add login/logout relay for previews

Author: drankou

.env.example

@@ -43,6 +43,13 @@ NEXT_PUBLIC_E2B_DOMAIN=e2b.dev
 # ORY_KRATOS_ADMIN_URL=http://localhost:4434
 # ORY_HYDRA_ADMIN_URL=http://localhost:4445
 
+### Fixed host whose OAuth callback/logout relays are registered in Hydra. Set on
+### preview deployments only (dynamic preview hosts can't register their own
+### redirect URIs); leave unset on staging/production/local, where sign-in stays
+### host-direct. The relay paths (/api/auth/oauth/relay, /api/auth/oauth/logout-relay)
+### must be added to the OAuth2 client's redirect_uris / post_logout_redirect_uris.
+# ORY_OAUTH_RELAY_ORIGIN=https://e2b-staging.dev
+
 # ENABLE_USER_BOOTSTRAP=0
 
 ### Billing API URL (Required if NEXT_PUBLIC_INCLUDE_BILLING=1)

src/app/api/auth/oauth/callback/ory/route.ts

@@ -6,10 +6,10 @@ import { ensureOryUserBootstrapped } from '@/core/server/auth/ory/dashboard-boot
 import { exchangeOryCallback } from '@/core/server/auth/ory/oauth-client'
 import {
   E2B_OAUTH_FLOW_COOKIE,
-  OAUTH_CALLBACK_PATH,
   ORY_RECOVER_PATH,
   openOryFlowState,
 } from '@/core/server/auth/ory/oauth-flow'
+import { resolveOryRedirectUri } from '@/core/server/auth/ory/oauth-relay'
 import {
   E2B_SESSION_COOKIE,
   ORY_SIGNUP_METADATA_COOKIE,
@@ -49,7 +49,9 @@ export async function GET(request: NextRequest) {
       expectedState: flow.state,
       expectedNonce: flow.nonce,
       codeVerifier: flow.codeVerifier,
-      redirectUri: new URL(OAUTH_CALLBACK_PATH, origin).toString(),
+      // Must be byte-identical to the authorize-time value (the registered
+      // relay URI on previews), not the host the code was delivered to.
+      redirectUri: resolveOryRedirectUri(origin).redirectUri,
     })
   } catch (error) {
     l.error(
@@ -76,7 +78,7 @@ export async function GET(request: NextRequest) {
     // Don't strand the user with a half-provisioned login: end the Ory + Kratos
     // session via RP-logout (falling back to home if no id_token is available).
     const logoutUrl = tokens.idToken
-      ? buildOryLogoutUrl({ idToken: tokens.idToken, origin })
+      ? await buildOryLogoutUrl({ idToken: tokens.idToken, origin })
       : null
     return finalize(
       NextResponse.redirect(logoutUrl ?? new URL(ORY_POST_LOGOUT_PATH, origin))

src/app/api/auth/oauth/logout-relay/route.ts

@@ -0,0 +1,29 @@
+import 'server-only'
+
+import { type NextRequest, NextResponse } from 'next/server'
+import {
+  isAllowedRelayTarget,
+  openRelayState,
+} from '@/core/server/auth/ory/oauth-relay'
+import { ORY_POST_LOGOUT_PATH } from '@/core/server/auth/ory/signout'
+import { l } from '@/core/shared/clients/logger/logger'
+
+// Fixed-host post-logout relay (mirror of the login relay). Hydra returns here
+// after ending the session, with the sealed `state` carrying the preview origin;
+// we bounce the browser back to that preview's home. The sign-out route already
+// cleared the cookies on the preview before the Hydra hop, so this is a pure
+// redirect. See oauth-relay.ts.
+export async function GET(request: NextRequest) {
+  const origin = request.nextUrl.origin
+  const target = await openRelayState(request.nextUrl.searchParams.get('state'))
+
+  if (!target || !isAllowedRelayTarget(target)) {
+    l.warn(
+      { key: 'oauth_logout_relay:invalid_target' },
+      'Ory logout relay hit without a valid sealed target'
+    )
+    return NextResponse.redirect(new URL(ORY_POST_LOGOUT_PATH, origin))
+  }
+
+  return NextResponse.redirect(new URL(ORY_POST_LOGOUT_PATH, target))
+}

src/app/api/auth/oauth/relay/route.ts

@@ -0,0 +1,39 @@
+import 'server-only'
+
+import { type NextRequest, NextResponse } from 'next/server'
+import {
+  OAUTH_CALLBACK_PATH,
+  ORY_RECOVER_PATH,
+} from '@/core/server/auth/ory/oauth-flow'
+import {
+  isAllowedRelayTarget,
+  openRelayState,
+} from '@/core/server/auth/ory/oauth-relay'
+import { l } from '@/core/shared/clients/logger/logger'
+
+// Fixed-host relay for preview deployments. Hydra is configured with this host's
+// /api/auth/oauth/relay as the single registered redirect_uri; previews encode
+// their own origin in the sealed `state`. We bounce the browser — carrying
+// code/state/iss (and any error) verbatim — to the originating preview's real
+// callback, which finishes the PKCE exchange (its verifier never left that
+// origin). See oauth-relay.ts. Never touches cookies.
+export async function GET(request: NextRequest) {
+  const origin = request.nextUrl.origin
+  const state = request.nextUrl.searchParams.get('state')
+  const target = await openRelayState(state)
+
+  if (!target || !isAllowedRelayTarget(target)) {
+    l.warn(
+      {
+        key: 'oauth_relay:invalid_target',
+        context: { hasState: Boolean(state) },
+      },
+      'Ory relay hit without a valid sealed target'
+    )
+    return NextResponse.redirect(new URL(ORY_RECOVER_PATH, origin))
+  }
+
+  const destination = new URL(OAUTH_CALLBACK_PATH, target)
+  destination.search = request.nextUrl.search
+  return NextResponse.redirect(destination)
+}

src/app/api/auth/oauth/start/route.ts

@@ -7,11 +7,14 @@ import {
 import { buildOryAuthorizationRequest } from '@/core/server/auth/ory/oauth-client'
 import {
   E2B_OAUTH_FLOW_COOKIE,
-  OAUTH_CALLBACK_PATH,
   ORY_RECOVER_PATH,
   oryFlowCookieOptions,
   sealOryFlowState,
 } from '@/core/server/auth/ory/oauth-flow'
+import {
+  resolveOryRedirectUri,
+  sealRelayState,
+} from '@/core/server/auth/ory/oauth-relay'
 import { ORY_SIGNUP_METADATA_COOKIE } from '@/core/server/auth/ory/session-cookie'
 import {
   encodeOrySignupMetadata,
@@ -34,11 +37,17 @@ export async function GET(request: NextRequest) {
   const returnTo = normalizeOryReturnTo(
     request.nextUrl.searchParams.get('returnTo')
   )
-  const redirectUri = new URL(OAUTH_CALLBACK_PATH, origin).toString()
+  const { redirectUri, relayTarget } = resolveOryRedirectUri(origin)
 
   let authorization: Awaited<ReturnType<typeof buildOryAuthorizationRequest>>
   try {
-    authorization = await buildOryAuthorizationRequest(intent, redirectUri)
+    // Relay mode carries the preview origin in a sealed state; direct mode keeps
+    // the original two-arg call so staging/production behavior is unchanged.
+    authorization = relayTarget
+      ? await buildOryAuthorizationRequest(intent, redirectUri, {
+          state: await sealRelayState(relayTarget),
+        })
+      : await buildOryAuthorizationRequest(intent, redirectUri)
   } catch (error) {
     l.error(
       {

src/core/server/auth/ory/oauth-client.ts

@@ -93,7 +93,8 @@ function oryClient(env: OryOAuthEnv): oauth.Client {
 
 export async function buildOryAuthorizationRequest(
   intent: OryAuthIntent,
-  redirectUri: string
+  redirectUri: string,
+  options?: { state?: string }
 ): Promise<OryAuthorizationRequest> {
   const env = readOryOAuthEnv()
   const as = await discoverAuthorizationServer(env)
@@ -104,7 +105,9 @@ export async function buildOryAuthorizationRequest(
 
   const codeVerifier = oauth.generateRandomCodeVerifier()
   const codeChallenge = await oauth.calculatePKCECodeChallenge(codeVerifier)
-  const state = oauth.generateRandomState()
+  // In relay mode the caller supplies a sealed state carrying the preview
+  // origin; it doubles as the CSRF state validated at the callback.
+  const state = options?.state ?? oauth.generateRandomState()
   const nonce = oauth.generateRandomNonce()
 
   const url = new URL(as.authorization_endpoint)

src/core/server/auth/ory/oauth-relay.ts

@@ -0,0 +1,97 @@
+// OAuth callback relay for preview deployments. Ory does not allow wildcard
+// redirect URIs, so previews — whose host is dynamic per branch — cannot
+// register their own callback. Instead we register ONE stable callback on a
+// fixed host (ORY_OAUTH_RELAY_ORIGIN) and point Hydra there for every preview,
+// encoding the originating preview origin in the sealed OAuth `state`. The fixed
+// host bounces the browser (carrying code/state/iss) back to the preview's real
+// callback, which finishes the PKCE exchange using the same registered
+// redirect_uri string — the token request only requires the redirect_uri to
+// match the authorize-time value, not to be where the code was delivered.
+//
+// The PKCE verifier lives in a host-only cookie on the preview and never reaches
+// the relay. `state` is sealed with the shared cookie crypto (E2B_SESSION_SECRET,
+// identical across the fixed host and previews), so the target is tamper-proof.
+//
+// No next/headers import here so this stays importable from edge middleware
+// (signout.ts pulls it in for the post-logout path).
+
+import { EncryptJWT, jwtDecrypt } from 'jose'
+import { isLoopbackUrl } from '@/core/shared/schemas/url'
+import { CONTENT_ENCRYPTION, deriveKey, KEY_ALGORITHM } from './cookie-crypto'
+import { OAUTH_CALLBACK_PATH } from './oauth-flow'
+
+export const OAUTH_RELAY_PATH = '/api/auth/oauth/relay'
+export const OAUTH_LOGOUT_RELAY_PATH = '/api/auth/oauth/logout-relay'
+
+// The fixed host whose relay endpoints are registered in Hydra. Set on preview
+// deployments only; unset on staging/production/local, where the flow stays
+// host-direct and behaves exactly as before.
+export function readRelayOrigin(): string | undefined {
+  const value = process.env.ORY_OAUTH_RELAY_ORIGIN
+  if (!value) return undefined
+  return value.replace(/\/$/, '')
+}
+
+// Relay mode applies only when a fixed origin is configured AND differs from the
+// request origin. On the fixed host itself (and everywhere relay is unset) the
+// request resolves to its own callback, i.e. today's behavior.
+export function resolveOryRedirectUri(requestOrigin: string): {
+  redirectUri: string
+  relayTarget?: string
+} {
+  const relay = readRelayOrigin()
+  if (relay && relay !== requestOrigin) {
+    return {
+      redirectUri: new URL(OAUTH_RELAY_PATH, relay).toString(),
+      relayTarget: requestOrigin,
+    }
+  }
+
+  return { redirectUri: new URL(OAUTH_CALLBACK_PATH, requestOrigin).toString() }
+}
+
+// Carries the originating preview origin through Hydra in the OAuth `state`
+// (login) or RP-logout `state`. The random `r` gives the login state CSRF
+// entropy beyond the per-seal random IV.
+export async function sealRelayState(target: string): Promise<string> {
+  return new EncryptJWT({ t: target, r: crypto.randomUUID() })
+    .setProtectedHeader({ alg: KEY_ALGORITHM, enc: CONTENT_ENCRYPTION })
+    .setIssuedAt()
+    .encrypt(await deriveKey())
+}
+
+export async function openRelayState(
+  value: string | null | undefined
+): Promise<string | null> {
+  if (!value) return null
+
+  try {
+    const { payload } = await jwtDecrypt(value, await deriveKey())
+    return typeof payload.t === 'string' ? payload.t : null
+  } catch {
+    return null
+  }
+}
+
+// Open-redirect guard: a relay target must be a first-party origin. Production
+// requires HTTPS under NEXT_PUBLIC_E2B_DOMAIN (e.g. `*.e2b-staging.dev`); local
+// dev also accepts loopback so the relay path can be exercised across ports.
+export function isAllowedRelayTarget(target: string): boolean {
+  let url: URL
+  try {
+    url = new URL(target)
+  } catch {
+    return false
+  }
+
+  if (url.protocol === 'http:' && isLoopbackUrl(target)) {
+    return process.env.NODE_ENV !== 'production'
+  }
+
+  if (url.protocol !== 'https:') return false
+
+  const base = process.env.NEXT_PUBLIC_E2B_DOMAIN
+  if (!base) return false
+
+  return url.hostname === base || url.hostname.endsWith(`.${base}`)
+}

src/core/server/auth/ory/signout-flow.ts

@@ -32,5 +32,6 @@ export async function completeOrySignOut(origin = BASE_URL): Promise<string> {
 
   if (!idToken) return fallback
 
-  return buildOryLogoutUrl({ idToken, origin })?.toString() ?? fallback
+  const logoutUrl = await buildOryLogoutUrl({ idToken, origin })
+  return logoutUrl?.toString() ?? fallback
 }

src/core/server/auth/ory/signout.ts

@@ -1,19 +1,37 @@
+import {
+  OAUTH_LOGOUT_RELAY_PATH,
+  readRelayOrigin,
+  sealRelayState,
+} from './oauth-relay'
+
 export const ORY_POST_LOGOUT_PATH = '/'
 
 // Builds Hydra's RP-initiated logout URL. With the id_token as the hint Hydra
 // ends both its own OAuth2 session and (since it delegates login to Kratos) the
 // Kratos session, then returns the browser to post_logout_redirect_uri.
-export function buildOryLogoutUrl({
+export async function buildOryLogoutUrl({
   idToken,
   origin,
 }: {
   idToken: string
   origin: string
-}): URL | null {
+}): Promise<URL | null> {
   const issuer = process.env.ORY_HYDRA_PUBLIC_URL ?? process.env.ORY_SDK_URL
   if (!issuer) return null
 
-  const postLogoutUrl = new URL(ORY_POST_LOGOUT_PATH, origin)
+  // Previews can't register their dynamic host as a post_logout_redirect_uri,
+  // so route through the fixed relay host and carry the real origin in `state`
+  // (Hydra returns it to the post-logout URI). See oauth-relay.ts.
+  const relay = readRelayOrigin()
+  let postLogoutUrl: URL
+  let relayState: string | undefined
+  if (relay && relay !== origin) {
+    postLogoutUrl = new URL(OAUTH_LOGOUT_RELAY_PATH, relay)
+    relayState = await sealRelayState(origin)
+  } else {
+    postLogoutUrl = new URL(ORY_POST_LOGOUT_PATH, origin)
+  }
+
   const logoutUrl = new URL(
     `${issuer.replace(/\/$/, '')}/oauth2/sessions/logout`
   )
@@ -22,6 +40,7 @@ export function buildOryLogoutUrl({
     'post_logout_redirect_uri',
     postLogoutUrl.toString()
   )
+  if (relayState) logoutUrl.searchParams.set('state', relayState)
 
   return logoutUrl
 }

src/lib/env.ts

@@ -24,6 +24,10 @@ export const serverSchema = z.object({
   ORY_PROJECT_API_TOKEN: z.string().min(1).optional(),
   ORY_KRATOS_ADMIN_URL: z.url().optional(),
   ORY_HYDRA_ADMIN_URL: z.url().optional(),
+  // Fixed host whose OAuth callback/logout relays are registered in Hydra. Set
+  // on preview deployments (dynamic hosts can't register their own redirect
+  // URIs); unset on staging/production/local, where the flow stays host-direct.
+  ORY_OAUTH_RELAY_ORIGIN: z.url().optional(),
 
   OTEL_SERVICE_NAME: z.string().optional(),
   OTEL_EXPORTER_OTLP_ENDPOINT: z.url().optional(),