From e8b2f3620a5833ee7b92bfc5b4c873b59861f43d Mon Sep 17 00:00:00 2001
From: Vlad Jerca
Date: Thu, 9 Jan 2025 16:09:21 +0100
Subject: [PATCH] feat(auth): handle code exchange server-side

---
 .../auth/components/AuthProvider.svelte | 43 +--------------
 .../client/src/lib/features/auth/handle.ts | 54 ++++++++++---------
 2 files changed, 31 insertions(+), 66 deletions(-)

diff --git a/projects/client/src/lib/features/auth/components/AuthProvider.svelte b/projects/client/src/lib/features/auth/components/AuthProvider.svelte
index 827db8f03..ca93a93a4 100644
--- a/projects/client/src/lib/features/auth/components/AuthProvider.svelte
+++ b/projects/client/src/lib/features/auth/components/AuthProvider.svelte
@@ -1,10 +1,5 @@ {@render children()}
diff --git a/projects/client/src/lib/features/auth/handle.ts b/projects/client/src/lib/features/auth/handle.ts
index 2e84f0d7c..7bd11840c 100644
--- a/projects/client/src/lib/features/auth/handle.ts
+++ b/projects/client/src/lib/features/auth/handle.ts
@@ -31,39 +31,43 @@ export const handle: Handle = async ({ event, resolve }) => {
 });
 }
- const isExchange = event.url.pathname.startsWith(AuthEndpoint.Exchange);
+ const code = event.url.searchParams.get('code');
+ const isExchange = code != null;
 if (isExchange) {
- const { code } = await event.request.json() as { code: string };
 const referrer = event.request.headers.get('referer') ?? '';
 const result = await authorize({ code, referrer });
 const { isAuthorized } = result;
 setAuth(result);
- const cookieHeader = isAuthorized
- ? {
- 'Set-Cookie': event.cookies.serialize(
- AUTH_COOKIE_NAME,
- await encrypt(key, result),
- {
- httpOnly: true,
- secure: true,
- maxAge: result.expiresAt ?? 0,
- path: '/',
- },
- ),
- }
- : {} as Record;
-
- return new Response(
- JSON.stringify({
- isAuthorized,
- }),
- {
- headers: { ...cookieHeader },
+ const url = new URL(event.url);
+ url.searchParams.delete('code');
+
+ const headers = new Headers();
+
+ if (isAuthorized) {
+ const cookie = event.cookies.serialize(
+ AUTH_COOKIE_NAME,
+ await encrypt(key, result),
+ {
+ httpOnly: true,
+ secure: true,
+ maxAge: result.expiresAt ?? 0,
+ path: '/',
+ },
+ );
+
+ headers.set('Set-Cookie', cookie);
+ }
+
+ return new Response(null, {
+ status: 302,
+ headers: {
+ ...Object.fromEntries(headers),
+ Location: url.toString(),
 },
- );
+ });
 }
 /**
@@ -82,6 +86,8 @@ export const handle: Handle = async ({ event, resolve }) => {
 maxAge: 0,
 path: '/',
 });
+
+ return await resolve(event);
 }
 return await resolve(event);
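Review bot: The exchange now triggers on any path that carries a `code` query parameter, and on a plain GET, where the removed line required a request to `AuthEndpoint.Exchange`; since `authorize({ code, referrer })` and the `Set-Cookie` then run unconditionally, a link to any page of the site that carries an authorization code not issued to the visitor would complete that exchange in the visitor's browser and sign them into a session they did not start (login CSRF), unless `authorize` binds the callback to a `state` value checked against a cookie set when the flow began — that is not visible from this hunk, so it is worth confirming. Keeping the path restriction alongside the new parameter check narrows the surface, `const isExchange = code != null && event.url.pathname.startsWith(AuthEndpoint.Exchange);` (assuming that endpoint is still routed after this commit), and also stops the hook from hijacking any application route that legitimately uses a `code` parameter. Separately, when `isAuthorized` is false the 302 to the stripped URL carries no failure signal, whereas the old JSON body returned `isAuthorized`; a query flag or error route on the redirect would let the client react. `handle` starts before and ends after this hunk.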
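Review bot: The added `return await resolve(event);` in the cookie-clearing branch is immediately followed by the closing `}` and the identical `return await resolve(event);` at the end of the hunk, so as far as this hunk shows it changes nothing. If the intent is to skip work that sits between the branch and the final return, that work is not in the hunk; if it is only to make the early exit explicit, a short comment such as `// cookie cleared; serve the request as anonymous` would say why the duplicate exists. Outside a try/catch, `return resolve(event);` is sufficient. `handle` starts before this hunk.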