| | import { Issuer, BaseClient, type UserinfoResponse, TokenSet } from "openid-client"; |
| | import { addHours, addYears } from "date-fns"; |
| | import { |
| | COOKIE_NAME, |
| | OPENID_CLIENT_ID, |
| | OPENID_CLIENT_SECRET, |
| | OPENID_PROVIDER_URL, |
| | OPENID_SCOPES, |
| | } from "$env/static/private"; |
| | import { sha256 } from "$lib/utils/sha256"; |
| | import { z } from "zod"; |
| | import { dev } from "$app/environment"; |
| | import type { Cookies } from "@sveltejs/kit"; |
| |
|
| | export interface OIDCSettings { |
| | redirectURI: string; |
| | } |
| |
|
| | export interface OIDCUserInfo { |
| | token: TokenSet; |
| | userData: UserinfoResponse; |
| | } |
| |
|
| | export const requiresUser = !!OPENID_CLIENT_ID && !!OPENID_CLIENT_SECRET; |
| |
|
| | export function refreshSessionCookie(cookies: Cookies, sessionId: string) { |
| | cookies.set(COOKIE_NAME, sessionId, { |
| | path: "/", |
| | |
| | sameSite: dev ? "lax" : "none", |
| | secure: !dev, |
| | httpOnly: true, |
| | expires: addYears(new Date(), 1), |
| | }); |
| | } |
| |
|
| | export const authCondition = (locals: App.Locals) => { |
| | return locals.user |
| | ? { userId: locals.user._id } |
| | : { sessionId: locals.sessionId, userId: { $exists: false } }; |
| | }; |
| |
|
| | |
| | |
| | |
| | export async function generateCsrfToken(sessionId: string, redirectUrl: string): Promise<string> { |
| | const data = { |
| | expiration: addHours(new Date(), 1).getTime(), |
| | redirectUrl, |
| | }; |
| |
|
| | return Buffer.from( |
| | JSON.stringify({ |
| | data, |
| | signature: await sha256(JSON.stringify(data) + "##" + sessionId), |
| | }) |
| | ).toString("base64"); |
| | } |
| |
|
| | async function getOIDCClient(settings: OIDCSettings): Promise<BaseClient> { |
| | const issuer = await Issuer.discover(OPENID_PROVIDER_URL); |
| | return new issuer.Client({ |
| | client_id: OPENID_CLIENT_ID, |
| | client_secret: OPENID_CLIENT_SECRET, |
| | redirect_uris: [settings.redirectURI], |
| | response_types: ["code"], |
| | }); |
| | } |
| |
|
| | export async function getOIDCAuthorizationUrl( |
| | settings: OIDCSettings, |
| | params: { sessionId: string } |
| | ): Promise<string> { |
| | const client = await getOIDCClient(settings); |
| | const csrfToken = await generateCsrfToken(params.sessionId, settings.redirectURI); |
| | const url = client.authorizationUrl({ |
| | scope: OPENID_SCOPES, |
| | state: csrfToken, |
| | }); |
| |
|
| | return url; |
| | } |
| |
|
| | export async function getOIDCUserData(settings: OIDCSettings, code: string): Promise<OIDCUserInfo> { |
| | const client = await getOIDCClient(settings); |
| | const token = await client.callback(settings.redirectURI, { code }); |
| | const userData = await client.userinfo(token); |
| |
|
| | return { token, userData }; |
| | } |
| |
|
| | export async function validateAndParseCsrfToken( |
| | token: string, |
| | sessionId: string |
| | ): Promise<{ |
| | |
| | redirectUrl: string; |
| | } | null> { |
| | try { |
| | const { data, signature } = z |
| | .object({ |
| | data: z.object({ |
| | expiration: z.number().int(), |
| | redirectUrl: z.string().url(), |
| | }), |
| | signature: z.string().length(64), |
| | }) |
| | .parse(JSON.parse(token)); |
| | const reconstructSign = await sha256(JSON.stringify(data) + "##" + sessionId); |
| |
|
| | if (data.expiration > Date.now() && signature === reconstructSign) { |
| | return { redirectUrl: data.redirectUrl }; |
| | } |
| | } catch (e) { |
| | console.error(e); |
| | } |
| | return null; |
| | } |
| |
|
