0
Fork 0
mirror of https://github.com/logto-io/logto.git synced 2025-01-06 20:40:08 -05:00

chore: update code

This commit is contained in:
Darcy Ye 2024-12-26 12:22:17 +08:00
parent e7ca10056c
commit fd2ea4a24e
No known key found for this signature in database
GPG key ID: B46F4C07EDEFC610
3 changed files with 45 additions and 50 deletions

View file

@ -4,6 +4,7 @@ import { sql } from '@silverhand/slonik';
import { buildInsertIntoWithPool } from '#src/database/insert-into.js'; import { buildInsertIntoWithPool } from '#src/database/insert-into.js';
import { buildUpdateWhereWithPool } from '#src/database/update-where.js'; import { buildUpdateWhereWithPool } from '#src/database/update-where.js';
import { DeletionError } from '#src/errors/SlonikError/index.js';
import { convertToIdentifiers } from '#src/utils/sql.js'; import { convertToIdentifiers } from '#src/utils/sql.js';
const { table, fields } = convertToIdentifiers(SamlApplicationSessions); const { table, fields } = convertToIdentifiers(SamlApplicationSessions);
@ -15,16 +16,48 @@ export const createSamlApplicationSessionQueries = (pool: CommonQueryMethods) =>
const updateSession = buildUpdateWhereWithPool(pool)(SamlApplicationSessions, true); const updateSession = buildUpdateWhereWithPool(pool)(SamlApplicationSessions, true);
const deleteExpiredOrFullyUsedSessions = async () => { /**
* Removes the OIDC state from a session, which marks OIDC state as consumed.
*
* @param id The ID of the session.
* @returns The updated session.
*/
const removeSessionOidcStateById = async (id: string) =>
updateSession({
set: { oidcState: null },
where: { id },
jsonbMode: 'merge',
});
const deleteExpiredSessions = async () => {
const { rowCount } = await pool.query(sql` const { rowCount } = await pool.query(sql`
delete from ${table} delete from ${table}
where ${fields.expiresAt} < now() where ${fields.expiresAt} < now()
or (${fields.isSamlResponseSent} = true and ${fields.isOidcStateChecked} = true)
`); `);
return rowCount; if (rowCount < 1) {
throw new DeletionError(SamlApplicationSessions.table);
}
}; };
const deleteSessionById = async (id: string) => {
const { rowCount } = await pool.query(sql`
delete from ${table}
where ${fields.id} = ${id}
`);
if (rowCount < 1) {
throw new DeletionError(SamlApplicationSessions.table);
}
};
const findSessionById = async (id: string) =>
pool.maybeOne<SamlApplicationSession>(sql`
select ${sql.join(Object.values(fields), sql`, `)}
from ${table}
where ${fields.id}=${id}
`);
const findSessionsByApplicationId = async (applicationId: string) => const findSessionsByApplicationId = async (applicationId: string) =>
pool.any<SamlApplicationSession>(sql` pool.any<SamlApplicationSession>(sql`
select ${sql.join(Object.values(fields), sql`, `)} select ${sql.join(Object.values(fields), sql`, `)}
@ -32,35 +65,13 @@ export const createSamlApplicationSessionQueries = (pool: CommonQueryMethods) =>
where ${fields.applicationId}=${applicationId} where ${fields.applicationId}=${applicationId}
`); `);
const findAvailableSessionByAppIdAndState = async (applicationId: string, state: string) =>
pool.one<SamlApplicationSession>(sql`
select ${sql.join(Object.values(fields), sql`, `)}
from ${table}
where ${fields.applicationId}=${applicationId}
and ${fields.oidcState}=${state} and ${fields.isOidcStateChecked} = false and ${
fields.expiresAt
} > now()
`);
const findAvailableSessionByAppIdAndSamlRequestId = async (
applicationId: string,
samlRequestId: string
) =>
pool.one<SamlApplicationSession>(sql`
select ${sql.join(Object.values(fields), sql`, `)}
from ${table}
where ${fields.applicationId}=${applicationId}
and ${fields.samlRequestId}=${samlRequestId} and ${fields.isSamlResponseSent} = false and ${
fields.expiresAt
} > now()
`);
return { return {
insertSession, insertSession,
updateSession, updateSession,
deleteExpiredOrFullyUsedSessions, removeSessionOidcStateById,
deleteExpiredSessions,
deleteSessionById,
findSessionById,
findSessionsByApplicationId, findSessionsByApplicationId,
findAvailableSessionByAppIdAndState,
findAvailableSessionByAppIdAndSamlRequestId,
}; };
}; };

View file

@ -13,23 +13,16 @@ const alteration: AlterationScript = {
id varchar(32) not null, id varchar(32) not null,
application_id varchar(21) not null application_id varchar(21) not null
references applications (id) on update cascade on delete cascade, references applications (id) on update cascade on delete cascade,
saml_request_id varchar(128), saml_request_id varchar(128) not null,
oidc_state varchar(32), oidc_state varchar(32),
is_oidc_state_checked boolean not null default false,
is_saml_response_sent boolean not null default false,
relay_state varchar(256), relay_state varchar(256),
auth_request_info jsonb not null, raw_auth_request text not null,
created_at timestamptz not null default(now()), created_at timestamptz not null default(now()),
expires_at timestamptz not null, expires_at timestamptz not null,
primary key (tenant_id, id), primary key (tenant_id, id),
constraint saml_application_sessions__application_type constraint saml_application_sessions__application_type
check (check_application_type(application_id, 'SAML')) check (check_application_type(application_id, 'SAML'))
); );
create unique index saml_application_sessions__oidc_state
on saml_application_sessions (tenant_id, oidc_state);
create unique index saml_application_sessions__saml_request_id
on saml_application_sessions (tenant_id, saml_request_id);
`); `);
await applyTableRls(pool, 'saml_application_sessions'); await applyTableRls(pool, 'saml_application_sessions');
}, },

View file

@ -8,25 +8,16 @@ create table saml_application_sessions (
application_id varchar(21) not null application_id varchar(21) not null
references applications (id) on update cascade on delete cascade, references applications (id) on update cascade on delete cascade,
/** The identifier of the SAML SSO auth request ID, SAML request ID is pretty long. */ /** The identifier of the SAML SSO auth request ID, SAML request ID is pretty long. */
saml_request_id varchar(128), saml_request_id varchar(128) not null,
/** The identifier of the OIDC auth request state. */ /** The identifier of the OIDC auth request state. */
oidc_state varchar(32), oidc_state varchar(32),
/** When checking the OIDC auth state, we should have this flag to prevent replay attack. */
is_oidc_state_checked boolean not null default false,
/** When sending the SAML authn response, we should have this flag to prevent replay attack. */
is_saml_response_sent boolean not null default false,
/** The relay state of the SAML auth request. */ /** The relay state of the SAML auth request. */
relay_state varchar(256), relay_state varchar(256),
/** The request info of the SAML auth request. */ /** The raw request of the SAML auth request. */
auth_request_info jsonb /* @use AuthRequestInfo */ not null, raw_auth_request text not null,
created_at timestamptz not null default(now()), created_at timestamptz not null default(now()),
expires_at timestamptz not null, expires_at timestamptz not null,
primary key (tenant_id, id), primary key (tenant_id, id),
constraint saml_application_sessions__application_type constraint saml_application_sessions__application_type
check (check_application_type(application_id, 'SAML')) check (check_application_type(application_id, 'SAML'))
); );
create unique index saml_application_sessions__oidc_state
on saml_application_sessions (tenant_id, oidc_state);
create unique index saml_application_sessions__saml_request_id
on saml_application_sessions (tenant_id, saml_request_id);