challenger

OAuth 2.0-based authentication service that validates user can receive messages at a certain address
Log | Files | Refs | Submodules | README | LICENSE

token_add_token.c (3035B)


      1 /*
      2    This file is part of Challenger
      3    Copyright (C) 2023 Taler Systems SA
      4 
      5    Challenger is free software; you can redistribute it and/or modify it under the
      6    terms of the GNU General Public License as published by the Free Software
      7    Foundation; either version 3, or (at your option) any later version.
      8 
      9    Challenger is distributed in the hope that it will be useful, but WITHOUT ANY
     10    WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
     11    A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
     12 
     13    You should have received a copy of the GNU General Public License along with
     14    Challenger; see the file COPYING.  If not, see <http://www.gnu.org/licenses/>
     15  */
     16 /**
     17  * @file src/challengerdb/token_add_token.c
     18  * @brief Implementation of the token_add_token function for Postgres
     19  * @author Christian Grothoff
     20  */
     21 #include "platform.h"
     22 #include <taler/taler_error_codes.h>
     23 #include <taler/taler_dbevents.h>
     24 #include <taler/taler_pq_lib.h>
     25 #include "token_add_token.h"
     26 #include "pg_helper.h"
     27 
     28 
     29 enum GNUNET_DB_QueryStatus
     30 CHALLENGERDB_token_add_token (struct CHALLENGERDB_PostgresContext *ctx,
     31                               const struct CHALLENGER_ValidationNonceP *nonce,
     32                               const struct CHALLENGER_AccessTokenP *token,
     33                               struct GNUNET_TIME_Relative token_expiration,
     34                               struct GNUNET_TIME_Relative address_expiration)
     35 {
     36   struct GNUNET_TIME_Absolute ge
     37     = GNUNET_TIME_relative_to_absolute (token_expiration);
     38   struct GNUNET_PQ_QueryParam params[] = {
     39     GNUNET_PQ_query_param_auto_from_type (nonce),
     40     GNUNET_PQ_query_param_auto_from_type (token),
     41     GNUNET_PQ_query_param_absolute_time (&ge),
     42     GNUNET_PQ_query_param_relative_time (&address_expiration),
     43     GNUNET_PQ_query_param_end
     44   };
     45 
     46   /* Redemption must be atomic and one-shot (RFC 6749 4.1.2): consume the
     47      validation by deleting it as we mint the token, so the same authorization
     48      code cannot be replayed to mint additional tokens.  A replay finds no
     49      matching validations row and thus inserts no token (NO_RESULTS), which the
     50      caller maps to 'invalid_grant'.  The 'address IS NOT NULL' guard avoids
     51      violating the tokens.address NOT NULL constraint (and only consumes a
     52      validation that actually carries a solved address). */
     53   PREPARE (ctx,
     54            "token_add_token",
     55            "WITH consumed AS ("
     56            "  DELETE FROM validations"
     57            "   WHERE nonce=$1"
     58            "     AND address IS NOT NULL"
     59            "  RETURNING address, last_tx_time"
     60            ") INSERT INTO tokens"
     61            " (access_token"
     62            " ,address"
     63            " ,token_expiration_time"
     64            " ,address_expiration_time"
     65            ") SELECT"
     66            " $2, address, $3, $4 + last_tx_time"
     67            " FROM consumed;");
     68   return GNUNET_PQ_eval_prepared_non_select (ctx->conn,
     69                                              "token_add_token",
     70                                              params);
     71 }