chore: simplify consent challenge decoding

GitOrigin-RevId: c22df92e87df48f7884ae4a85f591a3e6e71e22e

Author: aeneasr

consent/handler.go

@@ -353,6 +353,7 @@ func (h *Handler) getOAuth2LoginRequest(w http.ResponseWriter, r *http.Request)
 	var err error
 	ctx, span := h.r.Tracer(r.Context()).Tracer().Start(r.Context(), "consent.getOAuth2LoginRequest")
 	defer otelx.End(span, &err)
+
 	challenge := cmp.Or(
 		r.URL.Query().Get("login_challenge"),
 		r.URL.Query().Get("challenge"),
@@ -652,6 +653,10 @@ type getOAuth2ConsentRequest struct {
 //	  410: oAuth2RedirectTo
 //	  default: errorOAuth2
 func (h *Handler) getOAuth2ConsentRequest(w http.ResponseWriter, r *http.Request) {
+	var err error
+	ctx, span := h.r.Tracer(r.Context()).Tracer().Start(r.Context(), "consent.getOAuth2ConsentRequest")
+	defer otelx.End(span, &err)
+
 	challenge := cmp.Or(
 		r.URL.Query().Get("consent_challenge"),
 		r.URL.Query().Get("challenge"),
@@ -661,28 +666,23 @@ func (h *Handler) getOAuth2ConsentRequest(w http.ResponseWriter, r *http.Request
 		return
 	}
 
-	request, err := h.r.ConsentManager().GetConsentRequest(r.Context(), challenge)
+	f, err := flow.DecodeFromConsentChallenge(ctx, h.r, challenge)
 	if err != nil {
 		h.r.Writer().WriteError(w, r, err)
 		return
 	}
-	if request.WasHandled {
+
+	if f.ConsentWasHandled {
 		h.r.Writer().WriteCode(w, r, http.StatusGone, &flow.OAuth2RedirectTo{
-			RedirectTo: request.RequestURL,
+			RedirectTo: f.RequestURL,
 		})
 		return
 	}
 
-	if request.RequestedScope == nil {
-		request.RequestedScope = []string{}
-	}
-
-	if request.RequestedAudience == nil {
-		request.RequestedAudience = []string{}
-	}
-
-	request.Client = sanitizeClient(request.Client)
-	h.r.Writer().Write(w, r, request)
+	// Transform flow to the existing API format.
+	req := f.GetConsentRequest(challenge)
+	req.Client.Secret = ""
+	h.r.Writer().Write(w, r, req)
 }
 
 // Accept OAuth 2.0 Consent Request
@@ -734,7 +734,9 @@ type acceptOAuth2ConsentRequest struct {
 //	  200: oAuth2RedirectTo
 //	  default: errorOAuth2
 func (h *Handler) acceptOAuth2ConsentRequest(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	var err error
+	ctx, span := h.r.Tracer(r.Context()).Tracer().Start(r.Context(), "consent.acceptOAuth2ConsentRequest")
+	defer otelx.End(span, &err)
 
 	challenge := cmp.Or(
 		r.URL.Query().Get("consent_challenge"),
@@ -745,39 +747,32 @@ func (h *Handler) acceptOAuth2ConsentRequest(w http.ResponseWriter, r *http.Requ
 		return
 	}
 
-	var p flow.AcceptOAuth2ConsentRequest
+	var payload flow.AcceptOAuth2ConsentRequest
 	d := json.NewDecoder(r.Body)
 	d.DisallowUnknownFields()
-	if err := d.Decode(&p); err != nil {
+	if err := d.Decode(&payload); err != nil {
 		h.r.Writer().WriteErrorCode(w, r, http.StatusBadRequest, errors.WithStack(err))
 		return
 	}
 
-	cr, err := h.r.ConsentManager().GetConsentRequest(ctx, challenge)
+	f, err := flow.DecodeFromConsentChallenge(ctx, h.r, challenge)
 	if err != nil {
 		h.r.Writer().WriteError(w, r, errors.WithStack(err))
 		return
 	}
 
-	p.ConsentRequestID = cr.ConsentRequestID
-	p.RequestedAt = cr.RequestedAt
-	p.HandledAt = sqlxx.NullTime(time.Now().UTC())
-
-	f, err := flow.Decode[flow.Flow](ctx, h.r.FlowCipher(), challenge, flow.AsConsentChallenge)
-	if err != nil {
-		h.r.Writer().WriteError(w, r, err)
-		return
-	}
+	payload.ConsentRequestID = f.ConsentRequestID.String()
+	payload.RequestedAt = f.RequestedAt
+	payload.HandledAt = sqlxx.NullTime(time.Now().UTC())
 
-	hr, err := h.r.ConsentManager().HandleConsentRequest(ctx, f, &p)
-	if err != nil {
+	if err := f.HandleConsentRequest(&payload); err != nil {
 		h.r.Writer().WriteError(w, r, errors.WithStack(err))
 		return
-	} else if hr.Skip {
-		p.Remember = false
+	} else if f.ConsentSkip {
+		payload.Remember = false
 	}
 
-	ru, err := url.Parse(hr.RequestURL)
+	ru, err := url.Parse(f.RequestURL)
 	if err != nil {
 		h.r.Writer().WriteError(w, r, err)
 		return
@@ -789,8 +784,7 @@ func (h *Handler) acceptOAuth2ConsentRequest(w http.ResponseWriter, r *http.Requ
 		return
 	}
 
-	events.Trace(ctx, events.ConsentAccepted, events.WithClientID(cr.Client.GetID()), events.WithSubject(cr.Subject))
-
+	events.Trace(ctx, events.ConsentAccepted, events.WithClientID(f.Client.GetID()), events.WithSubject(f.Subject))
 	h.r.Writer().Write(w, r, &flow.OAuth2RedirectTo{
 		RedirectTo: urlx.SetQuery(ru, url.Values{"consent_verifier": {verifier}}).String(),
 	})
@@ -855,41 +849,33 @@ func (h *Handler) rejectOAuth2ConsentRequest(w http.ResponseWriter, r *http.Requ
 		return
 	}
 
-	var p flow.RequestDeniedError
+	var payload flow.RequestDeniedError
 	d := json.NewDecoder(r.Body)
 	d.DisallowUnknownFields()
-	if err := d.Decode(&p); err != nil {
+	if err := d.Decode(&payload); err != nil {
 		h.r.Writer().WriteErrorCode(w, r, http.StatusBadRequest, errors.WithStack(err))
 		return
 	}
 
-	p.Valid = true
-	p.SetDefaults(flow.ConsentRequestDeniedErrorName)
-	hr, err := h.r.ConsentManager().GetConsentRequest(ctx, challenge)
+	payload.Valid = true
+	payload.SetDefaults(flow.ConsentRequestDeniedErrorName)
+	f, err := flow.DecodeFromConsentChallenge(ctx, h.r, challenge)
 	if err != nil {
 		h.r.Writer().WriteError(w, r, errors.WithStack(err))
 		return
 	}
 
-	f, err := flow.Decode[flow.Flow](ctx, h.r.FlowCipher(), challenge, flow.AsConsentChallenge)
-	if err != nil {
-		h.r.Writer().WriteError(w, r, err)
-		return
-	}
-	cr := f.GetConsentRequest(challenge)
-
-	request, err := h.r.ConsentManager().HandleConsentRequest(ctx, f, &flow.AcceptOAuth2ConsentRequest{
-		Error:            &p,
-		ConsentRequestID: cr.ConsentRequestID,
-		RequestedAt:      hr.RequestedAt,
+	if err := f.HandleConsentRequest(&flow.AcceptOAuth2ConsentRequest{
+		Error:            &payload,
+		ConsentRequestID: f.ConsentRequestID.String(),
+		RequestedAt:      f.RequestedAt,
 		HandledAt:        sqlxx.NullTime(time.Now().UTC()),
-	})
-	if err != nil {
+	}); err != nil {
 		h.r.Writer().WriteError(w, r, errors.WithStack(err))
 		return
 	}
 
-	ru, err := url.Parse(request.RequestURL)
+	ru, err := url.Parse(f.RequestURL)
 	if err != nil {
 		h.r.Writer().WriteError(w, r, err)
 		return
@@ -901,7 +887,7 @@ func (h *Handler) rejectOAuth2ConsentRequest(w http.ResponseWriter, r *http.Requ
 		return
 	}
 
-	events.Trace(ctx, events.ConsentRejected, events.WithClientID(request.Client.GetID()), events.WithSubject(request.Subject))
+	events.Trace(ctx, events.ConsentRejected, events.WithClientID(f.Client.GetID()), events.WithSubject(f.Subject))
 
 	h.r.Writer().Write(w, r, &flow.OAuth2RedirectTo{
 		RedirectTo: urlx.SetQuery(ru, url.Values{"consent_verifier": {verifier}}).String(),

consent/manager.go

@@ -26,9 +26,6 @@ func (ForcedObfuscatedLoginSession) TableName() string {
 
 type (
 	Manager interface {
-		GetConsentRequest(ctx context.Context, challenge string) (*flow.OAuth2ConsentRequest, error)
-		HandleConsentRequest(ctx context.Context, f *flow.Flow, r *flow.AcceptOAuth2ConsentRequest) (*flow.OAuth2ConsentRequest, error)
-
 		RevokeSubjectConsentSession(ctx context.Context, user string) error
 		RevokeSubjectClientConsentSession(ctx context.Context, user, client string) error
 		RevokeConsentSessionByID(ctx context.Context, consentRequestID string) error

consent/test/manager_test_helpers.go

@@ -11,6 +11,9 @@ import (
 	"time"
 
 	"github.com/gofrs/uuid"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
 	"github.com/ory/fosite"
 	"github.com/ory/fosite/handler/openid"
 	"github.com/ory/hydra/v2/aead"
@@ -20,11 +23,8 @@ import (
 	"github.com/ory/hydra/v2/flow"
 	"github.com/ory/hydra/v2/oauth2"
 	"github.com/ory/hydra/v2/x"
-	"github.com/ory/x/assertx"
 	"github.com/ory/x/contextx"
 	"github.com/ory/x/sqlxx"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )
 
 func MockConsentRequest(key string, remember bool, rememberFor int, hasError bool, skip bool, authAt bool, loginChallengeBase string, network string) (c *flow.OAuth2ConsentRequest, h *flow.AcceptOAuth2ConsentRequest, f *flow.Flow) {
@@ -239,8 +239,7 @@ func SaneMockHandleConsentRequest(t *testing.T, m consent.Manager, f *flow.Flow,
 		HandledAt:        sqlxx.NullTime(time.Now().UTC().Add(-time.Minute)),
 	}
 
-	_, err := m.HandleConsentRequest(context.Background(), f, h)
-	require.NoError(t, err)
+	require.NoError(t, f.HandleConsentRequest(h))
 
 	return h
 }
@@ -584,26 +583,11 @@ func ManagerTests(deps Deps, m consent.Manager, clientManager client.Manager, fo
 					_ = clientManager.CreateClient(ctx, consentRequest.Client) // Ignore errors that are caused by duplication
 					f.NID = deps.Contextualizer().Network(context.Background(), uuid.Nil)
 
-					consentChallenge := makeID("challenge", network, tc.key)
-
-					_, err := m.GetConsentRequest(ctx, consentChallenge)
-					require.Error(t, err)
-
-					consentChallenge = x.Must(f.ToConsentChallenge(ctx, deps))
-
-					got1, err := m.GetConsentRequest(ctx, consentChallenge)
-					require.NoError(t, err)
-					compareConsentRequest(t, consentRequest, got1)
-					assert.False(t, got1.WasHandled)
-
-					got1, err = m.HandleConsentRequest(ctx, f, h)
-					require.NoError(t, err)
-					assertx.TimeDifferenceLess(t, time.Now(), time.Time(h.HandledAt), 5)
-					compareConsentRequest(t, consentRequest, got1)
+					require.NoError(t, f.HandleConsentRequest(h))
+					assert.WithinDuration(t, time.Now(), time.Time(h.HandledAt), 5*time.Second)
 
 					h.GrantedAudience = sqlxx.StringSliceJSONFormat{"new-audience"}
-					_, err = m.HandleConsentRequest(ctx, f, h)
-					require.NoError(t, err)
+					require.NoError(t, f.HandleConsentRequest(h))
 
 					consentVerifier := x.Must(f.ToConsentVerifier(ctx, deps))
 
@@ -711,10 +695,8 @@ func ManagerTests(deps Deps, m consent.Manager, clientManager client.Manager, fo
 			_ = clientManager.CreateClient(ctx, cr1.Client)
 			_ = clientManager.CreateClient(ctx, cr2.Client)
 
-			_, err := m.HandleConsentRequest(ctx, f1, hcr1)
-			require.NoError(t, err)
-			_, err = m.HandleConsentRequest(ctx, f2, hcr2)
-			require.NoError(t, err)
+			require.NoError(t, f1.HandleConsentRequest(hcr1))
+			require.NoError(t, f2.HandleConsentRequest(hcr2))
 
 			crr1, err := m.VerifyAndInvalidateConsentRequest(ctx, x.Must(f1.ToConsentVerifier(ctx, deps)))
 			require.NoError(t, err)
@@ -778,13 +760,6 @@ func ManagerTests(deps Deps, m consent.Manager, clientManager client.Manager, fo
 						require.NoError(t, m.RevokeSubjectClientConsentSession(ctx, tc.subject, tc.client))
 					}
 
-					for _, id := range tc.ids {
-						t.Run(fmt.Sprintf("id=%s", id), func(t *testing.T) {
-							_, err := m.GetConsentRequest(ctx, id)
-							assert.True(t, errors.Is(err, x.ErrNotFound))
-						})
-					}
-
 					r, err := fositeManager.GetAccessTokenSession(ctx, tc.at, nil)
 					assert.Error(t, err, "%+v", r)
 					r, err = fositeManager.GetRefreshTokenSession(ctx, tc.rt, nil)
@@ -823,10 +798,8 @@ func ManagerTests(deps Deps, m consent.Manager, clientManager client.Manager, fo
 				flow.WithConsentCSRF(cr2.CSRF),
 			)
 
-			_, err := m.HandleConsentRequest(ctx, f1, hcr1)
-			require.NoError(t, err)
-			_, err = m.HandleConsentRequest(ctx, f2, hcr2)
-			require.NoError(t, err)
+			require.NoError(t, f1.HandleConsentRequest(hcr1))
+			require.NoError(t, f2.HandleConsentRequest(hcr2))
 			handledConsentRequest1, err := m.VerifyAndInvalidateConsentRequest(ctx, x.Must(f1.ToConsentVerifier(ctx, deps)))
 			require.NoError(t, err)
 			handledConsentRequest2, err := m.VerifyAndInvalidateConsentRequest(ctx, x.Must(f2.ToConsentVerifier(ctx, deps)))
@@ -1119,46 +1092,8 @@ func ManagerTests(deps Deps, m consent.Manager, clientManager client.Manager, fo
 			require.NoError(t, m.CreateLoginSession(ctx, &s))
 			require.NoError(t, m.ConfirmLoginSession(ctx, &s))
 
-			f := &flow.Flow{
-				ID:                   uuid.Must(uuid.NewV4()).String(),
-				Subject:              uuid.Must(uuid.NewV4()).String(),
-				LoginVerifier:        uuid.Must(uuid.NewV4()).String(),
-				Client:               cl,
-				LoginAuthenticatedAt: sqlxx.NullTime(time.Now()),
-				RequestedAt:          time.Now(),
-				SessionID:            sqlxx.NullString(s.ID),
-				NID:                  deps.Contextualizer().Network(ctx, uuid.Nil),
-			}
-
-			expected := &flow.OAuth2ConsentRequest{
-				ConsentRequestID:     uuid.Must(uuid.NewV4()).String(),
-				Skip:                 true,
-				Subject:              subject,
-				OpenIDConnectContext: nil,
-				Client:               cl,
-				ClientID:             cl.ID,
-				RequestURL:           "",
-				LoginChallenge:       sqlxx.NullString(f.ID),
-				LoginSessionID:       sqlxx.NullString(s.ID),
-				Verifier:             uuid.Must(uuid.NewV4()).String(),
-				CSRF:                 uuid.Must(uuid.NewV4()).String(),
-			}
-
-			f.ConsentRequestID = sqlxx.NullString(expected.ConsentRequestID)
-
-			consentChallenge, err := f.ToConsentChallenge(ctx, deps)
-			require.NoError(t, err)
-
-			result, err := m.GetConsentRequest(ctx, consentChallenge)
-			require.NoError(t, err)
-			assert.EqualValues(t, expected.ConsentRequestID, result.ConsentRequestID)
-
-			_, err = m.DeleteLoginSession(ctx, s.ID)
-			require.NoError(t, err)
-
-			result, err = m.GetConsentRequest(ctx, consentChallenge)
+			_, err := m.DeleteLoginSession(ctx, s.ID)
 			require.NoError(t, err)
-			assert.EqualValues(t, expected.ConsentRequestID, result.ConsentRequestID)
 		})
 	}
 }