WIP: auth: improve handling of invite tokens

2025-04-08 10:56:13 -07:00 · 2025-04-08 10:56:13 -07:00 · 8f20c168a2
commit 8f20c168a2
parent 12a3001aec
3 changed files with 31 additions and 32 deletions
--- a/src/lib/components/app/auth-form/auth-form.svelte
+++ b/src/lib/components/app/auth-form/auth-form.svelte
@ -4,21 +4,21 @@
 	import { cn } from '$lib/utils.js';
 	import googleIcon from '$lib/assets/google.svg';

-	let { inviteToken, class: className, ...rest }: { inviteToken?: string; class?: string; rest?: { [p: string]: unknown } } = $props();
+	let { inviteToken, class: className, ...rest }: {
+		inviteToken?: string;
+		class?: string;
+		rest?: { [p: string]: unknown }
+	} = $props();

-	let isLoading = $state(false);
+	let submitted = $state(false);
 </script>

 <div class={cn('flex gap-6', className)} {...rest}>
-	<form method="get" action="/auth/authentik{inviteToken ? `?invite=${inviteToken}` : ''}">
+	<form method="get" onsubmit={() => submitted = true}
+				action="/auth/authentik{inviteToken ? `?invite=${inviteToken}` : ''}">
 		<input type="hidden" value={inviteToken} name="invite" />
-		<Button
-			type="submit"
-			onclick={() => {
-				isLoading = true;
-			}}
-		>
-			{#if isLoading}
+		<Button type="submit" disabled={submitted}>
+			{#if submitted}
 				<LucideLoaderCircle class="mr-2 h-4 w-4 animate-spin" />
 			{:else}
 				<img
@ -30,15 +30,11 @@
 			Sign in with Authentik
 		</Button>
 	</form>
-	<form method="get" action="/auth/google">
+	<form method="get" onsubmit={() => submitted = true}
+				action="/auth/google{inviteToken ? `?invite=${inviteToken}` : ''}">
 		<input type="hidden" value={inviteToken} name="invite" />
-		<Button
-			type="submit"
-			onclick={() => {
-				isLoading = true;
-			}}
-		>
-			{#if isLoading}
+		<Button type="submit" disabled={submitted}>
+			{#if submitted}
 				<LucideLoaderCircle class="mr-2 h-4 w-4 animate-spin" />
 			{:else}
 				<img
--- a/src/routes/auth/google/+server.ts
+++ b/src/routes/auth/google/+server.ts
@ -8,7 +8,7 @@ export const GET: RequestHandler = ({ url, cookies }) => {
 	const state = generateState();
 	const codeVerifier = generateCodeVerifier();
 	const scopes = ['openid', 'profile', 'email'];
-	const authUrl = google.createAuthorizationURL(state, codeVerifier, scopes);
+	const authUrl = google.createAuthorizationURL(state + inviteToken, codeVerifier, scopes);

 	cookies.set('google_oauth_state', state, {
 		path: '/',
@ -22,12 +22,6 @@ export const GET: RequestHandler = ({ url, cookies }) => {
 		maxAge: 60 * 10, // 10 minutes
 		sameSite: 'lax',
 	});
-	if (inviteToken !== null) cookies.set('invite_token', inviteToken, {
-		path: '/',
-		httpOnly: true,
-		maxAge: 60 * 10, // 10 minutes
-		sameSite: 'lax',
-	});

 	return new Response(null, {
 		status: 302,
--- a/src/routes/auth/google/callback/+server.ts
+++ b/src/routes/auth/google/callback/+server.ts
@ -13,8 +13,7 @@ export const GET: RequestHandler = async (event) => {
 	const code = url.searchParams.get('code');
 	const state = url.searchParams.get('state');
 	const storedState = cookies.get('google_oauth_state') ?? null;
-	const codeVerifier = cookies.get('google_code_verifier', ) ?? null;
-	const inviteToken = cookies.get('invite_token') ?? null;
+	const codeVerifier = cookies.get('google_code_verifier') ?? null;

 	if (code === null || state === null || storedState === null || codeVerifier === null) {
 		return new Response(null, {
@ -22,6 +21,14 @@ export const GET: RequestHandler = async (event) => {
 		});
 	}

+	const stateGeneratedToken = state.slice(0, storedState.length);
+	const stateInviteToken = state.slice(storedState.length);
+	if (stateGeneratedToken !== storedState) {
+		return new Response(null, {
+			status: 400,
+		});
+	}
+
 	let tokens: OAuth2Tokens;
 	try {
 		tokens = await google.validateAuthorizationCode(code, codeVerifier);
@ -69,10 +76,12 @@ export const GET: RequestHandler = async (event) => {
 		});
 	}

-	// TODO: proper error page
-	if (inviteToken === null || !isValidInviteToken(inviteToken)) {
-		return new Response(null, {
-			status: 400,
+	if (!isValidInviteToken(stateInviteToken)) {
+		const message =
+			stateInviteToken.length === 0 ? 'sign up with an invite link first' : 'invalid invite link';
+
+		return new Response('Not Authorized: ' + message, {
+			status: 403,
 		});
 	}

@ -85,7 +94,7 @@ export const GET: RequestHandler = async (event) => {

 	// TODO: proper error handling, delete cookies
 	await db.insert(table.users).values(user);
-	console.log('created user', user, 'with invite token', inviteToken);
+	console.log('created user', user, 'with invite token', stateInviteToken);

 	const session = await createSession(user.id);