Seperate out OAuth API

hhvrc · hhvrc · commit 8148fb3f38de · 2025-09-16T16:56:27.000+02:00
diff --git a/src/lib/api/index.ts b/src/lib/api/index.ts
@@ -59,5 +59,4 @@ export const shockersV2Api = new ShockersV2Api(DefaultApiV2Configuration);
 export const publicShockerSharesApi = new PublicShockerSharesApi(DefaultApiV1Configuration);
 export const shockerSharesV1Api = new ShockerSharesV1Api(DefaultApiV1Configuration);
 export const shockerSharesV2Api = new ShockerSharesV2Api(DefaultApiV2Configuration);
-export const oauthApi = new OAuthApi(DefaultApiV1Configuration);
 export const usersApi = new UsersApi(DefaultApiV1Configuration);
diff --git a/src/lib/api/next/ResponseError.ts b/src/lib/api/next/ResponseError.ts
@@ -0,0 +1,9 @@
+export class ResponseError extends Error {
+  override name = 'ResponseError';
+  constructor(
+    public response: Response,
+    msg?: string
+  ) {
+    super(msg ?? `HTTP ${response.status} ${response.statusText}`);
+  }
+}
diff --git a/src/lib/api/next/TransformError.ts b/src/lib/api/next/TransformError.ts
@@ -0,0 +1,6 @@
+export class TransformError extends Error {
+  override name = 'TransformError';
+  constructor(message: string) {
+    super(message);
+  }
+}
diff --git a/src/lib/api/next/base.ts b/src/lib/api/next/base.ts
@@ -0,0 +1,98 @@
+import { PUBLIC_BACKEND_API_DOMAIN } from '$env/static/public';
+import { ResponseError } from './ResponseError';
+
+const BaseUrl = `https://${PUBLIC_BACKEND_API_DOMAIN}`;
+
+type ApiVersion = 1 | 2;
+export type Path = `/${ApiVersion}/${string}`;
+
+export function GetBackendUrl(path: Path) {
+  return BaseUrl + path;
+}
+
+export async function GetJson<T>(
+  path: Path,
+  expectedStatus = 200,
+  transformer: (data: unknown) => T
+): Promise<T> {
+  const res = await fetch(BaseUrl + path, {
+    headers: { accept: 'application/json' },
+    method: 'GET',
+    redirect: 'error',
+  });
+
+  if (res.status !== expectedStatus) {
+    throw new ResponseError(res, `Unexpected status ${res.status}`);
+  }
+
+  const contentType = res.headers.get('content-type') ?? '';
+  if (!contentType.includes('application/json')) {
+    throw new ResponseError(res, `Expected JSON but got ${contentType}`);
+  }
+
+  const data = await res.json();
+
+  return transformer(data);
+}
+
+export async function PostJson<T>(
+  path: Path,
+  body: unknown,
+  expectedStatus = 200,
+  transformer: (data: unknown) => T
+): Promise<T> {
+  const url = GetBackendUrl(path);
+
+  const res = await fetch(url, {
+    method: 'POST',
+    headers: {
+      'content-type': 'application/json',
+      accept: 'application/json',
+    },
+    body: JSON.stringify(body),
+    redirect: 'error',
+  });
+
+  if (res.status !== expectedStatus) {
+    throw new ResponseError(res, `Unexpected status ${res.status} for POST ${url}`);
+  }
+
+  const contentType = res.headers.get('content-type') ?? '';
+  if (!contentType.includes('application/json')) {
+    throw new ResponseError(res, `Expected JSON but got ${contentType}`);
+  }
+
+  const data = await res.json();
+
+  return transformer(data);
+}
+
+export async function PostRedirect(
+  path: Path,
+  expectedStatus: 302 | 303 | 307 | 308 = 302
+): Promise<void> {
+  const url = BaseUrl + path;
+  const res = await fetch(url, { method: 'POST', redirect: 'manual' });
+
+  if (res.status !== expectedStatus) {
+    throw new ResponseError(res, `Unexpected status ${res.status} for POST ${url}`);
+  }
+
+  const loc = res.headers.get('Location');
+  if (!loc) throw new ResponseError(res, 'Missing Location header');
+
+  const target = new URL(loc, url); // handles absolute or relative
+
+  // Restrict which domains we can be redirected to
+  const allowedHosts = new Set([PUBLIC_BACKEND_API_DOMAIN, 'accounts.google.com', 'github.com']);
+
+  if (!allowedHosts.has(target.hostname)) {
+    throw new ResponseError(res, `Blocked redirect to disallowed host ${target.href}`);
+  }
+
+  if (target.protocol !== 'https:') {
+    throw new ResponseError(res, `Blocked non-HTTPS redirect to ${target.href}`);
+  }
+
+  window.location.assign(target.toString());
+}
diff --git a/src/lib/api/next/models/LoginOkResponse.ts b/src/lib/api/next/models/LoginOkResponse.ts
@@ -0,0 +1,10 @@
+import type { RoleType } from './RoleType';
+
+export interface LoginOkResponse {
+  accountId: string;
+  accountName: string;
+  accountEmail: string;
+  isVerified: boolean;
+  profileImage: string;
+  accountRoles: RoleType[];
+}
diff --git a/src/lib/api/next/models/OAuthFinalizeRequest.ts b/src/lib/api/next/models/OAuthFinalizeRequest.ts
@@ -0,0 +1,5 @@
+export interface OAuthFinalizeRequest {
+  username?: string | null;
+  email: string | null;
+  password: string | null;
+}
diff --git a/src/lib/api/next/models/OAuthSignupData.ts b/src/lib/api/next/models/OAuthSignupData.ts
@@ -0,0 +1,6 @@
+export interface OAuthSignupData {
+  provider: string;
+  email: string | null;
+  displayName: string | null;
+  expiresAt: Date;
+}
diff --git a/src/lib/api/next/models/RoleType.ts b/src/lib/api/next/models/RoleType.ts
@@ -0,0 +1,6 @@
+export enum RoleType {
+  Support = 'Support',
+  Staff = 'Staff',
+  Admin = 'Admin',
+  System = 'System',
+}
diff --git a/src/lib/api/next/models/index.ts b/src/lib/api/next/models/index.ts
@@ -0,0 +1,4 @@
+export * from './LoginOkResponse';
+export * from './OAuthFinalizeRequest';
+export * from './OAuthSignupData';
+export * from './RoleType';
diff --git a/src/lib/api/next/oauth.ts b/src/lib/api/next/oauth.ts
@@ -0,0 +1,30 @@
+import { GetJson, PostJson, PostRedirect } from './base';
+import type { LoginOkResponse, OAuthFinalizeRequest, OAuthSignupData } from './models';
+import {
+  TransformLoginOkResponse,
+  TransformOAuthSignupData,
+  ValidateStringArray,
+} from './transformers';
+
+export function OAuthListProviders(): Promise<string[]> {
+  return GetJson<string[]>('/1/oauth/providers', 200, ValidateStringArray);
+}
+
+export function OAuthAuthorize(provider: string, flow: 'LoginOrCreate' | 'Link') {
+  const providerEnc = encodeURIComponent(provider);
+  const flowEnc = encodeURIComponent(flow);
+  return PostRedirect(`/1/oauth/${providerEnc}/authorize?flow=${flowEnc}`, 302);
+}
+
+export async function OAuthSignupGetData(provider: string) {
+  const providerEnc = encodeURIComponent(provider);
+  return GetJson<OAuthSignupData>(`/1/oauth/${providerEnc}/data`, 200, TransformOAuthSignupData);
+}
+
+export async function OAuthSignupFinalize(
+  provider: string,
+  payload: OAuthFinalizeRequest
+): Promise<LoginOkResponse> {
+  const providerEnc = encodeURIComponent(provider);
+  return PostJson(`/1/oauth/${providerEnc}/finalize`, payload, 200, TransformLoginOkResponse);
+}
diff --git a/src/lib/api/next/transformers/LoginOkResponse.ts b/src/lib/api/next/transformers/LoginOkResponse.ts
@@ -0,0 +1,30 @@
+import { isBoolean, isObject, isString } from '$lib/typeguards';
+import { TransformError } from '../TransformError';
+import type { LoginOkResponse } from '../models';
+import { IsRoleType } from './RoleType';
+
+export function TransformLoginOkResponse(data: unknown): LoginOkResponse {
+  if (!isObject(data)) {
+    throw new TransformError('Expected object for LoginOkResponse');
+  }
+
+  if (!Object.hasOwn(data, 'accountId') || !isString(data.accountId))
+    throw new TransformError('Expected string: accountId');
+  if (!Object.hasOwn(data, 'accountName') || !isString(data.accountName))
+    throw new TransformError('Expected string: accountName');
+  if (!Object.hasOwn(data, 'accountEmail') || !isString(data.accountEmail))
+    throw new TransformError('Expected string: accountEmail');
+  if (!Object.hasOwn(data, 'isVerified') || !isBoolean(data.isVerified))
+    throw new TransformError('Expected boolean: isVerified');
+  if (!Object.hasOwn(data, 'profileImage') || !isString(data.profileImage))
+    throw new TransformError('Expected string: profileImage');
+  if (
+    !Object.hasOwn(data, 'accountRoles') ||
+    !Array.isArray(data.accountRoles) ||
+    !data.accountRoles.every(IsRoleType)
+  ) {
+    throw new TransformError('Expected RoleType[]: accountRoles');
+  }
+
+  return data as LoginOkResponse;
+}
diff --git a/src/lib/api/next/transformers/OAuthSignupData.ts b/src/lib/api/next/transformers/OAuthSignupData.ts
@@ -0,0 +1,34 @@
+import { isObject, isString, isStringOrNull } from '$lib/typeguards';
+import { TransformError } from '../TransformError';
+import type { OAuthSignupData } from '../models/OAuthSignupData';
+
+export function TransformOAuthSignupData(data: unknown): OAuthSignupData {
+  if (!isObject(data)) {
+    throw new TransformError('Expected object for OAuthSignupData');
+  }
+
+  if (!Object.hasOwn(data, 'provider') || !isString(data.provider)) {
+    throw new TransformError('Expected string: provider');
+  }
+  if (!Object.hasOwn(data, 'email') || !isStringOrNull(data.email)) {
+    throw new TransformError('Expected string|null: email');
+  }
+  if (!Object.hasOwn(data, 'displayName') || !isStringOrNull(data.displayName)) {
+    throw new TransformError('Expected string|null: displayName');
+  }
+  if (!Object.hasOwn(data, 'expiresAt') || !isString(data.expiresAt)) {
+    throw new TransformError('Expected string: expiresAt');
+  }
+
+  const expiresAt = new Date(data.expiresAt);
+  if (Number.isNaN(expiresAt.getTime())) {
+    throw new TransformError('Invalid date: expiresAt');
+  }
+
+  return {
+    provider: data.provider,
+    email: data.email ?? null,
+    displayName: data.displayName ?? null,
+    expiresAt,
+  };
+}
diff --git a/src/lib/api/next/transformers/RoleType.ts b/src/lib/api/next/transformers/RoleType.ts
@@ -0,0 +1,5 @@
+import { RoleType } from '../models';
+
+export function IsRoleType(value: unknown): value is RoleType {
+  return typeof value === 'string' && Object.values(RoleType).includes(value as RoleType);
+}
diff --git a/src/lib/api/next/transformers/StringArray.ts b/src/lib/api/next/transformers/StringArray.ts
@@ -0,0 +1,6 @@
+import { isString } from '$lib/typeguards';
+
+export function ValidateStringArray(data: unknown): string[] {
+  if (!Array.isArray(data) || !data.every(isString)) throw new Error();
+  return data;
+}
diff --git a/src/lib/api/next/transformers/index.ts b/src/lib/api/next/transformers/index.ts
@@ -0,0 +1,3 @@
+export * from './LoginOkResponse';
+export * from './OAuthSignupData';
+export * from './StringArray';
diff --git a/src/lib/typeguards/basicGuards.ts b/src/lib/typeguards/basicGuards.ts
@@ -16,3 +16,7 @@ export function isArrayBuffer(value: unknown): value is ArrayBuffer {
 export function isDate(value: unknown): value is Date {
   return value instanceof Date;
 }
+
+export function isStringOrNull(value: unknown): value is string | null {
+  return isString(value) || value === null;
+}
diff --git a/src/routes/(anonymous)/login/+page.svelte b/src/routes/(anonymous)/login/+page.svelte
@@ -3,6 +3,7 @@
   import { page } from '$app/state';
   import { PUBLIC_BACKEND_API_DOMAIN } from '$env/static/public';
   import { accountV2Api } from '$lib/api';
+  import { OAuthAuthorize } from '$lib/api/next/oauth';
   import Container from '$lib/components/Container.svelte';
   import Turnstile from '$lib/components/Turnstile.svelte';
   import PasswordInput from '$lib/components/input/PasswordInput.svelte';
@@ -55,9 +56,7 @@
 
   async function startOAuth() {
     const provider = 'discord';
-
-    // Set the current URL as the redirect URL so we can come back here after OAuth
-    window.location.href = `https://${PUBLIC_BACKEND_API_DOMAIN}/1/oauth/${provider}/authorize`;
+    await OAuthAuthorize(provider, 'LoginOrCreate');
   }
 
   let canSubmit = $derived(
diff --git a/src/routes/(anonymous)/oauth/[provider]/create/+page.svelte b/src/routes/(anonymous)/oauth/[provider]/create/+page.svelte
@@ -1,7 +1,7 @@
 <script lang="ts">
   import { goto } from '$app/navigation';
   import { page } from '$app/state';
-  import { oauthApi } from '$lib/api';
+  import { OAuthSignupFinalize, OAuthSignupGetData } from '$lib/api/next/oauth';
   import Container from '$lib/components/Container.svelte';
   import EmailInput from '$lib/components/input/EmailInput.svelte';
   import UsernameInput from '$lib/components/input/UsernameInput.svelte';
@@ -29,7 +29,7 @@
     }
 
     try {
-      const account = await oauthApi.oAuthOAuthSignupFinalize(page.params.provider!, {
+      const account = await OAuthSignupFinalize(page.params.provider!, {
         username,
         email,
         password,
@@ -64,8 +64,7 @@
   }
 
   onMount(() => {
-    oauthApi
-      .oAuthOAuthSignupGetData(page.params.provider!)
+    OAuthSignupGetData(page.params.provider!)
       .then((data) => {
         if (data.displayName) {
           username = data.displayName;
diff --git a/src/routes/(authenticated)/settings/connections/+page.svelte b/src/routes/(authenticated)/settings/connections/+page.svelte
@@ -4,9 +4,9 @@
   import RotateCcw from '@lucide/svelte/icons/rotate-ccw';
   import Unlink from '@lucide/svelte/icons/unlink';
   import { page } from '$app/state';
-  import { PUBLIC_BACKEND_API_DOMAIN } from '$env/static/public';
-  import { accountV1Api, oauthApi } from '$lib/api';
-  import type { OAuthConnectionResponse } from '$lib/api/internal/v1';
+  import { accountV1Api } from '$lib/api';
+  import type { OAuthConnectionResponse } from '$lib/api/internal/v1/models';
+  import { OAuthAuthorize, OAuthListProviders } from '$lib/api/next/oauth';
   import Container from '$lib/components/Container.svelte';
   import { Button } from '$lib/components/ui/button';
   import * as Card from '$lib/components/ui/card';
@@ -56,7 +56,7 @@
 
     try {
       const [provResp, connResp] = await Promise.all([
-        oauthApi.oAuthListOAuthProviders(),
+        OAuthListProviders(),
         accountV1Api.authenticatedAccountListOAuthConnections(),
       ]);
 
@@ -86,7 +86,7 @@
   async function beginLink(providerKey: string) {
     actionBusy = providerKey;
     try {
-      window.location.href = `https://${PUBLIC_BACKEND_API_DOMAIN}/1/account/connections/${providerKey}/link`;
+      await OAuthAuthorize(providerKey, 'Link');
     } catch (err) {
       await handleApiError(err);
     } finally {
