| 158 | } |
| 159 | |
| 160 | async function startOAuthServer() { |
| 161 | if (oauthServer) return |
| 162 | |
| 163 | oauthServer = createServer((req, res) => { |
| 164 | const host = req.headers.host || `${OAUTH_CALLBACK_HOST}:${oauthServerPort ?? 0}` |
| 165 | const url = new URL(req.url || "/", `http://${host}`) |
| 166 | |
| 167 | if (url.pathname !== OAUTH_CALLBACK_PATH) { |
| 168 | res.writeHead(404) |
| 169 | res.end("Not found") |
| 170 | return |
| 171 | } |
| 172 | |
| 173 | const state = url.searchParams.get("state") |
| 174 | const code = url.searchParams.get("code") |
| 175 | const error = url.searchParams.get("error") |
| 176 | const errorDescription = url.searchParams.get("error_description") |
| 177 | |
| 178 | // CSRF guard: validate state before processing any callback |
| 179 | if (!pendingOAuth || state !== pendingOAuth.state) { |
| 180 | const message = "Invalid state - potential CSRF attack" |
| 181 | pendingOAuth?.reject(new Error(message)) |
| 182 | pendingOAuth = undefined |
| 183 | res.writeHead(400, { "Content-Type": "text/html" }) |
| 184 | res.end(OauthCallbackPage.error(message, { provider: "Snowflake" })) |
| 185 | return |
| 186 | } |
| 187 | |
| 188 | const current = pendingOAuth |
| 189 | pendingOAuth = undefined |
| 190 | |
| 191 | if (error) { |
| 192 | const message = errorDescription || error |
| 193 | current.reject(new Error(message)) |
| 194 | res.writeHead(200, { "Content-Type": "text/html" }) |
| 195 | res.end(OauthCallbackPage.error(message, { provider: "Snowflake" })) |
| 196 | return |
| 197 | } |
| 198 | |
| 199 | if (!code) { |
| 200 | const message = "Missing authorization code" |
| 201 | current.reject(new Error(message)) |
| 202 | res.writeHead(400, { "Content-Type": "text/html" }) |
| 203 | res.end(OauthCallbackPage.error(message, { provider: "Snowflake" })) |
| 204 | return |
| 205 | } |
| 206 | |
| 207 | exchangeCodeForToken(current.account, code, current.pkce) |
| 208 | .then((tokens) => current.resolve(tokens)) |
| 209 | .catch((err) => current.reject(err instanceof Error ? err : new Error(String(err)))) |
| 210 | |
| 211 | res.writeHead(200, { "Content-Type": "text/html" }) |
| 212 | res.end(OauthCallbackPage.success({ provider: "Snowflake" })) |
| 213 | }) |
| 214 | |
| 215 | await new Promise<void>((resolve, reject) => { |
| 216 | oauthServer!.listen(0, OAUTH_CALLBACK_HOST, () => { |
| 217 | const address = oauthServer!.address() |