import 'server-only';
import { z } from 'zod';
import { createOAuthState, verifyOAuthState } from '@/lib/integrations/oauth-state';
import { validateReturnPath } from '@/lib/integrations/validate-return-path';
// Tag placed in front of the encoded payload before it is handed to createOAuthState.
// verifyGitLabOAuthState rejects any verified state whose owner string lacks this tag,
// so a state minted for a different flow through the same helper is not accepted here.
const GITLAB_OAUTH_STATE_PREFIX = 'gitlab:';
// Instance URL that verifyGitLabOAuthState fills in when the payload carries none.
export const DEFAULT_GITLAB_OAUTH_INSTANCE_URL = 'https://gitlab.com';
/**
 * Reports whether `value` parses as a URL whose scheme is exactly `https:`.
 *
 * Only the scheme is inspected: host, port, path and userinfo are not
 * constrained here, so any host restriction has to be enforced by the caller.
 *
 * @param value - Candidate instance URL.
 * @returns `true` for a parseable https URL, `false` for any other scheme or
 *   for input the URL parser rejects.
 */
function isHttpsInstanceUrl(value: string): boolean {
  let candidate: URL;
  try {
    candidate = new URL(value);
  } catch {
    // Unparseable input is treated as "not https" rather than surfaced as an error.
    return false;
  }
  return candidate.protocol === 'https:';
}
/**
 * Shape of the JSON payload carried inside the GitLab OAuth `state` value.
 * verifyGitLabOAuthState runs every decoded payload through this schema and
 * returns null when it does not match.
 */
const GitLabOAuthStatePayloadSchema = z.object({
  // Who the integration is being connected for: a user or an org, each with a non-empty id.
  owner: z.discriminatedUnion('type', [
    z.object({ type: z.literal('user'), id: z.string().min(1) }),
    z.object({ type: z.literal('org'), id: z.string().min(1) }),
  ]),
  // Optional GitLab instance; must be a well-formed URL with the https scheme.
  // Nothing beyond the scheme (for example the host) is restricted by this schema.
  instanceUrl: z.string().url().refine(isHttpsInstanceUrl).optional(),
  // Optional non-empty reference string.
  // NOTE(review): presumably an identifier for stored credentials rather than the secret itself - confirm.
  customCredentialsRef: z.string().min(1).optional(),
  // Optional post-flow destination; accepted only when validateReturnPath returns non-null.
  // The stored value is the original string, not whatever validateReturnPath returned.
  returnTo: z
    .string()
    .refine(value => validateReturnPath(value) !== null)
    .optional(),
});
/** Payload accepted by createGitLabOAuthState, inferred from the schema above. */
export type GitLabOAuthStatePayload = z.infer<typeof GitLabOAuthStatePayloadSchema>;
/**
 * Result of a successful verifyGitLabOAuthState call: the payload with
 * `instanceUrl` always present, plus the `userId` reported by verifyOAuthState.
 */
export type VerifiedGitLabOAuthState = Omit<GitLabOAuthStatePayload, 'instanceUrl'> & {
  instanceUrl: string;
  userId: string;
};
/**
 * Builds the OAuth `state` value for a GitLab authorization request.
 *
 * The payload is serialized to JSON, base64url-encoded, tagged with the GitLab
 * prefix and passed to createOAuthState together with `userId`.
 *
 * The payload is not run through GitLabOAuthStatePayloadSchema here; a value
 * that violates the schema is only rejected later by verifyGitLabOAuthState.
 * NOTE(review): base64url is an encoding, not protection. Whether the result is
 * signed or encrypted depends on createOAuthState, which is not visible in this
 * file, so confirm before placing anything sensitive in the payload.
 *
 * @param payload - Owner, optional instance URL, credentials reference and return path.
 * @param userId - User the state is bound to; forwarded unchanged to createOAuthState.
 * @returns The state string produced by createOAuthState.
 */
export function createGitLabOAuthState(payload: GitLabOAuthStatePayload, userId: string): string {
  const serialized = JSON.stringify(payload);
  const token = Buffer.from(serialized).toString('base64url');
  return createOAuthState(GITLAB_OAUTH_STATE_PREFIX + token, userId);
}
/**
 * Validates an OAuth `state` value returned on the GitLab callback and
 * recovers the payload stored in it.
 *
 * Every failure yields null, with no distinction between causes:
 * verifyOAuthState rejecting the state, a missing GitLab prefix, an empty
 * payload, malformed JSON, or a schema mismatch.
 *
 * `userId` in the result comes from verifyOAuthState, never from the decoded
 * payload. `returnTo` is returned as the original string that passed the
 * schema check.
 * NOTE(review): if validateReturnPath normalizes its input, use its return
 * value at the redirect site rather than this raw string. Confirm against the
 * helper.
 *
 * @param state - Raw `state` query value, or null when it was absent.
 * @returns The verified payload with `instanceUrl` defaulted to
 *   DEFAULT_GITLAB_OAUTH_INSTANCE_URL, or null on any failure.
 */
export function verifyGitLabOAuthState(state: string | null): VerifiedGitLabOAuthState | null {
  const verified = verifyOAuthState(state);
  if (verified == null || !verified.owner.startsWith(GITLAB_OAUTH_STATE_PREFIX)) {
    return null;
  }

  const encodedPayload = verified.owner.slice(GITLAB_OAUTH_STATE_PREFIX.length);
  if (encodedPayload.length === 0) {
    return null;
  }

  try {
    // Decoding, JSON parsing and schema validation share one try block so that
    // any exception from them is reported as an invalid state.
    const rawJson = Buffer.from(encodedPayload, 'base64url').toString('utf8');
    const candidate: unknown = JSON.parse(rawJson);
    const result = GitLabOAuthStatePayloadSchema.safeParse(candidate);
    if (result.success) {
      const payload = result.data;
      return {
        ...payload,
        instanceUrl: payload.instanceUrl ?? DEFAULT_GITLAB_OAUTH_INSTANCE_URL,
        userId: verified.userId,
      };
    }
    return null;
  } catch {
    return null;
  }
}