@mulverse/mulguard-core 1.0.0

package/src/lib/init.ts

@@ -0,0 +1,236 @@
+import * as jwt from "../jwt.js"
+import { createCallbackUrl } from "./utils/callback-url.js"
+import * as cookie from "./utils/cookie.js"
+import { createCSRFToken } from "./actions/callback/oauth/csrf-token.js"
+
+import { AdapterError, EventError } from "../errors.js"
+import parseProviders from "./utils/providers.js"
+import { setLogger, type LoggerInstance } from "./utils/logger.js"
+import { merge } from "./utils/merge.js"
+
+import type { InternalOptions, RequestInternal } from "../types.js"
+import type { AuthConfig } from "../index.js"
+import { createServerActionsAdapter } from "../adapters/server-actions-helpers.js"
+
+interface InitParams {
+  url: URL
+  authOptions: AuthConfig
+  providerId?: string
+  action: InternalOptions["action"]
+  /** Callback URL value extracted from the incoming request. */
+  callbackUrl?: string
+  /** CSRF token value extracted from the incoming request. From body if POST, from query if GET */
+  csrfToken?: string
+  /** Is the incoming request a POST request? */
+  csrfDisabled: boolean
+  isPost: boolean
+  cookies: RequestInternal["cookies"]
+}
+
+export const defaultCallbacks: InternalOptions["callbacks"] = {
+  signIn() {
+    return true
+  },
+  redirect({ url, baseUrl }) {
+    if (url.startsWith("/")) return `${baseUrl}${url}`
+    else if (new URL(url).origin === baseUrl) return url
+    return baseUrl
+  },
+  session({ session }) {
+    return {
+      user: {
+        name: session.user?.name,
+        email: session.user?.email,
+        image: session.user?.image,
+      },
+      expires: session.expires?.toISOString?.() ?? session.expires,
+    }
+  },
+  jwt({ token }) {
+    return token
+  },
+}
+
+/** Initialize all internal options and cookies. */
+export async function init({
+  authOptions: config,
+  providerId,
+  action,
+  url,
+  cookies: reqCookies,
+  callbackUrl: reqCallbackUrl,
+  csrfToken: reqCsrfToken,
+  csrfDisabled,
+  isPost,
+}: InitParams): Promise<{
+  options: InternalOptions
+  cookies: cookie.Cookie[]
+}> {
+  const logger = setLogger(config)
+  const { providers, provider } = parseProviders({ url, providerId, config })
+
+  const maxAge = 30 * 24 * 60 * 60 // Sessions expire after 30 days of being idle by default
+
+  let isOnRedirectProxy = false
+  if (
+    (provider?.type === "oauth" || provider?.type === "oidc") &&
+    provider.redirectProxyUrl
+  ) {
+    try {
+      isOnRedirectProxy =
+        new URL(provider.redirectProxyUrl).origin === url.origin
+    } catch {
+      throw new TypeError(
+        `redirectProxyUrl must be a valid URL. Received: ${provider.redirectProxyUrl}`
+      )
+    }
+  }
+
+  // User provided options are overridden by other options,
+  // except for the options with special handling above
+  const options: InternalOptions = {
+    debug: false,
+    pages: {},
+    theme: {
+      colorScheme: "auto",
+      logo: "",
+      brandColor: "",
+      buttonText: "",
+    },
+    // Custom options override defaults
+    ...config,
+    // These computed settings can have values in userOptions but we override them
+    // and are request-specific.
+    url,
+    action,
+    // @ts-expect-errors
+    provider,
+    cookies: merge(
+      cookie.defaultCookies(
+        config.useSecureCookies ?? url.protocol === "https:"
+      ),
+      config.cookies
+    ),
+    providers,
+    // Session options
+    session: {
+      // If no adapter or serverActions specified, force use of JSON Web Tokens (stateless)
+      strategy: (config.adapter || config.serverActions) ? "database" : "jwt",
+      maxAge,
+      updateAge: 24 * 60 * 60,
+      generateSessionToken: () => crypto.randomUUID(),
+      ...config.session,
+    },
+    // JWT options
+    jwt: {
+      secret: config.secret!, // Asserted in assert.ts
+      maxAge: config.session?.maxAge ?? maxAge, // default to same as `session.maxAge`
+      encode: jwt.encode,
+      decode: jwt.decode,
+      ...config.jwt,
+    },
+    // Event messages
+    events: eventsErrorHandler(config.events ?? {}, logger),
+    adapter: adapterErrorHandler(
+      config.adapter || (config.serverActions ? createServerActionsAdapter(config.serverActions) : undefined),
+      logger
+    ),
+    // Callback functions
+    callbacks: { ...defaultCallbacks, ...config.callbacks },
+    logger,
+    callbackUrl: url.origin,
+    isOnRedirectProxy,
+    experimental: {
+      ...config.experimental,
+    },
+  }
+
+  // Init cookies
+
+  const cookies: cookie.Cookie[] = []
+
+  if (csrfDisabled) {
+    options.csrfTokenVerified = true
+  } else {
+    const {
+      csrfToken,
+      cookie: csrfCookie,
+      csrfTokenVerified,
+    } = await createCSRFToken({
+      options,
+      cookieValue: reqCookies?.[options.cookies.csrfToken.name],
+      isPost,
+      bodyValue: reqCsrfToken,
+    })
+
+    options.csrfToken = csrfToken
+    options.csrfTokenVerified = csrfTokenVerified
+
+    if (csrfCookie) {
+      cookies.push({
+        name: options.cookies.csrfToken.name,
+        value: csrfCookie,
+        options: options.cookies.csrfToken.options,
+      })
+    }
+  }
+
+  const { callbackUrl, callbackUrlCookie } = await createCallbackUrl({
+    options,
+    cookieValue: reqCookies?.[options.cookies.callbackUrl.name],
+    paramValue: reqCallbackUrl,
+  })
+  options.callbackUrl = callbackUrl
+  if (callbackUrlCookie) {
+    cookies.push({
+      name: options.cookies.callbackUrl.name,
+      value: callbackUrlCookie,
+      options: options.cookies.callbackUrl.options,
+    })
+  }
+
+  return { options, cookies }
+}
+
+type Method = (...args: any[]) => Promise<any>
+
+/** Wraps an object of methods and adds error handling. */
+function eventsErrorHandler(
+  methods: Partial<InternalOptions["events"]>,
+  logger: LoggerInstance
+): Partial<InternalOptions["events"]> {
+  return Object.keys(methods).reduce<any>((acc, name) => {
+    acc[name] = async (...args: any[]) => {
+      try {
+        const method: Method = methods[name as keyof Method]
+        return await method(...args)
+      } catch (e) {
+        logger.error(new EventError(e as Error))
+      }
+    }
+    return acc
+  }, {})
+}
+
+/** Handles adapter induced errors. */
+function adapterErrorHandler(
+  adapter: AuthConfig["adapter"],
+  logger: LoggerInstance
+) {
+  if (!adapter) return
+
+  return Object.keys(adapter).reduce<any>((acc, name) => {
+    acc[name] = async (...args: any[]) => {
+      try {
+        logger.debug(`adapter_${name}`, { args })
+        const method: Method = adapter[name as keyof Method]
+        return await method(...args)
+      } catch (e) {
+        const error = new AdapterError(e as Error)
+        logger.error(error)
+        throw error
+      }
+    }
+    return acc
+  }, {})
+}

package/src/lib/pages/error.tsx

@@ -0,0 +1,106 @@
+import type { ErrorPageParam, Theme } from "../../types.js"
+
+/**
+ * The following errors are passed as error query parameters to the default or overridden error page.
+ *
+ * [Documentation](https://authjs.dev/guides/pages/error)
+ */
+
+export interface ErrorProps {
+  url?: URL
+  theme?: Theme
+  error?: ErrorPageParam
+}
+
+interface ErrorView {
+  status: number
+  heading: string
+  message: JSX.Element
+  signin?: JSX.Element
+}
+
+/** Renders an error page. */
+export default function ErrorPage(props: ErrorProps) {
+  const { url, error = "default", theme } = props
+  const signinPageUrl = `${url}/signin`
+
+  const errors: Record<ErrorPageParam | "default", ErrorView> = {
+    default: {
+      status: 200,
+      heading: "Error",
+      message: (
+        <p>
+          <a className="site" href={url?.origin}>
+            {url?.host}
+          </a>
+        </p>
+      ),
+    },
+    Configuration: {
+      status: 500,
+      heading: "Server error",
+      message: (
+        <div>
+          <p>There is a problem with the server configuration.</p>
+          <p>Check the server logs for more information.</p>
+        </div>
+      ),
+    },
+    AccessDenied: {
+      status: 403,
+      heading: "Access Denied",
+      message: (
+        <div>
+          <p>You do not have permission to sign in.</p>
+          <p>
+            <a className="button" href={signinPageUrl}>
+              Sign in
+            </a>
+          </p>
+        </div>
+      ),
+    },
+    Verification: {
+      status: 403,
+      heading: "Unable to sign in",
+      message: (
+        <div>
+          <p>The sign in link is no longer valid.</p>
+          <p>It may have been used already or it may have expired.</p>
+        </div>
+      ),
+      signin: (
+        <a className="button" href={signinPageUrl}>
+          Sign in
+        </a>
+      ),
+    },
+  }
+
+  const { status, heading, message, signin } = errors[error] ?? errors.default
+
+  return {
+    status,
+    html: (
+      <div className="error">
+        {theme?.brandColor && (
+          <style
+            dangerouslySetInnerHTML={{
+              __html: `
+        :root {
+          --brand-color: ${theme?.brandColor}
+        }
+      `,
+            }}
+          />
+        )}
+        <div className="card">
+          {theme?.logo && <img src={theme?.logo} alt="Logo" className="logo" />}
+          <h1>{heading}</h1>
+          <div className="message">{message}</div>
+          {signin}
+        </div>
+      </div>
+    ),
+  }
+}

package/src/lib/pages/index.ts

@@ -0,0 +1,181 @@
+import { renderToString } from "preact-render-to-string"
+import ErrorPage from "./error.js"
+import SigninPage from "./signin.js"
+import SignoutPage from "./signout.js"
+import css from "./styles.js"
+import VerifyRequestPage from "./verify-request.js"
+import { UnknownAction } from "../../errors.js"
+
+import type {
+  InternalOptions,
+  RequestInternal,
+  ResponseInternal,
+  InternalProvider,
+  PublicProvider,
+} from "../../types.js"
+import type { Cookie } from "../utils/cookie.js"
+
+function send({
+  html,
+  title,
+  status,
+  cookies,
+  theme,
+  headTags,
+}: any): ResponseInternal {
+  return {
+    cookies,
+    status,
+    headers: { "Content-Type": "text/html" },
+    body: `<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1.0"><style>${css}</style><title>${title}</title>${
+      headTags ?? ""
+    }</head><body class="__next-auth-theme-${
+      theme?.colorScheme ?? "auto"
+    }"><div class="page">${renderToString(html)}</div></body></html>`,
+  }
+}
+
+type RenderPageParams = {
+  query?: RequestInternal["query"]
+  cookies?: Cookie[]
+} & Partial<
+  Pick<
+    InternalOptions,
+    "url" | "callbackUrl" | "csrfToken" | "providers" | "theme" | "pages"
+  >
+>
+
+/**
+ * Unless the user defines their [own pages](https://authjs.dev/reference/core#pages),
+ * we render a set of default ones, using Preact SSR.
+ */
+export default function renderPage(params: RenderPageParams) {
+  const { url, theme, query, cookies, pages, providers } = params
+
+  return {
+    csrf(skip: boolean, options: InternalOptions, cookies: Cookie[]) {
+      if (!skip) {
+        return {
+          headers: {
+            "Content-Type": "application/json",
+            "Cache-Control": "private, no-cache, no-store",
+            Expires: "0",
+            Pragma: "no-cache",
+          },
+          body: { csrfToken: options.csrfToken },
+          cookies,
+        }
+      }
+      options.logger.warn("csrf-disabled")
+      cookies.push({
+        name: options.cookies.csrfToken.name,
+        value: "",
+        options: { ...options.cookies.csrfToken.options, maxAge: 0 },
+      })
+      return { status: 404, cookies }
+    },
+    providers(providers: InternalProvider[]) {
+      return {
+        headers: { "Content-Type": "application/json" },
+        body: providers.reduce<Record<string, PublicProvider>>(
+          (acc, { id, name, type, signinUrl, callbackUrl }) => {
+            acc[id] = { id, name, type, signinUrl, callbackUrl }
+            return acc
+          },
+          {}
+        ),
+      }
+    },
+    signin(providerId?: string, error?: any) {
+      if (providerId) throw new UnknownAction("Unsupported action")
+      if (pages?.signIn) {
+        let signinUrl = `${pages.signIn}${
+          pages.signIn.includes("?") ? "&" : "?"
+        }${new URLSearchParams({ callbackUrl: params.callbackUrl ?? "/" })}`
+        if (error) signinUrl = `${signinUrl}&${new URLSearchParams({ error })}`
+        return { redirect: signinUrl, cookies }
+      }
+
+      // If we have a webauthn provider with conditional UI and
+      // a simpleWebAuthnBrowserScript is defined, we need to
+      // render the script in the page.
+      const webauthnProvider = providers?.find(
+        (p): p is InternalProvider<"webauthn"> =>
+          p.type === "webauthn" &&
+          p.enableConditionalUI &&
+          !!p.simpleWebAuthnBrowserVersion
+      )
+
+      let simpleWebAuthnBrowserScript = ""
+      if (webauthnProvider) {
+        const { simpleWebAuthnBrowserVersion } = webauthnProvider
+        simpleWebAuthnBrowserScript = `<script src="https://unpkg.com/@simplewebauthn/browser@${simpleWebAuthnBrowserVersion}/dist/bundle/index.umd.min.js" crossorigin="anonymous"></script>`
+      }
+
+      return send({
+        cookies,
+        theme,
+        html: SigninPage({
+          csrfToken: params.csrfToken,
+          // We only want to render providers
+          providers: params.providers?.filter(
+            (provider) =>
+              // Always render oauth and email type providers
+              ["email", "oauth", "oidc"].includes(provider.type) ||
+              // Only render credentials type provider if credentials are defined
+              (provider.type === "credentials" && provider.credentials) ||
+              // Only render webauthn type provider if formFields are defined
+              (provider.type === "webauthn" && provider.formFields) ||
+              // Don't render other provider types
+              false
+          ),
+          callbackUrl: params.callbackUrl,
+          theme: params.theme,
+          error,
+          ...query,
+        }),
+        title: "Sign In",
+        headTags: simpleWebAuthnBrowserScript,
+      })
+    },
+    signout() {
+      if (pages?.signOut) return { redirect: pages.signOut, cookies }
+      return send({
+        cookies,
+        theme,
+        html: SignoutPage({ csrfToken: params.csrfToken, url, theme }),
+        title: "Sign Out",
+      })
+    },
+    verifyRequest(props?: any) {
+      if (pages?.verifyRequest)
+        return {
+          redirect: `${pages.verifyRequest}${url?.search ?? ""}`,
+          cookies,
+        }
+      return send({
+        cookies,
+        theme,
+        html: VerifyRequestPage({ url, theme, ...props }),
+        title: "Verify Request",
+      })
+    },
+    error(error?: string) {
+      if (pages?.error) {
+        return {
+          redirect: `${pages.error}${
+            pages.error.includes("?") ? "&" : "?"
+          }error=${error}`,
+          cookies,
+        }
+      }
+      return send({
+        cookies,
+        theme,
+        // @ts-expect-error fix error type
+        ...ErrorPage({ url, theme, error }),
+        title: "Error",
+      })
+    },
+  }
+}