@commonpub/layer 0.3.17 → 0.3.19

package/server/api/auth/federated/callback.get.ts

@@ -1,4 +1,5 @@
-import { consumeOAuthState, exchangeCodeForToken, linkFederatedAccount } from '@commonpub/server';
+import { consumeOAuthState, exchangeCodeForToken, linkFederatedAccount, findUserByFederatedAccount, createFederatedSession, storePendingLink } from '@commonpub/server';
+import type { H3Event } from 'h3';
 import { z } from 'zod';
 
 const callbackSchema = z.object({
@@ -6,16 +7,30 @@ const callbackSchema = z.object({
   state: z.string(),
 });
 
+/**
+ * Set the Better Auth session cookie after federated login.
+ */
+function setSessionCookie(event: H3Event, token: string, expiresAt: Date): void {
+  setCookie(event, 'better-auth.session_token', token, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    path: '/',
+    expires: expiresAt,
+  });
+}
+
 /**
  * OAuth2 callback handler for federated login.
- * Exchanges authorization code for token, links federated account.
+ * Exchanges authorization code for token, links federated account,
+ * creates a session, and redirects.
  */
 export default defineEventHandler(async (event) => {
   requireFeature('federation');
   const db = useDB();
   const { code, state: stateToken } = parseQueryParams(event, callbackSchema);
 
-  // Retrieve and consume the stored OAuth state (single-use, 10min TTL)
+  // Retrieve and consume the stored OAuth state (single-use, atomic)
   const oauthState = await consumeOAuthState(db, stateToken);
   if (!oauthState) {
     throw createError({
@@ -33,14 +48,19 @@ export default defineEventHandler(async (event) => {
     });
   }
 
+  const ipAddress = getRequestHeader(event, 'x-forwarded-for')?.split(',')[0]?.trim()
+    ?? getRequestHeader(event, 'x-real-ip')
+    ?? undefined;
+  const userAgent = getRequestHeader(event, 'user-agent') ?? undefined;
+
   // Check if a local user is already linked to this federated account
-  const { findUserByFederatedAccount } = await import('@commonpub/server');
   const existingLink = await findUserByFederatedAccount(db, tokenResult.user.actorUri);
 
   if (existingLink) {
-    // User already linked — redirect to dashboard
-    // In a full implementation, this would also create a Better Auth session
-    return sendRedirect(event, `/dashboard?federated=linked&user=${existingLink.username}`, 302);
+    // User already linked — create session and redirect to dashboard
+    const session = await createFederatedSession(db, existingLink.userId, ipAddress, userAgent);
+    setSessionCookie(event, session.sessionToken, session.expiresAt);
+    return sendRedirect(event, '/dashboard', 302);
   }
 
   // Check if the current user is logged in — if so, link to their account
@@ -55,13 +75,15 @@ export default defineEventHandler(async (event) => {
     return sendRedirect(event, '/settings/account?federated=linked', 302);
   }
 
-  // Not logged in and no existing link — redirect to login page with federated context
-  // The user needs to either create an account or log in to link
-  const params = new URLSearchParams({
-    federated: 'true',
+  // Not logged in and no existing link — store verified identity in a server-side token.
+  // Only the opaque token is passed to the client; the actorUri is never exposed in the URL.
+  const linkToken = await storePendingLink(db, {
     actorUri: tokenResult.user.actorUri,
     username: tokenResult.user.username,
-    instance: oauthState.instanceDomain,
+    instanceDomain: oauthState.instanceDomain,
+    displayName: tokenResult.user.displayName ?? undefined,
+    avatarUrl: tokenResult.user.avatarUrl ?? undefined,
   });
-  return sendRedirect(event, `/auth/login?${params.toString()}`, 302);
+
+  return sendRedirect(event, `/auth/login?federated=true&linkToken=${linkToken}`, 302);
 });

package/server/api/auth/federated/link.post.ts

@@ -0,0 +1,82 @@
+import { linkFederatedAccount, consumePendingLink } from '@commonpub/server';
+import { z } from 'zod';
+
+const linkSchema = z.object({
+  /** Local credentials */
+  identity: z.string().min(1),
+  password: z.string().min(1),
+  /** Server-side link token from the OAuth callback — proves the federated identity was verified */
+  linkToken: z.string().min(1),
+});
+
+/**
+ * Link a verified federated identity to a local account.
+ * The linkToken is a server-side opaque token stored during the OAuth callback.
+ * It proves the federated identity was authenticated — the actorUri is never
+ * sent from the client, preventing identity hijacking.
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('federation');
+  const db = useDB();
+  const body = await parseBody(event, linkSchema);
+
+  // Step 1: Consume the pending link token (single-use, 10min TTL)
+  const pendingLink = await consumePendingLink(db, body.linkToken);
+  if (!pendingLink) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: 'Link token is invalid or expired. Please start the federated login again.',
+    });
+  }
+
+  // Step 2: Resolve identity to email
+  const { email } = await $fetch<{ email: string }>('/api/resolve-identity', {
+    method: 'POST',
+    body: { identity: body.identity },
+  }).catch(() => {
+    throw createError({ statusCode: 401, statusMessage: 'Invalid credentials.' });
+  });
+
+  // Step 3: Authenticate via Better Auth sign-in (also creates session + sets cookie)
+  const signInResponse = await $fetch<{ user?: { id: string }; session?: { token: string; expiresAt: string } }>(
+    '/api/auth/sign-in/email',
+    {
+      method: 'POST',
+      body: { email, password: body.password },
+    },
+  ).catch(() => {
+    throw createError({ statusCode: 401, statusMessage: 'Invalid credentials.' });
+  });
+
+  if (!signInResponse?.user?.id || !signInResponse?.session?.token) {
+    throw createError({ statusCode: 401, statusMessage: 'Invalid credentials.' });
+  }
+
+  const userId = signInResponse.user.id;
+
+  // Step 4: Link the verified federated identity (from server-side token, NOT client input)
+  try {
+    await linkFederatedAccount(db, userId, pendingLink.actorUri, pendingLink.instanceDomain, {
+      preferredUsername: pendingLink.username,
+      displayName: pendingLink.displayName,
+      avatarUrl: pendingLink.avatarUrl,
+    });
+  } catch (err: unknown) {
+    const msg = err instanceof Error ? err.message : 'Failed to link account';
+    throw createError({ statusCode: 409, statusMessage: msg });
+  }
+
+  // Step 5: Use the session Better Auth created — set cookie for the client
+  setCookie(event, 'better-auth.session_token', signInResponse.session.token, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    path: '/',
+    expires: new Date(signInResponse.session.expiresAt),
+  });
+
+  return {
+    success: true,
+    linked: true,
+  };
+});

package/server/api/messages/index.get.ts

@@ -1,4 +1,4 @@
-import { listConversations } from '@commonpub/server';
+import { listConversations, getConversationUnreadCounts } from '@commonpub/server';
 import { users } from '@commonpub/schema';
 import { inArray } from 'drizzle-orm';
 
@@ -6,11 +6,14 @@ export default defineEventHandler(async (event) => {
   const db = useDB();
   const user = requireAuth(event);
 
-  const conversations = await listConversations(db, user.id);
+  const [conversationList, unreadCounts] = await Promise.all([
+    listConversations(db, user.id),
+    getConversationUnreadCounts(db, user.id),
+  ]);
 
   // Collect all unique participant IDs
   const allIds = new Set<string>();
-  for (const conv of conversations) {
+  for (const conv of conversationList) {
     for (const id of (conv.participants ?? [])) {
       allIds.add(id);
     }
@@ -28,9 +31,10 @@ export default defineEventHandler(async (event) => {
     }
   }
 
-  // Replace participant IDs with resolved user objects
-  return conversations.map((conv) => ({
+  // Replace participant IDs with resolved user objects, include unread count
+  return conversationList.map((conv) => ({
     ...conv,
+    unreadCount: unreadCounts[conv.id] ?? 0,
     participants: (conv.participants ?? []).map((id: string) => {
       const u = userMap.get(id);
       return u ? { username: u.username, displayName: u.displayName, avatarUrl: u.avatarUrl } : { username: id, displayName: null, avatarUrl: null };