feat(core): list user grants by userId

list user grants by userId

Author: simeng-li

packages/core/src/__mocks__/oidc-grant.ts

@@ -0,0 +1,22 @@
+type OidcGrantInstance = {
+  id: string;
+  payload: {
+    kind: 'Grant';
+    clientId: string;
+    accountId: string;
+  };
+  expiresAt: number;
+};
+
+export const createMockOidcGrantInstance = (
+  overrides?: Partial<OidcGrantInstance>
+): OidcGrantInstance => ({
+  id: 'grant-id',
+  payload: {
+    kind: 'Grant',
+    clientId: 'demo-app',
+    accountId: 'user-id',
+  },
+  expiresAt: 1_787_997_038_000,
+  ...overrides,
+});

packages/core/src/libraries/session.ts

@@ -3,6 +3,7 @@ import {
   jsonObjectGuard,
   jwtCustomizerUserInteractionContextGuard,
   oidcSessionInstancePayloadGuard,
+  userApplicationGrantPayloadGuard,
 } from '@logto/schemas';
 import { conditional, deduplicate } from '@silverhand/essentials';
 import type { Context } from 'koa';
@@ -207,6 +208,29 @@ const formatSessionWithExtension = (session: SessionInstanceWithExtension) => {
   };
 };
 
+const formatApplicationGrant = (
+  grant: Awaited<
+    ReturnType<Queries['oidcModelInstances']['findUserActiveApplicationGrants']>
+  >[number]
+) => {
+  const payloadResult = userApplicationGrantPayloadGuard.safeParse(grant.payload);
+
+  if (!payloadResult.success) {
+    throw new RequestError(
+      { code: 'oidc.invalid_grant', status: 500 },
+      {
+        cause: payloadResult.error,
+      }
+    );
+  }
+
+  return {
+    id: grant.id,
+    payload: payloadResult.data,
+    expiresAt: grant.expiresAt,
+  };
+};
+
 /* ================ Session management =============== */
 
 type SessionAuthorizationDetails = {
@@ -242,6 +266,18 @@ export const createSessionLibrary = (queries: Queries) => {
     return formatSessionWithExtension(result);
   };
 
+  const findUserActiveApplicationGrants = async (
+    userId: string,
+    applicationType?: 'thirdParty' | 'firstParty'
+  ) => {
+    const result = await queries.oidcModelInstances.findUserActiveApplicationGrants(
+      userId,
+      applicationType
+    );
+
+    return result.map((grant) => formatApplicationGrant(grant));
+  };
+
   const revokeSessionAssociatedGrants = async ({
     provider,
     authorizations,
@@ -295,6 +331,7 @@ export const createSessionLibrary = (queries: Queries) => {
   return {
     findUserActiveSessionsWithExtensions,
     findUserActiveSessionWithExtension,
+    findUserActiveApplicationGrants,
     revokeSessionAssociatedGrants,
   };
 };

packages/core/src/queries/oidc-model-instance.test.ts

@@ -1,7 +1,8 @@
 import type { CreateOidcModelInstance } from '@logto/schemas';
-import { OidcModelInstances } from '@logto/schemas';
+import { Applications, OidcModelInstances } from '@logto/schemas';
 import { createMockPool, createMockQueryResult, sql } from '@silverhand/slonik';
 
+import { createMockOidcGrantInstance } from '#src/__mocks__/oidc-grant.js';
 import { convertToIdentifiers } from '#src/utils/sql.js';
 import type { QueryType } from '#src/utils/test-utils.js';
 import { expectSqlAssert } from '#src/utils/test-utils.js';
@@ -24,10 +25,12 @@ const {
   consumeInstanceById,
   destroyInstanceById,
   revokeInstanceByGrantId,
+  findUserActiveApplicationGrants,
 } = createOidcModelInstanceQueries(pool);
 
 describe('oidc-model-instance query', () => {
   const { table, fields } = convertToIdentifiers(OidcModelInstances);
+  const { table: applicationTable, fields: applicationFields } = convertToIdentifiers(Applications);
   const expiresAt = Date.now();
   const instance: CreateOidcModelInstance = {
     modelName: 'access_token',
@@ -71,7 +74,7 @@ describe('oidc-model-instance query', () => {
     const expectSql = sql`
       select ${fields.payload}, ${fields.consumedAt}
       from ${table}
-      where "model_name"=$1 
+      where "model_name"=$1
       and "id"=$2
     `;
 
@@ -92,7 +95,7 @@ describe('oidc-model-instance query', () => {
     const uid_value = 'foo';
 
     // Mock a single result
-    mockQuery.mockImplementationOnce(async (sql, values) => {
+    mockQuery.mockImplementationOnce(async () => {
       // Simulate pool.any
       return createMockQueryResult([{ consumedAt: 10 }]);
     });
@@ -200,4 +203,76 @@ describe('oidc-model-instance query', () => {
 
     await revokeInstanceByGrantId(instance.modelName, grantId);
   });
+
+  it('findUserActiveApplicationGrants with thirdparty', async () => {
+    const userId = 'user-id';
+    const expectSql = sql`
+      select "oidc_model_instance"."id", "oidc_model_instance"."payload", "oidc_model_instance"."expires_at"
+      from ${table} as "oidc_model_instance"
+      inner join ${applicationTable} as "application"
+        on "oidc_model_instance"."payload"->>'clientId'="application"."id"
+      where "oidc_model_instance"."model_name"='Grant'
+        and "oidc_model_instance"."payload"->>'accountId'=${userId}
+        and "application"."is_third_party"=${true}
+        and "oidc_model_instance"."expires_at" > to_timestamp($3)
+    `;
+
+    const grant = createMockOidcGrantInstance({
+      payload: { kind: 'Grant', clientId: 'demo-app', accountId: userId },
+    });
+
+    mockQuery.mockImplementationOnce(async (sql, values) => {
+      expectSqlAssert(sql, expectSql.sql);
+      expect(values).toEqual([userId, true, expect.any(Number)]);
+
+      return createMockQueryResult([grant as never]);
+    });
+
+    await expect(findUserActiveApplicationGrants(userId, 'thirdParty')).resolves.toEqual([grant]);
+  });
+
+  it('findUserActiveApplicationGrants with firstparty', async () => {
+    const userId = 'user-id';
+    const expectSql = sql`
+      select "oidc_model_instance"."id", "oidc_model_instance"."payload", "oidc_model_instance"."expires_at"
+      from ${table} as "oidc_model_instance"
+      inner join ${applicationTable} as "application"
+        on "oidc_model_instance"."payload"->>'clientId'="application"."id"
+      where "oidc_model_instance"."model_name"='Grant'
+        and "oidc_model_instance"."payload"->>'accountId'=${userId}
+        and "application"."is_third_party"=${false}
+        and "oidc_model_instance"."expires_at" > to_timestamp($3)
+    `;
+
+    mockQuery.mockImplementationOnce(async (sql, values) => {
+      expectSqlAssert(sql, expectSql.sql);
+      expect(values).toEqual([userId, false, expect.any(Number)]);
+
+      return createMockQueryResult([]);
+    });
+
+    await expect(findUserActiveApplicationGrants(userId, 'firstParty')).resolves.toEqual([]);
+  });
+
+  it('findUserActiveApplicationGrants with all', async () => {
+    const userId = 'user-id';
+    const expectSql = sql`
+      select "oidc_model_instance"."id", "oidc_model_instance"."payload", "oidc_model_instance"."expires_at"
+      from ${table} as "oidc_model_instance"
+      inner join ${applicationTable} as "application"
+        on "oidc_model_instance"."payload"->>'clientId'="application"."id"
+      where "oidc_model_instance"."model_name"='Grant'
+        and "oidc_model_instance"."payload"->>'accountId'=${userId}
+        and "oidc_model_instance"."expires_at" > to_timestamp($2)
+    `;
+
+    mockQuery.mockImplementationOnce(async (sql, values) => {
+      expectSqlAssert(sql, expectSql.sql);
+      expect(values).toEqual([userId, expect.any(Number)]);
+
+      return createMockQueryResult([]);
+    });
+
+    await expect(findUserActiveApplicationGrants(userId)).resolves.toEqual([]);
+  });
 });

packages/core/src/queries/oidc-model-instance.ts

@@ -1,5 +1,5 @@
 import type { OidcModelInstance, OidcModelInstancePayload } from '@logto/schemas';
-import { OidcModelInstances } from '@logto/schemas';
+import { Applications, OidcModelInstances } from '@logto/schemas';
 import type { Nullable } from '@silverhand/essentials';
 import { conditional } from '@silverhand/essentials';
 import type { CommonQueryMethods, ValueExpression } from '@silverhand/slonik';
@@ -13,6 +13,13 @@ export type WithConsumed<T> = T & { consumed?: boolean };
 export type QueryResult = Pick<OidcModelInstance, 'payload' | 'consumedAt'>;
 
 const { table, fields } = convertToIdentifiers(OidcModelInstances);
+const { table: applicationTable, fields: applicationFields } = convertToIdentifiers(Applications);
+
+export type ActiveApplicationGrantInstance = Pick<
+  OidcModelInstance,
+  'id' | 'payload' | 'expiresAt'
+> & { modelName: 'Grant' };
+export type GrantApplicationType = 'thirdParty' | 'firstParty';
 
 /**
  * This interval helps to avoid concurrency issues when exchanging the rotating refresh token multiple times within a given timeframe;
@@ -136,6 +143,52 @@ export const createOidcModelInstanceQueries = (pool: CommonQueryMethods) => {
     `);
   };
 
+  const findUserActiveApplicationGrants = async (
+    userId: string,
+    applicationType?: GrantApplicationType
+  ) => {
+    const oidcModelInstanceAlias = 'oidc_model_instance';
+    const applicationAlias = 'application';
+    const oidcModelInstanceTableIdentifier = sql.identifier([oidcModelInstanceAlias]);
+    const applicationTableIdentifier = sql.identifier([applicationAlias]);
+    const oidcModelInstanceId = sql.identifier([
+      oidcModelInstanceAlias,
+      OidcModelInstances.fields.id,
+    ]);
+    const oidcModelInstancePayload = sql.identifier([
+      oidcModelInstanceAlias,
+      OidcModelInstances.fields.payload,
+    ]);
+    const oidcModelInstanceExpiresAt = sql.identifier([
+      oidcModelInstanceAlias,
+      OidcModelInstances.fields.expiresAt,
+    ]);
+    const oidcModelInstanceModelName = sql.identifier([
+      oidcModelInstanceAlias,
+      OidcModelInstances.fields.modelName,
+    ]);
+    const applicationId = sql.identifier([applicationAlias, Applications.fields.id]);
+    const applicationIsThirdParty = sql.identifier([
+      applicationAlias,
+      Applications.fields.isThirdParty,
+    ]);
+
+    return pool.any<ActiveApplicationGrantInstance>(sql`
+      select ${oidcModelInstanceId}, ${oidcModelInstancePayload}, ${oidcModelInstanceExpiresAt}
+      from ${table} as ${oidcModelInstanceTableIdentifier}
+      inner join ${applicationTable} as ${applicationTableIdentifier}
+        on ${oidcModelInstancePayload}->>'clientId'=${applicationId}
+      where ${oidcModelInstanceModelName}='Grant'
+        and ${oidcModelInstancePayload}->>'accountId'=${userId}
+        ${
+          applicationType
+            ? sql`and ${applicationIsThirdParty}=${applicationType === 'thirdParty'}`
+            : sql``
+        }
+        and ${oidcModelInstanceExpiresAt} > ${convertToTimestamp()}
+    `);
+  };
+
   return {
     upsertInstance,
     findPayloadById,
@@ -144,5 +197,6 @@ export const createOidcModelInstanceQueries = (pool: CommonQueryMethods) => {
     destroyInstanceById,
     revokeInstanceByGrantId,
     revokeInstanceByUserId,
+    findUserActiveApplicationGrants,
   };
 };

packages/core/src/routes/admin-user/session.openapi.json

@@ -12,6 +12,25 @@
         "description": "Retrieve all non-expired sessions for the user, including session metadata and interaction details when available."
       }
     },
+    "/api/users/{userId}/grants": {
+      "get": {
+        "tags": ["Dev feature"],
+        "parameters": [
+          {
+            "in": "query",
+            "name": "appType",
+            "description": "Application type filter. Use 'thirdParty' to list third-party app grants only, or 'firstParty' to list first-party app grants only. If omitted, grants from all applications are returned."
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Return non-expired grants of the user. Results are filtered by app type when `appType` is provided."
+          }
+        },
+        "summary": "Get user active grants",
+        "description": "Retrieve all non-expired grants of the user. Optionally filter by application type via `appType`; when omitted, grants from all application types are returned."
+      }
+    },
     "/api/users/{userId}/sessions/{sessionId}": {
       "get": {
         "parameters": [],

packages/core/src/routes/admin-user/session.ts

@@ -1,10 +1,11 @@
 import {
   SessionGrantRevokeTarget,
+  getUserApplicationGrantsResponseGuard,
   getUserSessionResponseGuard,
   getUserSessionsResponseGuard,
 } from '@logto/schemas';
 import { assert } from '@silverhand/essentials';
-import { nativeEnum, object, string } from 'zod';
+import { nativeEnum, object, string, enum as zodEnum } from 'zod';
 
 import RequestError from '#src/errors/RequestError/index.js';
 import koaGuard from '#src/middleware/koa-guard.js';
@@ -41,6 +42,32 @@ export default function adminUserSessionRoutes<T extends ManagementApiRouter>(
     }
   );
 
+  router.get(
+    '/users/:userId/grants',
+    koaGuard({
+      params: object({ userId: string() }),
+      query: object({
+        appType: zodEnum(['firstParty', 'thirdParty']).optional(),
+      }),
+      response: getUserApplicationGrantsResponseGuard,
+      status: [200, 500],
+    }),
+    async (ctx, next) => {
+      const {
+        params: { userId },
+      } = ctx.guard;
+
+      const { appType } = ctx.guard.query;
+      const grants = await sessionLibrary.findUserActiveApplicationGrants(userId, appType);
+
+      ctx.body = {
+        grants,
+      };
+
+      return next();
+    }
+  );
+
   router.get(
     '/users/:userId/sessions/:sessionId',
     koaGuard({

packages/integration-tests/src/api/admin-user.ts

@@ -2,6 +2,7 @@ import type {
   CreatePersonalAccessToken,
   DesensitizedEnterpriseSsoTokenSetSecret,
   DesensitizedSocialTokenSetSecret,
+  GetUserApplicationGrantsResponse,
   GetUserSessionResponse,
   GetUserSessionsResponse,
   Identities,
@@ -231,6 +232,18 @@ export const getUserSsoIdentity = async (
 export const getUserSessions = async (userId: string) =>
   authedAdminApi.get(`users/${userId}/sessions`).json<GetUserSessionsResponse>();
 
+export const getUserApplicationGrants = async (
+  userId: string,
+  appType?: 'firstParty' | 'thirdParty'
+) =>
+  authedAdminApi
+    .get(`users/${userId}/grants`, {
+      searchParams: new URLSearchParams({
+        ...conditional(appType && { appType }),
+      }),
+    })
+    .json<GetUserApplicationGrantsResponse>();
+
 export const getUserSession = async (userId: string, sessionId: string) =>
   authedAdminApi.get(`users/${userId}/sessions/${sessionId}`).json<GetUserSessionResponse>();