P4-05: OIDC login (generic, JIT-provisioned) #16
@@ -12,13 +12,14 @@ import (
|
||||
// insert; the raw token is what the caller hands to the user (cookie).
|
||||
func (s *Store) CreateSession(ctx context.Context, sess Session, tokenHash string) error {
|
||||
_, err := s.db.ExecContext(ctx,
|
||||
`INSERT INTO sessions (id, user_id, created_at, expires_at, ip, ua)
|
||||
VALUES (?, ?, ?, ?, ?, ?)`,
|
||||
`INSERT INTO sessions (id, user_id, created_at, expires_at, ip, ua, id_token)
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?)`,
|
||||
tokenHash,
|
||||
sess.UserID,
|
||||
sess.CreatedAt.UTC().Format(time.RFC3339Nano),
|
||||
sess.ExpiresAt.UTC().Format(time.RFC3339Nano),
|
||||
sess.IP, sess.UA)
|
||||
nullableStr(sess.IP), nullableStr(sess.UA),
|
||||
nullableStr(sess.IDToken))
|
||||
if err != nil {
|
||||
return fmt.Errorf("store: create session: %w", err)
|
||||
}
|
||||
@@ -32,15 +33,15 @@ func (s *Store) CreateSession(ctx context.Context, sess Session, tokenHash strin
|
||||
// of valid token hashes.
|
||||
func (s *Store) LookupSession(ctx context.Context, tokenHash string) (*Session, error) {
|
||||
row := s.db.QueryRowContext(ctx,
|
||||
`SELECT id, user_id, created_at, expires_at, ip, ua
|
||||
`SELECT id, user_id, created_at, expires_at, ip, ua, id_token
|
||||
FROM sessions
|
||||
WHERE id = ? AND expires_at > ?`,
|
||||
tokenHash, time.Now().UTC().Format(time.RFC3339Nano))
|
||||
|
||||
var sess Session
|
||||
var created, expires string
|
||||
var ip, ua sql.NullString
|
||||
if err := row.Scan(&sess.ID, &sess.UserID, &created, &expires, &ip, &ua); err != nil {
|
||||
var ip, ua, idTok sql.NullString
|
||||
if err := row.Scan(&sess.ID, &sess.UserID, &created, &expires, &ip, &ua, &idTok); err != nil {
|
||||
if errors.Is(err, sql.ErrNoRows) {
|
||||
return nil, ErrNotFound
|
||||
}
|
||||
@@ -62,6 +63,9 @@ func (s *Store) LookupSession(ctx context.Context, tokenHash string) (*Session,
|
||||
if ua.Valid {
|
||||
sess.UA = ua.String
|
||||
}
|
||||
if idTok.Valid {
|
||||
sess.IDToken = idTok.String
|
||||
}
|
||||
return &sess, nil
|
||||
}
|
||||
|
||||
|
||||
@@ -43,3 +43,34 @@ func TestDeleteSessionsByUserID(t *testing.T) {
|
||||
t.Error("hash1 should be gone")
|
||||
}
|
||||
}
|
||||
|
||||
func TestSessionRoundTripsIDToken(t *testing.T) {
|
||||
t.Parallel()
|
||||
s := openTestStore(t)
|
||||
ctx := context.Background()
|
||||
now := time.Now().UTC()
|
||||
|
||||
uid := "u-oidc"
|
||||
if err := s.CreateUser(ctx, User{
|
||||
ID: uid, Username: "ouser", PasswordHash: "",
|
||||
Role: RoleOperator, CreatedAt: now,
|
||||
AuthSource: "oidc",
|
||||
}); err != nil {
|
||||
t.Fatalf("create user: %v", err)
|
||||
}
|
||||
|
||||
if err := s.CreateSession(ctx, Session{
|
||||
ID: "h1", UserID: uid, CreatedAt: now,
|
||||
ExpiresAt: now.Add(time.Hour),
|
||||
IDToken: "eyJ.fake.jwt",
|
||||
}, "h1"); err != nil {
|
||||
t.Fatalf("create session: %v", err)
|
||||
}
|
||||
got, err := s.LookupSession(ctx, "h1")
|
||||
if err != nil {
|
||||
t.Fatalf("lookup: %v", err)
|
||||
}
|
||||
if got.IDToken != "eyJ.fake.jwt" {
|
||||
t.Errorf("id_token round trip: got %q", got.IDToken)
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user