From 84b20bc4e13de29ac8d5a887b944b45271ebc4a5 Mon Sep 17 00:00:00 2001
From: Silvan
Date: Thu, 15 Sep 2022 14:59:40 +0200
Subject: [PATCH] fix(auth): always get token by id and user id (#4371)
Co-authored-by: Florian Forster
---
 .gitignore | 2 ++
 internal/api/oidc/auth_request.go | 2 +-
 internal/api/oidc/client.go | 4 ++--
 .../auth/repository/eventsourcing/eventstore/token.go | 6 +++---
 internal/auth/repository/eventsourcing/view/token.go | 4 ++--
 internal/auth/repository/token.go | 2 +-
 .../repository/eventsourcing/eventstore/token_verifier.go | 8 ++++----
 internal/authz/repository/eventsourcing/view/token.go | 4 ++--
 internal/user/repository/view/token_view.go | 3 ++-
 9 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/.gitignore b/.gitignore
index ed9eaa0085..5ebb78fb39 100644
--- a/.gitignore
+++ b/.gitignore
@@ -65,3 +65,5 @@ migrations/cockroach/migrate_cloud.go
 !/.artifacts/zitadel
 /zitadel
+go.work
+go.work.sum
\ No newline at end of file
diff --git a/internal/api/oidc/auth_request.go b/internal/api/oidc/auth_request.go
index d32d2e49c2..3c082cc215 100644
--- a/internal/api/oidc/auth_request.go
+++ b/internal/api/oidc/auth_request.go
@@ -174,7 +174,7 @@ func (o *OPStorage) RevokeToken(ctx context.Context, token, userID, clientID str
 }
 return oidc.ErrServerError().WithParent(err)
 }
- accessToken, err := o.repo.TokenByID(ctx, userID, token)
+ accessToken, err := o.repo.TokenByIDs(ctx, userID, token)
 if err != nil {
 if errors.IsNotFound(err) {
 return nil
diff --git a/internal/api/oidc/client.go b/internal/api/oidc/client.go
index f865e57869..0ad114979c 100644
--- a/internal/api/oidc/client.go
+++ b/internal/api/oidc/client.go
@@ -119,7 +119,7 @@ func (o *OPStorage) AuthorizeClientIDSecret(ctx context.Context, id string, secr
 func (o *OPStorage) SetUserinfoFromToken(ctx context.Context, userInfo oidc.UserInfoSetter, tokenID, subject, origin string) (err error) {
 ctx, span := tracing.NewSpan(ctx)
 defer func() { span.EndWithError(err) }()
- token, err := o.repo.TokenByID(ctx, subject, tokenID)
+ token, err := o.repo.TokenByIDs(ctx, subject, tokenID)
 if err != nil {
 return errors.ThrowPermissionDenied(nil, "OIDC-Dsfb2", "token is not valid or has expired")
 }
@@ -154,7 +154,7 @@ func (o *OPStorage) SetUserinfoFromScopes(ctx context.Context, userInfo oidc.Use
 }
 func (o *OPStorage) SetIntrospectionFromToken(ctx context.Context, introspection oidc.IntrospectionResponse, tokenID, subject, clientID string) error {
- token, err := o.repo.TokenByID(ctx, subject, tokenID)
+ token, err := o.repo.TokenByIDs(ctx, subject, tokenID)
 if err != nil {
 return errors.ThrowPermissionDenied(nil, "OIDC-Dsfb2", "token is not valid or has expired")
 }
diff --git a/internal/auth/repository/eventsourcing/eventstore/token.go b/internal/auth/repository/eventsourcing/eventstore/token.go
index d5bc10ea72..46a80f2bfa 100644
--- a/internal/auth/repository/eventsourcing/eventstore/token.go
+++ b/internal/auth/repository/eventsourcing/eventstore/token.go
@@ -23,7 +23,7 @@ type TokenRepo struct {
 }
 func (repo *TokenRepo) IsTokenValid(ctx context.Context, userID, tokenID string) (bool, error) {
- token, err := repo.TokenByID(ctx, userID, tokenID)
+ token, err := repo.TokenByIDs(ctx, userID, tokenID)
 if err == nil {
 return token.Expiration.After(time.Now().UTC()), nil
 }
@@ -33,8 +33,8 @@ func (repo *TokenRepo) IsTokenValid(ctx context.Context, userID, tokenID string)
 return false, err
 }
-func (repo *TokenRepo) TokenByID(ctx context.Context, userID, tokenID string) (*usr_model.TokenView, error) {
- token, viewErr := repo.View.TokenByID(tokenID, authz.GetInstance(ctx).InstanceID())
+func (repo *TokenRepo) TokenByIDs(ctx context.Context, userID, tokenID string) (*usr_model.TokenView, error) {
+ token, viewErr := repo.View.TokenByIDs(tokenID, userID, authz.GetInstance(ctx).InstanceID())
 if viewErr != nil && !errors.IsNotFound(viewErr) {
 return nil, viewErr
 }
diff --git a/internal/auth/repository/eventsourcing/view/token.go b/internal/auth/repository/eventsourcing/view/token.go
index c333e9fe36..a5289f2efd 100644
--- a/internal/auth/repository/eventsourcing/view/token.go
+++ b/internal/auth/repository/eventsourcing/view/token.go
@@ -12,8 +12,8 @@ const (
 tokenTable = "auth.tokens"
 )
-func (v *View) TokenByID(tokenID, instanceID string) (*model.TokenView, error) {
- return usr_view.TokenByID(v.Db, tokenTable, tokenID, instanceID)
+func (v *View) TokenByIDs(tokenID, userID, instanceID string) (*model.TokenView, error) {
+ return usr_view.TokenByIDs(v.Db, tokenTable, tokenID, userID, instanceID)
 }
 func (v *View) TokensByUserID(userID, instanceID string) ([]*model.TokenView, error) {
diff --git a/internal/auth/repository/token.go b/internal/auth/repository/token.go
index 0c0214a3f8..a448a5f4ed 100644
--- a/internal/auth/repository/token.go
+++ b/internal/auth/repository/token.go
@@ -8,5 +8,5 @@ import (
 type TokenRepository interface {
 IsTokenValid(ctx context.Context, userID, tokenID string) (bool, error)
- TokenByID(ctx context.Context, userID, tokenID string) (*usr_model.TokenView, error)
+ TokenByIDs(ctx context.Context, userID, tokenID string) (*usr_model.TokenView, error)
 }
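Review bot: The new `TokenByIDs` on `TokenRepo` carries no doc comment, and the property this commit introduces — that a token is resolved only when tokenID belongs to userID in the current instance — is precisely the invariant a later maintainer must not weaken, so it should be stated where the signature is; suggested: `// TokenByIDs returns the token identified by tokenID only if it belongs to userID in the instance taken from ctx; a token ID on its own must never be enough to resolve a token.` The same comment belongs on the `TokenRepository` interface method and on the `View.TokenByIDs` wrappers changed in this commit, so implementers know the user filter is part of the contract and not an optimisation. The hunk ends right after the NotFound branch; the rest of `TokenByIDs` is outside the hunk, and if it falls back to a second source after a NotFound from the view, that path presumably needs the same userID scoping — worth confirming.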
diff --git a/internal/authz/repository/eventsourcing/eventstore/token_verifier.go b/internal/authz/repository/eventsourcing/eventstore/token_verifier.go
index 721b0401e8..a48e5dcf7e 100644
--- a/internal/authz/repository/eventsourcing/eventstore/token_verifier.go
+++ b/internal/authz/repository/eventsourcing/eventstore/token_verifier.go
@@ -49,7 +49,7 @@ func (repo *TokenVerifierRepo) tokenByID(ctx context.Context, tokenID, userID st
 OnError(err).
 Errorf("could not get current sequence for token check")
- token, viewErr := repo.View.TokenByID(tokenID, instanceID)
+ token, viewErr := repo.View.TokenByIDs(tokenID, userID, instanceID)
 if viewErr != nil && !caos_errs.IsNotFound(viewErr) {
 return nil, viewErr
 }
@@ -146,7 +146,7 @@ func (repo *TokenVerifierRepo) getUserEvents(ctx context.Context, userID, instan
 return repo.Eventstore.FilterEvents(ctx, query)
 }
-//getTokenIDAndSubject returns the TokenID and Subject of both opaque tokens and JWTs
+// getTokenIDAndSubject returns the TokenID and Subject of both opaque tokens and JWTs
 func (repo *TokenVerifierRepo) getTokenIDAndSubject(ctx context.Context, accessToken string) (tokenID string, subject string, valid bool) {
 // accessToken can be either opaque or JWT
 // let's try opaque first:
@@ -188,8 +188,8 @@ type openIDKeySet struct {
 *query.Queries
 }
-//VerifySignature implements the oidc.KeySet interface
-//providing an implementation for the keys retrieved directly from Queries
+// VerifySignature implements the oidc.KeySet interface
+// providing an implementation for the keys retrieved directly from Queries
 func (o *openIDKeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) ([]byte, error) {
 keySet, err := o.Queries.ActivePublicKeys(ctx, time.Now())
 if err != nil {
diff --git a/internal/authz/repository/eventsourcing/view/token.go b/internal/authz/repository/eventsourcing/view/token.go
index 330fb4bee5..2c8aead649 100644
--- a/internal/authz/repository/eventsourcing/view/token.go
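Review bot: The enclosing method keeps the name `tokenByID` while its body now performs the lookup by token and user, `repo.View.TokenByIDs(tokenID, userID, instanceID)`, so this file no longer follows the convention the rest of the commit establishes (every such lookup was renamed to `...ByIDs`); renaming it to `tokenByIDs` keeps the two in step, and its callers and signature are outside the hunk. The `Errorf("could not get current sequence for token check")` directly above the lookup appears to only log the error, after which the user/token-scoped lookup proceeds anyway; if that is the intent, a one-line comment such as `// sequence lookup is best-effort: a failure only affects freshness, not the token/user binding checked below` would make it clear that the degraded path is deliberate rather than an unhandled error. The other two hunks in this file are comment formatting only.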
+++ b/internal/authz/repository/eventsourcing/view/token.go
@@ -12,8 +12,8 @@ const (
 tokenTable = "auth.tokens"
 )
-func (v *View) TokenByID(tokenID, instanceID string) (*usr_view_model.TokenView, error) {
- return usr_view.TokenByID(v.Db, tokenTable, tokenID, instanceID)
+func (v *View) TokenByIDs(tokenID, userID, instanceID string) (*usr_view_model.TokenView, error) {
+ return usr_view.TokenByIDs(v.Db, tokenTable, tokenID, userID, instanceID)
 }
 func (v *View) PutToken(token *usr_view_model.TokenView, event *models.Event) error {
diff --git a/internal/user/repository/view/token_view.go b/internal/user/repository/view/token_view.go
index 89e9322ab6..e74ca66ec8 100644
--- a/internal/user/repository/view/token_view.go
+++ b/internal/user/repository/view/token_view.go
@@ -10,10 +10,11 @@ import (
 "github.com/zitadel/zitadel/internal/view/repository"
 )
-func TokenByID(db *gorm.DB, table, tokenID, instanceID string) (*usr_model.TokenView, error) {
+func TokenByIDs(db *gorm.DB, table, tokenID, userID, instanceID string) (*usr_model.TokenView, error) {
 token := new(usr_model.TokenView)
 query := repository.PrepareGetByQuery(table,
 &usr_model.TokenSearchQuery{Key: model.TokenSearchKeyTokenID, Method: domain.SearchMethodEquals, Value: tokenID},
+ &usr_model.TokenSearchQuery{Key: model.TokenSearchKeyUserID, Method: domain.SearchMethodEquals, Value: userID},
 &usr_model.TokenSearchQuery{Key: model.TokenSearchKeyInstanceID, Method: domain.SearchMethodEquals, Value: instanceID},
 )
 err := query(db, token)
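Review bot: The added `TokenSearchKeyUserID` equals-filter in `TokenByIDs` is the security-relevant line of this commit, but nothing rejects an empty `userID` (or `tokenID`) before the query is built: an empty string is passed to the database as an ordinary filter value, so a caller that forgot to supply the subject would only fail by chance of not matching a row, and how a row with an empty user column would behave is not visible from here. Make the invariant explicit with an early guard before `repository.PrepareGetByQuery`, e.g. `if tokenID == "" || userID == "" { return nil, <project invalid-argument error> }`, so a missing subject is a programming error surfaced immediately rather than a silent NotFound. The function also deserves a doc comment now that its contract changed: `// TokenByIDs returns the token identified by tokenID only if it belongs to userID within instanceID.` The handling of `err` after `query(db, token)` is outside the hunk.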