server/plugins/openid/routes/sso/index.ts

import { auth } from "@/api";
import { Application, db } from "@versia/kit/db";
import { OpenIdLoginFlows, RolePermissions } from "@versia/kit/tables";
import {
    calculatePKCECodeChallenge,
    generateRandomCodeVerifier,
} from "oauth4webapi";
import { z } from "zod";
import { ErrorSchema } from "~/types/api";
import type { PluginType } from "../../index.ts";
import { oauthDiscoveryRequest, oauthRedirectUri } from "../../utils.ts";

export default (plugin: PluginType): void => {
    plugin.registerRoute("/api/v1/sso", (app) => {
        app.openapi(
            {
                method: "get",
                path: "/api/v1/sso",
                summary: "Get linked accounts",
                middleware: [
                    auth({
                        auth: true,
                        permissions: [RolePermissions.OAuth],
                    }),
                    plugin.middleware,
                ] as const,
                responses: {
                    200: {
                        description: "Linked accounts",
                        content: {
                            "application/json": {
                                schema: z.array(
                                    z.object({
                                        id: z.string(),
                                        name: z.string(),
                                        icon: z.string().optional(),
                                    }),
                                ),
                            },
                        },
                    },
                },
            },
            async (context) => {
                const { user } = context.get("auth");

                const linkedAccounts = await user.getLinkedOidcAccounts(
                    context.get("pluginConfig").providers,
                );

                return context.json(
                    linkedAccounts.map((account) => ({
                        id: account.id,
                        name: account.name,
                        icon: account.icon,
                    })),
                    200,
                );
            },
        );

        app.openapi(
            {
                method: "post",
                path: "/api/v1/sso",
                summary: "Link account",
                middleware: [
                    auth({
                        auth: true,
                        permissions: [RolePermissions.OAuth],
                    }),
                    plugin.middleware,
                ] as const,
                request: {
                    body: {
                        content: {
                            "application/json": {
                                schema: z.object({
                                    issuer: z.string(),
                                }),
                            },
                        },
                    },
                },
                responses: {
                    302: {
                        description: "Redirect to OpenID provider",
                    },
                    404: {
                        description: "Issuer not found",
                        content: {
                            "application/json": {
                                schema: ErrorSchema,
                            },
                        },
                    },
                },
            },
            async (context) => {
                const { user } = context.get("auth");

                const { issuer: issuerId } = context.req.valid("json");

                const issuer = context
                    .get("pluginConfig")
                    .providers.find((provider) => provider.id === issuerId);

                if (!issuer) {
                    return context.json(
                        {
                            error: `Issuer with ID ${issuerId} not found in instance's OpenID configuration`,
                        },
                        404,
                    );
                }

                const authServer = await oauthDiscoveryRequest(issuer.url);

                const codeVerifier = generateRandomCodeVerifier();

                const redirectUri = oauthRedirectUri(
                    context.get("config").http.base_url,
                    issuerId,
                );

                const application = await Application.insert({
                    clientId:
                        user.id +
                        Buffer.from(
                            crypto.getRandomValues(new Uint8Array(32)),
                        ).toString("base64"),
                    name: "Versia",
                    redirectUri,
                    scopes: "openid profile email",
                    secret: "",
                });

                // Store into database
                const newFlow = (
                    await db
                        .insert(OpenIdLoginFlows)
                        .values({
                            codeVerifier,
                            issuerId,
                            applicationId: application.id,
                        })
                        .returning()
                )[0];

                const codeChallenge =
                    await calculatePKCECodeChallenge(codeVerifier);

                return context.redirect(
                    `${authServer.authorization_endpoint}?${new URLSearchParams(
                        {
                            client_id: issuer.client_id,
                            redirect_uri: `${redirectUri}?${new URLSearchParams(
                                {
                                    flow: newFlow.id,
                                    link: "true",
                                    user_id: user.id,
                                },
                            )}`,
                            response_type: "code",
                            scope: "openid profile email",
                            // PKCE
                            code_challenge_method: "S256",
                            code_challenge: codeChallenge,
                        },
                    ).toString()}`,
                );
            },
        );
    });
};
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`import { auth } from "@/api";`
refactor(database): :truck: Only import ORM table data from @versia/kit 2024-11-01 21:05:54 +01:00			`import { Application, db } from "@versia/kit/db";`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`import { OpenIdLoginFlows, RolePermissions } from "@versia/kit/tables";`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`import {`
			`calculatePKCECodeChallenge,`
			`generateRandomCodeVerifier,`
			`} from "oauth4webapi";`
			`import { z } from "zod";`
			`import { ErrorSchema } from "~/types/api";`
refactor: :truck: Explicitely add extensions to all imports 2024-10-04 15:22:48 +02:00			`import type { PluginType } from "../../index.ts";`
			`import { oauthDiscoveryRequest, oauthRedirectUri } from "../../utils.ts";`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00
refactor: :recycle: Always use explicit types in every function 2024-11-02 00:43:33 +01:00			`export default (plugin: PluginType): void => {`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`plugin.registerRoute("/api/v1/sso", (app) => {`
			`app.openapi(`
			`{`
			`method: "get",`
			`path: "/api/v1/sso",`
			`summary: "Get linked accounts",`
			`middleware: [`
refactor(api): :recycle: Improve authentication checker API 2024-12-30 19:18:31 +01:00			`auth({`
			`auth: true,`
			`permissions: [RolePermissions.OAuth],`
			`}),`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`plugin.middleware,`
refactor(api): :recycle: Upgrade zod-openapi to 0.18.3 Needed to add "as const" to all middleware handlers :) 2024-12-30 18:20:22 +01:00			`] as const,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`responses: {`
			`200: {`
			`description: "Linked accounts",`
			`content: {`
			`"application/json": {`
			`schema: z.array(`
			`z.object({`
			`id: z.string(),`
			`name: z.string(),`
			`icon: z.string().optional(),`
			`}),`
			`),`
			`},`
			`},`
			`},`
			`},`
			`},`
			`async (context) => {`
			`const { user } = context.get("auth");`

refactor(config): :fire: Remove old oidc section in config 2024-10-11 17:03:33 +02:00			`const linkedAccounts = await user.getLinkedOidcAccounts(`
			`context.get("pluginConfig").providers,`
			`);`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00
			`return context.json(`
			`linkedAccounts.map((account) => ({`
			`id: account.id,`
			`name: account.name,`
			`icon: account.icon,`
			`})),`
			`200,`
			`);`
			`},`
			`);`

			`app.openapi(`
			`{`
			`method: "post",`
			`path: "/api/v1/sso",`
			`summary: "Link account",`
			`middleware: [`
refactor(api): :recycle: Improve authentication checker API 2024-12-30 19:18:31 +01:00			`auth({`
			`auth: true,`
			`permissions: [RolePermissions.OAuth],`
			`}),`
fix(plugin): :bug: Add missing plugin middleware to some OIDC plugin routes 2024-10-11 17:16:03 +02:00			`plugin.middleware,`
refactor(api): :recycle: Upgrade zod-openapi to 0.18.3 Needed to add "as const" to all middleware handlers :) 2024-12-30 18:20:22 +01:00			`] as const,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`request: {`
			`body: {`
			`content: {`
			`"application/json": {`
			`schema: z.object({`
			`issuer: z.string(),`
			`}),`
			`},`
			`},`
			`},`
			`},`
			`responses: {`
			`302: {`
			`description: "Redirect to OpenID provider",`
			`},`
			`404: {`
			`description: "Issuer not found",`
			`content: {`
			`"application/json": {`
			`schema: ErrorSchema,`
			`},`
			`},`
			`},`
			`},`
			`},`
			`async (context) => {`
			`const { user } = context.get("auth");`

			`const { issuer: issuerId } = context.req.valid("json");`

			`const issuer = context`
			`.get("pluginConfig")`
			`.providers.find((provider) => provider.id === issuerId);`

			`if (!issuer) {`
			`return context.json(`
			`{`
			error: `Issuer with ID ${issuerId} not found in instance's OpenID configuration`,
			`},`
			`404,`
			`);`
			`}`

			`const authServer = await oauthDiscoveryRequest(issuer.url);`

			`const codeVerifier = generateRandomCodeVerifier();`

			`const redirectUri = oauthRedirectUri(`
			`context.get("config").http.base_url,`
fix(api): :bug: Fix incorrect order of function parameters 2024-10-11 17:09:51 +02:00			`issuerId,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`);`

refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`const application = await Application.insert({`
			`clientId:`
			`user.id +`
			`Buffer.from(`
			`crypto.getRandomValues(new Uint8Array(32)),`
			`).toString("base64"),`
			`name: "Versia",`
			`redirectUri,`
			`scopes: "openid profile email",`
			`secret: "",`
			`});`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00
			`// Store into database`
			`const newFlow = (`
			`await db`
			`.insert(OpenIdLoginFlows)`
			`.values({`
			`codeVerifier,`
			`issuerId,`
			`applicationId: application.id,`
			`})`
			`.returning()`
			`)[0];`

			`const codeChallenge =`
			`await calculatePKCECodeChallenge(codeVerifier);`

			`return context.redirect(`
			`${authServer.authorization_endpoint}?${new URLSearchParams(
			`{`
			`client_id: issuer.client_id,`
			redirect_uri: `${redirectUri}?${new URLSearchParams(
			`{`
			`flow: newFlow.id,`
			`link: "true",`
			`user_id: user.id,`
			`},`
			)}`,
			`response_type: "code",`
			`scope: "openid profile email",`
			`// PKCE`
			`code_challenge_method: "S256",`
			`code_challenge: codeChallenge,`
			`},`
			).toString()}`,
			`);`
			`},`
			`);`
			`});`
			`};`