data-model: don't embed the client in the auth grant

crates/data-model/src/lib.rs

@@ -23,12 +23,18 @@
     clippy::type_repetition_in_bounds
 )]
 
+use thiserror::Error;
+
 pub(crate) mod compat;
 pub(crate) mod oauth2;
 pub(crate) mod tokens;
 pub(crate) mod upstream_oauth2;
 pub(crate) mod users;
 
+#[derive(Debug, Error)]
+#[error("invalid state transition")]
+pub struct InvalidTransitionError;
+
 pub use self::{
     compat::{
         CompatAccessToken, CompatRefreshToken, CompatSession, CompatSsoLogin, CompatSsoLoginState,

crates/data-model/src/oauth2/authorization_grant.rs

@@ -21,11 +21,11 @@ use oauth2_types::{
     requests::ResponseMode,
 };
 use serde::Serialize;
-use thiserror::Error;
 use ulid::Ulid;
 use url::Url;
 
-use super::{client::Client, session::Session};
+use super::session::Session;
+use crate::InvalidTransitionError;
 
 #[derive(Debug, Clone, PartialEq, Eq, Serialize)]
 pub struct Pkce {
@@ -53,10 +53,6 @@ pub struct AuthorizationCode {
     pub pkce: Option<Pkce>,
 }
 
-#[derive(Debug, Error)]
-#[error("invalid state transition")]
-pub struct InvalidTransitionError;
-
 #[derive(Debug, Clone, PartialEq, Eq, Serialize, Default)]
 #[serde(tag = "stage", rename_all = "lowercase")]
 pub enum AuthorizationGrantStage {
@@ -132,7 +128,7 @@ pub struct AuthorizationGrant {
     #[serde(flatten)]
     pub stage: AuthorizationGrantStage,
     pub code: Option<AuthorizationCode>,
-    pub client: Client,
+    pub client_id: Ulid,
     pub redirect_uri: Url,
     pub scope: oauth2_types::scope::Scope,
     pub state: Option<String>,

crates/data-model/src/oauth2/session.rs

@@ -17,6 +17,8 @@ use oauth2_types::scope::Scope;
 use serde::Serialize;
 use ulid::Ulid;
 
+use crate::InvalidTransitionError;
+
 #[derive(Debug, Clone, PartialEq, Eq, Serialize)]
 pub struct Session {
     pub id: Ulid,
@@ -25,3 +27,14 @@ pub struct Session {
     pub scope: Scope,
     pub finished_at: Option<DateTime<Utc>>,
 }
+
+impl Session {
+    pub fn finish(mut self, finished_at: DateTime<Utc>) -> Result<Self, InvalidTransitionError> {
+        if self.finished_at.is_some() {
+            return Err(InvalidTransitionError);
+        }
+
+        self.finished_at = Some(finished_at);
+        Ok(self)
+    }
+}