api9nin / src /app /api /auth /oidc /test /route.js
github-actions[bot]
deploy from github actions 2026-06-18
c8ae75d
Raw
History Blame Contribute Delete
2.96 kB
import { NextResponse } from "next/server";
import { cookies } from "next/headers";
import { getSettings } from "@/lib/localDb";
import { fetchOidcDiscovery, getPublicOrigin, probeOidcClientSecret } from "@/lib/auth/oidc";
import { verifyDashboardAuthToken } from "@/lib/auth/dashboardSession";
async function canAccessTestRoute() {
const settings = await getSettings();
if (settings.requireLogin === false) return true;
const cookieStore = await cookies();
const token = cookieStore.get("auth_token")?.value;
return await verifyDashboardAuthToken(token);
}
export async function POST(request) {
try {
if (!(await canAccessTestRoute())) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
const body = await request.json().catch(() => ({}));
const settings = await getSettings();
const issuerUrl = String(body.issuerUrl || settings.oidcIssuerUrl || "").trim();
const clientId = String(body.clientId || settings.oidcClientId || "").trim();
const scopes = String(body.scopes || settings.oidcScopes || "openid profile email").trim() || "openid profile email";
const clientSecret = String(
Object.prototype.hasOwnProperty.call(body, "clientSecret")
? body.clientSecret
: settings.oidcClientSecret || ""
).trim();
if (!issuerUrl) {
return NextResponse.json({ error: "Issuer URL is required" }, { status: 400 });
}
if (!clientId) {
return NextResponse.json({ error: "Client ID is required" }, { status: 400 });
}
const discovery = await fetchOidcDiscovery(issuerUrl);
const redirectUri = `${getPublicOrigin(request)}/api/auth/oidc/callback`;
const secretProbe = await probeOidcClientSecret({
tokenEndpoint: discovery.token_endpoint,
clientId,
clientSecret,
redirectUri,
});
if (secretProbe.tested && secretProbe.valid === false) {
return NextResponse.json({
ok: false,
discoveryOk: true,
clientSecretTested: true,
clientSecretValid: false,
issuerUrl,
clientId,
scopes,
redirectUri,
authorizationEndpoint: discovery.authorization_endpoint || "",
tokenEndpoint: discovery.token_endpoint || "",
jwksUri: discovery.jwks_uri || "",
error: `Discovery loaded, but the client secret is not valid: ${secretProbe.message}`,
});
}
return NextResponse.json({
ok: true,
discoveryOk: true,
clientSecretTested: secretProbe.tested,
clientSecretValid: secretProbe.valid,
issuerUrl,
clientId,
scopes,
redirectUri,
authorizationEndpoint: discovery.authorization_endpoint || "",
tokenEndpoint: discovery.token_endpoint || "",
jwksUri: discovery.jwks_uri || "",
message: secretProbe.message,
});
} catch (error) {
return NextResponse.json({ error: error.message || "OIDC test failed" }, { status: 500 });
}
}