Spaces:
Running
Running
| import { error, redirect } from "@sveltejs/kit"; | |
| import { getOIDCUserData, validateAndParseCsrfToken } from "$lib/server/auth"; | |
| import { z } from "zod"; | |
| import { base } from "$app/paths"; | |
| import { config } from "$lib/server/config"; | |
| import JSON5 from "json5"; | |
| import { updateUser } from "./updateUser.js"; | |
| const sanitizeJSONEnv = (val: string, fallback: string) => { | |
| const raw = (val ?? "").trim(); | |
| const unquoted = raw.startsWith("`") && raw.endsWith("`") ? raw.slice(1, -1) : raw; | |
| return unquoted || fallback; | |
| }; | |
| const parseJSONEnv = (val: string, fallback: string) => { | |
| try { | |
| return JSON5.parse(sanitizeJSONEnv(val, fallback)); | |
| } catch (e) { | |
| console.warn(`Failed to parse environment variable as JSON5, using fallback: ${fallback}`, e); | |
| return JSON5.parse(fallback); | |
| } | |
| }; | |
| const allowedUserEmails = z | |
| .array(z.string().email()) | |
| .optional() | |
| .default([]) | |
| .parse(parseJSONEnv(config.ALLOWED_USER_EMAILS, "[]")); | |
| const allowedUserDomains = z | |
| .array(z.string().regex(/\.\w+$/)) // Contains at least a dot | |
| .optional() | |
| .default([]) | |
| .parse(parseJSONEnv(config.ALLOWED_USER_DOMAINS, "[]")); | |
| export async function GET({ url, locals, cookies, request, getClientAddress }) { | |
| const { error: errorName, error_description: errorDescription } = z | |
| .object({ | |
| error: z.string().optional(), | |
| error_description: z.string().optional(), | |
| }) | |
| .parse(Object.fromEntries(url.searchParams.entries())); | |
| if (errorName) { | |
| throw error(400, errorName + (errorDescription ? ": " + errorDescription : "")); | |
| } | |
| const { code, state, iss } = z | |
| .object({ | |
| code: z.string(), | |
| state: z.string(), | |
| iss: z.string().optional(), | |
| }) | |
| .parse(Object.fromEntries(url.searchParams.entries())); | |
| const csrfToken = Buffer.from(state, "base64").toString("utf-8"); | |
| const validatedToken = await validateAndParseCsrfToken(csrfToken, locals.sessionId); | |
| if (!validatedToken) { | |
| throw error(403, "Invalid or expired CSRF token"); | |
| } | |
| const { token, userData } = await getOIDCUserData( | |
| { redirectURI: validatedToken.redirectUrl }, | |
| code, | |
| iss | |
| ); | |
| const tokenIssuer = (() => { | |
| if (typeof token.issuer === "string") return token.issuer; | |
| const claims = typeof token.claims === "function" ? token.claims() : undefined; | |
| if (claims && typeof claims.iss === "string") return claims.iss; | |
| if (typeof token.iss === "string") return token.iss; | |
| return ""; | |
| })(); | |
| const issuerCandidate = [iss, tokenIssuer, config.OPENID_PROVIDER_URL] | |
| .filter((value): value is string => typeof value === "string") | |
| .map((value) => value.toLowerCase()) | |
| .join(" "); | |
| const isHuggingFaceProvider = issuerCandidate.includes("huggingface.co"); | |
| // Filter by allowed user emails or domains | |
| if (allowedUserEmails.length > 0 || allowedUserDomains.length > 0) { | |
| if (!userData.email) { | |
| throw error(403, "User not allowed: email not returned"); | |
| } | |
| const emailVerified = userData.email_verified ?? true; | |
| if (!emailVerified) { | |
| throw error(403, "User not allowed: email not verified"); | |
| } | |
| const emailDomain = userData.email.split("@")[1]; | |
| const isEmailAllowed = allowedUserEmails.includes(userData.email); | |
| const isDomainAllowed = allowedUserDomains.includes(emailDomain); | |
| if (!isEmailAllowed && !isDomainAllowed) { | |
| throw error(403, "User not allowed"); | |
| } | |
| } | |
| await updateUser({ | |
| userData, | |
| locals, | |
| cookies, | |
| userAgent: request.headers.get("user-agent") ?? undefined, | |
| ip: getClientAddress(), | |
| authProvider: isHuggingFaceProvider ? "huggingface" : "oidc", | |
| accessToken: isHuggingFaceProvider ? (token.access_token ?? undefined) : undefined, | |
| }); | |
| return redirect(302, `${base}/`); | |
| } | |