From dddef149aea597a145e3717b2c461b251e0f6a8d Mon Sep 17 00:00:00 2001 From: memdmp Date: Wed, 20 Aug 2025 13:39:01 +0200 Subject: feat: oidc attempt 82845345 --- src/app.d.ts | 14 +++- src/hooks.server.ts | 118 ++++++++++++++++++++++++------ src/lib/auth.server.ts | 36 ++++++++- src/lib/auth.ts | 37 ++++++++++ src/lib/oncePromise.ts | 16 ++-- src/lib/util-types.ts | 4 + src/routes/+error.svelte | 1 + src/routes/+layout.server.ts | 4 +- src/routes/+layout.svelte | 12 ++- src/routes/+page.svelte | 26 ------- src/routes/+server.ts | 3 + src/routes/api/v1/whoami/+server.ts | 9 +++ src/routes/home/+page.svelte | 34 +++++++++ src/routes/login/+server.ts | 16 ++-- src/routes/login/callback/+server.ts | 79 ++++++++------------ src/routes/login/callback/ok/+page.svelte | 13 ++++ src/routes/login/undo/+server.ts | 16 ++++ src/routes/logout/+server.ts | 14 ++++ src/routes/vms/+page.svelte | 16 ++++ 19 files changed, 356 insertions(+), 112 deletions(-) create mode 100644 src/lib/auth.ts create mode 100644 src/lib/util-types.ts delete mode 100644 src/routes/+page.svelte create mode 100644 src/routes/+server.ts create mode 100644 src/routes/api/v1/whoami/+server.ts create mode 100644 src/routes/home/+page.svelte create mode 100644 src/routes/login/callback/ok/+page.svelte create mode 100644 src/routes/login/undo/+server.ts create mode 100644 src/routes/logout/+server.ts create mode 100644 src/routes/vms/+page.svelte diff --git a/src/app.d.ts b/src/app.d.ts index cfeb8a5..4f96a65 100644 --- a/src/app.d.ts +++ b/src/app.d.ts @@ -1,11 +1,21 @@ // See https://svelte.dev/docs/kit/types#app.d.ts + +import type { authHandler } from './hooks.server'; + // for information about these interfaces -type Session = unknown; declare global { namespace App { // interface Error {} interface Locals { - auth: () => Promise; + /** + * Undefined: not authorized + * Null: failed to validate/renew token + */ + auth: () => Promise; + /** + * Removes Authentication Cookies + */ + logout: () => void; } // interface PageData {} // interface PageState {} diff --git a/src/hooks.server.ts b/src/hooks.server.ts index 2fe3744..05b8b18 100644 --- a/src/hooks.server.ts +++ b/src/hooks.server.ts @@ -1,32 +1,104 @@ +import oncePromise from '$lib/oncePromise'; +import type { Defined, Unpromise } from '$lib/util-types'; +import type { RequestEvent, Transport } from '@sveltejs/kit'; import * as auth from './lib/auth.server'; import * as client from 'openid-client'; // https://svelte.dev/docs/kit/hooks#Server-hooks-handle -export const handle = ({ event, resolve }) => { - event.locals.auth = async () => { - const accessToken = event.cookies.get('oid__access_token'); - const sub = event.cookies.get('oid__sub'); - console.warn({ accessToken, sub }); - if (accessToken && sub) { +export const authHandler = ( + event: RequestEvent>, string | null> +) => + oncePromise(async () => { + let refreshToken = event.cookies.get('oid__refresh_token'); + let accessToken = event.cookies.get('oid__access_token'); + let expiry = Number(event.cookies.get('oid__expires_at')); + if ( + refreshToken && + (!accessToken || isNaN(expiry) || expiry - 60 * 1000 >= Date.now()) + ) { try { - const userInfo = await client - .fetchUserInfo(await auth.getConfig(), accessToken, sub) - .catch((e) => { - console.warn(e); - - return null; - }); - console.warn({ - userInfo, - accessToken, - sub, - }); - } catch (error) {} - } else if (accessToken || sub) { - event.cookies.delete('access-token', { path: '/' }); - event.cookies.delete('sub', { path: '/' }); + const tokens = await client.refreshTokenGrant( + await auth.getConfig(), + refreshToken + ); + auth.setCookies(event.cookies, tokens); + accessToken = tokens.access_token; + refreshToken = tokens.refresh_token ?? refreshToken; + expiry = tokens.expires_in + ? Date.now() + tokens.expires_in * 1000 + : expiry; + } catch (error) { + return null; + } } - return null; + if (accessToken) { + try { + const introspectionResponse = await client.tokenIntrospection( + await auth.getConfig(), + accessToken + ); + if (!introspectionResponse.active) { + auth.unsetCookies(event.cookies); + return null; + } + return { + tokens: { + scope: introspectionResponse.scope, + token_type: introspectionResponse.token_type as Lowercase, + expires_at: expiry, + }, + userInfo: await client + .fetchUserInfo( + await auth.getConfig(), + accessToken, + introspectionResponse.sub ?? '' + ) + .catch((e) => { + auth.unsetCookies(event.cookies); + throw e; + }), + __is_session: 1, + }; + } catch (error) { + return null; + } + } else auth.unsetCookies(event.cookies); + return undefined; + }); +export type Session = Defined< + Unpromise>> +>; +export type ClientSession = Omit & { + tokens: { + scope?: string; + token_type?: Lowercase; + expires_at?: number; + }; +}; +() => { + // just a type sanity check to ensure ClientSession is always a subset of Session + let session!: Session; + let clientSession: ClientSession = session satisfies ClientSession; + void clientSession; +}; + +export const filterSession = ( + value: T +): T extends Session ? ClientSession : T => { + type RT = T extends Session ? ClientSession : T; + if (value === null || value === undefined) return value as RT; + // clients probably shouldnt get tokens in js land (we trust the client with the token, but only over HTTP; we want to maximize the annoyance of CSRF successes) + const v = structuredClone(value) as ClientSession; + v.tokens = { + expires_at: value.tokens.expires_at, + scope: value.tokens.scope, + token_type: value.tokens.token_type, }; + return v as RT; +}; + +export const handle = ({ event, resolve }) => { + event.locals.auth = authHandler(event); + event.locals.logout = () => auth.unsetCookies(event.cookies); return resolve(event); }; diff --git a/src/lib/auth.server.ts b/src/lib/auth.server.ts index 77e0dd7..f762cef 100644 --- a/src/lib/auth.server.ts +++ b/src/lib/auth.server.ts @@ -2,6 +2,7 @@ import { env as env_priv } from '$env/dynamic/private'; import { env } from '$env/dynamic/public'; import * as client from 'openid-client'; import oncePromise from './oncePromise'; +import type { Cookies } from '@sveltejs/kit'; const server = new URL(env.PUBLIC_AUTH_KEYCLOAK_ISSUER); const clientId = env_priv.PRIVATE_AUTH_KEYCLOAK_ID; @@ -10,7 +11,10 @@ const redirectPath = '/login/callback'; // Only trigger discovery on first client.discovery (resetting the function after a failed discovery) export const getConfig = oncePromise(() => - client.discovery(server, clientId, clientSecret) + client.discovery(server, clientId, clientSecret).then((config) => { + client.useJwtResponseMode(config); + return config; + }) ); const codeVerifier = client.randomPKCECodeVerifier(); @@ -71,3 +75,33 @@ export const authorizeNewSession = async ( return tokens; }; + +export const unsetCookies = (cookies: Cookies) => { + for (const v of [ + 'oid__access_token', + 'oid__refresh_token', + 'oid__token_type', + 'oid__expires_at', + 'oid__scopes', + ]) + if (cookies.get(v)) cookies.delete(v, { path: '/' }); +}; +export const setCookies = ( + cookies: Cookies, + tokens: client.TokenEndpointResponse & client.TokenEndpointResponseHelpers +) => { + for (const [k, v] of Object.entries({ + oid__access_token: tokens.access_token, + oid__refresh_token: tokens.refresh_token, + oid__token_type: tokens.token_type, + oid__expires_at: '' + (Date.now() + (tokens.expiresIn() ?? 0) * 1000), + oid__scopes: tokens.scope, + })) + if (v) + cookies.set(k, v, { + path: '/', + secure: true, + httpOnly: true, + sameSite: true, + }); +}; diff --git a/src/lib/auth.ts b/src/lib/auth.ts new file mode 100644 index 0000000..dd6b043 --- /dev/null +++ b/src/lib/auth.ts @@ -0,0 +1,37 @@ +import { browser } from '$app/environment'; +import { base } from '$app/paths'; +import { redirect } from '@sveltejs/kit'; +import type { ClientSession } from '../hooks.server'; +import { goto } from '$app/navigation'; + +/** + * Returns `true` if scopes are all included in session, otherwise either attempts to re-login with the new scope added (unless `getScopeOnFail` is false) and returns false + * + * Check the return value of this, even if getScopeOnFail is true; navigating client-side may not stop thread immediately! + */ +export const checkScope = ( + session: ClientSession, + /** The scopes we want */ + neededScopes: string[], + /** Redirect to login page if the scopes aren't found */ + getScopeOnFail = false, + /** The target URL if redirecting */ + next?: string +) => { + const scopes = session.tokens.scope?.split(' ') ?? []; + if (!neededScopes.find((v) => !scopes.includes(v))) return true; + else if (getScopeOnFail) { + const targetUrl = `${base}/login?${ + next || browser + ? `next=${next ?? encodeURIComponent(location.href)}&` + : '' + }scope=${encodeURIComponent( + [...scopes, ...neededScopes] + .filter((v, i, a) => a.indexOf(v) === i) + .join(' ') + )}`; + if (browser) goto(targetUrl); + else throw redirect(307, targetUrl); + } + return false; +}; diff --git a/src/lib/oncePromise.ts b/src/lib/oncePromise.ts index f6ce775..6ce6287 100644 --- a/src/lib/oncePromise.ts +++ b/src/lib/oncePromise.ts @@ -10,13 +10,19 @@ const ensurePromise = (maybePromise: T | PromiseLike): Promise => ? (maybePromise as Promise) : Promise.resolve(maybePromise); /** Returns a function that caches successful promises until time runs out, and throws away unsuccessful ones */ -export const oncePromise = (create: () => Promise, timeout = -1) => { +export const oncePromise = ( + create: () => Promise, + retries = true, + timeout = -1 +) => { let getPromise = (): Promise => { const oldGetPromise = getPromise, - promise = ensurePromise(create()).catch((e) => { - getPromise = oldGetPromise; - throw e; - }), + promise = retries + ? ensurePromise(create()).catch((e) => { + getPromise = oldGetPromise; + throw e; + }) + : ensurePromise(create()), expires = timeout > 0 ? performance.now() + timeout : 0; return (getPromise = expires ? ((() => diff --git a/src/lib/util-types.ts b/src/lib/util-types.ts new file mode 100644 index 0000000..861edcf --- /dev/null +++ b/src/lib/util-types.ts @@ -0,0 +1,4 @@ +export type Unpromise> = T extends Promise + ? U + : never; +export type Defined = T extends undefined | null ? never : T; diff --git a/src/routes/+error.svelte b/src/routes/+error.svelte index a19e467..c7cd13f 100644 --- a/src/routes/+error.svelte +++ b/src/routes/+error.svelte @@ -4,3 +4,4 @@

HTTP {page.status}

{page.error?.message}

+

Go Home

diff --git a/src/routes/+layout.server.ts b/src/routes/+layout.server.ts index afdac71..c6f56da 100644 --- a/src/routes/+layout.server.ts +++ b/src/routes/+layout.server.ts @@ -1,5 +1,7 @@ +import { filterSession } from '../hooks.server'; + export const load = async ({ locals }) => { return { - // session: await locals.auth(), + session: filterSession(await locals.auth()), }; }; diff --git a/src/routes/+layout.svelte b/src/routes/+layout.svelte index 1980c3a..dc81706 100644 --- a/src/routes/+layout.svelte +++ b/src/routes/+layout.svelte @@ -13,8 +13,16 @@