feat: add oidc

packages/auth/server/lib/utils/handle-oauth-authorize-url.ts

@@ -0,0 +1,86 @@
+import { CodeChallengeMethod, OAuth2Client, generateCodeVerifier, generateState } from 'arctic';
+import type { Context } from 'hono';
+import { setCookie } from 'hono/cookie';
+
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+
+import type { OAuthClientOptions } from '../../config';
+import { sessionCookieOptions } from '../session/session-cookies';
+import { getOpenIdConfiguration } from './open-id';
+
+type HandleOAuthAuthorizeUrlOptions = {
+  /**
+   * Hono context.
+   */
+  c: Context;
+
+  /**
+   * OAuth client options.
+   */
+  clientOptions: OAuthClientOptions;
+
+  /**
+   * Optional redirect path to redirect the user somewhere on the app after authorization.
+   */
+  redirectPath?: string;
+};
+
+const oauthCookieMaxAge = 60 * 10; // 10 minutes.
+
+export const handleOAuthAuthorizeUrl = async (options: HandleOAuthAuthorizeUrlOptions) => {
+  const { c, clientOptions, redirectPath } = options;
+
+  if (!clientOptions.clientId || !clientOptions.clientSecret) {
+    throw new AppError(AppErrorCode.NOT_SETUP);
+  }
+
+  const { authorization_endpoint } = await getOpenIdConfiguration(clientOptions.wellKnownUrl, {
+    requiredScopes: clientOptions.scope,
+  });
+
+  const oAuthClient = new OAuth2Client(
+    clientOptions.clientId,
+    clientOptions.clientSecret,
+    clientOptions.redirectUrl,
+  );
+
+  const scopes = clientOptions.scope;
+  const state = generateState();
+
+  const codeVerifier = generateCodeVerifier();
+
+  const url = oAuthClient.createAuthorizationURLWithPKCE(
+    authorization_endpoint,
+    state,
+    CodeChallengeMethod.S256,
+    codeVerifier,
+    scopes,
+  );
+
+  // Allow user to select account during login.
+  url.searchParams.append('prompt', 'login');
+
+  setCookie(c, `${clientOptions.id}_oauth_state`, state, {
+    ...sessionCookieOptions,
+    sameSite: 'lax',
+    maxAge: oauthCookieMaxAge,
+  });
+
+  setCookie(c, `${clientOptions.id}_code_verifier`, codeVerifier, {
+    ...sessionCookieOptions,
+    sameSite: 'lax',
+    maxAge: oauthCookieMaxAge,
+  });
+
+  if (redirectPath) {
+    setCookie(c, `${clientOptions.id}_redirect_path`, `${state} ${redirectPath}`, {
+      ...sessionCookieOptions,
+      sameSite: 'lax',
+      maxAge: oauthCookieMaxAge,
+    });
+  }
+
+  return c.json({
+    redirectUrl: url.toString(),
+  });
+};

packages/auth/server/lib/utils/handle-oauth-callback-url.ts

@@ -0,0 +1,192 @@
+import { OAuth2Client, decodeIdToken } from 'arctic';
+import type { Context } from 'hono';
+import { deleteCookie } from 'hono/cookie';
+
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { onCreateUserHook } from '@documenso/lib/server-only/user/create-user';
+import { prisma } from '@documenso/prisma';
+import { UserSecurityAuditLogType } from '@documenso/prisma/client';
+
+import type { OAuthClientOptions } from '../../config';
+import { AuthenticationErrorCode } from '../errors/error-codes';
+import { onAuthorize } from './authorizer';
+import { getOpenIdConfiguration } from './open-id';
+
+type HandleOAuthCallbackUrlOptions = {
+  c: Context;
+  clientOptions: OAuthClientOptions;
+};
+
+export const handleOAuthCallbackUrl = async (options: HandleOAuthCallbackUrlOptions) => {
+  const { c, clientOptions } = options;
+
+  if (!clientOptions.clientId || !clientOptions.clientSecret) {
+    throw new AppError(AppErrorCode.NOT_SETUP);
+  }
+
+  const { token_endpoint } = await getOpenIdConfiguration(clientOptions.wellKnownUrl, {
+    requiredScopes: clientOptions.scope,
+  });
+
+  const oAuthClient = new OAuth2Client(
+    clientOptions.clientId,
+    clientOptions.clientSecret,
+    clientOptions.redirectUrl,
+  );
+
+  const requestMeta = c.get('requestMetadata');
+
+  const code = c.req.query('code');
+  const state = c.req.query('state');
+
+  const storedState = deleteCookie(c, `${clientOptions.id}_oauth_state`);
+  const storedCodeVerifier = deleteCookie(c, `${clientOptions.id}_code_verifier`);
+  const storedRedirectPath = deleteCookie(c, `${clientOptions.id}_redirect_path`) ?? '';
+
+  if (!code || !storedState || state !== storedState || !storedCodeVerifier) {
+    throw new AppError(AppErrorCode.INVALID_REQUEST, {
+      message: 'Invalid or missing state',
+    });
+  }
+
+  // eslint-disable-next-line prefer-const
+  let [redirectState, redirectPath] = storedRedirectPath.split(' ');
+
+  if (redirectState !== storedState || !redirectPath) {
+    redirectPath = '/documents';
+  }
+
+  const tokens = await oAuthClient.validateAuthorizationCode(
+    token_endpoint,
+    code,
+    storedCodeVerifier,
+  );
+
+  const accessToken = tokens.accessToken();
+  const accessTokenExpiresAt = tokens.accessTokenExpiresAt();
+  const idToken = tokens.idToken();
+
+  // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+  const claims = decodeIdToken(tokens.idToken()) as Record<string, unknown>;
+
+  const email = claims.email;
+  const name = claims.name;
+  const sub = claims.sub;
+
+  if (typeof email !== 'string' || typeof name !== 'string' || typeof sub !== 'string') {
+    throw new AppError(AuthenticationErrorCode.InvalidRequest, {
+      message: 'Invalid claims',
+    });
+  }
+
+  if (claims.email_verified !== true) {
+    throw new AppError(AuthenticationErrorCode.UnverifiedEmail, {
+      message: 'Account email is not verified',
+    });
+  }
+
+  // Find the account if possible.
+  const existingAccount = await prisma.account.findFirst({
+    where: {
+      provider: clientOptions.id,
+      providerAccountId: sub,
+    },
+    include: {
+      user: true,
+    },
+  });
+
+  // Directly log in user if account already exists.
+  if (existingAccount) {
+    await onAuthorize({ userId: existingAccount.user.id }, c);
+
+    return c.redirect(redirectPath, 302);
+  }
+
+  const userWithSameEmail = await prisma.user.findFirst({
+    where: {
+      email: email,
+    },
+  });
+
+  // Handle existing user but no account.
+  if (userWithSameEmail) {
+    await prisma.$transaction(async (tx) => {
+      await tx.account.create({
+        data: {
+          type: 'oauth',
+          provider: clientOptions.id,
+          providerAccountId: sub,
+          access_token: accessToken,
+          expires_at: Math.floor(accessTokenExpiresAt.getTime() / 1000),
+          token_type: 'Bearer',
+          id_token: idToken,
+          userId: userWithSameEmail.id,
+        },
+      });
+
+      // Log link event.
+      await tx.userSecurityAuditLog.create({
+        data: {
+          userId: userWithSameEmail.id,
+          ipAddress: requestMeta.ipAddress,
+          userAgent: requestMeta.userAgent,
+          type: UserSecurityAuditLogType.ACCOUNT_SSO_LINK,
+        },
+      });
+
+      // If account already exists in an unverified state, remove the password to ensure
+      // they cannot sign in since we cannot confirm the password was set by the user.
+      if (!userWithSameEmail.emailVerified) {
+        await tx.user.update({
+          where: {
+            id: userWithSameEmail.id,
+          },
+          data: {
+            emailVerified: new Date(),
+            password: null, // Todo: Check this
+          },
+        });
+      }
+    });
+
+    await onAuthorize({ userId: userWithSameEmail.id }, c);
+
+    return c.redirect(redirectPath, 302);
+  }
+
+  // Handle new user.
+  const createdUser = await prisma.$transaction(async (tx) => {
+    const user = await tx.user.create({
+      data: {
+        email: email,
+        name: name,
+        emailVerified: new Date(),
+      },
+    });
+
+    await tx.account.create({
+      data: {
+        type: 'oauth',
+        provider: clientOptions.id,
+        providerAccountId: sub,
+        access_token: accessToken,
+        expires_at: Math.floor(accessTokenExpiresAt.getTime() / 1000),
+        token_type: 'Bearer',
+        id_token: idToken,
+        userId: user.id,
+      },
+    });
+
+    return user;
+  });
+
+  await onCreateUserHook(createdUser).catch((err) => {
+    // Todo: Add logging.
+    console.error(err);
+  });
+
+  await onAuthorize({ userId: createdUser.id }, c);
+
+  return c.redirect(redirectPath, 302);
+};

packages/auth/server/lib/utils/open-id.ts

@@ -0,0 +1,44 @@
+import { z } from 'zod';
+
+const ZOpenIdConfigurationSchema = z.object({
+  authorization_endpoint: z.string(),
+  token_endpoint: z.string(),
+  scopes_supported: z.array(z.string()).optional(),
+});
+
+type OpenIdConfiguration = z.infer<typeof ZOpenIdConfigurationSchema>;
+
+type GetOpenIdConfigurationOptions = {
+  requiredScopes?: string[];
+};
+
+export const getOpenIdConfiguration = async (
+  wellKnownUrl: string,
+  options: GetOpenIdConfigurationOptions = {},
+): Promise<OpenIdConfiguration> => {
+  const response = await fetch(wellKnownUrl);
+
+  if (!response.ok) {
+    throw new Error(`Failed to fetch OIDC configuration: ${response.statusText}`);
+  }
+
+  const rawConfig = await response.json();
+
+  const config = ZOpenIdConfigurationSchema.parse(rawConfig);
+
+  // Validate required endpoints
+  if (!config.authorization_endpoint) {
+    throw new Error('Missing authorization_endpoint in OIDC configuration');
+  }
+
+  const supportedScopes = config.scopes_supported ?? [];
+  const requiredScopes = options.requiredScopes ?? [];
+
+  const unsupportedScopes = requiredScopes.filter((scope) => !supportedScopes.includes(scope));
+
+  if (unsupportedScopes.length > 0) {
+    throw new Error(`Requested scopes not supported by provider: ${unsupportedScopes.join(', ')}`);
+  }
+
+  return config;
+};