Merged in feature/curity-social-login (pull request #2963)

feat(SW-3541): Do social login after login to SAS * feat(auth): wip social login via curity * Setup social login auth flow * Merge branch 'master' of bitbucket.org:scandic-swap/web into feature/curity-social-login * Added support for getting scandic tokens and refresh them * feat: Enhance social login and session management with auto-refresh and improved error handling * Merge branch 'master' of bitbucket.org:scandic-swap/web into feature/curity-social-login * wrap layout in suspense * revert app/layout.tsx * fix import * cleanup * merge * merge * dont pass client_secret in the url to curity * add state validation when doing social login through /authorize * remove debug logging Approved-by: Anton Gunnarsson
2025-10-16 12:47:12 +00:00
parent 1850cfd20d
commit 291310e841
24 changed files with 827 additions and 84 deletions
--- a/apps/partner-sas/app/[lang]/(auth)/SocialLogin.tsx
+++ b/apps/partner-sas/app/[lang]/(auth)/SocialLogin.tsx
@@ -0,0 +1,59 @@
+"use client"
+
+import React, { createContext, useContext } from "react"
+
+import { useSocialSession } from "@/hooks/useSocialSession"
+
+/* eslint-disable formatjs/no-literal-string-in-jsx */
+
+type SocialLoginContextType = {
+  session: ReturnType<typeof useSocialSession>["session"]
+  refresh: ReturnType<typeof useSocialSession>["refresh"]
+}
+
+const SocialLoginContext = createContext<SocialLoginContextType | undefined>(
+  undefined
+)
+
+export function SocialLoginProvider({
+  children,
+}: {
+  children: React.ReactNode
+}) {
+  const { session: socialSession, refresh } = useSocialSession()
+
+  return (
+    <SocialLoginContext.Provider value={{ session: socialSession, refresh }}>
+      {process.env.NODE_ENV === "development" && (
+        <>
+          <span>Social login: </span>
+          {socialSession.data?.status}{" "}
+          {socialSession?.data?.status === "expired" && (
+            <>
+              <span>Expires@{socialSession?.data.expiresAt}</span>{" "}
+              <button onClick={() => refresh.mutate()}>Refresh</button>
+            </>
+          )}
+          {socialSession?.data?.status === "valid" && (
+            <>
+              <span>Expires@{socialSession?.data.expiresAt}</span>{" "}
+              <button onClick={() => refresh.mutate()}>Refresh</button>
+            </>
+          )}
+        </>
+      )}
+
+      {children}
+    </SocialLoginContext.Provider>
+  )
+}
+
+export function useSocialLogin() {
+  const ctx = useContext(SocialLoginContext)
+  if (!ctx) {
+    throw new Error(
+      "useSocialLogin must be used within SocialLoginContextProvider"
+    )
+  }
+  return ctx
+}
--- a/apps/partner-sas/app/[lang]/layout.tsx
+++ b/apps/partner-sas/app/[lang]/layout.tsx
@@ -28,17 +28,13 @@ import { FontPreload } from "@/fonts/font-preloading"
 import { getMessages } from "@/i18n"
 import ClientIntlProvider from "@/i18n/Provider"
 import { setLang } from "@/i18n/serverContext"
-import { routeToScandicWeb } from "@/util"

 import { BookingFlowProviders } from "../../components/BookingFlowProviders"
 import { Footer } from "../../components/Footer/Footer"
 import { Header } from "../../components/Header/Header"
+import { SocialLoginProvider } from "./(auth)/SocialLogin"

-import type { Metadata } from "next"
-
-export const metadata: Metadata = {
-  description: "TODO This text should be updated.",
-}
+import type { LangRoute } from "@scandic-hotels/common/constants/routes/langRoute"

 type LangParams = {
  lang: Lang
@@ -74,7 +70,7 @@ export default async function RootLayout(props: RootLayoutProps) {
  }

  return (
-    <html lang="en">
+    <html lang={lang}>
      <head>
        <FontPreload />
        <AdobeSDKScript />
@@ -95,21 +91,23 @@ export default async function RootLayout(props: RootLayoutProps) {
            >
              <NuqsAdapter>
                <TrpcProvider>
-                  <RACRouterProvider>
-                    <BookingFlowConfig config={bookingFlowConfig}>
-                      <BookingFlowProviders>
-                        <RouteChange />
-                        <SiteWideAlert />
-                        <Header />
-                        {props.bookingwidget}
-                        <main>{children}</main>
-                        <Footer />
-                        <ToastHandler />
-                        <CookieBotConsent />
-                        <ReactQueryDevtools initialIsOpen={false} />
-                      </BookingFlowProviders>
-                    </BookingFlowConfig>
-                  </RACRouterProvider>
+                  <SocialLoginProvider>
+                    <RACRouterProvider>
+                      <BookingFlowConfig config={bookingFlowConfig}>
+                        <BookingFlowProviders>
+                          <RouteChange />
+                          <SiteWideAlert />
+                          <Header />
+                          {props.bookingwidget}
+                          <main>{children}</main>
+                          <Footer />
+                          <ToastHandler />
+                          <CookieBotConsent />
+                          <ReactQueryDevtools initialIsOpen={false} />
+                        </BookingFlowProviders>
+                      </BookingFlowConfig>
+                    </RACRouterProvider>
+                  </SocialLoginProvider>
                </TrpcProvider>
              </NuqsAdapter>
            </ClientIntlProvider>
@@ -129,3 +127,11 @@ export default async function RootLayout(props: RootLayoutProps) {
    </html>
  )
 }
+
+function routeToScandicWeb(route: LangRoute) {
+  const url = `https://www.scandichotels.com`
+  return Object.entries(route).reduce((acc, [key, value]) => {
+    acc[key as Lang] = `${url}${value}`
+    return acc
+  }, {} as LangRoute)
+}
--- a/apps/partner-sas/app/api/web/auth/callback/curity/route.ts
+++ b/apps/partner-sas/app/api/web/auth/callback/curity/route.ts
@@ -0,0 +1,51 @@
+import { cookies } from "next/headers"
+import { type NextRequest, NextResponse } from "next/server"
+
+import { createLogger } from "@scandic-hotels/common/logger/createLogger"
+
+import { env } from "@/env/server"
+
+import { getToken } from "@/auth/scandic/getToken"
+import { createSession } from "@/auth/scandic/session"
+
+const logger = createLogger("curity-callback")
+export async function GET(req: NextRequest) {
+  const code = req.nextUrl.searchParams.get("code")
+  const state = req.nextUrl.searchParams.get("state")
+  const savedState = req.cookies.get("oauth_state")?.value
+
+  if (!code || !state) {
+    logger.error("Missing code or state", { url: req.nextUrl.toString() })
+    throw new Error("Missing code or state, auth failed")
+  }
+
+  if (!savedState) {
+    logger.error("No saved state cookie", { url: req.nextUrl.toString() })
+    throw new Error("Missing saved oauth state, auth failed")
+  }
+
+  if (state !== savedState) {
+    logger.error("State mismatch", {
+      provided: state,
+      saved: savedState,
+      url: req.nextUrl.toString(),
+    })
+    throw new Error("Invalid state, possible CSRF")
+  }
+
+  const tokenResponse = await getToken({
+    code,
+  })
+
+  await createSession({
+    access_token: tokenResponse.access_token,
+    refresh_token: tokenResponse.refresh_token,
+    expires_in: tokenResponse.expires_in,
+  })
+
+  const c = await cookies()
+  c.delete({ name: "oauth_state", path: "/" })
+
+  const url = new URL(env.PUBLIC_URL)
+  return NextResponse.redirect(url)
+}
--- a/apps/partner-sas/app/api/web/auth/scandic/login/route.ts
+++ b/apps/partner-sas/app/api/web/auth/scandic/login/route.ts
@@ -0,0 +1,53 @@
+import "server-only"
+
+import { createHash, randomUUID } from "node:crypto"
+
+import { cookies } from "next/headers"
+import { type NextRequest, NextResponse } from "next/server"
+
+import { config } from "@/auth/scandic/config"
+import { endpoints } from "@/auth/scandic/endpoints"
+
+export async function GET(req: NextRequest) {
+  const authUrl = new URL(endpoints.authorization_endpoint.toString())
+
+  const configData: Omit<typeof config, "client_secret"> = {
+    client_id: config.client_id,
+    redirect_uri: config.redirect_uri,
+    acr_values: config.acr_values,
+    scope: config.scope,
+    response_type: config.response_type,
+    issuer: config.issuer,
+  }
+
+  Object.entries(configData).forEach(([key, value]) => {
+    authUrl.searchParams.set(key, String(value))
+  })
+
+  const state = generateState()
+  const redirectTo = req.nextUrl.searchParams.get("redirect_to") || "/"
+  authUrl.searchParams.set("redirect_to", redirectTo)
+  authUrl.searchParams.set("state", state)
+
+  const c = await cookies()
+  c.set({
+    name: "oauth_state",
+    value: state,
+    httpOnly: true,
+    path: "/",
+    secure: true,
+    sameSite: "lax",
+    maxAge: 300,
+  })
+
+  return NextResponse.redirect(authUrl)
+}
+
+function generateState(length = 32) {
+  const seed = randomUUID()
+
+  const hashed = createHash("sha256")
+    .update(seed + Math.random())
+    .digest("hex")
+  return hashed.slice(0, length)
+}
--- a/apps/partner-sas/app/api/web/auth/scandic/logout/route.ts
+++ b/apps/partner-sas/app/api/web/auth/scandic/logout/route.ts
@@ -0,0 +1,12 @@
+import { type NextRequest } from "next/server"
+
+import { noContent } from "@/server/errors/next"
+
+import { destroySession } from "@/auth/scandic/session"
+
+export async function GET(_req: NextRequest) {
+  await destroySession()
+  // TODO: Should we call Scandic's logout endpoint?
+
+  return noContent()
+}
--- a/apps/partner-sas/app/api/web/auth/scandic/refresh/route.ts
+++ b/apps/partner-sas/app/api/web/auth/scandic/refresh/route.ts
@@ -0,0 +1,122 @@
+import { type NextRequest } from "next/server"
+import { z } from "zod"
+
+import { createLogger } from "@scandic-hotels/common/logger/createLogger"
+import { safeTry } from "@scandic-hotels/common/utils/safeTry"
+
+import {
+  badRequest,
+  internalServerError,
+  ok,
+  response,
+} from "@/server/errors/next"
+
+import { config } from "@/auth/scandic/config"
+import { endpoints } from "@/auth/scandic/endpoints"
+import {
+  createSession,
+  destroySession,
+  getSession,
+} from "@/auth/scandic/session"
+
+const logger = createLogger("scandic/refresh")
+export async function POST(_req: NextRequest) {
+  const session = await getSession()
+  if (!session) {
+    return badRequest("No session found")
+  }
+
+  if (!session.refresh_token) {
+    return badRequest("No refresh token found")
+  }
+
+  const [newTokens, error] = await safeTry(
+    refreshToken({ refreshToken: session.refresh_token })
+  )
+
+  if (!newTokens || error) {
+    console.error("Error refreshing token", error)
+
+    if (isResponseError(error)) {
+      if (error.status === 400 && error.cause === "invalid_grant") {
+        await destroySession()
+        return badRequest("invalid_grant")
+      }
+
+      return response({}, error.status, error.statusText)
+    }
+
+    return internalServerError(error)
+  }
+
+  logger.debug("Successfully refreshed, got new token(s)", {
+    expires_in: newTokens.expires_in,
+    got_new_refresh_token: newTokens.refresh_token !== session.refresh_token,
+    got_new_access_token: newTokens.access_token !== session.access_token,
+  })
+
+  await createSession({
+    access_token: newTokens.access_token,
+    refresh_token: newTokens.refresh_token ?? session.refresh_token,
+    expires_in: newTokens.expires_in,
+  })
+
+  return ok({ status: "refreshed token" })
+}
+
+const refreshTokenResponse = z.object({
+  access_token: z.string(),
+  expires_in: z.number(),
+  refresh_token: z.string().optional(),
+})
+
+async function refreshToken({ refreshToken }: { refreshToken: string }) {
+  const response = await fetch(endpoints.token_endpoint, {
+    body: new URLSearchParams({
+      client_id: config.client_id,
+      client_secret: config.client_secret,
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+    }),
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+    },
+    method: "POST",
+    signal: AbortSignal.timeout(15_000),
+  })
+
+  const new_tokens: Record<string, unknown> = await response.json()
+  if (!response.ok) {
+    throw (
+      responseErrorSchema.safeParse({
+        status: response.status,
+        statusText: response.statusText,
+        cause: new_tokens?.error,
+      }).data ?? {
+        status: response.status,
+        statusText: response.statusText,
+        cause: "unknown",
+      }
+    )
+  }
+
+  const tokenResult = refreshTokenResponse.parse(new_tokens)
+
+  return tokenResult
+}
+
+type ResponseError = z.infer<typeof responseErrorSchema>
+const responseErrorSchema = z.object({
+  status: z.number(),
+  statusText: z.string(),
+  cause: z.enum(["invalid_grant", "unknown"]),
+})
+
+function isResponseError(error: unknown): error is ResponseError {
+  return (
+    typeof error === "object" &&
+    error !== null &&
+    "status" in error &&
+    "statusText" in error
+  )
+}
--- a/apps/partner-sas/app/api/web/auth/scandic/session/route.ts
+++ b/apps/partner-sas/app/api/web/auth/scandic/session/route.ts
@@ -0,0 +1,66 @@
+import { NextResponse } from "next/server"
+import { z } from "zod"
+
+import { dt } from "@scandic-hotels/common/dt"
+import { createLogger } from "@scandic-hotels/common/logger/createLogger"
+
+import { getSession } from "@/auth/scandic/session"
+
+const logger = createLogger("scandic/session")
+
+const socialSessionResponseSchema = z.discriminatedUnion("status", [
+  z.object({
+    status: z.literal("valid"),
+    user: z.null(),
+    expiresAt: z.string().datetime(),
+  }),
+  z.object({
+    status: z.literal("expired"),
+    expiresAt: z.string().datetime(),
+  }),
+  z.object({
+    status: z.literal("error"),
+    cause: z.string(),
+  }),
+  z.object({ status: z.literal("no_session"), user: z.null() }),
+])
+
+export type SocialSessionResponse = z.infer<typeof socialSessionResponseSchema>
+
+export async function GET(): Promise<NextResponse<SocialSessionResponse>> {
+  try {
+    const session = await getSession()
+    if (!session || !session.access_token) {
+      return createResponse({ status: "no_session", user: null })
+    }
+
+    const hasExpired = dt(session.expires_at).isBefore(dt())
+    if (hasExpired) {
+      return createResponse({
+        status: "expired",
+        expiresAt: session.expires_at,
+      })
+    }
+
+    return createResponse({
+      status: "valid",
+      user: null,
+      expiresAt: session.expires_at,
+    })
+  } catch (error) {
+    logger.error("Failed to get session", error)
+    return createResponse(
+      { status: "error", cause: String(error) },
+      { status: 500 }
+    )
+  }
+}
+
+function createResponse(
+  data: SocialSessionResponse,
+  options?: { status: number }
+) {
+  return NextResponse.json(socialSessionResponseSchema.parse(data), {
+    status: options?.status ?? 200,
+  })
+}