Instantly authorize OAuth2 requests

darthmaim · darthmaim · commit 67a9e4eea20b · 2025-01-12T22:43:44.000+01:00
diff --git a/apps/web/app/(authorize)/authorize/[id]/actions.ts b/apps/web/app/(authorize)/authorize/[id]/actions.ts
@@ -15,7 +15,7 @@ import { cookies } from 'next/headers';
 import { userCookie } from '@/lib/cookie';
 import { getFormDataString } from '@/lib/form-data';
 import { cancelAuthorizationRequest } from '../helper';
-import { AuthorizationRequestData } from '../types';
+import { AuthorizationRequest, AuthorizationRequestData } from '../types';
 import { OAuth2ErrorCode } from '@/lib/oauth/error';
 import { notExpired } from '@/lib/db/helper';
 
@@ -50,19 +50,18 @@ export async function authorize(id: string, _: FormState, formData: FormData): P
 export async function authorizeInternal(
   id: string,
   accountIds: string[],
-  emailId: string | undefined
+  emailId: string | undefined | null
 ) {
   const authorizationRequest = await db.authorizationRequest.findUnique({
     where: { id, state: 'Pending', ...notExpired },
-  });
+  }) as AuthorizationRequest | null;
 
   if(!authorizationRequest) {
     return { error: 'Authorization request not found' };
   }
 
-  // get data
-  const data = authorizationRequest.data as unknown as AuthorizationRequestData;
-  const scopes = data.scope.split(' ') as Scope[];
+  // get scopes
+  const scopes = authorizationRequest.data.scope.split(' ') as Scope[];
 
   // verify at least one account was selected
   if((hasGW2Scopes(scopes) || scopes.includes(Scope.Accounts)) && accountIds.length === 0) {
@@ -104,8 +103,8 @@ export async function authorizeInternal(
         data: {
           ...identifier,
           scope: scopes,
-          redirectUri: authorizationRequest.type === 'OAuth2' ? (data as AuthorizationRequestData.OAuth2).redirect_uri : undefined,
-          codeChallenge: `${data.code_challenge_method}:${data.code_challenge}`,
+          redirectUri: authorizationRequest.type === 'OAuth2' ? authorizationRequest.data.redirect_uri : undefined,
+          codeChallenge: `${authorizationRequest.data.code_challenge_method}:${authorizationRequest.data.code_challenge}`,
           token: generateCode(),
           expiresAt: expiresAt(60),
           accounts: { connect: accountIds.map((id) => ({ id })) },
@@ -121,8 +120,8 @@ export async function authorizeInternal(
 
   switch(authorizationRequest.type) {
     case AuthorizationRequestType.OAuth2: {
-      const url = await createRedirectUrl((data as AuthorizationRequestData.OAuth2).redirect_uri, {
-        state: data.state,
+      const url = await createRedirectUrl(authorizationRequest.data.redirect_uri, {
+        state: authorizationRequest.data.state,
         code: authorization.token,
       });
 
@@ -141,7 +140,7 @@ export async function cancelAuthorization(id: string) {
 
   switch(authRequest.type) {
     case AuthorizationRequestType.OAuth2: {
-      const data = authRequest.data as unknown as AuthorizationRequestData<typeof authRequest.type>;
+      const data = authRequest.data;
 
       const cancelUrl = await createRedirectUrl(data.redirect_uri, {
         state: data.state,
diff --git a/apps/web/app/(authorize)/authorize/[id]/page.tsx b/apps/web/app/(authorize)/authorize/[id]/page.tsx
@@ -28,8 +28,9 @@ import Link from 'next/link';
 import { Select } from '@gw2treasures/ui/components/Form/Select';
 import { PageProps } from '@/lib/next';
 import { isExpired } from '@/lib/date';
-import { AuthorizationRequestData } from '../types';
+import { AuthorizationRequest } from '../types';
 import { normalizeScopes } from 'app/(authorize)/oauth2/authorize/validate';
+import { cancelAuthorizationRequest } from '../helper';
 
 const getPendingAuthorizationRequest = cache(
   (id: string) => db.authorizationRequest.findUnique({
@@ -44,7 +45,7 @@ export default async function AuthorizePage({ params }: PageProps<{ id: string }
   const returnUrl = `/authorize/${id}`;
 
   // get the request
-  const authRequest = await getPendingAuthorizationRequest(id);
+  const authRequest = await getPendingAuthorizationRequest(id) as (AuthorizationRequest & { client: NonNullable<Awaited<ReturnType<typeof getPendingAuthorizationRequest>>>['client'] }) | null;
 
   if(!authRequest) {
     return <Notice type="error">Authorization request not found.</Notice>;
@@ -55,7 +56,6 @@ export default async function AuthorizePage({ params }: PageProps<{ id: string }
   }
 
   const { client } = authRequest;
-  const request = authRequest.data as unknown as AuthorizationRequestData;
 
   // get current user
   const session = await getSession();
@@ -65,43 +65,45 @@ export default async function AuthorizePage({ params }: PageProps<{ id: string }
   const previousAuthorization = session ? await getPreviousAuthorization(client.id, session.userId) : undefined;
   const previousScope = new Set(previousAuthorization?.scope as Scope[]);
   const previousAccountIds = previousAuthorization?.accounts.map(({ id }) => id) ?? [];
-  const scopes = new Set(decodeURIComponent(request.scope).split(' ') as Scope[]);
+  const scopes = new Set(decodeURIComponent(authRequest.data.scope).split(' ') as Scope[]);
 
   // normalize the previous scopes
   normalizeScopes(previousScope);
 
   // if `include_granted_scopes` is set add all previous scopes to the current scopes
-  if(request.include_granted_scopes) {
+  if(authRequest.data.include_granted_scopes) {
     previousScope.forEach((scope) => scopes.add(scope));
   }
 
   // normalize the current scopes
   normalizeScopes(scopes);
 
-  const verifiedAccountsOnly = scopes.has(Scope.Accounts_Verified) && request.verified_accounts_only === 'true';
+  const verifiedAccountsOnly = scopes.has(Scope.Accounts_Verified) && authRequest.data.verified_accounts_only === 'true';
 
   // get new/existing scopes
   const newScopes = Array.from(scopes).filter((scope) => !previousScope.has(scope));
   const oldScopes = Array.from(previousScope).filter((scope) => scopes.has(scope));
 
   const redirect_uri = authRequest.type === 'OAuth2' ?
-    new URL((request as AuthorizationRequestData.OAuth2).redirect_uri)
+    new URL(authRequest.data.redirect_uri)
     : undefined;
 
 
   // handle prompt!=consent
   const allPreviouslyAuthorized = newScopes.length === 0;
   let autoAuthorizeState: FormState | undefined;
-  if(allPreviouslyAuthorized && request.prompt !== 'consent') {
+  if(allPreviouslyAuthorized && authRequest.data.prompt !== 'consent') {
     autoAuthorizeState = await authorizeInternal(id, previousAccountIds, previousAuthorization?.emailId ?? undefined);
   }
 
   // handle prompt=none
-  if(!allPreviouslyAuthorized && request.prompt === 'none') {
+  if(!allPreviouslyAuthorized && authRequest.data.prompt === 'none') {
+    await cancelAuthorizationRequest(authRequest.id);
+
     switch(authRequest.type) {
       case AuthorizationRequestType.OAuth2: {
-        const errorUrl = await createRedirectUrl((request as AuthorizationRequestData.OAuth2).redirect_uri, {
-          state: request.state,
+        const errorUrl = await createRedirectUrl(authRequest.data.redirect_uri, {
+          state: authRequest.data.state,
           error: OAuth2ErrorCode.access_denied,
           error_description: 'user not previously authorized',
         });
diff --git a/apps/web/app/(authorize)/authorize/helper.ts b/apps/web/app/(authorize)/authorize/helper.ts
@@ -1,8 +1,11 @@
-import { AuthorizationRequest, AuthorizationRequestType, Prisma } from '@gw2me/database';
-import { AuthorizationRequestData } from './types';
+import { Authorization, AuthorizationRequestType, AuthorizationType, Prisma } from '@gw2me/database';
+import { AuthorizationRequestData, AuthorizationRequest } from './types';
 import { db } from '@/lib/db';
 import { expiresAt } from '@/lib/date';
 import { notExpired } from '@/lib/db/helper';
+import { getSession } from '@/lib/session';
+import { normalizeScopes } from '../oauth2/authorize/validate';
+import { Scope } from '@gw2me/client';
 
 export async function createAuthorizationRequest<T extends AuthorizationRequestType>(type: T, data: AuthorizationRequestData<T>): Promise<AuthorizationRequest> {
   // TODO: verify???
@@ -16,7 +19,7 @@ export async function createAuthorizationRequest<T extends AuthorizationRequestT
     }
   });
 
-  return authorizationRequest;
+  return authorizationRequest as AuthorizationRequest;
 }
 
 export async function cancelAuthorizationRequest(id: string) {
@@ -29,5 +32,33 @@ export async function cancelAuthorizationRequest(id: string) {
     throw new Error('Authorization request could not be canceled.');
   }
 
-  return canceled;
+  return canceled as AuthorizationRequest;
+}
+
+export async function getPreviousAuthorizationMatchingScopes(authorizationRequest: AuthorizationRequest): Promise<false | (Authorization & { accounts: { id: string }[] })> {
+  const session = await getSession();
+
+  // if the user is not logged in, we need to show the auth/login screen
+  if(!session) {
+    return false;
+  }
+
+  // get requested scopes
+  const scopes = new Set(authorizationRequest.data.scope.split(' ') as Scope[]);
+  normalizeScopes(scopes);
+
+  console.log('[getPreviousAuthorizationMatchingScopes]', { clientId: authorizationRequest.clientId, userId: session.userId, scopes });
+
+  // get previous authorization
+  const previousAuthorization = await db.authorization.findFirst({
+    where: {
+      clientId: authorizationRequest.clientId,
+      userId: session.userId,
+      type: { not: AuthorizationType.Code },
+      scope: { hasEvery: Array.from(scopes) }
+    },
+    include: { accounts: { select: { id: true }}}
+  });
+
+  return previousAuthorization ?? false;
 }
diff --git a/apps/web/app/(authorize)/authorize/types.ts b/apps/web/app/(authorize)/authorize/types.ts
@@ -1,5 +1,5 @@
 /* eslint-disable @typescript-eslint/no-namespace */
-import { AuthorizationRequestType } from '@gw2me/database';
+import type { AuthorizationRequest as DbAuthorizationRequest, AuthorizationRequestType } from '@gw2me/database';
 
 export namespace AuthorizationRequestData {
   interface Common {
@@ -25,3 +25,9 @@ export type AuthorizationRequestData<T extends AuthorizationRequestType = Author
   T extends 'OAuth2' ? AuthorizationRequestData.OAuth2 :
   T extends 'FedCM' ? AuthorizationRequestData.FedCM :
   never;
+
+export namespace AuthorizationRequest {
+  export type OAuth2 = DbAuthorizationRequest & { type: 'OAuth2', data: AuthorizationRequestData.OAuth2 };
+  export type FedCM = DbAuthorizationRequest & { type: 'FedCM', data: AuthorizationRequestData.FedCM };
+}
+export type AuthorizationRequest = AuthorizationRequest.OAuth2 | AuthorizationRequest.FedCM;
diff --git a/apps/web/app/(authorize)/oauth2/authorize/page.tsx b/apps/web/app/(authorize)/oauth2/authorize/page.tsx
@@ -3,18 +3,49 @@ import { validateRequest } from './validate';
 import { Notice } from '@gw2treasures/ui/components/Notice/Notice';
 import { AuthorizationRequestType } from '@gw2me/database';
 import { PageProps } from '@/lib/next';
-import { createAuthorizationRequest } from 'app/(authorize)/authorize/helper';
+import { cancelAuthorizationRequest, createAuthorizationRequest, getPreviousAuthorizationMatchingScopes } from 'app/(authorize)/authorize/helper';
+import { authorizeInternal } from 'app/(authorize)/authorize/[id]/actions';
+import { createRedirectUrl } from '@/lib/redirectUrl';
+import { OAuth2ErrorCode } from '@/lib/oauth/error';
 
 export default async function AuthorizePage({ searchParams }: PageProps) {
   // validate request
   const { error, request } = await validateRequest(await searchParams);
 
   // show unrecoverable error
+  // TODO: convert this page to a route and redirect to an error page instead?
   if(error !== undefined) {
     return <Notice type="error">{error}</Notice>;
   }
 
   // create and redirect to auth request
-  const { id } = await createAuthorizationRequest(AuthorizationRequestType.OAuth2, request);
-  redirect(`/authorize/${id}`);
+  const authorizationRequest = await createAuthorizationRequest(AuthorizationRequestType.OAuth2, request);
+
+  // if the prompt was not consent, we can try to instantly authorize the request
+  if(request.prompt !== 'consent') {
+    // check if the user has previously authorized the same scopes
+    const previousAuthorization = await getPreviousAuthorizationMatchingScopes(authorizationRequest);
+
+    if(previousAuthorization) {
+      // authorize the request. If this fails for some reason, we just ignore it and continue to redirect the user to the auth screen
+      await authorizeInternal(authorizationRequest.id, previousAuthorization.accounts.map(({ id }) => id), previousAuthorization.emailId);
+    } else if(request.prompt === 'none') {
+      // if the request has prompt=none, we have to cancel the authorization request and redirect the user back
+      await cancelAuthorizationRequest(authorizationRequest.id);
+
+      const errorUrl = await createRedirectUrl(request.redirect_uri, {
+        state: request.state,
+        error: OAuth2ErrorCode.access_denied,
+        error_description: 'user not previously authorized',
+      });
+
+      redirect(errorUrl.toString());
+    }
+  }
+
+  redirect(`/authorize/${authorizationRequest.id}`);
 }
+
+export const metadata = {
+  title: 'Authorize'
+};
diff --git a/apps/web/app/(authorize)/oauth2/authorize/validate.ts b/apps/web/app/(authorize)/oauth2/authorize/validate.ts
@@ -6,7 +6,7 @@ import { ClientType } from '@gw2me/database';
 import { redirect } from 'next/navigation';
 import { cache } from 'react';
 import { createRedirectUrl } from '@/lib/redirectUrl';
-import { AuthorizeRequestParams } from 'app/authorize/types';
+import type { AuthorizationRequestData } from 'app/(authorize)/authorize/types';
 
 export const getApplicationByClientId = cache(async function getApplicationByClientId(clientId: string | undefined) {
   assert(clientId, OAuth2ErrorCode.invalid_request, 'client_id is missing');
@@ -34,12 +34,12 @@ export const getApplicationByClientId = cache(async function getApplicationByCli
   return client;
 });
 
-async function verifyClientId({ client_id }: Partial<AuthorizeRequestParams>) {
+async function verifyClientId({ client_id }: Partial<AuthorizationRequestData.OAuth2>) {
   await getApplicationByClientId(client_id);
 }
 
 /** @see https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2 */
-async function verifyRedirectUri({ client_id, redirect_uri }: Partial<AuthorizeRequestParams>) {
+async function verifyRedirectUri({ client_id, redirect_uri }: Partial<AuthorizationRequestData.OAuth2>) {
   assert(redirect_uri, OAuth2ErrorCode.invalid_request, 'redirect_uri is missing');
 
   const url = tryOrFail(() => new URL(redirect_uri), OAuth2ErrorCode.invalid_request, 'invalid redirect_uri');
@@ -55,15 +55,15 @@ async function verifyRedirectUri({ client_id, redirect_uri }: Partial<AuthorizeR
 }
 
 /** @see https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.1 */
-function verifyResponseType({ response_type }: Partial<AuthorizeRequestParams>) {
+function verifyResponseType({ response_type }: Partial<AuthorizationRequestData.OAuth2>) {
   const supportedResponseTypes = ['code'];
 
   assert(response_type, OAuth2ErrorCode.invalid_request, 'missing response_type');
   assert(supportedResponseTypes.includes(response_type), OAuth2ErrorCode.unsupported_response_type, 'response_type is unsupported');
 }
 
 /** @see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3 */
-function verifyScopes({ scope }: Partial<AuthorizeRequestParams>) {
+function verifyScopes({ scope }: Partial<AuthorizationRequestData.OAuth2>) {
   assert(scope, OAuth2ErrorCode.invalid_request, 'missing scopes');
 
   const validScopes: string[] = Object.values(Scope);
@@ -75,7 +75,7 @@ function verifyScopes({ scope }: Partial<AuthorizeRequestParams>) {
 }
 
 /** @see https://datatracker.ietf.org/doc/html/rfc7636#section-4.3 */
-async function verifyPKCE({ client_id, code_challenge, code_challenge_method }: Partial<AuthorizeRequestParams>) {
+async function verifyPKCE({ client_id, code_challenge, code_challenge_method }: Partial<AuthorizationRequestData.OAuth2>) {
   const supportedAlgorithms = ['S256'];
 
   const hasPKCE = !!code_challenge || !!code_challenge_method;
@@ -89,19 +89,19 @@ async function verifyPKCE({ client_id, code_challenge, code_challenge_method }:
   fail(client.type === ClientType.Public && !hasPKCE, OAuth2ErrorCode.invalid_request, 'PKCE is required for public clients');
 }
 
-function verifyIncludeGrantedScopes({ include_granted_scopes }: Partial<AuthorizeRequestParams>) {
+function verifyIncludeGrantedScopes({ include_granted_scopes }: Partial<AuthorizationRequestData.OAuth2>) {
   assert(include_granted_scopes === undefined || include_granted_scopes === 'true', OAuth2ErrorCode.invalid_request, 'invalid include_granted_scopes');
 }
 
-function verifyPrompt({ prompt }: Partial<AuthorizeRequestParams>) {
+function verifyPrompt({ prompt }: Partial<AuthorizationRequestData.OAuth2>) {
   assert([undefined, 'none', 'consent'].includes(prompt), OAuth2ErrorCode.invalid_request, 'invalid prompt');
 }
 
-function verifyVerifiedAccountsOnly({ verified_accounts_only }: Partial<AuthorizeRequestParams>) {
+function verifyVerifiedAccountsOnly({ verified_accounts_only }: Partial<AuthorizationRequestData.OAuth2>) {
   assert(verified_accounts_only === undefined || verified_accounts_only === 'true', OAuth2ErrorCode.invalid_request, 'invalid verified_accounts_only');
 }
 
-export const validateRequest = cache(async function validateRequest(request: Partial<AuthorizeRequestParams>): Promise<{ error: string, request?: undefined } | { error: undefined, request: AuthorizeRequestParams }> {
+export const validateRequest = cache(async function validateRequest(request: Partial<AuthorizationRequestData.OAuth2>): Promise<{ error: string, request?: undefined } | { error: undefined, request: AuthorizationRequestData.OAuth2 }> {
   try {
     // first verify client_id and redirect_uri
     await verifyClientId(request);
@@ -127,7 +127,7 @@ export const validateRequest = cache(async function validateRequest(request: Par
       verifyVerifiedAccountsOnly(request),
     ]);
 
-    return { error: undefined, request: request as AuthorizeRequestParams };
+    return { error: undefined, request: request as AuthorizationRequestData.OAuth2 };
   } catch(error) {
     let redirect_uri: URL;
 
