Spaces:
Running
Running
File size: 4,548 Bytes
e69cb4a e4a770a 64d3841 fa3b3b4 c6129c3 e69cb4a de2df1a 64d3841 e4a770a f09c5f3 ddbe7d2 2e28042 64d3841 e69cb4a c6129c3 e69cb4a c6129c3 e69cb4a f09c5f3 e69cb4a 64d3841 bc30bd1 de2df1a 64d3841 e4a770a 64d3841 e4a770a d5559df e4a770a 2e28042 64d3841 2e28042 64d3841 767afa7 64d3841 e69cb4a 64d3841 e69cb4a 64d3841 e69cb4a 64d3841 767afa7 e69cb4a 64d3841 e69cb4a 64d3841 767afa7 64d3841 767afa7 64d3841 767afa7 64d3841 ddbe7d2 64d3841 767afa7 64d3841 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 |
import { Issuer, BaseClient, type UserinfoResponse, TokenSet, custom } from "openid-client";
import { addHours, addWeeks } from "date-fns";
import {
COOKIE_NAME,
OPENID_CLIENT_ID,
OPENID_CLIENT_SECRET,
OPENID_PROVIDER_URL,
OPENID_SCOPES,
OPENID_NAME_CLAIM,
OPENID_TOLERANCE,
OPENID_RESOURCE,
OPENID_CONFIG,
ALLOW_INSECURE_COOKIES,
} from "$env/static/private";
import { sha256 } from "$lib/utils/sha256";
import { z } from "zod";
import { dev } from "$app/environment";
import type { Cookies } from "@sveltejs/kit";
import { collections } from "./database";
import JSON5 from "json5";
import { logger } from "$lib/server/logger";
export interface OIDCSettings {
redirectURI: string;
}
export interface OIDCUserInfo {
token: TokenSet;
userData: UserinfoResponse;
}
const stringWithDefault = (value: string) =>
z
.string()
.default(value)
.transform((el) => (el ? el : value));
export const OIDConfig = z
.object({
CLIENT_ID: stringWithDefault(OPENID_CLIENT_ID),
CLIENT_SECRET: stringWithDefault(OPENID_CLIENT_SECRET),
PROVIDER_URL: stringWithDefault(OPENID_PROVIDER_URL),
SCOPES: stringWithDefault(OPENID_SCOPES),
NAME_CLAIM: stringWithDefault(OPENID_NAME_CLAIM).refine(
(el) => !["preferred_username", "email", "picture", "sub"].includes(el),
{ message: "nameClaim cannot be one of the restricted keys." }
),
TOLERANCE: stringWithDefault(OPENID_TOLERANCE),
RESOURCE: stringWithDefault(OPENID_RESOURCE),
})
.parse(JSON5.parse(OPENID_CONFIG));
export const requiresUser = !!OIDConfig.CLIENT_ID && !!OIDConfig.CLIENT_SECRET;
export function refreshSessionCookie(cookies: Cookies, sessionId: string) {
cookies.set(COOKIE_NAME, sessionId, {
path: "/",
// So that it works inside the space's iframe
sameSite: dev || ALLOW_INSECURE_COOKIES === "true" ? "lax" : "none",
secure: !dev && !(ALLOW_INSECURE_COOKIES === "true"),
httpOnly: true,
expires: addWeeks(new Date(), 2),
});
}
export async function findUser(sessionId: string) {
const session = await collections.sessions.findOne({ sessionId });
if (!session) {
return null;
}
return await collections.users.findOne({ _id: session.userId });
}
export const authCondition = (locals: App.Locals) => {
return locals.user
? { userId: locals.user._id }
: { sessionId: locals.sessionId, userId: { $exists: false } };
};
/**
* Generates a CSRF token using the user sessionId. Note that we don't need a secret because sessionId is enough.
*/
export async function generateCsrfToken(sessionId: string, redirectUrl: string): Promise<string> {
const data = {
expiration: addHours(new Date(), 1).getTime(),
redirectUrl,
};
return Buffer.from(
JSON.stringify({
data,
signature: await sha256(JSON.stringify(data) + "##" + sessionId),
})
).toString("base64");
}
async function getOIDCClient(settings: OIDCSettings): Promise<BaseClient> {
const issuer = await Issuer.discover(OIDConfig.PROVIDER_URL);
return new issuer.Client({
client_id: OIDConfig.CLIENT_ID,
client_secret: OIDConfig.CLIENT_SECRET,
redirect_uris: [settings.redirectURI],
response_types: ["code"],
[custom.clock_tolerance]: OIDConfig.TOLERANCE || undefined,
});
}
export async function getOIDCAuthorizationUrl(
settings: OIDCSettings,
params: { sessionId: string }
): Promise<string> {
const client = await getOIDCClient(settings);
const csrfToken = await generateCsrfToken(params.sessionId, settings.redirectURI);
return client.authorizationUrl({
scope: OIDConfig.SCOPES,
state: csrfToken,
resource: OIDConfig.RESOURCE || undefined,
});
}
export async function getOIDCUserData(settings: OIDCSettings, code: string): Promise<OIDCUserInfo> {
const client = await getOIDCClient(settings);
const token = await client.callback(settings.redirectURI, { code });
const userData = await client.userinfo(token);
return { token, userData };
}
export async function validateAndParseCsrfToken(
token: string,
sessionId: string
): Promise<{
/** This is the redirect url that was passed to the OIDC provider */
redirectUrl: string;
} | null> {
try {
const { data, signature } = z
.object({
data: z.object({
expiration: z.number().int(),
redirectUrl: z.string().url(),
}),
signature: z.string().length(64),
})
.parse(JSON.parse(token));
const reconstructSign = await sha256(JSON.stringify(data) + "##" + sessionId);
if (data.expiration > Date.now() && signature === reconstructSign) {
return { redirectUrl: data.redirectUrl };
}
} catch (e) {
logger.error(e);
}
return null;
}
|