feat: show consent prompt if token invalid or has unverified accs

gw2auth · Feb 25, 2024 · 60d7e91 · 60d7e91
1 parent 717a152
commit 60d7e91
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 10 deletions.
diff --git a/...repository/application/client/authorization/ApplicationClientAuthorizationRepository.java b/...repository/application/client/authorization/ApplicationClientAuthorizationRepository.java
@@ -166,15 +166,29 @@ WHERE md5(refresh_token_value) = md5(:refresh_token)
     List<ApplicationClientAuthorizationWithGw2AccountIdsEntity> findAllWithGw2AccountIdsByAccountIdAndApplicationClientId(@Param("account_id") UUID accountId, @Param("application_client_id") UUID applicationClientId);
 
     @Query("""
-    SELECT *
-    FROM application_client_authorizations
-    WHERE account_id = :account_id
-    AND application_client_id = :application_client_id
-    AND authorized_scopes @> ARRAY[ :authorized_scopes ]::TEXT[]
-    ORDER BY creation_time DESC
+    SELECT auth.id
+    FROM application_client_authorizations auth
+    LEFT JOIN application_client_authorization_gw2_accounts auth_gw2_acc
+    ON auth.id = auth_gw2_acc.application_client_authorization_id
+    LEFT JOIN gw2_account_api_tokens gw2_acc_tk
+    ON auth_gw2_acc.account_id = gw2_acc_tk.account_id AND auth_gw2_acc.gw2_account_id = gw2_acc_tk.gw2_account_id
+    LEFT JOIN gw2_account_verifications gw2_acc_ver
+    ON auth_gw2_acc.account_id = gw2_acc_ver.account_id AND auth_gw2_acc.gw2_account_id = gw2_acc_ver.gw2_account_id
+    WHERE auth.account_id = :account_id
+    AND auth.application_client_id = :application_client_id
+    AND auth.authorized_scopes @> ARRAY[ :authorized_scopes ]::TEXT[]
+    GROUP BY auth.id
+    HAVING BOOL_AND(gw2_acc_tk.last_valid_time = gw2_acc_tk.last_valid_check_time)
+    AND (( NOT :requires_gw2_accs ) OR ( COUNT(auth_gw2_acc.*) > 0 ))
+    AND (( NOT :verified_only ) OR ( COUNT(gw2_acc_ver.*) = COUNT(auth_gw2_acc.*) ))
+    ORDER BY auth.creation_time DESC
     LIMIT 1
     """)
-    Optional<ApplicationClientAuthorizationEntity> findLatestByAccountIdAndApplicationClientIdAndHavingScopes(@Param("account_id") UUID accountId, @Param("application_client_id") UUID applicationClientId, @Param("authorized_scopes") Set<String> scopes);
+    Optional<String> findLatestForNewAuthorization(@Param("account_id") UUID accountId,
+                                                   @Param("application_client_id") UUID applicationClientId,
+                                                   @Param("authorized_scopes") Set<String> scopes,
+                                                   @Param("requires_gw2_accs") boolean requiresGw2Accs,
+                                                   @Param("verified_only") boolean verifiedOnly);
 
     @Query("""
     SELECT

diff --git a/src/main/java/com/gw2auth/oauth2/server/service/OAuth2Scope.java b/src/main/java/com/gw2auth/oauth2/server/service/OAuth2Scope.java
@@ -87,7 +87,15 @@ public static OAuth2Scope fromOAuth2Required(String value) {
     }
 
     public static boolean containsAnyGw2AccountRelatedScopes(Set<OAuth2Scope> scopes) {
-        return scopes.stream().anyMatch(GW2_ACCOUNT_RELATED::contains);
+        return scopes.stream().anyMatch(OAuth2Scope::isGw2AccountRelatedScope);
+    }
+
+    public static boolean isGw2AuthVerifiedScope(OAuth2Scope scope) {
+        return scope == GW2AUTH_VERIFIED || scope == GW2ACC_VERIFIED;
+    }
+
+    public static boolean isGw2AccountRelatedScope(OAuth2Scope scope) {
+        return GW2_ACCOUNT_RELATED.contains(scope);
     }
 
     public static Stream<OAuth2Scope> allForVersion(OAuth2ClientApiVersion clientApiVersion) {

diff --git a/...oauth2/server/service/application/client/account/ApplicationClientAccountServiceImpl.java b/...oauth2/server/service/application/client/account/ApplicationClientAccountServiceImpl.java
@@ -209,8 +209,15 @@ public OAuth2AuthorizationConsent findById(String registeredClientId, String pri
                 return null;
             }
 
-            final String copyGw2AccountIdsFromClientAuthorizationId = this.applicationClientAuthorizationRepository.findLatestByAccountIdAndApplicationClientIdAndHavingScopes(accountId, applicationClientId, this.authorizationCodeParamAccessor.getRequestedScopes())
-                    .map(ApplicationClientAuthorizationEntity::id)
+            final Set<String> requestedScopes = this.authorizationCodeParamAccessor.getRequestedScopes();
+            final boolean requiresGw2Accs = requestedScopes.stream()
+                    .map(OAuth2Scope::fromOAuth2Required)
+                    .anyMatch(OAuth2Scope::isGw2AccountRelatedScope);
+            final boolean verifiedOnly = requestedScopes.stream()
+                    .map(OAuth2Scope::fromOAuth2Required)
+                    .anyMatch(OAuth2Scope::isGw2AuthVerifiedScope);
+
+            final String copyGw2AccountIdsFromClientAuthorizationId = this.applicationClientAuthorizationRepository.findLatestForNewAuthorization(accountId, applicationClientId, requestedScopes, requiresGw2Accs, verifiedOnly)
                     .orElse(null);
 
             if (copyGw2AccountIdsFromClientAuthorizationId == null) {