authorLibravatarLarge Libravatar memdmp <memdmpestrogenzone>2025-08-19 20:40:19 +0000
committerLibravatarLarge Libravatar memdmp <memdmpestrogenzone>2025-08-19 20:40:19 +0000
commit7fdaea73c5c67565202e19d6182fc215427919c3 (patch)
treec69e266fe672cba5f8bffd5f53e93b0efab65e9c /src/routes/login/+server.ts

feat: oidc attempt 1

Diffstat (limited to 'src/routes/login/+server.ts')
-rw-r--r--src/routes/login/+server.ts55
1 files changed, 55 insertions, 0 deletions
diff --git a/src/routes/login/+server.ts b/src/routes/login/+server.ts
new file mode 100644
index 0000000..4a032d4
--- /dev/null
+++ b/src/routes/login/+server.ts
@@ -0,0 +1,55 @@
+import { getAuthorizeUrl } from '$lib/auth.server.js';
+import { error, redirect } from '@sveltejs/kit';
+
+export const GET = async (event) => {
+ let target = event.url.searchParams.get('next') ?? '/';
+ let desiredScopes =
+ event.url.searchParams.get('scope') ?? 'profile vm-own-read';
+ if (new URL(target, event.url.href).host !== event.url.host) target = '/';
+ const existingScopes = (event.cookies.get('oid__scopes') ?? '').split(' ');
+ const authed = await event.locals.auth();
+ const missingScopes = !!desiredScopes
+ .split(' ')
+ .find((v) => !existingScopes.includes(v));
+ if (
+ // if we're not authenticated
+ !authed ||
+ // or we're missing scopes
+ missingScopes
+ ) {
+ const { nonce, redirectTo } = await getAuthorizeUrl(
+ event.url.href,
+ desiredScopes.split(' ')
+ );
+ if (nonce) {
+ let existingNonces = [];
+ try {
+ const n = JSON.parse(event.cookies.get('pending-auth-nonces') ?? '[]');
+ if (Array.isArray(n) && n.length && typeof n[0] === 'string')
+ existingNonces = n;
+ } catch (error) {
+ // revoke all existing nonces
+ }
+ event.cookies.set(
+ 'pending-auth-nonces',
+ JSON.stringify([...existingNonces, nonce]),
+ {
+ path: '/',
+ httpOnly: true,
+ secure: true,
+ sameSite: true,
+ }
+ );
+ } else
+ event.cookies.delete('pending-auth-nonces', {
+ path: '/',
+ });
+ event.cookies.delete('next', {
+ path: target,
+ });
+ throw redirect(303, redirectTo);
+ } else {
+ throw redirect(303, target);
+ }
+};
+export const POST = GET;
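Review bot: The `pending-auth-nonces` cookie written in the `event.cookies.set` call uses `sameSite: true`, which the cookie serializer emits as `SameSite=Strict`; browsers withhold Strict cookies on the cross-site top-level navigation that brings the user back from the identity provider, so if the callback route validates the nonce against this cookie the check would fail for every login — the callback is not in this hunk, so this is inferred, but `sameSite: 'lax'` is the usual setting for OAuth/OIDC state and nonce cookies. The parsed list is also only checked on its first element (`typeof n[0] === 'string'`) and grows by one nonce per visit with no cap, so repeated visits to /login accumulate nonces until the cookie exceeds the browser size limit, and every earlier nonce stays accepted until then; `if (Array.isArray(n) && n.every((v) => typeof v === 'string')) existingNonces = n.slice(-5);` validates each element and bounds the list (the callback should additionally drop a nonce once it has been consumed). Separately, `catch (error)` shadows the `error` import from '@sveltejs/kit', which is otherwise unused in this file; `catch {` avoids the shadowing and makes the intentional swallow explicit.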