tmp

packages/backend/package.json

@@ -127,6 +127,7 @@
 		"otpauth": "9.1.2",
 		"parse5": "7.1.2",
 		"pg": "8.11.0",
+		"pkce-challenge": "^3.1.0",
 		"probe-image-size": "7.2.3",
 		"promise-limit": "2.7.0",
 		"pug": "3.0.2",
@@ -202,6 +203,7 @@
 		"@types/sanitize-html": "2.9.0",
 		"@types/semver": "7.5.0",
 		"@types/sharp": "0.32.0",
+		"@types/simple-oauth2": "^5.0.4",
 		"@types/sinonjs__fake-timers": "8.1.2",
 		"@types/tinycolor2": "1.4.3",
 		"@types/tmp": "0.2.3",
@@ -219,6 +221,7 @@
 		"eslint-plugin-import": "2.27.5",
 		"execa": "6.1.0",
 		"jest": "29.5.0",
-		"jest-mock": "29.5.0"
+		"jest-mock": "29.5.0",
+		"simple-oauth2": "^5.0.0"
 	}
 }

packages/backend/src/server/oauth/OAuth2ProviderService.ts

@@ -433,7 +433,7 @@ export class OAuth2ProviderService {
 		fastify.get<{ Querystring: OAuthRequestQuery }>('/oauth/authorize', async (request, reply) => {
 			console.log('HIT /oauth/authorize', request.query);
 			const oauth2 = (request.raw as any).oauth2 as (OAuth2 | undefined);
-			console.log(oauth2);
+			console.log(oauth2, request.raw.session);
 
 			if (request.query.response_type !== 'code') {
 				throw new Error('`response_type` parameter must be set as "code"');

packages/backend/test/e2e/oauth.ts

@@ -0,0 +1,94 @@
+process.env.NODE_ENV = 'test';
+
+import * as assert from 'assert';
+import { port, signup, startServer } from '../utils.js';
+import type { INestApplicationContext } from '@nestjs/common';
+import { AuthorizationCode } from 'simple-oauth2';
+import pkceChallenge from 'pkce-challenge';
+import { JSDOM } from 'jsdom';
+
+describe('OAuth', () => {
+	let app: INestApplicationContext;
+
+	let alice: any;
+	const clientPort = port + 1;
+
+	beforeAll(async () => {
+		app = await startServer();
+		alice = await signup({ username: 'alice' });
+		// fastify = Fastify();
+	}, 1000 * 60 * 2);
+
+	afterAll(async () => {
+		await app.close();
+	});
+
+	test('Full flow', async () => {
+		const { code_challenge, code_verifier } = pkceChallenge.default(128);
+
+		const client = new AuthorizationCode({
+			client: {
+				id: `http://127.0.0.1:${clientPort}/`,
+			},
+			auth: {
+				tokenHost: `http://127.0.0.1:${port}`,
+				tokenPath: '/oauth/token',
+				authorizePath: '/oauth/authorize',
+			},
+			options: {
+				authorizationMethod: 'body',
+			},
+		});
+
+		const redirect_uri = `http://127.0.0.1:${clientPort}/redirect`;
+
+		const authEndpoint = client.authorizeURL({
+			redirect_uri,
+			scope: 'write:notes',
+			state: 'state',
+			code_challenge,
+			code_challenge_method: 'S256',
+		});
+		const response = await fetch(authEndpoint);
+		assert.strictEqual(response.status, 200);
+		const cookie = response.headers.get('set-cookie');
+		assert.ok(cookie?.startsWith('connect.sid='));
+
+		const fragment = JSDOM.fragment(await response.text());
+		const transactionId = fragment.querySelector<HTMLMetaElement>('meta[name="misskey:oauth:transaction-id"]')?.content;
+		assert.strictEqual(typeof transactionId, 'string');
+
+		const formData = new FormData();
+		formData.append('transaction_id', transactionId!);
+		formData.append('login_token', alice.token);
+		const decisionResponse = await fetch(`http://127.0.0.1:${port}/oauth/decision`, {
+			method: 'post',
+			body: new URLSearchParams({
+				transaction_id: transactionId!,
+				login_token: alice.token,
+			}),
+			redirect: 'manual',
+			headers: {
+				'content-type': 'application/x-www-form-urlencoded',
+				cookie: cookie!,
+			},
+		});
+		assert.strictEqual(decisionResponse.status, 302);
+		assert.ok(decisionResponse.headers.has('location'));
+
+		const location = new URL(decisionResponse.headers.get('location')!);
+		assert.strictEqual(location.origin + location.pathname, redirect_uri);
+
+		assert.ok(location.searchParams.has('code'));
+		assert.strictEqual(location.searchParams.get('state'), 'state');
+
+		const token = await client.getToken({
+			code: location.searchParams.get('code')!,
+			redirect_uri,
+			code_verifier,
+		});
+		assert.strictEqual(typeof token.token.access_token, 'string');
+		assert.strictEqual(typeof token.token.refresh_token, 'string');
+		assert.strictEqual(token.token.token_type, 'Bearer');
+	});
+});