CaZzzer/vpgen
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

WIP: auth: improve handling of invite tokens

Browse Source
This commit is contained in:
Yuri Tatishchev 2025-04-08 10:56:13 -07:00
parent 12a3001aec
commit 8f20c168a2
Signed by: CaZzzer
SSH Key Fingerprint: SHA256:sqXB3fe0LMpfH+IeM/vlmxKdso52kssrIJBlwKXVe1U
3 changed files with 31 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
src/lib/components/app/auth-form/auth-form.svelte
View File

@ -4,21 +4,21 @@
import { cn } from '$lib/utils.js'; import { cn } from '$lib/utils.js';
import googleIcon from '$lib/assets/google.svg'; import googleIcon from '$lib/assets/google.svg';
let { inviteToken, class: className, ...rest }: { inviteToken?: string; class?: string; rest?: { [p: string]: unknown } } = $props(); let { inviteToken, class: className, ...rest }: {
inviteToken?: string;
class?: string;
rest?: { [p: string]: unknown }
} = $props();
let isLoading = $state(false); let submitted = $state(false);
</script> </script>
<div class={cn('flex gap-6', className)} {...rest}> <div class={cn('flex gap-6', className)} {...rest}>
<form method="get" action="/auth/authentik{inviteToken ? `?invite=${inviteToken}` : ''}"> <form method="get" onsubmit={() => submitted = true}
action="/auth/authentik{inviteToken ? `?invite=${inviteToken}` : ''}">
<input type="hidden" value={inviteToken} name="invite" /> <input type="hidden" value={inviteToken} name="invite" />
<Button <Button type="submit" disabled={submitted}>
type="submit" {#if submitted}
onclick={() => {
isLoading = true;
}}
>
{#if isLoading}
<LucideLoaderCircle class="mr-2 h-4 w-4 animate-spin" /> <LucideLoaderCircle class="mr-2 h-4 w-4 animate-spin" />
{:else} {:else}
<img <img
@ -30,15 +30,11 @@
Sign in with Authentik Sign in with Authentik
</Button> </Button>
</form> </form>
<form method="get" action="/auth/google"> <form method="get" onsubmit={() => submitted = true}
action="/auth/google{inviteToken ? `?invite=${inviteToken}` : ''}">
<input type="hidden" value={inviteToken} name="invite" /> <input type="hidden" value={inviteToken} name="invite" />
<Button <Button type="submit" disabled={submitted}>
type="submit" {#if submitted}
onclick={() => {
isLoading = true;
}}
>
{#if isLoading}
<LucideLoaderCircle class="mr-2 h-4 w-4 animate-spin" /> <LucideLoaderCircle class="mr-2 h-4 w-4 animate-spin" />
{:else} {:else}
<img <img

8
src/routes/auth/google/+server.ts
View File

@ -8,7 +8,7 @@ export const GET: RequestHandler = ({ url, cookies }) => {
const state = generateState(); const state = generateState();
const codeVerifier = generateCodeVerifier(); const codeVerifier = generateCodeVerifier();
const scopes = ['openid', 'profile', 'email']; const scopes = ['openid', 'profile', 'email'];
const authUrl = google.createAuthorizationURL(state, codeVerifier, scopes); const authUrl = google.createAuthorizationURL(state + inviteToken, codeVerifier, scopes);
cookies.set('google_oauth_state', state, { cookies.set('google_oauth_state', state, {
path: '/', path: '/',
@ -22,12 +22,6 @@ export const GET: RequestHandler = ({ url, cookies }) => {
maxAge: 60 * 10, // 10 minutes maxAge: 60 * 10, // 10 minutes
sameSite: 'lax', sameSite: 'lax',
}); });
if (inviteToken !== null) cookies.set('invite_token', inviteToken, {
path: '/',
httpOnly: true,
maxAge: 60 * 10, // 10 minutes
sameSite: 'lax',
});
return new Response(null, { return new Response(null, {
status: 302, status: 302,

23
src/routes/auth/google/callback/+server.ts
View File

@ -13,8 +13,7 @@ export const GET: RequestHandler = async (event) => {
const code = url.searchParams.get('code'); const code = url.searchParams.get('code');
const state = url.searchParams.get('state'); const state = url.searchParams.get('state');
const storedState = cookies.get('google_oauth_state') ?? null; const storedState = cookies.get('google_oauth_state') ?? null;
const codeVerifier = cookies.get('google_code_verifier', ) ?? null; const codeVerifier = cookies.get('google_code_verifier') ?? null;
const inviteToken = cookies.get('invite_token') ?? null;
if (code === null || state === null || storedState === null || codeVerifier === null) { if (code === null || state === null || storedState === null || codeVerifier === null) {
return new Response(null, { return new Response(null, {
@ -22,6 +21,14 @@ export const GET: RequestHandler = async (event) => {
}); });
} }
const stateGeneratedToken = state.slice(0, storedState.length);
const stateInviteToken = state.slice(storedState.length);
if (stateGeneratedToken !== storedState) {
return new Response(null, {
status: 400,
});
}
let tokens: OAuth2Tokens; let tokens: OAuth2Tokens;
try { try {
tokens = await google.validateAuthorizationCode(code, codeVerifier); tokens = await google.validateAuthorizationCode(code, codeVerifier);
@ -69,10 +76,12 @@ export const GET: RequestHandler = async (event) => {
}); });
} }
// TODO: proper error page if (!isValidInviteToken(stateInviteToken)) {
if (inviteToken === null || !isValidInviteToken(inviteToken)) { const message =
return new Response(null, { stateInviteToken.length === 0 ? 'sign up with an invite link first' : 'invalid invite link';
status: 400,
return new Response('Not Authorized: ' + message, {
status: 403,
}); });
} }
@ -85,7 +94,7 @@ export const GET: RequestHandler = async (event) => {
// TODO: proper error handling, delete cookies // TODO: proper error handling, delete cookies
await db.insert(table.users).values(user); await db.insert(table.users).values(user);
console.log('created user', user, 'with invite token', inviteToken); console.log('created user', user, 'with invite token', stateInviteToken);
const session = await createSession(user.id); const session = await createSession(user.id);