The new auth flow, toolbar, and workspace selector
1 parent
be366e5
commit 9f4e21f
Showing
93 changed files
with
2,974 additions
and
1,367 deletions.
30 changes: 30 additions & 0 deletions
packages/app/prisma/migrations/20231127144216_/migration.sql
@@ -0,0 +1,30 @@ | ||
/* | ||
Warnings: | ||
- You are about to drop the `LibAuthenticationFlow` table. If the table is not empty, all the data it contains will be lost. | ||
*/ | ||
-- CreateEnum | ||
CREATE TYPE "DeviceAuthorizationFlowState" AS ENUM ('initialized', 'userAllowedAuth', 'userDeniedAuth', 'tokenAlreadyUsed'); | ||
|
||
-- DropTable | ||
DROP TABLE "LibAuthenticationFlow"; | ||
|
||
-- DropEnum | ||
DROP TYPE "LibAuthenticationFlowState"; | ||
|
||
-- CreateTable | ||
CREATE TABLE "DeviceAuthorizationFlow" ( | ||
"deviceCode" TEXT NOT NULL, | ||
"userCode" TEXT NOT NULL, | ||
"createdAt" TIMESTAMPTZ NOT NULL, | ||
"lastCheckTime" TIMESTAMPTZ NOT NULL, | ||
"nounce" TEXT NOT NULL, | ||
"state" "DeviceAuthorizationFlowState" NOT NULL DEFAULT 'initialized', | ||
"tokens" TEXT NOT NULL, | ||
|
||
CONSTRAINT "DeviceAuthorizationFlow_pkey" PRIMARY KEY ("deviceCode") | ||
); | ||
|
||
-- CreateIndex | ||
CREATE UNIQUE INDEX "DeviceAuthorizationFlow_userCode_key" ON "DeviceAuthorizationFlow"("userCode"); |
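Review bot: The `"tokens" TEXT NOT NULL` column on `DeviceAuthorizationFlow` holds the issued access and refresh tokens in plaintext until the device collects them (the libAuth route later in this commit writes `JSON.stringify({accessToken, refreshToken})` into it), and nothing in the table bounds a row's lifetime — there is `createdAt` and `lastCheckTime` but no expiry. If expiry and cleanup are not enforced in application code (not visible here), an `"expiresAt" TIMESTAMPTZ NOT NULL` column plus a periodic delete would cap the window, and deleting the row on the first successful poll or storing only a digest of the tokens would limit what a database read exposes. Also note the column is spelled `"nounce"` rather than `nonce`; the TypeScript side already reads `row.nounce`, so if it is to be corrected, the Prisma schema and this migration are the cheapest place to do it.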
3 changes: 3 additions & 0 deletions
packages/app/prisma/migrations/20231127153849_pkce/migration.sql
@@ -0,0 +1,3 @@ | ||
-- AlterTable | ||
ALTER TABLE "DeviceAuthorizationFlow" ADD COLUMN "codeChallenge" TEXT NOT NULL DEFAULT '', | ||
ADD COLUMN "codeChallengeMethod" TEXT NOT NULL DEFAULT 'S256'; |
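Review bot: `"codeChallenge" TEXT NOT NULL DEFAULT ''` makes the NOT NULL constraint meaningless for new rows — a flow created without a challenge gets an empty string and passes. A default is reasonable for backfilling existing rows, but the code that later compares the stored challenge against the device's verifier must explicitly reject an empty challenge (and any `codeChallengeMethod` other than `S256`), otherwise PKCE is silently skipped for such rows; a follow-up migration dropping the default, or adding `CHECK ("codeChallenge" <> '')`, would let the database enforce it. That verification code is not in this diff, so treat this as something to confirm.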
2 changes: 2 additions & 0 deletions
packages/app/prisma/migrations/20231202190130_scopes/migration.sql
@@ -0,0 +1,2 @@ | ||
-- AlterTable | ||
ALTER TABLE "DeviceAuthorizationFlow" ADD COLUMN "scopes" JSONB NOT NULL DEFAULT '[]'; |
@@ -0,0 +1,21 @@ | ||
import {NextResponse} from 'next/server' | ||
import {allowCors} from '~/utils' | ||
|
||
async function handler(req: Request) { | ||
if (req.method === 'OPTIONS') { | ||
const res = new Response(null, {status: 204}) | ||
allowCors(res) | ||
|
||
return res | ||
} | ||
|
||
const res = NextResponse.json({ | ||
publicKey: process.env.STUDIO_AUTH_JWT_PUBLIC_KEY, | ||
}) | ||
|
||
allowCors(res) | ||
|
||
return res | ||
} | ||
|
||
export {handler as GET, handler as OPTIONS} |
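Review bot: If `STUDIO_AUTH_JWT_PUBLIC_KEY` is unset, `NextResponse.json({publicKey: process.env.STUDIO_AUTH_JWT_PUBLIC_KEY})` serializes `undefined` away and the client receives `{}` with status 200, a silent success that a consumer may cache as "no key". Read the variable once and fail loudly instead: `const publicKey = process.env.STUDIO_AUTH_JWT_PUBLIC_KEY` / `if (!publicKey) return NextResponse.json({error: 'public key not configured'}, {status: 500})`. A one-line doc comment above `handler` stating that this endpoint publishes the JWT verification key (public material, so CORS and caching are acceptable) would also help the next reader, since the file path is not shown here and the route name has to be inferred.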
@@ -0,0 +1,131 @@ | ||
import type {NextRequest} from 'next/server' | ||
import {NextResponse} from 'next/server' | ||
import prisma from 'src/prisma' | ||
|
||
import {getAppSession, studioAuth} from 'src/utils/authUtils' | ||
import {userCodeLength} from '~/server/studio-api/routes/studioAuthRouter' | ||
import {studioAccessScopes} from '~/types' | ||
import {type $IntentionalAny} from '@theatre/utils/types' | ||
|
||
export const dynamic = 'force-dynamic' | ||
|
||
async function libAuth(req: NextRequest) { | ||
const userCode = req.nextUrl.searchParams.get('userCode') | ||
|
||
if (typeof userCode !== 'string' || userCode.length !== userCodeLength) { | ||
return NextResponse.json( | ||
{ | ||
error: `userCode must be a string of length ${userCodeLength}`, | ||
}, | ||
{status: 400}, | ||
) | ||
} | ||
|
||
const row = await prisma.deviceAuthorizationFlow.findFirst({ | ||
where: { | ||
userCode, | ||
}, | ||
}) | ||
if (row === null) { | ||
return NextResponse.json( | ||
{ | ||
error: | ||
'This authentication flow either does not exist, or has already been used. Try again from the studio.', | ||
}, | ||
{status: 404}, | ||
) | ||
} | ||
|
||
const session = await getAppSession() | ||
|
||
// if no session, redirect to login | ||
if (!session || !session.user) { | ||
console.log('s', req.nextUrl.host, req.nextUrl.hostname, req.nextUrl.origin) | ||
const redirectUrl = new URL( | ||
`/api/auth/signin?callbackUrl=${encodeURIComponent( | ||
req.nextUrl.toString(), | ||
)}`, | ||
req.nextUrl.origin, | ||
) | ||
return NextResponse.redirect(redirectUrl) | ||
} | ||
|
||
if (row.state === 'tokenAlreadyUsed') { | ||
return NextResponse.json( | ||
{ | ||
error: | ||
'This authentication flow has already been used. Try again from the studio.', | ||
}, | ||
{status: 400}, | ||
) | ||
} | ||
|
||
if (row.state === 'userDeniedAuth') { | ||
return NextResponse.json( | ||
{ | ||
error: | ||
'This authentication flow has been denied by the user. Try again from the studio.', | ||
}, | ||
{status: 400}, | ||
) | ||
} | ||
|
||
if (row.state === 'userAllowedAuth') { | ||
return NextResponse.json( | ||
{ | ||
error: | ||
'This authentication flow has already been used. Try again from the studio.', | ||
}, | ||
{status: 400}, | ||
) | ||
} | ||
|
||
if (row.state !== 'initialized') { | ||
return NextResponse.json( | ||
{ | ||
error: `This authentication flow is in an invalid state. Try again from the studio.`, | ||
}, | ||
{status: 500}, | ||
) | ||
} | ||
|
||
const user = session.user | ||
const nounce = row.nounce | ||
const scopes = row.scopes | ||
|
||
if (!studioAccessScopes.scopes.parse(scopes)) { | ||
console.error(`bad scopes`, scopes) | ||
await prisma.deviceAuthorizationFlow.delete({ | ||
where: {deviceCode: row.deviceCode}, | ||
}) | ||
return NextResponse.json( | ||
{ | ||
error: `This authentication flow is in an invalid state. Try again from the studio.`, | ||
}, | ||
{status: 500}, | ||
) | ||
} | ||
|
||
const {refreshToken, accessToken} = await studioAuth.createSession( | ||
nounce, | ||
user, | ||
scopes as $IntentionalAny, | ||
) | ||
|
||
await prisma.deviceAuthorizationFlow.update({ | ||
where: { | ||
deviceCode: row.deviceCode, | ||
}, | ||
data: { | ||
state: 'userAllowedAuth', | ||
tokens: JSON.stringify({ | ||
accessToken, | ||
refreshToken, | ||
}), | ||
}, | ||
}) | ||
|
||
return NextResponse.json('success', {status: 200}) | ||
} | ||
|
||
export {libAuth as GET} |
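Review bot: The scopes guard `if (!studioAccessScopes.scopes.parse(scopes))` looks wrong if `studioAccessScopes.scopes` is a zod-style schema, as the `.parse` name suggests: `.parse` throws on invalid input rather than returning a falsy value, so bad `scopes` would surface as an unhandled 500 without the `prisma.deviceAuthorizationFlow.delete` cleanup ever running, while a valid parse returns the (truthy) array and the branch is dead. Use `const parsed = studioAccessScopes.scopes.safeParse(scopes)`, branch on `if (!parsed.success)`, and pass `parsed.data` to `createSession` in place of `scopes as $IntentionalAny`. Separately, `console.log('s', req.nextUrl.host, req.nextUrl.hostname, req.nextUrl.origin)` on the no-session branch reads like leftover debugging and fires on every unauthenticated hit; drop it. Note also that this GET approves the flow as a side effect with only the `userCode` query parameter as input and no confirmation step, so a signed-in user who follows a link carrying a `userCode` grants that device a session, and the row has no freshness check against `createdAt`; a confirmation page that POSTs the approval, plus an age check on the row, would be the conventional shape unless that UI and expiry live elsewhere.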
@@ -0,0 +1,41 @@ | ||
import {fetchRequestHandler} from '@trpc/server/adapters/fetch' | ||
import type {NextRequest} from 'next/server' | ||
import {createTRPCContext} from '~/server/api/trpc' | ||
import {studioTrpcRouter} from '~/server/studio-api/root' | ||
import {allowCors} from '~/utils' | ||
|
||
// we don't need the trpc routes' responses to be cached | ||
export const dynamic = 'force-dynamic' | ||
|
||
const handler = async (req: NextRequest) => { | ||
if (req.method === 'OPTIONS') { | ||
const res = new Response(null, { | ||
status: 204, | ||
}) | ||
allowCors(res) | ||
return res | ||
} | ||
|
||
const res = await fetchRequestHandler({ | ||
endpoint: '/api/studio-trpc', | ||
req, | ||
router: studioTrpcRouter, | ||
createContext: () => createTRPCContext(), | ||
onError: | ||
process.env.NODE_ENV === 'development' | ||
? ({path, error}) => { | ||
console.error( | ||
`❌ studio-trpc failed on ${path ?? '<no-path>'}: ${ | ||
error.message | ||
}`, | ||
) | ||
} | ||
: undefined, | ||
}) | ||
|
||
allowCors(res) | ||
|
||
return res | ||
} | ||
|
||
export {handler as GET, handler as POST, handler as OPTIONS} |
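Review bot: `onError` is `undefined` outside development, so a failure inside `studioTrpcRouter` in production produces no server-side log at all, which makes auth problems in the new studio API hard to diagnose. Log in every environment and gate only the verbosity on `NODE_ENV`, e.g. `onError: ({path, error}) => { console.error(\`studio-trpc failed on ${path ?? '<no-path>'}: ${error.message}\`) },` — the path and message carry no secrets, and the stack can stay development-only. Also, `createContext: () => createTRPCContext()` passes neither `req` nor the adapter's `resHeaders` to the context factory; if the studio router needs the request's authorization header to identify the caller, it cannot get it from this context unless `createTRPCContext` reads it through Next's request helpers, which is worth a comment here either way.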