fix(transaction): check transaction identifier (#68)

* fix(transaction): check transaction identifier

* check if transaction with identifier already exists
* Return 409 conflict if transaction identifier already exists

Closes: #62

* fix(transaction): check identifier before saving

* the check now tries to fetch all transactions with a given identifier from a tenant before proceeding

Closes: #62

* fix(transaction): update spec

* add 409 error to transaction spec
* add description of unique transaction_id to spec

Closes: #62

* fix(transaction): add length check

add if transaction slice is bigger than 0

Co-authored-by: Frederic Jahn <[email protected]>

---------

Co-authored-by: Stefan Jacobi <[email protected]>
Co-authored-by: Frederic Jahn <[email protected]>

server/api/services/transaction_service.go

@@ -62,6 +62,17 @@ func (ts *transactionService) Initialize(userId string, transaction *models.Tran
 		return nil, echo.NewHTTPError(http.StatusNotFound, "unable to find user")
 	}
 
+	foundTransaction, err := ts.transactionPersister.GetByIdentifier(transaction.Identifier, ts.tenant.ID)
+	if err != nil {
+		ts.logger.Error(err)
+		return nil, echo.NewHTTPError(http.StatusInternalServerError, "unable to search for transaction")
+	}
+
+	if foundTransaction != nil && len(*foundTransaction) > 0 {
+		ts.logger.Error("transaction already exists")
+		return nil, echo.NewHTTPError(http.StatusConflict, "transaction already exists")
+	}
+
 	// check for better error handling as BeginLogin can throw a BadRequestError AND normal errors (but same type)
 	if len(webauthnUser.WebauthnCredentials) == 0 {
 		return nil, echo.NewHTTPError(

server/persistence/persisters/transaction_persister.go

@@ -12,6 +12,7 @@ import (
 
 type TransactionPersister interface {
 	Create(transaction *models.Transaction) error
+	GetByIdentifier(identifier string, tenantID uuid.UUID) (*models.Transactions, error)
 	ListByUserId(userId uuid.UUID, tenantId uuid.UUID) (*models.Transactions, error)
 	GetByUserId(userId uuid.UUID, tenantId uuid.UUID) (*models.Transaction, error)
 	GetByChallenge(challenge string, tenantId uuid.UUID) (*models.Transaction, error)
@@ -65,6 +66,19 @@ func (p *transactionPersister) ListByUserId(userId uuid.UUID, tenantId uuid.UUID
 	return &transactions, nil
 }
 
+func (p *transactionPersister) GetByIdentifier(identifier string, tenantId uuid.UUID) (*models.Transactions, error) {
+	transactions := models.Transactions{}
+	err := p.database.Eager().Where("identifier = ? AND tenant_id = ?", identifier, tenantId).All(&transactions)
+	if err != nil && errors.Is(err, sql.ErrNoRows) {
+		return nil, nil
+	}
+	if err != nil {
+		return nil, fmt.Errorf("failed to list transactions by user id: %w", err)
+	}
+
+	return &transactions, nil
+}
+
 func (p *transactionPersister) GetByChallenge(challenge string, tenantId uuid.UUID) (*models.Transaction, error) {
 	transaction := models.Transaction{}
 	err := p.database.Eager().Where("challenge = ? AND tenant_id = ?", challenge, tenantId).First(&transaction)

spec/passkey-server.yaml

@@ -1,6 +1,6 @@
 openapi: 3.1.0
 info:
-  version: '1.1'
+  version: '1.2'
   title: passkey-server
   description: 'This API shall represent the private and public endpoints for passkey registration, management and authentication'
   termsOfService: 'https://www.hanko.io/terms'
@@ -263,6 +263,8 @@ paths:
           $ref: '#/components/responses/error'
         '404':
           $ref: '#/components/responses/error'
+        '409':
+          $ref: '#/components/responses/error'
         '500':
           $ref: '#/components/responses/error'
       servers:
@@ -578,6 +580,7 @@ components:
               transaction_id:
                 type: string
                 maxLength: 128
+                description: Needs to be a tenant-wide unique identifier
               transaction_data:
                 type: object
             required: