mirror of
https://github.com/pocket-id/pocket-id.git
synced 2026-02-07 00:40:38 +00:00
feat: device authorization endpoint (#270)
Co-authored-by: Elias Schneider <login@eliasschneider.com>
This commit is contained in:
Kyle Mendell
GitHub
@@ -24,7 +24,7 @@ const authenticationHandle: Handle = async ({ event, resolve }) => {
|
||||
const { isSignedIn, isAdmin } = verifyJwt(event.cookies.get(ACCESS_TOKEN_COOKIE_NAME));
|
||||
|
||||
const isUnauthenticatedOnlyPath = event.url.pathname.startsWith('/login') || event.url.pathname.startsWith('/lc')
|
||||
const isPublicPath = ['/authorize', '/health'].includes(event.url.pathname);
|
||||
const isPublicPath = ['/authorize', '/device', '/health'].includes(event.url.pathname);
|
||||
const isAdminPath = event.url.pathname.startsWith('/settings/admin');
|
||||
|
||||
if (!isUnauthenticatedOnlyPath && !isPublicPath && !isSignedIn) {
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
import Logo from '../logo.svelte';
|
||||
import HeaderAvatar from './header-avatar.svelte';
|
||||
|
||||
const authUrls = [/^\/authorize$/, /^\/login(?:\/.*)?$/, /^\/logout$/];
|
||||
const authUrls = [/^\/authorize$/, /^\/device$/, /^\/login(?:\/.*)?$/, /^\/logout$/];
|
||||
|
||||
let isAuthPage = $derived(
|
||||
!page.error && authUrls.some((pattern) => pattern.test(page.url.pathname))
|
||||
|
||||
27
frontend/src/lib/components/scope-list.svelte
Normal file
27
frontend/src/lib/components/scope-list.svelte
Normal file
@@ -0,0 +1,27 @@
|
||||
<script lang="ts">
|
||||
import { m } from '$lib/paraglide/messages';
|
||||
import { LucideMail, LucideUser, LucideUsers } from 'lucide-svelte';
|
||||
import ScopeItem from './scope-item.svelte';
|
||||
|
||||
let { scope }: { scope: string } = $props();
|
||||
</script>
|
||||
|
||||
<div class="flex flex-col gap-3" data-testid="scopes">
|
||||
{#if scope!.includes('email')}
|
||||
<ScopeItem icon={LucideMail} name={m.email()} description={m.view_your_email_address()} />
|
||||
{/if}
|
||||
{#if scope!.includes('profile')}
|
||||
<ScopeItem
|
||||
icon={LucideUser}
|
||||
name={m.profile()}
|
||||
description={m.view_your_profile_information()}
|
||||
/>
|
||||
{/if}
|
||||
{#if scope!.includes('groups')}
|
||||
<ScopeItem
|
||||
icon={LucideUsers}
|
||||
name={m.groups()}
|
||||
description={m.view_the_groups_you_are_a_member_of()}
|
||||
/>
|
||||
{/if}
|
||||
</div>
|
||||
@@ -1,5 +1,6 @@
|
||||
import type {
|
||||
AuthorizeResponse,
|
||||
OidcDeviceCodeInfo,
|
||||
OidcClient,
|
||||
OidcClientCreate,
|
||||
OidcClientMetaData,
|
||||
@@ -8,6 +9,7 @@ import type {
|
||||
import type { Paginated, SearchPaginationSortRequest } from '$lib/types/pagination.type';
|
||||
import APIService from './api-service';
|
||||
|
||||
|
||||
class OidcService extends APIService {
|
||||
async authorize(
|
||||
clientId: string,
|
||||
@@ -92,6 +94,15 @@ class OidcService extends APIService {
|
||||
const res = await this.api.put(`/oidc/clients/${id}/allowed-user-groups`, { userGroupIds });
|
||||
return res.data as OidcClientWithAllowedUserGroups;
|
||||
}
|
||||
|
||||
async verifyDeviceCode(userCode: string) {
|
||||
return await this.api.post(`/oidc/device/verify?code=${userCode}`);
|
||||
}
|
||||
|
||||
async getDeviceCodeInfo(userCode: string): Promise<OidcDeviceCodeInfo> {
|
||||
const response = await this.api.get(`/oidc/device/info?code=${userCode}`);
|
||||
return response.data;
|
||||
}
|
||||
}
|
||||
|
||||
export default OidcService;
|
||||
|
||||
@@ -23,6 +23,12 @@ export type OidcClientCreateWithLogo = OidcClientCreate & {
|
||||
logo: File | null | undefined;
|
||||
};
|
||||
|
||||
export type OidcDeviceCodeInfo = {
|
||||
scope: string;
|
||||
authorizationRequired: boolean;
|
||||
client: OidcClientMetaData;
|
||||
};
|
||||
|
||||
export type AuthorizeResponse = {
|
||||
code: string;
|
||||
callbackURL: string;
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
import { slide } from 'svelte/transition';
|
||||
import type { PageData } from './$types';
|
||||
import ClientProviderImages from './components/client-provider-images.svelte';
|
||||
import ScopeItem from './components/scope-item.svelte';
|
||||
import ScopeItem from '$lib/components/scope-item.svelte';
|
||||
|
||||
const webauthnService = new WebAuthnService();
|
||||
const oidService = new OidcService();
|
||||
|
||||
9
frontend/src/routes/device/+page.server.ts
Normal file
9
frontend/src/routes/device/+page.server.ts
Normal file
@@ -0,0 +1,9 @@
|
||||
import type { PageServerLoad } from './$types';
|
||||
|
||||
export const load: PageServerLoad = async ({ url }) => {
|
||||
const code = url.searchParams.get('code');
|
||||
|
||||
return {
|
||||
code
|
||||
};
|
||||
};
|
||||
124
frontend/src/routes/device/+page.svelte
Normal file
124
frontend/src/routes/device/+page.svelte
Normal file
@@ -0,0 +1,124 @@
|
||||
<script lang="ts">
|
||||
import SignInWrapper from '$lib/components/login-wrapper.svelte';
|
||||
import ScopeList from '$lib/components/scope-list.svelte';
|
||||
import { Button } from '$lib/components/ui/button';
|
||||
import * as Card from '$lib/components/ui/card';
|
||||
import { Input } from '$lib/components/ui/input';
|
||||
import { m } from '$lib/paraglide/messages';
|
||||
import OIDCService from '$lib/services/oidc-service';
|
||||
import WebAuthnService from '$lib/services/webauthn-service';
|
||||
import appConfigStore from '$lib/stores/application-configuration-store';
|
||||
import userStore from '$lib/stores/user-store';
|
||||
import type { OidcDeviceCodeInfo } from '$lib/types/oidc.type';
|
||||
import { getAxiosErrorMessage } from '$lib/utils/error-util';
|
||||
import { startAuthentication } from '@simplewebauthn/browser';
|
||||
import { onMount } from 'svelte';
|
||||
import { slide } from 'svelte/transition';
|
||||
import ClientProviderImages from '../authorize/components/client-provider-images.svelte';
|
||||
import LoginLogoErrorSuccessIndicator from '../login/components/login-logo-error-success-indicator.svelte';
|
||||
|
||||
let { data } = $props();
|
||||
|
||||
const oidcService = new OIDCService();
|
||||
const webauthnService = new WebAuthnService();
|
||||
|
||||
let userCode = $state(data.code || '');
|
||||
let isLoading = $state(false);
|
||||
let deviceInfo: OidcDeviceCodeInfo | undefined = $state();
|
||||
let success = $state(false);
|
||||
let errorMessage: string | null = $state(null);
|
||||
let authorizationRequired = $state(false);
|
||||
|
||||
onMount(() => {
|
||||
if (data.code && $userStore) {
|
||||
authorize();
|
||||
}
|
||||
});
|
||||
|
||||
async function authorize() {
|
||||
isLoading = true;
|
||||
try {
|
||||
// Get access token if not signed in
|
||||
if (!$userStore) {
|
||||
const loginOptions = await webauthnService.getLoginOptions();
|
||||
const authResponse = await startAuthentication(loginOptions);
|
||||
const user = await webauthnService.finishLogin(authResponse);
|
||||
userStore.setUser(user);
|
||||
}
|
||||
|
||||
const info = await oidcService.getDeviceCodeInfo(userCode);
|
||||
deviceInfo = info;
|
||||
|
||||
if (info.authorizationRequired && !authorizationRequired) {
|
||||
authorizationRequired = true;
|
||||
isLoading = false;
|
||||
return;
|
||||
}
|
||||
|
||||
await oidcService.verifyDeviceCode(userCode);
|
||||
|
||||
success = true;
|
||||
} catch (e) {
|
||||
errorMessage = getAxiosErrorMessage(e);
|
||||
} finally {
|
||||
isLoading = false;
|
||||
}
|
||||
}
|
||||
</script>
|
||||
|
||||
<svelte:head>
|
||||
<title>{m.authorize_device()}</title>
|
||||
</svelte:head>
|
||||
|
||||
<SignInWrapper
|
||||
animate={!$appConfigStore.disableAnimations}
|
||||
showAlternativeSignInMethodButton={$userStore == null}
|
||||
>
|
||||
<div class="flex justify-center">
|
||||
{#if deviceInfo?.client}
|
||||
<ClientProviderImages client={deviceInfo.client} {success} error={!!errorMessage} />
|
||||
{:else}
|
||||
<LoginLogoErrorSuccessIndicator {success} error={!!errorMessage} />
|
||||
{/if}
|
||||
</div>
|
||||
<h1 class="font-playfair mt-5 text-4xl font-bold">{m.authorize_device()}</h1>
|
||||
{#if errorMessage}
|
||||
<p class="text-muted-foreground mt-2">
|
||||
{errorMessage}. {m.please_try_again()}
|
||||
</p>
|
||||
{:else if success}
|
||||
<p class="text-muted-foreground mt-2">{m.the_device_has_been_authorized()}</p>
|
||||
{:else if authorizationRequired}
|
||||
<div transition:slide={{ duration: 300 }}>
|
||||
<Card.Root class="mt-6">
|
||||
<Card.Header class="pb-5">
|
||||
<p class="text-muted-foreground text-start">
|
||||
{@html m.client_wants_to_access_the_following_information({
|
||||
client: deviceInfo!.client.name
|
||||
})}
|
||||
</p>
|
||||
</Card.Header>
|
||||
<Card.Content data-testid="scopes">
|
||||
<ScopeList scope={deviceInfo!.scope} />
|
||||
</Card.Content>
|
||||
</Card.Root>
|
||||
</div>
|
||||
{:else}
|
||||
<p class="text-muted-foreground mt-2">{m.enter_code_displayed_in_previous_step()}</p>
|
||||
<form id="device-code-form" onsubmit={authorize} class="w-full max-w-[450px]">
|
||||
<Input id="user-code" class="mt-7" placeholder={m.code()} bind:value={userCode} type="text" />
|
||||
</form>
|
||||
{/if}
|
||||
{#if !success}
|
||||
<div class="mt-10 flex w-full justify-stretch gap-2">
|
||||
<Button href="/" class="w-full" variant="secondary">{m.cancel()}</Button>
|
||||
{#if !errorMessage}
|
||||
<Button form="device-code-form" class="w-full" onclick={authorize} {isLoading}
|
||||
>{m.authorize()}</Button
|
||||
>
|
||||
{:else}
|
||||
<Button class="w-full" on:click={() => (errorMessage = null)}>{m.try_again()}</Button>
|
||||
{/if}
|
||||
</div>
|
||||
{/if}
|
||||
</SignInWrapper>
|
||||
@@ -31,7 +31,7 @@
|
||||
<title>{m.sign_in()}</title>
|
||||
</svelte:head>
|
||||
|
||||
<SignInWrapper animate={!$appConfigStore.disableAnimations}>
|
||||
<SignInWrapper>
|
||||
<div class="flex h-full flex-col justify-center">
|
||||
<div class="bg-muted mx-auto rounded-2xl p-3">
|
||||
<Logo class="h-10 w-10" />
|
||||
|
||||
Reference in New Issue
Block a user