327 lines
9.4 KiB
JavaScript
327 lines
9.4 KiB
JavaScript
/**
|
|
* OAuth Proxy Server for Challonge API
|
|
*
|
|
* This server handles OAuth token exchange and refresh for the Challonge API.
|
|
* It keeps client_secret secure by running on the backend.
|
|
*
|
|
* Usage:
|
|
* Development: node server/oauth-proxy.js
|
|
* Production: Deploy with Docker (see docker-compose.production.yml)
|
|
*/
|
|
|
|
import 'dotenv/config';
|
|
import express from 'express';
|
|
import cors from 'cors';
|
|
import fetch from 'node-fetch';
|
|
import gamemasterRouter from './gamemaster-api.js';
|
|
import { createAuthRouter } from './routes/auth.js';
|
|
import { validateOrExit, getConfig } from './utils/env-validator.js';
|
|
import logger, { requestLogger, errorLogger } from './utils/logger.js';
|
|
import {
|
|
setupGracefulShutdown,
|
|
createHealthCheckMiddleware
|
|
} from './utils/graceful-shutdown.js';
|
|
|
|
async function safeParseJsonResponse(response) {
|
|
const rawText = await response.text();
|
|
if (!rawText) {
|
|
return { data: {}, rawText: '' };
|
|
}
|
|
|
|
try {
|
|
return { data: JSON.parse(rawText), rawText };
|
|
} catch (error) {
|
|
return {
|
|
data: {
|
|
error: 'Invalid JSON response from upstream',
|
|
raw: rawText.slice(0, 1000)
|
|
},
|
|
rawText
|
|
};
|
|
}
|
|
}
|
|
|
|
// Validate environment variables
|
|
validateOrExit();
|
|
|
|
// Get validated configuration
|
|
const config = getConfig();
|
|
|
|
const app = express();
|
|
|
|
// Middleware
|
|
app.use(cors({ origin: config.cors.origin }));
|
|
app.use(express.json());
|
|
app.use(requestLogger);
|
|
|
|
// Mount API routes (nginx strips /api/ prefix before forwarding)
|
|
app.use('/gamemaster', gamemasterRouter);
|
|
|
|
/**
|
|
* Exchange authorization code for access token
|
|
* POST /oauth/token
|
|
* Supports multiple providers: Challonge, Discord
|
|
*/
|
|
app.post('/oauth/token', async (req, res) => {
|
|
const { code, provider = 'challonge' } = req.body;
|
|
|
|
if (!code) {
|
|
logger.warn('OAuth token request missing authorization code');
|
|
return res.status(400).json({ error: 'Missing authorization code' });
|
|
}
|
|
|
|
try {
|
|
// Handle Discord OAuth
|
|
if (provider === 'discord') {
|
|
const clientId = process.env.VITE_DISCORD_CLIENT_ID;
|
|
const clientSecret = process.env.DISCORD_CLIENT_SECRET;
|
|
const redirectUri =
|
|
process.env.DISCORD_REDIRECT_URI ||
|
|
process.env.VITE_DISCORD_REDIRECT_URI;
|
|
|
|
if (!clientId || !clientSecret || !redirectUri) {
|
|
logger.warn('Discord OAuth not configured', {
|
|
hasClientId: !!clientId,
|
|
hasClientSecret: !!clientSecret,
|
|
hasRedirectUri: !!redirectUri
|
|
});
|
|
return res.status(503).json({
|
|
error: 'Discord OAuth not configured',
|
|
message:
|
|
'Set VITE_DISCORD_CLIENT_ID, DISCORD_CLIENT_SECRET, and DISCORD_REDIRECT_URI environment variables'
|
|
});
|
|
}
|
|
|
|
logger.debug('Exchanging Discord authorization code for access token');
|
|
const response = await fetch('https://discord.com/api/oauth2/token', {
|
|
method: 'POST',
|
|
headers: {
|
|
'Content-Type': 'application/x-www-form-urlencoded'
|
|
},
|
|
body: new URLSearchParams({
|
|
client_id: clientId,
|
|
client_secret: clientSecret,
|
|
grant_type: 'authorization_code',
|
|
code: code,
|
|
redirect_uri: redirectUri
|
|
})
|
|
});
|
|
|
|
const { data, rawText } = await safeParseJsonResponse(response);
|
|
|
|
if (!response.ok) {
|
|
logger.error('Discord token exchange failed', {
|
|
status: response.status,
|
|
data
|
|
});
|
|
return res.status(response.status).json(data);
|
|
}
|
|
|
|
if (!data?.access_token) {
|
|
logger.error('Discord token exchange returned invalid payload', {
|
|
status: response.status,
|
|
raw: rawText.slice(0, 1000)
|
|
});
|
|
return res.status(502).json({
|
|
error: 'Invalid response from Discord',
|
|
raw: rawText.slice(0, 1000)
|
|
});
|
|
}
|
|
|
|
// Fetch Discord user info to check permissions
|
|
try {
|
|
const userResponse = await fetch('https://discord.com/api/users/@me', {
|
|
headers: {
|
|
Authorization: `Bearer ${data.access_token}`
|
|
}
|
|
});
|
|
|
|
if (userResponse.ok) {
|
|
const userData = await userResponse.json();
|
|
const username = userData.username?.toLowerCase();
|
|
const globalName = userData.global_name?.toLowerCase();
|
|
const discordId = userData.id;
|
|
|
|
logger.info('Discord user authenticated', {
|
|
username: userData.username,
|
|
id: discordId
|
|
});
|
|
|
|
// Check if user is in admin list
|
|
const isAdmin = config.discord.adminUsers.some(
|
|
adminUser =>
|
|
adminUser === username ||
|
|
adminUser === globalName ||
|
|
adminUser === discordId
|
|
);
|
|
|
|
// Add user info and permissions to response
|
|
data.discord_user = {
|
|
id: discordId,
|
|
username: userData.username,
|
|
global_name: userData.global_name,
|
|
discriminator: userData.discriminator,
|
|
avatar: userData.avatar
|
|
};
|
|
|
|
data.permissions = isAdmin ? ['developer_tools.view'] : [];
|
|
|
|
if (isAdmin) {
|
|
logger.info('Discord user granted developer access', {
|
|
username: userData.username
|
|
});
|
|
}
|
|
} else {
|
|
logger.warn('Failed to fetch Discord user info', {
|
|
status: userResponse.status
|
|
});
|
|
}
|
|
} catch (userError) {
|
|
logger.warn('Error fetching Discord user info', {
|
|
error: userError.message
|
|
});
|
|
// Continue without user info - token is still valid
|
|
}
|
|
|
|
logger.info('Discord token exchange successful');
|
|
return res.json(data);
|
|
}
|
|
|
|
// Handle Challonge OAuth (default)
|
|
if (!config.challonge.configured) {
|
|
logger.warn('OAuth token request received but Challonge not configured');
|
|
return res.status(503).json({
|
|
error: 'Challonge OAuth not configured',
|
|
message:
|
|
'Set CHALLONGE_CLIENT_ID and CHALLONGE_CLIENT_SECRET environment variables'
|
|
});
|
|
}
|
|
|
|
logger.debug('Exchanging Challonge authorization code for access token');
|
|
const response = await fetch('https://api.challonge.com/oauth/token', {
|
|
method: 'POST',
|
|
headers: {
|
|
'Content-Type': 'application/x-www-form-urlencoded'
|
|
},
|
|
body: new URLSearchParams({
|
|
grant_type: 'authorization_code',
|
|
client_id: config.challonge.clientId,
|
|
client_secret: config.challonge.clientSecret,
|
|
code: code,
|
|
redirect_uri: config.challonge.redirectUri
|
|
})
|
|
});
|
|
|
|
const data = await response.json();
|
|
|
|
if (!response.ok) {
|
|
logger.error('Challonge token exchange failed', {
|
|
status: response.status,
|
|
data
|
|
});
|
|
return res.status(response.status).json(data);
|
|
}
|
|
|
|
logger.info('Challonge token exchange successful');
|
|
res.json(data);
|
|
} catch (error) {
|
|
logger.error('Token exchange error', { provider, error: error.message });
|
|
res.status(500).json({
|
|
error: 'Token exchange failed',
|
|
message: error.message
|
|
});
|
|
}
|
|
});
|
|
|
|
/**
|
|
* Refresh access token
|
|
* POST /oauth/refresh
|
|
*/
|
|
app.post('/oauth/refresh', async (req, res) => {
|
|
if (!config.challonge.configured) {
|
|
logger.warn('OAuth refresh request received but Challonge not configured');
|
|
return res.status(503).json({
|
|
error: 'Challonge OAuth not configured',
|
|
message:
|
|
'Set CHALLONGE_CLIENT_ID and CHALLONGE_CLIENT_SECRET environment variables'
|
|
});
|
|
}
|
|
|
|
const { refresh_token } = req.body;
|
|
|
|
if (!refresh_token) {
|
|
logger.warn('OAuth refresh request missing refresh token');
|
|
return res.status(400).json({ error: 'Missing refresh token' });
|
|
}
|
|
|
|
try {
|
|
logger.debug('Refreshing access token');
|
|
const response = await fetch('https://api.challonge.com/oauth/token', {
|
|
method: 'POST',
|
|
headers: {
|
|
'Content-Type': 'application/x-www-form-urlencoded'
|
|
},
|
|
body: new URLSearchParams({
|
|
grant_type: 'refresh_token',
|
|
client_id: config.challonge.clientId,
|
|
client_secret: config.challonge.clientSecret,
|
|
refresh_token: refresh_token
|
|
})
|
|
});
|
|
|
|
const data = await response.json();
|
|
|
|
if (!response.ok) {
|
|
logger.error('Token refresh failed', { status: response.status, data });
|
|
return res.status(response.status).json(data);
|
|
}
|
|
|
|
logger.info('Token refresh successful');
|
|
res.json(data);
|
|
} catch (error) {
|
|
logger.error('Token refresh error', { error: error.message });
|
|
res.status(500).json({
|
|
error: 'Token refresh failed',
|
|
message: error.message
|
|
});
|
|
}
|
|
});
|
|
|
|
/**
|
|
* Health check endpoint (with graceful shutdown support)
|
|
* GET /health
|
|
*/
|
|
app.get('/health', createHealthCheckMiddleware());
|
|
|
|
// Error logging middleware (must be after routes)
|
|
app.use(errorLogger);
|
|
|
|
// Start server
|
|
const server = app.listen(config.port, () => {
|
|
logger.info('🔐 OAuth Proxy Server started', {
|
|
port: config.port,
|
|
nodeEnv: config.nodeEnv,
|
|
challongeConfigured: config.challonge.configured
|
|
});
|
|
|
|
if (!config.challonge.configured) {
|
|
logger.warn(
|
|
'⚠️ Challonge OAuth not configured - OAuth endpoints disabled'
|
|
);
|
|
logger.warn(
|
|
' Set CHALLONGE_CLIENT_ID and CHALLONGE_CLIENT_SECRET to enable'
|
|
);
|
|
}
|
|
|
|
logger.info('✅ Ready to handle requests');
|
|
});
|
|
|
|
// Setup graceful shutdown
|
|
setupGracefulShutdown(server, {
|
|
timeout: 30000,
|
|
onShutdown: async () => {
|
|
logger.info('Running cleanup tasks...');
|
|
// Add any cleanup tasks here (close DB connections, etc.)
|
|
}
|
|
});
|