versia-pub/server
2
0
Fork 0
mirror of https://github.com/versia-pub/server.git synced 2026-03-13 05:49:16 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

refactor(api): ♻️ Move /api/v1/sso to OpenID plugin

Browse source
This commit is contained in:
Jesse Wierzbinski 2024-09-24 14:42:39 +02:00
parent c7ec678a3e
commit 96d1805925
No known key found for this signature in database
12 changed files with 710 additions and 249 deletions
Download patch file Download diff file Expand all files Collapse all files

2
plugins/openid/index.ts
View file

@ -1,6 +1,7 @@
import { Hooks, Plugin, PluginConfigManager } from "@versia/kit";
import { z } from "zod";
import authorizeRoute from "./routes/authorize";
import ssoRoute from "./routes/sso";
const configManager = new PluginConfigManager(
z.object({
@ -66,6 +67,7 @@ plugin.registerHandler(Hooks.Response, (req) => {
return req;
});
authorizeRoute(plugin);
ssoRoute(plugin);
export type PluginType = typeof plugin;
export default plugin;

404
plugins/openid/routes/authorize.test.ts Normal file
View file

@ -0,0 +1,404 @@
import { afterAll, beforeAll, describe, expect, test } from "bun:test";
import { randomString } from "@/math";
import { eq } from "drizzle-orm";
import { SignJWT } from "jose";
import { db } from "~/drizzle/db";
import { Applications, RolePermissions } from "~/drizzle/schema";
import { config } from "~/packages/config-manager";
import { fakeRequest, getTestUsers } from "~/tests/utils";
const { deleteUsers, tokens, users } = await getTestUsers(1);
const clientId = "test-client-id";
const redirectUri = "https://example.com/callback";
const scope = "openid profile email";
const secret = "test-secret";
const privateKey = await crypto.subtle.importKey(
"pkcs8",
Buffer.from(config.plugins?.["@versia/openid"].keys.private, "base64"),
"Ed25519",
false,
["sign"],
);
beforeAll(async () => {
await db.insert(Applications).values({
clientId: clientId,
redirectUri: redirectUri,
scopes: scope,
name: "Test Application",
secret,
});
});
afterAll(async () => {
await deleteUsers();
await db.delete(Applications).where(eq(Applications.clientId, clientId));
});
describe("/oauth/authorize", () => {
test("should authorize and redirect with valid inputs", async () => {
const jwt = await new SignJWT({
sub: users[0].id,
iss: new URL(config.http.base_url).origin,
aud: clientId,
exp: Math.floor(Date.now() / 1000) + 60 * 60,
iat: Math.floor(Date.now() / 1000),
nbf: Math.floor(Date.now() / 1000),
})
.setProtectedHeader({ alg: "EdDSA" })
.sign(privateKey);
const response = await fakeRequest("/oauth/authorize", {
method: "POST",
headers: {
Authorization: `Bearer ${tokens[0]?.accessToken}`,
"Content-Type": "application/json",
Cookie: `jwt=${jwt}`,
},
body: JSON.stringify({
client_id: clientId,
redirect_uri: redirectUri,
response_type: "code",
scope,
state: "test-state",
code_challenge: randomString(43),
code_challenge_method: "S256",
}),
});
expect(response.status).toBe(302);
const location = new URL(
response.headers.get("Location") ?? "",
config.http.base_url,
);
const params = new URLSearchParams(location.search);
expect(location.origin + location.pathname).toBe(redirectUri);
expect(params.get("code")).toBeTruthy();
expect(params.get("state")).toBe("test-state");
});
test("should return error for invalid JWT", async () => {
const response = await fakeRequest("/oauth/authorize", {
method: "POST",
headers: {
Authorization: `Bearer ${tokens[0]?.accessToken}`,
"Content-Type": "application/json",
Cookie: "jwt=invalid-jwt",
},
body: JSON.stringify({
client_id: clientId,
redirect_uri: redirectUri,
response_type: "code",
scope,
state: "test-state",
code_challenge: randomString(43),
code_challenge_method: "S256",
}),
});
expect(response.status).toBe(302);
const location = new URL(
response.headers.get("Location") ?? "",
config.http.base_url,
);
const params = new URLSearchParams(location.search);
expect(params.get("error")).toBe("invalid_request");
expect(params.get("error_description")).toBe(
"Invalid JWT, could not verify",
);
});
test("should return error for missing required fields in JWT", async () => {
const jwt = await new SignJWT({
sub: users[0].id,
iss: new URL(config.http.base_url).origin,
aud: clientId,
})
.setProtectedHeader({ alg: "EdDSA" })
.sign(privateKey);
const response = await fakeRequest("/oauth/authorize", {
method: "POST",
headers: {
Authorization: `Bearer ${tokens[0]?.accessToken}`,
"Content-Type": "application/json",
Cookie: `jwt=${jwt}`,
},
body: JSON.stringify({
client_id: clientId,
redirect_uri: redirectUri,
response_type: "code",
scope,
state: "test-state",
code_challenge: randomString(43),
code_challenge_method: "S256",
}),
});
expect(response.status).toBe(302);
const location = new URL(
response.headers.get("Location") ?? "",
config.http.base_url,
);
const params = new URLSearchParams(location.search);
expect(params.get("error")).toBe("invalid_request");
expect(params.get("error_description")).toBe(
"Invalid JWT, missing required fields (aud, sub, exp)",
);
});
test("should return error for user not found", async () => {
const jwt = await new SignJWT({
sub: "non-existent-user",
aud: clientId,
exp: Math.floor(Date.now() / 1000) + 60 * 60,
iss: new URL(config.http.base_url).origin,
iat: Math.floor(Date.now() / 1000),
nbf: Math.floor(Date.now() / 1000),
})
.setProtectedHeader({ alg: "EdDSA" })
.sign(privateKey);
const response = await fakeRequest("/oauth/authorize", {
method: "POST",
headers: {
Authorization: `Bearer ${tokens[0]?.accessToken}`,
"Content-Type": "application/json",
Cookie: `jwt=${jwt}`,
},
body: JSON.stringify({
client_id: clientId,
redirect_uri: redirectUri,
response_type: "code",
scope,
state: "test-state",
code_challenge: randomString(43),
code_challenge_method: "S256",
}),
});
expect(response.status).toBe(302);
const location = new URL(
response.headers.get("Location") ?? "",
config.http.base_url,
);
const params = new URLSearchParams(location.search);
expect(params.get("error")).toBe("invalid_request");
expect(params.get("error_description")).toBe(
"Invalid JWT, sub is not a valid user ID",
);
const jwt2 = await new SignJWT({
sub: "23e42862-d5df-49a8-95b5-52d8c6a11aea",
aud: clientId,
exp: Math.floor(Date.now() / 1000) + 60 * 60,
iss: new URL(config.http.base_url).origin,
iat: Math.floor(Date.now() / 1000),
nbf: Math.floor(Date.now() / 1000),
})
.setProtectedHeader({ alg: "EdDSA" })
.sign(privateKey);
const response2 = await fakeRequest("/oauth/authorize", {
method: "POST",
headers: {
Authorization: `Bearer ${tokens[0]?.accessToken}`,
"Content-Type": "application/json",
Cookie: `jwt=${jwt2}`,
},
body: JSON.stringify({
client_id: clientId,
redirect_uri: redirectUri,
response_type: "code",
scope,
state: "test-state",
code_challenge: randomString(43),
code_challenge_method: "S256",
}),
});
expect(response2.status).toBe(302);
const location2 = new URL(
response2.headers.get("Location") ?? "",
config.http.base_url,
);
const params2 = new URLSearchParams(location2.search);
expect(params2.get("error")).toBe("invalid_request");
expect(params2.get("error_description")).toBe(
"Invalid JWT, could not find associated user",
);
});
test("should return error for user missing required permissions", async () => {
const oldPermissions = config.permissions.default;
config.permissions.default = [];
const jwt = await new SignJWT({
sub: users[0].id,
iss: new URL(config.http.base_url).origin,
aud: clientId,
exp: Math.floor(Date.now() / 1000) + 60 * 60,
iat: Math.floor(Date.now() / 1000),
nbf: Math.floor(Date.now() / 1000),
})
.setProtectedHeader({ alg: "EdDSA" })
.sign(privateKey);
const response = await fakeRequest("/oauth/authorize", {
method: "POST",
headers: {
Authorization: `Bearer ${tokens[0]?.accessToken}`,
"Content-Type": "application/json",
Cookie: `jwt=${jwt}`,
},
body: JSON.stringify({
client_id: clientId,
redirect_uri: redirectUri,
response_type: "code",
scope,
state: "test-state",
code_challenge: randomString(43),
code_challenge_method: "S256",
}),
});
expect(response.status).toBe(302);
const location = new URL(
response.headers.get("Location") ?? "",
config.http.base_url,
);
const params = new URLSearchParams(location.search);
expect(params.get("error")).toBe("invalid_request");
expect(params.get("error_description")).toBe(
`User is missing the required permission ${RolePermissions.OAuth}`,
);
config.permissions.default = oldPermissions;
});
test("should return error for invalid client_id", async () => {
const jwt = await new SignJWT({
sub: users[0].id,
aud: "invalid-client-id",
iss: new URL(config.http.base_url).origin,
exp: Math.floor(Date.now() / 1000) + 60 * 60,
iat: Math.floor(Date.now() / 1000),
nbf: Math.floor(Date.now() / 1000),
})
.setProtectedHeader({ alg: "EdDSA" })
.sign(privateKey);
const response = await fakeRequest("/oauth/authorize", {
method: "POST",
headers: {
Authorization: `Bearer ${tokens[0]?.accessToken}`,
"Content-Type": "application/json",
Cookie: `jwt=${jwt}`,
},
body: JSON.stringify({
client_id: "invalid-client-id",
redirect_uri: redirectUri,
response_type: "code",
scope,
state: "test-state",
code_challenge: randomString(43),
code_challenge_method: "S256",
}),
});
expect(response.status).toBe(302);
const location = new URL(
response.headers.get("Location") ?? "",
config.http.base_url,
);
const params = new URLSearchParams(location.search);
expect(params.get("error")).toBe("invalid_request");
expect(params.get("error_description")).toBe(
"Invalid client_id: no associated application found",
);
});
test("should return error for invalid redirect_uri", async () => {
const jwt = await new SignJWT({
sub: users[0].id,
iss: new URL(config.http.base_url).origin,
aud: clientId,
exp: Math.floor(Date.now() / 1000) + 60 * 60,
iat: Math.floor(Date.now() / 1000),
nbf: Math.floor(Date.now() / 1000),
})
.setProtectedHeader({ alg: "EdDSA" })
.sign(privateKey);
const response = await fakeRequest("/oauth/authorize", {
method: "POST",
headers: {
Authorization: `Bearer ${tokens[0]?.accessToken}`,
"Content-Type": "application/json",
Cookie: `jwt=${jwt}`,
},
body: JSON.stringify({
client_id: clientId,
redirect_uri: "https://invalid.com/callback",
response_type: "code",
scope,
state: "test-state",
code_challenge: randomString(43),
code_challenge_method: "S256",
}),
});
expect(response.status).toBe(302);
const location = new URL(
response.headers.get("Location") ?? "",
config.http.base_url,
);
const params = new URLSearchParams(location.search);
expect(params.get("error")).toBe("invalid_request");
expect(params.get("error_description")).toBe(
"Invalid redirect_uri: does not match application's redirect_uri",
);
});
test("should return error for invalid scope", async () => {
const jwt = await new SignJWT({
sub: users[0].id,
iss: new URL(config.http.base_url).origin,
aud: clientId,
exp: Math.floor(Date.now() / 1000) + 60 * 60,
iat: Math.floor(Date.now() / 1000),
nbf: Math.floor(Date.now() / 1000),
})
.setProtectedHeader({ alg: "EdDSA" })
.sign(privateKey);
const response = await fakeRequest("/oauth/authorize", {
method: "POST",
headers: {
Authorization: `Bearer ${tokens[0]?.accessToken}`,
"Content-Type": "application/json",
Cookie: `jwt=${jwt}`,
},
body: JSON.stringify({
client_id: clientId,
redirect_uri: redirectUri,
response_type: "code",
scope: "invalid-scope",
state: "test-state",
code_challenge: randomString(43),
code_challenge_method: "S256",
}),
});
expect(response.status).toBe(302);
const location = new URL(
response.headers.get("Location") ?? "",
config.http.base_url,
);
const params = new URLSearchParams(location.search);
expect(params.get("error")).toBe("invalid_scope");
expect(params.get("error_description")).toBe(
"Invalid scope: not a subset of the application's scopes",
);
});
});

12
plugins/openid/routes/authorize.ts
View file

@ -159,6 +159,18 @@ export default (plugin: PluginType) =>
);
}
if (!z.string().uuid().safeParse(sub).success) {
errorSearchParams.append("error", "invalid_request");
errorSearchParams.append(
"error_description",
"Invalid JWT, sub is not a valid user ID",
);
return context.redirect(
`${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
);
}
const user = await User.fromId(sub);
if (!user) {

45
plugins/openid/routes/sso/index.test.ts Normal file
View file

@ -0,0 +1,45 @@
import { afterAll, describe, expect, test } from "bun:test";
import { fakeRequest, getTestUsers } from "~/tests/utils";
const { deleteUsers, tokens } = await getTestUsers(1);
afterAll(async () => {
await deleteUsers();
});
describe("/api/v1/sso", () => {
test("should return empty list", async () => {
const response = await fakeRequest("/api/v1/sso", {
method: "GET",
headers: {
Authorization: `Bearer ${tokens[0]?.accessToken}`,
},
});
expect(response.status).toBe(200);
expect(await response.json()).toMatchObject([]);
});
test("should return an error if provider doesn't exist", async () => {
const response = await fakeRequest("/api/v1/sso", {
method: "POST",
headers: {
Authorization: `Bearer ${tokens[0]?.accessToken}`,
"Content-Type": "application/json",
},
body: JSON.stringify({
issuer: "unknown",
}),
});
expect(response.status).toBe(404);
expect(await response.json()).toMatchObject({
error: "Issuer unknown not found",
});
});
/*
Unfortunately, we cannot test actual linking, as it requires a valid OpenID provider
setup in config, which we don't have in tests
*/
});

223
plugins/openid/routes/sso/index.ts Normal file
View file

@ -0,0 +1,223 @@
import { auth } from "@/api";
import {
calculatePKCECodeChallenge,
generateRandomCodeVerifier,
} from "oauth4webapi";
import { z } from "zod";
import { db } from "~/drizzle/db";
import {
Applications,
OpenIdLoginFlows,
RolePermissions,
} from "~/drizzle/schema";
import { ErrorSchema } from "~/types/api";
import type { PluginType } from "../..";
import { oauthDiscoveryRequest, oauthRedirectUri } from "../../utils";
export default (plugin: PluginType) => {
plugin.registerRoute("/api/v1/sso", (app) => {
app.openapi(
{
method: "get",
path: "/api/v1/sso",
summary: "Get linked accounts",
middleware: [
auth(
{
required: true,
},
{
required: [RolePermissions.OAuth],
},
),
plugin.middleware,
],
responses: {
200: {
description: "Linked accounts",
content: {
"application/json": {
schema: z.array(
z.object({
id: z.string(),
name: z.string(),
icon: z.string().optional(),
}),
),
},
},
},
401: {
description: "Unauthorized",
content: {
"application/json": {
schema: ErrorSchema,
},
},
},
},
},
async (context) => {
const { user } = context.get("auth");
if (!user) {
return context.json(
{
error: "Unauthorized",
},
401,
);
}
const linkedAccounts = await user.getLinkedOidcAccounts();
return context.json(
linkedAccounts.map((account) => ({
id: account.id,
name: account.name,
icon: account.icon,
})),
200,
);
},
);
app.openapi(
{
method: "post",
path: "/api/v1/sso",
summary: "Link account",
middleware: [
auth(
{
required: true,
},
{
required: [RolePermissions.OAuth],
},
),
],
request: {
body: {
content: {
"application/json": {
schema: z.object({
issuer: z.string(),
}),
},
},
},
},
responses: {
302: {
description: "Redirect to OpenID provider",
},
401: {
description: "Unauthorized",
content: {
"application/json": {
schema: ErrorSchema,
},
},
},
404: {
description: "Issuer not found",
content: {
"application/json": {
schema: ErrorSchema,
},
},
},
},
},
async (context) => {
const { user } = context.get("auth");
if (!user) {
return context.json(
{
error: "Unauthorized",
},
401,
);
}
const { issuer: issuerId } = context.req.valid("json");
const issuer = context
.get("pluginConfig")
.providers.find((provider) => provider.id === issuerId);
if (!issuer) {
return context.json(
{
error: `Issuer with ID ${issuerId} not found in instance's OpenID configuration`,
},
404,
);
}
const authServer = await oauthDiscoveryRequest(issuer.url);
const codeVerifier = generateRandomCodeVerifier();
const redirectUri = oauthRedirectUri(
issuerId,
context.get("config").http.base_url,
);
const application = (
await db
.insert(Applications)
.values({
clientId:
user.id +
Buffer.from(
crypto.getRandomValues(new Uint8Array(32)),
).toString("base64"),
name: "Versia",
redirectUri,
scopes: "openid profile email",
secret: "",
})
.returning()
)[0];
// Store into database
const newFlow = (
await db
.insert(OpenIdLoginFlows)
.values({
codeVerifier,
issuerId,
applicationId: application.id,
})
.returning()
)[0];
const codeChallenge =
await calculatePKCECodeChallenge(codeVerifier);
return context.redirect(
`${authServer.authorization_endpoint}?${new URLSearchParams(
{
client_id: issuer.client_id,
redirect_uri: `${redirectUri}?${new URLSearchParams(
{
flow: newFlow.id,
link: "true",
user_id: user.id,
},
)}`,
response_type: "code",
scope: "openid profile email",
// PKCE
code_challenge_method: "S256",
code_challenge: codeChallenge,
},
).toString()}`,
);
},
);
});
};

18
plugins/openid/utils.ts Normal file
View file

@ -0,0 +1,18 @@
import {
type AuthorizationServer,
discoveryRequest,
processDiscoveryResponse,
} from "oauth4webapi";
export const oauthDiscoveryRequest = (
issuerUrl: string | URL,
): Promise<AuthorizationServer> => {
const issuerUrlurl = new URL(issuerUrl);
return discoveryRequest(issuerUrlurl, {
algorithm: "oidc",
}).then((res) => processDiscoveryResponse(issuerUrlurl, res));
};
export const oauthRedirectUri = (baseUrl: string, issuer: string) =>
new URL(`/oauth/sso/${issuer}/callback`, baseUrl).toString();