creatorsgarten · rayriffy · May 5, 2024
diff --git a/Dockerfile b/Dockerfile
@@ -34,6 +34,5 @@ ENV TZ="Asia/Bangkok"
 COPY package.json ./
 COPY --chown=nonroot:nonroot --from=deps-prod /app/node_modules ./node_modules
 COPY --chown=nonroot:nonroot --from=builder /app/dist ./dist
-COPY server.mjs ./
 
-CMD ["./server.mjs"]
+
diff --git a/astro.config.mjs b/astro.config.mjs
@@ -2,7 +2,7 @@ import 'dotenv/config'
 import { defineConfig } from 'astro/config'
 
 /* Adapter */
-import node from '@astrojs/node'
+// import node from '@astrojs/node'
 
 /* Integrations */
 import react from '@astrojs/react'
@@ -14,9 +14,9 @@ import sentry from '@sentry/astro'
 export default defineConfig({
   output: 'server',
   site: 'https://creatorsgarten.org',
-  adapter: node({
-    mode: 'middleware',
-  }),
+  // adapter: node({
+  //   mode: 'middleware',
+  // }),
   prefetch: true,
   integrations: [
     tailwind(),

diff --git a/package.json b/package.json
@@ -3,7 +3,7 @@
   "type": "module",
   "version": "0.0.1",
   "private": true,
-  "packageManager": "[email protected]",
+  "trustedDependencies": ["@sentry/astro"],
   "lint-staged": {
     "*.{astro,html,js,jsx,md,mdx,svelte,ts,tsx,vue}": [
       "prettier --write"
@@ -19,22 +19,22 @@
     "prepare": "test -d node_modules/husky && husky install || echo \"husky is not installed\""
   },
   "dependencies": {
+    "@bogeychan/elysia-polyfills": "^0.6.4",
     "@contentsgarten/html": "^1.3.0",
     "@doist/typist": "^6.0.0",
-    "@fastify/middie": "^8.3.0",
-    "@fastify/static": "^7.0.0",
+    "@elysiajs/eden": "^1.0.12",
     "@nanostores/logger": "^0.3.0",
     "@nanostores/persistent": "^0.10.0",
     "@nanostores/react": "^0.7.1",
     "@sentry/astro": "^7.86.0",
+    "@sinclair/typebox": "^0.32.29",
     "@tanstack/react-query": "^5.0.0",
-    "@trpc/client": "10.45.2",
-    "@trpc/server": "10.45.2",
+    "@trpc/client": "^10.45.2",
     "astro-tweet": "^0.0.4",
     "clsx": "^2.0.0",
     "csrf": "^3.1.0",
     "dayjs": "^1.11.9",
-    "fastify": "^4.22.1",
+    "elysia": "^1.0.16",
     "google-auth-library": "^9.0.0",
     "jose": "^5.0.0",
     "jsonwebtoken": "^9.0.2",
@@ -47,9 +47,7 @@
     "react": "18.3.1",
     "react-dom": "18.3.1",
     "react-iconify-icon-wrapper": "^0.0.3",
-    "sitemap": "^7.1.1",
-    "zod": "^3.22.2",
-    "zod-validation-error": "^3.0.0"
+    "sitemap": "^7.1.1"
   },
   "devDependencies": {
     "@astrojs/check": "^0.5.0",

diff --git a/server.mjs b/server.mjs
diff --git a/src/backend/auth/authenticateDeviceAuthorizationSignature.ts b/src/backend/auth/authenticateDeviceAuthorizationSignature.ts
@@ -1,45 +1,40 @@
-import { collections } from '$constants/mongo'
-import { TRPCError } from '@trpc/server'
+import { collections } from '$constants/mongo.ts'
 import { ObjectId } from 'mongodb'
-import { generateMessageHash } from '../signatures/generateSignature'
-import { verifySignature } from '../signatures/verifySignature'
-import { finalizeAuthentication } from './finalizeAuthentication'
+import { generateMessageHash } from '../signatures/generateSignature.ts'
+import { verifySignature } from '../signatures/verifySignature.ts'
+import { finalizeAuthentication } from './finalizeAuthentication.ts'
+import type { Handler } from 'elysia'
+
+type Set = Parameters<Handler>[0]['set']
 
 export async function authenticateDeviceAuthorizationSignature(
   deviceId: string,
-  signature: string
+  signature: string,
+  set: Set
 ) {
   const result = await verifySignature(signature)
   if (!result.verified) {
-    throw new TRPCError({
-      code: 'UNAUTHORIZED',
-      message: 'Signature is not verified',
-    })
+    set.status = 401
+    return 'Signature is not verified'
   }
 
   const expectedMessage = `mobileAuthorize:${deviceId}`
   const expectedMessageHash = generateMessageHash(expectedMessage)
   if (result.messageHash !== expectedMessageHash) {
-    throw new TRPCError({
-      code: 'UNAUTHORIZED',
-      message: 'Signature is not for mobile authorization',
-    })
+    set.status = 401
+    return 'Signature is not for mobile authorization'
   }
 
   if (Date.parse(result.timestamp) < Date.now() - 15 * 60e3) {
-    throw new TRPCError({
-      code: 'UNAUTHORIZED',
-      message: 'Signature is expired',
-    })
+    set.status = 401
+    return 'Signature is expired'
   }
 
   const userId = result.userId
   const user = await collections.users.findOne({ _id: new ObjectId(userId) })
   if (!user) {
-    throw new TRPCError({
-      code: 'INTERNAL_SERVER_ERROR',
-      message: 'User not found in database. This should not happen.',
-    })
+    set.status = 500
+    return 'User not found in database. This should not happen.'
   }
 
   return finalizeAuthentication(user.uid)

diff --git a/src/backend/auth/authenticateDiscord.ts b/src/backend/auth/authenticateDiscord.ts
@@ -1,10 +1,10 @@
 import { ObjectId } from 'mongodb'
 
-import { collections } from '$constants/mongo'
-import { discordClient } from '$constants/secrets/discordClient'
+import { collections } from '$constants/mongo.ts'
+import { discordClient } from '$constants/secrets/discordClient.ts'
 
-import { getAuthenticatedUser } from './getAuthenticatedUser'
-import { finalizeAuthentication } from './finalizeAuthentication'
+import { getAuthenticatedUser } from './getAuthenticatedUser.ts'
+import { finalizeAuthentication } from './finalizeAuthentication.ts'
 
 import type { User } from '$types/mongo/User'
 

diff --git a/src/backend/auth/authenticateEventpopUser.ts b/src/backend/auth/authenticateEventpopUser.ts
@@ -1,10 +1,9 @@
-import { finalizeAuthentication } from './finalizeAuthentication'
+import { collections } from '$constants/mongo.ts'
+import { eventpopClient } from '$constants/secrets/eventpopClient.ts'
 
-import { collections } from '$constants/mongo'
-import { eventpopClient } from '$constants/secrets/eventpopClient'
-
-import { getEventpopUser } from 'src/backend/auth/getEventpopUser'
-import { getEventpopUserTickets } from 'src/backend/auth/getEventpopUserTickets'
+import { finalizeAuthentication } from './finalizeAuthentication.ts'
+import { getEventpopUser } from './getEventpopUser'
+import { getEventpopUserTickets } from './getEventpopUserTickets'
 
 interface EventpopAuthorizationResponse {
   access_token: string

diff --git a/src/backend/auth/authenticateGitHub.ts b/src/backend/auth/authenticateGitHub.ts
@@ -1,10 +1,10 @@
 import { ObjectId } from 'mongodb'
 
-import { githubClient } from '$constants/secrets/githubClient'
-import { collections } from '$constants/mongo'
+import { githubClient } from '$constants/secrets/githubClient.ts'
+import { collections } from '$constants/mongo.ts'
 
-import { getAuthenticatedUser } from './getAuthenticatedUser'
-import { finalizeAuthentication } from './finalizeAuthentication'
+import { getAuthenticatedUser } from './getAuthenticatedUser.ts'
+import { finalizeAuthentication } from './finalizeAuthentication.ts'
 
 import type { User } from '$types/mongo/User'
 

diff --git a/src/backend/auth/finalizeAuthentication.ts b/src/backend/auth/finalizeAuthentication.ts
@@ -1,10 +1,10 @@
 import jwt from 'jsonwebtoken'
 
-import { collections } from '$constants/mongo'
-import { maxSessionAge } from '$constants/maxSessionAge'
-import { privateKey } from '$constants/secrets/privateKey'
+import { collections } from '$constants/mongo.ts'
+import { maxSessionAge } from '$constants/maxSessionAge.ts'
+import { privateKey } from '$constants/secrets/privateKey.ts'
 
-import type { AuthenticatedUser } from '$types/AuthenticatedUser'
+import type { AuthenticatedUser } from '$types/AuthenticatedUser.ts'
 
 export const finalizeAuthentication = async (uid: number) => {
   // get mongo document

diff --git a/src/backend/auth/getAuthenticatedUser.ts b/src/backend/auth/getAuthenticatedUser.ts
@@ -1,8 +1,8 @@
 import jwt from 'jsonwebtoken'
 
-import { privateKey } from '$constants/secrets/privateKey'
+import { privateKey } from '$constants/secrets/privateKey.ts'
 
-import type { AuthenticatedUser } from '$types/AuthenticatedUser'
+import type { AuthenticatedUser } from '$types/AuthenticatedUser.ts'
 
 export const getAuthenticatedUser = async (
   token?: string

diff --git a/src/backend/auth/getBearer.ts b/src/backend/auth/getBearer.ts
@@ -0,0 +1,2 @@
+export const getBearer = (input?: string) =>
+  input?.startsWith('Bearer ') ? input.slice(7) : undefined
diff --git a/src/backend/auth/index.ts b/src/backend/auth/index.ts
@@ -0,0 +1,95 @@
+import { Elysia } from 'elysia'
+
+import {
+  auditInputSchema,
+  authorizationCodeInputSchema,
+  deviceAuthorizationSignatureInputSchema,
+  mintIdTokenInputSchema,
+} from './models'
+
+import { getAuthenticatedUser } from './getAuthenticatedUser'
+import { checkOAuthAudit, recordOAuthAudit } from './oAuthAudit'
+import { mintIdToken } from './mintIdToken.ts'
+import { authenticateEventpopUser } from './authenticateEventpopUser.ts'
+import { authenticateDeviceAuthorizationSignature } from './authenticateDeviceAuthorizationSignature.ts'
+import { authenticateGitHub } from './authenticateGitHub.ts'
+import { authenticateDiscord } from './authenticateDiscord.ts'
+import { createPrivateKey, createPublicKey } from 'crypto'
+import { privateKey } from '$constants/secrets/privateKey.ts'
+import { exportJWK } from 'jose'
+import { getBearer } from './getBearer.ts'
+import { authenticatedHandler } from '../handler/authenticated.ts'
+
+export const auth = new Elysia({
+  name: 'auth',
+  prefix: '/auth',
+})
+  .derive(({ headers }) => ({
+    bearer: getBearer(headers['authorization']),
+  }))
+  .get('/user', ({ bearer }) => getAuthenticatedUser(bearer))
+
+  // OAuth
+  .get('/oauth/check', ({ bearer, body }) => checkOAuthAudit(bearer, body), {
+    beforeHandle: authenticatedHandler,
+    body: auditInputSchema,
+  })
+  .post('/oauth/record', ({ bearer, body }) => recordOAuthAudit(bearer, body), {
+    beforeHandle: authenticatedHandler,
+    body: auditInputSchema,
+  })
+
+  // Handler to mint ID token
+  .post(
+    '/mintIdToken',
+    async ({ bearer, body }) =>
+      mintIdToken((await getAuthenticatedUser(bearer))!, body),
+    {
+      beforeHandle: authenticatedHandler,
+      body: mintIdTokenInputSchema,
+    }
+  )
+
+  // Sign-in handler
+  .post(
+    '/signIn/eventpopAuthorizationCode',
+    ({ body }) => authenticateEventpopUser(body.code),
+    {
+      body: authorizationCodeInputSchema,
+    }
+  )
+  .post(
+    '/signIn/deviceAuthorizationSignature',
+    ({ body, set }) =>
+      authenticateDeviceAuthorizationSignature(
+        body.deviceId,
+        body.signature,
+        set
+      ),
+    {
+      body: deviceAuthorizationSignatureInputSchema,
+    }
+  )
+
+  // Account linking
+  .post(
+    '/link/github',
+    ({ bearer, body }) => authenticateGitHub(body.code, bearer),
+    {
+      body: authorizationCodeInputSchema,
+    }
+  )
+  .post(
+    '/link/discord',
+    ({ bearer, body }) => authenticateDiscord(body.code, bearer),
+    {
+      body: authorizationCodeInputSchema,
+    }
+  )
+
+  // JWKs
+  .get('/publicKeys', async () => {
+    const privateKeyObj = createPrivateKey(privateKey)
+    const publicKeyObj = createPublicKey(privateKeyObj)
+    return [{ ...(await exportJWK(publicKeyObj)), kid: 'riffy1' }]
+  })
diff --git a/src/backend/auth/mintIdToken.ts b/src/backend/auth/mintIdToken.ts
@@ -1,9 +1,11 @@
 import jwt from 'jsonwebtoken'
-import type { AuthenticatedUser } from '$types/AuthenticatedUser'
-import { privateKey } from '$constants/secrets/privateKey'
-import { getJoinedEvents } from '../events/getJoinedEvents'
-import type { GitHubConnection } from '$types/mongo/User/GitHubConnection'
-import type { DiscordConnection } from '$types/mongo/User/DiscordConnection'
+import type { Static } from 'elysia'
+import type { AuthenticatedUser } from '$types/AuthenticatedUser.ts'
+import { privateKey } from '$constants/secrets/privateKey.ts'
+import { getJoinedEvents } from '../events/getJoinedEvents.ts'
+import type { GitHubConnection } from '$types/mongo/User/GitHubConnection.ts'
+import type { DiscordConnection } from '$types/mongo/User/DiscordConnection.ts'
+import type { mintIdTokenInputSchema } from './models.ts'
 
 /**
  * Data contained in ID token returned by Authgarten OIDC provider.
@@ -67,9 +69,7 @@ export interface AuthgartenOidcClaims {
 
 export async function mintIdToken(
   user: AuthenticatedUser,
-  audience: string,
-  nonce: string | undefined,
-  scopes: string[]
+  input: Static<typeof mintIdTokenInputSchema>
 ): Promise<{ idToken: string; claims: AuthgartenOidcClaims }> {
   const claims: AuthgartenOidcClaims = {
     sub: String(user.sub),
@@ -82,16 +82,16 @@ export async function mintIdToken(
       github: user.connections.github,
       discord: user.connections.discord,
     },
-    nonce,
+    nonce: input.nonce,
   }
 
-  if (scopes.includes('email')) {
+  if (input.scopes.includes('email')) {
     claims.email = user.email
   }
 
   const eventpopEventRegex = /^https:\/\/eventpop\.me\/e\/(\d+)$/
   const eventIds = new Set<number>()
-  for (const scope of scopes) {
+  for (const scope of input.scopes) {
     const match = eventpopEventRegex.exec(scope)
     if (match) {
       eventIds.add(Number(match[1]))
@@ -117,7 +117,7 @@ export async function mintIdToken(
 
     // https://openid.net/specs/openid-connect-basic-1_0.html#IDToken
     issuer: 'https://creatorsgarten.org',
-    audience: audience,
+    audience: input.audience,
     expiresIn: 3600,
 
     header: {
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		export const getBearer = (input?: string) =>
		input?.startsWith('Bearer ') ? input.slice(7) : undefined