Merge pull request 'fix: Do not delete global Oauth2 applications' (#6054) from fnetx/global-oauth-corruption into forgejo

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6054
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>

models/auth/TestOrphanedOAuth2Applications/oauth2_application.yaml

@@ -23,3 +23,11 @@
   redirect_uris: '["http://127.0.0.1", "https://127.0.0.1"]'
   created_unix: 1712358091
   updated_unix: 1712358091
+-
+  id: 1003
+  uid: 0
+  name: "Global Auth source that should be kept"
+  client_id: "2f3467c1-7b3b-463d-ab04-2ae2b2712826"
+  redirect_uris: '["http://example.com/globalapp", "https://example.com/globalapp"]'
+  created_unix: 1732387292
+  updated_unix: 1732387292

models/auth/oauth2.go

@@ -657,6 +657,7 @@ func CountOrphanedOAuth2Applications(ctx context.Context) (int64, error) {
 		Table("`oauth2_application`").
 		Join("LEFT", "`user`", "`oauth2_application`.`uid` = `user`.`id`").
 		Where(builder.IsNull{"`user`.id"}).
+		Where(builder.Neq{"uid": 0}). // exclude instance-wide admin applications
 		Where(builder.NotIn("`oauth2_application`.`client_id`", BuiltinApplicationsClientIDs())).
 		Select("COUNT(`oauth2_application`.`id`)").
 		Count()
@@ -668,6 +669,7 @@ func DeleteOrphanedOAuth2Applications(ctx context.Context) (int64, error) {
 		From("`oauth2_application`").
 		Join("LEFT", "`user`", "`oauth2_application`.`uid` = `user`.`id`").
 		Where(builder.IsNull{"`user`.id"}).
+		Where(builder.Neq{"uid": 0}). // exclude instance-wide admin applications
 		Where(builder.NotIn("`oauth2_application`.`client_id`", BuiltinApplicationsClientIDs()))
 
 	b := builder.Delete(builder.In("id", subQuery)).From("`oauth2_application`")

models/auth/oauth2_test.go

@@ -296,4 +296,5 @@ func TestOrphanedOAuth2Applications(t *testing.T) {
 	require.NoError(t, err)
 	assert.EqualValues(t, 0, count)
 	unittest.AssertExistsIf(t, false, &auth_model.OAuth2Application{ID: 1002})
+	unittest.AssertExistsIf(t, true, &auth_model.OAuth2Application{ID: 1003})
 }