isomerpages · prestonlimlianjie · Jun 18, 2021 · Jun 18, 2021 · Jun 18, 2021
diff --git a/errors/ForbiddenError.js b/errors/ForbiddenError.js
@@ -0,0 +1,12 @@
+// Import base error
+const { BaseIsomerError } = require("@errors/BaseError")
+
+class ForbiddenError extends BaseIsomerError {
+  constructor() {
+    super(403, "Access forbidden")
+  }
+}
+
+module.exports = {
+  ForbiddenError,
+}
diff --git a/middleware/auth.js b/middleware/auth.js
@@ -53,6 +53,7 @@ const whoamiAuth = (req, res, next) => {
 }
 
 // Login and logout
+auth.get("/v1/auth/github-redirect", noVerify)
 auth.get("/v1/auth", noVerify)
 auth.get("/v1/auth/logout", noVerify)
 auth.get("/v1/auth/whoami", whoamiAuth)

diff --git a/routes/auth.js b/routes/auth.js
@@ -1,9 +1,11 @@
 const axios = require("axios")
 const express = require("express")
 const queryString = require("query-string")
+const uuid = require("uuid/v4")
 
 // Import error
 const { AuthError } = require("@errors/AuthError")
+const { ForbiddenError } = require("@errors/ForbiddenError")
 
 // Import middleware
 const { attachReadRouteHandlerWrapper } = require("@middleware/routeHandler")
@@ -16,13 +18,45 @@ const router = express.Router()
 const { CLIENT_ID } = process.env
 const { CLIENT_SECRET } = process.env
 const { REDIRECT_URI } = process.env
-const AUTH_TOKEN_EXPIRY_MS = process.env.AUTH_TOKEN_EXPIRY_DURATION_IN_MILLISECONDS.toString()
+const AUTH_TOKEN_EXPIRY_MS = parseInt(
+  process.env.AUTH_TOKEN_EXPIRY_DURATION_IN_MILLISECONDS,
+  10
+)
+const CSRF_TOKEN_EXPIRY_MS = 600000
 const { FRONTEND_URL } = process.env
 
+const CSRF_COOKIE_NAME = "isomer-csrf"
 const COOKIE_NAME = "isomercms"
 
+async function authRedirect(req, res) {
+  const state = uuid()
+  const githubAuthUrl = `https://github.com/login/oauth/authorize?client_id=${CLIENT_ID}&state=${state}&scope=repo`
+
+  const csrfTokenExpiry = new Date()
+  csrfTokenExpiry.setTime(csrfTokenExpiry.getTime() + CSRF_TOKEN_EXPIRY_MS)
+
+  const cookieSettings = {
+    expires: csrfTokenExpiry,
+    httpOnly: true,
+    secure:
+      process.env.NODE_ENV !== "DEV" && process.env.NODE_ENV !== "LOCAL_DEV",
+  }
+
+  const token = jwtUtils.signToken({ state })
+
+  res.cookie(CSRF_COOKIE_NAME, token, cookieSettings)
+  return res.redirect(githubAuthUrl)
+}
+
 async function githubAuth(req, res) {
+  const csrfState = req.cookies[CSRF_COOKIE_NAME]
   const { code, state } = req.query
+
+  const isCsrfValid =
+    jwtUtils.verifyToken(csrfState) &&
+    jwtUtils.decodeToken(csrfState).state === state
+  if (!isCsrfValid) throw new ForbiddenError()
+
   const params = {
     code,
     redirect_uri: REDIRECT_URI,
@@ -83,6 +117,7 @@ async function logout(req, res) {
     path: "/",
   }
   res.clearCookie(COOKIE_NAME, cookieSettings)
+  res.clearCookie(CSRF_COOKIE_NAME, cookieSettings)
   return res.sendStatus(200)
 }
 
@@ -107,6 +142,7 @@ async function whoami(req, res) {
   return res.status(200).json({ userId })
 }
 
+router.get("/github-redirect", attachReadRouteHandlerWrapper(authRedirect))
 router.get("/", attachReadRouteHandlerWrapper(githubAuth))
 router.get("/logout", attachReadRouteHandlerWrapper(logout))
 router.get("/whoami", attachReadRouteHandlerWrapper(whoami))

diff --git a/utils/jwt-utils.js b/utils/jwt-utils.js
@@ -5,6 +5,7 @@ const { JWT_SECRET } = process.env
 const AUTH_TOKEN_EXPIRY_MS = process.env.AUTH_TOKEN_EXPIRY_DURATION_IN_MILLISECONDS.toString()
 
 const jwtUtil = {
+  decodeToken: _.wrap(jwt.decode, (decode, token) => decode(token)),
   verifyToken: _.wrap(jwt.verify, (verify, token) =>
     verify(token, JWT_SECRET, { algorithms: ["HS256"] })
   ),