Remove the last authentication from the browser session model

crates/handlers/src/oauth2/authorization/complete.rs

@@ -27,7 +27,8 @@ use mas_policy::PolicyFactory;
 use mas_router::{PostAuthAction, Route, UrlBuilder};
 use mas_storage::{
     oauth2::{OAuth2AuthorizationGrantRepository, OAuth2ClientRepository, OAuth2SessionRepository},
-    BoxClock, BoxRepository, BoxRng,
+    user::BrowserSessionRepository,
+    BoxClock, BoxRepository, BoxRng, RepositoryAccess,
 };
 use mas_templates::Templates;
 use oauth2_types::requests::AuthorizationResponse;
@@ -194,10 +195,16 @@ pub(crate) async fn complete(
     }
 
     // Check if the authentication is fresh enough
-    if !browser_session.was_authenticated_after(grant.max_auth_time()) {
+    let authentication = repo
+        .browser_session()
+        .get_last_authentication(&browser_session)
+        .await?;
+    let authentication = authentication.filter(|auth| auth.created_at > grant.max_auth_time());
+
+    let Some(valid_authentication) = authentication else {
         repo.save().await?;
         return Err(GrantCompletionError::RequiresReauth);
-    }
+    };
 
     // Run through the policy
     let mut policy = policy_factory.instantiate().await?;
@@ -257,6 +264,7 @@ pub(crate) async fn complete(
             &grant,
             &browser_session,
             None,
+            Some(&valid_authentication),
         )?);
     }
 

crates/handlers/src/oauth2/mod.rs

@@ -16,7 +16,8 @@ use std::collections::HashMap;
 
 use chrono::Duration;
 use mas_data_model::{
-    AccessToken, AuthorizationGrant, BrowserSession, Client, RefreshToken, Session, TokenType,
+    AccessToken, Authentication, AuthorizationGrant, BrowserSession, Client, RefreshToken, Session,
+    TokenType,
 };
 use mas_iana::jose::JsonWebSignatureAlg;
 use mas_jose::{
@@ -60,6 +61,7 @@ pub(crate) fn generate_id_token(
     grant: &AuthorizationGrant,
     browser_session: &BrowserSession,
     access_token: Option<&AccessToken>,
+    last_authentication: Option<&Authentication>,
 ) -> Result<String, IdTokenSignatureError> {
     let mut claims = HashMap::new();
     let now = clock.now();
@@ -73,7 +75,7 @@ pub(crate) fn generate_id_token(
         claims::NONCE.insert(&mut claims, nonce.clone())?;
     }
 
-    if let Some(ref last_authentication) = browser_session.last_authentication {
+    if let Some(last_authentication) = last_authentication {
         claims::AUTH_TIME.insert(&mut claims, last_authentication.created_at)?;
     }
 
@@ -113,7 +115,7 @@ pub(crate) async fn generate_token_pair<R: RepositoryAccess>(
 
     let access_token = repo
         .oauth2_access_token()
-        .add(rng, clock, session, access_token_str.clone(), ttl)
+        .add(rng, clock, session, access_token_str, ttl)
         .await?;
 
     let refresh_token = repo

crates/handlers/src/oauth2/token.rs

@@ -302,6 +302,11 @@ async fn authorization_code_grant(
         .await?
         .ok_or(RouteError::NoSuchBrowserSession)?;
 
+    let last_authentication = repo
+        .browser_session()
+        .get_last_authentication(&browser_session)
+        .await?;
+
     let ttl = Duration::minutes(5);
     let (access_token, refresh_token) =
         generate_token_pair(&mut rng, clock, &mut repo, &session, ttl).await?;
@@ -316,6 +321,7 @@ async fn authorization_code_grant(
             &authz_grant,
             &browser_session,
             Some(&access_token),
+            last_authentication.as_ref(),
         )?)
     } else {
         None