[add] redirectUriCheckController

2025-05-31 15:22:25 +09:00 · 2025-05-31 15:22:25 +09:00 · 9c4b53a6bc
commit 9c4b53a6bc
parent d35af82aae
27 changed files with 1235 additions and 161 deletions
--- a/playground/PKCEDowngrade/src/index.ts
+++ b/playground/PKCEDowngrade/src/index.ts
@ -0,0 +1,94 @@
+import { Hono } from 'hono'
+import { randomBytes, createHash } from 'crypto'
+import { Buffer } from 'buffer'
+
+const app = new Hono()
+
+// In-memory PKCE store (should use Redis or similar in production)
+const pkceStore = new Map<string, string>()
+
+const generateCodeVerifier = () => {
+  return randomBytes(32).toString('hex')
+}
+
+const generateCodeChallenge = (verifier: string) => {
+  const hash = createHash('sha256').update(verifier).digest()
+  return hash.toString('base64url')
+}
+
+// Step 1: Redirect to GitHub with PKCE
+app.get('/login', (c) => {
+  const codeVerifier = generateCodeVerifier()
+  const codeChallenge = generateCodeChallenge(codeVerifier)
+  const state = randomBytes(8).toString('hex')
+
+  pkceStore.set(state, codeVerifier)
+
+  const params = new URLSearchParams({
+    client_id: process.env.GITHUB_CLIENT_ID!,
+    redirect_uri: 'http://localhost:8787/callback',
+    scope: 'read:user',
+    state,
+    response_type: 'code',
+    code_challenge: codeChallenge,
+    code_challenge_method: 'S256',
+  })
+
+  return c.redirect(`https://github.com/login/oauth/authorize?${params}`)
+})
+
+// Step 2: GitHub redirects back here
+app.get('/callback', async (c) => {
+  const url = new URL(c.req.url)
+  const code = url.searchParams.get('code')
+  const state = url.searchParams.get('state')
+
+  if (!code || !state) {
+    return c.text('Missing code or state', 400)
+  }
+
+  const codeVerifier = pkceStore.get(state)
+  if (!codeVerifier) {
+    return c.text('Invalid or expired state', 400)
+  }
+
+  // Step 3: Exchange code + verifier for token
+  const tokenRes = await fetch('https://github.com/login/oauth/access_token', {
+    method: 'POST',
+    headers: {
+      Accept: 'application/json',
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({
+      client_id: process.env.GITHUB_CLIENT_ID,
+      client_secret: process.env.GITHUB_CLIENT_SECRET,
+      code,
+      redirect_uri: 'http://localhost:8787/callback',
+      code_verifier: codeVerifier,
+    }),
+  })
+
+  const tokenData = await tokenRes.json()
+  if (!tokenData.access_token) {
+    return c.text('Failed to get access token', 500)
+  }
+
+  // Step 4: Use token to fetch user profile
+  const userRes = await fetch('https://api.github.com/user', {
+    headers: {
+      Authorization: `Bearer ${tokenData.access_token}`,
+      'User-Agent': 'hono-app',
+    },
+  })
+
+  const user = await userRes.json()
+  return c.json({
+    message: 'GitHub login successful!',
+    user,
+  })
+})
+
+export default { 
+  port: 8787,
+  fetch: app.fetch,
+}