2024-07-11 19:25:19 +00:00
|
|
|
import { createCookieSessionStorage, redirect } from '@remix-run/cloudflare';
|
2024-07-29 19:26:52 +00:00
|
|
|
import { decodeJwt } from 'jose';
|
2024-07-29 18:31:45 +00:00
|
|
|
import { CLIENT_ID, CLIENT_ORIGIN } from '~/lib/constants';
|
2024-07-30 08:31:35 +00:00
|
|
|
import { request as doRequest } from '~/lib/fetch';
|
2024-07-29 18:31:45 +00:00
|
|
|
import { logger } from '~/utils/logger';
|
2024-08-12 15:37:45 +00:00
|
|
|
import type { Identity } from '~/lib/analytics';
|
2024-07-11 19:25:19 +00:00
|
|
|
|
2024-07-29 18:31:45 +00:00
|
|
|
const DEV_SESSION_SECRET = import.meta.env.DEV ? 'LZQMrERo3Ewn/AbpSYJ9aw==' : undefined;
|
2024-07-11 19:25:19 +00:00
|
|
|
|
2024-07-29 18:31:45 +00:00
|
|
|
interface SessionData {
|
|
|
|
refresh: string;
|
|
|
|
expiresAt: number;
|
2024-08-12 15:37:45 +00:00
|
|
|
userId: string | null;
|
|
|
|
segmentWriteKey: string | null;
|
2024-07-29 18:31:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
export async function isAuthenticated(request: Request, env: Env) {
|
|
|
|
const { session, sessionStorage } = await getSession(request, env);
|
|
|
|
const token = session.get('refresh');
|
|
|
|
|
|
|
|
const header = async (cookie: Promise<string>) => ({ headers: { 'Set-Cookie': await cookie } });
|
|
|
|
const destroy = () => header(sessionStorage.destroySession(session));
|
|
|
|
|
|
|
|
if (token == null) {
|
|
|
|
return { authenticated: false as const, response: await destroy() };
|
|
|
|
}
|
|
|
|
|
|
|
|
const expiresAt = session.get('expiresAt') ?? 0;
|
|
|
|
|
|
|
|
if (Date.now() < expiresAt) {
|
|
|
|
return { authenticated: true as const };
|
|
|
|
}
|
|
|
|
|
|
|
|
let data: Awaited<ReturnType<typeof refreshToken>> | null = null;
|
|
|
|
|
|
|
|
try {
|
|
|
|
data = await refreshToken(token);
|
|
|
|
} catch {
|
2024-07-30 08:31:35 +00:00
|
|
|
// we can ignore the error here because it's handled below
|
2024-07-29 18:31:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if (data != null) {
|
|
|
|
const expiresAt = cookieExpiration(data.expires_in, data.created_at);
|
|
|
|
session.set('expiresAt', expiresAt);
|
|
|
|
|
|
|
|
return { authenticated: true as const, response: await header(sessionStorage.commitSession(session)) };
|
|
|
|
} else {
|
|
|
|
return { authenticated: false as const, response: await destroy() };
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
export async function createUserSession(
|
|
|
|
request: Request,
|
|
|
|
env: Env,
|
|
|
|
tokens: { refresh: string; expires_in: number; created_at: number },
|
2024-08-12 15:37:45 +00:00
|
|
|
identity?: Identity,
|
2024-07-29 18:31:45 +00:00
|
|
|
): Promise<ResponseInit> {
|
|
|
|
const { session, sessionStorage } = await getSession(request, env);
|
|
|
|
|
|
|
|
const expiresAt = cookieExpiration(tokens.expires_in, tokens.created_at);
|
|
|
|
|
|
|
|
session.set('refresh', tokens.refresh);
|
|
|
|
session.set('expiresAt', expiresAt);
|
|
|
|
|
2024-08-12 15:37:45 +00:00
|
|
|
if (identity) {
|
|
|
|
session.set('userId', identity.userId ?? null);
|
|
|
|
session.set('segmentWriteKey', identity.segmentWriteKey ?? null);
|
|
|
|
}
|
|
|
|
|
2024-07-29 18:31:45 +00:00
|
|
|
return {
|
|
|
|
headers: {
|
|
|
|
'Set-Cookie': await sessionStorage.commitSession(session, {
|
|
|
|
maxAge: 3600 * 24 * 30, // 1 month
|
|
|
|
}),
|
|
|
|
},
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
function getSessionStorage(cloudflareEnv: Env) {
|
|
|
|
return createCookieSessionStorage<SessionData>({
|
2024-07-11 19:25:19 +00:00
|
|
|
cookie: {
|
|
|
|
name: '__session',
|
|
|
|
httpOnly: true,
|
|
|
|
path: '/',
|
2024-07-29 18:31:45 +00:00
|
|
|
secrets: [DEV_SESSION_SECRET || cloudflareEnv.SESSION_SECRET],
|
|
|
|
secure: import.meta.env.PROD,
|
2024-07-11 19:25:19 +00:00
|
|
|
},
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
export async function logout(request: Request, env: Env) {
|
|
|
|
const { session, sessionStorage } = await getSession(request, env);
|
|
|
|
|
2024-07-29 18:31:45 +00:00
|
|
|
revokeToken(session.get('refresh'));
|
|
|
|
|
2024-07-11 19:25:19 +00:00
|
|
|
return redirect('/login', {
|
|
|
|
headers: {
|
|
|
|
'Set-Cookie': await sessionStorage.destroySession(session),
|
|
|
|
},
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
2024-07-29 18:31:45 +00:00
|
|
|
export function validateAccessToken(access: string) {
|
2024-07-29 19:26:52 +00:00
|
|
|
const jwtPayload = decodeJwt(access);
|
2024-07-29 18:31:45 +00:00
|
|
|
|
2024-07-29 19:26:52 +00:00
|
|
|
return jwtPayload.bolt === true;
|
2024-07-11 19:25:19 +00:00
|
|
|
}
|
|
|
|
|
2024-08-12 15:37:45 +00:00
|
|
|
export async function getSession(request: Request, env: Env) {
|
2024-07-29 18:31:45 +00:00
|
|
|
const sessionStorage = getSessionStorage(env);
|
|
|
|
const cookie = request.headers.get('Cookie');
|
2024-07-11 19:25:19 +00:00
|
|
|
|
2024-07-29 18:31:45 +00:00
|
|
|
return { session: await sessionStorage.getSession(cookie), sessionStorage };
|
|
|
|
}
|
2024-07-11 19:25:19 +00:00
|
|
|
|
2024-07-29 18:31:45 +00:00
|
|
|
async function refreshToken(refresh: string): Promise<{ expires_in: number; created_at: number }> {
|
|
|
|
const response = await doRequest(`${CLIENT_ORIGIN}/oauth/token`, {
|
|
|
|
method: 'POST',
|
|
|
|
body: urlParams({ grant_type: 'refresh_token', client_id: CLIENT_ID, refresh_token: refresh }),
|
|
|
|
});
|
|
|
|
|
|
|
|
const body = await response.json();
|
|
|
|
|
|
|
|
if (!response.ok) {
|
|
|
|
throw new Error(`Unable to refresh token\n${JSON.stringify(body)}`);
|
|
|
|
}
|
|
|
|
|
|
|
|
const { access_token: access } = body;
|
|
|
|
|
|
|
|
if (!validateAccessToken(access)) {
|
|
|
|
throw new Error('User is no longer authorized for Bolt');
|
|
|
|
}
|
|
|
|
|
|
|
|
return body;
|
|
|
|
}
|
|
|
|
|
|
|
|
function cookieExpiration(expireIn: number, createdAt: number) {
|
|
|
|
return (expireIn + createdAt - 10 * 60) * 1000;
|
|
|
|
}
|
|
|
|
|
|
|
|
async function revokeToken(refresh?: string) {
|
|
|
|
if (refresh == null) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
try {
|
|
|
|
const response = await doRequest(`${CLIENT_ORIGIN}/oauth/revoke`, {
|
|
|
|
method: 'POST',
|
|
|
|
body: urlParams({
|
|
|
|
token: refresh,
|
|
|
|
token_type_hint: 'refresh_token',
|
|
|
|
client_id: CLIENT_ID,
|
2024-07-11 19:25:19 +00:00
|
|
|
}),
|
2024-07-29 18:31:45 +00:00
|
|
|
});
|
|
|
|
|
|
|
|
if (!response.ok) {
|
|
|
|
throw new Error(`Unable to revoke token: ${response.status}`);
|
|
|
|
}
|
|
|
|
} catch (error) {
|
|
|
|
logger.debug(error);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
function urlParams(data: Record<string, string>) {
|
|
|
|
const encoded = new URLSearchParams();
|
|
|
|
|
|
|
|
for (const [key, value] of Object.entries(data)) {
|
|
|
|
encoded.append(key, value);
|
|
|
|
}
|
|
|
|
|
|
|
|
return encoded;
|
2024-07-11 19:25:19 +00:00
|
|
|
}
|