get tokens

handle callback URL, check state parameter
get redirect to OAuth login showing authorization screen
2 changed files with 190 additions and 8 deletions
--- a/auth.js
+++ b/auth.js
@ -1,7 +1,173 @@
 import * as cookie from 'https://deno.land/std@0.188.0/http/cookie.ts'
 export class Auth {
  constructor({
    baseUrl,
    remoteBaseUrl,
    giteaAppBaseUrl,
    giteaApiBaseUrl,
    giteaWebBaseUrl,
    giteaClientId,
    giteaClientSecret
  }) {
    this.baseUrl = baseUrl
    this.remoteBaseUrl = remoteBaseUrl
    this.giteaAppBaseUrl = giteaAppBaseUrl
    this.giteaApiBaseUrl = giteaApiBaseUrl
    this.giteaWebBaseUrl = giteaWebBaseUrl
    this.giteaClientId = giteaClientId
    this.giteaClientSecret = giteaClientSecret
  }
  redirectUrl(state) {
    const url = new URL(
      this.giteaWebBaseUrl + '/login/oauth/authorize'
    )
    const search = new URLSearchParams()
    search.set('response_type', 'code')
    search.set('client_id', this.giteaClientId)
    search.set('redirect_uri', this.callbackUrl)
    search.set('state', state)
    url.search = search.toString()
    return url.toString()
  }
  buildState() {
    const timestamp = new Date().valueOf()
    const randomInt = Math.floor(Math.random() * 10000)
    // TODO: sign
    return `${randomInt}-${timestamp}`
  }
  get callbackUrl() {
    return this.remoteBaseUrl + '/api/auth/callback'
  }
  async redirect(event) {
-    event.respondWith(new Response(
+    const state = this.buildState()
-      'extract query and redirect', {status: 200}
+    const url = this.redirectUrl(state)
-    ))
+    const headers = new Headers({
      Location: url
    })
    cookie.setCookie(headers, {
      name: 'oauth.gitea.state',
      value: state,
    })
    event.respondWith(new Response('', {
      headers,
      status: 302,
    }))
  }
  get tokenEndpoint() {
    return (
      this.giteaAppBaseUrl +
      '/login/oauth/access_token'
    )
  }
  async getToken(code) {
    const resp = await fetch(this.tokenEndpoint, {
      method: 'POST',
      headers: {
        Accept: 'application/json',
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({
        grant_type: 'authorization_code',
        code,
        client_id: this.giteaClientId,
        client_secret: this.giteaClientSecret,
        redirect_uri: this.callbackUrl,
      }),
    })
    return await resp.json()
  }
  saveTokens(headers, data) {
    cookie.setCookie(headers, {
      name: 'oauth.gitea.accessToken',
      value: data.access_token,
    })
    cookie.setCookie(headers, {
      name: 'oauth.gitea.refreshToken',
      value: data.refresh_token,
    })
    cookie.setCookie(headers, {
      name: 'oauth.gitea.expires',
      value: String(
        Math.floor(new Date().valueOf() / 1000) +
        data.expires_in
      ),
    })
  }
  async callback(event) {
    const url = new URL(event.request.url)
    const { state, code } = Object.fromEntries(
      url.searchParams.entries()
    )
    const cookies = cookie.getCookies(
      event.request.headers
    )
    const headers = new Headers({
      Location: '/#/'
    })
    if (cookies['oauth.gitea.state'] !== state) {
      event.respondWith(new Response('invalid state', {
        status: 401,
      }))
      return
    }
    const data = await this.getToken(code)
    cookie.deleteCookie(headers, 'oauth.gitea.state')
    this.saveTokens(headers, data)
    event.respondWith(new Response('', {
      headers,
      status: 302,
    }))
  }
  async refreshToken(refresh_token) {
    const resp = await fetch(this.tokenEndpoint, {
      method: 'POST',
      headers: {
        Accept: 'application/json',
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({
        refresh_token,
        grant_type: 'refresh_token',
      })
    })
    return await resp.json()
  }
  async refresh(event) {
    const headers = new Headers()
    const cookies = cookie.getCookies(
      event.request.headers
    )
    const data = await this.refreshToken(body)
    this.saveTokens(headers, data)
    event.respondWith(
      new Response(JSON.stringify({}), {headers})
    )
  }
  async serve(event) {
    const {pathname} = new URL(event.request.url)
    const u = this.baseUrl
    if (pathname === `${u}/api/auth`) {
      await this.redirect(event)
    } else if (pathname === `${u}/api/auth/callback`) {
      await this.callback(event)
    } else if (pathname === `${u}/api/auth/refresh`) {
      await this.refresh(event)
    } else {
      event.respondWith(new Response(
        'Not Found', {status: 404}
      ))
    }
  }
 }
--- a/server.js
+++ b/server.js
@ -1,5 +1,5 @@
-//import { Auth } from "./auth.js"
+import { Auth } from "./auth.js"
-//import { Frontend } from "./frontend.js"
+import { Frontend } from "./frontend.js"
 export class Server {
  async getEnv(variables) {
@ -23,24 +23,40 @@ export class Server {
    const env = await this.getEnv([
      'PORT',
      'BASE_URL',
      'REMOTE_BASE_URL',
      'GITEA_APP_BASE_URL',
      'GITEA_API_BASE_URL',
      'GITEA_WEB_BASE_URL',
      'GITEA_CLIENT_ID',
      'GITEA_CLIENT_SECRET',
    ])
    this.port = env.PORT ?? 3000
    this.baseUrl = env.BASE_URL ?? '/macchiato'
    this.remoteBaseUrl = env.REMOTE_BASE_URL
    this.giteaAppBaseUrl = (
      env.GITEA_APP_BASE_URL ?? 'http://gitea:3000'
    )
    this.giteaApiBaseUrl = (
      env.GITEA_API_BASE_URL ?? 'http://gitea:3000/api/v1'
    )
    this.giteaWebBaseUrl = env.GITEA_WEB_BASE_URL
    this.giteaClientId = env.GITEA_CLIENT_ID
    this.giteaClientSecret = env.GITEA_CLIENT_SECRET
  }
  async init() {
    if (this.port === undefined) {
      await this.configure()
    }
-    this.auth = new Auth()
+    this.auth = new Auth({
      baseUrl: this.baseUrl,
      remoteBaseUrl: this.remoteBaseUrl,
      giteaAppBaseUrl: this.giteaAppBaseUrl,
      giteaApiBaseUrl: this.giteaApiBaseUrl,
      giteaWebBaseUrl: this.giteaWebBaseUrl,
      giteaClientId: this.giteaClientId,
      giteaClientSecret: this.giteaClientSecret,
    })
    this.frontend = new Frontend({
      appBaseUrl: this.giteaAppBaseUrl,
      apiBaseUrl: this.giteaApiBaseUrl,
@ -97,8 +113,8 @@ export class Server {
  async serveRequest(event) {
    const {pathname} = new URL(event.request.url)
-    if (pathname === `${this.baseUrl}/api/auth`) {
+    if (pathname.startsWith(`${this.baseUrl}/api/auth`)) {
-      await this.auth.redirect(event)
+      await this.auth.serve(event)
    } else {
      await this.frontend.serve(event)
    }
Author	SHA1	Message	Date
bat	939fb83119	get tokens	3 years ago
bat	2ebe7a3c0d	handle callback URL, check state parameter	3 years ago
bat	49a43f0698	get redirect to OAuth login showing authorization screen	3 years ago
bat	fd5cbe0114	split into methods	3 years ago
bat	3027d04584	use web base url for redirect in browser	3 years ago
bat	c207fcc949	add state to cookie so it can be confirmed in callback	3 years ago
bat	9b770cf95c	redirect to correct endpoint	3 years ago
bat	e6e73d7d84	add params to redirect URL	3 years ago
bat	499fff799f	pass gitea environment variables into auth	3 years ago
bat	0ba083fc9e	add env vars for auth	3 years ago