feat: handle GitHub OAuth directly, thru JWTs

site/.env.example

@@ -6,3 +6,7 @@ DATABASE_URL=
 GITHUB_CLIENT_ID=
 GITHUB_CLIENT_SECRET=
 MAPBOX_ACCESS_TOKEN=
+
+JWT_EXP=30d
+JWT_ALG=HS512
+JWT_KEY=

site/package.json

@@ -15,10 +15,13 @@
     "testsrc": "mocha -r esm test/**"
   },
   "dependencies": {
+    "@polka/parse": "^1.0.0-next.1",
     "@polka/send": "^1.0.0-next.2",
     "devalue": "^1.1.0",
     "do-not-zip": "^1.0.0",
     "golden-fleece": "^1.0.9",
+    "httpie": "^1.1.1",
+    "jsonwebtoken": "^8.5.1",
     "limax": "^1.7.0",
     "marked": "^0.6.1",
     "pg": "^7.10.0",

site/src/backend/auth.js

@@ -0,0 +1,149 @@
+import polka from 'polka';
+import devalue from 'devalue';
+import send from '@polka/send';
+import { get, post } from 'httpie';
+import { json } from '@polka/parse';
+import { parse, stringify } from 'querystring';
+import { decode, sign, verify } from './token';
+import { find, query } from '../utils/db';
+
+const {
+	BASEURL,
+	GITHUB_CLIENT_ID,
+	GITHUB_CLIENT_SECRET,
+} = process.env;
+
+const OAuth = 'https://github.com/login/oauth';
+
+function exit(res, code, msg='') {
+	send(res, code, msg.charAt(0).toUpperCase() + msg.substring(1));
+}
+
+function onError(err, req, res) {
+	const code = err.code || err.status || 500;
+	res.headersSent || send(res, code, err.message || err);
+}
+
+/**
+ * Middleware to determine User validity
+ */
+export async function isUser(req, res) {
+	const abort = exit.bind(null, res, 401);
+
+	const auth = req.headers.authorization;
+	if (!auth) return abort('Missing Authorization header');
+
+	const [scheme, token] = auth.split(' ');
+	if (scheme !== 'Bearer' || !token) return abort('Invalid Authorization format');
+
+	let data;
+	const decoded = decode(token, { complete:true });
+	if (!decoded || !decoded.header) return abort('Invalid token');
+
+	try {
+		data = await verify(token);
+	} catch (err) {
+		return abort(err.message);
+	}
+
+	const { uid, username } = data;
+	if (!uid || !username) return abort('Invalid token payload');
+
+	try {
+		const row = await find(`select * from users where uid = $1 and username = $2 limit 1`, [uid, username]);
+		return row || abort('Invalid token');
+	} catch (err) {
+		console.error('Auth.isUser', err);
+		return send(res, 500, 'Unknown error occurred');
+	}
+}
+
+export function toUser(obj={}) {
+	const { uid, username, name:displayName, avatar } = obj;
+	const token = sign({ uid, username });
+	return { uid, username, displayName, avatar, token };
+}
+
+export function API() {
+	const app = polka({ onError }).use(json());
+
+	if (GITHUB_CLIENT_ID) {
+		app.get('/auth/login', (req, res) => {
+			try {
+				console.log('inside');
+
+				const Location = `${OAuth}/authorize?` + stringify({
+					scope: 'read:user',
+					client_id: GITHUB_CLIENT_ID,
+					redirect_uri: `${BASEURL}/auth/callback`,
+				});
+
+				send(res, 302, Location, { Location });
+			} catch (err) {
+				//
+			}
+		});
+
+		app.get('/auth/callback', async (req, res) => {
+			try {
+				// Trade "code" for "access_token"
+				const r1 = await post(`${OAuth}/access_token?` + stringify({
+					code: req.query.code,
+					client_id: GITHUB_CLIENT_ID,
+					client_secret: GITHUB_CLIENT_SECRET,
+				}));
+
+				// Now fetch User details
+				const { access_token } = parse(r1.data);
+				const r2 = await get('https://api.github.com/user', {
+					headers: {
+						'User-Agent': 'svelte.dev',
+						Authorization: `token ${access_token}`
+					}
+				});
+
+				const { id, name, avatar_url, login } = r2.data;
+
+				// Upsert `users` table
+				const [user] = await query(`
+					insert into users(uid, name, username, avatar, token)
+					values ($1, $2, $3, $4, $5) on conflict (uid) do update
+					set (name, username, avatar, token) = ($2, $3, $4, $5)
+					returning *
+				`, [id, name, login, avatar_url, access_token]);
+
+				send(res, 200, `
+					<script>
+						window.opener.postMessage({
+							user: ${devalue(toUser(user))}
+						}, window.location.origin);
+					</script>
+				`, {
+					'Content-Type': 'text/html; charset=utf-8'
+				});
+			} catch (err) {
+				console.error('OAuth Callback', err);
+				send(res, 500, err.data, {
+					'Content-Type': err.headers['content-type'],
+					'Content-Length': err.headers['content-length']
+				});
+			}
+		});
+	} else {
+		// Print "Misconfigured" error
+		app.get('/auth/login', (req, res) => {
+			send(res, 500, `
+				<body style="font-family: sans-serif; background: rgb(255,215,215); border: 2px solid red; margin: 0; padding: 1em;">
+					<h1>Missing .env file</h1>
+					<p>In order to use GitHub authentication, you will need to <a target="_blank" href="https://github.com/settings/developers">register an OAuth application</a> with <code>gist</code> and <code>read:user</code> scopes, and create a .env file:</p>
+					<pre>GITHUB_CLIENT_ID=[YOUR_APP_ID]\nGITHUB_CLIENT_SECRET=[YOUR_APP_SECRET]\nBASEURL=http://localhost:3000</pre>
+					<p>The <code>BASEURL</code> variable should match the callback URL specified for your app.</p>
+				</body>
+			`, {
+				'Content-Type': 'text/html; charset=utf-8'
+			});
+		});
+	}
+
+	return app;
+}

site/src/backend/token.js

@@ -0,0 +1,22 @@
+import * as jwt from 'jsonwebtoken';
+
+const { JWT_KEY, JWT_ALG, JWT_EXP } = process.env;
+
+const CONFIG = {
+	expiresIn: JWT_EXP,
+	issuer: 'https://svelte.dev',
+	audience: 'https://svelte.dev',
+	algorithm: JWT_ALG,
+};
+
+export const decode = jwt.decode;
+
+export function sign(obj, opts, cb) {
+	opts = Object.assign({}, opts, CONFIG);
+	return jwt.sign(obj, JWT_KEY, opts, cb);
+}
+
+export function verify(str, opts, cb) {
+	opts = Object.assign({}, opts, CONFIG);
+	return jwt.verify(str, JWT_KEY, opts, cb);
+}

site/src/server.js

@@ -1,118 +1,33 @@
-import 'dotenv/config';
 import sirv from 'sirv';
-import polka from 'polka';
-import devalue from 'devalue';
-import session from 'express-session';
-import passport from 'passport';
-import { Strategy } from 'passport-github';
-import sessionFileStore from 'session-file-store';
 import * as sapper from '@sapper/server';
-
-const app = polka();
-
-if (process.env.GITHUB_CLIENT_ID) {
-	const FileStore = sessionFileStore(session);
-
-	passport.use(new Strategy({
-		clientID: process.env.GITHUB_CLIENT_ID,
-		clientSecret: process.env.GITHUB_CLIENT_SECRET,
-		callbackURL: `${process.env.BASEURL}/auth/callback`,
-		userAgent: 'svelte.dev'
-	}, (accessToken, refreshToken, profile, callback) => {
-		return callback(null, {
-			token: accessToken,
-			id: profile.id,
-			username: profile.username,
-			displayName: profile.displayName,
-			photo: profile.photos && profile.photos[0] && profile.photos[0].value
-		});
-	}));
-
-	passport.serializeUser((user, cb) => {
-		cb(null, user);
-	});
-
-	passport.deserializeUser((obj, cb) => {
-		cb(null, obj);
-	});
-
-	app
-		.use(session({
-			secret: 'svelte',
-			resave: true,
-			saveUninitialized: true,
-			cookie: {
-				maxAge: 31536000
-			},
-			store: new FileStore({
-				path: process.env.NOW ? `/tmp/sessions` : `.sessions`
-			})
-		}))
-
-		.use(passport.initialize())
-		.use(passport.session())
-
-		.get('/auth/login', (req, res, next) => {
-			const { returnTo } = req.query;
-			req.session.returnTo = returnTo ? decodeURIComponent(returnTo) : '/';
-			next();
-		}, passport.authenticate('github', { scope: ['gist', 'read:user'] }))
-
-		.post('/auth/logout', (req, res) => {
-			req.logout();
-			res.end('ok');
+import { API } from './backend/auth';
+
+const { PORT=3000 } = process.env;
+
+API()
+	.use(
+		sirv('static', {
+			setHeaders(res) {
+				res.setHeader('Access-Control-Allow-Origin', '*');
+				res.hasHeader('Cache-Control') || res.setHeader('Cache-Control', 'max-age=600'); // 10min default
+			}
+		}),
+
+		sapper.middleware({
+			// TODO update Sapper so that we can pass props to the client
+			props: req => {
+				const user = req.user;
+
+				return {
+					user: user && {
+						// strip access token
+						id: user.id,
+						username: user.username,
+						displayName: user.displayName,
+						photo: user.photo
+					}
+				};
+			}
 		})
-
-		.get('/auth/callback', passport.authenticate('github', { failureRedirect: '/auth/error' }), (req, res) => {
-			const { id, username, displayName, photo } = req.session.passport && req.session.passport.user;
-
-			res.setHeader('Content-Type', 'text/html; charset=utf-8');
-
-			res.end(`
-				<script>
-					window.opener.postMessage({
-						user: ${devalue({ id, username, displayName, photo })}
-					}, window.location.origin);
-				</script>
-			`);
-		});
-} else {
-	app.get('/auth/login', (req, res) => {
-		res.writeHead(500);
-		res.end(`
-			<body style="font-family: sans-serif; background: rgb(255,215,215); border: 2px solid red; margin: 0; padding: 1em;">
-				<h1>Missing .env file</h1>
-				<p>In order to use GitHub authentication, you will need to <a target="_blank" href="https://github.com/settings/developers">register an OAuth application</a> with <code>gist</code> and <code>read:user</code> scopes, and create a .env file:</p>
-
-				<pre>GITHUB_CLIENT_ID=[YOUR_APP_ID]\nGITHUB_CLIENT_SECRET=[YOUR_APP_SECRET]\nBASEURL=http://localhost:3000</pre>
-
-				<p>The <code>BASEURL</code> variable should match the callback URL specified for your app.</p>
-			</body>
-		`);
-	});
-}
-
-app.use(
-	sirv('static', {
-		setHeaders(res) {
-			res.setHeader('Access-Control-Allow-Origin', '*');
-			res.hasHeader('Cache-Control') || res.setHeader('Cache-Control', 'max-age=600'); // 10min default
-		}
-	}),
-	sapper.middleware({
-		// TODO update Sapper so that we can pass props to the client
-		props: req => {
-			const user = req.session && req.session.passport && req.session.passport.user;
-
-			return {
-				user: user && {
-					// strip access token
-					id: user.id,
-					username: user.username,
-					displayName: user.displayName,
-					photo: user.photo
-				}
-			};
-		}
-	})
-).listen(process.env.PORT);
+	)
+	.listen(PORT);