Code-based authorization for Drop clients (#145)

* feat: code-based authorization

* fix: final touches

* fix: require session on code fetch endpoint

* feat: better error handling

* refactor: move auth send to client handler

* fix: lint

server/api/v1/client/auth/callback/index.get.ts

@@ -1,26 +0,0 @@
-import clientHandler from "~/server/internal/clients/handler";
-import sessionHandler from "~/server/internal/session";
-
-export default defineEventHandler(async (h3) => {
-  const user = await sessionHandler.getSession(h3);
-  if (!user) throw createError({ statusCode: 403 });
-
-  const query = getQuery(h3);
-  const providedClientId = query.id?.toString();
-  if (!providedClientId)
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Provide client ID in request params as 'id'",
-    });
-
-  const data = await clientHandler.fetchClientMetadata(providedClientId);
-  if (!data)
-    throw createError({
-      statusCode: 404,
-      statusMessage: "Request not found.",
-    });
-
-  await clientHandler.attachUserId(providedClientId, user.userId);
-
-  return data;
-});

server/api/v1/client/auth/callback/index.post.ts

@@ -8,13 +8,19 @@ export default defineEventHandler(async (h3) => {
   const body = await readBody(h3);
   const clientId = await body.id;
 
-  const data = await clientHandler.fetchClientMetadata(clientId);
-  if (!data)
+  const client = await clientHandler.fetchClient(clientId);
+  if (!client)
     throw createError({
       statusCode: 400,
       statusMessage: "Invalid or expired client ID.",
     });
 
+  if (client.userId != user.userId)
+    throw createError({
+      statusCode: 403,
+      statusMessage: "Not allowed to authorize this client.",
+    });
+
   const token = await clientHandler.generateAuthToken(clientId);
 
   return {