forked from atinux/nuxt-auth-utils
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathworkos.ts
126 lines (113 loc) · 4.07 KB
/
workos.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
import type { H3Event } from 'h3'
import { eventHandler, getQuery, sendRedirect, getRequestIP, getRequestHeader } from 'h3'
import { withQuery } from 'ufo'
import { defu } from 'defu'
import { handleMissingConfiguration, handleAccessTokenErrorResponse, getOAuthRedirectURL, requestAccessToken } from '../utils'
import { useRuntimeConfig } from '#imports'
import type { OAuthConfig } from '#auth-utils'
/**
* WorkOS OAuth Configuration
* @see https://workos.com/docs/reference/user-management/authentication
*/
export interface OAuthWorkOSConfig {
/**
* WorkOS OAuth Client ID
* @default process.env.NUXT_OAUTH_WORKOS_CLIENT_ID
*/
clientId?: string
/**
* WorkOS OAuth Client Secret (API Key)
* @default process.env.NUXT_OAUTH_WORKOS_CLIENT_SECRET
*/
clientSecret?: string
/**
* WorkOS OAuth Connection ID (Not required for WorkOS)
* @default process.env.NUXT_OAUTH_WORKOS_CONNECTION_ID
*/
connectionId?: string
/**
* WorkOS OAuth screen hint
* @default 'sign-in'
*/
screenHint?: 'sign-in' | 'sign-up'
/**
* Redirect URL to to allow overriding for situations like prod failing to determine public hostname
* @default process.env.NUXT_OAUTH_WORKOS_REDIRECT_URL or current URL
*/
redirectURL?: string
}
export interface OAuthWorkOSUser {
object: 'user'
id: string
email: string
first_name: string | null
last_name: string | null
email_verified: boolean
profile_picture_url: string | null
created_at: string
updated_at: string
}
export type OAuthWorkOSAuthenticationMethod = 'SSO' | 'Password' | 'AppleOAuth' | 'GitHubOAuth' | 'GoogleOAuth' | 'MicrosoftOAuth' | 'MagicAuth' | 'Impersonation'
export interface OAuthWorkOSAuthenticateResponse {
user: OAuthWorkOSUser
organization_id: string | null
access_token: string
refresh_token: string
error: string | null
error_description: string | null
authentication_method: OAuthWorkOSAuthenticationMethod
}
export interface OAuthWorkOSTokens {
access_token: string
refresh_token: string
}
export function defineOAuthWorkOSEventHandler({ config, onSuccess, onError }: OAuthConfig<OAuthWorkOSConfig, OAuthWorkOSUser, OAuthWorkOSTokens>) {
return eventHandler(async (event: H3Event) => {
config = defu(config, useRuntimeConfig(event).oauth?.workos, { screen_hint: 'sign-in' }) as OAuthWorkOSConfig
if (!config.clientId || !config.clientSecret) {
return handleMissingConfiguration(event, 'workos', ['clientId', 'clientSecret'], onError)
}
const query = getQuery<{ code?: string, state?: string, error?: string, error_description?: string, returnURL?: string }>(event)
const redirectURL = config.redirectURL || getOAuthRedirectURL(event)
if (query.error) {
return handleAccessTokenErrorResponse(event, 'workos', query, onError)
}
if (!query.code) {
// Redirect to WorkOS Oauth page
return sendRedirect(
event,
withQuery('https://api.workos.com/user_management/authorize', {
response_type: 'code',
provider: 'authkit',
client_id: config.clientId,
redirect_uri: redirectURL,
connection_id: config.connectionId,
screen_hint: config.screenHint,
}),
)
}
const ip_address = getRequestIP(event)
const user_agent = getRequestHeader(event, 'user-agent')
const authenticateResponse: OAuthWorkOSAuthenticateResponse = await requestAccessToken('https://api.workos.com/user_management/authenticate', {
headers: {
'Content-Type': 'application/json',
},
body: {
grant_type: 'authorization_code',
client_id: config.clientId,
client_secret: config.clientSecret,
redirect_uri: redirectURL,
ip_address,
user_agent,
code: query.code,
},
})
if (authenticateResponse.error) {
return handleAccessTokenErrorResponse(event, 'workos', authenticateResponse, onError)
}
return onSuccess(event, {
tokens: { access_token: authenticateResponse.access_token, refresh_token: authenticateResponse.refresh_token },
user: authenticateResponse.user,
})
})
}