server/plugins/openid/index.ts

import { RolePermission } from "@versia/client/schemas";
import { Hooks, Plugin } from "@versia/kit";
import { User } from "@versia/kit/db";
import { getCookie } from "hono/cookie";
import { jwtVerify } from "jose";
import { JOSEError, JWTExpired } from "jose/errors";
import { z } from "zod";
import { keyPair, sensitiveString, url } from "~/classes/config/schema.ts";
import { ApiError } from "~/classes/errors/api-error.ts";
import authorizeRoute from "./routes/authorize.ts";
import jwksRoute from "./routes/jwks.ts";
import ssoLoginCallbackRoute from "./routes/oauth/callback.ts";
import tokenRevokeRoute from "./routes/oauth/revoke.ts";
import ssoLoginRoute from "./routes/oauth/sso.ts";
import tokenRoute from "./routes/oauth/token.ts";
import ssoIdRoute from "./routes/sso/:id/index.ts";
import ssoRoute from "./routes/sso/index.ts";

const configSchema = z.object({
    forced: z.boolean().default(false),
    allow_registration: z.boolean().default(true),
    providers: z
        .array(
            z.object({
                name: z.string().min(1),
                id: z.string().min(1),
                url: z.string().min(1),
                client_id: z.string().min(1),
                client_secret: sensitiveString,
                icon: url.optional(),
            }),
        )
        .default([]),
    keys: keyPair,
});

const plugin = new Plugin(configSchema);

// Test hook for screenshots
plugin.registerHandler(Hooks.Response, (req) => {
    console.info("Request received:", req);
    return req;
});

authorizeRoute(plugin);
ssoRoute(plugin);
ssoIdRoute(plugin);
tokenRoute(plugin);
tokenRevokeRoute(plugin);
jwksRoute(plugin);
ssoLoginRoute(plugin);
ssoLoginCallbackRoute(plugin);

plugin.registerRoute("/admin/queues/api/*", (app) => {
    // Check for JWT when accessing the admin panel
    app.use("/admin/queues/api/*", async (context, next) => {
        const jwtCookie = getCookie(context, "jwt");

        if (!jwtCookie) {
            throw new ApiError(401, "Missing JWT cookie");
        }

        const { keys } = context.get("pluginConfig");

        const result = await jwtVerify(jwtCookie, keys.public, {
            algorithms: ["EdDSA"],
            issuer: new URL(context.get("config").http.base_url).origin,
        }).catch((error) => {
            if (error instanceof JOSEError) {
                return error;
            }

            throw error;
        });

        if (result instanceof JOSEError) {
            if (result instanceof JWTExpired) {
                throw new ApiError(401, "JWT has expired");
            }

            throw new ApiError(401, "Invalid JWT");
        }

        const {
            payload: { sub },
        } = result;

        if (!sub) {
            throw new ApiError(401, "Invalid JWT (no sub)");
        }

        const user = await User.fromId(sub);

        if (!user?.hasPermission(RolePermission.ManageInstanceFederation)) {
            throw new ApiError(
                403,
                `Missing '${RolePermission.ManageInstanceFederation}' permission`,
            );
        }

        await next();
    });
});

export type PluginType = typeof plugin;
export default plugin;
refactor(api): :fire: Remove old @versia/client version 2025-03-22 18:04:47 +01:00			`import { RolePermission } from "@versia/client/schemas";`
refactor(api): :recycle: Move all SSO account linking endpoint logic to OpenID plugin 2024-09-25 12:31:35 +02:00			`import { Hooks, Plugin } from "@versia/kit";`
fix(api): :bug: Fix missing FormData acceptance for registration route 2024-10-24 18:48:11 +02:00			`import { User } from "@versia/kit/db";`
chore: :arrow_up: Upgrade dependencies 2024-12-18 20:42:40 +01:00			`import { getCookie } from "hono/cookie";`
feat(federation): :sparkles: Add UI to view BullMQ metadata 2024-11-25 13:09:28 +01:00			`import { jwtVerify } from "jose";`
			`import { JOSEError, JWTExpired } from "jose/errors";`
refactor(api): :recycle: Move from @hono/zod-openapi to hono-openapi hono-openapi is easier to work with and generates better OpenAPI definitions 2025-03-29 03:30:06 +01:00			`import { z } from "zod";`
chore: :arrow_up: Upgrade to Biome 2.0 2025-04-10 19:15:31 +02:00			`import { keyPair, sensitiveString, url } from "~/classes/config/schema.ts";`
refactor(api): :recycle: Throw ApiError instead of returning error JSON 2024-12-30 18:00:23 +01:00			`import { ApiError } from "~/classes/errors/api-error.ts";`
refactor: :truck: Explicitely add extensions to all imports 2024-10-04 15:22:48 +02:00			`import authorizeRoute from "./routes/authorize.ts";`
refactor(plugin): :truck: Move JWKS well-known endpoint to OpenID plugin 2024-10-07 12:52:22 +02:00			`import jwksRoute from "./routes/jwks.ts";`
refactor(plugin): :truck: Move SSO login callback route to OpenID plugin 2024-10-11 15:15:06 +02:00			`import ssoLoginCallbackRoute from "./routes/oauth/callback.ts";`
refactor: :truck: Explicitely add extensions to all imports 2024-10-04 15:22:48 +02:00			`import tokenRevokeRoute from "./routes/oauth/revoke.ts";`
refactor(plugin): :truck: Move SSO login route to OpenID plugin 2024-10-11 14:39:25 +02:00			`import ssoLoginRoute from "./routes/oauth/sso.ts";`
refactor: :truck: Explicitely add extensions to all imports 2024-10-04 15:22:48 +02:00			`import tokenRoute from "./routes/oauth/token.ts";`
			`import ssoIdRoute from "./routes/sso/:id/index.ts";`
			`import ssoRoute from "./routes/sso/index.ts";`
refactor(plugin): :recycle: Move parts of OpenID logic to plugin 2024-08-29 20:32:04 +02:00
feat(federation): :sparkles: Add UI to view BullMQ metadata 2024-11-25 13:09:28 +01:00			`const configSchema = z.object({`
			`forced: z.boolean().default(false),`
			`allow_registration: z.boolean().default(true),`
			`providers: z`
			`.array(`
			`z.object({`
			`name: z.string().min(1),`
			`id: z.string().min(1),`
			`url: z.string().min(1),`
			`client_id: z.string().min(1),`
refactor(config): :recycle: Redo config structure from scratch, simplify validation code, improve checks, add support for loading sensitive data from paths 2025-02-15 02:47:29 +01:00			`client_secret: sensitiveString,`
fix(media): :bug: Don't proxy media from trusted origins, use new ProxiedUrl class 2025-03-30 23:44:50 +02:00			`icon: url.optional(),`
feat(cli): :sparkles: Add generate-keys CLI command 2024-10-24 18:18:39 +02:00			`}),`
feat(federation): :sparkles: Add UI to view BullMQ metadata 2024-11-25 13:09:28 +01:00			`)`
			`.default([]),`
refactor(config): :recycle: Redo config structure from scratch, simplify validation code, improve checks, add support for loading sensitive data from paths 2025-02-15 02:47:29 +01:00			`keys: keyPair,`
feat(federation): :sparkles: Add UI to view BullMQ metadata 2024-11-25 13:09:28 +01:00			`});`

			`const plugin = new Plugin(configSchema);`
refactor(plugin): :recycle: Move parts of OpenID logic to plugin 2024-08-29 20:32:04 +02:00
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00			`// Test hook for screenshots`
refactor(plugin): :recycle: Move parts of OpenID logic to plugin 2024-08-29 20:32:04 +02:00			`plugin.registerHandler(Hooks.Response, (req) => {`
			`console.info("Request received:", req);`
			`return req;`
			`});`
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00
refactor(plugin): :recycle: Move parts of OpenID logic to plugin 2024-08-29 20:32:04 +02:00			`authorizeRoute(plugin);`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`ssoRoute(plugin);`
refactor(api): :recycle: Move all SSO account linking endpoint logic to OpenID plugin 2024-09-25 12:31:35 +02:00			`ssoIdRoute(plugin);`
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00			`tokenRoute(plugin);`
			`tokenRevokeRoute(plugin);`
refactor(plugin): :truck: Move JWKS well-known endpoint to OpenID plugin 2024-10-07 12:52:22 +02:00			`jwksRoute(plugin);`
refactor(plugin): :truck: Move SSO login route to OpenID plugin 2024-10-11 14:39:25 +02:00			`ssoLoginRoute(plugin);`
refactor(plugin): :truck: Move SSO login callback route to OpenID plugin 2024-10-11 15:15:06 +02:00			`ssoLoginCallbackRoute(plugin);`
refactor(plugin): :recycle: Move parts of OpenID logic to plugin 2024-08-29 20:32:04 +02:00
fix(api): :bug: Don't require JWT cookie for static content in bull-board UI 2025-04-18 14:38:00 +02:00			`plugin.registerRoute("/admin/queues/api/*", (app) => {`
feat(federation): :sparkles: Add UI to view BullMQ metadata 2024-11-25 13:09:28 +01:00			`// Check for JWT when accessing the admin panel`
fix(api): :bug: Don't require JWT cookie for static content in bull-board UI 2025-04-18 14:38:00 +02:00			`app.use("/admin/queues/api/*", async (context, next) => {`
feat(federation): :sparkles: Add UI to view BullMQ metadata 2024-11-25 13:09:28 +01:00			`const jwtCookie = getCookie(context, "jwt");`

			`if (!jwtCookie) {`
refactor(api): :recycle: Throw ApiError instead of returning error JSON 2024-12-30 18:00:23 +01:00			`throw new ApiError(401, "Missing JWT cookie");`
feat(federation): :sparkles: Add UI to view BullMQ metadata 2024-11-25 13:09:28 +01:00			`}`

			`const { keys } = context.get("pluginConfig");`

			`const result = await jwtVerify(jwtCookie, keys.public, {`
			`algorithms: ["EdDSA"],`
			`issuer: new URL(context.get("config").http.base_url).origin,`
			`}).catch((error) => {`
			`if (error instanceof JOSEError) {`
			`return error;`
			`}`

			`throw error;`
			`});`

			`if (result instanceof JOSEError) {`
			`if (result instanceof JWTExpired) {`
refactor(api): :recycle: Throw ApiError instead of returning error JSON 2024-12-30 18:00:23 +01:00			`throw new ApiError(401, "JWT has expired");`
feat(federation): :sparkles: Add UI to view BullMQ metadata 2024-11-25 13:09:28 +01:00			`}`

refactor(api): :recycle: Throw ApiError instead of returning error JSON 2024-12-30 18:00:23 +01:00			`throw new ApiError(401, "Invalid JWT");`
feat(federation): :sparkles: Add UI to view BullMQ metadata 2024-11-25 13:09:28 +01:00			`}`

			`const {`
			`payload: { sub },`
			`} = result;`

			`if (!sub) {`
refactor(api): :recycle: Throw ApiError instead of returning error JSON 2024-12-30 18:00:23 +01:00			`throw new ApiError(401, "Invalid JWT (no sub)");`
feat(federation): :sparkles: Add UI to view BullMQ metadata 2024-11-25 13:09:28 +01:00			`}`

			`const user = await User.fromId(sub);`

refactor(api): :fire: Remove old @versia/client version 2025-03-22 18:04:47 +01:00			`if (!user?.hasPermission(RolePermission.ManageInstanceFederation)) {`
refactor(api): :recycle: Throw ApiError instead of returning error JSON 2024-12-30 18:00:23 +01:00			`throw new ApiError(`
feat(federation): :sparkles: Add UI to view BullMQ metadata 2024-11-25 13:09:28 +01:00			`403,`
refactor(api): :fire: Remove old @versia/client version 2025-03-22 18:04:47 +01:00			`Missing '${RolePermission.ManageInstanceFederation}' permission`,
feat(federation): :sparkles: Add UI to view BullMQ metadata 2024-11-25 13:09:28 +01:00			`);`
			`}`

			`await next();`
			`});`
			`});`

refactor(plugin): :recycle: Move parts of OpenID logic to plugin 2024-08-29 20:32:04 +02:00			`export type PluginType = typeof plugin;`
			`export default plugin;`