storage: include PATs alongside personal sessions

Author: reivilibre

crates/storage-pg/src/iden.rs

@@ -125,6 +125,18 @@ pub enum PersonalSessions {
     LastActiveIp,
 }
 
+#[derive(sea_query::Iden)]
+#[iden = "personal_access_tokens"]
+pub enum PersonalAccessTokens {
+    Table,
+    PersonalAccessTokenId,
+    PersonalSessionId,
+    // AccessTokenSha256,
+    CreatedAt,
+    ExpiresAt,
+    RevokedAt,
+}
+
 #[derive(sea_query::Iden)]
 #[iden = "upstream_oauth_providers"]
 pub enum UpstreamOAuthProviders {

crates/storage-pg/src/personal/mod.rs

@@ -105,16 +105,16 @@ mod tests {
 
         let full_list = repo.personal_session().list(all, pagination).await.unwrap();
         assert_eq!(full_list.edges.len(), 1);
-        assert_eq!(full_list.edges[0].node.id, session.id);
-        assert!(full_list.edges[0].node.is_valid());
+        assert_eq!(full_list.edges[0].node.0.id, session.id);
+        assert!(full_list.edges[0].node.0.is_valid());
         let active_list = repo
             .personal_session()
             .list(active, pagination)
             .await
             .unwrap();
         assert_eq!(active_list.edges.len(), 1);
-        assert_eq!(active_list.edges[0].node.id, session.id);
-        assert!(active_list.edges[0].node.is_valid());
+        assert_eq!(active_list.edges[0].node.0.id, session.id);
+        assert!(active_list.edges[0].node.0.is_valid());
         let finished_list = repo
             .personal_session()
             .list(finished, pagination)
@@ -154,7 +154,7 @@ mod tests {
 
         let full_list = repo.personal_session().list(all, pagination).await.unwrap();
         assert_eq!(full_list.edges.len(), 1);
-        assert_eq!(full_list.edges[0].node.id, session.id);
+        assert_eq!(full_list.edges[0].node.0.id, session.id);
         let active_list = repo
             .personal_session()
             .list(active, pagination)
@@ -167,8 +167,8 @@ mod tests {
             .await
             .unwrap();
         assert_eq!(finished_list.edges.len(), 1);
-        assert_eq!(finished_list.edges[0].node.id, session.id);
-        assert!(finished_list.edges[0].node.is_revoked());
+        assert_eq!(finished_list.edges[0].node.0.id, session.id);
+        assert!(finished_list.edges[0].node.0.is_revoked());
 
         // Reload the session and check again
         let session_lookup = repo

crates/storage-pg/src/personal/session.rs

@@ -9,7 +9,10 @@ use async_trait::async_trait;
 use chrono::{DateTime, Utc};
 use mas_data_model::{
     Clock, User,
-    personal::session::{PersonalSession, PersonalSessionOwner, SessionState},
+    personal::{
+        PersonalAccessToken,
+        session::{PersonalSession, PersonalSessionOwner, SessionState},
+    },
 };
 use mas_storage::{
     Page, Pagination,
@@ -19,7 +22,7 @@ use mas_storage::{
 use oauth2_types::scope::Scope;
 use rand::RngCore;
 use sea_query::{
-    Condition, Expr, PgFunc, PostgresQueryBuilder, Query, SimpleExpr, enum_def,
+    Cond, Condition, Expr, PgFunc, PostgresQueryBuilder, Query, SimpleExpr, enum_def,
     extension::postgres::PgExpr as _,
 };
 use sea_query_binder::SqlxBinder as _;
@@ -31,7 +34,7 @@ use crate::{
     DatabaseError,
     errors::DatabaseInconsistencyError,
     filter::{Filter, StatementExt as _},
-    iden::PersonalSessions,
+    iden::{PersonalAccessTokens, PersonalSessions},
     pagination::QueryBuilderExt as _,
     tracing::ExecuteExt as _,
 };
@@ -116,6 +119,73 @@ impl TryFrom<PersonalSessionLookup> for PersonalSession {
     }
 }
 
+#[derive(sqlx::FromRow)]
+#[enum_def]
+struct PersonalSessionAndAccessTokenLookup {
+    personal_session_id: Uuid,
+    owner_user_id: Option<Uuid>,
+    owner_oauth2_client_id: Option<Uuid>,
+    actor_user_id: Uuid,
+    human_name: String,
+    scope_list: Vec<String>,
+    created_at: DateTime<Utc>,
+    revoked_at: Option<DateTime<Utc>>,
+    last_active_at: Option<DateTime<Utc>>,
+    last_active_ip: Option<IpAddr>,
+
+    // tokens
+    personal_access_token_id: Option<Uuid>,
+    token_created_at: Option<DateTime<Utc>>,
+    token_expires_at: Option<DateTime<Utc>>,
+}
+
+impl Node<Ulid> for PersonalSessionAndAccessTokenLookup {
+    fn cursor(&self) -> Ulid {
+        self.personal_session_id.into()
+    }
+}
+
+impl TryFrom<PersonalSessionAndAccessTokenLookup>
+    for (PersonalSession, Option<PersonalAccessToken>)
+{
+    type Error = DatabaseInconsistencyError;
+
+    fn try_from(value: PersonalSessionAndAccessTokenLookup) -> Result<Self, Self::Error> {
+        let session = PersonalSession::try_from(PersonalSessionLookup {
+            personal_session_id: value.personal_session_id,
+            owner_user_id: value.owner_user_id,
+            owner_oauth2_client_id: value.owner_oauth2_client_id,
+            actor_user_id: value.actor_user_id,
+            human_name: value.human_name,
+            scope_list: value.scope_list,
+            created_at: value.created_at,
+            revoked_at: value.revoked_at,
+            last_active_at: value.last_active_at,
+            last_active_ip: value.last_active_ip,
+        })?;
+
+        let token_opt = if let Some(id) = value.personal_access_token_id {
+            let id = Ulid::from(id);
+            Some(PersonalAccessToken {
+                id,
+                session_id: session.id,
+                // should not be possible
+                created_at: value.token_created_at.ok_or(
+                    DatabaseInconsistencyError::on("personal_sessions")
+                        .column("created_at")
+                        .row(id),
+                )?,
+                expires_at: value.token_expires_at,
+                revoked_at: None,
+            })
+        } else {
+            None
+        };
+
+        Ok((session, token_opt))
+    }
+}
+
 #[async_trait]
 impl PersonalSessionRepository for PgPersonalSessionRepository<'_> {
     type Error = DatabaseError;
@@ -274,60 +344,90 @@ impl PersonalSessionRepository for PgPersonalSessionRepository<'_> {
         &mut self,
         filter: PersonalSessionFilter<'_>,
         pagination: Pagination,
-    ) -> Result<Page<PersonalSession>, Self::Error> {
+    ) -> Result<Page<(PersonalSession, Option<PersonalAccessToken>)>, Self::Error> {
         let (sql, arguments) = Query::select()
             .expr_as(
                 Expr::col((PersonalSessions::Table, PersonalSessions::PersonalSessionId)),
-                PersonalSessionLookupIden::PersonalSessionId,
+                PersonalSessionAndAccessTokenLookupIden::PersonalSessionId,
             )
             .expr_as(
                 Expr::col((PersonalSessions::Table, PersonalSessions::OwnerUserId)),
-                PersonalSessionLookupIden::OwnerUserId,
+                PersonalSessionAndAccessTokenLookupIden::OwnerUserId,
             )
             .expr_as(
                 Expr::col((
                     PersonalSessions::Table,
                     PersonalSessions::OwnerOAuth2ClientId,
                 )),
-                PersonalSessionLookupIden::OwnerOauth2ClientId,
+                PersonalSessionAndAccessTokenLookupIden::OwnerOauth2ClientId,
             )
             .expr_as(
                 Expr::col((PersonalSessions::Table, PersonalSessions::ActorUserId)),
-                PersonalSessionLookupIden::ActorUserId,
+                PersonalSessionAndAccessTokenLookupIden::ActorUserId,
             )
             .expr_as(
                 Expr::col((PersonalSessions::Table, PersonalSessions::HumanName)),
-                PersonalSessionLookupIden::HumanName,
+                PersonalSessionAndAccessTokenLookupIden::HumanName,
             )
             .expr_as(
                 Expr::col((PersonalSessions::Table, PersonalSessions::ScopeList)),
-                PersonalSessionLookupIden::ScopeList,
+                PersonalSessionAndAccessTokenLookupIden::ScopeList,
             )
             .expr_as(
                 Expr::col((PersonalSessions::Table, PersonalSessions::CreatedAt)),
-                PersonalSessionLookupIden::CreatedAt,
+                PersonalSessionAndAccessTokenLookupIden::CreatedAt,
             )
             .expr_as(
                 Expr::col((PersonalSessions::Table, PersonalSessions::RevokedAt)),
-                PersonalSessionLookupIden::RevokedAt,
+                PersonalSessionAndAccessTokenLookupIden::RevokedAt,
             )
             .expr_as(
                 Expr::col((PersonalSessions::Table, PersonalSessions::LastActiveAt)),
-                PersonalSessionLookupIden::LastActiveAt,
+                PersonalSessionAndAccessTokenLookupIden::LastActiveAt,
             )
             .expr_as(
                 Expr::col((PersonalSessions::Table, PersonalSessions::LastActiveIp)),
-                PersonalSessionLookupIden::LastActiveIp,
+                PersonalSessionAndAccessTokenLookupIden::LastActiveIp,
+            )
+            .expr_as(
+                Expr::col((
+                    PersonalAccessTokens::Table,
+                    PersonalAccessTokens::PersonalAccessTokenId,
+                )),
+                PersonalSessionAndAccessTokenLookupIden::PersonalAccessTokenId,
+            )
+            .expr_as(
+                Expr::col((PersonalAccessTokens::Table, PersonalAccessTokens::CreatedAt)),
+                PersonalSessionAndAccessTokenLookupIden::TokenCreatedAt,
+            )
+            .expr_as(
+                Expr::col((PersonalAccessTokens::Table, PersonalAccessTokens::ExpiresAt)),
+                PersonalSessionAndAccessTokenLookupIden::TokenExpiresAt,
             )
             .from(PersonalSessions::Table)
+            .left_join(
+                PersonalAccessTokens::Table,
+                Cond::all()
+                    .add(
+                        Expr::col((PersonalSessions::Table, PersonalSessions::PersonalSessionId))
+                            .eq(Expr::col((
+                                PersonalAccessTokens::Table,
+                                PersonalAccessTokens::PersonalSessionId,
+                            ))),
+                    )
+                    .add(
+                        Expr::col((PersonalAccessTokens::Table, PersonalAccessTokens::RevokedAt))
+                            .is_null(),
+                    ),
+            )
             .apply_filter(filter)
             .generate_pagination(
                 (PersonalSessions::Table, PersonalSessions::PersonalSessionId),
                 pagination,
             )
             .build_sqlx(PostgresQueryBuilder);
 
-        let edges: Vec<PersonalSessionLookup> = sqlx::query_as_with(&sql, arguments)
+        let edges: Vec<PersonalSessionAndAccessTokenLookup> = sqlx::query_as_with(&sql, arguments)
             .traced()
             .fetch_all(&mut *self.conn)
             .await?;
@@ -349,6 +449,21 @@ impl PersonalSessionRepository for PgPersonalSessionRepository<'_> {
         let (sql, arguments) = Query::select()
             .expr(Expr::col((PersonalSessions::Table, PersonalSessions::PersonalSessionId)).count())
             .from(PersonalSessions::Table)
+            .left_join(
+                PersonalAccessTokens::Table,
+                Cond::all()
+                    .add(
+                        Expr::col((PersonalSessions::Table, PersonalSessions::PersonalSessionId))
+                            .eq(Expr::col((
+                                PersonalAccessTokens::Table,
+                                PersonalAccessTokens::PersonalSessionId,
+                            ))),
+                    )
+                    .add(
+                        Expr::col((PersonalAccessTokens::Table, PersonalAccessTokens::RevokedAt))
+                            .is_null(),
+                    ),
+            )
             .apply_filter(filter)
             .build_sqlx(PostgresQueryBuilder);
 
@@ -419,5 +534,13 @@ impl Filter for PersonalSessionFilter<'_> {
                 Expr::col((PersonalSessions::Table, PersonalSessions::LastActiveAt))
                     .gt(last_active_after)
             }))
+            .add_option(self.expires_before().map(|expires_before| {
+                Expr::col((PersonalAccessTokens::Table, PersonalAccessTokens::ExpiresAt))
+                    .lt(expires_before)
+            }))
+            .add_option(self.expires_after().map(|expires_after| {
+                Expr::col((PersonalAccessTokens::Table, PersonalAccessTokens::ExpiresAt))
+                    .gt(expires_after)
+            }))
     }
 }

crates/storage/src/personal/session.rs

@@ -7,7 +7,10 @@ use async_trait::async_trait;
 use chrono::{DateTime, Utc};
 use mas_data_model::{
     Client, Clock, Device, User,
-    personal::session::{PersonalSession, PersonalSessionOwner},
+    personal::{
+        PersonalAccessToken,
+        session::{PersonalSession, PersonalSessionOwner},
+    },
 };
 use oauth2_types::scope::Scope;
 use rand_core::RngCore;
@@ -97,7 +100,7 @@ pub trait PersonalSessionRepository: Send + Sync {
         &mut self,
         filter: PersonalSessionFilter<'_>,
         pagination: Pagination,
-    ) -> Result<Page<PersonalSession>, Self::Error>;
+    ) -> Result<Page<(PersonalSession, Option<PersonalAccessToken>)>, Self::Error>;
 
     /// Count [`PersonalSession`]s matching the given filter
     ///
@@ -134,12 +137,13 @@ repository_impl!(PersonalSessionRepository:
         &mut self,
         filter: PersonalSessionFilter<'_>,
         pagination: Pagination,
-    ) -> Result<Page<PersonalSession>, Self::Error>;
+    ) -> Result<Page<(PersonalSession, Option<PersonalAccessToken>)>, Self::Error>;
 
     async fn count(&mut self, filter: PersonalSessionFilter<'_>) -> Result<usize, Self::Error>;
 );
 
-/// Filter parameters for listing personal sessions
+/// Filter parameters for listing personal sessions alongside personal access
+/// tokens
 #[derive(Clone, Copy, Debug, PartialEq, Eq, Default)]
 pub struct PersonalSessionFilter<'a> {
     owner_user: Option<&'a User>,
@@ -150,6 +154,8 @@ pub struct PersonalSessionFilter<'a> {
     scope: Option<&'a Scope>,
     last_active_before: Option<DateTime<Utc>>,
     last_active_after: Option<DateTime<Utc>>,
+    expires_before: Option<DateTime<Utc>>,
+    expires_after: Option<DateTime<Utc>>,
 }
 
 /// Filter for what state a personal session is in.
@@ -296,4 +302,34 @@ impl<'a> PersonalSessionFilter<'a> {
     pub fn device(&self) -> Option<&'a Device> {
         self.device
     }
+
+    /// Only return sessions whose access tokens expire before the given time
+    #[must_use]
+    pub fn with_expires_before(mut self, expires_before: DateTime<Utc>) -> Self {
+        self.expires_before = Some(expires_before);
+        self
+    }
+
+    /// Get the expires before filter
+    ///
+    /// Returns [`None`] if no expires before filter was set
+    #[must_use]
+    pub fn expires_before(&self) -> Option<DateTime<Utc>> {
+        self.expires_before
+    }
+
+    /// Only return sessions whose access tokens expire after the given time
+    #[must_use]
+    pub fn with_expires_after(mut self, expires_after: DateTime<Utc>) -> Self {
+        self.expires_after = Some(expires_after);
+        self
+    }
+
+    /// Get the expires after filter
+    ///
+    /// Returns [`None`] if no expires after filter was set
+    #[must_use]
+    pub fn expires_after(&self) -> Option<DateTime<Utc>> {
+        self.expires_after
+    }
 }

crates/tasks/src/matrix.rs

@@ -259,7 +259,8 @@ impl RunnableJob for SyncDevicesJob {
                 .map_err(JobError::retry)?;
 
             for edge in page.edges {
-                for scope in &*edge.node.scope {
+                let (session, _) = &edge.node;
+                for scope in &*session.scope {
                     if let Some(device) = Device::from_scope_token(scope) {
                         devices.insert(device.as_str().to_owned());
                     }