auth: refactor common oauth provider logic, add options to disable providers and require invites

2025-05-02 15:53:21 -07:00 · 2025-05-02 15:53:21 -07:00 · 94514ec965
commit 94514ec965
parent f9a27cbbb7
14 changed files with 182 additions and 204 deletions
--- a/.env.example
+++ b/.env.example
@ -1,12 +1,17 @@
 DATABASE_URL=file:local.db

-AUTH_DOMAIN=auth.lab.cazzzer.com
-AUTH_CLIENT_ID=
-AUTH_CLIENT_SECRET=
-GOOGLE_CLIENT_ID=
-GOOGLE_CLIENT_SECRET=
+PUBLIC_AUTH_AUTHENTIK_ENABLE=1
+AUTH_AUTHENTIK_REQUIRE_INVITE=0
+AUTH_AUTHENTIK_DOMAIN=auth.lab.cazzzer.com
+AUTH_AUTHENTIK_CLIENT_ID=
+AUTH_AUTHENTIK_CLIENT_SECRET=

-INVITE_TOKEN=GUjdsz9aREFTEBYDrA3AajUE8oVys2xW
+PUBLIC_AUTH_GOOGLE_ENABLE=1
+AUTH_GOOGLE_REQUIRE_INVITE=1
+AUTH_GOOGLE_CLIENT_ID=
+AUTH_GOOGLE_CLIENT_SECRET=
+
+AUTH_INVITE_TOKEN=GUjdsz9aREFTEBYDrA3AajUE8oVys2xW

 OPNSENSE_API_URL=https://opnsense.cazzzer.com
 OPNSENSE_API_KEY=
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@ -0,0 +1,9 @@
+import { envToBool } from '$lib/utils';
+import { env } from '$env/dynamic/public';
+
+export type AuthProvider = 'authentik' | 'google';
+
+export const enabledAuthProviders: Record<AuthProvider, boolean> = {
+	authentik: envToBool(env.PUBLIC_AUTH_AUTHENTIK_ENABLE),
+	google: envToBool(env.PUBLIC_AUTH_GOOGLE_ENABLE),
+};
--- a/src/lib/components/app/auth-form/auth-form.svelte
+++ b/src/lib/components/app/auth-form/auth-form.svelte
@ -3,6 +3,7 @@
 	import { Button } from '$lib/components/ui/button';
 	import { cn } from '$lib/utils.js';
 	import googleIcon from '$lib/assets/google.svg';
+	import { enabledAuthProviders } from '$lib/auth';

 	let { inviteToken, class: className, ...rest }: {
 		inviteToken?: string;
@ -14,6 +15,7 @@
 </script>

 <div class={cn('flex gap-6', className)} {...rest}>
+	{#if enabledAuthProviders.authentik }
 	<form method="get" onsubmit={() => submitted = true}
 				action="/auth/authentik{inviteToken ? `?invite=${inviteToken}` : ''}">
 		<input type="hidden" value={inviteToken} name="invite" />
@ -30,6 +32,8 @@
 			Sign in with Authentik
 		</Button>
 	</form>
+	{/if}
+	{#if enabledAuthProviders.google }
 	<form method="get" onsubmit={() => submitted = true}
 				action="/auth/google{inviteToken ? `?invite=${inviteToken}` : ''}">
 		<input type="hidden" value={inviteToken} name="invite" />
@ -46,4 +50,5 @@
 			Sign in with Google
 		</Button>
 	</form>
+	{/if}
 </div>
--- a/src/lib/server/auth.ts
+++ b/src/lib/server/auth.ts
@ -86,7 +86,7 @@ export async function validateSession(sessionId: string) {
 }

 export function isValidInviteToken(inviteToken: string) {
-	return inviteToken === env.INVITE_TOKEN;
+	return inviteToken === env.AUTH_INVITE_TOKEN;
 }

 export type SessionValidationResult = Awaited<ReturnType<typeof validateSession>>;
--- a/src/lib/server/oauth-providers/authentik.ts
+++ b/src/lib/server/oauth-providers/authentik.ts
@ -0,0 +1,34 @@
+import { envToBool } from '$lib/utils';
+import { env } from '$env/dynamic/private';
+import { Authentik, decodeIdToken } from 'arctic';
+import { assertGuard } from 'typia';
+import type { IOAuthProvider } from '$lib/server/oauth';
+
+const authentikProvider = new Authentik(
+	env.AUTH_AUTHENTIK_DOMAIN,
+	env.AUTH_AUTHENTIK_CLIENT_ID,
+	env.AUTH_AUTHENTIK_CLIENT_SECRET,
+	`${env.ORIGIN}/auth/authentik/callback`,
+);
+
+export const authentik: IOAuthProvider = {
+	requireInvite: envToBool(env.AUTH_AUTHENTIK_REQUIRE_INVITE, true),
+	createAuthorizationURL: (state: string, codeVerifier: string) => {
+		const scopes = ['openid', 'profile'];
+		return authentikProvider.createAuthorizationURL(state, codeVerifier, scopes);
+	},
+	validateAuthorizationCode: async (code: string, codeVerifier: string) => {
+		const tokens = await authentikProvider.validateAuthorizationCode(code, codeVerifier);
+		const claims = decodeIdToken(tokens.idToken());
+		assertGuard<{
+			sub: string;
+			name: string;
+			preferred_username: string;
+		}>(claims);
+		return {
+			sub: claims.sub,
+			name: claims.name,
+			username: claims.preferred_username,
+		};
+	},
+};
--- a/src/lib/server/oauth-providers/google.ts
+++ b/src/lib/server/oauth-providers/google.ts
@ -0,0 +1,33 @@
+import { decodeIdToken, Google } from 'arctic';
+import { env } from '$env/dynamic/private';
+import { envToBool } from '$lib/utils';
+import { assertGuard } from 'typia';
+import type { IOAuthProvider } from '$lib/server/oauth';
+
+const googleProvider = new Google(
+	env.AUTH_GOOGLE_CLIENT_ID,
+	env.AUTH_GOOGLE_CLIENT_SECRET,
+	`${env.ORIGIN}/auth/google/callback`,
+);
+
+export const google: IOAuthProvider = {
+	requireInvite: envToBool(env.AUTH_GOOGLE_REQUIRE_INVITE, true),
+	createAuthorizationURL: (state: string, codeVerifier: string) => {
+		const scopes = ['openid', 'profile', 'email'];
+		return googleProvider.createAuthorizationURL(state, codeVerifier, scopes);
+	},
+	validateAuthorizationCode: async (code: string, codeVerifier: string) => {
+		const tokens = await googleProvider.validateAuthorizationCode(code, codeVerifier);
+		const claims = decodeIdToken(tokens.idToken());
+		assertGuard<{
+			sub: string;
+			email: string;
+			name: string;
+		}>(claims);
+		return {
+			sub: claims.sub,
+			name: claims.name,
+			username: claims.email,
+		};
+	},
+};
--- a/src/lib/server/oauth-providers/index.ts
+++ b/src/lib/server/oauth-providers/index.ts
@ -0,0 +1,2 @@
+export { authentik } from './authentik';
+export { google } from './google';
--- a/src/lib/server/oauth.ts
+++ b/src/lib/server/oauth.ts
@ -1,15 +1,19 @@
-import { Authentik, Google } from 'arctic';
-import { env } from '$env/dynamic/private';
+import type { AuthProvider } from '$lib/auth';
+import { authentik, google } from '$lib/server/oauth-providers';

-export const authentik = new Authentik(
-	env.AUTH_DOMAIN,
-	env.AUTH_CLIENT_ID,
-	env.AUTH_CLIENT_SECRET,
-	`${env.ORIGIN}/auth/authentik/callback`,
-);
+export interface IOAuthClaims {
+	sub: string;
+	name: string;
+	username: string;
+}

-export const google = new Google(
-	env.GOOGLE_CLIENT_ID,
-	env.GOOGLE_CLIENT_SECRET,
-	`${env.ORIGIN}/auth/google/callback`,
-);
+export interface IOAuthProvider {
+	readonly requireInvite: boolean;
+	createAuthorizationURL(state: string, codeVerifier: string): URL;
+	validateAuthorizationCode(code: string, codeVerifier: string): Promise<IOAuthClaims>;
+}
+
+export const oauthProviders: Record<AuthProvider, IOAuthProvider> = {
+	authentik,
+	google,
+};
--- a/src/lib/utils.ts
+++ b/src/lib/utils.ts
@ -4,3 +4,11 @@ import { twMerge } from "tailwind-merge";
 export function cn(...inputs: ClassValue[]) {
 	return twMerge(clsx(inputs));
 }
+
+export function envToBool(value: string | undefined, defaultValue = false): boolean {
+	if (typeof value === "undefined") {
+		return defaultValue;
+	}
+
+	return ['true', '1', 'yes'].includes(value.toLowerCase());
+}
--- a/src/routes/auth/[provider]/+server.ts
+++ b/src/routes/auth/[provider]/+server.ts
@ -0,0 +1,36 @@
+import { generateCodeVerifier, generateState } from 'arctic';
+import { oauthProviders } from '$lib/server/oauth';
+import { is } from 'typia';
+import { type AuthProvider, enabledAuthProviders } from '$lib/auth';
+
+export async function GET(event) {
+	const { provider } = event.params;
+	if (!is<AuthProvider>(provider) || !enabledAuthProviders[provider]) {
+		return new Response(null, { status: 404 });
+	}
+	const oauthProvider = oauthProviders[provider];
+
+	const state = generateState();
+	const codeVerifier = generateCodeVerifier();
+	const url = oauthProvider.createAuthorizationURL(state, codeVerifier);
+
+	event.cookies.set(`${provider}_oauth_state`, state, {
+		path: '/',
+		httpOnly: true,
+		maxAge: 60 * 10, // 10 minutes
+		sameSite: 'lax',
+	});
+	event.cookies.set(`${provider}_code_verifier`, codeVerifier, {
+		path: '/',
+		httpOnly: true,
+		maxAge: 60 * 10, // 10 minutes
+		sameSite: 'lax',
+	});
+
+	return new Response(null, {
+		status: 302,
+		headers: {
+			Location: url.toString(),
+		},
+	});
+}
--- a/src/routes/auth/[provider]/callback/+page.server.ts
+++ b/src/routes/auth/[provider]/callback/+page.server.ts
@ -1,21 +1,24 @@
-import { createSession, isValidInviteToken, setSessionTokenCookie } from '$lib/server/auth';
+import { is } from 'typia';
+import type { PageServerLoad } from './$types';
+import { error, redirect } from '@sveltejs/kit';
+import { type AuthProvider, enabledAuthProviders } from '$lib/auth';
+import { oauthProviders } from '$lib/server/oauth';
+import { ArcticFetchError, OAuth2RequestError } from 'arctic';
 import { db } from '$lib/server/db';
 import * as table from '$lib/server/db/schema';
-import { google } from '$lib/server/oauth';
-import { error, redirect } from '@sveltejs/kit';
-import type { OAuth2Tokens } from 'arctic';
-import * as arctic from 'arctic';
 import { eq } from 'drizzle-orm';
-import { assertGuard } from 'typia';
-import type { PageServerLoad } from './$types';
+import { createSession, isValidInviteToken, setSessionTokenCookie } from '$lib/server/auth';

-export const load: PageServerLoad = async (event) => {
-	const { url, cookies } = event;
+export const load: PageServerLoad = async ({ params: { provider }, url, cookies }) => {
+	if (!is<AuthProvider>(provider) || !enabledAuthProviders[provider]) {
+		error(404);
+	}

+	const oauthProvider = oauthProviders[provider];
 	const code = url.searchParams.get('code');
 	const state = url.searchParams.get('state');
-	const storedState = cookies.get('google_oauth_state') ?? null;
-	const codeVerifier = cookies.get('google_code_verifier') ?? null;
+	const storedState = cookies.get(`${provider}_oauth_state`) ?? null;
+	const codeVerifier = cookies.get(`${provider}_code_verifier`) ?? null;

 	if (code === null || state === null || storedState === null || codeVerifier === null) {
 		error(400, 'Missing url parameters');
@ -27,35 +30,23 @@ export const load: PageServerLoad = async (event) => {
 		error(400, 'Invalid state in url');
 	}

-	let tokens: OAuth2Tokens;
+	let claims;
 	try {
-		tokens = await google.validateAuthorizationCode(code, codeVerifier);
+		claims = await oauthProvider.validateAuthorizationCode(code, codeVerifier);
 	} catch (e) {
-		if (e instanceof arctic.OAuth2RequestError) {
+		if (e instanceof OAuth2RequestError) {
 			console.debug('Arctic: OAuth: invalid authorization code, credentials, or redirect URI', e);
-			throw error(400, 'Invalid authorization code');
+			error(400, 'Invalid authorization code');
 		}
-		if (e instanceof arctic.ArcticFetchError) {
+		if (e instanceof ArcticFetchError) {
 			console.debug('Arctic: failed to call `fetch()`', e);
 			error(400, 'Failed to validate authorization code');
 		}
-		console.error('Unxepcted error validating authorization code', code, e);
+		console.error('Unexpected error validating authorization code', code, e);
 		error(500);
 	}

-	const idToken = tokens.idToken();
-	const claims = arctic.decodeIdToken(idToken);
-
-	console.log('claims', claims);
-
-	assertGuard<{
-		sub: string;
-		email: string;
-		name: string;
-	}>(claims);
-
-	const userId = claims.sub;
-	const existingUser = await db.query.users.findFirst({ where: eq(table.users.id, userId) });
+	const existingUser = await db.query.users.findFirst({ where: eq(table.users.id, claims.sub) });

 	if (existingUser) {
 		const session = await createSession(existingUser.id);
@ -63,25 +54,22 @@ export const load: PageServerLoad = async (event) => {
 		redirect(302, '/');
 	}

-	if (!isValidInviteToken(stateInviteToken)) {
+	if (oauthProvider.requireInvite && !isValidInviteToken(stateInviteToken)) {
 		const message =
 			stateInviteToken.length === 0 ? 'sign up with an invite link first' : 'invalid invite link';
 		error(403, 'Not Authorized: ' + message);
 	}

 	const user: table.User = {
-		id: userId,
-		authSource: 'google',
-		username: claims.email,
+		id: claims.sub,
+		authSource: provider,
+		username: claims.username,
 		name: claims.name,
 	};
-
-	// TODO: proper error handling, delete cookies
 	await db.insert(table.users).values(user);
-	console.log('created user', user, 'with invite token', stateInviteToken);
+	console.log('created user', user, 'using provider', provider, 'with invite token', stateInviteToken);

 	const session = await createSession(user.id);
-
 	setSessionTokenCookie(cookies, session.id, session.expiresAt);

 	redirect(302, '/');
--- a/src/routes/auth/authentik/+server.ts
+++ b/src/routes/auth/authentik/+server.ts
@ -1,30 +0,0 @@
-import { generateState, generateCodeVerifier } from "arctic";
-import { authentik } from "$lib/server/oauth";
-
-import type { RequestEvent } from "@sveltejs/kit";
-
-export async function GET(event: RequestEvent): Promise<Response> {
-	const state = generateState();
-	const codeVerifier = generateCodeVerifier();
-	const url = authentik.createAuthorizationURL(state, codeVerifier, ["openid", "profile"]);
-
-	event.cookies.set("authentik_oauth_state", state, {
-		path: "/",
-		httpOnly: true,
-		maxAge: 60 * 10, // 10 minutes
-		sameSite: "lax"
-	});
-	event.cookies.set("authentik_code_verifier", codeVerifier, {
-		path: "/",
-		httpOnly: true,
-		maxAge: 60 * 10, // 10 minutes
-		sameSite: "lax"
-	});
-
-	return new Response(null, {
-		status: 302,
-		headers: {
-			Location: url.toString()
-		}
-	});
-}
--- a/src/routes/auth/authentik/callback/+server.ts
+++ b/src/routes/auth/authentik/callback/+server.ts
@ -1,84 +0,0 @@
-import { createSession, setSessionTokenCookie } from '$lib/server/auth';
-import { authentik } from '$lib/server/oauth';
-import { decodeIdToken } from 'arctic';
-
-import type { RequestEvent } from '@sveltejs/kit';
-import type { OAuth2Tokens } from 'arctic';
-import { db } from '$lib/server/db';
-import { eq } from 'drizzle-orm';
-
-import * as table from '$lib/server/db/schema';
-
-export async function GET(event: RequestEvent): Promise<Response> {
-	const code = event.url.searchParams.get('code');
-	const state = event.url.searchParams.get('state');
-	const storedState = event.cookies.get('authentik_oauth_state') ?? null;
-	const codeVerifier = event.cookies.get('authentik_code_verifier') ?? null;
-
-	if (code === null || state === null || storedState === null || codeVerifier === null) {
-		return new Response(null, {
-			status: 400,
-		});
-	}
-	if (state !== storedState) {
-		return new Response(null, {
-			status: 400,
-		});
-	}
-
-	let tokens: OAuth2Tokens;
-	try {
-		tokens = await authentik.validateAuthorizationCode(code, codeVerifier);
-	} catch (e) {
-		// Invalid code or client credentials
-		return new Response(null, {
-			status: 400,
-		});
-	}
-	const claims = decodeIdToken(tokens.idToken()) as {
-		sub: string;
-		preferred_username: string;
-		name: string;
-	};
-	console.log('claims', claims);
-	const userId: string = claims.sub;
-	const username: string = claims.preferred_username;
-
-	const existingUser = await db.query.users.findFirst({ where: eq(table.users.id, userId) });
-
-	if (existingUser) {
-		const session = await createSession(existingUser.id);
-		setSessionTokenCookie(event.cookies, session.id, session.expiresAt);
-		return new Response(null, {
-			status: 302,
-			headers: {
-				Location: '/',
-			},
-		});
-	}
-
-	const user: table.User = {
-		id: userId,
-		authSource: 'authentik',
-		username,
-		name: claims.name as string,
-	};
-
-	try {
-		await db.insert(table.users).values(user);
-		const session = await createSession(user.id);
-		setSessionTokenCookie(event.cookies, session.id, session.expiresAt);
-	} catch (e) {
-		console.error('failed to create user', e);
-		return new Response(null, {
-			status: 500,
-		});
-	}
-
-	return new Response(null, {
-		status: 302,
-		headers: {
-			Location: '/',
-		},
-	});
-}
--- a/src/routes/auth/google/+server.ts
+++ b/src/routes/auth/google/+server.ts
@ -1,32 +0,0 @@
-import type { RequestHandler } from './$types';
-import { generateCodeVerifier, generateState } from 'arctic';
-import { google } from '$lib/server/oauth';
-
-export const GET: RequestHandler = ({ url, cookies }) => {
-	const inviteToken = url.searchParams.get('invite');
-
-	const state = generateState();
-	const codeVerifier = generateCodeVerifier();
-	const scopes = ['openid', 'profile', 'email'];
-	const authUrl = google.createAuthorizationURL(state + inviteToken, codeVerifier, scopes);
-
-	cookies.set('google_oauth_state', state, {
-		path: '/',
-		httpOnly: true,
-		maxAge: 60 * 10, // 10 minutes
-		sameSite: 'lax',
-	});
-	cookies.set('google_code_verifier', codeVerifier, {
-		path: '/',
-		httpOnly: true,
-		maxAge: 60 * 10, // 10 minutes
-		sameSite: 'lax',
-	});
-
-	return new Response(null, {
-		status: 302,
-		headers: {
-			Location: authUrl.toString(),
-		},
-	});
-};