feat: whitelisted discord & redirect uri oauth (#469)

* Allow Redirect URI Configuration * Prettier * Add Whitelisted Users * Update discord.ts * Whitespace * Whitespace --------- Co-authored-by: dicedtomato <[email protected]>
diced · Nov 6, 2023 · e6ed7a3 · e6ed7a3
1 parent 93cb9ee
commit e6ed7a3
Show file tree

Hide file tree

Showing 6 changed files with 29 additions and 8 deletions.
diff --git a/src/lib/config/Config.ts b/src/lib/config/Config.ts
@@ -136,9 +136,12 @@ export interface ConfigOAuth {
 
   discord_client_id?: string;
   discord_client_secret?: string;
+  discord_redirect_uri?: string;
+  discord_whitelisted_users?: string[];
 
   google_client_id?: string;
   google_client_secret?: string;
+  google_redirect_uri?: string;
 }
 
 export interface ConfigChunks {

diff --git a/src/lib/config/readConfig.ts b/src/lib/config/readConfig.ts
@@ -147,9 +147,12 @@ export default function readConfig() {
 
     map('OAUTH_DISCORD_CLIENT_ID', 'string', 'oauth.discord_client_id'),
     map('OAUTH_DISCORD_CLIENT_SECRET', 'string', 'oauth.discord_client_secret'),
+    map('OAUTH_DISCORD_REDIRECT_URI', 'string', 'oauth.discord_redirect_uri'),
+    map('OAUTH_DISCORD_WHITELISTED_USERS', 'array', 'oauth.discord_whitelisted_users'),
 
     map('OAUTH_GOOGLE_CLIENT_ID', 'string', 'oauth.google_client_id'),
     map('OAUTH_GOOGLE_CLIENT_SECRET', 'string', 'oauth.google_client_secret'),
+    map('OAUTH_GOOGLE_REDIRECT_URI', 'string', 'oauth.google_redirect_uri'),
 
     map('FEATURES_INVITES', 'boolean', 'features.invites'),
     map('FEATURES_INVITES_LENGTH', 'number', 'features.invites_length'),

diff --git a/src/lib/config/validateConfig.ts b/src/lib/config/validateConfig.ts
@@ -177,9 +177,12 @@ const validator = s.object({
 
       discord_client_id: s.string.nullable.default(null),
       discord_client_secret: s.string.nullable.default(null),
+      discord_redirect_uri: s.string.nullable.default(null),
+      discord_whitelisted_users: s.string.array.default([]),
 
       google_client_id: s.string.nullable.default(null),
       google_client_secret: s.string.nullable.default(null),
+      google_redirect_uri: s.string.nullable.default(null),
     })
     .nullish.default(null),
   features: s

diff --git a/src/lib/oauth.ts b/src/lib/oauth.ts
@@ -16,9 +16,9 @@ export const github_auth = {
 };
 
 export const discord_auth = {
-  oauth_url: (clientId: string, origin: string, state?: string) =>
+  oauth_url: (clientId: string, origin: string, state?: string, redirect_uri?: string) =>
     `https://discord.com/api/oauth2/authorize?client_id=${clientId}&redirect_uri=${encodeURIComponent(
-      `${origin}/api/auth/oauth/discord`
+      redirect_uri || `${origin}/api/auth/oauth/discord`
     )}&response_type=code&scope=identify${state ? `&state=${state}` : ''}`,
   oauth_user: async (access_token: string) => {
     const res = await fetch('https://discord.com/api/users/@me', {
@@ -33,9 +33,9 @@ export const discord_auth = {
 };
 
 export const google_auth = {
-  oauth_url: (clientId: string, origin: string, state?: string) =>
+  oauth_url: (clientId: string, origin: string, state?: string, redirect_uri?: string) =>
     `https://accounts.google.com/o/oauth2/auth?client_id=${clientId}&redirect_uri=${encodeURIComponent(
-      `${origin}/api/auth/oauth/google`
+      redirect_uri || `${origin}/api/auth/oauth/google`
     )}&response_type=code&access_type=offline&scope=https://www.googleapis.com/auth/userinfo.profile${
       state ? `&state=${state}` : ''
     }`,

diff --git a/src/pages/api/auth/oauth/discord.ts b/src/pages/api/auth/oauth/discord.ts
@@ -29,7 +29,8 @@ async function handler({ code, state, host }: OAuthQuery, logger: Logger): Promi
       redirect: discord_auth.oauth_url(
         config.oauth.discord_client_id,
         `${config.core.return_https ? 'https' : 'http'}://${host}`,
-        state
+        state,
+        config.oauth.discord_redirect_uri
       ),
     };
 
@@ -38,7 +39,9 @@ async function handler({ code, state, host }: OAuthQuery, logger: Logger): Promi
     client_secret: config.oauth.discord_client_secret,
     code,
     grant_type: 'authorization_code',
-    redirect_uri: `${config.core.return_https ? 'https' : 'http'}://${host}/api/auth/oauth/discord`,
+    redirect_uri:
+      config.oauth.discord_redirect_uri ||
+      `${config.core.return_https ? 'https' : 'http'}://${host}/api/auth/oauth/discord`,
     scope: 'identify',
   });
 
@@ -70,6 +73,12 @@ async function handler({ code, state, host }: OAuthQuery, logger: Logger): Promi
     : `https://cdn.discordapp.com/embed/avatars/${userJson.discriminator % 5}.png`;
   const avatarBase64 = await getBase64URLFromURL(avatar);
 
+  if (
+    config.oauth.discord_whitelisted_users?.length &&
+    !config.oauth.discord_whitelisted_users.includes(userJson.id)
+  )
+    return { error: 'user is not whitelisted' };
+
   return {
     username: userJson.username,
     user_id: userJson.id,

diff --git a/src/pages/api/auth/oauth/google.ts b/src/pages/api/auth/oauth/google.ts
@@ -28,15 +28,18 @@ async function handler({ code, state, host }: OAuthQuery, logger: Logger): Promi
       redirect: google_auth.oauth_url(
         config.oauth.google_client_id,
         `${config.core.return_https ? 'https' : 'http'}://${host}`,
-        state
+        state,
+        config.oauth.google_redirect_uri
       ),
     };
 
   const body = new URLSearchParams({
     code,
     client_id: config.oauth.google_client_id,
     client_secret: config.oauth.google_client_secret,
-    redirect_uri: `${config.core.return_https ? 'https' : 'http'}://${host}/api/auth/oauth/google`,
+    redirect_uri:
+      config.oauth.google_redirect_uri ||
+      `${config.core.return_https ? 'https' : 'http'}://${host}/api/auth/oauth/google`,
     grant_type: 'authorization_code',
   });