2023-07-10 15:27:00 +02:00
|
|
|
package command
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
|
|
"github.com/zitadel/zitadel/internal/repository/authrequest"
|
2023-12-08 16:30:55 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
2023-07-10 15:27:00 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
type AuthRequestWriteModel struct {
|
|
|
|
eventstore.WriteModel
|
|
|
|
aggregate *eventstore.Aggregate
|
|
|
|
|
|
|
|
LoginClient string
|
|
|
|
ClientID string
|
|
|
|
RedirectURI string
|
|
|
|
State string
|
|
|
|
Nonce string
|
|
|
|
Scope []string
|
|
|
|
Audience []string
|
|
|
|
ResponseType domain.OIDCResponseType
|
|
|
|
CodeChallenge *domain.OIDCCodeChallenge
|
|
|
|
Prompt []domain.Prompt
|
|
|
|
UILocales []string
|
|
|
|
MaxAge *time.Duration
|
|
|
|
LoginHint *string
|
|
|
|
HintUserID *string
|
|
|
|
SessionID string
|
|
|
|
UserID string
|
|
|
|
AuthTime time.Time
|
2023-07-12 14:24:01 +02:00
|
|
|
AuthMethods []domain.UserAuthMethodType
|
2023-07-10 15:27:00 +02:00
|
|
|
AuthRequestState domain.AuthRequestState
|
|
|
|
}
|
|
|
|
|
|
|
|
func NewAuthRequestWriteModel(ctx context.Context, id string) *AuthRequestWriteModel {
|
|
|
|
return &AuthRequestWriteModel{
|
|
|
|
WriteModel: eventstore.WriteModel{
|
|
|
|
AggregateID: id,
|
|
|
|
},
|
|
|
|
aggregate: &authrequest.NewAggregate(id, authz.GetInstance(ctx).InstanceID()).Aggregate,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (m *AuthRequestWriteModel) Reduce() error {
|
|
|
|
for _, event := range m.Events {
|
|
|
|
switch e := event.(type) {
|
|
|
|
case *authrequest.AddedEvent:
|
|
|
|
m.LoginClient = e.LoginClient
|
|
|
|
m.ClientID = e.ClientID
|
|
|
|
m.RedirectURI = e.RedirectURI
|
|
|
|
m.State = e.State
|
|
|
|
m.Nonce = e.Nonce
|
|
|
|
m.Scope = e.Scope
|
|
|
|
m.Audience = e.Audience
|
|
|
|
m.ResponseType = e.ResponseType
|
|
|
|
m.CodeChallenge = e.CodeChallenge
|
|
|
|
m.Prompt = e.Prompt
|
|
|
|
m.UILocales = e.UILocales
|
|
|
|
m.MaxAge = e.MaxAge
|
|
|
|
m.LoginHint = e.LoginHint
|
|
|
|
m.HintUserID = e.HintUserID
|
|
|
|
m.AuthRequestState = domain.AuthRequestStateAdded
|
|
|
|
case *authrequest.SessionLinkedEvent:
|
|
|
|
m.SessionID = e.SessionID
|
|
|
|
m.UserID = e.UserID
|
|
|
|
m.AuthTime = e.AuthTime
|
2023-07-12 14:24:01 +02:00
|
|
|
m.AuthMethods = e.AuthMethods
|
2023-07-10 15:27:00 +02:00
|
|
|
case *authrequest.CodeAddedEvent:
|
|
|
|
m.AuthRequestState = domain.AuthRequestStateCodeAdded
|
|
|
|
case *authrequest.FailedEvent:
|
|
|
|
m.AuthRequestState = domain.AuthRequestStateFailed
|
|
|
|
case *authrequest.CodeExchangedEvent:
|
|
|
|
m.AuthRequestState = domain.AuthRequestStateCodeExchanged
|
|
|
|
case *authrequest.SucceededEvent:
|
|
|
|
m.AuthRequestState = domain.AuthRequestStateSucceeded
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return m.WriteModel.Reduce()
|
|
|
|
}
|
|
|
|
|
|
|
|
func (m *AuthRequestWriteModel) Query() *eventstore.SearchQueryBuilder {
|
|
|
|
return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
|
|
|
|
AddQuery().
|
|
|
|
AggregateTypes(authrequest.AggregateType).
|
|
|
|
AggregateIDs(m.AggregateID).
|
|
|
|
Builder()
|
|
|
|
}
|
|
|
|
|
|
|
|
// CheckAuthenticated checks that the auth request exists, a session must have been linked
|
|
|
|
// and in case of a Code Flow the code must have been exchanged
|
|
|
|
func (m *AuthRequestWriteModel) CheckAuthenticated() error {
|
|
|
|
if m.SessionID == "" {
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowPreconditionFailed(nil, "AUTHR-SF2r2", "Errors.AuthRequest.NotAuthenticated")
|
2023-07-10 15:27:00 +02:00
|
|
|
}
|
|
|
|
// in case of OIDC Code Flow, the code must have been exchanged
|
|
|
|
if m.ResponseType == domain.OIDCResponseTypeCode && m.AuthRequestState == domain.AuthRequestStateCodeExchanged {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
// in case of OIDC Implicit Flow, check that the requests exists, but has not succeeded yet
|
|
|
|
if (m.ResponseType == domain.OIDCResponseTypeIDToken || m.ResponseType == domain.OIDCResponseTypeIDTokenToken) &&
|
|
|
|
m.AuthRequestState == domain.AuthRequestStateAdded {
|
|
|
|
return nil
|
|
|
|
}
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowPreconditionFailed(nil, "AUTHR-sajk3", "Errors.AuthRequest.NotAuthenticated")
|
2023-07-10 15:27:00 +02:00
|
|
|
}
|