dev: Create new GetAccessTokenWithSession to minimize calls

Author: vlasebian

config/messages.json

@@ -8846,6 +8846,15 @@
       "file": "oauth.go"
     }
   },
+  "error:pkg/oauth:session_expired": {
+    "translations": {
+      "en": "session expired"
+    },
+    "description": {
+      "package": "pkg/oauth",
+      "file": "storage.go"
+    }
+  },
   "error:pkg/oauth:token": {
     "translations": {
       "en": "invalid token"

pkg/identityserver/bunstore/oauth_store.go

@@ -698,6 +698,54 @@ func (s *oauthStore) GetAccessToken(ctx context.Context, id string) (*ttnpb.OAut
 	return pb, nil
 }
 
+func (s *oauthStore) GetAccessTokenWithSession(
+	ctx context.Context, id string,
+) (*ttnpb.OAuthAccessToken, *ttnpb.UserSession, error) {
+	ctx, span := tracer.StartFromContext(ctx, "GetAccessTokenWithSession")
+	defer span.End()
+
+	model := &AccessToken{}
+	selectQuery := s.newSelectModel(ctx, model).
+		Where("token_id = ?", id).
+		Relation("User", func(q *bun.SelectQuery) *bun.SelectQuery {
+			return q.Column("account_uid")
+		}).
+		Relation("Client", func(q *bun.SelectQuery) *bun.SelectQuery {
+			return q.Column("client_id")
+		}).
+		Relation("UserSession")
+
+	if err := selectQuery.Scan(ctx); err != nil {
+		err = storeutil.WrapDriverError(err)
+		if errors.IsNotFound(err) {
+			return nil, nil, store.ErrAccessTokenNotFound.WithAttributes(
+				"access_token_id", id,
+			)
+		}
+		return nil, nil, err
+	}
+
+	// NOTE: This imposes a limitation on the client's rights if the token's user is the unique support user.
+	if model.User.Account.UID == ttnpb.SupportUserID {
+		model.Rights = convertIntSlice[ttnpb.Right, int](ttnpb.AllReadAdminRights.GetRights())
+	}
+
+	pb, err := accessTokenToPB(model, nil, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	var sessionPB *ttnpb.UserSession
+	if model.UserSession != nil {
+		sessionPB, err = userSessionToPB(model.UserSession, pb.UserIds)
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+
+	return pb, sessionPB, nil
+}
+
 func (s *oauthStore) DeleteAccessToken(ctx context.Context, id string) error {
 	ctx, span := tracer.StartFromContext(ctx, "DeleteAccessToken")
 	defer span.End()

pkg/identityserver/entity_access.go

@@ -178,7 +178,7 @@ func (is *IdentityServer) authInfo(ctx context.Context) (info *ttnpb.AuthInfoRes
 		}
 	case auth.AccessToken:
 		fetch = func(ctx context.Context, st store.Store) error {
-			accessToken, err := st.GetAccessToken(ctx, tokenID)
+			accessToken, session, err := st.GetAccessTokenWithSession(ctx, tokenID)
 			if err != nil {
 				if errors.IsNotFound(err) {
 					return errTokenNotFound.WithCause(err)
@@ -198,12 +198,8 @@ func (is *IdentityServer) authInfo(ctx context.Context) (info *ttnpb.AuthInfoRes
 				return errTokenExpired.New()
 			}
 			if accessToken.UserSessionId != "" {
-				session, err := st.GetSession(ctx, accessToken.UserIds, accessToken.UserSessionId)
-				if err != nil {
-					if errors.IsNotFound(err) {
-						return errTokenExpired.WithCause(err)
-					}
-					return err
+				if session == nil {
+					return errTokenExpired.New()
 				}
 				if expiresAt := ttnpb.StdTime(session.ExpiresAt); expiresAt != nil && expiresAt.Before(time.Now()) {
 					return errTokenExpired.New()

pkg/identityserver/entity_access_test.go

@@ -15,11 +15,15 @@
 package identityserver
 
 import (
+	"context"
 	"testing"
 	"time"
 
+	"go.thethings.network/lorawan-stack/v3/pkg/auth"
+	"go.thethings.network/lorawan-stack/v3/pkg/auth/pbkdf2"
 	"go.thethings.network/lorawan-stack/v3/pkg/errors"
 	"go.thethings.network/lorawan-stack/v3/pkg/identityserver/storetest"
+	"go.thethings.network/lorawan-stack/v3/pkg/rpcmetadata"
 	"go.thethings.network/lorawan-stack/v3/pkg/ttnpb"
 	"go.thethings.network/lorawan-stack/v3/pkg/util/test"
 	"go.thethings.network/lorawan-stack/v3/pkg/util/test/assertions/should"
@@ -64,7 +68,86 @@ func TestEntityAccess(t *testing.T) {
 	storedKey.ExpiresAt = timestamppb.New(time.Now().Add(-10 * time.Minute))
 	expiredCreds := rpcCreds(expiredKey)
 
+	oauthUsr := p.NewUser()
+	oauthClient := p.NewClient(oauthUsr.GetOrganizationOrUserIdentifiers())
+	oauthClient.Rights = []ttnpb.Right{ttnpb.Right_RIGHT_USER_ALL}
+
+	// Session that is already expired.
+	expiredSession := p.NewUserSession(oauthUsr.GetIds())
+	p.UserSessions[len(p.UserSessions)-1].ExpiresAt = timestamppb.New(time.Now().Add(-10 * time.Minute))
+
+	// Session that is still valid.
+	validSession := p.NewUserSession(oauthUsr.GetIds())
+	p.UserSessions[len(p.UserSessions)-1].ExpiresAt = timestamppb.New(time.Now().Add(10 * time.Minute))
+
+	// Generate access token bearer strings. The stored AccessToken is the hashed key.
+	newBearerAccessToken := func() (bearer, tokenID, hashed string) {
+		t.Helper()
+		raw, err := auth.AccessToken.Generate(context.Background(), "")
+		if err != nil {
+			t.Fatal(err)
+		}
+		_, tokenID, key, err := auth.SplitToken(raw)
+		if err != nil {
+			t.Fatal(err)
+		}
+		hashValidator := pbkdf2.Default()
+		hashValidator.Iterations = 10
+		hashed, err = auth.Hash(auth.NewContextWithHashValidator(context.Background(), hashValidator), key)
+		if err != nil {
+			t.Fatal(err)
+		}
+		return raw, tokenID, hashed
+	}
+
+	expiredSessionToken, expiredSessionTokenID, expiredSessionTokenHash := newBearerAccessToken()
+	missingSessionToken, missingSessionTokenID, missingSessionTokenHash := newBearerAccessToken()
+	validSessionToken, validSessionTokenID, validSessionTokenHash := newBearerAccessToken()
+
+	bearerCreds := func(bearer string) grpc.CallOption {
+		return grpc.PerRPCCredentials(rpcmetadata.MD{
+			AuthType:      "bearer",
+			AuthValue:     bearer,
+			AllowInsecure: true,
+		})
+	}
+
 	testWithIdentityServer(t, func(is *IdentityServer, cc *grpc.ClientConn) {
+		ctx := test.Context()
+		if _, err := is.store.CreateAccessToken(ctx, &ttnpb.OAuthAccessToken{
+			UserIds:       oauthUsr.GetIds(),
+			ClientIds:     oauthClient.GetIds(),
+			UserSessionId: expiredSession.GetSessionId(),
+			Id:            expiredSessionTokenID,
+			AccessToken:   expiredSessionTokenHash,
+			Rights:        oauthClient.GetRights(),
+			ExpiresAt:     timestamppb.New(time.Now().Add(time.Hour)),
+		}, ""); err != nil {
+			t.Fatal(err)
+		}
+		if _, err := is.store.CreateAccessToken(ctx, &ttnpb.OAuthAccessToken{
+			UserIds:       oauthUsr.GetIds(),
+			ClientIds:     oauthClient.GetIds(),
+			UserSessionId: "00000000-0000-0000-0000-000000000000",
+			Id:            missingSessionTokenID,
+			AccessToken:   missingSessionTokenHash,
+			Rights:        oauthClient.GetRights(),
+			ExpiresAt:     timestamppb.New(time.Now().Add(time.Hour)),
+		}, ""); err != nil {
+			t.Fatal(err)
+		}
+		if _, err := is.store.CreateAccessToken(ctx, &ttnpb.OAuthAccessToken{
+			UserIds:       oauthUsr.GetIds(),
+			ClientIds:     oauthClient.GetIds(),
+			UserSessionId: validSession.GetSessionId(),
+			Id:            validSessionTokenID,
+			AccessToken:   validSessionTokenHash,
+			Rights:        oauthClient.GetRights(),
+			ExpiresAt:     timestamppb.New(time.Now().Add(time.Hour)),
+		}, ""); err != nil {
+			t.Fatal(err)
+		}
+
 		is.config.UserRegistration.ContactInfoValidation.Required = true
 
 		cli := ttnpb.NewEntityAccessClient(cc)
@@ -166,5 +249,29 @@ func TestEntityAccess(t *testing.T) {
 				a.So(errors.IsUnauthenticated(err), should.BeTrue)
 			}
 		})
+
+		t.Run("Access Token with Valid Session", func(t *testing.T) {
+			a, ctx := test.New(t)
+			authInfo, err := cli.AuthInfo(ctx, ttnpb.Empty, bearerCreds(validSessionToken))
+			if a.So(err, should.BeNil) && a.So(authInfo, should.NotBeNil) {
+				a.So(authInfo.GetOauthAccessToken(), should.NotBeNil)
+			}
+		})
+
+		t.Run("Access Token with Expired Session", func(t *testing.T) {
+			a, ctx := test.New(t)
+			_, err := cli.AuthInfo(ctx, ttnpb.Empty, bearerCreds(expiredSessionToken))
+			if a.So(err, should.NotBeNil) {
+				a.So(errors.IsUnauthenticated(err), should.BeTrue)
+			}
+		})
+
+		t.Run("Access Token with Missing Session", func(t *testing.T) {
+			a, ctx := test.New(t)
+			_, err := cli.AuthInfo(ctx, ttnpb.Empty, bearerCreds(missingSessionToken))
+			if a.So(err, should.NotBeNil) {
+				a.So(errors.IsUnauthenticated(err), should.BeTrue)
+			}
+		})
 	}, withPrivateTestDatabase(p))
 }

pkg/identityserver/identityserver.go

@@ -160,6 +160,12 @@ func New(c *component.Component, config *Config) (is *IdentityServer, err error)
 
 	is.config.OAuth.CSRFAuthKey = is.GetBaseConfig(is.Context()).HTTP.Cookie.HashKey
 	is.config.OAuth.UI.FrontendConfig.EnableUserRegistration = is.config.UserRegistration.Enabled
+	if is.config.UserLogin.SessionTTL < 0 {
+		log.FromContext(is.Context()).WithField("session_ttl", is.config.UserLogin.SessionTTL).Warn(
+			"Negative is.user-login.session-ttl; resetting to 0 (sessions never expire)",
+		)
+		is.config.UserLogin.SessionTTL = 0
+	}
 	is.config.OAuth.Login.SessionTTL = is.config.UserLogin.SessionTTL
 	is.oauth, err = oauth.NewServer(c, &oauthAppStore{is.store}, is.config.OAuth, GenerateCSPString)
 	if err != nil {

pkg/identityserver/store/store_interfaces.go

@@ -310,6 +310,9 @@ type OAuthStore interface {
 		ctx context.Context, userIDs *ttnpb.UserIdentifiers, clientIDs *ttnpb.ClientIdentifiers,
 	) ([]*ttnpb.OAuthAccessToken, error)
 	GetAccessToken(ctx context.Context, id string) (*ttnpb.OAuthAccessToken, error)
+	// GetAccessTokenWithSession returns the access token and its linked user session.
+	// The returned session is nil if the token is not linked to a session or the session no longer exists.
+	GetAccessTokenWithSession(ctx context.Context, id string) (*ttnpb.OAuthAccessToken, *ttnpb.UserSession, error)
 	DeleteAccessToken(ctx context.Context, id string) error
 }
 

pkg/webui/locales/ja.json

@@ -2871,6 +2871,7 @@
   "error:pkg/oauth:no_access_token": "提供されたトークンはアクセストークンではありません",
   "error:pkg/oauth:no_refresh_token": "提供されたトークンは更新トークンではありません",
   "error:pkg/oauth:parse": "リクエストボディの解析",
+  "error:pkg/oauth:session_expired": "",
   "error:pkg/oauth:token": "無効なトークン",
   "error:pkg/oauth:token_mismatch": "更新トークンID `{refresh_token_id}` はアクセストークンID `{access_token_id}` と一致しません",
   "error:pkg/oauth:unauthorized_client": "クライアントがこの手段でトークンを要求することは認証されていません",