Auth Sync Rewrite - Sync API endpoint and Middleware

Middleware:
- redirects to auth sync API endpoint
- supports signup redirects
- if it receives a verification token, sends a POST to auth sync API endpoint and exchange it for a JWT session token
- applies session token from the POST
- gets rid of next auth functions

GET Auth Sync:
- issue a verification token tied to the session token's user id
- support signup and redirect accordingly
- use getToken from Next-Auth to get the live session token
- also validate domain param through custom domain schema validation before checking if ACTIVE

POST Auth Sync:
- consume the verification token by checking its existence in DB and deleting it afterwards
- create and return ephemeral JWT session token

Author: Soxasora

middleware.js

@@ -1,7 +1,6 @@
 import { NextResponse, URLPattern } from 'next/server'
 import { getDomainMapping } from '@/lib/domains'
 import { SESSION_COOKIE, cookieOptions } from '@/lib/auth'
-import { decode as decodeJWT } from 'next-auth/jwt'
 
 const referrerPattern = new URLPattern({ pathname: ':pathname(*)/r/:referrer([\\w_]+)' })
 const itemPattern = new URLPattern({ pathname: '/items/:id(\\d+){/:other(\\w+)}?' })
@@ -34,18 +33,16 @@ async function customDomainMiddleware (request, domain, subName) {
   console.log('[domains] pathname', pathname) // TEST
   console.log('[domains] searchParams', searchParams) // TEST
 
-  // WIP Rewrite Auth Sync
+  // Auth Sync
+  // if the user is trying to login or signup, redirect to the Auth Sync API
   if (pathname.startsWith('/login') || pathname.startsWith('/signup')) {
-    return authSyncMiddleware(url, domain)
-  }
-
-  // WIP Rewrite Auth Sync
-  if (searchParams.has('token')) {
-    const redirectUri = searchParams.get('redirectUri') || '/'
-    const res = NextResponse.redirect(decodeURIComponent(redirectUri))
-    return establishAuthSync(res, url, domain)
+    const signup = pathname.startsWith('/signup')
+    return redirectToAuthSync(searchParams, domain, signup)
   }
+  // if we have a verification token, exchange it for a session token
+  if (searchParams.has('token')) return establishAuthSync(searchParams)
 
+  // Territory URLs
   // if sub param exists and doesn't match the domain's subname, update it
   if (searchParams.has('sub') && searchParams.get('sub') !== subName) {
     console.log('[domains] setting sub to', subName) // TEST
@@ -75,11 +72,16 @@ async function customDomainMiddleware (request, domain, subName) {
   return NextResponse.next({ request: { headers } })
 }
 
-// WIP Rewrite Auth Sync
-async function authSyncMiddleware (url, domain) {
-  const { searchParams } = url
+// redirect to the Auth Sync API
+async function redirectToAuthSync (searchParams, domain, signup) {
   const syncUrl = new URL('/api/auth/sync', SN_MAIN_DOMAIN)
   syncUrl.searchParams.set('domain', domain)
+
+  // if we're signing up, we need to set the signup flag
+  if (signup) {
+    syncUrl.searchParams.set('signup', 'true')
+  }
+
   // if we have a callbackUrl, we need to set it as redirectUri
   if (searchParams.has('callbackUrl')) {
     syncUrl.searchParams.set('redirectUri', searchParams.get('callbackUrl'))
@@ -88,33 +90,38 @@ async function authSyncMiddleware (url, domain) {
   return NextResponse.redirect(syncUrl)
 }
 
-async function establishAuthSync (res, url, domain) {
-  const { searchParams } = url
+// POST to /api/auth/sync and set the session cookie
+async function establishAuthSync (searchParams) {
+  // get the verification token from the search params
   const token = searchParams.get('token')
+  // get the redirectUri from the search params
+  const redirectUri = searchParams.get('redirectUri') || '/'
+  // prepare redirect to the redirectUri
+  const res = NextResponse.redirect(decodeURIComponent(redirectUri))
+
+  // POST to /api/auth/sync to exchange verification token for session token
+  const response = await fetch(`${SN_MAIN_DOMAIN.origin}/api/auth/sync`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json'
+    },
+    body: JSON.stringify({
+      verificationToken: token
+    })
+  })
 
-  const decodedSession = await verifySessionToken(token, domain)
-  if (!decodedSession) {
-    // TODO: maybe a page with a message?
+  // get the session token from the response
+  const data = await response.json()
+  if (data.status === 'ERROR') {
+    // if the response is an error, redirect to the home page
     return NextResponse.redirect('/')
   }
+
   // set the session cookie
-  res.cookies.set(SESSION_COOKIE, token, cookieOptions())
+  res.cookies.set(SESSION_COOKIE, data.sessionToken, cookieOptions())
   return res
 }
 
-async function verifySessionToken (sessionToken, domain) {
-  const decodedSession = await decodeJWT({
-    token: sessionToken,
-    secret: process.env.NEXTAUTH_SECRET
-  })
-  // check if the session is valid and belongs to the domain
-  if (!decodedSession || decodedSession?.domainName !== domain) {
-    console.log('[establishAuthSync] invalid session token') // TEST
-    return false
-  }
-  return decodedSession
-}
-
 function getContentReferrer (request, url) {
   if (itemPattern.test(url)) {
     let id = request.nextUrl.searchParams.get('commentId')

pages/api/auth/sync.js

@@ -1,45 +1,78 @@
-// SYNC sketchbook
-// WIP
-
-import { getServerSession } from 'next-auth/next'
-import { getAuthOptions } from './[...nextauth]'
+// Auth Sync API
 import models from '@/api/models'
-import { encode as encodeJWT } from 'next-auth/jwt'
+import { randomBytes } from 'node:crypto'
+import { encode as encodeJWT, getToken } from 'next-auth/jwt'
 import { validateSchema, customDomainSchema } from '@/lib/validate'
 
 const SN_MAIN_DOMAIN = new URL(process.env.NEXT_PUBLIC_URL)
 const SYNC_TOKEN_MAX_AGE = 60 // 1 minute
 
 export default async function handler (req, res) {
   try {
-    // STEP 1: check if the domain is correct
-    const { domain, redirectUri = '/' } = req.query
-    if (!domain) {
-      return res.status(400).json({ status: 'ERROR', reason: 'domain is a required parameter' })
-    }
-
-    // prepare domain
-    const domainName = domain.toLowerCase().trim()
-
-    // STEP 2: check if domain is valid and ACTIVE
-    const domainValidation = await isDomainAllowed(domainName)
-    if (domainValidation.status === 'ERROR') {
-      return res.status(400).json(domainValidation)
+    // POST /api/auth/sync
+    // exchange a verification token for an ephemeral session token
+    if (req.method === 'POST') {
+      // a verification token is received from the middleware
+      const { verificationToken } = JSON.parse(req.body)
+      if (!verificationToken) {
+        return res.status(400).json({ status: 'ERROR', reason: 'verification token is required' })
+      }
+
+      // validate and consume the verification token
+      const validationResult = await consumeVerificationToken(verificationToken)
+      if (validationResult.status === 'ERROR') {
+        return res.status(400).json(validationResult)
+      }
+
+      // create a short-lived JWT session token with the user id
+      const sessionTokenResult = await createEphemeralSessionToken(validationResult.userId)
+      if (sessionTokenResult.status === 'ERROR') {
+        // if we can't create a session token, return the error
+        return res.status(500).json(sessionTokenResult)
+      }
+
+      // return the session token
+      return res.status(200).json({ status: 'OK', sessionToken: sessionTokenResult.sessionToken })
     }
 
-    // STEP 3: check if we have a session, if not, redirect to the SN login page
-    const session = await getServerSession(req, res, getAuthOptions(req, res))
-    if (!session?.user) {
-      return handleNoSession(res, domainName, redirectUri)
+    // GET /api/auth/sync
+    // check if there's a session, if not, redirect to the SN login page and come back here
+    // if there's a session, create a verification token and redirect to the domain
+    if (req.method === 'GET') {
+      // STEP 1: check if the domain is correct
+      const { domain, redirectUri = '/' } = req.query
+      // domain and a path redirectUri are required
+      if (!domain || !redirectUri.startsWith('/')) {
+        return res.status(400).json({ status: 'ERROR', reason: 'domain and a correct redirectUri are required' })
+      }
+
+      // STEP 2: check if domain is valid and ACTIVE
+      const domainValidation = await isDomainAllowed(domain)
+      if (domainValidation.status === 'ERROR') {
+        return res.status(400).json(domainValidation)
+      }
+
+      // if we're signing up, redirect to the SN signup page and come back here
+      if (req.headers.get('x-stacker-news-signup') === 'true') {
+        return handleNoSession(res, domain, redirectUri, true)
+      }
+
+      // STEP 3: check if we have a session, if not, redirect to the SN login page
+      const sessionToken = await getToken({ req }) // from cookie
+      if (!sessionToken) {
+        // we don't have a session, redirect to the login page and come back here
+        return handleNoSession(res, domain, redirectUri)
+      }
+
+      // STEP 4: create a verification token
+      const verificationToken = await createVerificationToken(sessionToken)
+      if (verificationToken.status === 'ERROR') {
+        return res.status(500).json(verificationToken)
+      }
+
+      // STEP 5: redirect to the domain with the verification token
+      return redirectToDomain(res, domain, verificationToken.token, redirectUri)
     }
-
-    // STEP 4: create an ephemeral session and redirect to the custom domain
-    const sessionToken = await createEphemeralSessionToken(session, domainName)
-    if (sessionToken.status === 'ERROR') {
-      return res.status(500).json(sessionToken)
-    }
-
-    return redirectToDomain(res, domainName, sessionToken, redirectUri)
   } catch (error) {
     return res.status(500).json({ status: 'ERROR', reason: 'auth sync broke its legs' })
   }
@@ -51,67 +84,108 @@ async function isDomainAllowed (domainName) {
     // check if domain is conformative
     await validateSchema(customDomainSchema, { domainName })
     // check if domain is ACTIVE
-    // not cached because we're handling sensitive data
-    const domainInfo = await models.domain.findUnique({
+    const domain = await models.domain.findUnique({
       where: { domainName, status: 'ACTIVE' }
     })
-    if (!domainInfo) {
+
+    if (!domain) {
       return { status: 'ERROR', reason: 'domain not allowed' }
     }
-    return { status: 'OK', domain: domainInfo }
+
+    // domain is valid and ACTIVE
+    return { status: 'OK' }
   } catch (error) {
     return { status: 'ERROR', reason: 'domain is not valid' }
   }
 }
 
-function handleNoSession (res, domainName, redirectUri) {
-  // if we don't have a session, redirect to the login page
-  const loginUrl = new URL('/login', SN_MAIN_DOMAIN)
-
-  // sync url as callback to continue syncing afterwards
-  // sync url: /api/auth/sync?domain=www.pizza.com&redirectUri=/
+function handleNoSession (res, domainName, redirectUri, signup) {
+  // create the sync callback URL that we'll return to after login
   const syncUrl = new URL('/api/auth/sync', SN_MAIN_DOMAIN)
   syncUrl.searchParams.set('domain', domainName)
   syncUrl.searchParams.set('redirectUri', redirectUri)
 
-  // set callbackUrl as syncUrl
-  loginUrl.searchParams.set('callbackUrl', syncUrl.href)
-  res.redirect(302, loginUrl.href)
+  // create SN login URL and add our sync callback URL
+  const loginRedirectUrl = new URL(signup ? '/signup' : '/login', SN_MAIN_DOMAIN)
+  loginRedirectUrl.searchParams.set('callbackUrl', syncUrl.href)
+
+  // redirect user to login page
+  res.redirect(302, loginRedirectUrl.href)
 }
 
-// creates an ephemeral session token for the user
-async function createEphemeralSessionToken (session, domainName) {
+async function createVerificationToken (token) {
   try {
-    const domainTiedPayload = {
-      ...session.user,
-      domainName,
-      purpose: 'auth_sync'
-    }
-    const sessionToken = await encodeJWT({
-      token: domainTiedPayload,
-      secret: process.env.NEXTAUTH_SECRET,
-      maxAge: SYNC_TOKEN_MAX_AGE
+    // a 5 minutes verification token using the session token's user id
+    const verificationToken = await models.verificationToken.create({
+      data: {
+        identifier: token.id.toString(),
+        token: randomBytes(32).toString('hex'),
+        expires: new Date(Date.now() + 1000 * 60 * 5) // 5 minutes
+      }
     })
-    return sessionToken
+    return { status: 'OK', token: verificationToken.token }
   } catch (error) {
-    return { status: 'ERROR', reason: 'failed to create ephemeral session token' }
+    return { status: 'ERROR', reason: 'failed to create verification token' }
   }
 }
 
-async function redirectToDomain (res, domainName, token, redirectUri) {
+async function redirectToDomain (res, domainName, verificationToken, redirectUri) {
   try {
+    // create the target URL
     const protocol = process.env.NODE_ENV === 'development' ? 'http' : 'https'
     const target = new URL(`${protocol}://${domainName}`)
 
-    target.searchParams.set('token', token)
-    // if redirectUri is provided, add it to the URL
-    if (redirectUri && redirectUri !== '/') {
-      target.searchParams.set('redirectUri', redirectUri)
-    }
+    // add the verification token and the redirectUri to the URL
+    target.searchParams.set('token', verificationToken)
+    target.searchParams.set('redirectUri', redirectUri)
 
+    // redirect to the custom domain
     res.redirect(302, target.href)
   } catch (error) {
-    console.error('[authSync::redirectToDomain] error', error)
     return { status: 'ERROR', reason: 'could not construct the URL' }
   }
 }
+
+async function consumeVerificationToken (verificationToken) {
+  try {
+    // find the verification token
+    const { identifier } = await models.verificationToken.findFirst({
+      where: {
+        token: verificationToken,
+        expires: { gt: new Date() }
+      }
+    })
+    // if we can't find the verification token, it's invalid or expired
+    if (!identifier) {
+      return { status: 'ERROR', reason: 'invalid verification token' }
+    }
+
+    // delete the verification token, we don't need it anymore
+    await models.verificationToken.delete({
+      where: {
+        token: verificationToken
+      }
+    })
+
+    // return the user id
+    return { status: 'OK', userId: Number(identifier) }
+  } catch (error) {
+    return { status: 'ERROR', reason: 'cannot validate verification token' }
+  }
+}
+
+async function createEphemeralSessionToken (userId) {
+  try {
+    // create a short-lived JWT session token with the user id
+    const sessionToken = await encodeJWT({
+      token: { id: userId, sub: userId },
+      secret: process.env.NEXTAUTH_SECRET,
+      maxAge: SYNC_TOKEN_MAX_AGE
+    })
+
+    // return the ephemeral session token
+    return { status: 'OK', sessionToken }
+  } catch (error) {
+    return { status: 'ERROR', reason: 'failed to create ephemeral session token' }
+  }
+}