feat: support basePath configuration (#2167)

Author: guabu

README.md

@@ -1,4 +1,5 @@
 import { AccessTokenError } from "../../errors";
+import { normailizeWithBasePath } from "../../utils/pathUtils";
 
 type AccessTokenResponse = {
   token: string;
@@ -8,7 +9,9 @@ type AccessTokenResponse = {
 
 export async function getAccessToken(): Promise<string> {
   const tokenRes = await fetch(
-    process.env.NEXT_PUBLIC_ACCESS_TOKEN_ROUTE || "/auth/access-token"
+    normailizeWithBasePath(
+      process.env.NEXT_PUBLIC_ACCESS_TOKEN_ROUTE || "/auth/access-token"
+    )
   );
 
   if (!tokenRes.ok) {

src/client/helpers/get-access-token.ts

@@ -3,10 +3,13 @@
 import useSWR from "swr";
 
 import type { User } from "../../types";
+import { normailizeWithBasePath } from "../../utils/pathUtils";
 
 export function useUser() {
   const { data, error, isLoading, mutate } = useSWR<User, Error, string>(
-    process.env.NEXT_PUBLIC_PROFILE_ROUTE || "/auth/profile",
+    normailizeWithBasePath(
+      process.env.NEXT_PUBLIC_PROFILE_ROUTE || "/auth/profile"
+    ),
     (...args) =>
       fetch(...args).then((res) => {
         if (!res.ok) {

src/client/hooks/use-user.ts

@@ -1,7 +1,7 @@
 import { NextRequest, NextResponse } from "next/server";
 import * as jose from "jose";
 import * as oauth from "oauth4webapi";
-import { describe, expect, it, vi } from "vitest";
+import { afterAll, beforeAll, describe, expect, it, vi } from "vitest";
 
 import { generateSecret } from "../test/utils";
 import { SessionData } from "../types";
@@ -806,6 +806,89 @@ ca/T0LLtgmbMmxSv/MmzIg==
         delete process.env.NEXT_PUBLIC_ACCESS_TOKEN_ROUTE;
       });
     });
+
+    describe("with a base path", async () => {
+      beforeAll(() => {
+        process.env.NEXT_PUBLIC_BASE_PATH = "/base-path";
+      });
+
+      afterAll(() => {
+        delete process.env.NEXT_PUBLIC_BASE_PATH;
+      });
+
+      it("should call the appropriate handlers when routes are called with base path", async () => {
+        const testCases = [
+          {
+            path: "/auth/login",
+            method: "GET",
+            handler: "handleLogin"
+          },
+          {
+            path: "/auth/logout",
+            method: "GET",
+            handler: "handleLogout"
+          },
+          {
+            path: "/auth/callback",
+            method: "GET",
+            handler: "handleCallback"
+          },
+          {
+            path: "/auth/backchannel-logout",
+            method: "POST",
+            handler: "handleBackChannelLogout"
+          },
+          {
+            path: "/auth/profile",
+            method: "GET",
+            handler: "handleProfile"
+          },
+          {
+            path: "/auth/access-token",
+            method: "GET",
+            handler: "handleAccessToken"
+          }
+        ];
+
+        for (const testCase of testCases) {
+          const secret = await generateSecret(32);
+          const transactionStore = new TransactionStore({
+            secret
+          });
+          const sessionStore = new StatelessSessionStore({
+            secret
+          });
+          const authClient = new AuthClient({
+            transactionStore,
+            sessionStore,
+
+            domain: DEFAULT.domain,
+            clientId: DEFAULT.clientId,
+            clientSecret: DEFAULT.clientSecret,
+
+            secret,
+            appBaseUrl: DEFAULT.appBaseUrl,
+
+            fetch: getMockAuthorizationServer()
+          });
+
+          const request = new NextRequest(
+            // Next.js will strip the base path from the URL
+            new URL(
+              testCase.path,
+              `${DEFAULT.appBaseUrl}/${process.env.NEXT_PUBLIC_BASE_PATH}`
+            ),
+            {
+              method: testCase.method
+            }
+          );
+
+          (authClient as any)[testCase.handler] = vi.fn();
+          await authClient.handler(request);
+          expect((authClient as any)[testCase.handler]).toHaveBeenCalled();
+        }
+      });
+    });
   });
 
   describe("handleLogin", async () => {
@@ -918,6 +1001,55 @@ ca/T0LLtgmbMmxSv/MmzIg==
       );
     });
 
+    describe("with a base path", async () => {
+      beforeAll(() => {
+        process.env.NEXT_PUBLIC_BASE_PATH = "/base-path";
+      });
+
+      afterAll(() => {
+        delete process.env.NEXT_PUBLIC_BASE_PATH;
+      });
+
+      it("should prepend the base path to the redirect_uri", async () => {
+        const secret = await generateSecret(32);
+        const transactionStore = new TransactionStore({
+          secret
+        });
+        const sessionStore = new StatelessSessionStore({
+          secret
+        });
+        const authClient = new AuthClient({
+          transactionStore,
+          sessionStore,
+
+          domain: DEFAULT.domain,
+          clientId: DEFAULT.clientId,
+          clientSecret: DEFAULT.clientSecret,
+
+          secret,
+          appBaseUrl: `${DEFAULT.appBaseUrl}`,
+
+          fetch: getMockAuthorizationServer()
+        });
+        const request = new NextRequest(
+          new URL(
+            process.env.NEXT_PUBLIC_BASE_PATH + "/auth/login",
+            DEFAULT.appBaseUrl
+          ),
+          {
+            method: "GET"
+          }
+        );
+
+        const response = await authClient.handleLogin(request);
+        const authorizationUrl = new URL(response.headers.get("Location")!);
+
+        expect(authorizationUrl.searchParams.get("redirect_uri")).toEqual(
+          `${DEFAULT.appBaseUrl}/base-path/auth/callback`
+        );
+      });
+    });
+
     it("should return an error if the discovery endpoint could not be fetched", async () => {
       const secret = await generateSecret(32);
       const transactionStore = new TransactionStore({
@@ -1600,6 +1732,79 @@ ca/T0LLtgmbMmxSv/MmzIg==
         );
       });
 
+      describe("with a base path", async () => {
+        beforeAll(() => {
+          process.env.NEXT_PUBLIC_BASE_PATH = "/base-path";
+        });
+
+        afterAll(() => {
+          delete process.env.NEXT_PUBLIC_BASE_PATH;
+        });
+
+        it("should prepend the base path to the redirect_uri", async () => {
+          const secret = await generateSecret(32);
+          const transactionStore = new TransactionStore({
+            secret
+          });
+          const sessionStore = new StatelessSessionStore({
+            secret
+          });
+          const authClient = new AuthClient({
+            transactionStore,
+            sessionStore,
+            domain: DEFAULT.domain,
+            clientId: DEFAULT.clientId,
+            clientSecret: DEFAULT.clientSecret,
+            pushedAuthorizationRequests: true,
+            secret,
+            appBaseUrl: DEFAULT.appBaseUrl,
+            fetch: getMockAuthorizationServer({
+              onParRequest: async (request) => {
+                const params = new URLSearchParams(await request.text());
+                expect(params.get("client_id")).toEqual(DEFAULT.clientId);
+                expect(params.get("redirect_uri")).toEqual(
+                  `${DEFAULT.appBaseUrl}/base-path/auth/callback`
+                );
+                expect(params.get("response_type")).toEqual("code");
+                expect(params.get("code_challenge")).toEqual(
+                  expect.any(String)
+                );
+                expect(params.get("code_challenge_method")).toEqual("S256");
+                expect(params.get("state")).toEqual(expect.any(String));
+                expect(params.get("nonce")).toEqual(expect.any(String));
+                expect(params.get("scope")).toEqual(
+                  "openid profile email offline_access"
+                );
+              }
+            })
+          });
+
+          const request = new NextRequest(
+            new URL(
+              process.env.NEXT_PUBLIC_BASE_PATH + "/auth/login",
+              DEFAULT.appBaseUrl
+            ),
+            {
+              method: "GET"
+            }
+          );
+
+          const response = await authClient.handleLogin(request);
+          expect(response.status).toEqual(307);
+          expect(response.headers.get("Location")).not.toBeNull();
+
+          const authorizationUrl = new URL(response.headers.get("Location")!);
+          expect(authorizationUrl.origin).toEqual(`https://${DEFAULT.domain}`);
+          // query parameters should only include the `request_uri` and not the standard auth params
+          expect(authorizationUrl.searchParams.get("request_uri")).toEqual(
+            DEFAULT.requestUri
+          );
+          expect(authorizationUrl.searchParams.get("client_id")).toEqual(
+            DEFAULT.clientId
+          );
+        });
+      });
+
       describe("custom parameters to the authorization server", async () => {
         it("should not forward any custom parameters sent via the query parameters to /auth/login", async () => {
           const secret = await generateSecret(32);
@@ -2335,6 +2540,76 @@ ca/T0LLtgmbMmxSv/MmzIg==
       );
     });
 
+    describe("when a base path is defined", async () => {
+      beforeAll(() => {
+        process.env.NEXT_PUBLIC_BASE_PATH = "/base-path";
+      });
+
+      afterAll(() => {
+        delete process.env.NEXT_PUBLIC_BASE_PATH;
+      });
+
+      it("should generate a callback URL with the base path", async () => {
+        const state = "transaction-state";
+        const code = "auth-code";
+
+        const secret = await generateSecret(32);
+        const transactionStore = new TransactionStore({
+          secret
+        });
+        const sessionStore = new StatelessSessionStore({
+          secret
+        });
+        const authClient = new AuthClient({
+          transactionStore,
+          sessionStore,
+
+          domain: DEFAULT.domain,
+          clientId: DEFAULT.clientId,
+          clientSecret: DEFAULT.clientSecret,
+
+          secret,
+          appBaseUrl: DEFAULT.appBaseUrl,
+
+          fetch: getMockAuthorizationServer()
+        });
+
+        const url = new URL(
+          process.env.NEXT_PUBLIC_BASE_PATH + "/auth/callback",
+          DEFAULT.appBaseUrl
+        );
+        url.searchParams.set("code", code);
+        url.searchParams.set("state", state);
+
+        const headers = new Headers();
+        const transactionState: TransactionState = {
+          nonce: "nonce-value",
+          maxAge: 3600,
+          codeVerifier: "code-verifier",
+          responseType: "code",
+          state: state,
+          returnTo: "/dashboard"
+        };
+        const maxAge = 60 * 60; // 1 hour
+        const expiration = Math.floor(Date.now() / 1000 + maxAge);
+        headers.set(
+          "cookie",
+          `__txn_${state}=${await encrypt(transactionState, secret, expiration)}`
+        );
+        const request = new NextRequest(url, {
+          method: "GET",
+          headers
+        });
+
+        const response = await authClient.handleCallback(request);
+        expect(response.status).toEqual(307);
+        expect(response.headers.get("Location")).not.toBeNull();
+
+        const redirectUrl = new URL(response.headers.get("Location")!);
+        expect(redirectUrl.pathname).toEqual("/base-path/dashboard");
+      });
+    });
+
     it("must use private_key_jwt when a clientAssertionSigningKey is specified", async () => {
       function pemToArrayBuffer(pem: string) {
         const b64 = pem

src/server/auth-client.test.ts

@@ -29,6 +29,7 @@ import {
 import {
   ensureNoLeadingSlash,
   ensureTrailingSlash,
+  normailizeWithBasePath,
   removeTrailingSlash
 } from "../utils/pathUtils";
 import { toSafeRedirect } from "../utils/url-helpers";
@@ -138,7 +139,10 @@ export interface AuthClientOptions {
 }
 
 function createRouteUrl(url: string, base: string) {
-  return new URL(ensureNoLeadingSlash(url), ensureTrailingSlash(base));
+  return new URL(
+    ensureNoLeadingSlash(normailizeWithBasePath(url)),
+    ensureTrailingSlash(base)
+  );
 }
 
 export class AuthClient {