mirror of
https://github.com/pocket-id/pocket-id.git
synced 2026-07-18 08:49:54 +00:00
844 lines
26 KiB
Go
844 lines
26 KiB
Go
package oidc
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"net/url"
|
|
"time"
|
|
|
|
"github.com/ory/fosite"
|
|
fositeoauth2 "github.com/ory/fosite/handler/oauth2"
|
|
"github.com/ory/fosite/handler/openid"
|
|
"github.com/ory/fosite/handler/pkce"
|
|
"github.com/ory/fosite/handler/rfc8628"
|
|
fositestorage "github.com/ory/fosite/storage"
|
|
"github.com/pocket-id/pocket-id/backend/internal/model"
|
|
datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
|
|
"gorm.io/gorm"
|
|
"gorm.io/gorm/clause"
|
|
)
|
|
|
|
const (
|
|
sessionKindAuthorizeCode = "authorize_code"
|
|
sessionKindAccessToken = "access_token"
|
|
sessionKindRefreshToken = "refresh_token"
|
|
sessionKindPKCE = "pkce"
|
|
sessionKindOpenID = "openid"
|
|
sessionKindPAR = "par"
|
|
sessionKindDeviceCode = "device_code"
|
|
sessionKindUserCode = "user_code"
|
|
)
|
|
|
|
var (
|
|
_ fosite.Storage = (*Store)(nil)
|
|
_ fosite.PARStorage = (*Store)(nil)
|
|
_ fositeoauth2.CoreStorage = (*Store)(nil)
|
|
_ fositeoauth2.TokenRevocationStorage = (*Store)(nil)
|
|
_ rfc8628.RFC8628CoreStorage = (*Store)(nil)
|
|
_ openid.OpenIDConnectRequestStorage = (*Store)(nil)
|
|
_ pkce.PKCERequestStorage = (*Store)(nil)
|
|
_ fositestorage.Transactional = (*Store)(nil)
|
|
)
|
|
|
|
// NewStore creates the fosite storage. Exported for packages that need to seed or
|
|
// revoke sessions (e.g. the e2e test service).
|
|
func NewStore(db *gorm.DB, apiAccess APIAccessProvider) *Store {
|
|
return &Store{db: db, apiAccess: apiAccess}
|
|
}
|
|
|
|
type Store struct {
|
|
db *gorm.DB
|
|
apiAccess APIAccessProvider
|
|
issuer string
|
|
}
|
|
|
|
// WithIssuer sets the issuer that is added as an extra audience to access tokens carrying an identity scope, so they can be presented to Pocket ID's own endpoints such as /userinfo
|
|
// It returns the store to allow chaining at construction
|
|
func (s *Store) WithIssuer(issuer string) *Store {
|
|
s.issuer = issuer
|
|
return s
|
|
}
|
|
|
|
type storedRequester struct {
|
|
Authorize bool `json:"authorize,omitempty"`
|
|
|
|
ID string `json:"id"`
|
|
RequestedAt time.Time `json:"requested_at"`
|
|
ClientID string `json:"client_id"`
|
|
RequestedScope fosite.Arguments `json:"requested_scope,omitempty"`
|
|
GrantedScope fosite.Arguments `json:"granted_scope,omitempty"`
|
|
Form url.Values `json:"form,omitempty"`
|
|
Session *Session `json:"session,omitempty"`
|
|
RequestedAudience fosite.Arguments `json:"requested_audience,omitempty"`
|
|
GrantedAudience fosite.Arguments `json:"granted_audience,omitempty"`
|
|
Device bool `json:"device,omitempty"`
|
|
UserCodeState fosite.UserCodeState `json:"user_code_state,omitempty"`
|
|
|
|
ResponseTypes fosite.Arguments `json:"response_types,omitempty"`
|
|
RedirectURI string `json:"redirect_uri,omitempty"`
|
|
State string `json:"state,omitempty"`
|
|
HandledResponseTypes fosite.Arguments `json:"handled_response_types,omitempty"`
|
|
ResponseMode fosite.ResponseModeType `json:"response_mode,omitempty"`
|
|
DefaultResponseMode fosite.ResponseModeType `json:"default_response_mode,omitempty"`
|
|
}
|
|
|
|
// Satisfies fosite.Storage
|
|
|
|
func (s *Store) GetClient(ctx context.Context, id string) (fosite.Client, error) {
|
|
tx := s.dbFor(ctx)
|
|
|
|
var clientModel model.OidcClient
|
|
err := tx.
|
|
Preload("AllowedUserGroups").
|
|
First(&clientModel, "id = ?", id).
|
|
Error
|
|
if errors.Is(err, gorm.ErrRecordNotFound) {
|
|
return nil, fosite.ErrNotFound
|
|
} else if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
client := Client{OidcClient: clientModel}
|
|
|
|
// Populate the custom-API scopes and audiences the client may request only when the API feature is wired
|
|
if s.apiAccess != nil {
|
|
apiScopes, apiAudiences, err := s.apiAccess.ClientAPIScopes(ctx, tx, id)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
client.apiScopes = apiScopes
|
|
client.apiAudiences = apiAudiences
|
|
}
|
|
|
|
return client, nil
|
|
}
|
|
|
|
func (s *Store) ClientAssertionJWTValid(ctx context.Context, jti string) error {
|
|
var count int64
|
|
err := s.dbFor(ctx).
|
|
Model(&clientAssertionJTI{}).
|
|
Where("jti = ? AND expires_at > ?", jti, datatype.DateTime(time.Now())).
|
|
Count(&count).
|
|
Error
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if count > 0 {
|
|
return fosite.ErrJTIKnown
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (s *Store) SetClientAssertionJWT(ctx context.Context, jti string, exp time.Time) error {
|
|
err := s.dbFor(ctx).Create(&clientAssertionJTI{
|
|
JTI: jti,
|
|
ExpiresAt: datatype.DateTime(exp),
|
|
}).Error
|
|
if errors.Is(err, gorm.ErrDuplicatedKey) {
|
|
return fosite.ErrJTIKnown
|
|
}
|
|
return err
|
|
}
|
|
|
|
// Satisfies fositeoauth2.CoreStorage
|
|
|
|
func (s *Store) CreateAuthorizeCodeSession(ctx context.Context, code string, request fosite.Requester) error {
|
|
return s.upsertSession(ctx, sessionKindAuthorizeCode, code, request, "", true, fosite.AuthorizeCode)
|
|
}
|
|
|
|
func (s *Store) GetAuthorizeCodeSession(ctx context.Context, code string, _ fosite.Session) (fosite.Requester, error) {
|
|
request, active, err := s.getRequesterSession(ctx, sessionKindAuthorizeCode, code)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !active {
|
|
return request, fosite.ErrInvalidatedAuthorizeCode
|
|
}
|
|
return request, nil
|
|
}
|
|
|
|
func (s *Store) InvalidateAuthorizeCodeSession(ctx context.Context, code string) error {
|
|
return s.deactivateSession(ctx, sessionKindAuthorizeCode, code)
|
|
}
|
|
|
|
func (s *Store) CreateAccessTokenSession(ctx context.Context, signature string, request fosite.Requester) error {
|
|
// userinfo and introspection read the granted audience from the persisted access token session, so an access token granted an identity scope is stored with the issuer added to its audience, letting it be presented to Pocket ID's own identity endpoints
|
|
// A token audienced only to a custom API carries no identity scope here and so never gains the issuer audience
|
|
return s.upsertSession(ctx, sessionKindAccessToken, signature, withIdentityAudience(request, s.issuer), "", true, fosite.AccessToken)
|
|
}
|
|
|
|
func (s *Store) GetAccessTokenSession(ctx context.Context, signature string, _ fosite.Session) (fosite.Requester, error) {
|
|
request, _, err := s.getRequesterSession(ctx, sessionKindAccessToken, signature)
|
|
return request, err
|
|
}
|
|
|
|
func (s *Store) DeleteAccessTokenSession(ctx context.Context, signature string) error {
|
|
return s.deleteSession(ctx, sessionKindAccessToken, signature)
|
|
}
|
|
|
|
func (s *Store) CreateRefreshTokenSession(ctx context.Context, signature string, accessSignature string, request fosite.Requester) error {
|
|
return s.upsertSession(ctx, sessionKindRefreshToken, signature, request, accessSignature, true, fosite.RefreshToken)
|
|
}
|
|
|
|
func (s *Store) GetRefreshTokenSession(ctx context.Context, signature string, _ fosite.Session) (fosite.Requester, error) {
|
|
request, active, err := s.getRequesterSession(ctx, sessionKindRefreshToken, signature)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !active {
|
|
return request, fosite.ErrInactiveToken
|
|
}
|
|
return request, nil
|
|
}
|
|
|
|
func (s *Store) DeleteRefreshTokenSession(ctx context.Context, signature string) error {
|
|
return s.deleteSession(ctx, sessionKindRefreshToken, signature)
|
|
}
|
|
|
|
func (s *Store) RotateRefreshToken(ctx context.Context, requestID string, refreshTokenSignature string) error {
|
|
if err := s.deactivateSession(ctx, sessionKindRefreshToken, refreshTokenSignature); err != nil {
|
|
return err
|
|
}
|
|
return s.RevokeAccessToken(ctx, requestID)
|
|
}
|
|
|
|
// Satisfies fositeoauth2.TokenRevocationStorage
|
|
|
|
func (s *Store) RevokeRefreshToken(ctx context.Context, requestID string) error {
|
|
return s.dbFor(ctx).
|
|
Model(&OAuth2Session{}).
|
|
Where("kind = ? AND request_id = ?", sessionKindRefreshToken, requestID).
|
|
Update("active", false).
|
|
Error
|
|
}
|
|
|
|
func (s *Store) RevokeAccessToken(ctx context.Context, requestID string) error {
|
|
return s.dbFor(ctx).
|
|
Where("kind = ? AND request_id = ?", sessionKindAccessToken, requestID).
|
|
Delete(&OAuth2Session{}).
|
|
Error
|
|
}
|
|
|
|
func (s *Store) RevokeSessionsByIDTokenHint(ctx context.Context, userID, clientID, idTokenJTI string) error {
|
|
_, jtiMatches, err := s.findUserClientRequestIDs(ctx, userID, clientID, idTokenJTI)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return s.revokeRequestIDs(ctx, jtiMatches)
|
|
}
|
|
|
|
func RevokeUserClientSessions(ctx context.Context, db *gorm.DB, userID, clientID string) error {
|
|
s := NewStore(db, nil)
|
|
requestIDs, _, err := s.findUserClientRequestIDs(ctx, userID, clientID, "")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return s.revokeRequestIDs(ctx, requestIDs)
|
|
}
|
|
|
|
func (s *Store) findUserClientRequestIDs(ctx context.Context, userID, clientID, idTokenJTI string) (candidates []string, jtiMatches []string, err error) {
|
|
var sessions []OAuth2Session
|
|
err = s.dbFor(ctx).
|
|
Where("kind = ? AND active = ?", sessionKindRefreshToken, true).
|
|
Find(&sessions).
|
|
Error
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
candidateRequestIDs := map[string]struct{}{}
|
|
matchingRequestIDs := map[string]struct{}{}
|
|
for _, session := range sessions {
|
|
requester, err := s.decodeRequester(ctx, session.RequestData)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
requestSession := requester.GetSession()
|
|
if requestSession == nil || requester.GetClient().GetID() != clientID || requestSession.GetSubject() != userID {
|
|
continue
|
|
}
|
|
|
|
// Add all sessions that match the user and client
|
|
candidateRequestIDs[session.RequestID] = struct{}{}
|
|
// Only add sessions that also match the ID token hint JTI
|
|
if storedSession, ok := requestSession.(*Session); ok && idTokenJTI != "" && storedSession.IDTokenClaims().JTI == idTokenJTI {
|
|
matchingRequestIDs[session.RequestID] = struct{}{}
|
|
}
|
|
}
|
|
|
|
return mapKeys(candidateRequestIDs), mapKeys(matchingRequestIDs), nil
|
|
}
|
|
|
|
func (s *Store) revokeRequestIDs(ctx context.Context, requestIDs []string) error {
|
|
if len(requestIDs) == 0 {
|
|
return nil
|
|
}
|
|
|
|
if err := s.dbFor(ctx).
|
|
Model(&OAuth2Session{}).
|
|
Where("kind = ? AND request_id IN ?", sessionKindRefreshToken, requestIDs).
|
|
Update("active", false).
|
|
Error; err != nil {
|
|
return err
|
|
}
|
|
|
|
return s.dbFor(ctx).
|
|
Where("kind = ? AND request_id IN ?", sessionKindAccessToken, requestIDs).
|
|
Delete(&OAuth2Session{}).
|
|
Error
|
|
}
|
|
|
|
func mapKeys(m map[string]struct{}) []string {
|
|
keys := make([]string, 0, len(m))
|
|
for key := range m {
|
|
keys = append(keys, key)
|
|
}
|
|
return keys
|
|
}
|
|
|
|
// Satisfies pkce.PKCERequestStorage
|
|
|
|
func (s *Store) CreatePKCERequestSession(ctx context.Context, signature string, requester fosite.Requester) error {
|
|
// PKCE sessions share the authorize code lifespan so abandoned ones expire and get cleaned up
|
|
return s.upsertSession(ctx, sessionKindPKCE, signature, requester, "", true, fosite.AuthorizeCode)
|
|
}
|
|
|
|
func (s *Store) GetPKCERequestSession(ctx context.Context, signature string, _ fosite.Session) (fosite.Requester, error) {
|
|
request, _, err := s.getRequesterSession(ctx, sessionKindPKCE, signature)
|
|
return request, err
|
|
}
|
|
|
|
func (s *Store) DeletePKCERequestSession(ctx context.Context, signature string) error {
|
|
return s.deleteSession(ctx, sessionKindPKCE, signature)
|
|
}
|
|
|
|
// Satisfies openid.OpenIDConnectRequestStorage
|
|
|
|
func (s *Store) CreateOpenIDConnectSession(ctx context.Context, authorizeCode string, requester fosite.Requester) error {
|
|
return s.upsertSession(ctx, sessionKindOpenID, authorizeCode, requester, "", true, fosite.AuthorizeCode)
|
|
}
|
|
|
|
func (s *Store) GetOpenIDConnectSession(ctx context.Context, authorizeCode string, _ fosite.Requester) (fosite.Requester, error) {
|
|
request, _, err := s.getRequesterSession(ctx, sessionKindOpenID, authorizeCode)
|
|
if errors.Is(err, fosite.ErrNotFound) {
|
|
return nil, openid.ErrNoSessionFound
|
|
}
|
|
return request, err
|
|
}
|
|
|
|
func (s *Store) DeleteOpenIDConnectSession(ctx context.Context, authorizeCode string) error {
|
|
return s.deleteSession(ctx, sessionKindOpenID, authorizeCode)
|
|
}
|
|
|
|
// Satisfies fosite.PARStorage
|
|
|
|
func (s *Store) CreatePARSession(ctx context.Context, requestURI string, request fosite.AuthorizeRequester) error {
|
|
return s.upsertAuthorizeSession(ctx, sessionKindPAR, requestURI, request, true, fosite.PushedAuthorizeRequestContext)
|
|
}
|
|
|
|
func (s *Store) GetPARSession(ctx context.Context, requestURI string) (fosite.AuthorizeRequester, error) {
|
|
session, err := s.getSession(ctx, sessionKindPAR, requestURI)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !session.Active || session.ExpiresAt == nil || session.ExpiresAt.ToTime().Before(time.Now()) {
|
|
return nil, fosite.ErrNotFound
|
|
}
|
|
|
|
result := s.dbFor(ctx).
|
|
Model(&OAuth2Session{}).
|
|
Where("kind = ? AND key = ? AND active = ?", sessionKindPAR, requestURI, true).
|
|
Update("active", false)
|
|
if result.Error != nil {
|
|
return nil, result.Error
|
|
}
|
|
if result.RowsAffected == 0 {
|
|
return nil, fosite.ErrNotFound
|
|
}
|
|
|
|
return s.decodeAuthorizeRequester(ctx, session.RequestData)
|
|
}
|
|
|
|
func (s *Store) DeletePARSession(ctx context.Context, requestURI string) error {
|
|
return s.deleteSession(ctx, sessionKindPAR, requestURI)
|
|
}
|
|
|
|
// Satisfies rfc8628.RFC8628CoreStorage
|
|
|
|
func (s *Store) CreateDeviceAuthSession(ctx context.Context, deviceCodeSignature, userCodeSignature string, request fosite.DeviceRequester) error {
|
|
requestData, err := s.encodeDeviceRequester(request)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if _, err := s.getSession(ctx, sessionKindUserCode, userCodeSignature); err == nil {
|
|
return fosite.ErrExistingUserCodeSignature
|
|
} else if !errors.Is(err, fosite.ErrNotFound) {
|
|
return err
|
|
}
|
|
|
|
expDeviceCode := expiresAt(request.GetSession(), fosite.DeviceCode)
|
|
expUserCode := expiresAt(request.GetSession(), fosite.UserCode)
|
|
if err := s.storeSession(ctx, sessionKindDeviceCode, deviceCodeSignature, request.GetID(), "", true, requestData, expDeviceCode); err != nil {
|
|
return err
|
|
}
|
|
return s.storeSession(ctx, sessionKindUserCode, userCodeSignature, request.GetID(), "", true, requestData, expUserCode)
|
|
}
|
|
|
|
func (s *Store) GetDeviceCodeSession(ctx context.Context, signature string, _ fosite.Session) (fosite.DeviceRequester, error) {
|
|
request, active, err := s.getDeviceRequesterSession(ctx, sessionKindDeviceCode, signature)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !active {
|
|
return request, fosite.ErrInvalidatedDeviceCode
|
|
}
|
|
return request, nil
|
|
}
|
|
|
|
func (s *Store) InvalidateDeviceCodeSession(ctx context.Context, signature string) error {
|
|
session, err := s.getSession(ctx, sessionKindDeviceCode, signature)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Only flip rows that are still active so two concurrent token requests for the same
|
|
// device code cannot both pass the single-use check and each mint a token set.
|
|
result := s.dbFor(ctx).
|
|
Model(&OAuth2Session{}).
|
|
Where("kind IN ? AND request_id = ? AND active = ?", []string{sessionKindDeviceCode, sessionKindUserCode}, session.RequestID, true).
|
|
Update("active", false)
|
|
if result.Error != nil {
|
|
return result.Error
|
|
}
|
|
if result.RowsAffected == 0 {
|
|
return fosite.ErrNotFound
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (s *Store) GetDeviceCodeSessionByUserCodeSignature(ctx context.Context, signature string) (fosite.DeviceRequester, error) {
|
|
request, active, err := s.getDeviceRequesterSession(ctx, sessionKindUserCode, signature)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !active {
|
|
return nil, fosite.ErrNotFound
|
|
}
|
|
return request, nil
|
|
}
|
|
|
|
func (s *Store) AcceptDeviceCodeSessionByUserCodeSignature(ctx context.Context, signature string, request fosite.DeviceRequester) (string, error) {
|
|
userCodeSession, err := s.getSession(ctx, sessionKindUserCode, signature)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
request.SetUserCodeState(fosite.UserCodeAccepted)
|
|
|
|
requestData, err := s.encodeDeviceRequester(request)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
deviceCodeSession, err := s.getSessionByRequestID(ctx, sessionKindDeviceCode, userCodeSession.RequestID)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
err = s.dbFor(ctx).
|
|
Model(&OAuth2Session{}).
|
|
Where("kind IN ? AND request_id = ?", []string{sessionKindDeviceCode, sessionKindUserCode}, userCodeSession.RequestID).
|
|
Updates(map[string]any{
|
|
"request_data": requestData,
|
|
}).
|
|
Error
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
return deviceCodeSession.Key, nil
|
|
}
|
|
|
|
// Satisfies fositestorage.Transactional
|
|
|
|
func (s *Store) BeginTX(ctx context.Context) (context.Context, error) {
|
|
tx := s.db.WithContext(ctx).Begin()
|
|
if tx.Error != nil {
|
|
return ctx, tx.Error
|
|
}
|
|
return contextWithTx(ctx, tx), nil
|
|
}
|
|
|
|
func (s *Store) Commit(ctx context.Context) error {
|
|
tx, ok := ctx.Value(txContextKey{}).(*gorm.DB)
|
|
if !ok {
|
|
return nil
|
|
}
|
|
return tx.Commit().Error
|
|
}
|
|
|
|
func (s *Store) Rollback(ctx context.Context) error {
|
|
tx, ok := ctx.Value(txContextKey{}).(*gorm.DB)
|
|
if !ok {
|
|
return nil
|
|
}
|
|
return tx.Rollback().Error
|
|
}
|
|
|
|
func (s *Store) upsertSession(ctx context.Context, kind string, key string, requester fosite.Requester, accessTokenSignature string, active bool, expiresAtKey fosite.TokenType) error {
|
|
requestData, err := s.encodeRequester(requester)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return s.storeSession(ctx, kind, key, requester.GetID(), accessTokenSignature, active, requestData, expiresAt(requester.GetSession(), expiresAtKey))
|
|
}
|
|
|
|
func (s *Store) upsertAuthorizeSession(ctx context.Context, kind string, key string, requester fosite.AuthorizeRequester, active bool, expiresAtKey fosite.TokenType) error {
|
|
requestData, err := s.encodeAuthorizeRequester(requester)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return s.storeSession(ctx, kind, key, requester.GetID(), "", active, requestData, expiresAt(requester.GetSession(), expiresAtKey))
|
|
}
|
|
|
|
func (s *Store) storeSession(ctx context.Context, kind string, key string, requestID string, accessTokenSignature string, active bool, requestData string, exp *datatype.DateTime) error {
|
|
session := OAuth2Session{
|
|
Kind: kind,
|
|
Key: key,
|
|
RequestID: requestID,
|
|
AccessTokenSignature: accessTokenSignature,
|
|
Active: active,
|
|
RequestData: requestData,
|
|
ExpiresAt: exp,
|
|
}
|
|
|
|
return s.dbFor(ctx).
|
|
Clauses(clause.OnConflict{
|
|
Columns: []clause.Column{{Name: "kind"}, {Name: "key"}},
|
|
DoUpdates: clause.AssignmentColumns([]string{
|
|
"request_id",
|
|
"access_token_signature",
|
|
"active",
|
|
"request_data",
|
|
"expires_at",
|
|
}),
|
|
}).
|
|
Create(&session).
|
|
Error
|
|
}
|
|
|
|
func (s *Store) getRequesterSession(ctx context.Context, kind string, key string) (fosite.Requester, bool, error) {
|
|
session, err := s.getSession(ctx, kind, key)
|
|
if err != nil {
|
|
return nil, false, err
|
|
}
|
|
|
|
requester, err := s.decodeRequester(ctx, session.RequestData)
|
|
if err != nil {
|
|
return nil, false, err
|
|
}
|
|
|
|
return requester, session.Active, nil
|
|
}
|
|
|
|
func (s *Store) getDeviceRequesterSession(ctx context.Context, kind string, key string) (fosite.DeviceRequester, bool, error) {
|
|
session, err := s.getSession(ctx, kind, key)
|
|
if err != nil {
|
|
return nil, false, err
|
|
}
|
|
|
|
requester, err := s.decodeDeviceRequester(ctx, session.RequestData)
|
|
if err != nil {
|
|
return nil, false, err
|
|
}
|
|
|
|
return requester, session.Active, nil
|
|
}
|
|
|
|
func (s *Store) getSession(ctx context.Context, kind string, key string) (session OAuth2Session, err error) {
|
|
err = s.dbFor(ctx).
|
|
Where("kind = ? AND key = ?", kind, key).
|
|
First(&session).
|
|
Error
|
|
if errors.Is(err, gorm.ErrRecordNotFound) {
|
|
return session, fosite.ErrNotFound
|
|
}
|
|
if err != nil {
|
|
return session, err
|
|
}
|
|
|
|
return session, nil
|
|
}
|
|
|
|
func (s *Store) getSessionByRequestID(ctx context.Context, kind string, requestID string) (session OAuth2Session, err error) {
|
|
err = s.dbFor(ctx).
|
|
Where("kind = ? AND request_id = ?", kind, requestID).
|
|
First(&session).
|
|
Error
|
|
if errors.Is(err, gorm.ErrRecordNotFound) {
|
|
return session, fosite.ErrNotFound
|
|
}
|
|
if err != nil {
|
|
return session, err
|
|
}
|
|
|
|
return session, nil
|
|
}
|
|
|
|
func (s *Store) deleteSession(ctx context.Context, kind string, key string) error {
|
|
return s.dbFor(ctx).
|
|
Where("kind = ? AND key = ?", kind, key).
|
|
Delete(&OAuth2Session{}).
|
|
Error
|
|
}
|
|
|
|
func (s *Store) deactivateSession(ctx context.Context, kind string, key string) error {
|
|
result := s.dbFor(ctx).
|
|
Model(&OAuth2Session{}).
|
|
Where("kind = ? AND key = ? AND active = ?", kind, key, true).
|
|
Update("active", false)
|
|
if result.Error != nil {
|
|
return result.Error
|
|
}
|
|
if result.RowsAffected == 0 {
|
|
return fosite.ErrNotFound
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (s *Store) encodeRequester(requester fosite.Requester) (string, error) {
|
|
stored, err := s.storedRequesterFromRequester(requester)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
data, err := json.Marshal(stored)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return string(data), nil
|
|
}
|
|
|
|
func (s *Store) encodeAuthorizeRequester(requester fosite.AuthorizeRequester) (string, error) {
|
|
stored, err := s.storedRequesterFromRequester(requester)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
stored.Authorize = true
|
|
stored.ResponseTypes = cloneArguments(requester.GetResponseTypes())
|
|
if redirectURI := requester.GetRedirectURI(); redirectURI != nil {
|
|
stored.RedirectURI = redirectURI.String()
|
|
}
|
|
stored.State = requester.GetState()
|
|
stored.ResponseMode = requester.GetResponseMode()
|
|
stored.DefaultResponseMode = requester.GetDefaultResponseMode()
|
|
|
|
if ar, ok := requester.(*fosite.AuthorizeRequest); ok {
|
|
stored.HandledResponseTypes = cloneArguments(ar.HandledResponseTypes)
|
|
}
|
|
|
|
data, err := json.Marshal(stored)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return string(data), nil
|
|
}
|
|
|
|
func (s *Store) encodeDeviceRequester(requester fosite.DeviceRequester) (string, error) {
|
|
stored, err := s.storedRequesterFromRequester(requester)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
stored.Device = true
|
|
stored.UserCodeState = requester.GetUserCodeState()
|
|
|
|
data, err := json.Marshal(stored)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return string(data), nil
|
|
}
|
|
|
|
func (s *Store) storedRequesterFromRequester(requester fosite.Requester) (storedRequester, error) {
|
|
if requester == nil {
|
|
return storedRequester{}, fosite.ErrServerError.WithHint("requester must not be nil")
|
|
}
|
|
|
|
return storedRequester{
|
|
ID: requester.GetID(),
|
|
RequestedAt: requester.GetRequestedAt(),
|
|
ClientID: requester.GetClient().GetID(),
|
|
RequestedScope: cloneArguments(requester.GetRequestedScopes()),
|
|
GrantedScope: cloneArguments(requester.GetGrantedScopes()),
|
|
Form: sanitizeStoredForm(requester.GetRequestForm()),
|
|
Session: cloneSession(requester.GetSession()),
|
|
RequestedAudience: cloneArguments(requester.GetRequestedAudience()),
|
|
GrantedAudience: cloneArguments(requester.GetGrantedAudience()),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Store) decodeRequester(ctx context.Context, data string) (fosite.Requester, error) {
|
|
var stored storedRequester
|
|
if err := json.Unmarshal([]byte(data), &stored); err != nil {
|
|
return nil, err
|
|
}
|
|
if stored.Authorize {
|
|
return s.requesterFromStoredAuthorize(ctx, stored)
|
|
}
|
|
return s.requesterFromStored(ctx, stored)
|
|
}
|
|
|
|
func (s *Store) decodeAuthorizeRequester(ctx context.Context, data string) (fosite.AuthorizeRequester, error) {
|
|
var stored storedRequester
|
|
if err := json.Unmarshal([]byte(data), &stored); err != nil {
|
|
return nil, err
|
|
}
|
|
stored.Authorize = true
|
|
return s.requesterFromStoredAuthorize(ctx, stored)
|
|
}
|
|
|
|
func (s *Store) decodeDeviceRequester(ctx context.Context, data string) (fosite.DeviceRequester, error) {
|
|
var stored storedRequester
|
|
if err := json.Unmarshal([]byte(data), &stored); err != nil {
|
|
return nil, err
|
|
}
|
|
stored.Device = true
|
|
return s.requesterFromStoredDevice(ctx, stored)
|
|
}
|
|
|
|
func (s *Store) requesterFromStored(ctx context.Context, stored storedRequester) (fosite.Requester, error) {
|
|
client, err := s.GetClient(ctx, stored.ClientID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
request := fosite.NewRequest()
|
|
request.ID = stored.ID
|
|
request.RequestedAt = stored.RequestedAt
|
|
request.Client = client
|
|
request.RequestedScope = cloneArguments(stored.RequestedScope)
|
|
request.GrantedScope = cloneArguments(stored.GrantedScope)
|
|
request.Form = cloneValues(stored.Form)
|
|
request.Session = stored.Session
|
|
request.RequestedAudience = cloneArguments(stored.RequestedAudience)
|
|
request.GrantedAudience = cloneArguments(stored.GrantedAudience)
|
|
return request, nil
|
|
}
|
|
|
|
func (s *Store) requesterFromStoredDevice(ctx context.Context, stored storedRequester) (fosite.DeviceRequester, error) {
|
|
requester, err := s.requesterFromStored(ctx, stored)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
base := requester.(*fosite.Request)
|
|
request := fosite.NewDeviceRequest()
|
|
request.Request = *base
|
|
request.UserCodeState = stored.UserCodeState
|
|
return request, nil
|
|
}
|
|
|
|
func (s *Store) requesterFromStoredAuthorize(ctx context.Context, stored storedRequester) (fosite.AuthorizeRequester, error) {
|
|
requester, err := s.requesterFromStored(ctx, stored)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
base := requester.(*fosite.Request)
|
|
request := fosite.NewAuthorizeRequest()
|
|
request.Request = *base
|
|
request.ResponseTypes = cloneArguments(stored.ResponseTypes)
|
|
request.State = stored.State
|
|
request.HandledResponseTypes = cloneArguments(stored.HandledResponseTypes)
|
|
request.ResponseMode = stored.ResponseMode
|
|
request.DefaultResponseMode = stored.DefaultResponseMode
|
|
|
|
if stored.RedirectURI != "" {
|
|
redirectURI, err := url.Parse(stored.RedirectURI)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
request.RedirectURI = redirectURI
|
|
}
|
|
|
|
return request, nil
|
|
}
|
|
|
|
func cloneSession(session fosite.Session) *Session {
|
|
if session == nil {
|
|
return nil
|
|
}
|
|
|
|
if s, ok := session.(*Session); ok {
|
|
cloned := s.Clone()
|
|
if typed, ok := cloned.(*Session); ok {
|
|
return typed
|
|
}
|
|
}
|
|
|
|
cloned := NewEmptySession()
|
|
cloned.Subject = session.GetSubject()
|
|
for _, tokenType := range []fosite.TokenType{
|
|
fosite.AccessToken,
|
|
fosite.RefreshToken,
|
|
fosite.AuthorizeCode,
|
|
fosite.IDToken,
|
|
fosite.PushedAuthorizeRequestContext,
|
|
fosite.DeviceCode,
|
|
fosite.UserCode,
|
|
} {
|
|
if exp := session.GetExpiresAt(tokenType); !exp.IsZero() {
|
|
cloned.SetExpiresAt(tokenType, exp)
|
|
}
|
|
}
|
|
return cloned
|
|
}
|
|
|
|
func cloneArguments(arguments fosite.Arguments) fosite.Arguments {
|
|
if len(arguments) == 0 {
|
|
return fosite.Arguments{}
|
|
}
|
|
cloned := make(fosite.Arguments, len(arguments))
|
|
copy(cloned, arguments)
|
|
return cloned
|
|
}
|
|
|
|
func sanitizeStoredForm(values url.Values) url.Values {
|
|
cloned := cloneValues(values)
|
|
cloned.Del("client_secret")
|
|
cloned.Del("client_assertion")
|
|
return cloned
|
|
}
|
|
|
|
func cloneValues(values url.Values) url.Values {
|
|
if len(values) == 0 {
|
|
return url.Values{}
|
|
}
|
|
cloned := make(url.Values, len(values))
|
|
for key, value := range values {
|
|
cloned[key] = append([]string(nil), value...)
|
|
}
|
|
return cloned
|
|
}
|
|
|
|
func expiresAt(session fosite.Session, tokenType fosite.TokenType) *datatype.DateTime {
|
|
if session == nil || tokenType == "" {
|
|
return nil
|
|
}
|
|
exp := session.GetExpiresAt(tokenType)
|
|
if exp.IsZero() {
|
|
return nil
|
|
}
|
|
return new(datatype.DateTime(exp))
|
|
}
|
|
|
|
func (s *Store) dbFor(ctx context.Context) *gorm.DB {
|
|
return dbFromContext(ctx, s.db)
|
|
}
|