Code-based authorization for Drop clients (#145)

* feat: code-based authorization

* fix: final touches

* fix: require session on code fetch endpoint

* feat: better error handling

* refactor: move auth send to client handler

* fix: lint
This commit is contained in:
DecDuck
2025-08-01 13:11:56 +10:00
committed by GitHub
parent 786ad0ff82
commit b72e1ef7a4
13 changed files with 396 additions and 52 deletions
@@ -8,13 +8,19 @@ export default defineEventHandler(async (h3) => {
const body = await readBody(h3);
const clientId = await body.id;
const data = await clientHandler.fetchClientMetadata(clientId);
if (!data)
const client = await clientHandler.fetchClient(clientId);
if (!client)
throw createError({
statusCode: 400,
statusMessage: "Invalid or expired client ID.",
});
if (client.userId != user.userId)
throw createError({
statusCode: 403,
statusMessage: "Not allowed to authorize this client.",
});
const token = await clientHandler.generateAuthToken(clientId);
return {