store: round-trip IDToken on sessions for RP-initiated logout

internal/store/sessions.go

@@ -12,13 +12,14 @@ import (
 // insert; the raw token is what the caller hands to the user (cookie).
 func (s *Store) CreateSession(ctx context.Context, sess Session, tokenHash string) error {
 	_, err := s.db.ExecContext(ctx,
-		`INSERT INTO sessions (id, user_id, created_at, expires_at, ip, ua)
-		 VALUES (?, ?, ?, ?, ?, ?)`,
+		`INSERT INTO sessions (id, user_id, created_at, expires_at, ip, ua, id_token)
+		 VALUES (?, ?, ?, ?, ?, ?, ?)`,
 		tokenHash,
 		sess.UserID,
 		sess.CreatedAt.UTC().Format(time.RFC3339Nano),
 		sess.ExpiresAt.UTC().Format(time.RFC3339Nano),
-		sess.IP, sess.UA)
+		nullableStr(sess.IP), nullableStr(sess.UA),
+		nullableStr(sess.IDToken))
 	if err != nil {
 		return fmt.Errorf("store: create session: %w", err)
 	}
@@ -32,15 +33,15 @@ func (s *Store) CreateSession(ctx context.Context, sess Session, tokenHash strin
 // of valid token hashes.
 func (s *Store) LookupSession(ctx context.Context, tokenHash string) (*Session, error) {
 	row := s.db.QueryRowContext(ctx,
-		`SELECT id, user_id, created_at, expires_at, ip, ua
+		`SELECT id, user_id, created_at, expires_at, ip, ua, id_token
 		 FROM sessions
 		 WHERE id = ? AND expires_at > ?`,
 		tokenHash, time.Now().UTC().Format(time.RFC3339Nano))
 
 	var sess Session
 	var created, expires string
-	var ip, ua sql.NullString
-	if err := row.Scan(&sess.ID, &sess.UserID, &created, &expires, &ip, &ua); err != nil {
+	var ip, ua, idTok sql.NullString
+	if err := row.Scan(&sess.ID, &sess.UserID, &created, &expires, &ip, &ua, &idTok); err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
 			return nil, ErrNotFound
 		}
@@ -62,6 +63,9 @@ func (s *Store) LookupSession(ctx context.Context, tokenHash string) (*Session,
 	if ua.Valid {
 		sess.UA = ua.String
 	}
+	if idTok.Valid {
+		sess.IDToken = idTok.String
+	}
 	return &sess, nil
 }