First commit, working Recurse.com OAuth for ONE user with Oslo

reedspool · reedspool · commit aa02920c1537 · 2024-03-04T12:57:47.000-08:00
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,14 @@
+.DS_Store
+.idea
+*.log
+tmp/
+
+*.tern-port
+node_modules/
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+*.tsbuildinfo
+.npm
+.eslintcache
+*.env
diff --git a/README.md b/README.md
@@ -0,0 +1,13 @@
+Following [Lucia Getting Started in Express tutorial](https://lucia-auth.com/getting-started/express)
+
+Node >=20 required (or see notes about Oslo installation for Node <20 [here](https://oslo.js.org))
+
+```sh
+npm install;
+```
+
+Get your Client ID and Client Secret by going to https://recurse.com/settings/apps, and click 'Create OAuth Application'. Use `http://localhost:3001/myOauth2RedirectUri` as the Redirect URI.
+
+```sh
+node --env-file=config.env index.js
+```
diff --git a/config.env.template b/config.env.template
@@ -0,0 +1,2 @@
+OAUTH_CLIENT_ID=<your client id>
+OAUTH_CLIENT_SECRET=<your client secret>
diff --git a/index.js b/index.js
@@ -0,0 +1,163 @@
+import { OAuth2Client, generateState } from "oslo/oauth2";
+import { OAuth2RequestError } from "oslo/oauth2";
+import express from "express";
+
+const app = express();
+const port = process.env.PORT || 3001;
+const authorizeEndpoint = "https://recurse.com/oauth/authorize";
+// TODO P.B. found this required `www` though authorize doesn't.
+const tokenEndpoint = "https://www.recurse.com/oauth/token";
+
+// DO NOT COMMIT
+// From https://www.recurse.com/settings/apps
+const clientId = process.env.OAUTH_CLIENT_ID;
+const clientSecret = process.env.OAUTH_CLIENT_SECRET;
+
+console.log(clientId, clientSecret);
+
+const client = new OAuth2Client(clientId, authorizeEndpoint, tokenEndpoint, {
+	redirectURI: `http://localhost:${port}/myOauth2RedirectUri`,
+});
+
+// TODO: Use Lucia to put this in user's session
+const newUserSession = () => ({
+	state: null,
+	refresh_token: null,
+	access_token: null,
+});
+
+let userSession = newUserSession();
+
+const page = ({ body, title }) => `
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <title>${title}</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <link rel="shortcut icon" type="image/png" href="favicon.png" />
+  </head>
+  <body>
+    ${body}
+  </body>
+</html>
+`;
+
+app.get("/", async (req, res) => {
+	let authenticated = false;
+	if (userSession.refresh_token) {
+		try {
+			// Again the oslo docs are wrong, or at least inspecific.
+			// Source don't lie, though! https://github.com/pilcrowOnPaper/oslo/blob/main/src/oauth2/index.ts#L76
+			const { access_token, refresh_token } = await client.refreshAccessToken(
+				userSession.refresh_token,
+				{
+					credentials: clientSecret,
+					authenticateWith: "request_body",
+				},
+			);
+
+			userSession.access_token = access_token;
+			userSession.refresh_token = refresh_token;
+
+			authenticated = true;
+		} catch (e) {
+			if (e instanceof OAuth2RequestError) {
+				// see https://www.rfc-editor.org/rfc/rfc6749#section-5.2
+				const { request, message, description } = e;
+
+				throw e;
+			}
+			// unknown error
+			throw e;
+		}
+	}
+	const body = `
+	<h1>Recurse OAuth Example with Oslo</h1>
+	<p>${
+		authenticated
+			? 'You\'re logged in already - <a href="/logout">logout</a>'
+			: '<a href="/getAuthorizationUrl">Authorize</a>'
+	}
+    </p>
+	`;
+	res.send(
+		page({
+			title: "Homepage",
+			body,
+		}),
+	);
+});
+
+app.get("/logout", async (req, res) => {
+	userSession = newUserSession();
+
+	res.redirect("/");
+});
+
+app.get("/getAuthorizationUrl", async (req, res) => {
+	userSession.state = generateState();
+	const url = await client.createAuthorizationURL({
+		state: userSession.state,
+		scope: ["user:email"],
+	});
+	res.redirect(url);
+});
+
+app.get("/myOauth2RedirectUri", async (req, res) => {
+	const { state, code } = req.query;
+
+	if (!userSession.state || !state || userSession.state !== state) {
+		// TODO: Don't crash the server!
+		throw new Error("State didn't match");
+	}
+
+	try {
+		// NOTE: This is different from the Oslo OAuth2 docs, they use camel case
+		const { access_token, refresh_token } =
+			await client.validateAuthorizationCode(code, {
+				credentials: clientSecret,
+				authenticateWith: "request_body",
+			});
+
+		userSession.access_token = access_token;
+		userSession.refresh_token = refresh_token;
+
+		res.redirect("/");
+		return;
+	} catch (e) {
+		if (e instanceof OAuth2RequestError) {
+			// see https://www.rfc-editor.org/rfc/rfc6749#section-5.2
+			const { request, message, description } = e;
+
+			throw e;
+		}
+		// unknown error
+		throw e;
+	}
+});
+
+//
+// Final 404/5XX handlers
+//
+app.use(function (err, req, res, next) {
+	console.error("5XX", err, req, next);
+	res.status(err?.status || 500);
+
+	res.send("5XX");
+});
+
+app.use(function (req, res) {
+	res.status(404);
+	res.send("4XX");
+});
+const listener = app.listen(port, () => {
+	console.log(`Server is available at http://localhost:${port}`);
+});
+
+// So I can kill from local terminal with Ctrl-c
+// From https://github.com/strongloop/node-foreman/issues/118#issuecomment-475902308
+process.on("SIGINT", () => {
+	listener.close(() => {
+		process.exit(0);
+	});
+});
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+OAUTH_CLIENT_ID=<your client id>`
	`2`	`+OAUTH_CLIENT_SECRET=<your client secret>`