chore: store provider accessToken into secure cookie

Author: peppescg

src/lib/auth.ts

@@ -1,10 +1,14 @@
 import type { BetterAuthOptions } from "better-auth";
 import { betterAuth } from "better-auth";
 import { genericOAuth } from "better-auth/plugins";
+import crypto from "crypto";
+import { cookies } from "next/headers";
 
 const OIDC_PROVIDER_ID = process.env.OIDC_PROVIDER_ID || "oidc";
 const OIDC_ISSUER = process.env.OIDC_ISSUER || "";
 const BASE_URL = process.env.BETTER_AUTH_URL || "http://localhost:3000";
+const ENCRYPTION_KEY =
+  process.env.BETTER_AUTH_SECRET || "build-time-placeholder";
 
 const trustedOrigins = process.env.TRUSTED_ORIGINS
   ? process.env.TRUSTED_ORIGINS.split(",").map((s) => s.trim())
@@ -14,6 +18,56 @@ if (!trustedOrigins.includes(BASE_URL)) {
   trustedOrigins.push(BASE_URL);
 }
 
+/**
+ * Encrypts data using AES-256-GCM (AEAD).
+ * Provides both confidentiality and integrity/authentication.
+ */
+function encrypt(text: string): string {
+  const key = crypto.scryptSync(ENCRYPTION_KEY, "salt", 32);
+  const iv = crypto.randomBytes(12); // GCM recommends 12 bytes
+  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+
+  const encrypted = Buffer.concat([
+    cipher.update(text, "utf8"),
+    cipher.final(),
+  ]);
+
+  const authTag = cipher.getAuthTag();
+
+  return [
+    iv.toString("hex"),
+    authTag.toString("hex"),
+    encrypted.toString("hex"),
+  ].join(":");
+}
+
+/**
+ * Decrypts data encrypted with AES-256-GCM.
+ * Verifies authenticity before decryption.
+ */
+function decrypt(payload: string): string {
+  const key = crypto.scryptSync(ENCRYPTION_KEY, "salt", 32);
+  const [ivHex, tagHex, encryptedHex] = payload.split(":");
+
+  if (!ivHex || !tagHex || !encryptedHex) {
+    throw new Error("Invalid encrypted data format");
+  }
+
+  const iv = Buffer.from(ivHex, "hex");
+  const authTag = Buffer.from(tagHex, "hex");
+  const encrypted = Buffer.from(encryptedHex, "hex");
+
+  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(authTag);
+
+  const decrypted = Buffer.concat([
+    decipher.update(encrypted),
+    decipher.final(),
+  ]);
+
+  return decrypted.toString("utf8");
+}
+
 export const auth = betterAuth({
   secret: process.env.BETTER_AUTH_SECRET || "build-time-placeholder",
   baseURL: BASE_URL,
@@ -38,4 +92,87 @@ export const auth = betterAuth({
       ],
     }),
   ],
+  // Use databaseHooks to save tokens in HTTP-only cookie after account creation
+  databaseHooks: {
+    account: {
+      create: {
+        after: async (account) => {
+          if (account.accessToken && account.userId) {
+            const expiresAt = account.accessTokenExpiresAt
+              ? new Date(account.accessTokenExpiresAt).getTime()
+              : Date.now() + 3600000;
+
+            const tokenData = JSON.stringify({
+              accessToken: account.accessToken,
+              refreshToken: account.refreshToken || undefined,
+              expiresAt,
+              userId: account.userId,
+            });
+
+            const encrypted = encrypt(tokenData);
+            const cookieStore = await cookies();
+
+            cookieStore.set("oidc_token", encrypted, {
+              httpOnly: true,
+              secure: process.env.NODE_ENV === "production",
+              sameSite: "lax",
+              maxAge: 60 * 60 * 24 * 7, // 7 days
+              path: "/",
+            });
+          }
+        },
+      },
+    },
+  },
 } as BetterAuthOptions);
+
+/**
+ * Retrieves the OIDC provider access token from HTTP-only cookie.
+ * Returns null if token not found, expired, or belongs to different user.
+ */
+export async function getOidcProviderAccessToken(
+  userId: string,
+): Promise<string | null> {
+  try {
+    const cookieStore = await cookies();
+    const encryptedCookie = cookieStore.get("oidc_token");
+
+    if (!encryptedCookie?.value) {
+      return null;
+    }
+
+    const decrypted = decrypt(encryptedCookie.value);
+    const tokenData = JSON.parse(decrypted) as {
+      accessToken: string;
+      refreshToken?: string;
+      expiresAt: number;
+      userId: string;
+    };
+
+    // Verify the token belongs to the current user
+    if (tokenData.userId !== userId) {
+      return null;
+    }
+
+    // Check if token is expired
+    const now = Date.now();
+    if (tokenData.expiresAt < now) {
+      // Clear expired cookie
+      cookieStore.delete("oidc_token");
+      return null;
+    }
+
+    return tokenData.accessToken;
+  } catch (error) {
+    console.error("[Auth] Error reading OIDC token from cookie:", error);
+    return null;
+  }
+}
+
+/**
+ * Clears the OIDC token cookie (useful for logout).
+ */
+export async function clearOidcProviderToken(): Promise<void> {
+  const cookieStore = await cookies();
+  cookieStore.delete("oidc_token");
+}