feat: Add OIDC Salt service (#64)

* Add salt endpoint

* Verify JWT

* Add hash salt

* Add hash salt

* Update packages/auth-server/server/api/salt.ts

* Lint

* lint

* Remove axios

* Remove axios

* Make SALT_ENTROPY required

* Use jose

* Encode data in buffer

* Crop salt

Author: matias-gonz

packages/auth-server/.env.example

@@ -0,0 +1,2 @@
+SALT_ENTROPY=
+APP_AUD=

packages/auth-server/nuxt.config.ts

@@ -27,7 +27,7 @@ export default defineNuxtConfig({
       ],
     },
   },
-  ssr: false,
+  ssr: true,
   devServer: {
     port: 3002,
   },

packages/auth-server/package.json

@@ -20,6 +20,7 @@
     "@vueuse/nuxt": "^11.1.0",
     "@wagmi/core": "^2.13.3",
     "@wagmi/vue": "^0.0.49",
+    "jose": "^5.9.6",
     "date-fns": "^4.1.0",
     "nuxt": "^3.12.3",
     "nuxt-gtag": "3.0.2",
@@ -42,4 +43,4 @@
   "overrides": {
     "vue": "latest"
   }
-}
+}

packages/auth-server/server/api/salt.ts

@@ -0,0 +1,53 @@
+import crypto from "crypto";
+import { defineEventHandler, getHeader } from "h3";
+import * as jose from 'jose';
+
+const GOOGLE_JWKS_URL = new URL("https://www.googleapis.com/oauth2/v3/certs");
+const GOOGLE_ISSUER = "https://accounts.google.com";
+
+const APP_AUD = process.env.APP_AUD;
+if (!APP_AUD) {
+  throw new Error("APP_AUD environment variable is required but not set");
+}
+
+const SALT_ENTROPY = process.env.SALT_ENTROPY;
+if (!SALT_ENTROPY) {
+  throw new Error("SALT_ENTROPY environment variable is required but not set");
+}
+
+
+export default defineEventHandler(async (event) => {
+  const authHeader = getHeader(event, "Authorization");
+
+  if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    throw createError({
+      statusCode: 401,
+      message: "Unauthorized - Missing or invalid token",
+    });
+  }
+
+  const jwt = authHeader.split(" ")[1];
+
+  try {
+    const JWKS = jose.createRemoteJWKSet(GOOGLE_JWKS_URL)
+
+    const { payload } = await jose.jwtVerify(jwt, JWKS, {
+      issuer: GOOGLE_ISSUER,
+      audience: APP_AUD,
+    });
+
+    const iss = payload.iss;
+    const aud = payload.aud;
+    const sub = payload.sub;
+
+    const data = Buffer.from(`${iss}${aud}${sub}${SALT_ENTROPY}`, "ascii");
+    const hash = crypto.createHash("sha256").update(data).digest("hex").slice(0, 62);
+
+    return { salt: hash };
+  } catch {
+    throw createError({
+      statusCode: 401,
+      message: "Unauthorized - Invalid token",
+    });
+  }
+});