feat: tokens on user aggregate (#837)

* fix: fix remove policies in spoolers

* fix: reread of token by id

* fix: update oidc package

* fix: possible nil pointer on token split

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

internal/authz/repository/eventsourcing/eventstore/token_verifier.go

@@ -2,6 +2,11 @@ package eventstore
 
 import (
 	"context"
+	"github.com/caos/logging"
+	usr_model "github.com/caos/zitadel/internal/user/model"
+	usr_event "github.com/caos/zitadel/internal/user/repository/eventsourcing"
+	"github.com/caos/zitadel/internal/user/repository/view/model"
+	"strings"
 	"time"
 
 	"github.com/caos/zitadel/internal/authz/repository/eventsourcing/view"
@@ -16,16 +21,55 @@ type TokenVerifierRepo struct {
 	IAMID                string
 	IAMEvents            *iam_event.IAMEventstore
 	ProjectEvents        *proj_event.ProjectEventstore
+	UserEvents           *usr_event.UserEventstore
 	View                 *view.View
 }
 
+func (repo *TokenVerifierRepo) TokenByID(ctx context.Context, tokenID, userID string) (*usr_model.TokenView, error) {
+	token, viewErr := repo.View.TokenByID(tokenID)
+	if viewErr != nil && !caos_errs.IsNotFound(viewErr) {
+		return nil, viewErr
+	}
+	if caos_errs.IsNotFound(viewErr) {
+		token = new(model.TokenView)
+		token.ID = tokenID
+		token.UserID = userID
+	}
+
+	events, esErr := repo.UserEvents.UserEventsByID(ctx, userID, token.Sequence)
+	if caos_errs.IsNotFound(viewErr) && len(events) == 0 {
+		return nil, caos_errs.ThrowNotFound(nil, "EVENT-4T90g", "Errors.Token.NotFound")
+	}
+
+	if esErr != nil {
+		logging.Log("EVENT-5Nm9s").WithError(viewErr).Debug("error retrieving new events")
+		return model.TokenViewToModel(token), nil
+	}
+	viewToken := *token
+	for _, event := range events {
+		err := token.AppendEventIfMyToken(event)
+		if err != nil {
+			return model.TokenViewToModel(&viewToken), nil
+		}
+	}
+	if !token.Expiration.After(time.Now().UTC()) || token.Deactivated {
+		return nil, caos_errs.ThrowNotFound(nil, "EVENT-5Bm9s", "Errors.Token.NotFound")
+	}
+	return model.TokenViewToModel(token), nil
+}
+
 func (repo *TokenVerifierRepo) VerifyAccessToken(ctx context.Context, tokenString, clientID string) (userID string, agentID string, prefLang string, err error) {
 	//TODO: use real key
-	tokenID, err := crypto.DecryptAESString(tokenString, string(repo.TokenVerificationKey[:32]))
+	tokenIDSubject, err := crypto.DecryptAESString(tokenString, string(repo.TokenVerificationKey[:32]))
 	if err != nil {
 		return "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-8EF0zZ", "invalid token")
 	}
-	token, err := repo.View.TokenByID(tokenID)
+
+	splittedToken := strings.Split(tokenIDSubject, ":")
+	if len(splittedToken) != 2 {
+		return "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-GDg3a", "invalid token")
+	}
+	token, err := repo.TokenByID(ctx, splittedToken[0], splittedToken[1])
 	if err != nil {
 		return "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-BxUSiL", "invalid token")
 	}

internal/authz/repository/eventsourcing/repository.go

@@ -2,6 +2,7 @@ package eventsourcing
 
 import (
 	"context"
+	es_user "github.com/caos/zitadel/internal/user/repository/eventsourcing"
 
 	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/auth_request/repository/cache"
@@ -65,6 +66,16 @@ func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults) (*
 	if err != nil {
 		return nil, err
 	}
+	user, err := es_user.StartUser(
+		es_user.UserConfig{
+			Eventstore: es,
+			Cache:      conf.Eventstore.Cache,
+		},
+		systemDefaults,
+	)
+	if err != nil {
+		return nil, err
+	}
 	repos := handler.EventstoreRepos{IamEvents: iam}
 	spool := spooler.StartSpooler(conf.Spooler, es, view, sqlClient, repos, systemDefaults)
 
@@ -85,6 +96,7 @@ func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults) (*
 			IAMID:         systemDefaults.IamID,
 			IAMEvents:     iam,
 			ProjectEvents: project,
+			UserEvents:    user,
 			View:          view,
 		},
 	}, nil

internal/authz/repository/eventsourcing/view/token.go

@@ -1,8 +1,8 @@
 package view
 
 import (
-	"github.com/caos/zitadel/internal/token/repository/view"
-	"github.com/caos/zitadel/internal/token/repository/view/model"
+	usr_view "github.com/caos/zitadel/internal/user/repository/view"
+	usr_view_model "github.com/caos/zitadel/internal/user/repository/view/model"
 	"github.com/caos/zitadel/internal/view/repository"
 )
 
@@ -10,16 +10,12 @@ const (
 	tokenTable = "auth.tokens"
 )
 
-func (v *View) TokenByID(tokenID string) (*model.Token, error) {
-	return view.TokenByID(v.Db, tokenTable, tokenID)
+func (v *View) TokenByID(tokenID string) (*usr_view_model.TokenView, error) {
+	return usr_view.TokenByID(v.Db, tokenTable, tokenID)
 }
 
-func (v *View) IsTokenValid(tokenID string) (bool, error) {
-	return view.IsTokenValid(v.Db, tokenTable, tokenID)
-}
-
-func (v *View) PutToken(token *model.Token) error {
-	err := view.PutToken(v.Db, tokenTable, token)
+func (v *View) PutToken(token *usr_view_model.TokenView) error {
+	err := usr_view.PutToken(v.Db, tokenTable, token)
 	if err != nil {
 		return err
 	}
@@ -27,7 +23,7 @@ func (v *View) PutToken(token *model.Token) error {
 }
 
 func (v *View) DeleteToken(tokenID string, eventSequence uint64) error {
-	err := view.DeleteToken(v.Db, tokenTable, tokenID)
+	err := usr_view.DeleteToken(v.Db, tokenTable, tokenID)
 	if err != nil {
 		return nil
 	}
@@ -35,7 +31,7 @@ func (v *View) DeleteToken(tokenID string, eventSequence uint64) error {
 }
 
 func (v *View) DeleteSessionTokens(agentID, userID string, eventSequence uint64) error {
-	err := view.DeleteSessionTokens(v.Db, tokenTable, agentID, userID)
+	err := usr_view.DeleteSessionTokens(v.Db, tokenTable, agentID, userID)
 	if err != nil {
 		return nil
 	}