chore: bump to oauth4webapi@3 (#11994)

panva · web-flow · commit 0244513061d4 · 2024-10-08T13:11:59.000+02:00
diff --git a/packages/core/package.json b/packages/core/package.json
@@ -71,7 +71,7 @@
     "@types/cookie": "0.6.0",
     "cookie": "0.7.1",
     "jose": "^5.9.3",
-    "oauth4webapi": "^2.17.0",
+    "oauth4webapi": "^3.0.0",
     "preact": "10.11.3",
     "preact-render-to-string": "5.2.3"
   },
diff --git a/packages/core/src/lib/actions/callback/oauth/callback.ts b/packages/core/src/lib/actions/callback/oauth/callback.ts
@@ -19,6 +19,21 @@ import type { Cookie } from "../../../utils/cookie.js"
 import { isOIDCProvider } from "../../../utils/providers.js"
 import { fetchOpt } from "../../../utils/custom-fetch.js"
 
+function formUrlEncode(token: string) {
+  return encodeURIComponent(token).replace(/%20/g, "+")
+}
+
+/**
+ * Formats client_id and client_secret as an HTTP Basic Authentication header as per the OAuth 2.0
+ * specified in RFC6749.
+ */
+function clientSecretBasic(clientId: string, clientSecret: string) {
+  const username = formUrlEncode(clientId)
+  const password = formUrlEncode(clientSecret)
+  const credentials = btoa(`${username}:${password}`)
+  return `Basic ${credentials}`
+}
+
 /**
  * Handles the following OAuth steps.
  * https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1
@@ -46,10 +61,11 @@ export async function handleOAuth(
     // We assume that issuer is always defined as this has been asserted earlier
 
     const issuer = new URL(provider.issuer!)
-    const discoveryResponse = await o.discoveryRequest(
-      issuer,
-      fetchOpt(provider)
-    )
+    // TODO: move away from allowing insecure HTTP requests
+    const discoveryResponse = await o.discoveryRequest(issuer, {
+      ...fetchOpt(provider),
+      [o.allowInsecureRequests]: true,
+    })
     const discoveredAs = await o.processDiscoveryResponse(
       issuer,
       discoveryResponse
@@ -76,26 +92,63 @@ export async function handleOAuth(
 
   const client: o.Client = {
     client_id: provider.clientId,
-    client_secret: provider.clientSecret,
     ...provider.client,
   }
 
+  let clientAuth: o.ClientAuth
+
+  switch (client.token_endpoint_auth_method) {
+    // TODO: in the next breaking major version have undefined be `client_secret_post`
+    case undefined:
+    case "client_secret_basic":
+      // TODO: in the next breaking major version use o.ClientSecretBasic() here
+      clientAuth = (_as, _client, _body, headers) => {
+        headers.set(
+          "authorization",
+          clientSecretBasic(provider.clientId, provider.clientSecret!)
+        )
+      }
+      break
+    case "client_secret_post":
+      clientAuth = o.ClientSecretPost(provider.clientSecret!)
+      break
+    case "client_secret_jwt":
+      clientAuth = o.ClientSecretJwt(provider.clientSecret!)
+      break
+    case "private_key_jwt":
+      clientAuth = o.PrivateKeyJwt(provider.token!.clientPrivateKey!, {
+        // TODO: review in the next breaking change
+        [o.modifyAssertion](_header, payload) {
+          payload.aud = [as.issuer, as.token_endpoint!]
+        },
+      })
+      break
+    default:
+      throw new Error("unsupported client authentication method")
+  }
+
   const resCookies: Cookie[] = []
 
   const state = await checks.state.use(cookies, resCookies, options)
 
-  const codeGrantParams = o.validateAuthResponse(
-    as,
-    client,
-    new URLSearchParams(params),
-    provider.checks.includes("state") ? state : o.skipStateCheck
-  )
-
-  /** https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2.1 */
-  if (o.isOAuth2Error(codeGrantParams)) {
-    const cause = { providerId: provider.id, ...codeGrantParams }
-    logger.debug("OAuthCallbackError", cause)
-    throw new OAuthCallbackError("OAuth Provider returned an error", cause)
+  let codeGrantParams: URLSearchParams
+  try {
+    codeGrantParams = o.validateAuthResponse(
+      as,
+      client,
+      new URLSearchParams(params),
+      provider.checks.includes("state") ? state : o.skipStateCheck
+    )
+  } catch (err) {
+    if (err instanceof o.AuthorizationResponseError) {
+      const cause = {
+        providerId: provider.id,
+        ...Object.fromEntries(err.cause.entries()),
+      }
+      logger.debug("OAuthCallbackError", cause)
+      throw new OAuthCallbackError("OAuth Provider returned an error", cause)
+    }
+    throw err
   }
 
   const codeVerifier = await checks.pkce.use(cookies, resCookies, options)
@@ -108,20 +161,19 @@ export async function handleOAuth(
   let codeGrantResponse = await o.authorizationCodeGrantRequest(
     as,
     client,
+    clientAuth,
     codeGrantParams,
     redirect_uri,
-    codeVerifier ?? "auth", // TODO: review fallback code verifier,
+    codeVerifier ?? "decoy",
     {
+      // TODO: move away from allowing insecure HTTP requests
+      [o.allowInsecureRequests]: true,
       [o.customFetch]: (...args) => {
-        if (
-          !provider.checks.includes("pkce") &&
-          args[1]?.body instanceof URLSearchParams
-        ) {
+        if (!provider.checks.includes("pkce")) {
           args[1].body.delete("code_verifier")
         }
         return fetchOpt(provider)[o.customFetch](...args)
       },
-      clientPrivateKey: provider.token?.clientPrivateKey,
     }
   )
 
@@ -131,41 +183,35 @@ export async function handleOAuth(
       codeGrantResponse
   }
 
-  let challenges: o.WWWAuthenticateChallenge[] | undefined
-  if ((challenges = o.parseWwwAuthenticateChallenges(codeGrantResponse))) {
-    for (const challenge of challenges) {
-      console.log("challenge", challenge)
-    }
-    throw new Error("TODO: Handle www-authenticate challenges as needed")
-  }
-
   let profile: Profile = {}
-  let tokens: TokenSet & Pick<Account, "expires_at">
 
-  if (isOIDCProvider(provider)) {
-    const nonce = await checks.nonce.use(cookies, resCookies, options)
-    const processedCodeResponse =
-      await o.processAuthorizationCodeOpenIDResponse(
-        as,
-        client,
-        codeGrantResponse,
-        nonce ?? o.expectNoNonce
-      )
-
-    if (o.isOAuth2Error(processedCodeResponse)) {
-      console.log("error", processedCodeResponse)
-      throw new Error("TODO: Handle OIDC response body error")
+  const isOidc = isOIDCProvider(provider)
+  const processedCodeResponse = await o.processAuthorizationCodeResponse(
+    as,
+    client,
+    codeGrantResponse,
+    {
+      expectedNonce: await checks.nonce.use(cookies, resCookies, options),
+      requireIdToken: isOidc,
     }
+  )
+
+  const tokens: TokenSet & Pick<Account, "expires_at"> = processedCodeResponse
 
-    const idTokenClaims = o.getValidatedIdTokenClaims(processedCodeResponse)
+  if (isOidc) {
+    const idTokenClaims = o.getValidatedIdTokenClaims(processedCodeResponse)!
     profile = idTokenClaims
 
     if (provider.idToken === false) {
       const userinfoResponse = await o.userInfoRequest(
         as,
         client,
         processedCodeResponse.access_token,
-        fetchOpt(provider)
+        {
+          ...fetchOpt(provider),
+          // TODO: move away from allowing insecure HTTP requests
+          [o.allowInsecureRequests]: true,
+        }
       )
 
       profile = await o.processUserInfoResponse(
@@ -175,20 +221,7 @@ export async function handleOAuth(
         userinfoResponse
       )
     }
-    tokens = processedCodeResponse
   } else {
-    const processedCodeResponse =
-      await o.processAuthorizationCodeOAuth2Response(
-        as,
-        client,
-        codeGrantResponse
-      )
-    tokens = processedCodeResponse
-    if (o.isOAuth2Error(processedCodeResponse)) {
-      console.log("error", processedCodeResponse)
-      throw new Error("TODO: Handle OAuth 2.0 response body error")
-    }
-
     if (userinfo?.request) {
       const _profile = await userinfo.request({ tokens, provider })
       if (_profile instanceof Object) profile = _profile
diff --git a/packages/core/src/lib/actions/signin/authorization-url.ts b/packages/core/src/lib/actions/signin/authorization-url.ts
@@ -25,10 +25,11 @@ export async function getAuthorizationUrl(
     // We check this in assert.ts
 
     const issuer = new URL(provider.issuer!)
-    const discoveryResponse = await o.discoveryRequest(
-      issuer,
-      fetchOpt(options.provider)
-    )
+    // TODO: move away from allowing insecure HTTP requests
+    const discoveryResponse = await o.discoveryRequest(issuer, {
+      ...fetchOpt(options.provider),
+      [o.allowInsecureRequests]: true,
+    })
     const as = await o.processDiscoveryResponse(issuer, discoveryResponse)
 
     if (!as.authorization_endpoint) {
diff --git a/packages/core/src/providers/oauth.ts b/packages/core/src/providers/oauth.ts
@@ -205,7 +205,7 @@ export interface OAuth2Config<Profile>
    * Pass overrides to the underlying OAuth library.
    * See [`oauth4webapi` client](https://github.com/panva/oauth4webapi/blob/main/docs/interfaces/Client.md) for details.
    */
-  client?: Partial<Client>
+  client?: Partial<Client & { token_endpoint_auth_method: string }>
   style?: OAuthProviderButtonStyles
   /**
    * Normally, when you sign in with an OAuth provider and another account
diff --git a/packages/core/src/types.ts b/packages/core/src/types.ts
@@ -52,10 +52,7 @@
  */
 
 import type { CookieSerializeOptions } from "cookie"
-import type {
-  OAuth2TokenEndpointResponse,
-  OpenIDTokenEndpointResponse,
-} from "oauth4webapi"
+import type { TokenEndpointResponse } from "oauth4webapi"
 import type { Adapter } from "./adapters.js"
 import { AuthConfig } from "./index.js"
 import type { JWTOptions } from "./jwt.js"
@@ -102,9 +99,7 @@ export interface Theme {
  * Some of them are available with different casing,
  * but they refer to the same value.
  */
-export type TokenSet = Partial<
-  OAuth2TokenEndpointResponse | OpenIDTokenEndpointResponse
-> & {
+export type TokenSet = Partial<TokenEndpointResponse> & {
   /**
    * Date of when the `access_token` expires in seconds.
    * This value is calculated from the `expires_in` value.
@@ -118,7 +113,7 @@ export type TokenSet = Partial<
  * Usually contains information about the provider being used
  * and also extends `TokenSet`, which is different tokens returned by OAuth Providers.
  */
-export interface Account extends Partial<OpenIDTokenEndpointResponse> {
+export interface Account extends Partial<TokenEndpointResponse> {
   /** Provider's id for this account. E.g. "google". See the full list at https://authjs.dev/reference/core/providers */
   provider: string
   /**
@@ -137,11 +132,11 @@ export interface Account extends Partial<OpenIDTokenEndpointResponse> {
    */
   userId?: string
   /**
-   * Calculated value based on {@link OAuth2TokenEndpointResponse.expires_in}.
+   * Calculated value based on {@link TokenEndpointResponse.expires_in}.
    *
-   * It is the absolute timestamp (in seconds) when the {@link OAuth2TokenEndpointResponse.access_token} expires.
+   * It is the absolute timestamp (in seconds) when the {@link TokenEndpointResponse.access_token} expires.
    *
-   * This value can be used for implementing token rotation together with {@link OAuth2TokenEndpointResponse.refresh_token}.
+   * This value can be used for implementing token rotation together with {@link TokenEndpointResponse.refresh_token}.
    *
    * @see https://authjs.dev/guides/refresh-token-rotation#database-strategy
    * @see https://www.rfc-editor.org/rfc/rfc6749#section-5.1
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
