fix: auth

packages/auth/server/lib/session/session-cookies.ts

@@ -1,6 +1,7 @@
 import type { Context } from 'hono';
-import { getSignedCookie, setSignedCookie } from 'hono/cookie';
+import { deleteCookie, getSignedCookie, setSignedCookie } from 'hono/cookie';
 
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
 import { appLog } from '@documenso/lib/utils/debugger';
 import { env } from '@documenso/lib/utils/env';
 
@@ -16,6 +17,12 @@ const getAuthSecret = () => {
   return authSecret;
 };
 
+const getAuthDomain = () => {
+  const url = new URL(NEXT_PUBLIC_WEBAPP_URL());
+
+  return url.hostname;
+};
+
 export const extractSessionCookieFromHeaders = (headers: Headers): string | null => {
   const cookieHeader = headers.get('cookie') || '';
   const cookiePairs = cookieHeader.split(';');
@@ -51,10 +58,24 @@ export const setSessionCookie = async (c: Context, sessionToken: string) => {
     path: '/',
     // sameSite: '', // whats the default? we need to change this for embed right?
     // secure: true,
-    domain: 'localhost', // todo
+    domain: getAuthDomain(),
   }).catch((err) => {
     appLog('SetSessionCookie', `Error setting signed cookie: ${err}`);
 
     throw err;
   });
 };
+
+/**
+ * Set the session cookie into the Hono context.
+ *
+ * @param c - The Hono context.
+ * @param sessionToken - The session token to set.
+ */
+export const deleteSessionCookie = (c: Context) => {
+  deleteCookie(c, sessionCookieName, {
+    path: '/',
+    secure: true,
+    domain: getAuthDomain(),
+  });
+};

packages/auth/server/lib/utils/redirect.ts

@@ -0,0 +1,28 @@
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+
+/**
+ * Handle an optional redirect path.
+ */
+export const handleRequestRedirect = (redirectUrl?: string) => {
+  if (!redirectUrl) {
+    return;
+  }
+
+  const url = new URL(redirectUrl, NEXT_PUBLIC_WEBAPP_URL());
+
+  if (url.origin !== NEXT_PUBLIC_WEBAPP_URL()) {
+    window.location.href = '/documents';
+  } else {
+    window.location.href = redirectUrl;
+  }
+};
+
+export const handleSignInRedirect = (redirectUrl: string = '/documents') => {
+  const url = new URL(redirectUrl, NEXT_PUBLIC_WEBAPP_URL());
+
+  if (url.origin !== NEXT_PUBLIC_WEBAPP_URL()) {
+    window.location.href = '/documents';
+  } else {
+    window.location.href = redirectUrl;
+  }
+};

packages/auth/server/routes/google.ts

@@ -1,21 +1,22 @@
+import { zValidator } from '@hono/zod-validator';
 import { Google, decodeIdToken, generateCodeVerifier, generateState } from 'arctic';
 import { Hono } from 'hono';
-import { getCookie, setCookie } from 'hono/cookie';
+import { deleteCookie, setCookie } from 'hono/cookie';
+import { z } from 'zod';
 
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
 import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
-import { setupTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/setup-2fa';
 import { env } from '@documenso/lib/utils/env';
 import { prisma } from '@documenso/prisma';
 
 import { AuthenticationErrorCode } from '../lib/errors/error-codes';
 import { onAuthorize } from '../lib/utils/authorizer';
-import { getRequiredSession } from '../lib/utils/get-session';
 import type { HonoAuthContext } from '../types/context';
 
 const options = {
-  clientId: env('NEXT_PRIVATE_GOOGLE_CLIENT_ID'),
-  clientSecret: env('NEXT_PRIVATE_GOOGLE_CLIENT_SECRET'),
-  redirectUri: 'http://localhost:3000/api/auth/google/callback',
+  clientId: env('NEXT_PRIVATE_GOOGLE_CLIENT_ID') ?? '',
+  clientSecret: env('NEXT_PRIVATE_GOOGLE_CLIENT_SECRET') ?? '',
+  redirectUri: `${NEXT_PUBLIC_WEBAPP_URL()}/api/auth/google/callback`,
   scope: ['openid', 'email', 'profile'],
   id: 'google',
 };
@@ -24,55 +25,62 @@ const google = new Google(options.clientId, options.clientSecret, options.redire
 
 // todo: NEXT_PRIVATE_OIDC_WELL_KNOWN???
 
+const ZGoogleAuthorizeSchema = z.object({
+  redirectPath: z.string().optional(),
+});
+
 export const googleRoute = new Hono<HonoAuthContext>()
   /**
    * Authorize endpoint.
    */
-  .post('/authorize', (c) => {
+  .post('/authorize', zValidator('json', ZGoogleAuthorizeSchema), (c) => {
     const scopes = options.scope;
     const state = generateState();
+
     const codeVerifier = generateCodeVerifier();
     const url = google.createAuthorizationURL(state, codeVerifier, scopes);
 
+    const { redirectPath } = c.req.valid('json');
+
     setCookie(c, 'google_oauth_state', state, {
       path: '/',
       httpOnly: true,
-      secure: env('NODE_ENV') === 'production',
+      secure: env('NODE_ENV') === 'production', // Todo: Check.
       maxAge: 60 * 10, // 10 minutes
-      sameSite: 'lax',
+      sameSite: 'lax', // Todo??
     });
 
     setCookie(c, 'google_code_verifier', codeVerifier, {
       path: '/',
       httpOnly: true,
-      // Todo: Might not be node_env but something vite specific?
-      secure: env('NODE_ENV') === 'production',
+      secure: env('NODE_ENV') === 'production', // Todo: Check.
       maxAge: 60 * 10, // 10 minutes
-      sameSite: 'lax',
+      sameSite: 'lax', // Todo??
     });
 
-    // return new Response(null, {
-    //   status: 302,
-    //   headers: {
-    //     Location: url.toString()
-    //   }
-    // });
+    if (redirectPath) {
+      setCookie(c, 'google_redirect_path', `${state}:${redirectPath}`, {
+        path: '/',
+        httpOnly: true,
+        secure: env('NODE_ENV') === 'production', // Todo: Check.
+        maxAge: 60 * 10, // 10 minutes
+        sameSite: 'lax', // Todo??
+      });
+    }
 
     return c.json({
-      redirectUrl: url,
+      redirectUrl: url.toString(),
     });
   })
   /**
    * Google callback verification.
    */
   .get('/callback', async (c) => {
-    // Todo: Use ZValidator to validate query params.
-
     const code = c.req.query('code');
     const state = c.req.query('state');
 
-    const storedState = getCookie(c, 'google_oauth_state');
-    const storedCodeVerifier = getCookie(c, 'google_code_verifier');
+    const storedState = deleteCookie(c, 'google_oauth_state');
+    const storedCodeVerifier = deleteCookie(c, 'google_code_verifier');
 
     if (!code || !storedState || state !== storedState || !storedCodeVerifier) {
       throw new AppError(AppErrorCode.INVALID_REQUEST, {
@@ -80,18 +88,23 @@ export const googleRoute = new Hono<HonoAuthContext>()
       });
     }
 
+    const storedredirectPath = deleteCookie(c, 'google_redirect_path') ?? '';
+
+    // eslint-disable-next-line prefer-const
+    let [redirectState, redirectPath] = storedredirectPath.split(':');
+
+    if (redirectState !== storedState || !redirectPath) {
+      redirectPath = '/documents';
+    }
+
     const tokens = await google.validateAuthorizationCode(code, storedCodeVerifier);
     const accessToken = tokens.accessToken();
     const accessTokenExpiresAt = tokens.accessTokenExpiresAt();
     const idToken = tokens.idToken();
 
-    console.log(tokens);
-
     // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
     const claims = decodeIdToken(tokens.idToken()) as Record<string, unknown>;
 
-    console.log(claims);
-
     const googleEmail = claims.email;
     const googleName = claims.name;
     const googleSub = claims.sub;
@@ -127,7 +140,7 @@ export const googleRoute = new Hono<HonoAuthContext>()
     if (existingAccount) {
       await onAuthorize({ userId: existingAccount.user.id }, c);
 
-      return c.redirect('/documents', 302); // Todo: Redirect
+      return c.redirect(redirectPath, 302);
     }
 
     const userWithSameEmail = await prisma.user.findFirst({
@@ -154,7 +167,7 @@ export const googleRoute = new Hono<HonoAuthContext>()
       // Todo: Link account
       await onAuthorize({ userId: userWithSameEmail.id }, c);
 
-      return c.redirect('/documents', 302); // Todo: Redirect
+      return c.redirect(redirectPath, 302);
     }
 
     // Handle new user.
@@ -184,21 +197,5 @@ export const googleRoute = new Hono<HonoAuthContext>()
 
     await onAuthorize({ userId: createdUser.id }, c);
 
-    return c.redirect('/documents', 302); // Todo: Redirect
-  })
-  /**
-   * Setup passkey authentication.
-   */
-  .post('/setup', async (c) => {
-    const { user } = await getRequiredSession(c);
-
-    const result = await setupTwoFactorAuthentication({
-      user,
-    });
-
-    return c.json({
-      success: true,
-      secret: result.secret,
-      uri: result.uri,
-    });
+    return c.redirect(redirectPath, 302);
   });

packages/auth/server/routes/sign-out.ts

@@ -1,11 +1,10 @@
 import { Hono } from 'hono';
-import { deleteCookie, getSignedCookie } from 'hono/cookie';
 
 import { invalidateSession, validateSessionToken } from '../lib/session/session';
+import { deleteSessionCookie, getSessionCookie } from '../lib/session/session-cookies';
 
 export const signOutRoute = new Hono().post('/signout', async (c) => {
-  // todo: secret
-  const sessionId = await getSignedCookie(c, 'secret', 'sessionId');
+  const sessionId = await getSessionCookie(c);
 
   if (!sessionId) {
     return new Response('No session found', { status: 401 });
@@ -19,11 +18,7 @@ export const signOutRoute = new Hono().post('/signout', async (c) => {
 
   await invalidateSession(session.id);
 
-  deleteCookie(c, 'sessionId', {
-    path: '/',
-    secure: true,
-    domain: 'example.com',
-  });
+  deleteSessionCookie(c);
 
   return c.status(200);
 });