server/plugins/openid/routes/oauth/sso.ts

import { createRoute, z } from "@hono/zod-openapi";
import { db } from "@versia/kit/db";
import { OpenIdLoginFlows } from "@versia/kit/tables";
import {
    calculatePKCECodeChallenge,
    discoveryRequest,
    generateRandomCodeVerifier,
    processDiscoveryResponse,
} from "oauth4webapi";
import { Application } from "~/packages/database-interface/application.ts";
import type { PluginType } from "../../index.ts";
import { oauthRedirectUri } from "../../utils.ts";

export const schemas = {
    query: z.object({
        issuer: z.string(),
        client_id: z.string().optional(),
        redirect_uri: z.string().url().optional(),
        scope: z.string().optional(),
        response_type: z.enum(["code"]).optional(),
    }),
};

export default (plugin: PluginType) => {
    plugin.registerRoute("/oauth/sso", (app) => {
        app.openapi(
            createRoute({
                method: "get",
                path: "/oauth/sso",
                summary: "Initiate SSO login flow",
                request: {
                    query: schemas.query,
                },
                middleware: [plugin.middleware],
                responses: {
                    302: {
                        description:
                            "Redirect to SSO login, or redirect to login page with error",
                    },
                },
            }),
            async (context) => {
                // This is the Versia client's client_id, not the external OAuth provider's client_id
                const { issuer: issuerId, client_id } =
                    context.req.valid("query");

                const errorSearchParams = new URLSearchParams(
                    context.req.valid("query"),
                );

                if (!client_id || client_id === "undefined") {
                    errorSearchParams.append("error", "invalid_request");
                    errorSearchParams.append(
                        "error_description",
                        "client_id is required",
                    );

                    return context.redirect(
                        `${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
                    );
                }

                const issuer = context
                    .get("pluginConfig")
                    .providers.find((provider) => provider.id === issuerId);

                if (!issuer) {
                    errorSearchParams.append("error", "invalid_request");
                    errorSearchParams.append(
                        "error_description",
                        "issuer is invalid",
                    );

                    return context.redirect(
                        `${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
                    );
                }

                const issuerUrl = new URL(issuer.url);

                const authServer = await discoveryRequest(issuerUrl, {
                    algorithm: "oidc",
                }).then((res) => processDiscoveryResponse(issuerUrl, res));

                const codeVerifier = generateRandomCodeVerifier();

                const application = await Application.fromClientId(client_id);

                if (!application) {
                    errorSearchParams.append("error", "invalid_request");
                    errorSearchParams.append(
                        "error_description",
                        "client_id is invalid",
                    );

                    return context.redirect(
                        `${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
                    );
                }

                // Store into database
                const newFlow = (
                    await db
                        .insert(OpenIdLoginFlows)
                        .values({
                            codeVerifier,
                            applicationId: application.id,
                            issuerId,
                        })
                        .returning()
                )[0];

                const codeChallenge =
                    await calculatePKCECodeChallenge(codeVerifier);

                return context.redirect(
                    `${authServer.authorization_endpoint}?${new URLSearchParams(
                        {
                            client_id: issuer.client_id,
                            redirect_uri: `${oauthRedirectUri(
                                context.get("config").http.base_url,
                                issuerId,
                            )}?flow=${newFlow.id}`,
                            response_type: "code",
                            scope: "openid profile email",
                            // PKCE
                            code_challenge_method: "S256",
                            code_challenge: codeChallenge,
                        },
                    ).toString()}`,
                );
            },
        );
    });
};
refactor(plugin): :truck: Move SSO login route to OpenID plugin 2024-10-11 14:39:25 +02:00			`import { createRoute, z } from "@hono/zod-openapi";`
refactor(plugin): :truck: Move SSO login callback route to OpenID plugin 2024-10-11 15:15:06 +02:00			`import { db } from "@versia/kit/db";`
			`import { OpenIdLoginFlows } from "@versia/kit/tables";`
refactor(plugin): :truck: Move SSO login route to OpenID plugin 2024-10-11 14:39:25 +02:00			`import {`
			`calculatePKCECodeChallenge,`
			`discoveryRequest,`
			`generateRandomCodeVerifier,`
			`processDiscoveryResponse,`
			`} from "oauth4webapi";`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`import { Application } from "~/packages/database-interface/application.ts";`
refactor(plugin): :truck: Move SSO login route to OpenID plugin 2024-10-11 14:39:25 +02:00			`import type { PluginType } from "../../index.ts";`
			`import { oauthRedirectUri } from "../../utils.ts";`

			`export const schemas = {`
			`query: z.object({`
			`issuer: z.string(),`
			`client_id: z.string().optional(),`
			`redirect_uri: z.string().url().optional(),`
			`scope: z.string().optional(),`
			`response_type: z.enum(["code"]).optional(),`
			`}),`
			`};`

			`export default (plugin: PluginType) => {`
			`plugin.registerRoute("/oauth/sso", (app) => {`
			`app.openapi(`
			`createRoute({`
			`method: "get",`
			`path: "/oauth/sso",`
			`summary: "Initiate SSO login flow",`
			`request: {`
			`query: schemas.query,`
			`},`
fix(plugin): :bug: Add missing plugin middleware to some OIDC plugin routes 2024-10-11 17:16:03 +02:00			`middleware: [plugin.middleware],`
refactor(plugin): :truck: Move SSO login route to OpenID plugin 2024-10-11 14:39:25 +02:00			`responses: {`
			`302: {`
			`description:`
			`"Redirect to SSO login, or redirect to login page with error",`
			`},`
			`},`
			`}),`
			`async (context) => {`
			`// This is the Versia client's client_id, not the external OAuth provider's client_id`
			`const { issuer: issuerId, client_id } =`
			`context.req.valid("query");`

			`const errorSearchParams = new URLSearchParams(`
			`context.req.valid("query"),`
			`);`

			`if (!client_id \|\| client_id === "undefined") {`
			`errorSearchParams.append("error", "invalid_request");`
			`errorSearchParams.append(`
			`"error_description",`
			`"client_id is required",`
			`);`

			`return context.redirect(`
			`${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
			`);`
			`}`

			`const issuer = context`
			`.get("pluginConfig")`
			`.providers.find((provider) => provider.id === issuerId);`

			`if (!issuer) {`
			`errorSearchParams.append("error", "invalid_request");`
			`errorSearchParams.append(`
			`"error_description",`
			`"issuer is invalid",`
			`);`

			`return context.redirect(`
			`${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
			`);`
			`}`

			`const issuerUrl = new URL(issuer.url);`

			`const authServer = await discoveryRequest(issuerUrl, {`
			`algorithm: "oidc",`
			`}).then((res) => processDiscoveryResponse(issuerUrl, res));`

			`const codeVerifier = generateRandomCodeVerifier();`

refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`const application = await Application.fromClientId(client_id);`
refactor(plugin): :truck: Move SSO login route to OpenID plugin 2024-10-11 14:39:25 +02:00
			`if (!application) {`
			`errorSearchParams.append("error", "invalid_request");`
			`errorSearchParams.append(`
			`"error_description",`
			`"client_id is invalid",`
			`);`

			`return context.redirect(`
			`${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
			`);`
			`}`

			`// Store into database`
			`const newFlow = (`
			`await db`
			`.insert(OpenIdLoginFlows)`
			`.values({`
			`codeVerifier,`
			`applicationId: application.id,`
			`issuerId,`
			`})`
			`.returning()`
			`)[0];`

			`const codeChallenge =`
			`await calculatePKCECodeChallenge(codeVerifier);`

			`return context.redirect(`
			`${authServer.authorization_endpoint}?${new URLSearchParams(
			`{`
			`client_id: issuer.client_id,`
			redirect_uri: `${oauthRedirectUri(
			`context.get("config").http.base_url,`
fix(api): :bug: Fix incorrect order of function parameters 2024-10-11 17:09:51 +02:00			`issuerId,`
refactor(plugin): :truck: Move SSO login route to OpenID plugin 2024-10-11 14:39:25 +02:00			)}?flow=${newFlow.id}`,
			`response_type: "code",`
			`scope: "openid profile email",`
			`// PKCE`
			`code_challenge_method: "S256",`
			`code_challenge: codeChallenge,`
			`},`
			).toString()}`,
			`);`
			`},`
			`);`
			`});`
			`};`