WIP: auth: improve handling of invite tokens

2025-04-08 22:06:52 -07:00
9 changed files with 24 additions and 193 deletions
--- a/.editorconfig
+++ b/.editorconfig
@@ -1,10 +0,0 @@
-[*]
-charset = utf-8
-insert_final_newline = true
-end_of_line = lf
-
-indent_style = tab
-indent_size = 2
-max_line_length = 100
-quote_type = single
-trim_trailing_whitespace = true
--- a/.zed/settings.json
+++ b/.zed/settings.json
@@ -1,7 +0,0 @@
-// Folder-specific settings
-//
-// For a full list of overridable settings, and general information on folder-specific settings,
-// see the documentation: https://zed.dev/docs/configuring-zed#settings-files
-{
-	"formatter": "prettier"
-}
--- a/README.md
+++ b/README.md
@@ -27,10 +27,3 @@ bun install
 bun run prepare
 bun run dev
 ```
-
-## To Do
-
- [ ] Proper invite page
- [ ] Proper error page for login without invite
- [ ] Support file provider (for wg-quick)
- [ ] wg-quick scripts (maybe?)
--- a/src/routes/auth/google/callback/+page.server.ts
+++ b/src/routes/auth/google/callback/+page.server.ts
@@ -1,108 +0,0 @@
-import { error } from '@sveltejs/kit';
-import * as arctic from 'arctic';
-import { google } from '$lib/server/oauth';
-import { db } from '$lib/server/db';
-import { eq } from 'drizzle-orm';
-import * as table from '$lib/server/db/schema';
-import { createSession, isValidInviteToken, setSessionTokenCookie } from '$lib/server/auth';
-import type { OAuth2Tokens } from 'arctic';
-import { assertGuard } from 'typia';
-import type { PageServerLoad } from './$types';
-
-export const load: PageServerLoad = async ({ url, cookies }) => {
-	const code = url.searchParams.get('code');
-	const state = url.searchParams.get('state');
-	const storedState = cookies.get('google_oauth_state') ?? null;
-	const codeVerifier = cookies.get('google_code_verifier') ?? null;
-
-	if (code === null || state === null || storedState === null || codeVerifier === null) {
-		error(400, 'Missing url parameters');
-		return;
-	}
-
-	const stateGeneratedToken = state.slice(0, storedState.length);
-	const stateInviteToken = state.slice(storedState.length);
-	if (stateGeneratedToken !== storedState) {
-		return new Response(null, {
-			status: 400,
-		});
-	}
-
-	let tokens: OAuth2Tokens;
-	try {
-		tokens = await google.validateAuthorizationCode(code, codeVerifier);
-	} catch (e) {
-		if (e instanceof arctic.OAuth2RequestError) {
-			console.debug('Arctic: OAuth: invalid authorization code, credentials, or redirect URI', e);
-			return new Response(null, {
-				status: 400,
-			});
-		}
-		if (e instanceof arctic.ArcticFetchError) {
-			console.debug('Arctic: failed to call `fetch()`', e);
-			return new Response(null, {
-				status: 400,
-			});
-		}
-
-		return new Response(null, {
-			status: 500,
-		});
-	}
-
-	const idToken = tokens.idToken();
-	const claims = arctic.decodeIdToken(idToken);
-
-	console.log('claims', claims);
-
-	assertGuard<{
-		sub: string;
-		email: string;
-		name: string;
-	}>(claims);
-
-	const userId = claims.sub;
-	const existingUser = await db.query.users.findFirst({ where: eq(table.users.id, userId) });
-
-	if (existingUser) {
-		const session = await createSession(existingUser.id);
-		setSessionTokenCookie(event, session.id, session.expiresAt);
-		return new Response(null, {
-			status: 302,
-			headers: {
-				Location: '/',
-			},
-		});
-	}
-
-	if (!isValidInviteToken(stateInviteToken)) {
-		const message =
-			stateInviteToken.length === 0 ? 'sign up with an invite link first' : 'invalid invite link';
-
-		return new Response('Not Authorized: ' + message, {
-			status: 403,
-		});
-	}
-
-	const user: table.User = {
-		id: userId,
-		authSource: 'google',
-		username: claims.email,
-		name: claims.name,
-	};
-
-	// TODO: proper error handling, delete cookies
-	await db.insert(table.users).values(user);
-	console.log('created user', user, 'with invite token', stateInviteToken);
-
-	const session = await createSession(user.id);
-
-	setSessionTokenCookie(event, session.id, session.expiresAt);
-
-	return new Response(null, {
-		status: 302,
-		headers: {
-			Location: '/',
-		},
-	});
-};
--- a/src/routes/connections/+page.server.ts
+++ b/src/routes/connections/+page.server.ts
@@ -1,47 +0,0 @@
-import type { PageServerLoad } from './$types';
-import type { ConnectionDetails } from '$lib/connections';
-import { findDevices } from '$lib/server/devices';
-import wgProvider from '$lib/server/wg-provider';
-import { error } from '@sveltejs/kit';
-
-export const load: PageServerLoad = async ({ locals, setHeaders, depends }) => {
-	if (!locals.user) {
-		error(401, 'Unauthorized');
-	}
-	console.debug('/connections');
-
-	const peersResult = await wgProvider.findConnections(locals.user);
-	if (peersResult._tag === 'err') return error(500, peersResult.error.message);
-
-	const devices = await findDevices(locals.user.id);
-	console.debug('/connections: fetched db devices');
-
-	// TODO: this is all garbage performance
-	// filter devices with no recent handshakes
-	const peers = peersResult.value.filter((peer) => peer.latestHandshake);
-
-	// start from devices, to treat db as the source of truth
-	const connections: ConnectionDetails[] = [];
-	for (const device of devices) {
-		const peerData = peers.find((peer) => peer.publicKey === device.publicKey);
-		if (!peerData) continue;
-		connections.push({
-			deviceId: device.id,
-			deviceName: device.name,
-			devicePublicKey: device.publicKey,
-			deviceIps: peerData.allowedIps.split(','),
-			endpoint: peerData.endpoint,
-			// swap rx and tx, since the opnsense values are from the server perspective
-			transferRx: peerData.transferTx,
-			transferTx: peerData.transferRx,
-			latestHandshake: peerData.latestHandshake,
-		});
-	}
-
-	setHeaders({
-		'Cache-Control': 'max-age=5',
-	});
-
-	depends('connections');
-	return { connections };
-};
--- a/src/routes/connections/+page.svelte
+++ b/src/routes/connections/+page.svelte
@@ -1,6 +1,6 @@
 <script lang="ts">
 	import type { PageData } from './$types';
-	import { invalidate, invalidateAll } from '$app/navigation';
+	import { invalidate } from '$app/navigation';
 	import * as Table from '$lib/components/ui/table';
 	import { Badge } from '$lib/components/ui/badge';

@@ -10,7 +10,7 @@
 		// refresh every 5 seconds
 		const interval = setInterval(() => {
 			console.log('Refreshing connections');
-			invalidate('/connections');
+			invalidate('/api/connections');
 		}, 5000);

 		return () => clearInterval(interval);
--- a/src/routes/connections/+page.ts
+++ b/src/routes/connections/+page.ts
@@ -0,0 +1,9 @@
+import type { PageLoad } from './$types';
+import type { ConnectionDetails } from '$lib/connections';
+
+export const load: PageLoad = async ({ fetch }) => {
+	const res = await fetch('/api/connections');
+	const connections = await res.json() as ConnectionDetails[];
+
+	return { connections };
+};
--- a/src/routes/devices/+page.server.ts
+++ b/src/routes/devices/+page.server.ts
@@ -1,15 +1,7 @@
-import type { Actions, PageServerLoad } from './$types';
-import { createDevice, findDevices, mapDeviceToDetails } from '$lib/server/devices';
+import type { Actions } from './$types';
+import { createDevice } from '$lib/server/devices';
 import { error, fail, redirect } from '@sveltejs/kit';
-
-export const load: PageServerLoad = async (event) => {
-	if (!event.locals.user) {
-		error(401, 'Unauthorized');
-	}
-
-	const devices = await findDevices(event.locals.user.id);
-	return { devices };
-};
+import wgProvider from '$lib/server/wg-provider';

 export const actions = {
 	create: async (event) => {
--- a/src/routes/devices/+page.ts
+++ b/src/routes/devices/+page.ts
@@ -0,0 +1,9 @@
+import type { PageLoad } from './$types';
+import type { DeviceDetails } from '$lib/devices';
+
+export const load: PageLoad = async ({ fetch }) => {
+	const res = await fetch('/api/devices');
+	const { devices } = await res.json() as { devices: DeviceDetails[] };
+
+	return { devices };
+};