2024-08-29 20:32:04 +02:00
|
|
|
import { auth, jsonOrForm } from "@/api";
|
|
|
|
|
import { randomString } from "@/math";
|
2025-02-05 21:49:39 +01:00
|
|
|
import { z } from "@hono/zod-openapi";
|
2024-11-03 17:45:21 +01:00
|
|
|
import { Application, Token, User } from "@versia/kit/db";
|
|
|
|
|
import { RolePermissions } from "@versia/kit/tables";
|
2024-08-29 20:32:04 +02:00
|
|
|
import { type JWTPayload, SignJWT, jwtVerify } from "jose";
|
|
|
|
|
import { JOSEError } from "jose/errors";
|
2024-12-30 16:47:48 +01:00
|
|
|
import { errorRedirect, errors } from "../errors.ts";
|
2024-10-04 15:22:48 +02:00
|
|
|
import type { PluginType } from "../index.ts";
|
2024-08-29 20:32:04 +02:00
|
|
|
|
|
|
|
|
const schemas = {
|
|
|
|
|
query: z.object({
|
|
|
|
|
prompt: z
|
|
|
|
|
.enum(["none", "login", "consent", "select_account"])
|
|
|
|
|
.optional()
|
|
|
|
|
.default("none"),
|
|
|
|
|
max_age: z.coerce
|
|
|
|
|
.number()
|
|
|
|
|
.int()
|
|
|
|
|
.optional()
|
|
|
|
|
.default(60 * 60 * 24 * 7),
|
|
|
|
|
}),
|
|
|
|
|
json: z
|
|
|
|
|
.object({
|
|
|
|
|
scope: z.string().optional(),
|
|
|
|
|
redirect_uri: z
|
|
|
|
|
.string()
|
|
|
|
|
.url()
|
|
|
|
|
.optional()
|
|
|
|
|
.or(z.literal("urn:ietf:wg:oauth:2.0:oob")),
|
|
|
|
|
response_type: z.enum([
|
|
|
|
|
"code",
|
|
|
|
|
"token",
|
|
|
|
|
"none",
|
|
|
|
|
"id_token",
|
|
|
|
|
"code id_token",
|
|
|
|
|
"code token",
|
|
|
|
|
"token id_token",
|
|
|
|
|
"code token id_token",
|
|
|
|
|
]),
|
|
|
|
|
client_id: z.string(),
|
|
|
|
|
state: z.string().optional(),
|
|
|
|
|
code_challenge: z.string().optional(),
|
|
|
|
|
code_challenge_method: z.enum(["plain", "S256"]).optional(),
|
|
|
|
|
})
|
|
|
|
|
.refine(
|
|
|
|
|
// Check if redirect_uri is valid for code flow
|
|
|
|
|
(data) =>
|
|
|
|
|
data.response_type.includes("code") ? data.redirect_uri : true,
|
|
|
|
|
"redirect_uri is required for code flow",
|
|
|
|
|
),
|
|
|
|
|
// Disable for Mastodon API compatibility
|
|
|
|
|
/* .refine(
|
|
|
|
|
// Check if code_challenge is valid for code flow
|
|
|
|
|
(data) =>
|
|
|
|
|
data.response_type.includes("code")
|
|
|
|
|
? data.code_challenge
|
|
|
|
|
: true,
|
|
|
|
|
"code_challenge is required for code flow",
|
|
|
|
|
), */
|
|
|
|
|
cookies: z.object({
|
|
|
|
|
jwt: z.string(),
|
|
|
|
|
}),
|
|
|
|
|
};
|
|
|
|
|
|
2024-11-02 00:43:33 +01:00
|
|
|
export default (plugin: PluginType): void =>
|
2024-08-29 20:32:04 +02:00
|
|
|
plugin.registerRoute("/oauth/authorize", (app) =>
|
|
|
|
|
app.openapi(
|
|
|
|
|
{
|
|
|
|
|
method: "post",
|
|
|
|
|
path: "/oauth/authorize",
|
|
|
|
|
middleware: [
|
|
|
|
|
auth({
|
2024-12-30 19:18:31 +01:00
|
|
|
auth: false,
|
2024-08-29 20:32:04 +02:00
|
|
|
}),
|
|
|
|
|
jsonOrForm(),
|
|
|
|
|
plugin.middleware,
|
2024-12-30 18:20:22 +01:00
|
|
|
] as const,
|
2024-08-29 20:32:04 +02:00
|
|
|
responses: {
|
|
|
|
|
302: {
|
|
|
|
|
description: "Redirect to the application",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
request: {
|
|
|
|
|
query: schemas.query,
|
|
|
|
|
body: {
|
|
|
|
|
content: {
|
|
|
|
|
"application/json": {
|
|
|
|
|
schema: schemas.json,
|
|
|
|
|
},
|
|
|
|
|
"application/x-www-form-urlencoded": {
|
|
|
|
|
schema: schemas.json,
|
|
|
|
|
},
|
|
|
|
|
"multipart/form-data": {
|
|
|
|
|
schema: schemas.json,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
cookies: schemas.cookies,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
async (context) => {
|
|
|
|
|
const { scope, redirect_uri, client_id, state } =
|
|
|
|
|
context.req.valid("json");
|
|
|
|
|
|
|
|
|
|
const { jwt } = context.req.valid("cookie");
|
|
|
|
|
|
|
|
|
|
const { keys } = context.get("pluginConfig");
|
|
|
|
|
|
|
|
|
|
const errorSearchParams = new URLSearchParams(
|
2024-12-30 16:47:48 +01:00
|
|
|
context.req.valid("json"),
|
2024-08-29 20:32:04 +02:00
|
|
|
);
|
|
|
|
|
|
|
|
|
|
const result = await jwtVerify(jwt, keys.public, {
|
|
|
|
|
algorithms: ["EdDSA"],
|
|
|
|
|
audience: client_id,
|
|
|
|
|
issuer: new URL(context.get("config").http.base_url).origin,
|
|
|
|
|
}).catch((error) => {
|
|
|
|
|
if (error instanceof JOSEError) {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
throw error;
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (!result) {
|
2024-12-30 16:47:48 +01:00
|
|
|
return errorRedirect(
|
|
|
|
|
context,
|
|
|
|
|
errors.InvalidJWT,
|
|
|
|
|
errorSearchParams,
|
2024-08-29 20:32:04 +02:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const {
|
|
|
|
|
payload: { aud, sub, exp },
|
|
|
|
|
} = result;
|
|
|
|
|
|
|
|
|
|
if (!(aud && sub && exp)) {
|
2024-12-30 16:47:48 +01:00
|
|
|
return errorRedirect(
|
|
|
|
|
context,
|
|
|
|
|
errors.MissingJWTFields,
|
|
|
|
|
errorSearchParams,
|
2024-08-29 20:32:04 +02:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2024-09-24 14:42:39 +02:00
|
|
|
if (!z.string().uuid().safeParse(sub).success) {
|
2024-12-30 16:47:48 +01:00
|
|
|
return errorRedirect(
|
|
|
|
|
context,
|
|
|
|
|
errors.InvalidSub,
|
|
|
|
|
errorSearchParams,
|
2024-09-24 14:42:39 +02:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2024-08-29 20:32:04 +02:00
|
|
|
const user = await User.fromId(sub);
|
|
|
|
|
|
|
|
|
|
if (!user) {
|
2024-12-30 16:47:48 +01:00
|
|
|
return errorRedirect(
|
|
|
|
|
context,
|
|
|
|
|
errors.UserNotFound,
|
|
|
|
|
errorSearchParams,
|
2024-08-29 20:32:04 +02:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!user.hasPermission(RolePermissions.OAuth)) {
|
2024-12-30 16:47:48 +01:00
|
|
|
return errorRedirect(
|
|
|
|
|
context,
|
|
|
|
|
errors.MissingOauthPermission,
|
|
|
|
|
errorSearchParams,
|
2024-08-29 20:32:04 +02:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-23 17:56:47 +02:00
|
|
|
const application = await Application.fromClientId(client_id);
|
2024-08-29 20:32:04 +02:00
|
|
|
|
|
|
|
|
if (!application) {
|
2024-12-30 16:47:48 +01:00
|
|
|
return errorRedirect(
|
|
|
|
|
context,
|
|
|
|
|
errors.MissingApplication,
|
|
|
|
|
errorSearchParams,
|
2024-08-29 20:32:04 +02:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-23 17:56:47 +02:00
|
|
|
if (application.data.redirectUri !== redirect_uri) {
|
2024-12-30 16:47:48 +01:00
|
|
|
return errorRedirect(
|
|
|
|
|
context,
|
|
|
|
|
errors.InvalidRedirectUri,
|
|
|
|
|
errorSearchParams,
|
2024-08-29 20:32:04 +02:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check that scopes are a subset of the application's scopes
|
|
|
|
|
if (
|
|
|
|
|
scope &&
|
|
|
|
|
!scope
|
|
|
|
|
.split(" ")
|
2024-10-23 17:56:47 +02:00
|
|
|
.every((s) => application.data.scopes.includes(s))
|
2024-08-29 20:32:04 +02:00
|
|
|
) {
|
2024-12-30 16:47:48 +01:00
|
|
|
return errorRedirect(
|
|
|
|
|
context,
|
|
|
|
|
errors.InvalidScope,
|
|
|
|
|
errorSearchParams,
|
2024-08-29 20:32:04 +02:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const code = randomString(256, "base64url");
|
|
|
|
|
|
|
|
|
|
let payload: JWTPayload = {};
|
|
|
|
|
|
|
|
|
|
if (scope) {
|
|
|
|
|
if (scope.split(" ").includes("openid")) {
|
|
|
|
|
payload = {
|
|
|
|
|
...payload,
|
|
|
|
|
sub: user.id,
|
|
|
|
|
iss: new URL(context.get("config").http.base_url)
|
|
|
|
|
.origin,
|
|
|
|
|
aud: client_id,
|
|
|
|
|
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
|
|
|
|
iat: Math.floor(Date.now() / 1000),
|
|
|
|
|
nbf: Math.floor(Date.now() / 1000),
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
if (scope.split(" ").includes("profile")) {
|
|
|
|
|
payload = {
|
|
|
|
|
...payload,
|
|
|
|
|
name: user.data.displayName,
|
|
|
|
|
preferred_username: user.data.username,
|
2025-02-15 02:47:29 +01:00
|
|
|
picture: user.getAvatarUrl(),
|
2024-08-29 20:32:04 +02:00
|
|
|
updated_at: new Date(
|
|
|
|
|
user.data.updatedAt,
|
|
|
|
|
).toISOString(),
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
if (scope.split(" ").includes("email")) {
|
|
|
|
|
payload = {
|
|
|
|
|
...payload,
|
|
|
|
|
email: user.data.email,
|
|
|
|
|
// TODO: Add verification system
|
|
|
|
|
email_verified: true,
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const idToken = await new SignJWT(payload)
|
|
|
|
|
.setProtectedHeader({ alg: "EdDSA" })
|
|
|
|
|
.sign(keys.private);
|
|
|
|
|
|
2024-11-03 17:45:21 +01:00
|
|
|
await Token.insert({
|
2024-08-29 20:32:04 +02:00
|
|
|
accessToken: randomString(64, "base64url"),
|
2024-10-03 13:41:58 +02:00
|
|
|
code,
|
2024-10-23 17:56:47 +02:00
|
|
|
scope: scope ?? application.data.scopes,
|
2024-11-03 17:45:21 +01:00
|
|
|
tokenType: "Bearer",
|
2024-08-29 20:32:04 +02:00
|
|
|
applicationId: application.id,
|
2024-10-23 17:56:47 +02:00
|
|
|
redirectUri: redirect_uri ?? application.data.redirectUri,
|
2024-08-29 20:32:04 +02:00
|
|
|
expiresAt: new Date(
|
|
|
|
|
Date.now() + 60 * 60 * 24 * 14,
|
|
|
|
|
).toISOString(),
|
|
|
|
|
idToken: ["profile", "email", "openid"].some((s) =>
|
|
|
|
|
scope?.split(" ").includes(s),
|
|
|
|
|
)
|
|
|
|
|
? idToken
|
|
|
|
|
: null,
|
|
|
|
|
clientId: client_id,
|
|
|
|
|
userId: user.id,
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const redirectUri =
|
|
|
|
|
redirect_uri === "urn:ietf:wg:oauth:2.0:oob"
|
|
|
|
|
? new URL(
|
|
|
|
|
"/oauth/code",
|
|
|
|
|
context.get("config").http.base_url,
|
|
|
|
|
)
|
2024-10-23 17:56:47 +02:00
|
|
|
: new URL(redirect_uri ?? application.data.redirectUri);
|
2024-08-29 20:32:04 +02:00
|
|
|
|
|
|
|
|
redirectUri.searchParams.append("code", code);
|
|
|
|
|
state && redirectUri.searchParams.append("state", state);
|
|
|
|
|
|
2024-09-04 23:31:58 +02:00
|
|
|
return context.redirect(redirectUri.toString());
|
2024-08-29 20:32:04 +02:00
|
|
|
},
|
|
|
|
|
),
|
|
|
|
|
);
|
