Merge pull request #19941 from mozilla/FXA-12616

feat(auth-server): Add new attached_oauth_clients endpoint

Author: nshirley

packages/fxa-auth-client/lib/client.ts

@@ -1844,6 +1844,14 @@ export default class AuthClient {
     return this.sessionGet('/account/attached_clients', sessionToken, headers);
   }
 
+  async attachedOauthClients(sessionToken: hexstring, headers?: Headers) {
+    return this.sessionGet(
+      '/account/attached_oauth_clients',
+      sessionToken,
+      headers
+    );
+  }
+
   async attachedClientDestroy(
     sessionToken: hexstring,
     clientInfo: any,

packages/fxa-auth-server/docs/swagger/devices-and-sessions-api.ts

@@ -36,6 +36,22 @@ const ACCOUNT_ATTACHED_CLIENTS_GET = {
   ],
 };
 
+const ACCOUNT_ATTACHED_OAUTH_CLIENTS_GET = {
+  ...TAGS_DEVICES_AND_SESSIONS,
+  description: '/account/attached_oauth_clients',
+  notes: [
+    dedent`
+      🔒 Authenticated with session token
+
+      Returns an array listing all the OAuth Clients that the authenticated user has connected to their account.
+
+      This will only return active sessions. For example, if a user has signed into a service and then later disconnects from that service via account settings connected devices, they would not appear on this list.
+
+      Each OAuth Client will have exactly one record, and include the 'lastAccessTime' property.
+    `,
+  ],
+};
+
 const ACCOUNT_ATTACHED_CLIENT_DESTROY_POST = {
   ...TAGS_DEVICES_AND_SESSIONS,
   description: '/account/attached_client/destroy',
@@ -71,13 +87,13 @@ const ACCOUNT_DEVICE_POST = {
           description: dedent`
             Failing requests may be caused by the following errors (this is not an exhaustive list):
             - \`errno: 107\` - Invalid parameter in request body
-          `
+          `,
         },
         503: {
           description: dedent`
             Failing requests may be caused by the following errors (this is not an exhaustive list):
             - \`errno: 202\` - Feature not enabled
-          `
+          `,
         },
       },
     },
@@ -200,6 +216,7 @@ const ACCOUNT_DEVICE_DESTROY_POST = {
 const API_DOCS = {
   ACCOUNT_ATTACHED_CLIENT_DESTROY_POST,
   ACCOUNT_ATTACHED_CLIENTS_GET,
+  ACCOUNT_ATTACHED_OAUTH_CLIENTS_GET,
   ACCOUNT_DEVICE_COMMANDS_GET,
   ACCOUNT_DEVICE_DESTROY_POST,
   ACCOUNT_DEVICE_POST,

packages/fxa-auth-server/lib/oauth/authorized_clients.js

@@ -21,6 +21,99 @@ function serialize(clientIdHex, token) {
   };
 }
 
+/**
+ * Sorts authorized clients by last_access_time, client_name, created_time, and scope.
+ */
+function sortAuthorizedClients(clients) {
+  return clients.sort(function (a, b) {
+    if (b.last_access_time > a.last_access_time) {
+      return 1;
+    }
+    if (b.last_access_time < a.last_access_time) {
+      return -1;
+    }
+    if (a.client_name > b.client_name) {
+      return 1;
+    }
+    if (a.client_name < b.client_name) {
+      return -1;
+    }
+    if (a.created_time > b.created_time) {
+      return 1;
+    }
+    if (a.created_time < b.created_time) {
+      return -1;
+    }
+    // To help provide a deterministic result order to simplify testing, also sort of scope values.
+    if (a.scope > b.scope) {
+      return 1;
+    }
+    if (a.scope < b.scope) {
+      return -1;
+    }
+    return 0;
+  });
+}
+
+/**
+ * Processes access tokens into unified records by clientId.
+ * Merges multiple access tokens for the same client.
+ * Filters out clients already seen in refresh tokens and canGrant clients.
+ * @param {Array} accessTokens
+ * @param {Set} seenClientIds - ClientIds to exclude
+ * @returns {Array} Array of serialized records
+ */
+function processAccessTokens(accessTokens, seenClientIds) {
+  const accessTokenRecordsByClientId = new Map();
+
+  for (const token of accessTokens) {
+    const clientId = token.clientId.toString('hex');
+    if (!seenClientIds.has(clientId) && !token.clientCanGrant) {
+      let record = accessTokenRecordsByClientId.get(clientId);
+      if (typeof record === 'undefined') {
+        record = {
+          clientId,
+          clientName: token.clientName,
+          createdAt: token.createdAt,
+          lastUsedAt: token.createdAt,
+          scope: ScopeSet.fromArray([]),
+        };
+        accessTokenRecordsByClientId.set(clientId, record);
+      }
+      // Merge details of all access tokens into a single record.
+      record.scope.add(token.scope);
+      if (token.createdAt < record.createdAt) {
+        record.createdAt = token.createdAt;
+      }
+      if (record.lastUsedAt < token.createdAt) {
+        record.lastUsedAt = token.createdAt;
+      }
+    }
+  }
+
+  return Array.from(accessTokenRecordsByClientId.values()).map((record) =>
+    serialize(record.clientId, record)
+  );
+}
+
+/**
+ * Processes refresh tokens into serialized records.
+ * @param {Array} refreshTokens
+ * @returns {Object} { records: Array, seenClientIds: Set }
+ */
+function processRefreshTokens(refreshTokens) {
+  const records = [];
+  const seenClientIds = new Set();
+
+  for (const token of refreshTokens) {
+    const clientId = token.clientId.toString('hex');
+    records.push(serialize(clientId, token));
+    seenClientIds.add(clientId);
+  }
+
+  return { records, seenClientIds };
+}
+
 module.exports = {
   async destroy(clientId, uid, refreshTokenId) {
     await oauthDB.ready();
@@ -34,90 +127,47 @@ module.exports = {
       await oauthDB.deleteClientAuthorization(clientId, uid);
     }
   },
+  /**
+   * Fetches all authorized clients for a given user ID,
+   * @param {*} uid
+   * @returns
+   */
   async list(uid) {
     await oauthDB.ready();
-    const authorizedClients = [];
-
+    // get both refresh and access tokens in parallel
     const [refreshTokens, accessTokens] = await Promise.all([
       oauthDB.getRefreshTokensByUid(uid),
       oauthDB.getAccessTokensByUid(uid),
     ]);
 
-    // First, enumerate all the refresh tokens.
-    // Each of these is a separate instance of an authorized client
-    // and should be displayed to the user as such. Nice and simple!
-    const seenClientIds = new Set();
-    for (const token of refreshTokens) {
-      const clientId = token.clientId.toString('hex');
-      authorizedClients.push(serialize(clientId, token));
-      seenClientIds.add(clientId);
-    }
+    const { records: refreshRecords, seenClientIds } =
+      processRefreshTokens(refreshTokens);
 
-    // Next, enumerate all the access tokens. In the interests of giving the user a
-    // complete-yet-comprehensible list of all the things attached to their account,
-    // we want to:
-    //
-    //  1. Show a single unified record for any client that is not using refresh tokens.
-    //  2. Avoid showing access tokens for `canGrant` clients; such clients will always
-    //     hold some other sort of token, and we don't want them to appear in the list twice.
-    const accessTokenRecordsByClientId = new Map();
-    for (const token of accessTokens) {
-      const clientId = token.clientId.toString('hex');
-      if (!seenClientIds.has(clientId) && !token.clientCanGrant) {
-        let record = accessTokenRecordsByClientId.get(clientId);
-        if (typeof record === 'undefined') {
-          record = {
-            clientId,
-            clientName: token.clientName,
-            createdAt: token.createdAt,
-            lastUsedAt: token.createdAt,
-            scope: ScopeSet.fromArray([]),
-          };
-          accessTokenRecordsByClientId.set(clientId, record);
-        }
-        // Merge details of all access tokens into a single record.
-        record.scope.add(token.scope);
-        if (token.createdAt < record.createdAt) {
-          record.createdAt = token.createdAt;
-        }
-        if (record.lastUsedAt < token.createdAt) {
-          record.lastUsedAt = token.createdAt;
-        }
-      }
-    }
-    for (const [clientId, record] of accessTokenRecordsByClientId.entries()) {
-      authorizedClients.push(serialize(clientId, record));
-    }
+    const accessRecords = processAccessTokens(accessTokens, seenClientIds);
 
-    // Sort the final list first by last_access_time, then by client_name, then by created_time.
-    authorizedClients.sort(function (a, b) {
-      if (b.last_access_time > a.last_access_time) {
-        return 1;
-      }
-      if (b.last_access_time < a.last_access_time) {
-        return -1;
-      }
-      if (a.client_name > b.client_name) {
-        return 1;
-      }
-      if (a.client_name < b.client_name) {
-        return -1;
-      }
-      if (a.created_time > b.created_time) {
-        return 1;
-      }
-      if (a.created_time < b.created_time) {
-        return -1;
-      }
-      // To help provide a deterministic result order to simplify testing, also sort of scope values.
-      if (a.scope > b.scope) {
-        return 1;
-      }
-      if (a.scope < b.scope) {
-        return -1;
-      }
-      return 0;
-    });
-    return authorizedClients;
+    const authorizedClients = [...refreshRecords, ...accessRecords];
+    return sortAuthorizedClients(authorizedClients);
+  },
+
+  /**
+   * Fetches a list of unique OAuth clients authorized by a user.
+   * Each clientId appears only once. The DB layer handles uniqueness
+   * and selects the token with the most recent lastAccessTime.
+   */
+  async listUnique(uid) {
+    await oauthDB.ready();
+
+    const [refreshTokens, accessTokens] = await Promise.all([
+      oauthDB.getUniqueRefreshTokensByUid(uid),
+      oauthDB.getAccessTokensByUid(uid),
+    ]);
+
+    const { records: refreshRecords, seenClientIds } =
+      processRefreshTokens(refreshTokens);
+
+    const accessRecords = processAccessTokens(accessTokens, seenClientIds);
+
+    const authorizedClients = [...refreshRecords, ...accessRecords];
+    return sortAuthorizedClients(authorizedClients);
   },
 };

packages/fxa-auth-server/lib/oauth/db/index.js

@@ -133,9 +133,16 @@ class OauthDB extends ConnectedServicesDb {
     return t;
   }
 
-  async getRefreshTokensByUid(uid) {
-    await this.ready();
-    const tokens = await this.mysql._getRefreshTokensByUid(uid);
+  /**
+   * Processes each refresh token, checking it against the redis cache. If
+   * found, it merges the metadata from redis into the token object. Objects
+   * found in redis, but not in mysql, are pruned.
+   * @param {*} uid
+   * @param {*} getTokens
+   * @returns
+   */
+  async _processRefreshTokens(uid, getTokens) {
+    const tokens = await getTokens;
     const extraMetadata = await this.redis.getRefreshTokens(uid);
     // We'll take this opportunity to clean up any tokens that exist in redis but
     // not in mysql, so this loop deletes each token from `extraMetadata` once handled.
@@ -154,6 +161,34 @@ class OauthDB extends ConnectedServicesDb {
     return tokens;
   }
 
+  /**
+   * Fetches all refresh tokens for a given uid. Multiple tokens can be
+   * returned for a single clientId
+   * @param uid
+   * @returns {Promise<*>}
+   */
+  async getRefreshTokensByUid(uid) {
+    await this.ready();
+    return this._processRefreshTokens(
+      uid,
+      this.mysql._getRefreshTokensByUid(uid)
+    );
+  }
+
+  /**
+   * Fetches all unique refresh tokens for a given uid. A clientId will
+   * only appear once, prioritized by lastUsedAt date
+   * @param uid
+   * @returns {Promise<*>}
+   */
+  async getUniqueRefreshTokensByUid(uid) {
+    await this.ready();
+    return await this._processRefreshTokens(
+      uid,
+      this.mysql._getUniqueRefreshTokensByUid(uid)
+    );
+  }
+
   async removeRefreshToken(token) {
     await this.ready();
     await this.redis.removeRefreshToken(token.userId, token.tokenId);

packages/fxa-auth-server/lib/oauth/db/mysql/index.js

@@ -138,6 +138,30 @@ const QUERY_LIST_REFRESH_TOKENS_BY_UID =
   '  refreshTokens.scope, clients.name as clientName, clients.canGrant AS clientCanGrant ' +
   'FROM refreshTokens LEFT OUTER JOIN clients ON clients.id = refreshTokens.clientId ' +
   'WHERE refreshTokens.userId=?';
+
+/**
+ * Gets a unique list of refresh tokens for a given user.
+ * Groups by clientId, returning only the most recently used token for each client.
+ */
+const QUERY_LIST_UNIQUE_REFRESH_TOKENS_BY_UID =
+  'SELECT ' +
+  '  rt.clientId, ' +
+  '  rt.token AS tokenId, ' +
+  '  rt.createdAt, ' +
+  '  rt.lastUsedAt, ' +
+  '  rt.scope, ' +
+  '  clients.name AS clientName, ' +
+  '  clients.canGrant AS clientCanGrant ' +
+  'FROM refreshTokens rt ' +
+  'INNER JOIN ( ' +
+  '  SELECT clientId, MAX(lastUsedAt) AS maxLastUsedAt ' +
+  '  FROM refreshTokens ' +
+  '  WHERE userId=? ' +
+  '  GROUP BY clientId ' +
+  ') latest ON rt.clientId = latest.clientId AND rt.lastUsedAt = latest.maxLastUsedAt ' +
+  'LEFT OUTER JOIN clients ON clients.id = rt.clientId ' +
+  'WHERE rt.userId=?';
+
 const QUERY_LIST_REFRESH_TOKENS_BY_CLIENT_ID =
   'SELECT refreshTokens.createdAt, refreshTokens.userId FROM refreshTokens WHERE refreshTokens.clientId=?';
 const DELETE_ACTIVE_CODES_BY_CLIENT_AND_UID =
@@ -426,6 +450,24 @@ class MysqlStore extends MysqlOAuthShared {
     return refreshTokens;
   }
 
+  /**
+   * Get a unique list of refresh tokens for a given user.
+   * @param {String} uid
+   * @returns {Promise}
+   */
+  async _getUniqueRefreshTokensByUid(uid) {
+    const uidBuf = buf(uid);
+    const refreshTokens = await this._read(
+      QUERY_LIST_UNIQUE_REFRESH_TOKENS_BY_UID,
+      // we need to pass uid twice because it's used two times in the query
+      [uidBuf, uidBuf]
+    );
+    refreshTokens.forEach((t) => {
+      t.scope = ScopeSet.fromString(t.scope);
+    });
+    return refreshTokens;
+  }
+
   /**
    * Get all refresh tokens for all users for a given clientId.
    * @param {String} clientId