Add PKCE and fix CIMD

Author: coyotte508

src/hooks.server.ts

@@ -139,7 +139,7 @@ export const handle: Handle = async ({ event, resolve }) => {
 
 	event.locals.sessionId = auth.sessionId;
 
-	if (loginEnabled && !auth.user) {
+	if (loginEnabled && !auth.user && !event.url.pathname.startsWith(`${base}/.well-known/`)) {
 		if (config.AUTOMATIC_LOGIN === "true") {
 			// AUTOMATIC_LOGIN: always redirect to OAuth flow (unless already on login or healthcheck pages)
 			if (
@@ -148,11 +148,7 @@ export const handle: Handle = async ({ event, resolve }) => {
 			) {
 				// To get the same CSRF token after callback
 				refreshSessionCookie(event.cookies, auth.secretSessionId);
-				return await triggerOauthFlow({
-					request: event.request,
-					url: event.url,
-					locals: event.locals,
-				});
+				return await triggerOauthFlow(event);
 			}
 		} else {
 			// Redirect to OAuth flow unless on the authorized pages (home, shared conversation, login, healthcheck, model thumbnails)
@@ -168,7 +164,7 @@ export const handle: Handle = async ({ event, resolve }) => {
 				!event.url.pathname.startsWith(`${base}/api`)
 			) {
 				refreshSessionCookie(event.cookies, auth.secretSessionId);
-				return triggerOauthFlow({ request: event.request, url: event.url, locals: event.locals });
+				return triggerOauthFlow(event);
 			}
 		}
 	}

src/lib/server/api/authPlugin.ts

@@ -11,11 +11,10 @@ export const authPlugin = new Elysia({ name: "auth" }).derive(
 	}): Promise<{
 		locals: App.Locals;
 	}> => {
-		request.url;
 		const auth = await authenticateRequest(
 			{ type: "elysia", value: headers },
 			{ type: "elysia", value: cookie },
-			new URL(request.url, config.PUBLIC_ORIGIN),
+			new URL(request.url, config.PUBLIC_ORIGIN || undefined),
 			true
 		);
 		return {

src/lib/server/auth.ts

@@ -4,7 +4,9 @@ import {
 	type UserinfoResponse,
 	type TokenSet,
 	custom,
+	generators,
 } from "openid-client";
+import type { RequestEvent } from "@sveltejs/kit";
 import { addHours, addWeeks, differenceInMinutes, subMinutes } from "date-fns";
 import { config } from "$lib/server/config";
 import { sha256 } from "$lib/utils/sha256";
@@ -54,7 +56,7 @@ export const OIDConfig = z
 	})
 	.parse(JSON5.parse(config.OPENID_CONFIG || "{}"));
 
-export const loginEnabled = !!OIDConfig.CLIENT_ID && !!OIDConfig.CLIENT_SECRET;
+export const loginEnabled = !!OIDConfig.CLIENT_ID;
 
 const sameSite = z
 	.enum(["lax", "none", "strict"])
@@ -264,8 +266,8 @@ async function getOIDCClient(settings: OIDCSettings, url: URL): Promise<BaseClie
 	};
 
 	if (OIDConfig.CLIENT_ID === "__CIMD__") {
-		OIDConfig.CLIENT_ID = new URL(
-			"/.well-known/oauth-cimd",
+		client_config.client_id = new URL(
+			`${base}/.well-known/oauth-cimd`,
 			config.PUBLIC_ORIGIN || url.origin
 		).toString();
 	}
@@ -281,7 +283,7 @@ async function getOIDCClient(settings: OIDCSettings, url: URL): Promise<BaseClie
 
 export async function getOIDCAuthorizationUrl(
 	settings: OIDCSettings,
-	params: { sessionId: string; next?: string; url: URL }
+	params: { sessionId: string; next?: string; url: URL; cookies: Cookies }
 ): Promise<string> {
 	const client = await getOIDCClient(settings, params.url);
 	const csrfToken = await generateCsrfToken(
@@ -290,7 +292,20 @@ export async function getOIDCAuthorizationUrl(
 		sanitizeReturnPath(params.next)
 	);
 
+	const codeVerifier = generators.codeVerifier();
+	const codeChallenge = generators.codeChallenge(codeVerifier);
+
+	params.cookies.set("hfChat-codeVerifier", codeVerifier, {
+		path: "/",
+		sameSite,
+		secure,
+		httpOnly: true,
+		expires: addHours(new Date(), 1),
+	});
+
 	return client.authorizationUrl({
+		code_challenge_method: "S256",
+		code_challenge: codeChallenge,
 		scope: OIDConfig.SCOPES,
 		state: csrfToken,
 		resource: OIDConfig.RESOURCE || undefined,
@@ -300,11 +315,19 @@ export async function getOIDCAuthorizationUrl(
 export async function getOIDCUserData(
 	settings: OIDCSettings,
 	code: string,
+	codeVerifier: string,
 	iss: string | undefined,
 	url: URL
 ): Promise<OIDCUserInfo> {
 	const client = await getOIDCClient(settings, url);
-	const token = await client.callback(settings.redirectURI, { code, iss });
+	const token = await client.callback(
+		settings.redirectURI,
+		{
+			code,
+			iss,
+		},
+		{ code_verifier: codeVerifier }
+	);
 	const userData = await client.userinfo(token);
 
 	return { token, userData };
@@ -514,14 +537,7 @@ export async function authenticateRequest(
 	return { user: undefined, sessionId, secretSessionId, isAdmin: false };
 }
 
-export async function triggerOauthFlow({
-	url,
-	locals,
-}: {
-	request: Request;
-	url: URL;
-	locals: App.Locals;
-}): Promise<Response> {
+export async function triggerOauthFlow({ url, locals, cookies }: RequestEvent): Promise<Response> {
 	// const referer = request.headers.get("referer");
 	// let redirectURI = `${(referer ? new URL(referer) : url).origin}${base}/login/callback`;
 	let redirectURI = `${url.origin}${base}/login/callback`;
@@ -551,7 +567,7 @@ export async function triggerOauthFlow({
 
 	const authorizationUrl = await getOIDCAuthorizationUrl(
 		{ redirectURI },
-		{ sessionId: locals.sessionId, next, url }
+		{ sessionId: locals.sessionId, next, url, cookies }
 	);
 
 	throw redirect(302, authorizationUrl);

…outes/.well-known/.oauth-cimd/+server.ts …routes/.well-known/oauth-cimd/+server.tssrc/routes/.well-known/.oauth-cimd/+server.ts renamed to src/routes/.well-known/oauth-cimd/+server.ts src/routes/.well-known/.oauth-cimd/+server.ts renamed to src/routes/.well-known/oauth-cimd/+server.ts

@@ -1,3 +1,4 @@
+import { base } from "$app/paths";
 import { OIDConfig } from "$lib/server/auth";
 import { config } from "$lib/server/config";
 
@@ -6,14 +7,18 @@ export const GET = ({ url }) => {
 		return new Response("Client ID not found", { status: 404 });
 	}
 	if (OIDConfig.CLIENT_ID !== "__CIMD__") {
-		return new Response("Client ID is manually set to something other than '__CIMD__'", {
-			status: 404,
-		});
+		return new Response(
+			`Client ID is manually set to something other than '__CIMD__': ${OIDConfig.CLIENT_ID}`,
+			{
+				status: 404,
+			}
+		);
 	}
 	return new Response(
 		JSON.stringify({
-			client_id: new URL("/.well-known/oauth-cimd", config.PUBLIC_ORIGIN || url.origin).toString(),
+			client_id: new URL(url, config.PUBLIC_ORIGIN || url.origin).toString(),
 			client_name: config.PUBLIC_APP_NAME,
+			client_uri: `${config.PUBLIC_ORIGIN || url.origin}${base}`,
 			redirect_uris: [new URL("/login/callback", config.PUBLIC_ORIGIN || url.origin).toString()],
 			token_endpoint_auth_method: "none",
 			scopes: OIDConfig.SCOPES,

src/routes/login/+server.ts

@@ -1,5 +1,5 @@
 import { triggerOauthFlow } from "$lib/server/auth";
 
-export async function GET({ request, url, locals }) {
-	return await triggerOauthFlow({ request, url, locals });
+export async function GET(event) {
+	return await triggerOauthFlow(event);
 }

src/routes/login/callback/+server.ts

@@ -52,9 +52,15 @@ export async function GET({ url, locals, cookies, request, getClientAddress }) {
 		throw error(403, "Invalid or expired CSRF token");
 	}
 
+	const codeVerifier = cookies.get("hfChat-codeVerifier");
+	if (!codeVerifier) {
+		throw error(403, "Code verifier cookie not found");
+	}
+
 	const { userData, token } = await getOIDCUserData(
 		{ redirectURI: validatedToken.redirectUrl },
 		code,
+		codeVerifier,
 		iss,
 		url
 	);