feat(core): guard one-time token on consent request

Author: charIeszhao

packages/core/src/middleware/koa-consent-guard.ts

@@ -0,0 +1,71 @@
+import { experience } from '@logto/schemas';
+import { type MiddlewareType } from 'koa';
+import { type IRouterParamContext } from 'koa-router';
+import { errors, type Provider } from 'oidc-provider';
+
+import RequestError from '../errors/RequestError/index.js';
+import type Libraries from '../tenants/Libraries.js';
+import type Queries from '../tenants/Queries.js';
+import assertThat from '../utils/assert-that.js';
+
+/**
+ * Guard before allowing auto-consent
+ */
+export default function koaConsentGuard<
+  StateT,
+  ContextT extends IRouterParamContext,
+  ResponseBodyT,
+>(
+  provider: Provider,
+  libraries: Libraries,
+  query: Queries
+): MiddlewareType<StateT, ContextT, ResponseBodyT> {
+  return async (ctx, next) => {
+    const interactionDetails = await provider.interactionDetails(ctx.req, ctx.res);
+    const {
+      params: { token, login_hint: loginHint },
+      session,
+    } = interactionDetails;
+
+    assertThat(session, new errors.SessionNotFound('session not found'));
+
+    if (token && loginHint && typeof token === 'string' && typeof loginHint === 'string') {
+      const user = await query.users.findUserById(session.accountId);
+
+      assertThat(user.primaryEmail, 'user.email_not_exist');
+
+      if (user.primaryEmail !== loginHint) {
+        const searchParams = new URLSearchParams({
+          account: user.primaryEmail,
+        });
+        ctx.redirect(`${experience.routes.switchAccount}?${searchParams.toString()}`);
+        return;
+      }
+
+      try {
+        await libraries.oneTimeTokens.verifyOneTimeToken(token, loginHint);
+      } catch (error: unknown) {
+        if (error instanceof RequestError) {
+          if (error.code === 'one_time_token.email_mismatch') {
+            const searchParams = new URLSearchParams({
+              account: user.primaryEmail,
+            });
+            ctx.redirect(`${experience.routes.switchAccount}?${searchParams.toString()}`);
+            return;
+          }
+          const searchParams = new URLSearchParams({
+            code: error.code,
+            status: error.status.toString(),
+            message: error.message,
+          });
+          ctx.redirect(`${experience.routes.error}?${searchParams.toString()}`);
+          return;
+        }
+
+        throw error;
+      }
+    }
+
+    return next();
+  };
+}

packages/core/src/tenants/Tenant.ts

@@ -32,6 +32,7 @@ import BasicSentinel from '#src/sentinel/basic-sentinel.js';
 
 import { redisCache } from '../caches/index.js';
 import { SubscriptionLibrary } from '../libraries/subscription.js';
+import koaConsentGuard from '../middleware/koa-consent-guard.js';
 
 import Libraries from './Libraries.js';
 import Queries from './Queries.js';
@@ -195,7 +196,13 @@ export default class Tenant implements TenantContext {
       compose([
         koaExperienceSsr(libraries, queries),
         koaSpaSessionGuard(provider, queries),
-        mount(`/${experience.routes.consent}`, koaAutoConsent(provider, queries)),
+        mount(
+          `/${experience.routes.consent}`,
+          compose([
+            koaConsentGuard(provider, libraries, queries),
+            koaAutoConsent(provider, queries),
+          ])
+        ),
         koaSpaProxy({ mountedApps, queries }),
       ])
     );