update
This commit is contained in:
@@ -8,9 +8,14 @@ export async function initializeOIDC(): Promise<void> {
|
||||
try {
|
||||
const issuer = await Issuer.discover(config.oidc.issuerUrl);
|
||||
|
||||
const redirectUris = [config.oidc.redirectUri];
|
||||
if (config.oidc.iosRedirectUri) {
|
||||
redirectUris.push(config.oidc.iosRedirectUri);
|
||||
}
|
||||
|
||||
oidcClient = new issuer.Client({
|
||||
client_id: config.oidc.clientId,
|
||||
redirect_uris: [config.oidc.redirectUri],
|
||||
redirect_uris: redirectUris,
|
||||
response_types: ['code'],
|
||||
token_endpoint_auth_method: 'none', // PKCE flow - no client secret
|
||||
});
|
||||
@@ -33,27 +38,35 @@ export interface AuthSession {
|
||||
codeVerifier: string;
|
||||
state: string;
|
||||
nonce: string;
|
||||
redirectUri?: string;
|
||||
}
|
||||
|
||||
export function createAuthSession(): AuthSession {
|
||||
export function createAuthSession(redirectUri?: string): AuthSession {
|
||||
return {
|
||||
codeVerifier: generators.codeVerifier(),
|
||||
state: generators.state(),
|
||||
nonce: generators.nonce(),
|
||||
redirectUri,
|
||||
};
|
||||
}
|
||||
|
||||
export function getAuthorizationUrl(session: AuthSession): string {
|
||||
export function getAuthorizationUrl(session: AuthSession, redirectUri?: string): string {
|
||||
const client = getOIDCClient();
|
||||
const codeChallenge = generators.codeChallenge(session.codeVerifier);
|
||||
|
||||
return client.authorizationUrl({
|
||||
const params: Record<string, string> = {
|
||||
scope: 'openid profile email',
|
||||
state: session.state,
|
||||
nonce: session.nonce,
|
||||
code_challenge: codeChallenge,
|
||||
code_challenge_method: 'S256',
|
||||
});
|
||||
};
|
||||
|
||||
if (redirectUri) {
|
||||
params.redirect_uri = redirectUri;
|
||||
}
|
||||
|
||||
return client.authorizationUrl(params);
|
||||
}
|
||||
|
||||
export async function handleCallback(
|
||||
@@ -62,8 +75,10 @@ export async function handleCallback(
|
||||
): Promise<TokenSet> {
|
||||
const client = getOIDCClient();
|
||||
|
||||
const redirectUri = session.redirectUri || config.oidc.redirectUri;
|
||||
|
||||
const tokenSet = await client.callback(
|
||||
config.oidc.redirectUri,
|
||||
redirectUri,
|
||||
params,
|
||||
{
|
||||
code_verifier: session.codeVerifier,
|
||||
@@ -114,4 +129,21 @@ export async function verifyToken(tokenSet: TokenSet): Promise<boolean> {
|
||||
} catch {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
export async function verifyBearerToken(accessToken: string): Promise<AuthenticatedUser> {
|
||||
const client = getOIDCClient();
|
||||
|
||||
const userInfo = await client.userinfo(accessToken);
|
||||
|
||||
const id = String(userInfo.sub);
|
||||
const username = String(userInfo.preferred_username || userInfo.name || id);
|
||||
const email = String(userInfo.email || '');
|
||||
const fullName = String(userInfo.name || '') || null;
|
||||
|
||||
if (!email) {
|
||||
throw new Error('Email not provided by OIDC provider');
|
||||
}
|
||||
|
||||
return { id, username, fullName, email };
|
||||
}
|
||||
@@ -17,6 +17,7 @@ export const config = {
|
||||
redirectUri:
|
||||
process.env.OIDC_REDIRECT_URI ||
|
||||
"http://localhost:3001/api/auth/callback",
|
||||
iosRedirectUri: process.env.OIDC_IOS_REDIRECT_URI || "timetracker://oauth/callback",
|
||||
},
|
||||
|
||||
session: {
|
||||
|
||||
@@ -1,19 +1,34 @@
|
||||
import { Request, Response, NextFunction } from 'express';
|
||||
import { prisma } from '../prisma/client';
|
||||
import type { AuthenticatedRequest, AuthenticatedUser } from '../types';
|
||||
import { getOIDCClient, verifyBearerToken } from '../auth/oidc';
|
||||
|
||||
export function requireAuth(
|
||||
export async function requireAuth(
|
||||
req: AuthenticatedRequest,
|
||||
res: Response,
|
||||
next: NextFunction
|
||||
): void {
|
||||
if (!req.session?.user) {
|
||||
res.status(401).json({ error: 'Unauthorized' });
|
||||
return;
|
||||
): Promise<void> {
|
||||
// 1. Session-based auth (web frontend)
|
||||
if (req.session?.user) {
|
||||
req.user = req.session.user as AuthenticatedUser;
|
||||
return next();
|
||||
}
|
||||
|
||||
req.user = req.session.user as AuthenticatedUser;
|
||||
next();
|
||||
|
||||
// 2. Bearer token auth (iOS / native clients)
|
||||
const authHeader = req.headers.authorization;
|
||||
if (authHeader?.startsWith('Bearer ')) {
|
||||
const accessToken = authHeader.slice(7);
|
||||
try {
|
||||
const user = await verifyBearerToken(accessToken);
|
||||
req.user = user;
|
||||
return next();
|
||||
} catch {
|
||||
res.status(401).json({ error: 'Unauthorized' });
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
res.status(401).json({ error: 'Unauthorized' });
|
||||
}
|
||||
|
||||
export function optionalAuth(
|
||||
@@ -42,4 +57,4 @@ export async function syncUser(user: AuthenticatedUser): Promise<void> {
|
||||
email: user.email,
|
||||
},
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
@@ -26,10 +26,11 @@ router.get("/login", async (req, res) => {
|
||||
try {
|
||||
await ensureOIDC();
|
||||
|
||||
const session = createAuthSession();
|
||||
const redirectUri = req.query.redirect_uri as string | undefined;
|
||||
const session = createAuthSession(redirectUri);
|
||||
req.session.oidc = session;
|
||||
|
||||
const authorizationUrl = getAuthorizationUrl(session);
|
||||
const authorizationUrl = getAuthorizationUrl(session, redirectUri);
|
||||
res.redirect(authorizationUrl);
|
||||
} catch (error) {
|
||||
console.error("Login error:", error);
|
||||
@@ -88,4 +89,60 @@ router.get("/me", requireAuth, (req: AuthenticatedRequest, res) => {
|
||||
res.json(req.user);
|
||||
});
|
||||
|
||||
// POST /auth/token - Exchange authorization code for tokens (for native apps)
|
||||
// The session cookie set during /auth/login is sent automatically by ASWebAuthenticationSession,
|
||||
// so req.session.oidc contains the original state/nonce for validation.
|
||||
router.post("/token", async (req, res) => {
|
||||
try {
|
||||
await ensureOIDC();
|
||||
|
||||
const { code, state, code_verifier, redirect_uri } = req.body;
|
||||
|
||||
if (!code || !state || !code_verifier || !redirect_uri) {
|
||||
res.status(400).json({ error: "Missing required parameters: code, state, code_verifier, redirect_uri" });
|
||||
return;
|
||||
}
|
||||
|
||||
const oidcSession = req.session.oidc;
|
||||
if (!oidcSession) {
|
||||
res.status(400).json({ error: "No active OIDC session. Initiate login first." });
|
||||
return;
|
||||
}
|
||||
|
||||
// Validate that the returned state matches what was stored in the session
|
||||
if (oidcSession.state !== state) {
|
||||
res.status(400).json({ error: "State mismatch" });
|
||||
return;
|
||||
}
|
||||
|
||||
// Use the session's own codeVerifier (generated by the backend during /auth/login)
|
||||
// rather than a client-supplied one, to prevent verifier substitution attacks.
|
||||
const session = {
|
||||
codeVerifier: oidcSession.codeVerifier,
|
||||
state: oidcSession.state,
|
||||
nonce: oidcSession.nonce,
|
||||
redirectUri: redirect_uri,
|
||||
};
|
||||
|
||||
const tokenSet = await handleCallback({ code, state }, session);
|
||||
|
||||
const user = await getUserInfo(tokenSet);
|
||||
await syncUser(user);
|
||||
|
||||
// Clear OIDC session state now that it has been consumed
|
||||
delete req.session.oidc;
|
||||
|
||||
res.json({
|
||||
access_token: tokenSet.access_token,
|
||||
id_token: tokenSet.id_token,
|
||||
token_type: tokenSet.token_type,
|
||||
expires_in: tokenSet.expires_in,
|
||||
user,
|
||||
});
|
||||
} catch (error) {
|
||||
console.error("Token exchange error:", error);
|
||||
res.status(500).json({ error: "Failed to exchange token" });
|
||||
}
|
||||
});
|
||||
|
||||
export default router;
|
||||
|
||||
Reference in New Issue
Block a user