CaZzzer/vpgen
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

auth: refactor common oauth provider logic, add options to disable providers and require invites

Browse Source
This commit is contained in:
Yuri Tatishchev 2025-05-02 15:53:21 -07:00
parent f9a27cbbb7
commit 94514ec965
Signed by: CaZzzer
SSH Key Fingerprint: SHA256:sqXB3fe0LMpfH+IeM/vlmxKdso52kssrIJBlwKXVe1U
14 changed files with 182 additions and 204 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
.env.example
View File

@ -1,12 +1,17 @@
DATABASE_URL=file:local.db DATABASE_URL=file:local.db
AUTH_DOMAIN=auth.lab.cazzzer.com PUBLIC_AUTH_AUTHENTIK_ENABLE=1
AUTH_CLIENT_ID= AUTH_AUTHENTIK_REQUIRE_INVITE=0
AUTH_CLIENT_SECRET= AUTH_AUTHENTIK_DOMAIN=auth.lab.cazzzer.com
GOOGLE_CLIENT_ID= AUTH_AUTHENTIK_CLIENT_ID=
GOOGLE_CLIENT_SECRET= AUTH_AUTHENTIK_CLIENT_SECRET=
INVITE_TOKEN=GUjdsz9aREFTEBYDrA3AajUE8oVys2xW PUBLIC_AUTH_GOOGLE_ENABLE=1
AUTH_GOOGLE_REQUIRE_INVITE=1
AUTH_GOOGLE_CLIENT_ID=
AUTH_GOOGLE_CLIENT_SECRET=
AUTH_INVITE_TOKEN=GUjdsz9aREFTEBYDrA3AajUE8oVys2xW
OPNSENSE_API_URL=https://opnsense.cazzzer.com OPNSENSE_API_URL=https://opnsense.cazzzer.com
OPNSENSE_API_KEY= OPNSENSE_API_KEY=

9
src/lib/auth.ts Normal file
View File

@ -0,0 +1,9 @@
import { envToBool } from '$lib/utils';
import { env } from '$env/dynamic/public';
export type AuthProvider = 'authentik' | 'google';
export const enabledAuthProviders: Record<AuthProvider, boolean> = {
authentik: envToBool(env.PUBLIC_AUTH_AUTHENTIK_ENABLE),
google: envToBool(env.PUBLIC_AUTH_GOOGLE_ENABLE),
};

5
src/lib/components/app/auth-form/auth-form.svelte
View File

@ -3,6 +3,7 @@
import { Button } from '$lib/components/ui/button'; import { Button } from '$lib/components/ui/button';
import { cn } from '$lib/utils.js'; import { cn } from '$lib/utils.js';
import googleIcon from '$lib/assets/google.svg'; import googleIcon from '$lib/assets/google.svg';
import { enabledAuthProviders } from '$lib/auth';
let { inviteToken, class: className, ...rest }: { let { inviteToken, class: className, ...rest }: {
inviteToken?: string; inviteToken?: string;
@ -14,6 +15,7 @@
</script> </script>
<div class={cn('flex gap-6', className)} {...rest}> <div class={cn('flex gap-6', className)} {...rest}>
{#if enabledAuthProviders.authentik }
<form method="get" onsubmit={() => submitted = true} <form method="get" onsubmit={() => submitted = true}
action="/auth/authentik{inviteToken ? `?invite=${inviteToken}` : ''}"> action="/auth/authentik{inviteToken ? `?invite=${inviteToken}` : ''}">
<input type="hidden" value={inviteToken} name="invite" /> <input type="hidden" value={inviteToken} name="invite" />
@ -30,6 +32,8 @@
Sign in with Authentik Sign in with Authentik
</Button> </Button>
</form> </form>
{/if}
{#if enabledAuthProviders.google }
<form method="get" onsubmit={() => submitted = true} <form method="get" onsubmit={() => submitted = true}
action="/auth/google{inviteToken ? `?invite=${inviteToken}` : ''}"> action="/auth/google{inviteToken ? `?invite=${inviteToken}` : ''}">
<input type="hidden" value={inviteToken} name="invite" /> <input type="hidden" value={inviteToken} name="invite" />
@ -46,4 +50,5 @@
Sign in with Google Sign in with Google
</Button> </Button>
</form> </form>
{/if}
</div> </div>

2
src/lib/server/auth.ts
View File

@ -86,7 +86,7 @@ export async function validateSession(sessionId: string) {
} }
export function isValidInviteToken(inviteToken: string) { export function isValidInviteToken(inviteToken: string) {
return inviteToken === env.INVITE_TOKEN; return inviteToken === env.AUTH_INVITE_TOKEN;
} }
export type SessionValidationResult = Awaited<ReturnType<typeof validateSession>>; export type SessionValidationResult = Awaited<ReturnType<typeof validateSession>>;

34
src/lib/server/oauth-providers/authentik.ts Normal file
View File

@ -0,0 +1,34 @@
import { envToBool } from '$lib/utils';
import { env } from '$env/dynamic/private';
import { Authentik, decodeIdToken } from 'arctic';
import { assertGuard } from 'typia';
import type { IOAuthProvider } from '$lib/server/oauth';
const authentikProvider = new Authentik(
env.AUTH_AUTHENTIK_DOMAIN,
env.AUTH_AUTHENTIK_CLIENT_ID,
env.AUTH_AUTHENTIK_CLIENT_SECRET,
`${env.ORIGIN}/auth/authentik/callback`,
);
export const authentik: IOAuthProvider = {
requireInvite: envToBool(env.AUTH_AUTHENTIK_REQUIRE_INVITE, true),
createAuthorizationURL: (state: string, codeVerifier: string) => {
const scopes = ['openid', 'profile'];
return authentikProvider.createAuthorizationURL(state, codeVerifier, scopes);
},
validateAuthorizationCode: async (code: string, codeVerifier: string) => {
const tokens = await authentikProvider.validateAuthorizationCode(code, codeVerifier);
const claims = decodeIdToken(tokens.idToken());
assertGuard<{
sub: string;
name: string;
preferred_username: string;
}>(claims);
return {
sub: claims.sub,
name: claims.name,
username: claims.preferred_username,
};
},
};

33
src/lib/server/oauth-providers/google.ts Normal file
View File

@ -0,0 +1,33 @@
import { decodeIdToken, Google } from 'arctic';
import { env } from '$env/dynamic/private';
import { envToBool } from '$lib/utils';
import { assertGuard } from 'typia';
import type { IOAuthProvider } from '$lib/server/oauth';
const googleProvider = new Google(
env.AUTH_GOOGLE_CLIENT_ID,
env.AUTH_GOOGLE_CLIENT_SECRET,
`${env.ORIGIN}/auth/google/callback`,
);
export const google: IOAuthProvider = {
requireInvite: envToBool(env.AUTH_GOOGLE_REQUIRE_INVITE, true),
createAuthorizationURL: (state: string, codeVerifier: string) => {
const scopes = ['openid', 'profile', 'email'];
return googleProvider.createAuthorizationURL(state, codeVerifier, scopes);
},
validateAuthorizationCode: async (code: string, codeVerifier: string) => {
const tokens = await googleProvider.validateAuthorizationCode(code, codeVerifier);
const claims = decodeIdToken(tokens.idToken());
assertGuard<{
sub: string;
email: string;
name: string;
}>(claims);
return {
sub: claims.sub,
name: claims.name,
username: claims.email,
};
},
};

2
src/lib/server/oauth-providers/index.ts Normal file
View File

@ -0,0 +1,2 @@
export { authentik } from './authentik';
export { google } from './google';

30
src/lib/server/oauth.ts
View File

@ -1,15 +1,19 @@
import { Authentik, Google } from 'arctic'; import type { AuthProvider } from '$lib/auth';
import { env } from '$env/dynamic/private'; import { authentik, google } from '$lib/server/oauth-providers';
export const authentik = new Authentik( export interface IOAuthClaims {
env.AUTH_DOMAIN, sub: string;
env.AUTH_CLIENT_ID, name: string;
env.AUTH_CLIENT_SECRET, username: string;
`${env.ORIGIN}/auth/authentik/callback`, }
);
export const google = new Google( export interface IOAuthProvider {
env.GOOGLE_CLIENT_ID, readonly requireInvite: boolean;
env.GOOGLE_CLIENT_SECRET, createAuthorizationURL(state: string, codeVerifier: string): URL;
`${env.ORIGIN}/auth/google/callback`, validateAuthorizationCode(code: string, codeVerifier: string): Promise<IOAuthClaims>;
); }
export const oauthProviders: Record<AuthProvider, IOAuthProvider> = {
authentik,
google,
};

8
src/lib/utils.ts
View File

@ -4,3 +4,11 @@ import { twMerge } from "tailwind-merge";
export function cn(...inputs: ClassValue[]) { export function cn(...inputs: ClassValue[]) {
return twMerge(clsx(inputs)); return twMerge(clsx(inputs));
} }
export function envToBool(value: string | undefined, defaultValue = false): boolean {
if (typeof value === "undefined") {
return defaultValue;
}
return ['true', '1', 'yes'].includes(value.toLowerCase());
}

36
src/routes/auth/[provider]/+server.ts Normal file
View File

@ -0,0 +1,36 @@
import { generateCodeVerifier, generateState } from 'arctic';
import { oauthProviders } from '$lib/server/oauth';
import { is } from 'typia';
import { type AuthProvider, enabledAuthProviders } from '$lib/auth';
export async function GET(event) {
const { provider } = event.params;
if (!is<AuthProvider>(provider) || !enabledAuthProviders[provider]) {
return new Response(null, { status: 404 });
}
const oauthProvider = oauthProviders[provider];
const state = generateState();
const codeVerifier = generateCodeVerifier();
const url = oauthProvider.createAuthorizationURL(state, codeVerifier);
event.cookies.set(`${provider}_oauth_state`, state, {
path: '/',
httpOnly: true,
maxAge: 60 * 10, // 10 minutes
sameSite: 'lax',
});
event.cookies.set(`${provider}_code_verifier`, codeVerifier, {
path: '/',
httpOnly: true,
maxAge: 60 * 10, // 10 minutes
sameSite: 'lax',
});
return new Response(null, {
status: 302,
headers: {
Location: url.toString(),
},
});
}

64
src/routes/auth/google/callback/+page.server.ts → src/routes/auth/[provider]/callback/+page.server.ts
View File

@ -1,21 +1,24 @@
import { createSession, isValidInviteToken, setSessionTokenCookie } from '$lib/server/auth'; import { is } from 'typia';
import type { PageServerLoad } from './$types';
import { error, redirect } from '@sveltejs/kit';
import { type AuthProvider, enabledAuthProviders } from '$lib/auth';
import { oauthProviders } from '$lib/server/oauth';
import { ArcticFetchError, OAuth2RequestError } from 'arctic';
import { db } from '$lib/server/db'; import { db } from '$lib/server/db';
import * as table from '$lib/server/db/schema'; import * as table from '$lib/server/db/schema';
import { google } from '$lib/server/oauth';
import { error, redirect } from '@sveltejs/kit';
import type { OAuth2Tokens } from 'arctic';
import * as arctic from 'arctic';
import { eq } from 'drizzle-orm'; import { eq } from 'drizzle-orm';
import { assertGuard } from 'typia'; import { createSession, isValidInviteToken, setSessionTokenCookie } from '$lib/server/auth';
import type { PageServerLoad } from './$types';
export const load: PageServerLoad = async (event) => { export const load: PageServerLoad = async ({ params: { provider }, url, cookies }) => {
const { url, cookies } = event; if (!is<AuthProvider>(provider) || !enabledAuthProviders[provider]) {
error(404);
}
const oauthProvider = oauthProviders[provider];
const code = url.searchParams.get('code'); const code = url.searchParams.get('code');
const state = url.searchParams.get('state'); const state = url.searchParams.get('state');
const storedState = cookies.get('google_oauth_state') ?? null; const storedState = cookies.get(`${provider}_oauth_state`) ?? null;
const codeVerifier = cookies.get('google_code_verifier') ?? null; const codeVerifier = cookies.get(`${provider}_code_verifier`) ?? null;
if (code === null || state === null || storedState === null || codeVerifier === null) { if (code === null || state === null || storedState === null || codeVerifier === null) {
error(400, 'Missing url parameters'); error(400, 'Missing url parameters');
@ -27,35 +30,23 @@ export const load: PageServerLoad = async (event) => {
error(400, 'Invalid state in url'); error(400, 'Invalid state in url');
} }
let tokens: OAuth2Tokens; let claims;
try { try {
tokens = await google.validateAuthorizationCode(code, codeVerifier); claims = await oauthProvider.validateAuthorizationCode(code, codeVerifier);
} catch (e) { } catch (e) {
if (e instanceof arctic.OAuth2RequestError) { if (e instanceof OAuth2RequestError) {
console.debug('Arctic: OAuth: invalid authorization code, credentials, or redirect URI', e); console.debug('Arctic: OAuth: invalid authorization code, credentials, or redirect URI', e);
throw error(400, 'Invalid authorization code'); error(400, 'Invalid authorization code');
} }
if (e instanceof arctic.ArcticFetchError) { if (e instanceof ArcticFetchError) {
console.debug('Arctic: failed to call `fetch()`', e); console.debug('Arctic: failed to call `fetch()`', e);
error(400, 'Failed to validate authorization code'); error(400, 'Failed to validate authorization code');
} }
console.error('Unxepcted error validating authorization code', code, e); console.error('Unexpected error validating authorization code', code, e);
error(500); error(500);
} }
const idToken = tokens.idToken(); const existingUser = await db.query.users.findFirst({ where: eq(table.users.id, claims.sub) });
const claims = arctic.decodeIdToken(idToken);
console.log('claims', claims);
assertGuard<{
sub: string;
email: string;
name: string;
}>(claims);
const userId = claims.sub;
const existingUser = await db.query.users.findFirst({ where: eq(table.users.id, userId) });
if (existingUser) { if (existingUser) {
const session = await createSession(existingUser.id); const session = await createSession(existingUser.id);
@ -63,25 +54,22 @@ export const load: PageServerLoad = async (event) => {
redirect(302, '/'); redirect(302, '/');
} }
if (!isValidInviteToken(stateInviteToken)) { if (oauthProvider.requireInvite && !isValidInviteToken(stateInviteToken)) {
const message = const message =
stateInviteToken.length === 0 ? 'sign up with an invite link first' : 'invalid invite link'; stateInviteToken.length === 0 ? 'sign up with an invite link first' : 'invalid invite link';
error(403, 'Not Authorized: ' + message); error(403, 'Not Authorized: ' + message);
} }
const user: table.User = { const user: table.User = {
id: userId, id: claims.sub,
authSource: 'google', authSource: provider,
username: claims.email, username: claims.username,
name: claims.name, name: claims.name,
}; };
// TODO: proper error handling, delete cookies
await db.insert(table.users).values(user); await db.insert(table.users).values(user);
console.log('created user', user, 'with invite token', stateInviteToken); console.log('created user', user, 'using provider', provider, 'with invite token', stateInviteToken);
const session = await createSession(user.id); const session = await createSession(user.id);
setSessionTokenCookie(cookies, session.id, session.expiresAt); setSessionTokenCookie(cookies, session.id, session.expiresAt);
redirect(302, '/'); redirect(302, '/');

30
src/routes/auth/authentik/+server.ts
View File

@ -1,30 +0,0 @@
import { generateState, generateCodeVerifier } from "arctic";
import { authentik } from "$lib/server/oauth";
import type { RequestEvent } from "@sveltejs/kit";
export async function GET(event: RequestEvent): Promise<Response> {
const state = generateState();
const codeVerifier = generateCodeVerifier();
const url = authentik.createAuthorizationURL(state, codeVerifier, ["openid", "profile"]);
event.cookies.set("authentik_oauth_state", state, {
path: "/",
httpOnly: true,
maxAge: 60 * 10, // 10 minutes
sameSite: "lax"
});
event.cookies.set("authentik_code_verifier", codeVerifier, {
path: "/",
httpOnly: true,
maxAge: 60 * 10, // 10 minutes
sameSite: "lax"
});
return new Response(null, {
status: 302,
headers: {
Location: url.toString()
}
});
}

84
src/routes/auth/authentik/callback/+server.ts
View File

@ -1,84 +0,0 @@
import { createSession, setSessionTokenCookie } from '$lib/server/auth';
import { authentik } from '$lib/server/oauth';
import { decodeIdToken } from 'arctic';
import type { RequestEvent } from '@sveltejs/kit';
import type { OAuth2Tokens } from 'arctic';
import { db } from '$lib/server/db';
import { eq } from 'drizzle-orm';
import * as table from '$lib/server/db/schema';
export async function GET(event: RequestEvent): Promise<Response> {
const code = event.url.searchParams.get('code');
const state = event.url.searchParams.get('state');
const storedState = event.cookies.get('authentik_oauth_state') ?? null;
const codeVerifier = event.cookies.get('authentik_code_verifier') ?? null;
if (code === null || state === null || storedState === null || codeVerifier === null) {
return new Response(null, {
status: 400,
});
}
if (state !== storedState) {
return new Response(null, {
status: 400,
});
}
let tokens: OAuth2Tokens;
try {
tokens = await authentik.validateAuthorizationCode(code, codeVerifier);
} catch (e) {
// Invalid code or client credentials
return new Response(null, {
status: 400,
});
}
const claims = decodeIdToken(tokens.idToken()) as {
sub: string;
preferred_username: string;
name: string;
};
console.log('claims', claims);
const userId: string = claims.sub;
const username: string = claims.preferred_username;
const existingUser = await db.query.users.findFirst({ where: eq(table.users.id, userId) });
if (existingUser) {
const session = await createSession(existingUser.id);
setSessionTokenCookie(event.cookies, session.id, session.expiresAt);
return new Response(null, {
status: 302,
headers: {
Location: '/',
},
});
}
const user: table.User = {
id: userId,
authSource: 'authentik',
username,
name: claims.name as string,
};
try {
await db.insert(table.users).values(user);
const session = await createSession(user.id);
setSessionTokenCookie(event.cookies, session.id, session.expiresAt);
} catch (e) {
console.error('failed to create user', e);
return new Response(null, {
status: 500,
});
}
return new Response(null, {
status: 302,
headers: {
Location: '/',
},
});
}

32
src/routes/auth/google/+server.ts
View File

@ -1,32 +0,0 @@
import type { RequestHandler } from './$types';
import { generateCodeVerifier, generateState } from 'arctic';
import { google } from '$lib/server/oauth';
export const GET: RequestHandler = ({ url, cookies }) => {
const inviteToken = url.searchParams.get('invite');
const state = generateState();
const codeVerifier = generateCodeVerifier();
const scopes = ['openid', 'profile', 'email'];
const authUrl = google.createAuthorizationURL(state + inviteToken, codeVerifier, scopes);
cookies.set('google_oauth_state', state, {
path: '/',
httpOnly: true,
maxAge: 60 * 10, // 10 minutes
sameSite: 'lax',
});
cookies.set('google_code_verifier', codeVerifier, {
path: '/',
httpOnly: true,
maxAge: 60 * 10, // 10 minutes
sameSite: 'lax',
});
return new Response(null, {
status: 302,
headers: {
Location: authUrl.toString(),
},
});
};