ci: finalize woodpecker pipeline

.env.example

@@ -1,30 +1,18 @@
 DATABASE_URL=file:local.db
 
-PUBLIC_AUTH_AUTHENTIK_ENABLE=1
+AUTH_DOMAIN=auth.lab.cazzzer.com
-AUTH_AUTHENTIK_REQUIRE_INVITE=0
+AUTH_CLIENT_ID=
-AUTH_AUTHENTIK_DOMAIN=auth.lab.cazzzer.com
+AUTH_CLIENT_SECRET=
-AUTH_AUTHENTIK_CLIENT_ID=
+GOOGLE_CLIENT_ID=
-AUTH_AUTHENTIK_CLIENT_SECRET=
+GOOGLE_CLIENT_SECRET=
 
-PUBLIC_AUTH_GOOGLE_ENABLE=1
+INVITE_TOKEN=GUjdsz9aREFTEBYDrA3AajUE8oVys2xW
-AUTH_GOOGLE_REQUIRE_INVITE=1
-AUTH_GOOGLE_CLIENT_ID=
-AUTH_GOOGLE_CLIENT_SECRET=
-
-AUTH_INVITE_TOKEN=GUjdsz9aREFTEBYDrA3AajUE8oVys2xW
-
-WG_PROVIDER=opnsense
 
 OPNSENSE_API_URL=https://opnsense.cazzzer.com
 OPNSENSE_API_KEY=
 OPNSENSE_API_SECRET=
 OPNSENSE_WG_IFNAME=wg2
 
-WG_QUICK_FILENAME=wg0.conf
-WG_QUICK_PRIVATE_KEY=MHV1/cTPiuOlEwwQ011dSn0e2c+sNRcPnA2e/74+N2E=
-WG_QUICK_ADDRESS=10.20.30.1,fd00::1
-WG_QUICK_LISTEN_PORT=51820
-
 IPV4_STARTING_ADDR=10.18.11.100
 IPV6_STARTING_ADDR=fd00:10:18:11::100:0
 IPV6_CLIENT_PREFIX_SIZE=112

.gitignore

@@ -22,6 +22,3 @@ vite.config.ts.timestamp-*
 
 # SQLite
 *.db
-
-# Generated wireguard configs
-wg*.conf

.woodpecker/build-image.yml

@@ -6,7 +6,7 @@ steps:
     settings:
       registry: gitea.cazzzer.com
       repo: ${CI_REPO,,}
-      # replace '/' in branch name
+      # replace invalid characters in branch name
       tags: ${CI_COMMIT_BRANCH/\//-}
       cache: true
       username:

README.md

@@ -27,3 +27,14 @@ bun install
 bun run prepare
 bun run dev
 ```
+
+## To Do
+
+- [ ] Proper invite page
+- [ ] Proper error page for login without invite
+- [ ] Support file provider (for wg-quick)
+- [ ] Fix accessibility issues (lighthouse)
+- [ ] Add title to profile page (lighthouse)
+- [ ] wg-quick scripts (maybe?)
+- [ ] Get rid of api routes (maybe?)
+- [ ] Get rid of custom result types (maybe?)

bun.lock

@@ -21,7 +21,6 @@
         "@tailwindcss/forms": "^0.5.10",
         "@tailwindcss/typography": "^0.5.16",
         "@types/better-sqlite3": "^7.6.13",
-        "@types/bun": "^1.2.13",
         "@types/eslint": "^9.6.1",
         "@types/qrcode-svg": "^1.1.5",
         "arctic": "^2.3.4",
@@ -282,8 +281,6 @@
 
     "@types/better-sqlite3": ["@types/better-sqlite3@7.6.13", "", { "dependencies": { "@types/node": "*" } }, "sha512-NMv9ASNARoKksWtsq/SHakpYAYnhBrQgGD8zkLYk/jaK8jUGn08CfEdTRgYhMypUQAfzSP8W6gNLe0q19/t4VA=="],
 
-    "@types/bun": ["@types/bun@1.2.13", "", { "dependencies": { "bun-types": "1.2.13" } }, "sha512-u6vXep/i9VBxoJl3GjZsl/BFIsvML8DfVDO0RYLEwtSZSp981kEO1V5NwRcO1CPJ7AmvpbnDCiMKo3JvbDEjAg=="],
-
     "@types/cookie": ["@types/cookie@0.6.0", "", {}, "sha512-4Kh9a6B2bQciAhf7FSuMRRkUWecJgJu9nPnx3yzpsfXX/c50REIqpHY4C82bXP90qrLtXtkDxTZosYO3UpOwlA=="],
 
     "@types/eslint": ["@types/eslint@9.6.1", "", { "dependencies": { "@types/estree": "*", "@types/json-schema": "*" } }, "sha512-FXx2pKgId/WyYo2jXw63kk7/+TY7u7AziEJxJAnSFzHlqTAS3Ync6SvgYAN/k4/PQpnnVuzoMuVnByKK2qp0ag=="],
@@ -366,8 +363,6 @@
 
     "buffer-from": ["buffer-from@1.1.2", "", {}, "sha512-E+XQCRwSbaaiChtv6k6Dwgc+bx+Bs6vuKJHHl5kox/BaKbhiXzqQOwK4cO22yElGp2OCmjwVhT3HmxgyPGnJfQ=="],
 
-    "bun-types": ["bun-types@1.2.13", "", { "dependencies": { "@types/node": "*" } }, "sha512-rRjA1T6n7wto4gxhAO/ErZEtOXyEZEmnIHQfl0Dt1QQSB4QV0iP6BZ9/YB5fZaHFQ2dwHFrmPaRQ9GGMX01k9Q=="],
-
     "callsites": ["callsites@3.1.0", "", {}, "sha512-P8BjAsXvZS+VIDUI11hHCQEv74YT67YUi5JJFNWIqL235sBmjX4+qx9Muvls5ivyNENctx46xQLQ3aTuE7ssaQ=="],
 
     "camelcase-css": ["camelcase-css@2.0.1", "", {}, "sha512-QOSvevhslijgYwRx6Rv7zKdMF8lbRmx+uQGx2+vDc+KI/eBnsy9kit5aj23AgGu3pa4t9AgwbnXWqS+iOY+2aA=="],

package.json

@@ -4,9 +4,9 @@
 	"license": "AGPL-3.0-or-later",
 	"type": "module",
 	"scripts": {
-		"dev": "bun x --bun vite dev",
+		"dev": "vite dev",
-		"build": "bun x --bun vite build",
+		"build": "vite build",
-		"preview": "bun x --bun vite preview",
+		"preview": "vite preview",
 		"check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
 		"check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch",
 		"format": "prettier --write .",
@@ -31,7 +31,6 @@
 		"@tailwindcss/forms": "^0.5.10",
 		"@tailwindcss/typography": "^0.5.16",
 		"@types/better-sqlite3": "^7.6.13",
-		"@types/bun": "^1.2.13",
 		"@types/eslint": "^9.6.1",
 		"@types/qrcode-svg": "^1.1.5",
 		"arctic": "^2.3.4",

src/lib/auth.ts

@@ -1,9 +0,0 @@
-import { envToBool } from '$lib/utils';
-import { env } from '$env/dynamic/public';
-
-export type AuthProvider = 'authentik' | 'google';
-
-export const enabledAuthProviders: Record<AuthProvider, boolean> = {
-	authentik: envToBool(env.PUBLIC_AUTH_AUTHENTIK_ENABLE),
-	google: envToBool(env.PUBLIC_AUTH_GOOGLE_ENABLE),
-};

src/lib/components/app/auth-form/auth-button.svelte

@@ -1,28 +0,0 @@
-<script lang="ts">
-	import { LucideLoaderCircle } from '@lucide/svelte';
-	import { Button } from '$lib/components/ui/button';
-
-	interface Props {
-		providerName: string;
-		displayName: string;
-		iconSrc: string;
-		inviteToken?: string;
-	}
-	let { providerName, displayName, inviteToken, iconSrc }: Props = $props();
-
-	let submitted = $state(false);
-</script>
-
-<form method="get" onsubmit={() => (submitted = true)} action="/auth/{providerName}">
-	{#if inviteToken}
-		<input type="hidden" value={inviteToken} name="invite" />
-	{/if}
-	<Button type="submit" disabled={submitted}>
-		{#if submitted}
-			<LucideLoaderCircle class="mr-2 h-4 w-4 animate-spin" />
-		{:else}
-			<img class="mr-2 h-4 w-4" alt="{displayName} Logo" src={iconSrc} />
-		{/if}
-		Sign {inviteToken ? 'up' : 'in'} with {displayName}
-	</Button>
-</form>

src/lib/components/app/auth-form/auth-form.svelte

@@ -1,26 +1,49 @@
 <script lang="ts">
+	import { LucideLoaderCircle } from '@lucide/svelte';
+	import { Button } from '$lib/components/ui/button';
 	import { cn } from '$lib/utils.js';
 	import googleIcon from '$lib/assets/google.svg';
-	import { enabledAuthProviders } from '$lib/auth';
-	import AuthButton from './auth-button.svelte';
 
-	interface Props {
+	let { inviteToken, class: className, ...rest }: {
 		inviteToken?: string;
 		class?: string;
-	}
+		rest?: { [p: string]: unknown }
-	let { inviteToken, class: className }: Props = $props();
+	} = $props();
+
+	let submitted = $state(false);
 </script>
 
-<div class={cn('flex gap-6', className)}>
+<div class={cn('flex gap-6', className)} {...rest}>
-	{#if enabledAuthProviders.authentik}
+	<form method="get" onsubmit={() => submitted = true}
-		<AuthButton
+				action="/auth/authentik{inviteToken ? `?invite=${inviteToken}` : ''}">
-			providerName="authentik"
+		<input type="hidden" value={inviteToken} name="invite" />
-			displayName="Authentik"
+		<Button type="submit" disabled={submitted}>
-			iconSrc="https://auth.cazzzer.com/static/dist/assets/icons/icon.svg"
+			{#if submitted}
-			{inviteToken}
+				<LucideLoaderCircle class="mr-2 h-4 w-4 animate-spin" />
-		/>
+			{:else}
-	{/if}
+				<img
-	{#if enabledAuthProviders.google}
+					class="mr-2 h-4 w-4"
-		<AuthButton providerName="google" displayName="Google" iconSrc={googleIcon} {inviteToken} />
+					alt="Authentik Logo"
-	{/if}
+					src="https://auth.cazzzer.com/static/dist/assets/icons/icon.svg"
+				/>
+			{/if}
+			Sign in with Authentik
+		</Button>
+	</form>
+	<form method="get" onsubmit={() => submitted = true}
+				action="/auth/google{inviteToken ? `?invite=${inviteToken}` : ''}">
+		<input type="hidden" value={inviteToken} name="invite" />
+		<Button type="submit" disabled={submitted}>
+			{#if submitted}
+				<LucideLoaderCircle class="mr-2 h-4 w-4 animate-spin" />
+			{:else}
+				<img
+					class="mr-2 h-4 w-4"
+					alt="Google Logo"
+					src={googleIcon}
+				/>
+			{/if}
+			Sign in with Google
+		</Button>
+	</form>
 </div>

src/lib/server/auth.ts

@@ -86,7 +86,7 @@ export async function validateSession(sessionId: string) {
 }
 
 export function isValidInviteToken(inviteToken: string) {
-	return inviteToken === env.AUTH_INVITE_TOKEN;
+	return inviteToken === env.INVITE_TOKEN;
 }
 
 export type SessionValidationResult = Awaited<ReturnType<typeof validateSession>>;

src/lib/server/oauth-providers/authentik.ts

@@ -1,34 +0,0 @@
-import { envToBool } from '$lib/utils';
-import { env } from '$env/dynamic/private';
-import { Authentik, decodeIdToken } from 'arctic';
-import { assertGuard } from 'typia';
-import type { IOAuthProvider } from '$lib/server/oauth';
-
-const authentikProvider = new Authentik(
-	env.AUTH_AUTHENTIK_DOMAIN,
-	env.AUTH_AUTHENTIK_CLIENT_ID,
-	env.AUTH_AUTHENTIK_CLIENT_SECRET,
-	`${env.ORIGIN}/auth/authentik/callback`,
-);
-
-export const authentik: IOAuthProvider = {
-	requireInvite: envToBool(env.AUTH_AUTHENTIK_REQUIRE_INVITE, true),
-	createAuthorizationURL: (state: string, codeVerifier: string) => {
-		const scopes = ['openid', 'profile'];
-		return authentikProvider.createAuthorizationURL(state, codeVerifier, scopes);
-	},
-	validateAuthorizationCode: async (code: string, codeVerifier: string) => {
-		const tokens = await authentikProvider.validateAuthorizationCode(code, codeVerifier);
-		const claims = decodeIdToken(tokens.idToken());
-		assertGuard<{
-			sub: string;
-			name: string;
-			preferred_username: string;
-		}>(claims);
-		return {
-			sub: claims.sub,
-			name: claims.name,
-			username: claims.preferred_username,
-		};
-	},
-};

src/lib/server/oauth-providers/google.ts

@@ -1,33 +0,0 @@
-import { decodeIdToken, Google } from 'arctic';
-import { env } from '$env/dynamic/private';
-import { envToBool } from '$lib/utils';
-import { assertGuard } from 'typia';
-import type { IOAuthProvider } from '$lib/server/oauth';
-
-const googleProvider = new Google(
-	env.AUTH_GOOGLE_CLIENT_ID,
-	env.AUTH_GOOGLE_CLIENT_SECRET,
-	`${env.ORIGIN}/auth/google/callback`,
-);
-
-export const google: IOAuthProvider = {
-	requireInvite: envToBool(env.AUTH_GOOGLE_REQUIRE_INVITE, true),
-	createAuthorizationURL: (state: string, codeVerifier: string) => {
-		const scopes = ['openid', 'profile', 'email'];
-		return googleProvider.createAuthorizationURL(state, codeVerifier, scopes);
-	},
-	validateAuthorizationCode: async (code: string, codeVerifier: string) => {
-		const tokens = await googleProvider.validateAuthorizationCode(code, codeVerifier);
-		const claims = decodeIdToken(tokens.idToken());
-		assertGuard<{
-			sub: string;
-			email: string;
-			name: string;
-		}>(claims);
-		return {
-			sub: claims.sub,
-			name: claims.name,
-			username: claims.email,
-		};
-	},
-};

src/lib/server/oauth-providers/index.ts

@@ -1,2 +0,0 @@
-export { authentik } from './authentik';
-export { google } from './google';

src/lib/server/oauth.ts

@@ -1,19 +1,15 @@
-import type { AuthProvider } from '$lib/auth';
+import { Authentik, Google } from 'arctic';
-import { authentik, google } from '$lib/server/oauth-providers';
+import { env } from '$env/dynamic/private';
 
-export interface IOAuthClaims {
+export const authentik = new Authentik(
-	sub: string;
+	env.AUTH_DOMAIN,
-	name: string;
+	env.AUTH_CLIENT_ID,
-	username: string;
+	env.AUTH_CLIENT_SECRET,
-}
+	`${env.ORIGIN}/auth/authentik/callback`,
+);
 
-export interface IOAuthProvider {
+export const google = new Google(
-	readonly requireInvite: boolean;
+	env.GOOGLE_CLIENT_ID,
-	createAuthorizationURL(state: string, codeVerifier: string): URL;
+	env.GOOGLE_CLIENT_SECRET,
-	validateAuthorizationCode(code: string, codeVerifier: string): Promise<IOAuthClaims>;
+	`${env.ORIGIN}/auth/google/callback`,
-}
+);
-
-export const oauthProviders: Record<AuthProvider, IOAuthProvider> = {
-	authentik,
-	google,
-};

src/lib/server/wg-provider.ts

@@ -1,32 +1,12 @@
-import { assertGuard } from 'typia';
+import { WgProviderOpnsense } from '$lib/server/wg-providers/opnsense';
 import { env } from '$env/dynamic/private';
 import type { IWgProvider } from '$lib/server/types';
-import { WgProviderOpnsense } from '$lib/server/wg-providers/opnsense';
-import { WgProviderWgQuick } from '$lib/server/wg-providers/wg-quick';
 
-const opnsense: IWgProvider = new WgProviderOpnsense({
+const wgProvider: IWgProvider = new WgProviderOpnsense({
 	opnsenseUrl: env.OPNSENSE_API_URL,
 	opnsenseApiKey: env.OPNSENSE_API_KEY,
 	opnsenseApiSecret: env.OPNSENSE_API_SECRET,
 	opnsenseWgIfname: env.OPNSENSE_WG_IFNAME,
 });
 
-const wgQuick: IWgProvider = new WgProviderWgQuick({
-	filename: env.WG_QUICK_FILENAME,
-	address: env.WG_QUICK_ADDRESS,
-	privateKey: env.WG_QUICK_PRIVATE_KEY,
-	listenPort: parseInt(env.WG_QUICK_LISTEN_PORT),
-});
-
-const providers = {
-	opnsense,
-	'wg-quick': wgQuick,
-};
-
-const chosenProvider = env.WG_PROVIDER?? 'wg-quick';
-assertGuard<keyof typeof providers>(chosenProvider, () =>
-	Error(`WG_PROVIDER must be one of ${Object.keys(providers).join(', ')}`),
-);
-
-const wgProvider = providers[chosenProvider];
 export default wgProvider;

src/lib/server/wg-providers/wg-quick/index.ts

@@ -1,76 +0,0 @@
-import assert from 'node:assert';
-import { appendFile } from 'node:fs/promises';
-import type { ClientConnection, CreateClientParams, IWgProvider, WgKeys } from '$lib/server/types';
-import { err, ok, type Result } from '$lib/types';
-import {
-	type IWgQuickInterfaceConfig,
-	wgGenPrivKey,
-	wgGenPsk,
-	wgGenPubKey,
-	wgPeerConfig,
-	wgQuickInterfaceConfig, wgQuickUp
-} from './snippets';
-import type { User } from '$lib/server/db/schema';
-
-export class WgProviderWgQuick implements IWgProvider {
-	private filename: string;
-	private publicKey?: string;
-	private config: IWgQuickInterfaceConfig;
-
-	constructor(params: WgQuickParams) {
-		this.filename = params.filename;
-		this.config = {
-			address: params.address,
-			privateKey: params.privateKey,
-			listenPort: params.listenPort,
-		};
-	}
-
-	async init(): Promise<Result<null, Error>> {
-		const file = Bun.file(this.filename);
-
-		this.publicKey = await wgGenPubKey(this.config.privateKey);
-		console.log(`wg-quick: running with public key: ${this.publicKey}`);
-		if (await file.exists()) {
-			// TODO: Check if the file is a valid WireGuard config file and our settings match
-			return ok(null);
-		}
-		await Bun.write(this.filename, wgQuickInterfaceConfig(this.config) + '\n');
-		console.log('created wg-quick config file', this.filename);
-		return wgQuickUp(this.filename);
-	}
-
-	getServerPublicKey(): string {
-		assert(this.publicKey, 'WgQuick public key not set, init() must be called first');
-		return this.publicKey;
-	}
-
-	async generateKeys(): Promise<Result<WgKeys, Error>> {
-		const privateKey = await wgGenPrivKey();
-		const publicKey = await wgGenPubKey(privateKey);
-		const preSharedKey = await wgGenPsk();
-		return ok({
-			publicKey,
-			privateKey,
-			preSharedKey,
-		});
-	}
-
-	async createClient(params: CreateClientParams): Promise<Result<null, Error>> {
-		const peerConfig = wgPeerConfig(params);
-		await appendFile(this.filename, peerConfig + `\n`);
-		return ok(null);
-	}
-
-	async findConnections(user: User): Promise<Result<ClientConnection[], Error>> {
-		return err(Error('WgProviderWgQuick: listing connection information is not yet supported'));
-	}
-
-	async deleteClient(publicKey: string): Promise<Result<null, Error>> {
-		return err(Error('WgProviderWgQuick: deleting client is not yet supported'));
-	}
-}
-
-interface WgQuickParams extends IWgQuickInterfaceConfig {
-	filename: string;
-}

src/lib/server/wg-providers/wg-quick/snippets.ts

@@ -1,59 +0,0 @@
-import { $ } from 'bun';
-import type { CreateClientParams } from '$lib/server/types';
-import { err, ok, type Result } from '$lib/types';
-
-export type IWgQuickInterfaceConfig = {
-	address: string;
-	privateKey: string;
-	listenPort: number;
-}
-
-export function wgQuickInterfaceConfig(params: IWgQuickInterfaceConfig): string {
-	return`\
-[Interface]
-Address = ${params.address}
-PrivateKey = ${params.privateKey}
-ListenPort = ${params.listenPort}
-`;
-}
-
-export function wgPeerConfig(params: CreateClientParams): string {
-	return`\
-[Peer]
-PublicKey = ${params.publicKey}
-PresharedKey = ${params.preSharedKey}
-AllowedIPs = ${params.allowedIps}
-# vpgen-user = ${params.user.username}
-`;
-}
-
-export async function runCommand(command: string): Promise<Result<null, Error>> {
-	const result = await $`${command}`;
-	if (result.exitCode !== 0) return err(Error(`'${command}' failed with exit code ${result.exitCode}\n${result.stderr.toString()}`));
-	return ok(null);
-}
-
-export async function wgQuickUp(ifname: string): Promise<Result<null, Error>> {
-	return runCommand(`wg-quick up ${ifname}`);
-}
-
-export async function wgQuickDown(ifname: string): Promise<Result<null, Error>> {
-	return runCommand(`wg-quick down ${ifname}`);
-}
-
-export async function wgReload(ifname: string): Promise<Result<null, Error>> {
-	return runCommand(`wg-quick strip ${ifname} | wg syncconf ${ifname} /dev/stdin`);
-	// return runCommand(`wg syncconf ${ifname} <(wg-quick strip ${ifname})`);
-}
-
-export async function wgGenPubKey(privateKey: string) {
-	return (await $`echo ${privateKey} | wg pubkey`.text()).trim();
-}
-
-export async function wgGenPrivKey() {
-	return (await $`wg genkey`.text()).trim();
-}
-
-export async function wgGenPsk() {
-	return (await $`wg genpsk`.text()).trim();
-}

src/lib/utils.ts

@@ -4,11 +4,3 @@ import { twMerge } from "tailwind-merge";
 export function cn(...inputs: ClassValue[]) {
 	return twMerge(clsx(inputs));
 }
-
-export function envToBool(value: string | undefined, defaultValue = false): boolean {
-	if (typeof value === "undefined") {
-		return defaultValue;
-	}
-
-	return ['true', '1', 'yes'].includes(value.toLowerCase());
-}

src/routes/auth/[provider]/+server.ts

@@ -1,36 +0,0 @@
-import { generateCodeVerifier, generateState } from 'arctic';
-import { oauthProviders } from '$lib/server/oauth';
-import { is } from 'typia';
-import { type AuthProvider, enabledAuthProviders } from '$lib/auth';
-
-export async function GET({ params: { provider }, url, cookies }) {
-	if (!is<AuthProvider>(provider) || !enabledAuthProviders[provider]) {
-		return new Response(null, { status: 404 });
-	}
-	const oauthProvider = oauthProviders[provider];
-
-	const inviteToken = url.searchParams.get('invite') ?? '';
-	const state = generateState();
-	const codeVerifier = generateCodeVerifier();
-	const authUrl = oauthProvider.createAuthorizationURL(state + inviteToken, codeVerifier);
-
-	cookies.set(`${provider}_oauth_state`, state, {
-		path: '/',
-		httpOnly: true,
-		maxAge: 60 * 10, // 10 minutes
-		sameSite: 'lax',
-	});
-	cookies.set(`${provider}_code_verifier`, codeVerifier, {
-		path: '/',
-		httpOnly: true,
-		maxAge: 60 * 10, // 10 minutes
-		sameSite: 'lax',
-	});
-
-	return new Response(null, {
-		status: 302,
-		headers: {
-			Location: authUrl.toString(),
-		},
-	});
-}

src/routes/auth/authentik/+server.ts

@@ -0,0 +1,30 @@
+import { generateState, generateCodeVerifier } from "arctic";
+import { authentik } from "$lib/server/oauth";
+
+import type { RequestEvent } from "@sveltejs/kit";
+
+export async function GET(event: RequestEvent): Promise<Response> {
+	const state = generateState();
+	const codeVerifier = generateCodeVerifier();
+	const url = authentik.createAuthorizationURL(state, codeVerifier, ["openid", "profile"]);
+
+	event.cookies.set("authentik_oauth_state", state, {
+		path: "/",
+		httpOnly: true,
+		maxAge: 60 * 10, // 10 minutes
+		sameSite: "lax"
+	});
+	event.cookies.set("authentik_code_verifier", codeVerifier, {
+		path: "/",
+		httpOnly: true,
+		maxAge: 60 * 10, // 10 minutes
+		sameSite: "lax"
+	});
+
+	return new Response(null, {
+		status: 302,
+		headers: {
+			Location: url.toString()
+		}
+	});
+}

src/routes/auth/authentik/callback/+server.ts

@@ -0,0 +1,84 @@
+import { createSession, setSessionTokenCookie } from '$lib/server/auth';
+import { authentik } from '$lib/server/oauth';
+import { decodeIdToken } from 'arctic';
+
+import type { RequestEvent } from '@sveltejs/kit';
+import type { OAuth2Tokens } from 'arctic';
+import { db } from '$lib/server/db';
+import { eq } from 'drizzle-orm';
+
+import * as table from '$lib/server/db/schema';
+
+export async function GET(event: RequestEvent): Promise<Response> {
+	const code = event.url.searchParams.get('code');
+	const state = event.url.searchParams.get('state');
+	const storedState = event.cookies.get('authentik_oauth_state') ?? null;
+	const codeVerifier = event.cookies.get('authentik_code_verifier') ?? null;
+
+	if (code === null || state === null || storedState === null || codeVerifier === null) {
+		return new Response(null, {
+			status: 400,
+		});
+	}
+	if (state !== storedState) {
+		return new Response(null, {
+			status: 400,
+		});
+	}
+
+	let tokens: OAuth2Tokens;
+	try {
+		tokens = await authentik.validateAuthorizationCode(code, codeVerifier);
+	} catch (e) {
+		// Invalid code or client credentials
+		return new Response(null, {
+			status: 400,
+		});
+	}
+	const claims = decodeIdToken(tokens.idToken()) as {
+		sub: string;
+		preferred_username: string;
+		name: string;
+	};
+	console.log('claims', claims);
+	const userId: string = claims.sub;
+	const username: string = claims.preferred_username;
+
+	const existingUser = await db.query.users.findFirst({ where: eq(table.users.id, userId) });
+
+	if (existingUser) {
+		const session = await createSession(existingUser.id);
+		setSessionTokenCookie(event.cookies, session.id, session.expiresAt);
+		return new Response(null, {
+			status: 302,
+			headers: {
+				Location: '/',
+			},
+		});
+	}
+
+	const user: table.User = {
+		id: userId,
+		authSource: 'authentik',
+		username,
+		name: claims.name as string,
+	};
+
+	try {
+		await db.insert(table.users).values(user);
+		const session = await createSession(user.id);
+		setSessionTokenCookie(event.cookies, session.id, session.expiresAt);
+	} catch (e) {
+		console.error('failed to create user', e);
+		return new Response(null, {
+			status: 500,
+		});
+	}
+
+	return new Response(null, {
+		status: 302,
+		headers: {
+			Location: '/',
+		},
+	});
+}

src/routes/auth/google/+server.ts

@@ -0,0 +1,32 @@
+import type { RequestHandler } from './$types';
+import { generateCodeVerifier, generateState } from 'arctic';
+import { google } from '$lib/server/oauth';
+
+export const GET: RequestHandler = ({ url, cookies }) => {
+	const inviteToken = url.searchParams.get('invite');
+
+	const state = generateState();
+	const codeVerifier = generateCodeVerifier();
+	const scopes = ['openid', 'profile', 'email'];
+	const authUrl = google.createAuthorizationURL(state + inviteToken, codeVerifier, scopes);
+
+	cookies.set('google_oauth_state', state, {
+		path: '/',
+		httpOnly: true,
+		maxAge: 60 * 10, // 10 minutes
+		sameSite: 'lax',
+	});
+	cookies.set('google_code_verifier', codeVerifier, {
+		path: '/',
+		httpOnly: true,
+		maxAge: 60 * 10, // 10 minutes
+		sameSite: 'lax',
+	});
+
+	return new Response(null, {
+		status: 302,
+		headers: {
+			Location: authUrl.toString(),
+		},
+	});
+};

src/routes/auth/google/callback/+page.server.ts

@@ -1,24 +1,21 @@
-import { is } from 'typia';
+import { createSession, isValidInviteToken, setSessionTokenCookie } from '$lib/server/auth';
-import type { PageServerLoad } from './$types';
-import { error, redirect } from '@sveltejs/kit';
-import { type AuthProvider, enabledAuthProviders } from '$lib/auth';
-import { oauthProviders } from '$lib/server/oauth';
-import { ArcticFetchError, OAuth2RequestError } from 'arctic';
 import { db } from '$lib/server/db';
 import * as table from '$lib/server/db/schema';
+import { google } from '$lib/server/oauth';
+import { error, redirect } from '@sveltejs/kit';
+import type { OAuth2Tokens } from 'arctic';
+import * as arctic from 'arctic';
 import { eq } from 'drizzle-orm';
-import { createSession, isValidInviteToken, setSessionTokenCookie } from '$lib/server/auth';
+import { assertGuard } from 'typia';
+import type { PageServerLoad } from './$types';
 
-export const load: PageServerLoad = async ({ params: { provider }, url, cookies }) => {
+export const load: PageServerLoad = async (event) => {
-	if (!is<AuthProvider>(provider) || !enabledAuthProviders[provider]) {
+	const { url, cookies } = event;
-		error(404);
-	}
 
-	const oauthProvider = oauthProviders[provider];
 	const code = url.searchParams.get('code');
 	const state = url.searchParams.get('state');
-	const storedState = cookies.get(`${provider}_oauth_state`) ?? null;
+	const storedState = cookies.get('google_oauth_state') ?? null;
-	const codeVerifier = cookies.get(`${provider}_code_verifier`) ?? null;
+	const codeVerifier = cookies.get('google_code_verifier') ?? null;
 
 	if (code === null || state === null || storedState === null || codeVerifier === null) {
 		error(400, 'Missing url parameters');
@@ -30,23 +27,35 @@ export const load: PageServerLoad = async ({ params: { provider }, url, cookies
 		error(400, 'Invalid state in url');
 	}
 
-	let claims;
+	let tokens: OAuth2Tokens;
 	try {
-		claims = await oauthProvider.validateAuthorizationCode(code, codeVerifier);
+		tokens = await google.validateAuthorizationCode(code, codeVerifier);
 	} catch (e) {
-		if (e instanceof OAuth2RequestError) {
+		if (e instanceof arctic.OAuth2RequestError) {
 			console.debug('Arctic: OAuth: invalid authorization code, credentials, or redirect URI', e);
-			error(400, 'Invalid authorization code');
+			throw error(400, 'Invalid authorization code');
 		}
-		if (e instanceof ArcticFetchError) {
+		if (e instanceof arctic.ArcticFetchError) {
 			console.debug('Arctic: failed to call `fetch()`', e);
 			error(400, 'Failed to validate authorization code');
 		}
-		console.error('Unexpected error validating authorization code', code, e);
+		console.error('Unxepcted error validating authorization code', code, e);
 		error(500);
 	}
 
-	const existingUser = await db.query.users.findFirst({ where: eq(table.users.id, claims.sub) });
+	const idToken = tokens.idToken();
+	const claims = arctic.decodeIdToken(idToken);
+
+	console.log('claims', claims);
+
+	assertGuard<{
+		sub: string;
+		email: string;
+		name: string;
+	}>(claims);
+
+	const userId = claims.sub;
+	const existingUser = await db.query.users.findFirst({ where: eq(table.users.id, userId) });
 
 	if (existingUser) {
 		const session = await createSession(existingUser.id);
@@ -54,22 +63,25 @@ export const load: PageServerLoad = async ({ params: { provider }, url, cookies
 		redirect(302, '/');
 	}
 
-	if (oauthProvider.requireInvite && !isValidInviteToken(stateInviteToken)) {
+	if (!isValidInviteToken(stateInviteToken)) {
 		const message =
 			stateInviteToken.length === 0 ? 'sign up with an invite link first' : 'invalid invite link';
 		error(403, 'Not Authorized: ' + message);
 	}
 
 	const user: table.User = {
-		id: claims.sub,
+		id: userId,
-		authSource: provider,
+		authSource: 'google',
-		username: claims.username,
+		username: claims.email,
 		name: claims.name,
 	};
+
+	// TODO: proper error handling, delete cookies
 	await db.insert(table.users).values(user);
-	console.log('created user', user, 'using provider', provider, 'with invite token', stateInviteToken);
+	console.log('created user', user, 'with invite token', stateInviteToken);
 
 	const session = await createSession(user.id);
+
 	setSessionTokenCookie(cookies, session.id, session.expiresAt);
 
 	redirect(302, '/');

src/routes/invite/[id]/+layout.server.ts

@@ -2,7 +2,6 @@ import type { LayoutServerLoad } from './$types';
 import { redirect } from '@sveltejs/kit';
 import { isValidInviteToken } from '$lib/server/auth';
 
-export const load: LayoutServerLoad = ({ params, locals }) => {
+export const load: LayoutServerLoad = ({ params }) => {
-	if (!isValidInviteToken(params.id)) redirect(302, '/');
+	if (!isValidInviteToken(params.id)) redirect(307, '/')
-	if (locals.user !== null) redirect(302, '/');
 };

src/routes/invite/[id]/+page.svelte

@@ -10,7 +10,7 @@
 </svelte:head>
 
 <h1 class="mb-2 scroll-m-20 text-center text-3xl font-extrabold tracking-tight lg:text-4xl">
-	You are invited to VPGen
+	Welcome to VPGen
 </h1>
 
-<AuthForm {inviteToken} />
+<AuthForm inviteToken={inviteToken} />