100 lines
5.1 KiB
TypeScript
100 lines
5.1 KiB
TypeScript
// Login completion (todo §4): turn a fresh Kratos session into our locally-verifiable
|
|
// session JWT — the one moment Ory is on the path (README: Login → session JWT):
|
|
// 1. whoami(cookie) → the identity (id, email); no active session ⇒ null
|
|
// 2. read roles from Keto → the source of truth for the `roles` claim
|
|
// 3. project onto metadata_public (admin API) so the tokenizer's mapper can read them
|
|
// 4. whoami(tokenize_as) → the signed JWT { sub, email, roles }, stored as our cookie
|
|
// Order matters: the projection is written before tokenizing, because the claims mapper
|
|
// reads only the identity, never Keto.
|
|
import type { User } from "./context.ts";
|
|
import { serializeCookie, type CookieOptions } from "./cookie.ts";
|
|
import type { KetoClient } from "./keto-client.ts";
|
|
import type { KratosAdmin } from "./kratos-admin.ts";
|
|
import type { KratosPublic } from "./kratos-public.ts";
|
|
|
|
// Our session cookie — the signed JWT the hot path verifies in-process. Distinct from
|
|
// Kratos' own `plainpages_session` cookie (the long-lived login the JWT is re-minted off).
|
|
export const SESSION_COOKIE = "plainpages_jwt";
|
|
|
|
// Mirrors kratos.yml session.lifespan (30d) so the cookie survives browser restarts; the
|
|
// JWT inside is short-lived (~10m) and re-minted on expiry by the §4 hot path (remintSession).
|
|
const COOKIE_MAX_AGE = 60 * 60 * 24 * 30;
|
|
|
|
// The tokenizer template (kratos.yml session.whoami.tokenizer.templates.plainpages).
|
|
const TOKENIZE_AS = "plainpages";
|
|
|
|
export interface LoginDeps {
|
|
keto: KetoClient;
|
|
kratosAdmin: KratosAdmin;
|
|
kratosPublic: KratosPublic;
|
|
}
|
|
|
|
export interface CompletedLogin {
|
|
email: string | null;
|
|
identityId: string;
|
|
jwt: string;
|
|
roles: string[];
|
|
}
|
|
|
|
// The coarse roles Keto grants a subject directly: `Role:<name>#members@user:<id>`. Returns
|
|
// the de-duped, sorted role names (the tuple `object`). One logical read, paged defensively.
|
|
// Group→role inheritance lands with the Groups screen (§5); MVP grants are direct.
|
|
export async function readRoles(keto: KetoClient, identityId: string): Promise<string[]> {
|
|
const subject_id = `user:${identityId}`;
|
|
const roles = new Set<string>();
|
|
let pageToken: string | undefined;
|
|
do {
|
|
const page = await keto.listRelations({ namespace: "Role", relation: "members", subject_id, ...(pageToken ? { pageToken } : {}) });
|
|
for (const t of page.tuples) roles.add(t.object);
|
|
pageToken = page.nextPageToken ?? undefined;
|
|
} while (pageToken);
|
|
return [...roles].sort();
|
|
}
|
|
|
|
export async function completeLogin(deps: LoginDeps, cookie: string | undefined): Promise<CompletedLogin | null> {
|
|
const session = await deps.kratosPublic.whoami(cookie ? { cookie } : {});
|
|
if (!session?.identity) return null;
|
|
const identityId = session.identity.id;
|
|
const emailTrait = session.identity.traits?.["email"];
|
|
const email = typeof emailTrait === "string" ? emailTrait : null;
|
|
|
|
const roles = await readRoles(deps.keto, identityId);
|
|
await deps.kratosAdmin.updateMetadataPublic(identityId, { roles });
|
|
|
|
const tokenized = await deps.kratosPublic.whoami({ ...(cookie ? { cookie } : {}), tokenizeAs: TOKENIZE_AS });
|
|
const jwt = tokenized?.tokenized;
|
|
if (!jwt) throw new Error("login completion: Kratos tokenizer returned no JWT");
|
|
|
|
return { email, identityId, jwt, roles };
|
|
}
|
|
|
|
export interface Reminted {
|
|
setCookie: string; // a fresh JWT cookie on success, else a cookie that clears the stale one
|
|
user: User | null;
|
|
}
|
|
|
|
// Re-mint the session JWT on TTL expiry — "stay signed in" (README): the ~10m token lapsed but
|
|
// the long-lived Kratos session may still be live. A live session ⇒ re-read roles from Keto,
|
|
// re-tokenize, fresh cookie + the refreshed user (the one moment authz recomputes). A dead
|
|
// session ⇒ a cookie that *clears* the stale JWT, so later requests fall straight through to
|
|
// anonymous instead of re-hitting Ory on every one.
|
|
export async function remintSession(deps: LoginDeps, cookie: string | undefined, options: { secure?: boolean } = {}): Promise<Reminted> {
|
|
const completed = await completeLogin(deps, cookie);
|
|
if (!completed) return { setCookie: clearSessionCookie(options), user: null };
|
|
return { setCookie: sessionCookie(completed.jwt, options), user: { email: completed.email ?? "", id: completed.identityId, roles: completed.roles } };
|
|
}
|
|
|
|
// Build the Set-Cookie for our session JWT. HttpOnly + SameSite=Lax by default; `secure` is
|
|
// supplied by the caller (off in dev http; the §9 cookie hardening toggles it on for prod).
|
|
export function sessionCookie(jwt: string, options: { secure?: boolean } = {}): string {
|
|
const opts: CookieOptions = { httpOnly: true, maxAge: COOKIE_MAX_AGE, path: "/", sameSite: "Lax", ...(options.secure ? { secure: true } : {}) };
|
|
return serializeCookie(SESSION_COOKIE, jwt, opts);
|
|
}
|
|
|
|
// Expire our session cookie (Max-Age=0), with the same attributes sessionCookie sets so the
|
|
// browser deletes the right one.
|
|
export function clearSessionCookie(options: { secure?: boolean } = {}): string {
|
|
const opts: CookieOptions = { httpOnly: true, maxAge: 0, path: "/", sameSite: "Lax", ...(options.secure ? { secure: true } : {}) };
|
|
return serializeCookie(SESSION_COOKIE, "", opts);
|
|
}
|