matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-07-29 22:01:14 +03:00
Code Activity

data-model: Make the user_id optional in the OAuth 2.0 sessions

Browse Source
This commit is contained in:
Quentin Gliech
2023-09-04 16:32:43 +02:00
parent 3691090757
commit 7e247830c9
16 changed files with 133 additions and 85 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
crates/graphql/src/lib.rs
View File

@ -63,7 +63,7 @@ pub enum Requester {
BrowserSession(BrowserSession),
/// The requester is a OAuth2 session, with an access token.
OAuth2Session(Session, User),
OAuth2Session(Session, Option<User>),
}
trait OwnerId {
@ -90,7 +90,7 @@ impl OwnerId for mas_data_model::UserEmail {
impl OwnerId for Session {
fn owner_id(&self) -> Option<Ulid> {
Some(self.user_id)
self.user_id
}
}
@ -126,7 +126,7 @@ impl Requester {
fn user(&self) -> Option<&User> {
match self {
Self::BrowserSession(session) => Some(&session.user),
Self::OAuth2Session(_session, user) => Some(user),
Self::OAuth2Session(_session, user) => user.as_ref(),
Self::Anonymous => None,
}
}

16
crates/graphql/src/model/oauth.rs
View File

@ -22,7 +22,7 @@ use ulid::Ulid;
use url::Url;
use super::{BrowserSession, NodeType, User};
use crate::state::ContextExt;
use crate::{state::ContextExt, UserId};
/// The state of an OAuth 2.0 session.
#[derive(Enum, Copy, Clone, Eq, PartialEq)]
@ -108,17 +108,25 @@ impl OAuth2Session {
}
/// User authorized for this session.
pub async fn user(&self, ctx: &Context<'_>) -> Result<User, async_graphql::Error> {
pub async fn user(&self, ctx: &Context<'_>) -> Result<Option<User>, async_graphql::Error> {
let state = ctx.state();
let Some(user_id) = self.0.user_id else {
return Ok(None);
};
if !ctx.requester().is_owner_or_admin(&UserId(user_id)) {
return Err(async_graphql::Error::new("Unauthorized"));
}
let mut repo = state.repository().await?;
let user = repo
.user()
.lookup(self.0.user_id)
.lookup(user_id)
.await?
.context("Could not load user")?;
repo.cancel().await?;
Ok(User(user))
Ok(Some(User(user)))
}
}

36
crates/graphql/src/mutations/oauth2_session.rs
View File

@ -96,24 +96,26 @@ impl OAuth2SessionMutations {
return Ok(EndOAuth2SessionPayload::NotFound);
}
let user = repo
.user()
.lookup(session.user_id)
.await?
.context("Could not load user")?;
if let Some(user_id) = session.user_id {
let user = repo
.user()
.lookup(user_id)
.await?
.context("Could not load user")?;
// Scan the scopes of the session to find if there is any device that should be
// deleted from the Matrix server.
// TODO: this should be moved in a higher level "end oauth session" method.
// XXX: this might not be the right semantic, but it's the best we
// can do for now, since we're not explicitly storing devices for OAuth2
// sessions.
for scope in &*session.scope {
if let Some(device) = Device::from_scope_token(scope) {
// Schedule a job to delete the device.
repo.job()
.schedule_job(DeleteDeviceJob::new(&user, &device))
.await?;
// Scan the scopes of the session to find if there is any device that should be
// deleted from the Matrix server.
// TODO: this should be moved in a higher level "end oauth session" method.
// XXX: this might not be the right semantic, but it's the best we
// can do for now, since we're not explicitly storing devices for OAuth2
// sessions.
for scope in &*session.scope {
if let Some(device) = Device::from_scope_token(scope) {
// Schedule a job to delete the device.
repo.job()
.schedule_job(DeleteDeviceJob::new(&user, &device))
.await?;
}
}
}

4
crates/graphql/src/query/viewer.rs
View File

@ -31,8 +31,8 @@ impl ViewerQuery {
match requester {
Requester::BrowserSession(session) => Viewer::user(session.user.clone()),
Requester::OAuth2Session(_session, user) => Viewer::user(user.clone()),
Requester::Anonymous => Viewer::anonymous(),
Requester::OAuth2Session(_session, Some(user)) => Viewer::user(user.clone()),
Requester::OAuth2Session(_, None) | Requester::Anonymous => Viewer::anonymous(),
}
}