OIDC Authentication (#28)

* build(deps): add hono oidc auth package

* refactor(server): allow GET methods

* build(deps): remove hono auth package, add generic auth envelop plugin package

* feature(plugins): add useGenericAuth plugin WIP

* chore: remove ts-ignore

* refactor: add envs for AUTH_JWKS_URL, remove specific logs

* refactor(plugins): update useGenericAuth to use jose for JWT handling

* refactor(plugins): rename upsertedUser --> user

* refactor(plugins): update naming convention, useGenericAuth --> useAuth

* chore(plugins): update file name, useGenericAuth --> useAuth

* refactor(plugins): update useAuth to dedup claims derived from payload

* refactor(plugins): remove upsert from auth flow

* chore(plugin): revert changes, continuw with upsert

* docs: add JSDoc to createGraphQLContext function

Co-authored-by: Brian Cooper <20056195+coopbri@users.noreply.github.com>

* refactor(plugins): remove TODO, update catch block pattern

Co-authored-by: Brian Cooper <20056195+coopbri@users.noreply.github.com>

* docs: add JSDoc to resolveUser

Co-authored-by: Brian Cooper <20056195+coopbri@users.noreply.github.com>

---------

Co-authored-by: Brian Cooper <20056195+coopbri@users.noreply.github.com>

Author: hobbescodes

.env.development

@@ -0,0 +1 @@
+AUTH_JWKS_URL="https://hidra.omni.dev/realms/test/protocol/openid-connect/certs"

.env.production

@@ -0,0 +1 @@
+AUTH_JWKS_URL="https://hidra.omni.dev/realms/omni/protocol/openid-connect/certs"

.gitignore

@@ -3,6 +3,8 @@ node_modules/
 .env
 .env.*
 !.env.*template
+!.env.development
+!.env.production
 
 ## Misc
 .vscode

bun.lock

@@ -3,6 +3,7 @@
   "workspaces": {
     "": {
       "dependencies": {
+        "@envelop/generic-auth": "^8.0.1",
         "@graphile/pg-aggregates": "^0.2.0-beta.7",
         "@graphile/simplify-inflection": "^8.0.0-beta.5",
         "dayjs": "^1.11.13",
@@ -12,6 +13,7 @@
         "graphql": "^16.9.0",
         "graphql-yoga": "^5.8.0",
         "hono": "^4.6.8",
+        "jose": "^5.9.6",
         "pg": "^8.13.1",
         "postgraphile": "^5.0.0-beta.37",
         "postgraphile-plugin-connection-filter": "^3.0.0-beta.7",
@@ -80,6 +82,10 @@
 
     "@envelop/core": ["@envelop/core@5.0.2", "", { "dependencies": { "@envelop/types": "5.0.0", "tslib": "^2.5.0" } }, "sha512-tVL6OrMe6UjqLosiE+EH9uxh2TQC0469GwF4tE014ugRaDDKKVWwFwZe0TBMlcyHKh5MD4ZxktWo/1hqUxIuhw=="],
 
+    "@envelop/extended-validation": ["@envelop/extended-validation@4.1.0", "", { "dependencies": { "@graphql-tools/utils": "^10.0.0", "tslib": "^2.5.0" }, "peerDependencies": { "@envelop/core": "^5.0.2", "graphql": "^14.0.0 || ^15.0.0 || ^16.0.0" } }, "sha512-S90LQanW+xg3Lkp2sNiHa2KJnXXpKLucKys05Wk5zpiV0vL0SDX+/cuV+tnDhShWJucunAGi34n8xFCXsUUOkA=="],
+
+    "@envelop/generic-auth": ["@envelop/generic-auth@8.0.1", "", { "dependencies": { "@envelop/extended-validation": "^4.1.0", "@graphql-tools/executor": "^1.3.6", "@graphql-tools/utils": "^10.5.1", "tslib": "^2.5.0" }, "peerDependencies": { "@envelop/core": "^5.0.2", "graphql": "^14.0.0 || ^15.0.0 || ^16.0.0" } }, "sha512-QznhYwj1Ri8Afkc6djtBTWI28xMdmKUxyqLc85XfpjxVnKrGcd8jdgV08SKiRQC29AH/rhSZprt6vXAXIsqRJA=="],
+
     "@envelop/types": ["@envelop/types@5.0.0", "", { "dependencies": { "tslib": "^2.5.0" } }, "sha512-IPjmgSc4KpQRlO4qbEDnBEixvtb06WDmjKfi/7fkZaryh5HuOmTtixe1EupQI5XfXO8joc3d27uUZ0QdC++euA=="],
 
     "@esbuild-kit/core-utils": ["@esbuild-kit/core-utils@3.3.2", "", { "dependencies": { "esbuild": "~0.18.20", "source-map-support": "^0.5.21" } }, "sha512-sPRAnw9CdSsRmEtnsl2WXWdyquogVpB3yZ3dgwJfe8zrOzTsV7cJvmwrKVa+0ma5BoiGJ+BoqkMvawbayKUsqQ=="],
@@ -308,6 +314,8 @@
 
     "jackspeak": ["jackspeak@3.4.3", "", { "dependencies": { "@isaacs/cliui": "^8.0.2" }, "optionalDependencies": { "@pkgjs/parseargs": "^0.11.0" } }, "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw=="],
 
+    "jose": ["jose@5.9.6", "", {}, "sha512-AMlnetc9+CV9asI19zHmrgS/WYsWUwCn2R7RzlbJWD7F9eWYUTGyBmU9o6PxngtLGOiDGPRu+Uc4fhKzbpteZQ=="],
+
     "js-tokens": ["js-tokens@4.0.0", "", {}, "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ=="],
 
     "jsesc": ["jsesc@3.1.0", "", { "bin": { "jsesc": "bin/jsesc" } }, "sha512-/sM3dO2FOzXjKQhJuo0Q173wf2KOo8t4I8vHy6lF9poUp7bKT0/NHE8fPX23PwfhnykfqnC2xRxOnVw5XuGIaA=="],

package.json

@@ -32,6 +32,7 @@
     "typescript": "^5.6.3"
   },
   "dependencies": {
+    "@envelop/generic-auth": "^8.0.1",
     "@graphile/pg-aggregates": "^0.2.0-beta.7",
     "@graphile/simplify-inflection": "^8.0.0-beta.5",
     "dayjs": "^1.11.13",
@@ -41,6 +42,7 @@
     "graphql": "^16.9.0",
     "graphql-yoga": "^5.8.0",
     "hono": "^4.6.8",
+    "jose": "^5.9.6",
     "pg": "^8.13.1",
     "postgraphile": "^5.0.0-beta.37",
     "postgraphile-plugin-connection-filter": "^3.0.0-beta.7"

src/lib/config/env.ts

@@ -7,6 +7,7 @@ export const {
   // https://stackoverflow.com/a/68578294
   HOST = "0.0.0.0",
   DATABASE_URL,
+  AUTH_JWKS_URL,
 } = process.env;
 
 export const isDevEnv = NODE_ENV === "development";

src/lib/graphql/context.ts

@@ -0,0 +1,28 @@
+import { createWithPgClient } from "@dataplan/pg/adaptors/pg";
+
+import { dbPool } from "lib/db/db";
+import { pgPool } from "lib/db/pool";
+
+import type { YogaInitialContext } from "graphql-yoga";
+import type { WithPgClient } from "postgraphile/@dataplan/pg";
+import type { NodePostgresPgClient } from "postgraphile/adaptors/pg";
+
+const withPgClient = createWithPgClient({ pool: pgPool });
+
+export interface GraphQLContext {
+  db: typeof dbPool;
+  request: Request;
+  withPgClient: WithPgClient<NodePostgresPgClient>;
+}
+
+/**
+ * Create a GraphQL context.
+ * @see https://graphql.org/learn/execution/#root-fields-and-resolvers
+ */
+export const createGraphQLContext = async ({
+  request,
+}: YogaInitialContext): Promise<GraphQLContext> => ({
+  db: dbPool,
+  request,
+  withPgClient,
+});

src/lib/graphql/index.ts

@@ -0,0 +1 @@
+export { createGraphQLContext, type GraphQLContext } from "./context";

src/lib/plugins/index.ts

@@ -0,0 +1 @@
+export { default as useAuth } from "./useAuth";

src/lib/plugins/useAuth.ts

@@ -0,0 +1,66 @@
+import { useGenericAuth } from "@envelop/generic-auth";
+import * as jose from "jose";
+
+import { AUTH_JWKS_URL } from "lib/config/env";
+import { users } from "lib/drizzle/schema";
+
+import type { ResolveUserFn } from "@envelop/generic-auth";
+import type { InsertUser, SelectUser } from "lib/drizzle/schema";
+import type { GraphQLContext } from "lib/graphql";
+
+/**
+ * Validate user session and resolve user if successful.
+ * @see https://the-guild.dev/graphql/envelop/plugins/use-generic-auth#getting-started
+ */
+const resolveUser: ResolveUserFn<SelectUser, GraphQLContext> = async (
+  context
+) => {
+  try {
+    const sessionToken = context.request.headers
+      .get("authorization")
+      ?.split("Bearer ")[1];
+
+    if (!sessionToken) throw new Error("Invalid or missing session token");
+
+    const jwks = jose.createRemoteJWKSet(new URL(AUTH_JWKS_URL!));
+
+    const { payload } = await jose.jwtVerify(sessionToken, jwks);
+
+    if (!payload) throw new Error("Invalid or missing session token");
+
+    const insertedUser: InsertUser = {
+      hidraId: payload.sub!,
+      username: payload.preferred_username as string,
+      firstName: payload.given_name as string,
+      lastName: payload.family_name as string,
+    };
+
+    const { hidraId, ...rest } = insertedUser;
+
+    const [user] = await context.db
+      .insert(users)
+      .values(insertedUser)
+      .onConflictDoUpdate({
+        target: users.hidraId,
+        set: {
+          ...rest,
+          updatedAt: new Date().toISOString(),
+        },
+      })
+      .returning();
+
+    return user;
+  } catch (err) {
+    console.error(err);
+
+    return null;
+  }
+};
+
+const useAuth = () =>
+  useGenericAuth({
+    resolveUserFn: resolveUser,
+    mode: "protect-all",
+  });
+
+export default useAuth;