Add api endpoint to list all authorized clients by user

[kingjan1999]

Resolves #953

As already mentioned in #953, I'm rather beginner in Go, so I'm open to comments and suggestions for improvement and ask for leniency for possible mistakes.

Signed-off-by: Jan Beckmann king-jan1999@hotmail.de

[aeneasr]

I really think we need pagination here, because this can be a lot! Examples can be found here, here and here.

[kingjan1999]

Thanks, I adapted it. However, I was a bit unsure in consent/manager_memory.go as FindPreviouslyGrantedConsentRequests depends now on the newly created FindPreviouslyGrantedConsentRequestsByUser (which requires a limit and offset now) and does not support limit and offset. As you'll see, I've used a little workaround that I'm personally not 100% satisfied with.

[aeneasr]

I see, I don't think this solution will work with SQL as they don't support negative offset (I think).

[aeneasr]

Oh sorry, I didn't see that you duplicated the other method. Then it will obviously work. I agree that it's not the cleanest solution but it does get the job done for now. So from my side, this is fine.

[aeneasr]

You can revert this logic to == and add rs = append(rs, c) in the loop, it is easier to read!

[aeneasr]

The problem with exposing this is that acceptance of the consent request could overwrite this value and potentially mess stuff up. I haven't checked if that's actually the case but it could be an issue in some regression. I think it would be ok to copy this struct 1:1 and there set the consent_request value. If the order of the fields is the same, you can easily convert the type:

var foo HandledConsentRequest
var bar = NewTypeWithJSON(HandledConsentRequest)

[kingjan1999]

I called it HandledConsentRequestResponse now but other suggestions are very welcome

[aeneasr]

How about PreviousConsentSession? :)

[aeneasr]

This looks very solid already. It is really important though that we have a test for the SDK as well (sdk_test.go) and check that the values are populated properly (and also check that e.g. client secrets are removed). Once that is done and the things are addressed, I think this is good to go!

[aeneasr]

I'm pinging you @kingjan1999 so this doesn't get lost in your notifications. This looks already very solid, just a few things which I mentioned during review :)

[kingjan1999]

Thanks for your help @arekkas ! I hope I have implemented all your proposals.

When Swagger generated the SDK, some files (concerning JSONWebKeys) appeared for unknown reasons, which I have now simply commited.

[aeneasr]

The only thing left is the naming of the one struct and then this is good to get merged from my side! Thank you so much for your contribution :)

[kingjan1999]

Thanks for your naming suggestion @arekkas ! I've implemented it accordingly.

[aeneasr]

Perfect!

[aeneasr]

I took another pass. Unfortunately, I have to nag you with some minor things (just newlines that were removed/added) and also some naming and error handling things.

Once those are addressed, I truly believe it's good to merge (unless I missed something).

Thank you, you're awesome! :)

[aeneasr]

The error must be handled here!

[aeneasr]

You can rewrite this to return m.resolveHandledConsentRequests(a)

[aeneasr]

Re-add newline

[aeneasr]

Remove newline

[aeneasr]

Re-add newline

[aeneasr]

Remove newline

[aeneasr]

Add a newline on top of start, end := ..

[aeneasr]

Re-add this newline

[aeneasr]

I think the naming should be listUserConsentSessions. With the current naming, I would expect the method to be like listUserClientConsentSessions(user, client string)

[aeneasr]

So one issue with this is that the HTTP handler function will return errNoPreviousConsentFound which is a "dumb" error (meaning it will return a 500 status code with no context in the API). On the same hand, this error is required to be returned for the consent_strategy to work. Since you duplicated the methods and this particular method is not used in the consent_strategy, you can remove the err == sql.ErrNoRows check and just return return nil, sqlcon.HandleError(err).

Please also add a test for this. It should check that sqlcon.ErrNoRows is returned when we expect that no session exist in the store. This will return a proper 404 error in the API which I think is to be expected here.

In the handler, you may want to choose to ignore the error of type sqlcon.ErrNoRows and instead just write an empty array. This will return [] instead of a 404 which might be a better suited response.

[kingjan1999]

Thanks for your help and your feedback! I have gladly implemented your suggestions.

However, I'm a little unsure at this point and need your help: Does db.Select really return an ErrNoRows error if no rows could be found? According to my understanding of SQLX / Go SQL documentation, this does not happen here. I have not been able to force such behaviour in my experiments.

Or did I misunderstand and the manager should generate and return an sqlcon.ErrNoRows?

[aeneasr]

Thank you for the updates! The newly generated SDK breaks tests because the methods have been renamed:

consent/sdk_test.go:121:24: sdk.ListUserClientConsentSessions undefined (type *hydra.CodeGenSDK has no field or method ListUserClientConsentSessions)
consent/sdk_test.go:128:23: sdk.ListUserClientConsentSessions undefined (type *hydra.CodeGenSDK has no field or method ListUserClientConsentSessions)

[aeneasr]

Thank you so much for your hard work!