add JWT signing and redirect for login flow (#6129)

Author: jnsdls

apps/login/next.config.ts

@@ -5,7 +5,7 @@ const nextConfig: NextConfig = {
   async headers() {
     return [
       {
-        source: "/api/request",
+        source: "/api/:path*",
         headers: [
           {
             key: "Access-Control-Allow-Origin",

apps/login/package.json

@@ -17,6 +17,7 @@
     "next": "15.1.6",
     "react": "19.0.0",
     "react-dom": "19.0.0",
+    "server-only": "^0.0.1",
     "thirdweb": "workspace:*"
   },
   "devDependencies": {

apps/login/public/logo.svg

@@ -2,69 +2,76 @@
 (function () {
   const globalSetup = getSetup();
 
-  const USER_ADDRESS_KEY = "tw.login:userAddress";
-  const SESSION_KEY_ADDRESS_KEY = "tw.login:sessionKeyAddress";
+  const JWT_KEY = "tw.login:jwt";
   const CODE_KEY = "tw.login:code";
 
-  function main() {
-    // check if redirected first, this sets up the logged in state if it was from redirect
-    const params = parseURLHash(new URL(window.location));
-    if (params && params.code === localStorage.getItem(CODE_KEY)) {
-      // reset the URL hash
-      window.location.hash = "";
-      // reset the code
-      localStorage.setItem(CODE_KEY, params.code);
-      // write the userAddress to local storage
-      localStorage.setItem(USER_ADDRESS_KEY, params.userAddress);
-      // write the sessionKeyAddress to local storage
-      localStorage.setItem(SESSION_KEY_ADDRESS_KEY, params.sessionKeyAddress);
-    }
+  // check if redirected first, this sets up the logged in state if it was from redirect
+  const result = parseURL(new URL(window.location));
+  if (
+    result &&
+    result.length === 2 &&
+    result[1] === localStorage.getItem(CODE_KEY)
+  ) {
+    // reset the URL
+    window.location.hash = "";
+    window.location.search = "";
 
-    const userAddress = localStorage.getItem(USER_ADDRESS_KEY);
-    const sessionKeyAddress = localStorage.getItem(SESSION_KEY_ADDRESS_KEY);
+    // write the jwt to local storage
+    localStorage.setItem(JWT_KEY, result[0]);
+  }
 
-    if (userAddress && sessionKeyAddress) {
-      // handle logged in state
-      handleIsLoggedIn();
-    } else {
-      // handle not logged in state
-      handleNotLoggedIn();
-    }
+  // always reset the code
+  localStorage.removeItem(CODE_KEY);
+
+  const jwt = localStorage.getItem(JWT_KEY);
+
+  if (jwt) {
+    // handle logged in state
+    handleIsLoggedIn();
+  } else {
+    // handle not logged in state
+    handleNotLoggedIn();
   }
 
   function handleIsLoggedIn() {
-    console.log("handleIsLoggedIn");
-
     window.thirdweb = {
       isLoggedIn: true,
-      getAddress: () => getAddress(),
+      getUser: async () => {
+        const res = await fetch(`${globalSetup.baseUrl}/api/user`, {
+          headers: {
+            Authorization: `Bearer ${localStorage.getItem(JWT_KEY)}`,
+          },
+        });
+        return res.json();
+      },
       logout: () => {
-        window.localStorage.removeItem(USER_ADDRESS_KEY);
-        window.localStorage.removeItem(SESSION_KEY_ADDRESS_KEY);
+        window.localStorage.removeItem(JWT_KEY);
         window.location.reload();
       },
     };
+
+    renderFloatingBubble(true);
   }
 
   function handleNotLoggedIn() {
     window.thirdweb = { login: onLogin, isLoggedIn: false };
+    renderFloatingBubble(false);
   }
 
   function onLogin() {
-    const code = window.crypto.getRandomValues(new Uint8Array(4)).join("");
+    const code = window.crypto.getRandomValues(new Uint8Array(16)).join("");
     localStorage.setItem(CODE_KEY, code);
     // redirect to the login page
     const redirect = new URL(globalSetup.baseUrl);
     redirect.searchParams.set("code", code);
     redirect.searchParams.set("clientId", globalSetup.clientId);
-    redirect.searchParams.set("redirect", window.location.href);
+    redirect.searchParams.set(
+      "redirect",
+      window.location.origin + window.location.pathname,
+    );
     window.location.href = redirect.href;
   }
 
-  function getAddress() {
-    return localStorage.getItem(USER_ADDRESS_KEY);
-  }
-
   // utils
   function getSetup() {
     const el = document.currentScript;
@@ -74,52 +81,113 @@
     const baseUrl = new URL(el.src).origin;
     const dataset = el.dataset;
     const clientId = dataset.clientId;
+    const theme = dataset.theme || "dark";
     if (!clientId) {
       throw new Error("Missing client-id");
     }
-    return { clientId, baseUrl };
+    return { clientId, baseUrl, theme };
   }
 
   /**
    * @param {URL} url
-   * @returns null | { [key: string]: string }
+   * @returns null | [string, string]
    */
-  function parseURLHash(url) {
-    if (!url.hash) {
-      return null;
-    }
+  function parseURL(url) {
     try {
-      return decodeHash(url.hash);
+      const hash = url.hash.startsWith("#") ? url.hash.slice(1) : url.hash;
+      const code = url.searchParams.get("code");
+      if (!hash || !code) {
+        return null;
+      }
+      return [hash, code];
     } catch {
       // if this fails, invalid data -> return null
       return null;
     }
   }
 
-  /**
-   * Decodes a URL hash string to extract the three keys.
-   *
-   * @param {string} hash - A string like "#eyJrZXkxIjoiVmFsdWU..."
-   * @returns {{ userAddress: string, sessionKeyAddress: string, code: string }} An object with the three keys
-   */
-  function decodeHash(hash) {
-    // Remove the "#" prefix, if present.
-    const base64Data = hash.startsWith("#") ? hash.slice(1) : hash;
-
-    // Decode the Base64 string, then parse the JSON.
-    const jsonString = atob(base64Data);
-    const data = JSON.parse(jsonString);
-
-    // data should have the shape { userAddress, sessionKeyAddress, code }.
-    if (
-      "userAddress" in data &&
-      "sessionKeyAddress" in data &&
-      "code" in data
-    ) {
-      return data;
-    }
-    return null;
+  async function renderFloatingBubble(loggedIn) {
+    const el = document.createElement("div");
+    el.id = "tw-floating-bubble";
+    el.style.position = "fixed";
+    el.style.bottom = "24px";
+    el.style.right = "24px";
+    el.style.zIndex = "1000";
+    el.style.width = "138px";
+    el.style.height = "40px";
+    el.style.backgroundColor =
+      globalSetup.theme === "dark" ? "#131418" : "#ffffff";
+    el.style.color = globalSetup.theme === "dark" ? "white" : "black";
+    el.style.borderRadius = "8px";
+    el.style.placeItems = "center";
+    el.style.fontSize = loggedIn ? "12px" : "12px";
+    el.style.cursor = "pointer";
+    el.style.overflow = "hidden";
+    el.style.boxShadow = "1px 1px 10px rgba(0, 0, 0, 0.5)";
+    el.style.display = "flex";
+    el.style.alignItems = "center";
+    el.style.justifyContent = "space-around";
+    el.style.fontFamily = "sans-serif";
+    el.style.gap = "8px";
+    el.style.padding = "0px 8px";
+    el.onclick = () => {
+      if (loggedIn) {
+        window.thirdweb.logout();
+      } else {
+        window.thirdweb.login();
+      }
+    };
+    el.innerHTML = loggedIn ? await renderBlobbie() : renderThirdwebLogo();
+    document.body.appendChild(el);
+  }
+
+  function renderThirdwebLogo() {
+    const el = document.createElement("img");
+    el.src = `${globalSetup.baseUrl}/logo.svg`;
+    el.style.height = "16px";
+    el.style.objectFit = "contain";
+    el.style.flexShrink = "0";
+    el.style.marginLeft = "-4px";
+    return `${el.outerHTML} <span>Login</span><span></span>`;
   }
 
-  main();
+  async function renderBlobbie() {
+    const address = (await window.thirdweb.getUser()).address;
+
+    function hexToNumber(hex) {
+      if (typeof hex !== "string")
+        throw new Error(`hex string expected, got ${typeof hex}`);
+      return hex === "" ? _0n : BigInt(`0x${hex}`);
+    }
+
+    const COLOR_OPTIONS = [
+      ["#fca5a5", "#b91c1c"],
+      ["#fdba74", "#c2410c"],
+      ["#fcd34d", "#b45309"],
+      ["#fde047", "#a16207"],
+      ["#a3e635", "#4d7c0f"],
+      ["#86efac", "#15803d"],
+      ["#67e8f9", "#0e7490"],
+      ["#7dd3fc", "#0369a1"],
+      ["#93c5fd", "#1d4ed8"],
+      ["#a5b4fc", "#4338ca"],
+      ["#c4b5fd", "#6d28d9"],
+      ["#d8b4fe", "#7e22ce"],
+      ["#f0abfc", "#a21caf"],
+      ["#f9a8d4", "#be185d"],
+      ["#fda4af", "#be123c"],
+    ];
+    const colors =
+      COLOR_OPTIONS[
+        Number(hexToNumber(address.slice(2, 4))) % COLOR_OPTIONS.length
+      ];
+    const el = document.createElement("div");
+    el.style.backgroundImage = `radial-gradient(ellipse at left bottom, ${colors[0]}, ${colors[1]})`;
+    el.style.width = "24px";
+    el.style.height = "24px";
+    el.style.borderRadius = "50%";
+    el.style.flexShrink = "0";
+
+    return `${el.outerHTML}<span>${address.slice(0, 6)}...${address.slice(-4)}</span><span></span>`;
+  }
 })();

apps/login/public/twl.js

@@ -0,0 +1,33 @@
+import { type NextRequest, NextResponse } from "next/server";
+import { verifyJWT } from "../../authorization/jwt";
+
+export const GET = async (req: NextRequest) => {
+  const jwt = req.headers.get("Authorization")?.split("Bearer ")[1];
+  if (!jwt) {
+    return NextResponse.json(
+      {
+        message: "No JWT provided",
+      },
+      {
+        status: 401,
+      },
+    );
+  }
+
+  try {
+    const verifiedPayload = await verifyJWT(jwt);
+    return NextResponse.json({
+      address: verifiedPayload.sub,
+    });
+  } catch (e) {
+    console.error("failed", e);
+    return NextResponse.json(
+      {
+        message: "Invalid JWT",
+      },
+      {
+        status: 401,
+      },
+    );
+  }
+};