refactor progress

2026-02-17 12:22:36 +00:00
parent cb31608523
commit d5abd1a7e4
8257 changed files with 1190207 additions and 761040 deletions
--- a/packages/admin/src/routes/Auth.tsx
+++ b/packages/admin/src/routes/Auth.tsx
@@ -0,0 +1,163 @@
+/*
+ * Copyright (C) 2026 Fluxer Contributors
+ *
+ * This file is part of Fluxer.
+ *
+ * Fluxer is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Fluxer is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with Fluxer. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+/** @jsxRuntime automatic */
+/** @jsxImportSource hono/jsx */
+
+import * as usersApi from '@fluxer/admin/src/api/Users';
+import {getValidSession, redirectToAuthorize} from '@fluxer/admin/src/middleware/Auth';
+import {LoginPage} from '@fluxer/admin/src/pages/LoginPage';
+import type {RouteFactoryDeps} from '@fluxer/admin/src/routes/RouteTypes';
+import {createSession} from '@fluxer/admin/src/Session';
+import type {AppVariables} from '@fluxer/admin/src/types/App';
+import {base64EncodeString} from '@fluxer/oauth2/src/OAuth2';
+import {Hono} from 'hono';
+import {deleteCookie, getCookie, setCookie} from 'hono/cookie';
+
+export function createAuthRoutes({config}: RouteFactoryDeps) {
+	const router = new Hono<{Variables: AppVariables}>();
+
+	router.get('/login', async (c) => {
+		const error = c.req.query('error');
+		let errorMsg: string | undefined;
+
+		if (error === 'oauth_failed') {
+			errorMsg = 'Authentication failed. Please try again.';
+		} else if (error === 'missing_admin_acl') {
+			errorMsg = 'Access denied: missing admin:authenticate permission. Ask an administrator to grant access.';
+		} else if (error) {
+			errorMsg = 'Login error. Please try again.';
+		}
+
+		const session = await getValidSession(c, config);
+		if (session) {
+			return c.redirect(`${config.basePath}/dashboard`);
+		}
+
+		return c.html(<LoginPage config={config} errorMessage={errorMsg} />);
+	});
+
+	router.get('/auth/start', (c) => {
+		return redirectToAuthorize(c, config);
+	});
+
+	router.get('/oauth2_callback', async (c) => {
+		const code = c.req.query('code');
+		const state = c.req.query('state');
+		const storedState = getCookie(c, 'oauth_state');
+
+		deleteCookie(c, 'oauth_state', {path: '/'});
+
+		if (!code || !state || state !== storedState) {
+			return c.redirect(`${config.basePath}/login?error=oauth_failed`);
+		}
+
+		try {
+			const tokenResponse = await fetch(`${config.apiEndpoint}/oauth2/token`, {
+				method: 'POST',
+				headers: {
+					'Content-Type': 'application/x-www-form-urlencoded',
+				},
+				body: new URLSearchParams({
+					grant_type: 'authorization_code',
+					code,
+					redirect_uri: config.oauthRedirectUri,
+					client_id: config.oauthClientId,
+					client_secret: config.oauthClientSecret,
+				}),
+			});
+
+			if (!tokenResponse.ok) {
+				return c.redirect(`${config.basePath}/login?error=oauth_failed`);
+			}
+
+			const tokenData = (await tokenResponse.json()) as {access_token: string; token_type: string};
+			const accessToken = tokenData.access_token;
+
+			const userResponse = await fetch(`${config.apiEndpoint}/users/@me`, {
+				headers: {
+					Authorization: `Bearer ${accessToken}`,
+				},
+			});
+
+			if (!userResponse.ok) {
+				return c.redirect(`${config.basePath}/login?error=oauth_failed`);
+			}
+
+			const userData = (await userResponse.json()) as {id: string};
+			const userId = userData.id;
+
+			const adminResult = await usersApi.getCurrentAdmin(config, {
+				userId,
+				accessToken,
+				createdAt: Math.floor(Date.now() / 1000),
+			});
+			if (!adminResult.ok || !adminResult.data) {
+				return c.redirect(`${config.basePath}/login?error=missing_admin_acl`);
+			}
+
+			const sessionData = createSession(userId, accessToken, config.secretKeyBase);
+			setCookie(c, 'session', sessionData, {
+				httpOnly: true,
+				secure: config.env === 'production',
+				sameSite: 'Lax',
+				maxAge: 60 * 60 * 24 * 7,
+				path: '/',
+			});
+
+			return c.redirect(`${config.basePath}/dashboard`);
+		} catch {
+			return c.redirect(`${config.basePath}/login?error=oauth_failed`);
+		}
+	});
+
+	router.post('/logout', async (c) => {
+		const session = await getValidSession(c, config);
+
+		if (session) {
+			try {
+				const basic = `Basic ${base64EncodeString(`${config.oauthClientId}:${config.oauthClientSecret}`)}`;
+				await fetch(`${config.apiEndpoint}/oauth2/revoke`, {
+					method: 'POST',
+					headers: {
+						'Content-Type': 'application/x-www-form-urlencoded',
+						Authorization: basic,
+					},
+					body: new URLSearchParams({
+						token: session.accessToken,
+						token_type_hint: 'access_token',
+					}),
+				});
+			} catch {}
+		}
+
+		deleteCookie(c, 'session', {path: '/'});
+		return c.redirect(`${config.basePath}/login`);
+	});
+
+	router.get('/logout', async (c) => {
+		const session = await getValidSession(c, config);
+		if (session) {
+			return c.redirect(`${config.basePath}/dashboard`);
+		}
+		return c.redirect(`${config.basePath}/login`);
+	});
+
+	return router;
+}