zitadel/internal/auth/repository/eventsourcing/handler/user_session.go
Livio Spring d016379e2a
feat: pass and handle auth request context for email links (#7815)
* pass and handle auth request context

* tests and cleanup

* cleanup
2024-04-24 17:50:58 +02:00

367 lines
11 KiB
Go

package handler
import (
"context"
"time"
auth_view "github.com/zitadel/zitadel/internal/auth/repository/eventsourcing/view"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore"
"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
query2 "github.com/zitadel/zitadel/internal/query"
"github.com/zitadel/zitadel/internal/repository/instance"
"github.com/zitadel/zitadel/internal/repository/org"
"github.com/zitadel/zitadel/internal/repository/user"
view_model "github.com/zitadel/zitadel/internal/user/repository/view/model"
"github.com/zitadel/zitadel/internal/zerrors"
)
const (
userSessionTable = "auth.user_sessions"
)
type UserSession struct {
queries *query2.Queries
view *auth_view.View
es handler.EventStore
}
var _ handler.Projection = (*UserSession)(nil)
func newUserSession(
ctx context.Context,
config handler.Config,
view *auth_view.View,
queries *query2.Queries,
) *handler.Handler {
return handler.NewHandler(
ctx,
&config,
&UserSession{
queries: queries,
view: view,
es: config.Eventstore,
},
)
}
// Name implements [handler.Projection]
func (*UserSession) Name() string {
return userSessionTable
}
// Reducers implements [handler.Projection]
func (s *UserSession) Reducers() []handler.AggregateReducer {
return []handler.AggregateReducer{
{
Aggregate: user.AggregateType,
EventReducers: []handler.EventReducer{
{
Event: user.UserV1PasswordCheckSucceededType,
Reduce: s.Reduce,
},
{
Event: user.UserV1PasswordCheckFailedType,
Reduce: s.Reduce,
},
{
Event: user.UserV1MFAOTPCheckSucceededType,
Reduce: s.Reduce,
},
{
Event: user.UserV1MFAOTPCheckFailedType,
Reduce: s.Reduce,
},
{
Event: user.UserV1SignedOutType,
Reduce: s.Reduce,
},
{
Event: user.HumanPasswordCheckSucceededType,
Reduce: s.Reduce,
},
{
Event: user.HumanPasswordCheckFailedType,
Reduce: s.Reduce,
},
{
Event: user.UserIDPLoginCheckSucceededType,
Reduce: s.Reduce,
},
{
Event: user.HumanMFAOTPCheckSucceededType,
Reduce: s.Reduce,
},
{
Event: user.HumanMFAOTPCheckFailedType,
Reduce: s.Reduce,
},
{
Event: user.HumanU2FTokenCheckSucceededType,
Reduce: s.Reduce,
},
{
Event: user.HumanU2FTokenCheckFailedType,
Reduce: s.Reduce,
},
{
Event: user.HumanPasswordlessTokenCheckSucceededType,
Reduce: s.Reduce,
},
{
Event: user.HumanPasswordlessTokenCheckFailedType,
Reduce: s.Reduce,
},
{
Event: user.HumanSignedOutType,
Reduce: s.Reduce,
},
{
Event: user.UserV1PasswordChangedType,
Reduce: s.Reduce,
},
{
Event: user.UserV1MFAOTPRemovedType,
Reduce: s.Reduce,
},
{
Event: user.UserLockedType,
Reduce: s.Reduce,
},
{
Event: user.UserDeactivatedType,
Reduce: s.Reduce,
},
{
Event: user.HumanPasswordChangedType,
Reduce: s.Reduce,
},
{
Event: user.HumanMFAOTPRemovedType,
Reduce: s.Reduce,
},
{
Event: user.UserIDPLinkRemovedType,
Reduce: s.Reduce,
},
{
Event: user.UserIDPLinkCascadeRemovedType,
Reduce: s.Reduce,
},
{
Event: user.HumanPasswordlessTokenRemovedType,
Reduce: s.Reduce,
},
{
Event: user.HumanU2FTokenRemovedType,
Reduce: s.Reduce,
},
{
Event: user.UserRemovedType,
Reduce: s.Reduce,
},
{
Event: user.HumanRegisteredType,
Reduce: s.Reduce,
},
},
},
{
Aggregate: org.AggregateType,
EventReducers: []handler.EventReducer{
{
Event: org.OrgRemovedEventType,
Reduce: s.Reduce,
},
},
},
{
Aggregate: instance.AggregateType,
EventReducers: []handler.EventReducer{
{
Event: instance.InstanceRemovedEventType,
Reduce: s.Reduce,
},
},
},
}
}
func (u *UserSession) Reduce(event eventstore.Event) (_ *handler.Statement, err error) {
switch event.Type() {
case user.UserV1PasswordCheckSucceededType,
user.UserV1PasswordCheckFailedType,
user.UserV1MFAOTPCheckSucceededType,
user.UserV1MFAOTPCheckFailedType,
user.UserV1SignedOutType,
user.HumanPasswordCheckSucceededType,
user.HumanPasswordCheckFailedType,
user.UserIDPLoginCheckSucceededType,
user.HumanMFAOTPCheckSucceededType,
user.HumanMFAOTPCheckFailedType,
user.HumanU2FTokenCheckSucceededType,
user.HumanU2FTokenCheckFailedType,
user.HumanPasswordlessTokenCheckSucceededType,
user.HumanPasswordlessTokenCheckFailedType,
user.HumanSignedOutType:
return handler.NewStatement(event, func(ex handler.Executer, projectionName string) error {
var session *view_model.UserSessionView
eventData, err := view_model.UserSessionFromEvent(event)
if err != nil {
return err
}
session, err = u.view.UserSessionByIDs(eventData.UserAgentID, event.Aggregate().ID, event.Aggregate().InstanceID)
if err != nil {
if !zerrors.IsNotFound(err) {
return err
}
session = &view_model.UserSessionView{
CreationDate: event.CreatedAt(),
ResourceOwner: event.Aggregate().ResourceOwner,
UserAgentID: eventData.UserAgentID,
UserID: event.Aggregate().ID,
State: int32(domain.UserSessionStateActive),
InstanceID: event.Aggregate().InstanceID,
}
}
return u.updateSession(session, event)
}), nil
case user.UserLockedType,
user.UserDeactivatedType:
return handler.NewUpdateStatement(event,
[]handler.Column{
handler.NewCol("passwordless_verification", time.Time{}),
handler.NewCol("password_verification", time.Time{}),
handler.NewCol("second_factor_verification", time.Time{}),
handler.NewCol("second_factor_verification_type", domain.MFALevelNotSetUp),
handler.NewCol("multi_factor_verification", time.Time{}),
handler.NewCol("multi_factor_verification_type", domain.MFALevelNotSetUp),
handler.NewCol("external_login_verification", time.Time{}),
handler.NewCol("state", domain.UserSessionStateTerminated),
handler.NewCol("change_date", event.CreatedAt()),
handler.NewCol("sequence", event.Sequence()),
},
[]handler.Condition{
handler.NewCond("instance_id", event.Aggregate().InstanceID),
handler.NewCond("user_id", event.Aggregate().ID),
handler.Not(handler.NewCond("state", domain.UserSessionStateTerminated)),
},
), nil
case user.UserV1PasswordChangedType,
user.HumanPasswordChangedType:
userAgent, err := agentIDFromSession(event)
if err != nil {
return nil, err
}
return handler.NewMultiStatement(event,
handler.AddUpdateStatement(
[]handler.Column{
handler.NewCol("password_verification", event.CreatedAt()),
handler.NewCol("change_date", event.CreatedAt()),
handler.NewCol("sequence", event.Sequence()),
},
[]handler.Condition{
handler.NewCond("instance_id", event.Aggregate().InstanceID),
handler.NewCond("user_id", event.Aggregate().ID),
handler.NewCond("user_agent_id", userAgent),
}),
handler.AddUpdateStatement(
[]handler.Column{
handler.NewCol("password_verification", time.Time{}),
handler.NewCol("change_date", event.CreatedAt()),
handler.NewCol("sequence", event.Sequence()),
},
[]handler.Condition{
handler.NewCond("instance_id", event.Aggregate().InstanceID),
handler.NewCond("user_id", event.Aggregate().ID),
handler.Not(handler.NewCond("user_agent_id", userAgent)),
handler.Not(handler.NewCond("state", domain.UserSessionStateTerminated)),
}),
), nil
case user.UserV1MFAOTPRemovedType,
user.HumanMFAOTPRemovedType,
user.HumanU2FTokenRemovedType:
return handler.NewUpdateStatement(event,
[]handler.Column{
handler.NewCol("second_factor_verification", time.Time{}),
handler.NewCol("change_date", event.CreatedAt()),
handler.NewCol("sequence", event.Sequence()),
},
[]handler.Condition{
handler.NewCond("instance_id", event.Aggregate().InstanceID),
handler.NewCond("user_id", event.Aggregate().ID),
handler.Not(handler.NewCond("state", domain.UserSessionStateTerminated)),
},
), nil
case user.UserIDPLinkRemovedType,
user.UserIDPLinkCascadeRemovedType:
return handler.NewUpdateStatement(event,
[]handler.Column{
handler.NewCol("external_login_verification", time.Time{}),
handler.NewCol("selected_idp_config_id", ""),
handler.NewCol("change_date", event.CreatedAt()),
handler.NewCol("sequence", event.Sequence()),
},
[]handler.Condition{
handler.NewCond("instance_id", event.Aggregate().InstanceID),
handler.NewCond("user_id", event.Aggregate().ID),
handler.Not(handler.NewCond("selected_idp_config_id", "")),
},
), nil
case user.HumanPasswordlessTokenRemovedType:
return handler.NewUpdateStatement(event,
[]handler.Column{
handler.NewCol("passwordless_verification", time.Time{}),
handler.NewCol("multi_factor_verification", time.Time{}),
handler.NewCol("change_date", event.CreatedAt()),
handler.NewCol("sequence", event.Sequence()),
},
[]handler.Condition{
handler.NewCond("instance_id", event.Aggregate().InstanceID),
handler.NewCond("user_id", event.Aggregate().ID),
handler.Not(handler.NewCond("state", domain.UserSessionStateTerminated)),
},
), nil
case user.UserRemovedType:
return handler.NewStatement(event, func(ex handler.Executer, projectionName string) error {
return u.view.DeleteUserSessions(event.Aggregate().ID, event.Aggregate().InstanceID)
}), nil
case user.HumanRegisteredType:
return handler.NewStatement(event, func(ex handler.Executer, projectionName string) error {
eventData, err := view_model.UserSessionFromEvent(event)
if err != nil {
return err
}
session := &view_model.UserSessionView{
CreationDate: event.CreatedAt(),
ResourceOwner: event.Aggregate().ResourceOwner,
UserAgentID: eventData.UserAgentID,
UserID: event.Aggregate().ID,
State: int32(domain.UserSessionStateActive),
InstanceID: event.Aggregate().InstanceID,
PasswordVerification: event.CreatedAt(),
}
return u.updateSession(session, event)
}), nil
case instance.InstanceRemovedEventType:
return handler.NewStatement(event, func(ex handler.Executer, projectionName string) error {
return u.view.DeleteInstanceUserSessions(event.Aggregate().InstanceID)
}), nil
case org.OrgRemovedEventType:
return handler.NewStatement(event, func(ex handler.Executer, projectionName string) error {
return u.view.DeleteOrgUserSessions(event)
}), nil
default:
return handler.NewStatement(event, func(ex handler.Executer, projectionName string) error {
return nil
}), nil
}
}
func (u *UserSession) updateSession(session *view_model.UserSessionView, event eventstore.Event) error {
if err := session.AppendEvent(event); err != nil {
return err
}
return u.view.PutUserSession(session)
}