fragginwagon/memory-infrastructure-palace
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor authentication handling and improve API client security

Browse Source 
- Updated OAuth endpoints for Challonge and Discord in platforms configuration.
- Implemented session and CSRF cookie initialization in main application entry.
- Enhanced Challonge API client to avoid sending sensitive API keys from the browser.
- Modified tournament querying to handle new state definitions and improved error handling.
- Updated UI components to reflect server-side storage of authentication tokens.
- Improved user experience in API Key Manager and Authentication Hub with clearer messaging.
- Refactored client credentials management to support asynchronous operations.
- Adjusted API client tests to validate new request configurations.
- Updated Vite configuration to support session and CSRF handling through proxies.
This commit is contained in:
Greg Jacobs
2026-02-03 12:50:11 -05:00
parent 161b758a1b
commit 700c1cbbbe
39 changed files with 2434 additions and 999 deletions
Download Patch File Download Diff File Expand all files Collapse all files

291
code/websites/pokedex.online/server/oauth-proxy.js
View File

@@ -12,34 +12,22 @@
import 'dotenv/config';
import express from 'express';
import cors from 'cors';
import fetch from 'node-fetch';
import cookieParser from 'cookie-parser';
import gamemasterRouter from './gamemaster-api.js';
import { createAuthRouter } from './routes/auth.js';
import { createOAuthRouter } from './routes/oauth.js';
import { createSessionRouter } from './routes/session.js';
import { createChallongeProxyRouter } from './routes/challonge.js';
import { createDiscordRouter } from './routes/discord.js';
import { validateOrExit, getConfig } from './utils/env-validator.js';
import logger, { requestLogger, errorLogger } from './utils/logger.js';
import {
setupGracefulShutdown,
createHealthCheckMiddleware
} from './utils/graceful-shutdown.js';
async function safeParseJsonResponse(response) {
const rawText = await response.text();
if (!rawText) {
return { data: {}, rawText: '' };
}
try {
return { data: JSON.parse(rawText), rawText };
} catch (error) {
return {
data: {
error: 'Invalid JSON response from upstream',
raw: rawText.slice(0, 1000)
},
rawText
};
}
}
import { sidMiddleware } from './middleware/sid.js';
import { csrfMiddleware } from './middleware/csrf.js';
import { createOAuthTokenStore } from './services/oauth-token-store.js';
// Validate environment variables
validateOrExit();
@@ -49,11 +37,31 @@ const config = getConfig();
const app = express();
// Behind nginx reverse proxy in production
app.set('trust proxy', 1);
// Middleware
app.use(cors({ origin: config.cors.origin }));
app.use(
cors({
origin: config.cors.origin,
credentials: true
})
);
app.use(cookieParser());
app.use(express.json());
app.use(requestLogger);
// Per-session identity (httpOnly signed SID cookie)
app.use(
sidMiddleware({
sessionSecret: config.session.secret,
config
})
);
// Encrypted per-session provider token store
const tokenStore = createOAuthTokenStore({ sessionSecret: config.session.secret });
// Mount API routes (nginx strips /api/ prefix before forwarding)
app.use('/gamemaster', gamemasterRouter);
app.use(
@@ -64,235 +72,22 @@ app.use(
})
);
/**
* Exchange authorization code for access token
* POST /oauth/token
* Supports multiple providers: Challonge, Discord
*/
app.post('/oauth/token', async (req, res) => {
const { code, provider = 'challonge' } = req.body;
// Session + CSRF helpers
app.use('/session', createSessionRouter({ config, tokenStore }));
if (!code) {
logger.warn('OAuth token request missing authorization code');
return res.status(400).json({ error: 'Missing authorization code' });
}
// Provider OAuth (server-owned tokens; browser never receives access/refresh tokens)
app.use(
'/oauth',
csrfMiddleware({
requireOriginCheck: config.isProduction,
allowedOrigin: config.cors.origin
})
);
app.use('/oauth', createOAuthRouter({ config, tokenStore }));
try {
// Handle Discord OAuth
if (provider === 'discord') {
const clientId = process.env.VITE_DISCORD_CLIENT_ID;
const clientSecret = process.env.DISCORD_CLIENT_SECRET;
const redirectUri =
process.env.DISCORD_REDIRECT_URI ||
process.env.VITE_DISCORD_REDIRECT_URI;
if (!clientId || !clientSecret || !redirectUri) {
logger.warn('Discord OAuth not configured', {
hasClientId: !!clientId,
hasClientSecret: !!clientSecret,
hasRedirectUri: !!redirectUri
});
return res.status(503).json({
error: 'Discord OAuth not configured',
message:
'Set VITE_DISCORD_CLIENT_ID, DISCORD_CLIENT_SECRET, and DISCORD_REDIRECT_URI environment variables'
});
}
logger.debug('Exchanging Discord authorization code for access token');
const response = await fetch('https://discord.com/api/oauth2/token', {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
body: new URLSearchParams({
client_id: clientId,
client_secret: clientSecret,
grant_type: 'authorization_code',
code: code,
redirect_uri: redirectUri
})
});
const { data, rawText } = await safeParseJsonResponse(response);
if (!response.ok) {
logger.error('Discord token exchange failed', {
status: response.status,
data
});
return res.status(response.status).json(data);
}
if (!data?.access_token) {
logger.error('Discord token exchange returned invalid payload', {
status: response.status,
raw: rawText.slice(0, 1000)
});
return res.status(502).json({
error: 'Invalid response from Discord',
raw: rawText.slice(0, 1000)
});
}
// Fetch Discord user info to check permissions
try {
const userResponse = await fetch('https://discord.com/api/users/@me', {
headers: {
Authorization: `Bearer ${data.access_token}`
}
});
if (userResponse.ok) {
const userData = await userResponse.json();
const username = userData.username?.toLowerCase();
const globalName = userData.global_name?.toLowerCase();
const discordId = userData.id;
logger.info('Discord user authenticated', {
username: userData.username,
id: discordId
});
// Check if user is in admin list
const isAdmin = config.discord.adminUsers.some(
adminUser =>
adminUser === username ||
adminUser === globalName ||
adminUser === discordId
);
// Add user info and permissions to response
data.discord_user = {
id: discordId,
username: userData.username,
global_name: userData.global_name,
discriminator: userData.discriminator,
avatar: userData.avatar
};
data.permissions = isAdmin ? ['developer_tools.view'] : [];
if (isAdmin) {
logger.info('Discord user granted developer access', {
username: userData.username
});
}
} else {
logger.warn('Failed to fetch Discord user info', {
status: userResponse.status
});
}
} catch (userError) {
logger.warn('Error fetching Discord user info', {
error: userError.message
});
// Continue without user info - token is still valid
}
logger.info('Discord token exchange successful');
return res.json(data);
}
// Handle Challonge OAuth (default)
if (!config.challonge.configured) {
logger.warn('OAuth token request received but Challonge not configured');
return res.status(503).json({
error: 'Challonge OAuth not configured',
message:
'Set CHALLONGE_CLIENT_ID and CHALLONGE_CLIENT_SECRET environment variables'
});
}
logger.debug('Exchanging Challonge authorization code for access token');
const response = await fetch('https://api.challonge.com/oauth/token', {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
body: new URLSearchParams({
grant_type: 'authorization_code',
client_id: config.challonge.clientId,
client_secret: config.challonge.clientSecret,
code: code,
redirect_uri: config.challonge.redirectUri
})
});
const data = await response.json();
if (!response.ok) {
logger.error('Challonge token exchange failed', {
status: response.status,
data
});
return res.status(response.status).json(data);
}
logger.info('Challonge token exchange successful');
res.json(data);
} catch (error) {
logger.error('Token exchange error', { provider, error: error.message });
res.status(500).json({
error: 'Token exchange failed',
message: error.message
});
}
});
/**
* Refresh access token
* POST /oauth/refresh
*/
app.post('/oauth/refresh', async (req, res) => {
if (!config.challonge.configured) {
logger.warn('OAuth refresh request received but Challonge not configured');
return res.status(503).json({
error: 'Challonge OAuth not configured',
message:
'Set CHALLONGE_CLIENT_ID and CHALLONGE_CLIENT_SECRET environment variables'
});
}
const { refresh_token } = req.body;
if (!refresh_token) {
logger.warn('OAuth refresh request missing refresh token');
return res.status(400).json({ error: 'Missing refresh token' });
}
try {
logger.debug('Refreshing access token');
const response = await fetch('https://api.challonge.com/oauth/token', {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
body: new URLSearchParams({
grant_type: 'refresh_token',
client_id: config.challonge.clientId,
client_secret: config.challonge.clientSecret,
refresh_token: refresh_token
})
});
const data = await response.json();
if (!response.ok) {
logger.error('Token refresh failed', { status: response.status, data });
return res.status(response.status).json(data);
}
logger.info('Token refresh successful');
res.json(data);
} catch (error) {
logger.error('Token refresh error', { error: error.message });
res.status(500).json({
error: 'Token refresh failed',
message: error.message
});
}
});
// Provider API proxies (no split brain)
app.use('/challonge', createChallongeProxyRouter({ config, tokenStore }));
app.use('/discord', createDiscordRouter({ tokenStore }));
/**
* Health check endpoint (with graceful shutdown support)