< Summary

Information

Class:	oidc.server.ts
Assembly:	app.lib
File(s):	/home/runner/work/ClutterStock/ClutterStock/frontend/app/lib/oidc.server.ts
Tag:	58_25416222083

Line coverage

Covered lines:	4
Uncovered lines:	73
Coverable lines:	77
Total lines:	222
Line coverage:	5.1%

Branch coverage

Covered branches:	2
Total branches:	30
Branch coverage:	6.6%

Method coverage

Feature is only available for sponsors

Upgrade to PRO version

Metrics

Method
getDiscovery()
generateVerifier()
challengeFor()
saveOIDCState()
consumeOIDCState()
decodeJwtPayload()
redirectUri()
generateAuthUrl()
handleCallback()
getValidToken()
buildLogoutUrl()

File(s)

/home/runner/work/ClutterStock/ClutterStock/frontend/app/lib/oidc.server.ts

#	Line	Line coverage
2	`1`	`import { createHash, randomBytes } from "node:crypto";`
	`2`	`import { redis } from "./redis.server";`
	`3`	`import {`
	`4`	`type Session,`
	`5`	`type SessionUser,`
	`6`	`createSession,`
	`7`	`destroySession,`
	`8`	`getSession,`
	`9`	`updateSession,`
	`10`	`} from "./session.server";`
	`11`
2	`12`	`const AUTHORITY = process.env.VITE_OIDC_AUTHORITY ?? "";`
2	`13`	`const CLIENT_ID = process.env.VITE_OIDC_CLIENT_ID ?? "";`
2	`14`	`const STATE_TTL = 10 * 60; // 10 minutes`
	`15`
	`16`	`// ── OIDC discovery ────────────────────────────────────────────────────────────`
	`17`
	`18`	`interface OIDCDiscovery {`
	`19`	`authorization_endpoint: string;`
	`20`	`token_endpoint: string;`
	`21`	`userinfo_endpoint: string;`
	`22`	`end_session_endpoint: string;`
	`23`	`}`
	`24`
	`25`	`let _discovery: OIDCDiscovery \| undefined;`
	`26`
0	`27`	`async function getDiscovery(): Promise<OIDCDiscovery> {`
0	`28`	`if (_discovery) return _discovery;`
0	`29`	const res = await fetch(`${AUTHORITY}/.well-known/openid-configuration`);
0	`30`	if (!res.ok) throw new Error(`OIDC discovery failed: ${res.status}`);
0	`31`	`_discovery = (await res.json()) as OIDCDiscovery;`
0	`32`	`return _discovery;`
	`33`	`}`
	`34`
	`35`	`// ── PKCE helpers ──────────────────────────────────────────────────────────────`
	`36`
0	`37`	`function generateVerifier(): string {`
0	`38`	`return randomBytes(32).toString("base64url");`
	`39`	`}`
	`40`
0	`41`	`function challengeFor(verifier: string): string {`
0	`42`	`return createHash("sha256").update(verifier).digest("base64url");`
	`43`	`}`
	`44`
	`45`	`// ── PKCE state store (Redis, short TTL) ───────────────────────────────────────`
	`46`
	`47`	`interface OIDCState {`
	`48`	`codeVerifier: string;`
	`49`	`returnTo: string;`
	`50`	`}`
	`51`
0	`52`	`async function saveOIDCState(state: string, data: OIDCState): Promise<void> {`
0	`53`	await redis().set(`oidc:state:${state}`, JSON.stringify(data), { EX: STATE_TTL });
	`54`	`}`
	`55`
0	`56`	`async function consumeOIDCState(state: string): Promise<OIDCState \| null> {`
0	`57`	const key = `oidc:state:${state}`;
0	`58`	`const raw = await redis().get(key);`
0	`59`	`if (!raw) return null;`
0	`60`	`await redis().del(key);`
0	`61`	`return JSON.parse(raw) as OIDCState;`
	`62`	`}`
	`63`
	`64`	`// ── Token response shape ──────────────────────────────────────────────────────`
	`65`
	`66`	`interface TokenResponse {`
	`67`	`access_token: string;`
	`68`	`refresh_token?: string;`
	`69`	`id_token: string;`
	`70`	`expires_in: number;`
	`71`	`token_type: string;`
	`72`	`}`
	`73`
0	`74`	`function decodeJwtPayload<T>(jwt: string): T {`
0	`75`	`const [, payload] = jwt.split(".");`
0	`76`	`return JSON.parse(Buffer.from(payload!, "base64url").toString()) as T;`
	`77`	`}`
	`78`
	`79`	`// ── Public API ────────────────────────────────────────────────────────────────`
	`80`
0	`81`	`function redirectUri(request: Request): string {`
0	`82`	`const origin = process.env.PUBLIC_ORIGIN ?? new URL(request.url).origin;`
0	`83`	return `${origin}/auth/callback`;
	`84`	`}`
	`85`
0	`86`	`export async function generateAuthUrl(`
	`87`	`request: Request,`
	`88`	`returnTo = "/locations",`
	`89`	`): Promise<string> {`
0	`90`	`const { authorization_endpoint } = await getDiscovery();`
0	`91`	`const state = randomBytes(16).toString("base64url");`
0	`92`	`const codeVerifier = generateVerifier();`
	`93`
0	`94`	`await saveOIDCState(state, { codeVerifier, returnTo });`
	`95`
0	`96`	`const params = new URLSearchParams({`
	`97`	`response_type: "code",`
	`98`	`client_id: CLIENT_ID,`
	`99`	`redirect_uri: redirectUri(request),`
	`100`	`scope: "openid profile email groups offline_access",`
	`101`	`state,`
	`102`	`code_challenge: challengeFor(codeVerifier),`
	`103`	`code_challenge_method: "S256",`
	`104`	`});`
	`105`
0	`106`	return `${authorization_endpoint}?${params}`;
	`107`	`}`
	`108`
0	`109`	`export async function handleCallback(`
	`110`	`code: string,`
	`111`	`state: string,`
	`112`	`request: Request,`
	`113`	`): Promise<{ sid: string; returnTo: string }> {`
0	`114`	`const oidcState = await consumeOIDCState(state);`
0	`115`	`if (!oidcState) throw new Response("Invalid or expired state", { status: 400 });`
	`116`
0	`117`	`const { token_endpoint, userinfo_endpoint } = await getDiscovery();`
0	`118`	`const res = await fetch(token_endpoint, {`
	`119`	`method: "POST",`
	`120`	`headers: { "Content-Type": "application/x-www-form-urlencoded" },`
	`121`	`body: new URLSearchParams({`
	`122`	`grant_type: "authorization_code",`
	`123`	`client_id: CLIENT_ID,`
	`124`	`redirect_uri: redirectUri(request),`
	`125`	`code,`
	`126`	`code_verifier: oidcState.codeVerifier,`
	`127`	`}),`
	`128`	`});`
	`129`
0	`130`	`if (!res.ok) {`
0	`131`	`const body = await res.text();`
0	`132`	throw new Response(`Token exchange failed: ${body}`, { status: 502 });
	`133`	`}`
	`134`
0	`135`	`const tokens = (await res.json()) as TokenResponse;`
	`136`
	`137`	`// Prefer userinfo endpoint — id_token omits profile claims when no claims_policy is set`
	`138`	`let profile: SessionUser & Record<string, unknown>;`
0	`139`	`try {`
0	`140`	`const uiRes = await fetch(userinfo_endpoint, {`
	`141`	headers: { Authorization: `Bearer ${tokens.access_token}` },
	`142`	`});`
0	`143`	`profile = uiRes.ok`
	`144`	`? (await uiRes.json()) as SessionUser & Record<string, unknown>`
	`145`	`: decodeJwtPayload<SessionUser & Record<string, unknown>>(tokens.id_token);`
	`146`	`} catch {`
0	`147`	`profile = decodeJwtPayload<SessionUser & Record<string, unknown>>(tokens.id_token);`
	`148`	`}`
	`149`
0	`150`	`const session: Session = {`
	`151`	`accessToken: tokens.access_token,`
	`152`	`refreshToken: tokens.refresh_token ?? "",`
	`153`	`expiresAt: Math.floor(Date.now() / 1000) + tokens.expires_in,`
	`154`	`idToken: tokens.id_token,`
	`155`	`user: {`
	`156`	`sub: profile.sub,`
	`157`	`name: profile.name,`
	`158`	`preferred_username: profile.preferred_username,`
	`159`	`email: profile.email,`
	`160`	`groups: profile.groups ?? null,`
	`161`	`},`
	`162`	`};`
	`163`
0	`164`	`const sid = await createSession(session);`
0	`165`	`return { sid, returnTo: oidcState.returnTo };`
	`166`	`}`
	`167`
0	`168`	`export async function getValidToken(request: Request): Promise<string \| null> {`
0	`169`	`const sess = await getSession(request);`
0	`170`	`if (!sess) return null;`
	`171`
0	`172`	`const { sid, data } = sess;`
0	`173`	`const now = Math.floor(Date.now() / 1000);`
	`174`
0	`175`	`if (data.expiresAt > now + 60) return data.accessToken;`
	`176`
0	`177`	`if (!data.refreshToken) {`
0	`178`	`await destroySession(sid);`
0	`179`	`return null;`
	`180`	`}`
	`181`
0	`182`	`try {`
0	`183`	`const { token_endpoint } = await getDiscovery();`
0	`184`	`const res = await fetch(token_endpoint, {`
	`185`	`method: "POST",`
	`186`	`headers: { "Content-Type": "application/x-www-form-urlencoded" },`
	`187`	`body: new URLSearchParams({`
	`188`	`grant_type: "refresh_token",`
	`189`	`client_id: CLIENT_ID,`
	`190`	`refresh_token: data.refreshToken,`
	`191`	`}),`
	`192`	`});`
	`193`
0	`194`	`if (!res.ok) {`
0	`195`	`await destroySession(sid);`
0	`196`	`return null;`
	`197`	`}`
	`198`
0	`199`	`const tokens = (await res.json()) as TokenResponse;`
0	`200`	`await updateSession(sid, {`
	`201`	`...data,`
	`202`	`accessToken: tokens.access_token,`
	`203`	`refreshToken: tokens.refresh_token ?? data.refreshToken,`
	`204`	`expiresAt: now + tokens.expires_in,`
	`205`	`});`
0	`206`	`return tokens.access_token;`
	`207`	`} catch {`
0	`208`	`await destroySession(sid);`
0	`209`	`return null;`
	`210`	`}`
	`211`	`}`
	`212`
0	`213`	`export async function buildLogoutUrl(`
	`214`	`idToken: string \| undefined,`
	`215`	`request: Request,`
	`216`	`): Promise<string> {`
0	`217`	`const { end_session_endpoint } = await getDiscovery();`
0	`218`	`const origin = process.env.PUBLIC_ORIGIN ?? new URL(request.url).origin;`
0	`219`	`const params = new URLSearchParams({ post_logout_redirect_uri: origin });`
0	`220`	`if (idToken) params.set("id_token_hint", idToken);`
0	`221`	return `${end_session_endpoint}?${params}`;
	`222`	`}`

< Summary

Metrics

File(s)

/home/runner/work/ClutterStock/ClutterStock/frontend/app/lib/oidc.server.ts

Methods/Properties