mirror of
https://github.com/versia-pub/server.git
synced 2026-03-13 22:09:16 +01:00
refactor(api): ♻️ Rewrite full authentication code to go OpenID-only
This commit is contained in:
Jesse Wierzbinski
parent
132a3ed5ea
commit
4c430426d3
39 changed files with 3076 additions and 2009 deletions
|
|
@ -1,35 +0,0 @@
|
|||
import { afterAll, describe, expect, test } from "bun:test";
|
||||
import { Application } from "@versia-server/kit/db";
|
||||
import { fakeRequest } from "@versia-server/tests";
|
||||
import { randomUUIDv7 } from "bun";
|
||||
|
||||
const application = await Application.insert({
|
||||
id: randomUUIDv7(),
|
||||
clientId: "test-client-id",
|
||||
redirectUri: "https://example.com/callback",
|
||||
scopes: "openid profile email",
|
||||
secret: "test-secret",
|
||||
name: "Test Application",
|
||||
});
|
||||
|
||||
afterAll(async () => {
|
||||
await application.delete();
|
||||
});
|
||||
|
||||
describe("/.well-known/jwks", () => {
|
||||
test("should return JWK set with valid inputs", async () => {
|
||||
const response = await fakeRequest("/.well-known/jwks", {
|
||||
method: "GET",
|
||||
});
|
||||
|
||||
expect(response.status).toBe(200);
|
||||
const body = await response.json();
|
||||
expect(body.keys).toHaveLength(1);
|
||||
expect(body.keys[0].kty).toBe("OKP");
|
||||
expect(body.keys[0].use).toBe("sig");
|
||||
expect(body.keys[0].alg).toBe("EdDSA");
|
||||
expect(body.keys[0].kid).toBe("1");
|
||||
expect(body.keys[0].crv).toBe("Ed25519");
|
||||
expect(body.keys[0].x).toBeString();
|
||||
});
|
||||
});
|
||||
|
|
@ -1,62 +0,0 @@
|
|||
import { config } from "@versia-server/config";
|
||||
import { apiRoute, auth } from "@versia-server/kit/api";
|
||||
import { describeRoute, resolver } from "hono-openapi";
|
||||
import { exportJWK } from "jose";
|
||||
import { z } from "zod/v4";
|
||||
|
||||
export default apiRoute((app) => {
|
||||
app.get(
|
||||
"/.well-known/jwks",
|
||||
describeRoute({
|
||||
summary: "JWK Set",
|
||||
tags: ["OpenID"],
|
||||
responses: {
|
||||
200: {
|
||||
description: "JWK Set",
|
||||
content: {
|
||||
"application/json": {
|
||||
schema: resolver(
|
||||
z.object({
|
||||
keys: z.array(
|
||||
z.object({
|
||||
kty: z.string().optional(),
|
||||
use: z.string(),
|
||||
alg: z.string(),
|
||||
kid: z.string(),
|
||||
crv: z.string().optional(),
|
||||
x: z.string().optional(),
|
||||
y: z.string().optional(),
|
||||
}),
|
||||
),
|
||||
}),
|
||||
),
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
auth({
|
||||
auth: false,
|
||||
}),
|
||||
async (context) => {
|
||||
const jwk = await exportJWK(config.authentication.keys.private);
|
||||
|
||||
// Remove the private key 💀
|
||||
jwk.d = undefined;
|
||||
|
||||
return context.json(
|
||||
{
|
||||
keys: [
|
||||
{
|
||||
...jwk,
|
||||
use: "sig",
|
||||
alg: "EdDSA",
|
||||
kid: "1",
|
||||
},
|
||||
],
|
||||
},
|
||||
200,
|
||||
);
|
||||
},
|
||||
);
|
||||
});
|
||||
|
|
@ -1,65 +0,0 @@
|
|||
import { config } from "@versia-server/config";
|
||||
import { apiRoute } from "@versia-server/kit/api";
|
||||
import { describeRoute, resolver } from "hono-openapi";
|
||||
import { z } from "zod/v4";
|
||||
|
||||
export default apiRoute((app) =>
|
||||
app.get(
|
||||
"/.well-known/openid-configuration",
|
||||
describeRoute({
|
||||
summary: "OpenID Configuration",
|
||||
tags: ["OpenID"],
|
||||
responses: {
|
||||
200: {
|
||||
description: "OpenID Configuration",
|
||||
content: {
|
||||
"application/json": {
|
||||
schema: resolver(
|
||||
z.object({
|
||||
issuer: z.string(),
|
||||
authorization_endpoint: z.string(),
|
||||
token_endpoint: z.string(),
|
||||
userinfo_endpoint: z.string(),
|
||||
jwks_uri: z.string(),
|
||||
response_types_supported: z.array(
|
||||
z.string(),
|
||||
),
|
||||
subject_types_supported: z.array(
|
||||
z.string(),
|
||||
),
|
||||
id_token_signing_alg_values_supported:
|
||||
z.array(z.string()),
|
||||
scopes_supported: z.array(z.string()),
|
||||
token_endpoint_auth_methods_supported:
|
||||
z.array(z.string()),
|
||||
claims_supported: z.array(z.string()),
|
||||
}),
|
||||
),
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
(context) => {
|
||||
const baseUrl = config.http.base_url;
|
||||
return context.json(
|
||||
{
|
||||
issuer: baseUrl.origin.toString(),
|
||||
authorization_endpoint: `${baseUrl.origin}/oauth/authorize`,
|
||||
token_endpoint: `${baseUrl.origin}/oauth/token`,
|
||||
userinfo_endpoint: `${baseUrl.origin}/api/v1/accounts/verify_credentials`,
|
||||
jwks_uri: `${baseUrl.origin}/.well-known/jwks`,
|
||||
response_types_supported: ["code"],
|
||||
subject_types_supported: ["public"],
|
||||
id_token_signing_alg_values_supported: ["EdDSA"],
|
||||
scopes_supported: ["openid", "profile", "email"],
|
||||
token_endpoint_auth_methods_supported: [
|
||||
"client_secret_basic",
|
||||
],
|
||||
claims_supported: ["sub"],
|
||||
},
|
||||
200,
|
||||
);
|
||||
},
|
||||
),
|
||||
);
|
||||
Loading…
Add table
Add a link
Reference in a new issue