feat(auth): setup OpenAuth (#94)

* feat(auth): try out setting up OpenAuth

Doesn’t work, needs to run from `/`

* refactor: add i18n types + small code changes

* fix: ui adjustments

* feat: better handling (#83)

* feat: add tryCatch helper function

* feat: add neverthrow + tryCatch helper

* feat: reorganise api routes for better endpoints protections

* feat: add caddy proxy to dev environment

everything can be served directly from `localhost`
API routes will be proxied to :1993 and web routes to :3000

incomplete attempt to get OpenAuth working from another root

* fix: malformed package.json

* chore: add `unstorage` patch for use with OpenAuth

* chore: add `openauth` patch

Waiting for PR [#236](sst/openauth#236) to be merged

* chore: remove unused login and signup routes

this is now managed by OpenAuth

* feat: add `APP_URL` config option + include api version in `API_BASE`

* chore: add logo to public dir

* fix: update unstorage adapter

* feat: get OpenAuth working properly

* feat: handle config errors gracefully

Now pretty printing errors for better usability and clarity for user

* chore: adjust tests to new config requirements

* ci: run on all branches

* fix(config): api base base computation

* feat: implement logout

* refactor: move `setTokens`

* feat: implement auth check on API

* chore: use unstorage fsDriver instead of memory

signing key changes on every server reload is highly irritating

* fix: correct config test

* chore: remove unused

* fix: type mismatch

* fix: locale types

Author: finxol

.github/workflows/pipeline.yml

@@ -3,7 +3,7 @@ name: Karr CI
 on:
     push:
         branches:
-            - main
+            - "**"
         tags-ignore:
             - "v*" # Ignore version tags
     pull_request:

.gitignore

@@ -40,6 +40,7 @@ yarn-error.log*
 logs
 *.log
 .pnpm-debug.log*
+**/tmp
 
 # Misc
 .DS_Store

apps/api/package.json

@@ -16,16 +16,19 @@
     },
     "dependencies": {
         "@hono/node-server": "catalog:",
+        "@karr/auth": "workspace:*",
         "@karr/config": "workspace:*",
         "@karr/db": "workspace:*",
         "@karr/util": "workspace:*",
+        "@openauthjs/openauth": "catalog:",
         "drizzle-kit": "catalog:",
         "drizzle-orm": "catalog:",
         "drizzle-zod": "catalog:",
         "hono": "catalog:",
         "neverthrow": "catalog:",
         "ofetch": "catalog:",
         "postgres": "catalog:",
+        "unstorage": "catalog:",
         "zod": "catalog:"
     },
     "devDependencies": {

apps/api/src/lib/auth.ts

@@ -1,11 +1,16 @@
 import crypto from "node:crypto"
-import { and, eq } from "drizzle-orm"
+import { eq } from "drizzle-orm"
+import { Context } from "hono"
+import { getCookie } from "hono/cookie"
 import { err, ok } from "neverthrow"
 
 import db from "@karr/db"
 import { accountsTable } from "@karr/db/schemas/accounts.js"
 import { tryCatch } from "@karr/util"
 import logger from "@karr/util/logger"
+import { client } from "@karr/auth/client"
+import { subjects } from "@karr/auth/subjects"
+import { setTokens } from "@/routes/auth/issuer"
 
 export async function authenticate(email: string, password: string) {
     const user = await tryCatch(
@@ -92,33 +97,32 @@ export async function register(email: string, password: string) {
     return ok(token)
 }
 
-export async function isAuthenticated(userId: string, token: string) {
-    const user = await tryCatch(
-        db
-            .select({
-                id: accountsTable.id,
-                email: accountsTable.email,
-                blocked: accountsTable.blocked,
-                verified: accountsTable.verified
-            })
-            .from(accountsTable)
-            .where(and(eq(accountsTable.token, token), eq(accountsTable.id, userId)))
-            .limit(1)
-    )
+/**
+ * Check if the user is authenticated
+ * @param ctx The request context
+ * @returns true if the user is authenticated
+ */
+export async function isAuthenticated(ctx: Context) {
+    const accessToken = getCookie(ctx, "access_token")
+    const refreshToken = getCookie(ctx, "refresh_token")
 
-    if (user.error) {
+    if (!accessToken) {
         return false
     }
 
-    if (!user || user.value.length === 0 || user.value[0] === undefined) {
-        return false
-    }
+    const verified = await client.verify(subjects, accessToken, {
+        refresh: refreshToken
+    })
 
-    if (user.value[0].id !== userId) {
+    if (verified.err) {
+        console.error("Error verifying token:", verified.err)
         return false
     }
+    if (verified.tokens) {
+        setTokens(ctx, verified.tokens)
+    }
 
-    return true
+    return verified.subject
 }
 
 export async function logout(token: string) {

apps/api/src/lib/helpers.ts

@@ -69,7 +69,7 @@ export async function handleRequest<T>(c: Context, fn: () => Promise<T>) {
 
     return c.json({
         timestamp: new Date().getTime(),
-        data: out
+        data: out.value
     })
 }
 

apps/api/src/lib/types.d.ts

@@ -5,6 +5,18 @@ import type { specialStatusTable } from "@/db/schemas/specialstatus"
 import type { userPrefsTable } from "@/db/schemas/userprefs"
 import type { usersTable } from "@/db/schemas/users"
 
+export type UserSubject = {
+    type: "user"
+    properties: {
+        userID: string
+    }
+}
+
+export type AppVariables = {
+    userSubject?: UserSubject
+    // Add other context variables here if needed
+}
+
 export interface DataResponse<T> {
     timestamp?: number
     data: T

apps/api/src/main.ts

@@ -1,5 +1,4 @@
 import { serve } from "@hono/node-server"
-import type { Hono } from "hono"
 
 import { API_PORT, LOG_LEVEL, logLevels, PRODUCTION } from "@karr/config"
 import { drizzleMigrate } from "@karr/db/migrate"
@@ -25,7 +24,7 @@ try {
     await drizzleMigrate()
 
     // Build the server
-    const app: Hono = build()
+    const app = build()
 
     // Start the server
     serve({

apps/api/src/routes/auth/issuer.ts

@@ -0,0 +1,144 @@
+import { issuer } from "@openauthjs/openauth"
+import { GithubProvider } from "@openauthjs/openauth/provider/github"
+import { PasswordProvider } from "@openauthjs/openauth/provider/password"
+import { PasswordUI } from "@openauthjs/openauth/ui/password"
+import { Select } from "@openauthjs/openauth/ui/select"
+import type { Theme } from "@openauthjs/openauth/ui/theme"
+import { Tokens } from "@openauthjs/openauth/client"
+import { setCookie } from "hono/cookie"
+import { Context } from "hono"
+import fsDriver from "unstorage/drivers/fs"
+
+import { callbackUrl, client } from "@karr/auth/client"
+import { subjects } from "@karr/auth/subjects"
+import { API_BASE } from "@karr/config"
+import { logger } from "@karr/util/logger"
+
+import { responseErrorObject } from "@/lib/helpers"
+import { UnStorage } from "./unstorage-adapter"
+
+async function getUser(provider: string, email: string) {
+    console.log(provider, email)
+    // Get user from database and return user ID
+    return "123"
+}
+
+const THEME_OPENAUTH: Theme = {
+    title: "Karr Auth",
+    logo: "/logo-tmp.jpg",
+    background: {
+        dark: "hsl(132 2% 10%)",
+        light: "hsl(140 20% 97%)"
+    },
+    primary: {
+        dark: "hsl(132 74% 32%)",
+        light: "hsl(132 64% 32%)"
+    },
+    font: {
+        family: "Varela Round, sans-serif"
+    },
+    css: ``
+}
+
+const app = issuer({
+    basePath: `${API_BASE}/auth`,
+    select: Select({
+        providers: {
+            github: {
+                display: "GitHub"
+            },
+            password: {
+                display: "a password"
+            }
+        }
+    }),
+    providers: {
+        github: GithubProvider({
+            clientSecret: "fc0f07b9daf343cd160226990cb55519c5cfb728",
+            clientID: "Ov23lic9kjugi9TMB1oj",
+            scopes: ["email"]
+        }),
+        password: PasswordProvider(
+            PasswordUI({
+                copy: {
+                    error_email_taken: "This email is already taken."
+                },
+                sendCode: async (email, code) => {
+                    console.log(email, code)
+                }
+            })
+        )
+    },
+    storage: UnStorage({
+        driver: fsDriver({ base: "./tmp" })
+    }),
+    subjects,
+    theme: THEME_OPENAUTH,
+    async allow(input, _req) {
+        console.log("Allow check:", {
+            audience: input.audience,
+            clientID: input.clientID,
+            redirectURI: input.redirectURI
+        })
+
+        return true // TODO: restrict. For testing, allow all
+    },
+    async success(ctx, value) {
+        logger.info("Success", value)
+        if (value.provider === "github") {
+            console.log(value.tokenset.access)
+            return ctx.subject("user", {
+                userID: "test"
+            })
+        } else if (value.provider === "password") {
+            const userID = await getUser(value.provider, value.email)
+            return ctx.subject("user", {
+                userID
+            })
+        }
+
+        throw new Error("Invalid provider")
+    }
+})
+
+app.get("/callback", async (ctx) => {
+    const url = new URL(ctx.req.url)
+    const code = ctx.req.query("code")
+    const error = ctx.req.query("error")
+    const next = ctx.req.query("next") ?? `${url.origin}/`
+
+    if (error)
+        return responseErrorObject(ctx, {
+            message: error,
+            cause: ctx.req.query("error_description")
+        })
+
+    if (!code) return responseErrorObject(ctx, { message: "No code provided" }, 400)
+
+    const exchanged = await client.exchange(code, callbackUrl)
+
+    if (exchanged.err) return ctx.json(exchanged.err, 400)
+
+    logger.debug("Exchanged tokens", exchanged.tokens)
+
+    setTokens(ctx, exchanged.tokens)
+
+    return ctx.redirect(next)
+})
+
+export function setTokens(ctx: Context, tokens: Tokens) {
+    setCookie(ctx, "access_token", tokens.access, {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        maxAge: tokens.expiresIn
+    })
+    setCookie(ctx, "refresh_token", tokens.refresh, {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        maxAge: 60 * 60 * 24 * 400 // 400 days
+    })
+}
+
+export default app

apps/api/src/routes/auth/unstorage-adapter.ts

@@ -0,0 +1,101 @@
+/**
+ * Configure OpenAuth to use unstorage as a store.
+ *
+ * This enables you to use any unstorage driver as a store.
+ * Please refer to [unstorage docs](https://unstorage.unjs.io/drivers) for details on possible drivers.
+ *
+ * By default, it uses the memory driver.
+ *
+ * :::caution
+ * The default memory driver is not meant to be used in production.
+ * :::
+ *
+ * ```ts
+ * import { UnStorage } from "@openauthjs/openauth/storage/unstorage"
+ *
+ * const storage = UnStorage()
+ *
+ * export default issuer({
+ *   storage,
+ *   // ...
+ * })
+ * ```
+ *
+ * Optionally, you can specify a driver.
+ *
+ * ```ts
+ * import fsDriver from "unstorage/drivers/fs";
+ *
+ * UnStorage({
+ *   driver: fsDriver({ base: "./tmp" }),
+ * })
+ * ```
+ *
+ * @packageDocumentation
+ */
+import { joinKey, splitKey, StorageAdapter } from "@openauthjs/openauth/storage/storage"
+import { createStorage, type Driver as UnstorageDriver } from "unstorage"
+
+//eslint-disable-next-line @typescript-eslint/no-explicit-any
+type Entry = { value: Record<string, any> | undefined; expiry?: number }
+
+export function UnStorage({ driver }: { driver?: UnstorageDriver } = {}): StorageAdapter {
+    const store = createStorage<Entry>({
+        driver: driver
+    })
+
+    return {
+        async get(key: string[]) {
+            const k = joinKey(key)
+            const entry = await store.getItem(k)
+
+            if (!entry) {
+                return undefined
+            }
+
+            if (entry.expiry && Date.now() >= entry.expiry) {
+                await store.removeItem(k)
+                return undefined
+            }
+
+            return entry.value
+        },
+
+        //eslint-disable-next-line @typescript-eslint/no-explicit-any
+        async set(key: string[], value: any, expiry?: Date) {
+            const k = joinKey(key)
+
+            await store.setItem(k, {
+                value,
+                expiry: expiry ? expiry.getTime() : undefined
+            } satisfies Entry)
+        },
+
+        async remove(key: string[]) {
+            const k = joinKey(key)
+            await store.removeItem(k)
+        },
+
+        async *scan(prefix: string[]) {
+            const now = Date.now()
+            const prefixStr = joinKey(prefix)
+
+            // Get all keys matching our prefix
+            const keys = await store.getKeys(prefixStr)
+
+            for (const key of keys) {
+                // Get the entry for this key
+                const entry = await store.getItem(key)
+
+                if (!entry) continue
+                if (entry.expiry && now >= entry.expiry) {
+                    // Clean up expired entries as we go
+                    await store.removeItem(key)
+                    continue
+                }
+
+                yield [splitKey(key), entry.value]
+            }
+        }
+    }
+}