Add session counts to policy input

2025-11-06 08:44:31 +00:00
parent 7ee32e796a
commit cb5ea26792
5 changed files with 67 additions and 2 deletions
--- a/crates/handlers/src/oauth2/authorization/consent.rs
+++ b/crates/handlers/src/oauth2/authorization/consent.rs
@@ -32,7 +32,7 @@ use super::callback::CallbackDestination;
 use crate::{
    BoundActivityTracker, PreferredLanguage, impl_from_error_for_route,
    oauth2::generate_id_token,
-    session::{SessionOrFallback, load_session_or_fallback},
+    session::{SessionOrFallback, count_user_sessions_for_limiting, load_session_or_fallback},
 };
 #[derive(Debug, Error)]
@@ -136,10 +136,15 @@ pub(crate) async fn get(
    let (csrf_token, cookie_jar) = cookie_jar.csrf_token(&clock, &mut rng);
    let session_counts = count_user_sessions_for_limiting(&mut repo, &session.user)
        .await
        .map_err(|e| RouteError::Internal(e.into()))?;
    let res = policy
        .evaluate_authorization_grant(mas_policy::AuthorizationGrantInput {
            user: Some(&session.user),
            client: &client,
            session_counts: Some(session_counts),
            scope: &grant.scope,
            grant_type: mas_policy::GrantType::AuthorizationCode,
            requester: mas_policy::Requester {
@@ -235,10 +240,15 @@ pub(crate) async fn post(
        return Err(RouteError::GrantNotPending(grant.id));
    }
    let session_counts = count_user_sessions_for_limiting(&mut repo, &browser_session.user)
        .await
        .map_err(|e| RouteError::Internal(e.into()))?;
    let res = policy
        .evaluate_authorization_grant(mas_policy::AuthorizationGrantInput {
            user: Some(&browser_session.user),
            client: &client,
            session_counts: Some(session_counts),
            scope: &grant.scope,
            grant_type: mas_policy::GrantType::AuthorizationCode,
            requester: mas_policy::Requester {
--- a/crates/handlers/src/oauth2/device/consent.rs
+++ b/crates/handlers/src/oauth2/device/consent.rs
@@ -27,7 +27,7 @@ use ulid::Ulid;
 use crate::{
    BoundActivityTracker, PreferredLanguage,
-    session::{SessionOrFallback, load_session_or_fallback},
+    session::{SessionOrFallback, count_user_sessions_for_limiting, load_session_or_fallback},
 };
 #[derive(Deserialize, Debug)]
@@ -103,11 +103,16 @@ pub(crate) async fn get(
        .context("Client not found")
        .map_err(InternalError::from_anyhow)?;
    let session_counts = count_user_sessions_for_limiting(&mut repo, &session.user)
        .await
        .map_err(InternalError::from_anyhow)?;
    // Evaluate the policy
    let res = policy
        .evaluate_authorization_grant(mas_policy::AuthorizationGrantInput {
            grant_type: mas_policy::GrantType::DeviceCode,
            client: &client,
            session_counts: Some(session_counts),
            scope: &grant.scope,
            user: Some(&session.user),
            requester: mas_policy::Requester {
@@ -205,11 +210,16 @@ pub(crate) async fn post(
        .context("Client not found")
        .map_err(InternalError::from_anyhow)?;
    let session_counts = count_user_sessions_for_limiting(&mut repo, &session.user)
        .await
        .map_err(InternalError::from_anyhow)?;
    // Evaluate the policy
    let res = policy
        .evaluate_authorization_grant(mas_policy::AuthorizationGrantInput {
            grant_type: mas_policy::GrantType::DeviceCode,
            client: &client,
            session_counts: Some(session_counts),
            scope: &grant.scope,
            user: Some(&session.user),
            requester: mas_policy::Requester {
--- a/crates/handlers/src/oauth2/token.rs
+++ b/crates/handlers/src/oauth2/token.rs
@@ -781,6 +781,7 @@ async fn client_credentials_grant(
        .evaluate_authorization_grant(mas_policy::AuthorizationGrantInput {
            user: None,
            client,
            session_counts: None,
            scope: &scope,
            grant_type: mas_policy::GrantType::ClientCredentials,
            requester: mas_policy::Requester {
--- a/crates/policy/src/model.rs
+++ b/crates/policy/src/model.rs
@@ -168,6 +168,10 @@ pub struct AuthorizationGrantInput<'a> {
    #[schemars(with = "Option<std::collections::HashMap<String, serde_json::Value>>")]
    pub user: Option<&'a User>,
    /// How many sessions the user has.
    /// Not populated if it's not a user logging in.
    pub session_counts: Option<SessionCounts>,
    #[schemars(with = "std::collections::HashMap<String, serde_json::Value>")]
    pub client: &'a Client,
--- a/policies/schema/authorization_grant_input.json
+++ b/policies/schema/authorization_grant_input.json
@@ -14,6 +14,14 @@
      "type": "object",
      "additionalProperties": true
    },
    "session_counts": {
      "description": "How many sessions the user has. Not populated if it's not a user logging in.",
      "allOf": [
        {
          "$ref": "#/definitions/SessionCounts"
        }
      ]
    },
    "client": {
      "type": "object",
      "additionalProperties": true
@@ -29,6 +37,38 @@
    }
  },
  "definitions": {
    "SessionCounts": {
      "description": "Information about how many sessions the user has",
      "type": "object",
      "required": [
        "compat",
        "oauth2",
        "personal",
        "total"
      ],
      "properties": {
        "total": {
          "type": "integer",
          "format": "uint64",
          "minimum": 0.0
        },
        "oauth2": {
          "type": "integer",
          "format": "uint64",
          "minimum": 0.0
        },
        "compat": {
          "type": "integer",
          "format": "uint64",
          "minimum": 0.0
        },
        "personal": {
          "type": "integer",
          "format": "uint64",
          "minimum": 0.0
        }
      }
    },
    "GrantType": {
      "type": "string",
      "enum": [