add authentik login

src/routes/auth/authentik/+server.ts

@@ -0,0 +1,30 @@
+import { generateState, generateCodeVerifier } from "arctic";
+import { authentik } from "$lib/server/oauth";
+
+import type { RequestEvent } from "@sveltejs/kit";
+
+export async function GET(event: RequestEvent): Promise<Response> {
+	const state = generateState();
+	const codeVerifier = generateCodeVerifier();
+	const url = authentik.createAuthorizationURL(state, codeVerifier, ["openid", "profile"]);
+
+	event.cookies.set("authentik_oauth_state", state, {
+		path: "/",
+		httpOnly: true,
+		maxAge: 60 * 10, // 10 minutes
+		sameSite: "lax"
+	});
+	event.cookies.set("authentik_code_verifier", codeVerifier, {
+		path: "/",
+		httpOnly: true,
+		maxAge: 60 * 10, // 10 minutes
+		sameSite: "lax"
+	});
+
+	return new Response(null, {
+		status: 302,
+		headers: {
+			Location: url.toString()
+		}
+	});
+}

src/routes/auth/authentik/callback/+server.ts

@@ -0,0 +1,78 @@
+import { createSession, setSessionTokenCookie } from "$lib/server/auth";
+import { authentik } from "$lib/server/oauth";
+import { decodeIdToken } from "arctic";
+
+import type { RequestEvent } from "@sveltejs/kit";
+import type { OAuth2Tokens } from "arctic";
+import { db } from '$lib/server/db';
+import { eq } from 'drizzle-orm';
+
+import * as table from '$lib/server/db/schema';
+
+export async function GET(event: RequestEvent): Promise<Response> {
+	const code = event.url.searchParams.get("code");
+	const state = event.url.searchParams.get("state");
+	const storedState = event.cookies.get("authentik_oauth_state") ?? null;
+	const codeVerifier = event.cookies.get("authentik_code_verifier") ?? null;
+	if (code === null || state === null || storedState === null || codeVerifier === null) {
+		return new Response(null, {
+			status: 400
+		});
+	}
+	if (state !== storedState) {
+		return new Response(null, {
+			status: 400
+		});
+	}
+
+	let tokens: OAuth2Tokens;
+	try {
+		tokens = await authentik.validateAuthorizationCode(code, codeVerifier);
+	} catch (e) {
+		// Invalid code or client credentials
+		return new Response(null, {
+			status: 400
+		});
+	}
+	const claims = decodeIdToken(tokens.idToken());
+	console.log("claims", claims);
+	const userId: string = claims.sub;
+	const username: string = claims.preferred_username;
+
+	const [existingUser] = await db.select().from(table.user).where(eq(table.user.id, userId));
+
+	if (existingUser) {
+		const session = await createSession(existingUser.id);
+		setSessionTokenCookie(event, session.id, session.expiresAt);
+		return new Response(null, {
+			status: 302,
+			headers: {
+				Location: "/"
+			}
+		});
+	}
+
+	const user: table.User = {
+		id: userId,
+		username,
+		name: claims.name as string,
+	};
+
+	try {
+		await db.insert(table.user).values(user);
+		const session = await createSession(user.id);
+		setSessionTokenCookie(event, session.id, session.expiresAt);
+	} catch (e) {
+		console.error('failed to create user', e);
+		return new Response(null, {
+			status: 500
+		});
+	}
+
+	return new Response(null, {
+		status: 302,
+		headers: {
+			Location: "/"
+		}
+	});
+}