Add secure support connection to website (#5750)
* wip: icom jwts * should fix auth token passing * add to wrangler
This commit is contained in:
aecsocket
@@ -414,17 +414,16 @@ const isLoading = ref(true)
|
||||
const isMounted = ref(true)
|
||||
const unsubscribers = ref<(() => void)[]>([])
|
||||
const flags = useFeatureFlags()
|
||||
const config = useRuntimeConfig()
|
||||
|
||||
const INTERCOM_APP_ID = ref('ykeritl9')
|
||||
const auth = (await useAuth()) as unknown as {
|
||||
value: { user: { id: string; username: string; email: string; created: string } }
|
||||
type AuthUser = {
|
||||
id: string
|
||||
username: string
|
||||
email?: string
|
||||
created: string
|
||||
}
|
||||
const userId = ref(auth.value?.user?.id ?? null)
|
||||
const username = ref(auth.value?.user?.username ?? null)
|
||||
const email = ref(auth.value?.user?.email ?? null)
|
||||
const createdAt = ref(
|
||||
auth.value?.user?.created ? Math.floor(new Date(auth.value.user.created).getTime() / 1000) : null,
|
||||
)
|
||||
|
||||
const auth = (await useAuth()) as unknown as { value: { user: AuthUser | null } }
|
||||
|
||||
const debug = useDebugLogger('ServerManage')
|
||||
const route = useNativeRoute()
|
||||
@@ -1332,6 +1331,22 @@ const openInstallLog = () => {
|
||||
})
|
||||
}
|
||||
|
||||
async function initializeIntercom() {
|
||||
if (!auth.value?.user) return
|
||||
|
||||
try {
|
||||
const intercomData = await $fetch<{ token: string }>('/api/intercom/messenger-jwt')
|
||||
|
||||
Intercom({
|
||||
app_id: config.public.intercomAppId,
|
||||
intercom_user_jwt: intercomData.token,
|
||||
session_duration: 1000 * 60 * 60 * 24,
|
||||
})
|
||||
} catch (error) {
|
||||
console.warn('[PYROSERVERS][INTERCOM] failed to initialize secure support chat', error)
|
||||
}
|
||||
}
|
||||
|
||||
const cleanup = () => {
|
||||
isMounted.value = false
|
||||
|
||||
@@ -1490,26 +1505,7 @@ onMounted(() => {
|
||||
})
|
||||
}
|
||||
|
||||
if (username.value && email.value && userId.value && createdAt.value) {
|
||||
const currentUser = auth.value?.user as any
|
||||
const matches =
|
||||
username.value === currentUser?.username &&
|
||||
email.value === currentUser?.email &&
|
||||
userId.value === currentUser?.id &&
|
||||
createdAt.value === Math.floor(new Date(currentUser?.created).getTime() / 1000)
|
||||
|
||||
if (matches) {
|
||||
Intercom({
|
||||
app_id: INTERCOM_APP_ID.value,
|
||||
userId: userId.value,
|
||||
name: username.value,
|
||||
email: email.value,
|
||||
created_at: createdAt.value,
|
||||
})
|
||||
} else {
|
||||
console.warn('[PYROSERVERS][INTERCOM] mismatch')
|
||||
}
|
||||
}
|
||||
void initializeIntercom()
|
||||
|
||||
DOMPurify.addHook(
|
||||
'afterSanitizeAttributes',
|
||||
|
||||
@@ -0,0 +1,99 @@
|
||||
import { type Labrinth, ModrinthApiError } from '@modrinth/api-client'
|
||||
import { SignJWT } from 'jose'
|
||||
|
||||
import { useServerModrinthClient } from '~/server/utils/api-client'
|
||||
|
||||
type IntercomTokenResponse = {
|
||||
token: string
|
||||
}
|
||||
|
||||
async function signIntercomUserJwt(
|
||||
user: { id: string; username: string; email?: string; created: string },
|
||||
secret: string,
|
||||
): Promise<string> {
|
||||
const createdAt = Math.floor(new Date(user.created).getTime() / 1000)
|
||||
|
||||
const payload: Record<string, string | number> = {
|
||||
user_id: user.id,
|
||||
name: user.username,
|
||||
}
|
||||
|
||||
if (user.email) {
|
||||
payload.email = user.email
|
||||
}
|
||||
|
||||
if (Number.isFinite(createdAt)) {
|
||||
payload.created_at = createdAt
|
||||
}
|
||||
|
||||
return await new SignJWT(payload)
|
||||
.setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
|
||||
.setIssuedAt()
|
||||
.setExpirationTime('1h')
|
||||
.sign(new TextEncoder().encode(secret))
|
||||
}
|
||||
|
||||
export default defineEventHandler(async (event): Promise<IntercomTokenResponse> => {
|
||||
if (event.method !== 'GET') {
|
||||
throw createError({
|
||||
statusCode: 405,
|
||||
message: 'Method not allowed',
|
||||
})
|
||||
}
|
||||
|
||||
const authToken = getCookie(event, 'auth-token')
|
||||
if (!authToken) {
|
||||
throw createError({
|
||||
statusCode: 401,
|
||||
message: 'Authentication required',
|
||||
})
|
||||
}
|
||||
|
||||
setHeader(event, 'cache-control', 'private, no-store, max-age=0')
|
||||
|
||||
const config = useRuntimeConfig(event)
|
||||
if (!config.intercomIdentitySecret) {
|
||||
throw createError({
|
||||
statusCode: 500,
|
||||
message: 'Intercom identity secret is not configured',
|
||||
})
|
||||
}
|
||||
|
||||
const client = useServerModrinthClient({
|
||||
event,
|
||||
authToken,
|
||||
})
|
||||
|
||||
let user: { id: string; username: string; email?: string; created: string }
|
||||
try {
|
||||
const currentUser = await client.request<Labrinth.Users.v2.User>('/user', {
|
||||
api: 'labrinth',
|
||||
version: 2,
|
||||
method: 'GET',
|
||||
})
|
||||
user = {
|
||||
id: currentUser.id,
|
||||
username: currentUser.username,
|
||||
email: currentUser.email,
|
||||
created: currentUser.created,
|
||||
}
|
||||
} catch (error) {
|
||||
if (error instanceof ModrinthApiError && error.statusCode === 401) {
|
||||
throw createError({
|
||||
statusCode: 401,
|
||||
message: 'Authentication required',
|
||||
})
|
||||
}
|
||||
|
||||
throw createError({
|
||||
statusCode: 502,
|
||||
message: 'Failed to resolve current user',
|
||||
})
|
||||
}
|
||||
|
||||
const token = await signIntercomUserJwt(user, config.intercomIdentitySecret)
|
||||
|
||||
return {
|
||||
token,
|
||||
}
|
||||
})
|
||||
Reference in New Issue
Block a user