Elk login fails with `401 Unauthorized` on upgraded instances

[dahlia]

Description

Elk client authentication fails on Hollo instances that were upgraded from 0.5.x to 0.6.x, while working correctly on fresh 0.6.x installations.

Observed Behavior

• Fresh 0.6.x installs: Elk login works correctly ✅
• Upgraded 0.5.x → 0.6.x installs: Elk login fails with 401 Unauthorized ❌
• Other clients: Phanpy and other clients work fine on both scenarios ✅

Error Details

POST /oauth/token endpoint returns 401 Unauthorized when attempting to authenticate via Elk.

Steps to Reproduce

1. Have a Hollo instance that was previously on 0.5.x with Elk login working
2. Upgrade to Hollo 0.6.x
3. Attempt to log in via Elk
4. Observe 401 error during token exchange

Environment

• Hollo version: 0.6.x (upgraded from 0.5.x)
• Client: Elk
• Working clients: Phanpy, Moshidon, etc.

Additional Context

This suggests there may be a migration issue with existing OAuth client registrations when upgrading from 0.5.x to 0.6.x, specifically affecting how Elk's centralized OAuth flow is handled.

[ThisIsMissEm]

@dahlia I can do some testing today, although I did already open one issue with Elk in regards to #163

[dahlia]

@ThisIsMissEm Yeah, although I'm not sure either, I guess it's a separate issue from #163…

[ThisIsMissEm]

I'll investigate today. Happens with elk.zone right?

[dahlia]

Yeah, it happens with elk.zone!

[ThisIsMissEm]

This is a duplicate of #163, login with elk.zone works using Hollo 0.6.1, it was the issue already reported in elk-zone/elk#3306

[dahlia]

Yeah, it works with fresh Hollo 0.6.x installations, but it does not work if you had a Hollo 0.5.x and signed in to it using Elk once, and then upgrade it to Hollo 0.6.x, it now fails to sign in with Elk…

[ThisIsMissEm]

So sign in once on 0.5, upgrade to 0.6.1, and it fails? Interesting. I'll give that a try.

[dahlia]

Yes, exactly!

[ThisIsMissEm]

Looks like the issue is confidential on Application isn't correctly being set for old applications.

This is because confidential defaulted to false, I've added a migration to update all older registrations to true, and newly created applications will gain true as well.