mstoeck3/forensic-pathways
2
0
Fork 0
Code Issues 3 Pull Requests Projects Releases Activity
forensic-pathways/src/utils/auth.ts
overcuriousity 209f173d7a api unification
2025-07-24 20:13:11 +02:00

401 lines
12 KiB
TypeScript
Raw Blame History

// src/utils/auth.js (FIXED - Cleaned up and enhanced debugging)
import type { AstroGlobal } from 'astro';
import crypto from 'crypto';
import { config } from 'dotenv';
import { SignJWT, jwtVerify, type JWTPayload } from 'jose';
import { serialize, parse as parseCookie } from 'cookie';
// Load environment variables
config();
// JWT session constants
const SECRET_KEY = new TextEncoder().encode(
process.env.AUTH_SECRET ||
process.env.OIDC_CLIENT_SECRET ||
'cc24-hub-default-secret-key-change-in-production'
);
const SESSION_DURATION = 6 * 60 * 60; // 6 hours in seconds
// Types
export interface SessionData {
userId: string;
email: string;
authenticated: boolean;
exp: number;
}
export interface AuthContext {
authenticated: boolean;
session: SessionData | null;
userEmail: string;
userId: string;
}
export interface UserInfo {
sub?: string;
preferred_username?: string;
email?: string;
given_name?: string;
family_name?: string;
}
export interface AuthStateData {
state: string;
returnTo: string;
}
// Environment variables - use runtime access for server-side
function getEnv(key: string): string {
const value = process.env[key];
if (!value) {
throw new Error(`Missing environment variable: ${key}`);
}
return value;
}
// Session management functions
export function getSessionFromRequest(request: Request): string | null {
const cookieHeader = request.headers.get('cookie');
console.log('[DEBUG] Cookie header:', cookieHeader ? 'present' : 'missing');
if (!cookieHeader) return null;
const cookies = parseCookie(cookieHeader);
console.log('[DEBUG] Parsed cookies:', Object.keys(cookies));
console.log('[DEBUG] Session cookie found:', !!cookies.session);
return cookies.session || null;
}
export async function verifySession(sessionToken: string): Promise<SessionData | null> {
try {
console.log('[DEBUG] Verifying session token, length:', sessionToken.length);
const { payload } = await jwtVerify(sessionToken, SECRET_KEY);
console.log('[DEBUG] JWT verification successful, payload keys:', Object.keys(payload));
// Validate payload structure and cast properly
if (
typeof payload.userId === 'string' &&
typeof payload.email === 'string' &&
typeof payload.authenticated === 'boolean' &&
typeof payload.exp === 'number'
) {
console.log('[DEBUG] Session validation successful for user:', payload.userId);
return {
userId: payload.userId,
email: payload.email,
authenticated: payload.authenticated,
exp: payload.exp
};
}
console.log('[DEBUG] Session payload validation failed, payload:', payload);
return null;
} catch (error) {
console.log('[DEBUG] Session verification failed:', error.message);
return null;
}
}
export async function createSession(userId: string, email: string): Promise<string> {
const exp = Math.floor(Date.now() / 1000) + SESSION_DURATION;
console.log('[DEBUG] Creating session for user:', userId, 'exp:', exp);
const token = await new SignJWT({
userId,
email,
authenticated: true,
exp
})
.setProtectedHeader({ alg: 'HS256' })
.setExpirationTime(exp)
.sign(SECRET_KEY);
console.log('[DEBUG] Session token created, length:', token.length);
return token;
}
export function createSessionCookie(sessionToken: string): string {
const publicBaseUrl = getEnv('PUBLIC_BASE_URL');
const isProduction = process.env.NODE_ENV === 'production';
const isSecure = publicBaseUrl.startsWith('https://') || isProduction;
const cookie = serialize('session', sessionToken, {
httpOnly: true,
secure: isSecure,
sameSite: 'lax',
maxAge: SESSION_DURATION,
path: '/'
});
console.log('[DEBUG] Created session cookie:', cookie.substring(0, 100) + '...');
return cookie;
}
// Authentication utility functions
export function getUserEmail(userInfo: UserInfo): string {
return userInfo.email || userInfo.preferred_username || 'unknown@example.com';
}
export function logAuthEvent(event: string, details?: any): void {
const timestamp = new Date().toISOString();
console.log(`[AUTH ${timestamp}] ${event}`, details ? JSON.stringify(details) : '');
}
// Generate random state for CSRF protection
export function generateState(): string {
return crypto.randomUUID();
}
// Generate OIDC authorization URL
export function generateAuthUrl(state: string): string {
const oidcEndpoint = getEnv('OIDC_ENDPOINT');
const clientId = getEnv('OIDC_CLIENT_ID');
const publicBaseUrl = getEnv('PUBLIC_BASE_URL');
const params = new URLSearchParams({
response_type: 'code',
client_id: clientId,
redirect_uri: `${publicBaseUrl}/auth/callback`,
scope: 'openid profile email',
state: state
});
return `${oidcEndpoint}/apps/oidc/authorize?${params.toString()}`;
}
// Exchange authorization code for tokens
export async function exchangeCodeForTokens(code: string): Promise<{ access_token: string }> {
const oidcEndpoint = getEnv('OIDC_ENDPOINT');
const clientId = getEnv('OIDC_CLIENT_ID');
const clientSecret = getEnv('OIDC_CLIENT_SECRET');
const publicBaseUrl = getEnv('PUBLIC_BASE_URL');
const response = await fetch(`${oidcEndpoint}/apps/oidc/token`, {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
'Authorization': `Basic ${Buffer.from(`${clientId}:${clientSecret}`).toString('base64')}`
},
body: new URLSearchParams({
grant_type: 'authorization_code',
code: code,
redirect_uri: `${publicBaseUrl}/auth/callback`
})
});
if (!response.ok) {
const error = await response.text();
console.error('Token exchange failed:', error);
throw new Error('Failed to exchange authorization code');
}
return await response.json();
}
// Get user info from OIDC provider
export async function getUserInfo(accessToken: string): Promise<UserInfo> {
const oidcEndpoint = getEnv('OIDC_ENDPOINT');
const response = await fetch(`${oidcEndpoint}/apps/oidc/userinfo`, {
headers: {
'Authorization': `Bearer ${accessToken}`
}
});
if (!response.ok) {
const error = await response.text();
console.error('Userinfo request failed:', error);
throw new Error('Failed to get user info');
}
return await response.json();
}
// Parse and validate auth state from cookies
export function parseAuthState(request: Request): {
isValid: boolean;
stateData: AuthStateData | null;
error?: string
} {
try {
const cookieHeader = request.headers.get('cookie');
const cookies = cookieHeader ? parseCookie(cookieHeader) : {};
if (!cookies.auth_state) {
return { isValid: false, stateData: null, error: 'No auth state cookie' };
}
const stateData = JSON.parse(decodeURIComponent(cookies.auth_state));
if (!stateData.state || !stateData.returnTo) {
return { isValid: false, stateData: null, error: 'Invalid state data structure' };
}
return { isValid: true, stateData };
} catch (error) {
return { isValid: false, stateData: null, error: 'Failed to parse auth state' };
}
}
// Verify state parameter against stored state
export function verifyAuthState(request: Request, receivedState: string): {
isValid: boolean;
stateData: AuthStateData | null;
error?: string;
} {
const { isValid, stateData, error } = parseAuthState(request);
if (!isValid || !stateData) {
logAuthEvent('State parsing failed', { error });
return { isValid: false, stateData: null, error };
}
if (stateData.state !== receivedState) {
logAuthEvent('State mismatch', {
received: receivedState,
stored: stateData.state
});
return {
isValid: false,
stateData: null,
error: 'State parameter mismatch'
};
}
return { isValid: true, stateData };
}
/**
* CONSOLIDATED: Create session with cookie headers
* Replaces duplicated session creation in callback.ts and process.ts
*/
export async function createSessionWithCookie(userInfo: UserInfo): Promise<{
sessionToken: string;
sessionCookie: string;
clearStateCookie: string;
userId: string;
userEmail: string;
}> {
const userId = userInfo.sub || userInfo.preferred_username || 'unknown';
const userEmail = getUserEmail(userInfo);
const sessionToken = await createSession(userId, userEmail);
const sessionCookie = createSessionCookie(sessionToken);
const clearStateCookie = 'auth_state=; HttpOnly; SameSite=Lax; Path=/; Max-Age=0';
return {
sessionToken,
sessionCookie,
clearStateCookie,
userId,
userEmail
};
}
/**
* CONSOLIDATED: Replace repeated auth patterns in .astro pages
* Usage: const authResult = await withAuth(Astro);
* if (authResult instanceof Response) return authResult;
*/
export async function withAuth(Astro: AstroGlobal): Promise<AuthContext | Response> {
const authRequired = process.env.AUTHENTICATION_NECESSARY !== 'false';
console.log('[DEBUG PAGE] Auth required:', authRequired);
console.log('[DEBUG PAGE] Request URL:', Astro.url.toString());
// If auth not required, return mock context
if (!authRequired) {
return {
authenticated: true,
session: null,
userEmail: 'anonymous@example.com',
userId: 'anonymous'
};
}
// Check session
const sessionToken = getSessionFromRequest(Astro.request);
console.log('[DEBUG PAGE] Session token found:', !!sessionToken);
if (!sessionToken) {
console.log('[DEBUG PAGE] No session token, redirecting to login');
const loginUrl = `/api/auth/login?returnTo=${encodeURIComponent(Astro.url.toString())}`;
return new Response(null, {
status: 302,
headers: { 'Location': loginUrl }
});
}
const session = await verifySession(sessionToken);
console.log('[DEBUG PAGE] Session verification result:', !!session);
if (!session) {
console.log('[DEBUG PAGE] Session verification failed, redirecting to login');
const loginUrl = `/api/auth/login?returnTo=${encodeURIComponent(Astro.url.toString())}`;
return new Response(null, {
status: 302,
headers: { 'Location': loginUrl }
});
}
console.log('[DEBUG PAGE] Page authentication successful for user:', session.userId);
return {
authenticated: true,
session,
userEmail: session.email,
userId: session.userId
};
}
/**
* CONSOLIDATED: Replace repeated auth patterns in API endpoints
* Enhanced version with better return structure
*/
export async function withAPIAuth(request: Request): Promise<{
authenticated: boolean;
userId: string;
session?: SessionData;
authRequired: boolean;
}> {
const authRequired = process.env.AUTHENTICATION_NECESSARY !== 'false';
if (!authRequired) {
return {
authenticated: true,
userId: 'anonymous',
authRequired: false
};
}
const sessionToken = getSessionFromRequest(request);
console.log('[DEBUG] Session token found:', !!sessionToken);
if (!sessionToken) {
console.log('[DEBUG] No session token found');
return {
authenticated: false,
userId: '',
authRequired: true
};
}
const session = await verifySession(sessionToken);
console.log('[DEBUG] Session verification result:', !!session);
if (!session) {
console.log('[DEBUG] Session verification failed');
return {
authenticated: false,
userId: '',
authRequired: true
};
}
console.log('[DEBUG] Authentication successful for user:', session.userId);
return {
authenticated: true,
userId: session.userId,
session,
authRequired: true
};
}
Reference in New Issue View Git Blame Copy Permalink