Implement login_hint as per MSC4198

crates/data-model/Cargo.toml

@@ -22,6 +22,7 @@ rand.workspace = true
 rand_chacha = "0.3.1"
 regex = "1.11.1"
 woothee = "0.13.0"
+ruma-common = "0.13.0"
 
 mas-iana.workspace = true
 mas-jose.workspace = true

crates/data-model/src/lib.rs

@@ -9,7 +9,7 @@
 use thiserror::Error;
 
 pub(crate) mod compat;
-pub(crate) mod oauth2;
+pub mod oauth2;
 mod site_config;
 pub(crate) mod tokens;
 pub(crate) mod upstream_oauth2;

crates/data-model/src/oauth2/authorization_grant.rs

@@ -17,6 +17,7 @@ use rand::{
     distributions::{Alphanumeric, DistString},
     RngCore,
 };
+use ruma_common::{OwnedUserId, UserId};
 use serde::Serialize;
 use ulid::Ulid;
 use url::Url;
@@ -141,6 +142,11 @@ impl AuthorizationGrantStage {
     }
 }
 
+pub enum LoginHint {
+    MXID(OwnedUserId),
+    None,
+}
+
 #[derive(Debug, Clone, PartialEq, Eq, Serialize)]
 pub struct AuthorizationGrant {
     pub id: Ulid,
@@ -157,6 +163,7 @@ pub struct AuthorizationGrant {
     pub response_type_id_token: bool,
     pub created_at: DateTime<Utc>,
     pub requires_consent: bool,
+    pub login_hint: Option<String>,
 }
 
 impl std::ops::Deref for AuthorizationGrant {
@@ -179,6 +186,36 @@ impl AuthorizationGrant {
         self.created_at - max_age
     }
 
+    #[must_use]
+    pub fn parse_login_hint(&self, homeserver: &str) -> LoginHint {
+        let Some(login_hint) = &self.login_hint else {
+            return LoginHint::None;
+        };
+
+        // Return none if the format is incorrect
+        let Some((prefix, value)) = login_hint.split_once(':') else {
+            return LoginHint::None;
+        };
+
+        match prefix {
+            "mxid" => {
+                // Instead of erroring just return none
+                let Ok(mxid) = UserId::parse(value) else {
+                    return LoginHint::None;
+                };
+
+                // Only handle MXIDs for current homeserver
+                if mxid.server_name() != homeserver {
+                    return LoginHint::None;
+                }
+
+                LoginHint::MXID(mxid)
+            }
+            // Unknown hint type, treat as none
+            _ => LoginHint::None,
+        }
+    }
+
     /// Mark the authorization grant as exchanged.
     ///
     /// # Errors
@@ -242,6 +279,104 @@ impl AuthorizationGrant {
             response_type_id_token: false,
             created_at: now,
             requires_consent: false,
+            login_hint: Some(String::from("mxid:@example-user:example.com")),
         }
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use rand::thread_rng;
+
+    use super::*;
+
+    #[test]
+    fn no_login_hint() {
+        #[allow(clippy::disallowed_methods)]
+        let mut rng = thread_rng();
+
+        #[allow(clippy::disallowed_methods)]
+        let now = Utc::now();
+
+        let grant = AuthorizationGrant {
+            login_hint: None,
+            ..AuthorizationGrant::sample(now, &mut rng)
+        };
+
+        let hint = grant.parse_login_hint("example.com");
+
+        assert!(matches!(hint, LoginHint::None));
+    }
+
+    #[test]
+    fn valid_login_hint() {
+        #[allow(clippy::disallowed_methods)]
+        let mut rng = thread_rng();
+
+        #[allow(clippy::disallowed_methods)]
+        let now = Utc::now();
+
+        let grant = AuthorizationGrant {
+            login_hint: Some(String::from("mxid:@example-user:example.com")),
+            ..AuthorizationGrant::sample(now, &mut rng)
+        };
+
+        let hint = grant.parse_login_hint("example.com");
+
+        assert!(matches!(hint, LoginHint::MXID(mxid) if mxid.localpart() == "example-user"));
+    }
+
+    #[test]
+    fn invalid_login_hint() {
+        #[allow(clippy::disallowed_methods)]
+        let mut rng = thread_rng();
+
+        #[allow(clippy::disallowed_methods)]
+        let now = Utc::now();
+
+        let grant = AuthorizationGrant {
+            login_hint: Some(String::from("example-user")),
+            ..AuthorizationGrant::sample(now, &mut rng)
+        };
+
+        let hint = grant.parse_login_hint("example.com");
+
+        assert!(matches!(hint, LoginHint::None));
+    }
+
+    #[test]
+    fn valid_login_hint_for_wrong_homeserver() {
+        #[allow(clippy::disallowed_methods)]
+        let mut rng = thread_rng();
+
+        #[allow(clippy::disallowed_methods)]
+        let now = Utc::now();
+
+        let grant = AuthorizationGrant {
+            login_hint: Some(String::from("mxid:@example-user:matrix.org")),
+            ..AuthorizationGrant::sample(now, &mut rng)
+        };
+
+        let hint = grant.parse_login_hint("example.com");
+
+        assert!(matches!(hint, LoginHint::None));
+    }
+
+    #[test]
+    fn unknown_login_hint_type() {
+        #[allow(clippy::disallowed_methods)]
+        let mut rng = thread_rng();
+
+        #[allow(clippy::disallowed_methods)]
+        let now = Utc::now();
+
+        let grant = AuthorizationGrant {
+            login_hint: Some(String::from("something:anything")),
+            ..AuthorizationGrant::sample(now, &mut rng)
+        };
+
+        let hint = grant.parse_login_hint("example.com");
+
+        assert!(matches!(hint, LoginHint::None));
+    }
+}

crates/data-model/src/oauth2/mod.rs

@@ -10,7 +10,9 @@ mod device_code_grant;
 mod session;
 
 pub use self::{
-    authorization_grant::{AuthorizationCode, AuthorizationGrant, AuthorizationGrantStage, Pkce},
+    authorization_grant::{
+        AuthorizationCode, AuthorizationGrant, AuthorizationGrantStage, LoginHint, Pkce,
+    },
     client::{Client, InvalidRedirectUriError, JwksOrJwksUri},
     device_code_grant::{DeviceCodeGrant, DeviceCodeGrantState},
     session::{Session, SessionState},

crates/handlers/src/oauth2/authorization/mod.rs

@@ -291,6 +291,7 @@ pub(crate) async fn get(
                     response_mode,
                     response_type.has_id_token(),
                     requires_consent,
+                    params.auth.login_hint,
                 )
                 .await?;
             let continue_grant = PostAuthAction::continue_grant(grant.id);