Add auth req store

Author: thiva-k

backend/dbscripts/runtimedb/postgres.sql

@@ -15,6 +15,22 @@ CREATE TABLE AUTHORIZATION_CODE (
 -- Index for deployment isolation on AUTHORIZATION_CODE
 CREATE INDEX idx_authorization_code_deployment_id ON AUTHORIZATION_CODE (DEPLOYMENT_ID);
 
+-- Table to store OAuth2 authorization request context
+CREATE TABLE AUTHORIZATION_REQUEST (
+    AUTH_ID VARCHAR(36) NOT NULL,
+    DEPLOYMENT_ID VARCHAR(255) NOT NULL,
+    REQUEST_DATA JSONB NOT NULL,
+    EXPIRY_TIME TIMESTAMP NOT NULL,
+    CREATED_AT TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    PRIMARY KEY (AUTH_ID, DEPLOYMENT_ID)
+);
+
+-- Index for deployment isolation on AUTHORIZATION_REQUEST
+CREATE INDEX idx_authorization_request_deployment_id ON AUTHORIZATION_REQUEST (DEPLOYMENT_ID);
+
+-- Index for expiry time on AUTHORIZATION_REQUEST
+CREATE INDEX idx_authorization_request_expiry_time ON AUTHORIZATION_REQUEST (EXPIRY_TIME);
+
 -- Table to store flow context metadata and state
 CREATE TABLE FLOW_CONTEXT (
     FLOW_ID VARCHAR(36) NOT NULL,

backend/dbscripts/runtimedb/sqlite.sql

@@ -15,6 +15,22 @@ CREATE TABLE AUTHORIZATION_CODE (
 -- Index for deployment isolation on AUTHORIZATION_CODE
 CREATE INDEX idx_authorization_code_deployment_id ON AUTHORIZATION_CODE (DEPLOYMENT_ID);
 
+-- Table to store OAuth2 authorization request context
+CREATE TABLE AUTHORIZATION_REQUEST (
+    AUTH_ID VARCHAR(36) NOT NULL,
+    DEPLOYMENT_ID VARCHAR(255) NOT NULL,
+    REQUEST_DATA TEXT NOT NULL,
+    EXPIRY_TIME DATETIME NOT NULL,
+    CREATED_AT TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    PRIMARY KEY (AUTH_ID, DEPLOYMENT_ID)
+);
+
+-- Index for deployment isolation on AUTHORIZATION_REQUEST
+CREATE INDEX idx_authorization_request_deployment_id ON AUTHORIZATION_REQUEST (DEPLOYMENT_ID);
+
+-- Index for expiry time on AUTHORIZATION_REQUEST
+CREATE INDEX idx_authorization_request_expiry_time ON AUTHORIZATION_REQUEST (EXPIRY_TIME);
+
 -- Table to store flow context metadata and state
 CREATE TABLE FLOW_CONTEXT (
     FLOW_ID VARCHAR(36) NOT NULL,

backend/internal/oauth/oauth2/authz/store.go renamed to backend/internal/oauth/oauth2/authz/auth_code_store.go

@@ -22,8 +22,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"strings"
-	"time"
 
 	"github.com/asgardeo/thunder/internal/system/config"
 	"github.com/asgardeo/thunder/internal/system/database/provider"
@@ -269,32 +267,3 @@ func appendAuthzDataJSON(row map[string]interface{}, authzCode *AuthorizationCod
 
 	return authzCode, nil
 }
-
-// parseTimeField parses a time field from the database result.
-func parseTimeField(field interface{}, fieldName string) (time.Time, error) {
-	const customTimeFormat = "2006-01-02 15:04:05.999999999"
-
-	switch v := field.(type) {
-	case string:
-		trimmedTime := trimTimeString(v)
-		parsedTime, err := time.Parse(customTimeFormat, trimmedTime)
-		if err != nil {
-			return time.Time{}, fmt.Errorf("error parsing %s: %w", fieldName, err)
-		}
-		return parsedTime, nil
-	case time.Time:
-		return v, nil
-	default:
-		return time.Time{}, fmt.Errorf("unexpected type for %s", fieldName)
-	}
-}
-
-// trimTimeString trims extra information from a time string to match the expected format.
-func trimTimeString(timeStr string) string {
-	// Split the string into parts by spaces and retain only the first two parts.
-	parts := strings.SplitN(timeStr, " ", 3)
-	if len(parts) >= 2 {
-		return parts[0] + " " + parts[1]
-	}
-	return timeStr
-}

backend/internal/oauth/oauth2/authz/store_test.go renamed to backend/internal/oauth/oauth2/authz/auth_code_store_test.go

@@ -292,9 +292,11 @@ func (suite *AuthorizationCodeStoreTestSuite) TestUpdateAuthorizationCodeState_E
 	suite.mockdbProvider.AssertExpectations(suite.T())
 }
 
+const testTimeString = "2023-12-01 10:30:45.123456789"
+
 func (suite *AuthorizationCodeStoreTestSuite) TestParseTimeField_StringInput() {
-	testTime := "2023-12-01 10:30:45.123456789 extra content"
-	expectedTime, _ := time.Parse("2006-01-02 15:04:05.999999999", "2023-12-01 10:30:45.123456789")
+	testTime := testTimeString + " extra content"
+	expectedTime, _ := time.Parse("2006-01-02 15:04:05.999999999", testTimeString)
 
 	result, err := parseTimeField(testTime, "test_field")
 	assert.NoError(suite.T(), err)
@@ -310,8 +312,8 @@ func (suite *AuthorizationCodeStoreTestSuite) TestParseTimeField_TimeInput() {
 }
 
 func (suite *AuthorizationCodeStoreTestSuite) TestTrimTimeString() {
-	input := "2023-12-01 10:30:45.123456789 extra content here"
-	expected := "2023-12-01 10:30:45.123456789"
+	input := testTimeString + " extra content here"
+	expected := testTimeString
 
 	result := trimTimeString(input)
 	assert.Equal(suite.T(), expected, result)

backend/internal/oauth/oauth2/authz/auth_req_store.go

@@ -0,0 +1,240 @@
+/*
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package authz
+
+import (
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/asgardeo/thunder/internal/oauth/oauth2/model"
+	"github.com/asgardeo/thunder/internal/system/config"
+	"github.com/asgardeo/thunder/internal/system/database/provider"
+	"github.com/asgardeo/thunder/internal/system/log"
+	"github.com/asgardeo/thunder/internal/system/utils"
+)
+
+// authRequestContext holds OAuth authorization request information.
+type authRequestContext struct {
+	OAuthParameters model.OAuthParameters
+}
+
+// authorizationRequestStoreInterface defines the interface for authorization request storage.
+type authorizationRequestStoreInterface interface {
+	AddRequest(value authRequestContext) string
+	GetRequest(key string) (bool, authRequestContext)
+	ClearRequest(key string)
+}
+
+// authorizationRequestStore provides the authorization request store functionality using database.
+type authorizationRequestStore struct {
+	dbProvider     provider.DBProviderInterface
+	validityPeriod time.Duration
+	deploymentID   string
+	logger         *log.Logger
+}
+
+// newAuthorizationRequestStore creates a new instance of authorizationRequestStore with injected dependencies.
+func newAuthorizationRequestStore() authorizationRequestStoreInterface {
+	return &authorizationRequestStore{
+		dbProvider:     provider.GetDBProvider(),
+		validityPeriod: 10 * time.Minute,
+		deploymentID:   config.GetThunderRuntime().Config.Server.Identifier,
+		logger:         log.GetLogger().With(log.String(log.LoggerKeyComponentName, "AuthorizationRequestStore")),
+	}
+}
+
+// AddRequest adds an authorization request context entry to the store.
+func (authzRS *authorizationRequestStore) AddRequest(value authRequestContext) string {
+	dbClient, err := authzRS.dbProvider.GetRuntimeDBClient()
+	if err != nil {
+		authzRS.logger.Error("Failed to get database client", log.Error(err))
+		return ""
+	}
+
+	key := utils.GenerateUUID()
+	// Calculate expiry based on current time
+	requestInitiatedTime := time.Now()
+	expiryTime := requestInitiatedTime.Add(authzRS.validityPeriod)
+
+	// Serialize authRequestContext to JSON
+	jsonDataBytes, err := authzRS.getJSONDataBytes(value)
+	if err != nil {
+		authzRS.logger.Error("Failed to marshal request context to JSON", log.Error(err))
+		return ""
+	}
+
+	_, err = dbClient.Execute(queryInsertAuthRequest, key, jsonDataBytes, expiryTime, authzRS.deploymentID)
+	if err != nil {
+		authzRS.logger.Error("Failed to insert authorization request", log.Error(err))
+		return ""
+	}
+
+	return key
+}
+
+// GetRequest retrieves an authorization request context entry from the store.
+func (authzRS *authorizationRequestStore) GetRequest(key string) (bool, authRequestContext) {
+	if key == "" {
+		return false, authRequestContext{}
+	}
+
+	dbClient, err := authzRS.dbProvider.GetRuntimeDBClient()
+	if err != nil {
+		authzRS.logger.Error("Failed to get database client", log.Error(err))
+		return false, authRequestContext{}
+	}
+
+	// Check expiry by comparing with current time
+	now := time.Now()
+	results, err := dbClient.Query(queryGetAuthRequest, key, now, authzRS.deploymentID)
+	if err != nil {
+		authzRS.logger.Error("Failed to query authorization request", log.Error(err))
+		return false, authRequestContext{}
+	}
+
+	if len(results) == 0 {
+		return false, authRequestContext{}
+	}
+
+	row := results[0]
+	authRequestCtx, err := authzRS.buildAuthRequestContextFromResultRow(row)
+	if err != nil {
+		authzRS.logger.Error("Failed to build authorization request context from result", log.Error(err))
+		return false, authRequestContext{}
+	}
+
+	return true, authRequestCtx
+}
+
+// ClearRequest removes a specific authorization request context entry from the store.
+func (authzRS *authorizationRequestStore) ClearRequest(key string) {
+	if key == "" {
+		return
+	}
+
+	dbClient, err := authzRS.dbProvider.GetRuntimeDBClient()
+	if err != nil {
+		authzRS.logger.Error("Failed to get database client", log.Error(err))
+		return
+	}
+
+	_, err = dbClient.Execute(queryDeleteAuthRequest, key, authzRS.deploymentID)
+	if err != nil {
+		authzRS.logger.Error("Failed to delete authorization request", log.Error(err))
+	}
+}
+
+// getJSONDataBytes prepares the JSON data bytes for the authorization request context.
+func (authzRS *authorizationRequestStore) getJSONDataBytes(authRequestCtx authRequestContext) ([]byte, error) {
+	jsonData := map[string]interface{}{
+		jsonKeyState:               authRequestCtx.OAuthParameters.State,
+		jsonKeyClientID:            authRequestCtx.OAuthParameters.ClientID,
+		jsonKeyRedirectURI:         authRequestCtx.OAuthParameters.RedirectURI,
+		jsonKeyResponseType:        authRequestCtx.OAuthParameters.ResponseType,
+		jsonKeyStandardScopes:      authRequestCtx.OAuthParameters.StandardScopes,
+		jsonKeyPermissionScopes:    authRequestCtx.OAuthParameters.PermissionScopes,
+		jsonKeyCodeChallenge:       authRequestCtx.OAuthParameters.CodeChallenge,
+		jsonKeyCodeChallengeMethod: authRequestCtx.OAuthParameters.CodeChallengeMethod,
+		jsonKeyResource:            authRequestCtx.OAuthParameters.Resource,
+	}
+
+	jsonDataBytes, err := json.Marshal(jsonData)
+	if err != nil {
+		return nil, fmt.Errorf("error marshaling request context to JSON: %w", err)
+	}
+	return jsonDataBytes, nil
+}
+
+// buildAuthRequestContextFromResultRow builds an authRequestContext from a database result row.
+func (authzRS *authorizationRequestStore) buildAuthRequestContextFromResultRow(
+	row map[string]interface{},
+) (authRequestContext, error) {
+	var dataJSON string
+	if val, ok := row[dbColumnRequestData].(string); ok && val != "" {
+		dataJSON = val
+	} else if val, ok := row[dbColumnRequestData].([]byte); ok && len(val) > 0 {
+		dataJSON = string(val)
+	} else {
+		return authRequestContext{}, fmt.Errorf("%s is missing or of unexpected type", dbColumnRequestData)
+	}
+
+	var requestDataMap map[string]interface{}
+	if err := json.Unmarshal([]byte(dataJSON), &requestDataMap); err != nil {
+		return authRequestContext{}, fmt.Errorf("failed to unmarshal %s JSON: %w", dbColumnRequestData, err)
+	}
+
+	// Build OAuthParameters from JSON
+	oauthParams := model.OAuthParameters{}
+	oauthParams.StandardScopes = []string{}
+	oauthParams.PermissionScopes = []string{}
+
+	if state, ok := requestDataMap[jsonKeyState].(string); ok {
+		oauthParams.State = state
+	}
+	if clientID, ok := requestDataMap[jsonKeyClientID].(string); ok {
+		oauthParams.ClientID = clientID
+	}
+	if redirectURI, ok := requestDataMap[jsonKeyRedirectURI].(string); ok {
+		oauthParams.RedirectURI = redirectURI
+	}
+	if responseType, ok := requestDataMap[jsonKeyResponseType].(string); ok {
+		oauthParams.ResponseType = responseType
+	}
+	// Handle standard_scopes
+	if standardScopes, ok := requestDataMap[jsonKeyStandardScopes].([]interface{}); ok {
+		oauthParams.StandardScopes = convertToStringArray(standardScopes)
+	} else if standardScopes, ok := requestDataMap[jsonKeyStandardScopes].([]string); ok {
+		oauthParams.StandardScopes = standardScopes
+	} else if requestDataMap[jsonKeyStandardScopes] == nil {
+		oauthParams.StandardScopes = []string{}
+	}
+	// Handle permission_scopes
+	if permissionScopes, ok := requestDataMap[jsonKeyPermissionScopes].([]interface{}); ok {
+		oauthParams.PermissionScopes = convertToStringArray(permissionScopes)
+	} else if permissionScopes, ok := requestDataMap[jsonKeyPermissionScopes].([]string); ok {
+		oauthParams.PermissionScopes = permissionScopes
+	} else if requestDataMap[jsonKeyPermissionScopes] == nil {
+		oauthParams.PermissionScopes = []string{}
+	}
+	if codeChallenge, ok := requestDataMap[jsonKeyCodeChallenge].(string); ok {
+		oauthParams.CodeChallenge = codeChallenge
+	}
+	if codeChallengeMethod, ok := requestDataMap[jsonKeyCodeChallengeMethod].(string); ok {
+		oauthParams.CodeChallengeMethod = codeChallengeMethod
+	}
+	if resource, ok := requestDataMap[jsonKeyResource].(string); ok {
+		oauthParams.Resource = resource
+	}
+
+	return authRequestContext{
+		OAuthParameters: oauthParams,
+	}, nil
+}
+
+// convertToStringArray converts []interface{} to []string.
+func convertToStringArray(arr []interface{}) []string {
+	result := make([]string, 0, len(arr))
+	for _, v := range arr {
+		if str, ok := v.(string); ok {
+			result = append(result, str)
+		}
+	}
+	return result
+}