feat(backend/oauth): allow CORS for token endpoint (#12814)

* feat(backend/oauth): allow CORS for token endpoint

* no need to explicitly set origin to `*`

* Update CHANGELOG.md

1 files changed, 39 insertions, 32 deletions

diff --git a/packages/backend/src/server/oauth/OAuth2ProviderService.ts b/packages/backend/src/server/oauth/OAuth2ProviderService.ts
index 5c18f452ce..2253078582 100644
--- a/packages/backend/src/server/oauth/OAuth2ProviderService.ts
+++ b/packages/backend/src/server/oauth/OAuth2ProviderService.ts
@@ -11,6 +11,7 @@ import httpLinkHeader from 'http-link-header';
 import ipaddr from 'ipaddr.js';
 import oauth2orize, { type OAuth2, AuthorizationError, ValidateFunctionArity2, OAuth2Req, MiddlewareRequest } from 'oauth2orize';
 import oauth2Pkce from 'oauth2orize-pkce';
+import fastifyCors from '@fastify/cors';
 import fastifyView from '@fastify/view';
 import pug from 'pug';
 import bodyParser from 'body-parser';
@@ -348,25 +349,25 @@ export class OAuth2ProviderService {
 		}));
 	}
 
+	// https://datatracker.ietf.org/doc/html/rfc8414.html
+	// https://indieauth.spec.indieweb.org/#indieauth-server-metadata
+	public generateRFC8414() {
+		return {
+			issuer: this.config.url,
+			authorization_endpoint: new URL('/oauth/authorize', this.config.url),
+			token_endpoint: new URL('/oauth/token', this.config.url),
+			scopes_supported: kinds,
+			response_types_supported: ['code'],
+			grant_types_supported: ['authorization_code'],
+			service_documentation: 'https://misskey-hub.net',
+			code_challenge_methods_supported: ['S256'],
+			authorization_response_iss_parameter_supported: true,
+		};
+	}
+
 	@bindThis
 	public async createServer(fastify: FastifyInstance): Promise<void> {
-		// https://datatracker.ietf.org/doc/html/rfc8414.html
-		// https://indieauth.spec.indieweb.org/#indieauth-server-metadata
-		fastify.get('/.well-known/oauth-authorization-server', async (_request, reply) => {
-			reply.send({
-				issuer: this.config.url,
-				authorization_endpoint: new URL('/oauth/authorize', this.config.url),
-				token_endpoint: new URL('/oauth/token', this.config.url),
-				scopes_supported: kinds,
-				response_types_supported: ['code'],
-				grant_types_supported: ['authorization_code'],
-				service_documentation: 'https://misskey-hub.net',
-				code_challenge_methods_supported: ['S256'],
-				authorization_response_iss_parameter_supported: true,
-			});
-		});
-
-		fastify.get('/oauth/authorize', async (request, reply) => {
+		fastify.get('/authorize', async (request, reply) => {
 			const oauth2 = (request.raw as MiddlewareRequest).oauth2;
 			if (!oauth2) {
 				throw new Error('Unexpected lack of authorization information');
@@ -381,8 +382,7 @@ export class OAuth2ProviderService {
 				scope: oauth2.req.scope.join(' '),
 			});
 		});
-		fastify.post('/oauth/decision', async () => { });
-		fastify.post('/oauth/token', async () => { });
+		fastify.post('/decision', async () => { });
 
 		fastify.register(fastifyView, {
 			root: fileURLToPath(new URL('../web/views', import.meta.url)),
@@ -394,7 +394,7 @@ export class OAuth2ProviderService {
 		});
 
 		await fastify.register(fastifyExpress);
-		fastify.use('/oauth/authorize', this.#server.authorize(((areq, done) => {
+		fastify.use('/authorize', this.#server.authorize(((areq, done) => {
 			(async (): Promise<Parameters<typeof done>> => {
 				// This should return client/redirectURI AND the error, or
 				// the handler can't send error to the redirection URI
@@ -448,30 +448,24 @@ export class OAuth2ProviderService {
 				return [null, clientInfo, redirectURI];
 			})().then(args => done(...args), err => done(err));
 		}) as ValidateFunctionArity2));
-		fastify.use('/oauth/authorize', this.#server.errorHandler({
+		fastify.use('/authorize', this.#server.errorHandler({
 			mode: 'indirect',
 			modes: getQueryMode(this.config.url),
 		}));
-		fastify.use('/oauth/authorize', this.#server.errorHandler());
+		fastify.use('/authorize', this.#server.errorHandler());
 
-		fastify.use('/oauth/decision', bodyParser.urlencoded({ extended: false }));
-		fastify.use('/oauth/decision', this.#server.decision((req, done) => {
+		fastify.use('/decision', bodyParser.urlencoded({ extended: false }));
+		fastify.use('/decision', this.#server.decision((req, done) => {
 			const { body } = req as OAuth2DecisionRequest;
 			this.#logger.info(`Received the decision. Cancel: ${!!body.cancel}`);
 			req.user = body.login_token;
 			done(null, undefined);
 		}));
-		fastify.use('/oauth/decision', this.#server.errorHandler());
-
-		// Clients may use JSON or urlencoded
-		fastify.use('/oauth/token', bodyParser.urlencoded({ extended: false }));
-		fastify.use('/oauth/token', bodyParser.json({ strict: true }));
-		fastify.use('/oauth/token', this.#server.token());
-		fastify.use('/oauth/token', this.#server.errorHandler());
+		fastify.use('/decision', this.#server.errorHandler());
 
 		// Return 404 for any unknown paths under /oauth so that clients can know
 		// whether a certain endpoint is supported or not.
-		fastify.all('/oauth/*', async (_request, reply) => {
+		fastify.all('/*', async (_request, reply) => {
 			reply.code(404);
 			reply.send({
 				error: {
@@ -483,4 +477,17 @@ export class OAuth2ProviderService {
 			});
 		});
 	}
+
+	@bindThis
+	public async createTokenServer(fastify: FastifyInstance): Promise<void> {
+		fastify.register(fastifyCors);
+		fastify.post('', async () => { });
+
+		await fastify.register(fastifyExpress);
+		// Clients may use JSON or urlencoded
+		fastify.use('', bodyParser.urlencoded({ extended: false }));
+		fastify.use('', bodyParser.json({ strict: true }));
+		fastify.use('', this.#server.token());
+		fastify.use('', this.#server.errorHandler());
+	}
 }