feat: remove authentication (#1)
This commit is contained in:
Sam Denty
@@ -1,41 +0,0 @@
|
||||
import { json, redirect, type LoaderFunctionArgs, type TypedResponse } from '@remix-run/cloudflare';
|
||||
import { isAuthenticated, type Session } from './sessions';
|
||||
|
||||
type RequestArgs = Pick<LoaderFunctionArgs, 'request' | 'context'>;
|
||||
|
||||
export async function loadWithAuth<T extends RequestArgs>(
|
||||
args: T,
|
||||
handler: (args: T, session: Session) => Promise<Response>,
|
||||
) {
|
||||
return handleWithAuth(args, handler, (response) => redirect('/login', response));
|
||||
}
|
||||
|
||||
export async function actionWithAuth<T extends RequestArgs>(
|
||||
args: T,
|
||||
handler: (args: T, session: Session) => Promise<TypedResponse>,
|
||||
) {
|
||||
return await handleWithAuth(args, handler, (response) => json({}, { status: 401, ...response }));
|
||||
}
|
||||
|
||||
async function handleWithAuth<T extends RequestArgs, R extends TypedResponse>(
|
||||
args: T,
|
||||
handler: (args: T, session: Session) => Promise<R>,
|
||||
fallback: (partial: ResponseInit) => R,
|
||||
) {
|
||||
const { request, context } = args;
|
||||
const { session, response } = await isAuthenticated(request, context.cloudflare.env);
|
||||
|
||||
if (session == null && !import.meta.env.VITE_DISABLE_AUTH) {
|
||||
return fallback(response);
|
||||
}
|
||||
|
||||
const handlerResponse = await handler(args, session || {});
|
||||
|
||||
if (response) {
|
||||
for (const [key, value] of Object.entries(response.headers)) {
|
||||
handlerResponse.headers.append(key, value);
|
||||
}
|
||||
}
|
||||
|
||||
return handlerResponse;
|
||||
}
|
||||
@@ -1,240 +0,0 @@
|
||||
import { createCookieSessionStorage, redirect, type Session as RemixSession } from '@remix-run/cloudflare';
|
||||
import { decodeJwt } from 'jose';
|
||||
import { CLIENT_ID, CLIENT_ORIGIN } from '~/lib/constants';
|
||||
import { request as doRequest } from '~/lib/fetch';
|
||||
import { logger } from '~/utils/logger';
|
||||
import type { Identity } from '~/lib/analytics';
|
||||
import { decrypt, encrypt } from '~/lib/crypto';
|
||||
|
||||
const DEV_SESSION_SECRET = import.meta.env.DEV ? 'LZQMrERo3Ewn/AbpSYJ9aw==' : undefined;
|
||||
const DEV_PAYLOAD_SECRET = import.meta.env.DEV ? '2zAyrhjcdFeXk0YEDzilMXbdrGAiR+8ACIUgFNfjLaI=' : undefined;
|
||||
|
||||
const TOKEN_KEY = 't';
|
||||
const EXPIRES_KEY = 'e';
|
||||
const USER_ID_KEY = 'u';
|
||||
const SEGMENT_KEY = 's';
|
||||
const AVATAR_KEY = 'a';
|
||||
const ENCRYPTED_KEY = 'd';
|
||||
|
||||
interface PrivateSession {
|
||||
[TOKEN_KEY]: string;
|
||||
[EXPIRES_KEY]: number;
|
||||
[USER_ID_KEY]?: string;
|
||||
[SEGMENT_KEY]?: string;
|
||||
}
|
||||
|
||||
interface PublicSession {
|
||||
[ENCRYPTED_KEY]: string;
|
||||
[AVATAR_KEY]?: string;
|
||||
}
|
||||
|
||||
export interface Session {
|
||||
userId?: string;
|
||||
segmentWriteKey?: string;
|
||||
avatar?: string;
|
||||
}
|
||||
|
||||
export async function isAuthenticated(request: Request, env: Env) {
|
||||
const { session, sessionStorage } = await getSession(request, env);
|
||||
|
||||
const sessionData: PrivateSession | null = await decryptSessionData(env, session.get(ENCRYPTED_KEY));
|
||||
|
||||
const header = async (cookie: Promise<string>) => ({ headers: { 'Set-Cookie': await cookie } });
|
||||
const destroy = () => header(sessionStorage.destroySession(session));
|
||||
|
||||
if (sessionData?.[TOKEN_KEY] == null) {
|
||||
return { session: null, response: await destroy() };
|
||||
}
|
||||
|
||||
const expiresAt = sessionData[EXPIRES_KEY] ?? 0;
|
||||
|
||||
if (Date.now() < expiresAt) {
|
||||
return { session: getSessionData(session, sessionData) };
|
||||
}
|
||||
|
||||
logger.debug('Renewing token');
|
||||
|
||||
let data: Awaited<ReturnType<typeof refreshToken>> | null = null;
|
||||
|
||||
try {
|
||||
data = await refreshToken(sessionData[TOKEN_KEY]);
|
||||
} catch (error) {
|
||||
// we can ignore the error here because it's handled below
|
||||
logger.error(error);
|
||||
}
|
||||
|
||||
if (data != null) {
|
||||
const expiresAt = cookieExpiration(data.expires_in, data.created_at);
|
||||
|
||||
const newSessionData = { ...sessionData, [EXPIRES_KEY]: expiresAt };
|
||||
const encryptedData = await encryptSessionData(env, newSessionData);
|
||||
|
||||
session.set(ENCRYPTED_KEY, encryptedData);
|
||||
|
||||
return {
|
||||
session: getSessionData(session, newSessionData),
|
||||
response: await header(sessionStorage.commitSession(session)),
|
||||
};
|
||||
} else {
|
||||
return { session: null, response: await destroy() };
|
||||
}
|
||||
}
|
||||
|
||||
export async function createUserSession(
|
||||
request: Request,
|
||||
env: Env,
|
||||
tokens: { refresh: string; expires_in: number; created_at: number },
|
||||
identity?: Identity,
|
||||
): Promise<ResponseInit> {
|
||||
const { session, sessionStorage } = await getSession(request, env);
|
||||
|
||||
const expiresAt = cookieExpiration(tokens.expires_in, tokens.created_at);
|
||||
|
||||
const sessionData: PrivateSession = {
|
||||
[TOKEN_KEY]: tokens.refresh,
|
||||
[EXPIRES_KEY]: expiresAt,
|
||||
[USER_ID_KEY]: identity?.userId ?? undefined,
|
||||
[SEGMENT_KEY]: identity?.segmentWriteKey ?? undefined,
|
||||
};
|
||||
|
||||
const encryptedData = await encryptSessionData(env, sessionData);
|
||||
session.set(ENCRYPTED_KEY, encryptedData);
|
||||
session.set(AVATAR_KEY, identity?.avatar);
|
||||
|
||||
return {
|
||||
headers: {
|
||||
'Set-Cookie': await sessionStorage.commitSession(session, {
|
||||
maxAge: 3600 * 24 * 30, // 1 month
|
||||
}),
|
||||
},
|
||||
};
|
||||
}
|
||||
|
||||
function getSessionStorage(cloudflareEnv: Env) {
|
||||
return createCookieSessionStorage<PublicSession>({
|
||||
cookie: {
|
||||
name: '__session',
|
||||
httpOnly: true,
|
||||
path: '/',
|
||||
secrets: [DEV_SESSION_SECRET || cloudflareEnv.SESSION_SECRET],
|
||||
secure: import.meta.env.PROD,
|
||||
},
|
||||
});
|
||||
}
|
||||
|
||||
export async function logout(request: Request, env: Env) {
|
||||
const { session, sessionStorage } = await getSession(request, env);
|
||||
|
||||
const sessionData = await decryptSessionData(env, session.get(ENCRYPTED_KEY));
|
||||
|
||||
if (sessionData) {
|
||||
revokeToken(sessionData[TOKEN_KEY]);
|
||||
}
|
||||
|
||||
return redirect('/login', {
|
||||
headers: {
|
||||
'Set-Cookie': await sessionStorage.destroySession(session),
|
||||
},
|
||||
});
|
||||
}
|
||||
|
||||
export function validateAccessToken(access: string) {
|
||||
const jwtPayload = decodeJwt(access);
|
||||
|
||||
return jwtPayload.bolt === true;
|
||||
}
|
||||
|
||||
function getSessionData(session: RemixSession<PublicSession>, data: PrivateSession): Session {
|
||||
return {
|
||||
userId: data?.[USER_ID_KEY],
|
||||
segmentWriteKey: data?.[SEGMENT_KEY],
|
||||
avatar: session.get(AVATAR_KEY),
|
||||
};
|
||||
}
|
||||
|
||||
async function getSession(request: Request, env: Env) {
|
||||
const sessionStorage = getSessionStorage(env);
|
||||
const cookie = request.headers.get('Cookie');
|
||||
|
||||
return { session: await sessionStorage.getSession(cookie), sessionStorage };
|
||||
}
|
||||
|
||||
async function refreshToken(refresh: string): Promise<{ expires_in: number; created_at: number }> {
|
||||
const response = await doRequest(`${CLIENT_ORIGIN}/oauth/token`, {
|
||||
method: 'POST',
|
||||
body: urlParams({ grant_type: 'refresh_token', client_id: CLIENT_ID, refresh_token: refresh }),
|
||||
headers: {
|
||||
'content-type': 'application/x-www-form-urlencoded',
|
||||
},
|
||||
});
|
||||
|
||||
const body = await response.json();
|
||||
|
||||
if (!response.ok) {
|
||||
throw new Error(`Unable to refresh token\n${response.status} ${JSON.stringify(body)}`);
|
||||
}
|
||||
|
||||
const { access_token: access } = body;
|
||||
|
||||
if (!validateAccessToken(access)) {
|
||||
throw new Error('User is no longer authorized for Bolt');
|
||||
}
|
||||
|
||||
return body;
|
||||
}
|
||||
|
||||
function cookieExpiration(expireIn: number, createdAt: number) {
|
||||
return (expireIn + createdAt - 10 * 60) * 1000;
|
||||
}
|
||||
|
||||
async function revokeToken(refresh?: string) {
|
||||
if (refresh == null) {
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
const response = await doRequest(`${CLIENT_ORIGIN}/oauth/revoke`, {
|
||||
method: 'POST',
|
||||
body: urlParams({
|
||||
token: refresh,
|
||||
token_type_hint: 'refresh_token',
|
||||
client_id: CLIENT_ID,
|
||||
}),
|
||||
headers: {
|
||||
'content-type': 'application/x-www-form-urlencoded',
|
||||
},
|
||||
});
|
||||
|
||||
if (!response.ok) {
|
||||
throw new Error(`Unable to revoke token: ${response.status}`);
|
||||
}
|
||||
} catch (error) {
|
||||
logger.debug(error);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
function urlParams(data: Record<string, string>) {
|
||||
const encoded = new URLSearchParams();
|
||||
|
||||
for (const [key, value] of Object.entries(data)) {
|
||||
encoded.append(key, value);
|
||||
}
|
||||
|
||||
return encoded;
|
||||
}
|
||||
|
||||
async function decryptSessionData(env: Env, encryptedData?: string) {
|
||||
const decryptedData = encryptedData ? await decrypt(payloadSecret(env), encryptedData) : undefined;
|
||||
const sessionData: PrivateSession | null = JSON.parse(decryptedData ?? 'null');
|
||||
|
||||
return sessionData;
|
||||
}
|
||||
|
||||
async function encryptSessionData(env: Env, sessionData: PrivateSession) {
|
||||
return await encrypt(payloadSecret(env), JSON.stringify(sessionData));
|
||||
}
|
||||
|
||||
function payloadSecret(env: Env) {
|
||||
return DEV_PAYLOAD_SECRET || env.PAYLOAD_SECRET;
|
||||
}
|
||||
@@ -1,38 +0,0 @@
|
||||
import { CLIENT_ORIGIN } from '~/lib/constants';
|
||||
import { request as doRequest } from '~/lib/fetch';
|
||||
|
||||
export interface Identity {
|
||||
userId?: string | null;
|
||||
guestId?: string | null;
|
||||
segmentWriteKey?: string | null;
|
||||
avatar?: string;
|
||||
}
|
||||
|
||||
const MESSAGE_PREFIX = 'Bolt';
|
||||
|
||||
export enum AnalyticsTrackEvent {
|
||||
MessageSent = `${MESSAGE_PREFIX} Message Sent`,
|
||||
MessageComplete = `${MESSAGE_PREFIX} Message Complete`,
|
||||
ChatCreated = `${MESSAGE_PREFIX} Chat Created`,
|
||||
}
|
||||
|
||||
export async function identifyUser(access: string): Promise<Identity | undefined> {
|
||||
const response = await doRequest(`${CLIENT_ORIGIN}/api/identify`, {
|
||||
method: 'GET',
|
||||
headers: { authorization: `Bearer ${access}` },
|
||||
});
|
||||
|
||||
const body = await response.json();
|
||||
|
||||
if (!response.ok) {
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// convert numerical identity values to strings
|
||||
const stringified = Object.entries(body).map(([key, value]) => [
|
||||
key,
|
||||
typeof value === 'number' ? value.toString() : value,
|
||||
]);
|
||||
|
||||
return Object.fromEntries(stringified) as Identity;
|
||||
}
|
||||
@@ -1,4 +0,0 @@
|
||||
export function forgetAuth() {
|
||||
// FIXME: use dedicated method
|
||||
localStorage.removeItem('__wc_api_tokens__');
|
||||
}
|
||||
@@ -1,2 +0,0 @@
|
||||
export const CLIENT_ID = 'bolt';
|
||||
export const CLIENT_ORIGIN = import.meta.env.VITE_CLIENT_ORIGIN ?? 'https://stackblitz.com';
|
||||
@@ -116,7 +116,7 @@ export class FilesStore {
|
||||
async #init() {
|
||||
const webcontainer = await this.#webcontainer;
|
||||
|
||||
webcontainer.watchPaths(
|
||||
webcontainer.internal.watchPaths(
|
||||
{ include: [`${WORK_DIR}/**`], exclude: ['**/node_modules', '.git'], includeContent: true },
|
||||
bufferWatchEvents(100, this.#processEventBuffer.bind(this)),
|
||||
);
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
import { WebContainer } from '@webcontainer/api';
|
||||
import { WORK_DIR_NAME } from '~/utils/constants';
|
||||
import { forgetAuth } from '~/lib/auth';
|
||||
|
||||
interface WebContainerContext {
|
||||
loaded: boolean;
|
||||
@@ -23,7 +22,6 @@ if (!import.meta.env.SSR) {
|
||||
import.meta.hot?.data.webcontainer ??
|
||||
Promise.resolve()
|
||||
.then(() => {
|
||||
forgetAuth();
|
||||
return WebContainer.boot({ workdirName: WORK_DIR_NAME });
|
||||
})
|
||||
.then((webcontainer) => {
|
||||
|
||||
Reference in New Issue
Block a user