feat(identities): callback exchanges code and upserts identity

Author: Ripwords

apps/dashboard/server/api/me/identities/github/callback.get.ts

@@ -0,0 +1,59 @@
+import { defineEventHandler, createError, getQuery, sendRedirect } from "h3"
+import { verifyIdentityState } from "../../../../lib/identity-oauth-state"
+import { upsertGithubIdentity } from "../../../../lib/github-identities"
+import { getGithubAppCredentials } from "../../../../lib/github-app-credentials"
+import {
+  exchangeGithubCodeDefault,
+  fetchGithubUserDefault,
+  __getOauthOverride,
+} from "../../../../lib/github-oauth-link"
+import { requireSession } from "../../../../lib/permissions"
+
+export default defineEventHandler(async (event) => {
+  const session = await requireSession(event)
+  const query = getQuery(event)
+  const code = typeof query.code === "string" ? query.code : null
+  const state = typeof query.state === "string" ? query.state : null
+  if (!code || !state) {
+    throw createError({ statusCode: 400, statusMessage: "Missing code/state" })
+  }
+
+  const authSecret = process.env.BETTER_AUTH_SECRET
+  if (!authSecret) throw createError({ statusCode: 500, statusMessage: "Missing auth secret" })
+
+  let stateClaim: { userId: string }
+  try {
+    stateClaim = verifyIdentityState({ state, secret: authSecret })
+  } catch {
+    throw createError({ statusCode: 400, statusMessage: "Invalid or expired state" })
+  }
+  if (stateClaim.userId !== session.userId) {
+    throw createError({ statusCode: 403, statusMessage: "State does not match session" })
+  }
+
+  const creds = await getGithubAppCredentials()
+  if (!creds?.clientId || !creds.clientSecret) {
+    throw createError({ statusCode: 400, statusMessage: "GitHub App is not configured" })
+  }
+
+  const override = __getOauthOverride()
+  const deps = override ?? { clientId: creds.clientId, clientSecret: creds.clientSecret }
+
+  const token = await exchangeGithubCodeDefault(deps, code)
+  const ghUser = await fetchGithubUserDefault(deps, token)
+
+  try {
+    await upsertGithubIdentity(session.userId, {
+      externalId: String(ghUser.id),
+      externalHandle: ghUser.login,
+      externalAvatarUrl: ghUser.avatar_url,
+      externalName: ghUser.name,
+      externalEmail: ghUser.email,
+    })
+  } catch (e) {
+    const message = e instanceof Error ? e.message : "Link failed"
+    return sendRedirect(event, `/settings/identities?error=${encodeURIComponent(message)}`)
+  }
+
+  return sendRedirect(event, "/settings/identities?linked=github")
+})

apps/dashboard/server/lib/github-oauth-link.ts

@@ -0,0 +1,55 @@
+export type GithubOauthUser = {
+  id: number
+  login: string
+  name: string | null
+  email: string | null
+  avatar_url: string | null
+}
+
+export type GithubOauthLinkDeps = {
+  clientId: string
+  clientSecret: string
+  exchangeCode?: (code: string) => Promise<string>
+  fetchUser?: (accessToken: string) => Promise<GithubOauthUser>
+}
+
+export async function exchangeGithubCodeDefault(
+  deps: GithubOauthLinkDeps,
+  code: string,
+): Promise<string> {
+  if (deps.exchangeCode) return deps.exchangeCode(code)
+  const res = await $fetch<{ access_token?: string }>(
+    "https://github.com/login/oauth/access_token",
+    {
+      method: "POST",
+      headers: { accept: "application/json", "content-type": "application/json" },
+      body: { client_id: deps.clientId, client_secret: deps.clientSecret, code },
+    },
+  )
+  if (!res.access_token) throw new Error("No access token")
+  return res.access_token
+}
+
+export async function fetchGithubUserDefault(
+  deps: GithubOauthLinkDeps,
+  token: string,
+): Promise<GithubOauthUser> {
+  if (deps.fetchUser) return deps.fetchUser(token)
+  return await $fetch<GithubOauthUser>("https://api.github.com/user", {
+    headers: {
+      accept: "application/vnd.github+json",
+      "user-agent": "Repro-Dashboard",
+      authorization: `Bearer ${token}`,
+    },
+  })
+}
+
+let __testOverride: GithubOauthLinkDeps | null = null
+
+export function __setOauthOverride(deps: GithubOauthLinkDeps | null) {
+  __testOverride = deps
+}
+
+export function __getOauthOverride() {
+  return __testOverride
+}