Ryan/documenso
1
0
Fork 1
mirror of https://github.com/documenso/documenso.git synced 2025-11-21 04:01:45 +10:00
Code Issues Packages Projects Releases Wiki Activity

fix: auth

Browse Source
This commit is contained in:
David Nguyen
2025-02-09 00:46:25 +11:00
parent f5bfec1990
commit e128e9369e
13 changed files with 188 additions and 142 deletions
Download Patch File Download Diff File Expand all files Collapse all files

85
packages/auth/client/index.ts
View File

@ -1,109 +1,112 @@
import type { ClientResponse } from 'hono/client';
import type { ClientResponse, InferRequestType } from 'hono/client';
import { hc } from 'hono/client';
import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
import { AppError } from '@documenso/lib/errors/app-error';
import type { AuthAppType } from '../server';
import { handleSignInRedirect } from '../server/lib/utils/redirect';
import type {
TForgotPasswordSchema,
TResetPasswordSchema,
TSignInSchema,
TSignUpSchema,
TUpdatePasswordSchema,
TVerifyEmailSchema,
} from '../server/types/email-password';
import type { TPasskeyAuthorizeSchema } from '../server/types/passkey';
type AuthClientType = ReturnType<typeof hc<AuthAppType>>;
type TEmailPasswordSignin = InferRequestType<
AuthClientType['email-password']['authorize']['$post']
>['json'] & { redirectPath?: string };
type TPasskeySignin = InferRequestType<AuthClientType['passkey']['authorize']['$post']>['json'] & {
redirectPath?: string;
};
export class AuthClient {
public client: ReturnType<typeof hc<AuthAppType>>;
public client: AuthClientType;
private signOutRedirectUrl: string = '/signin';
private signOutredirectPath: string = '/signin';
constructor(options: { baseUrl: string }) {
this.client = hc<AuthAppType>(options.baseUrl);
}
public async signOut() {
public async signOut({ redirectPath }: { redirectPath?: string } = {}) {
await this.client.signout.$post();
window.location.href = this.signOutRedirectUrl;
window.location.href = redirectPath ?? this.signOutredirectPath;
}
public async session() {
return this.client.session.$get();
}
private async handleResponse<T>(response: ClientResponse<T>) {
private async handleError<T>(response: ClientResponse<T>): Promise<void> {
if (!response.ok) {
const error = await response.json();
throw AppError.parseError(error);
}
if (response.headers.get('content-type')?.includes('application/json')) {
return response.json();
}
return response.text();
}
public emailPassword = {
signIn: async (data: TSignInSchema & { redirectUrl?: string }) => {
const response = await this.client['email-password'].authorize
.$post({ json: data })
.then(this.handleResponse);
signIn: async (data: TEmailPasswordSignin) => {
const response = await this.client['email-password'].authorize.$post({ json: data });
await this.handleError(response);
if (data.redirectUrl) {
window.location.href = data.redirectUrl;
}
handleSignInRedirect(data.redirectPath);
},
return response;
updatePassword: async (data: TUpdatePasswordSchema) => {
const response = await this.client['email-password']['update-password'].$post({ json: data });
await this.handleError(response);
},
forgotPassword: async (data: TForgotPasswordSchema) => {
const response = await this.client['email-password']['forgot-password'].$post({ json: data });
return this.handleResponse(response);
await this.handleError(response);
},
resetPassword: async (data: TResetPasswordSchema) => {
const response = await this.client['email-password']['reset-password'].$post({ json: data });
return this.handleResponse(response);
await this.handleError(response);
},
signUp: async (data: TSignUpSchema) => {
const response = await this.client['email-password']['signup'].$post({ json: data });
return this.handleResponse(response);
await this.handleError(response);
},
verifyEmail: async (data: TVerifyEmailSchema) => {
const response = await this.client['email-password']['verify-email'].$post({ json: data });
return this.handleResponse(response);
await this.handleError(response);
return response.json();
},
};
public passkey = {
signIn: async (data: TPasskeyAuthorizeSchema & { redirectUrl?: string }) => {
const response = await this.client['passkey'].authorize
.$post({ json: data })
.then(this.handleResponse);
signIn: async (data: TPasskeySignin) => {
const response = await this.client['passkey'].authorize.$post({ json: data });
await this.handleError(response);
if (data.redirectUrl) {
window.location.href = data.redirectUrl;
}
return response;
handleSignInRedirect(data.redirectPath);
},
};
public google = {
signIn: async () => {
const response = await this.client['google'].authorize.$post().then(this.handleResponse);
signIn: async ({ redirectPath }: { redirectPath?: string } = {}) => {
const response = await this.client['google'].authorize.$post({ json: { redirectPath } });
await this.handleError(response);
if (response.redirectUrl) {
window.location.href = response.redirectUrl;
const data = await response.json();
// Redirect to external Google auth URL.
if (data.redirectUrl) {
window.location.href = data.redirectUrl;
}
return response;
},
};
}

25
packages/auth/server/lib/session/session-cookies.ts
View File

@ -1,6 +1,7 @@
import type { Context } from 'hono';
import { getSignedCookie, setSignedCookie } from 'hono/cookie';
import { deleteCookie, getSignedCookie, setSignedCookie } from 'hono/cookie';
import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
import { appLog } from '@documenso/lib/utils/debugger';
import { env } from '@documenso/lib/utils/env';
@ -16,6 +17,12 @@ const getAuthSecret = () => {
return authSecret;
};
const getAuthDomain = () => {
const url = new URL(NEXT_PUBLIC_WEBAPP_URL());
return url.hostname;
};
export const extractSessionCookieFromHeaders = (headers: Headers): string | null => {
const cookieHeader = headers.get('cookie') || '';
const cookiePairs = cookieHeader.split(';');
@ -51,10 +58,24 @@ export const setSessionCookie = async (c: Context, sessionToken: string) => {
path: '/',
// sameSite: '', // whats the default? we need to change this for embed right?
// secure: true,
domain: 'localhost', // todo
domain: getAuthDomain(),
}).catch((err) => {
appLog('SetSessionCookie', `Error setting signed cookie: ${err}`);
throw err;
});
};
/**
* Set the session cookie into the Hono context.
*
* @param c - The Hono context.
* @param sessionToken - The session token to set.
*/
export const deleteSessionCookie = (c: Context) => {
deleteCookie(c, sessionCookieName, {
path: '/',
secure: true,
domain: getAuthDomain(),
});
};

28
packages/auth/server/lib/utils/redirect.ts Normal file
View File

@ -0,0 +1,28 @@
import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
/**
* Handle an optional redirect path.
*/
export const handleRequestRedirect = (redirectUrl?: string) => {
if (!redirectUrl) {
return;
}
const url = new URL(redirectUrl, NEXT_PUBLIC_WEBAPP_URL());
if (url.origin !== NEXT_PUBLIC_WEBAPP_URL()) {
window.location.href = '/documents';
} else {
window.location.href = redirectUrl;
}
};
export const handleSignInRedirect = (redirectUrl: string = '/documents') => {
const url = new URL(redirectUrl, NEXT_PUBLIC_WEBAPP_URL());
if (url.origin !== NEXT_PUBLIC_WEBAPP_URL()) {
window.location.href = '/documents';
} else {
window.location.href = redirectUrl;
}
};

89
packages/auth/server/routes/google.ts
View File

@ -1,21 +1,22 @@
import { zValidator } from '@hono/zod-validator';
import { Google, decodeIdToken, generateCodeVerifier, generateState } from 'arctic';
import { Hono } from 'hono';
import { getCookie, setCookie } from 'hono/cookie';
import { deleteCookie, setCookie } from 'hono/cookie';
import { z } from 'zod';
import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
import { setupTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/setup-2fa';
import { env } from '@documenso/lib/utils/env';
import { prisma } from '@documenso/prisma';
import { AuthenticationErrorCode } from '../lib/errors/error-codes';
import { onAuthorize } from '../lib/utils/authorizer';
import { getRequiredSession } from '../lib/utils/get-session';
import type { HonoAuthContext } from '../types/context';
const options = {
clientId: env('NEXT_PRIVATE_GOOGLE_CLIENT_ID'),
clientSecret: env('NEXT_PRIVATE_GOOGLE_CLIENT_SECRET'),
redirectUri: 'http://localhost:3000/api/auth/google/callback',
clientId: env('NEXT_PRIVATE_GOOGLE_CLIENT_ID') ?? '',
clientSecret: env('NEXT_PRIVATE_GOOGLE_CLIENT_SECRET') ?? '',
redirectUri: `${NEXT_PUBLIC_WEBAPP_URL()}/api/auth/google/callback`,
scope: ['openid', 'email', 'profile'],
id: 'google',
};
@ -24,55 +25,62 @@ const google = new Google(options.clientId, options.clientSecret, options.redire
// todo: NEXT_PRIVATE_OIDC_WELL_KNOWN???
const ZGoogleAuthorizeSchema = z.object({
redirectPath: z.string().optional(),
});
export const googleRoute = new Hono<HonoAuthContext>()
/**
* Authorize endpoint.
*/
.post('/authorize', (c) => {
.post('/authorize', zValidator('json', ZGoogleAuthorizeSchema), (c) => {
const scopes = options.scope;
const state = generateState();
const codeVerifier = generateCodeVerifier();
const url = google.createAuthorizationURL(state, codeVerifier, scopes);
const { redirectPath } = c.req.valid('json');
setCookie(c, 'google_oauth_state', state, {
path: '/',
httpOnly: true,
secure: env('NODE_ENV') === 'production',
secure: env('NODE_ENV') === 'production', // Todo: Check.
maxAge: 60 * 10, // 10 minutes
sameSite: 'lax',
sameSite: 'lax', // Todo??
});
setCookie(c, 'google_code_verifier', codeVerifier, {
path: '/',
httpOnly: true,
// Todo: Might not be node_env but something vite specific?
secure: env('NODE_ENV') === 'production',
secure: env('NODE_ENV') === 'production', // Todo: Check.
maxAge: 60 * 10, // 10 minutes
sameSite: 'lax',
sameSite: 'lax', // Todo??
});
// return new Response(null, {
// status: 302,
// headers: {
// Location: url.toString()
// }
// });
if (redirectPath) {
setCookie(c, 'google_redirect_path', `${state}:${redirectPath}`, {
path: '/',
httpOnly: true,
secure: env('NODE_ENV') === 'production', // Todo: Check.
maxAge: 60 * 10, // 10 minutes
sameSite: 'lax', // Todo??
});
}
return c.json({
redirectUrl: url,
redirectUrl: url.toString(),
});
})
/**
* Google callback verification.
*/
.get('/callback', async (c) => {
// Todo: Use ZValidator to validate query params.
const code = c.req.query('code');
const state = c.req.query('state');
const storedState = getCookie(c, 'google_oauth_state');
const storedCodeVerifier = getCookie(c, 'google_code_verifier');
const storedState = deleteCookie(c, 'google_oauth_state');
const storedCodeVerifier = deleteCookie(c, 'google_code_verifier');
if (!code || !storedState || state !== storedState || !storedCodeVerifier) {
throw new AppError(AppErrorCode.INVALID_REQUEST, {
@ -80,18 +88,23 @@ export const googleRoute = new Hono<HonoAuthContext>()
});
}
const storedredirectPath = deleteCookie(c, 'google_redirect_path') ?? '';
// eslint-disable-next-line prefer-const
let [redirectState, redirectPath] = storedredirectPath.split(':');
if (redirectState !== storedState || !redirectPath) {
redirectPath = '/documents';
}
const tokens = await google.validateAuthorizationCode(code, storedCodeVerifier);
const accessToken = tokens.accessToken();
const accessTokenExpiresAt = tokens.accessTokenExpiresAt();
const idToken = tokens.idToken();
console.log(tokens);
// eslint-disable-next-line @typescript-eslint/consistent-type-assertions
const claims = decodeIdToken(tokens.idToken()) as Record<string, unknown>;
console.log(claims);
const googleEmail = claims.email;
const googleName = claims.name;
const googleSub = claims.sub;
@ -127,7 +140,7 @@ export const googleRoute = new Hono<HonoAuthContext>()
if (existingAccount) {
await onAuthorize({ userId: existingAccount.user.id }, c);
return c.redirect('/documents', 302); // Todo: Redirect
return c.redirect(redirectPath, 302);
}
const userWithSameEmail = await prisma.user.findFirst({
@ -154,7 +167,7 @@ export const googleRoute = new Hono<HonoAuthContext>()
// Todo: Link account
await onAuthorize({ userId: userWithSameEmail.id }, c);
return c.redirect('/documents', 302); // Todo: Redirect
return c.redirect(redirectPath, 302);
}
// Handle new user.
@ -184,21 +197,5 @@ export const googleRoute = new Hono<HonoAuthContext>()
await onAuthorize({ userId: createdUser.id }, c);
return c.redirect('/documents', 302); // Todo: Redirect
})
/**
* Setup passkey authentication.
*/
.post('/setup', async (c) => {
const { user } = await getRequiredSession(c);
const result = await setupTwoFactorAuthentication({
user,
});
return c.json({
success: true,
secret: result.secret,
uri: result.uri,
});
return c.redirect(redirectPath, 302);
});

11
packages/auth/server/routes/sign-out.ts
View File

@ -1,11 +1,10 @@
import { Hono } from 'hono';
import { deleteCookie, getSignedCookie } from 'hono/cookie';
import { invalidateSession, validateSessionToken } from '../lib/session/session';
import { deleteSessionCookie, getSessionCookie } from '../lib/session/session-cookies';
export const signOutRoute = new Hono().post('/signout', async (c) => {
// todo: secret
const sessionId = await getSignedCookie(c, 'secret', 'sessionId');
const sessionId = await getSessionCookie(c);
if (!sessionId) {
return new Response('No session found', { status: 401 });
@ -19,11 +18,7 @@ export const signOutRoute = new Hono().post('/signout', async (c) => {
await invalidateSession(session.id);
deleteCookie(c, 'sessionId', {
path: '/',
secure: true,
domain: 'example.com',
});
deleteSessionCookie(c);
return c.status(200);
});