feat: 3-click SSO registration - unified /auth page, Google/Apple/GitHub OAuth, email fallback, provider model

This commit is contained in:
root
2026-06-15 12:42:03 +02:00
parent 64ae34e9c9
commit d194e295ad
12 changed files with 1150 additions and 294 deletions
+390
View File
@@ -0,0 +1,390 @@
import { SignJWT, jwtVerify } from "jose";
import { prisma } from "@/lib/prisma";
// ─── Provider Config ────────────────────────────────────────────────────────
export type Provider = "google" | "apple" | "github";
interface ProviderConfig {
authorizeUrl: string;
tokenUrl: string;
scopes: string[];
clientIdEnv: string;
clientSecretEnv: string;
}
export const PROVIDER_CONFIGS: Record<Provider, ProviderConfig> = {
google: {
authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
tokenUrl: "https://oauth2.googleapis.com/token",
scopes: ["openid", "email", "profile"],
clientIdEnv: "GOOGLE_CLIENT_ID",
clientSecretEnv: "GOOGLE_CLIENT_SECRET",
},
apple: {
authorizeUrl: "https://appleid.apple.com/auth/authorize",
tokenUrl: "https://appleid.apple.com/auth/token",
scopes: ["name", "email"],
clientIdEnv: "APPLE_CLIENT_ID",
clientSecretEnv: "APPLE_CLIENT_SECRET",
},
github: {
authorizeUrl: "https://github.com/login/oauth/authorize",
tokenUrl: "https://github.com/login/oauth/access_token",
scopes: ["read:user", "user:email"],
clientIdEnv: "GITHUB_CLIENT_ID",
clientSecretEnv: "GITHUB_CLIENT_SECRET",
},
};
// ─── State Management ────────────────────────────────────────────────────────
const STATE_SECRET = new TextEncoder().encode(
process.env.JWT_SECRET || "dev-jwt-secret-change-in-production"
);
export interface StatePayload {
provider: Provider;
redirectTo?: string;
}
/** Generate a signed state string for CSRF protection. */
export async function generateState(
provider: Provider,
redirectTo?: string
): Promise<string> {
return new SignJWT({ provider, redirectTo } as unknown as import("jose").JWTPayload)
.setProtectedHeader({ alg: "HS256" })
.setIssuedAt()
.setExpirationTime("10m")
.sign(STATE_SECRET);
}
/** Verify a state string and return the payload, or null if invalid/expired. */
export async function verifyState(token: string): Promise<StatePayload | null> {
try {
const { payload } = await jwtVerify(token, STATE_SECRET);
return payload as unknown as StatePayload;
} catch {
return null;
}
}
// ─── Token Exchange & User Info ──────────────────────────────────────────────
interface ProviderUser {
providerId: string;
email: string;
name: string;
avatar: string | null;
}
/**
* Exchange an authorization code for a Google access token,
* then fetch user info.
*/
export async function exchangeGoogleCode(
code: string,
redirectUri: string
): Promise<ProviderUser> {
const clientId = process.env.GOOGLE_CLIENT_ID;
const clientSecret = process.env.GOOGLE_CLIENT_SECRET;
if (!clientId || !clientSecret) {
throw new Error("Google OAuth is not configured");
}
// Exchange code for token
const tokenRes = await fetch("https://oauth2.googleapis.com/token", {
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: new URLSearchParams({
code,
client_id: clientId,
client_secret: clientSecret,
redirect_uri: redirectUri,
grant_type: "authorization_code",
}),
});
if (!tokenRes.ok) {
const errBody = await tokenRes.text();
throw new Error(`Google token exchange failed: ${errBody}`);
}
const tokenData = await tokenRes.json();
const accessToken = tokenData.access_token;
// Fetch user info
const userRes = await fetch(
"https://www.googleapis.com/oauth2/v2/userinfo",
{
headers: { Authorization: `Bearer ${accessToken}` },
}
);
if (!userRes.ok) {
throw new Error("Failed to fetch Google user info");
}
const userData = await userRes.json();
return {
providerId: userData.id,
email: userData.email,
name: userData.name || userData.given_name || "User",
avatar: userData.picture || null,
};
}
/**
* Exchange an authorization code for an Apple access token,
* then decode the ID token to get user info.
*/
export async function exchangeAppleCode(
code: string,
redirectUri: string
): Promise<ProviderUser> {
const clientId = process.env.APPLE_CLIENT_ID;
const clientSecret = process.env.APPLE_CLIENT_SECRET;
if (!clientId || !clientSecret) {
throw new Error("Apple OAuth is not configured");
}
// Exchange code for token
const tokenRes = await fetch("https://appleid.apple.com/auth/token", {
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: new URLSearchParams({
code,
client_id: clientId,
client_secret: clientSecret,
redirect_uri: redirectUri,
grant_type: "authorization_code",
}),
});
if (!tokenRes.ok) {
const errBody = await tokenRes.text();
throw new Error(`Apple token exchange failed: ${errBody}`);
}
const tokenData = await tokenRes.json();
const idToken = tokenData.id_token;
if (!idToken) {
throw new Error("No ID token returned from Apple");
}
// Decode the JWT payload (second segment) — no verification needed here
// since Apple's token endpoint already verified the auth code.
const payloadBase64 = idToken.split(".")[1];
const payloadJson = Buffer.from(payloadBase64, "base64").toString("utf-8");
const payload = JSON.parse(payloadJson);
return {
providerId: payload.sub,
email: payload.email || "",
name:
payload.name ||
`${payload.given_name || ""} ${payload.family_name || ""}`.trim() ||
"User",
avatar: null, // Apple does not provide a profile photo
};
}
/**
* Exchange an authorization code for a GitHub access token,
* then fetch user info (and primary email).
*/
export async function exchangeGitHubCode(
code: string,
redirectUri: string
): Promise<ProviderUser> {
const clientId = process.env.GITHUB_CLIENT_ID;
const clientSecret = process.env.GITHUB_CLIENT_SECRET;
if (!clientId || !clientSecret) {
throw new Error("GitHub OAuth is not configured");
}
// Exchange code for token
const tokenRes = await fetch("https://github.com/login/oauth/access_token", {
method: "POST",
headers: {
"Content-Type": "application/json",
Accept: "application/json",
},
body: JSON.stringify({
code,
client_id: clientId,
client_secret: clientSecret,
redirect_uri: redirectUri,
}),
});
if (!tokenRes.ok) {
const errBody = await tokenRes.text();
throw new Error(`GitHub token exchange failed: ${errBody}`);
}
const tokenData = await tokenRes.json();
if (tokenData.error) {
throw new Error(`GitHub OAuth error: ${tokenData.error_description || tokenData.error}`);
}
const accessToken = tokenData.access_token;
// Fetch user info
const userRes = await fetch("https://api.github.com/user", {
headers: {
Authorization: `Bearer ${accessToken}`,
Accept: "application/json",
"User-Agent": "Falah-App",
},
});
if (!userRes.ok) {
throw new Error("Failed to fetch GitHub user info");
}
const userData = await userRes.json();
// GitHub doesn't always return a public email; fetch emails if needed
let email = userData.email;
if (!email) {
try {
const emailsRes = await fetch("https://api.github.com/user/emails", {
headers: {
Authorization: `Bearer ${accessToken}`,
Accept: "application/json",
"User-Agent": "Falah-App",
},
});
if (emailsRes.ok) {
const emails = await emailsRes.json();
const primary = emails.find((e: { primary: boolean }) => e.primary);
if (primary) email = primary.email;
}
} catch {
// fall back to empty email
}
}
return {
providerId: String(userData.id),
email: email || "",
name: userData.name || userData.login || "User",
avatar: userData.avatar_url || null,
};
}
// ─── Dispatch ────────────────────────────────────────────────────────────────
/** Exchange a code for user info based on provider. */
export async function exchangeCode(
provider: Provider,
code: string,
redirectUri: string
): Promise<ProviderUser> {
switch (provider) {
case "google":
return exchangeGoogleCode(code, redirectUri);
case "apple":
return exchangeAppleCode(code, redirectUri);
case "github":
return exchangeGitHubCode(code, redirectUri);
default:
throw new Error(`Unsupported provider: ${provider}`);
}
}
// ─── Find or Create User ─────────────────────────────────────────────────────
export async function findOrCreateOAuthUser(
provider: Provider,
providerUser: ProviderUser
) {
const { providerId, email, name, avatar } = providerUser;
// Try to find by provider + providerId first
let user = await prisma.user.findFirst({
where: { provider, providerId },
});
if (user) {
// Update avatar if provider has a new one
if (avatar && avatar !== user.avatar) {
user = await prisma.user.update({
where: { id: user.id },
data: { avatar },
});
}
return user;
}
// Try to find by email (so OAuth can link to an existing email account)
if (email) {
user = await prisma.user.findUnique({ where: { email } });
if (user) {
// Link the OAuth provider to this existing user
user = await prisma.user.update({
where: { id: user.id },
data: { provider, providerId, avatar: avatar || user.avatar },
});
return user;
}
}
// Create a new user
user = await prisma.user.create({
data: {
email: email || `${providerId}@${provider}.oauth`,
name,
provider,
providerId,
avatar,
flhBalance: 5000,
trialEndsAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000),
},
});
return user;
}
// ─── Build OAuth URL ─────────────────────────────────────────────────────────
/**
* Construct the provider's OAuth authorization URL.
*/
export function buildAuthorizationUrl(
provider: Provider,
state: string,
redirectUri: string
): string {
const config = PROVIDER_CONFIGS[provider];
const clientId = process.env[config.clientIdEnv];
if (!clientId) {
throw new Error(
`${provider} OAuth is not configured. Missing ${config.clientIdEnv} env var.`
);
}
const params = new URLSearchParams({
client_id: clientId,
redirect_uri: redirectUri,
response_type: "code",
scope: config.scopes.join(" "),
state,
});
// Apple requires response_mode=form_post
if (provider === "apple") {
params.set("response_mode", "form_post");
}
return `${config.authorizeUrl}?${params.toString()}`;
}