kych

sessions.rs (11295B)

---

 // Database operations for verification_sessions table
 
 use sqlx::PgPool;
 use anyhow::Result;
 use uuid::Uuid;
 use chrono::{DateTime, Utc};
 
 /// Status of a verification session
 #[derive(Debug, Clone, sqlx::Type, serde::Serialize, serde::Deserialize, PartialEq)]
 #[sqlx(type_name = "varchar")]
 pub enum SessionStatus {
     #[sqlx(rename = "pending")]
     Pending,
     #[sqlx(rename = "authorized")]
     Authorized,
     #[sqlx(rename = "verified")]
     Verified,
     #[sqlx(rename = "completed")]
     Completed,
     #[sqlx(rename = "expired")]
     Expired,
     #[sqlx(rename = "failed")]
     Failed,
 }
 
 /// Verification session record used in /setup endpoint
 #[derive(Debug, Clone, sqlx::FromRow)]
 pub struct VerificationSession {
     pub id: Uuid,
     pub client_id: Uuid,
     pub nonce: String,
     pub scope: String,
     pub redirect_uri: Option<String>,
     pub state: Option<String>,
     pub verification_url: Option<String>,
     pub request_id: Option<String>,
     pub verifier_nonce: Option<String>,
     pub status: SessionStatus,
     pub created_at: DateTime<Utc>,
     pub authorized_at: Option<DateTime<Utc>>,
     pub verified_at: Option<DateTime<Utc>>,
     pub completed_at: Option<DateTime<Utc>>,
     pub failed_at: Option<DateTime<Utc>>,
     pub expires_at: DateTime<Utc>,
 }
 
 /// Authorize record data used in /authorize endpoint
 #[derive(Debug, Clone)]
 pub struct AuthorizeSessionData {
     // Session fields
     pub session_id: Uuid,
     pub status: SessionStatus,
     pub expires_at: DateTime<Utc>,
     pub scope: String,
     pub redirect_uri: Option<String>,
     pub state: Option<String>,
     pub verification_url: Option<String>,
     pub verification_deeplink: Option<String>,
     pub request_id: Option<String>,
     pub verifier_nonce: Option<String>,
     // Client fields
     pub verifier_url: String,
     pub verifier_management_api_path: String,
     pub allowed_redirect_uris: Option<String>,
     pub accepted_issuer_dids: Option<String>,
 }
 
 /// Notification record data used in /notification webhook endpoint
 #[derive(Debug, Clone)]
 pub struct NotificationSessionData {
     // Session fields
     pub session_id: Uuid,
     pub nonce: String,
     pub status: SessionStatus,
     pub redirect_uri: Option<String>,
     pub state: Option<String>,
     // Client fields
     pub client_id: Uuid,
     pub allowed_redirect_uris: Option<String>,
     pub verifier_url: String,
     pub verifier_management_api_path: String,
 }
 
 #[derive(Debug, Clone)]
 pub struct StatusSessionData {
     pub session_id: Uuid,
     pub status: SessionStatus,
     pub state: Option<String>,
     pub redirect_uri: Option<String>,
     pub authorization_code: Option<String>,
 }
 
 /// Create a new verification session
 ///
 /// Returns None if client_id doesn't exist
 ///
 /// Used by the /setup endpoint
 pub async fn create_session(
     pool: &PgPool,
     client_id: &str,
     nonce: &str,
     expires_in_minutes: i64,
 ) -> Result<Option<VerificationSession>> {
     let session = sqlx::query_as::<_, VerificationSession>(
         r#"
         INSERT INTO oauth2gw.verification_sessions (client_id, nonce, scope,
                                                             expires_at, status)
         SELECT c.id, $1, '', NOW() + $2 * INTERVAL '1 minute', 'pending'
         FROM oauth2gw.clients c
         WHERE c.client_id = $3
         RETURNING
             id, client_id, nonce, scope, redirect_uri, state, verification_url,
             request_id, verifier_nonce, status, created_at, authorized_at,
             verified_at, completed_at, failed_at, expires_at
         "#
     )
         .bind(nonce)
         .bind(expires_in_minutes)
         .bind(client_id)
         .fetch_optional(pool)
         .await?;
 
     Ok(session)
 }
 
 /// Fetch session and client data for /authorize endpoint
 ///
 /// Returns all data needed for backend validation and idempotent responses.
 /// Updates the session scope with the provided scope parameter.
 /// Does NOT validate redirect_uri - caller must check against allowed_redirect_uris.
 ///
 /// Used by the /authorize endpoint
 pub async fn get_session_for_authorize(
     pool: &PgPool,
     nonce: &str,
     client_id: &str,
     scope: &str,
     redirect_uri: &str,
     state: &str,
 ) -> Result<Option<AuthorizeSessionData>> {
     let result = sqlx::query(
         r#"
         UPDATE oauth2gw.verification_sessions s
         SET scope = $3, redirect_uri = $4, state = $5
         FROM oauth2gw.clients c
         WHERE s.client_id = c.id
           AND s.nonce = $1
           AND c.client_id = $2
         RETURNING
             s.id AS session_id,
             s.status,
             s.expires_at,
             s.scope,
             s.redirect_uri,
             s.state,
             s.verification_url,
             s.verification_deeplink,
             s.request_id,
             s.verifier_nonce,
             c.verifier_url,
             c.verifier_management_api_path,
             c.redirect_uri AS allowed_redirect_uris,
             c.accepted_issuer_dids
         "#
     )
     .bind(nonce)
     .bind(client_id)
     .bind(scope)
     .bind(redirect_uri)
     .bind(state)
     .fetch_optional(pool)
     .await?;
 
     Ok(result.map(|row: sqlx::postgres::PgRow| {
         use sqlx::Row;
         AuthorizeSessionData {
             session_id: row.get("session_id"),
             status: row.get("status"),
             expires_at: row.get("expires_at"),
             scope: row.get("scope"),
             redirect_uri: row.get("redirect_uri"),
             state: row.get("state"),
             verification_url: row.get("verification_url"),
             verification_deeplink: row.get("verification_deeplink"),
             request_id: row.get("request_id"),
             verifier_nonce: row.get("verifier_nonce"),
             verifier_url: row.get("verifier_url"),
             verifier_management_api_path: row.get("verifier_management_api_path"),
             allowed_redirect_uris: row.get("allowed_redirect_uris"),
             accepted_issuer_dids: row.get("accepted_issuer_dids"),
         }
     }))
 }
 
 /// Fetch session and client data for /notification webhook
 ///
 /// Returns all data needed for backend validation and client notification.
 ///
 /// Used by the /notification endpoint (incoming webhook from Swiyu)
 pub async fn get_session_for_notification(
     pool: &PgPool,
     request_id: &str,
 ) -> Result<Option<NotificationSessionData>> {
     let result = sqlx::query(
         r#"
         UPDATE oauth2gw.verification_sessions s
         SET status = s.status
         FROM oauth2gw.clients c
         WHERE s.client_id = c.id
           AND s.request_id = $1
         RETURNING
             s.id AS session_id,
             s.nonce,
             s.status,
             s.redirect_uri,
             s.state,
             c.id AS client_id,
             c.redirect_uri AS allowed_redirect_uris,
             c.verifier_url,
             c.verifier_management_api_path
         "#
     )
     .bind(request_id)
     .fetch_optional(pool)
     .await?;
 
     Ok(result.map(|row: sqlx::postgres::PgRow| {
         use sqlx::Row;
         NotificationSessionData {
             session_id: row.get("session_id"),
             nonce: row.get("nonce"),
             status: row.get("status"),
             redirect_uri: row.get("redirect_uri"),
             state: row.get("state"),
             client_id: row.get("client_id"),
             allowed_redirect_uris: row.get("allowed_redirect_uris"),
             verifier_url: row.get("verifier_url"),
             verifier_management_api_path: row.get("verifier_management_api_path"),
         }
     }))
 }
 
 pub async fn get_session_for_status(
     pool: &PgPool,
     request_id: &str,
 ) -> Result<Option<StatusSessionData>> {
     let result = sqlx::query(
         r#"
         SELECT
             s.id AS session_id,
             s.status,
             s.state,
             s.redirect_uri,
             ac.code AS authorization_code
         FROM oauth2gw.verification_sessions s
         LEFT JOIN oauth2gw.authorization_codes ac
             ON ac.session_id = s.id
         WHERE s.request_id = $1
         "#
     )
     .bind(request_id)
     .fetch_optional(pool)
     .await?;
 
     Ok(result.map(|row: sqlx::postgres::PgRow| {
         use sqlx::Row;
         StatusSessionData {
             session_id: row.get("session_id"),
             status: row.get("status"),
             state: row.get("state"),
             redirect_uri: row.get("redirect_uri"),
             authorization_code: row.get("authorization_code"),
         }
     }))
 }
 
 /// Data returned after updating session to authorized
 #[derive(Debug, Clone)]
 pub struct AuthorizedSessionResult {
     pub request_id: String,
     pub verification_url: String,
 }
 
 /// Update session to authorized with verifier response data
 ///
 /// Called after successful POST to Swiyu Verifier.
 /// Sets status to 'authorized' and stores verification_url, request_id, verifier_nonce.
 /// Returns the request_id (verification_id) and verification_url.
 ///
 /// Used by the /authorize endpoint
 pub async fn update_session_authorized(
     pool: &PgPool,
     session_id: Uuid,
     verification_url: &str,
     verification_deeplink: Option<&str>,
     request_id: &str,
     verifier_nonce: Option<&str>,
 ) -> Result<AuthorizedSessionResult> {
     let result = sqlx::query(
         r#"
         UPDATE oauth2gw.verification_sessions
         SET status = 'authorized',
             verification_url = $1,
             verification_deeplink = $2,
             request_id = $3,
             verifier_nonce = $4,
             authorized_at = NOW()
         WHERE id = $5
         RETURNING request_id, verification_url
         "#
     )
     .bind(verification_url)
     .bind(verification_deeplink)
     .bind(request_id)
     .bind(verifier_nonce)
     .bind(session_id)
     .fetch_one(pool)
     .await?;
 
     use sqlx::Row;
     Ok(AuthorizedSessionResult {
         request_id: result.get("request_id"),
         verification_url: result.get("verification_url"),
     })
 }
 
 /// Atomically update session to verified and create authorization code
 ///
 /// Returns the generated authorization code on success.
 pub async fn verify_session_and_issue_code(
     pool: &PgPool,
     session_id: Uuid,
     status: SessionStatus,
     authorization_code: &str,
     code_expires_in_minutes: i64,
     _client_id: Uuid,
     _callback_body: &str,
     verifiable_credential: Option<&serde_json::Value>,
 ) -> Result<String> {
     let timestamp_field = match status {
         SessionStatus::Verified => "verified_at",
         SessionStatus::Failed => "failed_at",
         _ => return Err(anyhow::anyhow!("Invalid status for notification: must be Verified or Failed")),
     };
 
     let query = format!(
         r#"
         WITH updated_session AS (
             UPDATE oauth2gw.verification_sessions
             SET status = $1, {} = NOW(), verifiable_credential = $5
             WHERE id = $2
             RETURNING id
         )
         INSERT INTO oauth2gw.authorization_codes (session_id, code, expires_at)
         VALUES ($2, $3, NOW() + $4 * INTERVAL '1 minute')
         RETURNING code
         "#,
         timestamp_field
     );
 
     let code = sqlx::query_scalar::<_, String>(&query)
         .bind(status)
         .bind(session_id)
         .bind(authorization_code)
         .bind(code_expires_in_minutes)
         .bind(verifiable_credential)
         .fetch_one(pool)
         .await?;
 
     Ok(code)
 }