From 60d7e91b9666823f28ec5056e8f23bc68eaadd0f Mon Sep 17 00:00:00 2001 From: Felix <23635466+its-felix@users.noreply.github.com> Date: Sun, 25 Feb 2024 19:27:34 +0100 Subject: [PATCH] feat: show consent prompt if token invalid or has unverified accs --- ...licationClientAuthorizationRepository.java | 28 ++++++++++++++----- .../oauth2/server/service/OAuth2Scope.java | 10 ++++++- .../ApplicationClientAccountServiceImpl.java | 11 ++++++-- 3 files changed, 39 insertions(+), 10 deletions(-) diff --git a/src/main/java/com/gw2auth/oauth2/server/repository/application/client/authorization/ApplicationClientAuthorizationRepository.java b/src/main/java/com/gw2auth/oauth2/server/repository/application/client/authorization/ApplicationClientAuthorizationRepository.java index 2d999f67..2cd0cc4d 100644 --- a/src/main/java/com/gw2auth/oauth2/server/repository/application/client/authorization/ApplicationClientAuthorizationRepository.java +++ b/src/main/java/com/gw2auth/oauth2/server/repository/application/client/authorization/ApplicationClientAuthorizationRepository.java @@ -166,15 +166,29 @@ WHERE md5(refresh_token_value) = md5(:refresh_token) List findAllWithGw2AccountIdsByAccountIdAndApplicationClientId(@Param("account_id") UUID accountId, @Param("application_client_id") UUID applicationClientId); @Query(""" - SELECT * - FROM application_client_authorizations - WHERE account_id = :account_id - AND application_client_id = :application_client_id - AND authorized_scopes @> ARRAY[ :authorized_scopes ]::TEXT[] - ORDER BY creation_time DESC + SELECT auth.id + FROM application_client_authorizations auth + LEFT JOIN application_client_authorization_gw2_accounts auth_gw2_acc + ON auth.id = auth_gw2_acc.application_client_authorization_id + LEFT JOIN gw2_account_api_tokens gw2_acc_tk + ON auth_gw2_acc.account_id = gw2_acc_tk.account_id AND auth_gw2_acc.gw2_account_id = gw2_acc_tk.gw2_account_id + LEFT JOIN gw2_account_verifications gw2_acc_ver + ON auth_gw2_acc.account_id = gw2_acc_ver.account_id AND auth_gw2_acc.gw2_account_id = gw2_acc_ver.gw2_account_id + WHERE auth.account_id = :account_id + AND auth.application_client_id = :application_client_id + AND auth.authorized_scopes @> ARRAY[ :authorized_scopes ]::TEXT[] + GROUP BY auth.id + HAVING BOOL_AND(gw2_acc_tk.last_valid_time = gw2_acc_tk.last_valid_check_time) + AND (( NOT :requires_gw2_accs ) OR ( COUNT(auth_gw2_acc.*) > 0 )) + AND (( NOT :verified_only ) OR ( COUNT(gw2_acc_ver.*) = COUNT(auth_gw2_acc.*) )) + ORDER BY auth.creation_time DESC LIMIT 1 """) - Optional findLatestByAccountIdAndApplicationClientIdAndHavingScopes(@Param("account_id") UUID accountId, @Param("application_client_id") UUID applicationClientId, @Param("authorized_scopes") Set scopes); + Optional findLatestForNewAuthorization(@Param("account_id") UUID accountId, + @Param("application_client_id") UUID applicationClientId, + @Param("authorized_scopes") Set scopes, + @Param("requires_gw2_accs") boolean requiresGw2Accs, + @Param("verified_only") boolean verifiedOnly); @Query(""" SELECT diff --git a/src/main/java/com/gw2auth/oauth2/server/service/OAuth2Scope.java b/src/main/java/com/gw2auth/oauth2/server/service/OAuth2Scope.java index e583a0e3..f34ee687 100644 --- a/src/main/java/com/gw2auth/oauth2/server/service/OAuth2Scope.java +++ b/src/main/java/com/gw2auth/oauth2/server/service/OAuth2Scope.java @@ -87,7 +87,15 @@ public static OAuth2Scope fromOAuth2Required(String value) { } public static boolean containsAnyGw2AccountRelatedScopes(Set scopes) { - return scopes.stream().anyMatch(GW2_ACCOUNT_RELATED::contains); + return scopes.stream().anyMatch(OAuth2Scope::isGw2AccountRelatedScope); + } + + public static boolean isGw2AuthVerifiedScope(OAuth2Scope scope) { + return scope == GW2AUTH_VERIFIED || scope == GW2ACC_VERIFIED; + } + + public static boolean isGw2AccountRelatedScope(OAuth2Scope scope) { + return GW2_ACCOUNT_RELATED.contains(scope); } public static Stream allForVersion(OAuth2ClientApiVersion clientApiVersion) { diff --git a/src/main/java/com/gw2auth/oauth2/server/service/application/client/account/ApplicationClientAccountServiceImpl.java b/src/main/java/com/gw2auth/oauth2/server/service/application/client/account/ApplicationClientAccountServiceImpl.java index 44332448..649b5914 100644 --- a/src/main/java/com/gw2auth/oauth2/server/service/application/client/account/ApplicationClientAccountServiceImpl.java +++ b/src/main/java/com/gw2auth/oauth2/server/service/application/client/account/ApplicationClientAccountServiceImpl.java @@ -209,8 +209,15 @@ public OAuth2AuthorizationConsent findById(String registeredClientId, String pri return null; } - final String copyGw2AccountIdsFromClientAuthorizationId = this.applicationClientAuthorizationRepository.findLatestByAccountIdAndApplicationClientIdAndHavingScopes(accountId, applicationClientId, this.authorizationCodeParamAccessor.getRequestedScopes()) - .map(ApplicationClientAuthorizationEntity::id) + final Set requestedScopes = this.authorizationCodeParamAccessor.getRequestedScopes(); + final boolean requiresGw2Accs = requestedScopes.stream() + .map(OAuth2Scope::fromOAuth2Required) + .anyMatch(OAuth2Scope::isGw2AccountRelatedScope); + final boolean verifiedOnly = requestedScopes.stream() + .map(OAuth2Scope::fromOAuth2Required) + .anyMatch(OAuth2Scope::isGw2AuthVerifiedScope); + + final String copyGw2AccountIdsFromClientAuthorizationId = this.applicationClientAuthorizationRepository.findLatestForNewAuthorization(accountId, applicationClientId, requestedScopes, requiresGw2Accs, verifiedOnly) .orElse(null); if (copyGw2AccountIdsFromClientAuthorizationId == null) {