matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-07-29 22:01:14 +03:00
Code Activity

storage: oauth2 session repository

Browse Source
This commit is contained in:
Quentin Gliech
2023-01-05 15:16:03 +01:00
parent e26f75246d
commit 603a26eabd
18 changed files with 307 additions and 227 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
crates/axum-utils/src/client_authorization.rs
View File

@ -31,7 +31,7 @@ use mas_http::HttpServiceExt;
use mas_iana::oauth::OAuthClientAuthenticationMethod; use mas_iana::oauth::OAuthClientAuthenticationMethod;
use mas_jose::{jwk::PublicJsonWebKeySet, jwt::Jwt}; use mas_jose::{jwk::PublicJsonWebKeySet, jwt::Jwt};
use mas_keystore::Encrypter; use mas_keystore::Encrypter;
use mas_storage::{oauth2::client::OAuth2ClientRepository, DatabaseError, Repository}; use mas_storage::{oauth2::OAuth2ClientRepository, DatabaseError, Repository};
use serde::{de::DeserializeOwned, Deserialize}; use serde::{de::DeserializeOwned, Deserialize};
use serde_json::Value; use serde_json::Value;
use sqlx::PgConnection; use sqlx::PgConnection;

2
crates/cli/src/commands/manage.rs
View File

@ -18,7 +18,7 @@ use mas_config::{DatabaseConfig, PasswordsConfig, RootConfig};
use mas_iana::{jose::JsonWebSignatureAlg, oauth::OAuthClientAuthenticationMethod}; use mas_iana::{jose::JsonWebSignatureAlg, oauth::OAuthClientAuthenticationMethod};
use mas_router::UrlBuilder; use mas_router::UrlBuilder;
use mas_storage::{ use mas_storage::{
oauth2::client::OAuth2ClientRepository, oauth2::OAuth2ClientRepository,
upstream_oauth2::UpstreamOAuthProviderRepository, upstream_oauth2::UpstreamOAuthProviderRepository,
user::{UserEmailRepository, UserPasswordRepository, UserRepository}, user::{UserEmailRepository, UserPasswordRepository, UserRepository},
Clock, Repository, Clock, Repository,

2
crates/data-model/src/oauth2/session.rs
View File

@ -12,6 +12,7 @@
// See the License for the specific language governing permissions and // See the License for the specific language governing permissions and
// limitations under the License. // limitations under the License.
use chrono::{DateTime, Utc};
use oauth2_types::scope::Scope; use oauth2_types::scope::Scope;
use serde::Serialize; use serde::Serialize;
use ulid::Ulid; use ulid::Ulid;
@ -22,4 +23,5 @@ pub struct Session {
pub user_session_id: Ulid, pub user_session_id: Ulid,
pub client_id: Ulid, pub client_id: Ulid,
pub scope: Scope, pub scope: Scope,
pub finished_at: Option<DateTime<Utc>>,
} }

2
crates/graphql/src/lib.rs
View File

@ -31,7 +31,7 @@ use async_graphql::{
Context, Description, EmptyMutation, EmptySubscription, ID, Context, Description, EmptyMutation, EmptySubscription, ID,
}; };
use mas_storage::{ use mas_storage::{
oauth2::client::OAuth2ClientRepository, oauth2::OAuth2ClientRepository,
upstream_oauth2::UpstreamOAuthProviderRepository, upstream_oauth2::UpstreamOAuthProviderRepository,
user::{BrowserSessionRepository, UserEmailRepository}, user::{BrowserSessionRepository, UserEmailRepository},
Repository, UpstreamOAuthLinkRepository, Repository, UpstreamOAuthLinkRepository,

4
crates/graphql/src/model/oauth.rs
View File

@ -14,9 +14,7 @@
use anyhow::Context as _; use anyhow::Context as _;
use async_graphql::{Context, Description, Object, ID}; use async_graphql::{Context, Description, Object, ID};
use mas_storage::{ use mas_storage::{oauth2::OAuth2ClientRepository, user::BrowserSessionRepository, Repository};
oauth2::client::OAuth2ClientRepository, user::BrowserSessionRepository, Repository,
};
use oauth2_types::scope::Scope; use oauth2_types::scope::Scope;
use sqlx::PgPool; use sqlx::PgPool;
use ulid::Ulid; use ulid::Ulid;

12
crates/graphql/src/model/users.rs
View File

@ -18,6 +18,7 @@ use async_graphql::{
}; };
use chrono::{DateTime, Utc}; use chrono::{DateTime, Utc};
use mas_storage::{ use mas_storage::{
oauth2::OAuth2SessionRepository,
user::{BrowserSessionRepository, UserEmailRepository}, user::{BrowserSessionRepository, UserEmailRepository},
Repository, UpstreamOAuthLinkRepository, Repository, UpstreamOAuthLinkRepository,
}; };
@ -241,14 +242,13 @@ impl User {
.map(|x: OpaqueCursor<NodeCursor>| x.extract_for_type(NodeType::OAuth2Session)) .map(|x: OpaqueCursor<NodeCursor>| x.extract_for_type(NodeType::OAuth2Session))
.transpose()?; .transpose()?;
let (has_previous_page, has_next_page, edges) = let page = conn
mas_storage::oauth2::get_paginated_user_oauth_sessions( .oauth2_session()
&mut conn, &self.0, before_id, after_id, first, last, .list_paginated(&self.0, before_id, after_id, first, last)
)
.await?; .await?;
let mut connection = Connection::new(has_previous_page, has_next_page); let mut connection = Connection::new(page.has_previous_page, page.has_next_page);
connection.edges.extend(edges.into_iter().map(|s| { connection.edges.extend(page.edges.into_iter().map(|s| {
Edge::new( Edge::new(
OpaqueCursor(NodeCursor(NodeType::OAuth2Session, s.id)), OpaqueCursor(NodeCursor(NodeType::OAuth2Session, s.id)),
OAuth2Session(s), OAuth2Session(s),

13
crates/handlers/src/oauth2/authorization/complete.rs
View File

@ -25,9 +25,13 @@ use mas_data_model::{AuthorizationGrant, BrowserSession};
use mas_keystore::Encrypter; use mas_keystore::Encrypter;
use mas_policy::PolicyFactory; use mas_policy::PolicyFactory;
use mas_router::{PostAuthAction, Route}; use mas_router::{PostAuthAction, Route};
use mas_storage::oauth2::{ use mas_storage::{
authorization_grant::{derive_session, fulfill_grant, get_grant_by_id}, oauth2::{
authorization_grant::{fulfill_grant, get_grant_by_id},
consent::fetch_client_consent, consent::fetch_client_consent,
OAuth2SessionRepository,
},
Repository,
}; };
use mas_templates::Templates; use mas_templates::Templates;
use oauth2_types::requests::{AccessTokenResponse, AuthorizationResponse}; use oauth2_types::requests::{AccessTokenResponse, AuthorizationResponse};
@ -193,7 +197,10 @@ pub(crate) async fn complete(
} }
// All good, let's start the session // All good, let's start the session
let session = derive_session(&mut txn, &mut rng, &clock, &grant, browser_session).await?; let session = txn
.oauth2_session()
.create_from_grant(&mut rng, &clock, &grant, &browser_session)
.await?;
let grant = fulfill_grant(&mut txn, grant, session.clone()).await?; let grant = fulfill_grant(&mut txn, grant, session.clone()).await?;

2
crates/handlers/src/oauth2/authorization/mod.rs
View File

@ -26,7 +26,7 @@ use mas_keystore::Encrypter;
use mas_policy::PolicyFactory; use mas_policy::PolicyFactory;
use mas_router::{PostAuthAction, Route}; use mas_router::{PostAuthAction, Route};
use mas_storage::{ use mas_storage::{
oauth2::{authorization_grant::new_authorization_grant, client::OAuth2ClientRepository}, oauth2::{authorization_grant::new_authorization_grant, OAuth2ClientRepository},
Repository, Repository,
}; };
use mas_templates::Templates; use mas_templates::Templates;

2
crates/handlers/src/oauth2/registration.rs
View File

@ -19,7 +19,7 @@ use hyper::StatusCode;
use mas_iana::oauth::OAuthClientAuthenticationMethod; use mas_iana::oauth::OAuthClientAuthenticationMethod;
use mas_keystore::Encrypter; use mas_keystore::Encrypter;
use mas_policy::{PolicyFactory, Violation}; use mas_policy::{PolicyFactory, Violation};
use mas_storage::{oauth2::client::OAuth2ClientRepository, Repository}; use mas_storage::{oauth2::OAuth2ClientRepository, Repository};
use oauth2_types::{ use oauth2_types::{
errors::{ClientError, ClientErrorCode}, errors::{ClientError, ClientErrorCode},
registration::{ registration::{

4
crates/handlers/src/oauth2/token.rs
View File

@ -35,8 +35,8 @@ use mas_storage::{
oauth2::{ oauth2::{
access_token::{add_access_token, revoke_access_token}, access_token::{add_access_token, revoke_access_token},
authorization_grant::{exchange_grant, lookup_grant_by_code}, authorization_grant::{exchange_grant, lookup_grant_by_code},
end_oauth_session,
refresh_token::{add_refresh_token, consume_refresh_token, lookup_active_refresh_token}, refresh_token::{add_refresh_token, consume_refresh_token, lookup_active_refresh_token},
OAuth2SessionRepository,
}, },
user::BrowserSessionRepository, user::BrowserSessionRepository,
Repository, Repository,
@ -234,7 +234,7 @@ async fn authorization_code_grant(
// Ending the session if the token was already exchanged more than 20s ago // Ending the session if the token was already exchanged more than 20s ago
if now - exchanged_at > Duration::seconds(20) { if now - exchanged_at > Duration::seconds(20) {
debug!("Ending potentially compromised session"); debug!("Ending potentially compromised session");
end_oauth_session(&mut txn, &clock, session).await?; txn.oauth2_session().finish(&clock, session).await?;
txn.commit().await?; txn.commit().await?;
} }

2
crates/handlers/src/oauth2/userinfo.rs
View File

@ -29,7 +29,7 @@ use mas_jose::{
use mas_keystore::Keystore; use mas_keystore::Keystore;
use mas_router::UrlBuilder; use mas_router::UrlBuilder;
use mas_storage::{ use mas_storage::{
oauth2::client::OAuth2ClientRepository, oauth2::OAuth2ClientRepository,
user::{BrowserSessionRepository, UserEmailRepository}, user::{BrowserSessionRepository, UserEmailRepository},
Repository, Repository,
}; };

57
crates/storage/sqlx-data.json
View File

@ -629,6 +629,22 @@
}, },
"query": "\n UPDATE compat_sessions cs\n SET finished_at = $2\n FROM compat_access_tokens ca\n WHERE ca.access_token = $1\n AND ca.compat_session_id = cs.compat_session_id\n AND cs.finished_at IS NULL\n RETURNING cs.compat_session_id\n " "query": "\n UPDATE compat_sessions cs\n SET finished_at = $2\n FROM compat_access_tokens ca\n WHERE ca.access_token = $1\n AND ca.compat_session_id = cs.compat_session_id\n AND cs.finished_at IS NULL\n RETURNING cs.compat_session_id\n "
}, },
"583ae9a0db9cd55fa57a179339550f3dab1bfc76f35ad488e1560ea37f7ed029": {
"describe": {
"columns": [],
"nullable": [],
"parameters": {
"Left": [
"Uuid",
"Uuid",
"Uuid",
"Text",
"Timestamptz"
]
}
},
"query": "\n INSERT INTO oauth2_sessions\n ( oauth2_session_id\n , user_session_id\n , oauth2_client_id\n , scope\n , created_at\n )\n VALUES ($1, $2, $3, $4, $5)\n "
},
"5b5d5c82da37c6f2d8affacfb02119965c04d1f2a9cc53dbf5bd4c12584969a0": { "5b5d5c82da37c6f2d8affacfb02119965c04d1f2a9cc53dbf5bd4c12584969a0": {
"describe": { "describe": {
"columns": [], "columns": [],
@ -1325,19 +1341,6 @@
}, },
"query": "\n UPDATE compat_refresh_tokens\n SET consumed_at = $2\n WHERE compat_refresh_token_id = $1\n " "query": "\n UPDATE compat_refresh_tokens\n SET consumed_at = $2\n WHERE compat_refresh_token_id = $1\n "
}, },
"9c1ef3114bfe22884d893bb11dc6054421c28cce4bd828cfe6a4ad46c062481a": {
"describe": {
"columns": [],
"nullable": [],
"parameters": {
"Left": [
"Uuid",
"Timestamptz"
]
}
},
"query": "\n UPDATE oauth2_sessions\n SET finished_at = $2\n WHERE oauth2_session_id = $1\n "
},
"a300fe99c95679c5664646a6a525c0491829e97db45f3234483872ed38436322": { "a300fe99c95679c5664646a6a525c0491829e97db45f3234483872ed38436322": {
"describe": { "describe": {
"columns": [ "columns": [
@ -1469,6 +1472,19 @@
}, },
"query": "\n INSERT INTO user_email_confirmation_codes\n (user_email_confirmation_code_id, user_email_id, code, created_at, expires_at)\n VALUES ($1, $2, $3, $4, $5)\n " "query": "\n INSERT INTO user_email_confirmation_codes\n (user_email_confirmation_code_id, user_email_id, code, created_at, expires_at)\n VALUES ($1, $2, $3, $4, $5)\n "
}, },
"b700dc3f7d0f86f4904725d8357e34b7e457f857ed37c467c314142877fd5367": {
"describe": {
"columns": [],
"nullable": [],
"parameters": {
"Left": [
"Uuid",
"Timestamptz"
]
}
},
"query": "\n UPDATE oauth2_sessions\n SET finished_at = $2\n WHERE oauth2_session_id = $1\n "
},
"b9875a270f7e753e48075ccae233df6e24a91775ceb877735508c1d5b2300d64": { "b9875a270f7e753e48075ccae233df6e24a91775ceb877735508c1d5b2300d64": {
"describe": { "describe": {
"columns": [], "columns": [],
@ -1484,21 +1500,6 @@
}, },
"query": "\n UPDATE upstream_oauth_authorization_sessions\n SET upstream_oauth_link_id = $1,\n completed_at = $2,\n id_token = $3\n WHERE upstream_oauth_authorization_session_id = $4\n " "query": "\n UPDATE upstream_oauth_authorization_sessions\n SET upstream_oauth_link_id = $1,\n completed_at = $2,\n id_token = $3\n WHERE upstream_oauth_authorization_session_id = $4\n "
}, },
"bc768c63a7737818967bc28560de714bbbd262bdf3ab73d297263bb73dcd9f5e": {
"describe": {
"columns": [],
"nullable": [],
"parameters": {
"Left": [
"Uuid",
"Uuid",
"Timestamptz",
"Uuid"
]
}
},
"query": "\n INSERT INTO oauth2_sessions\n (oauth2_session_id, user_session_id, oauth2_client_id, scope, created_at)\n SELECT\n $1,\n $2,\n og.oauth2_client_id,\n og.scope,\n $3\n FROM\n oauth2_authorization_grants og\n WHERE\n og.oauth2_authorization_grant_id = $4\n "
},
"bd1f6daa5fa1b10250c01f8b3fbe451646a9ceeefa6f72b9c4e29b6d05f17641": { "bd1f6daa5fa1b10250c01f8b3fbe451646a9ceeefa6f72b9c4e29b6d05f17641": {
"describe": { "describe": {
"columns": [], "columns": [],

1
crates/storage/src/oauth2/access_token.rs
View File

@ -134,6 +134,7 @@ pub async fn lookup_active_access_token(
client_id: res.oauth2_client_id.into(), client_id: res.oauth2_client_id.into(),
user_session_id: res.user_session_id.into(), user_session_id: res.user_session_id.into(),
scope, scope,
finished_at: None,
}; };
Ok(Some((access_token, session))) Ok(Some((access_token, session)))

59
crates/storage/src/oauth2/authorization_grant.rs
View File

@ -16,8 +16,7 @@ use std::num::NonZeroU32;
use chrono::{DateTime, Utc}; use chrono::{DateTime, Utc};
use mas_data_model::{ use mas_data_model::{
AuthorizationCode, AuthorizationGrant, AuthorizationGrantStage, BrowserSession, Client, Pkce, AuthorizationCode, AuthorizationGrant, AuthorizationGrantStage, Client, Pkce, Session,
Session,
}; };
use mas_iana::oauth::PkceCodeChallengeMethod; use mas_iana::oauth::PkceCodeChallengeMethod;
use oauth2_types::{requests::ResponseMode, scope::Scope}; use oauth2_types::{requests::ResponseMode, scope::Scope};
@ -27,7 +26,7 @@ use ulid::Ulid;
use url::Url; use url::Url;
use uuid::Uuid; use uuid::Uuid;
use super::client::OAuth2ClientRepository; use super::OAuth2ClientRepository;
use crate::{Clock, DatabaseError, DatabaseInconsistencyError, LookupResultExt, Repository}; use crate::{Clock, DatabaseError, DatabaseInconsistencyError, LookupResultExt, Repository};
#[tracing::instrument( #[tracing::instrument(
@ -186,6 +185,7 @@ impl GrantLookup {
client_id: client.id, client_id: client.id,
user_session_id: user_session_id.into(), user_session_id: user_session_id.into(),
scope, scope,
finished_at: None,
}; };
Some(session) Some(session)
@ -431,59 +431,6 @@ pub async fn lookup_grant_by_code(
Ok(Some(grant)) Ok(Some(grant))
} }
#[tracing::instrument(
skip_all,
fields(
%grant.id,
client.id = %grant.client.id,
session.id,
user_session.id = %browser_session.id,
user.id = %browser_session.user.id,
),
err,
)]
pub async fn derive_session(
executor: impl PgExecutor<'_>,
mut rng: impl Rng + Send,
clock: &Clock,
grant: &AuthorizationGrant,
browser_session: BrowserSession,
) -> Result<Session, sqlx::Error> {
let created_at = clock.now();
let id = Ulid::from_datetime_with_source(created_at.into(), &mut rng);
tracing::Span::current().record("session.id", tracing::field::display(id));
sqlx::query!(
r#"
INSERT INTO oauth2_sessions
(oauth2_session_id, user_session_id, oauth2_client_id, scope, created_at)
SELECT
$1,
$2,
og.oauth2_client_id,
og.scope,
$3
FROM
oauth2_authorization_grants og
WHERE
og.oauth2_authorization_grant_id = $4
"#,
Uuid::from(id),
Uuid::from(browser_session.id),
created_at,
Uuid::from(grant.id),
)
.execute(executor)
.await?;
Ok(Session {
id,
user_session_id: browser_session.id,
client_id: grant.client.id,
scope: grant.scope.clone(),
})
}
#[tracing::instrument( #[tracing::instrument(
skip_all, skip_all,
fields( fields(

127
crates/storage/src/oauth2/mod.rs
View File

@ -12,129 +12,14 @@
// See the License for the specific language governing permissions and // See the License for the specific language governing permissions and
// limitations under the License. // limitations under the License.
use mas_data_model::{Session, User};
use sqlx::{PgConnection, PgExecutor, QueryBuilder};
use tracing::{info_span, Instrument};
use ulid::Ulid;
use uuid::Uuid;
use crate::{
pagination::{process_page, QueryBuilderExt},
Clock, DatabaseError, DatabaseInconsistencyError,
};
pub mod access_token; pub mod access_token;
pub mod authorization_grant; pub mod authorization_grant;
pub mod client; mod client;
pub mod consent; pub mod consent;
pub mod refresh_token; pub mod refresh_token;
pub mod session; mod session;
#[tracing::instrument( pub use self::{
skip_all, client::{OAuth2ClientRepository, PgOAuth2ClientRepository},
fields( session::{OAuth2SessionRepository, PgOAuth2SessionRepository},
%session.id, };
user_session.id = %session.user_session_id,
client.id = %session.client_id,
),
err,
)]
pub async fn end_oauth_session(
executor: impl PgExecutor<'_>,
clock: &Clock,
session: Session,
) -> Result<(), DatabaseError> {
let finished_at = clock.now();
let res = sqlx::query!(
r#"
UPDATE oauth2_sessions
SET finished_at = $2
WHERE oauth2_session_id = $1
"#,
Uuid::from(session.id),
finished_at,
)
.execute(executor)
.await?;
DatabaseError::ensure_affected_rows(&res, 1)
}
#[derive(sqlx::FromRow)]
struct OAuthSessionLookup {
oauth2_session_id: Uuid,
user_session_id: Uuid,
oauth2_client_id: Uuid,
scope: String,
}
#[tracing::instrument(
skip_all,
fields(
%user.id,
%user.username,
),
err,
)]
pub async fn get_paginated_user_oauth_sessions(
conn: &mut PgConnection,
user: &User,
before: Option<Ulid>,
after: Option<Ulid>,
first: Option<usize>,
last: Option<usize>,
) -> Result<(bool, bool, Vec<Session>), DatabaseError> {
let mut query = QueryBuilder::new(
r#"
SELECT
os.oauth2_session_id,
os.user_session_id,
os.oauth2_client_id,
os.scope,
os.created_at,
os.finished_at
FROM oauth2_sessions os
LEFT JOIN user_sessions us
USING (user_session_id)
"#,
);
query
.push(" WHERE us.user_id = ")
.push_bind(Uuid::from(user.id))
.generate_pagination("oauth2_session_id", before, after, first, last)?;
let span = info_span!(
"Fetch paginated user oauth sessions",
db.statement = query.sql()
);
let page: Vec<OAuthSessionLookup> = query
.build_query_as()
.fetch_all(&mut *conn)
.instrument(span)
.await?;
let (has_previous_page, has_next_page, page) = process_page(page, first, last)?;
let page: Result<Vec<_>, DatabaseInconsistencyError> = page
.into_iter()
.map(|item| {
let id = Ulid::from(item.oauth2_session_id);
let scope = item.scope.parse().map_err(|e| {
DatabaseInconsistencyError::on("oauth2_sessions")
.column("scope")
.row(id)
.source(e)
})?;
Ok(Session {
id: Ulid::from(item.oauth2_session_id),
client_id: item.oauth2_client_id.into(),
user_session_id: item.user_session_id.into(),
scope,
})
})
.collect();
Ok((has_previous_page, has_next_page, page?))
}

1
crates/storage/src/oauth2/refresh_token.rs
View File

@ -158,6 +158,7 @@ pub async fn lookup_active_refresh_token(
client_id: res.oauth2_client_id.into(), client_id: res.oauth2_client_id.into(),
user_session_id: res.user_session_id.into(), user_session_id: res.user_session_id.into(),
scope, scope,
finished_at: None,
}; };
Ok(Some((refresh_token, session))) Ok(Some((refresh_token, session)))

223
crates/storage/src/oauth2/session.rs
View File

@ -13,8 +13,231 @@
// limitations under the License. // limitations under the License.
use async_trait::async_trait; use async_trait::async_trait;
use chrono::{DateTime, Utc};
use mas_data_model::{AuthorizationGrant, BrowserSession, Session, User};
use rand::RngCore;
use sqlx::{PgConnection, QueryBuilder};
use ulid::Ulid;
use uuid::Uuid;
use crate::{
pagination::{process_page, Page, QueryBuilderExt},
tracing::ExecuteExt,
Clock, DatabaseError, DatabaseInconsistencyError,
};
#[async_trait] #[async_trait]
pub trait OAuth2SessionRepository { pub trait OAuth2SessionRepository {
type Error; type Error;
async fn create_from_grant(
&mut self,
rng: &mut (dyn RngCore + Send),
clock: &Clock,
grant: &AuthorizationGrant,
user_session: &BrowserSession,
) -> Result<Session, Self::Error>;
async fn finish(&mut self, clock: &Clock, session: Session) -> Result<Session, Self::Error>;
async fn list_paginated(
&mut self,
user: &User,
before: Option<Ulid>,
after: Option<Ulid>,
first: Option<usize>,
last: Option<usize>,
) -> Result<Page<Session>, Self::Error>;
}
pub struct PgOAuth2SessionRepository<'c> {
conn: &'c mut PgConnection,
}
impl<'c> PgOAuth2SessionRepository<'c> {
pub fn new(conn: &'c mut PgConnection) -> Self {
Self { conn }
}
}
#[derive(sqlx::FromRow)]
struct OAuthSessionLookup {
oauth2_session_id: Uuid,
user_session_id: Uuid,
oauth2_client_id: Uuid,
scope: String,
finished_at: Option<DateTime<Utc>>,
}
impl TryFrom<OAuthSessionLookup> for Session {
type Error = DatabaseInconsistencyError;
fn try_from(value: OAuthSessionLookup) -> Result<Self, Self::Error> {
let id = Ulid::from(value.oauth2_session_id);
let scope = value.scope.parse().map_err(|e| {
DatabaseInconsistencyError::on("oauth2_sessions")
.column("scope")
.row(id)
.source(e)
})?;
Ok(Session {
id,
client_id: value.oauth2_client_id.into(),
user_session_id: value.user_session_id.into(),
scope,
finished_at: value.finished_at,
})
}
}
#[async_trait]
impl<'c> OAuth2SessionRepository for PgOAuth2SessionRepository<'c> {
type Error = DatabaseError;
#[tracing::instrument(
name = "db.oauth2_session.create_from_grant",
skip_all,
fields(
db.statement,
%user_session.id,
user.id = %user_session.user.id,
%grant.id,
client.id = %grant.client.id,
session.id,
session.scope = %grant.scope,
),
err,
)]
async fn create_from_grant(
&mut self,
rng: &mut (dyn RngCore + Send),
clock: &Clock,
grant: &AuthorizationGrant,
user_session: &BrowserSession,
) -> Result<Session, Self::Error> {
let created_at = clock.now();
let id = Ulid::from_datetime_with_source(created_at.into(), rng);
tracing::Span::current().record("session.id", tracing::field::display(id));
sqlx::query!(
r#"
INSERT INTO oauth2_sessions
( oauth2_session_id
, user_session_id
, oauth2_client_id
, scope
, created_at
)
VALUES ($1, $2, $3, $4, $5)
"#,
Uuid::from(id),
Uuid::from(user_session.id),
Uuid::from(grant.client.id),
grant.scope.to_string(),
created_at,
)
.traced()
.execute(&mut *self.conn)
.await?;
Ok(Session {
id,
user_session_id: user_session.id,
client_id: grant.client.id,
scope: grant.scope.clone(),
finished_at: None,
})
}
#[tracing::instrument(
name = "db.oauth2_session.finish",
skip_all,
fields(
db.statement,
%session.id,
%session.scope,
user_session.id = %session.user_session_id,
client.id = %session.client_id,
),
err,
)]
async fn finish(
&mut self,
clock: &Clock,
mut session: Session,
) -> Result<Session, Self::Error> {
let finished_at = clock.now();
let res = sqlx::query!(
r#"
UPDATE oauth2_sessions
SET finished_at = $2
WHERE oauth2_session_id = $1
"#,
Uuid::from(session.id),
finished_at,
)
.traced()
.execute(&mut *self.conn)
.await?;
DatabaseError::ensure_affected_rows(&res, 1)?;
session.finished_at = Some(finished_at);
Ok(session)
}
#[tracing::instrument(
name = "db.oauth2_session.list_paginated",
skip_all,
fields(
db.statement,
%user.id,
%user.username,
),
err,
)]
async fn list_paginated(
&mut self,
user: &User,
before: Option<Ulid>,
after: Option<Ulid>,
first: Option<usize>,
last: Option<usize>,
) -> Result<Page<Session>, Self::Error> {
let mut query = QueryBuilder::new(
r#"
SELECT oauth2_session_id
, user_session_id
, oauth2_client_id
, scope
, created_at
, finished_at
FROM oauth2_sessions os
"#,
);
query
.push(" WHERE us.user_id = ")
.push_bind(Uuid::from(user.id))
.generate_pagination("oauth2_session_id", before, after, first, last)?;
let edges: Vec<OAuthSessionLookup> = query
.build_query_as()
.traced()
.fetch_all(&mut *self.conn)
.await?;
let (has_previous_page, has_next_page, edges) = process_page(edges, first, last)?;
let edges: Result<Vec<_>, DatabaseInconsistencyError> =
edges.into_iter().map(Session::try_from).collect();
Ok(Page {
has_next_page,
has_previous_page,
edges: edges?,
})
}
} }

17
crates/storage/src/repository.rs
View File

@ -15,7 +15,7 @@
use sqlx::{PgConnection, Postgres, Transaction}; use sqlx::{PgConnection, Postgres, Transaction};
use crate::{ use crate::{
oauth2::client::PgOAuth2ClientRepository, oauth2::{PgOAuth2ClientRepository, PgOAuth2SessionRepository},
upstream_oauth2::{ upstream_oauth2::{
PgUpstreamOAuthLinkRepository, PgUpstreamOAuthProviderRepository, PgUpstreamOAuthLinkRepository, PgUpstreamOAuthProviderRepository,
PgUpstreamOAuthSessionRepository, PgUpstreamOAuthSessionRepository,
@ -59,6 +59,10 @@ pub trait Repository {
where where
Self: 'c; Self: 'c;
type OAuth2SessionRepository<'c>
where
Self: 'c;
fn upstream_oauth_link(&mut self) -> Self::UpstreamOAuthLinkRepository<'_>; fn upstream_oauth_link(&mut self) -> Self::UpstreamOAuthLinkRepository<'_>;
fn upstream_oauth_provider(&mut self) -> Self::UpstreamOAuthProviderRepository<'_>; fn upstream_oauth_provider(&mut self) -> Self::UpstreamOAuthProviderRepository<'_>;
fn upstream_oauth_session(&mut self) -> Self::UpstreamOAuthSessionRepository<'_>; fn upstream_oauth_session(&mut self) -> Self::UpstreamOAuthSessionRepository<'_>;
@ -67,6 +71,7 @@ pub trait Repository {
fn user_password(&mut self) -> Self::UserPasswordRepository<'_>; fn user_password(&mut self) -> Self::UserPasswordRepository<'_>;
fn browser_session(&mut self) -> Self::BrowserSessionRepository<'_>; fn browser_session(&mut self) -> Self::BrowserSessionRepository<'_>;
fn oauth2_client(&mut self) -> Self::OAuth2ClientRepository<'_>; fn oauth2_client(&mut self) -> Self::OAuth2ClientRepository<'_>;
fn oauth2_session(&mut self) -> Self::OAuth2SessionRepository<'_>;
} }
impl Repository for PgConnection { impl Repository for PgConnection {
@ -78,6 +83,7 @@ impl Repository for PgConnection {
type UserPasswordRepository<'c> = PgUserPasswordRepository<'c> where Self: 'c; type UserPasswordRepository<'c> = PgUserPasswordRepository<'c> where Self: 'c;
type BrowserSessionRepository<'c> = PgBrowserSessionRepository<'c> where Self: 'c; type BrowserSessionRepository<'c> = PgBrowserSessionRepository<'c> where Self: 'c;
type OAuth2ClientRepository<'c> = PgOAuth2ClientRepository<'c> where Self: 'c; type OAuth2ClientRepository<'c> = PgOAuth2ClientRepository<'c> where Self: 'c;
type OAuth2SessionRepository<'c> = PgOAuth2SessionRepository<'c> where Self: 'c;
fn upstream_oauth_link(&mut self) -> Self::UpstreamOAuthLinkRepository<'_> { fn upstream_oauth_link(&mut self) -> Self::UpstreamOAuthLinkRepository<'_> {
PgUpstreamOAuthLinkRepository::new(self) PgUpstreamOAuthLinkRepository::new(self)
@ -110,6 +116,10 @@ impl Repository for PgConnection {
fn oauth2_client(&mut self) -> Self::OAuth2ClientRepository<'_> { fn oauth2_client(&mut self) -> Self::OAuth2ClientRepository<'_> {
PgOAuth2ClientRepository::new(self) PgOAuth2ClientRepository::new(self)
} }
fn oauth2_session(&mut self) -> Self::OAuth2SessionRepository<'_> {
PgOAuth2SessionRepository::new(self)
}
} }
impl<'t> Repository for Transaction<'t, Postgres> { impl<'t> Repository for Transaction<'t, Postgres> {
@ -121,6 +131,7 @@ impl<'t> Repository for Transaction<'t, Postgres> {
type UserPasswordRepository<'c> = PgUserPasswordRepository<'c> where Self: 'c; type UserPasswordRepository<'c> = PgUserPasswordRepository<'c> where Self: 'c;
type BrowserSessionRepository<'c> = PgBrowserSessionRepository<'c> where Self: 'c; type BrowserSessionRepository<'c> = PgBrowserSessionRepository<'c> where Self: 'c;
type OAuth2ClientRepository<'c> = PgOAuth2ClientRepository<'c> where Self: 'c; type OAuth2ClientRepository<'c> = PgOAuth2ClientRepository<'c> where Self: 'c;
type OAuth2SessionRepository<'c> = PgOAuth2SessionRepository<'c> where Self: 'c;
fn upstream_oauth_link(&mut self) -> Self::UpstreamOAuthLinkRepository<'_> { fn upstream_oauth_link(&mut self) -> Self::UpstreamOAuthLinkRepository<'_> {
PgUpstreamOAuthLinkRepository::new(self) PgUpstreamOAuthLinkRepository::new(self)
@ -153,4 +164,8 @@ impl<'t> Repository for Transaction<'t, Postgres> {
fn oauth2_client(&mut self) -> Self::OAuth2ClientRepository<'_> { fn oauth2_client(&mut self) -> Self::OAuth2ClientRepository<'_> {
PgOAuth2ClientRepository::new(self) PgOAuth2ClientRepository::new(self)
} }
fn oauth2_session(&mut self) -> Self::OAuth2SessionRepository<'_> {
PgOAuth2SessionRepository::new(self)
}
} }