Implement register and login with Telegram
Add the concept of authentication methods that authenticate an account where using the telegram login widget is one such method. If a login is done with an authentication method that's not associated with any account the session ends up with the data from the authentication method in order to allow registering a new account with the authentication method. This has to be stored on the session as otherwise it wouldn't be possible to implement authentication methods such as OAuth2 that takes the user to a third-party site and then redirects the browser back.
This commit is contained in:
parent
2d6bcebc5a
commit
aaa2faffb1
14 changed files with 357 additions and 8 deletions
|
|
@ -2,20 +2,21 @@
|
|||
SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
|
||||
SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
*/
|
||||
import { readUsers, writeUsers, nextUserId, type ServerUser } from "~/server/database";
|
||||
import { readUsers, writeUsers, nextUserId, type ServerUser, readAuthenticationMethods, nextAuthenticationMethodId, writeAuthenticationMethods } from "~/server/database";
|
||||
import { broadcastEvent } from "~/server/streams";
|
||||
import { ApiSession } from "~/shared/types/api";
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
export default defineEventHandler(async (event): Promise<ApiSession> => {
|
||||
let session = await getServerSession(event, false);
|
||||
if (session) {
|
||||
if (session?.accountId !== undefined) {
|
||||
throw createError({
|
||||
status: 409,
|
||||
message: "Cannot create account while having an active session."
|
||||
message: "Cannot create account while logged in to an account."
|
||||
});
|
||||
}
|
||||
|
||||
const formData = await readFormData(event);
|
||||
const name = formData.get("name");
|
||||
const formData = await readBody(event);
|
||||
const name = formData.name;
|
||||
|
||||
const users = await readUsers();
|
||||
let user: ServerUser;
|
||||
|
|
@ -54,11 +55,35 @@ export default defineEventHandler(async (event) => {
|
|||
});
|
||||
}
|
||||
|
||||
if (session?.authenticationProvider) {
|
||||
const authMethods = await readAuthenticationMethods();
|
||||
const method = authMethods.find(method => (
|
||||
method.provider === session.authenticationProvider
|
||||
&& method.slug === session.authenticationSlug
|
||||
));
|
||||
if (method) {
|
||||
throw createError({
|
||||
statusCode: 409,
|
||||
statusMessage: "Conflict",
|
||||
message: "A user is already associated with the authentication method",
|
||||
});
|
||||
}
|
||||
authMethods.push({
|
||||
id: await nextAuthenticationMethodId(),
|
||||
userId: user.id,
|
||||
provider: session.authenticationProvider,
|
||||
slug: session.authenticationSlug!,
|
||||
name: session.authenticationName!,
|
||||
})
|
||||
await writeAuthenticationMethods(authMethods);
|
||||
}
|
||||
|
||||
users.push(user);
|
||||
await writeUsers(users);
|
||||
await broadcastEvent({
|
||||
type: "user-update",
|
||||
data: user,
|
||||
});
|
||||
await setServerSession(event, user);
|
||||
const newSession = await setServerSession(event, user);
|
||||
return await serverSessionToApi(event, newSession);
|
||||
})
|
||||
|
|
|
|||
100
server/api/auth/ap/telegram-login.post.ts
Normal file
100
server/api/auth/ap/telegram-login.post.ts
Normal file
|
|
@ -0,0 +1,100 @@
|
|||
/*
|
||||
SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
|
||||
SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
*/
|
||||
import * as fs from "node:fs/promises";
|
||||
import type { H3Event } from "h3";
|
||||
import { string, z } from "zod/v4-mini";
|
||||
import { readAuthenticationMethods, readUsers } from "~/server/database";
|
||||
import { type TelegramAuthData, telegramAuthDataSchema } from "~/shared/types/telegram";
|
||||
import { ApiSession } from "~/shared/types/api";
|
||||
|
||||
const loginSchema = z.object({
|
||||
authData: telegramAuthDataSchema,
|
||||
});
|
||||
|
||||
let cachedTelegramConfig:
|
||||
| undefined
|
||||
| { enabled: false }
|
||||
| { enabled: true, botUsername: string, secretKey: CryptoKey }
|
||||
;
|
||||
async function useTelegramConfig(event: H3Event) {
|
||||
if (cachedTelegramConfig)
|
||||
return cachedTelegramConfig;
|
||||
|
||||
const runtimeConfig = useRuntimeConfig(event);
|
||||
if (!runtimeConfig.public.authTelegramEnabled) {
|
||||
return cachedTelegramConfig = {
|
||||
enabled: false,
|
||||
};
|
||||
}
|
||||
if (!runtimeConfig.telegramBotTokenFile) throw new Error("NUXT_TELEGRAM_BOT_TOKEN_FILE not configured");
|
||||
if (!runtimeConfig.public.telegramBotUsername) throw new Error("NUXT_PUBLIC_TELEGRAM_BOT_USERNAME not configured");
|
||||
|
||||
const botToken = await fs.readFile(runtimeConfig.telegramBotTokenFile);
|
||||
const secretKey = await crypto.subtle.importKey(
|
||||
"raw",
|
||||
await crypto.subtle.digest("SHA-256", botToken),
|
||||
{
|
||||
name: "HMAC",
|
||||
hash: "SHA-256",
|
||||
},
|
||||
false,
|
||||
["verify"],
|
||||
);
|
||||
return cachedTelegramConfig = {
|
||||
enabled: true,
|
||||
botUsername: runtimeConfig.public.telegramBotUsername,
|
||||
secretKey,
|
||||
}
|
||||
}
|
||||
|
||||
async function validateTelegramAuthData(authData: TelegramAuthData, key: CryptoKey) {
|
||||
const { hash, ...checkData } = authData;
|
||||
const checkString = Object.entries(checkData).map(([key, value]) => `${key}=${value}`).sort().join("\n");
|
||||
const signature = Buffer.from(hash, "hex");
|
||||
return await crypto.subtle.verify("HMAC", key, signature, Buffer.from(checkString));
|
||||
}
|
||||
|
||||
export default defineEventHandler(async (event): Promise<ApiSession> => {
|
||||
const { success, error, data } = loginSchema.safeParse(await readBody(event));
|
||||
if (!success) {
|
||||
throw createError({
|
||||
statusCode: 400,
|
||||
statusMessage: "Bad Request",
|
||||
message: z.prettifyError(error),
|
||||
});
|
||||
}
|
||||
|
||||
const config = await useTelegramConfig(event);
|
||||
if (!config.enabled) {
|
||||
throw createError({
|
||||
statusCode: 403,
|
||||
statusMessage: "Forbidden",
|
||||
message: "Telegram authentication is disabled",
|
||||
});
|
||||
}
|
||||
|
||||
if (!await validateTelegramAuthData(data.authData, config.secretKey)) {
|
||||
throw createError({
|
||||
statusCode: 403,
|
||||
statusMessage: "Forbidden",
|
||||
message: "Validating authentication data failed",
|
||||
});
|
||||
}
|
||||
|
||||
const slug = String(data.authData.id);
|
||||
const authMethods = await readAuthenticationMethods();
|
||||
const method = authMethods.find(method => method.provider === "telegram" && method.slug === slug);
|
||||
let session;
|
||||
if (method) {
|
||||
const users = await readUsers();
|
||||
const account = users.find(user => !user.deleted && user.id === method.userId);
|
||||
session = await setServerSession(event, account);
|
||||
} else {
|
||||
const name = data.authData.username ? "@" + data.authData.username : slug;
|
||||
session = await setServerSession(event, undefined, "telegram", slug, name);
|
||||
}
|
||||
|
||||
return await serverSessionToApi(event, session);
|
||||
})
|
||||
Loading…
Add table
Add a link
Reference in a new issue