@commonpub/layer 0.20.0 → 0.21.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@commonpub/layer",
-  "version": "0.20.0",
+  "version": "0.21.0",
   "type": "module",
   "main": "./nuxt.config.ts",
   "files": [
@@ -52,14 +52,14 @@
     "zod": "^4.3.6",
     "@commonpub/auth": "0.6.0",
     "@commonpub/docs": "0.6.2",
-    "@commonpub/config": "0.12.0",
-    "@commonpub/explainer": "0.7.12",
     "@commonpub/editor": "0.7.9",
-    "@commonpub/protocol": "0.9.9",
     "@commonpub/learning": "0.5.2",
+    "@commonpub/explainer": "0.7.12",
     "@commonpub/schema": "0.16.0",
-    "@commonpub/server": "2.50.0",
-    "@commonpub/ui": "0.8.5"
+    "@commonpub/config": "0.12.0",
+    "@commonpub/server": "2.51.0",
+    "@commonpub/ui": "0.8.5",
+    "@commonpub/protocol": "0.9.9"
   },
   "devDependencies": {
     "@testing-library/jest-dom": "^6.9.1",

package/server/api/auth/mastodon/callback.get.ts

@@ -0,0 +1,144 @@
+/**
+ * GET /api/auth/mastodon/callback?code=<auth_code>&state=<state>
+ *
+ * Phase 2a — server side of the Mastodon-login flow. Exchanges the
+ * auth code for an access token, verifies the remote account, then
+ * routes to one of three outcomes:
+ *
+ *   1. **Already linked** — `findUserByFederatedAccount` finds a local
+ *      user. Mint a Better Auth session, redirect to dashboard. (Or
+ *      to `returnTo` if the start request specified it.)
+ *
+ *   2. **Currently logged-in user adding a link** — `event.context.auth`
+ *      has a user. Call `linkFederatedAccount` with the grant; redirect
+ *      to settings.
+ *
+ *   3. **Anonymous + first-time** — call `storePendingLink` (existing
+ *      v1 SSO machinery). Redirect to login form with the link token;
+ *      Phase 2b's UI will consume the token to auto-provision a fresh
+ *      local account or link to an existing user the visitor signs in
+ *      as.
+ *
+ * Gated by `features.identity.signInWithRemote`.
+ */
+import { z } from 'zod';
+import type { H3Event } from 'h3';
+import {
+  consumeMastodonLoginState,
+  createFederatedSession,
+  exchangeCodeAndVerify,
+  findUserByFederatedAccount,
+  getOrRegisterRemoteClient,
+  linkFederatedAccount,
+  storePendingLink,
+} from '@commonpub/server';
+
+const callbackSchema = z.object({
+  code: z.string().min(1),
+  state: z.string().min(1),
+  // OAuth error responses come back as ?error=...&error_description=...
+  // We surface a friendly message rather than crashing.
+  error: z.string().optional(),
+  error_description: z.string().optional(),
+});
+
+function setSessionCookie(event: H3Event, token: string, expiresAt: Date): void {
+  setCookie(event, 'better-auth.session_token', token, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    path: '/',
+    expires: expiresAt,
+  });
+}
+
+export default defineEventHandler(async (event) => {
+  const config = useConfig();
+  if (!config.features.identity.signInWithRemote) {
+    throw createError({ statusCode: 404, statusMessage: 'Not found' });
+  }
+
+  const db = useDB();
+  const params = parseQueryParams(event, callbackSchema);
+
+  if (params.error) {
+    // Remote denied / errored. Surface back to the login page with the
+    // OAuth error message so the UI can render it cleanly.
+    const msg = encodeURIComponent(params.error_description || params.error);
+    return sendRedirect(event, `/auth/login?mastodon_error=${msg}`, 302);
+  }
+
+  // Single-use, atomic. Returns null if expired / already consumed.
+  const loginState = await consumeMastodonLoginState(db, params.state);
+  if (!loginState) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: 'Invalid or expired login state. Please try again.',
+    });
+  }
+
+  // Re-read the cached client credentials for this host; they were
+  // stored by the start route during `getOrRegisterRemoteClient`.
+  // Pass the same redirectUri so we don't mistakenly re-register.
+  const creds = await getOrRegisterRemoteClient(db, loginState.host, loginState.redirectUri);
+
+  // Exchange + verify in one atomic-ish step. Throws on token-exchange
+  // failure or 4xx on verifyCredentials.
+  let verified: Awaited<ReturnType<typeof exchangeCodeAndVerify>>;
+  try {
+    verified = await exchangeCodeAndVerify(loginState.host, creds, params.code);
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : 'Unknown error';
+    throw createError({
+      statusCode: 502,
+      statusMessage: `Sign-in via ${loginState.host} failed: ${msg}`,
+    });
+  }
+
+  const ipAddress =
+    getRequestHeader(event, 'x-forwarded-for')?.split(',')[0]?.trim()
+    ?? getRequestHeader(event, 'x-real-ip')
+    ?? undefined;
+  const userAgent = getRequestHeader(event, 'user-agent') ?? undefined;
+
+  // Outcome 1: identity already linked → log them in, redirect.
+  const existingLink = await findUserByFederatedAccount(db, verified.profile.actorUri);
+  if (existingLink) {
+    const session = await createFederatedSession(db, existingLink.userId, ipAddress, userAgent);
+    setSessionCookie(event, session.sessionToken, session.expiresAt);
+    return sendRedirect(event, loginState.returnTo ?? '/dashboard', 302);
+  }
+
+  // Outcome 2: a user is signed in locally and wants to add this link.
+  const auth = event.context.auth;
+  if (auth?.user) {
+    await linkFederatedAccount(
+      db,
+      auth.user.id,
+      verified.profile.actorUri,
+      loginState.host,
+      {
+        preferredUsername: verified.profile.username,
+        displayName: verified.profile.displayName,
+        avatarUrl: verified.profile.avatarUrl,
+      },
+      {
+        accessToken: verified.accessToken,
+        scopes: verified.scopes,
+        softwareKind: verified.softwareKind,
+      },
+    );
+    return sendRedirect(event, '/settings/account?federated=linked', 302);
+  }
+
+  // Outcome 3: anonymous + first-time → store as pending link, hand
+  // the opaque token to the login UI. Phase 2b's UI consumes the token.
+  const linkToken = await storePendingLink(db, {
+    actorUri: verified.profile.actorUri,
+    username: verified.profile.username,
+    instanceDomain: loginState.host,
+    displayName: verified.profile.displayName,
+    avatarUrl: verified.profile.avatarUrl,
+  });
+  return sendRedirect(event, `/auth/login?federated=true&linkToken=${linkToken}`, 302);
+});

package/server/api/auth/mastodon/start.get.ts

@@ -0,0 +1,71 @@
+/**
+ * GET /api/auth/mastodon/start?host=<domain>[&returnTo=<path>]
+ *
+ * Phase 2a — server side of "Sign in via @user@host" / "Link a
+ * Mastodon-API account". CommonPub plays the OAuth client role here:
+ * registers itself with the remote, then redirects the user to the
+ * remote's `/oauth/authorize`.
+ *
+ * Gated by `features.identity.signInWithRemote`. When the flag is off,
+ * this route 404s — no leakage of new endpoints to scrapers.
+ *
+ * The companion `callback.get.ts` handles the auth code return.
+ */
+import { z } from 'zod';
+import {
+  buildAuthorizeUrl,
+  getOrRegisterRemoteClient,
+  isValidHost,
+  storeMastodonLoginState,
+} from '@commonpub/server';
+
+const startSchema = z.object({
+  host: z.string().min(3).max(253),
+  returnTo: z.string().optional(),
+});
+
+export default defineEventHandler(async (event) => {
+  const config = useConfig();
+  if (!config.features.identity.signInWithRemote) {
+    throw createError({ statusCode: 404, statusMessage: 'Not found' });
+  }
+
+  const db = useDB();
+  const { host: rawHost, returnTo } = parseQueryParams(event, startSchema);
+  const host = rawHost.trim().toLowerCase();
+
+  if (!isValidHost(host)) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: `Invalid host: ${rawHost}`,
+    });
+  }
+
+  const redirectUri = `https://${config.instance.domain}/api/auth/mastodon/callback`;
+
+  // Get or register our OAuth client at the remote. First call to a
+  // given host hits the network (megalodon's `registerApp` →
+  // POST /api/v1/apps); subsequent calls read the cache.
+  let creds: Awaited<ReturnType<typeof getOrRegisterRemoteClient>>;
+  try {
+    creds = await getOrRegisterRemoteClient(db, host, redirectUri);
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : 'Unknown registration error';
+    throw createError({
+      statusCode: 502,
+      statusMessage: `Could not register CommonPub at ${host}: ${msg}`,
+    });
+  }
+
+  // Mint a CSRF state token bound to this (host, redirectUri, returnTo)
+  // tuple. Single-use, 10-min TTL.
+  const state = await storeMastodonLoginState(db, {
+    host,
+    redirectUri,
+    returnTo,
+  });
+
+  // Redirect the user to the remote's authorize endpoint.
+  const authUrl = buildAuthorizeUrl(host, creds, state);
+  return sendRedirect(event, authUrl, 302);
+});