get tokens

handle callback URL, check state parameter
get redirect to OAuth login showing authorization screen
2 changed files with 190 additions and 8 deletions
--- a/auth.js
+++ b/auth.js
@ -1,7 +1,173 @@
+import * as cookie from 'https://deno.land/std@0.188.0/http/cookie.ts'
+
 export class Auth {
+  constructor({
+    baseUrl,
+    remoteBaseUrl,
+    giteaAppBaseUrl,
+    giteaApiBaseUrl,
+    giteaWebBaseUrl,
+    giteaClientId,
+    giteaClientSecret
+  }) {
+    this.baseUrl = baseUrl
+    this.remoteBaseUrl = remoteBaseUrl
+    this.giteaAppBaseUrl = giteaAppBaseUrl
+    this.giteaApiBaseUrl = giteaApiBaseUrl
+    this.giteaWebBaseUrl = giteaWebBaseUrl
+    this.giteaClientId = giteaClientId
+    this.giteaClientSecret = giteaClientSecret
+  }
+
+  redirectUrl(state) {
+    const url = new URL(
+      this.giteaWebBaseUrl + '/login/oauth/authorize'
+    )
+    const search = new URLSearchParams()
+    search.set('response_type', 'code')
+    search.set('client_id', this.giteaClientId)
+    search.set('redirect_uri', this.callbackUrl)
+    search.set('state', state)
+    url.search = search.toString()
+    return url.toString()
+  }
+
+  buildState() {
+    const timestamp = new Date().valueOf()
+    const randomInt = Math.floor(Math.random() * 10000)
+    // TODO: sign
+    return `${randomInt}-${timestamp}`
+  }
+
+  get callbackUrl() {
+    return this.remoteBaseUrl + '/api/auth/callback'
+  }
+
  async redirect(event) {
+    const state = this.buildState()
+    const url = this.redirectUrl(state)
+    const headers = new Headers({
+      Location: url
+    })
+    cookie.setCookie(headers, {
+      name: 'oauth.gitea.state',
+      value: state,
+    })
+    event.respondWith(new Response('', {
+      headers,
+      status: 302,
+    }))
+  }
+
+  get tokenEndpoint() {
+    return (
+      this.giteaAppBaseUrl +
+      '/login/oauth/access_token'
+    )
+  }
+
+  async getToken(code) {
+    const resp = await fetch(this.tokenEndpoint, {
+      method: 'POST',
+      headers: {
+        Accept: 'application/json',
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({
+        grant_type: 'authorization_code',
+        code,
+        client_id: this.giteaClientId,
+        client_secret: this.giteaClientSecret,
+        redirect_uri: this.callbackUrl,
+      }),
+    })
+    return await resp.json()
+  }
+
+  saveTokens(headers, data) {
+    cookie.setCookie(headers, {
+      name: 'oauth.gitea.accessToken',
+      value: data.access_token,
+    })
+    cookie.setCookie(headers, {
+      name: 'oauth.gitea.refreshToken',
+      value: data.refresh_token,
+    })
+    cookie.setCookie(headers, {
+      name: 'oauth.gitea.expires',
+      value: String(
+        Math.floor(new Date().valueOf() / 1000) +
+        data.expires_in
+      ),
+    })
+  }
+
+  async callback(event) {
+    const url = new URL(event.request.url)
+    const { state, code } = Object.fromEntries(
+      url.searchParams.entries()
+    )
+    const cookies = cookie.getCookies(
+      event.request.headers
+    )
+    const headers = new Headers({
+      Location: '/#/'
+    })
+    if (cookies['oauth.gitea.state'] !== state) {
+      event.respondWith(new Response('invalid state', {
+        status: 401,
+      }))
+      return
+    }
+    const data = await this.getToken(code)
+    cookie.deleteCookie(headers, 'oauth.gitea.state')
+    this.saveTokens(headers, data)
+    event.respondWith(new Response('', {
+      headers,
+      status: 302,
+    }))
+  }
+
+  async refreshToken(refresh_token) {
+    const resp = await fetch(this.tokenEndpoint, {
+      method: 'POST',
+      headers: {
+        Accept: 'application/json',
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({
+        refresh_token,
+        grant_type: 'refresh_token',
+      })
+    })
+    return await resp.json()
+  }
+
+  async refresh(event) {
+    const headers = new Headers()
+    const cookies = cookie.getCookies(
+      event.request.headers
+    )
+    const data = await this.refreshToken(body)
+    this.saveTokens(headers, data)
+    event.respondWith(
+      new Response(JSON.stringify({}), {headers})
+    )
+  }
+
+  async serve(event) {
+    const {pathname} = new URL(event.request.url)
+    const u = this.baseUrl
+    if (pathname === `${u}/api/auth`) {
+      await this.redirect(event)
+    } else if (pathname === `${u}/api/auth/callback`) {
+      await this.callback(event)
+    } else if (pathname === `${u}/api/auth/refresh`) {
+      await this.refresh(event)
+    } else {
      event.respondWith(new Response(
-      'extract query and redirect', {status: 200}
+        'Not Found', {status: 404}
      ))
    }
+  }
 }
--- a/server.js
+++ b/server.js
@ -1,5 +1,5 @@
-//import { Auth } from "./auth.js"
-//import { Frontend } from "./frontend.js"
+import { Auth } from "./auth.js"
+import { Frontend } from "./frontend.js"

 export class Server {
  async getEnv(variables) {
@ -23,24 +23,40 @@ export class Server {
    const env = await this.getEnv([
      'PORT',
      'BASE_URL',
+      'REMOTE_BASE_URL',
      'GITEA_APP_BASE_URL',
      'GITEA_API_BASE_URL',
+      'GITEA_WEB_BASE_URL',
+      'GITEA_CLIENT_ID',
+      'GITEA_CLIENT_SECRET',
    ])
    this.port = env.PORT ?? 3000
    this.baseUrl = env.BASE_URL ?? '/macchiato'
+    this.remoteBaseUrl = env.REMOTE_BASE_URL
    this.giteaAppBaseUrl = (
      env.GITEA_APP_BASE_URL ?? 'http://gitea:3000'
    )
    this.giteaApiBaseUrl = (
      env.GITEA_API_BASE_URL ?? 'http://gitea:3000/api/v1'
    )
+    this.giteaWebBaseUrl = env.GITEA_WEB_BASE_URL
+    this.giteaClientId = env.GITEA_CLIENT_ID
+    this.giteaClientSecret = env.GITEA_CLIENT_SECRET
  }

  async init() {
    if (this.port === undefined) {
      await this.configure()
    }
-    this.auth = new Auth()
+    this.auth = new Auth({
+      baseUrl: this.baseUrl,
+      remoteBaseUrl: this.remoteBaseUrl,
+      giteaAppBaseUrl: this.giteaAppBaseUrl,
+      giteaApiBaseUrl: this.giteaApiBaseUrl,
+      giteaWebBaseUrl: this.giteaWebBaseUrl,
+      giteaClientId: this.giteaClientId,
+      giteaClientSecret: this.giteaClientSecret,
+    })
    this.frontend = new Frontend({
      appBaseUrl: this.giteaAppBaseUrl,
      apiBaseUrl: this.giteaApiBaseUrl,
@ -97,8 +113,8 @@ export class Server {

  async serveRequest(event) {
    const {pathname} = new URL(event.request.url)
-    if (pathname === `${this.baseUrl}/api/auth`) {
-      await this.auth.redirect(event)
+    if (pathname.startsWith(`${this.baseUrl}/api/auth`)) {
+      await this.auth.serve(event)
    } else {
      await this.frontend.serve(event)
    }
Author	SHA1	Message	Date
bat	939fb83119	get tokens	3 years ago
bat	2ebe7a3c0d	handle callback URL, check state parameter	3 years ago
bat	49a43f0698	get redirect to OAuth login showing authorization screen	3 years ago
bat	fd5cbe0114	split into methods	3 years ago
bat	3027d04584	use web base url for redirect in browser	3 years ago
bat	c207fcc949	add state to cookie so it can be confirmed in callback	3 years ago
bat	9b770cf95c	redirect to correct endpoint	3 years ago
bat	e6e73d7d84	add params to redirect URL	3 years ago
bat	499fff799f	pass gitea environment variables into auth	3 years ago
bat	0ba083fc9e	add env vars for auth	3 years ago