feat(core,schemas): add application user consent scope delete api (#5120)

* feat(core,schemas): add application user consent scope delete api add application user consent scope delete api * chore(core): add the invalid user consent scope type fallback error add the invalid user consent scope type fallback error
2025-03-31 22:51:25 -05:00 · 2023-12-20 13:34:18 +08:00 · 2023-12-20 13:34:18 +08:00 · 072c6629d3
commit 072c6629d3
parent bbc223b81c
7 changed files with 215 additions and 4 deletions
--- a/packages/core/src/libraries/application.ts
+++ b/packages/core/src/libraries/application.ts
@ -1,4 +1,9 @@
-import { OrganizationScopes, Scopes, type Scope } from '@logto/schemas';
+import {
+  OrganizationScopes,
+  Scopes,
+  type Scope,
+  ApplicationUserConsentScopeType,
+} from '@logto/schemas';

 import RequestError from '#src/errors/RequestError/index.js';
 import type Queries from '#src/tenants/Queries.js';
@ -156,6 +161,31 @@ export const createApplicationLibrary = (queries: Queries) => {
  const getApplicationUserConsentScopes = async (applicationId: string) =>
    useConsentUserScopes.findAllByApplicationId(applicationId);

+  const deleteApplicationUserConsentScopesByTypeAndScopeId = async (
+    applicationId: string,
+    type: ApplicationUserConsentScopeType,
+    scopeId: string
+  ) => {
+    switch (type) {
+      case ApplicationUserConsentScopeType.OrganizationScopes: {
+        await userConsentOrganizationScopes.delete({ applicationId, organizationScopeId: scopeId });
+        break;
+      }
+      case ApplicationUserConsentScopeType.ResourceScopes: {
+        await userConsentResourceScopes.delete({ applicationId, scopeId });
+        break;
+      }
+      case ApplicationUserConsentScopeType.UserScopes: {
+        await useConsentUserScopes.deleteByApplicationIdAndScopeId(applicationId, scopeId);
+        break;
+      }
+      default: {
+        // eslint-disable-next-line @typescript-eslint/restrict-template-expressions -- just in case
+        throw new Error(`Unexpected application user consent scope type: ${type}`);
+      }
+    }
+  };
+
  return {
    validateThirdPartyApplicationById,
    findApplicationScopesForResourceIndicator,
@ -164,5 +194,6 @@ export const createApplicationLibrary = (queries: Queries) => {
    getApplicationUserConsentOrganizationScopes,
    getApplicationUserConsentResourceScopes,
    getApplicationUserConsentScopes,
+    deleteApplicationUserConsentScopesByTypeAndScopeId,
  };
 };
--- a/packages/core/src/queries/application-user-consent-scopes.ts
+++ b/packages/core/src/queries/application-user-consent-scopes.ts
@ -11,6 +11,7 @@ import { convertToIdentifiers } from '@logto/shared';
 import { sql, type CommonQueryMethods } from 'slonik';

 import { buildInsertIntoWithPool } from '#src/database/insert-into.js';
+import { DeletionError } from '#src/errors/SlonikError/index.js';
 import { TwoRelationsQueries } from '#src/utils/RelationQueries.js';

 export class ApplicationUserConsentOrganizationScopeQueries extends TwoRelationsQueries<
@ -48,8 +49,22 @@ export const createApplicationUserConsentUserScopeQueries = (pool: CommonQueryMe
    return scopes.map(({ userScope }) => userScope);
  };

+  const deleteByApplicationIdAndScopeId = async (applicationId: string, scopeId: string) => {
+    const { table, fields } = convertToIdentifiers(ApplicationUserConsentUserScopes);
+
+    const { rowCount } = await pool.query(sql`
+      delete from ${table}
+      where ${fields.applicationId} = ${applicationId} and ${fields.userScope} = ${scopeId}
+    `);
+
+    if (rowCount < 1) {
+      throw new DeletionError(ApplicationUserConsentUserScopes.table);
+    }
+  };
+
  return {
    insert,
    findAllByApplicationId,
+    deleteByApplicationIdAndScopeId,
  };
 };
--- a/packages/core/src/routes/applications/application-user-consent-scope.openapi.json
+++ b/packages/core/src/routes/applications/application-user-consent-scope.openapi.json
@ -64,6 +64,20 @@
          }
        }
      }
+    },
+    "/api/applications/{applicationId}/user-consent-scopes/{scopeType}/{scopeId}": {
+      "delete": {
+        "summary": "Remove user consent scope from application.",
+        "description": "Remove the user consent scope from an application by application id, scope type and scope id",
+        "responses": {
+          "204": {
+            "description": "The user consent scope is removed from the application successfully"
+          },
+          "404": {
+            "description": "The application or scope is not found"
+          }
+        }
+      }
    }
  }
 }
--- a/packages/core/src/routes/applications/application-user-consent-scope.ts
+++ b/packages/core/src/routes/applications/application-user-consent-scope.ts
@ -1,5 +1,8 @@
 import { UserScope } from '@logto/core-kit';
-import { applicationUserConsentScopesResponseGuard } from '@logto/schemas';
+import {
+  applicationUserConsentScopesResponseGuard,
+  ApplicationUserConsentScopeType,
+} from '@logto/schemas';
 import { object, string, nativeEnum } from 'zod';

 import koaGuard from '#src/middleware/koa-guard.js';
@ -21,6 +24,7 @@ export default function applicationUserConsentScopeRoutes<T extends AuthedRouter
          getApplicationUserConsentOrganizationScopes,
          getApplicationUserConsentResourceScopes,
          getApplicationUserConsentScopes,
+          deleteApplicationUserConsentScopesByTypeAndScopeId,
        },
      },
    },
@ -87,4 +91,30 @@ export default function applicationUserConsentScopeRoutes<T extends AuthedRouter
      return next();
    }
  );
+
+  router.delete(
+    '/applications/:applicationId/user-consent-scopes/:scopeType/:scopeId',
+    koaGuard({
+      params: object({
+        applicationId: string(),
+        scopeType: nativeEnum(ApplicationUserConsentScopeType),
+        scopeId: string(),
+      }),
+      status: [204, 404],
+    }),
+    async (ctx, next) => {
+      const {
+        params: { applicationId, scopeType, scopeId },
+      } = ctx.guard;
+
+      // Validate application exists
+      await findApplicationById(applicationId);
+
+      await deleteApplicationUserConsentScopesByTypeAndScopeId(applicationId, scopeType, scopeId);
+
+      ctx.status = 204;
+
+      return next();
+    }
+  );
 }
--- a/packages/integration-tests/src/api/application-user-consent-scope.ts
+++ b/packages/integration-tests/src/api/application-user-consent-scope.ts
@ -1,5 +1,8 @@
 import { type UserScope } from '@logto/core-kit';
-import { type ApplicationUserConsentScopesResponse } from '@logto/schemas';
+import {
+  type ApplicationUserConsentScopeType,
+  type ApplicationUserConsentScopesResponse,
+} from '@logto/schemas';

 import { authedAdminApi } from './api.js';

@ -16,3 +19,12 @@ export const getUserConsentScopes = async (applicationId: string) =>
  authedAdminApi
    .get(`applications/${applicationId}/user-consent-scopes`)
    .json<ApplicationUserConsentScopesResponse>();
+
+export const deleteUserConsentScopes = async (
+  applicationId: string,
+  scopeType: ApplicationUserConsentScopeType,
+  scopeId: string
+) =>
+  authedAdminApi.delete(
+    `applications/${applicationId}/user-consent-scopes/${scopeType}/${scopeId}`
+  );
--- a/packages/integration-tests/src/tests/api/application-user-consent-scope.test.ts
+++ b/packages/integration-tests/src/tests/api/application-user-consent-scope.test.ts
@ -1,9 +1,10 @@
 import { UserScope } from '@logto/core-kit';
-import { ApplicationType } from '@logto/schemas';
+import { ApplicationType, ApplicationUserConsentScopeType } from '@logto/schemas';

 import {
  assignUserConsentScopes,
  getUserConsentScopes,
+  deleteUserConsentScopes,
 } from '#src/api/application-user-consent-scope.js';
 import { createApplication, deleteApplication } from '#src/api/application.js';
 import { OrganizationScopeApi } from '#src/api/organization-scope.js';
@ -173,4 +174,106 @@ describe('assign user consent scopes to application', () => {

    await deleteApplication(newApp.id);
  });
+
+  it('should return 404 when trying to delete consent scopes from non-existing application', async () => {
+    await expectRejects(
+      deleteUserConsentScopes(
+        'non-existing-application',
+        ApplicationUserConsentScopeType.OrganizationScopes,
+        organizationScopes.get('organizationScope1')!
+      ),
+      {
+        code: 'entity.not_exists_with_id',
+        statusCode: 404,
+      }
+    );
+  });
+
+  it('should return 404 when trying to delete non-existing consent scopes', async () => {
+    await expectRejects(
+      deleteUserConsentScopes(
+        applicationIds.get('thirdPartyApp')!,
+        ApplicationUserConsentScopeType.OrganizationScopes,
+        'non-existing-organization-scope'
+      ),
+      {
+        code: 'entity.not_found',
+        statusCode: 404,
+      }
+    );
+
+    await expectRejects(
+      deleteUserConsentScopes(
+        applicationIds.get('thirdPartyApp')!,
+        ApplicationUserConsentScopeType.ResourceScopes,
+        'non-existing-resource-scope'
+      ),
+      {
+        code: 'entity.not_found',
+        statusCode: 404,
+      }
+    );
+
+    await expectRejects(
+      deleteUserConsentScopes(
+        applicationIds.get('thirdPartyApp')!,
+        ApplicationUserConsentScopeType.UserScopes,
+        'non-existing-user-scope'
+      ),
+      {
+        code: 'entity.not_found',
+        statusCode: 404,
+      }
+    );
+  });
+
+  it('should delete consent scopes successfully', async () => {
+    await expect(
+      assignUserConsentScopes(applicationIds.get('thirdPartyApp')!, {
+        organizationScopes: Array.from(organizationScopes.values()),
+        resourceScopes: Array.from(resourceScopes.values()),
+        userScopes: [UserScope.Profile, UserScope.Email, UserScope.OrganizationRoles],
+      })
+    ).resolves.not.toThrow();
+
+    await expect(
+      deleteUserConsentScopes(
+        applicationIds.get('thirdPartyApp')!,
+        ApplicationUserConsentScopeType.OrganizationScopes,
+        organizationScopes.get('organizationScope1')!
+      )
+    ).resolves.not.toThrow();
+
+    await expect(
+      deleteUserConsentScopes(
+        applicationIds.get('thirdPartyApp')!,
+        ApplicationUserConsentScopeType.ResourceScopes,
+        resourceScopes.get('resourceScope1')!
+      )
+    ).resolves.not.toThrow();
+
+    await expect(
+      deleteUserConsentScopes(
+        applicationIds.get('thirdPartyApp')!,
+        ApplicationUserConsentScopeType.UserScopes,
+        UserScope.OrganizationRoles
+      )
+    ).resolves.not.toThrow();
+
+    const result = await getUserConsentScopes(applicationIds.get('thirdPartyApp')!);
+
+    expect(
+      result.organizationScopes.find(
+        ({ id }) => id === organizationScopes.get('organizationScope1')!
+      )
+    ).toBeUndefined();
+
+    expect(
+      result.resourceScopes[0]!.scopes.find(
+        ({ id }) => id === resourceScopes.get('resourceScope1')!
+      )
+    ).toBeUndefined();
+
+    expect(result.userScopes.includes(UserScope.OrganizationRoles)).toBeFalsy();
+  });
 });
--- a/packages/schemas/src/types/application.ts
+++ b/packages/schemas/src/types/application.ts
@ -52,6 +52,12 @@ export const applicationUserConsentScopesResponseGuard = z.object({
  userScopes: z.array(z.nativeEnum(UserScope)),
 });

+export enum ApplicationUserConsentScopeType {
+  OrganizationScopes = 'organization-scopes',
+  ResourceScopes = 'resource-scopes',
+  UserScopes = 'user-scopes',
+}
+
 export type ApplicationUserConsentScopesResponse = z.infer<
  typeof applicationUserConsentScopesResponseGuard
 >;