Initial commit

Author: n4bb12

.gitignore

@@ -0,0 +1,4 @@
+.env
+.vercel/
+node_modules/
+dist/

.prettierrc

@@ -0,0 +1,15 @@
+{
+  "arrowParens": "avoid",
+  "bracketSpacing": true,
+  "insertPragma": false,
+  "jsxBracketSameLine": false,
+  "jsxSingleQuote": false,
+  "printWidth": 120,
+  "proseWrap": "preserve",
+  "requirePragma": false,
+  "semi": false,
+  "singleQuote": false,
+  "tabWidth": 2,
+  "trailingComma": "es5",
+  "useTabs": false
+}

README.md

@@ -0,0 +1,85 @@
+# ▲🔐 vercel-github-oauth-proxy
+
+Protect a static website hosted on Vercel behind GitHub authentication.
+
+## Setup
+
+### Step 1 — Add the library
+
+```
+yarn add vercel-github-oauth-proxy
+```
+
+### Step 2 — Create an API endpoint at `/api/index.ts`
+
+```ts
+import { createLambdaHandler } from "vercel-github-oauth-proxy"
+
+export default createLambdaHandler(config)
+```
+
+`config.cryptoSecret`
+
+This is used to sign cookies.
+
+`config.staticDir`
+
+The output directory of the static website.
+
+`config.githubOrgName`
+
+The GitHub org users need to be part of.
+
+`config.githubClientId`
+`config.githubClientSecret`
+
+The id/secret pair of your GitHub OAuth app.
+You can create a new app at `https://github.com/organizations/{config.githubOrgName}/settings/applications/new`
+
+`config.githubOrgAdminToken`
+
+Private org memberships can only be determined by making an authenticated API request.
+
+We could request `read:org` scope during the OAuth flow and then use each user's access token to determine org membership, but using this method means the user additionally needs to request org access during or after the login flow and requires an org admin to confirm. This makes this approach inconvenient for both the users and the admin.
+
+Therefore we're using a separate org admin token to verify membership during login (org admins can see all users).
+
+### Step 3 — Create a `vercel.json`
+
+```json
+{
+  "version": 2,
+  "routes": [{ "src": "/(.*)", "dest": "/api/index.ts" }],
+  "functions": {
+    "api/index.ts": {
+      "includeFiles": "**"
+    }
+  }
+}
+```
+
+This routes all traffic through the lambda endpoint.
+
+Note that we also include all repo files in the lambda build. This is required because the static website needs to be deployed as part of the lambda function, not the default build. See also the [function docs](https://vercel.com/docs/configuration?query=includeFiles#project/functions) and [limits](https://vercel.com/docs/platform/limits?query=includeFiles#serverless-function-size).
+
+### Step 4 — Build
+
+To build your website during lambda deploylent, add a `vercel-build` step that builds your website.
+
+```json
+{
+  "scripts": {
+    "vercel-build": "your website build command"
+  }
+}
+```
+
+## Local development
+
+To develop locally, run
+
+```
+yarn vercel dev
+```
+
+When developing locally, you'll need to update your GitHub OAuth app's redirect URL to `http://localhost:3000`.

api/index.ts

@@ -0,0 +1,13 @@
+import path from "path"
+
+import { createLambdaProxyAuthHandler } from "../lib"
+
+export default createLambdaProxyAuthHandler({
+  cryptoSecret: process.env.CRYPTO_SECRET!,
+  githubClientId: process.env.GITHUB_CLIENT_ID!,
+  githubClientSecret: process.env.GITHUB_CLIENT_SECRET!,
+  githubOrgAdminToken: process.env.GITHUB_ORG_ADMIN_TOKEN!,
+  githubOrgName: process.env.GITHUB_ORG_NAME!,
+  staticDir: path.resolve(__dirname, "../static"),
+  sessionDurationSeconds: 604800, // 1 week
+})

lib/fastify-cookie.ts

@@ -0,0 +1,11 @@
+import { FastifyInstance } from "fastify"
+import fastifyCookie from "fastify-cookie"
+
+import { Config } from "./types"
+
+//
+// https://github.com/fastify/fastify-cookie#fastify-cookie
+//
+export function registerCookieMiddleware(server: FastifyInstance, config: Config) {
+  server.register(fastifyCookie, { secret: config.cryptoSecret })
+}

lib/fastify-lambda.ts

@@ -0,0 +1,13 @@
+import { NowApiHandler, NowRequest, NowResponse } from "@vercel/node"
+import { FastifyInstance } from "fastify"
+
+//
+// https://www.fastify.io/docs/latest/Serverless/#vercel
+// https://vercel.com/docs/serverless-functions/supported-languages#using-typescript
+//
+export const createLambdaHandler: (server: FastifyInstance) => NowApiHandler = server => {
+  return async (req: NowRequest, res: NowResponse) => {
+    await server.ready()
+    server.server.emit("request", req, res)
+  }
+}

lib/fastify-static.ts

@@ -0,0 +1,13 @@
+import { FastifyInstance } from "fastify"
+import fastifyStatic from "fastify-static"
+import path from "path"
+import { Config } from "./types"
+
+//
+// https://github.com/fastify/fastify-static#fastify-static
+//
+export function registerServeStatic(server: FastifyInstance, config: Config) {
+  server.register(fastifyStatic, {
+    root: path.resolve(config.staticDir),
+  })
+}

lib/github-oauth.ts

@@ -0,0 +1,176 @@
+import axios from "axios"
+import { FastifyInstance, FastifyReply, FastifyRequest } from "fastify"
+import { nanoid } from "nanoid"
+import { URLSearchParams } from "url"
+
+import { GitHubAccessToken, GitHubOrgMembership, GitHubUser, RoutePrams, Config, OAuthState } from "./types"
+
+export function registerGitHubOAuth(server: FastifyInstance, config: Config) {
+  const secureCookies = !!process.env.VERCEL_URL
+
+  const urls = {
+    localAuthorize: "/login/oauth/authorize",
+    githubAuthorize: "https://github.com/login/oauth/authorize",
+    githubToken: "https://github.com/login/oauth/access_token",
+    githubOrgMembers: `https://api.github.com/orgs/${config.githubOrgName}/members`,
+    githubUserDetails: "https://api.github.com/user",
+  }
+
+  const cookieNames = {
+    state: "state",
+    user: "user",
+  } as const
+
+  const formatQueryParams = (params: NodeJS.Dict<string>) => {
+    return "?" + new URLSearchParams(params).toString()
+  }
+
+  const unsignCookie = (res: FastifyReply, value: string) => {
+    const unsigned = res.unsignCookie(value)
+
+    if (unsigned.valid) {
+      return JSON.parse(unsigned.value || "null")
+    }
+  }
+
+  /**
+   * Make sure the authentication request was initiated by this application.
+   */
+  const initiateOAuth = async (req: FastifyRequest, res: FastifyReply) => {
+    const state: OAuthState = {
+      randomToken: nanoid(),
+      path: req.url,
+    }
+
+    res.clearCookie(cookieNames.user)
+    res.setCookie(cookieNames.state, JSON.stringify(state), {
+      httpOnly: true,
+      maxAge: config.sessionDurationSeconds,
+      path: "/",
+      sameSite: "lax",
+      secure: secureCookies,
+      signed: true,
+    })
+    res.redirect(302, urls.localAuthorize)
+  }
+
+  //
+  // https://docs.github.com/en/free-pro-team@latest/developers/apps/authorizing-oauth-apps#web-application-flow
+  //
+  const redirectToGitHub = async (req: FastifyRequest<RoutePrams>, res: FastifyReply) => {
+    const query = formatQueryParams({
+      client_id: config.githubClientId,
+      scope: "read:user",
+      state: req.cookies[cookieNames.state],
+    })
+    res.redirect(302, urls.githubAuthorize + query)
+  }
+
+  const denyAccess = async (res: FastifyReply, message?: string) => {
+    res.clearCookie(cookieNames.user)
+    res.clearCookie(cookieNames.state)
+    res.status(401).send({
+      statusCode: 401,
+      error: "Unauthorized",
+      message,
+    })
+  }
+
+  const getGitHubAccessToken = async (code: string): Promise<GitHubAccessToken> => {
+    const url = urls.githubToken
+    const headers = {
+      Accept: "application/json",
+    }
+    const body = {
+      client_id: config.githubClientId,
+      client_secret: config.githubClientSecret,
+      code,
+    }
+
+    const { data } = await axios.post<GitHubAccessToken>(url, body, { headers })
+
+    return data
+  }
+
+  const getGitHubUser = async (tokenData: GitHubAccessToken): Promise<GitHubUser> => {
+    const url = urls.githubUserDetails
+    const headers = {
+      Accept: "application/json",
+      Authorization: `${tokenData.token_type} ${tokenData.access_token}`,
+    }
+
+    const { data } = await axios.get<GitHubUser>(url, { headers })
+
+    return data
+  }
+
+  const getGitHubOrgMemberships = async (): Promise<GitHubOrgMembership[]> => {
+    const url = urls.githubOrgMembers
+    const headers = {
+      Accept: "application/json",
+      Authorization: `Bearer ${config.githubOrgAdminToken}`,
+    }
+
+    const { data } = await axios.get<GitHubOrgMembership[]>(url, { headers })
+
+    return data
+  }
+
+  const retrieveState = (req: FastifyRequest<RoutePrams>, res: FastifyReply) => {
+    const state: OAuthState = unsignCookie(res, req.query.state || "")
+    const expectedState: OAuthState = unsignCookie(res, req.cookies[cookieNames.state] || "")
+
+    if (!state?.randomToken || state.randomToken !== expectedState?.randomToken) {
+      throw new Error("State mismatch")
+    }
+
+    return state
+  }
+
+  const succeed = (res: FastifyReply, user: GitHubUser, path: string) => {
+    res.setCookie(cookieNames.user, JSON.stringify(user), {
+      httpOnly: false,
+      maxAge: config.sessionDurationSeconds,
+      path: "/",
+      sameSite: "lax",
+      secure: secureCookies,
+      signed: false,
+    })
+    res.redirect(302, path)
+  }
+
+  //
+  // https://www.fastify.io/docs/latest/Hooks/
+  //
+  server.addHook<RoutePrams>("preValidation", async (req, res) => {
+    if (req.cookies[cookieNames.state] && req.cookies[cookieNames.user]) {
+      return
+    }
+
+    if (req.url === urls.localAuthorize) {
+      return redirectToGitHub(req, res)
+    }
+
+    const code = req.query.code
+
+    if (!code) {
+      return initiateOAuth(req, res)
+    }
+
+    try {
+      const state = retrieveState(req, res)
+      const tokenData = await getGitHubAccessToken(code)
+      const user = await getGitHubUser(tokenData)
+      const members = await getGitHubOrgMemberships()
+
+      if (!members.find(member => member.id === user.id)) {
+        return denyAccess(res, "It appears you are not a member of the required GitHub organization.")
+      }
+
+      return succeed(res, user, state.path)
+    } catch (error) {
+      console.error(error)
+      return denyAccess(res, "It appears that the authentication request was initiated or processed incorrectly.")
+    }
+  })
+}

lib/index.ts

@@ -0,0 +1,26 @@
+import { NowApiHandler } from "@vercel/node"
+import fastify from "fastify"
+import assert from "ow"
+import { registerCookieMiddleware } from "./fastify-cookie"
+import { createLambdaHandler } from "./fastify-lambda"
+import { registerServeStatic } from "./fastify-static"
+import { registerGitHubOAuth } from "./github-oauth"
+import { Config } from "./types"
+
+export const createLambdaProxyAuthHandler: (config: Config) => NowApiHandler = config => {
+  assert(config.cryptoSecret, "config.cryptoSecret", assert.string.nonEmpty)
+  assert(config.githubClientId, "config.githubClientId", assert.string.nonEmpty)
+  assert(config.githubClientSecret, "config.githubClientSecret", assert.string.nonEmpty)
+  assert(config.githubOrgAdminToken, "config.githubOrgAdminToken", assert.string.nonEmpty)
+  assert(config.githubOrgName, "config.githubOrgName", assert.string.nonEmpty)
+
+  const server = fastify({ logger: true })
+
+  registerCookieMiddleware(server, config)
+  registerGitHubOAuth(server, config)
+  registerServeStatic(server, config)
+
+  return createLambdaHandler(server)
+}
+
+export type { Config } from "./types"