feat(core,schemas): add get user social identities token secret API (#7494)

* feat(core,schemas): add get user social identities token secret API

add get users social identities token secret API

* feat(core): add api docs

add api docs

* fix(core): fix patch connector API

fix patch connector API enableTokenStorage not updated bug

Author: simeng-li

packages/core/src/queries/secret.ts

@@ -7,15 +7,16 @@ import {
   type SecretSocialConnectorRelationPayload,
   SecretSocialConnectorRelations,
   SecretType,
+  type SocialTokenSetSecret,
 } from '@logto/schemas';
 import { sql, type CommonQueryMethods } from '@silverhand/slonik';
 
 import { buildInsertIntoWithPool } from '../database/insert-into.js';
 import SchemaQueries from '../utils/SchemaQueries.js';
 import { convertToIdentifiers } from '../utils/sql.js';
 
-const secrets = convertToIdentifiers(Secrets);
-const secretSocialConnectorRelations = convertToIdentifiers(SecretSocialConnectorRelations);
+const secrets = convertToIdentifiers(Secrets, true);
+const secretSocialConnectorRelations = convertToIdentifiers(SecretSocialConnectorRelations, true);
 
 class SecretQueries extends SchemaQueries<SecretKeys, CreateSecret, Secret> {
   constructor(pool: CommonQueryMethods) {
@@ -61,6 +62,24 @@ class SecretQueries extends SchemaQueries<SecretKeys, CreateSecret, Secret> {
       });
     });
   }
+
+  /**
+   * For user federated token exchange use, we need to find the secret by user id and social target.
+   */
+  public async findSocialTokenSetSecretByUserIdAndTarget(userId: string, target: string) {
+    return this.pool.maybeOne<SocialTokenSetSecret>(sql`
+        select ${sql.join(Object.values(secrets.fields), sql`, `)},
+          ${secretSocialConnectorRelations.fields.connectorId},
+          ${secretSocialConnectorRelations.fields.identityId},
+          ${secretSocialConnectorRelations.fields.target}
+        from ${secrets.table}
+        join ${secretSocialConnectorRelations.table}
+          on ${secrets.fields.id} = ${secretSocialConnectorRelations.fields.secretId}
+        where ${secrets.fields.userId} = ${userId}
+          and ${secrets.fields.type} = ${SecretType.FederatedTokenSet}
+          and ${secretSocialConnectorRelations.fields.target} = ${target}
+    `);
+  }
 }
 
 export default SecretQueries;

packages/core/src/routes/admin-user/social.openapi.json

@@ -68,6 +68,22 @@
           }
         }
       }
+    },
+    "/api/users/{userId}/identities/{target}/secret": {
+      "get": {
+        "tags": ["Dev feature"],
+        "parameters": [],
+        "responses": {
+          "200": {
+            "description": "Token set record of the social identity. (For security reasons, encrypted token details will be omitted from the response.)"
+          },
+          "404": {
+            "description": "User social identity not found, or no token set record exists for the user's social identity."
+          }
+        },
+        "summary": "Retrieve the social provider token set for the current user.",
+        "description": "This API retrieves the token set record associated with the current user's social identity from the Logto Secret Vault. The operation is only available if the corresponding social connector has token set storage enabled. If a token set record exists for the user's social identity, it will be returned.  "
+      }
     }
   }
 }

packages/core/src/routes/admin-user/social.ts

@@ -4,6 +4,7 @@ import {
   identityGuard,
   identitiesGuard,
   userProfileResponseGuard,
+  desensitizedSocialTokenSetSecretGuard,
 } from '@logto/schemas';
 import { has } from '@silverhand/essentials';
 import { object, record, string, unknown } from 'zod';
@@ -12,6 +13,7 @@ import RequestError from '#src/errors/RequestError/index.js';
 import koaGuard from '#src/middleware/koa-guard.js';
 import assertThat from '#src/utils/assert-that.js';
 
+import { EnvSet } from '../../env-set/index.js';
 import { transpileUserProfileResponse } from '../../utils/user.js';
 import type { ManagementApiRouter, RouterInitArgs } from '../types.js';
 
@@ -21,6 +23,7 @@ export default function adminUserSocialRoutes<T extends ManagementApiRouter>(
   const {
     queries: {
       users: { findUserById, updateUserById, hasUserWithIdentity, deleteUserIdentity },
+      secrets: secretQueries,
     },
     connectors: { getLogtoConnectorById },
   } = tenant;
@@ -154,4 +157,40 @@ export default function adminUserSocialRoutes<T extends ManagementApiRouter>(
       return next();
     }
   );
+
+  if (EnvSet.values.isDevFeaturesEnabled) {
+    router.get(
+      '/users/:userId/identities/:target/secret',
+      koaGuard({
+        params: object({ userId: string(), target: string() }),
+        response: desensitizedSocialTokenSetSecretGuard,
+        status: [200, 404],
+      }),
+      async (ctx, next) => {
+        const {
+          params: { userId, target },
+        } = ctx.guard;
+
+        const { identities } = await findUserById(userId);
+        if (!has(identities, target)) {
+          throw new RequestError({ code: 'user.identity_not_exist', status: 404 });
+        }
+
+        const secret = await secretQueries.findSocialTokenSetSecretByUserIdAndTarget(
+          userId,
+          target
+        );
+
+        if (!secret) {
+          throw new RequestError({ code: 'entity.not_found', status: 404 });
+        }
+
+        const { encryptedDek, iv, authTag, ciphertext, ...rest } = secret;
+
+        ctx.body = rest;
+
+        return next();
+      }
+    );
+  }
 }

packages/core/src/routes/connector/index.ts

@@ -319,6 +319,7 @@ export default function connectorRoutes<T extends ManagementApiRouter>(
           config: conditional(config && (cleanDeep(config) as JsonObject)),
           metadata: conditional(metadata && cleanDeep(metadata)),
           syncProfile,
+          enableTokenStorage,
         },
         where: { id },
         jsonbMode: 'replace',

packages/schemas/src/types/secrets.ts

@@ -2,6 +2,7 @@ import { z } from 'zod';
 
 import { SecretSocialConnectorRelations } from '../db-entries/secret-social-connector-relation.js';
 import { type CreateSecret, Secrets } from '../db-entries/secret.js';
+import { SecretType } from '../foundations/index.js';
 
 export const encryptedSecretGuard = Secrets.guard.pick({
   encryptedDek: true,
@@ -49,3 +50,30 @@ export const secretSocialConnectorRelationPayloadGuard =
 export type SecretSocialConnectorRelationPayload = z.infer<
   typeof secretSocialConnectorRelationPayloadGuard
 >;
+
+export const socialTokenSetSecretGuard = Secrets.guard.extend({
+  type: z.literal(SecretType.FederatedTokenSet),
+  metadata: socialConnectorTokenSetMetadataGuard,
+  connectorId: z.string(),
+  identityId: z.string(),
+  target: z.string(),
+});
+
+/**
+ * Social token set secret type
+ * - Secret type is `FederatedTokenSet`
+ * - Metadata is the social connector token set metadata
+ * - Joined with the social connector relation
+ */
+export type SocialTokenSetSecret = z.infer<typeof socialTokenSetSecretGuard>;
+
+export const desensitizedSocialTokenSetSecretGuard = socialTokenSetSecretGuard.omit({
+  encryptedDek: true,
+  iv: true,
+  authTag: true,
+  ciphertext: true,
+});
+
+export type DesensitizedSocialTokenSetSecret = z.infer<
+  typeof desensitizedSocialTokenSetSecretGuard
+>;