coyotte508's picture
coyotte508 HF staff
🐛 Fix "signin with HF" within space + CSRF (#236)
767afa7 unverified
raw
history blame
3.24 kB
import { Issuer, BaseClient, type UserinfoResponse, TokenSet } from "openid-client";
import { addHours, addYears } from "date-fns";
import {
COOKIE_NAME,
OPENID_CLIENT_ID,
OPENID_CLIENT_SECRET,
OPENID_PROVIDER_URL,
} from "$env/static/private";
import { sha256 } from "$lib/utils/sha256";
import { z } from "zod";
import { dev } from "$app/environment";
import type { Cookies } from "@sveltejs/kit";
export interface OIDCSettings {
redirectURI: string;
}
export interface OIDCUserInfo {
token: TokenSet;
userData: UserinfoResponse;
}
export const requiresUser = !!OPENID_CLIENT_ID && !!OPENID_CLIENT_SECRET;
export function refreshSessionCookie(cookies: Cookies, sessionId: string) {
cookies.set(COOKIE_NAME, sessionId, {
path: "/",
// So that it works inside the space's iframe
sameSite: dev ? "lax" : "none",
secure: !dev,
httpOnly: true,
expires: addYears(new Date(), 1),
});
}
export const OIDC_SCOPES = "openid profile";
export const authCondition = (locals: App.Locals) => {
return locals.user
? { userId: locals.user._id }
: { sessionId: locals.sessionId, userId: { $exists: false } };
};
/**
* Generates a CSRF token using the user sessionId. Note that we don't need a secret because sessionId is enough.
*/
export async function generateCsrfToken(sessionId: string, redirectUrl: string): Promise<string> {
const data = {
expiration: addHours(new Date(), 1).getTime(),
redirectUrl,
};
return Buffer.from(
JSON.stringify({
data,
signature: await sha256(JSON.stringify(data) + "##" + sessionId),
})
).toString("base64");
}
async function getOIDCClient(settings: OIDCSettings): Promise<BaseClient> {
const issuer = await Issuer.discover(OPENID_PROVIDER_URL);
return new issuer.Client({
client_id: OPENID_CLIENT_ID,
client_secret: OPENID_CLIENT_SECRET,
redirect_uris: [settings.redirectURI],
response_types: ["code"],
});
}
export async function getOIDCAuthorizationUrl(
settings: OIDCSettings,
params: { sessionId: string }
): Promise<string> {
const client = await getOIDCClient(settings);
const csrfToken = await generateCsrfToken(params.sessionId, settings.redirectURI);
const url = client.authorizationUrl({
scope: OIDC_SCOPES,
state: csrfToken,
});
return url;
}
export async function getOIDCUserData(settings: OIDCSettings, code: string): Promise<OIDCUserInfo> {
const client = await getOIDCClient(settings);
const token = await client.callback(settings.redirectURI, { code });
const userData = await client.userinfo(token);
return { token, userData };
}
export async function validateAndParseCsrfToken(
token: string,
sessionId: string
): Promise<{
/** This is the redirect url that was passed to the OIDC provider */
redirectUrl: string;
} | null> {
try {
const { data, signature } = z
.object({
data: z.object({
expiration: z.number().int(),
redirectUrl: z.string().url(),
}),
signature: z.string().length(64),
})
.parse(JSON.parse(token));
const reconstructSign = await sha256(JSON.stringify(data) + "##" + sessionId);
if (data.expiration > Date.now() && signature === reconstructSign) {
return { redirectUrl: data.redirectUrl };
}
} catch (e) {
console.error(e);
}
return null;
}