/** * OAuth Proxy Server for Challonge API * * This server handles OAuth token exchange and refresh for the Challonge API. * It keeps client_secret secure by running on the backend. * * Usage: * Development: node server/oauth-proxy.js * Production: Deploy with Docker (see docker-compose.production.yml) */ import 'dotenv/config'; import express from 'express'; import cors from 'cors'; import fetch from 'node-fetch'; import gamemasterRouter from './gamemaster-api.js'; import { createAuthRouter } from './routes/auth.js'; import { validateOrExit, getConfig } from './utils/env-validator.js'; import logger, { requestLogger, errorLogger } from './utils/logger.js'; import { setupGracefulShutdown, createHealthCheckMiddleware } from './utils/graceful-shutdown.js'; async function safeParseJsonResponse(response) { const rawText = await response.text(); if (!rawText) { return { data: {}, rawText: '' }; } try { return { data: JSON.parse(rawText), rawText }; } catch (error) { return { data: { error: 'Invalid JSON response from upstream', raw: rawText.slice(0, 1000) }, rawText }; } } // Validate environment variables validateOrExit(); // Get validated configuration const config = getConfig(); const app = express(); // Middleware app.use(cors({ origin: config.cors.origin })); app.use(express.json()); app.use(requestLogger); // Mount API routes (nginx strips /api/ prefix before forwarding) app.use('/gamemaster', gamemasterRouter); app.use('/auth', createAuthRouter({ secret: config.secret, adminPassword: config.adminPassword })); /** * Exchange authorization code for access token * POST /oauth/token * Supports multiple providers: Challonge, Discord */ app.post('/oauth/token', async (req, res) => { const { code, provider = 'challonge' } = req.body; if (!code) { logger.warn('OAuth token request missing authorization code'); return res.status(400).json({ error: 'Missing authorization code' }); } try { // Handle Discord OAuth if (provider === 'discord') { const clientId = process.env.VITE_DISCORD_CLIENT_ID; const clientSecret = process.env.DISCORD_CLIENT_SECRET; const redirectUri = process.env.DISCORD_REDIRECT_URI || process.env.VITE_DISCORD_REDIRECT_URI; if (!clientId || !clientSecret || !redirectUri) { logger.warn('Discord OAuth not configured', { hasClientId: !!clientId, hasClientSecret: !!clientSecret, hasRedirectUri: !!redirectUri }); return res.status(503).json({ error: 'Discord OAuth not configured', message: 'Set VITE_DISCORD_CLIENT_ID, DISCORD_CLIENT_SECRET, and DISCORD_REDIRECT_URI environment variables' }); } logger.debug('Exchanging Discord authorization code for access token'); const response = await fetch('https://discord.com/api/oauth2/token', { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body: new URLSearchParams({ client_id: clientId, client_secret: clientSecret, grant_type: 'authorization_code', code: code, redirect_uri: redirectUri }) }); const { data, rawText } = await safeParseJsonResponse(response); if (!response.ok) { logger.error('Discord token exchange failed', { status: response.status, data }); return res.status(response.status).json(data); } if (!data?.access_token) { logger.error('Discord token exchange returned invalid payload', { status: response.status, raw: rawText.slice(0, 1000) }); return res.status(502).json({ error: 'Invalid response from Discord', raw: rawText.slice(0, 1000) }); } // Fetch Discord user info to check permissions try { const userResponse = await fetch('https://discord.com/api/users/@me', { headers: { Authorization: `Bearer ${data.access_token}` } }); if (userResponse.ok) { const userData = await userResponse.json(); const username = userData.username?.toLowerCase(); const globalName = userData.global_name?.toLowerCase(); const discordId = userData.id; logger.info('Discord user authenticated', { username: userData.username, id: discordId }); // Check if user is in admin list const isAdmin = config.discord.adminUsers.some( adminUser => adminUser === username || adminUser === globalName || adminUser === discordId ); // Add user info and permissions to response data.discord_user = { id: discordId, username: userData.username, global_name: userData.global_name, discriminator: userData.discriminator, avatar: userData.avatar }; data.permissions = isAdmin ? ['developer_tools.view'] : []; if (isAdmin) { logger.info('Discord user granted developer access', { username: userData.username }); } } else { logger.warn('Failed to fetch Discord user info', { status: userResponse.status }); } } catch (userError) { logger.warn('Error fetching Discord user info', { error: userError.message }); // Continue without user info - token is still valid } logger.info('Discord token exchange successful'); return res.json(data); } // Handle Challonge OAuth (default) if (!config.challonge.configured) { logger.warn('OAuth token request received but Challonge not configured'); return res.status(503).json({ error: 'Challonge OAuth not configured', message: 'Set CHALLONGE_CLIENT_ID and CHALLONGE_CLIENT_SECRET environment variables' }); } logger.debug('Exchanging Challonge authorization code for access token'); const response = await fetch('https://api.challonge.com/oauth/token', { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body: new URLSearchParams({ grant_type: 'authorization_code', client_id: config.challonge.clientId, client_secret: config.challonge.clientSecret, code: code, redirect_uri: config.challonge.redirectUri }) }); const data = await response.json(); if (!response.ok) { logger.error('Challonge token exchange failed', { status: response.status, data }); return res.status(response.status).json(data); } logger.info('Challonge token exchange successful'); res.json(data); } catch (error) { logger.error('Token exchange error', { provider, error: error.message }); res.status(500).json({ error: 'Token exchange failed', message: error.message }); } }); /** * Refresh access token * POST /oauth/refresh */ app.post('/oauth/refresh', async (req, res) => { if (!config.challonge.configured) { logger.warn('OAuth refresh request received but Challonge not configured'); return res.status(503).json({ error: 'Challonge OAuth not configured', message: 'Set CHALLONGE_CLIENT_ID and CHALLONGE_CLIENT_SECRET environment variables' }); } const { refresh_token } = req.body; if (!refresh_token) { logger.warn('OAuth refresh request missing refresh token'); return res.status(400).json({ error: 'Missing refresh token' }); } try { logger.debug('Refreshing access token'); const response = await fetch('https://api.challonge.com/oauth/token', { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body: new URLSearchParams({ grant_type: 'refresh_token', client_id: config.challonge.clientId, client_secret: config.challonge.clientSecret, refresh_token: refresh_token }) }); const data = await response.json(); if (!response.ok) { logger.error('Token refresh failed', { status: response.status, data }); return res.status(response.status).json(data); } logger.info('Token refresh successful'); res.json(data); } catch (error) { logger.error('Token refresh error', { error: error.message }); res.status(500).json({ error: 'Token refresh failed', message: error.message }); } }); /** * Health check endpoint (with graceful shutdown support) * GET /health */ app.get('/health', createHealthCheckMiddleware()); // Error logging middleware (must be after routes) app.use(errorLogger); // Start server const server = app.listen(config.port, () => { logger.info('🔐 OAuth Proxy Server started', { port: config.port, nodeEnv: config.nodeEnv, challongeConfigured: config.challonge.configured }); if (!config.challonge.configured) { logger.warn( '⚠️ Challonge OAuth not configured - OAuth endpoints disabled' ); logger.warn( ' Set CHALLONGE_CLIENT_ID and CHALLONGE_CLIENT_SECRET to enable' ); } logger.info('✅ Ready to handle requests'); }); // Setup graceful shutdown setupGracefulShutdown(server, { timeout: 30000, onShutdown: async () => { logger.info('Running cleanup tasks...'); // Add any cleanup tasks here (close DB connections, etc.) } });