fragginwagon/memory-infrastructure-palace
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor authentication handling and improve API client security

Browse Source 
- Updated OAuth endpoints for Challonge and Discord in platforms configuration.
- Implemented session and CSRF cookie initialization in main application entry.
- Enhanced Challonge API client to avoid sending sensitive API keys from the browser.
- Modified tournament querying to handle new state definitions and improved error handling.
- Updated UI components to reflect server-side storage of authentication tokens.
- Improved user experience in API Key Manager and Authentication Hub with clearer messaging.
- Refactored client credentials management to support asynchronous operations.
- Adjusted API client tests to validate new request configurations.
- Updated Vite configuration to support session and CSRF handling through proxies.
This commit is contained in:
Greg Jacobs
2026-02-03 12:50:11 -05:00
parent 161b758a1b
commit 700c1cbbbe
39 changed files with 2434 additions and 999 deletions
Download Patch File Download Diff File Expand all files Collapse all files

480
code/websites/pokedex.online/server/routes/oauth.js Normal file
View File

@@ -0,0 +1,480 @@
import express from 'express';
import fetch from 'node-fetch';
import logger from '../utils/logger.js';
function computeExpiresAt(expiresInSeconds) {
const ttl = Number(expiresInSeconds || 0);
if (!ttl || Number.isNaN(ttl)) return null;
return Date.now() + ttl * 1000;
}
function redactProviderRecord(provider, record) {
if (!record) {
if (provider === 'challonge') {
return {
provider,
connected: false,
methods: {
user_oauth: {
connected: false,
expires_at: null,
scope: null
},
client_credentials: {
stored: false,
connected: false,
expires_at: null,
scope: null
},
api_key: {
stored: false,
connected: false
}
}
};
}
if (provider === 'discord') {
return {
provider,
connected: false,
expires_at: null,
scope: null
};
}
return { provider, connected: false };
}
if (provider === 'discord') {
return {
provider,
connected: !!record.access_token,
expires_at: record.expires_at || null,
scope: record.scope || null
};
}
if (provider === 'challonge') {
const user = record.user_oauth;
const app = record.client_credentials;
const apiKey = record.api_key;
return {
provider,
connected: !!(user?.access_token || app?.access_token || apiKey?.token),
methods: {
user_oauth: {
connected: !!user?.access_token,
expires_at: user?.expires_at || null,
scope: user?.scope || null
},
client_credentials: {
stored: !!(app?.client_id && app?.client_secret),
connected: !!app?.access_token,
expires_at: app?.expires_at || null,
scope: app?.scope || null
},
api_key: {
stored: !!apiKey?.token,
connected: !!apiKey?.token
}
}
};
}
return { provider, connected: true };
}
export function createOAuthRouter({ config, tokenStore }) {
const router = express.Router();
router.get('/:provider/status', async (req, res) => {
const { provider } = req.params;
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
const record = await tokenStore.getProviderRecord(req.sid, provider);
return res.json(redactProviderRecord(provider, record));
});
router.post('/:provider/disconnect', async (req, res) => {
const { provider } = req.params;
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
await tokenStore.deleteProviderRecord(req.sid, provider);
return res.json({ ok: true });
});
// Exchange authorization code (server stores tokens; frontend never receives them)
router.post('/:provider/exchange', async (req, res) => {
const { provider } = req.params;
const { code } = req.body || {};
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
if (!code) {
return res.status(400).json({ error: 'Authorization code is required', code: 'MISSING_CODE' });
}
if (provider === 'discord') {
const clientId = process.env.VITE_DISCORD_CLIENT_ID;
const clientSecret = process.env.DISCORD_CLIENT_SECRET;
const redirectUri = process.env.DISCORD_REDIRECT_URI || process.env.VITE_DISCORD_REDIRECT_URI;
if (!clientId || !clientSecret || !redirectUri) {
return res.status(503).json({
error: 'Discord OAuth not configured',
code: 'DISCORD_NOT_CONFIGURED'
});
}
const response = await fetch('https://discord.com/api/oauth2/token', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({
client_id: clientId,
client_secret: clientSecret,
grant_type: 'authorization_code',
code,
redirect_uri: redirectUri
})
});
const text = await response.text();
let payload;
try {
payload = text ? JSON.parse(text) : {};
} catch {
payload = { raw: text.slice(0, 1000) };
}
if (!response.ok) {
logger.warn('Discord token exchange failed', { status: response.status, payload });
return res.status(response.status).json({
error: 'Discord token exchange failed',
code: 'DISCORD_TOKEN_EXCHANGE_FAILED',
details: payload
});
}
const record = {
access_token: payload.access_token,
refresh_token: payload.refresh_token,
token_type: payload.token_type,
scope: payload.scope,
expires_at: computeExpiresAt(payload.expires_in)
};
await tokenStore.setProviderRecord(req.sid, 'discord', record);
return res.json(redactProviderRecord('discord', record));
}
if (provider === 'challonge') {
if (!config.challonge.configured || !config.challonge.redirectUri) {
return res.status(503).json({
error: 'Challonge OAuth not configured',
code: 'CHALLONGE_NOT_CONFIGURED'
});
}
const response = await fetch('https://api.challonge.com/oauth/token', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({
grant_type: 'authorization_code',
client_id: config.challonge.clientId,
client_secret: config.challonge.clientSecret,
code,
redirect_uri: config.challonge.redirectUri
})
});
const payload = await response.json().catch(() => ({}));
if (!response.ok) {
logger.warn('Challonge token exchange failed', { status: response.status, payload });
return res.status(response.status).json({
error: 'Challonge token exchange failed',
code: 'CHALLONGE_TOKEN_EXCHANGE_FAILED',
details: payload
});
}
const existing = (await tokenStore.getProviderRecord(req.sid, 'challonge')) || {};
const user_oauth = {
access_token: payload.access_token,
refresh_token: payload.refresh_token,
token_type: payload.token_type,
scope: payload.scope,
expires_at: computeExpiresAt(payload.expires_in)
};
const record = {
...existing,
user_oauth
};
await tokenStore.setProviderRecord(req.sid, 'challonge', record);
return res.json(redactProviderRecord('challonge', record));
}
return res.status(400).json({ error: `Unknown provider: ${provider}`, code: 'UNKNOWN_PROVIDER' });
});
// Store Challonge API key (v1 compatibility) per session
router.post('/challonge/api-key', async (req, res) => {
let { apiKey } = req.body || {};
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
if (!apiKey) {
return res.status(400).json({ error: 'apiKey is required', code: 'MISSING_API_KEY' });
}
apiKey = String(apiKey).trim();
if (apiKey.toLowerCase().startsWith('bearer ')) {
apiKey = apiKey.slice('bearer '.length).trim();
}
if (!apiKey) {
return res.status(400).json({ error: 'apiKey is required', code: 'MISSING_API_KEY' });
}
const existing = (await tokenStore.getProviderRecord(req.sid, 'challonge')) || {};
const record = {
...existing,
api_key: {
token: apiKey
}
};
await tokenStore.setProviderRecord(req.sid, 'challonge', record);
return res.json(redactProviderRecord('challonge', record));
});
router.post('/challonge/api-key/clear', async (req, res) => {
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
const existing = (await tokenStore.getProviderRecord(req.sid, 'challonge')) || {};
const record = { ...existing };
if (record.api_key) delete record.api_key;
await tokenStore.setProviderRecord(req.sid, 'challonge', record);
return res.json(redactProviderRecord('challonge', record));
});
// Store Challonge client credentials and exchange token per session
router.post('/challonge/client-credentials', async (req, res) => {
let { clientId, clientSecret, scope } = req.body || {};
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
if (typeof clientId === 'string') clientId = clientId.trim();
if (typeof clientSecret === 'string') clientSecret = clientSecret.trim();
if (typeof scope === 'string') scope = scope.trim();
const existing = (await tokenStore.getProviderRecord(req.sid, 'challonge')) || {};
const prev = existing.client_credentials || {};
const effectiveClientId = clientId || prev.client_id;
const effectiveClientSecret = clientSecret || prev.client_secret;
const effectiveScope = scope || prev.scope;
if (!effectiveClientId || !effectiveClientSecret) {
return res.status(400).json({
error: 'clientId and clientSecret are required (or must already be stored for this session)',
code: 'MISSING_CLIENT_CREDENTIALS'
});
}
const response = await fetch('https://api.challonge.com/oauth/token', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({
grant_type: 'client_credentials',
client_id: effectiveClientId,
client_secret: effectiveClientSecret,
...(effectiveScope ? { scope: effectiveScope } : {})
})
});
const payload = await response.json().catch(() => ({}));
if (!response.ok) {
logger.warn('Challonge client_credentials token exchange failed', { status: response.status, payload });
return res.status(response.status).json({
error: 'Challonge client credentials exchange failed',
code: 'CHALLONGE_CLIENT_CREDENTIALS_FAILED',
details: payload
});
}
const record = {
...existing,
client_credentials: {
client_id: effectiveClientId,
client_secret: effectiveClientSecret,
access_token: payload.access_token,
token_type: payload.token_type,
scope: payload.scope,
expires_at: computeExpiresAt(payload.expires_in)
}
};
await tokenStore.setProviderRecord(req.sid, 'challonge', record);
return res.json(redactProviderRecord('challonge', record));
});
router.post('/challonge/client-credentials/clear', async (req, res) => {
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
const existing = (await tokenStore.getProviderRecord(req.sid, 'challonge')) || {};
const record = { ...existing };
if (record.client_credentials) delete record.client_credentials;
await tokenStore.setProviderRecord(req.sid, 'challonge', record);
return res.json(redactProviderRecord('challonge', record));
});
// Logout client credentials token but retain stored client_id/client_secret
router.post('/challonge/client-credentials/logout', async (req, res) => {
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
const existing = (await tokenStore.getProviderRecord(req.sid, 'challonge')) || {};
const creds = existing.client_credentials;
if (!creds) {
return res.json(redactProviderRecord('challonge', existing));
}
const record = {
...existing,
client_credentials: {
client_id: creds.client_id,
client_secret: creds.client_secret
}
};
await tokenStore.setProviderRecord(req.sid, 'challonge', record);
return res.json(redactProviderRecord('challonge', record));
});
// Refresh stored OAuth tokens (no tokens returned to browser)
router.post('/:provider/refresh', async (req, res) => {
const { provider } = req.params;
if (!req.sid) {
return res.status(500).json({ error: 'SID middleware not configured' });
}
const record = await tokenStore.getProviderRecord(req.sid, provider);
if (!record) {
return res.status(400).json({ error: 'No stored tokens', code: 'NO_TOKENS' });
}
if (provider === 'discord') {
const refreshToken = record.refresh_token;
if (!refreshToken) {
return res.status(400).json({ error: 'No refresh token available', code: 'NO_REFRESH_TOKEN' });
}
const clientId = process.env.VITE_DISCORD_CLIENT_ID;
const clientSecret = process.env.DISCORD_CLIENT_SECRET;
if (!clientId || !clientSecret) {
return res.status(503).json({ error: 'Discord OAuth not configured', code: 'DISCORD_NOT_CONFIGURED' });
}
const response = await fetch('https://discord.com/api/oauth2/token', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({
client_id: clientId,
client_secret: clientSecret,
grant_type: 'refresh_token',
refresh_token: refreshToken
})
});
const payload = await response.json().catch(() => ({}));
if (!response.ok) {
return res.status(response.status).json({
error: 'Discord refresh failed',
code: 'DISCORD_REFRESH_FAILED',
details: payload
});
}
const updated = {
...record,
access_token: payload.access_token,
refresh_token: payload.refresh_token || record.refresh_token,
token_type: payload.token_type,
scope: payload.scope,
expires_at: computeExpiresAt(payload.expires_in)
};
await tokenStore.setProviderRecord(req.sid, 'discord', updated);
return res.json(redactProviderRecord('discord', updated));
}
if (provider === 'challonge') {
const user = record.user_oauth;
if (!user?.refresh_token) {
return res.status(400).json({
error: 'No refresh token available',
code: 'NO_REFRESH_TOKEN'
});
}
if (!config.challonge.configured) {
return res.status(503).json({
error: 'Challonge OAuth not configured',
code: 'CHALLONGE_NOT_CONFIGURED'
});
}
const response = await fetch('https://api.challonge.com/oauth/token', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({
grant_type: 'refresh_token',
client_id: config.challonge.clientId,
client_secret: config.challonge.clientSecret,
refresh_token: user.refresh_token
})
});
const payload = await response.json().catch(() => ({}));
if (!response.ok) {
return res.status(response.status).json({
error: 'Challonge refresh failed',
code: 'CHALLONGE_REFRESH_FAILED',
details: payload
});
}
const updatedRecord = {
...record,
user_oauth: {
...user,
access_token: payload.access_token,
refresh_token: payload.refresh_token || user.refresh_token,
token_type: payload.token_type,
scope: payload.scope,
expires_at: computeExpiresAt(payload.expires_in)
}
};
await tokenStore.setProviderRecord(req.sid, 'challonge', updatedRecord);
return res.json(redactProviderRecord('challonge', updatedRecord));
}
return res.status(400).json({ error: `Unknown provider: ${provider}`, code: 'UNKNOWN_PROVIDER' });
});
return router;
}