refactor(server): replace elysia-oauth2 with custom OAuth implementation

OXeu · OXeu · commit 0c7d8d031580 · 2026-02-03T15:25:56.000Z
Replace the incompatible elysia-oauth2 dependency with a custom OAuth2
implementation that provides:

- Generic OAuth2 plugin architecture supporting any OAuth2 provider
- Built-in GitHub OAuth provider as default
- CSRF protection via state parameter validation
- Type-safe implementation with full TypeScript support
- Simplified API without external dependencies

Changes:
- Add server/src/utils/oauth.ts with OAuth2 implementation
- Update server/src/setup.ts to use new OAuth plugin
- Update server/src/services/user.ts with state validation
- Remove elysia-oauth2 from package.json dependencies
diff --git a/bun.lockb b/bun.lockb
diff --git a/server/package.json b/server/package.json
@@ -33,7 +33,6 @@
     "arctic": "^3.7.0",
     "drizzle-orm": "^0.30.10",
     "elysia": "^1.4.22",
-    "elysia-oauth2": "2.1.0",
     "feed": "^4.2.2",
     "jose": "^5.3.0",
     "openapi-types": "^12.1.3",
diff --git a/server/src/services/user.ts b/server/src/services/user.ts
@@ -1,27 +1,36 @@
 import { eq } from "drizzle-orm";
 import { t } from "elysia";
-import { URL } from "url";
 import { users } from "../db/schema";
 import base from "../base";
 
 export const UserService = base()
     .group('/user', (group) =>
         group
-            .get("/github", ({ oauth2, headers: { referer }, cookie: { redirect_to }, store: { env } }) => {
+            .get("/github", ({ oauth2, set, headers: { referer }, cookie: { redirect_to } }) => {
                 if (!referer) {
                     return 'Referer not found'
                 }
-                const referer_url = new URL(referer)
-                redirect_to.value = `${referer_url.protocol}//${referer_url.host}`
-                return oauth2?.redirect("GitHub", ["read:user"])
+                redirect_to.value = `${referer}`
+                set.headers['Location'] = oauth2.createRedirectUrl("GitHub")
+                set.status = 302
             })
-            .get("/github/callback", async ({ jwt, oauth2, set, store, query, cookie: { token, redirect_to, state } }) => {
+            .get("/github/callback", async ({ jwt, oauth2, set, store, query, cookie: { token, redirect_to } }) => {
                 const { db } = store;
 
-                console.log('state', state.value)
                 console.log('p_state', query.state)
 
-                const gh_token = await oauth2?.authorize("GitHub");
+                // Verify state to prevent CSRF attacks
+                if (!oauth2.verifyState(query.state)) {
+                    set.status = 400;
+                    return 'Invalid state parameter';
+                }
+
+                oauth2.removeState(query.state);
+                const gh_token = await oauth2.authorize("GitHub", query.code);
+                if (!gh_token) {
+                    set.status = 400;
+                    return 'Failed to authorize with GitHub';
+                }
                 // request https://api.github.com/user for user info
                 const response = await fetch("https://api.github.com/user", {
                     headers: {
@@ -74,12 +83,9 @@ export const UserService = base()
                             }
                         }
                     });
-                const redirect_host = redirect_to.value || ""
-                const redirect_url = (`${redirect_host}/callback?token=${token.value}`);
-                set.headers = {
-                    'Content-Type': 'text/html',
-                }
-                set.redirect = redirect_url
+                const redirect_url = `${redirect_to.value}`
+                set.headers['Location'] = redirect_url
+                set.status = 302
             }, {
                 query: t.Object({
                     state: t.String(),
diff --git a/server/src/setup.ts b/server/src/setup.ts
@@ -1,12 +1,12 @@
 import { eq } from "drizzle-orm";
 import { Elysia, t } from "elysia";
-import { oauth2 } from "elysia-oauth2";
 import type { DB } from "./context";
 import { users } from "./db/schema";
 import jwt from "./utils/jwt";
 import { CacheImpl } from "./utils/cache";
 import { drizzle } from "drizzle-orm/d1";
 import * as schema from './db/schema';
+import { createOAuthPlugin, GitHubProvider } from "./utils/oauth";
 
 
 const anyUser = async (db: DB) => (await db.query.users.findMany())?.length > 0
@@ -40,12 +40,11 @@ export function createSetupPlugin(env: Env) {
         throw new Error('Please set JWT_SECRET');
     }
 
-    const oauth = oauth2({
-        GitHub: [
-            gh_client_id,
-            gh_client_secret,
-            null
-        ],
+    const oauth = createOAuthPlugin({
+        GitHub: new GitHubProvider({
+            clientId: gh_client_id,
+            clientSecret: gh_client_secret,
+        }),
     });
 
     return new Elysia()
@@ -66,7 +65,7 @@ export function createSetupPlugin(env: Env) {
                 })
             })
         )
-        .derive({ as: 'global' }, async ({ headers, jwt, store: { db }, oauth2 }) => {
+        .derive({ as: 'global' }, async ({ headers, jwt, store: { db } }) => {
             const authorization = headers['authorization']
             if (!authorization) {
                 return {};
@@ -85,7 +84,6 @@ export function createSetupPlugin(env: Env) {
                 uid: user.id,
                 username: user.username,
                 admin: user.permission === 1,
-                oauth2: oauth2
             }
         })
 }
diff --git a/server/src/utils/oauth.ts b/server/src/utils/oauth.ts
@@ -0,0 +1,163 @@
+import { Elysia } from "elysia";
+
+export interface OAuthProvider {
+    name: string;
+    clientId: string;
+    clientSecret: string;
+    redirectUri?: string;
+    authorizeUrl: string;
+    tokenUrl: string;
+    scopes: string[];
+}
+
+export interface OAuthToken {
+    accessToken: string;
+    tokenType: string;
+    scope?: string;
+    expiresIn?: number;
+    refreshToken?: string;
+}
+
+export interface GitHubConfig {
+    clientId: string;
+    clientSecret: string;
+    redirectUri?: string;
+}
+
+export class GitHubProvider implements OAuthProvider {
+    name = "GitHub";
+    clientId: string;
+    clientSecret: string;
+    redirectUri?: string;
+    authorizeUrl = "https://github.com/login/oauth/authorize";
+    tokenUrl = "https://github.com/login/oauth/access_token";
+    scopes: string[] = ["read:user"];
+
+    constructor(config: GitHubConfig) {
+        this.clientId = config.clientId;
+        this.clientSecret = config.clientSecret;
+        this.redirectUri = config.redirectUri;
+    }
+}
+
+export interface OAuth2Methods {
+    redirect: (providerName: string, scopes?: string[]) => Response;
+    authorize: (providerName: string, code?: string) => Promise<OAuthToken>;
+    verifyState: (state: string) => boolean;
+    getStateData: (state: string) => { provider: string; timestamp: number } | undefined;
+    removeState: (state: string) => void;
+}
+
+export function createOAuthPlugin(providers: Record<string, OAuthProvider>) {
+    const stateStore = new Map<string, { provider: string; timestamp: number }>();
+
+    // Clean up expired states (older than 10 minutes)
+    const cleanupExpiredStates = () => {
+        const now = Date.now();
+        const expiryTime = 10 * 60 * 1000; // 10 minutes
+        for (const [state, data] of stateStore.entries()) {
+            if (now - data.timestamp > expiryTime) {
+                stateStore.delete(state);
+            }
+        }
+    };
+
+    // Generate random state string
+    const generateState = (): string => {
+        const array = new Uint8Array(32);
+        crypto.getRandomValues(array);
+        return Array.from(array, (byte) => byte.toString(16).padStart(2, "0")).join("");
+    };
+
+    return new Elysia({ name: "oauth2" })
+        .decorate("oauth2", {
+            createRedirectUrl: (providerName: string): string => {
+                const provider = providers[providerName];
+                if (!provider) {
+                    throw new Error(`OAuth provider "${providerName}" not found`);
+                }
+
+                cleanupExpiredStates();
+
+                const state = generateState();
+                stateStore.set(state, {
+                    provider: providerName,
+                    timestamp: Date.now(),
+                });
+
+                const params = new URLSearchParams({
+                    client_id: provider.clientId,
+                    state: state,
+                });
+
+                // if (provider.redirectUri) {
+                    // params.set("redirect_uri", provider.redirectUri);
+                // }
+
+                return `${provider.authorizeUrl}?${params.toString()}`;
+            },
+
+            authorize: async (providerName: string, code?: string): Promise<OAuthToken> => {
+                const provider = providers[providerName];
+                if (!provider) {
+                    throw new Error(`OAuth provider "${providerName}" not found`);
+                }
+
+                if (!code) {
+                    throw new Error("Authorization code is required");
+                }
+
+                const params = new URLSearchParams({
+                    client_id: provider.clientId,
+                    client_secret: provider.clientSecret,
+                    code: code,
+                });
+
+                if (provider.redirectUri) {
+                    params.set("redirect_uri", provider.redirectUri);
+                }
+
+                const response = await fetch(provider.tokenUrl, {
+                    method: "POST",
+                    headers: {
+                        "Content-Type": "application/x-www-form-urlencoded",
+                        Accept: "application/json",
+                    },
+                    body: params.toString(),
+                });
+
+                if (!response.ok) {
+                    throw new Error(`Failed to exchange code for token: ${response.statusText}`);
+                }
+
+                const data = await response.json() as {
+                    access_token: string;
+                    token_type?: string;
+                    scope?: string;
+                    expires_in?: number;
+                    refresh_token?: string;
+                };
+
+                return {
+                    accessToken: data.access_token,
+                    tokenType: data.token_type || "Bearer",
+                    scope: data.scope,
+                    expiresIn: data.expires_in,
+                    refreshToken: data.refresh_token,
+                };
+            },
+
+            verifyState: (state: string): boolean => {
+                cleanupExpiredStates();
+                return stateStore.has(state);
+            },
+
+            getStateData: (state: string) => {
+                return stateStore.get(state);
+            },
+
+            removeState: (state: string) => {
+                stateStore.delete(state);
+            },
+        });
+}
