server/plugins/openid/routes/sso/index.ts

import { RolePermission } from "@versia/client/schemas";
import { ApiError } from "@versia-server/kit";
import { auth, handleZodError } from "@versia-server/kit/api";
import { Application, db } from "@versia-server/kit/db";
import { OpenIdLoginFlows } from "@versia-server/kit/tables";
import { randomUUIDv7 } from "bun";
import { describeRoute } from "hono-openapi";
import { resolver, validator } from "hono-openapi/zod";
import {
    calculatePKCECodeChallenge,
    generateRandomCodeVerifier,
} from "oauth4webapi";
import { z } from "zod";
import type { PluginType } from "../../index.ts";
import { oauthDiscoveryRequest, oauthRedirectUri } from "../../utils.ts";

export default (plugin: PluginType): void => {
    plugin.registerRoute("/api/v1/sso", (app) => {
        app.get(
            "/api/v1/sso",
            describeRoute({
                summary: "Get linked accounts",
                tags: ["SSO"],
                responses: {
                    200: {
                        description: "Linked accounts",
                        content: {
                            "application/json": {
                                schema: resolver(
                                    z.array(
                                        z.object({
                                            id: z.string(),
                                            name: z.string(),
                                            icon: z.string().optional(),
                                        }),
                                    ),
                                ),
                            },
                        },
                    },
                },
            }),
            auth({
                auth: true,
                permissions: [RolePermission.OAuth],
            }),
            plugin.middleware,
            async (context) => {
                const { user } = context.get("auth");

                const linkedAccounts = await user.getLinkedOidcAccounts(
                    context.get("pluginConfig").providers,
                );

                return context.json(
                    linkedAccounts.map((account) => ({
                        id: account.id,
                        name: account.name,
                        icon: account.icon,
                    })),
                    200,
                );
            },
        );

        app.post(
            "/api/v1/sso",
            describeRoute({
                summary: "Link account",
                tags: ["SSO"],
                responses: {
                    302: {
                        description: "Redirect to OpenID provider",
                    },
                    404: {
                        description: "Issuer not found",
                        content: {
                            "application/json": {
                                schema: resolver(ApiError.zodSchema),
                            },
                        },
                    },
                },
            }),
            auth({
                auth: true,
                permissions: [RolePermission.OAuth],
            }),
            plugin.middleware,
            validator("json", z.object({ issuer: z.string() }), handleZodError),
            async (context) => {
                const { user } = context.get("auth");

                const { issuer: issuerId } = context.req.valid("json");

                const issuer = context
                    .get("pluginConfig")
                    .providers.find((provider) => provider.id === issuerId);

                if (!issuer) {
                    return context.json(
                        {
                            error: `Issuer with ID ${issuerId} not found in instance's OpenID configuration`,
                        },
                        404,
                    );
                }

                const authServer = await oauthDiscoveryRequest(
                    new URL(issuer.url),
                );

                const codeVerifier = generateRandomCodeVerifier();

                const redirectUri = oauthRedirectUri(
                    context.get("config").http.base_url,
                    issuerId,
                );

                const application = await Application.insert({
                    id: randomUUIDv7(),
                    clientId:
                        user.id +
                        Buffer.from(
                            crypto.getRandomValues(new Uint8Array(32)),
                        ).toString("base64"),
                    name: "Versia",
                    redirectUri: redirectUri.toString(),
                    scopes: "openid profile email",
                    secret: "",
                });

                // Store into database
                const newFlow = (
                    await db
                        .insert(OpenIdLoginFlows)
                        .values({
                            id: randomUUIDv7(),
                            codeVerifier,
                            issuerId,
                            applicationId: application.id,
                        })
                        .returning()
                )[0];

                const codeChallenge =
                    await calculatePKCECodeChallenge(codeVerifier);

                return context.redirect(
                    `${authServer.authorization_endpoint}?${new URLSearchParams(
                        {
                            client_id: issuer.client_id,
                            redirect_uri: `${redirectUri}?${new URLSearchParams(
                                {
                                    flow: newFlow.id,
                                    link: "true",
                                    user_id: user.id,
                                },
                            )}`,
                            response_type: "code",
                            scope: "openid profile email",
                            // PKCE
                            code_challenge_method: "S256",
                            code_challenge: codeChallenge,
                        },
                    ).toString()}`,
                );
            },
        );
    });
};
refactor(api): :fire: Remove old @versia/client version 2025-03-22 18:04:47 +01:00			`import { RolePermission } from "@versia/client/schemas";`
refactor: :truck: Rename @versia/kit to @versia-server/kit 2025-06-15 23:50:34 +02:00			`import { ApiError } from "@versia-server/kit";`
			`import { auth, handleZodError } from "@versia-server/kit/api";`
			`import { Application, db } from "@versia-server/kit/db";`
			`import { OpenIdLoginFlows } from "@versia-server/kit/tables";`
refactor(database): :heavy_minus_sign: Remove dependency on pg_uuidv7 extension 2025-03-30 22:10:33 +02:00			`import { randomUUIDv7 } from "bun";`
refactor(api): :recycle: Move from @hono/zod-openapi to hono-openapi hono-openapi is easier to work with and generates better OpenAPI definitions 2025-03-29 03:30:06 +01:00			`import { describeRoute } from "hono-openapi";`
			`import { resolver, validator } from "hono-openapi/zod";`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`import {`
			`calculatePKCECodeChallenge,`
			`generateRandomCodeVerifier,`
			`} from "oauth4webapi";`
refactor(api): :recycle: Move from @hono/zod-openapi to hono-openapi hono-openapi is easier to work with and generates better OpenAPI definitions 2025-03-29 03:30:06 +01:00			`import { z } from "zod";`
refactor: :truck: Explicitely add extensions to all imports 2024-10-04 15:22:48 +02:00			`import type { PluginType } from "../../index.ts";`
			`import { oauthDiscoveryRequest, oauthRedirectUri } from "../../utils.ts";`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00
refactor: :recycle: Always use explicit types in every function 2024-11-02 00:43:33 +01:00			`export default (plugin: PluginType): void => {`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`plugin.registerRoute("/api/v1/sso", (app) => {`
refactor(api): :recycle: Move from @hono/zod-openapi to hono-openapi hono-openapi is easier to work with and generates better OpenAPI definitions 2025-03-29 03:30:06 +01:00			`app.get(`
			`"/api/v1/sso",`
			`describeRoute({`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`summary: "Get linked accounts",`
fix(api): :bug: Add tags to all API routes that were missing one 2025-03-28 22:12:07 +01:00			`tags: ["SSO"],`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`responses: {`
			`200: {`
			`description: "Linked accounts",`
			`content: {`
			`"application/json": {`
refactor(api): :recycle: Move from @hono/zod-openapi to hono-openapi hono-openapi is easier to work with and generates better OpenAPI definitions 2025-03-29 03:30:06 +01:00			`schema: resolver(`
			`z.array(`
			`z.object({`
			`id: z.string(),`
			`name: z.string(),`
			`icon: z.string().optional(),`
			`}),`
			`),`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`),`
			`},`
			`},`
			`},`
			`},`
refactor(api): :recycle: Move from @hono/zod-openapi to hono-openapi hono-openapi is easier to work with and generates better OpenAPI definitions 2025-03-29 03:30:06 +01:00			`}),`
			`auth({`
			`auth: true,`
			`permissions: [RolePermission.OAuth],`
			`}),`
			`plugin.middleware,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`async (context) => {`
			`const { user } = context.get("auth");`

refactor(config): :fire: Remove old oidc section in config 2024-10-11 17:03:33 +02:00			`const linkedAccounts = await user.getLinkedOidcAccounts(`
			`context.get("pluginConfig").providers,`
			`);`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00
			`return context.json(`
			`linkedAccounts.map((account) => ({`
			`id: account.id,`
			`name: account.name,`
			`icon: account.icon,`
			`})),`
			`200,`
			`);`
			`},`
			`);`

refactor(api): :recycle: Move from @hono/zod-openapi to hono-openapi hono-openapi is easier to work with and generates better OpenAPI definitions 2025-03-29 03:30:06 +01:00			`app.post(`
			`"/api/v1/sso",`
			`describeRoute({`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`summary: "Link account",`
fix(api): :bug: Add tags to all API routes that were missing one 2025-03-28 22:12:07 +01:00			`tags: ["SSO"],`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`responses: {`
			`302: {`
			`description: "Redirect to OpenID provider",`
			`},`
			`404: {`
			`description: "Issuer not found",`
			`content: {`
			`"application/json": {`
refactor(api): :recycle: Move from @hono/zod-openapi to hono-openapi hono-openapi is easier to work with and generates better OpenAPI definitions 2025-03-29 03:30:06 +01:00			`schema: resolver(ApiError.zodSchema),`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`},`
			`},`
			`},`
			`},`
refactor(api): :recycle: Move from @hono/zod-openapi to hono-openapi hono-openapi is easier to work with and generates better OpenAPI definitions 2025-03-29 03:30:06 +01:00			`}),`
			`auth({`
			`auth: true,`
			`permissions: [RolePermission.OAuth],`
			`}),`
			`plugin.middleware,`
			`validator("json", z.object({ issuer: z.string() }), handleZodError),`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`async (context) => {`
			`const { user } = context.get("auth");`

			`const { issuer: issuerId } = context.req.valid("json");`

			`const issuer = context`
			`.get("pluginConfig")`
			`.providers.find((provider) => provider.id === issuerId);`

			`if (!issuer) {`
			`return context.json(`
			`{`
			error: `Issuer with ID ${issuerId} not found in instance's OpenID configuration`,
			`},`
			`404,`
			`);`
			`}`

refactor(api): :recycle: Use URL literal instead of strings 2025-02-01 16:32:18 +01:00			`const authServer = await oauthDiscoveryRequest(`
			`new URL(issuer.url),`
			`);`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00
			`const codeVerifier = generateRandomCodeVerifier();`

			`const redirectUri = oauthRedirectUri(`
			`context.get("config").http.base_url,`
fix(api): :bug: Fix incorrect order of function parameters 2024-10-11 17:09:51 +02:00			`issuerId,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`);`

refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`const application = await Application.insert({`
refactor(database): :heavy_minus_sign: Remove dependency on pg_uuidv7 extension 2025-03-30 22:10:33 +02:00			`id: randomUUIDv7(),`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`clientId:`
			`user.id +`
			`Buffer.from(`
			`crypto.getRandomValues(new Uint8Array(32)),`
			`).toString("base64"),`
			`name: "Versia",`
refactor(api): :recycle: Use URL literal instead of strings 2025-02-01 16:32:18 +01:00			`redirectUri: redirectUri.toString(),`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`scopes: "openid profile email",`
			`secret: "",`
			`});`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00
			`// Store into database`
			`const newFlow = (`
			`await db`
			`.insert(OpenIdLoginFlows)`
			`.values({`
refactor(database): :heavy_minus_sign: Remove dependency on pg_uuidv7 extension 2025-03-30 22:10:33 +02:00			`id: randomUUIDv7(),`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`codeVerifier,`
			`issuerId,`
			`applicationId: application.id,`
			`})`
			`.returning()`
			`)[0];`

			`const codeChallenge =`
			`await calculatePKCECodeChallenge(codeVerifier);`

			`return context.redirect(`
			`${authServer.authorization_endpoint}?${new URLSearchParams(
			`{`
			`client_id: issuer.client_id,`
			redirect_uri: `${redirectUri}?${new URLSearchParams(
			`{`
			`flow: newFlow.id,`
			`link: "true",`
			`user_id: user.id,`
			`},`
			)}`,
			`response_type: "code",`
			`scope: "openid profile email",`
			`// PKCE`
			`code_challenge_method: "S256",`
			`code_challenge: codeChallenge,`
			`},`
			).toString()}`,
			`);`
			`},`
			`);`
			`});`
			`};`