Merge commit from fork

* fix: prevent intent token reuse and add expiry * fix duplicate * fix expiration
2025-08-11 21:07:31 +00:00 · 2025-05-02 13:44:24 +02:00
parent bb56b362a7
commit b1e60e7398
48 changed files with 673 additions and 123 deletions
--- a/internal/command/session_test.go
+++ b/internal/command/session_test.go
@@ -695,6 +695,7 @@ func TestCommands_updateSession(t *testing.T) {
 								"userID2",
 								nil,
 								"",
+								time.Now().Add(time.Hour),
 							),
 						),
 					),
@@ -757,6 +758,111 @@ func TestCommands_updateSession(t *testing.T) {
 				err: zerrors.ThrowPermissionDenied(nil, "CRYPTO-CRYPTO", "Errors.Intent.InvalidToken"),
 			},
 		},
+		{
+			"set user, intent token already consumed",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							user.NewHumanAddedEvent(context.Background(), &user.NewAggregate("userID", "org1").Aggregate,
+								"username", "", "", "", "", language.English, domain.GenderUnspecified, "", false),
+						),
+						eventFromEventPusher(
+							idpintent.NewSucceededEvent(context.Background(),
+								&idpintent.NewAggregate("intent", "instance1").Aggregate,
+								nil,
+								"idpUserID",
+								"idpUsername",
+								"userID",
+								nil,
+								"",
+								time.Now().Add(time.Hour),
+							),
+						),
+						eventFromEventPusher(
+							idpintent.NewConsumedEvent(context.Background(),
+								&idpintent.NewAggregate("intent", "instance1").Aggregate,
+							),
+						),
+					),
+				),
+			},
+			args{
+				ctx: authz.NewMockContext("instance1", "", ""),
+				checks: &SessionCommands{
+					sessionWriteModel: NewSessionWriteModel("sessionID", "instance1"),
+					sessionCommands: []SessionCommand{
+						CheckUser("userID", "org1", &language.Afrikaans),
+						CheckIntent("intent", "aW50ZW50"),
+					},
+					createToken: func(sessionID string) (string, string, error) {
+						return "tokenID",
+							"token",
+							nil
+					},
+					intentAlg: decryption(nil),
+					now: func() time.Time {
+						return testNow
+					},
+				},
+				metadata: map[string][]byte{
+					"key": []byte("value"),
+				},
+			},
+			res{
+				err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-Df4bw", "Errors.Intent.NotSucceeded"),
+			},
+		},
+		{
+			"set user, intent token already expired",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							user.NewHumanAddedEvent(context.Background(), &user.NewAggregate("userID", "org1").Aggregate,
+								"username", "", "", "", "", language.English, domain.GenderUnspecified, "", false),
+						),
+						eventFromEventPusher(
+							idpintent.NewSucceededEvent(context.Background(),
+								&idpintent.NewAggregate("intent", "instance1").Aggregate,
+								nil,
+								"idpUserID",
+								"idpUsername",
+								"userID",
+								nil,
+								"",
+								time.Now().Add(-time.Hour),
+							),
+						),
+					),
+				),
+			},
+			args{
+				ctx: authz.NewMockContext("instance1", "", ""),
+				checks: &SessionCommands{
+					sessionWriteModel: NewSessionWriteModel("sessionID", "instance1"),
+					sessionCommands: []SessionCommand{
+						CheckUser("userID", "org1", &language.Afrikaans),
+						CheckIntent("intent", "aW50ZW50"),
+					},
+					createToken: func(sessionID string) (string, string, error) {
+						return "tokenID",
+							"token",
+							nil
+					},
+					intentAlg: decryption(nil),
+					now: func() time.Time {
+						return testNow
+					},
+				},
+				metadata: map[string][]byte{
+					"key": []byte("value"),
+				},
+			},
+			res{
+				err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-SAf42", "Errors.Intent.Expired"),
+			},
+		},
 		{
 			"set user, intent, metadata and token",
 			fields{
@@ -768,13 +874,14 @@ func TestCommands_updateSession(t *testing.T) {
 						),
 						eventFromEventPusher(
 							idpintent.NewSucceededEvent(context.Background(),
-								&idpintent.NewAggregate("id", "instance1").Aggregate,
+								&idpintent.NewAggregate("intent", "instance1").Aggregate,
 								nil,
 								"idpUserID",
 								"idpUsername",
 								"userID",
 								nil,
 								"",
+								time.Now().Add(time.Hour),
 							),
 						),
 					),
@@ -783,6 +890,7 @@ func TestCommands_updateSession(t *testing.T) {
 							"userID", "org1", testNow, &language.Afrikaans),
 						session.NewIntentCheckedEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate,
 							testNow),
+						idpintent.NewConsumedEvent(context.Background(), &idpintent.NewAggregate("intent", "org1").Aggregate),
 						session.NewMetadataSetEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate,
 							map[string][]byte{"key": []byte("value")}),
 						session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate,
@@ -842,13 +950,14 @@ func TestCommands_updateSession(t *testing.T) {
 						),
 						eventFromEventPusher(
 							idpintent.NewSucceededEvent(context.Background(),
-								&idpintent.NewAggregate("id", "instance1").Aggregate,
+								&idpintent.NewAggregate("intent", "instance1").Aggregate,
 								nil,
 								"idpUserID",
 								"idpUsername",
 								"",
 								nil,
 								"",
+								time.Now().Add(time.Hour),
 							),
 						),
 					),
@@ -866,6 +975,7 @@ func TestCommands_updateSession(t *testing.T) {
 							"userID", "org1", testNow, &language.Afrikaans),
 						session.NewIntentCheckedEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate,
 							testNow),
+						idpintent.NewConsumedEvent(context.Background(), &idpintent.NewAggregate("intent", "org1").Aggregate),
 						session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate,
 							"tokenID"),
 					),