Merge pull request #8 from zunalita/main

sync

Author: zunalita-admin

api-map.json

@@ -1,4 +1,7 @@
 [
+  "lib/cors",
+  "lib/env",
+  "lib/github",
   "oauth",
   "revoke"
 ]

api/lib/cors.js

@@ -0,0 +1,13 @@
+export function setCors(res) {
+  res.setHeader("Access-Control-Allow-Origin", "https://zunalita.github.io");
+  res.setHeader("Access-Control-Allow-Methods", "POST, OPTIONS");
+  res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
+}
+
+export function handleOptions(req, res) {
+  if (req.method === "OPTIONS") {
+    res.status(204).end();
+    return true;
+  }
+  return false;
+}

api/lib/env.js

@@ -0,0 +1,12 @@
+export function requireClientCreds() {
+  const client_id = process.env.GITHUB_CLIENT_ID;
+  const client_secret = process.env.GITHUB_CLIENT_SECRET;
+
+  if (!client_id || !client_secret) {
+    const err = new Error('Server misconfigured: missing GITHUB_CLIENT_ID or GITHUB_CLIENT_SECRET');
+    err.code = 'MISSING_GITHUB_CREDS';
+    throw err;
+  }
+
+  return { client_id, client_secret };
+}

api/lib/github.js

@@ -0,0 +1,48 @@
+async function fetchJson(url, options) {
+  const res = await fetch(url, options);
+  const text = await res.text();
+  try {
+    return { ok: res.ok, status: res.status, body: JSON.parse(text) };
+  } catch (e) {
+    return { ok: res.ok, status: res.status, body: text };
+  }
+}
+
+export async function exchangeCodeForToken(code, client_id, client_secret) {
+  const { ok, status, body } = await fetchJson("https://github.com/login/oauth/access_token", {
+    method: "POST",
+    headers: { "Content-Type": "application/json", "Accept": "application/json" },
+    body: JSON.stringify({ client_id, client_secret, code }),
+  });
+
+  if (!ok) {
+    throw new Error(`GitHub token exchange failed: ${status} ${JSON.stringify(body)}`);
+  }
+
+  if (body && body.error) {
+    throw new Error(body.error_description || body.error);
+  }
+
+  return body && body.access_token;
+}
+
+export async function revokeToken(token, client_id, client_secret) {
+  const { ok, status, body } = await fetchJson(
+    `https://api.github.com/applications/${client_id}/token`,
+    {
+      method: "DELETE",
+      headers: {
+        "Content-Type": "application/json",
+        "Accept": "application/json",
+        "Authorization": `Basic ${Buffer.from(`${client_id}:${client_secret}`).toString("base64")}`,
+      },
+      body: JSON.stringify({ access_token: token }),
+    }
+  );
+
+  if (!ok) {
+    throw new Error(`GitHub token revocation failed: ${status} ${JSON.stringify(body)}`);
+  }
+
+  return true;
+}

api/oauth.js

@@ -1,56 +1,33 @@
-export default async function handler(req, res) {
-  res.setHeader("Access-Control-Allow-Origin", "https://zunalita.github.io");
-  res.setHeader("Access-Control-Allow-Methods", "POST, OPTIONS");
-  res.setHeader("Access-Control-Allow-Headers", "Content-Type");
+import { setCors, handleOptions } from './lib/cors.js';
+import { requireClientCreds } from './lib/env.js';
+import { exchangeCodeForToken } from './lib/github.js';
 
-  if (req.method === "OPTIONS") {
-    return res.status(204).end();
-  }
+export default async function handler(req, res) {
+  setCors(res);
+  if (handleOptions(req, res)) return;
 
-  if (req.method !== "POST") {
-    return res.status(405).json({ error: "Method not allowed" });
+  if (req.method !== 'POST') {
+    return res.status(405).json({ error: 'Method not allowed' });
   }
 
-  const { code } = req.body;
-
+  const { code } = req.body || {};
   if (!code) {
-    return res.status(400).json({ error: "Missing code" });
+    return res.status(400).json({ error: 'Missing code' });
   }
 
-  const client_id = process.env.GITHUB_CLIENT_ID;
-  const client_secret = process.env.GITHUB_CLIENT_SECRET;
-
-  if (!client_id || !client_secret) {
-    return res.status(500).json({ error: "Server misconfigured" });
+  let client_id, client_secret;
+  try {
+    ({ client_id, client_secret } = requireClientCreds());
+  } catch (err) {
+    console.error(err);
+    return res.status(500).json({ error: 'Server misconfigured' });
   }
 
   try {
-    const tokenRes = await fetch("https://github.com/login/oauth/access_token", {
-      method: "POST",
-      headers: { "Content-Type": "application/json", "Accept": "application/json" },
-      body: JSON.stringify({
-        client_id,
-        client_secret,
-        code,
-      }),
-    });
-
-    if (!tokenRes.ok) {
-      const errText = await tokenRes.text();
-      throw new Error(`GitHub responded: ${errText}`);
-    }
-
-    const data = await tokenRes.json();
-
-    if (data.error) {
-      return res.status(400).json({ error: data.error_description || data.error });
-    }
-
-    const access_token = data.access_token;
-
-    res.status(200).json({ token: access_token });
+    const access_token = await exchangeCodeForToken(code, client_id, client_secret);
+    return res.status(200).json({ token: access_token });
   } catch (err) {
     console.error(err);
-    res.status(500).json({ error: "OAuth exchange failed" });
+    return res.status(500).json({ error: 'OAuth exchange failed' });
   }
 }

api/revoke.js

@@ -1,59 +1,40 @@
+import { setCors, handleOptions } from './lib/cors.js';
+import { requireClientCreds } from './lib/env.js';
+import { revokeToken } from './lib/github.js';
+
 // Revoking oauth user tokens for more security at Zunalita!
 export default async function handler(req, res) {
-  // Set CORS headers
-  res.setHeader("Access-Control-Allow-Origin", "https://zunalita.github.io");
-  res.setHeader("Access-Control-Allow-Methods", "POST, OPTIONS");
-  res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
-
-  if (req.method === "OPTIONS") {
-    return res.status(204).end();
-  }
+  setCors(res);
+  if (handleOptions(req, res)) return;
 
-  if (req.method !== "POST") {
-    return res.status(405).json({ error: "method not allowed" });
+  if (req.method !== 'POST') {
+    return res.status(405).json({ error: 'method not allowed' });
   }
 
-  const { token } = req.body;
-
+  const { token } = req.body || {};
   if (!token) {
-    return res.status(400).json({ error: "missing token" });
+    return res.status(400).json({ error: 'missing token' });
   }
 
-  // --- Prefix check (quick validation) ---
-  const validPrefixes = ["ghp_", "gho_", "ghu_", "ghs_", "ghr_"];
+  // quick format validation
+  const validPrefixes = ['ghp_', 'gho_', 'ghu_', 'ghs_', 'ghr_'];
   if (!validPrefixes.some(prefix => token.startsWith(prefix))) {
-    return res.status(400).json({ error: "invalid token format" });
+    return res.status(400).json({ error: 'invalid token format' });
   }
 
-  const client_id = process.env.GITHUB_CLIENT_ID;
-  const client_secret = process.env.GITHUB_CLIENT_SECRET;
-
-  if (!client_id || !client_secret) {
-    return res.status(500).json({ error: "server misconfigured" });
+  let client_id, client_secret;
+  try {
+    ({ client_id, client_secret } = requireClientCreds());
+  } catch (err) {
+    console.error(err);
+    return res.status(500).json({ error: 'server misconfigured' });
   }
 
   try {
-    const tokenRevocationRes = await fetch(
-      `https://api.github.com/applications/${client_id}/token`,
-      {
-        method: "DELETE",
-        headers: {
-          "Content-Type": "application/json",
-          "Accept": "application/json",
-          "Authorization": `Basic ${Buffer.from(`${client_id}:${client_secret}`).toString("base64")}`,
-        },
-        body: JSON.stringify({ access_token: token }),
-      }
-    );
-
-    if (!tokenRevocationRes.ok) {
-      const errText = await tokenRevocationRes.text();
-      throw new Error(`gitHub responded with an error during token revocation: ${errText}`);
-    }
-
-    res.status(200).json({ message: "token revoked successfully" });
+    await revokeToken(token, client_id, client_secret);
+    return res.status(200).json({ message: 'token revoked successfully' });
   } catch (err) {
     console.error(err);
-    res.status(500).json({ error: "token revocation failed" });
+    return res.status(500).json({ error: 'token revocation failed' });
   }
 }