artin/API-Explorer-II
1
0
Fork 0
mirror of https://github.com/OpenBankProject/API-Explorer-II.git synced 2026-02-06 10:47:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
86295f827a
API-Explorer-II/server/controllers/OAuth2CallbackController.ts
simonredfern 86295f827a Phase 1: Implement OAuth2/OIDC core infrastructure 
Backend Implementation:
- Add arctic and jsonwebtoken dependencies
- Create PKCEUtils for OAuth2 PKCE flow (RFC 7636)
- Create OAuth2Service for OIDC provider integration
  * OIDC discovery (.well-known/openid-configuration)
  * Authorization URL generation with PKCE
  * Token exchange (code for access/refresh/ID tokens)
  * Token refresh flow
  * UserInfo endpoint integration
- Create OAuth2AuthorizationMiddleware (initiate auth flow)
- Create OAuth2CallbackMiddleware (handle provider callback)
- Create OAuth2ConnectController (/oauth2/connect endpoint)
- Create OAuth2CallbackController (/oauth2/callback endpoint)

Configuration:
- Add OAuth2 environment variables to env_ai
- Feature flag VITE_USE_OAUTH2 for gradual migration
- Support for OBP-OIDC provider

Features:
- PKCE (Proof Key for Code Exchange) support
- State parameter for CSRF protection
- Session-based token storage
- Comprehensive error handling
- Security best practices (token expiration, flow timeout)

Note: Backend infrastructure complete. Next phase: integrate with app.ts
and update UserController for dual auth support.
2025-11-29 19:53:41 +01:00

99 lines
3.4 KiB
TypeScript
Raw Blame History

/*
* Open Bank Project - API Explorer II
* Copyright (C) 2023-2024, TESOBE GmbH
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Email: contact@tesobe.com
* TESOBE GmbH
* Osloerstrasse 16/17
* Berlin 13359, Germany
*
* This product includes software developed at
* TESOBE (http://www.tesobe.com/)
*
*/
import { Controller, Req, Res, Get, UseBefore } from 'routing-controllers'
import { Request, Response } from 'express'
import { Service } from 'typedi'
import OAuth2CallbackMiddleware from '../middlewares/OAuth2CallbackMiddleware'
/**
* OAuth2 Callback Controller
*
* Handles the OAuth2/OIDC callback from the identity provider.
* This controller receives the authorization code and state parameter
* after the user authenticates with the OIDC provider.
*
* The OAuth2CallbackMiddleware handles:
* - State validation (CSRF protection)
* - Authorization code exchange for tokens
* - User info retrieval
* - Session storage
* - Redirect to original page
*
* Endpoint: GET /oauth2/callback
*
* Query Parameters (from OIDC provider):
* - code: Authorization code to exchange for tokens
* - state: State parameter for CSRF validation
* - error (optional): Error code if authentication failed
* - error_description (optional): Human-readable error description
*
* Flow:
* OIDC Provider → /oauth2/callback?code=XXX&state=YYY
* → OAuth2CallbackMiddleware → Original Page (with authenticated session)
*
* Success Flow:
* 1. Validate state parameter
* 2. Exchange authorization code for tokens (access, refresh, ID)
* 3. Fetch user information from UserInfo endpoint
* 4. Store tokens and user data in session
* 5. Redirect to original page or home
*
* Error Flow:
* 1. Parse error from query parameters
* 2. Display user-friendly error page
* 3. Allow user to retry authentication
*
* @example
* // Successful callback URL from OIDC provider
* http://localhost:5173/oauth2/callback?code=abc123&state=xyz789
*
* // Error callback URL from OIDC provider
* http://localhost:5173/oauth2/callback?error=access_denied&error_description=User%20cancelled
*/
@Service()
@Controller()
@UseBefore(OAuth2CallbackMiddleware)
export class OAuth2CallbackController {
/**
* Handle OAuth2/OIDC callback
*
* The actual logic is handled by OAuth2CallbackMiddleware.
* This method exists only as the routing endpoint definition.
*
* @param {Request} request - Express request object with query params (code, state)
* @param {Response} response - Express response object (redirected by middleware)
* @returns {Response} Response object (handled by middleware)
*/
@Get('/oauth2/callback')
callback(@Req() request: Request, @Res() response: Response): Response {
// The middleware handles all the logic and redirects the user
// This method should never actually execute
return response
}
}
Reference in New Issue View Git Blame Copy Permalink