as-a-bot/worker-web.js at main · ai-ecoverse/as-a-bot · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
/**
 * GitHub App Token Broker - Web Flow Implementation
 *
 * Provides user-to-server GitHub tokens via web-based OAuth flow for proper user attribution.
 * This should create tokens with app badge attribution.
 */

import { signJWT } from './jwt-simple.js';

// Handle /auth/start endpoint - initiate web flow
async function handleAuthStart(request, env) {
  const state = crypto.randomUUID();
  const clientId = env.GITHUB_CLIENT_ID;

  if (!clientId) {
    return new Response(JSON.stringify({
      error: 'GitHub Client ID not configured'
    }), {
      status: 500,
      headers: { 'Content-Type': 'application/json' }
    });
  }

  // Store state in KV for later verification
  if (env.AUTH_STATES) {
    await env.AUTH_STATES.put(state, JSON.stringify({
      created_at: Date.now(),
      status: 'pending'
    }), {
      expirationTtl: 600 // 10 minutes
    });
  }

  // Build GitHub OAuth URL
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: `${new URL(request.url).origin}/auth/callback`,
    state: state
    // Don't include scope for GitHub Apps - they use fine-grained permissions
  });

  const authUrl = `https://github.com/login/oauth/authorize?${params}`;

  return new Response(JSON.stringify({
    auth_url: authUrl,
    state: state,
    expires_in: 600
  }), {
    status: 200,
    headers: { 'Content-Type': 'application/json' }
  });
}

// Handle /auth/callback endpoint - GitHub redirects here
async function handleAuthCallback(request, env) {
  const url = new URL(request.url);
  const code = url.searchParams.get('code');
  let state = url.searchParams.get('state');
  const installationId = url.searchParams.get('installation_id');
  const setupAction = url.searchParams.get('setup_action');

  // Handle installation flow (no state, but has installation_id)
  if (code && installationId && setupAction === 'install') {
    // This is an installation flow callback
    // For installation flow, we don't have a pre-existing state
    state = `install-${installationId}`;
  }

  if (!code) {
    return new Response('Missing code', { status: 400 });
  }

  // For regular OAuth flow, verify state exists
  if (!installationId && env.AUTH_STATES) {
    const stateData = await env.AUTH_STATES.get(state, 'json');
    if (!stateData) {
      return new Response('Invalid or expired state', { status: 400 });
    }
  }

  // Exchange code for token
  const tokenUrl = 'https://github.com/login/oauth/access_token';
  const clientId = env.GITHUB_CLIENT_ID;
  const clientSecret = env.GITHUB_CLIENT_SECRET;

  if (!clientSecret) {
    return new Response('Client secret not configured', { status: 500 });
  }

  const tokenResponse = await fetch(tokenUrl, {
    method: 'POST',
    headers: {
      'Accept': 'application/json',
      'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: new URLSearchParams({
      client_id: clientId,
      client_secret: clientSecret,
      code: code,
      state: state
    }).toString()
  });

  const tokenData = await tokenResponse.json();

  if (tokenData.error) {
    return new Response(`Error: ${tokenData.error_description}`, { status: 400 });
  }

  // Store token in KV for polling
  if (env.AUTH_STATES) {
    await env.AUTH_STATES.put(state, JSON.stringify({
      created_at: Date.now(),
      status: 'completed',
      access_token: tokenData.access_token,
      token_type: tokenData.token_type,
      scope: tokenData.scope
    }), {
      expirationTtl: 300 // 5 minutes to poll
    });
  }

  // Return success page
  return new Response(`
    <!DOCTYPE html>
    <html>
    <head>
      <title>Authorization Successful</title>
      <style>
        body {
          font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif;
          display: flex;
          justify-content: center;
          align-items: center;
          height: 100vh;
          margin: 0;
          background: #0d1117;
          color: #c9d1d9;
        }
        .container {
          text-align: center;
          padding: 2rem;
          background: #161b22;
          border: 1px solid #30363d;
          border-radius: 6px;
        }
        .success {
          color: #3fb950;
          font-size: 48px;
          margin-bottom: 1rem;
        }
        h1 {
          margin: 0 0 0.5rem 0;
          font-size: 24px;
        }
        p {
          color: #8b949e;
          margin: 0;
        }
      </style>
    </head>
    <body>
      <div class="container">
        <div class="success">✓</div>
        <h1>Authorization Successful</h1>
        <p>You can now close this window and return to your terminal.</p>
      </div>
    </body>
    </html>
  `, {
    status: 200,
    headers: { 'Content-Type': 'text/html' }
  });
}

// Handle /auth/poll endpoint - CLI polls this
async function handleAuthPoll(request, env, body) {
  const { state } = body;

  if (!state) {
    return new Response(JSON.stringify({
      error: 'state is required'
    }), {
      status: 400,
      headers: { 'Content-Type': 'application/json' }
    });
  }

  if (!env.AUTH_STATES) {
    return new Response(JSON.stringify({
      error: 'server_error',
      error_description: 'Auth state storage not configured'
    }), {
      status: 503,
      headers: { 'Content-Type': 'application/json' }
    });
  }

  const stateData = await env.AUTH_STATES.get(state, 'json');

  if (!stateData) {
    return new Response(JSON.stringify({
      error: 'expired_token',
      error_description: 'State has expired or does not exist'
    }), {
      status: 400,
      headers: { 'Content-Type': 'application/json' }
    });
  }

  if (stateData.status === 'pending') {
    return new Response(JSON.stringify({
      error: 'authorization_pending',
      error_description: 'User has not yet completed authorization'
    }), {
      status: 202,
      headers: { 'Content-Type': 'application/json' }
    });
  }

  if (stateData.status === 'completed') {
    // Clean up state
    await env.AUTH_STATES.delete(state);

    // Return token
    return new Response(JSON.stringify({
      access_token: stateData.access_token,
      token_type: stateData.token_type || 'bearer',
      scope: stateData.scope
    }), {
      status: 200,
      headers: {
        'Content-Type': 'application/json',
        'Cache-Control': 'no-store'
      }
    });
  }

  return new Response(JSON.stringify({
    error: 'server_error',
    error_description: 'Invalid state status'
  }), {
    status: 500,
    headers: { 'Content-Type': 'application/json' }
  });
}

// Main request handler
export default {
  async fetch(request, env, ctx) {
    const url = new URL(request.url);

    // Health check
    if (request.method === 'GET' && url.pathname === '/') {
      return new Response(JSON.stringify({
        status: 'healthy',
        service: 'GitHub App Token Broker - Web Flow',
        endpoints: {
          '/auth/start': 'Start web authorization flow (POST)',
          '/auth/callback': 'OAuth callback (GET)',
          '/auth/poll': 'Poll for authorization completion (POST)'
        }
      }), {
        status: 200,
        headers: { 'Content-Type': 'application/json' }
      });
    }

    // Route requests
    try {
      switch (url.pathname) {
        case '/auth/start':
          if (request.method !== 'POST') {
            return new Response('Method not allowed', { status: 405 });
          }
          return await handleAuthStart(request, env);

        case '/auth/callback':
          if (request.method !== 'GET') {
            return new Response('Method not allowed', { status: 405 });
          }
          return await handleAuthCallback(request, env);

        case '/auth/poll':
          if (request.method !== 'POST') {
            return new Response('Method not allowed', { status: 405 });
          }
          const body = await request.json().catch(() => ({}));
          return await handleAuthPoll(request, env, body);

        default:
          return new Response('Not found', { status: 404 });
      }
    } catch (error) {
      console.error('Error:', error);
      return new Response(JSON.stringify({
        error: 'internal_error',
        message: error.message
      }), {
        status: 500,
        headers: { 'Content-Type': 'application/json' }
      });
    }
  }
};