Code-based authorization for Drop clients (#145)

* feat: code-based authorization * fix: final touches * fix: require session on code fetch endpoint * feat: better error handling * refactor: move auth send to client handler * fix: lint
2025-08-01 13:11:56 +10:00
parent 786ad0ff82
commit b72e1ef7a4
13 changed files with 396 additions and 52 deletions
@@ -0,0 +1,21 @@
+import clientHandler from "~/server/internal/clients/handler";
+import sessionHandler from "~/server/internal/session";
+
+export default defineEventHandler(async (h3) => {
+  const user = await sessionHandler.getSession(h3);
+  if (!user) throw createError({ statusCode: 403 });
+
+  const query = getQuery(h3);
+  const code = query.code?.toString()?.toUpperCase();
+  if (!code)
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Code required in query params.",
+    });
+
+  const clientId = await clientHandler.fetchClientIdByCode(code);
+  if (!clientId)
+    throw createError({ statusCode: 400, statusMessage: "Invalid code." });
+
+  return clientId;
+});