Merge pull request #7 from markusahlstrand/silent-auth

add silent auth for the code flow

apps/demo/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @authhero/demo
 
+## 0.2.6
+
+### Patch Changes
+
+- Updated dependencies
+  - [email protected]
+  - @authhero/kysely-adapter@0.24.2
+
 ## 0.2.5
 
 ### Patch Changes

apps/demo/package.json

@@ -1,15 +1,15 @@
 {
   "name": "@authhero/demo",
   "private": true,
-  "version": "0.2.5",
+  "version": "0.2.6",
   "scripts": {
     "dev": "bun --watch src/bun.ts"
   },
   "dependencies": {
-    "@authhero/kysely-adapter": "^0.24.1",
+    "@authhero/kysely-adapter": "^0.24.2",
     "@hono/swagger-ui": "^0.4.1",
     "@hono/zod-openapi": "^0.18.0",
-    "authhero": "^0.16.0",
+    "authhero": "^0.17.0",
     "hono": "^4.6.11",
     "hono-openapi-middlewares": "^1.0.11",
     "kysely-bun-sqlite": "^0.3.2"

packages/adapter-interfaces/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @authhero/adapter-interfaces
 
+## 0.29.0
+
+### Minor Changes
+
+- add silent tokens
+
 ## 0.28.0
 
 ### Minor Changes

packages/adapter-interfaces/package.json

@@ -11,7 +11,7 @@
     "type": "git",
     "url": "https://github.com/markusahlstrand/authhero"
   },
-  "version": "0.28.0",
+  "version": "0.29.0",
   "files": [
     "dist"
   ],

packages/adapter-interfaces/src/types/AuthParams.ts

@@ -15,8 +15,8 @@ export enum AuthorizationResponseMode {
 }
 
 export enum CodeChallengeMethod {
-  S265 = "S256",
-  plain = "plain",
+  S256 = "S256",
+  Plain = "plain",
 }
 
 export const authParamsSchema = z.object({

packages/authhero/CHANGELOG.md

@@ -1,5 +1,16 @@
 # authhero
 
+## 0.17.0
+
+### Minor Changes
+
+- add silent tokens
+
+### Patch Changes
+
+- Updated dependencies
+  - @authhero/adapter-interfaces@0.29.0
+
 ## 0.16.0
 
 ### Minor Changes

packages/authhero/package.json

@@ -1,6 +1,6 @@
 {
   "name": "authhero",
-  "version": "0.16.0",
+  "version": "0.17.0",
   "files": [
     "dist"
   ],

packages/authhero/src/authentication-flows/authorization-code.ts

@@ -1,9 +1,12 @@
 import { HTTPException } from "hono/http-exception";
 import { Context } from "hono";
 import { z } from "@hono/zod-openapi";
+import { nanoid } from "nanoid";
 import { createAuthTokens } from "./common";
 import { Bindings, Variables } from "../types";
 import { computeCodeChallenge } from "../utils/crypto";
+import { SILENT_AUTH_MAX_AGE, SILENT_COOKIE_NAME } from "../constants";
+import { serializeCookie } from "oslo/cookie";
 
 export const authorizationCodeGrantParamsSchema = z
   .object({
@@ -97,5 +100,34 @@ export async function authorizationCodeGrant(
 
   await ctx.env.data.codes.remove(client.tenant.id, params.code);
 
-  return createAuthTokens(ctx, { authParams: login.authParams, user });
+  // Create a new session
+  const session = await ctx.env.data.sessions.create(client.tenant.id, {
+    session_id: nanoid(),
+    user_id: user.user_id,
+    client_id: client.id,
+    expires_at: new Date(Date.now() + SILENT_AUTH_MAX_AGE * 1000).toISOString(),
+    used_at: new Date().toISOString(),
+  });
+
+  const tokens = await createAuthTokens(ctx, {
+    authParams: login.authParams,
+    user,
+    sid: session.session_id,
+  });
+
+  return ctx.json(tokens, {
+    headers: {
+      "set-cookie": serializeCookie(
+        `${client.tenant.id}-${SILENT_COOKIE_NAME}`,
+        session.session_id,
+        {
+          path: "/",
+          httpOnly: true,
+          secure: true,
+          maxAge: 60 * 60 * 24 * 7, // 1 mo
+          sameSite: "none",
+        },
+      ),
+    },
+  });
 }

packages/authhero/src/authentication-flows/client-credentials.ts

@@ -37,5 +37,6 @@ export async function clientCredentialsGrant(
     audience: params.audience,
   };
 
-  return createAuthTokens(ctx, { authParams });
+  const tokens = await createAuthTokens(ctx, { authParams });
+  return ctx.json(tokens);
 }

packages/authhero/src/authentication-flows/common.ts

@@ -39,6 +39,7 @@ export async function createAuthTokens(
       sub: user?.user_id || authParams.client_id,
       iss: ctx.env.ISSUER,
       tenant_id: ctx.var.tenant_id,
+      sid,
     },
     {
       includeIssuedTimestamp: true,

packages/authhero/src/constants.ts

@@ -1 +1,3 @@
 export const JWKS_CACHE_TIMEOUT_IN_SECONDS = 60 * 5; // 5 minutes
+export const SILENT_AUTH_MAX_AGE = 30 * 24 * 60 * 60; // 30 days
+export const SILENT_COOKIE_NAME = "auth-token";

packages/authhero/src/routes/oauth2/token.ts

@@ -88,6 +88,7 @@ export const tokenRoutes = new OpenAPIHono<{
         },
       },
     }),
+    // @ts-ignore
     async (ctx) => {
       const body = ctx.req.valid("form");
 
@@ -100,18 +101,14 @@ export const tokenRoutes = new OpenAPIHono<{
 
       switch (body.grant_type) {
         case GrantType.AuthorizationCode:
-          return ctx.json(
-            await authorizationCodeGrant(
-              ctx,
-              authorizationCodeGrantParamsSchema.parse(params),
-            ),
+          return authorizationCodeGrant(
+            ctx,
+            authorizationCodeGrantParamsSchema.parse(params),
           );
         case GrantType.ClientCredential:
-          return ctx.json(
-            await clientCredentialsGrant(
-              ctx,
-              clientCredentialGrantParamsSchema.parse(params),
-            ),
+          return clientCredentialsGrant(
+            ctx,
+            clientCredentialGrantParamsSchema.parse(params),
           );
         default:
           throw new HTTPException(400, { message: "Not implemented" });

packages/authhero/test/routes/oauth2/token.spec.ts

@@ -3,6 +3,7 @@ import { testClient } from "hono/testing";
 import { getTestServer } from "../../helpers/test-server";
 import { parseJWT } from "oslo/jwt";
 import { computeCodeChallenge } from "../../../src/utils/crypto";
+import { CodeChallengeMethod } from "@authhero/adapter-interfaces";
 
 describe("token", () => {
   describe("client_credentials", () => {
@@ -446,6 +447,62 @@ describe("token", () => {
 
         expect(secondResponse.status).toBe(403);
       });
+
+      it("should set a silent authentication token", async () => {
+        const { oauthApp, env } = await getTestServer();
+        const client = testClient(oauthApp, env);
+
+        // Create the login session and code
+        const loginSesssion = await env.data.logins.create("tenantId", {
+          expires_at: new Date(Date.now() + 1000 * 60 * 5).toISOString(),
+          authParams: {
+            client_id: "clientId",
+            username: "[email protected]",
+            scope: "",
+            audience: "http://example.com",
+            redirect_uri: "http://example.com/callback",
+          },
+        });
+
+        await env.data.codes.create("tenantId", {
+          code_type: "authorization_code",
+          user_id: "email|userId",
+          code_id: "123456",
+          login_id: loginSesssion.login_id,
+          expires_at: new Date(Date.now() + 1000 * 60 * 5).toISOString(),
+        });
+
+        const response = await client.oauth.token.$post(
+          {
+            form: {
+              grant_type: "authorization_code",
+              code: "123456",
+              redirect_uri: "http://example.com/callback",
+              client_id: "clientId",
+              client_secret: "clientSecret",
+            },
+          },
+          {
+            headers: {
+              "tenant-id": "tenantId",
+            },
+          },
+        );
+
+        expect(response.status).toBe(200);
+        const body = await response.json();
+
+        const accessToken = parseJWT(body.access_token);
+
+        if (!accessToken || !("sid" in accessToken.payload)) {
+          throw new Error("sid is missing");
+        }
+
+        const cookie = response.headers.get("set-cookie");
+        expect(cookie).toBe(
+          `tenantId-auth-token=${accessToken?.payload.sid}; HttpOnly; Max-Age=604800; Path=/; SameSite=None; Secure`,
+        );
+      });
     });
 
     describe("authorization_code with PKCE", () => {
@@ -465,7 +522,7 @@ describe("token", () => {
             scope: "",
             audience: "http://example.com",
             code_challenge: codeChallenge,
-            code_challenge_method: "plain",
+            code_challenge_method: CodeChallengeMethod.Plain,
           },
         });
 
@@ -523,7 +580,7 @@ describe("token", () => {
             scope: "",
             audience: "http://example.com",
             code_challenge: await computeCodeChallenge(codeChallenge, "S256"),
-            code_challenge_method: "S256",
+            code_challenge_method: CodeChallengeMethod.S256,
           },
         });
 
@@ -581,7 +638,7 @@ describe("token", () => {
             scope: "",
             audience: "http://example.com",
             code_challenge: codeChallenge,
-            code_challenge_method: "plain",
+            code_challenge_method: CodeChallengeMethod.Plain,
           },
         });
 

packages/drizzle/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @authhero/drizzle
 
+## 0.1.64
+
+### Patch Changes
+
+- Updated dependencies
+  - @authhero/adapter-interfaces@0.29.0
+
 ## 0.1.63
 
 ### Patch Changes

packages/drizzle/package.json

@@ -11,7 +11,7 @@
     "type": "git",
     "url": "https://github.com/markusahlstrand/authhero"
   },
-  "version": "0.1.63",
+  "version": "0.1.64",
   "files": [
     "dist"
   ],

packages/kysely/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @authhero/kysely-adapter
 
+## 0.24.2
+
+### Patch Changes
+
+- Updated dependencies
+  - @authhero/adapter-interfaces@0.29.0
+
 ## 0.24.1
 
 ### Patch Changes

packages/kysely/package.json

@@ -11,7 +11,7 @@
     "type": "git",
     "url": "https://github.com/markusahlstrand/authhero"
   },
-  "version": "0.24.1",
+  "version": "0.24.2",
   "files": [
     "dist"
   ],