2024-05-17 03:49:59 +02:00
|
|
|
import type { InferInsertModel } from "drizzle-orm";
|
2024-08-28 17:01:56 +02:00
|
|
|
import type { Context } from "hono";
|
2024-05-17 03:49:59 +02:00
|
|
|
import {
|
|
|
|
|
type AuthorizationServer,
|
|
|
|
|
authorizationCodeGrantRequest,
|
|
|
|
|
discoveryRequest,
|
|
|
|
|
expectNoState,
|
|
|
|
|
getValidatedIdTokenClaims,
|
|
|
|
|
isOAuth2Error,
|
|
|
|
|
processAuthorizationCodeOpenIDResponse,
|
|
|
|
|
processDiscoveryResponse,
|
|
|
|
|
processUserInfoResponse,
|
|
|
|
|
userInfoRequest,
|
|
|
|
|
validateAuthResponse,
|
|
|
|
|
} from "oauth4webapi";
|
2024-06-29 05:50:56 +02:00
|
|
|
import type { Application } from "~/classes/functions/application";
|
2024-05-29 02:59:49 +02:00
|
|
|
import { db } from "~/drizzle/db";
|
|
|
|
|
import { type Applications, OpenIdAccounts } from "~/drizzle/schema";
|
|
|
|
|
import { config } from "~/packages/config-manager";
|
2024-05-17 03:49:59 +02:00
|
|
|
|
|
|
|
|
export class OAuthManager {
|
|
|
|
|
public issuer: (typeof config.oidc.providers)[0];
|
|
|
|
|
|
2024-06-13 04:26:43 +02:00
|
|
|
constructor(public issuerId: string) {
|
2024-05-17 03:49:59 +02:00
|
|
|
const found = config.oidc.providers.find(
|
2024-06-13 04:26:43 +02:00
|
|
|
(provider) => provider.id === this.issuerId,
|
2024-05-17 03:49:59 +02:00
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if (!found) {
|
2024-06-13 04:26:43 +02:00
|
|
|
throw new Error(`Issuer ${this.issuerId} not found`);
|
2024-05-17 03:49:59 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
this.issuer = found;
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-03 13:51:19 +02:00
|
|
|
static async getFlow(flowId: string) {
|
2024-05-17 03:49:59 +02:00
|
|
|
return await db.query.OpenIdLoginFlows.findFirst({
|
|
|
|
|
where: (flow, { eq }) => eq(flow.id, flowId),
|
|
|
|
|
with: {
|
|
|
|
|
application: true,
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-03 13:51:19 +02:00
|
|
|
static async getAuthServer(issuerUrl: URL) {
|
2024-05-17 03:49:59 +02:00
|
|
|
return await discoveryRequest(issuerUrl, {
|
|
|
|
|
algorithm: "oidc",
|
|
|
|
|
}).then((res) => processDiscoveryResponse(issuerUrl, res));
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-03 13:51:19 +02:00
|
|
|
static getParameters(
|
2024-05-17 03:49:59 +02:00
|
|
|
authServer: AuthorizationServer,
|
|
|
|
|
issuer: (typeof config.oidc.providers)[0],
|
|
|
|
|
currentUrl: URL,
|
|
|
|
|
) {
|
|
|
|
|
return validateAuthResponse(
|
|
|
|
|
authServer,
|
|
|
|
|
{
|
|
|
|
|
client_id: issuer.client_id,
|
|
|
|
|
client_secret: issuer.client_secret,
|
|
|
|
|
},
|
|
|
|
|
currentUrl,
|
|
|
|
|
expectNoState,
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-03 13:51:19 +02:00
|
|
|
static async getOIDCResponse(
|
2024-05-17 03:49:59 +02:00
|
|
|
authServer: AuthorizationServer,
|
|
|
|
|
issuer: (typeof config.oidc.providers)[0],
|
|
|
|
|
redirectUri: string,
|
|
|
|
|
codeVerifier: string,
|
|
|
|
|
parameters: URLSearchParams,
|
|
|
|
|
) {
|
|
|
|
|
return await authorizationCodeGrantRequest(
|
|
|
|
|
authServer,
|
|
|
|
|
{
|
|
|
|
|
client_id: issuer.client_id,
|
|
|
|
|
client_secret: issuer.client_secret,
|
|
|
|
|
},
|
|
|
|
|
parameters,
|
|
|
|
|
redirectUri,
|
|
|
|
|
codeVerifier,
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-03 13:51:19 +02:00
|
|
|
static async processOIDCResponse(
|
2024-05-17 03:49:59 +02:00
|
|
|
authServer: AuthorizationServer,
|
|
|
|
|
issuer: (typeof config.oidc.providers)[0],
|
|
|
|
|
oidcResponse: Response,
|
|
|
|
|
) {
|
|
|
|
|
return await processAuthorizationCodeOpenIDResponse(
|
|
|
|
|
authServer,
|
|
|
|
|
{
|
|
|
|
|
client_id: issuer.client_id,
|
|
|
|
|
client_secret: issuer.client_secret,
|
|
|
|
|
},
|
|
|
|
|
oidcResponse,
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-03 13:51:19 +02:00
|
|
|
static async getUserInfo(
|
2024-05-17 03:49:59 +02:00
|
|
|
authServer: AuthorizationServer,
|
|
|
|
|
issuer: (typeof config.oidc.providers)[0],
|
2024-06-13 04:26:43 +02:00
|
|
|
accessToken: string,
|
2024-05-17 03:49:59 +02:00
|
|
|
sub: string,
|
|
|
|
|
) {
|
|
|
|
|
return await userInfoRequest(
|
|
|
|
|
authServer,
|
|
|
|
|
{
|
|
|
|
|
client_id: issuer.client_id,
|
|
|
|
|
client_secret: issuer.client_secret,
|
|
|
|
|
},
|
2024-06-13 04:26:43 +02:00
|
|
|
accessToken,
|
2024-05-17 03:49:59 +02:00
|
|
|
).then(
|
|
|
|
|
async (res) =>
|
|
|
|
|
await processUserInfoResponse(
|
|
|
|
|
authServer,
|
|
|
|
|
{
|
|
|
|
|
client_id: issuer.client_id,
|
|
|
|
|
client_secret: issuer.client_secret,
|
|
|
|
|
},
|
|
|
|
|
sub,
|
|
|
|
|
res,
|
|
|
|
|
),
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-03 13:51:19 +02:00
|
|
|
static processOAuth2Error(
|
2024-05-17 03:49:59 +02:00
|
|
|
application: InferInsertModel<typeof Applications> | null,
|
|
|
|
|
) {
|
|
|
|
|
return {
|
|
|
|
|
redirect_uri: application?.redirectUri,
|
|
|
|
|
client_id: application?.clientId,
|
|
|
|
|
response_type: "code",
|
|
|
|
|
scope: application?.scopes,
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
2024-06-14 11:05:04 +02:00
|
|
|
async linkUserInDatabase(userId: string, sub: string): Promise<void> {
|
|
|
|
|
await db.insert(OpenIdAccounts).values({
|
|
|
|
|
serverId: sub,
|
|
|
|
|
issuerId: this.issuer.id,
|
2024-10-03 13:41:58 +02:00
|
|
|
userId,
|
2024-06-14 11:05:04 +02:00
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
2024-05-17 03:49:59 +02:00
|
|
|
async linkUser(
|
|
|
|
|
userId: string,
|
2024-08-28 17:01:56 +02:00
|
|
|
context: Context,
|
2024-05-17 03:49:59 +02:00
|
|
|
// Return value of automaticOidcFlow
|
|
|
|
|
oidcFlowData: Exclude<
|
|
|
|
|
Awaited<
|
|
|
|
|
ReturnType<typeof OAuthManager.prototype.automaticOidcFlow>
|
|
|
|
|
>,
|
|
|
|
|
Response
|
|
|
|
|
>,
|
|
|
|
|
) {
|
|
|
|
|
const { flow, userInfo } = oidcFlowData;
|
|
|
|
|
|
|
|
|
|
// Check if userId is equal to application.clientId
|
2024-05-17 08:58:27 +02:00
|
|
|
if (!flow.application?.clientId.startsWith(userId)) {
|
2024-08-28 17:01:56 +02:00
|
|
|
return context.redirect(
|
|
|
|
|
`${config.http.base_url}${
|
2024-05-17 06:05:06 +02:00
|
|
|
config.frontend.routes.home
|
|
|
|
|
}?${new URLSearchParams({
|
2024-05-17 03:49:59 +02:00
|
|
|
oidc_account_linking_error: "Account linking error",
|
|
|
|
|
oidc_account_linking_error_message: `User ID does not match application client ID (${userId} != ${flow.application?.clientId})`,
|
|
|
|
|
})}`,
|
2024-08-28 17:01:56 +02:00
|
|
|
);
|
2024-05-17 03:49:59 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check if account is already linked
|
|
|
|
|
const account = await db.query.OpenIdAccounts.findFirst({
|
|
|
|
|
where: (account, { eq, and }) =>
|
|
|
|
|
and(
|
|
|
|
|
eq(account.serverId, userInfo.sub),
|
|
|
|
|
eq(account.issuerId, this.issuer.id),
|
|
|
|
|
),
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (account) {
|
2024-08-28 17:01:56 +02:00
|
|
|
return context.redirect(
|
|
|
|
|
`${config.http.base_url}${
|
2024-05-17 06:05:06 +02:00
|
|
|
config.frontend.routes.home
|
|
|
|
|
}?${new URLSearchParams({
|
2024-05-17 03:49:59 +02:00
|
|
|
oidc_account_linking_error: "Account already linked",
|
|
|
|
|
oidc_account_linking_error_message:
|
|
|
|
|
"This account has already been linked to this OpenID Connect provider.",
|
|
|
|
|
})}`,
|
2024-08-28 17:01:56 +02:00
|
|
|
);
|
2024-05-17 03:49:59 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Link the account
|
2024-06-14 11:05:04 +02:00
|
|
|
await this.linkUserInDatabase(userId, userInfo.sub);
|
2024-05-17 03:49:59 +02:00
|
|
|
|
2024-08-28 17:01:56 +02:00
|
|
|
return context.redirect(
|
|
|
|
|
`${config.http.base_url}${
|
2024-05-17 06:05:06 +02:00
|
|
|
config.frontend.routes.home
|
|
|
|
|
}?${new URLSearchParams({
|
2024-05-17 03:49:59 +02:00
|
|
|
oidc_account_linked: "true",
|
|
|
|
|
})}`,
|
2024-08-28 17:01:56 +02:00
|
|
|
);
|
2024-05-17 03:49:59 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
async automaticOidcFlow(
|
|
|
|
|
flowId: string,
|
|
|
|
|
currentUrl: URL,
|
2024-06-11 03:58:51 +02:00
|
|
|
redirectUrl: URL,
|
2024-05-17 03:49:59 +02:00
|
|
|
errorFn: (
|
|
|
|
|
error: string,
|
|
|
|
|
message: string,
|
|
|
|
|
app: Application | null,
|
|
|
|
|
) => Response,
|
|
|
|
|
) {
|
2024-10-03 13:51:19 +02:00
|
|
|
const flow = await OAuthManager.getFlow(flowId);
|
2024-05-17 03:49:59 +02:00
|
|
|
|
|
|
|
|
if (!flow) {
|
|
|
|
|
return errorFn("invalid_request", "Invalid flow", null);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const issuerUrl = new URL(this.issuer.url);
|
|
|
|
|
|
2024-10-03 13:51:19 +02:00
|
|
|
const authServer = await OAuthManager.getAuthServer(issuerUrl);
|
2024-05-17 03:49:59 +02:00
|
|
|
|
2024-10-03 13:51:19 +02:00
|
|
|
const parameters = await OAuthManager.getParameters(
|
2024-05-17 03:49:59 +02:00
|
|
|
authServer,
|
|
|
|
|
this.issuer,
|
|
|
|
|
currentUrl,
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if (isOAuth2Error(parameters)) {
|
|
|
|
|
return errorFn(
|
|
|
|
|
parameters.error,
|
|
|
|
|
parameters.error_description || "",
|
|
|
|
|
flow.application,
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-03 13:51:19 +02:00
|
|
|
const oidcResponse = await OAuthManager.getOIDCResponse(
|
2024-05-17 03:49:59 +02:00
|
|
|
authServer,
|
|
|
|
|
this.issuer,
|
2024-06-11 03:58:51 +02:00
|
|
|
redirectUrl.toString(),
|
2024-05-17 03:49:59 +02:00
|
|
|
flow.codeVerifier,
|
|
|
|
|
parameters,
|
|
|
|
|
);
|
|
|
|
|
|
2024-10-03 13:51:19 +02:00
|
|
|
const result = await OAuthManager.processOIDCResponse(
|
2024-05-17 03:49:59 +02:00
|
|
|
authServer,
|
|
|
|
|
this.issuer,
|
|
|
|
|
oidcResponse,
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if (isOAuth2Error(result)) {
|
|
|
|
|
return errorFn(
|
|
|
|
|
result.error,
|
|
|
|
|
result.error_description || "",
|
|
|
|
|
flow.application,
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const { access_token } = result;
|
|
|
|
|
|
|
|
|
|
const claims = getValidatedIdTokenClaims(result);
|
|
|
|
|
const { sub } = claims;
|
|
|
|
|
|
|
|
|
|
// Validate `sub`
|
|
|
|
|
// Later, we'll use this to automatically set the user's data
|
2024-10-03 13:51:19 +02:00
|
|
|
const userInfo = await OAuthManager.getUserInfo(
|
2024-05-17 03:49:59 +02:00
|
|
|
authServer,
|
|
|
|
|
this.issuer,
|
|
|
|
|
access_token,
|
|
|
|
|
sub,
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
return {
|
2024-10-03 13:41:58 +02:00
|
|
|
userInfo,
|
|
|
|
|
flow,
|
|
|
|
|
claims,
|
2024-05-17 03:49:59 +02:00
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
}
|
