feat: tokens on user aggregate (#837)

* fix: fix remove policies in spoolers * fix: reread of token by id * fix: update oidc package * fix: possible nil pointer on token split Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-08-12 08:37:32 +00:00 · 2020-10-15 13:52:41 +02:00
parent fbb30840f1
commit 265b491696
24 changed files with 518 additions and 247 deletions
--- a/internal/auth/repository/eventsourcing/eventstore/token.go
+++ b/internal/auth/repository/eventsourcing/eventstore/token.go
@@ -2,38 +2,83 @@ package eventstore

 import (
 	"context"
+	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	usr_model "github.com/caos/zitadel/internal/user/model"
+	user_event "github.com/caos/zitadel/internal/user/repository/eventsourcing"
+	"github.com/caos/zitadel/internal/user/repository/view/model"
 	"time"

 	"github.com/caos/zitadel/internal/auth/repository/eventsourcing/view"
-	token_model "github.com/caos/zitadel/internal/token/model"
-	token_view_model "github.com/caos/zitadel/internal/token/repository/view/model"
 )

 type TokenRepo struct {
-	View *view.View
+	UserEvents *user_event.UserEventstore
+	View       *view.View
 }

-func (repo *TokenRepo) CreateToken(ctx context.Context, agentID, applicationID, userID string, audience, scopes []string, lifetime time.Duration) (*token_model.Token, error) {
+func (repo *TokenRepo) CreateToken(ctx context.Context, agentID, applicationID, userID string, audience, scopes []string, lifetime time.Duration) (*usr_model.Token, error) {
 	preferredLanguage := ""
 	user, _ := repo.View.UserByID(userID)
 	if user != nil {
 		preferredLanguage = user.PreferredLanguage
 	}
-	token, err := repo.View.CreateToken(agentID, applicationID, userID, preferredLanguage, audience, scopes, lifetime)
-	if err != nil {
-		return nil, err
+	now := time.Now().UTC()
+	token := &usr_model.Token{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: userID,
+		},
+		UserAgentID:       agentID,
+		ApplicationID:     applicationID,
+		Audience:          audience,
+		Scopes:            scopes,
+		Expiration:        now.Add(lifetime),
+		PreferredLanguage: preferredLanguage,
 	}
-	return token_view_model.TokenToModel(token), nil
+	return repo.UserEvents.TokenAdded(ctx, token)
 }

-func (repo *TokenRepo) IsTokenValid(ctx context.Context, tokenID string) (bool, error) {
-	return repo.View.IsTokenValid(tokenID)
+func (repo *TokenRepo) IsTokenValid(ctx context.Context, userID, tokenID string) (bool, error) {
+	token, err := repo.TokenByID(ctx, userID, tokenID)
+	if err == nil {
+		return token.Expiration.After(time.Now().UTC()), nil
+	}
+	if errors.IsNotFound(err) {
+		return false, nil
+	}
+	return false, err
 }

-func (repo *TokenRepo) TokenByID(ctx context.Context, tokenID string) (*token_model.Token, error) {
-	token, err := repo.View.TokenByID(tokenID)
-	if err != nil {
-		return nil, err
+func (repo *TokenRepo) TokenByID(ctx context.Context, userID, tokenID string) (*usr_model.TokenView, error) {
+	token, viewErr := repo.View.TokenByID(tokenID)
+	if viewErr != nil && !errors.IsNotFound(viewErr) {
+		return nil, viewErr
 	}
-	return token_view_model.TokenToModel(token), nil
+	if errors.IsNotFound(viewErr) {
+		token = new(model.TokenView)
+		token.ID = tokenID
+		token.UserID = userID
+	}
+
+	events, esErr := repo.UserEvents.UserEventsByID(ctx, userID, token.Sequence)
+	if errors.IsNotFound(viewErr) && len(events) == 0 {
+		return nil, errors.ThrowNotFound(nil, "EVENT-4T90g", "Errors.Token.NotFound")
+	}
+
+	if esErr != nil {
+		logging.Log("EVENT-5Nm9s").WithError(viewErr).Debug("error retrieving new events")
+		return model.TokenViewToModel(token), nil
+	}
+	viewToken := *token
+	for _, event := range events {
+		err := token.AppendEventIfMyToken(event)
+		if err != nil {
+			return model.TokenViewToModel(&viewToken), nil
+		}
+	}
+	if !token.Expiration.After(time.Now().UTC()) || token.Deactivated {
+		return nil, errors.ThrowNotFound(nil, "EVENT-5Bm9s", "Errors.Token.NotFound")
+	}
+	return model.TokenViewToModel(token), nil
 }
--- a/internal/auth/repository/eventsourcing/handler/token.go
+++ b/internal/auth/repository/eventsourcing/handler/token.go
@@ -43,6 +43,13 @@ func (u *Token) EventQuery() (*models.SearchQuery, error) {

 func (u *Token) Reduce(event *models.Event) (err error) {
 	switch event.Type {
+	case user_es_model.UserTokenAdded:
+		token := new(view_model.TokenView)
+		err := token.AppendEvent(event)
+		if err != nil {
+			return err
+		}
+		return u.view.PutToken(token)
 	case user_es_model.UserProfileChanged,
 		user_es_model.HumanProfileChanged:
 		user := new(view_model.UserView)
--- a/internal/auth/repository/eventsourcing/repository.go
+++ b/internal/auth/repository/eventsourcing/repository.go
@@ -143,7 +143,10 @@ func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults, au
 			MfaHardwareCheckLifeTime:   systemDefaults.VerificationLifetimes.MfaHardwareCheck.Duration,
 			IAMID:                      systemDefaults.IamID,
 		},
-		eventstore.TokenRepo{View: view},
+		eventstore.TokenRepo{
+			UserEvents: user,
+			View:       view,
+		},
 		eventstore.KeyRepository{
 			KeyEvents:          key,
 			View:               view,
--- a/internal/auth/repository/eventsourcing/view/token.go
+++ b/internal/auth/repository/eventsourcing/view/token.go
@@ -1,62 +1,33 @@
 package view

 import (
+	usr_view "github.com/caos/zitadel/internal/user/repository/view"
+	"github.com/caos/zitadel/internal/user/repository/view/model"
 	"github.com/caos/zitadel/internal/view/repository"
-	"time"
-
-	"github.com/caos/zitadel/internal/token/repository/view"
-	"github.com/caos/zitadel/internal/token/repository/view/model"
 )

 const (
 	tokenTable = "auth.tokens"
 )

-func (v *View) TokenByID(tokenID string) (*model.Token, error) {
-	return view.TokenByID(v.Db, tokenTable, tokenID)
+func (v *View) TokenByID(tokenID string) (*model.TokenView, error) {
+	return usr_view.TokenByID(v.Db, tokenTable, tokenID)
 }

-func (v *View) TokensByUserID(userID string) ([]*model.Token, error) {
-	return view.TokensByUserID(v.Db, tokenTable, userID)
+func (v *View) TokensByUserID(userID string) ([]*model.TokenView, error) {
+	return usr_view.TokensByUserID(v.Db, tokenTable, userID)
 }

-func (v *View) IsTokenValid(tokenID string) (bool, error) {
-	return view.IsTokenValid(v.Db, tokenTable, tokenID)
-}
-
-func (v *View) CreateToken(agentID, applicationID, userID, preferredLanguage string, audience, scopes []string, lifetime time.Duration) (*model.Token, error) {
-	id, err := v.idGenerator.Next()
-	if err != nil {
-		return nil, err
-	}
-	now := time.Now().UTC()
-	token := &model.Token{
-		ID:                id,
-		CreationDate:      now,
-		UserID:            userID,
-		ApplicationID:     applicationID,
-		UserAgentID:       agentID,
-		Scopes:            scopes,
-		Audience:          audience,
-		Expiration:        now.Add(lifetime),
-		PreferredLanguage: preferredLanguage,
-	}
-	if err := view.PutToken(v.Db, tokenTable, token); err != nil {
-		return nil, err
-	}
-	return token, nil
-}
-
-func (v *View) PutToken(token *model.Token) error {
-	err := view.PutToken(v.Db, tokenTable, token)
+func (v *View) PutToken(token *model.TokenView) error {
+	err := usr_view.PutToken(v.Db, tokenTable, token)
 	if err != nil {
 		return err
 	}
 	return v.ProcessedTokenSequence(token.Sequence)
 }

-func (v *View) PutTokens(token []*model.Token, sequence uint64) error {
-	err := view.PutTokens(v.Db, tokenTable, token...)
+func (v *View) PutTokens(token []*model.TokenView, sequence uint64) error {
+	err := usr_view.PutTokens(v.Db, tokenTable, token...)
 	if err != nil {
 		return err
 	}
@@ -64,7 +35,7 @@ func (v *View) PutTokens(token []*model.Token, sequence uint64) error {
 }

 func (v *View) DeleteToken(tokenID string, eventSequence uint64) error {
-	err := view.DeleteToken(v.Db, tokenTable, tokenID)
+	err := usr_view.DeleteToken(v.Db, tokenTable, tokenID)
 	if err != nil {
 		return nil
 	}
@@ -72,7 +43,7 @@ func (v *View) DeleteToken(tokenID string, eventSequence uint64) error {
 }

 func (v *View) DeleteSessionTokens(agentID, userID string, eventSequence uint64) error {
-	err := view.DeleteSessionTokens(v.Db, tokenTable, agentID, userID)
+	err := usr_view.DeleteSessionTokens(v.Db, tokenTable, agentID, userID)
 	if err != nil {
 		return nil
 	}
@@ -80,7 +51,7 @@ func (v *View) DeleteSessionTokens(agentID, userID string, eventSequence uint64)
 }

 func (v *View) DeleteUserTokens(userID string, eventSequence uint64) error {
-	err := view.DeleteUserTokens(v.Db, tokenTable, userID)
+	err := usr_view.DeleteUserTokens(v.Db, tokenTable, userID)
 	if err != nil {
 		return nil
 	}
@@ -88,7 +59,7 @@ func (v *View) DeleteUserTokens(userID string, eventSequence uint64) error {
 }

 func (v *View) DeleteApplicationTokens(eventSequence uint64, ids ...string) error {
-	err := view.DeleteApplicationTokens(v.Db, tokenTable, ids)
+	err := usr_view.DeleteApplicationTokens(v.Db, tokenTable, ids)
 	if err != nil {
 		return nil
 	}
--- a/internal/auth/repository/token.go
+++ b/internal/auth/repository/token.go
@@ -2,13 +2,12 @@ package repository

 import (
 	"context"
+	usr_model "github.com/caos/zitadel/internal/user/model"
 	"time"
-
-	"github.com/caos/zitadel/internal/token/model"
 )

 type TokenRepository interface {
-	CreateToken(ctx context.Context, agentID, applicationID, userID string, audience, scopes []string, lifetime time.Duration) (*model.Token, error)
-	IsTokenValid(ctx context.Context, tokenID string) (bool, error)
-	TokenByID(ctx context.Context, tokenID string) (*model.Token, error)
+	CreateToken(ctx context.Context, agentID, applicationID, userID string, audience, scopes []string, lifetime time.Duration) (*usr_model.Token, error)
+	IsTokenValid(ctx context.Context, userID, tokenID string) (bool, error)
+	TokenByID(ctx context.Context, userID, tokenID string) (*usr_model.TokenView, error)
 }