From aaa2faffb16e3357373d38932f9f6ffb0aff5b3b Mon Sep 17 00:00:00 2001
From: Hornwitser <code@hornwitser.no>
Date: Wed, 9 Jul 2025 15:21:39 +0200
Subject: [PATCH] Implement register and login with Telegram

Add the concept of authentication methods that authenticate an account
where using the telegram login widget is one such method.  If a login is
done with an authentication method that's not associated with any
account the session ends up with the data from the authentication
method in order to allow registering a new account with the
authentication method.

This has to be stored on the session as otherwise it wouldn't be
possible to implement authentication methods such as OAuth2 that takes
the user to a third-party site and then redirects the browser back.
---
 components/Header.vue                     |   1 +
 components/LogInTelegram.vue              |  61 +++++++++++++
 docs/admin/authentication.md              |  15 ++++
 docs/admin/config.md                      |  18 ++++
 nuxt.config.ts                            |   3 +
 pages/login.vue                           |   3 +
 pages/register.vue                        |  57 ++++++++++++
 server/api/auth/account.post.ts           |  39 +++++++--
 server/api/auth/ap/telegram-login.post.ts | 100 ++++++++++++++++++++++
 server/database.ts                        |  27 ++++++
 server/utils/session.ts                   |  15 +++-
 shared/types/api.ts                       |   2 +
 shared/types/telegram.ts                  |  20 +++++
 stores/session.ts                         |   4 +
 14 files changed, 357 insertions(+), 8 deletions(-)
 create mode 100644 components/LogInTelegram.vue
 create mode 100644 docs/admin/authentication.md
 create mode 100644 pages/register.vue
 create mode 100644 server/api/auth/ap/telegram-login.post.ts
 create mode 100644 shared/types/telegram.ts

diff --git a/components/Header.vue b/components/Header.vue
index 0d9e95d..fd79684 100644
--- a/components/Header.vue
+++ b/components/Header.vue
@@ -33,6 +33,7 @@
 			</template>
 			<template v-else>
 				<NuxtLink to="/login">Log In</NuxtLink>
+				<NuxtLink to="/register">Register</NuxtLink>
 			</template>
 		</div>
 	</header>
diff --git a/components/LogInTelegram.vue b/components/LogInTelegram.vue
new file mode 100644
index 0000000..d56fa98
--- /dev/null
+++ b/components/LogInTelegram.vue
@@ -0,0 +1,61 @@
+<!--
+	SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
+	SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+<template>
+	<div ref="div">
+		<button
+			v-if="!loaded"
+			@click="load"
+		>
+			Enable Log in with Telegram
+		</button>
+	</div>
+</template>
+
+<script lang="ts" setup>
+import type { TelegramAuthData } from '~/shared/types/telegram';
+
+const divElement = useTemplateRef("div");
+const loaded = ref(false);
+const runtimeConfig = useRuntimeConfig();
+const sessionStore = useSessionStore();
+const route = useRoute();
+
+function load() {
+	const script = document.createElement("script");
+	script.async = true;
+	script.src = "https://telegram.org/js/telegram-widget.js?22";
+	script.dataset.telegramLogin = runtimeConfig.public.telegramBotUsername;
+	script.dataset.size = "medium";
+	script.dataset.onauth = "onTelegramAuth(user)";
+	script.dataset.requestAccess = "write";
+	divElement.value?.appendChild(script);
+	loaded.value = true;
+}
+
+async function login(authData: TelegramAuthData) {
+	const session = await $fetch("/api/auth/ap/telegram-login", {
+		method: "POST",
+		body: {
+			authData,
+		},
+	});
+	sessionStore.update(session);
+	if (!session.account) {
+		await navigateTo("/register");
+	} else if (route.path === "/register") {
+		await navigateTo("/");
+	}
+}
+
+declare global {
+	export function onTelegramAuth(user: any): void;
+}
+onMounted(() => {
+	// XXX this asumes there's only ever one LogInTelegram component mounted
+	window.onTelegramAuth = function(authData: TelegramAuthData) {
+		login(authData).catch(err => alert(err.data?.message ?? err.message));
+	};
+});
+</script>
diff --git a/docs/admin/authentication.md b/docs/admin/authentication.md
new file mode 100644
index 0000000..a1fbc3e
--- /dev/null
+++ b/docs/admin/authentication.md
@@ -0,0 +1,15 @@
+<!--
+	SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
+	SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+# Authentication
+
+It's possible to configure authentication using a third party Authentication Provider (referred to as AP). Currently only Telegram is supported as an AP.
+
+## Telegram
+
+In order to use Telegram as an AP you need to be hosting Owltide under a domain name over https, using http will not work.
+
+You will also need a bot which can be created by messaging [@BotFather](https://t.me/BotFather), with the domain of the bot set using the `/setdomain` command to the domain Owltide is hosted under.
+
+Once you have the pre-requisites you need to configure `NUXT_TELEGRAM_BOT_TOKEN_FILE` to a path to a file containing the token of the bot with no spaces or new-lines.  `NUXT_PUBLIC_TELEGRAM_BOT_USERNAME` to the username of the bot.  And finally `NUXT_AUTH_TELEGRAM_ENABLED` to `true` to enable authentication via Telegram.
diff --git a/docs/admin/config.md b/docs/admin/config.md
index e273f7d..b95e08d 100644
--- a/docs/admin/config.md
+++ b/docs/admin/config.md
@@ -19,3 +19,21 @@ Time in seconds before a session need to be rotated over into a new session. Whe
 Time in seconds before a session is deleted from the client and server, resulting in the user having to authenticate again if the session wasn't rotated over into a new session before this timeout.
 
 This should be several times greater that `NUXT_SESSION_ROTATES_TIMEOUT`.
+
+### NUXT_TELEGRAM_BOT_TOKEN_FILE
+
+Path to a file containing the token for the Telegram bot used for authenticating users via Telegram.
+
+Does nothing if `NUXT_AUTH_TELEGRAM_ENABLED` is not enabled.
+
+### NUXT_PUBLIC_TELEGRAM_BOT_USERNAME
+
+Username of the Telegram bot used for authenticating users via Telegram.
+
+Does nothing if `NUXT_AUTH_TELEGRAM_ENABLED` is not enabled.
+
+### NUXT_AUTH_TELEGRAM_ENABLED
+
+Boolean indicating if authentication via Telegram is enabled or not. Requires `NUXT_PUBLIC_TELEGRAM_BOT_USERNAME` and `NUXT_TELEGRAM_BOT_TOKEN_FILE` to be set in order to work.
+
+Defaults to `false`.
diff --git a/nuxt.config.ts b/nuxt.config.ts
index 6ff336a..b970358 100644
--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@@ -27,9 +27,12 @@ export default defineNuxtConfig({
 		sessionDiscardTimeout: 14 * oneDaySeconds,
 		vapidSubject: "",
 		vapidPrivateKeyFile: "",
+		telegramBotTokenFile: "",
 		public: {
 			defaultTimezone: "Europe/Oslo",
 			defaultLocale: "en-GB",
+			authTelegramEnabled: false,
+			telegramBotUsername: "",
 			vapidPublicKey: "",
 		}
 	},
diff --git a/pages/login.vue b/pages/login.vue
index cdb04b8..01b233f 100644
--- a/pages/login.vue
+++ b/pages/login.vue
@@ -9,6 +9,7 @@
 			<input v-model="name" type="text" placeholder="Name" required>
 			<button type="submit">Log In</button>
 		</form>
+		<LogInTelegram v-if="authTelegramEnabled" />
 		<h2 id="create-account">Create Account</h2>
 		<p>If you don't have an account you may create one</p>
 		<form @submit.prevent="createAccount">
@@ -38,6 +39,8 @@ useHead({
 	title: "Login",
 });
 
+const runtimeConfig = useRuntimeConfig();
+const authTelegramEnabled = runtimeConfig.public.authTelegramEnabled;
 const sessionStore = useSessionStore();
 const { getSubscription, subscribe } = usePushNotification();
 
diff --git a/pages/register.vue b/pages/register.vue
new file mode 100644
index 0000000..f9de244
--- /dev/null
+++ b/pages/register.vue
@@ -0,0 +1,57 @@
+<!--
+	SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
+	SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+<template>
+	<main>
+		<h1>Register</h1>
+		<form @submit.prevent="register">
+			<h2>User Details</h2>
+			<p>
+				<label>
+					Username
+					<input type="text" v-model="username">
+				</label>
+			</p>
+			<h2>Authentication Method</h2>
+			<p v-if="sessionStore.authenticationProvider">
+				Provider: {{ sessionStore.authenticationProvider }}
+				<br>Identifier: {{ sessionStore.authenticationName }}
+				<br><button type="button" @click="clearProvider">Clear Method</button>
+			</p>
+			<p v-else>
+				<LogInTelegram />
+			</p>
+			<p>
+				<button type="submit">Register new account</button>
+			</p>
+		</form>
+	</main>
+</template>
+
+<script setup lang="ts">
+const sessionStore = useSessionStore();
+const username = ref("");
+
+async function clearProvider() {
+	sessionStore.logOut();
+}
+async function register() {
+	let session;
+	try {
+		session = await $fetch("/api/auth/account", {
+			method: "POST",
+			body: {
+				name: username.value,
+			},
+		});
+	} catch (err: any) {
+		alert(err.data?.message ?? err.message);
+		return;
+	}
+	sessionStore.update(session);
+	if (session.account) {
+		await navigateTo("/account/settings");
+	}
+}
+</script>
diff --git a/server/api/auth/account.post.ts b/server/api/auth/account.post.ts
index 527215c..2fcbc71 100644
--- a/server/api/auth/account.post.ts
+++ b/server/api/auth/account.post.ts
@@ -2,20 +2,21 @@
 	SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
 	SPDX-License-Identifier: AGPL-3.0-or-later
 */
-import { readUsers, writeUsers, nextUserId, type ServerUser } from "~/server/database";
+import { readUsers, writeUsers, nextUserId, type ServerUser, readAuthenticationMethods, nextAuthenticationMethodId, writeAuthenticationMethods } from "~/server/database";
 import { broadcastEvent } from "~/server/streams";
+import { ApiSession } from "~/shared/types/api";
 
-export default defineEventHandler(async (event) => {
+export default defineEventHandler(async (event): Promise<ApiSession> => {
 	let session = await getServerSession(event, false);
-	if (session) {
+	if (session?.accountId !== undefined) {
 		throw createError({
 			status: 409,
-			message: "Cannot create account while having an active session."
+			message: "Cannot create account while logged in to an account."
 		});
 	}
 
-	const formData = await readFormData(event);
-	const name = formData.get("name");
+	const formData = await readBody(event);
+	const name = formData.name;
 
 	const users = await readUsers();
 	let user: ServerUser;
@@ -54,11 +55,35 @@ export default defineEventHandler(async (event) => {
 		});
 	}
 
+	if (session?.authenticationProvider) {
+		const authMethods = await readAuthenticationMethods();
+		const method = authMethods.find(method => (
+			method.provider === session.authenticationProvider
+			&& method.slug === session.authenticationSlug
+		));
+		if (method) {
+			throw createError({
+				statusCode: 409,
+				statusMessage: "Conflict",
+				message: "A user is already associated with the authentication method",
+			});
+		}
+		authMethods.push({
+			id: await nextAuthenticationMethodId(),
+			userId: user.id,
+			provider: session.authenticationProvider,
+			slug: session.authenticationSlug!,
+			name: session.authenticationName!,
+		})
+		await writeAuthenticationMethods(authMethods);
+	}
+
 	users.push(user);
 	await writeUsers(users);
 	await broadcastEvent({
 		type: "user-update",
 		data: user,
 	});
-	await setServerSession(event, user);
+	const newSession = await setServerSession(event, user);
+	return await serverSessionToApi(event, newSession);
 })
diff --git a/server/api/auth/ap/telegram-login.post.ts b/server/api/auth/ap/telegram-login.post.ts
new file mode 100644
index 0000000..d3c69fd
--- /dev/null
+++ b/server/api/auth/ap/telegram-login.post.ts
@@ -0,0 +1,100 @@
+/*
+	SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
+	SPDX-License-Identifier: AGPL-3.0-or-later
+*/
+import * as fs from "node:fs/promises";
+import type { H3Event } from "h3";
+import { string, z } from "zod/v4-mini";
+import { readAuthenticationMethods, readUsers } from "~/server/database";
+import { type TelegramAuthData, telegramAuthDataSchema } from "~/shared/types/telegram";
+import { ApiSession } from "~/shared/types/api";
+
+const loginSchema = z.object({
+	authData: telegramAuthDataSchema,
+});
+
+let cachedTelegramConfig:
+	| undefined
+	| { enabled: false }
+	| { enabled: true, botUsername: string, secretKey: CryptoKey }
+;
+async function useTelegramConfig(event: H3Event) {
+	if (cachedTelegramConfig)
+		return cachedTelegramConfig;
+
+	const runtimeConfig = useRuntimeConfig(event);
+	if (!runtimeConfig.public.authTelegramEnabled) {
+		return cachedTelegramConfig = {
+			enabled: false,
+		};
+	}
+	if (!runtimeConfig.telegramBotTokenFile) throw new Error("NUXT_TELEGRAM_BOT_TOKEN_FILE not configured");
+	if (!runtimeConfig.public.telegramBotUsername) throw new Error("NUXT_PUBLIC_TELEGRAM_BOT_USERNAME not configured");
+
+	const botToken = await fs.readFile(runtimeConfig.telegramBotTokenFile);
+	const secretKey = await crypto.subtle.importKey(
+		"raw",
+		await crypto.subtle.digest("SHA-256", botToken),
+		{
+			name: "HMAC",
+			hash: "SHA-256",
+		},
+		false,
+		["verify"],
+	);
+	return cachedTelegramConfig = {
+		enabled: true,
+		botUsername: runtimeConfig.public.telegramBotUsername,
+		secretKey,
+	}
+}
+
+async function validateTelegramAuthData(authData: TelegramAuthData, key: CryptoKey) {
+	const { hash, ...checkData } = authData;
+	const checkString = Object.entries(checkData).map(([key, value]) => `${key}=${value}`).sort().join("\n");
+	const signature = Buffer.from(hash, "hex");
+	return await crypto.subtle.verify("HMAC", key, signature, Buffer.from(checkString));
+}
+
+export default defineEventHandler(async (event): Promise<ApiSession> => {
+	const { success, error, data } = loginSchema.safeParse(await readBody(event));
+	if (!success) {
+		throw createError({
+			statusCode: 400,
+			statusMessage: "Bad Request",
+			message: z.prettifyError(error),
+		});
+	}
+
+	const config = await useTelegramConfig(event);
+	if (!config.enabled) {
+		throw createError({
+			statusCode: 403,
+			statusMessage: "Forbidden",
+			message: "Telegram authentication is disabled",
+		});
+	}
+
+	if (!await validateTelegramAuthData(data.authData, config.secretKey)) {
+		throw createError({
+			statusCode: 403,
+			statusMessage: "Forbidden",
+			message: "Validating authentication data failed",
+		});
+	}
+
+	const slug = String(data.authData.id);
+	const authMethods = await readAuthenticationMethods();
+	const method = authMethods.find(method => method.provider === "telegram" && method.slug === slug);
+	let session;
+	if (method) {
+		const users = await readUsers();
+		const account = users.find(user => !user.deleted && user.id === method.userId);
+		session = await setServerSession(event, account);
+	} else {
+		const name = data.authData.username ? "@" + data.authData.username : slug;
+		session = await setServerSession(event, undefined, "telegram", slug, name);
+	}
+
+	return await serverSessionToApi(event, session);
+})
diff --git a/server/database.ts b/server/database.ts
index e3b5c0b..da703e5 100644
--- a/server/database.ts
+++ b/server/database.ts
@@ -10,6 +10,9 @@ export interface ServerSession {
 	id: Id,
 	access: ApiUserType,
 	accountId?: number,
+	authenticationProvider?: "telegram",
+	authenticationSlug?: string,
+	authenticationName?: string,
 	rotatesAtMs: number,
 	expiresAtMs?: number,
 	discardAtMs: number,
@@ -28,6 +31,14 @@ export interface ServerUser {
 	locale?: string,
 }
 
+export interface ServerAuthenticationMethod {
+	id: Id,
+	provider: "telegram",
+	slug: string,
+	name: string,
+	userId: Id,
+}
+
 // For this demo I'm just storing the runtime data in JSON files. When making
 // this into proper application this should be replaced with an actual database.
 
@@ -37,6 +48,8 @@ const usersPath = "data/users.json";
 const nextUserIdPath = "data/next-user-id.json";
 const sessionsPath = "data/sessions.json";
 const nextSessionIdPath = "data/next-session-id.json";
+const authMethodPath = "data/auth-method.json";
+const nextAuthenticationMethodIdPath = "data/auth-method-id.json"
 
 async function remove(path: string) {
 	try {
@@ -137,3 +150,17 @@ export async function readSessions() {
 export async function writeSessions(sessions: ServerSession[]) {
 	await writeFile(sessionsPath, JSON.stringify(sessions, undefined, "\t") + "\n", "utf-8");
 }
+
+export async function nextAuthenticationMethodId() {
+	const nextId = await readJson(nextAuthenticationMethodIdPath, 0);
+	await writeFile(nextAuthenticationMethodIdPath, String(nextId + 1), "utf-8");
+	return nextId;
+}
+
+export async function readAuthenticationMethods() {
+	return readJson<ServerAuthenticationMethod[]>(authMethodPath, [])
+}
+
+export async function writeAuthenticationMethods(authMethods: ServerAuthenticationMethod[]) {
+	await writeFile(authMethodPath, JSON.stringify(authMethods, undefined, "\t") + "\n", "utf-8");
+}
diff --git a/server/utils/session.ts b/server/utils/session.ts
index f89a6b6..9c824e7 100644
--- a/server/utils/session.ts
+++ b/server/utils/session.ts
@@ -51,7 +51,13 @@ export async function clearServerSession(event: H3Event) {
 	deleteCookie(event, "session");
 }
 
-export async function setServerSession(event: H3Event, account: ServerUser) {
+export async function setServerSession(
+	event: H3Event,
+	account: ServerUser | undefined,
+	authenticationProvider?: "telegram",
+	authenticationSlug?: string,
+	authenticationName?: string,
+) {
 	const sessions = await readSessions();
 	const runtimeConfig = useRuntimeConfig(event);
 	await clearServerSessionInternal(event, sessions);
@@ -60,6 +66,9 @@ export async function setServerSession(event: H3Event, account: ServerUser) {
 	const newSession: ServerSession = {
 		access: account?.type ?? "anonymous",
 		accountId: account?.id,
+		authenticationProvider,
+		authenticationSlug,
+		authenticationName,
 		rotatesAtMs: now + runtimeConfig.sessionRotatesTimeout * 1000,
 		discardAtMs: now + runtimeConfig.sessionDiscardTimeout * 1000,
 		id: await nextSessionId(),
@@ -68,6 +77,7 @@ export async function setServerSession(event: H3Event, account: ServerUser) {
 	sessions.push(newSession);
 	await writeSessions(sessions);
 	await setSignedCookie(event, "session", String(newSession.id), runtimeConfig.sessionDiscardTimeout)
+	return newSession;
 }
 
 async function rotateSession(event: H3Event, sessions: ServerSession[], session: ServerSession) {
@@ -78,6 +88,7 @@ async function rotateSession(event: H3Event, sessions: ServerSession[], session:
 	const newSession: ServerSession = {
 		accountId: account?.id,
 		access: account?.type ?? "anonymous",
+		// Authentication provider is removed to avoid possibility of an infinite delay before using it.
 		rotatesAtMs: now + runtimeConfig.sessionRotatesTimeout * 1000,
 		discardAtMs: now + runtimeConfig.sessionDiscardTimeout * 1000,
 		id: await nextSessionId(),
@@ -172,6 +183,8 @@ export async function serverSessionToApi(event: H3Event, session: ServerSession)
 	return {
 		id: session.id,
 		account,
+		authenticationProvider: session.authenticationProvider,
+		authenticationName: session.authenticationName,
 		push,
 	};
 }
diff --git a/shared/types/api.ts b/shared/types/api.ts
index 3f2d421..64812ac 100644
--- a/shared/types/api.ts
+++ b/shared/types/api.ts
@@ -70,6 +70,8 @@ export type ApiSubscription = z.infer<typeof apiSubscriptionSchema>;
 export interface ApiSession {
 	id: Id,
 	account?: ApiAccount,
+	authenticationProvider?: "telegram",
+	authenticationName?: string,
 	push: boolean,
 }
 
diff --git a/shared/types/telegram.ts b/shared/types/telegram.ts
new file mode 100644
index 0000000..b7caeb7
--- /dev/null
+++ b/shared/types/telegram.ts
@@ -0,0 +1,20 @@
+/*
+	SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
+	SPDX-License-Identifier: AGPL-3.0-or-later
+*/
+import { z } from "zod/v4-mini";
+
+export const telegramAuthDataSchema = z.catchall(
+	z.object({
+		// These fields are pure speculation as the actual API is undocumented.
+		auth_date: z.number(),
+		first_name: z.optional(z.string()),
+		hash: z.string(),
+		id: z.number(),
+		last_name: z.optional(z.string()),
+		photo_url: z.optional(z.string()),
+		username: z.optional(z.string()),
+	}),
+	z.union([z.string(), z.number()]),
+);
+export type TelegramAuthData = z.infer<typeof telegramAuthDataSchema>;
diff --git a/stores/session.ts b/stores/session.ts
index 2545c4f..ddba323 100644
--- a/stores/session.ts
+++ b/stores/session.ts
@@ -26,6 +26,8 @@ const fetchSessionWithCookie = async (event?: H3Event) => {
 export const useSessionStore = defineStore("session", () => {
 	const state = {
 		account: ref<ApiAccount>(),
+		authenticationProvider: ref<string>(),
+		authenticationName: ref<string>(),
 		id: ref<number>(),
 		push: ref<boolean>(false),
 	};
@@ -37,6 +39,8 @@ export const useSessionStore = defineStore("session", () => {
 		},
 		update(session?: ApiSession) {
 			state.account.value = session?.account;
+			state.authenticationProvider.value = session?.authenticationProvider;
+			state.authenticationName.value = session?.authenticationName;
 			state.id.value = session?.id;
 			state.push.value = session?.push ?? false;
 		},