@import url("/assets/md.css")feat: oidc attempt 82845345

@import url("/assets/md.css")

1 files changed, 32 insertions, 47 deletions

diff --git a/src/routes/login/callback/+server.ts b/src/routes/login/callback/+server.ts
index 32b1647..1de7811 100644
--- a/src/routes/login/callback/+server.ts
+++ b/src/routes/login/callback/+server.ts
@@ -1,5 +1,6 @@
+import { base } from '$app/paths';
 import * as auth from '$lib/auth.server.js';
-import { error, json, redirect } from '@sveltejs/kit';
+import { error, isHttpError, isRedirect, json, redirect } from '@sveltejs/kit';
 import * as client from 'openid-client';
 
 // Pre-checker for nonce, not the primary implementation
@@ -18,63 +19,47 @@ const handleNonce = (nonce: string | null, nonceCookie: string | undefined) => {
 };
 export const GET = async (event) => {
   const sp = event.url.searchParams;
-  const params = {
-    sessionState: sp.get('session_state'),
-    iss: sp.get('iss'),
-    code: sp.get('code'),
-    nonce: sp.get('nonce'),
-  };
-  if (!params.sessionState || !params.iss || !params.code)
-    throw error(400, 'Missing one of session_state, iss, code');
 
   const remainingNonces = handleNonce(
-    params.nonce,
+    sp.get('nonce'),
     event.cookies.get('pending-auth-nonces')
   );
 
   try {
-    const tk = await auth.authorizeNewSession(
+    const tokens = await auth.authorizeNewSession(
       new URL(event.url.href),
-      params.nonce ?? undefined
+      sp.get('nonce') ?? undefined
     );
 
-    for (const [k, v] of Object.entries({
-      oid__access_token: tk.access_token,
-      oid__token_type: tk.token_type,
-      oid__expires_at: '' + (Date.now() + (tk.expiresIn() ?? 0) * 1000),
-      oid__refresh_token: tk.refresh_token,
-      oid__sub: tk.claims()!.sub,
-      'pending-auth-nonces': JSON.stringify(remainingNonces),
-    }))
-      if (v)
-        event.cookies.set(k, v, {
-          path: '/',
-          secure: true,
-          httpOnly: true,
-          sameSite: true,
-        });
-    if (tk.scope)
-      event.cookies.set('oid__scopes', tk.scope, {
-        path: '/',
-        secure: true,
-        httpOnly: true,
-        sameSite: true,
-      });
-
-    console.warn(
-      'New Session:',
-      await client.fetchUserInfo(
-        await auth.getConfig(),
-        tk.access_token,
-        tk.claims()!.sub
-      )
-    );
+    auth.setCookies(event.cookies, tokens);
+    event.cookies.set('pending-auth-nonces', JSON.stringify(remainingNonces), {
+      path: '/',
+      secure: true,
+      sameSite: true,
+      httpOnly: true,
+    });
 
-    return json({
-      sub: tk.claims()!.sub,
-      at: tk.access_token,
+    let target = event.cookies.get('next') ?? '/';
+    if (new URL(target, event.url.href).host !== event.url.host) target = '/';
+    event.cookies.delete('next', {
+      path: '/',
     });
+    throw redirect(
+      303,
+      `${base}/login/callback/ok?next=${encodeURIComponent(target)}`
+    );
   } catch (e) {
-    throw redirect(307, '/login');
+    if (isRedirect(e) || isHttpError(e)) throw e;
+    // @ts-ignore
+    if (e?.cause?.error === 'invalid_grant')
+      throw error(
+        403,
+        'Invalid Grant Provided - Does your account have access to all requested resources?'
+      );
+    else
+      throw error(
+        500,
+        `Could not authorize new session: ${JSON.stringify(e, null, 2)}`
+      );
   }
 };