handle callback URL, check state parameter

auth.js

@@ -55,4 +55,52 @@ export class Auth {
       status: 302,
     }))
   }
+
+  getToken(code) {
+    this._code = code
+    return 'test'
+  }
+
+  async callback(event) {
+    const url = new URL(event.request.url)
+    const { state, code } = Object.fromEntries(
+      url.searchParams.entries()
+    )
+    const cookies = cookie.getCookies(
+      event.request.headers
+    )
+    const headers = new Headers({
+      Location: '/#/'
+    })
+    if (cookies['oauth.gitea.state'] !== state) {
+      event.respondWith(new Response('invalid state', {
+        status: 401,
+      }))
+      return
+    }
+    const token = await this.getToken(code)
+    cookie.deleteCookie(headers, 'oauth.gitea.state')
+    cookie.setCookie(headers, {
+      name: 'oauth.gitea.token',
+      value: token,
+    })
+    event.respondWith(new Response('', {
+      headers,
+      status: 302,
+    }))
+  }
+
+  async serve(event) {
+    const {pathname} = new URL(event.request.url)
+    const u = this.baseUrl
+    if (pathname === `${u}/api/auth`) {
+      await this.redirect(event)
+    } else if (pathname === `${u}/api/auth/callback`) {
+      await this.callback(event)
+    } else {
+      event.respondWith(new Response(
+        'Not Found', {status: 404}
+      ))
+    }
+  }
 }

server.js

@@ -112,8 +112,8 @@ export class Server {
 
   async serveRequest(event) {
     const {pathname} = new URL(event.request.url)
-    if (pathname === `${this.baseUrl}/api/auth`) {
-      await this.auth.redirect(event)
+    if (pathname.startsWith(`${this.baseUrl}/api/auth`)) {
+      await this.auth.serve(event)
     } else {
       await this.frontend.serve(event)
     }