feat: tokens on user aggregate (#837)

* fix: fix remove policies in spoolers * fix: reread of token by id * fix: update oidc package * fix: possible nil pointer on token split Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-08-12 05:07:31 +00:00 · 2020-10-15 13:52:41 +02:00
parent fbb30840f1
commit 265b491696
24 changed files with 518 additions and 247 deletions
--- a/internal/user/model/token.go
+++ b/internal/user/model/token.go
@@ -0,0 +1,18 @@
+package model
+
+import (
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"time"
+)
+
+type Token struct {
+	es_models.ObjectRoot
+
+	TokenID           string
+	ApplicationID     string
+	UserAgentID       string
+	Audience          []string
+	Expiration        time.Time
+	Scopes            []string
+	PreferredLanguage string
+}
--- a/internal/user/model/token_view.go
+++ b/internal/user/model/token_view.go
@@ -0,0 +1,61 @@
+package model
+
+import (
+	"time"
+
+	"github.com/caos/zitadel/internal/model"
+)
+
+type TokenView struct {
+	ID                string
+	CreationDate      time.Time
+	ChangeDate        time.Time
+	ResourceOwner     string
+	UserID            string
+	ApplicationID     string
+	UserAgentID       string
+	Audience          []string
+	Expiration        time.Time
+	Scopes            []string
+	Sequence          uint64
+	PreferredLanguage string
+}
+
+type TokenSearchRequest struct {
+	Offset        uint64
+	Limit         uint64
+	SortingColumn TokenSearchKey
+	Asc           bool
+	Queries       []*TokenSearchQuery
+}
+
+type TokenSearchKey int32
+
+const (
+	TokenSearchKeyUnspecified TokenSearchKey = iota
+	TokenSearchKeyTokenID
+	TokenSearchKeyUserID
+	TokenSearchKeyApplicationID
+	TokenSearchKeyUserAgentID
+	TokenSearchKeyExpiration
+	TokenSearchKeyResourceOwner
+)
+
+type TokenSearchQuery struct {
+	Key    TokenSearchKey
+	Method model.SearchMethod
+	Value  string
+}
+
+type TokenSearchResponse struct {
+	Offset      uint64
+	Limit       uint64
+	TotalResult uint64
+	Result      []*Token
+}
+
+func (r *TokenSearchRequest) EnsureLimit(limit uint64) {
+	if r.Limit == 0 || r.Limit > limit {
+		r.Limit = limit
+	}
+}
--- a/internal/user/repository/eventsourcing/eventstore.go
+++ b/internal/user/repository/eventsourcing/eventstore.go
@@ -634,6 +634,27 @@ func (es *UserEventstore) ExternalLoginChecked(ctx context.Context, userID strin
 	return nil
 }

+func (es *UserEventstore) TokenAdded(ctx context.Context, token *usr_model.Token) (*usr_model.Token, error) {
+	user, err := es.UserByID(ctx, token.AggregateID)
+	if err != nil {
+		return nil, err
+	}
+	id, err := es.idGenerator.Next()
+	if err != nil {
+		return nil, err
+	}
+	token.TokenID = id
+	repoUser := model.UserFromModel(user)
+	repoToken := model.TokenFromModel(token)
+	agg := TokenAddedAggregate(es.AggregateCreator(), repoUser, repoToken)
+	err = es_sdk.Push(ctx, es.PushAggregates, repoToken.AppendEvents, agg)
+	if err != nil {
+		return nil, err
+	}
+	es.userCache.cacheUser(repoUser)
+	return model.TokenToModel(repoToken), nil
+}
+
 func (es *UserEventstore) ChangeMachine(ctx context.Context, machine *usr_model.Machine) (*usr_model.Machine, error) {
 	user, err := es.UserByID(ctx, machine.AggregateID)
 	if err != nil {
--- a/internal/user/repository/eventsourcing/model/token.go
+++ b/internal/user/repository/eventsourcing/model/token.go
@@ -0,0 +1,80 @@
+package model
+
+import (
+	"encoding/json"
+	"time"
+
+	"github.com/caos/logging"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/user/model"
+)
+
+type Token struct {
+	es_models.ObjectRoot
+
+	TokenID           string    `json:"tokenId" gorm:"column:token_id"`
+	ApplicationID     string    `json:"applicationId" gorm:"column:application_id"`
+	UserAgentID       string    `json:"userAgentId" gorm:"column:user_agent_id"`
+	Audience          []string  `json:"audience" gorm:"column:audience"`
+	Scopes            []string  `json:"scopes" gorm:"column:scopes"`
+	Expiration        time.Time `json:"expiration" gorm:"column:expiration"`
+	PreferredLanguage string    `json:"preferredLanguage" gorm:"column:preferred_language"`
+}
+
+func TokenFromModel(token *model.Token) *Token {
+	return &Token{
+		ObjectRoot:        token.ObjectRoot,
+		TokenID:           token.TokenID,
+		ApplicationID:     token.ApplicationID,
+		UserAgentID:       token.UserAgentID,
+		Audience:          token.Audience,
+		Scopes:            token.Scopes,
+		Expiration:        token.Expiration,
+		PreferredLanguage: token.PreferredLanguage,
+	}
+}
+
+func TokenToModel(token *Token) *model.Token {
+	return &model.Token{
+		ObjectRoot:        token.ObjectRoot,
+		TokenID:           token.TokenID,
+		ApplicationID:     token.ApplicationID,
+		UserAgentID:       token.UserAgentID,
+		Audience:          token.Audience,
+		Scopes:            token.Scopes,
+		Expiration:        token.Expiration,
+		PreferredLanguage: token.PreferredLanguage,
+	}
+}
+
+func (t *Token) AppendEvents(events ...*es_models.Event) error {
+	for _, event := range events {
+		if err := t.AppendEvent(event); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (t *Token) AppendEvent(event *es_models.Event) error {
+	switch event.Type {
+	case UserTokenAdded:
+		err := t.setData(event)
+		if err != nil {
+			return err
+		}
+		t.CreationDate = event.CreationDate
+	}
+	return nil
+}
+
+func (t *Token) setData(event *es_models.Event) error {
+	t.ObjectRoot.AppendEvent(event)
+	if err := json.Unmarshal(event.Data, t); err != nil {
+		logging.Log("EVEN-4Fm9s").WithError(err).Error("could not unmarshal event data")
+		return caos_errs.ThrowInternal(err, "MODEL-5Gms9", "could not unmarshal event")
+	}
+	return nil
+}
--- a/internal/user/repository/eventsourcing/model/types.go
+++ b/internal/user/repository/eventsourcing/model/types.go
@@ -67,6 +67,8 @@ const (
 	UserDeactivated models.EventType = "user.deactivated"
 	UserReactivated models.EventType = "user.reactivated"
 	UserRemoved     models.EventType = "user.removed"
+
+	UserTokenAdded models.EventType = "user.token.added"
 )

 // the following consts are for user(v2).human
--- a/internal/user/repository/eventsourcing/user.go
+++ b/internal/user/repository/eventsourcing/user.go
@@ -474,6 +474,16 @@ func ExternalLoginCheckSucceededAggregate(aggCreator *es_models.AggregateCreator
 	}
 }

+func TokenAddedAggregate(aggCreator *es_models.AggregateCreator, user *model.User, token *model.Token) es_sdk.AggregateFunc {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		agg, err := UserAggregateOverwriteContext(ctx, aggCreator, user, user.ResourceOwner, user.AggregateID)
+		if err != nil {
+			return nil, err
+		}
+		return agg.AppendEvent(model.UserTokenAdded, token)
+	}
+}
+
 func MachineChangeAggregate(aggCreator *es_models.AggregateCreator, user *model.User, machine *model.Machine) func(ctx context.Context) (*es_models.Aggregate, error) {
 	return func(ctx context.Context) (*es_models.Aggregate, error) {
 		if machine == nil {
--- a/internal/user/repository/view/model/token.go
+++ b/internal/user/repository/view/model/token.go
@@ -0,0 +1,127 @@
+package model
+
+import (
+	"encoding/json"
+	"github.com/caos/logging"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	usr_model "github.com/caos/zitadel/internal/user/model"
+	usr_es_model "github.com/caos/zitadel/internal/user/repository/eventsourcing/model"
+	"time"
+
+	"github.com/lib/pq"
+)
+
+const (
+	TokenKeyTokenID       = "id"
+	TokenKeyUserID        = "user_id"
+	TokenKeyApplicationID = "application_id"
+	TokenKeyUserAgentID   = "user_agent_id"
+	TokenKeyExpiration    = "expiration"
+	TokenKeyResourceOwner = "resource_owner"
+)
+
+type TokenView struct {
+	ID                string         `json:"tokenId" gorm:"column:id;primary_key"`
+	CreationDate      time.Time      `json:"-" gorm:"column:creation_date"`
+	ChangeDate        time.Time      `json:"-" gorm:"column:change_date"`
+	ResourceOwner     string         `json:"-" gorm:"column:resource_owner"`
+	UserID            string         `json:"-" gorm:"column:user_id"`
+	ApplicationID     string         `json:"applicationId" gorm:"column:application_id"`
+	UserAgentID       string         `json:"userAgentId" gorm:"column:user_agent_id"`
+	Audience          pq.StringArray `json:"audience" gorm:"column:audience"`
+	Scopes            pq.StringArray `json:"scopes" gorm:"column:scopes"`
+	Expiration        time.Time      `json:"expiration" gorm:"column:expiration"`
+	Sequence          uint64         `json:"-" gorm:"column:sequence"`
+	PreferredLanguage string         `json:"preferredLanguage" gorm:"column:preferred_language"`
+	Deactivated       bool           `json:"-" gorm:"-"`
+}
+
+func TokenViewFromModel(token *usr_model.TokenView) *TokenView {
+	return &TokenView{
+		ID:                token.ID,
+		CreationDate:      token.CreationDate,
+		ChangeDate:        token.ChangeDate,
+		ResourceOwner:     token.ResourceOwner,
+		UserID:            token.UserID,
+		ApplicationID:     token.ApplicationID,
+		UserAgentID:       token.UserAgentID,
+		Audience:          token.Audience,
+		Scopes:            token.Scopes,
+		Expiration:        token.Expiration,
+		Sequence:          token.Sequence,
+		PreferredLanguage: token.PreferredLanguage,
+	}
+}
+
+func TokenViewToModel(token *TokenView) *usr_model.TokenView {
+	return &usr_model.TokenView{
+		ID:                token.ID,
+		CreationDate:      token.CreationDate,
+		ChangeDate:        token.ChangeDate,
+		ResourceOwner:     token.ResourceOwner,
+		UserID:            token.UserID,
+		ApplicationID:     token.ApplicationID,
+		UserAgentID:       token.UserAgentID,
+		Audience:          token.Audience,
+		Scopes:            token.Scopes,
+		Expiration:        token.Expiration,
+		Sequence:          token.Sequence,
+		PreferredLanguage: token.PreferredLanguage,
+	}
+}
+
+func (t *TokenView) AppendEventIfMyToken(event *models.Event) (err error) {
+	view := new(TokenView)
+	switch event.Type {
+	case usr_es_model.UserTokenAdded:
+		view.setRootData(event)
+		err = view.setData(event)
+	case usr_es_model.UserRemoved,
+		usr_es_model.UserDeactivated,
+		usr_es_model.UserLocked:
+		t.Deactivated = true
+		return nil
+	case usr_es_model.UserUnlocked,
+		usr_es_model.UserReactivated:
+		if t.ID != "" && event.CreationDate.Before(t.CreationDate) {
+			t.Deactivated = false
+		}
+		return nil
+	default:
+		return nil
+	}
+	if view.ID == t.ID {
+		return t.AppendEvent(event)
+	}
+	return nil
+}
+
+func (t *TokenView) AppendEvent(event *es_models.Event) error {
+	t.ChangeDate = event.CreationDate
+	t.Sequence = event.Sequence
+	switch event.Type {
+	case usr_es_model.UserTokenAdded:
+		t.setRootData(event)
+		err := t.setData(event)
+		if err != nil {
+			return err
+		}
+		t.CreationDate = event.CreationDate
+	}
+	return nil
+}
+
+func (t *TokenView) setRootData(event *models.Event) {
+	t.UserID = event.AggregateID
+	t.ResourceOwner = event.ResourceOwner
+}
+
+func (t *TokenView) setData(event *es_models.Event) error {
+	if err := json.Unmarshal(event.Data, t); err != nil {
+		logging.Log("EVEN-3Gm9s").WithError(err).Error("could not unmarshal event data")
+		return caos_errs.ThrowInternal(err, "MODEL-5Gms9", "could not unmarshal event")
+	}
+	return nil
+}
--- a/internal/user/repository/view/model/token_query.go
+++ b/internal/user/repository/view/model/token_query.go
@@ -0,0 +1,69 @@
+package model
+
+import (
+	global_model "github.com/caos/zitadel/internal/model"
+	"github.com/caos/zitadel/internal/user/model"
+	"github.com/caos/zitadel/internal/view/repository"
+)
+
+type TokenSearchRequest model.TokenSearchRequest
+type TokenSearchQuery model.TokenSearchQuery
+type TokenSearchKey model.TokenSearchKey
+
+func (req TokenSearchRequest) GetLimit() uint64 {
+	return req.Limit
+}
+
+func (req TokenSearchRequest) GetOffset() uint64 {
+	return req.Offset
+}
+
+func (req TokenSearchRequest) GetSortingColumn() repository.ColumnKey {
+	if req.SortingColumn == model.TokenSearchKeyUnspecified {
+		return nil
+	}
+	return TokenSearchKey(req.SortingColumn)
+}
+
+func (req TokenSearchRequest) GetAsc() bool {
+	return req.Asc
+}
+
+func (req TokenSearchRequest) GetQueries() []repository.SearchQuery {
+	result := make([]repository.SearchQuery, len(req.Queries))
+	for i, q := range req.Queries {
+		result[i] = TokenSearchQuery{Key: q.Key, Value: q.Value, Method: q.Method}
+	}
+	return result
+}
+
+func (req TokenSearchQuery) GetKey() repository.ColumnKey {
+	return TokenSearchKey(req.Key)
+}
+
+func (req TokenSearchQuery) GetMethod() global_model.SearchMethod {
+	return req.Method
+}
+
+func (req TokenSearchQuery) GetValue() interface{} {
+	return req.Value
+}
+
+func (key TokenSearchKey) ToColumnName() string {
+	switch model.TokenSearchKey(key) {
+	case model.TokenSearchKeyTokenID:
+		return TokenKeyTokenID
+	case model.TokenSearchKeyUserAgentID:
+		return TokenKeyUserAgentID
+	case model.TokenSearchKeyUserID:
+		return TokenKeyUserID
+	case model.TokenSearchKeyApplicationID:
+		return TokenKeyApplicationID
+	case model.TokenSearchKeyExpiration:
+		return TokenKeyExpiration
+	case model.TokenSearchKeyResourceOwner:
+		return TokenKeyResourceOwner
+	default:
+		return ""
+	}
+}
--- a/internal/user/repository/view/token_view.go
+++ b/internal/user/repository/view/token_view.go
@@ -0,0 +1,72 @@
+package view
+
+import (
+	"github.com/caos/zitadel/internal/errors"
+	global_model "github.com/caos/zitadel/internal/model"
+	"github.com/caos/zitadel/internal/user/model"
+	usr_model "github.com/caos/zitadel/internal/user/repository/view/model"
+	"github.com/caos/zitadel/internal/view/repository"
+	"github.com/jinzhu/gorm"
+	"github.com/lib/pq"
+)
+
+func TokenByID(db *gorm.DB, table, tokenID string) (*usr_model.TokenView, error) {
+	token := new(usr_model.TokenView)
+	query := repository.PrepareGetByKey(table, usr_model.TokenSearchKey(model.TokenSearchKeyTokenID), tokenID)
+	err := query(db, token)
+	if errors.IsNotFound(err) {
+		return nil, errors.ThrowNotFound(nil, "VIEW-6ub3p", "Errors.Token.NotFound")
+	}
+	return token, err
+}
+
+func TokensByUserID(db *gorm.DB, table, userID string) ([]*usr_model.TokenView, error) {
+	tokens := make([]*usr_model.TokenView, 0)
+	userIDQuery := &model.TokenSearchQuery{
+		Key:    model.TokenSearchKeyUserID,
+		Method: global_model.SearchMethodEquals,
+		Value:  userID,
+	}
+	query := repository.PrepareSearchQuery(table, usr_model.TokenSearchRequest{
+		Queries: []*model.TokenSearchQuery{userIDQuery},
+	})
+	_, err := query(db, &tokens)
+	return tokens, err
+}
+
+func PutToken(db *gorm.DB, table string, token *usr_model.TokenView) error {
+	save := repository.PrepareSave(table)
+	return save(db, token)
+}
+
+func PutTokens(db *gorm.DB, table string, tokens ...*usr_model.TokenView) error {
+	save := repository.PrepareBulkSave(table)
+	t := make([]interface{}, len(tokens))
+	for i, token := range tokens {
+		t[i] = token
+	}
+	return save(db, t...)
+}
+
+func DeleteToken(db *gorm.DB, table, tokenID string) error {
+	delete := repository.PrepareDeleteByKey(table, usr_model.TokenSearchKey(model.TokenSearchKeyTokenID), tokenID)
+	return delete(db)
+}
+
+func DeleteSessionTokens(db *gorm.DB, table, agentID, userID string) error {
+	delete := repository.PrepareDeleteByKeys(table,
+		repository.Key{Key: usr_model.TokenSearchKey(model.TokenSearchKeyUserAgentID), Value: agentID},
+		repository.Key{Key: usr_model.TokenSearchKey(model.TokenSearchKeyUserID), Value: userID},
+	)
+	return delete(db)
+}
+
+func DeleteUserTokens(db *gorm.DB, table, userID string) error {
+	delete := repository.PrepareDeleteByKey(table, usr_model.TokenSearchKey(model.TokenSearchKeyUserID), userID)
+	return delete(db)
+}
+
+func DeleteApplicationTokens(db *gorm.DB, table string, appIDs []string) error {
+	delete := repository.PrepareDeleteByKey(table, usr_model.TokenSearchKey(model.TokenSearchKeyApplicationID), pq.StringArray(appIDs))
+	return delete(db)
+}