fragginwagon/memory-infrastructure-palace
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor authentication handling and improve API client security

Browse Source 
- Updated OAuth endpoints for Challonge and Discord in platforms configuration.
- Implemented session and CSRF cookie initialization in main application entry.
- Enhanced Challonge API client to avoid sending sensitive API keys from the browser.
- Modified tournament querying to handle new state definitions and improved error handling.
- Updated UI components to reflect server-side storage of authentication tokens.
- Improved user experience in API Key Manager and Authentication Hub with clearer messaging.
- Refactored client credentials management to support asynchronous operations.
- Adjusted API client tests to validate new request configurations.
- Updated Vite configuration to support session and CSRF handling through proxies.
This commit is contained in:
Greg Jacobs
2026-02-03 12:50:11 -05:00
parent 161b758a1b
commit 700c1cbbbe
39 changed files with 2434 additions and 999 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
code/websites/pokedex.online/server/data/oauth-tokens.json Normal file
View File

File diff suppressed because one or more lines are too long

68
code/websites/pokedex.online/server/middleware/csrf.js Normal file
View File

@@ -0,0 +1,68 @@
import { COOKIE_NAMES } from '../utils/cookie-options.js';
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
function getCookieValuesFromHeader(cookieHeader, name) {
if (!cookieHeader || typeof cookieHeader !== 'string') return [];
const values = [];
const pattern = new RegExp(`(?:^|;\\s*)${name}=([^;]*)`, 'g');
let match;
while ((match = pattern.exec(cookieHeader)) !== null) {
values.push(match[1]);
}
return values;
}
export function csrfMiddleware(options = {}) {
const {
cookieName = COOKIE_NAMES.csrf,
headerName = 'x-csrf-token',
requireOriginCheck = false,
allowedOrigin = null
} = options;
return function csrf(req, res, next) {
if (SAFE_METHODS.has(req.method)) return next();
// Optional origin check hardening (recommended in production)
if (requireOriginCheck && allowedOrigin) {
const origin = req.headers.origin;
const referer = req.headers.referer;
const ok =
(origin && origin === allowedOrigin) ||
(!origin && referer && referer.startsWith(allowedOrigin));
if (!ok) {
return res.status(403).json({
error: 'CSRF origin check failed',
code: 'CSRF_ORIGIN_FAILED'
});
}
}
const csrfCookie = req.cookies?.[cookieName];
const csrfHeader = req.headers[headerName];
// Handle duplicate cookies with the same name (e.g. legacy '/api' path plus
// current '/' path). cookie-parser will pick one value, but the browser may
// send both. Accept if the header matches ANY provided cookie value.
const rawHeader = req.headers?.cookie || '';
const rawValues = getCookieValuesFromHeader(rawHeader, cookieName).map(v => {
try {
return decodeURIComponent(v);
} catch {
return v;
}
});
const anyMatch = csrfHeader && rawValues.includes(csrfHeader);
if (!csrfHeader || (!csrfCookie && !anyMatch) || (csrfCookie !== csrfHeader && !anyMatch)) {
return res.status(403).json({
error: 'CSRF validation failed',
code: 'CSRF_FAILED'
});
}
return next();
};
}

96
code/websites/pokedex.online/server/middleware/sid.js Normal file
View File

@@ -0,0 +1,96 @@
import crypto from 'node:crypto';
import {
COOKIE_NAMES,
generateToken,
getLegacyCsrfCookieOptions,
getLegacySidCookieOptions,
getSidCookieOptions
} from '../utils/cookie-options.js';
function signSid(sessionSecret, sid) {
return crypto
.createHmac('sha256', sessionSecret)
.update(sid)
.digest('base64url');
}
function parseAndVerifySignedSid(sessionSecret, signedValue) {
if (!signedValue || typeof signedValue !== 'string') return null;
const idx = signedValue.lastIndexOf('.');
if (idx <= 0) return null;
const sid = signedValue.slice(0, idx);
const sig = signedValue.slice(idx + 1);
if (!sid || !sig) return null;
const expected = signSid(sessionSecret, sid);
try {
if (!crypto.timingSafeEqual(Buffer.from(sig), Buffer.from(expected))) {
return null;
}
} catch {
return null;
}
return sid;
}
function getCookieValuesFromHeader(cookieHeader, name) {
if (!cookieHeader || typeof cookieHeader !== 'string') return [];
// Multiple cookies with the same name can exist if older cookies were scoped
// to a different path (e.g. '/api') than newer ones ('/').
const values = [];
const pattern = new RegExp(`(?:^|;\\s*)${name}=([^;]*)`, 'g');
let match;
while ((match = pattern.exec(cookieHeader)) !== null) {
values.push(match[1]);
}
return values;
}
export function sidMiddleware({ sessionSecret, config }) {
if (!sessionSecret) {
throw new Error('sidMiddleware requires sessionSecret');
}
return function sid(req, res, next) {
// If older cookies (scoped to '/api') exist alongside newer cookies
// (scoped to '/'), browsers may send both. Some parsers will then pick the
// "wrong" one depending on header order, causing auth to appear connected
// in one request and missing in another.
const rawCookieHeader = req.headers?.cookie || '';
if (rawCookieHeader.includes(`${COOKIE_NAMES.sid}=`)) {
res.clearCookie(COOKIE_NAMES.sid, getLegacySidCookieOptions(config));
}
if (rawCookieHeader.includes(`${COOKIE_NAMES.csrf}=`)) {
res.clearCookie(COOKIE_NAMES.csrf, getLegacyCsrfCookieOptions(config));
}
const signedCandidates = getCookieValuesFromHeader(
rawCookieHeader,
COOKIE_NAMES.sid
);
const signedFromParser = req.cookies?.[COOKIE_NAMES.sid];
if (signedFromParser) signedCandidates.push(signedFromParser);
// If multiple signed SIDs are present (legacy '/api' cookie + current '/'),
// browsers tend to send the more-specific path cookie first.
// Prefer the last valid SID to bias towards the newer '/' cookie.
let sid = null;
for (let i = signedCandidates.length - 1; i >= 0; i -= 1) {
const signed = signedCandidates[i];
sid = parseAndVerifySignedSid(sessionSecret, signed);
if (sid) break;
}
if (!sid) {
sid = generateToken(24);
const signedSid = `${sid}.${signSid(sessionSecret, sid)}`;
res.cookie(COOKIE_NAMES.sid, signedSid, getSidCookieOptions(config));
}
req.sid = sid;
next();
};
}

291
code/websites/pokedex.online/server/oauth-proxy.js
View File

@@ -12,34 +12,22 @@
import 'dotenv/config';
import express from 'express';
import cors from 'cors';
import fetch from 'node-fetch';
import cookieParser from 'cookie-parser';
import gamemasterRouter from './gamemaster-api.js';
import { createAuthRouter } from './routes/auth.js';
import { createOAuthRouter } from './routes/oauth.js';
import { createSessionRouter } from './routes/session.js';
import { createChallongeProxyRouter } from './routes/challonge.js';
import { createDiscordRouter } from './routes/discord.js';
import { validateOrExit, getConfig } from './utils/env-validator.js';
import logger, { requestLogger, errorLogger } from './utils/logger.js';
import {
setupGracefulShutdown,
createHealthCheckMiddleware
} from './utils/graceful-shutdown.js';
async function safeParseJsonResponse(response) {
const rawText = await response.text();
if (!rawText) {
return { data: {}, rawText: '' };
}
try {
return { data: JSON.parse(rawText), rawText };
} catch (error) {
return {
data: {
error: 'Invalid JSON response from upstream',
raw: rawText.slice(0, 1000)
},
rawText
};
}
}
import { sidMiddleware } from './middleware/sid.js';
import { csrfMiddleware } from './middleware/csrf.js';
import { createOAuthTokenStore } from './services/oauth-token-store.js';
// Validate environment variables
validateOrExit();
@@ -49,11 +37,31 @@ const config = getConfig();
const app = express();
// Behind nginx reverse proxy in production
app.set('trust proxy', 1);
// Middleware
app.use(cors({ origin: config.cors.origin }));
app.use(
cors({
origin: config.cors.origin,
credentials: true
})
);
app.use(cookieParser());
app.use(express.json());
app.use(requestLogger);
// Per-session identity (httpOnly signed SID cookie)
app.use(
sidMiddleware({
sessionSecret: config.session.secret,
config
})
);
// Encrypted per-session provider token store
const tokenStore = createOAuthTokenStore({ sessionSecret: config.session.secret });
// Mount API routes (nginx strips /api/ prefix before forwarding)
app.use('/gamemaster', gamemasterRouter);
app.use(
@@ -64,235 +72,22 @@ app.use(
})
);
/**
* Exchange authorization code for access token
* POST /oauth/token
* Supports multiple providers: Challonge, Discord
*/
app.post('/oauth/token', async (req, res) => {
const { code, provider = 'challonge' } = req.body;
// Session + CSRF helpers
app.use('/session', createSessionRouter({ config, tokenStore }));
if (!code) {
logger.warn('OAuth token request missing authorization code');
return res.status(400).json({ error: 'Missing authorization code' });
}
// Provider OAuth (server-owned tokens; browser never receives access/refresh tokens)
app.use(
'/oauth',
csrfMiddleware({
requireOriginCheck: config.isProduction,
allowedOrigin: config.cors.origin
})
);
app.use('/oauth', createOAuthRouter({ config, tokenStore }));
try {
// Handle Discord OAuth
if (provider === 'discord') {
const clientId = process.env.VITE_DISCORD_CLIENT_ID;
const clientSecret = process.env.DISCORD_CLIENT_SECRET;
const redirectUri =
process.env.DISCORD_REDIRECT_URI ||
process.env.VITE_DISCORD_REDIRECT_URI;
if (!clientId || !clientSecret || !redirectUri) {
logger.warn('Discord OAuth not configured', {
hasClientId: !!clientId,
hasClientSecret: !!clientSecret,
hasRedirectUri: !!redirectUri
});
return res.status(503).json({
error: 'Discord OAuth not configured',
message:
'Set VITE_DISCORD_CLIENT_ID, DISCORD_CLIENT_SECRET, and DISCORD_REDIRECT_URI environment variables'
});
}
logger.debug('Exchanging Discord authorization code for access token');
const response = await fetch('https://discord.com/api/oauth2/token', {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
body: new URLSearchParams({
client_id: clientId,
client_secret: clientSecret,
grant_type: 'authorization_code',
code: code,
redirect_uri: redirectUri
})
});
const { data, rawText } = await safeParseJsonResponse(response);
if (!response.ok) {
logger.error('Discord token exchange failed', {
status: response.status,
data
});
return res.status(response.status).json(data);
}
if (!data?.access_token) {
logger.error('Discord token exchange returned invalid payload', {
status: response.status,
raw: rawText.slice(0, 1000)
});
return res.status(502).json({
error: 'Invalid response from Discord',
raw: rawText.slice(0, 1000)
});
}
// Fetch Discord user info to check permissions
try {
const userResponse = await fetch('https://discord.com/api/users/@me', {
headers: {
Authorization: `Bearer ${data.access_token}`
}
});
if (userResponse.ok) {
const userData = await userResponse.json();
const username = userData.username?.toLowerCase();
const globalName = userData.global_name?.toLowerCase();
const discordId = userData.id;
logger.info('Discord user authenticated', {
username: userData.username,
id: discordId
});
// Check if user is in admin list
const isAdmin = config.discord.adminUsers.some(
adminUser =>
adminUser === username ||
adminUser === globalName ||
adminUser === discordId
);
// Add user info and permissions to response
data.discord_user = {
id: discordId,
username: userData.username,
global_name: userData.global_name,
discriminator: userData.discriminator,
avatar: userData.avatar
};
data.permissions = isAdmin ? ['developer_tools.view'] : [];
if (isAdmin) {
logger.info('Discord user granted developer access', {
username: userData.username
});
}
} else {
logger.warn('Failed to fetch Discord user info', {
status: userResponse.status
});
}
} catch (userError) {
logger.warn('Error fetching Discord user info', {
error: userError.message
});
// Continue without user info - token is still valid
}
logger.info('Discord token exchange successful');
return res.json(data);
}
// Handle Challonge OAuth (default)
if (!config.challonge.configured) {
logger.warn('OAuth token request received but Challonge not configured');
return res.status(503).json({
error: 'Challonge OAuth not configured',
message:
'Set CHALLONGE_CLIENT_ID and CHALLONGE_CLIENT_SECRET environment variables'
});
}
logger.debug('Exchanging Challonge authorization code for access token');
const response = await fetch('https://api.challonge.com/oauth/token', {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
body: new URLSearchParams({
grant_type: 'authorization_code',
client_id: config.challonge.clientId,
client_secret: config.challonge.clientSecret,
code: code,
redirect_uri: config.challonge.redirectUri
})
});
const data = await response.json();
if (!response.ok) {
logger.error('Challonge token exchange failed', {
status: response.status,
data
});
return res.status(response.status).json(data);
}
logger.info('Challonge token exchange successful');
res.json(data);
} catch (error) {
logger.error('Token exchange error', { provider, error: error.message });
res.status(500).json({
error: 'Token exchange failed',
message: error.message
});
}
});
/**
* Refresh access token
* POST /oauth/refresh
*/
app.post('/oauth/refresh', async (req, res) => {
if (!config.challonge.configured) {
logger.warn('OAuth refresh request received but Challonge not configured');
return res.status(503).json({
error: 'Challonge OAuth not configured',
message:
'Set CHALLONGE_CLIENT_ID and CHALLONGE_CLIENT_SECRET environment variables'
});
}
const { refresh_token } = req.body;
if (!refresh_token) {
logger.warn('OAuth refresh request missing refresh token');
return res.status(400).json({ error: 'Missing refresh token' });
}
try {
logger.debug('Refreshing access token');
const response = await fetch('https://api.challonge.com/oauth/token', {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
body: new URLSearchParams({
grant_type: 'refresh_token',
client_id: config.challonge.clientId,
client_secret: config.challonge.clientSecret,
refresh_token: refresh_token
})
});
const data = await response.json();
if (!response.ok) {
logger.error('Token refresh failed', { status: response.status, data });
return res.status(response.status).json(data);
}
logger.info('Token refresh successful');
res.json(data);
} catch (error) {
logger.error('Token refresh error', { error: error.message });
res.status(500).json({
error: 'Token refresh failed',
message: error.message
});
}
});
// Provider API proxies (no split brain)
app.use('/challonge', createChallongeProxyRouter({ config, tokenStore }));
app.use('/discord', createDiscordRouter({ tokenStore }));
/**
* Health check endpoint (with graceful shutdown support)

6
code/websites/pokedex.online/server/package.json
View File

@@ -6,9 +6,9 @@
"main": "oauth-proxy.js",
"scripts": {
"start": "node oauth-proxy.js",
"dev": "node oauth-proxy.js",
"dev": "DOTENV_CONFIG_PATH=.env.development node oauth-proxy.js",
"build": "echo 'Backend is Node.js - no build step required'",
"gamemaster": "node gamemaster-api.js",
"gamemaster": "DOTENV_CONFIG_PATH=.env.development node gamemaster-api.js",
"test": "vitest",
"test:run": "vitest run",
"lint": "echo 'Add ESLint when ready'",
@@ -16,8 +16,10 @@
},
"dependencies": {
"cors": "^2.8.5",
"cookie-parser": "^1.4.6",
"dotenv": "^16.6.1",
"express": "^4.18.2",
"jsonwebtoken": "^9.0.2",
"node-fetch": "^3.3.2",
"express-rate-limit": "^7.1.5",
"winston": "^3.11.0"

253
code/websites/pokedex.online/server/routes/challonge.js Normal file
View File

@@ -0,0 +1,253 @@
import express from 'express';
import fetch from 'node-fetch';
import logger from '../utils/logger.js';
function isExpired(expiresAt) {
if (!expiresAt) return false;
return Date.now() >= expiresAt - 30_000; // 30s buffer
}
async function refreshUserOAuth({ config, refreshToken }) {
const response = await fetch('https://api.challonge.com/oauth/token', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({
grant_type: 'refresh_token',
client_id: config.challonge.clientId,
client_secret: config.challonge.clientSecret,
refresh_token: refreshToken
})
});
const payload = await response.json().catch(() => ({}));
if (!response.ok) {
const err = new Error('Challonge refresh failed');
err.status = response.status;
err.payload = payload;
throw err;
}
return payload;
}
async function exchangeClientCredentials({ clientId, clientSecret, scope }) {
const response = await fetch('https://api.challonge.com/oauth/token', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({
grant_type: 'client_credentials',
client_id: clientId,
client_secret: clientSecret,
...(scope ? { scope } : {})
})
});
const payload = await response.json().catch(() => ({}));
if (!response.ok) {
const err = new Error('Challonge client_credentials exchange failed');
err.status = response.status;
err.payload = payload;
throw err;
}
return payload;
}
function computeExpiresAt(expiresInSeconds) {
const ttl = Number(expiresInSeconds || 0);
if (!ttl || Number.isNaN(ttl)) return null;
return Date.now() + ttl * 1000;
}
export function createChallongeProxyRouter({ config, tokenStore }) {
const router = express.Router();
// Proxy all Challonge requests through backend; auth is derived from SID-stored credentials.
router.all('/*', async (req, res) => {
try {
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
const challongeRecord = (await tokenStore.getProviderRecord(req.sid, 'challonge')) || {};
// Determine upstream path relative to this router mount
// This router is mounted at /challonge, so req.url starts with /v1/... or /v2.1/...
const upstreamPath = req.url.replace(/^\/+/, '');
const upstreamUrl = new URL(`https://api.challonge.com/${upstreamPath}`);
const authTypeRaw = req.header('Authorization-Type');
const authType = authTypeRaw?.toLowerCase();
const wantsApplication = upstreamPath.startsWith('v2.1/application/');
const isSafeMethod = req.method === 'GET' || req.method === 'HEAD';
// Build headers
const headers = { ...req.headers };
delete headers.host;
delete headers.connection;
delete headers['content-length'];
// Normalize sensitive/auth headers (avoid duplicate casing like
// 'authorization-type' + 'Authorization-Type' which can confuse upstream)
delete headers.authorization;
delete headers.Authorization;
delete headers['authorization-type'];
delete headers['Authorization-Type'];
// Apply auth based on request + stored credentials
if (upstreamPath.startsWith('v1/')) {
const apiKey = challongeRecord.api_key?.token;
if (!apiKey) {
return res.status(401).json({
error: 'Challonge API key not configured for this session',
code: 'CHALLONGE_API_KEY_REQUIRED'
});
}
upstreamUrl.searchParams.set('api_key', apiKey);
} else if (upstreamPath.startsWith('v2.1/')) {
if (wantsApplication) {
const app = challongeRecord.client_credentials;
if (!app?.client_id || !app?.client_secret) {
return res.status(401).json({
error: 'Challonge client credentials not configured for this session',
code: 'CHALLONGE_CLIENT_CREDENTIALS_REQUIRED'
});
}
let accessToken = app.access_token;
if (!accessToken || isExpired(app.expires_at)) {
const exchanged = await exchangeClientCredentials({
clientId: app.client_id,
clientSecret: app.client_secret,
scope: app.scope
});
challongeRecord.client_credentials = {
...app,
access_token: exchanged.access_token,
token_type: exchanged.token_type,
scope: exchanged.scope,
expires_at: computeExpiresAt(exchanged.expires_in)
};
await tokenStore.setProviderRecord(req.sid, 'challonge', challongeRecord);
accessToken = challongeRecord.client_credentials.access_token;
}
headers['authorization'] = `Bearer ${accessToken}`;
headers['authorization-type'] = 'v2';
} else if (authType === 'v1') {
// v2.1 supports legacy API key via Authorization header + Authorization-Type: v1
const apiKey = challongeRecord.api_key?.token;
if (!apiKey) {
return res.status(401).json({
error: 'Challonge API key not configured for this session',
code: 'CHALLONGE_API_KEY_REQUIRED'
});
}
headers['authorization'] = apiKey;
headers['authorization-type'] = 'v1';
} else {
// default to user OAuth (Bearer)
const user = challongeRecord.user_oauth;
if (!user?.access_token) {
return res.status(401).json({
error: 'Challonge OAuth not connected for this session',
code: 'CHALLONGE_OAUTH_REQUIRED'
});
}
let accessToken = user.access_token;
if (isExpired(user.expires_at) && user.refresh_token && config.challonge.configured) {
try {
const refreshed = await refreshUserOAuth({
config,
refreshToken: user.refresh_token
});
challongeRecord.user_oauth = {
...user,
access_token: refreshed.access_token,
refresh_token: refreshed.refresh_token || user.refresh_token,
token_type: refreshed.token_type,
scope: refreshed.scope,
expires_at: computeExpiresAt(refreshed.expires_in)
};
await tokenStore.setProviderRecord(req.sid, 'challonge', challongeRecord);
accessToken = challongeRecord.user_oauth.access_token;
} catch (err) {
logger.warn('Failed to refresh Challonge user OAuth token', {
status: err.status,
payload: err.payload
});
}
}
headers['authorization'] = `Bearer ${accessToken}`;
headers['authorization-type'] = 'v2';
}
}
const fetchOptions = {
method: req.method,
headers
};
if (req.method !== 'GET' && req.method !== 'HEAD') {
if (req.body !== undefined && req.body !== null) {
// express.json parsed it already
fetchOptions.body = JSON.stringify(req.body);
}
}
let upstreamResponse = await fetch(upstreamUrl.toString(), fetchOptions);
// If user OAuth is present but invalid/revoked, the upstream may return 401/403.
// For safe methods, fall back to the stored API key if available.
// This helps avoid a confusing "connected" state that still can't query tournaments.
if (
isSafeMethod &&
upstreamPath.startsWith('v2.1/') &&
!wantsApplication &&
authType !== 'v1' &&
(upstreamResponse.status === 401 || upstreamResponse.status === 403)
) {
const apiKey = challongeRecord.api_key?.token;
if (apiKey) {
logger.warn('Challonge v2.1 user OAuth unauthorized; retrying with API key', {
status: upstreamResponse.status,
path: upstreamPath
});
const retryHeaders = { ...headers };
delete retryHeaders.authorization;
delete retryHeaders.Authorization;
delete retryHeaders['authorization-type'];
delete retryHeaders['Authorization-Type'];
retryHeaders['authorization'] = apiKey;
retryHeaders['authorization-type'] = 'v1';
upstreamResponse = await fetch(upstreamUrl.toString(), {
...fetchOptions,
headers: retryHeaders
});
}
}
// Forward status + headers (minimal)
res.status(upstreamResponse.status);
const contentType = upstreamResponse.headers.get('content-type');
if (contentType) res.setHeader('content-type', contentType);
const buf = await upstreamResponse.arrayBuffer();
return res.send(Buffer.from(buf));
} catch (err) {
logger.error('Challonge proxy error', { error: err.message });
return res.status(502).json({
error: 'Challonge proxy failed',
code: 'CHALLONGE_PROXY_FAILED'
});
}
});
return router;
}

41
code/websites/pokedex.online/server/routes/discord.js Normal file
View File

@@ -0,0 +1,41 @@
import express from 'express';
import fetch from 'node-fetch';
export function createDiscordRouter({ tokenStore }) {
const router = express.Router();
router.get('/profile', async (req, res) => {
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
const record = await tokenStore.getProviderRecord(req.sid, 'discord');
const accessToken = record?.access_token;
if (!accessToken) {
return res.status(401).json({
error: 'Not connected to Discord',
code: 'DISCORD_NOT_CONNECTED'
});
}
const response = await fetch('https://discord.com/api/users/@me', {
headers: {
Authorization: `Bearer ${accessToken}`
}
});
if (!response.ok) {
const details = await response.text();
return res.status(response.status).json({
error: 'Failed to fetch Discord profile',
code: 'DISCORD_PROFILE_FAILED',
details: details.slice(0, 1000)
});
}
const user = await response.json();
return res.json({ user });
});
return router;
}

480
code/websites/pokedex.online/server/routes/oauth.js Normal file
View File

@@ -0,0 +1,480 @@
import express from 'express';
import fetch from 'node-fetch';
import logger from '../utils/logger.js';
function computeExpiresAt(expiresInSeconds) {
const ttl = Number(expiresInSeconds || 0);
if (!ttl || Number.isNaN(ttl)) return null;
return Date.now() + ttl * 1000;
}
function redactProviderRecord(provider, record) {
if (!record) {
if (provider === 'challonge') {
return {
provider,
connected: false,
methods: {
user_oauth: {
connected: false,
expires_at: null,
scope: null
},
client_credentials: {
stored: false,
connected: false,
expires_at: null,
scope: null
},
api_key: {
stored: false,
connected: false
}
}
};
}
if (provider === 'discord') {
return {
provider,
connected: false,
expires_at: null,
scope: null
};
}
return { provider, connected: false };
}
if (provider === 'discord') {
return {
provider,
connected: !!record.access_token,
expires_at: record.expires_at || null,
scope: record.scope || null
};
}
if (provider === 'challonge') {
const user = record.user_oauth;
const app = record.client_credentials;
const apiKey = record.api_key;
return {
provider,
connected: !!(user?.access_token || app?.access_token || apiKey?.token),
methods: {
user_oauth: {
connected: !!user?.access_token,
expires_at: user?.expires_at || null,
scope: user?.scope || null
},
client_credentials: {
stored: !!(app?.client_id && app?.client_secret),
connected: !!app?.access_token,
expires_at: app?.expires_at || null,
scope: app?.scope || null
},
api_key: {
stored: !!apiKey?.token,
connected: !!apiKey?.token
}
}
};
}
return { provider, connected: true };
}
export function createOAuthRouter({ config, tokenStore }) {
const router = express.Router();
router.get('/:provider/status', async (req, res) => {
const { provider } = req.params;
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
const record = await tokenStore.getProviderRecord(req.sid, provider);
return res.json(redactProviderRecord(provider, record));
});
router.post('/:provider/disconnect', async (req, res) => {
const { provider } = req.params;
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
await tokenStore.deleteProviderRecord(req.sid, provider);
return res.json({ ok: true });
});
// Exchange authorization code (server stores tokens; frontend never receives them)
router.post('/:provider/exchange', async (req, res) => {
const { provider } = req.params;
const { code } = req.body || {};
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
if (!code) {
return res.status(400).json({ error: 'Authorization code is required', code: 'MISSING_CODE' });
}
if (provider === 'discord') {
const clientId = process.env.VITE_DISCORD_CLIENT_ID;
const clientSecret = process.env.DISCORD_CLIENT_SECRET;
const redirectUri = process.env.DISCORD_REDIRECT_URI || process.env.VITE_DISCORD_REDIRECT_URI;
if (!clientId || !clientSecret || !redirectUri) {
return res.status(503).json({
error: 'Discord OAuth not configured',
code: 'DISCORD_NOT_CONFIGURED'
});
}
const response = await fetch('https://discord.com/api/oauth2/token', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({
client_id: clientId,
client_secret: clientSecret,
grant_type: 'authorization_code',
code,
redirect_uri: redirectUri
})
});
const text = await response.text();
let payload;
try {
payload = text ? JSON.parse(text) : {};
} catch {
payload = { raw: text.slice(0, 1000) };
}
if (!response.ok) {
logger.warn('Discord token exchange failed', { status: response.status, payload });
return res.status(response.status).json({
error: 'Discord token exchange failed',
code: 'DISCORD_TOKEN_EXCHANGE_FAILED',
details: payload
});
}
const record = {
access_token: payload.access_token,
refresh_token: payload.refresh_token,
token_type: payload.token_type,
scope: payload.scope,
expires_at: computeExpiresAt(payload.expires_in)
};
await tokenStore.setProviderRecord(req.sid, 'discord', record);
return res.json(redactProviderRecord('discord', record));
}
if (provider === 'challonge') {
if (!config.challonge.configured || !config.challonge.redirectUri) {
return res.status(503).json({
error: 'Challonge OAuth not configured',
code: 'CHALLONGE_NOT_CONFIGURED'
});
}
const response = await fetch('https://api.challonge.com/oauth/token', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({
grant_type: 'authorization_code',
client_id: config.challonge.clientId,
client_secret: config.challonge.clientSecret,
code,
redirect_uri: config.challonge.redirectUri
})
});
const payload = await response.json().catch(() => ({}));
if (!response.ok) {
logger.warn('Challonge token exchange failed', { status: response.status, payload });
return res.status(response.status).json({
error: 'Challonge token exchange failed',
code: 'CHALLONGE_TOKEN_EXCHANGE_FAILED',
details: payload
});
}
const existing = (await tokenStore.getProviderRecord(req.sid, 'challonge')) || {};
const user_oauth = {
access_token: payload.access_token,
refresh_token: payload.refresh_token,
token_type: payload.token_type,
scope: payload.scope,
expires_at: computeExpiresAt(payload.expires_in)
};
const record = {
...existing,
user_oauth
};
await tokenStore.setProviderRecord(req.sid, 'challonge', record);
return res.json(redactProviderRecord('challonge', record));
}
return res.status(400).json({ error: `Unknown provider: ${provider}`, code: 'UNKNOWN_PROVIDER' });
});
// Store Challonge API key (v1 compatibility) per session
router.post('/challonge/api-key', async (req, res) => {
let { apiKey } = req.body || {};
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
if (!apiKey) {
return res.status(400).json({ error: 'apiKey is required', code: 'MISSING_API_KEY' });
}
apiKey = String(apiKey).trim();
if (apiKey.toLowerCase().startsWith('bearer ')) {
apiKey = apiKey.slice('bearer '.length).trim();
}
if (!apiKey) {
return res.status(400).json({ error: 'apiKey is required', code: 'MISSING_API_KEY' });
}
const existing = (await tokenStore.getProviderRecord(req.sid, 'challonge')) || {};
const record = {
...existing,
api_key: {
token: apiKey
}
};
await tokenStore.setProviderRecord(req.sid, 'challonge', record);
return res.json(redactProviderRecord('challonge', record));
});
router.post('/challonge/api-key/clear', async (req, res) => {
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
const existing = (await tokenStore.getProviderRecord(req.sid, 'challonge')) || {};
const record = { ...existing };
if (record.api_key) delete record.api_key;
await tokenStore.setProviderRecord(req.sid, 'challonge', record);
return res.json(redactProviderRecord('challonge', record));
});
// Store Challonge client credentials and exchange token per session
router.post('/challonge/client-credentials', async (req, res) => {
let { clientId, clientSecret, scope } = req.body || {};
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
if (typeof clientId === 'string') clientId = clientId.trim();
if (typeof clientSecret === 'string') clientSecret = clientSecret.trim();
if (typeof scope === 'string') scope = scope.trim();
const existing = (await tokenStore.getProviderRecord(req.sid, 'challonge')) || {};
const prev = existing.client_credentials || {};
const effectiveClientId = clientId || prev.client_id;
const effectiveClientSecret = clientSecret || prev.client_secret;
const effectiveScope = scope || prev.scope;
if (!effectiveClientId || !effectiveClientSecret) {
return res.status(400).json({
error: 'clientId and clientSecret are required (or must already be stored for this session)',
code: 'MISSING_CLIENT_CREDENTIALS'
});
}
const response = await fetch('https://api.challonge.com/oauth/token', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({
grant_type: 'client_credentials',
client_id: effectiveClientId,
client_secret: effectiveClientSecret,
...(effectiveScope ? { scope: effectiveScope } : {})
})
});
const payload = await response.json().catch(() => ({}));
if (!response.ok) {
logger.warn('Challonge client_credentials token exchange failed', { status: response.status, payload });
return res.status(response.status).json({
error: 'Challonge client credentials exchange failed',
code: 'CHALLONGE_CLIENT_CREDENTIALS_FAILED',
details: payload
});
}
const record = {
...existing,
client_credentials: {
client_id: effectiveClientId,
client_secret: effectiveClientSecret,
access_token: payload.access_token,
token_type: payload.token_type,
scope: payload.scope,
expires_at: computeExpiresAt(payload.expires_in)
}
};
await tokenStore.setProviderRecord(req.sid, 'challonge', record);
return res.json(redactProviderRecord('challonge', record));
});
router.post('/challonge/client-credentials/clear', async (req, res) => {
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
const existing = (await tokenStore.getProviderRecord(req.sid, 'challonge')) || {};
const record = { ...existing };
if (record.client_credentials) delete record.client_credentials;
await tokenStore.setProviderRecord(req.sid, 'challonge', record);
return res.json(redactProviderRecord('challonge', record));
});
// Logout client credentials token but retain stored client_id/client_secret
router.post('/challonge/client-credentials/logout', async (req, res) => {
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
const existing = (await tokenStore.getProviderRecord(req.sid, 'challonge')) || {};
const creds = existing.client_credentials;
if (!creds) {
return res.json(redactProviderRecord('challonge', existing));
}
const record = {
...existing,
client_credentials: {
client_id: creds.client_id,
client_secret: creds.client_secret
}
};
await tokenStore.setProviderRecord(req.sid, 'challonge', record);
return res.json(redactProviderRecord('challonge', record));
});
// Refresh stored OAuth tokens (no tokens returned to browser)
router.post('/:provider/refresh', async (req, res) => {
const { provider } = req.params;
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
const record = await tokenStore.getProviderRecord(req.sid, provider);
if (!record) {
return res.status(400).json({ error: 'No stored tokens', code: 'NO_TOKENS' });
}
if (provider === 'discord') {
const refreshToken = record.refresh_token;
if (!refreshToken) {
return res.status(400).json({ error: 'No refresh token available', code: 'NO_REFRESH_TOKEN' });
}
const clientId = process.env.VITE_DISCORD_CLIENT_ID;
const clientSecret = process.env.DISCORD_CLIENT_SECRET;
if (!clientId || !clientSecret) {
return res.status(503).json({ error: 'Discord OAuth not configured', code: 'DISCORD_NOT_CONFIGURED' });
}
const response = await fetch('https://discord.com/api/oauth2/token', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({
client_id: clientId,
client_secret: clientSecret,
grant_type: 'refresh_token',
refresh_token: refreshToken
})
});
const payload = await response.json().catch(() => ({}));
if (!response.ok) {
return res.status(response.status).json({
error: 'Discord refresh failed',
code: 'DISCORD_REFRESH_FAILED',
details: payload
});
}
const updated = {
...record,
access_token: payload.access_token,
refresh_token: payload.refresh_token || record.refresh_token,
token_type: payload.token_type,
scope: payload.scope,
expires_at: computeExpiresAt(payload.expires_in)
};
await tokenStore.setProviderRecord(req.sid, 'discord', updated);
return res.json(redactProviderRecord('discord', updated));
}
if (provider === 'challonge') {
const user = record.user_oauth;
if (!user?.refresh_token) {
return res.status(400).json({
error: 'No refresh token available',
code: 'NO_REFRESH_TOKEN'
});
}
if (!config.challonge.configured) {
return res.status(503).json({
error: 'Challonge OAuth not configured',
code: 'CHALLONGE_NOT_CONFIGURED'
});
}
const response = await fetch('https://api.challonge.com/oauth/token', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({
grant_type: 'refresh_token',
client_id: config.challonge.clientId,
client_secret: config.challonge.clientSecret,
refresh_token: user.refresh_token
})
});
const payload = await response.json().catch(() => ({}));
if (!response.ok) {
return res.status(response.status).json({
error: 'Challonge refresh failed',
code: 'CHALLONGE_REFRESH_FAILED',
details: payload
});
}
const updatedRecord = {
...record,
user_oauth: {
...user,
access_token: payload.access_token,
refresh_token: payload.refresh_token || user.refresh_token,
token_type: payload.token_type,
scope: payload.scope,
expires_at: computeExpiresAt(payload.expires_in)
}
};
await tokenStore.setProviderRecord(req.sid, 'challonge', updatedRecord);
return res.json(redactProviderRecord('challonge', updatedRecord));
}
return res.status(400).json({ error: `Unknown provider: ${provider}`, code: 'UNKNOWN_PROVIDER' });
});
return router;
}

152
code/websites/pokedex.online/server/routes/session.js Normal file
View File

@@ -0,0 +1,152 @@
import express from 'express';
import fetch from 'node-fetch';
import { COOKIE_NAMES, getCsrfCookieOptions, generateToken } from '../utils/cookie-options.js';
export function createSessionRouter({ config, tokenStore }) {
const router = express.Router();
async function probeChallonge(url, headers) {
try {
const resp = await fetch(url, { method: 'GET', headers });
const contentType = resp.headers.get('content-type') || '';
let bodyText = '';
try {
bodyText = await resp.text();
} catch {
bodyText = '';
}
// Keep response small & safe
const snippet = (bodyText || '').slice(0, 500);
let json = null;
if (contentType.includes('application/json')) {
try {
json = bodyText ? JSON.parse(bodyText) : null;
} catch {
json = null;
}
}
return {
ok: resp.ok,
status: resp.status,
contentType,
snippet,
json
};
} catch (err) {
return {
ok: false,
status: null,
contentType: null,
snippet: err?.message || 'probe failed',
json: null
};
}
}
// Ensure SID exists (sid middleware should run before this)
router.get('/init', async (req, res) => {
try {
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
await tokenStore.touchSession(req.sid);
return res.json({ ok: true });
} catch (err) {
return res.status(500).json({
error: err.message || 'Failed to init session',
code: 'SESSION_INIT_FAILED'
});
}
});
// Issue/refresh CSRF token cookie
router.get('/csrf', (req, res) => {
const token = generateToken(24);
res.cookie(COOKIE_NAMES.csrf, token, getCsrfCookieOptions(config));
res.json({ csrfToken: token });
});
// Dev helper: confirm which SID the browser is using and whether provider
// credentials are present for that SID. Does not return secrets.
router.get('/whoami', async (req, res) => {
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
const challonge = (await tokenStore.getProviderRecord(req.sid, 'challonge')) || {};
return res.json({
sid: req.sid,
challonge: {
hasApiKey: !!challonge.api_key?.token,
hasUserOAuth: !!challonge.user_oauth?.access_token,
userOAuthExpiresAt: challonge.user_oauth?.expires_at || null,
hasClientCredentials: !!(challonge.client_credentials?.client_id && challonge.client_credentials?.client_secret),
hasClientCredentialsToken: !!challonge.client_credentials?.access_token,
clientCredentialsExpiresAt: challonge.client_credentials?.expires_at || null
}
});
});
// Dev-only: verify challonge upstream auth for this SID (no secrets returned)
router.get('/challonge/verify', async (req, res) => {
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
const challonge = (await tokenStore.getProviderRecord(req.sid, 'challonge')) || {};
const base = 'https://api.challonge.com/v2.1/tournaments.json?page=1&per_page=1&state=pending';
const results = {
sid: req.sid,
endpoints: {
userTournamentsSample: base,
appTournamentsSample: 'https://api.challonge.com/v2.1/application/tournaments.json?page=1&per_page=1&state=pending'
},
methods: {
user_oauth: { present: !!challonge.user_oauth?.access_token, probe: null },
api_key: { present: !!challonge.api_key?.token, probe: null },
client_credentials: {
present: !!challonge.client_credentials?.access_token,
probe: null
}
}
};
if (challonge.user_oauth?.access_token) {
results.methods.user_oauth.probe = await probeChallonge(base, {
Accept: 'application/json',
'Content-Type': 'application/vnd.api+json',
authorization: `Bearer ${challonge.user_oauth.access_token}`,
'authorization-type': 'v2'
});
}
if (challonge.api_key?.token) {
results.methods.api_key.probe = await probeChallonge(base, {
Accept: 'application/json',
'Content-Type': 'application/vnd.api+json',
authorization: challonge.api_key.token,
'authorization-type': 'v1'
});
}
if (challonge.client_credentials?.access_token) {
results.methods.client_credentials.probe = await probeChallonge(
results.endpoints.appTournamentsSample,
{
Accept: 'application/json',
'Content-Type': 'application/vnd.api+json',
authorization: `Bearer ${challonge.client_credentials.access_token}`,
'authorization-type': 'v2'
}
);
}
return res.json(results);
});
return router;
}

224
code/websites/pokedex.online/server/services/oauth-token-store.js Normal file
View File

@@ -0,0 +1,224 @@
import fs from 'node:fs/promises';
import path from 'node:path';
import crypto from 'node:crypto';
import { fileURLToPath } from 'node:url';
import logger from '../utils/logger.js';
const __filename = fileURLToPath(import.meta.url);
const __dirname = path.dirname(__filename);
const STORE_PATH = path.join(__dirname, '..', 'data', 'oauth-tokens.json');
const STORE_VERSION = 1;
const ONE_DAY_MS = 24 * 60 * 60 * 1000;
const SEVEN_DAYS_MS = 7 * ONE_DAY_MS;
function now() {
return Date.now();
}
function getEncryptionKey(sessionSecret) {
const raw = process.env.OAUTH_TOKEN_ENC_KEY;
if (raw) {
// Expect base64 32 bytes. If it's longer, hash it down.
const buf = Buffer.from(raw, 'base64');
if (buf.length === 32) return buf;
return crypto.createHash('sha256').update(raw).digest();
}
// Dev fallback: derive from session secret (still better than plaintext)
logger.warn('OAUTH_TOKEN_ENC_KEY not set; deriving key from SESSION_SECRET (dev only).');
return crypto.createHash('sha256').update(sessionSecret).digest();
}
function encryptJson(key, plaintextObj) {
const iv = crypto.randomBytes(12);
const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
const plaintext = Buffer.from(JSON.stringify(plaintextObj), 'utf8');
const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
const tag = cipher.getAuthTag();
return {
version: STORE_VERSION,
alg: 'aes-256-gcm',
iv: iv.toString('base64'),
tag: tag.toString('base64'),
ciphertext: ciphertext.toString('base64')
};
}
function decryptJson(key, envelope) {
if (!envelope || envelope.version !== STORE_VERSION) {
return { sessions: {}, version: STORE_VERSION };
}
if (envelope.alg !== 'aes-256-gcm') {
throw new Error(`Unsupported store encryption alg: ${envelope.alg}`);
}
const iv = Buffer.from(envelope.iv, 'base64');
const tag = Buffer.from(envelope.tag, 'base64');
const ciphertext = Buffer.from(envelope.ciphertext, 'base64');
const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
decipher.setAuthTag(tag);
const plaintext = Buffer.concat([
decipher.update(ciphertext),
decipher.final()
]);
return JSON.parse(plaintext.toString('utf8'));
}
async function readStoreFile() {
try {
const raw = await fs.readFile(STORE_PATH, 'utf8');
return JSON.parse(raw);
} catch (err) {
if (err.code === 'ENOENT') return null;
throw err;
}
}
async function writeStoreFile(envelope) {
await fs.mkdir(path.dirname(STORE_PATH), { recursive: true });
const tmp = `${STORE_PATH}.${crypto.randomUUID()}.tmp`;
try {
await fs.writeFile(tmp, JSON.stringify(envelope, null, 2), 'utf8');
await fs.rename(tmp, STORE_PATH);
} finally {
// Best-effort cleanup if something failed before rename.
try {
await fs.unlink(tmp);
} catch {
// ignore
}
}
}
export function createOAuthTokenStore({ sessionSecret }) {
if (!sessionSecret) {
throw new Error('createOAuthTokenStore requires sessionSecret');
}
const key = getEncryptionKey(sessionSecret);
let cache = null;
let cacheLoadedAt = 0;
// Serialize writes to avoid races under concurrent requests.
let writeChain = Promise.resolve();
async function load() {
if (cache) return cache;
const envelope = await readStoreFile();
if (!envelope) {
cache = { version: STORE_VERSION, sessions: {} };
cacheLoadedAt = now();
return cache;
}
try {
cache = decryptJson(key, envelope);
if (!cache.sessions) cache.sessions = {};
cache.version = STORE_VERSION;
cacheLoadedAt = now();
return cache;
} catch (err) {
logger.error('Failed to decrypt oauth token store; starting fresh', {
error: err.message
});
cache = { version: STORE_VERSION, sessions: {} };
cacheLoadedAt = now();
return cache;
}
}
async function persist(state) {
const envelope = encryptJson(key, state);
const run = async () => {
await writeStoreFile(envelope);
};
// Keep the chain alive even if a prior write failed.
writeChain = writeChain.then(run, run);
await writeChain;
}
function ensureSession(state, sid) {
const existing = state.sessions[sid];
const ts = now();
if (existing) {
existing.lastSeenAt = ts;
existing.expiresAt = Math.min(existing.createdAt + SEVEN_DAYS_MS, ts + ONE_DAY_MS);
return existing;
}
const createdAt = ts;
const session = {
createdAt,
lastSeenAt: ts,
expiresAt: Math.min(createdAt + SEVEN_DAYS_MS, ts + ONE_DAY_MS),
providers: {}
};
state.sessions[sid] = session;
return session;
}
function sweep(state) {
const ts = now();
let removed = 0;
for (const [sid, session] of Object.entries(state.sessions)) {
if (!session?.expiresAt || session.expiresAt <= ts) {
delete state.sessions[sid];
removed++;
}
}
if (removed > 0) {
logger.info('Swept expired OAuth sessions', { removed });
}
}
async function touchSession(sid) {
const state = await load();
sweep(state);
ensureSession(state, sid);
await persist(state);
}
async function getProviderRecord(sid, provider) {
const state = await load();
sweep(state);
const session = ensureSession(state, sid);
await persist(state);
return session.providers?.[provider] || null;
}
async function setProviderRecord(sid, provider, record) {
const state = await load();
sweep(state);
const session = ensureSession(state, sid);
session.providers[provider] = {
...record,
updatedAt: now()
};
await persist(state);
}
async function deleteProviderRecord(sid, provider) {
const state = await load();
sweep(state);
const session = ensureSession(state, sid);
if (session.providers?.[provider]) {
delete session.providers[provider];
await persist(state);
}
}
return {
touchSession,
getProviderRecord,
setProviderRecord,
deleteProviderRecord
};
}

77
code/websites/pokedex.online/server/utils/cookie-options.js Normal file
View File

@@ -0,0 +1,77 @@
import crypto from 'node:crypto';
const ONE_DAY_SECONDS = 60 * 60 * 24;
const SEVEN_DAYS_SECONDS = ONE_DAY_SECONDS * 7;
export const COOKIE_NAMES = {
sid: 'pdx_sid',
csrf: 'pdx_csrf'
};
export function getCookieSecurityConfig(config) {
const deploymentTarget = config?.deploymentTarget || process.env.DEPLOYMENT_TARGET;
const nodeEnv = config?.nodeEnv || process.env.NODE_ENV;
const isProdTarget = deploymentTarget === 'production' || nodeEnv === 'production';
return {
secure: isProdTarget,
sameSite: 'lax'
};
}
export function getSidCookieOptions(config) {
const { secure, sameSite } = getCookieSecurityConfig(config);
return {
httpOnly: true,
secure,
sameSite,
path: '/',
maxAge: SEVEN_DAYS_SECONDS * 1000
};
}
// Legacy cookie options used before widening cookie scope to '/'.
// Clearing these prevents browsers from sending multiple cookies with the same
// name but different paths (e.g. '/api' and '/'), which can cause session
// split-brain.
export function getLegacySidCookieOptions(config) {
const { secure, sameSite } = getCookieSecurityConfig(config);
return {
httpOnly: true,
secure,
sameSite,
path: '/api',
maxAge: SEVEN_DAYS_SECONDS * 1000
};
}
export function getCsrfCookieOptions(config) {
const { secure, sameSite } = getCookieSecurityConfig(config);
return {
httpOnly: false,
secure,
sameSite,
path: '/',
maxAge: ONE_DAY_SECONDS * 1000
};
}
export function getLegacyCsrfCookieOptions(config) {
const { secure, sameSite } = getCookieSecurityConfig(config);
return {
httpOnly: false,
secure,
sameSite,
path: '/api',
maxAge: ONE_DAY_SECONDS * 1000
};
}
export function generateToken(bytes = 24) {
return crypto.randomBytes(bytes).toString('base64url');
}

34
code/websites/pokedex.online/server/utils/env-validator.js
View File

@@ -73,6 +73,36 @@ const REQUIRED_ENV_VARS = {
: null
},
// Token encryption key (required for server-side OAuth token storage in production)
OAUTH_TOKEN_ENC_KEY: {
required: false,
description:
'Base64-encoded 32-byte key for encrypting OAuth tokens at rest (AES-256-GCM)',
validate: (val, env) => {
const target = env?.DEPLOYMENT_TARGET;
if (target !== 'production') return true;
if (!val) {
console.error(
'❌ OAUTH_TOKEN_ENC_KEY is required in production to encrypt OAuth tokens'
);
return false;
}
// Best-effort validation: base64 decode should yield 32 bytes
try {
const buf = Buffer.from(val, 'base64');
return buf.length === 32;
} catch {
return false;
}
}
},
// Admin auth
ADMIN_PASSWORD: {
required: false,
description: 'Admin password for /auth/login (recommended for production)'
},
// Challonge OAuth (optional)
CHALLONGE_CLIENT_ID: {
required: false,
@@ -217,6 +247,10 @@ export function getConfig() {
secret: process.env.SESSION_SECRET || 'dev-secret-change-in-production'
},
// Admin auth (JWT secret uses session secret for now)
secret: process.env.SESSION_SECRET || 'dev-secret-change-in-production',
adminPassword: process.env.ADMIN_PASSWORD,
// Discord User Permissions
discord: {
adminUsers: process.env.DISCORD_ADMIN_USERS