Add auth req store

Author: thiva-k

backend/dbscripts/runtimedb/postgres.sql

@@ -10,6 +10,18 @@ CREATE TABLE AUTHORIZATION_CODE (
     EXPIRY_TIME TIMESTAMP NOT NULL
 );
 
+-- Table to store OAuth2 authorization request context
+CREATE TABLE AUTHORIZATION_REQUEST (
+    AUTH_REQUEST_ID VARCHAR(36) PRIMARY KEY,
+    REQUEST_DATA JSONB NOT NULL,
+    AUTH_TIME TIMESTAMP NOT NULL,
+    EXPIRY_TIME TIMESTAMP NOT NULL,
+    CREATED_AT TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+
+-- Index for efficient expiry cleanup
+CREATE INDEX IDX_AUTHORIZATION_REQUEST_EXPIRY ON AUTHORIZATION_REQUEST(EXPIRY_TIME);
+
 -- Table to store flow context metadata and state
 CREATE TABLE FLOW_CONTEXT (
     FLOW_ID VARCHAR(36) PRIMARY KEY,

backend/dbscripts/runtimedb/sqlite.sql

@@ -10,6 +10,18 @@ CREATE TABLE AUTHORIZATION_CODE (
     EXPIRY_TIME DATETIME NOT NULL
 );
 
+-- Table to store OAuth2 authorization request context
+CREATE TABLE AUTHORIZATION_REQUEST (
+    AUTH_REQUEST_ID VARCHAR(36) PRIMARY KEY,
+    REQUEST_DATA TEXT NOT NULL,
+    AUTH_TIME DATETIME NOT NULL,
+    EXPIRY_TIME DATETIME NOT NULL,
+    CREATED_AT TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+
+-- Index for efficient expiry cleanup
+CREATE INDEX IDX_AUTHORIZATION_REQUEST_EXPIRY ON AUTHORIZATION_REQUEST(EXPIRY_TIME);
+
 -- Table to store flow context metadata and state
 CREATE TABLE FLOW_CONTEXT (
     FLOW_ID VARCHAR(36) PRIMARY KEY,

backend/internal/oauth/oauth2/authz/store.go renamed to backend/internal/oauth/oauth2/authz/auth_code_store.go

@@ -22,8 +22,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"strings"
-	"time"
 
 	"github.com/asgardeo/thunder/internal/system/database/provider"
 )
@@ -266,32 +264,3 @@ func appendAuthzDataJSON(row map[string]interface{}, authzCode *AuthorizationCod
 
 	return authzCode, nil
 }
-
-// parseTimeField parses a time field from the database result.
-func parseTimeField(field interface{}, fieldName string) (time.Time, error) {
-	const customTimeFormat = "2006-01-02 15:04:05.999999999"
-
-	switch v := field.(type) {
-	case string:
-		trimmedTime := trimTimeString(v)
-		parsedTime, err := time.Parse(customTimeFormat, trimmedTime)
-		if err != nil {
-			return time.Time{}, fmt.Errorf("error parsing %s: %w", fieldName, err)
-		}
-		return parsedTime, nil
-	case time.Time:
-		return v, nil
-	default:
-		return time.Time{}, fmt.Errorf("unexpected type for %s", fieldName)
-	}
-}
-
-// trimTimeString trims extra information from a time string to match the expected format.
-func trimTimeString(timeStr string) string {
-	// Split the string into parts by spaces and retain only the first two parts.
-	parts := strings.SplitN(timeStr, " ", 3)
-	if len(parts) >= 2 {
-		return parts[0] + " " + parts[1]
-	}
-	return timeStr
-}

backend/internal/oauth/oauth2/authz/store_test.go renamed to backend/internal/oauth/oauth2/authz/auth_code_store_test.go

@@ -287,9 +287,11 @@ func (suite *AuthorizationCodeStoreTestSuite) TestUpdateAuthorizationCodeState_E
 	suite.mockdbProvider.AssertExpectations(suite.T())
 }
 
+const testTimeString = "2023-12-01 10:30:45.123456789"
+
 func (suite *AuthorizationCodeStoreTestSuite) TestParseTimeField_StringInput() {
-	testTime := "2023-12-01 10:30:45.123456789 extra content"
-	expectedTime, _ := time.Parse("2006-01-02 15:04:05.999999999", "2023-12-01 10:30:45.123456789")
+	testTime := testTimeString + " extra content"
+	expectedTime, _ := time.Parse("2006-01-02 15:04:05.999999999", testTimeString)
 
 	result, err := parseTimeField(testTime, "test_field")
 	assert.NoError(suite.T(), err)
@@ -305,8 +307,8 @@ func (suite *AuthorizationCodeStoreTestSuite) TestParseTimeField_TimeInput() {
 }
 
 func (suite *AuthorizationCodeStoreTestSuite) TestTrimTimeString() {
-	input := "2023-12-01 10:30:45.123456789 extra content here"
-	expected := "2023-12-01 10:30:45.123456789"
+	input := testTimeString + " extra content here"
+	expected := testTimeString
 
 	result := trimTimeString(input)
 	assert.Equal(suite.T(), expected, result)

backend/internal/oauth/oauth2/authz/auth_req_store.go

@@ -0,0 +1,250 @@
+/*
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package authz
+
+import (
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/asgardeo/thunder/internal/oauth/oauth2/model"
+	"github.com/asgardeo/thunder/internal/system/database/provider"
+	"github.com/asgardeo/thunder/internal/system/log"
+	"github.com/asgardeo/thunder/internal/system/utils"
+)
+
+// AuthRequestContext holds OAuth authorization request information including parameters and authentication time.
+type AuthRequestContext struct {
+	OAuthParameters model.OAuthParameters
+	AuthTime        time.Time
+}
+
+// authorizationRequestStoreInterface defines the interface for authorization request storage.
+type authorizationRequestStoreInterface interface {
+	AddRequest(value AuthRequestContext) string
+	GetRequest(key string) (bool, AuthRequestContext)
+	ClearRequest(key string)
+}
+
+// authorizationRequestStore provides the authorization request store functionality using database.
+type authorizationRequestStore struct {
+	dbProvider     provider.DBProviderInterface
+	validityPeriod time.Duration
+}
+
+// newAuthorizationRequestStore creates a new instance of authorizationRequestStore with injected dependencies.
+func newAuthorizationRequestStore() authorizationRequestStoreInterface {
+	return &authorizationRequestStore{
+		dbProvider:     provider.GetDBProvider(),
+		validityPeriod: 10 * time.Minute, // Set a default validity period.
+	}
+}
+
+// AddRequest adds an authorization request context entry to the store.
+func (authzRS *authorizationRequestStore) AddRequest(value AuthRequestContext) string {
+	logger := log.GetLogger().With(log.String(log.LoggerKeyComponentName, "AuthorizationRequestStore"))
+
+	dbClient, err := authzRS.dbProvider.GetRuntimeDBClient()
+	if err != nil {
+		logger.Error("Failed to get database client", log.Error(err))
+		return ""
+	}
+
+	key := utils.GenerateUUID()
+	expiryTime := value.AuthTime.Add(authzRS.validityPeriod)
+
+	// Serialize AuthRequestContext to JSON
+	jsonDataBytes, err := authzRS.getJSONDataBytes(value)
+	if err != nil {
+		logger.Error("Failed to marshal request context to JSON", log.Error(err))
+		return ""
+	}
+
+	_, err = dbClient.Execute(queryInsertAuthRequest, key, jsonDataBytes, value.AuthTime, expiryTime)
+	if err != nil {
+		logger.Error("Failed to insert authorization request", log.Error(err))
+		return ""
+	}
+
+	return key
+}
+
+// GetRequest retrieves an authorization request context entry from the store.
+func (authzRS *authorizationRequestStore) GetRequest(key string) (bool, AuthRequestContext) {
+	logger := log.GetLogger().With(log.String(log.LoggerKeyComponentName, "AuthorizationRequestStore"))
+
+	if key == "" {
+		return false, AuthRequestContext{}
+	}
+
+	dbClient, err := authzRS.dbProvider.GetRuntimeDBClient()
+	if err != nil {
+		logger.Error("Failed to get database client", log.Error(err))
+		return false, AuthRequestContext{}
+	}
+
+	// Check expiry by comparing with current time
+	now := time.Now()
+	results, err := dbClient.Query(queryGetAuthRequest, key, now)
+	if err != nil {
+		logger.Error("Failed to query authorization request", log.Error(err))
+		return false, AuthRequestContext{}
+	}
+
+	if len(results) == 0 {
+		return false, AuthRequestContext{}
+	}
+
+	row := results[0]
+	authRequestContext, err := authzRS.buildAuthRequestContextFromResultRow(row)
+	if err != nil {
+		logger.Error("Failed to build authorization request context from result", log.Error(err))
+		return false, AuthRequestContext{}
+	}
+
+	return true, authRequestContext
+}
+
+// ClearRequest removes a specific authorization request context entry from the store.
+func (authzRS *authorizationRequestStore) ClearRequest(key string) {
+	if key == "" {
+		return
+	}
+
+	logger := log.GetLogger().With(log.String(log.LoggerKeyComponentName, "AuthorizationRequestStore"))
+	dbClient, err := authzRS.dbProvider.GetRuntimeDBClient()
+	if err != nil {
+		logger.Error("Failed to get database client", log.Error(err))
+		return
+	}
+
+	_, err = dbClient.Execute(queryDeleteAuthRequest, key)
+	if err != nil {
+		logger.Error("Failed to delete authorization request", log.Error(err))
+	}
+}
+
+// getJSONDataBytes prepares the JSON data bytes for the authorization request context.
+func (authzRS *authorizationRequestStore) getJSONDataBytes(authRequestContext AuthRequestContext) ([]byte, error) {
+	jsonData := map[string]interface{}{
+		"state":                 authRequestContext.OAuthParameters.State,
+		"client_id":             authRequestContext.OAuthParameters.ClientID,
+		"redirect_uri":          authRequestContext.OAuthParameters.RedirectURI,
+		"response_type":         authRequestContext.OAuthParameters.ResponseType,
+		"standard_scopes":       authRequestContext.OAuthParameters.StandardScopes,
+		"permission_scopes":     authRequestContext.OAuthParameters.PermissionScopes,
+		"code_challenge":        authRequestContext.OAuthParameters.CodeChallenge,
+		"code_challenge_method": authRequestContext.OAuthParameters.CodeChallengeMethod,
+		"resource":              authRequestContext.OAuthParameters.Resource,
+	}
+
+	jsonDataBytes, err := json.Marshal(jsonData)
+	if err != nil {
+		return nil, fmt.Errorf("error marshaling request context to JSON: %w", err)
+	}
+	return jsonDataBytes, nil
+}
+
+// buildAuthRequestContextFromResultRow builds an AuthRequestContext from a database result row.
+func (authzRS *authorizationRequestStore) buildAuthRequestContextFromResultRow(
+	row map[string]interface{},
+) (AuthRequestContext, error) {
+	// Parse request_data JSON
+	var dataJSON string
+	if val, ok := row["request_data"].(string); ok && val != "" {
+		dataJSON = val
+	} else if val, ok := row["request_data"].([]byte); ok && len(val) > 0 {
+		dataJSON = string(val)
+	} else {
+		return AuthRequestContext{}, fmt.Errorf("request_data is missing or of unexpected type")
+	}
+
+	var requestDataMap map[string]interface{}
+	if err := json.Unmarshal([]byte(dataJSON), &requestDataMap); err != nil {
+		return AuthRequestContext{}, fmt.Errorf("failed to unmarshal request_data JSON: %w", err)
+	}
+
+	// Parse auth_time
+	authTime, err := parseTimeField(row["auth_time"], "auth_time")
+	if err != nil {
+		return AuthRequestContext{}, err
+	}
+
+	// Build OAuthParameters from JSON
+	oauthParams := model.OAuthParameters{}
+	// Initialize slices to empty (not nil) to match original behavior
+	oauthParams.StandardScopes = []string{}
+	oauthParams.PermissionScopes = []string{}
+
+	if state, ok := requestDataMap["state"].(string); ok {
+		oauthParams.State = state
+	}
+	if clientID, ok := requestDataMap["client_id"].(string); ok {
+		oauthParams.ClientID = clientID
+	}
+	if redirectURI, ok := requestDataMap["redirect_uri"].(string); ok {
+		oauthParams.RedirectURI = redirectURI
+	}
+	if responseType, ok := requestDataMap["response_type"].(string); ok {
+		oauthParams.ResponseType = responseType
+	}
+	// Handle standard_scopes - can be []interface{} or []string or nil
+	if standardScopes, ok := requestDataMap["standard_scopes"].([]interface{}); ok {
+		oauthParams.StandardScopes = convertToStringArray(standardScopes)
+	} else if standardScopes, ok := requestDataMap["standard_scopes"].([]string); ok {
+		oauthParams.StandardScopes = standardScopes
+	} else if requestDataMap["standard_scopes"] == nil {
+		// Handle nil case - set to empty slice
+		oauthParams.StandardScopes = []string{}
+	}
+	// Handle permission_scopes - can be []interface{} or []string or nil
+	if permissionScopes, ok := requestDataMap["permission_scopes"].([]interface{}); ok {
+		oauthParams.PermissionScopes = convertToStringArray(permissionScopes)
+	} else if permissionScopes, ok := requestDataMap["permission_scopes"].([]string); ok {
+		oauthParams.PermissionScopes = permissionScopes
+	} else if requestDataMap["permission_scopes"] == nil {
+		// Handle nil case - set to empty slice
+		oauthParams.PermissionScopes = []string{}
+	}
+	if codeChallenge, ok := requestDataMap["code_challenge"].(string); ok {
+		oauthParams.CodeChallenge = codeChallenge
+	}
+	if codeChallengeMethod, ok := requestDataMap["code_challenge_method"].(string); ok {
+		oauthParams.CodeChallengeMethod = codeChallengeMethod
+	}
+	if resource, ok := requestDataMap["resource"].(string); ok {
+		oauthParams.Resource = resource
+	}
+
+	return AuthRequestContext{
+		OAuthParameters: oauthParams,
+		AuthTime:        authTime,
+	}, nil
+}
+
+// convertToStringArray converts []interface{} to []string.
+func convertToStringArray(arr []interface{}) []string {
+	result := make([]string, 0, len(arr))
+	for _, v := range arr {
+		if str, ok := v.(string); ok {
+			result = append(result, str)
+		}
+	}
+	return result
+}