Drop invalid Freebuff login auth codes

Author: jahooma

freebuff/web/src/app/api/auth/[...nextauth]/auth-options.ts

@@ -131,6 +131,7 @@ export const authOptions: NextAuthOptions = {
             },
             'Freebuff auth redirect received non-CLI-shaped auth_code',
           )
+          return baseUrl
         }
 
         const onboardUrl = new URL(`${baseUrl}/onboard`)

freebuff/web/src/app/login/page.tsx

@@ -29,10 +29,12 @@ export default async function LoginPage({
   const resolvedSearchParams = searchParams ? await searchParams : {}
   const rawAuthCode = resolvedSearchParams?.auth_code
   const authCode = Array.isArray(rawAuthCode) ? rawAuthCode[0] : rawAuthCode
+  const validAuthCode =
+    authCode && isCliAuthCodeCandidate(authCode) ? authCode : undefined
   const searchParamKeys = Object.keys(resolvedSearchParams).sort()
 
   if (authCode) {
-    if (!isCliAuthCodeCandidate(authCode)) {
+    if (!validAuthCode) {
       const headerStore = await headers()
       logger.warn(
         {
@@ -80,7 +82,9 @@ export default async function LoginPage({
       )
     }
 
-    const { expiresAt } = parseAuthCode(authCode)
+    const { expiresAt } = validAuthCode
+      ? parseAuthCode(validAuthCode)
+      : { expiresAt: '' }
 
     if (expiresAt && isAuthCodeExpired(expiresAt)) {
       return (
@@ -122,7 +126,7 @@ export default async function LoginPage({
       <HeroGrid />
       <BackgroundBeams />
       <main className="relative z-10 flex flex-col items-center justify-center min-h-screen py-20">
-        <LoginCard authCode={authCode} />
+        <LoginCard authCode={validAuthCode} />
       </main>
     </div>
   )

freebuff/web/src/app/onboard/_helpers.ts

@@ -2,8 +2,14 @@ import { createHash } from 'node:crypto'
 
 import { genAuthCode } from '@codebuff/common/util/credentials'
 
-const OPAQUE_CLI_AUTH_CODE_TOKEN_RE = /^[A-Za-z0-9_-]{43}$/
-const CLI_AUTH_CODE_HASH_RE = /^[a-f0-9]{64}$/i
+import {
+  isCliAuthCodeCandidate,
+  isOpaqueCliAuthCodeToken,
+  parseCliAuthCodeShape,
+} from '@/lib/cli-auth-code-shape'
+
+export { isCliAuthCodeCandidate, isOpaqueCliAuthCodeToken }
+
 const CLI_AUTH_CODE_TOKEN_IDENTIFIER_PREFIX = 'cli-login:'
 const CONSUMED_CLI_AUTH_CODE_TOKEN_IDENTIFIER_PREFIX = 'cli-login-consumed:'
 const CONSUMED_CLI_AUTH_CODE_TOKEN_VALUE = 'consumed'
@@ -20,23 +26,6 @@ export function buildCliAuthCode(
   return `${fingerprintId}.${expiresAt}.${fingerprintHash}`
 }
 
-export function isOpaqueCliAuthCodeToken(authCode: string): boolean {
-  return OPAQUE_CLI_AUTH_CODE_TOKEN_RE.test(authCode.trim())
-}
-
-export function isCliAuthCodeCandidate(authCode: string): boolean {
-  if (isOpaqueCliAuthCodeToken(authCode)) {
-    return true
-  }
-
-  const { fingerprintId, expiresAt, receivedHash } = parseAuthCode(authCode)
-  return (
-    fingerprintId.length > 0 &&
-    /^\d+$/.test(expiresAt) &&
-    CLI_AUTH_CODE_HASH_RE.test(receivedHash)
-  )
-}
-
 export function getCliAuthCodeHashPrefix(authCode: string): string {
   return getCliAuthCodeHash(authCode).slice(0, 12)
 }
@@ -123,36 +112,7 @@ export function parseAuthCode(authCode: string): {
   expiresAt: string
   receivedHash: string
 } {
-  const normalizedAuthCode = authCode.trim()
-  const hashSeparatorIndex = normalizedAuthCode.lastIndexOf('.')
-  const expiresSeparatorIndex = normalizedAuthCode.lastIndexOf(
-    '.',
-    hashSeparatorIndex - 1,
-  )
-
-  if (hashSeparatorIndex === -1 || expiresSeparatorIndex === -1) {
-    const legacyMatch = normalizedAuthCode.match(
-      /^(?<fingerprintId>.+)-(?<expiresAt>\d+)-(?<receivedHash>[a-f0-9]{64})$/i,
-    )
-    if (legacyMatch?.groups) {
-      return {
-        fingerprintId: legacyMatch.groups.fingerprintId,
-        expiresAt: legacyMatch.groups.expiresAt,
-        receivedHash: legacyMatch.groups.receivedHash,
-      }
-    }
-
-    return { fingerprintId: '', expiresAt: '', receivedHash: '' }
-  }
-
-  const fingerprintId = normalizedAuthCode.slice(0, expiresSeparatorIndex)
-  const expiresAt = normalizedAuthCode.slice(
-    expiresSeparatorIndex + 1,
-    hashSeparatorIndex,
-  )
-  const receivedHash = normalizedAuthCode.slice(hashSeparatorIndex + 1)
-
-  return { fingerprintId, expiresAt, receivedHash }
+  return parseCliAuthCodeShape(authCode)
 }
 
 export function validateAuthCode(

freebuff/web/src/components/sign-in/sign-in-button.tsx

@@ -7,6 +7,8 @@ import { useTransition } from 'react'
 import { Icons } from '../icons'
 import { Button } from '../ui/button'
 
+import { isCliAuthCodeCandidate } from '@/lib/cli-auth-code-shape'
+
 import type { OAuthProviderType } from 'next-auth/providers/oauth-types'
 
 export function SignInButton({
@@ -34,7 +36,7 @@ export function SignInButton({
       if (pathname === '/login') {
         const authCode = searchParams.get('auth_code')
 
-        if (authCode) {
+        if (authCode && isCliAuthCodeCandidate(authCode)) {
           callbackUrl = `/onboard?${searchParams.toString()}`
         } else {
           callbackUrl = '/'

freebuff/web/src/lib/cli-auth-code-shape.ts

@@ -0,0 +1,57 @@
+const OPAQUE_CLI_AUTH_CODE_TOKEN_RE = /^[A-Za-z0-9_-]{43}$/
+const CLI_AUTH_CODE_HASH_RE = /^[a-f0-9]{64}$/i
+
+export function isOpaqueCliAuthCodeToken(authCode: string): boolean {
+  return OPAQUE_CLI_AUTH_CODE_TOKEN_RE.test(authCode.trim())
+}
+
+export function parseCliAuthCodeShape(authCode: string): {
+  fingerprintId: string
+  expiresAt: string
+  receivedHash: string
+} {
+  const normalizedAuthCode = authCode.trim()
+  const hashSeparatorIndex = normalizedAuthCode.lastIndexOf('.')
+  const expiresSeparatorIndex = normalizedAuthCode.lastIndexOf(
+    '.',
+    hashSeparatorIndex - 1,
+  )
+
+  if (hashSeparatorIndex === -1 || expiresSeparatorIndex === -1) {
+    const legacyMatch = normalizedAuthCode.match(
+      /^(?<fingerprintId>.+)-(?<expiresAt>\d+)-(?<receivedHash>[a-f0-9]{64})$/i,
+    )
+    if (legacyMatch?.groups) {
+      return {
+        fingerprintId: legacyMatch.groups.fingerprintId,
+        expiresAt: legacyMatch.groups.expiresAt,
+        receivedHash: legacyMatch.groups.receivedHash,
+      }
+    }
+
+    return { fingerprintId: '', expiresAt: '', receivedHash: '' }
+  }
+
+  const fingerprintId = normalizedAuthCode.slice(0, expiresSeparatorIndex)
+  const expiresAt = normalizedAuthCode.slice(
+    expiresSeparatorIndex + 1,
+    hashSeparatorIndex,
+  )
+  const receivedHash = normalizedAuthCode.slice(hashSeparatorIndex + 1)
+
+  return { fingerprintId, expiresAt, receivedHash }
+}
+
+export function isCliAuthCodeCandidate(authCode: string): boolean {
+  if (isOpaqueCliAuthCodeToken(authCode)) {
+    return true
+  }
+
+  const { fingerprintId, expiresAt, receivedHash } =
+    parseCliAuthCodeShape(authCode)
+  return (
+    fingerprintId.length > 0 &&
+    /^\d+$/.test(expiresAt) &&
+    CLI_AUTH_CODE_HASH_RE.test(receivedHash)
+  )
+}