Allow filtering sessions by client kind (dynamic or static)

sandhose · sandhose · commit dab640aa5189 · 2025-02-12T17:31:21.000+01:00
diff --git a/crates/handlers/src/admin/v1/oauth2_sessions/list.rs b/crates/handlers/src/admin/v1/oauth2_sessions/list.rs
@@ -46,6 +46,22 @@ impl std::fmt::Display for OAuth2SessionStatus {
     }
 }
 
+#[derive(Deserialize, JsonSchema, Clone, Copy)]
+#[serde(rename_all = "snake_case")]
+enum OAuth2ClientKind {
+    Dynamic,
+    Static,
+}
+
+impl std::fmt::Display for OAuth2ClientKind {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            Self::Dynamic => write!(f, "dynamic"),
+            Self::Static => write!(f, "static"),
+        }
+    }
+}
+
 #[derive(FromRequestParts, Deserialize, JsonSchema, OperationIo)]
 #[serde(rename = "OAuth2SessionFilter")]
 #[aide(input_with = "Query<FilterParams>")]
@@ -61,6 +77,10 @@ pub struct FilterParams {
     #[schemars(with = "Option<crate::admin::schema::Ulid>")]
     client: Option<Ulid>,
 
+    /// Retrieve the items only for a specific client kind
+    #[serde(rename = "filter[client-kind]")]
+    client_kind: Option<OAuth2ClientKind>,
+
     /// Retrieve the items started from the given browser session
     #[serde(rename = "filter[user-session]")]
     #[schemars(with = "Option<crate::admin::schema::Ulid>")]
@@ -95,6 +115,11 @@ impl std::fmt::Display for FilterParams {
             sep = '&';
         }
 
+        if let Some(client_kind) = self.client_kind {
+            write!(f, "{sep}filter[client-kind]={client_kind}")?;
+            sep = '&';
+        }
+
         if let Some(user_session) = self.user_session {
             write!(f, "{sep}filter[user-session]={user_session}")?;
             sep = '&';
@@ -232,6 +257,12 @@ pub async fn handler(
         None => filter,
     };
 
+    let filter = match params.client_kind {
+        Some(OAuth2ClientKind::Dynamic) => filter.only_dynamic_clients(),
+        Some(OAuth2ClientKind::Static) => filter.only_static_clients(),
+        None => filter,
+    };
+
     let user_session = if let Some(user_session_id) = params.user_session {
         let user_session = repo
             .browser_session()
diff --git a/crates/storage-pg/src/iden.rs b/crates/storage-pg/src/iden.rs
@@ -83,6 +83,15 @@ pub enum OAuth2Sessions {
     LastActiveIp,
 }
 
+#[derive(sea_query::Iden)]
+#[iden = "oauth2_clients"]
+pub enum OAuth2Clients {
+    Table,
+    #[iden = "oauth2_client_id"]
+    OAuth2ClientId,
+    IsStatic,
+}
+
 #[derive(sea_query::Iden)]
 #[iden = "upstream_oauth_providers"]
 pub enum UpstreamOAuthProviders {
diff --git a/crates/storage-pg/src/oauth2/session.rs b/crates/storage-pg/src/oauth2/session.rs
@@ -23,7 +23,7 @@ use uuid::Uuid;
 
 use crate::{
     filter::{Filter, StatementExt},
-    iden::OAuth2Sessions,
+    iden::{OAuth2Clients, OAuth2Sessions},
     pagination::QueryBuilderExt,
     tracing::ExecuteExt,
     DatabaseError, DatabaseInconsistencyError,
@@ -104,6 +104,26 @@ impl Filter for OAuth2SessionFilter<'_> {
                 Expr::col((OAuth2Sessions::Table, OAuth2Sessions::OAuth2ClientId))
                     .eq(Uuid::from(client.id))
             }))
+            .add_option(self.client_kind().map(|client_kind| {
+                // This builds either a:
+                // `WHERE oauth2_client_id = ANY(...)`
+                // or a `WHERE oauth2_client_id <> ALL(...)`
+                let static_clients = Query::select()
+                    .expr(Expr::col((
+                        OAuth2Clients::Table,
+                        OAuth2Clients::OAuth2ClientId,
+                    )))
+                    .and_where(Expr::col((OAuth2Clients::Table, OAuth2Clients::IsStatic)).into())
+                    .from(OAuth2Clients::Table)
+                    .take();
+                if client_kind.is_static() {
+                    Expr::col((OAuth2Sessions::Table, OAuth2Sessions::OAuth2ClientId))
+                        .eq(Expr::any(static_clients))
+                } else {
+                    Expr::col((OAuth2Sessions::Table, OAuth2Sessions::OAuth2ClientId))
+                        .ne(Expr::all(static_clients))
+                }
+            }))
             .add_option(self.device().map(|device| {
                 Expr::val(device.to_scope_token().to_string()).eq(PgFunc::any(Expr::col((
                     OAuth2Sessions::Table,
diff --git a/crates/storage/src/oauth2/session.rs b/crates/storage/src/oauth2/session.rs
@@ -31,6 +31,18 @@ impl OAuth2SessionState {
     }
 }
 
+#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
+pub enum ClientKind {
+    Static,
+    Dynamic,
+}
+
+impl ClientKind {
+    pub fn is_static(self) -> bool {
+        matches!(self, Self::Static)
+    }
+}
+
 /// Filter parameters for listing OAuth 2.0 sessions
 #[derive(Clone, Copy, Debug, PartialEq, Eq, Default)]
 pub struct OAuth2SessionFilter<'a> {
@@ -39,6 +51,7 @@ pub struct OAuth2SessionFilter<'a> {
     browser_session: Option<&'a BrowserSession>,
     device: Option<&'a Device>,
     client: Option<&'a Client>,
+    client_kind: Option<ClientKind>,
     state: Option<OAuth2SessionState>,
     scope: Option<&'a Scope>,
     last_active_before: Option<DateTime<Utc>>,
@@ -119,6 +132,28 @@ impl<'a> OAuth2SessionFilter<'a> {
         self.client
     }
 
+    /// List only static clients
+    #[must_use]
+    pub fn only_static_clients(mut self) -> Self {
+        self.client_kind = Some(ClientKind::Static);
+        self
+    }
+
+    /// List only dynamic clients
+    #[must_use]
+    pub fn only_dynamic_clients(mut self) -> Self {
+        self.client_kind = Some(ClientKind::Dynamic);
+        self
+    }
+
+    /// Get the client kind filter
+    ///
+    /// Returns [`None`] if no client kind filter was set
+    #[must_use]
+    pub fn client_kind(&self) -> Option<ClientKind> {
+        self.client_kind
+    }
+
     /// Only return sessions with a last active time before the given time
     #[must_use]
     pub fn with_last_active_before(mut self, last_active_before: DateTime<Utc>) -> Self {
diff --git a/docs/api/spec.json b/docs/api/spec.json
@@ -357,6 +357,17 @@
             },
             "style": "form"
           },
+          {
+            "in": "query",
+            "name": "filter[client-kind]",
+            "description": "Retrieve the items only for a specific client kind",
+            "schema": {
+              "description": "Retrieve the items only for a specific client kind",
+              "$ref": "#/components/schemas/OAuth2ClientKind",
+              "nullable": true
+            },
+            "style": "form"
+          },
           {
             "in": "query",
             "name": "filter[user-session]",
@@ -2347,6 +2358,11 @@
             "$ref": "#/components/schemas/ULID",
             "nullable": true
           },
+          "filter[client-kind]": {
+            "description": "Retrieve the items only for a specific client kind",
+            "$ref": "#/components/schemas/OAuth2ClientKind",
+            "nullable": true
+          },
           "filter[user-session]": {
             "description": "Retrieve the items started from the given browser session",
             "$ref": "#/components/schemas/ULID",
@@ -2367,6 +2383,13 @@
           }
         }
       },
+      "OAuth2ClientKind": {
+        "type": "string",
+        "enum": [
+          "dynamic",
+          "static"
+        ]
+      },
       "OAuth2SessionStatus": {
         "type": "string",
         "enum": [
