feat: user application dashboard (#727)

Co-authored-by: Elias Schneider <login@eliasschneider.com>
2025-12-16 09:13:20 +03:00 · 2025-08-10 10:56:03 -05:00
parent 87956ea725
commit 484c2f6ef2
31 changed files with 640 additions and 92 deletions
--- a/backend/internal/controller/oidc_controller.go
+++ b/backend/internal/controller/oidc_controller.go
@@ -57,6 +57,9 @@ func NewOidcController(group *gin.RouterGroup, authMiddleware *middleware.AuthMi

 	group.GET("/oidc/users/me/clients", authMiddleware.WithAdminNotRequired().Add(), oc.listOwnAuthorizedClientsHandler)
 	group.GET("/oidc/users/:id/clients", authMiddleware.Add(), oc.listAuthorizedClientsHandler)
+
+	group.DELETE("/oidc/users/me/clients/:clientId", authMiddleware.WithAdminNotRequired().Add(), oc.revokeOwnClientAuthorizationHandler)
+
 }

 type OidcController struct {
@@ -704,6 +707,27 @@ func (oc *OidcController) listAuthorizedClients(c *gin.Context, userID string) {
 	})
 }

+// revokeOwnClientAuthorizationHandler godoc
+// @Summary Revoke authorization for an OIDC client
+// @Description Revoke the authorization for a specific OIDC client for the current user
+// @Tags OIDC
+// @Param clientId path string true "Client ID to revoke authorization for"
+// @Success 204 "No Content"
+// @Router /api/oidc/users/me/clients/{clientId} [delete]
+func (oc *OidcController) revokeOwnClientAuthorizationHandler(c *gin.Context) {
+	clientID := c.Param("clientId")
+
+	userID := c.GetString("userID")
+
+	err := oc.oidcService.RevokeAuthorizedClient(c.Request.Context(), userID, clientID)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
 func (oc *OidcController) verifyDeviceCodeHandler(c *gin.Context) {
 	userCode := c.Query("code")
 	if userCode == "" {
--- a/backend/internal/dto/api_key_dto.go
+++ b/backend/internal/dto/api_key_dto.go
@@ -6,14 +6,14 @@ import (

 type ApiKeyCreateDto struct {
 	Name        string            `json:"name" binding:"required,min=3,max=50" unorm:"nfc"`
-	Description string            `json:"description" unorm:"nfc"`
+	Description *string           `json:"description" unorm:"nfc"`
 	ExpiresAt   datatype.DateTime `json:"expiresAt" binding:"required"`
 }

 type ApiKeyDto struct {
 	ID                  string             `json:"id"`
 	Name                string             `json:"name"`
-	Description         string             `json:"description"`
+	Description         *string            `json:"description"`
 	ExpiresAt           datatype.DateTime  `json:"expiresAt"`
 	LastUsedAt          *datatype.DateTime `json:"lastUsedAt"`
 	CreatedAt           datatype.DateTime  `json:"createdAt"`
--- a/backend/internal/dto/oidc_dto.go
+++ b/backend/internal/dto/oidc_dto.go
@@ -1,9 +1,12 @@
 package dto

+import datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+
 type OidcClientMetaDataDto struct {
-	ID      string `json:"id"`
-	Name    string `json:"name"`
-	HasLogo bool   `json:"hasLogo"`
+	ID        string  `json:"id"`
+	Name      string  `json:"name"`
+	HasLogo   bool    `json:"hasLogo"`
+	LaunchURL *string `json:"launchURL"`
 }

 type OidcClientDto struct {
@@ -32,6 +35,7 @@ type OidcClientCreateDto struct {
 	IsPublic           bool                     `json:"isPublic"`
 	PkceEnabled        bool                     `json:"pkceEnabled"`
 	Credentials        OidcClientCredentialsDto `json:"credentials"`
+	LaunchURL          *string                  `json:"launchURL" binding:"omitempty,url"`
 }

 type OidcClientCredentialsDto struct {
@@ -145,8 +149,9 @@ type DeviceCodeInfoDto struct {
 }

 type AuthorizedOidcClientDto struct {
-	Scope  string                `json:"scope"`
-	Client OidcClientMetaDataDto `json:"client"`
+	Scope      string                `json:"scope"`
+	Client     OidcClientMetaDataDto `json:"client"`
+	LastUsedAt datatype.DateTime     `json:"lastUsedAt"`
 }

 type OidcClientPreviewDto struct {
--- a/backend/internal/model/oidc.go
+++ b/backend/internal/model/oidc.go
@@ -11,7 +11,9 @@ import (
 )

 type UserAuthorizedOidcClient struct {
-	Scope  string
+	Scope      string
+	LastUsedAt datatype.DateTime `sortable:"true"`
+
 	UserID string `gorm:"primary_key;"`
 	User   User

@@ -47,6 +49,7 @@ type OidcClient struct {
 	IsPublic           bool
 	PkceEnabled        bool
 	Credentials        OidcClientCredentials
+	LaunchURL          *string

 	AllowedUserGroups []UserGroup `gorm:"many2many:oidc_clients_allowed_user_groups;"`
 	CreatedByID       string
--- a/backend/internal/service/api_key_service.go
+++ b/backend/internal/service/api_key_service.go
@@ -55,8 +55,8 @@ func (s *ApiKeyService) CreateApiKey(ctx context.Context, userID string, input d
 	apiKey := model.ApiKey{
 		Name:        input.Name,
 		Key:         utils.CreateSha256Hash(token), // Hash the token for storage
-		Description: &input.Description,
-		ExpiresAt:   datatype.DateTime(input.ExpiresAt),
+		Description: input.Description,
+		ExpiresAt:   input.ExpiresAt,
 		UserID:      userID,
 	}

--- a/backend/internal/service/e2etest_service.go
+++ b/backend/internal/service/e2etest_service.go
@@ -154,6 +154,7 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 					ID: "3654a746-35d4-4321-ac61-0bdcff2b4055",
 				},
 				Name:               "Nextcloud",
+				LaunchURL:          utils.Ptr("https://nextcloud.local"),
 				Secret:             "$2a$10$9dypwot8nGuCjT6wQWWpJOckZfRprhe2EkwpKizxS/fpVHrOLEJHC", // w2mUeZISmEvIDMEDvpY0PnxQIpj1m3zY
 				CallbackURLs:       model.UrlList{"http://nextcloud/auth/callback"},
 				LogoutCallbackURLs: model.UrlList{"http://nextcloud/auth/logout/callback"},
@@ -172,6 +173,16 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 					userGroups[1],
 				},
 			},
+			{
+				Base: model.Base{
+					ID: "7c21a609-96b5-4011-9900-272b8d31a9d1",
+				},
+				Name:               "Tailscale",
+				Secret:             "$2a$10$xcRReBsvkI1XI6FG8xu/pOgzeF00bH5Wy4d/NThwcdi3ZBpVq/B9a", // n4VfQeXlTzA6yKpWbR9uJcMdSx2qH0Lo
+				CallbackURLs:       model.UrlList{"http://tailscale/auth/callback"},
+				LogoutCallbackURLs: model.UrlList{"http://tailscale/auth/logout/callback"},
+				CreatedByID:        users[0].ID,
+			},
 			{
 				Base: model.Base{
 					ID: "c48232ff-ff65-45ed-ae96-7afa8a9b443b",
@@ -245,14 +256,22 @@ func (s *TestService) SeedDatabase(baseURL string) error {

 		userAuthorizedClients := []model.UserAuthorizedOidcClient{
 			{
-				Scope:    "openid profile email",
-				UserID:   users[0].ID,
-				ClientID: oidcClients[0].ID,
+				Scope:      "openid profile email",
+				UserID:     users[0].ID,
+				ClientID:   oidcClients[0].ID,
+				LastUsedAt: datatype.DateTime(time.Date(2025, 8, 1, 13, 0, 0, 0, time.UTC)),
 			},
 			{
-				Scope:    "openid profile email",
-				UserID:   users[1].ID,
-				ClientID: oidcClients[2].ID,
+				Scope:      "openid profile email",
+				UserID:     users[0].ID,
+				ClientID:   oidcClients[2].ID,
+				LastUsedAt: datatype.DateTime(time.Date(2025, 8, 10, 14, 0, 0, 0, time.UTC)),
+			},
+			{
+				Scope:      "openid profile email",
+				UserID:     users[1].ID,
+				ClientID:   oidcClients[3].ID,
+				LastUsedAt: datatype.DateTime(time.Date(2025, 8, 12, 12, 0, 0, 0, time.UTC)),
 			},
 		}
 		for _, userAuthorizedClient := range userAuthorizedClients {
--- a/backend/internal/service/oidc_service.go
+++ b/backend/internal/service/oidc_service.go
@@ -149,20 +149,11 @@ func (s *OidcService) Authorize(ctx context.Context, input dto.AuthorizeOidcClie
 		return "", "", &common.OidcAccessDeniedError{}
 	}

-	// Check if the user has already authorized the client with the given scope
-	hasAuthorizedClient, err := s.hasAuthorizedClientInternal(ctx, input.ClientID, userID, input.Scope, tx)
+	hasAlreadyAuthorizedClient, err := s.createAuthorizedClientInternal(ctx, userID, input.ClientID, input.Scope, tx)
 	if err != nil {
 		return "", "", err
 	}

-	// If the user has not authorized the client, create a new authorization in the database
-	if !hasAuthorizedClient {
-		err := s.createAuthorizedClientInternal(ctx, userID, input.ClientID, input.Scope, tx)
-		if err != nil {
-			return "", "", err
-		}
-	}
-
 	// Create the authorization code
 	code, err := s.createAuthorizationCode(ctx, input.ClientID, userID, input.Scope, input.Nonce, input.CodeChallenge, input.CodeChallengeMethod, tx)
 	if err != nil {
@@ -170,7 +161,7 @@ func (s *OidcService) Authorize(ctx context.Context, input dto.AuthorizeOidcClie
 	}

 	// Log the authorization event
-	if hasAuthorizedClient {
+	if hasAlreadyAuthorizedClient {
 		s.auditLogService.Create(ctx, model.AuditLogEventClientAuthorization, ipAddress, userAgent, userID, model.AuditLogData{"clientName": client.Name}, tx)
 	} else {
 		s.auditLogService.Create(ctx, model.AuditLogEventNewClientAuthorization, ipAddress, userAgent, userID, model.AuditLogData{"clientName": client.Name}, tx)
@@ -724,6 +715,7 @@ func updateOIDCClientModelFromDto(client *model.OidcClient, input *dto.OidcClien
 	client.IsPublic = input.IsPublic
 	// PKCE is required for public clients
 	client.PkceEnabled = input.IsPublic || input.PkceEnabled
+	client.LaunchURL = input.LaunchURL

 	// Credentials
 	if len(input.Credentials.FederatedIdentities) > 0 {
@@ -1231,22 +1223,16 @@ func (s *OidcService) VerifyDeviceCode(ctx context.Context, userCode string, use
 		return fmt.Errorf("error saving device auth: %w", err)
 	}

-	// Create user authorization if needed
-	hasAuthorizedClient, err := s.hasAuthorizedClientInternal(ctx, deviceAuth.ClientID, userID, deviceAuth.Scope, tx)
+	hasAlreadyAuthorizedClient, err := s.createAuthorizedClientInternal(ctx, userID, deviceAuth.ClientID, deviceAuth.Scope, tx)
 	if err != nil {
 		return err
 	}

 	auditLogData := model.AuditLogData{"clientName": deviceAuth.Client.Name}
-	if !hasAuthorizedClient {
-		err = s.createAuthorizedClientInternal(ctx, userID, deviceAuth.ClientID, deviceAuth.Scope, tx)
-		if err != nil {
-			return err
-		}
-
-		s.auditLogService.Create(ctx, model.AuditLogEventNewDeviceCodeAuthorization, ipAddress, userAgent, userID, auditLogData, tx)
-	} else {
+	if hasAlreadyAuthorizedClient {
 		s.auditLogService.Create(ctx, model.AuditLogEventDeviceCodeAuthorization, ipAddress, userAgent, userID, auditLogData, tx)
+	} else {
+		s.auditLogService.Create(ctx, model.AuditLogEventNewDeviceCodeAuthorization, ipAddress, userAgent, userID, auditLogData, tx)
 	}

 	return tx.Commit().Error
@@ -1322,6 +1308,34 @@ func (s *OidcService) ListAuthorizedClients(ctx context.Context, userID string,
 	return authorizedClients, response, err
 }

+func (s *OidcService) RevokeAuthorizedClient(ctx context.Context, userID string, clientID string) error {
+	tx := s.db.Begin()
+	defer func() {
+		tx.Rollback()
+	}()
+
+	var authorizedClient model.UserAuthorizedOidcClient
+	err := tx.
+		WithContext(ctx).
+		Where("user_id = ? AND client_id = ?", userID, clientID).
+		First(&authorizedClient).Error
+	if err != nil {
+		return err
+	}
+
+	err = tx.WithContext(ctx).Delete(&authorizedClient).Error
+	if err != nil {
+		return err
+	}
+
+	err = tx.Commit().Error
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func (s *OidcService) createRefreshToken(ctx context.Context, clientID string, userID string, scope string, tx *gorm.DB) (string, error) {
 	refreshToken, err := utils.GenerateRandomAlphanumericString(40)
 	if err != nil {
@@ -1357,14 +1371,37 @@ func (s *OidcService) createRefreshToken(ctx context.Context, clientID string, u
 	return signed, nil
 }

-func (s *OidcService) createAuthorizedClientInternal(ctx context.Context, userID string, clientID string, scope string, tx *gorm.DB) error {
-	userAuthorizedClient := model.UserAuthorizedOidcClient{
-		UserID:   userID,
-		ClientID: clientID,
-		Scope:    scope,
+func (s *OidcService) createAuthorizedClientInternal(ctx context.Context, userID string, clientID string, scope string, tx *gorm.DB) (hasAlreadyAuthorizedClient bool, err error) {
+
+	// Check if the user has already authorized the client with the given scope
+	hasAlreadyAuthorizedClient, err = s.hasAuthorizedClientInternal(ctx, clientID, userID, scope, tx)
+	if err != nil {
+		return false, err
 	}

-	err := tx.WithContext(ctx).
+	if hasAlreadyAuthorizedClient {
+		err = tx.
+			WithContext(ctx).
+			Model(&model.UserAuthorizedOidcClient{}).
+			Where("user_id = ? AND client_id = ?", userID, clientID).
+			Update("last_used_at", datatype.DateTime(time.Now())).
+			Error
+
+		if err != nil {
+			return hasAlreadyAuthorizedClient, err
+		}
+
+		return hasAlreadyAuthorizedClient, nil
+	}
+
+	userAuthorizedClient := model.UserAuthorizedOidcClient{
+		UserID:     userID,
+		ClientID:   clientID,
+		Scope:      scope,
+		LastUsedAt: datatype.DateTime(time.Now()),
+	}
+
+	err = tx.WithContext(ctx).
 		Clauses(clause.OnConflict{
 			Columns:   []clause.Column{{Name: "user_id"}, {Name: "client_id"}},
 			DoUpdates: clause.AssignmentColumns([]string{"scope"}),
@@ -1372,7 +1409,7 @@ func (s *OidcService) createAuthorizedClientInternal(ctx context.Context, userID
 		Create(&userAuthorizedClient).
 		Error

-	return err
+	return hasAlreadyAuthorizedClient, err
 }

 type ClientAuthCredentials struct {
@@ -1704,3 +1741,19 @@ func (s *OidcService) getUserClaimsFromAuthorizedClient(ctx context.Context, aut

 	return claims, nil
 }
+
+func (s *OidcService) IsClientAccessibleToUser(ctx context.Context, clientID string, userID string) (bool, error) {
+	var user model.User
+	err := s.db.WithContext(ctx).Preload("UserGroups").First(&user, "id = ?", userID).Error
+	if err != nil {
+		return false, err
+	}
+
+	var client model.OidcClient
+	err = s.db.WithContext(ctx).Preload("AllowedUserGroups").First(&client, "id = ?", clientID).Error
+	if err != nil {
+		return false, err
+	}
+
+	return s.IsUserGroupAllowedToAuthorize(user, client), nil
+}
--- a/backend/resources/migrations/postgres/20250810144214_apps_dashboard.down.sql
+++ b/backend/resources/migrations/postgres/20250810144214_apps_dashboard.down.sql
@@ -0,0 +1,3 @@
+ALTER TABLE oidc_clients DROP COLUMN launch_url;
+
+ALTER TABLE user_authorized_oidc_clients DROP COLUMN last_used_at;
--- a/backend/resources/migrations/postgres/20250810144214_apps_dashboard.up.sql
+++ b/backend/resources/migrations/postgres/20250810144214_apps_dashboard.up.sql
@@ -0,0 +1,3 @@
+ALTER TABLE oidc_clients ADD COLUMN launch_url TEXT;
+
+ALTER TABLE user_authorized_oidc_clients ADD COLUMN last_used_at TIMESTAMPTZ NOT NULL DEFAULT current_timestamp;
--- a/backend/resources/migrations/sqlite/20250810144214_apps_dashboard.down.sql
+++ b/backend/resources/migrations/sqlite/20250810144214_apps_dashboard.down.sql
@@ -0,0 +1,3 @@
+ALTER TABLE oidc_clients DROP COLUMN launch_url;
+
+ALTER TABLE user_authorized_oidc_clients DROP COLUMN created_at;
--- a/backend/resources/migrations/sqlite/20250810144214_apps_dashboard.up.sql
+++ b/backend/resources/migrations/sqlite/20250810144214_apps_dashboard.up.sql
@@ -0,0 +1,16 @@
+ALTER TABLE oidc_clients ADD COLUMN launch_url TEXT;
+
+CREATE TABLE user_authorized_oidc_clients_new
+(
+    scope     TEXT,
+    user_id   TEXT,
+    client_id TEXT REFERENCES oidc_clients,
+    last_used_at DATETIME NOT NULL,
+    PRIMARY KEY (user_id, client_id)
+);
+
+INSERT INTO user_authorized_oidc_clients_new (scope, user_id, client_id, last_used_at)
+SELECT scope, user_id, client_id, unixepoch() FROM user_authorized_oidc_clients;
+
+DROP TABLE user_authorized_oidc_clients;
+ALTER TABLE user_authorized_oidc_clients_new RENAME TO user_authorized_oidc_clients;