Add new OAuth verification page

server/api/auth/login/index.ts

@@ -89,6 +89,17 @@ export default apiRoute<{
 		},
 	});
 
-	// Redirect back to application
-	return Response.redirect(`${redirect_uri}?code=${code}`, 302);
+	// Redirect to OAuth confirmation screen
+	return Response.redirect(
+		`/oauth/redirect?` +
+			new URLSearchParams({
+				redirect_uri,
+				code,
+				client_id,
+				application: application.name,
+				website: application.website ?? "",
+				scope: scopes.join(" "),
+			}).toString(),
+		302
+	);
 });

server/api/auth/redirect/index.ts

@@ -0,0 +1,58 @@
+import { apiRoute, applyConfig } from "@api";
+import { client } from "~database/datasource";
+import { userRelations } from "~database/entities/User";
+
+export const meta = applyConfig({
+	allowedMethods: ["POST"],
+	ratelimits: {
+		max: 4,
+		duration: 60,
+	},
+	route: "/auth/redirect",
+	auth: {
+		required: false,
+	},
+});
+
+/**
+ * OAuth Code flow
+ */
+export default apiRoute<{
+	email: string;
+	password: string;
+}>(async (req, matchedRoute) => {
+	const redirect_uri = decodeURIComponent(matchedRoute.query.redirect_uri);
+	const client_id = matchedRoute.query.client_id;
+	const code = matchedRoute.query.code;
+
+	const redirectToLogin = (error: string) =>
+		Response.redirect(
+			`/oauth/authorize?` +
+				new URLSearchParams({
+					...matchedRoute.query,
+					error: encodeURIComponent(error),
+				}).toString(),
+			302
+		);
+
+	// Get token
+	const token = await client.token.findFirst({
+		where: {
+			code,
+			application: {
+				client_id,
+			},
+		},
+		include: {
+			user: {
+				include: userRelations,
+			},
+			application: true,
+		},
+	});
+
+	if (!token) return redirectToLogin("Invalid code");
+
+	// Redirect back to application
+	return Response.redirect(`${redirect_uri}?code=${code}`, 302);
+});