Add OIDC provider for Outline wiki SSO

Add oidc-provider with MongoDB adapter so ghostguild.org can act as the identity provider for the self-hosted Outline wiki. Members authenticate via the existing magic-link flow, with automatic SSO when an active session exists. Includes interaction routes, well-known discovery endpoint, and login page.
2026-03-01 15:46:01 +00:00 · 2026-03-01 15:46:01 +00:00 · 8a529a8e7c
commit 8a529a8e7c
parent a232a7bbf8
13 changed files with 1258 additions and 2 deletions
--- a/server/routes/oidc/[...].ts
+++ b/server/routes/oidc/[...].ts
@ -0,0 +1,30 @@
+/**
+ * Catch-all route that delegates all /oidc/* requests to the oidc-provider.
+ *
+ * This exposes the standard OIDC endpoints:
+ *   /oidc/auth          — authorization
+ *   /oidc/token         — token exchange
+ *   /oidc/me            — userinfo
+ *   /oidc/session/end   — logout
+ *   /oidc/jwks          — JSON Web Key Set
+ */
+import { getOidcProvider } from "../../utils/oidc-provider.js";
+
+export default defineEventHandler(async (event) => {
+  const provider = await getOidcProvider();
+  const { req, res } = event.node;
+
+  // oidc-provider expects paths relative to its own mount point.
+  // Nitro gives us the full path, so strip the /oidc prefix.
+  const originalUrl = req.url || "";
+  req.url = originalUrl.replace(/^\/oidc/, "") || "/";
+
+  // Hand off to oidc-provider's Connect-style callback
+  const callback = provider.callback() as Function;
+  await new Promise<void>((resolve, reject) => {
+    callback(req, res, (err: unknown) => {
+      if (err) reject(err);
+      else resolve();
+    });
+  });
+});
--- a/server/routes/oidc/interaction/[uid].get.ts
+++ b/server/routes/oidc/interaction/[uid].get.ts
@ -0,0 +1,94 @@
+/**
+ * OIDC interaction handler — checks for an existing Ghost Guild session.
+ *
+ * Flow:
+ * 1. Outline redirects user to /oidc/auth
+ * 2. oidc-provider creates an interaction and redirects here
+ * 3. If the user has a valid auth-token cookie → complete the interaction (SSO)
+ * 4. Otherwise → redirect to the OIDC login page
+ */
+import jwt from "jsonwebtoken";
+import Member from "../../../models/member.js";
+import { connectDB } from "../../../utils/mongoose.js";
+import { getOidcProvider } from "../../../utils/oidc-provider.js";
+
+export default defineEventHandler(async (event) => {
+  const provider = await getOidcProvider();
+  const uid = getRouterParam(event, "uid")!;
+
+  // Load the interaction details from oidc-provider
+  const interactionDetails = await provider.interactionDetails(
+    event.node.req,
+    event.node.res
+  );
+  const { prompt } = interactionDetails;
+
+  // ----- Login prompt -----
+  if (prompt.name === "login") {
+    // Check for existing Ghost Guild session
+    const token = getCookie(event, "auth-token");
+
+    if (token) {
+      try {
+        const config = useRuntimeConfig();
+        const decoded = jwt.verify(token, config.jwtSecret) as {
+          memberId: string;
+        };
+
+        await connectDB();
+        const member = await (Member as any).findById(decoded.memberId);
+
+        if (
+          member &&
+          member.status !== "suspended" &&
+          member.status !== "cancelled"
+        ) {
+          // Auto-complete the login interaction (SSO)
+          const result = {
+            login: { accountId: member._id.toString() },
+          };
+          await provider.interactionFinished(
+            event.node.req,
+            event.node.res,
+            result,
+            { mergeWithLastSubmission: false }
+          );
+          return;
+        }
+      } catch {
+        // Token invalid — fall through to login page
+      }
+    }
+
+    // No valid session — redirect to login page
+    return sendRedirect(event, `/oidc/login?uid=${uid}`, 302);
+  }
+
+  // ----- Consent prompt -----
+  if (prompt.name === "consent") {
+    // Auto-approve consent for our first-party client
+    const grant = interactionDetails.grantId
+      ? await provider.Grant.find(interactionDetails.grantId)
+      : new provider.Grant({
+          accountId: interactionDetails.session!.accountId,
+          clientId: interactionDetails.params.client_id as string,
+        });
+
+    if (grant) {
+      grant.addOIDCScope("openid profile email");
+      await grant.save();
+
+      const result = { consent: { grantId: grant.jti } };
+      await provider.interactionFinished(
+        event.node.req,
+        event.node.res,
+        result,
+        { mergeWithLastSubmission: true }
+      );
+      return;
+    }
+  }
+
+  // Fallback — shouldn't reach here normally
+  throw createError({ statusCode: 400, statusMessage: "Unknown interaction" });
+});
--- a/server/routes/oidc/interaction/login.post.ts
+++ b/server/routes/oidc/interaction/login.post.ts
@ -0,0 +1,81 @@
+/**
+ * Handle magic link login request during OIDC interaction flow.
+ *
+ * POST /oidc/interaction/login
+ * Body: { email: string, uid: string }
+ *
+ * Sends a magic link email. The link includes the OIDC interaction uid so the
+ * verify step can complete the interaction after authenticating.
+ */
+import jwt from "jsonwebtoken";
+import { Resend } from "resend";
+import Member from "../../../models/member.js";
+import { connectDB } from "../../../utils/mongoose.js";
+
+const resend = new Resend(process.env.RESEND_API_KEY);
+
+export default defineEventHandler(async (event) => {
+  await connectDB();
+
+  const body = await readBody(event);
+  const email = body?.email?.trim()?.toLowerCase();
+  const uid = body?.uid;
+
+  if (!email || !uid) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Email and interaction uid are required",
+    });
+  }
+
+  const GENERIC_MESSAGE =
+    "If this email is registered, we've sent a login link.";
+
+  const member = await (Member as any).findOne({ email });
+  if (!member) {
+    return { success: true, message: GENERIC_MESSAGE };
+  }
+
+  const config = useRuntimeConfig(event);
+  const token = jwt.sign(
+    { memberId: member._id, oidcUid: uid },
+    config.jwtSecret,
+    { expiresIn: "15m" }
+  );
+
+  const headers = getHeaders(event);
+  const baseUrl =
+    process.env.BASE_URL ||
+    `${headers.host?.includes("localhost") ? "http" : "https"}://${headers.host}`;
+
+  try {
+    await resend.emails.send({
+      from: "Ghost Guild <ghostguild@babyghosts.org>",
+      to: email,
+      subject: "Sign in to Ghost Guild Wiki",
+      html: `
+        <div style="font-family: Arial, sans-serif; max-width: 600px; margin: 0 auto;">
+          <h2 style="color: #2563eb;">Sign in to the Ghost Guild Wiki</h2>
+          <p>Click the button below to sign in:</p>
+          <div style="text-align: center; margin: 30px 0;">
+            <a href="${baseUrl}/oidc/interaction/verify?token=${token}"
+               style="background-color: #2563eb; color: white; padding: 12px 24px; text-decoration: none; border-radius: 6px; display: inline-block;">
+              Sign In
+            </a>
+          </div>
+          <p style="color: #666; font-size: 14px;">
+            This link expires in 15 minutes. If you didn't request this, you can safely ignore this email.
+          </p>
+        </div>
+      `,
+    });
+
+    return { success: true, message: GENERIC_MESSAGE };
+  } catch (error) {
+    console.error("Failed to send OIDC login email:", error);
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Failed to send login email. Please try again.",
+    });
+  }
+});
--- a/server/routes/oidc/interaction/verify.get.ts
+++ b/server/routes/oidc/interaction/verify.get.ts
@ -0,0 +1,75 @@
+/**
+ * Verify magic link token and complete the OIDC login interaction.
+ *
+ * GET /oidc/interaction/verify?token=...
+ *
+ * This is the endpoint the magic link email points to. It:
+ * 1. Verifies the JWT token
+ * 2. Sets the Ghost Guild session cookie (so future logins are SSO)
+ * 3. Completes the OIDC interaction so the user is redirected back to Outline
+ */
+import jwt from "jsonwebtoken";
+import Member from "../../../models/member.js";
+import { connectDB } from "../../../utils/mongoose.js";
+import { getOidcProvider } from "../../../utils/oidc-provider.js";
+
+export default defineEventHandler(async (event) => {
+  const { token } = getQuery(event);
+
+  if (!token) {
+    throw createError({ statusCode: 400, statusMessage: "Token is required" });
+  }
+
+  const config = useRuntimeConfig(event);
+
+  let decoded: { memberId: string; oidcUid: string };
+  try {
+    decoded = jwt.verify(token as string, config.jwtSecret) as typeof decoded;
+  } catch {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Invalid or expired token",
+    });
+  }
+
+  await connectDB();
+  const member = await (Member as any).findById(decoded.memberId);
+
+  if (!member) {
+    throw createError({ statusCode: 404, statusMessage: "Member not found" });
+  }
+
+  if (member.status === "suspended" || member.status === "cancelled") {
+    throw createError({
+      statusCode: 403,
+      statusMessage: `Account is ${member.status}`,
+    });
+  }
+
+  // Set Ghost Guild session cookie for future SSO
+  const sessionToken = jwt.sign(
+    { memberId: member._id, email: member.email },
+    config.jwtSecret,
+    { expiresIn: "7d" }
+  );
+
+  setCookie(event, "auth-token", sessionToken, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    maxAge: 60 * 60 * 24 * 7,
+  });
+
+  // Complete the OIDC interaction
+  const provider = await getOidcProvider();
+  const result = {
+    login: { accountId: member._id.toString() },
+  };
+
+  await provider.interactionFinished(
+    event.node.req,
+    event.node.res,
+    result,
+    { mergeWithLastSubmission: false }
+  );
+});