Include auth_time in token

GW2Treasures · Dec 16, 2024 · a7a2b51 · a7a2b51
1 parent f8a9583
commit a7a2b51
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 5 deletions.
diff --git a/apps/web/app/api/(oauth)/token/openid.ts b/apps/web/app/api/(oauth)/token/openid.ts
@@ -2,26 +2,40 @@ import { createSigner } from 'fast-jwt';
 import { RequestAuthentication } from '../auth';
 import { getBaseUrlFromHeaders } from '@/lib/url';
 import { ACCESS_TOKEN_EXPIRATION } from './token';
+import { db } from '@/lib/db';
+import { assert } from '@/lib/oauth/assert';
+import { OAuth2ErrorCode } from '@/lib/oauth/error';
 
 type IdTokenOptions = {
   clientId: string,
   requestAuthentication: RequestAuthentication
   userId: string,
-  authTime: Date,
   nonce: string,
 }
-export async function createIdToken({ userId, clientId, requestAuthentication, authTime, nonce }: IdTokenOptions) {
+export async function createIdToken({ userId, clientId, requestAuthentication, nonce }: IdTokenOptions) {
   const { origin: issuer } = await getBaseUrlFromHeaders();
+  const issuedAt = toTimestamp(new Date());
 
-  const issuedAt = Math.floor(Date.now() / 1000);
+  const user = await db.user.findUnique({
+    where: { id: userId },
+    select: {
+      // get latest created session to use as auth_time
+      sessions: {
+        select: { createdAt: true },
+        orderBy: { createdAt: 'desc' },
+        take: 1
+      }
+    }
+  });
+  assert(user, OAuth2ErrorCode.server_error, 'user not found');
 
   const idToken = {
     iss: issuer,
     sub: userId,
     aud: [clientId],
     exp: issuedAt + ACCESS_TOKEN_EXPIRATION,
     iat: issuedAt,
-    auth_time: authTime.valueOf(),
+    auth_time: toTimestamp(user.sessions[0].createdAt),
     nonce: nonce
   };
 
@@ -36,3 +50,7 @@ export async function createIdToken({ userId, clientId, requestAuthentication, a
     return jwt;
   }
 }
+
+function toTimestamp(date: Date): number {
+  return Math.floor(date.valueOf() / 1000);
+}
diff --git a/apps/web/app/api/(oauth)/token/token.ts b/apps/web/app/api/(oauth)/token/token.ts
@@ -88,7 +88,7 @@ export async function handleTokenRequest(headers: Headers, params: Record<string
 
       // create id_token
       const id_token = client.type === 'Confidential' && scope.includes(Scope.OpenID)
-        ? await createIdToken({ userId, clientId, requestAuthentication, nonce: 'TODO', authTime: new Date() })
+        ? await createIdToken({ userId, clientId, requestAuthentication, nonce: 'TODO' })
         : undefined;
 
       return {