mirror of
https://github.com/versia-pub/server.git
synced 2026-03-13 13:59:16 +01:00
refactor(api): ♻️ Rewrite full authentication code to go OpenID-only
This commit is contained in:
Jesse Wierzbinski
parent
132a3ed5ea
commit
4c430426d3
39 changed files with 3076 additions and 2009 deletions
|
|
@ -55,6 +55,7 @@
|
|||
"@versia-server/logging": "workspace:*",
|
||||
"@versia/client": "workspace:*",
|
||||
"@versia/sdk": "workspace:*",
|
||||
"openid-client": "catalog:",
|
||||
"youch": "catalog:",
|
||||
"hono": "catalog:",
|
||||
"hono-openapi": "catalog:",
|
||||
|
|
@ -66,7 +67,6 @@
|
|||
"unicode-emoji-json": "catalog:",
|
||||
"sharp": "catalog:",
|
||||
"iso-639-1": "catalog:",
|
||||
"jose": "catalog:",
|
||||
"zod-openapi": "catalog:",
|
||||
"@scalar/hono-api-reference": "catalog:",
|
||||
"hono-rate-limiter": "catalog:",
|
||||
|
|
@ -75,7 +75,6 @@
|
|||
"altcha-lib": "catalog:",
|
||||
"@hono/standard-validator": "catalog:",
|
||||
"zod-validation-error": "catalog:",
|
||||
"confbox": "catalog:",
|
||||
"oauth4webapi": "catalog:"
|
||||
"confbox": "catalog:"
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,45 +0,0 @@
|
|||
import type { Context, TypedResponse } from "hono";
|
||||
|
||||
export const errors = {
|
||||
InvalidJWT: ["invalid_request", "Invalid JWT: could not verify"],
|
||||
MissingJWTFields: [
|
||||
"invalid_request",
|
||||
"Invalid JWT: missing required fields (aud, sub, exp, iss)",
|
||||
],
|
||||
InvalidSub: ["invalid_request", "Invalid JWT: sub is not a valid user ID"],
|
||||
UserNotFound: [
|
||||
"invalid_request",
|
||||
"Invalid JWT, could not find associated user",
|
||||
],
|
||||
MissingOauthPermission: [
|
||||
"unauthorized",
|
||||
"User missing required 'oauth' permission",
|
||||
],
|
||||
MissingApplication: [
|
||||
"invalid_request",
|
||||
"Invalid client_id: no associated API application found",
|
||||
],
|
||||
InvalidRedirectUri: [
|
||||
"invalid_request",
|
||||
"Invalid redirect_uri: does not match API application's redirect_uri",
|
||||
],
|
||||
InvalidScope: [
|
||||
"invalid_request",
|
||||
"Invalid scope: not a subset of the application's scopes",
|
||||
],
|
||||
};
|
||||
|
||||
export const errorRedirect = (
|
||||
context: Context,
|
||||
error: (typeof errors)[keyof typeof errors],
|
||||
extraParams?: URLSearchParams,
|
||||
): Response & TypedResponse<undefined, 302, "redirect"> => {
|
||||
const errorSearchParams = new URLSearchParams(extraParams);
|
||||
|
||||
errorSearchParams.append("error", error[0]);
|
||||
errorSearchParams.append("error_description", error[1]);
|
||||
|
||||
return context.redirect(
|
||||
`${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
|
||||
);
|
||||
};
|
||||
|
|
@ -1,217 +0,0 @@
|
|||
import { type Application, db } from "@versia-server/kit/db";
|
||||
import type { OpenIdLoginFlows } from "@versia-server/kit/tables";
|
||||
import { eq, type InferSelectModel, type SQL } from "drizzle-orm";
|
||||
import {
|
||||
type AuthorizationResponseError,
|
||||
type AuthorizationServer,
|
||||
authorizationCodeGrantRequest,
|
||||
ClientSecretPost,
|
||||
discoveryRequest,
|
||||
expectNoState,
|
||||
getValidatedIdTokenClaims,
|
||||
processAuthorizationCodeResponse,
|
||||
processDiscoveryResponse,
|
||||
processUserInfoResponse,
|
||||
type ResponseBodyError,
|
||||
type TokenEndpointResponse,
|
||||
type UserInfoResponse,
|
||||
userInfoRequest,
|
||||
validateAuthResponse,
|
||||
} from "oauth4webapi";
|
||||
|
||||
export const oauthDiscoveryRequest = (
|
||||
issuerUrl: URL,
|
||||
): Promise<AuthorizationServer> => {
|
||||
return discoveryRequest(issuerUrl, {
|
||||
algorithm: "oidc",
|
||||
}).then((res) => processDiscoveryResponse(issuerUrl, res));
|
||||
};
|
||||
|
||||
export const oauthRedirectUri = (baseUrl: URL, issuer: string): URL =>
|
||||
new URL(`/oauth/sso/${issuer}/callback`, baseUrl);
|
||||
|
||||
const getFlow = (
|
||||
flowId: string,
|
||||
): Promise<
|
||||
| (InferSelectModel<typeof OpenIdLoginFlows> & {
|
||||
application?: typeof Application.$type | null;
|
||||
})
|
||||
| undefined
|
||||
> => {
|
||||
return db.query.OpenIdLoginFlows.findFirst({
|
||||
where: (flow): SQL | undefined => eq(flow.id, flowId),
|
||||
with: {
|
||||
application: true,
|
||||
},
|
||||
});
|
||||
};
|
||||
|
||||
const getAuthServer = (issuerUrl: URL): Promise<AuthorizationServer> => {
|
||||
return discoveryRequest(issuerUrl, {
|
||||
algorithm: "oidc",
|
||||
}).then((res) => processDiscoveryResponse(issuerUrl, res));
|
||||
};
|
||||
|
||||
const getParameters = (
|
||||
authServer: AuthorizationServer,
|
||||
clientId: string,
|
||||
currentUrl: URL,
|
||||
): URLSearchParams => {
|
||||
return validateAuthResponse(
|
||||
authServer,
|
||||
{
|
||||
client_id: clientId,
|
||||
},
|
||||
currentUrl,
|
||||
expectNoState,
|
||||
);
|
||||
};
|
||||
|
||||
const getOIDCResponse = (
|
||||
authServer: AuthorizationServer,
|
||||
clientId: string,
|
||||
clientSecret: string,
|
||||
redirectUri: URL,
|
||||
codeVerifier: string,
|
||||
parameters: URLSearchParams,
|
||||
): Promise<Response> => {
|
||||
return authorizationCodeGrantRequest(
|
||||
authServer,
|
||||
{
|
||||
client_id: clientId,
|
||||
},
|
||||
ClientSecretPost(clientSecret),
|
||||
parameters,
|
||||
redirectUri.toString(),
|
||||
codeVerifier,
|
||||
);
|
||||
};
|
||||
|
||||
const processOIDCResponse = (
|
||||
authServer: AuthorizationServer,
|
||||
clientId: string,
|
||||
oidcResponse: Response,
|
||||
): Promise<TokenEndpointResponse> => {
|
||||
return processAuthorizationCodeResponse(
|
||||
authServer,
|
||||
{
|
||||
client_id: clientId,
|
||||
},
|
||||
oidcResponse,
|
||||
);
|
||||
};
|
||||
|
||||
const getUserInfo = (
|
||||
authServer: AuthorizationServer,
|
||||
clientId: string,
|
||||
accessToken: string,
|
||||
sub: string,
|
||||
): Promise<UserInfoResponse> => {
|
||||
return userInfoRequest(
|
||||
authServer,
|
||||
{
|
||||
client_id: clientId,
|
||||
},
|
||||
accessToken,
|
||||
).then(
|
||||
async (res) =>
|
||||
await processUserInfoResponse(
|
||||
authServer,
|
||||
{
|
||||
client_id: clientId,
|
||||
},
|
||||
sub,
|
||||
res,
|
||||
),
|
||||
);
|
||||
};
|
||||
|
||||
export const automaticOidcFlow = async (
|
||||
issuer: {
|
||||
url: string;
|
||||
client_id: string;
|
||||
client_secret: string;
|
||||
},
|
||||
flowId: string,
|
||||
currentUrl: URL,
|
||||
redirectUrl: URL,
|
||||
errorFn: (
|
||||
error: string,
|
||||
message: string,
|
||||
flow:
|
||||
| (InferSelectModel<typeof OpenIdLoginFlows> & {
|
||||
application?: typeof Application.$type | null;
|
||||
})
|
||||
| null,
|
||||
) => Response,
|
||||
): Promise<
|
||||
| Response
|
||||
| {
|
||||
userInfo: UserInfoResponse;
|
||||
flow: InferSelectModel<typeof OpenIdLoginFlows> & {
|
||||
application?: typeof Application.$type | null;
|
||||
};
|
||||
claims: Record<string, unknown>;
|
||||
}
|
||||
> => {
|
||||
const flow = await getFlow(flowId);
|
||||
|
||||
if (!flow) {
|
||||
return errorFn("invalid_request", "Invalid flow", null);
|
||||
}
|
||||
|
||||
try {
|
||||
const issuerUrl = new URL(issuer.url);
|
||||
|
||||
const authServer = await getAuthServer(issuerUrl);
|
||||
|
||||
const parameters = getParameters(
|
||||
authServer,
|
||||
issuer.client_id,
|
||||
currentUrl,
|
||||
);
|
||||
|
||||
const oidcResponse = await getOIDCResponse(
|
||||
authServer,
|
||||
issuer.client_id,
|
||||
issuer.client_secret,
|
||||
redirectUrl,
|
||||
flow.codeVerifier,
|
||||
parameters,
|
||||
);
|
||||
|
||||
const result = await processOIDCResponse(
|
||||
authServer,
|
||||
issuer.client_id,
|
||||
oidcResponse,
|
||||
);
|
||||
|
||||
const { access_token } = result;
|
||||
|
||||
const claims = getValidatedIdTokenClaims(result);
|
||||
|
||||
if (!claims) {
|
||||
return errorFn("invalid_request", "Invalid claims", flow);
|
||||
}
|
||||
|
||||
const { sub } = claims;
|
||||
|
||||
// Validate `sub`
|
||||
// Later, we'll use this to automatically set the user's data
|
||||
const userInfo = await getUserInfo(
|
||||
authServer,
|
||||
issuer.client_id,
|
||||
access_token,
|
||||
sub,
|
||||
);
|
||||
|
||||
return {
|
||||
userInfo,
|
||||
flow,
|
||||
claims,
|
||||
};
|
||||
} catch (e) {
|
||||
const error = e as ResponseBodyError | AuthorizationResponseError;
|
||||
return errorFn(error.error, error.error_description || "", flow);
|
||||
}
|
||||
};
|
||||
|
|
@ -2,19 +2,17 @@ import { afterAll, describe, expect, test } from "bun:test";
|
|||
import { config } from "@versia-server/config";
|
||||
import { Application } from "@versia-server/kit/db";
|
||||
import { fakeRequest, getTestUsers } from "@versia-server/tests";
|
||||
import { randomUUIDv7 } from "bun";
|
||||
import { randomString } from "@/math";
|
||||
|
||||
const { users, deleteUsers, passwords } = await getTestUsers(1);
|
||||
|
||||
// Create application
|
||||
const application = await Application.insert({
|
||||
id: randomUUIDv7(),
|
||||
id: randomString(32, "hex"),
|
||||
name: "Test Application",
|
||||
clientId: randomString(32, "hex"),
|
||||
secret: "test",
|
||||
redirectUri: "https://example.com",
|
||||
scopes: "read write",
|
||||
redirectUris: ["https://example.com"],
|
||||
scopes: ["read", "write"],
|
||||
});
|
||||
|
||||
afterAll(async () => {
|
||||
|
|
@ -31,7 +29,7 @@ describe("/api/auth/login", () => {
|
|||
formData.append("password", passwords[0]);
|
||||
|
||||
const response = await fakeRequest(
|
||||
`/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
|
||||
`/api/auth/login?client_id=${application.data.id}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
|
||||
{
|
||||
method: "POST",
|
||||
body: formData,
|
||||
|
|
@ -47,7 +45,7 @@ describe("/api/auth/login", () => {
|
|||
|
||||
expect(locationHeader.pathname).toBe("/oauth/consent");
|
||||
expect(locationHeader.searchParams.get("client_id")).toBe(
|
||||
application.data.clientId,
|
||||
application.data.id,
|
||||
);
|
||||
expect(locationHeader.searchParams.get("redirect_uri")).toBe(
|
||||
"https://example.com",
|
||||
|
|
@ -65,7 +63,7 @@ describe("/api/auth/login", () => {
|
|||
formData.append("password", passwords[0]);
|
||||
|
||||
const response = await fakeRequest(
|
||||
`/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
|
||||
`/api/auth/login?client_id=${application.data.id}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
|
||||
{
|
||||
method: "POST",
|
||||
body: formData,
|
||||
|
|
@ -81,7 +79,7 @@ describe("/api/auth/login", () => {
|
|||
|
||||
expect(locationHeader.pathname).toBe("/oauth/consent");
|
||||
expect(locationHeader.searchParams.get("client_id")).toBe(
|
||||
application.data.clientId,
|
||||
application.data.id,
|
||||
);
|
||||
expect(locationHeader.searchParams.get("redirect_uri")).toBe(
|
||||
"https://example.com",
|
||||
|
|
@ -99,7 +97,7 @@ describe("/api/auth/login", () => {
|
|||
formData.append("password", passwords[0]);
|
||||
|
||||
const response = await fakeRequest(
|
||||
`/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write&state=abc`,
|
||||
`/api/auth/login?client_id=${application.data.id}&redirect_uri=https://example.com&response_type=code&scope=read+write&state=abc`,
|
||||
{
|
||||
method: "POST",
|
||||
body: formData,
|
||||
|
|
@ -115,7 +113,7 @@ describe("/api/auth/login", () => {
|
|||
|
||||
expect(locationHeader.pathname).toBe("/oauth/consent");
|
||||
expect(locationHeader.searchParams.get("client_id")).toBe(
|
||||
application.data.clientId,
|
||||
application.data.id,
|
||||
);
|
||||
expect(locationHeader.searchParams.get("redirect_uri")).toBe(
|
||||
"https://example.com",
|
||||
|
|
@ -136,7 +134,7 @@ describe("/api/auth/login", () => {
|
|||
formData.append("password", "password");
|
||||
|
||||
const response = await fakeRequest(
|
||||
`/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
|
||||
`/api/auth/login?client_id=${application.data.id}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
|
||||
|
||||
{
|
||||
method: "POST",
|
||||
|
|
@ -169,7 +167,7 @@ describe("/api/auth/login", () => {
|
|||
formData.append("password", "password");
|
||||
|
||||
const response = await fakeRequest(
|
||||
`/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
|
||||
`/api/auth/login?client_id=${application.data.id}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
|
||||
{
|
||||
method: "POST",
|
||||
body: formData,
|
||||
|
|
@ -201,7 +199,7 @@ describe("/api/auth/login", () => {
|
|||
formData.append("password", "password");
|
||||
|
||||
const response = await fakeRequest(
|
||||
`/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
|
||||
`/api/auth/login?client_id=${application.data.id}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
|
||||
{
|
||||
method: "POST",
|
||||
body: formData,
|
||||
|
|
|
|||
|
|
@ -7,8 +7,8 @@ import { password as bunPassword } from "bun";
|
|||
import { eq, or } from "drizzle-orm";
|
||||
import type { Context } from "hono";
|
||||
import { setCookie } from "hono/cookie";
|
||||
import { sign } from "hono/jwt";
|
||||
import { describeRoute, validator } from "hono-openapi";
|
||||
import { SignJWT } from "jose";
|
||||
import { z } from "zod/v4";
|
||||
|
||||
const returnError = (
|
||||
|
|
@ -144,16 +144,17 @@ export default apiRoute((app) =>
|
|||
}
|
||||
|
||||
// Generate JWT
|
||||
const jwt = await new SignJWT({
|
||||
sub: user.id,
|
||||
iss: config.http.base_url.origin,
|
||||
aud: client_id,
|
||||
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
||||
iat: Math.floor(Date.now() / 1000),
|
||||
nbf: Math.floor(Date.now() / 1000),
|
||||
})
|
||||
.setProtectedHeader({ alg: "EdDSA" })
|
||||
.sign(config.authentication.keys.private);
|
||||
const jwt = await sign(
|
||||
{
|
||||
sub: user.id,
|
||||
iss: config.http.base_url.origin,
|
||||
aud: client_id,
|
||||
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
||||
iat: Math.floor(Date.now() / 1000),
|
||||
nbf: Math.floor(Date.now() / 1000),
|
||||
},
|
||||
config.authentication.keys.private,
|
||||
);
|
||||
|
||||
const application = await Application.fromClientId(client_id);
|
||||
|
||||
|
|
|
|||
|
|
@ -1,75 +0,0 @@
|
|||
import { config } from "@versia-server/config";
|
||||
import { apiRoute, handleZodError } from "@versia-server/kit/api";
|
||||
import { db } from "@versia-server/kit/db";
|
||||
import { Applications, Tokens } from "@versia-server/kit/tables";
|
||||
import { and, eq } from "drizzle-orm";
|
||||
import { describeRoute, validator } from "hono-openapi";
|
||||
import { z } from "zod/v4";
|
||||
|
||||
/**
|
||||
* OAuth Code flow
|
||||
*/
|
||||
export default apiRoute((app) =>
|
||||
app.get(
|
||||
"/api/auth/redirect",
|
||||
describeRoute({
|
||||
summary: "OAuth Code flow",
|
||||
description:
|
||||
"Redirects to the application, or back to login if the code is invalid",
|
||||
tags: ["OpenID"],
|
||||
responses: {
|
||||
302: {
|
||||
description:
|
||||
"Redirects to the application, or back to login if the code is invalid",
|
||||
},
|
||||
},
|
||||
}),
|
||||
validator(
|
||||
"query",
|
||||
z.object({
|
||||
redirect_uri: z.url(),
|
||||
client_id: z.string(),
|
||||
code: z.string(),
|
||||
}),
|
||||
handleZodError,
|
||||
),
|
||||
async (context) => {
|
||||
const { redirect_uri, client_id, code } =
|
||||
context.req.valid("query");
|
||||
|
||||
const redirectToLogin = (error: string): Response =>
|
||||
context.redirect(
|
||||
`${config.frontend.routes.login}?${new URLSearchParams({
|
||||
...context.req.query,
|
||||
error: encodeURIComponent(error),
|
||||
}).toString()}`,
|
||||
);
|
||||
|
||||
const foundToken = await db
|
||||
.select()
|
||||
.from(Tokens)
|
||||
.leftJoin(
|
||||
Applications,
|
||||
eq(Tokens.applicationId, Applications.id),
|
||||
)
|
||||
.where(
|
||||
and(
|
||||
eq(Tokens.code, code),
|
||||
eq(Applications.clientId, client_id),
|
||||
),
|
||||
)
|
||||
.limit(1);
|
||||
|
||||
if (!foundToken || foundToken.length <= 0) {
|
||||
return redirectToLogin("Invalid code");
|
||||
}
|
||||
|
||||
// Redirect back to application
|
||||
return context.redirect(
|
||||
`${redirect_uri}?${new URLSearchParams({
|
||||
code,
|
||||
}).toString()}`,
|
||||
);
|
||||
},
|
||||
),
|
||||
);
|
||||
|
|
@ -1,124 +0,0 @@
|
|||
import { afterAll, describe, expect, test } from "bun:test";
|
||||
import { config } from "@versia-server/config";
|
||||
import { Application } from "@versia-server/kit/db";
|
||||
import { fakeRequest, getTestUsers } from "@versia-server/tests";
|
||||
import { randomUUIDv7 } from "bun";
|
||||
import { randomString } from "@/math";
|
||||
|
||||
const { users, deleteUsers, passwords } = await getTestUsers(1);
|
||||
const token = randomString(32, "hex");
|
||||
const newPassword = randomString(16, "hex");
|
||||
|
||||
// Create application
|
||||
const application = await Application.insert({
|
||||
id: randomUUIDv7(),
|
||||
name: "Test Application",
|
||||
clientId: randomString(32, "hex"),
|
||||
secret: "test",
|
||||
redirectUri: "https://example.com",
|
||||
scopes: "read write",
|
||||
});
|
||||
|
||||
afterAll(async () => {
|
||||
await deleteUsers();
|
||||
await application.delete();
|
||||
});
|
||||
|
||||
// /api/auth/reset
|
||||
describe("/api/auth/reset", () => {
|
||||
test("should login with normal password", async () => {
|
||||
const formData = new FormData();
|
||||
|
||||
formData.append("identifier", users[0]?.data.username ?? "");
|
||||
formData.append("password", passwords[0]);
|
||||
|
||||
const response = await fakeRequest(
|
||||
`/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
|
||||
|
||||
{
|
||||
method: "POST",
|
||||
body: formData,
|
||||
},
|
||||
);
|
||||
|
||||
expect(response.status).toBe(302);
|
||||
expect(response.headers.get("location")).toBeDefined();
|
||||
});
|
||||
|
||||
test("should reset password and refuse login with old password", async () => {
|
||||
await users[0]?.update({
|
||||
passwordResetToken: token,
|
||||
});
|
||||
|
||||
const formData = new FormData();
|
||||
|
||||
formData.append("identifier", users[0]?.data.username ?? "");
|
||||
formData.append("password", passwords[0]);
|
||||
|
||||
const response = await fakeRequest(
|
||||
`/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
|
||||
{
|
||||
method: "POST",
|
||||
body: formData,
|
||||
},
|
||||
);
|
||||
|
||||
expect(response.status).toBe(302);
|
||||
expect(response.headers.get("location")).toBeDefined();
|
||||
const locationHeader = new URL(
|
||||
response.headers.get("Location") ?? "",
|
||||
config.http.base_url,
|
||||
);
|
||||
|
||||
expect(locationHeader.pathname).toBe("/oauth/reset");
|
||||
expect(locationHeader.searchParams.get("token")).toBe(token);
|
||||
});
|
||||
|
||||
test("should reset password and login with new password", async () => {
|
||||
const formData = new FormData();
|
||||
|
||||
formData.append("token", token);
|
||||
formData.append("password", newPassword);
|
||||
formData.append("password2", newPassword);
|
||||
|
||||
const response = await fakeRequest("/api/auth/reset", {
|
||||
method: "POST",
|
||||
body: formData,
|
||||
});
|
||||
|
||||
expect(response.status).toBe(302);
|
||||
expect(response.headers.get("location")).toBeDefined();
|
||||
|
||||
const loginFormData = new FormData();
|
||||
|
||||
loginFormData.append("identifier", users[0]?.data.username ?? "");
|
||||
loginFormData.append("password", newPassword);
|
||||
|
||||
const loginResponse = await fakeRequest(
|
||||
`/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
|
||||
{
|
||||
method: "POST",
|
||||
body: loginFormData,
|
||||
},
|
||||
);
|
||||
|
||||
expect(loginResponse.status).toBe(302);
|
||||
expect(loginResponse.headers.get("location")).toBeDefined();
|
||||
const locationHeader = new URL(
|
||||
loginResponse.headers.get("Location") ?? "",
|
||||
config.http.base_url,
|
||||
);
|
||||
|
||||
expect(locationHeader.pathname).toBe("/oauth/consent");
|
||||
expect(locationHeader.searchParams.get("client_id")).toBe(
|
||||
application.data.clientId,
|
||||
);
|
||||
expect(locationHeader.searchParams.get("redirect_uri")).toBe(
|
||||
"https://example.com",
|
||||
);
|
||||
expect(locationHeader.searchParams.get("response_type")).toBe("code");
|
||||
expect(locationHeader.searchParams.get("scope")).toBe("read write");
|
||||
|
||||
expect(loginResponse.headers.get("Set-Cookie")).toMatch(/jwt=[^;]+;/);
|
||||
});
|
||||
});
|
||||
|
|
@ -1,80 +0,0 @@
|
|||
import { config } from "@versia-server/config";
|
||||
import { apiRoute, handleZodError } from "@versia-server/kit/api";
|
||||
import { User } from "@versia-server/kit/db";
|
||||
import { Users } from "@versia-server/kit/tables";
|
||||
import { password as bunPassword } from "bun";
|
||||
import { eq } from "drizzle-orm";
|
||||
import type { Context } from "hono";
|
||||
import { describeRoute, validator } from "hono-openapi";
|
||||
import { z } from "zod/v4";
|
||||
|
||||
const returnError = (
|
||||
context: Context,
|
||||
token: string,
|
||||
error: string,
|
||||
description: string,
|
||||
): Response => {
|
||||
const searchParams = new URLSearchParams();
|
||||
|
||||
searchParams.append("error", error);
|
||||
searchParams.append("error_description", description);
|
||||
searchParams.append("token", token);
|
||||
|
||||
return context.redirect(
|
||||
new URL(
|
||||
`${
|
||||
config.frontend.routes.password_reset
|
||||
}?${searchParams.toString()}`,
|
||||
config.http.base_url,
|
||||
).toString(),
|
||||
);
|
||||
};
|
||||
|
||||
export default apiRoute((app) =>
|
||||
app.post(
|
||||
"/api/auth/reset",
|
||||
describeRoute({
|
||||
summary: "Reset password",
|
||||
description: "Reset password",
|
||||
responses: {
|
||||
302: {
|
||||
description:
|
||||
"Redirect to the password reset page with a message",
|
||||
},
|
||||
},
|
||||
}),
|
||||
validator(
|
||||
"form",
|
||||
z.object({
|
||||
token: z.string().min(1),
|
||||
password: z.string().min(3).max(100),
|
||||
}),
|
||||
handleZodError,
|
||||
),
|
||||
async (context) => {
|
||||
const { token, password } = context.req.valid("form");
|
||||
|
||||
const user = await User.fromSql(
|
||||
eq(Users.passwordResetToken, token),
|
||||
);
|
||||
|
||||
if (!user) {
|
||||
return returnError(
|
||||
context,
|
||||
token,
|
||||
"invalid_token",
|
||||
"Invalid token",
|
||||
);
|
||||
}
|
||||
|
||||
await user.update({
|
||||
password: await bunPassword.hash(password),
|
||||
passwordResetToken: null,
|
||||
});
|
||||
|
||||
return context.redirect(
|
||||
`${config.frontend.routes.password_reset}?success=true`,
|
||||
);
|
||||
},
|
||||
),
|
||||
);
|
||||
|
|
@ -1,394 +0,0 @@
|
|||
import { afterAll, describe, expect, test } from "bun:test";
|
||||
import { RolePermission } from "@versia/client/schemas";
|
||||
import { config } from "@versia-server/config";
|
||||
import { Application } from "@versia-server/kit/db";
|
||||
import { fakeRequest, getTestUsers } from "@versia-server/tests";
|
||||
import { randomUUIDv7 } from "bun";
|
||||
import { SignJWT } from "jose";
|
||||
import { randomString } from "@/math";
|
||||
|
||||
const { deleteUsers, tokens, users } = await getTestUsers(1);
|
||||
|
||||
const application = await Application.insert({
|
||||
id: randomUUIDv7(),
|
||||
clientId: "test-client-id",
|
||||
redirectUri: "https://example.com/callback",
|
||||
scopes: "openid profile email",
|
||||
name: "Test Application",
|
||||
secret: "test-secret",
|
||||
});
|
||||
|
||||
afterAll(async () => {
|
||||
await deleteUsers();
|
||||
await application.delete();
|
||||
});
|
||||
|
||||
describe("/oauth/authorize", () => {
|
||||
test("should authorize and redirect with valid inputs", async () => {
|
||||
const jwt = await new SignJWT({
|
||||
sub: users[0].id,
|
||||
iss: config.http.base_url.origin,
|
||||
aud: application.data.clientId,
|
||||
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
||||
iat: Math.floor(Date.now() / 1000),
|
||||
nbf: Math.floor(Date.now() / 1000),
|
||||
})
|
||||
.setProtectedHeader({ alg: "EdDSA" })
|
||||
.sign(config.authentication.keys.private);
|
||||
|
||||
const response = await fakeRequest("/oauth/authorize", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
||||
"Content-Type": "application/json",
|
||||
Cookie: `jwt=${jwt}`,
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
redirect_uri: application.data.redirectUri,
|
||||
response_type: "code",
|
||||
scope: application.data.scopes,
|
||||
state: "test-state",
|
||||
code_challenge: randomString(43),
|
||||
code_challenge_method: "S256",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(302);
|
||||
const location = new URL(
|
||||
response.headers.get("Location") ?? "",
|
||||
config.http.base_url,
|
||||
);
|
||||
const params = new URLSearchParams(location.search);
|
||||
expect(location.origin + location.pathname).toBe(
|
||||
application.data.redirectUri,
|
||||
);
|
||||
expect(params.get("code")).toBeTruthy();
|
||||
expect(params.get("state")).toBe("test-state");
|
||||
});
|
||||
|
||||
test("should return error for invalid JWT", async () => {
|
||||
const response = await fakeRequest("/oauth/authorize", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
||||
"Content-Type": "application/json",
|
||||
Cookie: "jwt=invalid-jwt",
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
redirect_uri: application.data.redirectUri,
|
||||
response_type: "code",
|
||||
scope: application.data.scopes,
|
||||
state: "test-state",
|
||||
code_challenge: randomString(43),
|
||||
code_challenge_method: "S256",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(302);
|
||||
const location = new URL(
|
||||
response.headers.get("Location") ?? "",
|
||||
config.http.base_url,
|
||||
);
|
||||
const params = new URLSearchParams(location.search);
|
||||
expect(params.get("error")).toBe("invalid_request");
|
||||
expect(params.get("error_description")).toBe(
|
||||
"Invalid JWT: could not verify",
|
||||
);
|
||||
});
|
||||
|
||||
test("should return error for missing required fields in JWT", async () => {
|
||||
const jwt = await new SignJWT({
|
||||
sub: users[0].id,
|
||||
iss: config.http.base_url.origin,
|
||||
aud: application.data.clientId,
|
||||
})
|
||||
.setProtectedHeader({ alg: "EdDSA" })
|
||||
.sign(config.authentication.keys.private);
|
||||
|
||||
const response = await fakeRequest("/oauth/authorize", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
||||
"Content-Type": "application/json",
|
||||
Cookie: `jwt=${jwt}`,
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
redirect_uri: application.data.redirectUri,
|
||||
response_type: "code",
|
||||
scope: application.data.scopes,
|
||||
state: "test-state",
|
||||
code_challenge: randomString(43),
|
||||
code_challenge_method: "S256",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(302);
|
||||
const location = new URL(
|
||||
response.headers.get("Location") ?? "",
|
||||
config.http.base_url,
|
||||
);
|
||||
const params = new URLSearchParams(location.search);
|
||||
expect(params.get("error")).toBe("invalid_request");
|
||||
expect(params.get("error_description")).toBe(
|
||||
"Invalid JWT: missing required fields (aud, sub, exp, iss)",
|
||||
);
|
||||
});
|
||||
|
||||
test("should return error for user not found", async () => {
|
||||
const jwt = await new SignJWT({
|
||||
sub: "non-existent-user",
|
||||
aud: application.data.clientId,
|
||||
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
||||
iss: config.http.base_url.origin,
|
||||
iat: Math.floor(Date.now() / 1000),
|
||||
nbf: Math.floor(Date.now() / 1000),
|
||||
})
|
||||
.setProtectedHeader({ alg: "EdDSA" })
|
||||
.sign(config.authentication.keys.private);
|
||||
|
||||
const response = await fakeRequest("/oauth/authorize", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
||||
"Content-Type": "application/json",
|
||||
Cookie: `jwt=${jwt}`,
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
redirect_uri: application.data.redirectUri,
|
||||
response_type: "code",
|
||||
scope: application.data.scopes,
|
||||
state: "test-state",
|
||||
code_challenge: randomString(43),
|
||||
code_challenge_method: "S256",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(302);
|
||||
const location = new URL(
|
||||
response.headers.get("Location") ?? "",
|
||||
config.http.base_url,
|
||||
);
|
||||
const params = new URLSearchParams(location.search);
|
||||
expect(params.get("error")).toBe("invalid_request");
|
||||
expect(params.get("error_description")).toBe(
|
||||
"Invalid JWT: sub is not a valid user ID",
|
||||
);
|
||||
|
||||
const jwt2 = await new SignJWT({
|
||||
sub: "23e42862-d5df-49a8-95b5-52d8c6a11aea",
|
||||
aud: application.data.clientId,
|
||||
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
||||
iss: config.http.base_url.origin,
|
||||
iat: Math.floor(Date.now() / 1000),
|
||||
nbf: Math.floor(Date.now() / 1000),
|
||||
})
|
||||
.setProtectedHeader({ alg: "EdDSA" })
|
||||
.sign(config.authentication.keys.private);
|
||||
|
||||
const response2 = await fakeRequest("/oauth/authorize", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
||||
"Content-Type": "application/json",
|
||||
Cookie: `jwt=${jwt2}`,
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
redirect_uri: application.data.redirectUri,
|
||||
response_type: "code",
|
||||
scope: application.data.scopes,
|
||||
state: "test-state",
|
||||
code_challenge: randomString(43),
|
||||
code_challenge_method: "S256",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response2.status).toBe(302);
|
||||
const location2 = new URL(
|
||||
response2.headers.get("Location") ?? "",
|
||||
config.http.base_url,
|
||||
);
|
||||
const params2 = new URLSearchParams(location2.search);
|
||||
expect(params2.get("error")).toBe("invalid_request");
|
||||
expect(params2.get("error_description")).toBe(
|
||||
"Invalid JWT, could not find associated user",
|
||||
);
|
||||
});
|
||||
|
||||
test("should return error for user missing required permissions", async () => {
|
||||
const oldPermissions = config.permissions.default;
|
||||
config.permissions.default = [];
|
||||
|
||||
const jwt = await new SignJWT({
|
||||
sub: users[0].id,
|
||||
iss: config.http.base_url.origin,
|
||||
aud: application.data.clientId,
|
||||
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
||||
iat: Math.floor(Date.now() / 1000),
|
||||
nbf: Math.floor(Date.now() / 1000),
|
||||
})
|
||||
.setProtectedHeader({ alg: "EdDSA" })
|
||||
.sign(config.authentication.keys.private);
|
||||
|
||||
const response = await fakeRequest("/oauth/authorize", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
||||
"Content-Type": "application/json",
|
||||
Cookie: `jwt=${jwt}`,
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
redirect_uri: application.data.redirectUri,
|
||||
response_type: "code",
|
||||
scope: application.data.scopes,
|
||||
state: "test-state",
|
||||
code_challenge: randomString(43),
|
||||
code_challenge_method: "S256",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(302);
|
||||
const location = new URL(
|
||||
response.headers.get("Location") ?? "",
|
||||
config.http.base_url,
|
||||
);
|
||||
const params = new URLSearchParams(location.search);
|
||||
expect(params.get("error")).toBe("unauthorized");
|
||||
expect(params.get("error_description")).toBe(
|
||||
`User missing required '${RolePermission.OAuth}' permission`,
|
||||
);
|
||||
|
||||
config.permissions.default = oldPermissions;
|
||||
});
|
||||
|
||||
test("should return error for invalid client_id", async () => {
|
||||
const jwt = await new SignJWT({
|
||||
sub: users[0].id,
|
||||
aud: "invalid-client-id",
|
||||
iss: config.http.base_url.origin,
|
||||
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
||||
iat: Math.floor(Date.now() / 1000),
|
||||
nbf: Math.floor(Date.now() / 1000),
|
||||
})
|
||||
.setProtectedHeader({ alg: "EdDSA" })
|
||||
.sign(config.authentication.keys.private);
|
||||
|
||||
const response = await fakeRequest("/oauth/authorize", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
||||
"Content-Type": "application/json",
|
||||
Cookie: `jwt=${jwt}`,
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: "invalid-client-id",
|
||||
redirect_uri: application.data.redirectUri,
|
||||
response_type: "code",
|
||||
scope: application.data.scopes,
|
||||
state: "test-state",
|
||||
code_challenge: randomString(43),
|
||||
code_challenge_method: "S256",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(302);
|
||||
const location = new URL(
|
||||
response.headers.get("Location") ?? "",
|
||||
config.http.base_url,
|
||||
);
|
||||
const params = new URLSearchParams(location.search);
|
||||
expect(params.get("error")).toBe("invalid_request");
|
||||
expect(params.get("error_description")).toBe(
|
||||
"Invalid client_id: no associated API application found",
|
||||
);
|
||||
});
|
||||
|
||||
test("should return error for invalid redirect_uri", async () => {
|
||||
const jwt = await new SignJWT({
|
||||
sub: users[0].id,
|
||||
iss: config.http.base_url.origin,
|
||||
aud: application.data.clientId,
|
||||
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
||||
iat: Math.floor(Date.now() / 1000),
|
||||
nbf: Math.floor(Date.now() / 1000),
|
||||
})
|
||||
.setProtectedHeader({ alg: "EdDSA" })
|
||||
.sign(config.authentication.keys.private);
|
||||
|
||||
const response = await fakeRequest("/oauth/authorize", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
||||
"Content-Type": "application/json",
|
||||
Cookie: `jwt=${jwt}`,
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
redirect_uri: "https://invalid.com/callback",
|
||||
response_type: "code",
|
||||
scope: application.data.scopes,
|
||||
state: "test-state",
|
||||
code_challenge: randomString(43),
|
||||
code_challenge_method: "S256",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(302);
|
||||
const location = new URL(
|
||||
response.headers.get("Location") ?? "",
|
||||
config.http.base_url,
|
||||
);
|
||||
const params = new URLSearchParams(location.search);
|
||||
expect(params.get("error")).toBe("invalid_request");
|
||||
expect(params.get("error_description")).toBe(
|
||||
"Invalid redirect_uri: does not match API application's redirect_uri",
|
||||
);
|
||||
});
|
||||
|
||||
test("should return error for invalid scope", async () => {
|
||||
const jwt = await new SignJWT({
|
||||
sub: users[0].id,
|
||||
iss: config.http.base_url.origin,
|
||||
aud: application.data.clientId,
|
||||
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
||||
iat: Math.floor(Date.now() / 1000),
|
||||
nbf: Math.floor(Date.now() / 1000),
|
||||
})
|
||||
.setProtectedHeader({ alg: "EdDSA" })
|
||||
.sign(config.authentication.keys.private);
|
||||
|
||||
const response = await fakeRequest("/oauth/authorize", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
||||
"Content-Type": "application/json",
|
||||
Cookie: `jwt=${jwt}`,
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
redirect_uri: application.data.redirectUri,
|
||||
response_type: "code",
|
||||
scope: "invalid-scope",
|
||||
state: "test-state",
|
||||
code_challenge: randomString(43),
|
||||
code_challenge_method: "S256",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(302);
|
||||
const location = new URL(
|
||||
response.headers.get("Location") ?? "",
|
||||
config.http.base_url,
|
||||
);
|
||||
const params = new URLSearchParams(location.search);
|
||||
expect(params.get("error")).toBe("invalid_request");
|
||||
expect(params.get("error_description")).toBe(
|
||||
"Invalid scope: not a subset of the application's scopes",
|
||||
);
|
||||
});
|
||||
});
|
||||
|
|
@ -1,277 +0,0 @@
|
|||
import { RolePermission } from "@versia/client/schemas";
|
||||
import { config } from "@versia-server/config";
|
||||
import {
|
||||
apiRoute,
|
||||
auth,
|
||||
handleZodError,
|
||||
jsonOrForm,
|
||||
} from "@versia-server/kit/api";
|
||||
import { Application, Token, User } from "@versia-server/kit/db";
|
||||
import { randomUUIDv7 } from "bun";
|
||||
import { describeRoute, validator } from "hono-openapi";
|
||||
import { type JWTPayload, jwtVerify, SignJWT } from "jose";
|
||||
import { JOSEError } from "jose/errors";
|
||||
import { z } from "zod/v4";
|
||||
import { randomString } from "@/math";
|
||||
import { errorRedirect, errors } from "../../../plugins/openid/errors.ts";
|
||||
|
||||
export default apiRoute((app) =>
|
||||
app.post(
|
||||
"/oauth/authorize",
|
||||
describeRoute({
|
||||
summary: "Main OpenID authorization endpoint",
|
||||
tags: ["OpenID"],
|
||||
responses: {
|
||||
302: {
|
||||
description: "Redirect to the application",
|
||||
},
|
||||
},
|
||||
}),
|
||||
auth({
|
||||
auth: false,
|
||||
}),
|
||||
jsonOrForm(),
|
||||
validator(
|
||||
"query",
|
||||
z.object({
|
||||
prompt: z
|
||||
.enum(["none", "login", "consent", "select_account"])
|
||||
.optional()
|
||||
.default("none"),
|
||||
max_age: z.coerce
|
||||
.number()
|
||||
.int()
|
||||
.optional()
|
||||
.default(60 * 60 * 24 * 7),
|
||||
}),
|
||||
handleZodError,
|
||||
),
|
||||
validator(
|
||||
"json",
|
||||
z
|
||||
.object({
|
||||
scope: z.string().optional(),
|
||||
redirect_uri: z
|
||||
.url()
|
||||
.optional()
|
||||
.or(z.literal("urn:ietf:wg:oauth:2.0:oob")),
|
||||
response_type: z.enum([
|
||||
"code",
|
||||
"token",
|
||||
"none",
|
||||
"id_token",
|
||||
"code id_token",
|
||||
"code token",
|
||||
"token id_token",
|
||||
"code token id_token",
|
||||
]),
|
||||
client_id: z.string(),
|
||||
state: z.string().optional(),
|
||||
code_challenge: z.string().optional(),
|
||||
code_challenge_method: z.enum(["plain", "S256"]).optional(),
|
||||
})
|
||||
.refine(
|
||||
// Check if redirect_uri is valid for code flow
|
||||
(data) =>
|
||||
data.response_type.includes("code")
|
||||
? data.redirect_uri
|
||||
: true,
|
||||
"redirect_uri is required for code flow",
|
||||
),
|
||||
// Disable for Mastodon API compatibility
|
||||
/* .refine(
|
||||
// Check if code_challenge is valid for code flow
|
||||
(data) =>
|
||||
data.response_type.includes("code")
|
||||
? data.code_challenge
|
||||
: true,
|
||||
"code_challenge is required for code flow",
|
||||
), */
|
||||
handleZodError,
|
||||
),
|
||||
validator(
|
||||
"cookie",
|
||||
z.object({
|
||||
jwt: z.string(),
|
||||
}),
|
||||
handleZodError,
|
||||
),
|
||||
async (context) => {
|
||||
const { scope, redirect_uri, client_id, state } =
|
||||
context.req.valid("json");
|
||||
|
||||
const { jwt } = context.req.valid("cookie");
|
||||
|
||||
const errorSearchParams = new URLSearchParams(
|
||||
context.req.valid("json"),
|
||||
);
|
||||
|
||||
const result = await jwtVerify(
|
||||
jwt,
|
||||
config.authentication.keys.public,
|
||||
{
|
||||
algorithms: ["EdDSA"],
|
||||
audience: client_id,
|
||||
issuer: new URL(context.get("config").http.base_url).origin,
|
||||
},
|
||||
).catch((error) => {
|
||||
if (error instanceof JOSEError) {
|
||||
return null;
|
||||
}
|
||||
|
||||
throw error;
|
||||
});
|
||||
|
||||
if (!result) {
|
||||
return errorRedirect(
|
||||
context,
|
||||
errors.InvalidJWT,
|
||||
errorSearchParams,
|
||||
);
|
||||
}
|
||||
|
||||
const {
|
||||
payload: { aud, sub, exp },
|
||||
} = result;
|
||||
|
||||
if (!(aud && sub && exp)) {
|
||||
return errorRedirect(
|
||||
context,
|
||||
errors.MissingJWTFields,
|
||||
errorSearchParams,
|
||||
);
|
||||
}
|
||||
|
||||
if (!z.uuid().safeParse(sub).success) {
|
||||
return errorRedirect(
|
||||
context,
|
||||
errors.InvalidSub,
|
||||
errorSearchParams,
|
||||
);
|
||||
}
|
||||
|
||||
const user = await User.fromId(sub);
|
||||
|
||||
if (!user) {
|
||||
return errorRedirect(
|
||||
context,
|
||||
errors.UserNotFound,
|
||||
errorSearchParams,
|
||||
);
|
||||
}
|
||||
|
||||
if (!user.hasPermission(RolePermission.OAuth)) {
|
||||
return errorRedirect(
|
||||
context,
|
||||
errors.MissingOauthPermission,
|
||||
errorSearchParams,
|
||||
);
|
||||
}
|
||||
|
||||
const application = await Application.fromClientId(client_id);
|
||||
|
||||
if (!application) {
|
||||
return errorRedirect(
|
||||
context,
|
||||
errors.MissingApplication,
|
||||
errorSearchParams,
|
||||
);
|
||||
}
|
||||
|
||||
if (application.data.redirectUri !== redirect_uri) {
|
||||
return errorRedirect(
|
||||
context,
|
||||
errors.InvalidRedirectUri,
|
||||
errorSearchParams,
|
||||
);
|
||||
}
|
||||
|
||||
// Check that scopes are a subset of the application's scopes
|
||||
if (
|
||||
scope &&
|
||||
!scope
|
||||
.split(" ")
|
||||
.every((s) => application.data.scopes.includes(s))
|
||||
) {
|
||||
return errorRedirect(
|
||||
context,
|
||||
errors.InvalidScope,
|
||||
errorSearchParams,
|
||||
);
|
||||
}
|
||||
|
||||
const code = randomString(256, "base64url");
|
||||
|
||||
let payload: JWTPayload = {};
|
||||
|
||||
if (scope) {
|
||||
if (scope.split(" ").includes("openid")) {
|
||||
payload = {
|
||||
...payload,
|
||||
sub: user.id,
|
||||
iss: new URL(context.get("config").http.base_url)
|
||||
.origin,
|
||||
aud: client_id,
|
||||
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
||||
iat: Math.floor(Date.now() / 1000),
|
||||
nbf: Math.floor(Date.now() / 1000),
|
||||
};
|
||||
}
|
||||
if (scope.split(" ").includes("profile")) {
|
||||
payload = {
|
||||
...payload,
|
||||
name: user.data.displayName,
|
||||
preferred_username: user.data.username,
|
||||
picture: user.getAvatarUrl().href,
|
||||
updated_at: new Date(user.data.updatedAt).toISOString(),
|
||||
};
|
||||
}
|
||||
if (scope.split(" ").includes("email")) {
|
||||
payload = {
|
||||
...payload,
|
||||
email: user.data.email,
|
||||
// TODO: Add verification system
|
||||
email_verified: true,
|
||||
};
|
||||
}
|
||||
}
|
||||
|
||||
const idToken = await new SignJWT(payload)
|
||||
.setProtectedHeader({ alg: "EdDSA" })
|
||||
.sign(config.authentication.keys.private);
|
||||
|
||||
await Token.insert({
|
||||
id: randomUUIDv7(),
|
||||
accessToken: randomString(64, "base64url"),
|
||||
code,
|
||||
scope: scope ?? application.data.scopes,
|
||||
tokenType: "Bearer",
|
||||
applicationId: application.id,
|
||||
redirectUri: redirect_uri ?? application.data.redirectUri,
|
||||
expiresAt: new Date(
|
||||
Date.now() + 60 * 60 * 24 * 14,
|
||||
).toISOString(),
|
||||
idToken: ["profile", "email", "openid"].some((s) =>
|
||||
scope?.split(" ").includes(s),
|
||||
)
|
||||
? idToken
|
||||
: null,
|
||||
clientId: client_id,
|
||||
userId: user.id,
|
||||
});
|
||||
|
||||
const redirectUri =
|
||||
redirect_uri === "urn:ietf:wg:oauth:2.0:oob"
|
||||
? new URL(
|
||||
"/oauth/code",
|
||||
context.get("config").http.base_url,
|
||||
)
|
||||
: new URL(redirect_uri ?? application.data.redirectUri);
|
||||
|
||||
redirectUri.searchParams.append("code", code);
|
||||
state && redirectUri.searchParams.append("state", state);
|
||||
|
||||
return context.redirect(redirectUri.toString());
|
||||
},
|
||||
),
|
||||
);
|
||||
|
|
@ -7,25 +7,20 @@ const { deleteUsers, users } = await getTestUsers(1);
|
|||
|
||||
const application = await Application.insert({
|
||||
id: randomUUIDv7(),
|
||||
clientId: "test-client-id",
|
||||
redirectUri: "https://example.com/callback",
|
||||
scopes: "openid profile email",
|
||||
redirectUris: ["https://example.com/callback"],
|
||||
scopes: ["openid", "profile", "email"],
|
||||
secret: "test-secret",
|
||||
name: "Test Application",
|
||||
});
|
||||
|
||||
const token = await Token.insert({
|
||||
id: randomUUIDv7(),
|
||||
code: "test-code",
|
||||
redirectUri: application.data.redirectUri,
|
||||
clientId: application.data.clientId,
|
||||
clientId: application.id,
|
||||
accessToken: "test-access-token",
|
||||
expiresAt: new Date(Date.now() + 3600 * 1000).toISOString(),
|
||||
createdAt: new Date().toISOString(),
|
||||
tokenType: "Bearer",
|
||||
scope: application.data.scopes,
|
||||
scopes: application.data.scopes,
|
||||
userId: users[0].id,
|
||||
applicationId: application.id,
|
||||
});
|
||||
|
||||
afterAll(async () => {
|
||||
|
|
@ -42,7 +37,7 @@ describe("/oauth/revoke", () => {
|
|||
"Content-Type": "application/json",
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
client_id: application.data.id,
|
||||
client_secret: application.data.secret,
|
||||
token: "test-access-token",
|
||||
}),
|
||||
|
|
@ -60,7 +55,7 @@ describe("/oauth/revoke", () => {
|
|||
"Content-Type": "application/json",
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
client_id: application.data.id,
|
||||
client_secret: application.data.secret,
|
||||
}),
|
||||
});
|
||||
|
|
@ -80,7 +75,7 @@ describe("/oauth/revoke", () => {
|
|||
"Content-Type": "application/json",
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
client_id: application.data.id,
|
||||
client_secret: "invalid-secret",
|
||||
token: "test-access-token",
|
||||
}),
|
||||
|
|
@ -101,7 +96,7 @@ describe("/oauth/revoke", () => {
|
|||
"Content-Type": "application/json",
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
client_id: application.data.id,
|
||||
client_secret: application.data.secret,
|
||||
token: "invalid-token",
|
||||
}),
|
||||
|
|
|
|||
|
|
@ -68,7 +68,7 @@ export default apiRoute((app) => {
|
|||
}
|
||||
|
||||
// Check if the client secret is correct
|
||||
if (foundToken.data.application?.secret !== client_secret) {
|
||||
if (foundToken.data.client?.secret !== client_secret) {
|
||||
return context.json(
|
||||
{
|
||||
error: "unauthorized_client",
|
||||
|
|
|
|||
|
|
@ -1,130 +0,0 @@
|
|||
import { config } from "@versia-server/config";
|
||||
import { apiRoute, handleZodError } from "@versia-server/kit/api";
|
||||
import { Application, db } from "@versia-server/kit/db";
|
||||
import { OpenIdLoginFlows } from "@versia-server/kit/tables";
|
||||
import { randomUUIDv7 } from "bun";
|
||||
import { describeRoute, validator } from "hono-openapi";
|
||||
import {
|
||||
calculatePKCECodeChallenge,
|
||||
discoveryRequest,
|
||||
generateRandomCodeVerifier,
|
||||
processDiscoveryResponse,
|
||||
} from "oauth4webapi";
|
||||
import { z } from "zod/v4";
|
||||
import { oauthRedirectUri } from "../../../plugins/openid/utils.ts";
|
||||
|
||||
export default apiRoute((app) => {
|
||||
app.get(
|
||||
"/oauth/sso",
|
||||
describeRoute({
|
||||
summary: "Initiate SSO login flow",
|
||||
tags: ["OpenID"],
|
||||
responses: {
|
||||
302: {
|
||||
description:
|
||||
"Redirect to SSO login, or redirect to login page with error",
|
||||
},
|
||||
},
|
||||
}),
|
||||
validator(
|
||||
"query",
|
||||
z.object({
|
||||
issuer: z.string(),
|
||||
client_id: z.string().optional(),
|
||||
redirect_uri: z.url().optional(),
|
||||
scope: z.string().optional(),
|
||||
response_type: z.enum(["code"]).optional(),
|
||||
}),
|
||||
handleZodError,
|
||||
),
|
||||
async (context) => {
|
||||
// This is the Versia client's client_id, not the external OAuth provider's client_id
|
||||
const { issuer: issuerId, client_id } = context.req.valid("query");
|
||||
|
||||
const errorSearchParams = new URLSearchParams(
|
||||
context.req.valid("query"),
|
||||
);
|
||||
|
||||
if (!client_id || client_id === "undefined") {
|
||||
errorSearchParams.append("error", "invalid_request");
|
||||
errorSearchParams.append(
|
||||
"error_description",
|
||||
"client_id is required",
|
||||
);
|
||||
|
||||
return context.redirect(
|
||||
`${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
|
||||
);
|
||||
}
|
||||
|
||||
const issuer = config.authentication.openid_providers.find(
|
||||
(provider) => provider.id === issuerId,
|
||||
);
|
||||
|
||||
if (!issuer) {
|
||||
errorSearchParams.append("error", "invalid_request");
|
||||
errorSearchParams.append(
|
||||
"error_description",
|
||||
"issuer is invalid",
|
||||
);
|
||||
|
||||
return context.redirect(
|
||||
`${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
|
||||
);
|
||||
}
|
||||
|
||||
const issuerUrl = new URL(issuer.url);
|
||||
|
||||
const authServer = await discoveryRequest(issuerUrl, {
|
||||
algorithm: "oidc",
|
||||
}).then((res) => processDiscoveryResponse(issuerUrl, res));
|
||||
|
||||
const codeVerifier = generateRandomCodeVerifier();
|
||||
|
||||
const application = await Application.fromClientId(client_id);
|
||||
|
||||
if (!application) {
|
||||
errorSearchParams.append("error", "invalid_request");
|
||||
errorSearchParams.append(
|
||||
"error_description",
|
||||
"client_id is invalid",
|
||||
);
|
||||
|
||||
return context.redirect(
|
||||
`${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
|
||||
);
|
||||
}
|
||||
|
||||
// Store into database
|
||||
const newFlow = (
|
||||
await db
|
||||
.insert(OpenIdLoginFlows)
|
||||
.values({
|
||||
id: randomUUIDv7(),
|
||||
codeVerifier,
|
||||
applicationId: application.id,
|
||||
issuerId,
|
||||
})
|
||||
.returning()
|
||||
)[0];
|
||||
|
||||
const codeChallenge =
|
||||
await calculatePKCECodeChallenge(codeVerifier);
|
||||
|
||||
return context.redirect(
|
||||
`${authServer.authorization_endpoint}?${new URLSearchParams({
|
||||
client_id: issuer.client_id,
|
||||
redirect_uri: `${oauthRedirectUri(
|
||||
context.get("config").http.base_url,
|
||||
issuerId,
|
||||
)}?flow=${newFlow.id}`,
|
||||
response_type: "code",
|
||||
scope: "openid profile email",
|
||||
// PKCE
|
||||
code_challenge_method: "S256",
|
||||
code_challenge: codeChallenge,
|
||||
}).toString()}`,
|
||||
);
|
||||
},
|
||||
);
|
||||
});
|
||||
|
|
@ -6,17 +6,21 @@ import {
|
|||
import { config } from "@versia-server/config";
|
||||
import { ApiError } from "@versia-server/kit";
|
||||
import { apiRoute, handleZodError } from "@versia-server/kit/api";
|
||||
import { db, Media, Token, User } from "@versia-server/kit/db";
|
||||
import { db, Media, User } from "@versia-server/kit/db";
|
||||
import { searchManager } from "@versia-server/kit/search";
|
||||
import { OpenIdAccounts, Users } from "@versia-server/kit/tables";
|
||||
import {
|
||||
AuthorizationCodes,
|
||||
OpenIdAccounts,
|
||||
Users,
|
||||
} from "@versia-server/kit/tables";
|
||||
import { randomUUIDv7 } from "bun";
|
||||
import { and, eq, isNull, type SQL } from "drizzle-orm";
|
||||
import { setCookie } from "hono/cookie";
|
||||
import { sign } from "hono/jwt";
|
||||
import { describeRoute, validator } from "hono-openapi";
|
||||
import { SignJWT } from "jose";
|
||||
import * as client from "openid-client";
|
||||
import { z } from "zod/v4";
|
||||
import { randomString } from "@/math.ts";
|
||||
import { automaticOidcFlow } from "../../../../../plugins/openid/utils.ts";
|
||||
|
||||
export default apiRoute((app) => {
|
||||
app.get(
|
||||
|
|
@ -31,6 +35,7 @@ export default apiRoute((app) => {
|
|||
description:
|
||||
"Redirect to frontend's consent route, or redirect to login page with error",
|
||||
},
|
||||
422: ApiError.validationFailed().schema,
|
||||
},
|
||||
}),
|
||||
validator(
|
||||
|
|
@ -43,103 +48,94 @@ export default apiRoute((app) => {
|
|||
validator(
|
||||
"query",
|
||||
z.object({
|
||||
client_id: z.string().optional(),
|
||||
flow: z.string(),
|
||||
link: zBoolean.optional(),
|
||||
link: zBoolean.default(false),
|
||||
user_id: z.uuid().optional(),
|
||||
}),
|
||||
handleZodError,
|
||||
),
|
||||
async (context) => {
|
||||
const currentUrl = new URL(context.req.url);
|
||||
const redirectUrl = new URL(context.req.url);
|
||||
|
||||
// Correct some reverse proxies incorrectly setting the protocol as http, even if the original request was https
|
||||
// Looking at you, Traefik
|
||||
if (
|
||||
new URL(context.get("config").http.base_url).protocol ===
|
||||
"https:" &&
|
||||
currentUrl.protocol === "http:"
|
||||
) {
|
||||
currentUrl.protocol = "https:";
|
||||
redirectUrl.protocol = "https:";
|
||||
}
|
||||
|
||||
// Remove state query parameter from URL
|
||||
currentUrl.searchParams.delete("state");
|
||||
redirectUrl.searchParams.delete("state");
|
||||
// Remove issuer query parameter from URL (can cause redirect URI mismatches)
|
||||
redirectUrl.searchParams.delete("iss");
|
||||
redirectUrl.searchParams.delete("code");
|
||||
const { issuer: issuerParam } = context.req.valid("param");
|
||||
const { issuer: issuerId } = context.req.valid("param");
|
||||
const { flow: flowId, user_id, link } = context.req.valid("query");
|
||||
|
||||
const issuer = config.authentication.openid_providers.find(
|
||||
(provider) => provider.id === issuerParam,
|
||||
(provider) => provider.id === issuerId,
|
||||
);
|
||||
|
||||
if (!issuer) {
|
||||
throw new ApiError(404, "Issuer not found");
|
||||
throw new ApiError(422, "Unknown or invalid issuer");
|
||||
}
|
||||
|
||||
const userInfo = await automaticOidcFlow(
|
||||
issuer,
|
||||
flowId,
|
||||
currentUrl,
|
||||
redirectUrl,
|
||||
(error, message, flow) => {
|
||||
const errorSearchParams = new URLSearchParams(
|
||||
Object.entries({
|
||||
redirect_uri: flow?.application?.redirectUri,
|
||||
client_id: flow?.application?.clientId,
|
||||
response_type: "code",
|
||||
scope: flow?.application?.scopes,
|
||||
}).filter(([_, value]) => value !== undefined) as [
|
||||
string,
|
||||
string,
|
||||
][],
|
||||
);
|
||||
const flow = await db.query.OpenIdLoginFlows.findFirst({
|
||||
where: (flow): SQL | undefined => eq(flow.id, flowId),
|
||||
with: {
|
||||
application: true,
|
||||
},
|
||||
});
|
||||
|
||||
errorSearchParams.append("error", error);
|
||||
errorSearchParams.append("error_description", message);
|
||||
const redirectWithMessage = (
|
||||
parameters: Record<string, string | undefined>,
|
||||
route = config.frontend.routes.login,
|
||||
) => {
|
||||
const searchParams = new URLSearchParams(
|
||||
Object.entries(parameters).filter(
|
||||
([_, value]) => value !== undefined,
|
||||
) as [string, string][],
|
||||
);
|
||||
|
||||
return context.redirect(
|
||||
`${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
|
||||
);
|
||||
return context.redirect(`${route}?${searchParams.toString()}`);
|
||||
};
|
||||
|
||||
if (!flow) {
|
||||
return redirectWithMessage({
|
||||
error: "invalid_request",
|
||||
error_description: "Invalid flow",
|
||||
});
|
||||
}
|
||||
|
||||
const oidcConfig = await client.discovery(
|
||||
issuer.url,
|
||||
issuer.client_id,
|
||||
issuer.client_secret,
|
||||
);
|
||||
|
||||
const tokens = await client.authorizationCodeGrant(
|
||||
oidcConfig,
|
||||
context.req.raw,
|
||||
{
|
||||
pkceCodeVerifier: flow.codeVerifier,
|
||||
expectedState: flow.state ?? undefined,
|
||||
idTokenExpected: true,
|
||||
},
|
||||
);
|
||||
|
||||
if (userInfo instanceof Response) {
|
||||
return userInfo;
|
||||
const claims = tokens.claims();
|
||||
|
||||
if (!claims) {
|
||||
return redirectWithMessage({
|
||||
error: "invalid_request",
|
||||
error_description: "Missing or invalid ID token",
|
||||
});
|
||||
}
|
||||
|
||||
const { sub, email, preferred_username, picture } =
|
||||
userInfo.userInfo;
|
||||
const flow = userInfo.flow;
|
||||
|
||||
const errorSearchParams = new URLSearchParams(
|
||||
Object.entries({
|
||||
redirect_uri: flow.application?.redirectUri,
|
||||
client_id: flow.application?.clientId,
|
||||
response_type: "code",
|
||||
scope: flow.application?.scopes,
|
||||
}).filter(([_, value]) => value !== undefined) as [
|
||||
string,
|
||||
string,
|
||||
][],
|
||||
const userInfo = await client.fetchUserInfo(
|
||||
oidcConfig,
|
||||
tokens.access_token,
|
||||
claims.sub,
|
||||
);
|
||||
|
||||
const { sub, email, preferred_username, picture } = userInfo;
|
||||
|
||||
// If linking account
|
||||
if (link && user_id) {
|
||||
// Check if userId is equal to application.clientId
|
||||
if (!flow.application?.clientId.startsWith(user_id)) {
|
||||
return context.redirect(
|
||||
`${context.get("config").http.base_url}${
|
||||
context.get("config").frontend.routes.home
|
||||
}?${new URLSearchParams({
|
||||
if (!flow.application?.id.startsWith(user_id)) {
|
||||
return redirectWithMessage(
|
||||
{
|
||||
oidc_account_linking_error: "Account linking error",
|
||||
oidc_account_linking_error_message: `User ID does not match application client ID (${user_id} != ${flow.application?.clientId})`,
|
||||
})}`,
|
||||
oidc_account_linking_error_message: `User ID does not match application client ID (${user_id} != ${flow.application?.id})`,
|
||||
},
|
||||
config.frontend.routes.home,
|
||||
);
|
||||
}
|
||||
|
||||
|
|
@ -153,15 +149,14 @@ export default apiRoute((app) => {
|
|||
});
|
||||
|
||||
if (account) {
|
||||
return context.redirect(
|
||||
`${context.get("config").http.base_url}${
|
||||
context.get("config").frontend.routes.home
|
||||
}?${new URLSearchParams({
|
||||
return redirectWithMessage(
|
||||
{
|
||||
oidc_account_linking_error:
|
||||
"Account already linked",
|
||||
oidc_account_linking_error_message:
|
||||
"This account has already been linked to this OpenID Connect provider.",
|
||||
})}`,
|
||||
},
|
||||
config.frontend.routes.home,
|
||||
);
|
||||
}
|
||||
|
||||
|
|
@ -244,42 +239,27 @@ export default apiRoute((app) => {
|
|||
|
||||
userId = user.id;
|
||||
} else {
|
||||
errorSearchParams.append("error", "invalid_request");
|
||||
errorSearchParams.append(
|
||||
"error_description",
|
||||
"No user found with that account",
|
||||
);
|
||||
|
||||
return context.redirect(
|
||||
`${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
|
||||
);
|
||||
return redirectWithMessage({
|
||||
error: "invalid_request",
|
||||
error_description: "No user found with that account",
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
const user = await User.fromId(userId);
|
||||
|
||||
if (!user) {
|
||||
errorSearchParams.append("error", "invalid_request");
|
||||
errorSearchParams.append(
|
||||
"error_description",
|
||||
"No user found with that account",
|
||||
);
|
||||
|
||||
return context.redirect(
|
||||
`${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
|
||||
);
|
||||
return redirectWithMessage({
|
||||
error: "invalid_request",
|
||||
error_description: "No user found with that account",
|
||||
});
|
||||
}
|
||||
|
||||
if (!user.hasPermission(RolePermission.OAuth)) {
|
||||
errorSearchParams.append("error", "invalid_request");
|
||||
errorSearchParams.append(
|
||||
"error_description",
|
||||
`User does not have the '${RolePermission.OAuth}' permission`,
|
||||
);
|
||||
|
||||
return context.redirect(
|
||||
`${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
|
||||
);
|
||||
return redirectWithMessage({
|
||||
error: "invalid_request",
|
||||
error_description: `User does not have the '${RolePermission.OAuth}' permission`,
|
||||
});
|
||||
}
|
||||
|
||||
if (!flow.application) {
|
||||
|
|
@ -288,27 +268,26 @@ export default apiRoute((app) => {
|
|||
|
||||
const code = randomString(32, "hex");
|
||||
|
||||
await Token.insert({
|
||||
id: randomUUIDv7(),
|
||||
accessToken: randomString(64, "base64url"),
|
||||
await db.insert(AuthorizationCodes).values({
|
||||
clientId: flow.application.id,
|
||||
code,
|
||||
scope: flow.application.scopes,
|
||||
tokenType: "Bearer",
|
||||
expiresAt: new Date(Date.now() + 60 * 1000).toISOString(), // 1 minute
|
||||
redirectUri: flow.clientRedirectUri ?? undefined,
|
||||
userId: user.id,
|
||||
applicationId: flow.application.id,
|
||||
scopes: flow.clientScopes ?? [],
|
||||
});
|
||||
|
||||
// Generate JWT
|
||||
const jwt = await new SignJWT({
|
||||
sub: user.id,
|
||||
iss: new URL(context.get("config").http.base_url).origin,
|
||||
aud: flow.application.clientId,
|
||||
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
||||
iat: Math.floor(Date.now() / 1000),
|
||||
nbf: Math.floor(Date.now() / 1000),
|
||||
})
|
||||
.setProtectedHeader({ alg: "EdDSA" })
|
||||
.sign(config.authentication.keys.private);
|
||||
const jwt = await sign(
|
||||
{
|
||||
sub: user.id,
|
||||
iss: new URL(context.get("config").http.base_url).origin,
|
||||
aud: flow.application.id,
|
||||
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
||||
iat: Math.floor(Date.now() / 1000),
|
||||
nbf: Math.floor(Date.now() / 1000),
|
||||
},
|
||||
config.authentication.keys.private,
|
||||
);
|
||||
|
||||
// Redirect back to application
|
||||
setCookie(context, "jwt", jwt, {
|
||||
|
|
@ -320,21 +299,17 @@ export default apiRoute((app) => {
|
|||
maxAge: 60 * 60 * 24 * 14,
|
||||
});
|
||||
|
||||
return context.redirect(
|
||||
new URL(
|
||||
`${context.get("config").frontend.routes.consent}?${new URLSearchParams(
|
||||
{
|
||||
redirect_uri: flow.application.redirectUri,
|
||||
code,
|
||||
client_id: flow.application.clientId,
|
||||
application: flow.application.name,
|
||||
website: flow.application.website ?? "",
|
||||
scope: flow.application.scopes,
|
||||
response_type: "code",
|
||||
},
|
||||
).toString()}`,
|
||||
context.get("config").http.base_url,
|
||||
).toString(),
|
||||
return redirectWithMessage(
|
||||
{
|
||||
redirect_uri: flow.clientRedirectUri ?? undefined,
|
||||
code,
|
||||
client_id: flow.application.id,
|
||||
application: flow.application.name,
|
||||
website: flow.application.website ?? "",
|
||||
scope: flow.clientScopes?.join(" "),
|
||||
state: flow.clientState ?? undefined,
|
||||
},
|
||||
config.frontend.routes.consent,
|
||||
);
|
||||
},
|
||||
);
|
||||
|
|
|
|||
122
packages/api/routes/api/oauth/sso/[issuer]/index.ts
Normal file
122
packages/api/routes/api/oauth/sso/[issuer]/index.ts
Normal file
|
|
@ -0,0 +1,122 @@
|
|||
import { config } from "@versia-server/config";
|
||||
import { ApiError } from "@versia-server/kit";
|
||||
import { apiRoute, handleZodError } from "@versia-server/kit/api";
|
||||
import { Application, db } from "@versia-server/kit/db";
|
||||
import { OpenIdLoginFlows } from "@versia-server/kit/tables";
|
||||
import { randomUUIDv7 } from "bun";
|
||||
import { describeRoute, validator } from "hono-openapi";
|
||||
import * as client from "openid-client";
|
||||
import { z } from "zod/v4";
|
||||
import { oauthRedirectUri } from "@/lib";
|
||||
|
||||
export default apiRoute((app) => {
|
||||
app.post(
|
||||
"/oauth/sso/:issuer",
|
||||
describeRoute({
|
||||
summary: "Initiate SSO login flow",
|
||||
tags: ["OpenID"],
|
||||
responses: {
|
||||
302: {
|
||||
description:
|
||||
"Redirect to SSO provider's authorization endpoint",
|
||||
},
|
||||
422: ApiError.validationFailed().schema,
|
||||
},
|
||||
}),
|
||||
validator(
|
||||
"param",
|
||||
z.object({
|
||||
issuer: z.string(),
|
||||
}),
|
||||
handleZodError,
|
||||
),
|
||||
validator(
|
||||
"json",
|
||||
z.object({
|
||||
client_id: z.string(),
|
||||
redirect_uri: z.url(),
|
||||
scopes: z.string().array().default(["read"]),
|
||||
state: z.string().optional(),
|
||||
}),
|
||||
handleZodError,
|
||||
),
|
||||
async (context) => {
|
||||
// This is the Versia client's client_id, not the external OAuth provider's client_id
|
||||
const { client_id, redirect_uri, scopes, state } =
|
||||
context.req.valid("json");
|
||||
const { issuer: issuerId } = context.req.valid("param");
|
||||
|
||||
const issuer = config.authentication.openid_providers.find(
|
||||
(provider) => provider.id === issuerId,
|
||||
);
|
||||
|
||||
if (!issuer) {
|
||||
throw new ApiError(422, "Unknown or invalid issuer");
|
||||
}
|
||||
|
||||
const application = await Application.fromClientId(client_id);
|
||||
|
||||
if (!application) {
|
||||
throw new ApiError(422, "Unknown or invalid client_id");
|
||||
}
|
||||
|
||||
if (!application.data.redirectUris.includes(redirect_uri)) {
|
||||
throw new ApiError(
|
||||
422,
|
||||
"redirect_uri is not a subset of application's redirect_uris",
|
||||
);
|
||||
}
|
||||
// TODO: Validate oauth scopes
|
||||
|
||||
const oidcConfig = await client.discovery(
|
||||
issuer.url,
|
||||
issuer.client_id,
|
||||
issuer.client_secret,
|
||||
);
|
||||
const codeVerifier = client.randomPKCECodeVerifier();
|
||||
const codeChallenge =
|
||||
await client.calculatePKCECodeChallenge(codeVerifier);
|
||||
|
||||
const parameters: Record<string, string> = {
|
||||
scope: "openid profile email",
|
||||
code_challenge: codeChallenge,
|
||||
code_challenge_method: "S256",
|
||||
};
|
||||
|
||||
if (!oidcConfig.serverMetadata().supportsPKCE()) {
|
||||
parameters.state = client.randomState();
|
||||
}
|
||||
|
||||
// Store into database
|
||||
const newFlow = (
|
||||
await db
|
||||
.insert(OpenIdLoginFlows)
|
||||
.values({
|
||||
id: randomUUIDv7(),
|
||||
codeVerifier,
|
||||
state: parameters.state,
|
||||
clientState: state,
|
||||
clientRedirectUri: redirect_uri,
|
||||
clientScopes: scopes,
|
||||
applicationId: application.id,
|
||||
issuerId,
|
||||
})
|
||||
.returning()
|
||||
)[0];
|
||||
|
||||
parameters.redirect_uri = `${oauthRedirectUri(
|
||||
context.get("config").http.base_url,
|
||||
issuerId,
|
||||
)}?${new URLSearchParams({
|
||||
flow: newFlow.id,
|
||||
})}`;
|
||||
|
||||
const redirectTo = client.buildAuthorizationUrl(
|
||||
oidcConfig,
|
||||
parameters,
|
||||
);
|
||||
|
||||
return context.redirect(redirectTo);
|
||||
},
|
||||
);
|
||||
});
|
||||
|
|
@ -7,23 +7,18 @@ const { deleteUsers, users } = await getTestUsers(1);
|
|||
|
||||
const application = await Application.insert({
|
||||
id: randomUUIDv7(),
|
||||
clientId: "test-client-id",
|
||||
redirectUri: "https://example.com/callback",
|
||||
scopes: "openid profile email",
|
||||
redirectUris: ["https://example.com/callback"],
|
||||
scopes: ["openid", "profile", "email"],
|
||||
secret: "test-secret",
|
||||
name: "Test Application",
|
||||
});
|
||||
|
||||
const token = await Token.insert({
|
||||
id: randomUUIDv7(),
|
||||
code: "test-code",
|
||||
redirectUri: application.data.redirectUri,
|
||||
clientId: application.data.clientId,
|
||||
clientId: application.data.id,
|
||||
accessToken: "test-access-token",
|
||||
expiresAt: new Date(Date.now() + 3600 * 1000).toISOString(),
|
||||
createdAt: new Date().toISOString(),
|
||||
tokenType: "Bearer",
|
||||
scope: application.data.scopes,
|
||||
userId: users[0].id,
|
||||
});
|
||||
|
||||
|
|
@ -43,8 +38,8 @@ describe("/oauth/token", () => {
|
|||
body: JSON.stringify({
|
||||
grant_type: "authorization_code",
|
||||
code: "test-code",
|
||||
redirect_uri: application.data.redirectUri,
|
||||
client_id: application.data.clientId,
|
||||
redirect_uri: application.data.redirectUris[0],
|
||||
client_id: application.data.id,
|
||||
client_secret: application.data.secret,
|
||||
}),
|
||||
});
|
||||
|
|
@ -64,8 +59,8 @@ describe("/oauth/token", () => {
|
|||
},
|
||||
body: JSON.stringify({
|
||||
grant_type: "authorization_code",
|
||||
redirect_uri: application.data.redirectUri,
|
||||
client_id: application.data.clientId,
|
||||
redirect_uri: application.data.redirectUris[0],
|
||||
client_id: application.data.id,
|
||||
client_secret: application.data.secret,
|
||||
}),
|
||||
});
|
||||
|
|
@ -85,7 +80,7 @@ describe("/oauth/token", () => {
|
|||
body: JSON.stringify({
|
||||
grant_type: "authorization_code",
|
||||
code: "test-code",
|
||||
client_id: application.data.clientId,
|
||||
client_id: application.data.id,
|
||||
client_secret: application.data.secret,
|
||||
}),
|
||||
});
|
||||
|
|
@ -105,7 +100,7 @@ describe("/oauth/token", () => {
|
|||
body: JSON.stringify({
|
||||
grant_type: "authorization_code",
|
||||
code: "test-code",
|
||||
redirect_uri: application.data.redirectUri,
|
||||
redirect_uri: application.data.redirectUris[0],
|
||||
client_secret: application.data.secret,
|
||||
}),
|
||||
});
|
||||
|
|
@ -125,8 +120,8 @@ describe("/oauth/token", () => {
|
|||
body: JSON.stringify({
|
||||
grant_type: "authorization_code",
|
||||
code: "test-code",
|
||||
redirect_uri: application.data.redirectUri,
|
||||
client_id: application.data.clientId,
|
||||
redirect_uri: application.data.redirectUris[0],
|
||||
client_id: application.data.id,
|
||||
client_secret: "invalid-secret",
|
||||
}),
|
||||
});
|
||||
|
|
@ -146,8 +141,8 @@ describe("/oauth/token", () => {
|
|||
body: JSON.stringify({
|
||||
grant_type: "authorization_code",
|
||||
code: "invalid-code",
|
||||
redirect_uri: application.data.redirectUri,
|
||||
client_id: application.data.clientId,
|
||||
redirect_uri: application.data.redirectUris[0],
|
||||
client_id: application.data.id,
|
||||
client_secret: application.data.secret,
|
||||
}),
|
||||
});
|
||||
|
|
@ -167,8 +162,8 @@ describe("/oauth/token", () => {
|
|||
body: JSON.stringify({
|
||||
grant_type: "refresh_token",
|
||||
code: "test-code",
|
||||
redirect_uri: application.data.redirectUri,
|
||||
client_id: application.data.clientId,
|
||||
redirect_uri: application.data.redirectUris[0],
|
||||
client_id: application.data.id,
|
||||
client_secret: application.data.secret,
|
||||
}),
|
||||
});
|
||||
|
|
|
|||
|
|
@ -1,43 +1,35 @@
|
|||
import { Token as TokenSchema } from "@versia/client/schemas";
|
||||
import { apiRoute, handleZodError, jsonOrForm } from "@versia-server/kit/api";
|
||||
import { Application, Token } from "@versia-server/kit/db";
|
||||
import { Tokens } from "@versia-server/kit/tables";
|
||||
import { Application, db, Token } from "@versia-server/kit/db";
|
||||
import { AuthorizationCodes } from "@versia-server/kit/tables";
|
||||
import { randomUUIDv7 } from "bun";
|
||||
import { and, eq } from "drizzle-orm";
|
||||
import { describeRoute, resolver, validator } from "hono-openapi";
|
||||
import { z } from "zod/v4";
|
||||
import { randomString } from "@/math";
|
||||
|
||||
export default apiRoute((app) => {
|
||||
app.post(
|
||||
"/oauth/token",
|
||||
describeRoute({
|
||||
summary: "Get token",
|
||||
summary: "Obtain a token",
|
||||
description:
|
||||
"Obtain an access token, to be used during API calls that are not public.",
|
||||
externalDocs: {
|
||||
url: "https://docs.joinmastodon.org/methods/oauth/#token",
|
||||
},
|
||||
tags: ["OpenID"],
|
||||
responses: {
|
||||
200: {
|
||||
description: "Token",
|
||||
content: {
|
||||
"application/json": {
|
||||
schema: resolver(
|
||||
z.object({
|
||||
access_token: z.string(),
|
||||
token_type: z.string(),
|
||||
expires_in: z
|
||||
.number()
|
||||
.optional()
|
||||
.nullable(),
|
||||
id_token: z.string().optional().nullable(),
|
||||
refresh_token: z
|
||||
.string()
|
||||
.optional()
|
||||
.nullable(),
|
||||
scope: z.string().optional(),
|
||||
created_at: z.number(),
|
||||
}),
|
||||
),
|
||||
schema: resolver(TokenSchema),
|
||||
},
|
||||
},
|
||||
},
|
||||
401: {
|
||||
description: "Authorization error",
|
||||
description: "Invalid grant",
|
||||
content: {
|
||||
"application/json": {
|
||||
schema: resolver(
|
||||
|
|
@ -55,135 +47,87 @@ export default apiRoute((app) => {
|
|||
validator(
|
||||
"json",
|
||||
z.object({
|
||||
code: z.string().optional(),
|
||||
code: z.string(),
|
||||
grant_type: z.enum([
|
||||
"authorization_code",
|
||||
"refresh_token",
|
||||
"client_credentials",
|
||||
]),
|
||||
code_verifier: z.string().optional(),
|
||||
grant_type: z
|
||||
.enum([
|
||||
"authorization_code",
|
||||
"refresh_token",
|
||||
"client_credentials",
|
||||
"password",
|
||||
"urn:ietf:params:oauth:grant-type:device_code",
|
||||
"urn:ietf:params:oauth:grant-type:token-exchange",
|
||||
"urn:ietf:params:oauth:grant-type:saml2-bearer",
|
||||
"urn:openid:params:grant-type:ciba",
|
||||
])
|
||||
.default("authorization_code"),
|
||||
client_id: z.string().optional(),
|
||||
client_secret: z.string().optional(),
|
||||
username: z.string().trim().optional(),
|
||||
password: z.string().trim().optional(),
|
||||
redirect_uri: z.url().optional(),
|
||||
client_id: z.string(),
|
||||
client_secret: z.string(),
|
||||
redirect_uri: z.url(),
|
||||
refresh_token: z.string().optional(),
|
||||
scope: z.string().optional(),
|
||||
assertion: z.string().optional(),
|
||||
audience: z.string().optional(),
|
||||
subject_token_type: z.string().optional(),
|
||||
subject_token: z.string().optional(),
|
||||
actor_token_type: z.string().optional(),
|
||||
actor_token: z.string().optional(),
|
||||
auth_req_id: z.string().optional(),
|
||||
scope: z.string().default("read"),
|
||||
}),
|
||||
handleZodError,
|
||||
),
|
||||
async (context) => {
|
||||
const { grant_type, code, redirect_uri, client_id, client_secret } =
|
||||
const { code, client_id, client_secret, redirect_uri } =
|
||||
context.req.valid("json");
|
||||
|
||||
switch (grant_type) {
|
||||
case "authorization_code": {
|
||||
if (!code) {
|
||||
return context.json(
|
||||
{
|
||||
error: "invalid_request",
|
||||
error_description: "Code is required",
|
||||
},
|
||||
401,
|
||||
);
|
||||
}
|
||||
// Verify the client_secret
|
||||
const client = await Application.fromClientId(client_id);
|
||||
|
||||
if (!redirect_uri) {
|
||||
return context.json(
|
||||
{
|
||||
error: "invalid_request",
|
||||
error_description: "Redirect URI is required",
|
||||
},
|
||||
401,
|
||||
);
|
||||
}
|
||||
|
||||
if (!client_id) {
|
||||
return context.json(
|
||||
{
|
||||
error: "invalid_request",
|
||||
error_description: "Client ID is required",
|
||||
},
|
||||
401,
|
||||
);
|
||||
}
|
||||
|
||||
// Verify the client_secret
|
||||
const client = await Application.fromClientId(client_id);
|
||||
|
||||
if (!client || client.data.secret !== client_secret) {
|
||||
return context.json(
|
||||
{
|
||||
error: "invalid_client",
|
||||
error_description: "Invalid client credentials",
|
||||
},
|
||||
401,
|
||||
);
|
||||
}
|
||||
|
||||
const token = await Token.fromSql(
|
||||
and(
|
||||
eq(Tokens.code, code),
|
||||
eq(Tokens.redirectUri, decodeURI(redirect_uri)),
|
||||
eq(Tokens.clientId, client_id),
|
||||
),
|
||||
);
|
||||
|
||||
if (!token) {
|
||||
return context.json(
|
||||
{
|
||||
error: "invalid_grant",
|
||||
error_description: "Code not found",
|
||||
},
|
||||
401,
|
||||
);
|
||||
}
|
||||
|
||||
// Invalidate the code
|
||||
await token.update({ code: null });
|
||||
|
||||
return context.json(
|
||||
{
|
||||
...token.toApi(),
|
||||
expires_in: token.data.expiresAt
|
||||
? Math.floor(
|
||||
(new Date(
|
||||
token.data.expiresAt,
|
||||
).getTime() -
|
||||
Date.now()) /
|
||||
1000,
|
||||
)
|
||||
: null,
|
||||
id_token: token.data.idToken,
|
||||
refresh_token: null,
|
||||
},
|
||||
200,
|
||||
);
|
||||
}
|
||||
|
||||
default:
|
||||
if (!client || client.data.secret !== client_secret) {
|
||||
return context.json(
|
||||
{
|
||||
error: "invalid_client",
|
||||
error_description: "Invalid client credentials",
|
||||
},
|
||||
401,
|
||||
);
|
||||
}
|
||||
|
||||
const authorizationCode =
|
||||
await db.query.AuthorizationCodes.findFirst({
|
||||
where: (codeTable) =>
|
||||
and(
|
||||
eq(codeTable.code, code),
|
||||
eq(codeTable.redirectUri, redirect_uri),
|
||||
eq(codeTable.clientId, client.id),
|
||||
),
|
||||
});
|
||||
|
||||
if (
|
||||
!authorizationCode ||
|
||||
new Date(authorizationCode.expiresAt).getTime() < Date.now()
|
||||
) {
|
||||
return context.json(
|
||||
{
|
||||
error: "invalid_grant",
|
||||
error_description:
|
||||
"Authorization code not found or expired",
|
||||
},
|
||||
404,
|
||||
);
|
||||
}
|
||||
|
||||
const token = await Token.insert({
|
||||
accessToken: randomString(64, "base64url"),
|
||||
clientId: client.id,
|
||||
id: randomUUIDv7(),
|
||||
userId: authorizationCode.userId,
|
||||
});
|
||||
|
||||
// Invalidate the code
|
||||
await db
|
||||
.delete(AuthorizationCodes)
|
||||
.where(eq(AuthorizationCodes.code, authorizationCode.code));
|
||||
|
||||
return context.json(
|
||||
{
|
||||
error: "unsupported_grant_type",
|
||||
error_description: "Unsupported grant type",
|
||||
...token.toApi(),
|
||||
expires_in: token.data.expiresAt
|
||||
? Math.floor(
|
||||
(new Date(token.data.expiresAt).getTime() -
|
||||
Date.now()) /
|
||||
1000,
|
||||
)
|
||||
: null,
|
||||
refresh_token: null,
|
||||
},
|
||||
401,
|
||||
200,
|
||||
);
|
||||
},
|
||||
);
|
||||
|
|
|
|||
|
|
@ -5,7 +5,6 @@ import {
|
|||
import { ApiError } from "@versia-server/kit";
|
||||
import { apiRoute, handleZodError, jsonOrForm } from "@versia-server/kit/api";
|
||||
import { Application } from "@versia-server/kit/db";
|
||||
import { randomUUIDv7 } from "bun";
|
||||
import { describeRoute, resolver, validator } from "hono-openapi";
|
||||
import { z } from "zod/v4";
|
||||
import { randomString } from "@/math";
|
||||
|
|
@ -64,14 +63,13 @@ export default apiRoute((app) =>
|
|||
context.req.valid("json");
|
||||
|
||||
const app = await Application.insert({
|
||||
id: randomUUIDv7(),
|
||||
id: randomString(32, "base64url"),
|
||||
name: client_name,
|
||||
redirectUri: Array.isArray(redirect_uris)
|
||||
? redirect_uris.join("\n")
|
||||
: redirect_uris,
|
||||
scopes,
|
||||
redirectUris: Array.isArray(redirect_uris)
|
||||
? redirect_uris
|
||||
: [redirect_uris],
|
||||
scopes: scopes.split(" "),
|
||||
website: website || undefined,
|
||||
clientId: randomString(32, "base64url"),
|
||||
secret: randomString(64, "base64url"),
|
||||
});
|
||||
|
||||
|
|
|
|||
|
|
@ -6,15 +6,9 @@ import { Application, db } from "@versia-server/kit/db";
|
|||
import { OpenIdLoginFlows } from "@versia-server/kit/tables";
|
||||
import { randomUUIDv7 } from "bun";
|
||||
import { describeRoute, resolver, validator } from "hono-openapi";
|
||||
import {
|
||||
calculatePKCECodeChallenge,
|
||||
generateRandomCodeVerifier,
|
||||
} from "oauth4webapi";
|
||||
import * as client from "openid-client";
|
||||
import { z } from "zod/v4";
|
||||
import {
|
||||
oauthDiscoveryRequest,
|
||||
oauthRedirectUri,
|
||||
} from "../../../../plugins/openid/utils.ts";
|
||||
import { oauthRedirectUri } from "@/lib";
|
||||
|
||||
export default apiRoute((app) => {
|
||||
app.get(
|
||||
|
|
@ -105,9 +99,24 @@ export default apiRoute((app) => {
|
|||
);
|
||||
}
|
||||
|
||||
const authServer = await oauthDiscoveryRequest(new URL(issuer.url));
|
||||
const oidcConfig = await client.discovery(
|
||||
issuer.url,
|
||||
issuer.client_id,
|
||||
issuer.client_secret,
|
||||
);
|
||||
const codeVerifier = client.randomPKCECodeVerifier();
|
||||
const codeChallenge =
|
||||
await client.calculatePKCECodeChallenge(codeVerifier);
|
||||
|
||||
const codeVerifier = generateRandomCodeVerifier();
|
||||
const parameters: Record<string, string> = {
|
||||
scope: "openid profile email",
|
||||
code_challenge: codeChallenge,
|
||||
code_challenge_method: "S256",
|
||||
};
|
||||
|
||||
if (!oidcConfig.serverMetadata().supportsPKCE()) {
|
||||
parameters.state = client.randomState();
|
||||
}
|
||||
|
||||
const redirectUri = oauthRedirectUri(
|
||||
context.get("config").http.base_url,
|
||||
|
|
@ -115,15 +124,14 @@ export default apiRoute((app) => {
|
|||
);
|
||||
|
||||
const application = await Application.insert({
|
||||
id: randomUUIDv7(),
|
||||
clientId:
|
||||
id:
|
||||
user.id +
|
||||
Buffer.from(
|
||||
crypto.getRandomValues(new Uint8Array(32)),
|
||||
).toString("base64"),
|
||||
name: "Versia",
|
||||
redirectUri: redirectUri.toString(),
|
||||
scopes: "openid profile email",
|
||||
redirectUris: [redirectUri.href],
|
||||
scopes: ["openid", "profile", "email"],
|
||||
secret: "",
|
||||
});
|
||||
|
||||
|
|
@ -134,30 +142,28 @@ export default apiRoute((app) => {
|
|||
.values({
|
||||
id: randomUUIDv7(),
|
||||
codeVerifier,
|
||||
state: parameters.state,
|
||||
issuerId,
|
||||
applicationId: application.id,
|
||||
})
|
||||
.returning()
|
||||
)[0];
|
||||
|
||||
const codeChallenge =
|
||||
await calculatePKCECodeChallenge(codeVerifier);
|
||||
parameters.redirect_uri = `${oauthRedirectUri(
|
||||
config.http.base_url,
|
||||
issuerId,
|
||||
)}?${new URLSearchParams({
|
||||
flow: newFlow.id,
|
||||
link: "true",
|
||||
user_id: user.id,
|
||||
})}`;
|
||||
|
||||
return context.redirect(
|
||||
`${authServer.authorization_endpoint}?${new URLSearchParams({
|
||||
client_id: issuer.client_id,
|
||||
redirect_uri: `${redirectUri}?${new URLSearchParams({
|
||||
flow: newFlow.id,
|
||||
link: "true",
|
||||
user_id: user.id,
|
||||
})}`,
|
||||
response_type: "code",
|
||||
scope: "openid profile email",
|
||||
// PKCE
|
||||
code_challenge_method: "S256",
|
||||
code_challenge: codeChallenge,
|
||||
}).toString()}`,
|
||||
const redirectTo = client.buildAuthorizationUrl(
|
||||
oidcConfig,
|
||||
parameters,
|
||||
);
|
||||
|
||||
return context.redirect(redirectTo);
|
||||
},
|
||||
);
|
||||
});
|
||||
|
|
|
|||
|
|
@ -1,35 +0,0 @@
|
|||
import { afterAll, describe, expect, test } from "bun:test";
|
||||
import { Application } from "@versia-server/kit/db";
|
||||
import { fakeRequest } from "@versia-server/tests";
|
||||
import { randomUUIDv7 } from "bun";
|
||||
|
||||
const application = await Application.insert({
|
||||
id: randomUUIDv7(),
|
||||
clientId: "test-client-id",
|
||||
redirectUri: "https://example.com/callback",
|
||||
scopes: "openid profile email",
|
||||
secret: "test-secret",
|
||||
name: "Test Application",
|
||||
});
|
||||
|
||||
afterAll(async () => {
|
||||
await application.delete();
|
||||
});
|
||||
|
||||
describe("/.well-known/jwks", () => {
|
||||
test("should return JWK set with valid inputs", async () => {
|
||||
const response = await fakeRequest("/.well-known/jwks", {
|
||||
method: "GET",
|
||||
});
|
||||
|
||||
expect(response.status).toBe(200);
|
||||
const body = await response.json();
|
||||
expect(body.keys).toHaveLength(1);
|
||||
expect(body.keys[0].kty).toBe("OKP");
|
||||
expect(body.keys[0].use).toBe("sig");
|
||||
expect(body.keys[0].alg).toBe("EdDSA");
|
||||
expect(body.keys[0].kid).toBe("1");
|
||||
expect(body.keys[0].crv).toBe("Ed25519");
|
||||
expect(body.keys[0].x).toBeString();
|
||||
});
|
||||
});
|
||||
|
|
@ -1,62 +0,0 @@
|
|||
import { config } from "@versia-server/config";
|
||||
import { apiRoute, auth } from "@versia-server/kit/api";
|
||||
import { describeRoute, resolver } from "hono-openapi";
|
||||
import { exportJWK } from "jose";
|
||||
import { z } from "zod/v4";
|
||||
|
||||
export default apiRoute((app) => {
|
||||
app.get(
|
||||
"/.well-known/jwks",
|
||||
describeRoute({
|
||||
summary: "JWK Set",
|
||||
tags: ["OpenID"],
|
||||
responses: {
|
||||
200: {
|
||||
description: "JWK Set",
|
||||
content: {
|
||||
"application/json": {
|
||||
schema: resolver(
|
||||
z.object({
|
||||
keys: z.array(
|
||||
z.object({
|
||||
kty: z.string().optional(),
|
||||
use: z.string(),
|
||||
alg: z.string(),
|
||||
kid: z.string(),
|
||||
crv: z.string().optional(),
|
||||
x: z.string().optional(),
|
||||
y: z.string().optional(),
|
||||
}),
|
||||
),
|
||||
}),
|
||||
),
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
auth({
|
||||
auth: false,
|
||||
}),
|
||||
async (context) => {
|
||||
const jwk = await exportJWK(config.authentication.keys.private);
|
||||
|
||||
// Remove the private key 💀
|
||||
jwk.d = undefined;
|
||||
|
||||
return context.json(
|
||||
{
|
||||
keys: [
|
||||
{
|
||||
...jwk,
|
||||
use: "sig",
|
||||
alg: "EdDSA",
|
||||
kid: "1",
|
||||
},
|
||||
],
|
||||
},
|
||||
200,
|
||||
);
|
||||
},
|
||||
);
|
||||
});
|
||||
|
|
@ -1,65 +0,0 @@
|
|||
import { config } from "@versia-server/config";
|
||||
import { apiRoute } from "@versia-server/kit/api";
|
||||
import { describeRoute, resolver } from "hono-openapi";
|
||||
import { z } from "zod/v4";
|
||||
|
||||
export default apiRoute((app) =>
|
||||
app.get(
|
||||
"/.well-known/openid-configuration",
|
||||
describeRoute({
|
||||
summary: "OpenID Configuration",
|
||||
tags: ["OpenID"],
|
||||
responses: {
|
||||
200: {
|
||||
description: "OpenID Configuration",
|
||||
content: {
|
||||
"application/json": {
|
||||
schema: resolver(
|
||||
z.object({
|
||||
issuer: z.string(),
|
||||
authorization_endpoint: z.string(),
|
||||
token_endpoint: z.string(),
|
||||
userinfo_endpoint: z.string(),
|
||||
jwks_uri: z.string(),
|
||||
response_types_supported: z.array(
|
||||
z.string(),
|
||||
),
|
||||
subject_types_supported: z.array(
|
||||
z.string(),
|
||||
),
|
||||
id_token_signing_alg_values_supported:
|
||||
z.array(z.string()),
|
||||
scopes_supported: z.array(z.string()),
|
||||
token_endpoint_auth_methods_supported:
|
||||
z.array(z.string()),
|
||||
claims_supported: z.array(z.string()),
|
||||
}),
|
||||
),
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
(context) => {
|
||||
const baseUrl = config.http.base_url;
|
||||
return context.json(
|
||||
{
|
||||
issuer: baseUrl.origin.toString(),
|
||||
authorization_endpoint: `${baseUrl.origin}/oauth/authorize`,
|
||||
token_endpoint: `${baseUrl.origin}/oauth/token`,
|
||||
userinfo_endpoint: `${baseUrl.origin}/api/v1/accounts/verify_credentials`,
|
||||
jwks_uri: `${baseUrl.origin}/.well-known/jwks`,
|
||||
response_types_supported: ["code"],
|
||||
subject_types_supported: ["public"],
|
||||
id_token_signing_alg_values_supported: ["EdDSA"],
|
||||
scopes_supported: ["openid", "profile", "email"],
|
||||
token_endpoint_auth_methods_supported: [
|
||||
"client_secret_basic",
|
||||
],
|
||||
claims_supported: ["sub"],
|
||||
},
|
||||
200,
|
||||
);
|
||||
},
|
||||
),
|
||||
);
|
||||
Loading…
Add table
Add a link
Reference in a new issue