mirror of
https://github.com/versia-pub/server.git
synced 2026-03-13 05:49:16 +01:00
refactor: ♻️ Rewrite build system to fit the monorepo architecture
This commit is contained in:
Jesse Wierzbinski
parent
7de4b573e3
commit
90b6399407
217 changed files with 2143 additions and 1858 deletions
|
|
@ -1,4 +1,4 @@
|
|||
import { resolve } from "node:path";
|
||||
import { join } from "node:path";
|
||||
import { Scalar } from "@scalar/hono-api-reference";
|
||||
import { config } from "@versia-server/config";
|
||||
import { ApiError } from "@versia-server/kit";
|
||||
|
|
@ -113,7 +113,7 @@ export const appFactory = async (): Promise<Hono<HonoEnv>> => {
|
|||
const loader = new PluginLoader();
|
||||
|
||||
const plugins = await loader.loadPlugins(
|
||||
resolve("./plugins"),
|
||||
join(import.meta.dir, "plugins"),
|
||||
config.plugins?.autoload ?? true,
|
||||
config.plugins?.overrides.enabled,
|
||||
config.plugins?.overrides.disabled,
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
import { readdir } from "node:fs/promises";
|
||||
import { $, build } from "bun";
|
||||
import manifest from "./package.json" with { type: "json" };
|
||||
import { routes } from "./routes.ts";
|
||||
|
||||
console.log("Building...");
|
||||
|
|
@ -11,10 +12,7 @@ const pluginDirs = await readdir("plugins", { withFileTypes: true });
|
|||
|
||||
await build({
|
||||
entrypoints: [
|
||||
"packages/api/index.ts",
|
||||
// HACK: Include to avoid cyclical import errors
|
||||
"packages/config/index.ts",
|
||||
"cli/index.ts",
|
||||
...Object.values(manifest.exports).map((entry) => entry.import),
|
||||
// Force Bun to include endpoints
|
||||
...Object.values(routes),
|
||||
// Include all plugins
|
||||
|
|
@ -25,43 +23,24 @@ await build({
|
|||
outdir: "dist",
|
||||
target: "bun",
|
||||
splitting: true,
|
||||
minify: false,
|
||||
external: ["acorn", "@bull-board/ui"],
|
||||
minify: true,
|
||||
external: [
|
||||
...Object.keys(manifest.dependencies).filter((dep) =>
|
||||
dep.startsWith("@versia"),
|
||||
),
|
||||
"@bull-board/ui",
|
||||
],
|
||||
});
|
||||
|
||||
console.log("Copying files...");
|
||||
|
||||
// Fix Bun build mistake
|
||||
await $`sed -i 's/ProxiableUrl, url, sensitiveString, keyPair, exportedConfig/url, sensitiveString, keyPair, exportedConfig/g' dist/packages/config/*.js`;
|
||||
|
||||
// Copy Drizzle stuff
|
||||
await $`mkdir -p dist/packages/plugin-kit/tables`;
|
||||
await $`cp -rL packages/plugin-kit/tables/migrations dist/packages/plugin-kit/tables`;
|
||||
|
||||
// Copy plugin manifests
|
||||
await $`cp plugins/openid/manifest.json dist/plugins/openid/manifest.json`;
|
||||
|
||||
await $`mkdir -p dist/node_modules`;
|
||||
|
||||
// Copy Sharp to dist
|
||||
await $`mkdir -p dist/node_modules/@img`;
|
||||
await $`cp -rL node_modules/@img/sharp-libvips-linux* dist/node_modules/@img`;
|
||||
await $`cp -rL node_modules/@img/sharp-linux* dist/node_modules/@img`;
|
||||
|
||||
// Copy acorn to dist
|
||||
await $`cp -rL node_modules/acorn dist/node_modules/acorn`;
|
||||
|
||||
// Copy bull-board to dist
|
||||
await $`mkdir -p dist/node_modules/@bull-board`;
|
||||
await $`cp -rL node_modules/@bull-board/ui dist/node_modules/@bull-board/ui`;
|
||||
|
||||
// Copy the Bee Movie script from pages
|
||||
await $`cp beemovie.txt dist/beemovie.txt`;
|
||||
|
||||
// Copy package.json
|
||||
await $`cp package.json dist/package.json`;
|
||||
|
||||
// Fixes issues with sharp
|
||||
await $`cp -rL node_modules/detect-libc dist/node_modules/`;
|
||||
await $`cp -rL ../../node_modules/@bull-board/ui dist/node_modules/@bull-board/ui`;
|
||||
|
||||
console.log("Build complete!");
|
||||
|
|
|
|||
|
|
@ -1,19 +0,0 @@
|
|||
import process from "node:process";
|
||||
import { config } from "@versia-server/config";
|
||||
import { Youch } from "youch";
|
||||
import { createServer } from "@/server";
|
||||
import { appFactory } from "./app.ts";
|
||||
|
||||
process.on("SIGINT", () => {
|
||||
process.exit();
|
||||
});
|
||||
|
||||
process.on("uncaughtException", async (error) => {
|
||||
const youch = new Youch();
|
||||
|
||||
console.error(await youch.toANSI(error));
|
||||
});
|
||||
|
||||
await import("./setup.ts");
|
||||
|
||||
createServer(config, await appFactory());
|
||||
|
|
@ -36,11 +36,19 @@
|
|||
"scripts": {
|
||||
"dev": "bun run --hot index.ts",
|
||||
"build": "bun run build.ts",
|
||||
"schema:generate": "bun run classes/config/to-json-schema.ts > config/config.schema.json && bun run packages/plugin-kit/json-schema.ts > packages/plugin-kit/manifest.schema.json",
|
||||
"schema:generate": "bun run classes/config/to-json-schema.ts > config/config.schema.json && bun run packages/kit/json-schema.ts > packages/kit/manifest.schema.json",
|
||||
"docs:dev": "vitepress dev docs",
|
||||
"docs:build": "vitepress build docs",
|
||||
"docs:preview": "vitepress preview docs"
|
||||
},
|
||||
"exports": {
|
||||
".": {
|
||||
"import": "./app.ts"
|
||||
},
|
||||
"./setup": {
|
||||
"import": "./setup.ts"
|
||||
}
|
||||
},
|
||||
"dependencies": {
|
||||
"@versia-server/config": "workspace:*",
|
||||
"@versia-server/tests": "workspace:*",
|
||||
|
|
@ -65,10 +73,10 @@
|
|||
"hono-rate-limiter": "catalog:",
|
||||
"ip-matching": "catalog:",
|
||||
"qs": "catalog:",
|
||||
"magic-regexp": "catalog:",
|
||||
"altcha-lib": "catalog:",
|
||||
"@hono/zod-validator": "catalog:",
|
||||
"zod-validation-error": "catalog:",
|
||||
"confbox": "catalog:"
|
||||
"confbox": "catalog:",
|
||||
"oauth4webapi": "catalog:"
|
||||
}
|
||||
}
|
||||
|
|
|
|||
45
packages/api/plugins/openid/errors.ts
Normal file
45
packages/api/plugins/openid/errors.ts
Normal file
|
|
@ -0,0 +1,45 @@
|
|||
import type { Context, TypedResponse } from "hono";
|
||||
|
||||
export const errors = {
|
||||
InvalidJWT: ["invalid_request", "Invalid JWT: could not verify"],
|
||||
MissingJWTFields: [
|
||||
"invalid_request",
|
||||
"Invalid JWT: missing required fields (aud, sub, exp, iss)",
|
||||
],
|
||||
InvalidSub: ["invalid_request", "Invalid JWT: sub is not a valid user ID"],
|
||||
UserNotFound: [
|
||||
"invalid_request",
|
||||
"Invalid JWT, could not find associated user",
|
||||
],
|
||||
MissingOauthPermission: [
|
||||
"unauthorized",
|
||||
"User missing required 'oauth' permission",
|
||||
],
|
||||
MissingApplication: [
|
||||
"invalid_request",
|
||||
"Invalid client_id: no associated API application found",
|
||||
],
|
||||
InvalidRedirectUri: [
|
||||
"invalid_request",
|
||||
"Invalid redirect_uri: does not match API application's redirect_uri",
|
||||
],
|
||||
InvalidScope: [
|
||||
"invalid_request",
|
||||
"Invalid scope: not a subset of the application's scopes",
|
||||
],
|
||||
};
|
||||
|
||||
export const errorRedirect = (
|
||||
context: Context,
|
||||
error: (typeof errors)[keyof typeof errors],
|
||||
extraParams?: URLSearchParams,
|
||||
): Response & TypedResponse<undefined, 302, "redirect"> => {
|
||||
const errorSearchParams = new URLSearchParams(extraParams);
|
||||
|
||||
errorSearchParams.append("error", error[0]);
|
||||
errorSearchParams.append("error_description", error[1]);
|
||||
|
||||
return context.redirect(
|
||||
`${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
|
||||
);
|
||||
};
|
||||
105
packages/api/plugins/openid/index.ts
Normal file
105
packages/api/plugins/openid/index.ts
Normal file
|
|
@ -0,0 +1,105 @@
|
|||
import { RolePermission } from "@versia/client/schemas";
|
||||
import { keyPair, sensitiveString, url } from "@versia-server/config";
|
||||
import { ApiError, Hooks, Plugin } from "@versia-server/kit";
|
||||
import { User } from "@versia-server/kit/db";
|
||||
import { getCookie } from "hono/cookie";
|
||||
import { jwtVerify } from "jose";
|
||||
import { JOSEError, JWTExpired } from "jose/errors";
|
||||
import { z } from "zod";
|
||||
import authorizeRoute from "./routes/authorize.ts";
|
||||
import jwksRoute from "./routes/jwks.ts";
|
||||
import ssoLoginCallbackRoute from "./routes/oauth/callback.ts";
|
||||
import tokenRevokeRoute from "./routes/oauth/revoke.ts";
|
||||
import ssoLoginRoute from "./routes/oauth/sso.ts";
|
||||
import tokenRoute from "./routes/oauth/token.ts";
|
||||
import ssoIdRoute from "./routes/sso/:id/index.ts";
|
||||
import ssoRoute from "./routes/sso/index.ts";
|
||||
|
||||
const configSchema = z.object({
|
||||
forced: z.boolean().default(false),
|
||||
allow_registration: z.boolean().default(true),
|
||||
providers: z
|
||||
.array(
|
||||
z.object({
|
||||
name: z.string().min(1),
|
||||
id: z.string().min(1),
|
||||
url: z.string().min(1),
|
||||
client_id: z.string().min(1),
|
||||
client_secret: sensitiveString,
|
||||
icon: url.optional(),
|
||||
}),
|
||||
)
|
||||
.default([]),
|
||||
keys: keyPair,
|
||||
});
|
||||
|
||||
const plugin = new Plugin(configSchema);
|
||||
|
||||
// Test hook for screenshots
|
||||
plugin.registerHandler(Hooks.Response, (req) => {
|
||||
console.info("Request received:", req);
|
||||
return req;
|
||||
});
|
||||
|
||||
authorizeRoute(plugin);
|
||||
ssoRoute(plugin);
|
||||
ssoIdRoute(plugin);
|
||||
tokenRoute(plugin);
|
||||
tokenRevokeRoute(plugin);
|
||||
jwksRoute(plugin);
|
||||
ssoLoginRoute(plugin);
|
||||
ssoLoginCallbackRoute(plugin);
|
||||
|
||||
plugin.registerRoute("/admin/queues/api/*", (app) => {
|
||||
// Check for JWT when accessing the admin panel
|
||||
app.use("/admin/queues/api/*", async (context, next) => {
|
||||
const jwtCookie = getCookie(context, "jwt");
|
||||
|
||||
if (!jwtCookie) {
|
||||
throw new ApiError(401, "Missing JWT cookie");
|
||||
}
|
||||
|
||||
const { keys } = context.get("pluginConfig");
|
||||
|
||||
const result = await jwtVerify(jwtCookie, keys.public, {
|
||||
algorithms: ["EdDSA"],
|
||||
issuer: new URL(context.get("config").http.base_url).origin,
|
||||
}).catch((error) => {
|
||||
if (error instanceof JOSEError) {
|
||||
return error;
|
||||
}
|
||||
|
||||
throw error;
|
||||
});
|
||||
|
||||
if (result instanceof JOSEError) {
|
||||
if (result instanceof JWTExpired) {
|
||||
throw new ApiError(401, "JWT has expired");
|
||||
}
|
||||
|
||||
throw new ApiError(401, "Invalid JWT");
|
||||
}
|
||||
|
||||
const {
|
||||
payload: { sub },
|
||||
} = result;
|
||||
|
||||
if (!sub) {
|
||||
throw new ApiError(401, "Invalid JWT (no sub)");
|
||||
}
|
||||
|
||||
const user = await User.fromId(sub);
|
||||
|
||||
if (!user?.hasPermission(RolePermission.ManageInstanceFederation)) {
|
||||
throw new ApiError(
|
||||
403,
|
||||
`Missing '${RolePermission.ManageInstanceFederation}' permission`,
|
||||
);
|
||||
}
|
||||
|
||||
await next();
|
||||
});
|
||||
});
|
||||
|
||||
export type PluginType = typeof plugin;
|
||||
export default plugin;
|
||||
17
packages/api/plugins/openid/manifest.json
Normal file
17
packages/api/plugins/openid/manifest.json
Normal file
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/versia-pub/server/refs/heads/main/packages/kit/manifest.schema.json",
|
||||
"name": "@versia/openid",
|
||||
"description": "OpenID authentication.",
|
||||
"version": "0.1.0",
|
||||
"authors": [
|
||||
{
|
||||
"name": "Jesse Wierzbinski",
|
||||
"email": "contact@cpluspatch.com",
|
||||
"url": "https://cpluspatch.com"
|
||||
}
|
||||
],
|
||||
"repository": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/versia-pub/server.git"
|
||||
}
|
||||
}
|
||||
404
packages/api/plugins/openid/routes/authorize.test.ts
Normal file
404
packages/api/plugins/openid/routes/authorize.test.ts
Normal file
|
|
@ -0,0 +1,404 @@
|
|||
import { afterAll, describe, expect, test } from "bun:test";
|
||||
import { RolePermission } from "@versia/client/schemas";
|
||||
import { config } from "@versia-server/config";
|
||||
import { Application } from "@versia-server/kit/db";
|
||||
import { fakeRequest, getTestUsers } from "@versia-server/tests";
|
||||
import { randomUUIDv7 } from "bun";
|
||||
import { SignJWT } from "jose";
|
||||
import { randomString } from "@/math";
|
||||
|
||||
const { deleteUsers, tokens, users } = await getTestUsers(1);
|
||||
const privateKey = await crypto.subtle.importKey(
|
||||
"pkcs8",
|
||||
Buffer.from(
|
||||
config.plugins?.config?.["@versia/openid"].keys.private,
|
||||
"base64",
|
||||
),
|
||||
"Ed25519",
|
||||
false,
|
||||
["sign"],
|
||||
);
|
||||
|
||||
const application = await Application.insert({
|
||||
id: randomUUIDv7(),
|
||||
clientId: "test-client-id",
|
||||
redirectUri: "https://example.com/callback",
|
||||
scopes: "openid profile email",
|
||||
name: "Test Application",
|
||||
secret: "test-secret",
|
||||
});
|
||||
|
||||
afterAll(async () => {
|
||||
await deleteUsers();
|
||||
await application.delete();
|
||||
});
|
||||
|
||||
describe("/oauth/authorize", () => {
|
||||
test("should authorize and redirect with valid inputs", async () => {
|
||||
const jwt = await new SignJWT({
|
||||
sub: users[0].id,
|
||||
iss: config.http.base_url.origin,
|
||||
aud: application.data.clientId,
|
||||
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
||||
iat: Math.floor(Date.now() / 1000),
|
||||
nbf: Math.floor(Date.now() / 1000),
|
||||
})
|
||||
.setProtectedHeader({ alg: "EdDSA" })
|
||||
.sign(privateKey);
|
||||
|
||||
const response = await fakeRequest("/oauth/authorize", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
||||
"Content-Type": "application/json",
|
||||
Cookie: `jwt=${jwt}`,
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
redirect_uri: application.data.redirectUri,
|
||||
response_type: "code",
|
||||
scope: application.data.scopes,
|
||||
state: "test-state",
|
||||
code_challenge: randomString(43),
|
||||
code_challenge_method: "S256",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(302);
|
||||
const location = new URL(
|
||||
response.headers.get("Location") ?? "",
|
||||
config.http.base_url,
|
||||
);
|
||||
const params = new URLSearchParams(location.search);
|
||||
expect(location.origin + location.pathname).toBe(
|
||||
application.data.redirectUri,
|
||||
);
|
||||
expect(params.get("code")).toBeTruthy();
|
||||
expect(params.get("state")).toBe("test-state");
|
||||
});
|
||||
|
||||
test("should return error for invalid JWT", async () => {
|
||||
const response = await fakeRequest("/oauth/authorize", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
||||
"Content-Type": "application/json",
|
||||
Cookie: "jwt=invalid-jwt",
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
redirect_uri: application.data.redirectUri,
|
||||
response_type: "code",
|
||||
scope: application.data.scopes,
|
||||
state: "test-state",
|
||||
code_challenge: randomString(43),
|
||||
code_challenge_method: "S256",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(302);
|
||||
const location = new URL(
|
||||
response.headers.get("Location") ?? "",
|
||||
config.http.base_url,
|
||||
);
|
||||
const params = new URLSearchParams(location.search);
|
||||
expect(params.get("error")).toBe("invalid_request");
|
||||
expect(params.get("error_description")).toBe(
|
||||
"Invalid JWT: could not verify",
|
||||
);
|
||||
});
|
||||
|
||||
test("should return error for missing required fields in JWT", async () => {
|
||||
const jwt = await new SignJWT({
|
||||
sub: users[0].id,
|
||||
iss: config.http.base_url.origin,
|
||||
aud: application.data.clientId,
|
||||
})
|
||||
.setProtectedHeader({ alg: "EdDSA" })
|
||||
.sign(privateKey);
|
||||
|
||||
const response = await fakeRequest("/oauth/authorize", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
||||
"Content-Type": "application/json",
|
||||
Cookie: `jwt=${jwt}`,
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
redirect_uri: application.data.redirectUri,
|
||||
response_type: "code",
|
||||
scope: application.data.scopes,
|
||||
state: "test-state",
|
||||
code_challenge: randomString(43),
|
||||
code_challenge_method: "S256",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(302);
|
||||
const location = new URL(
|
||||
response.headers.get("Location") ?? "",
|
||||
config.http.base_url,
|
||||
);
|
||||
const params = new URLSearchParams(location.search);
|
||||
expect(params.get("error")).toBe("invalid_request");
|
||||
expect(params.get("error_description")).toBe(
|
||||
"Invalid JWT: missing required fields (aud, sub, exp, iss)",
|
||||
);
|
||||
});
|
||||
|
||||
test("should return error for user not found", async () => {
|
||||
const jwt = await new SignJWT({
|
||||
sub: "non-existent-user",
|
||||
aud: application.data.clientId,
|
||||
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
||||
iss: config.http.base_url.origin,
|
||||
iat: Math.floor(Date.now() / 1000),
|
||||
nbf: Math.floor(Date.now() / 1000),
|
||||
})
|
||||
.setProtectedHeader({ alg: "EdDSA" })
|
||||
.sign(privateKey);
|
||||
|
||||
const response = await fakeRequest("/oauth/authorize", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
||||
"Content-Type": "application/json",
|
||||
Cookie: `jwt=${jwt}`,
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
redirect_uri: application.data.redirectUri,
|
||||
response_type: "code",
|
||||
scope: application.data.scopes,
|
||||
state: "test-state",
|
||||
code_challenge: randomString(43),
|
||||
code_challenge_method: "S256",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(302);
|
||||
const location = new URL(
|
||||
response.headers.get("Location") ?? "",
|
||||
config.http.base_url,
|
||||
);
|
||||
const params = new URLSearchParams(location.search);
|
||||
expect(params.get("error")).toBe("invalid_request");
|
||||
expect(params.get("error_description")).toBe(
|
||||
"Invalid JWT: sub is not a valid user ID",
|
||||
);
|
||||
|
||||
const jwt2 = await new SignJWT({
|
||||
sub: "23e42862-d5df-49a8-95b5-52d8c6a11aea",
|
||||
aud: application.data.clientId,
|
||||
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
||||
iss: config.http.base_url.origin,
|
||||
iat: Math.floor(Date.now() / 1000),
|
||||
nbf: Math.floor(Date.now() / 1000),
|
||||
})
|
||||
.setProtectedHeader({ alg: "EdDSA" })
|
||||
.sign(privateKey);
|
||||
|
||||
const response2 = await fakeRequest("/oauth/authorize", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
||||
"Content-Type": "application/json",
|
||||
Cookie: `jwt=${jwt2}`,
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
redirect_uri: application.data.redirectUri,
|
||||
response_type: "code",
|
||||
scope: application.data.scopes,
|
||||
state: "test-state",
|
||||
code_challenge: randomString(43),
|
||||
code_challenge_method: "S256",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response2.status).toBe(302);
|
||||
const location2 = new URL(
|
||||
response2.headers.get("Location") ?? "",
|
||||
config.http.base_url,
|
||||
);
|
||||
const params2 = new URLSearchParams(location2.search);
|
||||
expect(params2.get("error")).toBe("invalid_request");
|
||||
expect(params2.get("error_description")).toBe(
|
||||
"Invalid JWT, could not find associated user",
|
||||
);
|
||||
});
|
||||
|
||||
test("should return error for user missing required permissions", async () => {
|
||||
const oldPermissions = config.permissions.default;
|
||||
config.permissions.default = [];
|
||||
|
||||
const jwt = await new SignJWT({
|
||||
sub: users[0].id,
|
||||
iss: config.http.base_url.origin,
|
||||
aud: application.data.clientId,
|
||||
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
||||
iat: Math.floor(Date.now() / 1000),
|
||||
nbf: Math.floor(Date.now() / 1000),
|
||||
})
|
||||
.setProtectedHeader({ alg: "EdDSA" })
|
||||
.sign(privateKey);
|
||||
|
||||
const response = await fakeRequest("/oauth/authorize", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
||||
"Content-Type": "application/json",
|
||||
Cookie: `jwt=${jwt}`,
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
redirect_uri: application.data.redirectUri,
|
||||
response_type: "code",
|
||||
scope: application.data.scopes,
|
||||
state: "test-state",
|
||||
code_challenge: randomString(43),
|
||||
code_challenge_method: "S256",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(302);
|
||||
const location = new URL(
|
||||
response.headers.get("Location") ?? "",
|
||||
config.http.base_url,
|
||||
);
|
||||
const params = new URLSearchParams(location.search);
|
||||
expect(params.get("error")).toBe("unauthorized");
|
||||
expect(params.get("error_description")).toBe(
|
||||
`User missing required '${RolePermission.OAuth}' permission`,
|
||||
);
|
||||
|
||||
config.permissions.default = oldPermissions;
|
||||
});
|
||||
|
||||
test("should return error for invalid client_id", async () => {
|
||||
const jwt = await new SignJWT({
|
||||
sub: users[0].id,
|
||||
aud: "invalid-client-id",
|
||||
iss: config.http.base_url.origin,
|
||||
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
||||
iat: Math.floor(Date.now() / 1000),
|
||||
nbf: Math.floor(Date.now() / 1000),
|
||||
})
|
||||
.setProtectedHeader({ alg: "EdDSA" })
|
||||
.sign(privateKey);
|
||||
|
||||
const response = await fakeRequest("/oauth/authorize", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
||||
"Content-Type": "application/json",
|
||||
Cookie: `jwt=${jwt}`,
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: "invalid-client-id",
|
||||
redirect_uri: application.data.redirectUri,
|
||||
response_type: "code",
|
||||
scope: application.data.scopes,
|
||||
state: "test-state",
|
||||
code_challenge: randomString(43),
|
||||
code_challenge_method: "S256",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(302);
|
||||
const location = new URL(
|
||||
response.headers.get("Location") ?? "",
|
||||
config.http.base_url,
|
||||
);
|
||||
const params = new URLSearchParams(location.search);
|
||||
expect(params.get("error")).toBe("invalid_request");
|
||||
expect(params.get("error_description")).toBe(
|
||||
"Invalid client_id: no associated API application found",
|
||||
);
|
||||
});
|
||||
|
||||
test("should return error for invalid redirect_uri", async () => {
|
||||
const jwt = await new SignJWT({
|
||||
sub: users[0].id,
|
||||
iss: config.http.base_url.origin,
|
||||
aud: application.data.clientId,
|
||||
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
||||
iat: Math.floor(Date.now() / 1000),
|
||||
nbf: Math.floor(Date.now() / 1000),
|
||||
})
|
||||
.setProtectedHeader({ alg: "EdDSA" })
|
||||
.sign(privateKey);
|
||||
|
||||
const response = await fakeRequest("/oauth/authorize", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
||||
"Content-Type": "application/json",
|
||||
Cookie: `jwt=${jwt}`,
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
redirect_uri: "https://invalid.com/callback",
|
||||
response_type: "code",
|
||||
scope: application.data.scopes,
|
||||
state: "test-state",
|
||||
code_challenge: randomString(43),
|
||||
code_challenge_method: "S256",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(302);
|
||||
const location = new URL(
|
||||
response.headers.get("Location") ?? "",
|
||||
config.http.base_url,
|
||||
);
|
||||
const params = new URLSearchParams(location.search);
|
||||
expect(params.get("error")).toBe("invalid_request");
|
||||
expect(params.get("error_description")).toBe(
|
||||
"Invalid redirect_uri: does not match API application's redirect_uri",
|
||||
);
|
||||
});
|
||||
|
||||
test("should return error for invalid scope", async () => {
|
||||
const jwt = await new SignJWT({
|
||||
sub: users[0].id,
|
||||
iss: config.http.base_url.origin,
|
||||
aud: application.data.clientId,
|
||||
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
||||
iat: Math.floor(Date.now() / 1000),
|
||||
nbf: Math.floor(Date.now() / 1000),
|
||||
})
|
||||
.setProtectedHeader({ alg: "EdDSA" })
|
||||
.sign(privateKey);
|
||||
|
||||
const response = await fakeRequest("/oauth/authorize", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
||||
"Content-Type": "application/json",
|
||||
Cookie: `jwt=${jwt}`,
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
redirect_uri: application.data.redirectUri,
|
||||
response_type: "code",
|
||||
scope: "invalid-scope",
|
||||
state: "test-state",
|
||||
code_challenge: randomString(43),
|
||||
code_challenge_method: "S256",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(302);
|
||||
const location = new URL(
|
||||
response.headers.get("Location") ?? "",
|
||||
config.http.base_url,
|
||||
);
|
||||
const params = new URLSearchParams(location.search);
|
||||
expect(params.get("error")).toBe("invalid_request");
|
||||
expect(params.get("error_description")).toBe(
|
||||
"Invalid scope: not a subset of the application's scopes",
|
||||
);
|
||||
});
|
||||
});
|
||||
278
packages/api/plugins/openid/routes/authorize.ts
Normal file
278
packages/api/plugins/openid/routes/authorize.ts
Normal file
|
|
@ -0,0 +1,278 @@
|
|||
import { RolePermission } from "@versia/client/schemas";
|
||||
import { auth, handleZodError, jsonOrForm } from "@versia-server/kit/api";
|
||||
import { Application, Token, User } from "@versia-server/kit/db";
|
||||
import { randomUUIDv7 } from "bun";
|
||||
import { describeRoute } from "hono-openapi";
|
||||
import { validator } from "hono-openapi/zod";
|
||||
import { type JWTPayload, jwtVerify, SignJWT } from "jose";
|
||||
import { JOSEError } from "jose/errors";
|
||||
import { z } from "zod";
|
||||
import { randomString } from "@/math";
|
||||
import { errorRedirect, errors } from "../errors.ts";
|
||||
import type { PluginType } from "../index.ts";
|
||||
|
||||
export default (plugin: PluginType): void =>
|
||||
plugin.registerRoute("/oauth/authorize", (app) =>
|
||||
app.post(
|
||||
"/oauth/authorize",
|
||||
describeRoute({
|
||||
summary: "Main OpenID authorization endpoint",
|
||||
tags: ["OpenID"],
|
||||
responses: {
|
||||
302: {
|
||||
description: "Redirect to the application",
|
||||
},
|
||||
},
|
||||
}),
|
||||
plugin.middleware,
|
||||
auth({
|
||||
auth: false,
|
||||
}),
|
||||
jsonOrForm(),
|
||||
validator(
|
||||
"query",
|
||||
z.object({
|
||||
prompt: z
|
||||
.enum(["none", "login", "consent", "select_account"])
|
||||
.optional()
|
||||
.default("none"),
|
||||
max_age: z.coerce
|
||||
.number()
|
||||
.int()
|
||||
.optional()
|
||||
.default(60 * 60 * 24 * 7),
|
||||
}),
|
||||
handleZodError,
|
||||
),
|
||||
validator(
|
||||
"json",
|
||||
z
|
||||
.object({
|
||||
scope: z.string().optional(),
|
||||
redirect_uri: z
|
||||
.string()
|
||||
.url()
|
||||
.optional()
|
||||
.or(z.literal("urn:ietf:wg:oauth:2.0:oob")),
|
||||
response_type: z.enum([
|
||||
"code",
|
||||
"token",
|
||||
"none",
|
||||
"id_token",
|
||||
"code id_token",
|
||||
"code token",
|
||||
"token id_token",
|
||||
"code token id_token",
|
||||
]),
|
||||
client_id: z.string(),
|
||||
state: z.string().optional(),
|
||||
code_challenge: z.string().optional(),
|
||||
code_challenge_method: z
|
||||
.enum(["plain", "S256"])
|
||||
.optional(),
|
||||
})
|
||||
.refine(
|
||||
// Check if redirect_uri is valid for code flow
|
||||
(data) =>
|
||||
data.response_type.includes("code")
|
||||
? data.redirect_uri
|
||||
: true,
|
||||
"redirect_uri is required for code flow",
|
||||
),
|
||||
// Disable for Mastodon API compatibility
|
||||
/* .refine(
|
||||
// Check if code_challenge is valid for code flow
|
||||
(data) =>
|
||||
data.response_type.includes("code")
|
||||
? data.code_challenge
|
||||
: true,
|
||||
"code_challenge is required for code flow",
|
||||
), */
|
||||
handleZodError,
|
||||
),
|
||||
validator(
|
||||
"cookie",
|
||||
z.object({
|
||||
jwt: z.string(),
|
||||
}),
|
||||
handleZodError,
|
||||
),
|
||||
async (context) => {
|
||||
const { scope, redirect_uri, client_id, state } =
|
||||
context.req.valid("json");
|
||||
|
||||
const { jwt } = context.req.valid("cookie");
|
||||
|
||||
const { keys } = context.get("pluginConfig");
|
||||
|
||||
const errorSearchParams = new URLSearchParams(
|
||||
context.req.valid("json"),
|
||||
);
|
||||
|
||||
const result = await jwtVerify(jwt, keys.public, {
|
||||
algorithms: ["EdDSA"],
|
||||
audience: client_id,
|
||||
issuer: new URL(context.get("config").http.base_url).origin,
|
||||
}).catch((error) => {
|
||||
if (error instanceof JOSEError) {
|
||||
return null;
|
||||
}
|
||||
|
||||
throw error;
|
||||
});
|
||||
|
||||
if (!result) {
|
||||
return errorRedirect(
|
||||
context,
|
||||
errors.InvalidJWT,
|
||||
errorSearchParams,
|
||||
);
|
||||
}
|
||||
|
||||
const {
|
||||
payload: { aud, sub, exp },
|
||||
} = result;
|
||||
|
||||
if (!(aud && sub && exp)) {
|
||||
return errorRedirect(
|
||||
context,
|
||||
errors.MissingJWTFields,
|
||||
errorSearchParams,
|
||||
);
|
||||
}
|
||||
|
||||
if (!z.string().uuid().safeParse(sub).success) {
|
||||
return errorRedirect(
|
||||
context,
|
||||
errors.InvalidSub,
|
||||
errorSearchParams,
|
||||
);
|
||||
}
|
||||
|
||||
const user = await User.fromId(sub);
|
||||
|
||||
if (!user) {
|
||||
return errorRedirect(
|
||||
context,
|
||||
errors.UserNotFound,
|
||||
errorSearchParams,
|
||||
);
|
||||
}
|
||||
|
||||
if (!user.hasPermission(RolePermission.OAuth)) {
|
||||
return errorRedirect(
|
||||
context,
|
||||
errors.MissingOauthPermission,
|
||||
errorSearchParams,
|
||||
);
|
||||
}
|
||||
|
||||
const application = await Application.fromClientId(client_id);
|
||||
|
||||
if (!application) {
|
||||
return errorRedirect(
|
||||
context,
|
||||
errors.MissingApplication,
|
||||
errorSearchParams,
|
||||
);
|
||||
}
|
||||
|
||||
if (application.data.redirectUri !== redirect_uri) {
|
||||
return errorRedirect(
|
||||
context,
|
||||
errors.InvalidRedirectUri,
|
||||
errorSearchParams,
|
||||
);
|
||||
}
|
||||
|
||||
// Check that scopes are a subset of the application's scopes
|
||||
if (
|
||||
scope &&
|
||||
!scope
|
||||
.split(" ")
|
||||
.every((s) => application.data.scopes.includes(s))
|
||||
) {
|
||||
return errorRedirect(
|
||||
context,
|
||||
errors.InvalidScope,
|
||||
errorSearchParams,
|
||||
);
|
||||
}
|
||||
|
||||
const code = randomString(256, "base64url");
|
||||
|
||||
let payload: JWTPayload = {};
|
||||
|
||||
if (scope) {
|
||||
if (scope.split(" ").includes("openid")) {
|
||||
payload = {
|
||||
...payload,
|
||||
sub: user.id,
|
||||
iss: new URL(context.get("config").http.base_url)
|
||||
.origin,
|
||||
aud: client_id,
|
||||
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
||||
iat: Math.floor(Date.now() / 1000),
|
||||
nbf: Math.floor(Date.now() / 1000),
|
||||
};
|
||||
}
|
||||
if (scope.split(" ").includes("profile")) {
|
||||
payload = {
|
||||
...payload,
|
||||
name: user.data.displayName,
|
||||
preferred_username: user.data.username,
|
||||
picture: user.getAvatarUrl().href,
|
||||
updated_at: new Date(
|
||||
user.data.updatedAt,
|
||||
).toISOString(),
|
||||
};
|
||||
}
|
||||
if (scope.split(" ").includes("email")) {
|
||||
payload = {
|
||||
...payload,
|
||||
email: user.data.email,
|
||||
// TODO: Add verification system
|
||||
email_verified: true,
|
||||
};
|
||||
}
|
||||
}
|
||||
|
||||
const idToken = await new SignJWT(payload)
|
||||
.setProtectedHeader({ alg: "EdDSA" })
|
||||
.sign(keys.private);
|
||||
|
||||
await Token.insert({
|
||||
id: randomUUIDv7(),
|
||||
accessToken: randomString(64, "base64url"),
|
||||
code,
|
||||
scope: scope ?? application.data.scopes,
|
||||
tokenType: "Bearer",
|
||||
applicationId: application.id,
|
||||
redirectUri: redirect_uri ?? application.data.redirectUri,
|
||||
expiresAt: new Date(
|
||||
Date.now() + 60 * 60 * 24 * 14,
|
||||
).toISOString(),
|
||||
idToken: ["profile", "email", "openid"].some((s) =>
|
||||
scope?.split(" ").includes(s),
|
||||
)
|
||||
? idToken
|
||||
: null,
|
||||
clientId: client_id,
|
||||
userId: user.id,
|
||||
});
|
||||
|
||||
const redirectUri =
|
||||
redirect_uri === "urn:ietf:wg:oauth:2.0:oob"
|
||||
? new URL(
|
||||
"/oauth/code",
|
||||
context.get("config").http.base_url,
|
||||
)
|
||||
: new URL(redirect_uri ?? application.data.redirectUri);
|
||||
|
||||
redirectUri.searchParams.append("code", code);
|
||||
state && redirectUri.searchParams.append("state", state);
|
||||
|
||||
return context.redirect(redirectUri.toString());
|
||||
},
|
||||
),
|
||||
);
|
||||
35
packages/api/plugins/openid/routes/jwks.test.ts
Normal file
35
packages/api/plugins/openid/routes/jwks.test.ts
Normal file
|
|
@ -0,0 +1,35 @@
|
|||
import { afterAll, describe, expect, test } from "bun:test";
|
||||
import { Application } from "@versia-server/kit/db";
|
||||
import { fakeRequest } from "@versia-server/tests";
|
||||
import { randomUUIDv7 } from "bun";
|
||||
|
||||
const application = await Application.insert({
|
||||
id: randomUUIDv7(),
|
||||
clientId: "test-client-id",
|
||||
redirectUri: "https://example.com/callback",
|
||||
scopes: "openid profile email",
|
||||
secret: "test-secret",
|
||||
name: "Test Application",
|
||||
});
|
||||
|
||||
afterAll(async () => {
|
||||
await application.delete();
|
||||
});
|
||||
|
||||
describe("/.well-known/jwks", () => {
|
||||
test("should return JWK set with valid inputs", async () => {
|
||||
const response = await fakeRequest("/.well-known/jwks", {
|
||||
method: "GET",
|
||||
});
|
||||
|
||||
expect(response.status).toBe(200);
|
||||
const body = await response.json();
|
||||
expect(body.keys).toHaveLength(1);
|
||||
expect(body.keys[0].kty).toBe("OKP");
|
||||
expect(body.keys[0].use).toBe("sig");
|
||||
expect(body.keys[0].alg).toBe("EdDSA");
|
||||
expect(body.keys[0].kid).toBe("1");
|
||||
expect(body.keys[0].crv).toBe("Ed25519");
|
||||
expect(body.keys[0].x).toBeString();
|
||||
});
|
||||
});
|
||||
68
packages/api/plugins/openid/routes/jwks.ts
Normal file
68
packages/api/plugins/openid/routes/jwks.ts
Normal file
|
|
@ -0,0 +1,68 @@
|
|||
import { auth } from "@versia-server/kit/api";
|
||||
import { describeRoute } from "hono-openapi";
|
||||
import { resolver } from "hono-openapi/zod";
|
||||
import { exportJWK } from "jose";
|
||||
import { z } from "zod";
|
||||
import type { PluginType } from "../index.ts";
|
||||
|
||||
export default (plugin: PluginType): void => {
|
||||
plugin.registerRoute("/.well-known/jwks", (app) =>
|
||||
app.get(
|
||||
"/.well-known/jwks",
|
||||
describeRoute({
|
||||
summary: "JWK Set",
|
||||
tags: ["OpenID"],
|
||||
responses: {
|
||||
200: {
|
||||
description: "JWK Set",
|
||||
content: {
|
||||
"application/json": {
|
||||
schema: resolver(
|
||||
z.object({
|
||||
keys: z.array(
|
||||
z.object({
|
||||
kty: z.string().optional(),
|
||||
use: z.string(),
|
||||
alg: z.string(),
|
||||
kid: z.string(),
|
||||
crv: z.string().optional(),
|
||||
x: z.string().optional(),
|
||||
y: z.string().optional(),
|
||||
}),
|
||||
),
|
||||
}),
|
||||
),
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
auth({
|
||||
auth: false,
|
||||
}),
|
||||
plugin.middleware,
|
||||
async (context) => {
|
||||
const jwk = await exportJWK(
|
||||
context.get("pluginConfig").keys?.public,
|
||||
);
|
||||
|
||||
// Remove the private key 💀
|
||||
jwk.d = undefined;
|
||||
|
||||
return context.json(
|
||||
{
|
||||
keys: [
|
||||
{
|
||||
...jwk,
|
||||
use: "sig",
|
||||
alg: "EdDSA",
|
||||
kid: "1",
|
||||
},
|
||||
],
|
||||
},
|
||||
200,
|
||||
);
|
||||
},
|
||||
),
|
||||
);
|
||||
};
|
||||
354
packages/api/plugins/openid/routes/oauth/callback.ts
Normal file
354
packages/api/plugins/openid/routes/oauth/callback.ts
Normal file
|
|
@ -0,0 +1,354 @@
|
|||
import {
|
||||
Account as AccountSchema,
|
||||
RolePermission,
|
||||
} from "@versia/client/schemas";
|
||||
import { ApiError } from "@versia-server/kit";
|
||||
import { handleZodError } from "@versia-server/kit/api";
|
||||
import { db, Media, Token, User } from "@versia-server/kit/db";
|
||||
import { searchManager } from "@versia-server/kit/search";
|
||||
import { OpenIdAccounts, Users } from "@versia-server/kit/tables";
|
||||
import { randomUUIDv7 } from "bun";
|
||||
import { and, eq, isNull, type SQL } from "drizzle-orm";
|
||||
import { setCookie } from "hono/cookie";
|
||||
import { describeRoute } from "hono-openapi";
|
||||
import { validator } from "hono-openapi/zod";
|
||||
import { SignJWT } from "jose";
|
||||
import { z } from "zod";
|
||||
import { randomString } from "@/math.ts";
|
||||
import type { PluginType } from "../../index.ts";
|
||||
import { automaticOidcFlow } from "../../utils.ts";
|
||||
|
||||
export default (plugin: PluginType): void => {
|
||||
plugin.registerRoute("/oauth/sso/{issuer}/callback", (app) => {
|
||||
app.get(
|
||||
"/oauth/sso/:issuer/callback",
|
||||
describeRoute({
|
||||
summary: "SSO callback",
|
||||
tags: ["OpenID"],
|
||||
description:
|
||||
"After the user has authenticated to an external OpenID provider, they are redirected here to complete the OAuth flow and get a code",
|
||||
responses: {
|
||||
302: {
|
||||
description:
|
||||
"Redirect to frontend's consent route, or redirect to login page with error",
|
||||
},
|
||||
},
|
||||
}),
|
||||
plugin.middleware,
|
||||
validator(
|
||||
"param",
|
||||
z.object({
|
||||
issuer: z.string(),
|
||||
}),
|
||||
handleZodError,
|
||||
),
|
||||
validator(
|
||||
"query",
|
||||
z.object({
|
||||
client_id: z.string().optional(),
|
||||
flow: z.string(),
|
||||
link: z
|
||||
.string()
|
||||
.transform((v) =>
|
||||
["true", "1", "on"].includes(v.toLowerCase()),
|
||||
)
|
||||
.optional(),
|
||||
user_id: z.string().uuid().optional(),
|
||||
}),
|
||||
handleZodError,
|
||||
),
|
||||
async (context) => {
|
||||
const currentUrl = new URL(context.req.url);
|
||||
const redirectUrl = new URL(context.req.url);
|
||||
|
||||
// Correct some reverse proxies incorrectly setting the protocol as http, even if the original request was https
|
||||
// Looking at you, Traefik
|
||||
if (
|
||||
new URL(context.get("config").http.base_url).protocol ===
|
||||
"https:" &&
|
||||
currentUrl.protocol === "http:"
|
||||
) {
|
||||
currentUrl.protocol = "https:";
|
||||
redirectUrl.protocol = "https:";
|
||||
}
|
||||
|
||||
// Remove state query parameter from URL
|
||||
currentUrl.searchParams.delete("state");
|
||||
redirectUrl.searchParams.delete("state");
|
||||
// Remove issuer query parameter from URL (can cause redirect URI mismatches)
|
||||
redirectUrl.searchParams.delete("iss");
|
||||
redirectUrl.searchParams.delete("code");
|
||||
const { issuer: issuerParam } = context.req.valid("param");
|
||||
const {
|
||||
flow: flowId,
|
||||
user_id,
|
||||
link,
|
||||
} = context.req.valid("query");
|
||||
|
||||
const issuer = context
|
||||
.get("pluginConfig")
|
||||
.providers.find((provider) => provider.id === issuerParam);
|
||||
|
||||
if (!issuer) {
|
||||
throw new ApiError(404, "Issuer not found");
|
||||
}
|
||||
|
||||
const userInfo = await automaticOidcFlow(
|
||||
issuer,
|
||||
flowId,
|
||||
currentUrl,
|
||||
redirectUrl,
|
||||
(error, message, flow) => {
|
||||
const errorSearchParams = new URLSearchParams(
|
||||
Object.entries({
|
||||
redirect_uri: flow?.application?.redirectUri,
|
||||
client_id: flow?.application?.clientId,
|
||||
response_type: "code",
|
||||
scope: flow?.application?.scopes,
|
||||
}).filter(([_, value]) => value !== undefined) as [
|
||||
string,
|
||||
string,
|
||||
][],
|
||||
);
|
||||
|
||||
errorSearchParams.append("error", error);
|
||||
errorSearchParams.append("error_description", message);
|
||||
|
||||
return context.redirect(
|
||||
`${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
|
||||
);
|
||||
},
|
||||
);
|
||||
|
||||
if (userInfo instanceof Response) {
|
||||
return userInfo;
|
||||
}
|
||||
|
||||
const { sub, email, preferred_username, picture } =
|
||||
userInfo.userInfo;
|
||||
const flow = userInfo.flow;
|
||||
|
||||
const errorSearchParams = new URLSearchParams(
|
||||
Object.entries({
|
||||
redirect_uri: flow.application?.redirectUri,
|
||||
client_id: flow.application?.clientId,
|
||||
response_type: "code",
|
||||
scope: flow.application?.scopes,
|
||||
}).filter(([_, value]) => value !== undefined) as [
|
||||
string,
|
||||
string,
|
||||
][],
|
||||
);
|
||||
|
||||
// If linking account
|
||||
if (link && user_id) {
|
||||
// Check if userId is equal to application.clientId
|
||||
if (!flow.application?.clientId.startsWith(user_id)) {
|
||||
return context.redirect(
|
||||
`${context.get("config").http.base_url}${
|
||||
context.get("config").frontend.routes.home
|
||||
}?${new URLSearchParams({
|
||||
oidc_account_linking_error:
|
||||
"Account linking error",
|
||||
oidc_account_linking_error_message: `User ID does not match application client ID (${user_id} != ${flow.application?.clientId})`,
|
||||
})}`,
|
||||
);
|
||||
}
|
||||
|
||||
// Check if account is already linked
|
||||
const account = await db.query.OpenIdAccounts.findFirst({
|
||||
where: (account): SQL | undefined =>
|
||||
and(
|
||||
eq(account.serverId, sub),
|
||||
eq(account.issuerId, issuer.id),
|
||||
),
|
||||
});
|
||||
|
||||
if (account) {
|
||||
return context.redirect(
|
||||
`${context.get("config").http.base_url}${
|
||||
context.get("config").frontend.routes.home
|
||||
}?${new URLSearchParams({
|
||||
oidc_account_linking_error:
|
||||
"Account already linked",
|
||||
oidc_account_linking_error_message:
|
||||
"This account has already been linked to this OpenID Connect provider.",
|
||||
})}`,
|
||||
);
|
||||
}
|
||||
|
||||
// Link the account
|
||||
await db.insert(OpenIdAccounts).values({
|
||||
id: randomUUIDv7(),
|
||||
serverId: sub,
|
||||
issuerId: issuer.id,
|
||||
userId: user_id,
|
||||
});
|
||||
|
||||
return context.redirect(
|
||||
`${context.get("config").http.base_url}${
|
||||
context.get("config").frontend.routes.home
|
||||
}?${new URLSearchParams({
|
||||
oidc_account_linked: "true",
|
||||
})}`,
|
||||
);
|
||||
}
|
||||
|
||||
let userId = (
|
||||
await db.query.OpenIdAccounts.findFirst({
|
||||
where: (account): SQL | undefined =>
|
||||
and(
|
||||
eq(account.serverId, sub),
|
||||
eq(account.issuerId, issuer.id),
|
||||
),
|
||||
})
|
||||
)?.userId;
|
||||
|
||||
if (!userId) {
|
||||
// Register new user
|
||||
if (context.get("pluginConfig").allow_registration) {
|
||||
let username =
|
||||
preferred_username ??
|
||||
email?.split("@")[0] ??
|
||||
randomString(8, "hex");
|
||||
|
||||
const usernameValidator =
|
||||
AccountSchema.shape.username.refine(
|
||||
async (value) =>
|
||||
!(await User.fromSql(
|
||||
and(
|
||||
eq(Users.username, value),
|
||||
isNull(Users.instanceId),
|
||||
),
|
||||
)),
|
||||
);
|
||||
|
||||
try {
|
||||
await usernameValidator.parseAsync(username);
|
||||
} catch {
|
||||
username = randomString(8, "hex");
|
||||
}
|
||||
|
||||
const doesEmailExist = email
|
||||
? !!(await User.fromSql(eq(Users.email, email)))
|
||||
: false;
|
||||
|
||||
const avatar = picture
|
||||
? await Media.fromUrl(new URL(picture))
|
||||
: null;
|
||||
|
||||
// Create new user
|
||||
const user = await User.register(username, {
|
||||
email: doesEmailExist ? undefined : email,
|
||||
avatar: avatar ?? undefined,
|
||||
});
|
||||
|
||||
// Add to search index
|
||||
await searchManager.addUser(user);
|
||||
|
||||
// Link account
|
||||
await db.insert(OpenIdAccounts).values({
|
||||
id: randomUUIDv7(),
|
||||
serverId: sub,
|
||||
issuerId: issuer.id,
|
||||
userId: user.id,
|
||||
});
|
||||
|
||||
userId = user.id;
|
||||
} else {
|
||||
errorSearchParams.append("error", "invalid_request");
|
||||
errorSearchParams.append(
|
||||
"error_description",
|
||||
"No user found with that account",
|
||||
);
|
||||
|
||||
return context.redirect(
|
||||
`${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
const user = await User.fromId(userId);
|
||||
|
||||
if (!user) {
|
||||
errorSearchParams.append("error", "invalid_request");
|
||||
errorSearchParams.append(
|
||||
"error_description",
|
||||
"No user found with that account",
|
||||
);
|
||||
|
||||
return context.redirect(
|
||||
`${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
|
||||
);
|
||||
}
|
||||
|
||||
if (!user.hasPermission(RolePermission.OAuth)) {
|
||||
errorSearchParams.append("error", "invalid_request");
|
||||
errorSearchParams.append(
|
||||
"error_description",
|
||||
`User does not have the '${RolePermission.OAuth}' permission`,
|
||||
);
|
||||
|
||||
return context.redirect(
|
||||
`${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
|
||||
);
|
||||
}
|
||||
|
||||
if (!flow.application) {
|
||||
throw new ApiError(500, "Application not found");
|
||||
}
|
||||
|
||||
const code = randomString(32, "hex");
|
||||
|
||||
await Token.insert({
|
||||
id: randomUUIDv7(),
|
||||
accessToken: randomString(64, "base64url"),
|
||||
code,
|
||||
scope: flow.application.scopes,
|
||||
tokenType: "Bearer",
|
||||
userId: user.id,
|
||||
applicationId: flow.application.id,
|
||||
});
|
||||
|
||||
// Generate JWT
|
||||
const jwt = await new SignJWT({
|
||||
sub: user.id,
|
||||
iss: new URL(context.get("config").http.base_url).origin,
|
||||
aud: flow.application.clientId,
|
||||
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
||||
iat: Math.floor(Date.now() / 1000),
|
||||
nbf: Math.floor(Date.now() / 1000),
|
||||
})
|
||||
.setProtectedHeader({ alg: "EdDSA" })
|
||||
.sign(context.get("pluginConfig").keys?.private);
|
||||
|
||||
// Redirect back to application
|
||||
setCookie(context, "jwt", jwt, {
|
||||
httpOnly: true,
|
||||
secure: true,
|
||||
sameSite: "strict",
|
||||
path: "/",
|
||||
// 2 weeks
|
||||
maxAge: 60 * 60 * 24 * 14,
|
||||
});
|
||||
|
||||
return context.redirect(
|
||||
new URL(
|
||||
`${context.get("config").frontend.routes.consent}?${new URLSearchParams(
|
||||
{
|
||||
redirect_uri: flow.application.redirectUri,
|
||||
code,
|
||||
client_id: flow.application.clientId,
|
||||
application: flow.application.name,
|
||||
website: flow.application.website ?? "",
|
||||
scope: flow.application.scopes,
|
||||
response_type: "code",
|
||||
},
|
||||
).toString()}`,
|
||||
context.get("config").http.base_url,
|
||||
).toString(),
|
||||
);
|
||||
},
|
||||
);
|
||||
});
|
||||
};
|
||||
138
packages/api/plugins/openid/routes/oauth/revoke.test.ts
Normal file
138
packages/api/plugins/openid/routes/oauth/revoke.test.ts
Normal file
|
|
@ -0,0 +1,138 @@
|
|||
import { afterAll, describe, expect, test } from "bun:test";
|
||||
import { Application, Token } from "@versia-server/kit/db";
|
||||
import { fakeRequest, getTestUsers } from "@versia-server/tests";
|
||||
import { randomUUIDv7 } from "bun";
|
||||
|
||||
const { deleteUsers, users } = await getTestUsers(1);
|
||||
|
||||
const application = await Application.insert({
|
||||
id: randomUUIDv7(),
|
||||
clientId: "test-client-id",
|
||||
redirectUri: "https://example.com/callback",
|
||||
scopes: "openid profile email",
|
||||
secret: "test-secret",
|
||||
name: "Test Application",
|
||||
});
|
||||
|
||||
const token = await Token.insert({
|
||||
id: randomUUIDv7(),
|
||||
code: "test-code",
|
||||
redirectUri: application.data.redirectUri,
|
||||
clientId: application.data.clientId,
|
||||
accessToken: "test-access-token",
|
||||
expiresAt: new Date(Date.now() + 3600 * 1000).toISOString(),
|
||||
createdAt: new Date().toISOString(),
|
||||
tokenType: "Bearer",
|
||||
scope: application.data.scopes,
|
||||
userId: users[0].id,
|
||||
applicationId: application.id,
|
||||
});
|
||||
|
||||
afterAll(async () => {
|
||||
await deleteUsers();
|
||||
await application.delete();
|
||||
await token.delete();
|
||||
});
|
||||
|
||||
describe("/oauth/revoke", () => {
|
||||
test("should revoke token with valid inputs", async () => {
|
||||
const response = await fakeRequest("/oauth/revoke", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
"Content-Type": "application/json",
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
client_secret: application.data.secret,
|
||||
token: "test-access-token",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(200);
|
||||
const body = await response.json();
|
||||
expect(body).toEqual({});
|
||||
});
|
||||
|
||||
test("should return error for missing token", async () => {
|
||||
const response = await fakeRequest("/oauth/revoke", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
"Content-Type": "application/json",
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
client_secret: application.data.secret,
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(401);
|
||||
const body = await response.json();
|
||||
expect(body.error).toBe("unauthorized_client");
|
||||
expect(body.error_description).toBe(
|
||||
"You are not authorized to revoke this token",
|
||||
);
|
||||
});
|
||||
|
||||
test("should return error for invalid client credentials", async () => {
|
||||
const response = await fakeRequest("/oauth/revoke", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
"Content-Type": "application/json",
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
client_secret: "invalid-secret",
|
||||
token: "test-access-token",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(401);
|
||||
const body = await response.json();
|
||||
expect(body.error).toBe("unauthorized_client");
|
||||
expect(body.error_description).toBe(
|
||||
"You are not authorized to revoke this token",
|
||||
);
|
||||
});
|
||||
|
||||
test("should return error for token not found", async () => {
|
||||
const response = await fakeRequest("/oauth/revoke", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
"Content-Type": "application/json",
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: application.data.clientId,
|
||||
client_secret: application.data.secret,
|
||||
token: "invalid-token",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(401);
|
||||
const body = await response.json();
|
||||
expect(body.error).toBe("unauthorized_client");
|
||||
expect(body.error_description).toBe(
|
||||
"You are not authorized to revoke this token",
|
||||
);
|
||||
});
|
||||
|
||||
test("should return error for unauthorized client", async () => {
|
||||
const response = await fakeRequest("/oauth/revoke", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
"Content-Type": "application/json",
|
||||
},
|
||||
body: JSON.stringify({
|
||||
client_id: "unauthorized-client-id",
|
||||
client_secret: application.data.secret,
|
||||
token: "test-access-token",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(401);
|
||||
const body = await response.json();
|
||||
expect(body.error).toBe("unauthorized_client");
|
||||
expect(body.error_description).toBe(
|
||||
"You are not authorized to revoke this token",
|
||||
);
|
||||
});
|
||||
});
|
||||
92
packages/api/plugins/openid/routes/oauth/revoke.ts
Normal file
92
packages/api/plugins/openid/routes/oauth/revoke.ts
Normal file
|
|
@ -0,0 +1,92 @@
|
|||
import { handleZodError, jsonOrForm } from "@versia-server/kit/api";
|
||||
import { db, Token } from "@versia-server/kit/db";
|
||||
import { Tokens } from "@versia-server/kit/tables";
|
||||
import { and, eq } from "drizzle-orm";
|
||||
import { describeRoute } from "hono-openapi";
|
||||
import { resolver, validator } from "hono-openapi/zod";
|
||||
import { z } from "zod";
|
||||
import type { PluginType } from "../../index.ts";
|
||||
|
||||
export default (plugin: PluginType): void => {
|
||||
plugin.registerRoute("/oauth/revoke", (app) => {
|
||||
app.post(
|
||||
"/oauth/revoke",
|
||||
describeRoute({
|
||||
summary: "Revoke token",
|
||||
tags: ["OpenID"],
|
||||
responses: {
|
||||
200: {
|
||||
description: "Token deleted",
|
||||
content: {
|
||||
"application/json": {
|
||||
schema: resolver(z.object({})),
|
||||
},
|
||||
},
|
||||
},
|
||||
401: {
|
||||
description: "Authorization error",
|
||||
content: {
|
||||
"application/json": {
|
||||
schema: resolver(
|
||||
z.object({
|
||||
error: z.string(),
|
||||
error_description: z.string(),
|
||||
}),
|
||||
),
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
jsonOrForm(),
|
||||
plugin.middleware,
|
||||
validator(
|
||||
"json",
|
||||
z.object({
|
||||
client_id: z.string(),
|
||||
client_secret: z.string(),
|
||||
token: z.string().optional(),
|
||||
}),
|
||||
handleZodError,
|
||||
),
|
||||
async (context) => {
|
||||
const { client_id, client_secret, token } =
|
||||
context.req.valid("json");
|
||||
|
||||
const foundToken = await Token.fromSql(
|
||||
and(
|
||||
eq(Tokens.accessToken, token ?? ""),
|
||||
eq(Tokens.clientId, client_id),
|
||||
),
|
||||
);
|
||||
|
||||
if (!(foundToken && token)) {
|
||||
return context.json(
|
||||
{
|
||||
error: "unauthorized_client",
|
||||
error_description:
|
||||
"You are not authorized to revoke this token",
|
||||
},
|
||||
401,
|
||||
);
|
||||
}
|
||||
|
||||
// Check if the client secret is correct
|
||||
if (foundToken.data.application?.secret !== client_secret) {
|
||||
return context.json(
|
||||
{
|
||||
error: "unauthorized_client",
|
||||
error_description:
|
||||
"You are not authorized to revoke this token",
|
||||
},
|
||||
401,
|
||||
);
|
||||
}
|
||||
|
||||
await db.delete(Tokens).where(eq(Tokens.accessToken, token));
|
||||
|
||||
return context.json({}, 200);
|
||||
},
|
||||
);
|
||||
});
|
||||
};
|
||||
137
packages/api/plugins/openid/routes/oauth/sso.ts
Normal file
137
packages/api/plugins/openid/routes/oauth/sso.ts
Normal file
|
|
@ -0,0 +1,137 @@
|
|||
import { handleZodError } from "@versia-server/kit/api";
|
||||
import { Application, db } from "@versia-server/kit/db";
|
||||
import { OpenIdLoginFlows } from "@versia-server/kit/tables";
|
||||
import { randomUUIDv7 } from "bun";
|
||||
import { describeRoute } from "hono-openapi";
|
||||
import { validator } from "hono-openapi/zod";
|
||||
import {
|
||||
calculatePKCECodeChallenge,
|
||||
discoveryRequest,
|
||||
generateRandomCodeVerifier,
|
||||
processDiscoveryResponse,
|
||||
} from "oauth4webapi";
|
||||
import { z } from "zod";
|
||||
import type { PluginType } from "../../index.ts";
|
||||
import { oauthRedirectUri } from "../../utils.ts";
|
||||
|
||||
export default (plugin: PluginType): void => {
|
||||
plugin.registerRoute("/oauth/sso", (app) => {
|
||||
app.get(
|
||||
"/oauth/sso",
|
||||
describeRoute({
|
||||
summary: "Initiate SSO login flow",
|
||||
tags: ["OpenID"],
|
||||
responses: {
|
||||
302: {
|
||||
description:
|
||||
"Redirect to SSO login, or redirect to login page with error",
|
||||
},
|
||||
},
|
||||
}),
|
||||
plugin.middleware,
|
||||
validator(
|
||||
"query",
|
||||
z.object({
|
||||
issuer: z.string(),
|
||||
client_id: z.string().optional(),
|
||||
redirect_uri: z.string().url().optional(),
|
||||
scope: z.string().optional(),
|
||||
response_type: z.enum(["code"]).optional(),
|
||||
}),
|
||||
handleZodError,
|
||||
),
|
||||
async (context) => {
|
||||
// This is the Versia client's client_id, not the external OAuth provider's client_id
|
||||
const { issuer: issuerId, client_id } =
|
||||
context.req.valid("query");
|
||||
|
||||
const errorSearchParams = new URLSearchParams(
|
||||
context.req.valid("query"),
|
||||
);
|
||||
|
||||
if (!client_id || client_id === "undefined") {
|
||||
errorSearchParams.append("error", "invalid_request");
|
||||
errorSearchParams.append(
|
||||
"error_description",
|
||||
"client_id is required",
|
||||
);
|
||||
|
||||
return context.redirect(
|
||||
`${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
|
||||
);
|
||||
}
|
||||
|
||||
const issuer = context
|
||||
.get("pluginConfig")
|
||||
.providers.find((provider) => provider.id === issuerId);
|
||||
|
||||
if (!issuer) {
|
||||
errorSearchParams.append("error", "invalid_request");
|
||||
errorSearchParams.append(
|
||||
"error_description",
|
||||
"issuer is invalid",
|
||||
);
|
||||
|
||||
return context.redirect(
|
||||
`${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
|
||||
);
|
||||
}
|
||||
|
||||
const issuerUrl = new URL(issuer.url);
|
||||
|
||||
const authServer = await discoveryRequest(issuerUrl, {
|
||||
algorithm: "oidc",
|
||||
}).then((res) => processDiscoveryResponse(issuerUrl, res));
|
||||
|
||||
const codeVerifier = generateRandomCodeVerifier();
|
||||
|
||||
const application = await Application.fromClientId(client_id);
|
||||
|
||||
if (!application) {
|
||||
errorSearchParams.append("error", "invalid_request");
|
||||
errorSearchParams.append(
|
||||
"error_description",
|
||||
"client_id is invalid",
|
||||
);
|
||||
|
||||
return context.redirect(
|
||||
`${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
|
||||
);
|
||||
}
|
||||
|
||||
// Store into database
|
||||
const newFlow = (
|
||||
await db
|
||||
.insert(OpenIdLoginFlows)
|
||||
.values({
|
||||
id: randomUUIDv7(),
|
||||
codeVerifier,
|
||||
applicationId: application.id,
|
||||
issuerId,
|
||||
})
|
||||
.returning()
|
||||
)[0];
|
||||
|
||||
const codeChallenge =
|
||||
await calculatePKCECodeChallenge(codeVerifier);
|
||||
|
||||
return context.redirect(
|
||||
`${authServer.authorization_endpoint}?${new URLSearchParams(
|
||||
{
|
||||
client_id: issuer.client_id,
|
||||
redirect_uri: `${oauthRedirectUri(
|
||||
context.get("config").http.base_url,
|
||||
issuerId,
|
||||
)}?flow=${newFlow.id}`,
|
||||
response_type: "code",
|
||||
scope: "openid profile email",
|
||||
// PKCE
|
||||
code_challenge_method: "S256",
|
||||
code_challenge: codeChallenge,
|
||||
},
|
||||
).toString()}`,
|
||||
);
|
||||
},
|
||||
);
|
||||
});
|
||||
};
|
||||
181
packages/api/plugins/openid/routes/oauth/token.test.ts
Normal file
181
packages/api/plugins/openid/routes/oauth/token.test.ts
Normal file
|
|
@ -0,0 +1,181 @@
|
|||
import { afterAll, describe, expect, test } from "bun:test";
|
||||
import { Application, Token } from "@versia-server/kit/db";
|
||||
import { fakeRequest, getTestUsers } from "@versia-server/tests";
|
||||
import { randomUUIDv7 } from "bun";
|
||||
|
||||
const { deleteUsers, users } = await getTestUsers(1);
|
||||
|
||||
const application = await Application.insert({
|
||||
id: randomUUIDv7(),
|
||||
clientId: "test-client-id",
|
||||
redirectUri: "https://example.com/callback",
|
||||
scopes: "openid profile email",
|
||||
secret: "test-secret",
|
||||
name: "Test Application",
|
||||
});
|
||||
|
||||
const token = await Token.insert({
|
||||
id: randomUUIDv7(),
|
||||
code: "test-code",
|
||||
redirectUri: application.data.redirectUri,
|
||||
clientId: application.data.clientId,
|
||||
accessToken: "test-access-token",
|
||||
expiresAt: new Date(Date.now() + 3600 * 1000).toISOString(),
|
||||
createdAt: new Date().toISOString(),
|
||||
tokenType: "Bearer",
|
||||
scope: application.data.scopes,
|
||||
userId: users[0].id,
|
||||
});
|
||||
|
||||
afterAll(async () => {
|
||||
await deleteUsers();
|
||||
await application.delete();
|
||||
await token.delete();
|
||||
});
|
||||
|
||||
describe("/oauth/token", () => {
|
||||
test("should return token with valid inputs", async () => {
|
||||
const response = await fakeRequest("/oauth/token", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
"Content-Type": "application/json",
|
||||
},
|
||||
body: JSON.stringify({
|
||||
grant_type: "authorization_code",
|
||||
code: "test-code",
|
||||
redirect_uri: application.data.redirectUri,
|
||||
client_id: application.data.clientId,
|
||||
client_secret: application.data.secret,
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(200);
|
||||
const body = await response.json();
|
||||
expect(body.access_token).toBe("test-access-token");
|
||||
expect(body.token_type).toBe("Bearer");
|
||||
expect(body.expires_in).toBeGreaterThan(0);
|
||||
});
|
||||
|
||||
test("should return error for missing code", async () => {
|
||||
const response = await fakeRequest("/oauth/token", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
"Content-Type": "application/json",
|
||||
},
|
||||
body: JSON.stringify({
|
||||
grant_type: "authorization_code",
|
||||
redirect_uri: application.data.redirectUri,
|
||||
client_id: application.data.clientId,
|
||||
client_secret: application.data.secret,
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(401);
|
||||
const body = await response.json();
|
||||
expect(body.error).toBe("invalid_request");
|
||||
expect(body.error_description).toBe("Code is required");
|
||||
});
|
||||
|
||||
test("should return error for missing redirect_uri", async () => {
|
||||
const response = await fakeRequest("/oauth/token", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
"Content-Type": "application/json",
|
||||
},
|
||||
body: JSON.stringify({
|
||||
grant_type: "authorization_code",
|
||||
code: "test-code",
|
||||
client_id: application.data.clientId,
|
||||
client_secret: application.data.secret,
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(401);
|
||||
const body = await response.json();
|
||||
expect(body.error).toBe("invalid_request");
|
||||
expect(body.error_description).toBe("Redirect URI is required");
|
||||
});
|
||||
|
||||
test("should return error for missing client_id", async () => {
|
||||
const response = await fakeRequest("/oauth/token", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
"Content-Type": "application/json",
|
||||
},
|
||||
body: JSON.stringify({
|
||||
grant_type: "authorization_code",
|
||||
code: "test-code",
|
||||
redirect_uri: application.data.redirectUri,
|
||||
client_secret: application.data.secret,
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(401);
|
||||
const body = await response.json();
|
||||
expect(body.error).toBe("invalid_request");
|
||||
expect(body.error_description).toBe("Client ID is required");
|
||||
});
|
||||
|
||||
test("should return error for invalid client credentials", async () => {
|
||||
const response = await fakeRequest("/oauth/token", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
"Content-Type": "application/json",
|
||||
},
|
||||
body: JSON.stringify({
|
||||
grant_type: "authorization_code",
|
||||
code: "test-code",
|
||||
redirect_uri: application.data.redirectUri,
|
||||
client_id: application.data.clientId,
|
||||
client_secret: "invalid-secret",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(401);
|
||||
const body = await response.json();
|
||||
expect(body.error).toBe("invalid_client");
|
||||
expect(body.error_description).toBe("Invalid client credentials");
|
||||
});
|
||||
|
||||
test("should return error for code not found", async () => {
|
||||
const response = await fakeRequest("/oauth/token", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
"Content-Type": "application/json",
|
||||
},
|
||||
body: JSON.stringify({
|
||||
grant_type: "authorization_code",
|
||||
code: "invalid-code",
|
||||
redirect_uri: application.data.redirectUri,
|
||||
client_id: application.data.clientId,
|
||||
client_secret: application.data.secret,
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(401);
|
||||
const body = await response.json();
|
||||
expect(body.error).toBe("invalid_grant");
|
||||
expect(body.error_description).toBe("Code not found");
|
||||
});
|
||||
|
||||
test("should return error for unsupported grant type", async () => {
|
||||
const response = await fakeRequest("/oauth/token", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
"Content-Type": "application/json",
|
||||
},
|
||||
body: JSON.stringify({
|
||||
grant_type: "refresh_token",
|
||||
code: "test-code",
|
||||
redirect_uri: application.data.redirectUri,
|
||||
client_id: application.data.clientId,
|
||||
client_secret: application.data.secret,
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(401);
|
||||
const body = await response.json();
|
||||
expect(body.error).toBe("unsupported_grant_type");
|
||||
expect(body.error_description).toBe("Unsupported grant type");
|
||||
});
|
||||
});
|
||||
206
packages/api/plugins/openid/routes/oauth/token.ts
Normal file
206
packages/api/plugins/openid/routes/oauth/token.ts
Normal file
|
|
@ -0,0 +1,206 @@
|
|||
import { handleZodError, jsonOrForm } from "@versia-server/kit/api";
|
||||
import { Application, Token } from "@versia-server/kit/db";
|
||||
import { Tokens } from "@versia-server/kit/tables";
|
||||
import { and, eq } from "drizzle-orm";
|
||||
import { describeRoute } from "hono-openapi";
|
||||
import { resolver, validator } from "hono-openapi/zod";
|
||||
import { z } from "zod";
|
||||
import type { PluginType } from "../../index.ts";
|
||||
|
||||
export default (plugin: PluginType): void => {
|
||||
plugin.registerRoute("/oauth/token", (app) => {
|
||||
app.post(
|
||||
"/oauth/token",
|
||||
describeRoute({
|
||||
summary: "Get token",
|
||||
tags: ["OpenID"],
|
||||
responses: {
|
||||
200: {
|
||||
description: "Token",
|
||||
content: {
|
||||
"application/json": {
|
||||
schema: resolver(
|
||||
z.object({
|
||||
access_token: z.string(),
|
||||
token_type: z.string(),
|
||||
expires_in: z
|
||||
.number()
|
||||
.optional()
|
||||
.nullable(),
|
||||
id_token: z
|
||||
.string()
|
||||
.optional()
|
||||
.nullable(),
|
||||
refresh_token: z
|
||||
.string()
|
||||
.optional()
|
||||
.nullable(),
|
||||
scope: z.string().optional(),
|
||||
created_at: z.number(),
|
||||
}),
|
||||
),
|
||||
},
|
||||
},
|
||||
},
|
||||
401: {
|
||||
description: "Authorization error",
|
||||
content: {
|
||||
"application/json": {
|
||||
schema: resolver(
|
||||
z.object({
|
||||
error: z.string(),
|
||||
error_description: z.string(),
|
||||
}),
|
||||
),
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
jsonOrForm(),
|
||||
plugin.middleware,
|
||||
validator(
|
||||
"json",
|
||||
z.object({
|
||||
code: z.string().optional(),
|
||||
code_verifier: z.string().optional(),
|
||||
grant_type: z
|
||||
.enum([
|
||||
"authorization_code",
|
||||
"refresh_token",
|
||||
"client_credentials",
|
||||
"password",
|
||||
"urn:ietf:params:oauth:grant-type:device_code",
|
||||
"urn:ietf:params:oauth:grant-type:token-exchange",
|
||||
"urn:ietf:params:oauth:grant-type:saml2-bearer",
|
||||
"urn:openid:params:grant-type:ciba",
|
||||
])
|
||||
.default("authorization_code"),
|
||||
client_id: z.string().optional(),
|
||||
client_secret: z.string().optional(),
|
||||
username: z.string().trim().optional(),
|
||||
password: z.string().trim().optional(),
|
||||
redirect_uri: z.string().url().optional(),
|
||||
refresh_token: z.string().optional(),
|
||||
scope: z.string().optional(),
|
||||
assertion: z.string().optional(),
|
||||
audience: z.string().optional(),
|
||||
subject_token_type: z.string().optional(),
|
||||
subject_token: z.string().optional(),
|
||||
actor_token_type: z.string().optional(),
|
||||
actor_token: z.string().optional(),
|
||||
auth_req_id: z.string().optional(),
|
||||
}),
|
||||
handleZodError,
|
||||
),
|
||||
async (context) => {
|
||||
const {
|
||||
grant_type,
|
||||
code,
|
||||
redirect_uri,
|
||||
client_id,
|
||||
client_secret,
|
||||
} = context.req.valid("json");
|
||||
|
||||
switch (grant_type) {
|
||||
case "authorization_code": {
|
||||
if (!code) {
|
||||
return context.json(
|
||||
{
|
||||
error: "invalid_request",
|
||||
error_description: "Code is required",
|
||||
},
|
||||
401,
|
||||
);
|
||||
}
|
||||
|
||||
if (!redirect_uri) {
|
||||
return context.json(
|
||||
{
|
||||
error: "invalid_request",
|
||||
error_description:
|
||||
"Redirect URI is required",
|
||||
},
|
||||
401,
|
||||
);
|
||||
}
|
||||
|
||||
if (!client_id) {
|
||||
return context.json(
|
||||
{
|
||||
error: "invalid_request",
|
||||
error_description: "Client ID is required",
|
||||
},
|
||||
401,
|
||||
);
|
||||
}
|
||||
|
||||
// Verify the client_secret
|
||||
const client =
|
||||
await Application.fromClientId(client_id);
|
||||
|
||||
if (!client || client.data.secret !== client_secret) {
|
||||
return context.json(
|
||||
{
|
||||
error: "invalid_client",
|
||||
error_description:
|
||||
"Invalid client credentials",
|
||||
},
|
||||
401,
|
||||
);
|
||||
}
|
||||
|
||||
const token = await Token.fromSql(
|
||||
and(
|
||||
eq(Tokens.code, code),
|
||||
eq(Tokens.redirectUri, decodeURI(redirect_uri)),
|
||||
eq(Tokens.clientId, client_id),
|
||||
),
|
||||
);
|
||||
|
||||
if (!token) {
|
||||
return context.json(
|
||||
{
|
||||
error: "invalid_grant",
|
||||
error_description: "Code not found",
|
||||
},
|
||||
401,
|
||||
);
|
||||
}
|
||||
|
||||
// Invalidate the code
|
||||
await token.update({ code: null });
|
||||
|
||||
return context.json(
|
||||
{
|
||||
...token.toApi(),
|
||||
expires_in: token.data.expiresAt
|
||||
? Math.floor(
|
||||
(new Date(
|
||||
token.data.expiresAt,
|
||||
).getTime() -
|
||||
Date.now()) /
|
||||
1000,
|
||||
)
|
||||
: null,
|
||||
id_token: token.data.idToken,
|
||||
refresh_token: null,
|
||||
},
|
||||
200,
|
||||
);
|
||||
}
|
||||
|
||||
default:
|
||||
}
|
||||
|
||||
return context.json(
|
||||
{
|
||||
error: "unsupported_grant_type",
|
||||
error_description: "Unsupported grant type",
|
||||
},
|
||||
401,
|
||||
);
|
||||
},
|
||||
);
|
||||
});
|
||||
};
|
||||
38
packages/api/plugins/openid/routes/sso/:id/index.test.ts
Normal file
38
packages/api/plugins/openid/routes/sso/:id/index.test.ts
Normal file
|
|
@ -0,0 +1,38 @@
|
|||
import { afterAll, describe, expect, test } from "bun:test";
|
||||
import { fakeRequest, getTestUsers } from "@versia-server/tests";
|
||||
|
||||
const { deleteUsers, tokens } = await getTestUsers(1);
|
||||
|
||||
afterAll(async () => {
|
||||
await deleteUsers();
|
||||
});
|
||||
|
||||
// /api/v1/sso/:id
|
||||
describe("/api/v1/sso/:id", () => {
|
||||
test("should not find unknown issuer", async () => {
|
||||
const response = await fakeRequest("/api/v1/sso/unknown", {
|
||||
method: "GET",
|
||||
headers: {
|
||||
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
||||
},
|
||||
});
|
||||
|
||||
expect(response.status).toBe(404);
|
||||
expect(await response.json()).toMatchObject({
|
||||
error: "Issuer with ID unknown not found in instance's OpenID configuration",
|
||||
});
|
||||
|
||||
const response2 = await fakeRequest("/api/v1/sso/unknown", {
|
||||
method: "DELETE",
|
||||
headers: {
|
||||
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
||||
"Content-Type": "application/json",
|
||||
},
|
||||
});
|
||||
|
||||
expect(response2.status).toBe(404);
|
||||
expect(await response2.json()).toMatchObject({
|
||||
error: "Issuer with ID unknown not found in instance's OpenID configuration",
|
||||
});
|
||||
});
|
||||
});
|
||||
152
packages/api/plugins/openid/routes/sso/:id/index.ts
Normal file
152
packages/api/plugins/openid/routes/sso/:id/index.ts
Normal file
|
|
@ -0,0 +1,152 @@
|
|||
import { RolePermission } from "@versia/client/schemas";
|
||||
import { ApiError } from "@versia-server/kit";
|
||||
import { auth, handleZodError } from "@versia-server/kit/api";
|
||||
import { db } from "@versia-server/kit/db";
|
||||
import { OpenIdAccounts } from "@versia-server/kit/tables";
|
||||
import { and, eq, type SQL } from "drizzle-orm";
|
||||
import { describeRoute } from "hono-openapi";
|
||||
import { resolver, validator } from "hono-openapi/zod";
|
||||
import { z } from "zod";
|
||||
import type { PluginType } from "../../../index.ts";
|
||||
|
||||
export default (plugin: PluginType): void => {
|
||||
plugin.registerRoute("/api/v1/sso/:id", (app) => {
|
||||
app.get(
|
||||
"/api/v1/sso/:id",
|
||||
describeRoute({
|
||||
summary: "Get linked account",
|
||||
tags: ["SSO"],
|
||||
responses: {
|
||||
200: {
|
||||
description: "Linked account",
|
||||
content: {
|
||||
"application/json": {
|
||||
schema: resolver(
|
||||
z.object({
|
||||
id: z.string(),
|
||||
name: z.string(),
|
||||
icon: z.string().optional(),
|
||||
}),
|
||||
),
|
||||
},
|
||||
},
|
||||
},
|
||||
404: ApiError.accountNotFound().schema,
|
||||
},
|
||||
}),
|
||||
auth({
|
||||
auth: true,
|
||||
permissions: [RolePermission.OAuth],
|
||||
}),
|
||||
plugin.middleware,
|
||||
validator("param", z.object({ id: z.string() }), handleZodError),
|
||||
async (context) => {
|
||||
const { id: issuerId } = context.req.valid("param");
|
||||
const { user } = context.get("auth");
|
||||
|
||||
const issuer = context
|
||||
.get("pluginConfig")
|
||||
.providers.find((provider) => provider.id === issuerId);
|
||||
|
||||
if (!issuer) {
|
||||
return context.json(
|
||||
{
|
||||
error: `Issuer with ID ${issuerId} not found in instance's OpenID configuration`,
|
||||
},
|
||||
404,
|
||||
);
|
||||
}
|
||||
|
||||
const account = await db.query.OpenIdAccounts.findFirst({
|
||||
where: (account): SQL | undefined =>
|
||||
and(
|
||||
eq(account.userId, user.id),
|
||||
eq(account.issuerId, issuerId),
|
||||
),
|
||||
});
|
||||
|
||||
if (!account) {
|
||||
throw new ApiError(
|
||||
404,
|
||||
"Account not found or is not linked to this issuer",
|
||||
);
|
||||
}
|
||||
|
||||
return context.json(
|
||||
{
|
||||
id: issuer.id,
|
||||
name: issuer.name,
|
||||
icon: issuer.icon?.proxied,
|
||||
},
|
||||
200,
|
||||
);
|
||||
},
|
||||
);
|
||||
|
||||
app.delete(
|
||||
"/api/v1/sso/:id",
|
||||
describeRoute({
|
||||
summary: "Unlink account",
|
||||
tags: ["SSO"],
|
||||
responses: {
|
||||
204: {
|
||||
description: "Account unlinked",
|
||||
},
|
||||
404: {
|
||||
description: "Account not found",
|
||||
content: {
|
||||
"application/json": {
|
||||
schema: resolver(ApiError.zodSchema),
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
auth({
|
||||
auth: true,
|
||||
permissions: [RolePermission.OAuth],
|
||||
}),
|
||||
plugin.middleware,
|
||||
validator("param", z.object({ id: z.string() }), handleZodError),
|
||||
async (context) => {
|
||||
const { id: issuerId } = context.req.valid("param");
|
||||
const { user } = context.get("auth");
|
||||
|
||||
// Check if issuer exists
|
||||
const issuer = context
|
||||
.get("pluginConfig")
|
||||
.providers.find((provider) => provider.id === issuerId);
|
||||
|
||||
if (!issuer) {
|
||||
return context.json(
|
||||
{
|
||||
error: `Issuer with ID ${issuerId} not found in instance's OpenID configuration`,
|
||||
},
|
||||
404,
|
||||
);
|
||||
}
|
||||
|
||||
const account = await db.query.OpenIdAccounts.findFirst({
|
||||
where: (account): SQL | undefined =>
|
||||
and(
|
||||
eq(account.userId, user.id),
|
||||
eq(account.issuerId, issuerId),
|
||||
),
|
||||
});
|
||||
|
||||
if (!account) {
|
||||
throw new ApiError(
|
||||
404,
|
||||
"Account not found or is not linked to this issuer",
|
||||
);
|
||||
}
|
||||
|
||||
await db
|
||||
.delete(OpenIdAccounts)
|
||||
.where(eq(OpenIdAccounts.id, account.id));
|
||||
|
||||
return context.body(null, 204);
|
||||
},
|
||||
);
|
||||
});
|
||||
};
|
||||
45
packages/api/plugins/openid/routes/sso/index.test.ts
Normal file
45
packages/api/plugins/openid/routes/sso/index.test.ts
Normal file
|
|
@ -0,0 +1,45 @@
|
|||
import { afterAll, describe, expect, test } from "bun:test";
|
||||
import { fakeRequest, getTestUsers } from "@versia-server/tests";
|
||||
|
||||
const { deleteUsers, tokens } = await getTestUsers(1);
|
||||
|
||||
afterAll(async () => {
|
||||
await deleteUsers();
|
||||
});
|
||||
|
||||
describe("/api/v1/sso", () => {
|
||||
test("should return empty list", async () => {
|
||||
const response = await fakeRequest("/api/v1/sso", {
|
||||
method: "GET",
|
||||
headers: {
|
||||
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
||||
},
|
||||
});
|
||||
|
||||
expect(response.status).toBe(200);
|
||||
expect(await response.json()).toMatchObject([]);
|
||||
});
|
||||
|
||||
test("should return an error if provider doesn't exist", async () => {
|
||||
const response = await fakeRequest("/api/v1/sso", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
||||
"Content-Type": "application/json",
|
||||
},
|
||||
body: JSON.stringify({
|
||||
issuer: "unknown",
|
||||
}),
|
||||
});
|
||||
|
||||
expect(response.status).toBe(404);
|
||||
expect(await response.json()).toMatchObject({
|
||||
error: "Issuer with ID unknown not found in instance's OpenID configuration",
|
||||
});
|
||||
});
|
||||
|
||||
/*
|
||||
Unfortunately, we cannot test actual linking, as it requires a valid OpenID provider
|
||||
setup in config, which we don't have in tests
|
||||
*/
|
||||
});
|
||||
171
packages/api/plugins/openid/routes/sso/index.ts
Normal file
171
packages/api/plugins/openid/routes/sso/index.ts
Normal file
|
|
@ -0,0 +1,171 @@
|
|||
import { RolePermission } from "@versia/client/schemas";
|
||||
import { ApiError } from "@versia-server/kit";
|
||||
import { auth, handleZodError } from "@versia-server/kit/api";
|
||||
import { Application, db } from "@versia-server/kit/db";
|
||||
import { OpenIdLoginFlows } from "@versia-server/kit/tables";
|
||||
import { randomUUIDv7 } from "bun";
|
||||
import { describeRoute } from "hono-openapi";
|
||||
import { resolver, validator } from "hono-openapi/zod";
|
||||
import {
|
||||
calculatePKCECodeChallenge,
|
||||
generateRandomCodeVerifier,
|
||||
} from "oauth4webapi";
|
||||
import { z } from "zod";
|
||||
import type { PluginType } from "../../index.ts";
|
||||
import { oauthDiscoveryRequest, oauthRedirectUri } from "../../utils.ts";
|
||||
|
||||
export default (plugin: PluginType): void => {
|
||||
plugin.registerRoute("/api/v1/sso", (app) => {
|
||||
app.get(
|
||||
"/api/v1/sso",
|
||||
describeRoute({
|
||||
summary: "Get linked accounts",
|
||||
tags: ["SSO"],
|
||||
responses: {
|
||||
200: {
|
||||
description: "Linked accounts",
|
||||
content: {
|
||||
"application/json": {
|
||||
schema: resolver(
|
||||
z.array(
|
||||
z.object({
|
||||
id: z.string(),
|
||||
name: z.string(),
|
||||
icon: z.string().optional(),
|
||||
}),
|
||||
),
|
||||
),
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
auth({
|
||||
auth: true,
|
||||
permissions: [RolePermission.OAuth],
|
||||
}),
|
||||
plugin.middleware,
|
||||
async (context) => {
|
||||
const { user } = context.get("auth");
|
||||
|
||||
const linkedAccounts = await user.getLinkedOidcAccounts(
|
||||
context.get("pluginConfig").providers,
|
||||
);
|
||||
|
||||
return context.json(
|
||||
linkedAccounts.map((account) => ({
|
||||
id: account.id,
|
||||
name: account.name,
|
||||
icon: account.icon,
|
||||
})),
|
||||
200,
|
||||
);
|
||||
},
|
||||
);
|
||||
|
||||
app.post(
|
||||
"/api/v1/sso",
|
||||
describeRoute({
|
||||
summary: "Link account",
|
||||
tags: ["SSO"],
|
||||
responses: {
|
||||
302: {
|
||||
description: "Redirect to OpenID provider",
|
||||
},
|
||||
404: {
|
||||
description: "Issuer not found",
|
||||
content: {
|
||||
"application/json": {
|
||||
schema: resolver(ApiError.zodSchema),
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
auth({
|
||||
auth: true,
|
||||
permissions: [RolePermission.OAuth],
|
||||
}),
|
||||
plugin.middleware,
|
||||
validator("json", z.object({ issuer: z.string() }), handleZodError),
|
||||
async (context) => {
|
||||
const { user } = context.get("auth");
|
||||
|
||||
const { issuer: issuerId } = context.req.valid("json");
|
||||
|
||||
const issuer = context
|
||||
.get("pluginConfig")
|
||||
.providers.find((provider) => provider.id === issuerId);
|
||||
|
||||
if (!issuer) {
|
||||
return context.json(
|
||||
{
|
||||
error: `Issuer with ID ${issuerId} not found in instance's OpenID configuration`,
|
||||
},
|
||||
404,
|
||||
);
|
||||
}
|
||||
|
||||
const authServer = await oauthDiscoveryRequest(
|
||||
new URL(issuer.url),
|
||||
);
|
||||
|
||||
const codeVerifier = generateRandomCodeVerifier();
|
||||
|
||||
const redirectUri = oauthRedirectUri(
|
||||
context.get("config").http.base_url,
|
||||
issuerId,
|
||||
);
|
||||
|
||||
const application = await Application.insert({
|
||||
id: randomUUIDv7(),
|
||||
clientId:
|
||||
user.id +
|
||||
Buffer.from(
|
||||
crypto.getRandomValues(new Uint8Array(32)),
|
||||
).toString("base64"),
|
||||
name: "Versia",
|
||||
redirectUri: redirectUri.toString(),
|
||||
scopes: "openid profile email",
|
||||
secret: "",
|
||||
});
|
||||
|
||||
// Store into database
|
||||
const newFlow = (
|
||||
await db
|
||||
.insert(OpenIdLoginFlows)
|
||||
.values({
|
||||
id: randomUUIDv7(),
|
||||
codeVerifier,
|
||||
issuerId,
|
||||
applicationId: application.id,
|
||||
})
|
||||
.returning()
|
||||
)[0];
|
||||
|
||||
const codeChallenge =
|
||||
await calculatePKCECodeChallenge(codeVerifier);
|
||||
|
||||
return context.redirect(
|
||||
`${authServer.authorization_endpoint}?${new URLSearchParams(
|
||||
{
|
||||
client_id: issuer.client_id,
|
||||
redirect_uri: `${redirectUri}?${new URLSearchParams(
|
||||
{
|
||||
flow: newFlow.id,
|
||||
link: "true",
|
||||
user_id: user.id,
|
||||
},
|
||||
)}`,
|
||||
response_type: "code",
|
||||
scope: "openid profile email",
|
||||
// PKCE
|
||||
code_challenge_method: "S256",
|
||||
code_challenge: codeChallenge,
|
||||
},
|
||||
).toString()}`,
|
||||
);
|
||||
},
|
||||
);
|
||||
});
|
||||
};
|
||||
217
packages/api/plugins/openid/utils.ts
Normal file
217
packages/api/plugins/openid/utils.ts
Normal file
|
|
@ -0,0 +1,217 @@
|
|||
import { type Application, db } from "@versia-server/kit/db";
|
||||
import type { OpenIdLoginFlows } from "@versia-server/kit/tables";
|
||||
import { eq, type InferSelectModel, type SQL } from "drizzle-orm";
|
||||
import {
|
||||
type AuthorizationResponseError,
|
||||
type AuthorizationServer,
|
||||
authorizationCodeGrantRequest,
|
||||
ClientSecretPost,
|
||||
discoveryRequest,
|
||||
expectNoState,
|
||||
getValidatedIdTokenClaims,
|
||||
processAuthorizationCodeResponse,
|
||||
processDiscoveryResponse,
|
||||
processUserInfoResponse,
|
||||
type ResponseBodyError,
|
||||
type TokenEndpointResponse,
|
||||
type UserInfoResponse,
|
||||
userInfoRequest,
|
||||
validateAuthResponse,
|
||||
} from "oauth4webapi";
|
||||
|
||||
export const oauthDiscoveryRequest = (
|
||||
issuerUrl: URL,
|
||||
): Promise<AuthorizationServer> => {
|
||||
return discoveryRequest(issuerUrl, {
|
||||
algorithm: "oidc",
|
||||
}).then((res) => processDiscoveryResponse(issuerUrl, res));
|
||||
};
|
||||
|
||||
export const oauthRedirectUri = (baseUrl: URL, issuer: string): URL =>
|
||||
new URL(`/oauth/sso/${issuer}/callback`, baseUrl);
|
||||
|
||||
const getFlow = (
|
||||
flowId: string,
|
||||
): Promise<
|
||||
| (InferSelectModel<typeof OpenIdLoginFlows> & {
|
||||
application?: typeof Application.$type | null;
|
||||
})
|
||||
| undefined
|
||||
> => {
|
||||
return db.query.OpenIdLoginFlows.findFirst({
|
||||
where: (flow): SQL | undefined => eq(flow.id, flowId),
|
||||
with: {
|
||||
application: true,
|
||||
},
|
||||
});
|
||||
};
|
||||
|
||||
const getAuthServer = (issuerUrl: URL): Promise<AuthorizationServer> => {
|
||||
return discoveryRequest(issuerUrl, {
|
||||
algorithm: "oidc",
|
||||
}).then((res) => processDiscoveryResponse(issuerUrl, res));
|
||||
};
|
||||
|
||||
const getParameters = (
|
||||
authServer: AuthorizationServer,
|
||||
clientId: string,
|
||||
currentUrl: URL,
|
||||
): URLSearchParams => {
|
||||
return validateAuthResponse(
|
||||
authServer,
|
||||
{
|
||||
client_id: clientId,
|
||||
},
|
||||
currentUrl,
|
||||
expectNoState,
|
||||
);
|
||||
};
|
||||
|
||||
const getOIDCResponse = (
|
||||
authServer: AuthorizationServer,
|
||||
clientId: string,
|
||||
clientSecret: string,
|
||||
redirectUri: URL,
|
||||
codeVerifier: string,
|
||||
parameters: URLSearchParams,
|
||||
): Promise<Response> => {
|
||||
return authorizationCodeGrantRequest(
|
||||
authServer,
|
||||
{
|
||||
client_id: clientId,
|
||||
},
|
||||
ClientSecretPost(clientSecret),
|
||||
parameters,
|
||||
redirectUri.toString(),
|
||||
codeVerifier,
|
||||
);
|
||||
};
|
||||
|
||||
const processOIDCResponse = (
|
||||
authServer: AuthorizationServer,
|
||||
clientId: string,
|
||||
oidcResponse: Response,
|
||||
): Promise<TokenEndpointResponse> => {
|
||||
return processAuthorizationCodeResponse(
|
||||
authServer,
|
||||
{
|
||||
client_id: clientId,
|
||||
},
|
||||
oidcResponse,
|
||||
);
|
||||
};
|
||||
|
||||
const getUserInfo = (
|
||||
authServer: AuthorizationServer,
|
||||
clientId: string,
|
||||
accessToken: string,
|
||||
sub: string,
|
||||
): Promise<UserInfoResponse> => {
|
||||
return userInfoRequest(
|
||||
authServer,
|
||||
{
|
||||
client_id: clientId,
|
||||
},
|
||||
accessToken,
|
||||
).then(
|
||||
async (res) =>
|
||||
await processUserInfoResponse(
|
||||
authServer,
|
||||
{
|
||||
client_id: clientId,
|
||||
},
|
||||
sub,
|
||||
res,
|
||||
),
|
||||
);
|
||||
};
|
||||
|
||||
export const automaticOidcFlow = async (
|
||||
issuer: {
|
||||
url: string;
|
||||
client_id: string;
|
||||
client_secret: string;
|
||||
},
|
||||
flowId: string,
|
||||
currentUrl: URL,
|
||||
redirectUrl: URL,
|
||||
errorFn: (
|
||||
error: string,
|
||||
message: string,
|
||||
flow:
|
||||
| (InferSelectModel<typeof OpenIdLoginFlows> & {
|
||||
application?: typeof Application.$type | null;
|
||||
})
|
||||
| null,
|
||||
) => Response,
|
||||
): Promise<
|
||||
| Response
|
||||
| {
|
||||
userInfo: UserInfoResponse;
|
||||
flow: InferSelectModel<typeof OpenIdLoginFlows> & {
|
||||
application?: typeof Application.$type | null;
|
||||
};
|
||||
claims: Record<string, unknown>;
|
||||
}
|
||||
> => {
|
||||
const flow = await getFlow(flowId);
|
||||
|
||||
if (!flow) {
|
||||
return errorFn("invalid_request", "Invalid flow", null);
|
||||
}
|
||||
|
||||
try {
|
||||
const issuerUrl = new URL(issuer.url);
|
||||
|
||||
const authServer = await getAuthServer(issuerUrl);
|
||||
|
||||
const parameters = await getParameters(
|
||||
authServer,
|
||||
issuer.client_id,
|
||||
currentUrl,
|
||||
);
|
||||
|
||||
const oidcResponse = await getOIDCResponse(
|
||||
authServer,
|
||||
issuer.client_id,
|
||||
issuer.client_secret,
|
||||
redirectUrl,
|
||||
flow.codeVerifier,
|
||||
parameters,
|
||||
);
|
||||
|
||||
const result = await processOIDCResponse(
|
||||
authServer,
|
||||
issuer.client_id,
|
||||
oidcResponse,
|
||||
);
|
||||
|
||||
const { access_token } = result;
|
||||
|
||||
const claims = getValidatedIdTokenClaims(result);
|
||||
|
||||
if (!claims) {
|
||||
return errorFn("invalid_request", "Invalid claims", flow);
|
||||
}
|
||||
|
||||
const { sub } = claims;
|
||||
|
||||
// Validate `sub`
|
||||
// Later, we'll use this to automatically set the user's data
|
||||
const userInfo = await getUserInfo(
|
||||
authServer,
|
||||
issuer.client_id,
|
||||
access_token,
|
||||
sub,
|
||||
);
|
||||
|
||||
return {
|
||||
userInfo,
|
||||
flow,
|
||||
claims,
|
||||
};
|
||||
} catch (e) {
|
||||
const error = e as ResponseBodyError | AuthorizationResponseError;
|
||||
return errorFn(error.error, error.error_description || "", flow);
|
||||
}
|
||||
};
|
||||
|
|
@ -1,8 +1,10 @@
|
|||
import { join } from "node:path";
|
||||
import { FileSystemRouter } from "bun";
|
||||
|
||||
// Returns the route filesystem path when given a URL
|
||||
export const routeMatcher = new FileSystemRouter({
|
||||
style: "nextjs",
|
||||
dir: "packages/api/routes",
|
||||
dir: join(import.meta.dir, "routes"),
|
||||
fileExtensions: [".ts", ".js"],
|
||||
});
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ import {
|
|||
qsQuery,
|
||||
} from "@versia-server/kit/api";
|
||||
import { User } from "@versia-server/kit/db";
|
||||
import { searchManager } from "@versia-server/kit/search";
|
||||
import { Users } from "@versia-server/kit/tables";
|
||||
import { and, eq, isNull } from "drizzle-orm";
|
||||
import { describeRoute } from "hono-openapi";
|
||||
|
|
@ -419,11 +420,14 @@ export default apiRoute((app) => {
|
|||
);
|
||||
}
|
||||
|
||||
await User.register(username, {
|
||||
const user = await User.register(username, {
|
||||
password,
|
||||
email,
|
||||
});
|
||||
|
||||
// Add to search index
|
||||
await searchManager.addUser(user);
|
||||
|
||||
return context.text("", 200);
|
||||
},
|
||||
);
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@ export default apiRoute((app) =>
|
|||
const { user } = context.get("auth");
|
||||
const note = context.get("note");
|
||||
|
||||
await user.like(note);
|
||||
await note.like(user);
|
||||
|
||||
await note.reload(user.id);
|
||||
|
||||
|
|
|
|||
|
|
@ -110,7 +110,7 @@ export default apiRoute((app) => {
|
|||
emoji = unicodeEmoji;
|
||||
}
|
||||
|
||||
await user.react(note, emoji);
|
||||
await note.react(user, emoji);
|
||||
|
||||
// Reload note to get updated reactions
|
||||
await note.reload(user.id);
|
||||
|
|
@ -204,7 +204,7 @@ export default apiRoute((app) => {
|
|||
emoji = unicodeEmoji;
|
||||
}
|
||||
|
||||
await user.unreact(note, emoji);
|
||||
await note.unreact(user, emoji);
|
||||
|
||||
// Reload note to get updated reactions
|
||||
await note.reload(user.id);
|
||||
|
|
|
|||
|
|
@ -55,7 +55,7 @@ export default apiRoute((app) =>
|
|||
const { user } = context.get("auth");
|
||||
const note = context.get("note");
|
||||
|
||||
const reblog = await user.reblog(note, visibility);
|
||||
const reblog = await note.reblog(user, visibility);
|
||||
|
||||
return context.json(await reblog.toApi(user), 200);
|
||||
},
|
||||
|
|
|
|||
|
|
@ -40,7 +40,7 @@ export default apiRoute((app) =>
|
|||
const { user } = context.get("auth");
|
||||
const note = context.get("note");
|
||||
|
||||
await user.unlike(note);
|
||||
await note.unlike(user);
|
||||
|
||||
await note.reload(user.id);
|
||||
|
||||
|
|
|
|||
|
|
@ -40,7 +40,7 @@ export default apiRoute((app) =>
|
|||
const { user } = context.get("auth");
|
||||
const note = context.get("note");
|
||||
|
||||
await user.unreblog(note);
|
||||
await note.unreblog(user);
|
||||
|
||||
const newNote = await Note.fromId(note.data.id, user.id);
|
||||
|
||||
|
|
|
|||
|
|
@ -11,12 +11,12 @@ import { ApiError } from "@versia-server/kit";
|
|||
import { apiRoute, auth, handleZodError } from "@versia-server/kit/api";
|
||||
import { db, Note, User } from "@versia-server/kit/db";
|
||||
import { parseUserAddress } from "@versia-server/kit/parsers";
|
||||
import { searchManager } from "@versia-server/kit/search";
|
||||
import { Instances, Notes, Users } from "@versia-server/kit/tables";
|
||||
import { and, eq, inArray, isNull, sql } from "drizzle-orm";
|
||||
import { describeRoute } from "hono-openapi";
|
||||
import { resolver, validator } from "hono-openapi/zod";
|
||||
import { z } from "zod";
|
||||
import { searchManager } from "~/classes/search/search-manager";
|
||||
|
||||
export default apiRoute((app) =>
|
||||
app.get(
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
import { config } from "@versia-server/config";
|
||||
import { Note, setupDatabase } from "@versia-server/kit/db";
|
||||
import { connection } from "@versia-server/kit/redis";
|
||||
import { searchManager } from "@versia-server/kit/search";
|
||||
import { serverLogger } from "@versia-server/logging";
|
||||
import { searchManager } from "../../classes/search/search-manager.ts";
|
||||
|
||||
const timeAtStart = performance.now();
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue