feat: Create an OAuth2 module for authenticating users

Author: Blckbrry-Pi

modules/auth_oauth2/config.ts

@@ -0,0 +1,11 @@
+export interface Config {
+    providers: Record<string, ProviderEndpoints | string>;
+}
+
+export interface ProviderEndpoints {
+    authorization: string;
+    token: string;
+    userinfo: string;
+    scopes: string;
+    userinfoKey: string;
+}

modules/auth_oauth2/db/migrations/20240508161825_/migration.sql

@@ -0,0 +1,45 @@
+-- CreateTable
+CREATE TABLE "OAuthUsers" (
+    "userId" UUID NOT NULL,
+    "provider" TEXT NOT NULL,
+    "sub" TEXT NOT NULL,
+    "createdAt" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "OAuthUsers_pkey" PRIMARY KEY ("provider","userId")
+);
+
+-- CreateTable
+CREATE TABLE "OAuthLoginAttempt" (
+    "id" TEXT NOT NULL,
+    "provider" TEXT NOT NULL,
+    "state" TEXT NOT NULL,
+    "codeVerifier" TEXT NOT NULL,
+    "targetUrl" TEXT NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+    "completedAt" TIMESTAMP(3),
+    "invalidatedAt" TIMESTAMP(3),
+
+    CONSTRAINT "OAuthLoginAttempt_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "OAuthCreds" (
+    "id" TEXT NOT NULL,
+    "provider" TEXT NOT NULL,
+    "accessToken" TEXT NOT NULL,
+    "refreshToken" TEXT NOT NULL,
+    "expiresAt" TIMESTAMP(3) NOT NULL,
+    "userToken" TEXT NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+    "loginAttemptId" TEXT NOT NULL,
+
+    CONSTRAINT "OAuthCreds_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "OAuthCreds_loginAttemptId_key" ON "OAuthCreds"("loginAttemptId");
+
+-- AddForeignKey
+ALTER TABLE "OAuthCreds" ADD CONSTRAINT "OAuthCreds_loginAttemptId_fkey" FOREIGN KEY ("loginAttemptId") REFERENCES "OAuthLoginAttempt"("id") ON DELETE RESTRICT ON UPDATE CASCADE;

modules/auth_oauth2/db/migrations/migration_lock.toml

@@ -0,0 +1,3 @@
+# Please do not edit this file manually
+# It should be added in your version-control system (i.e. Git)
+provider = "postgresql"

modules/auth_oauth2/db/schema.prisma

@@ -0,0 +1,48 @@
+// Do not modify this `datasource` block
+datasource db {
+	provider = "postgresql"
+	url      = env("DATABASE_URL")
+}
+
+model OAuthUsers {
+    userId          String      @db.Uuid
+
+    provider        String
+    sub             String
+    createdAt       DateTime    @default(now()) @db.Timestamp
+
+	@@id([provider, userId])
+}
+
+model OAuthLoginAttempt {
+	id              String      @id @default(uuid())
+
+	provider        String
+	state           String
+	codeVerifier    String
+	targetUrl       String
+
+	createdAt       DateTime    @default(now())
+	updatedAt       DateTime    @updatedAt
+	completedAt     DateTime?
+	invalidatedAt   DateTime?
+
+	creds           OAuthCreds?
+}
+
+model OAuthCreds {
+	id              String      @id @default(uuid())
+
+	provider        String
+	accessToken     String
+	refreshToken    String
+	expiresAt       DateTime
+	userToken       String
+
+	createdAt       DateTime    @default(now())
+	updatedAt       DateTime    @updatedAt
+
+	loginAttemptId  String            @unique
+	loginAttempt    OAuthLoginAttempt @relation(fields: [loginAttemptId], references: [id])
+}
+

modules/auth_oauth2/module.json

@@ -0,0 +1,58 @@
+{
+    "name": "OAuth2 Authentication Provider",
+    "description": "Authenticate users with OAuth 2.0.",
+    "icon": "key",
+    "tags": [
+        "core",
+        "user",
+        "auth"
+    ],
+    "authors": [
+        "rivet-gg",
+        "Skyler Calaman"
+    ],
+    "status": "beta",
+    "dependencies": {
+        "rate_limit": {},
+        "users": {},
+        "tokens": {}
+    },
+    "routes": {
+        "login_link": {
+            "name": "Login Link",
+            "description": "Generate a login link for accessing OpenGB.",
+            "method": "GET",
+            "pathPrefix": "/login/"
+        },
+        "login_callback": {
+            "name": "OAuth Redirect Callback",
+            "description": "Verify a user's OAuth login and create a session.",
+            "method": "GET",
+            "pathPrefix": "/callback/"
+        }
+    },
+    "scripts": {},
+    "errors": {
+        "already_friends": {
+            "name": "Already Friends"
+        },
+        "friend_request_not_found": {
+            "name": "Friend Request Not Found"
+        },
+        "friend_request_already_exists": {
+            "name": "Friend Request Already Exists"
+        },
+        "not_friend_request_recipient": {
+            "name": "Not Friend Request Recipient"
+        },
+        "friend_request_already_accepted": {
+            "name": "Friend Request Already Accepted"
+        },
+        "friend_request_already_declined": {
+            "name": "Friend Request Already Declined"
+        },
+        "cannot_send_to_self": {
+            "name": "Cannot Send to Self"
+        }
+    }
+}

modules/auth_oauth2/routes/login_callback.ts

@@ -0,0 +1,125 @@
+import {
+	RouteContext,
+	RuntimeError,
+	RouteRequest,
+	RouteResponse,
+} from "../module.gen.ts";
+
+import { getCodeVerifierFromCookie, getStateFromCookie, getLoginIdFromCookie } from "../utils/trace.ts";
+import { getFullConfig } from "../utils/env.ts";
+import { getClient } from "../utils/client.ts";
+import { getUserUniqueIdentifier } from "../utils/client.ts";
+
+export async function handle(
+	ctx: RouteContext,
+	req: RouteRequest,
+): Promise<RouteResponse> {
+	// Max 2 login attempts per IP per minute
+	ctx.modules.rateLimit.throttlePublic({ requests: 5, period: 60 });
+
+	// Ensure that the provider configurations are valid
+	const config = await getFullConfig(ctx.userConfig);
+	if (!config) throw new RuntimeError("invalid_config", { statusCode: 500 });
+
+	const loginId = getLoginIdFromCookie(ctx);
+	const codeVerifier = getCodeVerifierFromCookie(ctx);
+	const state = getStateFromCookie(ctx);
+
+	if (!loginId || !codeVerifier || !state) throw new RuntimeError("missing_login_data", { statusCode: 400 });
+
+
+	// Get the login attempt stored in the database
+	const loginAttempt = await ctx.db.oAuthLoginAttempt.findUnique({
+		where: { id: loginId, completedAt: null, invalidatedAt: null },
+	});
+
+	if (!loginAttempt) throw new RuntimeError("login_not_found", { statusCode: 400 });
+	if (loginAttempt.state !== state) throw new RuntimeError("invalid_state", { statusCode: 400 });
+	if (loginAttempt.codeVerifier !== codeVerifier) throw new RuntimeError("invalid_code_verifier", { statusCode: 400 });
+
+	// Get the provider config
+	const provider = config.providers[loginAttempt.provider];
+	if (!provider) throw new RuntimeError("invalid_provider", { statusCode: 400 });
+
+	// Get the oauth client
+	const client = getClient(config, provider.name, new URL(req.url));
+	if (!client.config.redirectUri) throw new RuntimeError("invalid_config", { statusCode: 500 });
+
+
+	// Get the URI that this request was made to
+	const uri = new URL(req.url);
+	const uriStr = uri.toString();
+
+	// Get the user's tokens and sub
+	let tokens: Awaited<ReturnType<typeof client.code.getToken>>;
+	let sub: string;
+	try {
+		tokens = await client.code.getToken(uriStr, { state, codeVerifier });
+		sub = await getUserUniqueIdentifier(tokens.accessToken, provider);
+	} catch (e) {
+		console.error(e);
+		throw new RuntimeError("invalid_oauth_response", { statusCode: 502 });
+	}
+
+	const expiresIn = tokens.expiresIn ?? 3600;
+	const expiry = new Date(Date.now() + expiresIn);
+
+	// Ensure the user is registered with this sub/provider combo
+	const user = await ctx.db.oAuthUsers.findFirst({
+		where: {
+			sub,
+			provider: loginAttempt.provider,
+		},
+	});
+
+	let userId: string;
+	if (user) {
+		userId = user.userId;
+	} else {
+		const { user: newUser } = await ctx.modules.users.createUser({ username: sub });
+		await ctx.db.oAuthUsers.create({
+			data: {
+				sub,
+				provider: loginAttempt.provider,
+				userId: newUser.id,
+			},
+		});
+
+		userId = newUser.id;
+	}
+
+	// Generate a token which the user can use to authenticate with this module
+	const { token } = await ctx.modules.users.createUserToken({ userId });
+
+	// Record the credentials
+	await ctx.db.oAuthCreds.create({
+		data: {
+			loginAttemptId: loginAttempt.id,
+			provider: provider.name,
+			accessToken: tokens.accessToken,
+			refreshToken: tokens.refreshToken ?? "",
+			userToken: token.token,
+			expiresAt: expiry,
+		},
+	});
+
+
+	const response = RouteResponse.redirect(loginAttempt.targetUrl, 303);
+
+    const headers = new Headers(response.headers);
+
+	// Clear login session cookies
+	const expireAttribs = `Path=/; Max-Age=0; SameSite=Lax; Expires=${new Date(0).toUTCString()}`;
+	headers.append("Set-Cookie", `login_id=EXPIRED; ${expireAttribs}`);
+	headers.append("Set-Cookie", `code_verifier=EXPIRED; ${expireAttribs}`);
+	headers.append("Set-Cookie", `state=EXPIRED; ${expireAttribs}`);
+
+	// Tell the browser to never cache this page
+	headers.set("Cache-Control", "no-store");
+
+	// Set token cookie
+	const cookieAttribs = `Path=/; Max-Age=${expiresIn}; SameSite=Lax; Expires=${expiry.toUTCString()}`;
+	headers.append("Set-Cookie", `token=${token.token}; ${cookieAttribs}`);
+
+	return new Response(response.body, { status: response.status, headers });
+}

modules/auth_oauth2/routes/login_link.ts

@@ -0,0 +1,91 @@
+import {
+	RouteContext,
+	RuntimeError,
+	RouteRequest,
+	RouteResponse,
+} from "../module.gen.ts";
+
+import { getFullConfig } from "../utils/env.ts";
+import { getClient } from "../utils/client.ts";
+import { generateStateStr } from "../utils/state.ts";
+
+// Maybe make different exported functions— `GET`, `POST`, etc?
+export async function handle(
+	ctx: RouteContext,
+	req: RouteRequest,
+): Promise<RouteResponse> {
+	// Max 5 login attempts per IP per minute
+	ctx.modules.rateLimit.throttlePublic({ requests: 5, period: 60 });
+
+	// Get the data from the RouteRequest query parameters
+	const url = new URL(req.url);
+	const provider = url.pathname.split("/").pop();
+	if (!provider) throw new RuntimeError(
+		"invalid_req",
+		{
+			statusCode: 400,
+			meta: {
+				err: "missing provider at end of URL",
+				path: url.pathname,
+				params: Object.fromEntries(url.searchParams.entries()),
+			},
+		},
+	);
+
+	const targetUrl = url.searchParams.get("targetUrl");
+	if (!targetUrl) throw new RuntimeError(
+		"invalid_req",
+		{
+			statusCode: 400,
+			meta: {
+				err: "missing targetUrl",
+				path: url.pathname,
+				params: Object.fromEntries(url.searchParams.entries()),
+			},
+		},
+	);
+
+    console.log({ provider, targetUrl });
+
+	// Ensure that the provider configurations are valid
+	const providers = await getFullConfig(ctx.userConfig);
+	if (!providers) throw new RuntimeError("invalid_config", { statusCode: 500 });
+
+	// Get the OAuth2 Client and generate a unique state string
+	const client = getClient(providers, provider, url);
+	const state = generateStateStr();
+
+	// Get the URI to eventually redirect the user to
+	const { uri, codeVerifier } = await client.code.getAuthorizationUri({ state });
+
+	// Create a login attempt to allow the module to later retrieve the login
+	// information
+	const { id: loginId } = await ctx.db.oAuthLoginAttempt.create({
+		data: {
+			provider,
+			targetUrl,
+			state,
+			codeVerifier,
+		},
+	});
+
+
+	// Build the response
+	const response = RouteResponse.redirect(
+		uri.toString(),
+		303,
+	);
+
+	const headers = new Headers(response.headers);
+
+	// Set login session cookies
+	const cookieOptions = `Path=/; SameSite=Lax; Max-Age=300; Expires=${new Date(Date.now() + 300 * 1000).toUTCString()}`;
+	headers.append("Set-Cookie", `login_id=${encodeURIComponent(loginId)}; ${cookieOptions}`);
+	headers.append("Set-Cookie", `code_verifier=${encodeURIComponent(codeVerifier)}; ${cookieOptions}`);
+	headers.append("Set-Cookie", `state=${encodeURIComponent(state)}; ${cookieOptions}`);
+
+	// Tell the browser to never cache this page
+	headers.set("Cache-Control", "no-store");
+
+	return new Response(response.body, { status: response.status, headers });
+}