feat: add Salesforce, Slack and Heroku OAuth providers (#382)

Co-authored-by: Alessandro <[email protected]>
Co-authored-by: Sébastien Chopin <[email protected]>

Author: 3 people

README.md

@@ -16,7 +16,7 @@ Add Authentication to Nuxt applications with secured & sealed cookies sessions.
 ## Features
 
 - [Hybrid Rendering](#hybrid-rendering) support (SSR / CSR / SWR / Prerendering)
-- [30+ OAuth Providers](#supported-oauth-providers)
+- [40+ OAuth Providers](#supported-oauth-providers)
 - [Password Hashing](#password-hashing)
 - [WebAuthn (passkey)](#webauthn-passkey)
 - [`useUserSession()` Vue composable](#vue-composable)
@@ -226,6 +226,7 @@ It can also be set using environment variables:
 - GitLab
 - Gitea
 - Google
+- Heroku
 - Hubspot
 - Instagram
 - Kick
@@ -237,7 +238,9 @@ It can also be set using environment variables:
 - Microsoft
 - PayPal
 - Polar
+- Salesforce
 - Seznam
+- Slack
 - Spotify
 - Steam
 - Strava

playground/.env.example

@@ -125,3 +125,15 @@ NUXT_OAUTH_KICK_REDIRECT_URL=
 #LiveChat
 NUXT_OAUTH_LIVECHAT_CLIENT_ID=
 NUXT_OAUTH_LIVECHAT_CLIENT_SECRET=
+#Salesforce
+NUXT_OAUTH_SALESFORCE_CLIENT_ID=
+NUXT_OAUTH_SALESFORCE_CLIENT_SECRET=
+NUXT_OAUTH_SALESFORCE_REDIRECT_URL=
+#Slack
+NUXT_OAUTH_SLACK_CLIENT_ID=
+NUXT_OAUTH_SLACK_CLIENT_SECRET=
+NUXT_OAUTH_SLACK_REDIRECT_URL=
+#Heroku
+NUXT_OAUTH_HEROKU_CLIENT_ID=
+NUXT_OAUTH_HEROKU_CLIENT_SECRET=
+NUXT_OAUTH_HEROKU_REDIRECT_URL=

playground/app.vue

@@ -230,6 +230,24 @@ const providers = computed(() =>
       disabled: Boolean(user.value?.kick),
       icon: 'i-simple-icons-kick',
     },
+    {
+      label: user.value?.salesforce || 'Salesforce',
+      to: `/auth/salesforce`,
+      disabled: Boolean(user.value?.salesforce),
+      icon: 'i-simple-icons-salesforce',
+    },
+    {
+      label: user.value?.slack || 'Slack',
+      to: '/auth/slack',
+      disabled: Boolean(user.value?.slack),
+      icon: 'i-simple-icons-slack',
+    },
+    {
+      label: user.value?.heroku || 'Heroku',
+      to: '/auth/heroku',
+      disabled: Boolean(user.value?.heroku),
+      icon: 'i-simple-icons-heroku',
+    },
   ].map(p => ({
     ...p,
     prefetch: false,

playground/auth.d.ts

@@ -40,6 +40,9 @@ declare module '#auth-utils' {
     apple?: string
     azureb2c?: string
     kick?: string
+    salesforce?: string
+    slack?: string
+    heroku?: string
   }
 
   interface UserSession {

playground/server/routes/auth/heroku.ts

@@ -0,0 +1,13 @@
+export default defineOAuthHerokuEventHandler({
+  config: {},
+  async onSuccess(event, { user }) {
+    await setUserSession(event, {
+      user: {
+        heroku: user?.name,
+      },
+      loggedInAt: Date.now(),
+    })
+
+    return sendRedirect(event, '/')
+  },
+})

playground/server/routes/auth/salesforce.ts

@@ -0,0 +1,13 @@
+export default defineOAuthSalesforceEventHandler({
+  config: {},
+  async onSuccess(event, { user }) {
+    await setUserSession(event, {
+      user: {
+        salesforce: user?.name,
+      },
+      loggedInAt: Date.now(),
+    })
+
+    return sendRedirect(event, '/')
+  },
+})

playground/server/routes/auth/slack.ts

@@ -0,0 +1,13 @@
+export default defineOAuthSlackEventHandler({
+  config: {},
+  async onSuccess(event, { user }) {
+    await setUserSession(event, {
+      user: {
+        slack: user?.name,
+      },
+      loggedInAt: Date.now(),
+    })
+
+    return sendRedirect(event, '/')
+  },
+})

src/module.ts

@@ -446,5 +446,27 @@ export default defineNuxtModule<ModuleOptions>({
       clientId: '',
       clientSecret: '',
     })
+    // Salesforce OAuth
+    runtimeConfig.oauth.salesforce = defu(runtimeConfig.oauth.salesforce, {
+      clientId: '',
+      clientSecret: '',
+      redirectURL: '',
+      baseURL: '',
+      scope: '',
+    })
+    // Slack OAuth
+    runtimeConfig.oauth.slack = defu(runtimeConfig.oauth.slack, {
+      clientId: '',
+      clientSecret: '',
+      redirectURL: '',
+      scope: '',
+    })
+    // Heroku OAuth
+    runtimeConfig.oauth.heroku = defu(runtimeConfig.oauth.heroku, {
+      clientId: '',
+      clientSecret: '',
+      redirectURL: '',
+      scope: '',
+    })
   },
 })

src/runtime/server/lib/oauth/heroku.ts

@@ -0,0 +1,128 @@
+import type { H3Event } from 'h3'
+import { eventHandler, getQuery, sendRedirect } from 'h3'
+import { withQuery } from 'ufo'
+import { defu } from 'defu'
+import { handleMissingConfiguration, handleAccessTokenErrorResponse, getOAuthRedirectURL, requestAccessToken, handleState, handleInvalidState } from '../utils'
+import { useRuntimeConfig, createError } from '#imports'
+import type { OAuthConfig } from '#auth-utils'
+
+export interface OAuthHerokuConfig {
+  /**
+   * Heroku OAuth Client ID
+   * @default process.env.NUXT_OAUTH_HEROKU_CLIENT_ID
+   */
+  clientId?: string
+  /**
+   * Heroku OAuth Client Secret
+   * @default process.env.NUXT_OAUTH_HEROKU_CLIENT_SECRET
+   */
+  clientSecret?: string
+  /**
+   * Heroku OAuth Scope
+   * @default ['identity']
+   * @see https://devcenter.heroku.com/articles/oauth#scopes
+   * @example ['identity']
+   */
+  scope?: string[]
+  /**
+   * Heroku OAuth Authorization URL
+   * @default 'https://id.heroku.com/oauth/authorize'
+   */
+  authorizationURL?: string
+  /**
+   * Heroku OAuth Authorization URL
+   * @default 'https://id.heroku.com/oauth/token'
+   */
+  tokenURL?: string
+  /**
+   * Extra authorization parameters to provide to the authorization URL
+   * @default {}
+   */
+  authorizationParams?: Record<string, string>
+  /**
+   * Redirect URL to allow overriding for situations like prod failing to determine public hostname
+   * @default process.env.NUXT_OAUTH_HEROKU_REDIRECT_URL or current URL
+   */
+  redirectURL?: string
+}
+
+export function defineOAuthHerokuEventHandler({
+  config,
+  onSuccess,
+  onError,
+}: OAuthConfig<OAuthHerokuConfig>) {
+  return eventHandler(async (event: H3Event) => {
+    const runtimeConfig = useRuntimeConfig(event).oauth?.heroku
+    const baseURL = 'https://id.heroku.com'
+    config = defu(config, runtimeConfig, {
+      authorizationURL: `${baseURL}/oauth/authorize`,
+      tokenURL: `${baseURL}/oauth/token`,
+      authorizationParams: {},
+    }) as OAuthHerokuConfig
+
+    const query = getQuery<{ code?: string, state?: string, error?: string }>(event)
+
+    if (query.error) {
+      const error = createError({
+        statusCode: 401,
+        message: `Heroku login failed: ${query.error || 'Unknown error'}`,
+        data: query,
+      })
+      if (!onError) throw error
+      return onError(event, error)
+    }
+
+    if (!config.clientId || !config.clientSecret) {
+      return handleMissingConfiguration(event, 'heroku', ['clientId', 'clientSecret'], onError)
+    }
+
+    const redirectURL = config.redirectURL || getOAuthRedirectURL(event)
+    const state = await handleState(event)
+
+    if (!query.code) {
+      config.scope = config.scope || ['identity']
+      return sendRedirect(
+        event,
+        withQuery(config.authorizationURL as string, {
+          response_type: 'code',
+          client_id: config.clientId,
+          redirect_uri: redirectURL,
+          scope: config.scope.join(' '),
+          state,
+          ...config.authorizationParams,
+        }),
+      )
+    }
+
+    if (query.state !== state) {
+      handleInvalidState(event, 'heroku', onError)
+    }
+
+    const tokens = await requestAccessToken(config.tokenURL as string, {
+      body: {
+        grant_type: 'authorization_code',
+        client_id: config.clientId,
+        client_secret: config.clientSecret,
+        redirect_uri: redirectURL,
+        code: query.code,
+      },
+    })
+
+    if (tokens.error) {
+      return handleAccessTokenErrorResponse(event, 'heroku', tokens, onError)
+    }
+
+    const accessToken = tokens.access_token
+    const user = await $fetch(`https://api.heroku.com/account`, {
+      headers: {
+        Accept: 'application/vnd.heroku+json; version=3',
+        Authorization: `Bearer ${accessToken}`,
+      },
+    })
+
+    return onSuccess(event, {
+      user,
+      tokens,
+    })
+  })
+}