CaZzzer/vpgen
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: CaZzzer:develop
Branches Tags
CaZzzer:develop
CaZzzer:feature/wg-quick
CaZzzer:feature/invite
CaZzzer:feature/auth
CaZzzer:feature/auth-1
CaZzzer:feature/ci
CaZzzer:feature/api
CaZzzer:feature/provider-interface-1
CaZzzer:feature/provider-interface
CaZzzer:feature/logging
CaZzzer:feature/qrcode
CaZzzer:feature/trailing-slashes
CaZzzer:feature/opnsense
CaZzzer:master
...
pull from: CaZzzer:feature/api
Branches Tags
CaZzzer:feature/wg-quick
CaZzzer:develop
CaZzzer:feature/invite
CaZzzer:feature/auth
CaZzzer:feature/auth-1
CaZzzer:feature/ci
CaZzzer:feature/api
CaZzzer:feature/provider-interface-1
CaZzzer:feature/provider-interface
CaZzzer:feature/logging
CaZzzer:feature/qrcode
CaZzzer:feature/trailing-slashes
CaZzzer:feature/opnsense
CaZzzer:master

3 Commits
develop ... feature/ap

Author SHA1 Message Date
Yuri Tatishchev
bb641cb51e
WIP: attempt to refactor api routes into server load functions 2025-04-12 01:27:48 -07:00
Yuri Tatishchev
5b72ab28dd
WIP: temp 2025-04-11 18:43:51 -07:00
Yuri Tatishchev
8f20c168a2
WIP: auth: improve handling of invite tokens 2025-04-11 18:39:45 -07:00
10 changed files with 207 additions and 56 deletions
Show Stats Expand all files Collapse all files

9
README.md
View File

@ -18,7 +18,7 @@ and [wg-quick](https://www.wireguard.com/quickstart/) for standalone setups.
## Development
Development uses bun.
An additional prepare step is needed to set up typia for type validation.
An additional prepare step is needed to set up typia for type validation.
For example .env settings, see [.env.example](.env.example)
@ -27,3 +27,10 @@ bun install
bun run prepare
bun run dev
```
## To Do
- [ ] Proper invite page
- [ ] Proper error page for login without invite
- [ ] Support file provider (for wg-quick)
- [ ] wg-quick scripts (maybe?)

32
src/lib/components/app/auth-form/auth-form.svelte
View File

@ -4,21 +4,21 @@
import { cn } from '$lib/utils.js';
import googleIcon from '$lib/assets/google.svg';
let { inviteToken, class: className, ...rest }: { inviteToken?: string; class?: string; rest?: { [p: string]: unknown } } = $props();
let { inviteToken, class: className, ...rest }: {
inviteToken?: string;
class?: string;
rest?: { [p: string]: unknown }
} = $props();
let isLoading = $state(false);
let submitted = $state(false);
</script>
<div class={cn('flex gap-6', className)} {...rest}>
<form method="get" action="/auth/authentik{inviteToken ? `?invite=${inviteToken}` : ''}">
<form method="get" onsubmit={() => submitted = true}
action="/auth/authentik{inviteToken ? `?invite=${inviteToken}` : ''}">
<input type="hidden" value={inviteToken} name="invite" />
<Button
type="submit"
onclick={() => {
isLoading = true;
}}
>
{#if isLoading}
<Button type="submit" disabled={submitted}>
{#if submitted}
<LucideLoaderCircle class="mr-2 h-4 w-4 animate-spin" />
{:else}
<img
@ -30,15 +30,11 @@
Sign in with Authentik
</Button>
</form>
<form method="get" action="/auth/google">
<form method="get" onsubmit={() => submitted = true}
action="/auth/google{inviteToken ? `?invite=${inviteToken}` : ''}">
<input type="hidden" value={inviteToken} name="invite" />
<Button
type="submit"
onclick={() => {
isLoading = true;
}}
>
{#if isLoading}
<Button type="submit" disabled={submitted}>
{#if submitted}
<LucideLoaderCircle class="mr-2 h-4 w-4 animate-spin" />
{:else}
<img

8
src/routes/auth/google/+server.ts
View File

@ -8,7 +8,7 @@ export const GET: RequestHandler = ({ url, cookies }) => {
const state = generateState();
const codeVerifier = generateCodeVerifier();
const scopes = ['openid', 'profile', 'email'];
const authUrl = google.createAuthorizationURL(state, codeVerifier, scopes);
const authUrl = google.createAuthorizationURL(state + inviteToken, codeVerifier, scopes);
cookies.set('google_oauth_state', state, {
path: '/',
@ -22,12 +22,6 @@ export const GET: RequestHandler = ({ url, cookies }) => {
maxAge: 60 * 10, // 10 minutes
sameSite: 'lax',
});
if (inviteToken !== null) cookies.set('invite_token', inviteToken, {
path: '/',
httpOnly: true,
maxAge: 60 * 10, // 10 minutes
sameSite: 'lax',
});
return new Response(null, {
status: 302,

108
src/routes/auth/google/callback/+page.server.ts Normal file
View File

@ -0,0 +1,108 @@
import { error } from '@sveltejs/kit';
import * as arctic from 'arctic';
import { google } from '$lib/server/oauth';
import { db } from '$lib/server/db';
import { eq } from 'drizzle-orm';
import * as table from '$lib/server/db/schema';
import { createSession, isValidInviteToken, setSessionTokenCookie } from '$lib/server/auth';
import type { OAuth2Tokens } from 'arctic';
import { assertGuard } from 'typia';
import type { PageServerLoad } from './$types';
export const load: PageServerLoad = async ({ url, cookies }) => {
const code = url.searchParams.get('code');
const state = url.searchParams.get('state');
const storedState = cookies.get('google_oauth_state') ?? null;
const codeVerifier = cookies.get('google_code_verifier') ?? null;
if (code === null || state === null || storedState === null || codeVerifier === null) {
error(400, 'Missing url parameters');
return;
}
const stateGeneratedToken = state.slice(0, storedState.length);
const stateInviteToken = state.slice(storedState.length);
if (stateGeneratedToken !== storedState) {
return new Response(null, {
status: 400,
});
}
let tokens: OAuth2Tokens;
try {
tokens = await google.validateAuthorizationCode(code, codeVerifier);
} catch (e) {
if (e instanceof arctic.OAuth2RequestError) {
console.debug('Arctic: OAuth: invalid authorization code, credentials, or redirect URI', e);
return new Response(null, {
status: 400,
});
}
if (e instanceof arctic.ArcticFetchError) {
console.debug('Arctic: failed to call `fetch()`', e);
return new Response(null, {
status: 400,
});
}
return new Response(null, {
status: 500,
});
}
const idToken = tokens.idToken();
const claims = arctic.decodeIdToken(idToken);
console.log('claims', claims);
assertGuard<{
sub: string;
email: string;
name: string;
}>(claims);
const userId = claims.sub;
const existingUser = await db.query.users.findFirst({ where: eq(table.users.id, userId) });
if (existingUser) {
const session = await createSession(existingUser.id);
setSessionTokenCookie(event, session.id, session.expiresAt);
return new Response(null, {
status: 302,
headers: {
Location: '/',
},
});
}
if (!isValidInviteToken(stateInviteToken)) {
const message =
stateInviteToken.length === 0 ? 'sign up with an invite link first' : 'invalid invite link';
return new Response('Not Authorized: ' + message, {
status: 403,
});
}
const user: table.User = {
id: userId,
authSource: 'google',
username: claims.email,
name: claims.name,
};
// TODO: proper error handling, delete cookies
await db.insert(table.users).values(user);
console.log('created user', user, 'with invite token', stateInviteToken);
const session = await createSession(user.id);
setSessionTokenCookie(event, session.id, session.expiresAt);
return new Response(null, {
status: 302,
headers: {
Location: '/',
},
});
};

23
src/routes/auth/google/callback/+server.ts
View File

@ -13,8 +13,7 @@ export const GET: RequestHandler = async (event) => {
const code = url.searchParams.get('code');
const state = url.searchParams.get('state');
const storedState = cookies.get('google_oauth_state') ?? null;
const codeVerifier = cookies.get('google_code_verifier', ) ?? null;
const inviteToken = cookies.get('invite_token') ?? null;
const codeVerifier = cookies.get('google_code_verifier') ?? null;
if (code === null || state === null || storedState === null || codeVerifier === null) {
return new Response(null, {
@ -22,6 +21,14 @@ export const GET: RequestHandler = async (event) => {
});
}
const stateGeneratedToken = state.slice(0, storedState.length);
const stateInviteToken = state.slice(storedState.length);
if (stateGeneratedToken !== storedState) {
return new Response(null, {
status: 400,
});
}
let tokens: OAuth2Tokens;
try {
tokens = await google.validateAuthorizationCode(code, codeVerifier);
@ -69,10 +76,12 @@ export const GET: RequestHandler = async (event) => {
});
}
// TODO: proper error page
if (inviteToken === null || !isValidInviteToken(inviteToken)) {
return new Response(null, {
status: 400,
if (!isValidInviteToken(stateInviteToken)) {
const message =
stateInviteToken.length === 0 ? 'sign up with an invite link first' : 'invalid invite link';
return new Response('Not Authorized: ' + message, {
status: 403,
});
}
@ -85,7 +94,7 @@ export const GET: RequestHandler = async (event) => {
// TODO: proper error handling, delete cookies
await db.insert(table.users).values(user);
console.log('created user', user, 'with invite token', inviteToken);
console.log('created user', user, 'with invite token', stateInviteToken);
const session = await createSession(user.id);

47
src/routes/connections/+page.server.ts Normal file
View File

@ -0,0 +1,47 @@
import type { PageServerLoad } from './$types';
import type { ConnectionDetails } from '$lib/connections';
import { findDevices } from '$lib/server/devices';
import wgProvider from '$lib/server/wg-provider';
import { error } from '@sveltejs/kit';
export const load: PageServerLoad = async ({ locals, setHeaders, depends }) => {
if (!locals.user) {
error(401, 'Unauthorized');
}
console.debug('/connections');
const peersResult = await wgProvider.findConnections(locals.user);
if (peersResult._tag === 'err') return error(500, peersResult.error.message);
const devices = await findDevices(locals.user.id);
console.debug('/connections: fetched db devices');
// TODO: this is all garbage performance
// filter devices with no recent handshakes
const peers = peersResult.value.filter((peer) => peer.latestHandshake);
// start from devices, to treat db as the source of truth
const connections: ConnectionDetails[] = [];
for (const device of devices) {
const peerData = peers.find((peer) => peer.publicKey === device.publicKey);
if (!peerData) continue;
connections.push({
deviceId: device.id,
deviceName: device.name,
devicePublicKey: device.publicKey,
deviceIps: peerData.allowedIps.split(','),
endpoint: peerData.endpoint,
// swap rx and tx, since the opnsense values are from the server perspective
transferRx: peerData.transferTx,
transferTx: peerData.transferRx,
latestHandshake: peerData.latestHandshake,
});
}
setHeaders({
'Cache-Control': 'max-age=5',
});
depends('connections');
return { connections };
};

4
src/routes/connections/+page.svelte
View File

@ -1,6 +1,6 @@
<script lang="ts">
import type { PageData } from './$types';
import { invalidate } from '$app/navigation';
import { invalidate, invalidateAll } from '$app/navigation';
import * as Table from '$lib/components/ui/table';
import { Badge } from '$lib/components/ui/badge';
@ -10,7 +10,7 @@
// refresh every 5 seconds
const interval = setInterval(() => {
console.log('Refreshing connections');
invalidate('/api/connections');
invalidate('/connections');
}, 5000);
return () => clearInterval(interval);

9
src/routes/connections/+page.ts
View File

@ -1,9 +0,0 @@
import type { PageLoad } from './$types';
import type { ConnectionDetails } from '$lib/connections';
export const load: PageLoad = async ({ fetch }) => {
const res = await fetch('/api/connections');
const connections = await res.json() as ConnectionDetails[];
return { connections };
};

14
src/routes/devices/+page.server.ts
View File

@ -1,7 +1,15 @@
import type { Actions } from './$types';
import { createDevice } from '$lib/server/devices';
import type { Actions, PageServerLoad } from './$types';
import { createDevice, findDevices, mapDeviceToDetails } from '$lib/server/devices';
import { error, fail, redirect } from '@sveltejs/kit';
import wgProvider from '$lib/server/wg-provider';
export const load: PageServerLoad = async (event) => {
if (!event.locals.user) {
error(401, 'Unauthorized');
}
const devices = await findDevices(event.locals.user.id);
return { devices };
};
export const actions = {
create: async (event) => {

9
src/routes/devices/+page.ts
View File

@ -1,9 +0,0 @@
import type { PageLoad } from './$types';
import type { DeviceDetails } from '$lib/devices';
export const load: PageLoad = async ({ fetch }) => {
const res = await fetch('/api/devices');
const { devices } = await res.json() as { devices: DeviceDetails[] };
return { devices };
};