feat: Give the auth_oauth2 module its own flow management

Author: Blckbrry-Pi

modules/auth_oauth2/db/migrations/20240508161825_/migration.sql

@@ -0,0 +1,14 @@
+-- CreateTable
+CREATE TABLE "LoginAttempts" (
+    "id" TEXT NOT NULL,
+    "providerId" TEXT NOT NULL,
+    "state" TEXT NOT NULL,
+    "codeVerifier" TEXT NOT NULL,
+    "identifier" TEXT,
+    "startedAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "expiresAt" TIMESTAMP(3) NOT NULL,
+    "completedAt" TIMESTAMP(3),
+    "invalidatedAt" TIMESTAMP(3),
+
+    CONSTRAINT "LoginAttempts_pkey" PRIMARY KEY ("id")
+);

modules/auth_oauth2/db/migrations/20240701012627_init/migration.sql

@@ -4,45 +4,17 @@ datasource db {
 	url      = env("DATABASE_URL")
 }
 
-model OAuthUsers {
-    userId          String      @db.Uuid
-
-    provider        String
-    sub             String
-    createdAt       DateTime    @default(now()) @db.Timestamp
-
-	@@id([provider, userId])
-}
-
-model OAuthLoginAttempt {
+model LoginAttempts {
 	id              String      @id @default(uuid())
 
-	provider        String
+	providerId      String
 	state           String
 	codeVerifier    String
-	targetUrl       String
 
-	createdAt       DateTime    @default(now())
-	updatedAt       DateTime    @updatedAt
-	completedAt     DateTime?
-	invalidatedAt   DateTime?
-
-	creds           OAuthCreds?
-}
+	identifier      String?
 
-model OAuthCreds {
-	id              String      @id @default(uuid())
-
-	provider        String
-	accessToken     String
-	refreshToken    String
+	startedAt       DateTime    @default(now())
 	expiresAt       DateTime
-	userToken       String
-
-	createdAt       DateTime    @default(now())
-	updatedAt       DateTime    @updatedAt
-
-	loginAttemptId  String            @unique
-	loginAttempt    OAuthLoginAttempt @relation(fields: [loginAttemptId], references: [id])
+	completedAt     DateTime?
+	invalidatedAt   DateTime?
 }
-

modules/auth_oauth2/db/schema.prisma

@@ -14,24 +14,30 @@
     "status": "beta",
     "dependencies": {
         "rate_limit": {},
+        "auth_providers": {},
         "users": {},
         "tokens": {}
     },
     "routes": {
-        "login_link": {
-            "name": "Login Link",
-            "description": "Generate a login link for accessing OpenGB.",
-            "method": "GET",
-            "pathPrefix": "/login/"
-        },
         "login_callback": {
             "name": "OAuth Redirect Callback",
             "description": "Verify a user's OAuth login and create a session.",
             "method": "GET",
             "pathPrefix": "/callback/"
         }
     },
-    "scripts": {},
+    "scripts": {
+        "start_login": {
+            "name": "Start Login",
+            "description": "Start the OAuth login process. Returns a URL to redirect the user to and a flow token.",
+            "public": true
+        },
+        "get_status": {
+            "name": "Get Status",
+            "description": "Check the status of a OAuth login using the flow token. Returns the status of the login flow.",
+            "public": true
+        }
+    },
     "errors": {
         "already_friends": {
             "name": "Already Friends"

modules/auth_oauth2/module.json

@@ -5,121 +5,100 @@ import {
 	RouteResponse,
 } from "../module.gen.ts";
 
-import { getCodeVerifierFromCookie, getStateFromCookie, getLoginIdFromCookie } from "../utils/trace.ts";
 import { getFullConfig } from "../utils/env.ts";
 import { getClient } from "../utils/client.ts";
 import { getUserUniqueIdentifier } from "../utils/client.ts";
 
+import { compareConstantTime, stateToDataStr } from "../utils/state.ts";
+import { OAUTH_DONE_HTML } from "../utils/pages.ts";
+
 export async function handle(
 	ctx: RouteContext,
 	req: RouteRequest,
 ): Promise<RouteResponse> {
-	// Max 2 login attempts per IP per minute
+	// Max 5 login attempts per IP per minute
 	ctx.modules.rateLimit.throttlePublic({ requests: 5, period: 60 });
 
 	// Ensure that the provider configurations are valid
-	const config = await getFullConfig(ctx.userConfig);
+	const config = await getFullConfig(ctx.config);
 	if (!config) throw new RuntimeError("invalid_config", { statusCode: 500 });
 
-	const loginId = getLoginIdFromCookie(ctx);
-	const codeVerifier = getCodeVerifierFromCookie(ctx);
-	const state = getStateFromCookie(ctx);
+	// Get the URI that this request was made to
+	const uri = new URL(req.url);
 
-	if (!loginId || !codeVerifier || !state) throw new RuntimeError("missing_login_data", { statusCode: 400 });
+	// Get the state from the URI
+	const redirectedState = uri.searchParams.get("state");
+	if (!redirectedState) {
+		throw new RuntimeError("missing_state", { statusCode: 400 });
+	}
 
+	// Extract the data from the state
+	const stateData = await stateToDataStr(config.oauthSecret, redirectedState);
+	const { flowId, providerId } = JSON.parse(stateData);
 
 	// Get the login attempt stored in the database
-	const loginAttempt = await ctx.db.oAuthLoginAttempt.findUnique({
-		where: { id: loginId, completedAt: null, invalidatedAt: null },
+	const loginAttempt = await ctx.db.loginAttempts.findUnique({
+		where: {
+			id: flowId,
+		},
 	});
-
 	if (!loginAttempt) throw new RuntimeError("login_not_found", { statusCode: 400 });
-	if (loginAttempt.state !== state) throw new RuntimeError("invalid_state", { statusCode: 400 });
-	if (loginAttempt.codeVerifier !== codeVerifier) throw new RuntimeError("invalid_code_verifier", { statusCode: 400 });
+
+	// Check if the login attempt is valid
+	if (loginAttempt.completedAt) {
+		throw new RuntimeError("login_already_completed", { statusCode: 400 });
+	}
+	if (loginAttempt.invalidatedAt) {
+		throw new RuntimeError("login_cancelled", { statusCode: 400 });
+	}
+	if (new Date(loginAttempt.expiresAt) < new Date()) {
+		throw new RuntimeError("login_expired", { statusCode: 400 });
+	}
+
+	// Check if the provider ID and state match
+	const providerIdMatch = compareConstantTime(loginAttempt.providerId, providerId);
+	const stateMatch = compareConstantTime(loginAttempt.state, redirectedState);
+	if (!providerIdMatch || !stateMatch) throw new RuntimeError("invalid_state", { statusCode: 400 });
+
+	const { state, codeVerifier } = loginAttempt;
 
 	// Get the provider config
-	const provider = config.providers[loginAttempt.provider];
+	const provider = config.providers[providerId];
 	if (!provider) throw new RuntimeError("invalid_provider", { statusCode: 400 });
 
 	// Get the oauth client
-	const client = getClient(config, provider.name, new URL(req.url));
+	const client = getClient(config, provider.name);
 	if (!client.config.redirectUri) throw new RuntimeError("invalid_config", { statusCode: 500 });
 
-
-	// Get the URI that this request was made to
-	const uri = new URL(req.url);
-	const uriStr = uri.toString();
-
 	// Get the user's tokens and sub
 	let tokens: Awaited<ReturnType<typeof client.code.getToken>>;
-	let sub: string;
+	let ident: string;
 	try {
-		tokens = await client.code.getToken(uriStr, { state, codeVerifier });
-		sub = await getUserUniqueIdentifier(tokens.accessToken, provider);
+		tokens = await client.code.getToken(uri.toString(), { state, codeVerifier });
+		ident = await getUserUniqueIdentifier(tokens.accessToken, provider);
 	} catch (e) {
 		console.error(e);
 		throw new RuntimeError("invalid_oauth_response", { statusCode: 502 });
 	}
 
-	const expiresIn = tokens.expiresIn ?? 3600;
-	const expiry = new Date(Date.now() + expiresIn);
-
-	// Ensure the user is registered with this sub/provider combo
-	const user = await ctx.db.oAuthUsers.findFirst({
+	// Update the login attempt
+	await ctx.db.loginAttempts.update({
 		where: {
-			sub,
-			provider: loginAttempt.provider,
+			id: flowId,
 		},
-	});
-
-	let userId: string;
-	if (user) {
-		userId = user.userId;
-	} else {
-		const { user: newUser } = await ctx.modules.users.createUser({ username: sub });
-		await ctx.db.oAuthUsers.create({
-			data: {
-				sub,
-				provider: loginAttempt.provider,
-				userId: newUser.id,
-			},
-		});
-
-		userId = newUser.id;
-	}
-
-	// Generate a token which the user can use to authenticate with this module
-	const { token } = await ctx.modules.users.createUserToken({ userId });
-
-	// Record the credentials
-	await ctx.db.oAuthCreds.create({
 		data: {
-			loginAttemptId: loginAttempt.id,
-			provider: provider.name,
-			accessToken: tokens.accessToken,
-			refreshToken: tokens.refreshToken ?? "",
-			userToken: token.token,
-			expiresAt: expiry,
+			identifier: ident,
+			completedAt: new Date(),
 		},
 	});
 
-
-	const response = RouteResponse.redirect(loginAttempt.targetUrl, 303);
-
-    const headers = new Headers(response.headers);
-
-	// Clear login session cookies
-	const expireAttribs = `Path=/; Max-Age=0; SameSite=Lax; Expires=${new Date(0).toUTCString()}`;
-	headers.append("Set-Cookie", `login_id=EXPIRED; ${expireAttribs}`);
-	headers.append("Set-Cookie", `code_verifier=EXPIRED; ${expireAttribs}`);
-	headers.append("Set-Cookie", `state=EXPIRED; ${expireAttribs}`);
-
-	// Tell the browser to never cache this page
-	headers.set("Cache-Control", "no-store");
-
-	// Set token cookie
-	const cookieAttribs = `Path=/; Max-Age=${expiresIn}; SameSite=Lax; Expires=${expiry.toUTCString()}`;
-	headers.append("Set-Cookie", `token=${token.token}; ${cookieAttribs}`);
-
-	return new Response(response.body, { status: response.status, headers });
+	return new RouteResponse(
+		OAUTH_DONE_HTML,
+		{
+			status: 200,
+			headers: {
+				"Content-Type": "text/html",
+			},
+		},
+	);
 }