| | import { |
| | Issuer, |
| | type BaseClient, |
| | type UserinfoResponse, |
| | type TokenSet, |
| | custom, |
| | } from "openid-client"; |
| | import { addHours, addWeeks } from "date-fns"; |
| | import { config } from "$lib/server/config"; |
| | import { sha256 } from "$lib/utils/sha256"; |
| | import { z } from "zod"; |
| | import { dev } from "$app/environment"; |
| | import type { Cookies } from "@sveltejs/kit"; |
| | import { collections } from "$lib/server/database"; |
| | import JSON5 from "json5"; |
| | import { logger } from "$lib/server/logger"; |
| | import { ObjectId } from "mongodb"; |
| | import type { Cookie } from "elysia"; |
| | import { adminTokenManager } from "./adminToken"; |
| |
|
| | export interface OIDCSettings { |
| | redirectURI: string; |
| | } |
| |
|
| | export interface OIDCUserInfo { |
| | token: TokenSet; |
| | userData: UserinfoResponse; |
| | } |
| |
|
| | const stringWithDefault = (value: string) => |
| | z |
| | .string() |
| | .default(value) |
| | .transform((el) => (el ? el : value)); |
| |
|
| | export const OIDConfig = z |
| | .object({ |
| | CLIENT_ID: stringWithDefault(config.OPENID_CLIENT_ID), |
| | CLIENT_SECRET: stringWithDefault(config.OPENID_CLIENT_SECRET), |
| | PROVIDER_URL: stringWithDefault(config.OPENID_PROVIDER_URL), |
| | SCOPES: stringWithDefault(config.OPENID_SCOPES), |
| | NAME_CLAIM: stringWithDefault(config.OPENID_NAME_CLAIM).refine( |
| | (el) => !["preferred_username", "email", "picture", "sub"].includes(el), |
| | { message: "nameClaim cannot be one of the restricted keys." } |
| | ), |
| | TOLERANCE: stringWithDefault(config.OPENID_TOLERANCE), |
| | RESOURCE: stringWithDefault(config.OPENID_RESOURCE), |
| | ID_TOKEN_SIGNED_RESPONSE_ALG: z.string().optional(), |
| | }) |
| | .parse(JSON5.parse(config.OPENID_CONFIG || "{}")); |
| |
|
| | export const requiresUser = !!OIDConfig.CLIENT_ID && !!OIDConfig.CLIENT_SECRET; |
| |
|
| | const sameSite = z |
| | .enum(["lax", "none", "strict"]) |
| | .default(dev || config.ALLOW_INSECURE_COOKIES === "true" ? "lax" : "none") |
| | .parse(config.COOKIE_SAMESITE === "" ? undefined : config.COOKIE_SAMESITE); |
| |
|
| | const secure = z |
| | .boolean() |
| | .default(!(dev || config.ALLOW_INSECURE_COOKIES === "true")) |
| | .parse(config.COOKIE_SECURE === "" ? undefined : config.COOKIE_SECURE === "true"); |
| |
|
| | export function refreshSessionCookie(cookies: Cookies, sessionId: string) { |
| | cookies.set(config.COOKIE_NAME, sessionId, { |
| | path: "/", |
| | |
| | sameSite, |
| | secure, |
| | httpOnly: true, |
| | expires: addWeeks(new Date(), 2), |
| | }); |
| | } |
| |
|
| | export async function findUser(sessionId: string) { |
| | const session = await collections.sessions.findOne({ sessionId }); |
| |
|
| | if (!session) { |
| | return null; |
| | } |
| |
|
| | return await collections.users.findOne({ _id: session.userId }); |
| | } |
| | export const authCondition = (locals: App.Locals) => { |
| | if (!locals.user && !locals.sessionId) { |
| | throw new Error("User or sessionId is required"); |
| | } |
| |
|
| | return locals.user |
| | ? { userId: locals.user._id } |
| | : { sessionId: locals.sessionId, userId: { $exists: false } }; |
| | }; |
| |
|
| | |
| | |
| | |
| | export async function generateCsrfToken(sessionId: string, redirectUrl: string): Promise<string> { |
| | const data = { |
| | expiration: addHours(new Date(), 1).getTime(), |
| | redirectUrl, |
| | }; |
| |
|
| | return Buffer.from( |
| | JSON.stringify({ |
| | data, |
| | signature: await sha256(JSON.stringify(data) + "##" + sessionId), |
| | }) |
| | ).toString("base64"); |
| | } |
| |
|
| | async function getOIDCClient(settings: OIDCSettings): Promise<BaseClient> { |
| | const issuer = await Issuer.discover(OIDConfig.PROVIDER_URL); |
| |
|
| | const client_config: ConstructorParameters<typeof issuer.Client>[0] = { |
| | client_id: OIDConfig.CLIENT_ID, |
| | client_secret: OIDConfig.CLIENT_SECRET, |
| | redirect_uris: [settings.redirectURI], |
| | response_types: ["code"], |
| | [custom.clock_tolerance]: OIDConfig.TOLERANCE || undefined, |
| | id_token_signed_response_alg: OIDConfig.ID_TOKEN_SIGNED_RESPONSE_ALG || undefined, |
| | }; |
| |
|
| | const alg_supported = issuer.metadata["id_token_signing_alg_values_supported"]; |
| |
|
| | if (Array.isArray(alg_supported)) { |
| | client_config.id_token_signed_response_alg ??= alg_supported[0]; |
| | } |
| |
|
| | return new issuer.Client(client_config); |
| | } |
| |
|
| | export async function getOIDCAuthorizationUrl( |
| | settings: OIDCSettings, |
| | params: { sessionId: string } |
| | ): Promise<string> { |
| | const client = await getOIDCClient(settings); |
| | const csrfToken = await generateCsrfToken(params.sessionId, settings.redirectURI); |
| |
|
| | return client.authorizationUrl({ |
| | scope: OIDConfig.SCOPES, |
| | state: csrfToken, |
| | resource: OIDConfig.RESOURCE || undefined, |
| | }); |
| | } |
| |
|
| | export async function getOIDCUserData( |
| | settings: OIDCSettings, |
| | code: string, |
| | iss?: string |
| | ): Promise<OIDCUserInfo> { |
| | const client = await getOIDCClient(settings); |
| | const token = await client.callback(settings.redirectURI, { code, iss }); |
| | const userData = await client.userinfo(token); |
| |
|
| | return { token, userData }; |
| | } |
| |
|
| | export async function validateAndParseCsrfToken( |
| | token: string, |
| | sessionId: string |
| | ): Promise<{ |
| | |
| | redirectUrl: string; |
| | } | null> { |
| | try { |
| | const { data, signature } = z |
| | .object({ |
| | data: z.object({ |
| | expiration: z.number().int(), |
| | redirectUrl: z.string().url(), |
| | }), |
| | signature: z.string().length(64), |
| | }) |
| | .parse(JSON.parse(token)); |
| |
|
| | const reconstructSign = await sha256(JSON.stringify(data) + "##" + sessionId); |
| |
|
| | if (data.expiration > Date.now() && signature === reconstructSign) { |
| | return { redirectUrl: data.redirectUrl }; |
| | } |
| | } catch (e) { |
| | logger.error(e); |
| | } |
| | return null; |
| | } |
| |
|
| | type CookieRecord = |
| | | { type: "elysia"; value: Record<string, Cookie<string | undefined>> } |
| | | { type: "svelte"; value: Cookies }; |
| | type HeaderRecord = |
| | | { type: "elysia"; value: Record<string, string | undefined> } |
| | | { type: "svelte"; value: Headers }; |
| |
|
| | export async function authenticateRequest( |
| | headers: HeaderRecord, |
| | cookie: CookieRecord, |
| | isApi?: boolean |
| | ): Promise<App.Locals & { secretSessionId: string }> { |
| | |
| | |
| | |
| | const token = |
| | cookie.type === "elysia" |
| | ? cookie.value[config.COOKIE_NAME].value |
| | : cookie.value.get(config.COOKIE_NAME); |
| |
|
| | let email = null; |
| | if (config.TRUSTED_EMAIL_HEADER) { |
| | if (headers.type === "elysia") { |
| | email = headers.value[config.TRUSTED_EMAIL_HEADER]; |
| | } else { |
| | email = headers.value.get(config.TRUSTED_EMAIL_HEADER); |
| | } |
| | } |
| |
|
| | let secretSessionId: string | null = null; |
| | let sessionId: string | null = null; |
| |
|
| | if (email) { |
| | secretSessionId = sessionId = await sha256(email); |
| | return { |
| | user: { |
| | _id: new ObjectId(sessionId.slice(0, 24)), |
| | name: email, |
| | email, |
| | createdAt: new Date(), |
| | updatedAt: new Date(), |
| | hfUserId: email, |
| | avatarUrl: "", |
| | logoutDisabled: true, |
| | }, |
| | sessionId, |
| | secretSessionId, |
| | isAdmin: adminTokenManager.isAdmin(sessionId), |
| | }; |
| | } |
| |
|
| | if (token) { |
| | secretSessionId = token; |
| | sessionId = await sha256(token); |
| | const user = await findUser(sessionId); |
| | return { |
| | user: user ?? undefined, |
| | sessionId, |
| | secretSessionId, |
| | isAdmin: user?.isAdmin || adminTokenManager.isAdmin(sessionId), |
| | }; |
| | } |
| |
|
| | if (isApi) { |
| | const authorization = |
| | headers.type === "elysia" |
| | ? headers.value["Authorization"] |
| | : headers.value.get("Authorization"); |
| | if (authorization?.startsWith("Bearer ")) { |
| | const token = authorization.slice(7); |
| | const hash = await sha256(token); |
| | sessionId = secretSessionId = hash; |
| |
|
| | const cacheHit = await collections.tokenCaches.findOne({ tokenHash: hash }); |
| | if (cacheHit) { |
| | const user = await collections.users.findOne({ hfUserId: cacheHit.userId }); |
| | if (!user) { |
| | throw new Error("User not found"); |
| | } |
| | return { |
| | user, |
| | sessionId, |
| | secretSessionId, |
| | isAdmin: user.isAdmin || adminTokenManager.isAdmin(sessionId), |
| | }; |
| | } |
| |
|
| | const response = await fetch("https://huggingface.co/api/whoami-v2", { |
| | headers: { Authorization: `Bearer ${token}` }, |
| | }); |
| |
|
| | if (!response.ok) { |
| | throw new Error("Unauthorized"); |
| | } |
| |
|
| | const data = await response.json(); |
| | const user = await collections.users.findOne({ hfUserId: data.id }); |
| | if (!user) { |
| | throw new Error("User not found"); |
| | } |
| |
|
| | await collections.tokenCaches.insertOne({ |
| | tokenHash: hash, |
| | userId: data.id, |
| | createdAt: new Date(), |
| | updatedAt: new Date(), |
| | }); |
| |
|
| | return { |
| | user, |
| | sessionId, |
| | secretSessionId, |
| | isAdmin: user.isAdmin || adminTokenManager.isAdmin(sessionId), |
| | }; |
| | } |
| | } |
| |
|
| | |
| | secretSessionId = crypto.randomUUID(); |
| | sessionId = await sha256(secretSessionId); |
| |
|
| | if (await collections.sessions.findOne({ sessionId })) { |
| | throw new Error("Session ID collision"); |
| | } |
| |
|
| | return { user: undefined, sessionId, secretSessionId, isAdmin: false }; |
| | } |
| |
|
