| 38 | } |
| 39 | |
| 40 | export class SqliteOAuthStore { |
| 41 | private readonly database: DatabaseHandle; |
| 42 | |
| 43 | constructor(stateDir: string) { |
| 44 | this.database = openDatabase(stateDir); |
| 45 | this.deleteExpiredTokens(Math.floor(Date.now() / 1000)); |
| 46 | } |
| 47 | |
| 48 | getClient(clientId: string): OAuthClientInformationFull | undefined { |
| 49 | const row = this.database.sqlite |
| 50 | .prepare("select client_json from oauth_clients where client_id = ?") |
| 51 | .get(clientId) as { client_json: string } | undefined; |
| 52 | |
| 53 | return row ? (JSON.parse(row.client_json) as OAuthClientInformationFull) : undefined; |
| 54 | } |
| 55 | |
| 56 | registerClient( |
| 57 | client: Omit<OAuthClientInformationFull, "client_id" | "client_id_issued_at">, |
| 58 | allowedRedirectHosts: string[], |
| 59 | ): OAuthClientInformationFull { |
| 60 | if (!client.redirect_uris.every((uri) => redirectHostAllowed(String(uri), allowedRedirectHosts))) { |
| 61 | throw new InvalidRequestError("Client redirect_uri is not allowed for this DevSpace server"); |
| 62 | } |
| 63 | |
| 64 | const now = Math.floor(Date.now() / 1000); |
| 65 | const registered: OAuthClientInformationFull = { |
| 66 | ...client, |
| 67 | client_id: `devspace-${randomUUID()}`, |
| 68 | client_id_issued_at: now, |
| 69 | token_endpoint_auth_method: client.token_endpoint_auth_method ?? "none", |
| 70 | grant_types: client.grant_types ?? ["authorization_code", "refresh_token"], |
| 71 | response_types: client.response_types ?? ["code"], |
| 72 | }; |
| 73 | |
| 74 | this.database.sqlite |
| 75 | .prepare("insert into oauth_clients (client_id, client_json, issued_at) values (?, ?, ?)") |
| 76 | .run(registered.client_id, JSON.stringify(registered), now); |
| 77 | |
| 78 | return registered; |
| 79 | } |
| 80 | |
| 81 | saveAccessToken(tokenHash: string, record: PersistedAccessTokenRecord): void { |
| 82 | this.database.sqlite |
| 83 | .prepare( |
| 84 | `insert into oauth_access_tokens (token_hash, client_id, scopes_json, expires_at, resource) |
| 85 | values (?, ?, ?, ?, ?) |
| 86 | on conflict(token_hash) do update set |
| 87 | client_id = excluded.client_id, |
| 88 | scopes_json = excluded.scopes_json, |
| 89 | expires_at = excluded.expires_at, |
| 90 | resource = excluded.resource`, |
| 91 | ) |
| 92 | .run( |
| 93 | tokenHash, |
| 94 | record.clientId, |
| 95 | JSON.stringify(record.scopes), |
| 96 | record.expiresAt, |
| 97 | record.resource ?? null, |
nothing calls this directly
no outgoing calls
no test coverage detected