From 7fdaea73c5c67565202e19d6182fc215427919c3 Mon Sep 17 00:00:00 2001
From: memdmp
Date: Tue, 19 Aug 2025 20:40:19 +0000
Subject: feat: oidc attempt 1
---
src/routes/login/+server.ts | 55 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 55 insertions(+)
create mode 100644 src/routes/login/+server.ts
(limited to 'src/routes/login/+server.ts')
diff --git a/src/routes/login/+server.ts b/src/routes/login/+server.ts
new file mode 100644
index 0000000..4a032d4
--- /dev/null
+++ b/src/routes/login/+server.ts
@@ -0,0 +1,55 @@
+import { getAuthorizeUrl } from '$lib/auth.server.js';
+import { error, redirect } from '@sveltejs/kit';
+
+export const GET = async (event) => {
+ let target = event.url.searchParams.get('next') ?? '/';
+ let desiredScopes =
+ event.url.searchParams.get('scope') ?? 'profile vm-own-read';
+ if (new URL(target, event.url.href).host !== event.url.host) target = '/';
+ const existingScopes = (event.cookies.get('oid__scopes') ?? '').split(' ');
+ const authed = await event.locals.auth();
+ const missingScopes = !!desiredScopes
+ .split(' ')
+ .find((v) => !existingScopes.includes(v));
+ if (
+ // if we're not authenticated
+ !authed ||
+ // or we're missing scopes
+ missingScopes
+ ) {
+ const { nonce, redirectTo } = await getAuthorizeUrl(
+ event.url.href,
+ desiredScopes.split(' ')
+ );
+ if (nonce) {
+ let existingNonces = [];
+ try {
+ const n = JSON.parse(event.cookies.get('pending-auth-nonces') ?? '[]');
+ if (Array.isArray(n) && n.length && typeof n[0] === 'string')
+ existingNonces = n;
+ } catch (error) {
+ // revoke all existing nonces
+ }
+ event.cookies.set(
+ 'pending-auth-nonces',
+ JSON.stringify([...existingNonces, nonce]),
+ {
+ path: '/',
+ httpOnly: true,
+ secure: true,
+ sameSite: true,
+ }
+ );
+ } else
+ event.cookies.delete('pending-auth-nonces', {
+ path: '/',
+ });
+ event.cookies.delete('next', {
+ path: target,
+ });
+ throw redirect(303, redirectTo);
+ } else {
+ throw redirect(303, target);
+ }
+};
+export const POST = GET;
-- 
cgit v1.2.3
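Review bot: The `sameSite: true` option in the `event.cookies.set('pending-auth-nonces', …)` call serializes to SameSite=Strict in the cookie library SvelteKit uses, and Strict cookies are not attached to the cross-site top-level redirect the identity provider makes back to this app, so the callback handler (not in this hunk) presumably never sees the pending nonces; OAuth/OIDC state and nonce cookies need `sameSite: 'lax'`. The same cookie also grows without bound — every hit on /login appends a nonce and nothing prunes or expires the list — so repeated visits, or a deliberate loop of requests, push it past the browser's per-cookie size limit and login silently breaks; cap it with `JSON.stringify([...existingNonces, nonce].slice(-5))` and add `maxAge: 600` so stale nonces expire. Separately, `new URL(target, event.url.href)` throws on inputs such as `?next=http://%5B`, turning the open-redirect guard into an unhandled 500, so wrap it in a try/catch that falls back to `target = '/'`. Finally, the `catch (error)` parameter shadows the `error` import from @sveltejs/kit, and `event.cookies.delete('next', { path: target })` scopes the deletion to a user-supplied path — `path: '/'` looks like what was intended.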