
Make the client_id a foreign key

This commit is contained in:
Quentin Gliech
2022-04-28 18:39:45 +02:00
parent 42c5f0e0dd
commit ead7e4804a
10 changed files with 785 additions and 735 deletions


@ -0,0 +1,23 @@
-- Copyright 2022 The Matrix.org Foundation C.I.C.
--
-- Licensed under the Apache License, Version 2.0 (the "License");
-- you may not use this file except in compliance with the License.
-- You may obtain a copy of the License at
--
-- http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
TRUNCATE TABLE oauth2_sessions, oauth2_authorization_grants RESTART IDENTITY CASCADE;
ALTER TABLE oauth2_sessions
DROP COLUMN "oauth2_client_id",
ADD COLUMN "client_id" TEXT NOT NULL;
ALTER TABLE oauth2_authorization_grants
DROP COLUMN "oauth2_client_id",
ADD COLUMN "client_id" TEXT NOT NULL;
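Review bot: The opening `TRUNCATE TABLE oauth2_sessions, oauth2_authorization_grants RESTART IDENTITY CASCADE` silently destroys every active OAuth2 session and pending authorization grant, and `CASCADE` extends that to any table holding a foreign key into them (the token tables, if they reference oauth2_sessions — not visible here), so applying this migration is a forced logout of every user. This file looks like the revert (down) counterpart of the sibling migration that introduces the `oauth2_client_id` foreign key, which would make a rollback exactly as destructive as the upgrade; neither the SQL nor the commit message says so. A header comment should make the operator impact explicit, e.g. `-- DESTRUCTIVE: the column type changes, so all OAuth2 sessions and grants (and rows cascading from them) are wiped; every user is logged out.`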


@ -0,0 +1,27 @@
-- Copyright 2022 The Matrix.org Foundation C.I.C.
--
-- Licensed under the Apache License, Version 2.0 (the "License");
-- you may not use this file except in compliance with the License.
-- You may obtain a copy of the License at
--
-- http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
TRUNCATE TABLE oauth2_sessions, oauth2_authorization_grants RESTART IDENTITY CASCADE;
ALTER TABLE oauth2_sessions
DROP COLUMN "client_id",
ADD COLUMN "oauth2_client_id" BIGINT
NOT NULL
REFERENCES oauth2_clients (id) ON DELETE CASCADE;
ALTER TABLE oauth2_authorization_grants
DROP COLUMN "client_id",
ADD COLUMN "oauth2_client_id" BIGINT
NOT NULL
REFERENCES oauth2_clients (id) ON DELETE CASCADE;
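Review bot: The two new `oauth2_client_id ... REFERENCES oauth2_clients (id) ON DELETE CASCADE` columns get no index, and PostgreSQL does not create one for a foreign key automatically, so every client deletion (and any lookup of a client's sessions or grants) scans the whole table; add `CREATE INDEX oauth2_sessions_oauth2_client_id_idx ON oauth2_sessions (oauth2_client_id);` and `CREATE INDEX oauth2_authorization_grants_oauth2_client_id_idx ON oauth2_authorization_grants (oauth2_client_id);` after the ALTERs. `ON DELETE CASCADE` also means that deleting a client row silently revokes all of that client's sessions and grants — a sensible revocation semantic, but one that deserves a comment so nobody later treats client deletion as a metadata-only operation. The leading `TRUNCATE ... RESTART IDENTITY CASCADE` is a forced logout of every user and should be called out in a header comment as well.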



@ -18,7 +18,7 @@ use mas_data_model::{AccessToken, Authentication, BrowserSession, Session, User,
use sqlx::{Acquire, PgExecutor, Postgres};
use thiserror::Error;
use super::client::{lookup_client_by_client_id, ClientFetchError};
use super::client::{lookup_client, ClientFetchError};
use crate::{DatabaseInconsistencyError, IdAndCreationTime, PostgresqlBackend};
pub async fn add_access_token(
@ -64,7 +64,7 @@ pub struct OAuth2AccessTokenLookup {
access_token_expires_after: i32,
access_token_created_at: DateTime<Utc>,
session_id: i64,
client_id: String,
oauth2_client_id: i64,
scope: String,
user_session_id: i64,
user_session_created_at: DateTime<Utc>,
@ -119,7 +119,7 @@ where
at.expires_after AS "access_token_expires_after",
at.created_at AS "access_token_created_at",
os.id AS "session_id!",
os.client_id AS "client_id!",
os.oauth2_client_id AS "oauth2_client_id!",
os.scope AS "scope!",
us.id AS "user_session_id!",
us.created_at AS "user_session_created_at!",
@ -165,7 +165,7 @@ where
expires_after: Duration::seconds(res.access_token_expires_after.into()),
};
let client = lookup_client_by_client_id(&mut *conn, &res.client_id).await?;
let client = lookup_client(&mut *conn, res.oauth2_client_id).await?;
let primary_email = match (
res.user_email_id,


@ -27,7 +27,7 @@ use oauth2_types::{requests::ResponseMode, scope::Scope};
use sqlx::{PgConnection, PgExecutor};
use url::Url;
use super::client::lookup_client_by_client_id;
use super::client::{lookup_client};
use crate::{DatabaseInconsistencyError, IdAndCreationTime, PostgresqlBackend};
#[allow(clippy::too_many_arguments)]
@ -58,7 +58,7 @@ pub async fn new_authorization_grant(
IdAndCreationTime,
r#"
INSERT INTO oauth2_authorization_grants
(client_id, redirect_uri, scope, state, nonce, max_age,
(oauth2_client_id, redirect_uri, scope, state, nonce, max_age,
acr_values, response_mode, code_challenge, code_challenge_method,
response_type_code, response_type_token, response_type_id_token,
code)
@ -66,7 +66,7 @@ pub async fn new_authorization_grant(
($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14)
RETURNING id, created_at
"#,
&client.client_id,
&client.data,
redirect_uri.to_string(),
scope.to_string(),
state,
@ -123,7 +123,7 @@ struct GrantLookup {
grant_code: Option<String>,
grant_code_challenge: Option<String>,
grant_code_challenge_method: Option<String>,
client_id: String,
oauth2_client_id: i64,
session_id: Option<i64>,
user_session_id: Option<i64>,
user_session_created_at: Option<DateTime<Utc>>,
@ -149,7 +149,7 @@ impl GrantLookup {
.map_err(|_e| DatabaseInconsistencyError)?;
// TODO: don't unwrap
let client = lookup_client_by_client_id(executor, &self.client_id)
let client = lookup_client(executor, self.oauth2_client_id)
.await
.unwrap();
@ -340,7 +340,7 @@ pub async fn get_grant_by_id(
og.nonce AS grant_nonce,
og.max_age AS grant_max_age,
og.acr_values AS grant_acr_values,
og.client_id AS client_id,
og.oauth2_client_id AS oauth2_client_id,
og.code AS grant_code,
og.response_type_code AS grant_response_type_code,
og.response_type_token AS grant_response_type_token,
@ -408,7 +408,7 @@ pub async fn lookup_grant_by_code(
og.nonce AS grant_nonce,
og.max_age AS grant_max_age,
og.acr_values AS grant_acr_values,
og.client_id AS client_id,
og.oauth2_client_id AS oauth2_client_id,
og.code AS grant_code,
og.response_type_code AS grant_response_type_code,
og.response_type_token AS grant_response_type_token,
@ -464,10 +464,10 @@ pub async fn derive_session(
IdAndCreationTime,
r#"
INSERT INTO oauth2_sessions
(user_session_id, client_id, scope)
(user_session_id, oauth2_client_id, scope)
SELECT
$1,
og.client_id,
og.oauth2_client_id,
og.scope
FROM
oauth2_authorization_grants og
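Review bot: In the `GrantLookup` hunk, `lookup_client(executor, self.oauth2_client_id).await.unwrap()` keeps the pre-existing `// TODO: don't unwrap`, yet this change is the moment to resolve it: with the new foreign key a missing client row is precisely the broken invariant the line above already reports, so the lookup can become `let client = lookup_client(executor, self.oauth2_client_id).await.map_err(|_e| DatabaseInconsistencyError)?;` instead of panicking inside a request path on any database error. The enclosing method of `GrantLookup` starts and ends outside the hunk, so its exact return type is not visible, but the `?` applied to `DatabaseInconsistencyError` three lines earlier shows the conversion already exists. In the `new_authorization_grant` hunk, binding `&client.data` as the `oauth2_client_id` value relies on `client.data` being the Postgres row id of the client — presumably what this backend stores there, but a short comment on that line would spare the next reader a trip to the data model.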


@ -486,7 +486,7 @@ pub async fn insert_client_from_config(
}
pub async fn truncate_clients(executor: impl PgExecutor<'_>) -> anyhow::Result<()> {
sqlx::query!("TRUNCATE oauth2_client_redirect_uris, oauth2_clients")
sqlx::query!("TRUNCATE oauth2_client_redirect_uris, oauth2_clients RESTART IDENTITY CASCADE")
.execute(executor)
.await?;
Ok(())
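Review bot: With the foreign keys this commit adds, `TRUNCATE oauth2_client_redirect_uris, oauth2_clients RESTART IDENTITY CASCADE` no longer touches only the client tables: `CASCADE` also empties `oauth2_sessions` and `oauth2_authorization_grants` (and whatever cascades from those), so every call to `truncate_clients` is now a global logout. If it runs whenever clients are reloaded from configuration — the sibling `insert_client_from_config` suggests so, but the callers are outside this hunk — a plain service restart would invalidate every session. `RESTART IDENTITY` additionally resets the `oauth2_clients` id sequence, so re-inserted clients receive the same BIGINT ids the deleted ones had, and anything that cached or logged a client id now silently refers to a different client. At minimum document this with `/// Removes every client; the FK cascades also wipe all OAuth2 sessions and grants, and RESTART IDENTITY recycles client ids.`, and drop `RESTART IDENTITY` unless id reuse is intended.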


@ -20,7 +20,7 @@ use mas_data_model::{
use sqlx::{PgConnection, PgExecutor};
use thiserror::Error;
use super::client::{lookup_client_by_client_id, ClientFetchError};
use super::client::{lookup_client, ClientFetchError};
use crate::{DatabaseInconsistencyError, IdAndCreationTime, PostgresqlBackend};
pub async fn add_refresh_token(
@ -64,7 +64,7 @@ struct OAuth2RefreshTokenLookup {
access_token_expires_after: Option<i32>,
access_token_created_at: Option<DateTime<Utc>>,
session_id: i64,
client_id: String,
oauth2_client_id: i64,
scope: String,
user_session_id: i64,
user_session_created_at: DateTime<Utc>,
@ -111,7 +111,7 @@ pub async fn lookup_active_refresh_token(
at.expires_after AS "access_token_expires_after?",
at.created_at AS "access_token_created_at?",
os.id AS "session_id!",
os.client_id AS "client_id!",
os.oauth2_client_id AS "oauth2_client_id!",
os.scope AS "scope!",
us.id AS "user_session_id!",
us.created_at AS "user_session_created_at!",
@ -174,7 +174,7 @@ pub async fn lookup_active_refresh_token(
access_token,
};
let client = lookup_client_by_client_id(&mut *conn, &res.client_id).await?;
let client = lookup_client(&mut *conn, res.oauth2_client_id).await?;
let primary_email = match (
res.user_email_id,


@ -35,7 +35,7 @@ limitations under the License.
<div class="text-center">
<h1 class="text-lg text-center font-medium">Log in</h1>
{% if next and next.kind == "continue_authorization_grant" %}
<p>to continue to <em>{{ next.grant.client.client_id }}</em></p>
<p>to continue to <em>{{ next.grant.client.client_name | default(value=next.grand.client.client_id) }}</em></p>
{% else %}
<p>Use your existing account</p>
{% endif %}
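Review bot: The fallback in `default(value=next.grand.client.client_id)` misspells `grant` as `grand`, so for a client without a `client_name` — the only case in which the fallback is evaluated — the template engine will most likely report an undefined variable and the login page fails to render instead of showing the client id. Change the line to `<p>to continue to <em>{{ next.grant.client.client_name | default(value=next.grant.client.client_id) }}</em></p>`. Displaying a client-chosen name rather than its id also turns this text into a trust indicator for the user, so it is worth confirming that `client_name` only comes from operator configuration (the registration path is not visible here) and that HTML auto-escaping is active for this template.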


@ -33,7 +33,7 @@ limitations under the License.
<div class="text-center">
<h1 class="text-lg text-center font-medium">Confim access</h1>
{% if next and next.kind == "continue_authorization_grant" %}
<p>to continue to <em>{{ next.grant.client.client_id }}</em></p>
<p>to continue to <em>{{ next.grant.client.client_name | default(value=next.grand.client.client_id) }}</em></p>
{% endif %}
</div>
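Review bot: `default(value=next.grand.client.client_id)` references `next.grand` instead of `next.grant`, so on the consent page the fallback path — taken exactly when a client has no `client_name` — resolves an undefined variable and the page will most likely fail to render. The corrected line is `<p>to continue to <em>{{ next.grant.client.client_name | default(value=next.grant.client.client_id) }}</em></p>`. Since this is the page where the user decides whether to grant access, the name shown here is the primary trust cue, and a free-text `client_name` is only safe to display alone if its origin is controlled; consider also showing the client id. The adjacent heading still reads `Confim access` (pre-existing, unchanged context) and should be `Confirm access`.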
<input type="hidden" name="csrf" value="{{ csrf_token }}" />


@ -35,7 +35,7 @@ limitations under the License.
<div class="text-center">
<h1 class="text-lg text-center font-medium">Create your account</h1>
{% if next and next.kind == "continue_authorization_grant" %}
<p>to continue to <em>{{ next.grant.client.client_id }}</em></p>
<p>to continue to <em>{{ next.grant.client.client_name | default(value=next.grand.client.client_id) }}</em></p>
{% endif %}
</div>
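Review bot: The registration page repeats the `next.grand.client.client_id` typo in the `default` filter; `grand` should be `grant`, otherwise clients without a `client_name` break rendering of the page that is supposed to fall back to their id. Use `<p>to continue to <em>{{ next.grant.client.client_name | default(value=next.grant.client.client_id) }}</em></p>`. As the same expression now appears in three templates, a shared Tera macro or include for the "to continue to" line would keep the three copies from drifting again.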
<input type="hidden" name="csrf" value="{{ csrf_token }}" />