mirror of
https://github.com/documenso/documenso.git
synced 2025-11-17 02:01:33 +10:00
205 lines
5.7 KiB
TypeScript
205 lines
5.7 KiB
TypeScript
import { Google, decodeIdToken, generateCodeVerifier, generateState } from 'arctic';
|
|
import { Hono } from 'hono';
|
|
import { getCookie, setCookie } from 'hono/cookie';
|
|
|
|
import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
|
|
import { setupTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/setup-2fa';
|
|
import { env } from '@documenso/lib/utils/env';
|
|
import { prisma } from '@documenso/prisma';
|
|
|
|
import { AuthenticationErrorCode } from '../lib/errors/error-codes';
|
|
import { onAuthorize } from '../lib/utils/authorizer';
|
|
import { getRequiredSession } from '../lib/utils/get-session';
|
|
import type { HonoAuthContext } from '../types/context';
|
|
|
|
const options = {
|
|
clientId: env('NEXT_PRIVATE_GOOGLE_CLIENT_ID'),
|
|
clientSecret: env('NEXT_PRIVATE_GOOGLE_CLIENT_SECRET'),
|
|
redirectUri: 'http://localhost:3000/api/auth/google/callback',
|
|
scope: ['openid', 'email', 'profile'],
|
|
id: 'google',
|
|
};
|
|
|
|
const google = new Google(options.clientId, options.clientSecret, options.redirectUri);
|
|
|
|
// todo: NEXT_PRIVATE_OIDC_WELL_KNOWN???
|
|
|
|
export const googleRoute = new Hono<HonoAuthContext>()
|
|
/**
|
|
* Authorize endpoint.
|
|
*/
|
|
.post('/authorize', (c) => {
|
|
const scopes = options.scope;
|
|
const state = generateState();
|
|
const codeVerifier = generateCodeVerifier();
|
|
const url = google.createAuthorizationURL(state, codeVerifier, scopes);
|
|
|
|
setCookie(c, 'google_oauth_state', state, {
|
|
path: '/',
|
|
httpOnly: true,
|
|
secure: env('NODE_ENV') === 'production',
|
|
maxAge: 60 * 10, // 10 minutes
|
|
sameSite: 'lax',
|
|
});
|
|
|
|
setCookie(c, 'google_code_verifier', codeVerifier, {
|
|
path: '/',
|
|
httpOnly: true,
|
|
// Todo: Might not be node_env but something vite specific?
|
|
secure: env('NODE_ENV') === 'production',
|
|
maxAge: 60 * 10, // 10 minutes
|
|
sameSite: 'lax',
|
|
});
|
|
|
|
// return new Response(null, {
|
|
// status: 302,
|
|
// headers: {
|
|
// Location: url.toString()
|
|
// }
|
|
// });
|
|
|
|
return c.json({
|
|
redirectUrl: url,
|
|
});
|
|
})
|
|
/**
|
|
* Google callback verification.
|
|
*/
|
|
.get('/callback', async (c) => {
|
|
// Todo: Use ZValidator to validate query params.
|
|
|
|
const code = c.req.query('code');
|
|
const state = c.req.query('state');
|
|
|
|
const storedState = getCookie(c, 'google_oauth_state');
|
|
const storedCodeVerifier = getCookie(c, 'google_code_verifier');
|
|
|
|
if (!code || !storedState || state !== storedState || !storedCodeVerifier) {
|
|
throw new AppError(AppErrorCode.INVALID_REQUEST, {
|
|
message: 'Invalid or missing state',
|
|
});
|
|
}
|
|
|
|
const tokens = await google.validateAuthorizationCode(code, storedCodeVerifier);
|
|
const accessToken = tokens.accessToken();
|
|
const accessTokenExpiresAt = tokens.accessTokenExpiresAt();
|
|
const idToken = tokens.idToken();
|
|
|
|
console.log(tokens);
|
|
|
|
// eslint-disable-next-line @typescript-eslint/consistent-type-assertions
|
|
const claims = decodeIdToken(tokens.idToken()) as Record<string, unknown>;
|
|
|
|
console.log(claims);
|
|
|
|
const googleEmail = claims.email;
|
|
const googleName = claims.name;
|
|
const googleSub = claims.sub;
|
|
|
|
if (
|
|
typeof googleEmail !== 'string' ||
|
|
typeof googleName !== 'string' ||
|
|
typeof googleSub !== 'string'
|
|
) {
|
|
throw new AppError(AuthenticationErrorCode.InvalidRequest, {
|
|
message: 'Invalid google claims',
|
|
});
|
|
}
|
|
|
|
if (claims.email_verified !== true) {
|
|
throw new AppError(AuthenticationErrorCode.UnverifiedEmail, {
|
|
message: 'Account email is not verified',
|
|
});
|
|
}
|
|
|
|
// Find the account if possible.
|
|
const existingAccount = await prisma.account.findFirst({
|
|
where: {
|
|
provider: 'google',
|
|
providerAccountId: googleSub,
|
|
},
|
|
include: {
|
|
user: true,
|
|
},
|
|
});
|
|
|
|
// Directly log in user if account already exists.
|
|
if (existingAccount) {
|
|
await onAuthorize({ userId: existingAccount.user.id }, c);
|
|
|
|
return c.redirect('/documents', 302); // Todo: Redirect
|
|
}
|
|
|
|
const userWithSameEmail = await prisma.user.findFirst({
|
|
where: {
|
|
email: googleEmail,
|
|
},
|
|
});
|
|
|
|
// Handle existing user but no account.
|
|
if (userWithSameEmail) {
|
|
await prisma.account.create({
|
|
data: {
|
|
type: 'oauth',
|
|
provider: 'google',
|
|
providerAccountId: googleSub,
|
|
access_token: accessToken,
|
|
expires_at: Math.floor(accessTokenExpiresAt.getTime() / 1000),
|
|
token_type: 'Bearer',
|
|
id_token: idToken,
|
|
userId: userWithSameEmail.id,
|
|
},
|
|
});
|
|
|
|
// Todo: Link account
|
|
await onAuthorize({ userId: userWithSameEmail.id }, c);
|
|
|
|
return c.redirect('/documents', 302); // Todo: Redirect
|
|
}
|
|
|
|
// Handle new user.
|
|
const createdUser = await prisma.$transaction(async (tx) => {
|
|
const user = await tx.user.create({
|
|
data: {
|
|
email: googleEmail,
|
|
name: googleName,
|
|
},
|
|
});
|
|
|
|
await tx.account.create({
|
|
data: {
|
|
type: 'oauth',
|
|
provider: 'google',
|
|
providerAccountId: googleSub,
|
|
access_token: accessToken,
|
|
expires_at: Math.floor(accessTokenExpiresAt.getTime() / 1000),
|
|
token_type: 'Bearer',
|
|
id_token: idToken,
|
|
userId: user.id,
|
|
},
|
|
});
|
|
|
|
return user;
|
|
});
|
|
|
|
await onAuthorize({ userId: createdUser.id }, c);
|
|
|
|
return c.redirect('/documents', 302); // Todo: Redirect
|
|
})
|
|
/**
|
|
* Setup passkey authentication.
|
|
*/
|
|
.post('/setup', async (c) => {
|
|
const { user } = await getRequiredSession(c);
|
|
|
|
const result = await setupTwoFactorAuthentication({
|
|
user,
|
|
});
|
|
|
|
return c.json({
|
|
success: true,
|
|
secret: result.secret,
|
|
uri: result.uri,
|
|
});
|
|
});
|