Merge commit from fork

* fix: prevent intent token reuse and add expiry * fix duplicate * fix expiration
2025-08-11 18:07:31 +00:00 · 2025-05-02 13:44:24 +02:00
parent bb56b362a7
commit b1e60e7398
48 changed files with 673 additions and 123 deletions
--- a/internal/repository/idpintent/eventstore.go
+++ b/internal/repository/idpintent/eventstore.go
@@ -11,4 +11,5 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, SAMLRequestEventType, SAMLRequestEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, LDAPSucceededEventType, LDAPSucceededEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, FailedEventType, FailedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, ConsumedEventType, eventstore.GenericEventMapper[ConsumedEvent])
 }
--- a/internal/repository/idpintent/intent.go
+++ b/internal/repository/idpintent/intent.go
@@ -3,6 +3,7 @@ package idpintent
 import (
 	"context"
 	"net/url"
+	"time"

 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/eventstore"
@@ -16,6 +17,7 @@ const (
 	SAMLRequestEventType   = instanceEventTypePrefix + "saml.requested"
 	LDAPSucceededEventType = instanceEventTypePrefix + "ldap.succeeded"
 	FailedEventType        = instanceEventTypePrefix + "failed"
+	ConsumedEventType      = instanceEventTypePrefix + "consumed"
 )

 type StartedEvent struct {
@@ -79,6 +81,7 @@ type SucceededEvent struct {

 	IDPAccessToken *crypto.CryptoValue `json:"idpAccessToken,omitempty"`
 	IDPIDToken     string              `json:"idpIdToken,omitempty"`
+	ExpiresAt      time.Time           `json:"expiresAt,omitempty"`
 }

 func NewSucceededEvent(
@@ -90,6 +93,7 @@ func NewSucceededEvent(
 	userID string,
 	idpAccessToken *crypto.CryptoValue,
 	idpIDToken string,
+	expiresAt time.Time,
 ) *SucceededEvent {
 	return &SucceededEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -103,6 +107,7 @@ func NewSucceededEvent(
 		UserID:         userID,
 		IDPAccessToken: idpAccessToken,
 		IDPIDToken:     idpIDToken,
+		ExpiresAt:      expiresAt,
 	}
 }

@@ -136,6 +141,7 @@ type SAMLSucceededEvent struct {
 	UserID      string `json:"userId,omitempty"`

 	Assertion *crypto.CryptoValue `json:"assertion,omitempty"`
+	ExpiresAt time.Time           `json:"expiresAt,omitempty"`
 }

 func NewSAMLSucceededEvent(
@@ -146,6 +152,7 @@ func NewSAMLSucceededEvent(
 	idpUserName,
 	userID string,
 	assertion *crypto.CryptoValue,
+	expiresAt time.Time,
 ) *SAMLSucceededEvent {
 	return &SAMLSucceededEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -158,6 +165,7 @@ func NewSAMLSucceededEvent(
 		IDPUserName: idpUserName,
 		UserID:      userID,
 		Assertion:   assertion,
+		ExpiresAt:   expiresAt,
 	}
 }

@@ -233,6 +241,7 @@ type LDAPSucceededEvent struct {
 	UserID      string `json:"userId,omitempty"`

 	EntryAttributes map[string][]string `json:"user,omitempty"`
+	ExpiresAt       time.Time           `json:"expiresAt,omitempty"`
 }

 func NewLDAPSucceededEvent(
@@ -243,6 +252,7 @@ func NewLDAPSucceededEvent(
 	idpUserName,
 	userID string,
 	attributes map[string][]string,
+	expiresAt time.Time,
 ) *LDAPSucceededEvent {
 	return &LDAPSucceededEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -255,6 +265,7 @@ func NewLDAPSucceededEvent(
 		IDPUserName:     idpUserName,
 		UserID:          userID,
 		EntryAttributes: attributes,
+		ExpiresAt:       expiresAt,
 	}
 }

@@ -320,3 +331,32 @@ func FailedEventMapper(event eventstore.Event) (eventstore.Event, error) {

 	return e, nil
 }
+
+type ConsumedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func NewConsumedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *ConsumedEvent {
+	return &ConsumedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ConsumedEventType,
+		),
+	}
+}
+
+func (e *ConsumedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *ConsumedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func (e *ConsumedEvent) SetBaseEvent(base *eventstore.BaseEvent) {
+	e.BaseEvent = *base
+}