add oauth2

Author: robb-j

api-server/source/admin/append-registrations.ts

@@ -1,6 +1,6 @@
 import { assertRequestBody, defineRoute, HTTPError, useRandom } from "gruber";
 
-import { _startEmailLogin } from "../auth/login.ts";
+import { AuthLib } from "../auth/auth-lib.ts";
 import {
   RegistrationRecord,
   RegistrationTable,
@@ -33,6 +33,7 @@ export const appendRegistrationsRoute = defineRoute({
     authz: useAuthz,
     sql: useDatabase,
     random: useRandom,
+    authLib: AuthLib.use,
   },
   async handler({
     request,
@@ -44,6 +45,7 @@ export const appendRegistrationsRoute = defineRoute({
     store,
     email,
     random,
+    authLib,
   }) {
     await authz.assert(request, { scope: "admin" });
 
@@ -119,20 +121,16 @@ export const appendRegistrationsRoute = defineRoute({
     // Send login emails to new users
     if (sendEmail) {
       for (const user of result.users.records) {
-        const login = {
+        await authLib.startEmailLogin({
+          method: "email",
           token: random.uuid(),
           code: random.number(0, 999_999),
           redirectUri,
           uses: 5,
-        };
-
-        await _startEmailLogin(
-          store,
-          email,
-          login,
-          user.email,
-          appConfig.auth.loginMaxAge,
-        );
+          payload: {
+            emailAddress: user.email,
+          },
+        });
       }
     }
 

api-server/source/auth/auth-lib.ts

@@ -1,11 +1,113 @@
-// NOTE: to be converted to a union type in the future for more methods
-export interface LoginRequest {
+import cookie from "cookie";
+import { HTTPError, loader, Store, TokenService } from "gruber";
+import { AppConfig } from "../config.ts";
+import {
+  EmailService,
+  useAppConfig,
+  useEmail,
+  useStore,
+  useTokens,
+} from "../lib/mod.ts";
+
+export interface EmailLoginRequest {
+  method: "email";
   token: string;
   payload: {
     emailAddress: string;
   };
   code: number;
-  method: "email";
   redirectUri: string;
   uses: number;
 }
+
+export interface OauthLoginRequest {
+  method: "oauth";
+  provider: "google";
+  token: string;
+  redirectUri: string;
+}
+
+export type LoginRequest = EmailLoginRequest | OauthLoginRequest;
+
+export class AuthLib {
+  static use = loader(() => {
+    return new AuthLib(useTokens(), useAppConfig(), useStore(), useEmail());
+  });
+
+  appConfig: AppConfig;
+  tokens: TokenService;
+  store: Store;
+  email: EmailService;
+  constructor(
+    tokens: TokenService,
+    appConfig: AppConfig,
+    store: Store,
+    email: EmailService,
+  ) {
+    this.tokens = tokens;
+    this.appConfig = appConfig;
+    this.store = store;
+    this.email = email;
+  }
+
+  async startEmailLogin(init: EmailLoginRequest) {
+    // Store the login to be retrieved on clicking through from the email
+    this.store.set<LoginRequest>(`/auth/request/${init.token}`, init, {
+      maxAge: this.appConfig.auth.loginMaxAge,
+    });
+
+    // Generate the magic link to send the client with the token + code in it
+    const magicLink = new URL(init.redirectUri);
+    magicLink.searchParams.set("method", "email");
+    magicLink.searchParams.set("token", init.token);
+    magicLink.searchParams.set("code", init.code.toString());
+
+    // Send the email
+    const sent = await this.email.sendTemplated({
+      to: { emailAddress: init.payload.emailAddress },
+      type: "login",
+      arguments: {
+        oneTimeCode: init.code,
+        magicLink: magicLink.toString(),
+      },
+    });
+
+    if (!sent) {
+      throw HTTPError.internalServerError("login email failed");
+    }
+  }
+
+  async finish(login: LoginRequest, userId: number, scope: string) {
+    // Generate a session token for the user
+    const sessionToken = await this.tokens.sign(scope, {
+      maxAge: this.appConfig.auth.sessionMaxAge,
+      userId: userId,
+    });
+
+    // Generate headers to set the session token and clear the login token
+    const headers = new Headers();
+    headers.append(
+      "Set-Cookie",
+      cookie.serialize(this.appConfig.auth.sessionCookie, sessionToken, {
+        httpOnly: true,
+        maxAge: this.appConfig.auth.sessionMaxAge / 1_000,
+        secure: this.appConfig.server.url.protocol === "https:",
+      }),
+    );
+    headers.append(
+      "Set-Cookie",
+      cookie.serialize(this.appConfig.auth.loginCookie, "", {
+        expires: new Date(0),
+      }),
+    );
+
+    // Clear the login from the store
+    await this.store.delete(`/auth/request/${login.token}`);
+
+    return { headers, sessionToken };
+  }
+}
+
+export function parseScopes(input: string) {
+  return new Set(input.split(/\s+/).filter((s) => s));
+}

api-server/source/auth/auth-repo.ts

@@ -3,6 +3,8 @@ import { loader, SqlDependency } from "gruber";
 import {
   assertRequestParam,
   ConferenceTable,
+  Oauth2TokenRecord,
+  OAuth2TokenTable,
   RegistrationTable,
   useDatabase,
   UserTable,
@@ -38,4 +40,8 @@ export class AuthRepo {
       this.sql`id = ${assertRequestParam(id)}`,
     );
   }
+
+  createToken(init: Omit<Oauth2TokenRecord, "id" | "created_at">) {
+    return OAuth2TokenTable.insertOne(this.sql, init);
+  }
 }

api-server/source/auth/auth-routes.ts

@@ -1,5 +1,6 @@
 import { loginRoute } from "./login.ts";
 import { getAuthRoute } from "./me.ts";
+import { oauthRoute } from "./oauth.ts";
 import { verifyRoute } from "./verify.ts";
 
-export const authRoutes = [loginRoute, verifyRoute, getAuthRoute];
+export const authRoutes = [loginRoute, verifyRoute, getAuthRoute, oauthRoute];

api-server/source/auth/login.ts

@@ -1,70 +1,34 @@
 import cookie from "cookie";
-import {
-  assertRequestBody,
-  defineRoute,
-  HTTPError,
-  Store,
-  Structure,
-} from "gruber";
+import { assertRequestBody, defineRoute, HTTPError, Structure } from "gruber";
 
 import {
   commponDependencies,
   ConferenceRecord,
-  EmailService,
   emailStructure,
+  GOOGLE_CALENDAR_SCOPE,
+  GoogleRepo,
   trimEmail,
+  undefinedStructure,
 } from "../lib/mod.ts";
-import { LoginRequest } from "./auth-lib.ts";
+import { AuthLib, LoginRequest, parseScopes } from "./auth-lib.ts";
 import { AuthRepo } from "./auth-repo.ts";
 
 const LoginBody = Structure.union([
   Structure.object({
+    type: Structure.literal("email"),
     emailAddress: emailStructure(),
     redirectUri: Structure.string(),
     conferenceId: Structure.union([Structure.null(), Structure.number()]),
   }),
+  Structure.object({
+    type: Structure.literal("oauth"),
+    provider: Structure.literal("google"),
+    redirectUri: Structure.string(),
+    conferenceId: Structure.union([Structure.null(), Structure.number()]),
+    scope: Structure.union([Structure.string(), undefinedStructure()]),
+  }),
 ]);
 
-// This is exported so that it can be used in the tito webhook too
-export async function _startEmailLogin(
-  store: Store,
-  email: EmailService,
-  login: Omit<LoginRequest, "method" | "payload">,
-  emailAddress: string,
-  maxAge: number,
-) {
-  // Store the login to be retrieved on clicking through from the email
-  store.set<LoginRequest>(
-    `/auth/request/${login.token}`,
-    {
-      ...login,
-      method: "email",
-      payload: { emailAddress },
-    },
-    { maxAge },
-  );
-
-  // Generate the magic link to send the client with the token + code in it
-  const magicLink = new URL(login.redirectUri);
-  magicLink.searchParams.set("method", "email");
-  magicLink.searchParams.set("token", login.token);
-  magicLink.searchParams.set("code", login.code.toString());
-
-  // Send the email
-  const sent = await email.sendTemplated({
-    to: { emailAddress },
-    type: "login",
-    arguments: {
-      oneTimeCode: login.code,
-      magicLink: magicLink.toString(),
-    },
-  });
-
-  if (!sent) {
-    throw HTTPError.internalServerError("login email failed");
-  }
-}
-
 function stripRedirect(input: string) {
   const url = new URL(input);
   url.search = "";
@@ -89,13 +53,14 @@ export const loginRoute = defineRoute({
   dependencies: {
     ...commponDependencies,
     repo: AuthRepo.use,
+    lib: AuthLib.use,
+    google: GoogleRepo.use,
   },
-  async handler({ request, authz, store, random, email, appConfig, repo }) {
+  async handler({ request, store, random, lib, appConfig, repo, google }) {
     // NOTE: it previously short-circuited the login if there was an active session
     // this cased confusion so was taken out
 
     const body = await assertRequestBody(LoginBody, request);
-    const emailAddress = trimEmail(body.emailAddress);
 
     const conference = body.conferenceId
       ? await repo.getConference(body.conferenceId)
@@ -110,28 +75,32 @@ export const loginRoute = defineRoute({
       uses: 5,
     };
 
-    if (body.emailAddress) {
+    const cookieOptions = {
+      httpOnly: true,
+      maxAge: appConfig.auth.loginMaxAge / 1_000,
+      secure: appConfig.server.url.protocol === "https:",
+    };
+
+    if (body.type === "email") {
+      const emailAddress = trimEmail(body.emailAddress);
+
       // TODO: should it verify conference registration too?
       const user = await repo.getUserByEmail(emailAddress);
       if (!user) throw HTTPError.unauthorized();
 
       // Send the email login, throwing if it fails
-      await _startEmailLogin(
-        store,
-        email,
-        login,
-        emailAddress,
-        appConfig.auth.loginMaxAge,
-      );
+      await lib.startEmailLogin({
+        ...login,
+        method: "email",
+        payload: { emailAddress },
+      });
 
       // Set the login cookie on the client
       const headers = new Headers();
       headers.set(
         "Set-Cookie",
         cookie.serialize(appConfig.auth.loginCookie, login.token, {
-          httpOnly: true,
-          maxAge: appConfig.auth.loginMaxAge / 1_000,
-          secure: appConfig.server.url.protocol === "https:",
+          ...cookieOptions,
         }),
       );
 
@@ -140,6 +109,40 @@ export const loginRoute = defineRoute({
       return Response.json({ token: login.token }, { headers });
     }
 
+    if (body.type === "oauth") {
+      const scope = [
+        "https://www.googleapis.com/auth/userinfo.email",
+        "openid",
+        "profile",
+      ];
+
+      const requested = body.scope
+        ? parseScopes(body.scope)
+        : new Set<string>();
+
+      if (requested.has("calendar")) {
+        scope.push(GOOGLE_CALENDAR_SCOPE);
+      }
+
+      await store.set<LoginRequest>(`/auth/request/${login.token}`, {
+        ...login,
+        method: "oauth",
+        provider: "google",
+      });
+
+      const headers = new Headers();
+      headers.set(
+        "Set-Cookie",
+        cookie.serialize("oauth2-state", login.token, cookieOptions),
+      );
+
+      const url = google.authUrl(scope, login.token, requested);
+
+      // NOTE: you cannot access headers.location from JavaScript
+      // This method would make more sense as a GET request, then cookies can be set too
+      return Response.json({ location: url }, { headers });
+    }
+
     throw HTTPError.notImplemented();
   },
 });