feat(core): guard one-time token on consent request

charIeszhao · charIeszhao · commit 4ae5524a4408 · 2025-03-25T20:42:46.000+08:00
diff --git a/packages/core/src/middleware/koa-consent-guard.test.ts b/packages/core/src/middleware/koa-consent-guard.test.ts
@@ -0,0 +1,113 @@
+import { Provider, errors } from 'oidc-provider';
+
+import RequestError from '#src/errors/RequestError/index.js';
+import { MockTenant } from '#src/test-utils/tenant.js';
+import { createContextWithRouteParameters } from '#src/utils/test-utils.js';
+
+import koaConsentGuard from './koa-consent-guard.js';
+
+const { jest } = import.meta;
+
+describe('koaConsentGuard middleware', () => {
+  const provider = new Provider('https://logto.test');
+  const interactionDetails = jest.spyOn(provider, 'interactionDetails');
+  const verifyOneTimeToken = jest.fn();
+
+  const tenant = new MockTenant(
+    undefined,
+    {
+      users: {
+        findUserById: jest.fn().mockResolvedValue({ primaryEmail: 'foo@example.com' }),
+      },
+    },
+    undefined,
+    {
+      oneTimeTokens: { verifyOneTimeToken },
+    }
+  );
+  const next = jest.fn();
+
+  afterEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('should throw an error if session is not found', async () => {
+    // @ts-expect-error
+    interactionDetails.mockResolvedValue({
+      params: { token: 'token', login_hint: 'foo@example.com' },
+      session: undefined,
+    });
+    const ctx = createContextWithRouteParameters({
+      url: `/consent`,
+    });
+    const guard = koaConsentGuard(provider, tenant.libraries, tenant.queries);
+
+    await expect(guard(ctx, next)).rejects.toThrow(errors.SessionNotFound);
+  });
+
+  it('should not block if token or login_hint are not provided', async () => {
+    interactionDetails.mockResolvedValue({
+      params: { token: '', login_hint: '' },
+      // @ts-expect-error
+      session: { accountId: 'foo' },
+    });
+    const ctx = createContextWithRouteParameters({
+      url: `/consent`,
+    });
+    const guard = koaConsentGuard(provider, tenant.libraries, tenant.queries);
+
+    await guard(ctx, next);
+    expect(tenant.queries.users.findUserById).not.toHaveBeenCalled();
+    expect(tenant.libraries.oneTimeTokens.verifyOneTimeToken).not.toHaveBeenCalled();
+    expect(next).toHaveBeenCalled();
+  });
+
+  it('should redirect to switch account page if email does not match', async () => {
+    interactionDetails.mockResolvedValue({
+      params: { token: 'abcdefg', login_hint: 'bar@example.com' },
+      // @ts-expect-error
+      session: { accountId: 'bar' },
+    });
+    const ctx = createContextWithRouteParameters({
+      url: `/consent`,
+    });
+    const guard = koaConsentGuard(provider, tenant.libraries, tenant.queries);
+
+    await guard(ctx, jest.fn());
+    expect(ctx.redirect).toHaveBeenCalledWith(expect.stringContaining('switch-account'));
+  });
+
+  it('should call next middleware if validations pass', async () => {
+    const ctx = createContextWithRouteParameters({
+      url: `/consent`,
+    });
+    interactionDetails.mockResolvedValue({
+      params: { token: 'token_value', login_hint: 'foo@example.com' },
+      // @ts-expect-error
+      session: { accountId: 'foo' },
+    });
+    verifyOneTimeToken.mockResolvedValueOnce({ token: 'token_value', email: 'foo@example.com' });
+    const guard = koaConsentGuard(provider, tenant.libraries, tenant.queries);
+
+    await guard(ctx, next);
+    expect(next).toHaveBeenCalled();
+  });
+
+  it('should redirect to error page on one-time token verification failure', async () => {
+    const ctx = createContextWithRouteParameters({
+      url: `/consent`,
+    });
+    interactionDetails.mockResolvedValue({
+      params: { token: 'token', login_hint: 'foo@example.com' },
+      // @ts-expect-error
+      session: { accountId: 'foo' },
+    });
+    verifyOneTimeToken.mockRejectedValue(new RequestError('one_time_token.token_consumed'));
+    const guard = koaConsentGuard(provider, tenant.libraries, tenant.queries);
+
+    await guard(ctx, next);
+    expect(ctx.redirect).toHaveBeenCalledWith(
+      expect.stringContaining('code=one_time_token.token_consumed')
+    );
+  });
+});
diff --git a/packages/core/src/middleware/koa-consent-guard.ts b/packages/core/src/middleware/koa-consent-guard.ts
@@ -0,0 +1,71 @@
+import { experience } from '@logto/schemas';
+import { type MiddlewareType } from 'koa';
+import { type IRouterParamContext } from 'koa-router';
+import { errors, type Provider } from 'oidc-provider';
+
+import RequestError from '../errors/RequestError/index.js';
+import type Libraries from '../tenants/Libraries.js';
+import type Queries from '../tenants/Queries.js';
+import assertThat from '../utils/assert-that.js';
+
+/**
+ * Guard before allowing auto-consent
+ */
+export default function koaConsentGuard<
+  StateT,
+  ContextT extends IRouterParamContext,
+  ResponseBodyT,
+>(
+  provider: Provider,
+  libraries: Libraries,
+  query: Queries
+): MiddlewareType<StateT, ContextT, ResponseBodyT> {
+  return async (ctx, next) => {
+    const interactionDetails = await provider.interactionDetails(ctx.req, ctx.res);
+    const {
+      params: { token, login_hint: loginHint },
+      session,
+    } = interactionDetails;
+
+    assertThat(session, new errors.SessionNotFound('session not found'));
+
+    if (token && loginHint && typeof token === 'string' && typeof loginHint === 'string') {
+      const user = await query.users.findUserById(session.accountId);
+
+      assertThat(user.primaryEmail, 'user.email_not_exist');
+
+      if (user.primaryEmail !== loginHint) {
+        const searchParams = new URLSearchParams({
+          account: user.primaryEmail,
+        });
+        ctx.redirect(`${experience.routes.switchAccount}?${searchParams.toString()}`);
+        return;
+      }
+
+      try {
+        await libraries.oneTimeTokens.verifyOneTimeToken(token, loginHint);
+      } catch (error: unknown) {
+        if (error instanceof RequestError) {
+          if (error.code === 'one_time_token.email_mismatch') {
+            const searchParams = new URLSearchParams({
+              account: user.primaryEmail,
+            });
+            ctx.redirect(`${experience.routes.switchAccount}?${searchParams.toString()}`);
+            return;
+          }
+          const searchParams = new URLSearchParams({
+            code: error.code,
+            status: error.status.toString(),
+            message: error.message,
+          });
+          ctx.redirect(`${experience.routes.error}?${searchParams.toString()}`);
+          return;
+        }
+
+        throw error;
+      }
+    }
+
+    return next();
+  };
+}
diff --git a/packages/core/src/tenants/Tenant.ts b/packages/core/src/tenants/Tenant.ts
@@ -32,6 +32,7 @@ import BasicSentinel from '#src/sentinel/basic-sentinel.js';
 
 import { redisCache } from '../caches/index.js';
 import { SubscriptionLibrary } from '../libraries/subscription.js';
+import koaConsentGuard from '../middleware/koa-consent-guard.js';
 
 import Libraries from './Libraries.js';
 import Queries from './Queries.js';
@@ -201,7 +202,13 @@ export default class Tenant implements TenantContext {
       compose([
         koaExperienceSsr(libraries, queries),
         koaSpaSessionGuard(provider, queries),
-        mount(`/${experience.routes.consent}`, koaAutoConsent(provider, queries)),
+        mount(
+          `/${experience.routes.consent}`,
+          compose([
+            koaConsentGuard(provider, libraries, queries),
+            koaAutoConsent(provider, queries),
+          ])
+        ),
         koaSpaProxy({ mountedApps, queries }),
       ])
     );
