import { getCookies, setCookie } from "https://deno.land/std/http/cookie.ts"; import { rootValRef } from "https://esm.town/v/andreterron/rootValRef"; import { getAuthCookie, setAuthCookie } from "https://esm.town/v/postpostscript/authIdBase"; import { html, htmlResponse, Layout, RawHTML } from "https://esm.town/v/postpostscript/htmlComponentLibrary"; import { generate, verify, verifyThirdParty } from "https://esm.town/v/postpostscript/jwks"; import { decode, type JWTPayload, type JWTVerifyOptions } from "https://esm.town/v/postpostscript/jwksUtils"; import { getValEndpointFromName, getValEndpointFromUrl, getValUrlFromName, } from "https://esm.town/v/postpostscript/meta"; import { Profile } from "https://esm.town/v/postpostscript/ProfileImage"; import type { MaybePromise } from "https://esm.town/v/postpostscript/typeUtils"; import type { HonoRequest } from "npm:hono"; type MaybeMethod = T | ((req: Request, payload: JWTPayload) => MaybePromise); type MaybeNameMethod = T | ((req: Request, name: string) => MaybePromise); export type AuthMiddlewareOptions = { rootVal?: ReturnType; verify?: JWTVerifyOptions; requestScope?: MaybeNameMethod; title?: string; templates?: Partial; }; async function normalizeOption(value: MaybeMethod, req: Request, payload: JWTPayload): Promise { return value instanceof Function ? await value(req, payload) : value; } export function getRequestContextRequest(context: ImplementsRequestContext) { return "raw" in context.req ? context.req.raw : context.req; } export interface ImplementsRequestContext< Env extends { Variables: AuthContextVariables } = { Variables: AuthContextVariables }, > { req: Request | HonoRequest; set: Env extends { Variables: infer Variables } ? (key: K, value: Variables[K]) => void : (key: string, value: any) => void; get: Env extends { Variables: infer Variables } ? (key: K) => Variables[K] : (key: string) => any; } export function authWrapperCookie( handler: (req: Request, context: ImplementsRequestContext) => MaybePromise, options: AuthMiddlewareOptions & { rootPath?: string; optional?: boolean; createResponse?: ( context: ImplementsRequestContext, content: RawHTML, init?: ResponseInit, ) => MaybePromise; } = {}, ) { const middleware = authMiddlewareCookie(options); return (req: Request) => { const data = new Map(); const context = { req, set(key, value) { return data.set(key, value); }, get(key) { return data.get(key); }, }; return middleware(context, () => { return handler(req, context); }); }; } export function authWrapperToken( handler: (req: Request, context: ImplementsRequestContext) => MaybePromise, options: AuthMiddlewareOptions & { createResponse?: ( context: ImplementsRequestContext, content: unknown, init?: ResponseInit, ) => MaybePromise; } = {}, ) { const middleware = authMiddlewareToken(options); return (req: Request) => { const data = new Map(); const context = { req, set(key, value) { return data.set(key, value); }, get(key) { return data.get(key); }, }; return middleware(context, () => { return handler(req, context); }); }; } export function authMiddlewareToken( options: Omit, "requestScope"> & { createResponse?: (context: Context, content: unknown, init?: ResponseInit) => MaybePromise; } = {}, ) { const { rootVal: { handle, name }, createResponse, verify } = { rootVal: rootValRef(), createResponse: (context: Context, content: unknown, init: ResponseInit = {}) => { return Response.json(content, init); }, ...options, }; const HANDLER_NAME = `@${handle}/${name}`; return async (context: Context, next: () => void) => { const req = getRequestContextRequest(context); const qs = new URLSearchParams(req.url.split("?")[1]); const token = req.headers.get("Authorization")?.replace(/^Bearer\s+/, ""); let payload; try { payload = token && await verifyThirdParty(token, { issuer: `@${handle}/authId`, audience: HANDLER_NAME, async custom(payload) { const author = payload.iss.split("/")[0]; return { scope: [`${author}/authId/id`], }; }, ...verify, }); } catch (e) { console.log("auth token validation failed", e); } if (!payload) { return createResponse(context, { "error": "invalid Authorization token", }, { status: 403, }); } context.set("token", token); context.set("auth", payload); return next(); }; } export function authMiddlewareTokenQS( options: Omit, "requestScope"> & { createResponse?: (context: Context, content: unknown, init?: ResponseInit) => MaybePromise; } = {}, ) { const { rootVal: { handle, name }, createResponse, verify } = { rootVal: rootValRef(), createResponse: (context: Context, content: unknown, init: ResponseInit = {}) => { return Response.json(content, init); }, ...options, }; const HANDLER_NAME = `@${handle}/${name}`; return async (context: Context, next: () => void) => { const req = getRequestContextRequest(context); const { searchParams } = new URL(req.url); const token = searchParams.get("token"); let payload; try { payload = token && await verifyThirdParty(token, { issuer: `@${handle}/authId`, audience: HANDLER_NAME, async custom(payload) { const author = payload.iss.split("/")[0]; return { scope: [`${author}/authId/id`], }; }, ...verify, }); } catch (e) { console.log("qs token validation failed", e); } if (!payload) { return createResponse(context, { "error": "invalid Authorization token", }, { status: 403, }); } context.set("token", token); context.set("auth", payload); return next(); }; } export function authMiddlewareCookie( options: AuthMiddlewareOptions & { rootPath?: string; optional?: boolean; createResponse?: (context: Context, content: RawHTML, init?: ResponseInit) => MaybePromise; } = {}, ) { const { rootVal: { handle, name }, title, requestScope, verify, rootPath: _rootPath, optional, createResponse } = { rootVal: rootValRef(), title: undefined, requestScope: [], rootPath: "/", createResponse: (context: Context, content: RawHTML, init: ResponseInit = {}) => { const _title = `${title ?? HANDLER_NAME} - Sign In`; return new Response( Layout({ title, }, { default() { return html`

${_title}

${content} `; }, }).toString(), { ...init, headers: { ...init?.headers, "Content-Type": "text/html", }, }, ); }, ...options, }; const HANDLER_NAME = `@${handle}/${name}`; const ENDPOINT = getValEndpointFromName(HANDLER_NAME); const rootPath = (_rootPath.startsWith("/") ? _rootPath : `/${_rootPath}`).replace(/\/+$/, ""); const templates = { ...defaultTemplates, ...options.templates, }; function verifyAuthToken(token: string, req: Request) { return verifyThirdParty(token, { issuer: `@${handle}/authId`, audience: HANDLER_NAME, async custom(payload) { const author = payload.iss.split("/")[0]; return { scope: [`${author}/authId/id`], }; }, ...verify, }); } return async (context: Context, next: () => void) => { const req = getRequestContextRequest(context); let { pathname, searchParams: qs } = new URL(req.url); pathname = pathname.replace(/\/+$/, "").slice(rootPath.length); const cookie = getAuthCookie(req); let payload; try { payload = cookie && await verifyAuthToken(cookie, req); } catch (e) { console.log("cookie token validation failed", e); } if (payload && pathname === "/login") { return Response.redirect(ENDPOINT + rootPath); } if (pathname === "/login" || (pathname === "/logout" && req.method === "POST")) { if (req.method === "GET") { const token = qs.get("token"); const clientToken = qs.get("clientToken"); qs.delete("token"); qs.delete("clientToken"); let failReason: RawHTML | undefined; const tokenDecoded = token && await decode(token); const [tokenPayload, clientTokenPayload] = await Promise.all([ token && verifyAuthToken(token, req).catch((e) => { console.log("error while parsing token qs", e); failReason = html`token validation failed: ${e.message}`; }), tokenDecoded && clientToken && verifyThirdParty(clientToken, { audience: [HANDLER_NAME, tokenDecoded.iss], issuer: HANDLER_NAME, custom: { scope: `${HANDLER_NAME}/requestAuth`, maxUses: 1, }, }).catch((e) => { console.log("error validating clientToken", e, clientToken); failReason = html`clientToken validation failed: ${e.message}`; }), ]); if (tokenPayload && clientTokenPayload) { if (tokenPayload.clientTokenId === clientTokenPayload.jti) { const { searchParams } = new URL(ENDPOINT + clientTokenPayload.returnTo.slice(HANDLER_NAME.length)); const res = new Response(undefined, { status: 302, headers: { Location: ENDPOINT + (searchParams.get("returnTo") || rootPath), }, }); setAuthCookie(res, token); return res; } failReason = html`clientToken validation failed: client token id mismatch`; } if (token || clientToken) { return createResponse(context, templates.failedLogin(failReason), { status: 403, }); } return createResponse(context, templates.signInForm); } else if (req.method === "POST") { const formData = await req.formData(); const username = formData.get("username")?.trim().replace(/^\@/, "").match(/^\w+$/)?.[0]; const val = "authId"; // formData.get("val")?.trim().match(/^\w+$/)?.[0]; if (!(username && val)) { return createResponse(context, templates.signInForm, { status: 400, }); } const name = `@${username}/${val}`; const authEndpoint = getValEndpointFromName(name); const returnToPath = (qs.get("returnTo") || "").replace(/\/*(login|logout)\/*$/, ""); const returnQS = new URLSearchParams(); if (returnToPath.slice(1)) { returnQS.set("returnTo", rootPath + returnToPath); } const newPayload = { iss: HANDLER_NAME, scope: `${HANDLER_NAME}/requestAuth`, aud: [name, HANDLER_NAME], returnTo: HANDLER_NAME + rootPath + "/login" + (returnQS.size ? `?${returnQS}` : ""), }; newPayload.requestScope = requestScope instanceof Function ? await requestScope(req, name) : requestScope; const token = await generate(newPayload, "15m"); const authQS = new URLSearchParams(); authQS.set("clientToken", token); return Response.redirect(`${authEndpoint}?${authQS}`); } } else if (pathname === "/logout" && req.method !== "POST") { const res = await createResponse(context, templates.loggedOut); setAuthCookie(res, undefined); return res; } if (!payload && !optional) { const qs = new URLSearchParams(); pathname && qs.set("returnTo", pathname); return Response.redirect(`${ENDPOINT}${rootPath}/login${qs.size ? `?${qs}` : ""}`); } context.set("token", cookie); context.set("auth", payload); return next(); }; } export const signInFormBase = html` `; export const signInForm = html` ${signInFormBase}

If you haven't set up the required Vals jwks and authId yet, there is a guide at @postpostscript/authIdUserGuide

`; export const defaultTemplates = { signInForm, loggedOut: html`

You are now logged out! You can close this tab.

${signInForm} `, failedLogin: (reason: unknown) => html` ${signInForm} `, }; export function userDisplay(payload: JWTPayload) { return payload.sub.replace(/\/.*/, ""); } export function userActionsDisplay( payload: JWTPayload, { order = ["language", "profile", "username", "logout"], parts = {} as Record, } = {}, ) { const username = userDisplay(payload); const _parts: Record = { language: html` Signed in as `, profile: html` ${Profile(username)} `, username: html` ${username} `, logout: html` Log Out `, ...parts, }; return html` ${order.map(key => _parts[key])} `; } export type AuthContextVariables = { token: string; auth: JWTPayload; }; export type HonoEnv = { Variables: AuthContextVariables; }; export type HonoEnvOptional = { Variables: Partial; };