mirror of
https://github.com/toeverything/AFFiNE.git
synced 2026-07-18 18:46:19 +08:00
feat(core): improve auth handling (#15271)
fix #15270 fix #15260 fix #15257 #### PR Dependency Tree * **PR #15271** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal)
This commit is contained in:
@@ -1612,7 +1612,7 @@
|
||||
},
|
||||
"providers.oidc": {
|
||||
"type": "object",
|
||||
"description": "OIDC OAuth provider config\n@default {\"clientId\":\"\",\"clientSecret\":\"\",\"issuer\":\"\",\"args\":{}}\n@link https://openid.net/specs/openid-connect-core-1_0.html",
|
||||
"description": "OIDC OAuth provider config. Private network access requires allowPrivateNetwork: true\n@default {\"clientId\":\"\",\"clientSecret\":\"\",\"issuer\":\"\",\"allowPrivateNetwork\":false,\"args\":{}}\n@link https://openid.net/specs/openid-connect-core-1_0.html",
|
||||
"properties": {
|
||||
"clientId": {
|
||||
"type": "string"
|
||||
@@ -1622,12 +1622,21 @@
|
||||
},
|
||||
"args": {
|
||||
"type": "object"
|
||||
},
|
||||
"issuer": {
|
||||
"type": "string",
|
||||
"description": "OIDC issuer URL"
|
||||
},
|
||||
"allowPrivateNetwork": {
|
||||
"type": "boolean",
|
||||
"description": "Allow the OIDC issuer origin to resolve to private network addresses"
|
||||
}
|
||||
},
|
||||
"default": {
|
||||
"clientId": "",
|
||||
"clientSecret": "",
|
||||
"issuer": "",
|
||||
"allowPrivateNetwork": false,
|
||||
"args": {}
|
||||
}
|
||||
},
|
||||
|
||||
@@ -6,7 +6,12 @@ import ava, { TestFn } from 'ava';
|
||||
import Sinon from 'sinon';
|
||||
|
||||
import { AppModule } from '../../app.module';
|
||||
import { ConfigFactory, InvalidOauthResponse, URLHelper } from '../../base';
|
||||
import {
|
||||
ConfigFactory,
|
||||
InvalidOauthResponse,
|
||||
type SafeFetchOptions,
|
||||
URLHelper,
|
||||
} from '../../base';
|
||||
import { SessionCache } from '../../base/cache';
|
||||
import { ConfigModule } from '../../base/config';
|
||||
import { CurrentUser } from '../../core/auth';
|
||||
@@ -531,6 +536,7 @@ function createOidcRegistrationHarness(config?: {
|
||||
clientId?: string;
|
||||
clientSecret?: string;
|
||||
issuer?: string;
|
||||
allowPrivateNetwork?: boolean;
|
||||
}) {
|
||||
const server = {
|
||||
enableFeature: Sinon.spy(),
|
||||
@@ -551,6 +557,7 @@ function createOidcRegistrationHarness(config?: {
|
||||
clientId: config?.clientId ?? 'oidc-client-id',
|
||||
clientSecret: config?.clientSecret ?? 'oidc-client-secret',
|
||||
issuer: config?.issuer ?? 'https://issuer.affine.dev',
|
||||
allowPrivateNetwork: config?.allowPrivateNetwork ?? false,
|
||||
args: {},
|
||||
},
|
||||
},
|
||||
@@ -565,6 +572,12 @@ function createOidcRegistrationHarness(config?: {
|
||||
provider,
|
||||
factory,
|
||||
server,
|
||||
fetchOptions: (url: string) =>
|
||||
(
|
||||
provider as unknown as {
|
||||
fetchOptions(url: string): SafeFetchOptions;
|
||||
}
|
||||
).fetchOptions(url),
|
||||
};
|
||||
}
|
||||
|
||||
@@ -940,7 +953,16 @@ test('oidc should not fall back to default email claim when custom claim is conf
|
||||
});
|
||||
|
||||
test('oidc discovery should remove oauth feature on failure and restore it after backoff retry succeeds', async t => {
|
||||
const { provider, factory, server } = createOidcRegistrationHarness();
|
||||
const issuer = 'https://auth.internal/application/o/affine/';
|
||||
const { fetchOptions: defaultFetchOptions } = createOidcRegistrationHarness({
|
||||
issuer,
|
||||
});
|
||||
t.falsy(defaultFetchOptions(issuer).allowPrivateTargetOrigin);
|
||||
|
||||
const { provider, factory, server } = createOidcRegistrationHarness({
|
||||
issuer,
|
||||
allowPrivateNetwork: true,
|
||||
});
|
||||
const fetchStub = Sinon.stub(provider as any, 'oidcFetch');
|
||||
const scheduledRetries: Array<() => void> = [];
|
||||
const retryDelays: number[] = [];
|
||||
@@ -967,11 +989,11 @@ test('oidc discovery should remove oauth feature on failure and restore it after
|
||||
.resolves(
|
||||
new Response(
|
||||
JSON.stringify({
|
||||
authorization_endpoint: 'https://issuer.affine.dev/auth',
|
||||
token_endpoint: 'https://issuer.affine.dev/token',
|
||||
userinfo_endpoint: 'https://issuer.affine.dev/userinfo',
|
||||
issuer: 'https://issuer.affine.dev',
|
||||
jwks_uri: 'https://issuer.affine.dev/jwks',
|
||||
authorization_endpoint: `${issuer}authorize`,
|
||||
token_endpoint: `${issuer}token`,
|
||||
userinfo_endpoint: `${issuer}userinfo`,
|
||||
issuer,
|
||||
jwks_uri: `${issuer}jwks`,
|
||||
}),
|
||||
{
|
||||
status: 200,
|
||||
@@ -986,6 +1008,11 @@ test('oidc discovery should remove oauth feature on failure and restore it after
|
||||
t.deepEqual(factory.providers, []);
|
||||
t.true(server.disableFeature.calledWith(ServerFeature.OAuth));
|
||||
t.is(fetchStub.callCount, 1);
|
||||
t.is(
|
||||
fetchStub.firstCall.args[0],
|
||||
`${issuer.replace(/\/+$/, '')}/.well-known/openid-configuration`
|
||||
);
|
||||
t.true(fetchStub.firstCall.args[2].allowPrivateTargetOrigin);
|
||||
t.deepEqual(retryDelays, [1000]);
|
||||
|
||||
const firstRetry = scheduledRetries.shift();
|
||||
|
||||
@@ -280,12 +280,24 @@ export const USER_FRIENDLY_ERRORS = {
|
||||
args: { reason: 'string' },
|
||||
message: ({ reason }) => {
|
||||
switch (reason) {
|
||||
case 'invalid_url':
|
||||
return 'Invalid URL';
|
||||
case 'disallowed_protocol':
|
||||
return 'URL protocol is not allowed';
|
||||
case 'url_has_credentials':
|
||||
return 'URL must not contain credentials';
|
||||
case 'blocked_hostname':
|
||||
return 'URL hostname is not allowed';
|
||||
case 'host_not_allowed':
|
||||
return 'URL hostname is outside the allowed hosts';
|
||||
case 'unresolvable_hostname':
|
||||
return 'Failed to resolve hostname';
|
||||
case 'blocked_ip':
|
||||
return 'URL resolves to a private or reserved IP address';
|
||||
case 'too_many_redirects':
|
||||
return 'Too many redirects';
|
||||
default:
|
||||
return 'Invalid URL';
|
||||
return `URL blocked by SSRF protection: ${reason}`;
|
||||
}
|
||||
},
|
||||
},
|
||||
|
||||
@@ -18,6 +18,7 @@ export type OIDCArgs = {
|
||||
|
||||
export interface OAuthOIDCProviderConfig extends OAuthProviderConfig {
|
||||
issuer: string;
|
||||
allowPrivateNetwork?: boolean;
|
||||
args?: OIDCArgs;
|
||||
}
|
||||
|
||||
@@ -49,6 +50,22 @@ const schema: JSONSchema = {
|
||||
},
|
||||
};
|
||||
|
||||
const oidcSchema: JSONSchema = {
|
||||
type: 'object',
|
||||
properties: {
|
||||
...schema.properties,
|
||||
issuer: {
|
||||
type: 'string',
|
||||
description: 'OIDC issuer URL',
|
||||
},
|
||||
allowPrivateNetwork: {
|
||||
type: 'boolean',
|
||||
description:
|
||||
'Allow the OIDC issuer origin to resolve to private network addresses',
|
||||
},
|
||||
},
|
||||
};
|
||||
|
||||
defineModuleConfig('oauth', {
|
||||
'providers.google': {
|
||||
desc: 'Google OAuth provider config',
|
||||
@@ -69,14 +86,15 @@ defineModuleConfig('oauth', {
|
||||
link: 'https://docs.github.com/en/apps/oauth-apps',
|
||||
},
|
||||
'providers.oidc': {
|
||||
desc: 'OIDC OAuth provider config',
|
||||
desc: 'OIDC OAuth provider config. Private network access requires allowPrivateNetwork: true',
|
||||
default: {
|
||||
clientId: '',
|
||||
clientSecret: '',
|
||||
issuer: '',
|
||||
allowPrivateNetwork: false,
|
||||
args: {},
|
||||
},
|
||||
schema,
|
||||
schema: oidcSchema,
|
||||
link: 'https://openid.net/specs/openid-connect-core-1_0.html',
|
||||
shape: z.object({
|
||||
issuer: z
|
||||
@@ -84,6 +102,7 @@ defineModuleConfig('oauth', {
|
||||
.url()
|
||||
.regex(/^https?:\/\//, 'issuer must be a valid URL')
|
||||
.or(z.string().length(0)),
|
||||
allowPrivateNetwork: z.boolean().optional(),
|
||||
args: z.object({
|
||||
scope: z.string().optional(),
|
||||
claim_id: z.string().optional(),
|
||||
|
||||
@@ -6,6 +6,7 @@ import {
|
||||
InvalidOauthResponse,
|
||||
OnEvent,
|
||||
safeFetch,
|
||||
type SafeFetchOptions,
|
||||
} from '../../../base';
|
||||
import { OAuthProviderName } from '../config';
|
||||
import { OAuthProviderFactory } from '../factory';
|
||||
@@ -79,6 +80,15 @@ export abstract class OAuthProvider {
|
||||
return false;
|
||||
}
|
||||
|
||||
protected fetchOptions(_url: string | URL): SafeFetchOptions {
|
||||
return {
|
||||
timeoutMs: 10_000,
|
||||
maxRedirects: 3,
|
||||
maxBytes: 1024 * 1024,
|
||||
allowedHeaders: ['authorization', 'content-type', 'accept'],
|
||||
};
|
||||
}
|
||||
|
||||
protected async fetchJson<T>(
|
||||
url: string,
|
||||
init?: RequestInit,
|
||||
@@ -87,12 +97,7 @@ export abstract class OAuthProvider {
|
||||
const response = await safeFetch(
|
||||
url,
|
||||
{ ...init, headers: { ...init?.headers, Accept: 'application/json' } },
|
||||
{
|
||||
timeoutMs: 10_000,
|
||||
maxRedirects: 3,
|
||||
maxBytes: 1024 * 1024,
|
||||
allowedHeaders: ['authorization', 'content-type', 'accept'],
|
||||
}
|
||||
this.fetchOptions(url)
|
||||
);
|
||||
|
||||
const body = await response.text();
|
||||
|
||||
@@ -13,6 +13,8 @@ import {
|
||||
InvalidAuthState,
|
||||
InvalidOauthResponse,
|
||||
safeFetch,
|
||||
type SafeFetchOptions,
|
||||
SsrfBlockedError,
|
||||
URLHelper,
|
||||
} from '../../../base';
|
||||
import { OAuthOIDCProviderConfig, OAuthProviderName } from '../config';
|
||||
@@ -65,13 +67,6 @@ type OIDCConfiguration = z.infer<typeof OIDCConfigurationSchema>;
|
||||
|
||||
const OIDC_DISCOVERY_INITIAL_RETRY_DELAY = 1000;
|
||||
const OIDC_DISCOVERY_MAX_RETRY_DELAY = 60_000;
|
||||
const OIDC_FETCH_OPTIONS = {
|
||||
timeoutMs: 10_000,
|
||||
maxRedirects: 3,
|
||||
maxBytes: 1024 * 1024,
|
||||
allowedHeaders: ['accept'],
|
||||
};
|
||||
|
||||
@Injectable()
|
||||
export class OIDCProvider extends OAuthProvider implements OnModuleDestroy {
|
||||
override provider = OAuthProviderName.OIDC;
|
||||
@@ -96,6 +91,24 @@ export class OIDCProvider extends OAuthProvider implements OnModuleDestroy {
|
||||
return true;
|
||||
}
|
||||
|
||||
protected override fetchOptions(rawUrl: string | URL): SafeFetchOptions {
|
||||
const options = super.fetchOptions(rawUrl);
|
||||
const config = this.config as OAuthOIDCProviderConfig;
|
||||
if (!config.allowPrivateNetwork) {
|
||||
return options;
|
||||
}
|
||||
try {
|
||||
const issuer = new URL(config.issuer);
|
||||
const target = new URL(rawUrl);
|
||||
if (target.origin === issuer.origin) {
|
||||
return { ...options, allowPrivateTargetOrigin: true };
|
||||
}
|
||||
} catch {
|
||||
return options;
|
||||
}
|
||||
return options;
|
||||
}
|
||||
|
||||
private get endpoints() {
|
||||
if (!this.#endpoints) {
|
||||
throw new Error('OIDC provider is not configured');
|
||||
@@ -145,10 +158,11 @@ export class OIDCProvider extends OAuthProvider implements OnModuleDestroy {
|
||||
}
|
||||
|
||||
try {
|
||||
const discoveryUrl = `${this.normalizeIssuer(config.issuer)}/.well-known/openid-configuration`;
|
||||
const res = await this.oidcFetch(
|
||||
`${config.issuer}/.well-known/openid-configuration`,
|
||||
discoveryUrl,
|
||||
{ method: 'GET', headers: { Accept: 'application/json' } },
|
||||
OIDC_FETCH_OPTIONS
|
||||
this.fetchOptions(discoveryUrl)
|
||||
);
|
||||
|
||||
if (generation !== this.#validationGeneration) {
|
||||
@@ -176,7 +190,7 @@ export class OIDCProvider extends OAuthProvider implements OnModuleDestroy {
|
||||
this.#endpoints = configuration;
|
||||
this.#jwks = createRemoteJWKSet(new URL(configuration.jwks_uri), {
|
||||
[customFetch]: (url, init) =>
|
||||
this.oidcFetch(url, init, OIDC_FETCH_OPTIONS),
|
||||
this.oidcFetch(url, init, this.fetchOptions(url)),
|
||||
});
|
||||
this.#retryScheduler.reset();
|
||||
super.setup();
|
||||
@@ -184,7 +198,14 @@ export class OIDCProvider extends OAuthProvider implements OnModuleDestroy {
|
||||
if (generation !== this.#validationGeneration) {
|
||||
return;
|
||||
}
|
||||
this.logger.error('Failed to validate OIDC configuration', e);
|
||||
const reason = e instanceof SsrfBlockedError ? e.data?.reason : undefined;
|
||||
const message =
|
||||
reason === 'blocked_ip' && !config.allowPrivateNetwork
|
||||
? 'Failed to validate OIDC configuration: issuer resolves to a private network address; set oauth.providers.oidc.allowPrivateNetwork to true to trust this origin'
|
||||
: reason
|
||||
? `Failed to validate OIDC configuration: ${reason}`
|
||||
: 'Failed to validate OIDC configuration';
|
||||
this.logger.error(message, e);
|
||||
this.onValidationFailure(generation);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -482,7 +482,7 @@
|
||||
},
|
||||
"providers.oidc": {
|
||||
"type": "Object",
|
||||
"desc": "OIDC OAuth provider config",
|
||||
"desc": "OIDC OAuth provider config. Private network access requires allowPrivateNetwork: true",
|
||||
"link": "https://openid.net/specs/openid-connect-core-1_0.html"
|
||||
},
|
||||
"providers.apple": {
|
||||
|
||||
+19
-6
@@ -56,7 +56,20 @@ private data class TokenPair(
|
||||
val json: String,
|
||||
)
|
||||
|
||||
private class AuthServerException(val code: String?, val status: Int) : Exception(code)
|
||||
private class AuthServerException(
|
||||
val code: String?,
|
||||
val status: Int,
|
||||
override val message: String,
|
||||
) : Exception(message)
|
||||
|
||||
private fun authServerException(status: Int, text: String): AuthServerException {
|
||||
val body = runCatching { JSONObject(text) }.getOrNull()
|
||||
val code = body?.optString("code")?.takeIf { it.isNotEmpty() }
|
||||
?: body?.optString("name")?.takeIf { it.isNotEmpty() }
|
||||
val message = body?.optString("message")?.takeIf { it.isNotEmpty() }
|
||||
?: "Authentication request failed with status $status"
|
||||
return AuthServerException(code, status, message)
|
||||
}
|
||||
|
||||
private val permanentAuthErrors = setOf(
|
||||
"ACCESS_TOKEN_INVALID", "AUTH_SESSION_EXPIRED", "AUTH_SESSION_REVOKED",
|
||||
@@ -183,8 +196,7 @@ internal class AuthSessionBroker(
|
||||
AuthHttp.client.newCall(request).executeAsync().use { response ->
|
||||
val text = response.body.string()
|
||||
if (response.code < 400) return text
|
||||
val code = runCatching { JSONObject(text).optString("code").ifEmpty { null } }.getOrNull()
|
||||
val error = AuthServerException(code, response.code)
|
||||
val error = authServerException(response.code, text)
|
||||
if (response.code < 500 || attempt == 2) throw error
|
||||
last = error
|
||||
}
|
||||
@@ -338,7 +350,7 @@ class AuthPlugin : Plugin() {
|
||||
.build()
|
||||
val exchangeCode = AuthHttp.client.newCall(request).executeAsync().use { response ->
|
||||
val text = response.body.string()
|
||||
if (response.code >= 400) throw IllegalStateException(text)
|
||||
if (response.code >= 400) throw authServerException(response.code, text)
|
||||
JSONObject(text).getString("exchangeCode")
|
||||
}
|
||||
val exchangeBody = JSONObject()
|
||||
@@ -353,7 +365,7 @@ class AuthPlugin : Plugin() {
|
||||
.build()
|
||||
val tokenResponse = AuthHttp.client.newCall(exchangeRequest).executeAsync().use { response ->
|
||||
val text = response.body.string()
|
||||
if (response.code >= 400) throw IllegalStateException(text)
|
||||
if (response.code >= 400) throw authServerException(response.code, text)
|
||||
text
|
||||
}
|
||||
broker.store(endpoint, tokenResponse)
|
||||
@@ -385,7 +397,8 @@ class AuthPlugin : Plugin() {
|
||||
?: "AUTH_SESSION_TEMPORARILY_UNAVAILABLE"
|
||||
else -> "AUTH_SESSION_TEMPORARILY_UNAVAILABLE"
|
||||
}
|
||||
call.reject("Auth operation failed", code, error)
|
||||
val message = if (error is AuthServerException) error.message else "Auth operation failed"
|
||||
call.reject(message, code, error)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -8,9 +8,10 @@ import {
|
||||
type AuthTokenResponse,
|
||||
classifyAuthError,
|
||||
} from '@affine/auth';
|
||||
import { app, net, safeStorage } from 'electron';
|
||||
import { app, safeStorage } from 'electron';
|
||||
|
||||
import { logger } from '../logger';
|
||||
import { authFetch } from './transport';
|
||||
|
||||
const FILEPATH = path.join(app.getPath('userData'), 'auth-sessions.json');
|
||||
const TEMP_FILEPATH = `${FILEPATH}.tmp`;
|
||||
@@ -105,7 +106,7 @@ function storage(endpoint: string) {
|
||||
}
|
||||
|
||||
async function refresh(endpoint: string, refreshToken: string) {
|
||||
const response = await net.fetch(
|
||||
const response = await authFetch(
|
||||
new URL('/api/auth/session/refresh', endpoint).toString(),
|
||||
{
|
||||
method: 'POST',
|
||||
@@ -192,7 +193,7 @@ export async function revokeAuthSession(endpoint: string) {
|
||||
await getAuthSessionBroker(normalized).revoke(
|
||||
'sign-out',
|
||||
async (refreshToken: string) => {
|
||||
const response = await net.fetch(
|
||||
const response = await authFetch(
|
||||
new URL('/api/auth/session/revoke', normalized).toString(),
|
||||
{
|
||||
method: 'POST',
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
import os from 'node:os';
|
||||
|
||||
import type { AuthTokenResponse } from '@affine/auth';
|
||||
import { net, session } from 'electron';
|
||||
import { session } from 'electron';
|
||||
|
||||
import { logger } from '../logger';
|
||||
import type { NamespaceHandlers } from '../type';
|
||||
@@ -12,6 +12,7 @@ import {
|
||||
revokeAuthSession,
|
||||
setAuthSession,
|
||||
} from './auth-session';
|
||||
import { authFetch, getAuthTransportSession } from './transport';
|
||||
|
||||
export interface SignInResponse {
|
||||
id?: string;
|
||||
@@ -47,14 +48,21 @@ function authUrl(endpoint: string, path: string) {
|
||||
async function readJson<T>(response: Response): Promise<T> {
|
||||
const text = await response.text();
|
||||
if (!response.ok) {
|
||||
throw new Error(text || response.statusText);
|
||||
let message = text || response.statusText;
|
||||
try {
|
||||
const error = JSON.parse(text);
|
||||
if (typeof error.message === 'string') {
|
||||
message = error.message;
|
||||
}
|
||||
} catch {}
|
||||
throw new Error(message);
|
||||
}
|
||||
|
||||
return text ? JSON.parse(text) : ({} as T);
|
||||
}
|
||||
|
||||
async function fetchAuth(endpoint: string, path: string, body?: unknown) {
|
||||
return await net.fetch(authUrl(endpoint, path), {
|
||||
return await authFetch(authUrl(endpoint, path), {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'content-type': 'application/json',
|
||||
@@ -66,18 +74,21 @@ async function fetchAuth(endpoint: string, path: string, body?: unknown) {
|
||||
}
|
||||
|
||||
async function clearAuthCookies(endpoint: string) {
|
||||
const sessions = [session.defaultSession, getAuthTransportSession()];
|
||||
await Promise.all(
|
||||
authCookieNames.map(name =>
|
||||
session.defaultSession.cookies
|
||||
.remove(endpoint, name)
|
||||
.catch(error =>
|
||||
logger.debug(
|
||||
'failed to clear native auth cookie',
|
||||
endpoint,
|
||||
name,
|
||||
error
|
||||
sessions.flatMap(authSession =>
|
||||
authCookieNames.map(name =>
|
||||
authSession.cookies
|
||||
.remove(endpoint, name)
|
||||
.catch(error =>
|
||||
logger.debug(
|
||||
'failed to clear native auth cookie',
|
||||
endpoint,
|
||||
name,
|
||||
error
|
||||
)
|
||||
)
|
||||
)
|
||||
)
|
||||
)
|
||||
);
|
||||
}
|
||||
@@ -148,7 +159,7 @@ export const authHandlers = {
|
||||
challenge?: string;
|
||||
}
|
||||
) => {
|
||||
const response = await net.fetch(authUrl(endpoint, '/api/auth/sign-in'), {
|
||||
const response = await authFetch(authUrl(endpoint, '/api/auth/sign-in'), {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'content-type': 'application/json',
|
||||
|
||||
@@ -0,0 +1,11 @@
|
||||
import { session } from 'electron';
|
||||
|
||||
const AUTH_TRANSPORT_PARTITION = 'affine-auth-transport';
|
||||
|
||||
export function getAuthTransportSession() {
|
||||
return session.fromPartition(AUTH_TRANSPORT_PARTITION, { cache: false });
|
||||
}
|
||||
|
||||
export function authFetch(input: string | Request, init?: RequestInit) {
|
||||
return getAuthTransportSession().fetch(input, init);
|
||||
}
|
||||
@@ -18,6 +18,36 @@ if (isDev) {
|
||||
protocol = 'affine-dev';
|
||||
}
|
||||
|
||||
const authMethods = new Set(['magic-link', 'oauth', 'open-app-signin']);
|
||||
|
||||
function summarizeDeepLink(rawUrl: string) {
|
||||
try {
|
||||
const url = new URL(rawUrl);
|
||||
const method = url.searchParams.get('method');
|
||||
const server = url.searchParams.get('server');
|
||||
let serverOrigin: string | undefined;
|
||||
try {
|
||||
serverOrigin = server ? new URL(server).origin : undefined;
|
||||
} catch {
|
||||
serverOrigin = undefined;
|
||||
}
|
||||
return {
|
||||
protocol: url.protocol,
|
||||
action: url.hostname,
|
||||
method: method && authMethods.has(method) ? method : undefined,
|
||||
serverOrigin,
|
||||
};
|
||||
} catch {
|
||||
return { valid: false };
|
||||
}
|
||||
}
|
||||
|
||||
function logDeepLinkFailure(rawUrl: string, error: unknown) {
|
||||
logger.error('failed to handle affine url', summarizeDeepLink(rawUrl), {
|
||||
error: error instanceof Error ? error.name : typeof error,
|
||||
});
|
||||
}
|
||||
|
||||
export function setupDeepLink(app: App) {
|
||||
if (process.defaultApp) {
|
||||
if (process.argv.length >= 2) {
|
||||
@@ -30,14 +60,14 @@ export function setupDeepLink(app: App) {
|
||||
}
|
||||
|
||||
app.on('open-url', (event, url) => {
|
||||
logger.log('open-url', url);
|
||||
logger.log('open-url', summarizeDeepLink(url));
|
||||
if (url.startsWith(`${protocol}://`)) {
|
||||
event.preventDefault();
|
||||
app
|
||||
.whenReady()
|
||||
.then(() => handleAffineUrl(url))
|
||||
.catch(e => {
|
||||
logger.error('failed to handle affine url', e);
|
||||
logDeepLinkFailure(url, e);
|
||||
});
|
||||
}
|
||||
});
|
||||
@@ -55,7 +85,7 @@ export function setupDeepLink(app: App) {
|
||||
if (url?.startsWith(`${protocol}://`)) {
|
||||
event.preventDefault();
|
||||
handleAffineUrl(url).catch(e => {
|
||||
logger.error('failed to handle affine url', e);
|
||||
logDeepLinkFailure(url, e);
|
||||
});
|
||||
}
|
||||
})
|
||||
@@ -66,10 +96,15 @@ export function setupDeepLink(app: App) {
|
||||
// app may be brought up without having a running instance
|
||||
// need to read the url from the command line
|
||||
const url = process.argv.at(-1);
|
||||
logger.log('url from argv', process.argv, url);
|
||||
logger.log(
|
||||
'url from argv',
|
||||
url?.startsWith(`${protocol}://`)
|
||||
? summarizeDeepLink(url)
|
||||
: { deepLink: false, argumentCount: process.argv.length }
|
||||
);
|
||||
if (url?.startsWith(`${protocol}://`)) {
|
||||
handleAffineUrl(url).catch(e => {
|
||||
logger.error('failed to handle affine url', e);
|
||||
logDeepLinkFailure(url, e);
|
||||
});
|
||||
}
|
||||
});
|
||||
@@ -78,7 +113,7 @@ export function setupDeepLink(app: App) {
|
||||
async function handleAffineUrl(url: string) {
|
||||
await showMainWindow();
|
||||
|
||||
logger.info('open affine url', url);
|
||||
logger.info('open affine url', summarizeDeepLink(url));
|
||||
const urlObj = new URL(url);
|
||||
|
||||
if (urlObj.hostname === 'authentication') {
|
||||
@@ -93,7 +128,7 @@ async function handleAffineUrl(url: string) {
|
||||
method !== 'open-app-signin') ||
|
||||
!payload
|
||||
) {
|
||||
logger.error('Invalid authentication url', url);
|
||||
logger.error('Invalid authentication url', summarizeDeepLink(url));
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
@@ -99,7 +99,7 @@ export const registerHandlers = () => {
|
||||
return await handleIpcMessage(e, ...args);
|
||||
} catch (error) {
|
||||
logger.error(`error in ipc handler when calling ${args[0]}`, error);
|
||||
return null;
|
||||
throw error;
|
||||
}
|
||||
});
|
||||
|
||||
|
||||
@@ -11,6 +11,7 @@ const runtime = vi.hoisted(() => ({
|
||||
failWrite: false,
|
||||
files: new Map<string, string>(),
|
||||
fetch: vi.fn(),
|
||||
fromPartition: vi.fn(),
|
||||
rename: vi.fn(),
|
||||
}));
|
||||
|
||||
@@ -41,7 +42,12 @@ vi.mock('node:fs/promises', () => ({
|
||||
|
||||
vi.mock('electron', () => ({
|
||||
app: { getPath: () => '/test-user-data' },
|
||||
net: { fetch: runtime.fetch },
|
||||
session: {
|
||||
fromPartition: (...args: unknown[]) => {
|
||||
runtime.fromPartition(...args);
|
||||
return { fetch: runtime.fetch };
|
||||
},
|
||||
},
|
||||
safeStorage: {
|
||||
isEncryptionAvailable: () => runtime.encryptionAvailable,
|
||||
getSelectedStorageBackend: () => runtime.backend,
|
||||
@@ -68,6 +74,7 @@ beforeEach(() => {
|
||||
runtime.backend = 'unknown';
|
||||
runtime.failWrite = false;
|
||||
runtime.fetch.mockReset();
|
||||
runtime.fromPartition.mockClear();
|
||||
runtime.rename.mockClear();
|
||||
});
|
||||
|
||||
@@ -138,6 +145,9 @@ test('shares one refresh across concurrent main-process callers', async () => {
|
||||
|
||||
expect(tokens.every(token => token === 'fresh')).toBe(true);
|
||||
expect(runtime.fetch).toHaveBeenCalledTimes(1);
|
||||
expect(runtime.fromPartition).toHaveBeenCalledWith('affine-auth-transport', {
|
||||
cache: false,
|
||||
});
|
||||
});
|
||||
|
||||
test('preserves credentials for unknown refresh errors', async () => {
|
||||
|
||||
@@ -29,11 +29,16 @@ private struct StoredAuthTokenPair: Codable {
|
||||
|
||||
private struct AuthErrorResponse: Decodable {
|
||||
let code: String?
|
||||
let name: String?
|
||||
let message: String?
|
||||
}
|
||||
|
||||
private struct AuthServerError: Error {
|
||||
private struct AuthServerError: Error, CustomStringConvertible {
|
||||
let code: String?
|
||||
let statusCode: Int
|
||||
let message: String
|
||||
|
||||
var description: String { message }
|
||||
|
||||
var permanentlyInvalidatesSession: Bool {
|
||||
switch code {
|
||||
@@ -46,6 +51,14 @@ private struct AuthServerError: Error {
|
||||
}
|
||||
}
|
||||
|
||||
private func authServerError(_ data: Data, statusCode: Int) -> AuthServerError {
|
||||
let response = try? JSONDecoder().decode(AuthErrorResponse.self, from: data)
|
||||
return AuthServerError(
|
||||
code: response?.code ?? response?.name,
|
||||
statusCode: statusCode,
|
||||
message: response?.message ?? "Authentication request failed with status \(statusCode)")
|
||||
}
|
||||
|
||||
private struct AuthOperationCancelled: Error {}
|
||||
|
||||
private struct AuthRefreshOperation {
|
||||
@@ -63,7 +76,8 @@ private actor AuthSessionBroker {
|
||||
try write(endpoint, tokenPair(response))
|
||||
}
|
||||
|
||||
func validAccessToken(_ endpoint: String, minValidity: TimeInterval = 120) async throws -> String? {
|
||||
func validAccessToken(_ endpoint: String, minValidity: TimeInterval = 120) async throws -> String?
|
||||
{
|
||||
guard let pair = try read(endpoint) else { return nil }
|
||||
if pair.accessExpiresAt.timeIntervalSinceNow > minValidity {
|
||||
return pair.accessToken
|
||||
@@ -149,7 +163,9 @@ private actor AuthSessionBroker {
|
||||
session: response.session)
|
||||
}
|
||||
|
||||
private func request(_ endpoint: String, action: String, body: [String: String]) async throws -> Data {
|
||||
private func request(_ endpoint: String, action: String, body: [String: String]) async throws
|
||||
-> Data
|
||||
{
|
||||
guard let url = URL(string: "\(canonicalEndpoint(endpoint))\(action)") else {
|
||||
throw AuthError.invalidEndpoint
|
||||
}
|
||||
@@ -168,9 +184,7 @@ private actor AuthSessionBroker {
|
||||
throw AuthError.internalError
|
||||
}
|
||||
if response.statusCode < 400 { return data }
|
||||
let error = AuthServerError(
|
||||
code: try? JSONDecoder().decode(AuthErrorResponse.self, from: data).code,
|
||||
statusCode: response.statusCode)
|
||||
let error = authServerError(data, statusCode: response.statusCode)
|
||||
guard response.statusCode >= 500, attempt < 2 else { throw error }
|
||||
} catch let error as AuthServerError {
|
||||
if error.statusCode < 500 || attempt == 2 { throw error }
|
||||
@@ -336,12 +350,7 @@ public class AuthPlugin: CAPPlugin, CAPBridgedPlugin {
|
||||
], body: ["email": email, "token": token, "client_nonce": clientNonce])
|
||||
|
||||
if response.statusCode >= 400 {
|
||||
if let textBody = String(data: data, encoding: .utf8) {
|
||||
call.reject(textBody)
|
||||
} else {
|
||||
call.reject("Failed to sign in")
|
||||
}
|
||||
return
|
||||
throw authServerError(data, statusCode: response.statusCode)
|
||||
}
|
||||
|
||||
try await self.exchangeSession(endpoint, data)
|
||||
@@ -367,12 +376,7 @@ public class AuthPlugin: CAPPlugin, CAPBridgedPlugin {
|
||||
], body: ["code": code, "state": state, "client_nonce": clientNonce])
|
||||
|
||||
if response.statusCode >= 400 {
|
||||
if let textBody = String(data: data, encoding: .utf8) {
|
||||
call.reject(textBody)
|
||||
} else {
|
||||
call.reject("Failed to sign in")
|
||||
}
|
||||
return
|
||||
throw authServerError(data, statusCode: response.statusCode)
|
||||
}
|
||||
|
||||
try await self.exchangeSession(endpoint, data)
|
||||
@@ -398,16 +402,12 @@ public class AuthPlugin: CAPPlugin, CAPBridgedPlugin {
|
||||
"x-affine-client-kind": "native",
|
||||
"x-captcha-token": verifyToken,
|
||||
"x-captcha-challenge": challenge,
|
||||
"x-captcha-provider": verifyToken == nil ? nil : (challenge == nil ? "turnstile" : "hashcash"),
|
||||
"x-captcha-provider": verifyToken == nil
|
||||
? nil : (challenge == nil ? "turnstile" : "hashcash"),
|
||||
], body: ["email": email, "password": password])
|
||||
|
||||
if response.statusCode >= 400 {
|
||||
if let textBody = String(data: data, encoding: .utf8) {
|
||||
call.reject(textBody)
|
||||
} else {
|
||||
call.reject("Failed to sign in")
|
||||
}
|
||||
return
|
||||
throw authServerError(data, statusCode: response.statusCode)
|
||||
}
|
||||
|
||||
try await self.exchangeSession(endpoint, data)
|
||||
@@ -431,12 +431,7 @@ public class AuthPlugin: CAPPlugin, CAPBridgedPlugin {
|
||||
], body: ["code": code])
|
||||
|
||||
if response.statusCode >= 400 {
|
||||
if let textBody = String(data: data, encoding: .utf8) {
|
||||
call.reject(textBody)
|
||||
} else {
|
||||
call.reject("Failed to sign in")
|
||||
}
|
||||
return
|
||||
throw authServerError(data, statusCode: response.statusCode)
|
||||
}
|
||||
|
||||
try await self.exchangeSession(endpoint, data)
|
||||
@@ -476,7 +471,8 @@ public class AuthPlugin: CAPPlugin, CAPBridgedPlugin {
|
||||
endpoint, method: "POST", action: "/api/auth/session/exchange",
|
||||
headers: [
|
||||
"x-affine-client-kind": "native"
|
||||
], body: [
|
||||
],
|
||||
body: [
|
||||
"code": code,
|
||||
"installationId": self.installationId(),
|
||||
"platform": "ios",
|
||||
@@ -484,10 +480,11 @@ public class AuthPlugin: CAPPlugin, CAPBridgedPlugin {
|
||||
])
|
||||
|
||||
if response.statusCode >= 400 {
|
||||
throw AuthError.exchangeFailed
|
||||
throw authServerError(data, statusCode: response.statusCode)
|
||||
}
|
||||
|
||||
try await broker.store(endpoint, response: JSONDecoder().decode(AuthTokenResponse.self, from: data))
|
||||
try await broker.store(
|
||||
endpoint, response: JSONDecoder().decode(AuthTokenResponse.self, from: data))
|
||||
self.clearAuthCookies(endpoint)
|
||||
}
|
||||
|
||||
@@ -506,7 +503,8 @@ public class AuthPlugin: CAPPlugin, CAPBridgedPlugin {
|
||||
let normalizedHost = host.lowercased()
|
||||
|
||||
HTTPCookieStorage.shared.cookies?.forEach { cookie in
|
||||
let domain = cookie.domain.lowercased().trimmingCharacters(in: CharacterSet(charactersIn: "."))
|
||||
let domain = cookie.domain.lowercased().trimmingCharacters(
|
||||
in: CharacterSet(charactersIn: "."))
|
||||
let domainMatches = normalizedHost == domain || normalizedHost.hasSuffix(".\(domain)")
|
||||
if domainMatches && authCookieNames.contains(cookie.name) {
|
||||
HTTPCookieStorage.shared.deleteCookie(cookie)
|
||||
|
||||
@@ -9312,9 +9312,11 @@ export function useAFFiNEI18N(): {
|
||||
readonly message: string;
|
||||
}): string;
|
||||
/**
|
||||
* `Invalid URL`
|
||||
* `URL blocked by SSRF protection: {{reason}}`
|
||||
*/
|
||||
["error.SSRF_BLOCKED_ERROR"](): string;
|
||||
["error.SSRF_BLOCKED_ERROR"](options: {
|
||||
readonly reason: string;
|
||||
}): string;
|
||||
/**
|
||||
* `Response too large ({{receivedBytes}} bytes), limit is {{limitBytes}} bytes`
|
||||
*/
|
||||
|
||||
@@ -2325,7 +2325,7 @@
|
||||
"error.BAD_REQUEST": "Bad request.",
|
||||
"error.GRAPHQL_BAD_REQUEST": "GraphQL bad request, code: {{code}}, {{message}}",
|
||||
"error.HTTP_REQUEST_ERROR": "HTTP request error, message: {{message}}",
|
||||
"error.SSRF_BLOCKED_ERROR": "Invalid URL",
|
||||
"error.SSRF_BLOCKED_ERROR": "URL blocked by SSRF protection: {{reason}}",
|
||||
"error.RESPONSE_TOO_LARGE_ERROR": "Response too large ({{receivedBytes}} bytes), limit is {{limitBytes}} bytes",
|
||||
"error.EMAIL_SERVICE_NOT_CONFIGURED": "Email service is not configured.",
|
||||
"error.IMAGE_FORMAT_NOT_SUPPORTED": "Image format not supported: {{format}}",
|
||||
|
||||
Reference in New Issue
Block a user