Added RequestAuthorizationCodeViaAuthorizationCodeGrant command

Author: pdt256

authorization_command_handler.go

@@ -2,18 +2,25 @@ package goauth2
 
 import (
 	"github.com/inklabs/rangedb"
+	"github.com/inklabs/rangedb/pkg/clock"
 )
 
 type authorizationCommandHandler struct {
 	store          rangedb.Store
 	pendingEvents  []rangedb.Event
 	tokenGenerator TokenGenerator
+	clock          clock.Clock
 }
 
-func newAuthorizationCommandHandler(store rangedb.Store, tokenGenerator TokenGenerator) *authorizationCommandHandler {
+func newAuthorizationCommandHandler(
+	store rangedb.Store,
+	tokenGenerator TokenGenerator,
+	clock clock.Clock,
+) *authorizationCommandHandler {
 	return &authorizationCommandHandler{
 		store:          store,
 		tokenGenerator: tokenGenerator,
+		clock:          clock,
 	}
 }
 
@@ -135,6 +142,26 @@ func (h *authorizationCommandHandler) Handle(command Command) bool {
 			return false
 		}
 
+	case RequestAuthorizationCodeViaAuthorizationCodeGrant:
+		clientApplication := h.loadClientApplicationAggregate(c.ClientID)
+
+		if !clientApplication.IsOnBoarded {
+			h.emit(RequestAuthorizationCodeViaAuthorizationCodeGrantWasRejectedDueToInvalidClientApplicationID{
+				UserID:   c.UserID,
+				ClientID: c.ClientID,
+			})
+			return false
+		}
+
+		if clientApplication.RedirectUri != c.RedirectUri {
+			h.emit(RequestAuthorizationCodeViaAuthorizationCodeGrantWasRejectedDueToInvalidClientApplicationRedirectUri{
+				UserID:      c.UserID,
+				ClientID:    c.ClientID,
+				RedirectUri: c.RedirectUri,
+			})
+			return false
+		}
+
 	}
 
 	return true
@@ -145,7 +172,7 @@ func (h *authorizationCommandHandler) emit(events ...rangedb.Event) {
 }
 
 func (h *authorizationCommandHandler) loadResourceOwnerAggregate(userID string) *resourceOwner {
-	return newResourceOwner(h.store.AllEventsByStream(resourceOwnerStream(userID)), h.tokenGenerator)
+	return newResourceOwner(h.store.AllEventsByStream(resourceOwnerStream(userID)), h.tokenGenerator, h.clock)
 }
 
 func (h *authorizationCommandHandler) loadClientApplicationAggregate(clientID string) *clientApplication {

goauth2.go

@@ -2,21 +2,30 @@ package goauth2
 
 import (
 	"github.com/inklabs/rangedb"
+	"github.com/inklabs/rangedb/pkg/clock"
 	"github.com/inklabs/rangedb/provider/inmemorystore"
 
 	"github.com/inklabs/goauth2/provider/uuidtoken"
 )
 
 //App is the OAuth2 CQRS application.
 type App struct {
+	clock              clock.Clock
 	store              rangedb.Store
-	preCommandHandlers []PreCommandHandler
 	tokenGenerator     TokenGenerator
+	preCommandHandlers []PreCommandHandler
 }
 
 // Option defines functional option parameters for App.
 type Option func(*App)
 
+//WithClock is a functional option to inject a clock.
+func WithClock(clock clock.Clock) Option {
+	return func(app *App) {
+		app.clock = clock
+	}
+}
+
 //WithStore is a functional option to inject a RangeDB Event Store.
 func WithStore(store rangedb.Store) Option {
 	return func(app *App) {
@@ -43,7 +52,7 @@ func New(options ...Option) *App {
 	}
 
 	app.preCommandHandlers = []PreCommandHandler{
-		newAuthorizationCommandHandler(app.store, app.tokenGenerator),
+		newAuthorizationCommandHandler(app.store, app.tokenGenerator, app.clock),
 	}
 
 	return app
@@ -86,6 +95,9 @@ func (a *App) Dispatch(command Command) []rangedb.Event {
 	case RequestAccessTokenViaRefreshTokenGrant:
 		events = a.handleWithRefreshTokenAggregate(command)
 
+	case RequestAuthorizationCodeViaAuthorizationCodeGrant:
+		events = a.handleWithResourceOwnerAggregate(command)
+
 	}
 
 	return events
@@ -98,13 +110,20 @@ func (a *App) handleWithClientApplicationAggregate(command Command) []rangedb.Ev
 }
 
 func (a *App) handleWithResourceOwnerAggregate(command Command) []rangedb.Event {
-	aggregate := newResourceOwner(a.store.AllEventsByStream(rangedb.GetEventStream(command)), a.tokenGenerator)
+	aggregate := newResourceOwner(
+		a.store.AllEventsByStream(rangedb.GetEventStream(command)),
+		a.tokenGenerator,
+		a.clock,
+	)
 	aggregate.Handle(command)
 	return a.savePendingEvents(aggregate)
 }
 
 func (a *App) handleWithRefreshTokenAggregate(command Command) []rangedb.Event {
-	aggregate := newRefreshToken(a.store.AllEventsByStream(rangedb.GetEventStream(command)), a.tokenGenerator)
+	aggregate := newRefreshToken(
+		a.store.AllEventsByStream(rangedb.GetEventStream(command)),
+		a.tokenGenerator,
+	)
 	aggregate.Handle(command)
 	return a.savePendingEvents(aggregate)
 }

goauth2_test.go

@@ -2,8 +2,10 @@ package goauth2_test
 
 import (
 	"testing"
+	"time"
 
 	"github.com/inklabs/rangedb"
+	"github.com/inklabs/rangedb/pkg/clock/provider/seededclock"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
@@ -25,6 +27,12 @@ const (
 	passwordHash        = "$2a$10$U6ej0p2d9Y8OO2635R7l/O4oEBvxgc9o6gCaQ1wjMZ77dr4qGl8nu"
 	password            = "Pass123!"
 	refreshToken        = "1eff35434eee448884a2d7e2dd28b119"
+	authorizationCode   = "afa410b917034f67b64ec9164bf4140d"
+)
+
+var (
+	issueTime              = time.Date(2020, 04, 1, 8, 0, 0, 0, time.UTC)
+	issueTimePlus10Minutes = issueTime.Add(10 * time.Minute)
 )
 
 func Test_OnBoardUser(t *testing.T) {
@@ -808,3 +816,117 @@ func Test_RequestAccessTokenViaRefreshTokenGrant_For_ClientApplication(t *testin
 			},
 		))
 }
+
+func Test_RequestAuthorizationCodeViaAuthorizationCodeGrant(t *testing.T) {
+	tokenGenerator := goauth2test.NewSeededTokenGenerator(authorizationCode)
+	options := []goauth2.Option{
+		goauth2.WithTokenGenerator(tokenGenerator),
+		goauth2.WithClock(seededclock.New(issueTime)),
+	}
+
+	t.Run("issues authorization code to user", goauth2TestCase(options...).
+		Given(
+			goauth2.UserWasOnBoarded{
+				UserID:       userID,
+				Username:     email,
+				PasswordHash: passwordHash,
+			},
+			goauth2.ClientApplicationWasOnBoarded{
+				ClientID:     clientID,
+				ClientSecret: clientSecret,
+				RedirectUri:  redirectUri,
+				UserID:       adminUserID,
+			},
+		).
+		When(goauth2.RequestAuthorizationCodeViaAuthorizationCodeGrant{
+			UserID:      userID,
+			ClientID:    clientID,
+			RedirectUri: redirectUri,
+			Username:    email,
+			Password:    password,
+		}).
+		Then(goauth2.AuthorizationCodeWasIssuedToUserViaAuthorizationCodeGrant{
+			UserID:            userID,
+			AuthorizationCode: authorizationCode,
+			ExpiresAt:         issueTimePlus10Minutes.Unix(),
+		}))
+
+	t.Run("rejected due to missing client application id", goauth2TestCase().
+		Given().
+		When(goauth2.RequestAuthorizationCodeViaAuthorizationCodeGrant{
+			UserID:      userID,
+			ClientID:    clientID,
+			RedirectUri: redirectUri,
+			Username:    email,
+			Password:    password,
+		}).
+		Then(goauth2.RequestAuthorizationCodeViaAuthorizationCodeGrantWasRejectedDueToInvalidClientApplicationID{
+			UserID:   userID,
+			ClientID: clientID,
+		}))
+
+	t.Run("rejected due to invalid client application redirect uri", goauth2TestCase().
+		Given(goauth2.ClientApplicationWasOnBoarded{
+			ClientID:     clientID,
+			ClientSecret: clientSecret,
+			RedirectUri:  redirectUri,
+			UserID:       adminUserID,
+		}).
+		When(goauth2.RequestAuthorizationCodeViaAuthorizationCodeGrant{
+			UserID:      userID,
+			ClientID:    clientID,
+			RedirectUri: wrongRedirectUri,
+			Username:    email,
+			Password:    password,
+		}).
+		Then(goauth2.RequestAuthorizationCodeViaAuthorizationCodeGrantWasRejectedDueToInvalidClientApplicationRedirectUri{
+			UserID:      userID,
+			ClientID:    clientID,
+			RedirectUri: wrongRedirectUri,
+		}))
+
+	t.Run("rejected due to missing user", goauth2TestCase().
+		Given(goauth2.ClientApplicationWasOnBoarded{
+			ClientID:     clientID,
+			ClientSecret: clientSecret,
+			RedirectUri:  redirectUri,
+			UserID:       adminUserID,
+		}).
+		When(goauth2.RequestAuthorizationCodeViaAuthorizationCodeGrant{
+			UserID:      userID,
+			ClientID:    clientID,
+			RedirectUri: redirectUri,
+			Username:    email,
+			Password:    password,
+		}).
+		Then(goauth2.RequestAuthorizationCodeViaAuthorizationCodeGrantWasRejectedDueToInvalidUser{
+			UserID:   userID,
+			ClientID: clientID,
+		}))
+
+	t.Run("rejected due to invalid user password", goauth2TestCase().
+		Given(
+			goauth2.UserWasOnBoarded{
+				UserID:       userID,
+				Username:     email,
+				PasswordHash: passwordHash,
+			},
+			goauth2.ClientApplicationWasOnBoarded{
+				ClientID:     clientID,
+				ClientSecret: clientSecret,
+				RedirectUri:  redirectUri,
+				UserID:       adminUserID,
+			},
+		).
+		When(goauth2.RequestAuthorizationCodeViaAuthorizationCodeGrant{
+			UserID:      userID,
+			ClientID:    clientID,
+			RedirectUri: redirectUri,
+			Username:    email,
+			Password:    "wrong-password",
+		}).
+		Then(goauth2.RequestAuthorizationCodeViaAuthorizationCodeGrantWasRejectedDueToInvalidUserPassword{
+			UserID:   userID,
+			ClientID: clientID,
+		}))
+}

resource_owner.go

@@ -1,11 +1,16 @@
 package goauth2
 
 import (
+	"time"
+
 	"github.com/inklabs/rangedb"
+	"github.com/inklabs/rangedb/pkg/clock"
 
 	"github.com/inklabs/goauth2/pkg/securepass"
 )
 
+const authorizationCodeLifetime = 10 * time.Minute
+
 type resourceOwner struct {
 	IsOnBoarded                             bool
 	Username                                string
@@ -14,11 +19,13 @@ type resourceOwner struct {
 	IsAdministrator                         bool
 	IsAuthorizedToOnboardClientApplications bool
 	tokenGenerator                          TokenGenerator
+	clock                                   clock.Clock
 }
 
-func newResourceOwner(records <-chan *rangedb.Record, tokenGenerator TokenGenerator) *resourceOwner {
+func newResourceOwner(records <-chan *rangedb.Record, tokenGenerator TokenGenerator, clock clock.Clock) *resourceOwner {
 	aggregate := &resourceOwner{
 		tokenGenerator: tokenGenerator,
+		clock:          clock,
 	}
 
 	for record := range records {
@@ -160,6 +167,37 @@ func (a *resourceOwner) Handle(command Command) {
 			},
 		)
 
+	case RequestAuthorizationCodeViaAuthorizationCodeGrant:
+		if !a.IsOnBoarded {
+			a.emit(RequestAuthorizationCodeViaAuthorizationCodeGrantWasRejectedDueToInvalidUser{
+				UserID:   c.UserID,
+				ClientID: c.ClientID,
+			})
+			return
+		}
+
+		if !a.IsPasswordValid(c.Password) {
+			a.emit(RequestAuthorizationCodeViaAuthorizationCodeGrantWasRejectedDueToInvalidUserPassword{
+				UserID:   c.UserID,
+				ClientID: c.ClientID,
+			})
+			return
+		}
+
+		authorizationCode, err := a.tokenGenerator.New()
+		if err != nil {
+			// TODO: emit error
+			return
+		}
+
+		expiresAt := a.clock.Now().Add(authorizationCodeLifetime).Unix()
+
+		a.emit(AuthorizationCodeWasIssuedToUserViaAuthorizationCodeGrant{
+			UserID:            c.UserID,
+			AuthorizationCode: authorizationCode,
+			ExpiresAt:         expiresAt,
+		})
+
 	}
 }
 

resource_owner_commands.go

@@ -29,3 +29,10 @@ type RequestAccessTokenViaROPCGrant struct {
 	Username     string `json:"username"`
 	Password     string `json:"password"`
 }
+type RequestAuthorizationCodeViaAuthorizationCodeGrant struct {
+	UserID      string `json:"userID"`
+	ClientID    string `json:"clientID"`
+	RedirectUri string `json:"redirectUri"`
+	Username    string `json:"username"`
+	Password    string `json:"password"`
+}

resource_owner_events.go

@@ -96,3 +96,27 @@ type RequestAccessTokenViaROPCGrantWasRejectedDueToInvalidClientApplicationCrede
 	UserID   string `json:"userID"`
 	ClientID string `json:"clientID"`
 }
+
+// RequestAuthorizationCodeViaAuthorizationCodeGrant Events
+type AuthorizationCodeWasIssuedToUserViaAuthorizationCodeGrant struct {
+	UserID            string `json:"userID"`
+	AuthorizationCode string `json:"authorizationCode"`
+	ExpiresAt         int64  `json:"expiresAt"`
+}
+type RequestAuthorizationCodeViaAuthorizationCodeGrantWasRejectedDueToInvalidClientApplicationID struct {
+	UserID   string `json:"userID"`
+	ClientID string `json:"clientID"`
+}
+type RequestAuthorizationCodeViaAuthorizationCodeGrantWasRejectedDueToInvalidClientApplicationRedirectUri struct {
+	UserID      string `json:"userID"`
+	ClientID    string `json:"clientID"`
+	RedirectUri string `json:"redirectUri"`
+}
+type RequestAuthorizationCodeViaAuthorizationCodeGrantWasRejectedDueToInvalidUser struct {
+	UserID   string `json:"userID"`
+	ClientID string `json:"clientID"`
+}
+type RequestAuthorizationCodeViaAuthorizationCodeGrantWasRejectedDueToInvalidUserPassword struct {
+	UserID   string `json:"userID"`
+	ClientID string `json:"clientID"`
+}