Add new OAuth verification page

2026-03-13 22:09:16 +01:00 · 2024-03-13 17:02:50 -10:00 · 2024-03-13 17:02:50 -10:00 · 9ec3d96f9d
commit 9ec3d96f9d
parent 626b2cb311
6 changed files with 201 additions and 3 deletions
--- a/server/api/auth/login/index.ts
+++ b/server/api/auth/login/index.ts
@ -89,6 +89,17 @@ export default apiRoute<{
 		},
 	});

-	// Redirect back to application
-	return Response.redirect(`${redirect_uri}?code=${code}`, 302);
+	// Redirect to OAuth confirmation screen
+	return Response.redirect(
+		`/oauth/redirect?` +
+			new URLSearchParams({
+				redirect_uri,
+				code,
+				client_id,
+				application: application.name,
+				website: application.website ?? "",
+				scope: scopes.join(" "),
+			}).toString(),
+		302
+	);
 });
--- a/server/api/auth/redirect/index.ts
+++ b/server/api/auth/redirect/index.ts
@ -0,0 +1,58 @@
+import { apiRoute, applyConfig } from "@api";
+import { client } from "~database/datasource";
+import { userRelations } from "~database/entities/User";
+
+export const meta = applyConfig({
+	allowedMethods: ["POST"],
+	ratelimits: {
+		max: 4,
+		duration: 60,
+	},
+	route: "/auth/redirect",
+	auth: {
+		required: false,
+	},
+});
+
+/**
+ * OAuth Code flow
+ */
+export default apiRoute<{
+	email: string;
+	password: string;
+}>(async (req, matchedRoute) => {
+	const redirect_uri = decodeURIComponent(matchedRoute.query.redirect_uri);
+	const client_id = matchedRoute.query.client_id;
+	const code = matchedRoute.query.code;
+
+	const redirectToLogin = (error: string) =>
+		Response.redirect(
+			`/oauth/authorize?` +
+				new URLSearchParams({
+					...matchedRoute.query,
+					error: encodeURIComponent(error),
+				}).toString(),
+			302
+		);
+
+	// Get token
+	const token = await client.token.findFirst({
+		where: {
+			code,
+			application: {
+				client_id,
+			},
+		},
+		include: {
+			user: {
+				include: userRelations,
+			},
+			application: true,
+		},
+	});
+
+	if (!token) return redirectToLogin("Invalid code");
+
+	// Redirect back to application
+	return Response.redirect(`${redirect_uri}?code=${code}`, 302);
+});
--- a/server/api/oauth/callback/[issuer]/index.ts
+++ b/server/api/oauth/callback/[issuer]/index.ts
@ -184,7 +184,15 @@ export default apiRoute(async (req, matchedRoute, extraData) => {

 	// Redirect back to application
 	return Response.redirect(
-		`${flow.application.redirect_uris}?code=${code}`,
+		`/oauth/redirect?` +
+			new URLSearchParams({
+				redirect_uri: flow.application.redirect_uris,
+				code,
+				client_id: flow.application.client_id,
+				application: flow.application.name,
+				website: flow.application.website ?? "",
+				scope: flow.application.scopes,
+			}).toString(),
 		302
 	);
 });