File size: 3,235 Bytes
64d3841 767afa7 64d3841 2e28042 64d3841 2e28042 64d3841 2e28042 64d3841 767afa7 64d3841 767afa7 64d3841 767afa7 64d3841 767afa7 64d3841 767afa7 64d3841 767afa7 64d3841 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 |
import { Issuer, BaseClient, type UserinfoResponse, TokenSet } from "openid-client";
import { addHours, addYears } from "date-fns";
import {
COOKIE_NAME,
OPENID_CLIENT_ID,
OPENID_CLIENT_SECRET,
OPENID_PROVIDER_URL,
} from "$env/static/private";
import { sha256 } from "$lib/utils/sha256";
import { z } from "zod";
import { dev } from "$app/environment";
import type { Cookies } from "@sveltejs/kit";
export interface OIDCSettings {
redirectURI: string;
}
export interface OIDCUserInfo {
token: TokenSet;
userData: UserinfoResponse;
}
export const requiresUser = !!OPENID_CLIENT_ID && !!OPENID_CLIENT_SECRET;
export function refreshSessionCookie(cookies: Cookies, sessionId: string) {
cookies.set(COOKIE_NAME, sessionId, {
path: "/",
// So that it works inside the space's iframe
sameSite: dev ? "lax" : "none",
secure: !dev,
httpOnly: true,
expires: addYears(new Date(), 1),
});
}
export const OIDC_SCOPES = "openid profile";
export const authCondition = (locals: App.Locals) => {
return locals.user
? { userId: locals.user._id }
: { sessionId: locals.sessionId, userId: { $exists: false } };
};
/**
* Generates a CSRF token using the user sessionId. Note that we don't need a secret because sessionId is enough.
*/
export async function generateCsrfToken(sessionId: string, redirectUrl: string): Promise<string> {
const data = {
expiration: addHours(new Date(), 1).getTime(),
redirectUrl,
};
return Buffer.from(
JSON.stringify({
data,
signature: await sha256(JSON.stringify(data) + "##" + sessionId),
})
).toString("base64");
}
async function getOIDCClient(settings: OIDCSettings): Promise<BaseClient> {
const issuer = await Issuer.discover(OPENID_PROVIDER_URL);
return new issuer.Client({
client_id: OPENID_CLIENT_ID,
client_secret: OPENID_CLIENT_SECRET,
redirect_uris: [settings.redirectURI],
response_types: ["code"],
});
}
export async function getOIDCAuthorizationUrl(
settings: OIDCSettings,
params: { sessionId: string }
): Promise<string> {
const client = await getOIDCClient(settings);
const csrfToken = await generateCsrfToken(params.sessionId, settings.redirectURI);
const url = client.authorizationUrl({
scope: OIDC_SCOPES,
state: csrfToken,
});
return url;
}
export async function getOIDCUserData(settings: OIDCSettings, code: string): Promise<OIDCUserInfo> {
const client = await getOIDCClient(settings);
const token = await client.callback(settings.redirectURI, { code });
const userData = await client.userinfo(token);
return { token, userData };
}
export async function validateAndParseCsrfToken(
token: string,
sessionId: string
): Promise<{
/** This is the redirect url that was passed to the OIDC provider */
redirectUrl: string;
} | null> {
try {
const { data, signature } = z
.object({
data: z.object({
expiration: z.number().int(),
redirectUrl: z.string().url(),
}),
signature: z.string().length(64),
})
.parse(JSON.parse(token));
const reconstructSign = await sha256(JSON.stringify(data) + "##" + sessionId);
if (data.expiration > Date.now() && signature === reconstructSign) {
return { redirectUrl: data.redirectUrl };
}
} catch (e) {
console.error(e);
}
return null;
}
|