versia-pub/server
2
0
Fork 0
mirror of https://github.com/versia-pub/server.git synced 2026-03-13 05:49:16 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

refactor(database): ♻️ Move Applications to our custom ORM

Browse source
This commit is contained in:
Jesse Wierzbinski 2024-10-23 17:56:47 +02:00
parent e8827bccfa
commit 9e96eca032
No known key found for this signature in database
23 changed files with 424 additions and 381 deletions
Download patch file Download diff file Expand all files Collapse all files

93
plugins/openid/routes/authorize.test.ts
View file

@ -1,17 +1,12 @@
import { afterAll, beforeAll, describe, expect, test } from "bun:test";
import { afterAll, describe, expect, test } from "bun:test";
import { randomString } from "@/math";
import { db } from "@versia/kit/db";
import { eq } from "@versia/kit/drizzle";
import { Applications, RolePermissions } from "@versia/kit/tables";
import { RolePermissions } from "@versia/kit/tables";
import { SignJWT } from "jose";
import { config } from "~/packages/config-manager";
import { Application } from "~/packages/database-interface/application";
import { fakeRequest, getTestUsers } from "~/tests/utils";
const { deleteUsers, tokens, users } = await getTestUsers(1);
const clientId = "test-client-id";
const redirectUri = "https://example.com/callback";
const scope = "openid profile email";
const secret = "test-secret";
const privateKey = await crypto.subtle.importKey(
"pkcs8",
Buffer.from(
@ -23,19 +18,17 @@ const privateKey = await crypto.subtle.importKey(
["sign"],
);
beforeAll(async () => {
await db.insert(Applications).values({
clientId,
redirectUri,
scopes: scope,
name: "Test Application",
secret,
});
const application = await Application.insert({
clientId: "test-client-id",
redirectUri: "https://example.com/callback",
scopes: "openid profile email",
name: "Test Application",
secret: "test-secret",
});
afterAll(async () => {
await deleteUsers();
await db.delete(Applications).where(eq(Applications.clientId, clientId));
await application.delete();
});
describe("/oauth/authorize", () => {
@ -43,7 +36,7 @@ describe("/oauth/authorize", () => {
const jwt = await new SignJWT({
sub: users[0].id,
iss: new URL(config.http.base_url).origin,
aud: clientId,
aud: application.data.clientId,
exp: Math.floor(Date.now() / 1000) + 60 * 60,
iat: Math.floor(Date.now() / 1000),
nbf: Math.floor(Date.now() / 1000),
@ -59,10 +52,10 @@ describe("/oauth/authorize", () => {
Cookie: `jwt=${jwt}`,
},
body: JSON.stringify({
client_id: clientId,
redirect_uri: redirectUri,
client_id: application.data.clientId,
redirect_uri: application.data.redirectUri,
response_type: "code",
scope,
scope: application.data.scopes,
state: "test-state",
code_challenge: randomString(43),
code_challenge_method: "S256",
@ -75,7 +68,9 @@ describe("/oauth/authorize", () => {
config.http.base_url,
);
const params = new URLSearchParams(location.search);
expect(location.origin + location.pathname).toBe(redirectUri);
expect(location.origin + location.pathname).toBe(
application.data.redirectUri,
);
expect(params.get("code")).toBeTruthy();
expect(params.get("state")).toBe("test-state");
});
@ -89,10 +84,10 @@ describe("/oauth/authorize", () => {
Cookie: "jwt=invalid-jwt",
},
body: JSON.stringify({
client_id: clientId,
redirect_uri: redirectUri,
client_id: application.data.clientId,
redirect_uri: application.data.redirectUri,
response_type: "code",
scope,
scope: application.data.scopes,
state: "test-state",
code_challenge: randomString(43),
code_challenge_method: "S256",
@ -115,7 +110,7 @@ describe("/oauth/authorize", () => {
const jwt = await new SignJWT({
sub: users[0].id,
iss: new URL(config.http.base_url).origin,
aud: clientId,
aud: application.data.clientId,
})
.setProtectedHeader({ alg: "EdDSA" })
.sign(privateKey);
@ -128,10 +123,10 @@ describe("/oauth/authorize", () => {
Cookie: `jwt=${jwt}`,
},
body: JSON.stringify({
client_id: clientId,
redirect_uri: redirectUri,
client_id: application.data.clientId,
redirect_uri: application.data.redirectUri,
response_type: "code",
scope,
scope: application.data.scopes,
state: "test-state",
code_challenge: randomString(43),
code_challenge_method: "S256",
@ -153,7 +148,7 @@ describe("/oauth/authorize", () => {
test("should return error for user not found", async () => {
const jwt = await new SignJWT({
sub: "non-existent-user",
aud: clientId,
aud: application.data.clientId,
exp: Math.floor(Date.now() / 1000) + 60 * 60,
iss: new URL(config.http.base_url).origin,
iat: Math.floor(Date.now() / 1000),
@ -170,10 +165,10 @@ describe("/oauth/authorize", () => {
Cookie: `jwt=${jwt}`,
},
body: JSON.stringify({
client_id: clientId,
redirect_uri: redirectUri,
client_id: application.data.clientId,
redirect_uri: application.data.redirectUri,
response_type: "code",
scope,
scope: application.data.scopes,
state: "test-state",
code_challenge: randomString(43),
code_challenge_method: "S256",
@ -193,7 +188,7 @@ describe("/oauth/authorize", () => {
const jwt2 = await new SignJWT({
sub: "23e42862-d5df-49a8-95b5-52d8c6a11aea",
aud: clientId,
aud: application.data.clientId,
exp: Math.floor(Date.now() / 1000) + 60 * 60,
iss: new URL(config.http.base_url).origin,
iat: Math.floor(Date.now() / 1000),
@ -210,10 +205,10 @@ describe("/oauth/authorize", () => {
Cookie: `jwt=${jwt2}`,
},
body: JSON.stringify({
client_id: clientId,
redirect_uri: redirectUri,
client_id: application.data.clientId,
redirect_uri: application.data.redirectUri,
response_type: "code",
scope,
scope: application.data.scopes,
state: "test-state",
code_challenge: randomString(43),
code_challenge_method: "S256",
@ -239,7 +234,7 @@ describe("/oauth/authorize", () => {
const jwt = await new SignJWT({
sub: users[0].id,
iss: new URL(config.http.base_url).origin,
aud: clientId,
aud: application.data.clientId,
exp: Math.floor(Date.now() / 1000) + 60 * 60,
iat: Math.floor(Date.now() / 1000),
nbf: Math.floor(Date.now() / 1000),
@ -255,10 +250,10 @@ describe("/oauth/authorize", () => {
Cookie: `jwt=${jwt}`,
},
body: JSON.stringify({
client_id: clientId,
redirect_uri: redirectUri,
client_id: application.data.clientId,
redirect_uri: application.data.redirectUri,
response_type: "code",
scope,
scope: application.data.scopes,
state: "test-state",
code_challenge: randomString(43),
code_challenge_method: "S256",
@ -300,9 +295,9 @@ describe("/oauth/authorize", () => {
},
body: JSON.stringify({
client_id: "invalid-client-id",
redirect_uri: redirectUri,
redirect_uri: application.data.redirectUri,
response_type: "code",
scope,
scope: application.data.scopes,
state: "test-state",
code_challenge: randomString(43),
code_challenge_method: "S256",
@ -325,7 +320,7 @@ describe("/oauth/authorize", () => {
const jwt = await new SignJWT({
sub: users[0].id,
iss: new URL(config.http.base_url).origin,
aud: clientId,
aud: application.data.clientId,
exp: Math.floor(Date.now() / 1000) + 60 * 60,
iat: Math.floor(Date.now() / 1000),
nbf: Math.floor(Date.now() / 1000),
@ -341,10 +336,10 @@ describe("/oauth/authorize", () => {
Cookie: `jwt=${jwt}`,
},
body: JSON.stringify({
client_id: clientId,
client_id: application.data.clientId,
redirect_uri: "https://invalid.com/callback",
response_type: "code",
scope,
scope: application.data.scopes,
state: "test-state",
code_challenge: randomString(43),
code_challenge_method: "S256",
@ -367,7 +362,7 @@ describe("/oauth/authorize", () => {
const jwt = await new SignJWT({
sub: users[0].id,
iss: new URL(config.http.base_url).origin,
aud: clientId,
aud: application.data.clientId,
exp: Math.floor(Date.now() / 1000) + 60 * 60,
iat: Math.floor(Date.now() / 1000),
nbf: Math.floor(Date.now() / 1000),
@ -383,8 +378,8 @@ describe("/oauth/authorize", () => {
Cookie: `jwt=${jwt}`,
},
body: JSON.stringify({
client_id: clientId,
redirect_uri: redirectUri,
client_id: application.data.clientId,
redirect_uri: application.data.redirectUri,
response_type: "code",
scope: "invalid-scope",
state: "test-state",

15
plugins/openid/routes/authorize.ts
View file

@ -6,6 +6,7 @@ import { type JWTPayload, SignJWT, jwtVerify } from "jose";
import { JOSEError } from "jose/errors";
import { z } from "zod";
import { TokenType } from "~/classes/functions/token";
import { Application } from "~/packages/database-interface/application.ts";
import { User } from "~/packages/database-interface/user";
import type { PluginType } from "../index.ts";
@ -197,9 +198,7 @@ export default (plugin: PluginType) =>
);
}
const application = await db.query.Applications.findFirst({
where: (app, { eq }) => eq(app.clientId, client_id),
});
const application = await Application.fromClientId(client_id);
if (!application) {
errorSearchParams.append("error", "invalid_request");
@ -213,7 +212,7 @@ export default (plugin: PluginType) =>
);
}
if (application.redirectUri !== redirect_uri) {
if (application.data.redirectUri !== redirect_uri) {
errorSearchParams.append("error", "invalid_request");
errorSearchParams.append(
"error_description",
@ -230,7 +229,7 @@ export default (plugin: PluginType) =>
scope &&
!scope
.split(" ")
.every((s) => application.scopes.includes(s))
.every((s) => application.data.scopes.includes(s))
) {
errorSearchParams.append("error", "invalid_scope");
errorSearchParams.append(
@ -288,10 +287,10 @@ export default (plugin: PluginType) =>
await db.insert(Tokens).values({
accessToken: randomString(64, "base64url"),
code,
scope: scope ?? application.scopes,
scope: scope ?? application.data.scopes,
tokenType: TokenType.Bearer,
applicationId: application.id,
redirectUri: redirect_uri ?? application.redirectUri,
redirectUri: redirect_uri ?? application.data.redirectUri,
expiresAt: new Date(
Date.now() + 60 * 60 * 24 * 14,
).toISOString(),
@ -310,7 +309,7 @@ export default (plugin: PluginType) =>
"/oauth/code",
context.get("config").http.base_url,
)
: new URL(redirect_uri ?? application.redirectUri);
: new URL(redirect_uri ?? application.data.redirectUri);
redirectUri.searchParams.append("code", code);
state && redirectUri.searchParams.append("state", state);

27
plugins/openid/routes/jwks.test.ts
View file

@ -1,26 +1,17 @@
import { afterAll, beforeAll, describe, expect, test } from "bun:test";
import { db } from "@versia/kit/db";
import { eq } from "drizzle-orm";
import { Applications } from "~/drizzle/schema";
import { afterAll, describe, expect, test } from "bun:test";
import { Application } from "~/packages/database-interface/application";
import { fakeRequest } from "~/tests/utils";
const clientId = "test-client-id";
const redirectUri = "https://example.com/callback";
const scope = "openid profile email";
const secret = "test-secret";
beforeAll(async () => {
await db.insert(Applications).values({
clientId,
redirectUri,
scopes: scope,
name: "Test Application",
secret,
});
const application = await Application.insert({
clientId: "test-client-id",
redirectUri: "https://example.com/callback",
scopes: "openid profile email",
secret: "test-secret",
name: "Test Application",
});
afterAll(async () => {
await db.delete(Applications).where(eq(Applications.clientId, clientId));
await application.delete();
});
describe("/.well-known/jwks", () => {

56
plugins/openid/routes/oauth/revoke.test.ts
View file

@ -1,38 +1,30 @@
import { afterAll, beforeAll, describe, expect, test } from "bun:test";
import { db } from "@versia/kit/db";
import { eq } from "@versia/kit/drizzle";
import { Applications, Tokens } from "@versia/kit/tables";
import { Tokens } from "@versia/kit/tables";
import { Application } from "~/packages/database-interface/application";
import { fakeRequest, getTestUsers } from "~/tests/utils";
const { deleteUsers, users } = await getTestUsers(1);
const clientId = "test-client-id";
const redirectUri = "https://example.com/callback";
const scope = "openid profile email";
const secret = "test-secret";
const application = await Application.insert({
clientId: "test-client-id",
redirectUri: "https://example.com/callback",
scopes: "openid profile email",
secret: "test-secret",
name: "Test Application",
});
beforeAll(async () => {
const application = (
await db
.insert(Applications)
.values({
clientId,
redirectUri,
scopes: scope,
name: "Test Application",
secret,
})
.returning()
)[0];
await db.insert(Tokens).values({
code: "test-code",
redirectUri,
clientId,
redirectUri: application.data.redirectUri,
clientId: application.data.clientId,
accessToken: "test-access-token",
expiresAt: new Date(Date.now() + 3600 * 1000).toISOString(),
createdAt: new Date().toISOString(),
tokenType: "Bearer",
scope,
scope: application.data.scopes,
userId: users[0].id,
applicationId: application.id,
});
@ -40,8 +32,10 @@ beforeAll(async () => {
afterAll(async () => {
await deleteUsers();
await db.delete(Applications).where(eq(Applications.clientId, clientId));
await db.delete(Tokens).where(eq(Tokens.clientId, clientId));
await application.delete();
await db
.delete(Tokens)
.where(eq(Tokens.clientId, application.data.clientId));
});
describe("/oauth/revoke", () => {
@ -52,8 +46,8 @@ describe("/oauth/revoke", () => {
"Content-Type": "application/json",
},
body: JSON.stringify({
client_id: clientId,
client_secret: secret,
client_id: application.data.clientId,
client_secret: application.data.secret,
token: "test-access-token",
}),
});
@ -70,8 +64,8 @@ describe("/oauth/revoke", () => {
"Content-Type": "application/json",
},
body: JSON.stringify({
client_id: clientId,
client_secret: secret,
client_id: application.data.clientId,
client_secret: application.data.secret,
}),
});
@ -90,7 +84,7 @@ describe("/oauth/revoke", () => {
"Content-Type": "application/json",
},
body: JSON.stringify({
client_id: clientId,
client_id: application.data.clientId,
client_secret: "invalid-secret",
token: "test-access-token",
}),
@ -111,8 +105,8 @@ describe("/oauth/revoke", () => {
"Content-Type": "application/json",
},
body: JSON.stringify({
client_id: clientId,
client_secret: secret,
client_id: application.data.clientId,
client_secret: application.data.secret,
token: "invalid-token",
}),
});
@ -133,7 +127,7 @@ describe("/oauth/revoke", () => {
},
body: JSON.stringify({
client_id: "unauthorized-client-id",
client_secret: secret,
client_secret: application.data.secret,
token: "test-access-token",
}),
});

6
plugins/openid/routes/oauth/sso.ts
View file

@ -7,6 +7,7 @@ import {
generateRandomCodeVerifier,
processDiscoveryResponse,
} from "oauth4webapi";
import { Application } from "~/packages/database-interface/application.ts";
import type { PluginType } from "../../index.ts";
import { oauthRedirectUri } from "../../utils.ts";
@ -83,10 +84,7 @@ export default (plugin: PluginType) => {
const codeVerifier = generateRandomCodeVerifier();
const application = await db.query.Applications.findFirst({
where: (application, { eq }) =>
eq(application.clientId, client_id),
});
const application = await Application.fromClientId(client_id);
if (!application) {
errorSearchParams.append("error", "invalid_request");

71
plugins/openid/routes/oauth/token.test.ts
View file

@ -1,41 +1,40 @@
import { afterAll, beforeAll, describe, expect, test } from "bun:test";
import { db } from "@versia/kit/db";
import { eq } from "@versia/kit/drizzle";
import { Applications, Tokens } from "@versia/kit/tables";
import { Tokens } from "@versia/kit/tables";
import { Application } from "~/packages/database-interface/application";
import { fakeRequest, getTestUsers } from "~/tests/utils";
const { deleteUsers, users } = await getTestUsers(1);
const clientId = "test-client-id";
const redirectUri = "https://example.com/callback";
const scope = "openid profile email";
const secret = "test-secret";
const application = await Application.insert({
clientId: "test-client-id",
redirectUri: "https://example.com/callback",
scopes: "openid profile email",
secret: "test-secret",
name: "Test Application",
});
beforeAll(async () => {
await db.insert(Applications).values({
clientId,
redirectUri,
scopes: scope,
name: "Test Application",
secret,
});
await db.insert(Tokens).values({
code: "test-code",
redirectUri,
clientId,
redirectUri: application.data.redirectUri,
clientId: application.data.clientId,
accessToken: "test-access-token",
expiresAt: new Date(Date.now() + 3600 * 1000).toISOString(),
createdAt: new Date().toISOString(),
tokenType: "Bearer",
scope,
scope: application.data.scopes,
userId: users[0].id,
});
});
afterAll(async () => {
await deleteUsers();
await db.delete(Applications).where(eq(Applications.clientId, clientId));
await db.delete(Tokens).where(eq(Tokens.clientId, clientId));
await application.delete();
await db
.delete(Tokens)
.where(eq(Tokens.clientId, application.data.clientId));
});
describe("/oauth/token", () => {
@ -48,9 +47,9 @@ describe("/oauth/token", () => {
body: JSON.stringify({
grant_type: "authorization_code",
code: "test-code",
redirect_uri: redirectUri,
client_id: clientId,
client_secret: secret,
redirect_uri: application.data.redirectUri,
client_id: application.data.clientId,
client_secret: application.data.secret,
}),
});
@ -69,9 +68,9 @@ describe("/oauth/token", () => {
},
body: JSON.stringify({
grant_type: "authorization_code",
redirect_uri: redirectUri,
client_id: clientId,
client_secret: secret,
redirect_uri: application.data.redirectUri,
client_id: application.data.clientId,
client_secret: application.data.secret,
}),
});
@ -90,8 +89,8 @@ describe("/oauth/token", () => {
body: JSON.stringify({
grant_type: "authorization_code",
code: "test-code",
client_id: clientId,
client_secret: secret,
client_id: application.data.clientId,
client_secret: application.data.secret,
}),
});
@ -110,8 +109,8 @@ describe("/oauth/token", () => {
body: JSON.stringify({
grant_type: "authorization_code",
code: "test-code",
redirect_uri: redirectUri,
client_secret: secret,
redirect_uri: application.data.redirectUri,
client_secret: application.data.secret,
}),
});
@ -130,8 +129,8 @@ describe("/oauth/token", () => {
body: JSON.stringify({
grant_type: "authorization_code",
code: "test-code",
redirect_uri: redirectUri,
client_id: clientId,
redirect_uri: application.data.redirectUri,
client_id: application.data.clientId,
client_secret: "invalid-secret",
}),
});
@ -151,9 +150,9 @@ describe("/oauth/token", () => {
body: JSON.stringify({
grant_type: "authorization_code",
code: "invalid-code",
redirect_uri: redirectUri,
client_id: clientId,
client_secret: secret,
redirect_uri: application.data.redirectUri,
client_id: application.data.clientId,
client_secret: application.data.secret,
}),
});
@ -172,9 +171,9 @@ describe("/oauth/token", () => {
body: JSON.stringify({
grant_type: "refresh_token",
code: "test-code",
redirect_uri: redirectUri,
client_id: clientId,
client_secret: secret,
redirect_uri: application.data.redirectUri,
client_id: application.data.clientId,
client_secret: application.data.secret,
}),
});

9
plugins/openid/routes/oauth/token.ts
View file

@ -3,6 +3,7 @@ import { createRoute, z } from "@hono/zod-openapi";
import { db } from "@versia/kit/db";
import { eq } from "@versia/kit/drizzle";
import { Tokens } from "@versia/kit/tables";
import { Application } from "~/packages/database-interface/application.ts";
import type { PluginType } from "../../index.ts";
export const schemas = {
@ -140,12 +141,10 @@ export default (plugin: PluginType) => {
}
// Verify the client_secret
const client = await db.query.Applications.findFirst({
where: (application, { eq }) =>
eq(application.clientId, client_id),
});
const client =
await Application.fromClientId(client_id);
if (!client || client.secret !== client_secret) {
if (!client || client.data.secret !== client_secret) {
return context.json(
{
error: "invalid_client",

34
plugins/openid/routes/sso/index.ts
View file

@ -1,10 +1,7 @@
import { auth } from "@/api";
import { db } from "@versia/kit/db";
import {
Applications,
OpenIdLoginFlows,
RolePermissions,
} from "@versia/kit/tables";
import { Application } from "@versia/kit/db";
import { OpenIdLoginFlows, RolePermissions } from "@versia/kit/tables";
import {
calculatePKCECodeChallenge,
generateRandomCodeVerifier,
@ -169,22 +166,17 @@ export default (plugin: PluginType) => {
issuerId,
);
const application = (
await db
.insert(Applications)
.values({
clientId:
user.id +
Buffer.from(
crypto.getRandomValues(new Uint8Array(32)),
).toString("base64"),
name: "Versia",
redirectUri,
scopes: "openid profile email",
secret: "",
})
.returning()
)[0];
const application = await Application.insert({
clientId:
user.id +
Buffer.from(
crypto.getRandomValues(new Uint8Array(32)),
).toString("base64"),
name: "Versia",
redirectUri,
scopes: "openid profile email",
secret: "",
});
// Store into database
const newFlow = (