mstoeck3/forensic-pathways
2
0
Fork 0
Code Issues 17 Pull Requests Projects Releases Activity

api unification

Browse Source
This commit is contained in:
overcuriousity
2025-07-24 20:13:11 +02:00
parent f76999ed2e
commit 209f173d7a
7 changed files with 408 additions and 617 deletions
Download Patch File Download Diff File Expand all files Collapse all files

243
src/utils/auth.ts
View File

@@ -1,13 +1,49 @@
// src/utils/auth.ts - SERVER-SIDE ONLY (remove client-side functions)
import { SignJWT, jwtVerify, type JWTPayload } from 'jose';
import { serialize, parse } from 'cookie';
import { config } from 'dotenv';
// src/utils/auth.js (FIXED - Cleaned up and enhanced debugging)
import type { AstroGlobal } from 'astro';
import jwt from 'jsonwebtoken';
import crypto from 'crypto';
import { config } from 'dotenv';
import { SignJWT, jwtVerify, type JWTPayload } from 'jose';
import { serialize, parse as parseCookie } from 'cookie';
// Load environment variables
config();
// JWT session constants
const SECRET_KEY = new TextEncoder().encode(
process.env.AUTH_SECRET ||
process.env.OIDC_CLIENT_SECRET ||
'cc24-hub-default-secret-key-change-in-production'
);
const SESSION_DURATION = 6 * 60 * 60; // 6 hours in seconds
// Types
export interface SessionData {
userId: string;
email: string;
authenticated: boolean;
exp: number;
}
export interface AuthContext {
authenticated: boolean;
session: SessionData | null;
userEmail: string;
userId: string;
}
export interface UserInfo {
sub?: string;
preferred_username?: string;
email?: string;
given_name?: string;
family_name?: string;
}
export interface AuthStateData {
state: string;
returnTo: string;
}
// Environment variables - use runtime access for server-side
function getEnv(key: string): string {
const value = process.env[key];
@@ -17,59 +53,25 @@ function getEnv(key: string): string {
return value;
}
const SECRET_KEY = new TextEncoder().encode(
process.env.AUTH_SECRET ||
process.env.OIDC_CLIENT_SECRET ||
'cc24-hub-default-secret-key-change-in-production'
);
const SESSION_DURATION = 6 * 60 * 60; // 6 hours in seconds
export interface SessionData {
userId: string;
email: string;
authenticated: boolean;
exp: number;
}
export interface UserInfo {
sub: string;
preferred_username?: string;
email?: string;
}
export interface AuthContext {
authenticated: boolean;
session: SessionData | null;
userEmail: string;
userId: string;
}
export interface AuthStateData {
state: string;
returnTo: string;
}
// Create a signed JWT session token with email
export async function createSession(userId: string, email: string): Promise<string> {
const exp = Math.floor(Date.now() / 1000) + SESSION_DURATION;
// Session management functions
export function getSessionFromRequest(request: Request): string | null {
const cookieHeader = request.headers.get('cookie');
console.log('[DEBUG] Cookie header:', cookieHeader ? 'present' : 'missing');
return await new SignJWT({
userId,
email,
authenticated: true,
exp
})
.setProtectedHeader({ alg: 'HS256' })
.setExpirationTime(exp)
.sign(SECRET_KEY);
if (!cookieHeader) return null;
const cookies = parseCookie(cookieHeader);
console.log('[DEBUG] Parsed cookies:', Object.keys(cookies));
console.log('[DEBUG] Session cookie found:', !!cookies.session);
return cookies.session || null;
}
// Verify and decode a session token
export async function verifySession(token: string): Promise<SessionData | null> {
export async function verifySession(sessionToken: string): Promise<SessionData | null> {
try {
const { payload } = await jwtVerify(token, SECRET_KEY);
console.log('[DEBUG] Verifying session token, length:', sessionToken.length);
const { payload } = await jwtVerify(sessionToken, SECRET_KEY);
console.log('[DEBUG] JWT verification successful, payload keys:', Object.keys(payload));
// Validate payload structure and cast properly
if (
@@ -78,6 +80,7 @@ export async function verifySession(token: string): Promise<SessionData | null>
typeof payload.authenticated === 'boolean' &&
typeof payload.exp === 'number'
) {
console.log('[DEBUG] Session validation successful for user:', payload.userId);
return {
userId: payload.userId,
email: payload.email,
@@ -86,49 +89,62 @@ export async function verifySession(token: string): Promise<SessionData | null>
};
}
console.log('[DEBUG] Session payload validation failed, payload:', payload);
return null;
} catch (error) {
console.log('Session verification failed:', error);
console.log('[DEBUG] Session verification failed:', error.message);
return null;
}
}
// Get session from request cookies
export function getSessionFromRequest(request: Request): string | null {
const cookieHeader = request.headers.get('cookie');
if (!cookieHeader) return null;
export async function createSession(userId: string, email: string): Promise<string> {
const exp = Math.floor(Date.now() / 1000) + SESSION_DURATION;
console.log('[DEBUG] Creating session for user:', userId, 'exp:', exp);
const cookies = parse(cookieHeader);
return cookies.session || null;
const token = await new SignJWT({
userId,
email,
authenticated: true,
exp
})
.setProtectedHeader({ alg: 'HS256' })
.setExpirationTime(exp)
.sign(SECRET_KEY);
console.log('[DEBUG] Session token created, length:', token.length);
return token;
}
// Create session cookie
export function createSessionCookie(token: string): string {
export function createSessionCookie(sessionToken: string): string {
const publicBaseUrl = getEnv('PUBLIC_BASE_URL');
const isProduction = process.env.NODE_ENV === 'production';
const isSecure = publicBaseUrl.startsWith('https://') || isProduction;
return serialize('session', token, {
const cookie = serialize('session', sessionToken, {
httpOnly: true,
secure: isSecure,
sameSite: 'lax',
maxAge: SESSION_DURATION,
path: '/'
});
console.log('[DEBUG] Created session cookie:', cookie.substring(0, 100) + '...');
return cookie;
}
// Clear session cookie
export function clearSessionCookie(): string {
const publicBaseUrl = getEnv('PUBLIC_BASE_URL');
const isSecure = publicBaseUrl.startsWith('https://');
return serialize('session', '', {
httpOnly: true,
secure: isSecure,
sameSite: 'lax',
maxAge: 0,
path: '/'
});
// Authentication utility functions
export function getUserEmail(userInfo: UserInfo): string {
return userInfo.email || userInfo.preferred_username || 'unknown@example.com';
}
export function logAuthEvent(event: string, details?: any): void {
const timestamp = new Date().toISOString();
console.log(`[AUTH ${timestamp}] ${event}`, details ? JSON.stringify(details) : '');
}
// Generate random state for CSRF protection
export function generateState(): string {
return crypto.randomUUID();
}
// Generate OIDC authorization URL
@@ -149,7 +165,7 @@ export function generateAuthUrl(state: string): string {
}
// Exchange authorization code for tokens
export async function exchangeCodeForTokens(code: string): Promise<any> {
export async function exchangeCodeForTokens(code: string): Promise<{ access_token: string }> {
const oidcEndpoint = getEnv('OIDC_ENDPOINT');
const clientId = getEnv('OIDC_CLIENT_ID');
const clientSecret = getEnv('OIDC_CLIENT_SECRET');
@@ -196,27 +212,7 @@ export async function getUserInfo(accessToken: string): Promise<UserInfo> {
return await response.json();
}
// Generate random state for CSRF protection
export function generateState(): string {
return crypto.randomUUID();
}
// Log authentication events for debugging
export function logAuthEvent(event: string, details?: any) {
const timestamp = new Date().toISOString();
console.log(`[AUTH ${timestamp}] ${event}`, details ? JSON.stringify(details) : '');
}
// Helper function to safely get email from user info
export function getUserEmail(userInfo: UserInfo): string {
return userInfo.email ||
`${userInfo.preferred_username || userInfo.sub || 'unknown'}@cc24.dev`;
}
/**
* CONSOLIDATED: Parse and validate auth state from cookies
* Replaces duplicated cookie parsing in callback.ts and process.ts
*/
// Parse and validate auth state from cookies
export function parseAuthState(request: Request): {
isValid: boolean;
stateData: AuthStateData | null;
@@ -224,7 +220,7 @@ export function parseAuthState(request: Request): {
} {
try {
const cookieHeader = request.headers.get('cookie');
const cookies = cookieHeader ? parse(cookieHeader) : {};
const cookies = cookieHeader ? parseCookie(cookieHeader) : {};
if (!cookies.auth_state) {
return { isValid: false, stateData: null, error: 'No auth state cookie' };
@@ -242,10 +238,7 @@ export function parseAuthState(request: Request): {
}
}
/**
* CONSOLIDATED: Verify state parameter against stored state
* Replaces duplicated verification logic in callback.ts and process.ts
*/
// Verify state parameter against stored state
export function verifyAuthState(request: Request, receivedState: string): {
isValid: boolean;
stateData: AuthStateData | null;
@@ -307,6 +300,8 @@ export async function createSessionWithCookie(userInfo: UserInfo): Promise<{
*/
export async function withAuth(Astro: AstroGlobal): Promise<AuthContext | Response> {
const authRequired = process.env.AUTHENTICATION_NECESSARY !== 'false';
console.log('[DEBUG PAGE] Auth required:', authRequired);
console.log('[DEBUG PAGE] Request URL:', Astro.url.toString());
// If auth not required, return mock context
if (!authRequired) {
@@ -320,7 +315,10 @@ export async function withAuth(Astro: AstroGlobal): Promise<AuthContext | Respon
// Check session
const sessionToken = getSessionFromRequest(Astro.request);
console.log('[DEBUG PAGE] Session token found:', !!sessionToken);
if (!sessionToken) {
console.log('[DEBUG PAGE] No session token, redirecting to login');
const loginUrl = `/api/auth/login?returnTo=${encodeURIComponent(Astro.url.toString())}`;
return new Response(null, {
status: 302,
@@ -329,7 +327,10 @@ export async function withAuth(Astro: AstroGlobal): Promise<AuthContext | Respon
}
const session = await verifySession(sessionToken);
console.log('[DEBUG PAGE] Session verification result:', !!session);
if (!session) {
console.log('[DEBUG PAGE] Session verification failed, redirecting to login');
const loginUrl = `/api/auth/login?returnTo=${encodeURIComponent(Astro.url.toString())}`;
return new Response(null, {
status: 302,
@@ -337,6 +338,7 @@ export async function withAuth(Astro: AstroGlobal): Promise<AuthContext | Respon
});
}
console.log('[DEBUG PAGE] Page authentication successful for user:', session.userId);
return {
authenticated: true,
session,
@@ -366,7 +368,10 @@ export async function withAPIAuth(request: Request): Promise<{
}
const sessionToken = getSessionFromRequest(request);
console.log('[DEBUG] Session token found:', !!sessionToken);
if (!sessionToken) {
console.log('[DEBUG] No session token found');
return {
authenticated: false,
userId: '',
@@ -375,7 +380,10 @@ export async function withAPIAuth(request: Request): Promise<{
}
const session = await verifySession(sessionToken);
console.log('[DEBUG] Session verification result:', !!session);
if (!session) {
console.log('[DEBUG] Session verification failed');
return {
authenticated: false,
userId: '',
@@ -383,38 +391,11 @@ export async function withAPIAuth(request: Request): Promise<{
};
}
console.log('[DEBUG] Authentication successful for user:', session.userId);
return {
authenticated: true,
userId: session.userId,
session,
authRequired: true
};
}
/**
* Helper to create consistent API auth error responses
*/
export function createAuthErrorResponse(message: string = 'Authentication required'): Response {
return new Response(JSON.stringify({ error: message }), {
status: 401,
headers: { 'Content-Type': 'application/json' }
});
}
/**
* CONSOLIDATED: Create consistent API responses
*/
export function createAPIResponse(data: any, status: number = 200): Response {
return new Response(JSON.stringify(data), {
status,
headers: { 'Content-Type': 'application/json' }
});
}
export function createBadRequestResponse(message: string = 'Bad request'): Response {
return createAPIResponse({ error: message }, 400);
}
export function createSuccessResponse(data: any = { success: true }): Response {
return createAPIResponse(data, 200);
}