Add a GraphQL mutation to create arbitrary OAuth2 sessions.

2025-07-31 09:24:31 +03:00 · 2023-09-08 19:28:46 +02:00
parent b8012bb66c
commit 83ca90ee3d
8 changed files with 369 additions and 71 deletions
--- a/crates/graphql/src/lib.rs
+++ b/crates/graphql/src/lib.rs
@ -131,6 +131,13 @@ impl Requester {
        }
    }

+    fn oauth2_session(&self) -> Option<&Session> {
+        match self {
+            Self::OAuth2Session(session, _) => Some(session),
+            Self::BrowserSession(_) | Self::Anonymous => None,
+        }
+    }
+
    /// Returns true if the requester can access the resource.
    fn is_owner_or_admin(&self, resource: &impl OwnerId) -> bool {
        // If the requester is an admin, they can do anything.
--- a/crates/graphql/src/mutations/oauth2_session.rs
+++ b/crates/graphql/src/mutations/oauth2_session.rs
@ -13,13 +13,19 @@
 // limitations under the License.

 use anyhow::Context as _;
-use async_graphql::{Context, Enum, InputObject, Object, ID};
-use mas_data_model::Device;
+use async_graphql::{Context, Description, Enum, InputObject, Object, ID};
+use chrono::Duration;
+use mas_data_model::{Device, TokenType};
 use mas_storage::{
-    job::{DeleteDeviceJob, JobRepositoryExt},
-    oauth2::OAuth2SessionRepository,
+    job::{DeleteDeviceJob, JobRepositoryExt, ProvisionDeviceJob},
+    oauth2::{
+        OAuth2AccessTokenRepository, OAuth2ClientRepository, OAuth2RefreshTokenRepository,
+        OAuth2SessionRepository,
+    },
+    user::UserRepository,
    RepositoryAccess,
 };
+use oauth2_types::scope::Scope;

 use crate::{
    model::{NodeType, OAuth2Session},
@ -31,6 +37,45 @@ pub struct OAuth2SessionMutations {
    _private: (),
 }

+/// The input of the `createOauth2Session` mutation.
+#[derive(InputObject)]
+pub struct CreateOAuth2SessionInput {
+    /// The scope of the session
+    scope: String,
+
+    /// The ID of the user for which to create the session
+    user_id: ID,
+
+    /// Whether the session should issue a never-expiring access token
+    permanent: Option<bool>,
+}
+
+/// The payload of the `createOauth2Session` mutation.
+#[derive(Description)]
+pub struct CreateOAuth2SessionPayload {
+    access_token: String,
+    refresh_token: Option<String>,
+    session: mas_data_model::Session,
+}
+
+#[Object(use_type_description)]
+impl CreateOAuth2SessionPayload {
+    /// Access token for this session
+    pub async fn access_token(&self) -> &str {
+        &self.access_token
+    }
+
+    /// Refresh token for this session, if it is not a permanent session
+    pub async fn refresh_token(&self) -> Option<&str> {
+        self.refresh_token.as_deref()
+    }
+
+    /// The OAuth 2.0 session which was just created
+    pub async fn oauth2_session(&self) -> OAuth2Session {
+        OAuth2Session(self.session.clone())
+    }
+}
+
 /// The input of the `endOauth2Session` mutation.
 #[derive(InputObject)]
 pub struct EndOAuth2SessionInput {
@ -75,6 +120,93 @@ impl EndOAuth2SessionPayload {

 #[Object]
 impl OAuth2SessionMutations {
+    /// Create a new arbitrary OAuth 2.0 Session.
+    ///
+    /// Only available for administrators.
+    async fn create_oauth2_session(
+        &self,
+        ctx: &Context<'_>,
+        input: CreateOAuth2SessionInput,
+    ) -> Result<CreateOAuth2SessionPayload, async_graphql::Error> {
+        let state = ctx.state();
+        let user_id = NodeType::User.extract_ulid(&input.user_id)?;
+        let scope: Scope = input.scope.parse().context("Invalid scope")?;
+        let permanent = input.permanent.unwrap_or(false);
+        let requester = ctx.requester();
+
+        if !requester.is_admin() {
+            return Err(async_graphql::Error::new("Unauthorized"));
+        }
+
+        let session = requester
+            .oauth2_session()
+            .context("Requester should be a OAuth 2.0 client")?;
+
+        let mut repo = state.repository().await?;
+        let clock = state.clock();
+        let mut rng = state.rng();
+
+        let client = repo
+            .oauth2_client()
+            .lookup(session.client_id)
+            .await?
+            .context("Client not found")?;
+
+        let user = repo
+            .user()
+            .lookup(user_id)
+            .await?
+            .context("User not found")?;
+
+        // Generate a new access token
+        let access_token = TokenType::AccessToken.generate(&mut rng);
+
+        // Create the OAuth 2.0 Session
+        let session = repo
+            .oauth2_session()
+            .add(&mut rng, &clock, &client, Some(&user), None, scope)
+            .await?;
+
+        // Look for devices to provision
+        for scope in &*session.scope {
+            if let Some(device) = Device::from_scope_token(scope) {
+                repo.job()
+                    .schedule_job(ProvisionDeviceJob::new(&user, &device))
+                    .await?;
+            }
+        }
+
+        let ttl = if permanent {
+            // XXX: that's lazy
+            Duration::days(365 * 50)
+        } else {
+            Duration::minutes(5)
+        };
+        let access_token = repo
+            .oauth2_access_token()
+            .add(&mut rng, &clock, &session, access_token, ttl)
+            .await?;
+
+        let refresh_token = if !permanent {
+            let refresh_token = TokenType::RefreshToken.generate(&mut rng);
+
+            let refresh_token = repo
+                .oauth2_refresh_token()
+                .add(&mut rng, &clock, &session, &access_token, refresh_token)
+                .await?;
+
+            Some(refresh_token)
+        } else {
+            None
+        };
+
+        Ok(CreateOAuth2SessionPayload {
+            session,
+            access_token: access_token.access_token,
+            refresh_token: refresh_token.map(|t| t.refresh_token),
+        })
+    }
+
    async fn end_oauth2_session(
        &self,
        ctx: &Context<'_>,