feat: refresh token (#1728)

* begin refresh tokens * refresh tokens * list and revoke refresh tokens * handle remove * tests for refresh tokens * uniqueness and default expiration * rename oidc token methods * cleanup * migration version * Update internal/static/i18n/en.yaml Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * fixes * feat: update oidc pkg for refresh tokens Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-08-12 10:57:35 +00:00 · 2021-05-20 13:33:35 +02:00
parent bc21eeb114
commit ec5020bebc
36 changed files with 2732 additions and 55 deletions
--- a/internal/user/repository/view/model/refresh_token.go
+++ b/internal/user/repository/view/model/refresh_token.go
@@ -0,0 +1,154 @@
+package model
+
+import (
+	"encoding/json"
+	"time"
+
+	"github.com/caos/logging"
+	"github.com/lib/pq"
+
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore"
+	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
+	user_repo "github.com/caos/zitadel/internal/repository/user"
+	usr_model "github.com/caos/zitadel/internal/user/model"
+)
+
+const (
+	RefreshTokenKeyTokenID       = "id"
+	RefreshTokenKeyUserID        = "user_id"
+	RefreshTokenKeyApplicationID = "application_id"
+	RefreshTokenKeyUserAgentID   = "user_agent_id"
+	RefreshTokenKeyExpiration    = "expiration"
+	RefreshTokenKeyResourceOwner = "resource_owner"
+)
+
+type RefreshTokenView struct {
+	ID                    string         `json:"tokenId" gorm:"column:id"`
+	CreationDate          time.Time      `json:"-" gorm:"column:creation_date"`
+	ChangeDate            time.Time      `json:"-" gorm:"column:change_date"`
+	ResourceOwner         string         `json:"-" gorm:"column:resource_owner"`
+	Token                 string         `json:"-" gorm:"column:token"`
+	UserID                string         `json:"-" gorm:"column:user_id;primary_key"`
+	ClientID              string         `json:"clientID" gorm:"column:client_id;primary_key"`
+	UserAgentID           string         `json:"userAgentId" gorm:"column:user_agent_id;primary_key"`
+	Audience              pq.StringArray `json:"audience" gorm:"column:audience"`
+	Scopes                pq.StringArray `json:"scopes" gorm:"column:scopes"`
+	AuthMethodsReferences pq.StringArray `json:"authMethodsReference" gorm:"column:amr"`
+	AuthTime              time.Time      `json:"authTime" gorm:"column:auth_time"`
+	IdleExpiration        time.Time      `json:"-" gorm:"column:idle_expiration"`
+	Expiration            time.Time      `json:"-" gorm:"column:expiration"`
+	Sequence              uint64         `json:"-" gorm:"column:sequence"`
+}
+
+func RefreshTokenViewsToModel(tokens []*RefreshTokenView) []*usr_model.RefreshTokenView {
+	result := make([]*usr_model.RefreshTokenView, len(tokens))
+	for i, g := range tokens {
+		result[i] = RefreshTokenViewToModel(g)
+	}
+	return result
+}
+
+func RefreshTokenViewToModel(token *RefreshTokenView) *usr_model.RefreshTokenView {
+	return &usr_model.RefreshTokenView{
+		ID:                    token.ID,
+		CreationDate:          token.CreationDate,
+		ChangeDate:            token.ChangeDate,
+		ResourceOwner:         token.ResourceOwner,
+		Token:                 token.Token,
+		UserID:                token.UserID,
+		ClientID:              token.ClientID,
+		UserAgentID:           token.UserAgentID,
+		Audience:              token.Audience,
+		Scopes:                token.Scopes,
+		AuthMethodsReferences: token.AuthMethodsReferences,
+		AuthTime:              token.AuthTime,
+		IdleExpiration:        token.IdleExpiration,
+		Expiration:            token.Expiration,
+		Sequence:              token.Sequence,
+	}
+}
+
+func (t *RefreshTokenView) AppendEventIfMyRefreshToken(event *es_models.Event) (err error) {
+	view := new(RefreshTokenView)
+	switch eventstore.EventType(event.Type) {
+	case user_repo.HumanRefreshTokenAddedType:
+		view.setRootData(event)
+		err = view.appendAddedEvent(event)
+		if err != nil {
+			return err
+		}
+	case user_repo.HumanRefreshTokenRenewedType:
+		view.setRootData(event)
+		err = view.appendRenewedEvent(event)
+		if err != nil {
+			return err
+		}
+	case user_repo.HumanRefreshTokenRemovedType,
+		user_repo.UserRemovedType,
+		user_repo.UserDeactivatedType,
+		user_repo.UserLockedType:
+		view.appendRemovedEvent(event)
+	default:
+		return nil
+	}
+	if view.ID == t.ID {
+		return t.AppendEvent(event)
+	}
+	return nil
+}
+
+func (t *RefreshTokenView) AppendEvent(event *es_models.Event) error {
+	t.ChangeDate = event.CreationDate
+	t.Sequence = event.Sequence
+	switch eventstore.EventType(event.Type) {
+	case user_repo.HumanRefreshTokenAddedType:
+		t.setRootData(event)
+		return t.appendAddedEvent(event)
+	case user_repo.HumanRefreshTokenRenewedType:
+		t.setRootData(event)
+		return t.appendRenewedEvent(event)
+	}
+	return nil
+}
+
+func (t *RefreshTokenView) setRootData(event *es_models.Event) {
+	t.UserID = event.AggregateID
+	t.ResourceOwner = event.ResourceOwner
+}
+
+func (t *RefreshTokenView) appendAddedEvent(event *es_models.Event) error {
+	e := new(user_repo.HumanRefreshTokenAddedEvent)
+	if err := json.Unmarshal(event.Data, e); err != nil {
+		logging.Log("EVEN-Dbb31").WithError(err).Error("could not unmarshal event data")
+		return caos_errs.ThrowInternal(err, "MODEL-Bbr42", "could not unmarshal event")
+	}
+	t.ID = e.TokenID
+	t.CreationDate = event.CreationDate
+	t.AuthMethodsReferences = e.AuthMethodsReferences
+	t.AuthTime = e.AuthTime
+	t.Audience = e.Audience
+	t.ClientID = e.ClientID
+	t.Expiration = event.CreationDate.Add(e.Expiration)
+	t.IdleExpiration = event.CreationDate.Add(e.IdleExpiration)
+	t.Scopes = e.Scopes
+	t.Token = e.TokenID
+	t.UserAgentID = e.UserAgentID
+	return nil
+}
+
+func (t *RefreshTokenView) appendRenewedEvent(event *es_models.Event) error {
+	e := new(user_repo.HumanRefreshTokenRenewedEvent)
+	if err := json.Unmarshal(event.Data, e); err != nil {
+		logging.Log("EVEN-Vbbn2").WithError(err).Error("could not unmarshal event data")
+		return caos_errs.ThrowInternal(err, "MODEL-Bbrn4", "could not unmarshal event")
+	}
+	t.ID = e.TokenID
+	t.IdleExpiration = event.CreationDate.Add(e.IdleExpiration)
+	t.Token = e.RefreshToken
+	return nil
+}
+
+func (t *RefreshTokenView) appendRemovedEvent(event *es_models.Event) {
+	t.Expiration = event.CreationDate
+}
--- a/internal/user/repository/view/model/refresh_token_query.go
+++ b/internal/user/repository/view/model/refresh_token_query.go
@@ -0,0 +1,69 @@
+package model
+
+import (
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/user/model"
+	"github.com/caos/zitadel/internal/view/repository"
+)
+
+type RefreshTokenSearchRequest model.RefreshTokenSearchRequest
+type RefreshTokenSearchQuery model.RefreshTokenSearchQuery
+type RefreshTokenSearchKey model.RefreshTokenSearchKey
+
+func (req RefreshTokenSearchRequest) GetLimit() uint64 {
+	return req.Limit
+}
+
+func (req RefreshTokenSearchRequest) GetOffset() uint64 {
+	return req.Offset
+}
+
+func (req RefreshTokenSearchRequest) GetSortingColumn() repository.ColumnKey {
+	if req.SortingColumn == model.RefreshTokenSearchKeyUnspecified {
+		return nil
+	}
+	return RefreshTokenSearchKey(req.SortingColumn)
+}
+
+func (req RefreshTokenSearchRequest) GetAsc() bool {
+	return req.Asc
+}
+
+func (req RefreshTokenSearchRequest) GetQueries() []repository.SearchQuery {
+	result := make([]repository.SearchQuery, len(req.Queries))
+	for i, q := range req.Queries {
+		result[i] = RefreshTokenSearchQuery{Key: q.Key, Value: q.Value, Method: q.Method}
+	}
+	return result
+}
+
+func (req RefreshTokenSearchQuery) GetKey() repository.ColumnKey {
+	return RefreshTokenSearchKey(req.Key)
+}
+
+func (req RefreshTokenSearchQuery) GetMethod() domain.SearchMethod {
+	return req.Method
+}
+
+func (req RefreshTokenSearchQuery) GetValue() interface{} {
+	return req.Value
+}
+
+func (key RefreshTokenSearchKey) ToColumnName() string {
+	switch model.RefreshTokenSearchKey(key) {
+	case model.RefreshTokenSearchKeyRefreshTokenID:
+		return RefreshTokenKeyTokenID
+	case model.RefreshTokenSearchKeyUserAgentID:
+		return RefreshTokenKeyUserAgentID
+	case model.RefreshTokenSearchKeyUserID:
+		return RefreshTokenKeyUserID
+	case model.RefreshTokenSearchKeyApplicationID:
+		return RefreshTokenKeyApplicationID
+	case model.RefreshTokenSearchKeyExpiration:
+		return RefreshTokenKeyExpiration
+	case model.RefreshTokenSearchKeyResourceOwner:
+		return RefreshTokenKeyResourceOwner
+	default:
+		return ""
+	}
+}
--- a/internal/user/repository/view/refresh_token_view.go
+++ b/internal/user/repository/view/refresh_token_view.go
@@ -0,0 +1,79 @@
+package view
+
+import (
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/user/model"
+	usr_model "github.com/caos/zitadel/internal/user/repository/view/model"
+	"github.com/caos/zitadel/internal/view/repository"
+	"github.com/jinzhu/gorm"
+	"github.com/lib/pq"
+)
+
+func RefreshTokenByID(db *gorm.DB, table, tokenID string) (*usr_model.RefreshTokenView, error) {
+	token := new(usr_model.RefreshTokenView)
+	query := repository.PrepareGetByKey(table, usr_model.RefreshTokenSearchKey(model.RefreshTokenSearchKeyRefreshTokenID), tokenID)
+	err := query(db, token)
+	if errors.IsNotFound(err) {
+		return nil, errors.ThrowNotFound(nil, "VIEW-6ub3p", "Errors.RefreshToken.NotFound")
+	}
+	return token, err
+}
+
+func RefreshTokensByUserID(db *gorm.DB, table, userID string) ([]*usr_model.RefreshTokenView, error) {
+	tokens := make([]*usr_model.RefreshTokenView, 0)
+	userIDQuery := &model.RefreshTokenSearchQuery{
+		Key:    model.RefreshTokenSearchKeyUserID,
+		Method: domain.SearchMethodEquals,
+		Value:  userID,
+	}
+	query := repository.PrepareSearchQuery(table, usr_model.RefreshTokenSearchRequest{
+		Queries: []*model.RefreshTokenSearchQuery{userIDQuery},
+	})
+	_, err := query(db, &tokens)
+	return tokens, err
+}
+
+func PutRefreshToken(db *gorm.DB, table string, token *usr_model.RefreshTokenView) error {
+	save := repository.PrepareSave(table)
+	return save(db, token)
+}
+
+func PutRefreshTokens(db *gorm.DB, table string, tokens ...*usr_model.RefreshTokenView) error {
+	save := repository.PrepareBulkSave(table)
+	t := make([]interface{}, len(tokens))
+	for i, token := range tokens {
+		t[i] = token
+	}
+	return save(db, t...)
+}
+
+func SearchRefreshTokens(db *gorm.DB, table string, req *model.RefreshTokenSearchRequest) ([]*usr_model.RefreshTokenView, uint64, error) {
+	tokens := make([]*usr_model.RefreshTokenView, 0)
+	query := repository.PrepareSearchQuery(table, usr_model.RefreshTokenSearchRequest{Limit: req.Limit, Offset: req.Offset, Queries: req.Queries})
+	count, err := query(db, &tokens)
+	return tokens, count, err
+}
+
+func DeleteRefreshToken(db *gorm.DB, table, tokenID string) error {
+	delete := repository.PrepareDeleteByKey(table, usr_model.RefreshTokenSearchKey(model.RefreshTokenSearchKeyRefreshTokenID), tokenID)
+	return delete(db)
+}
+
+func DeleteSessionRefreshTokens(db *gorm.DB, table, agentID, userID string) error {
+	delete := repository.PrepareDeleteByKeys(table,
+		repository.Key{Key: usr_model.RefreshTokenSearchKey(model.RefreshTokenSearchKeyUserAgentID), Value: agentID},
+		repository.Key{Key: usr_model.RefreshTokenSearchKey(model.RefreshTokenSearchKeyUserID), Value: userID},
+	)
+	return delete(db)
+}
+
+func DeleteUserRefreshTokens(db *gorm.DB, table, userID string) error {
+	delete := repository.PrepareDeleteByKey(table, usr_model.RefreshTokenSearchKey(model.RefreshTokenSearchKeyUserID), userID)
+	return delete(db)
+}
+
+func DeleteApplicationRefreshTokens(db *gorm.DB, table string, appIDs []string) error {
+	delete := repository.PrepareDeleteByKey(table, usr_model.RefreshTokenSearchKey(model.RefreshTokenSearchKeyApplicationID), pq.StringArray(appIDs))
+	return delete(db)
+}