feat(core): add social identity

logto-io · Oct 21, 2024 · 6ed9c2e · 6ed9c2e
1 parent 61aa13f
commit 6ed9c2e
Show file tree

Hide file tree

Showing 10 changed files with 526 additions and 24 deletions.
diff --git a/packages/core/src/libraries/user.ts b/packages/core/src/libraries/user.ts
@@ -29,6 +29,7 @@ export const createUserLibrary = (queries: Queries) => {
       hasUserWithEmail,
       hasUserWithId,
       hasUserWithPhone,
+      hasUserWithIdentity,
       findUsersByIds,
       updateUserById,
       findUserById,
@@ -91,10 +92,11 @@ export const createUserLibrary = (queries: Queries) => {
       username?: Nullable<string>;
       primaryEmail?: Nullable<string>;
       primaryPhone?: Nullable<string>;
+      identity?: Nullable<{ target: string; id: string }>;
     },
     excludeUserId?: string
   ) => {
-    const { primaryEmail, primaryPhone, username } = identifiers;
+    const { primaryEmail, primaryPhone, username, identity } = identifiers;
 
     if (primaryEmail && (await hasUserWithEmail(primaryEmail, excludeUserId))) {
       throw new RequestError({ code: 'user.email_already_in_use', status: 422 });
@@ -107,6 +109,10 @@ export const createUserLibrary = (queries: Queries) => {
     if (username && (await hasUser(username, excludeUserId))) {
       throw new RequestError({ code: 'user.username_already_in_use', status: 422 });
     }
+
+    if (identity && (await hasUserWithIdentity(identity.target, identity.id, excludeUserId))) {
+      throw new RequestError({ code: 'user.identity_already_in_use', status: 422 });
+    }
   };
 
   const findUsersByRoleName = async (roleName: string) => {

diff --git a/packages/core/src/routes/experience/classes/verifications/social-verification.ts b/packages/core/src/routes/experience/classes/verifications/social-verification.ts
@@ -1,4 +1,10 @@
-import { socialUserInfoGuard, type SocialUserInfo, type ToZodObject } from '@logto/connector-kit';
+import {
+  type ConnectorSession,
+  connectorSessionGuard,
+  socialUserInfoGuard,
+  type SocialUserInfo,
+  type ToZodObject,
+} from '@logto/connector-kit';
 import {
   VerificationType,
   type JsonObject,
@@ -34,13 +40,18 @@ export type SocialVerificationRecordData = {
    * The social identity returned by the connector.
    */
   socialUserInfo?: SocialUserInfo;
+  /**
+   * The connector session result
+   */
+  connectorSession?: ConnectorSession;
 };
 
 export const socialVerificationRecordDataGuard = z.object({
   id: z.string(),
   connectorId: z.string(),
   type: z.literal(VerificationType.Social),
   socialUserInfo: socialUserInfoGuard.optional(),
+  connectorSession: connectorSessionGuard.optional(),
 }) satisfies ToZodObject<SocialVerificationRecordData>;
 
 export class SocialVerification implements IdentifierVerificationRecord<VerificationType.Social> {
@@ -59,19 +70,21 @@ export class SocialVerification implements IdentifierVerificationRecord<Verifica
   public readonly type = VerificationType.Social;
   public readonly connectorId: string;
   public socialUserInfo?: SocialUserInfo;
-
+  public connectorSession?: ConnectorSession;
   private connectorDataCache?: LogtoConnector;
 
   constructor(
     private readonly libraries: Libraries,
     private readonly queries: Queries,
     data: SocialVerificationRecordData
   ) {
-    const { id, connectorId, socialUserInfo } = socialVerificationRecordDataGuard.parse(data);
+    const { id, connectorId, socialUserInfo, connectorSession } =
+      socialVerificationRecordDataGuard.parse(data);
 
     this.id = id;
     this.connectorId = connectorId;
     this.socialUserInfo = socialUserInfo;
+    this.connectorSession = connectorSession;
   }
 
   /**
@@ -102,11 +115,21 @@ export class SocialVerification implements IdentifierVerificationRecord<Verifica
     tenantContext: TenantContext,
     { state, redirectUri }: SocialAuthorizationUrlPayload
   ) {
-    return createSocialAuthorizationUrl(ctx, tenantContext, {
-      connectorId: this.connectorId,
-      state,
-      redirectUri,
-    });
+    return createSocialAuthorizationUrl(
+      ctx,
+      tenantContext,
+      {
+        connectorId: this.connectorId,
+        state,
+        redirectUri,
+      },
+      {
+        setSession: async (connectorSession) => {
+          this.connectorSession = connectorSession;
+        },
+        jti: this.id,
+      }
+    );
   }
 
   /**
@@ -119,11 +142,17 @@ export class SocialVerification implements IdentifierVerificationRecord<Verifica
    *
    * TODO: check the log event
    */
-  async verify(ctx: WithLogContext, tenantContext: TenantContext, connectorData: JsonObject) {
+  async verify(
+    ctx: WithLogContext,
+    tenantContext: TenantContext,
+    connectorData: JsonObject,
+    skipInteractionLogging = false
+  ) {
     const socialUserInfo = await verifySocialIdentity(
       { connectorId: this.connectorId, connectorData },
       ctx,
-      tenantContext
+      tenantContext,
+      { getSession: async () => this.connectorSession ?? {}, skipInteractionLogging }
     );
 
     this.socialUserInfo = socialUserInfo;
@@ -235,13 +264,14 @@ export class SocialVerification implements IdentifierVerificationRecord<Verifica
   }
 
   toJson(): SocialVerificationRecordData {
-    const { id, connectorId, type, socialUserInfo } = this;
+    const { id, connectorId, type, socialUserInfo, connectorSession } = this;
 
     return {
       id,
       connectorId,
       type,
       socialUserInfo,
+      connectorSession,
     };
   }
 

diff --git a/packages/core/src/routes/interaction/utils/social-verification.ts b/packages/core/src/routes/interaction/utils/social-verification.ts
@@ -15,7 +15,11 @@ import type { SocialAuthorizationUrlPayload } from '../types/index.js';
 export const createSocialAuthorizationUrl = async (
   ctx: WithLogContext,
   { provider, connectors }: TenantContext,
-  payload: SocialAuthorizationUrlPayload
+  payload: SocialAuthorizationUrlPayload,
+  {
+    setSession,
+    jti,
+  }: { setSession?: (connectorSession: ConnectorSession) => Promise<void>; jti?: string } = {}
 ) => {
   const { getLogtoConnectorById } = connectors;
 
@@ -30,7 +34,7 @@ export const createSocialAuthorizationUrl = async (
     headers: { 'user-agent': userAgent },
   } = ctx.request;
 
-  const { jti } = await provider.interactionDetails(ctx.req, ctx.res);
+  const { jti: finalJti } = jti ? { jti } : await provider.interactionDetails(ctx.req, ctx.res);
 
   return connector.getAuthorizationUri(
     {
@@ -43,25 +47,34 @@ export const createSocialAuthorizationUrl = async (
        */
       connectorId,
       connectorFactoryId: connector.metadata.id,
-      jti,
+      jti: finalJti,
       headers: { userAgent },
     },
-    async (connectorStorage: ConnectorSession) =>
-      assignConnectorSessionResult(ctx, provider, connectorStorage)
+    // TODO(LOG-10266): remove this and migrate all connector session result to verification record
+    setSession ??
+      (async (connectorStorage: ConnectorSession) =>
+        assignConnectorSessionResult(ctx, provider, connectorStorage))
   );
 };
 
 export const verifySocialIdentity = async (
   { connectorId, connectorData }: SocialConnectorPayload,
   ctx: WithLogContext,
-  { provider, libraries }: TenantContext
+  { provider, libraries }: TenantContext,
+  {
+    getSession,
+    skipInteractionLogging,
+  }: { getSession?: () => Promise<ConnectorSession>; skipInteractionLogging?: boolean } = {}
 ): Promise<SocialUserInfo> => {
   const {
     socials: { getUserInfo, getConnector },
   } = libraries;
 
-  const log = ctx.createLog('Interaction.SignIn.Identifier.Social.Submit');
-  log.append({ connectorId, connectorData });
+  // TODO(LOG-10268): move logging to experience api layer
+  const log = skipInteractionLogging
+    ? undefined
+    : ctx.createLog('Interaction.SignIn.Identifier.Social.Submit');
+  log?.append({ connectorId, connectorData });
 
   const connector = await getConnector(connectorId);
 
@@ -76,11 +89,13 @@ export const verifySocialIdentity = async (
     assertThat(value === csrfToken, 'session.csrf_token_mismatch');
   }
 
-  const userInfo = await getUserInfo(connectorId, connectorData, async () =>
-    getConnectorSessionResult(ctx, provider)
+  const userInfo = await getUserInfo(
+    connectorId,
+    connectorData,
+    getSession ?? (async () => getConnectorSessionResult(ctx, provider))
   );
 
-  log.append(userInfo);
+  log?.append(userInfo);
 
   return userInfo;
 };

diff --git a/packages/core/src/routes/profile/index.openapi.json b/packages/core/src/routes/profile/index.openapi.json
@@ -218,6 +218,34 @@
           }
         }
       }
+    },
+    "/api/profile/identities": {
+      "post": {
+        "operationId": "AddUserIdentities",
+        "summary": "Add a user identity",
+        "description": "Add an identity (social identity) to the user, a verification record is required for checking sensitive permissions, and a verification record for the social identity is required.",
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "properties": {
+                  "verificationRecordId": {
+                    "description": "The verification record ID for checking sensitive permissions."
+                  },
+                  "newIdentifierVerificationRecordId": {
+                    "description": "The identifier verification record ID for the new social identity ownership verification."
+                  }
+                }
+              }
+            }
+          }
+        },
+        "responses": {
+          "204": {
+            "description": "The identity was added successfully."
+          }
+        }
+      }
     }
   }
 }
diff --git a/packages/core/src/routes/profile/index.ts b/packages/core/src/routes/profile/index.ts
@@ -236,4 +236,63 @@ export default function profileRoutes<T extends UserRouter>(
       return next();
     }
   );
+
+  router.post(
+    '/profile/identities',
+    koaGuard({
+      body: z.object({
+        verificationRecordId: z.string(),
+        newIdentifierVerificationRecordId: z.string(),
+      }),
+      status: [204, 400, 401],
+    }),
+    async (ctx, next) => {
+      const { id: userId, scopes } = ctx.auth;
+      const { verificationRecordId, newIdentifierVerificationRecordId } = ctx.guard.body;
+
+      assertThat(scopes.has(UserScope.Identities), 'auth.unauthorized');
+
+      await verifyUserSensitivePermission({
+        userId,
+        id: verificationRecordId,
+        queries,
+        libraries,
+      });
+
+      // Check new identifier
+      const newVerificationRecord = await buildVerificationRecordByIdAndType({
+        type: VerificationType.Social,
+        id: newIdentifierVerificationRecordId,
+        queries,
+        libraries,
+      });
+      assertThat(newVerificationRecord.isVerified, 'verification_record.not_found');
+
+      const {
+        socialIdentity: { target, userInfo },
+      } = await newVerificationRecord.toUserProfile();
+
+      await checkIdentifierCollision({ identity: { target, id: userInfo.id } }, userId);
+
+      const user = await findUserById(userId);
+
+      assertThat(!user.identities[target], 'user.identity_already_in_use');
+
+      const updatedUser = await updateUserById(userId, {
+        identities: {
+          ...user.identities,
+          [target]: {
+            userId: userInfo.id,
+            details: userInfo,
+          },
+        },
+      });
+
+      ctx.appendDataHookContext('User.Data.Updated', { user: updatedUser });
+
+      ctx.status = 204;
+
+      return next();
+    }
+  );
 }