chore: update code

2024-12-30 20:33:54 -05:00 · 2024-12-26 12:22:17 +08:00 · 2024-12-26 12:22:17 +08:00 · fd2ea4a24e
commit fd2ea4a24e
parent e7ca10056c
3 changed files with 45 additions and 50 deletions
--- a/packages/core/src/saml-applications/queries/sessions.ts
+++ b/packages/core/src/saml-applications/queries/sessions.ts
@ -4,6 +4,7 @@ import { sql } from '@silverhand/slonik';

 import { buildInsertIntoWithPool } from '#src/database/insert-into.js';
 import { buildUpdateWhereWithPool } from '#src/database/update-where.js';
+import { DeletionError } from '#src/errors/SlonikError/index.js';
 import { convertToIdentifiers } from '#src/utils/sql.js';

 const { table, fields } = convertToIdentifiers(SamlApplicationSessions);
@ -15,16 +16,48 @@ export const createSamlApplicationSessionQueries = (pool: CommonQueryMethods) =>

  const updateSession = buildUpdateWhereWithPool(pool)(SamlApplicationSessions, true);

-  const deleteExpiredOrFullyUsedSessions = async () => {
+  /**
+   * Removes the OIDC state from a session, which marks OIDC state as consumed.
+   *
+   * @param id The ID of the session.
+   * @returns The updated session.
+   */
+  const removeSessionOidcStateById = async (id: string) =>
+    updateSession({
+      set: { oidcState: null },
+      where: { id },
+      jsonbMode: 'merge',
+    });
+
+  const deleteExpiredSessions = async () => {
    const { rowCount } = await pool.query(sql`
      delete from ${table}
      where ${fields.expiresAt} < now()
-      or (${fields.isSamlResponseSent} = true and ${fields.isOidcStateChecked} = true)
    `);

-    return rowCount;
+    if (rowCount < 1) {
+      throw new DeletionError(SamlApplicationSessions.table);
+    }
  };

+  const deleteSessionById = async (id: string) => {
+    const { rowCount } = await pool.query(sql`
+      delete from ${table}
+      where ${fields.id} = ${id}
+    `);
+
+    if (rowCount < 1) {
+      throw new DeletionError(SamlApplicationSessions.table);
+    }
+  };
+
+  const findSessionById = async (id: string) =>
+    pool.maybeOne<SamlApplicationSession>(sql`
+      select ${sql.join(Object.values(fields), sql`, `)}
+      from ${table}
+      where ${fields.id}=${id}
+    `);
+
  const findSessionsByApplicationId = async (applicationId: string) =>
    pool.any<SamlApplicationSession>(sql`
      select ${sql.join(Object.values(fields), sql`, `)}
@ -32,35 +65,13 @@ export const createSamlApplicationSessionQueries = (pool: CommonQueryMethods) =>
      where ${fields.applicationId}=${applicationId}
    `);

-  const findAvailableSessionByAppIdAndState = async (applicationId: string, state: string) =>
-    pool.one<SamlApplicationSession>(sql`
-      select ${sql.join(Object.values(fields), sql`, `)}
-      from ${table}
-      where ${fields.applicationId}=${applicationId}
-      and ${fields.oidcState}=${state} and ${fields.isOidcStateChecked} = false and ${
-        fields.expiresAt
-      } > now()
-    `);
-
-  const findAvailableSessionByAppIdAndSamlRequestId = async (
-    applicationId: string,
-    samlRequestId: string
-  ) =>
-    pool.one<SamlApplicationSession>(sql`
-      select ${sql.join(Object.values(fields), sql`, `)}
-      from ${table}
-      where ${fields.applicationId}=${applicationId}
-      and ${fields.samlRequestId}=${samlRequestId} and ${fields.isSamlResponseSent} = false and ${
-        fields.expiresAt
-      } > now()
-    `);
-
  return {
    insertSession,
    updateSession,
-    deleteExpiredOrFullyUsedSessions,
+    removeSessionOidcStateById,
+    deleteExpiredSessions,
+    deleteSessionById,
+    findSessionById,
    findSessionsByApplicationId,
-    findAvailableSessionByAppIdAndState,
-    findAvailableSessionByAppIdAndSamlRequestId,
  };
 };
--- a/packages/schemas/alterations/next-1735012422-add-saml-application-sessions-table.ts
+++ b/packages/schemas/alterations/next-1735012422-add-saml-application-sessions-table.ts
@ -13,23 +13,16 @@ const alteration: AlterationScript = {
        id varchar(32) not null,
        application_id varchar(21) not null 
          references applications (id) on update cascade on delete cascade,
-        saml_request_id varchar(128),
+        saml_request_id varchar(128) not null,
        oidc_state varchar(32),
-        is_oidc_state_checked boolean not null default false,
-        is_saml_response_sent boolean not null default false,
        relay_state varchar(256),
-        auth_request_info jsonb not null,
+        raw_auth_request text not null,
        created_at timestamptz not null default(now()),
        expires_at timestamptz not null,
        primary key (tenant_id, id),
        constraint saml_application_sessions__application_type 
          check (check_application_type(application_id, 'SAML'))
      );
-
-      create unique index saml_application_sessions__oidc_state 
-        on saml_application_sessions (tenant_id, oidc_state);
-      create unique index saml_application_sessions__saml_request_id
-        on saml_application_sessions (tenant_id, saml_request_id);
    `);
    await applyTableRls(pool, 'saml_application_sessions');
  },
--- a/packages/schemas/tables/saml_application_sessions.sql
+++ b/packages/schemas/tables/saml_application_sessions.sql
@ -8,25 +8,16 @@ create table saml_application_sessions (
  application_id varchar(21) not null
    references applications (id) on update cascade on delete cascade,
  /** The identifier of the SAML SSO auth request ID, SAML request ID is pretty long. */
-  saml_request_id varchar(128),
+  saml_request_id varchar(128) not null,
  /** The identifier of the OIDC auth request state. */
  oidc_state varchar(32),
-  /** When checking the OIDC auth state, we should have this flag to prevent replay attack. */
-  is_oidc_state_checked boolean not null default false,
-  /** When sending the SAML authn response, we should have this flag to prevent replay attack. */
-  is_saml_response_sent boolean not null default false,
  /** The relay state of the SAML auth request. */
  relay_state varchar(256),
-  /** The request info of the SAML auth request. */
-  auth_request_info jsonb /* @use AuthRequestInfo */ not null,
+  /** The raw request of the SAML auth request. */
+  raw_auth_request text not null,
  created_at timestamptz not null default(now()),
  expires_at timestamptz not null,
  primary key (tenant_id, id),
  constraint saml_application_sessions__application_type 
    check (check_application_type(application_id, 'SAML'))
 );
-
-create unique index saml_application_sessions__oidc_state 
-  on saml_application_sessions (tenant_id, oidc_state);
-create unique index saml_application_sessions__saml_request_id
-  on saml_application_sessions (tenant_id, saml_request_id);