Add SynapseReader support for access tokens and refresh tokens

Author: reivilibre

crates/syn2mas/src/synapse_reader/fixtures/access_token_alice.sql

@@ -0,0 +1,14 @@
+INSERT INTO access_tokens
+  (
+  id,
+  user_id,
+  device_id,
+  token
+  )
+  VALUES
+  (
+  42,
+  '@alice:example.com',
+  'ADEVICE',
+  'syt_aaaaaaaaaaaaaa_aaaa'
+  );

crates/syn2mas/src/synapse_reader/fixtures/access_token_alice_with_puppet.sql

@@ -0,0 +1,16 @@
+INSERT INTO access_tokens
+  (
+  id,
+  user_id,
+  device_id,
+  token,
+  puppets_user_id
+  )
+  VALUES
+  (
+  42,
+  '@alice:example.com',
+  NULL,
+  'syt_pupupupupup_eett',
+  '@bob:example.com'
+  );

crates/syn2mas/src/synapse_reader/fixtures/access_token_alice_with_refresh_token.sql

@@ -0,0 +1,56 @@
+INSERT INTO access_tokens
+  (
+  id,
+  user_id,
+  device_id,
+  token,
+  refresh_token_id,
+  used
+  )
+  VALUES
+  (
+    42,
+    '@alice:example.com',
+    'ADEVICE',
+    'syt_aaaaaaaaaaaaaa_aaaa',
+    7,
+    TRUE
+  ),
+  (
+    43,
+    '@alice:example.com',
+    'ADEVICE',
+    'syt_AAAAAAAAAAAAAA_AAAA',
+    8,
+    TRUE
+  );
+
+INSERT INTO refresh_tokens
+  (
+  id,
+  user_id,
+  device_id,
+  token,
+  next_token_id,
+  expiry_ts,
+  ultimate_session_expiry_ts
+  )
+  VALUES
+  (
+    7,
+    '@alice:example.com',
+    'ADEVICE',
+    'syr_bbbbbbbbbbbbb_bbbb',
+    8,
+    1738096199000,
+    1778096199000
+  ),
+  (
+    8,
+    '@alice:example.com',
+    'ADEVICE',
+    'syr_cccccccccccc_cccc',
+    NULL,
+    1748096199000,
+    1778096199000
+  );

crates/syn2mas/src/synapse_reader/fixtures/access_token_alice_with_unused_refresh_token.sql

@@ -0,0 +1,56 @@
+INSERT INTO access_tokens
+  (
+  id,
+  user_id,
+  device_id,
+  token,
+  refresh_token_id,
+  used
+  )
+  VALUES
+  (
+    42,
+    '@alice:example.com',
+    'ADEVICE',
+    'syt_aaaaaaaaaaaaaa_aaaa',
+    7,
+    TRUE
+  ),
+  (
+    43,
+    '@alice:example.com',
+    'ADEVICE',
+    'syt_AAAAAAAAAAAAAA_AAAA',
+    8,
+    FALSE
+  );
+
+INSERT INTO refresh_tokens
+  (
+  id,
+  user_id,
+  device_id,
+  token,
+  next_token_id,
+  expiry_ts,
+  ultimate_session_expiry_ts
+  )
+  VALUES
+  (
+    7,
+    '@alice:example.com',
+    'ADEVICE',
+    'syr_bbbbbbbbbbbbb_bbbb',
+    8,
+    1738096199000,
+    1778096199000
+  ),
+  (
+    8,
+    '@alice:example.com',
+    'ADEVICE',
+    'syr_cccccccccccc_cccc',
+    NULL,
+    1748096199000,
+    1778096199000
+  );

crates/syn2mas/src/synapse_reader/mod.rs

@@ -209,6 +209,26 @@ pub struct SynapseExternalId {
     pub external_id: String,
 }
 
+/// Row of the `access_tokens` table in Synapse.
+#[derive(Clone, Debug, FromRow, PartialEq, Eq, PartialOrd, Ord)]
+pub struct SynapseAccessToken {
+    pub user_id: FullUserId,
+    pub device_id: Option<String>,
+    pub token: String,
+    pub valid_until_ms: Option<MillisecondsTimestamp>,
+    pub last_validated: Option<MillisecondsTimestamp>,
+    pub refresh_token_id: Option<i64>,
+}
+
+/// Row of the `refresh_tokens` table in Synapse.
+#[derive(Clone, Debug, FromRow, PartialEq, Eq, PartialOrd, Ord)]
+pub struct SynapseRefreshToken {
+    pub id: i64,
+    pub user_id: FullUserId,
+    pub device_id: String,
+    pub token: String,
+}
+
 /// List of Synapse tables that we should acquire an `EXCLUSIVE` lock on.
 ///
 /// This is a safety measure against other processes changing the data
@@ -350,6 +370,54 @@ impl<'conn> SynapseReader<'conn> {
         .fetch(&mut *self.txn)
         .map_err(|err| err.into_database("reading Synapse user external IDs"))
     }
+
+    /// Reads access tokens from the Synapse database.
+    /// This does not include access tokens used for puppetting users, as those
+    /// are not supported by MAS. This also does not include access tokens
+    /// which have been made obsolete by using the associated refresh token
+    /// and then acknowledging the successor access token by using it to
+    /// authenticate a request.
+    pub fn read_access_tokens(
+        &mut self,
+    ) -> impl Stream<Item = Result<SynapseAccessToken, Error>> + '_ {
+        sqlx::query_as(
+            "
+            SELECT
+              at0.user_id, at0.device_id, at0.token, at0.valid_until_ms, at0.last_validated, at0.refresh_token_id
+            FROM access_tokens at0
+            LEFT JOIN refresh_tokens rt0 ON at0.refresh_token_id = rt0.id
+            LEFT JOIN access_tokens at1 ON rt0.next_token_id = at1.refresh_token_id
+            WHERE at0.puppets_user_id IS NULL AND (NOT at1.used OR at1.used IS NULL)
+            ",
+        )
+        .fetch(&mut *self.txn)
+        .map_err(|err| err.into_database("reading Synapse access tokens"))
+    }
+
+    /// Reads refresh tokens from the Synapse database.
+    /// This also does not include refresh tokens which have been made obsolete
+    /// by using the refresh token and then acknowledging the
+    /// successor access token by using it to authenticate a request.
+    ///
+    /// The `expiry_ts` and `ultimate_session_expiry_ts` columns are ignored as
+    /// they are not implemented in MAS.
+    /// Further, they are unused by any real-world deployment to the best of
+    /// our knowledge.
+    pub fn read_refresh_tokens(
+        &mut self,
+    ) -> impl Stream<Item = Result<SynapseRefreshToken, Error>> + '_ {
+        sqlx::query_as(
+            "
+            SELECT
+              rt0.id, rt0.user_id, rt0.device_id, rt0.token, rt0.next_token_id
+            FROM refresh_tokens rt0
+            LEFT JOIN access_tokens at1 ON at1.refresh_token_id = rt0.next_token_id
+            WHERE NOT at1.used OR at1.used IS NULL
+            ",
+        )
+        .fetch(&mut *self.txn)
+        .map_err(|err| err.into_database("reading Synapse refresh tokens"))
+    }
 }
 
 #[cfg(test)]
@@ -361,7 +429,10 @@ mod test {
     use sqlx::{migrate::Migrator, PgPool};
 
     use crate::{
-        synapse_reader::{SynapseExternalId, SynapseThreepid, SynapseUser},
+        synapse_reader::{
+            SynapseAccessToken, SynapseExternalId, SynapseRefreshToken, SynapseThreepid,
+            SynapseUser,
+        },
         SynapseReader,
     };
 
@@ -415,4 +486,92 @@ mod test {
 
         assert_debug_snapshot!(external_ids);
     }
+
+    #[sqlx::test(migrator = "MIGRATOR", fixtures("user_alice", "access_token_alice"))]
+    async fn test_read_access_token(pool: PgPool) {
+        let mut conn = pool.acquire().await.expect("failed to get connection");
+        let mut reader = SynapseReader::new(&mut conn, false)
+            .await
+            .expect("failed to make SynapseReader");
+
+        let access_tokens: BTreeSet<SynapseAccessToken> = reader
+            .read_access_tokens()
+            .try_collect()
+            .await
+            .expect("failed to read Synapse access tokens");
+
+        assert_debug_snapshot!(access_tokens);
+    }
+
+    /// Tests that puppetting access tokens are ignored.
+    #[sqlx::test(
+        migrator = "MIGRATOR",
+        fixtures("user_alice", "access_token_alice_with_puppet")
+    )]
+    async fn test_read_access_token_puppet(pool: PgPool) {
+        let mut conn = pool.acquire().await.expect("failed to get connection");
+        let mut reader = SynapseReader::new(&mut conn, false)
+            .await
+            .expect("failed to make SynapseReader");
+
+        let access_tokens: BTreeSet<SynapseAccessToken> = reader
+            .read_access_tokens()
+            .try_collect()
+            .await
+            .expect("failed to read Synapse access tokens");
+
+        assert!(access_tokens.is_empty());
+    }
+
+    #[sqlx::test(
+        migrator = "MIGRATOR",
+        fixtures("user_alice", "access_token_alice_with_refresh_token")
+    )]
+    async fn test_read_access_and_refresh_tokens(pool: PgPool) {
+        let mut conn = pool.acquire().await.expect("failed to get connection");
+        let mut reader = SynapseReader::new(&mut conn, false)
+            .await
+            .expect("failed to make SynapseReader");
+
+        let access_tokens: BTreeSet<SynapseAccessToken> = reader
+            .read_access_tokens()
+            .try_collect()
+            .await
+            .expect("failed to read Synapse access tokens");
+
+        let refresh_tokens: BTreeSet<SynapseRefreshToken> = reader
+            .read_refresh_tokens()
+            .try_collect()
+            .await
+            .expect("failed to read Synapse refresh tokens");
+
+        assert_debug_snapshot!(access_tokens);
+        assert_debug_snapshot!(refresh_tokens);
+    }
+
+    #[sqlx::test(
+        migrator = "MIGRATOR",
+        fixtures("user_alice", "access_token_alice_with_unused_refresh_token")
+    )]
+    async fn test_read_access_and_unused_refresh_tokens(pool: PgPool) {
+        let mut conn = pool.acquire().await.expect("failed to get connection");
+        let mut reader = SynapseReader::new(&mut conn, false)
+            .await
+            .expect("failed to make SynapseReader");
+
+        let access_tokens: BTreeSet<SynapseAccessToken> = reader
+            .read_access_tokens()
+            .try_collect()
+            .await
+            .expect("failed to read Synapse access tokens");
+
+        let refresh_tokens: BTreeSet<SynapseRefreshToken> = reader
+            .read_refresh_tokens()
+            .try_collect()
+            .await
+            .expect("failed to read Synapse refresh tokens");
+
+        assert_debug_snapshot!(access_tokens);
+        assert_debug_snapshot!(refresh_tokens);
+    }
 }

crates/syn2mas/src/synapse_reader/snapshots/syn2mas__synapse_reader__test__read_access_and_refresh_tokens-2.snap

@@ -0,0 +1,14 @@
+---
+source: crates/syn2mas/src/synapse_reader/mod.rs
+expression: refresh_tokens
+---
+{
+    SynapseRefreshToken {
+        id: 8,
+        user_id: FullUserId(
+            "@alice:example.com",
+        ),
+        device_id: "ADEVICE",
+        token: "syr_cccccccccccc_cccc",
+    },
+}

crates/syn2mas/src/synapse_reader/snapshots/syn2mas__synapse_reader__test__read_access_and_refresh_tokens.snap

@@ -0,0 +1,20 @@
+---
+source: crates/syn2mas/src/synapse_reader/mod.rs
+expression: access_tokens
+---
+{
+    SynapseAccessToken {
+        user_id: FullUserId(
+            "@alice:example.com",
+        ),
+        device_id: Some(
+            "ADEVICE",
+        ),
+        token: "syt_AAAAAAAAAAAAAA_AAAA",
+        valid_until_ms: None,
+        last_validated: None,
+        refresh_token_id: Some(
+            8,
+        ),
+    },
+}

crates/syn2mas/src/synapse_reader/snapshots/syn2mas__synapse_reader__test__read_access_and_unused_refresh_tokens-2.snap

@@ -0,0 +1,22 @@
+---
+source: crates/syn2mas/src/synapse_reader/mod.rs
+expression: refresh_tokens
+---
+{
+    SynapseRefreshToken {
+        id: 7,
+        user_id: FullUserId(
+            "@alice:example.com",
+        ),
+        device_id: "ADEVICE",
+        token: "syr_bbbbbbbbbbbbb_bbbb",
+    },
+    SynapseRefreshToken {
+        id: 8,
+        user_id: FullUserId(
+            "@alice:example.com",
+        ),
+        device_id: "ADEVICE",
+        token: "syr_cccccccccccc_cccc",
+    },
+}