api/controllers/AuthController.ts

/**
 * This file is part of SudoBot.
 *
 * Copyright (C) 2021-2023 OSN Developers.
 *
 * SudoBot is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Affero General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * SudoBot is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with SudoBot. If not, see <https://www.gnu.org/licenses/>.
 */

import { User } from "@prisma/client";
import bcrypt from "bcrypt";
import { add } from "date-fns";
import {
    ActionRowBuilder,
    ButtonBuilder,
    ButtonStyle,
    EmbedBuilder,
    Snowflake,
    escapeMarkdown
} from "discord.js";
import jwt from "jsonwebtoken";
import { randomInt } from "node:crypto";
import { request as undiciRequest } from "undici";
import { z } from "zod";
import { Action } from "../../decorators/Action";
import { Validate } from "../../decorators/Validate";
import { logError } from "../../utils/Logger";
import { safeUserFetch } from "../../utils/fetch";
import Controller from "../Controller";
import Request from "../Request";
import Response from "../Response";

export default class AuthController extends Controller {
    private isBannedUser(discordId?: Snowflake | null) {
        if (!discordId) {
            return true;
        }

        if (this.client.commandManager.isBanned(discordId)) {
            return true;
        }

        return false;
    }

    private async genToken(user: User) {
        if (
            !user.token ||
            (user.token && user.tokenExpiresAt && user.tokenExpiresAt.getTime() <= Date.now())
        ) {
            user.token = jwt.sign(
                {
                    userId: user.id,
                    random: Math.round(Math.random() * 2000)
                },
                process.env.JWT_SECRET!,
                {
                    expiresIn: "2 days",
                    issuer: process.env.JWT_ISSUER ?? "SudoBot",
                    subject: "Temporary API token for authenticated user"
                }
            );

            user.tokenExpiresAt = new Date(Date.now() + 1000 * 60 * 60 * 24 * 2);

            await this.client.prisma.user.updateMany({
                where: {
                    id: user.id
                },
                data: {
                    token: user.token,
                    tokenExpiresAt: user.tokenExpiresAt
                }
            });
        }
    }

    @Action("POST", "/auth/recovery_token")
    @Validate(
        z.object({
            username: z.string(),
            code: z.number()
        })
    )
    public async recoveryToken(request: Request) {
        const { username, code } = request.parsedBody ?? {};

        const user = await this.client.prisma.user.findFirst({
            where: {
                username: username.trim(),
                recoveryCode: code.toString().trim()
            }
        });

        if (!user) {
            return new Response({
                status: 403,
                body: {
                    error: "Invalid username or code provided"
                }
            });
        }

        if (this.isBannedUser(user.discordId)) {
            return new Response({
                status: 403,
                body: {
                    error: "Forbidden"
                }
            });
        }

        try {
            jwt.verify(user.recoveryToken!, process.env.JWT_SECRET!, {
                issuer: process.env.JWT_ISSUER ?? "SudoBot",
                subject: "Temporary recovery token",
                complete: true
            });
        } catch (e) {
            logError(e);

            return new Response({
                status: 403,
                body: {
                    error: "Invalid username or code provided"
                }
            });
        }

        if ((user.recoveryTokenExpiresAt?.getTime() ?? Date.now()) <= Date.now()) {
            return new Response({
                status: 400,
                body: {
                    error: "This account recovery request has expired"
                }
            });
        }

        await this.client.prisma.user.updateMany({
            where: {
                id: user.id
            },
            data: {
                recoveryCode: null
            }
        });

        return { success: true, token: user.recoveryToken };
    }

    @Action("POST", "/auth/reset")
    @Validate(
        z.object({
            username: z.string(),
            token: z.string(),
            new_password: z.string()
        })
    )
    public async reset(request: Request) {
        const { username, token, new_password } = request.parsedBody ?? {};

        const user = await this.client.prisma.user.findFirst({
            where: {
                username: username.trim(),
                recoveryToken: token.trim()
            }
        });

        if (!user) {
            return new Response({
                status: 403,
                body: {
                    error: "Invalid username or token provided"
                }
            });
        }

        if (this.isBannedUser(user.discordId)) {
            return new Response({
                status: 403,
                body: {
                    error: "Forbidden"
                }
            });
        }

        try {
            jwt.verify(user.recoveryToken!, process.env.JWT_SECRET!, {
                issuer: process.env.JWT_ISSUER ?? "SudoBot",
                subject: "Temporary recovery token",
                complete: true
            });
        } catch (e) {
            logError(e);

            return new Response({
                status: 403,
                body: {
                    error: "Invalid username or token provided"
                }
            });
        }

        if ((user.recoveryTokenExpiresAt?.getTime() ?? Date.now()) <= Date.now()) {
            return new Response({
                status: 400,
                body: {
                    error: "This account recovery request has expired"
                }
            });
        }

        await this.client.prisma.user.updateMany({
            where: {
                id: user.id
            },
            data: {
                recoveryAttempts: 0,
                recoveryToken: null,
                recoveryTokenExpiresAt: null,
                password: bcrypt.hashSync(new_password, bcrypt.genSaltSync(10)),
                token: null,
                tokenExpiresAt: null,
                recoveryCode: null
            }
        });

        const discordUser = await safeUserFetch(this.client, user.discordId);

        await discordUser
            ?.send({
                embeds: [
                    new EmbedBuilder({
                        author: {
                            name: "Account Successfully Recovered",
                            icon_url: this.client.user?.displayAvatarURL()
                        },
                        color: 0x007bff,
                        description: `Hey ${escapeMarkdown(
                            discordUser.username
                        )},\n\nYour SudoBot Account was recovered and the password was reset. You've been automatically logged out everywhere you were logged in before.\n\nCheers,\nSudoBot Developers`,
                        footer: {
                            text: "Recovery succeeded"
                        }
                    }).setTimestamp()
                ],
                components: [
                    new ActionRowBuilder<ButtonBuilder>().addComponents(
                        new ButtonBuilder()
                            .setStyle(ButtonStyle.Link)
                            .setLabel("Log into your account")
                            .setURL(`${process.env.FRONTEND_URL}/login`)
                    )
                ]
            })
            .catch(logError);

        return {
            success: true,
            message: "Successfully completed account recovery"
        };
    }

    @Action("POST", "/auth/recovery")
    @Validate(
        z.object({
            username: z.string()
        })
    )
    public async recovery(request: Request) {
        const { username } = request.parsedBody ?? {};

        const user = await this.client.prisma.user.findFirst({
            where: {
                username: username.trim()
            }
        });

        if (!user) {
            return new Response({
                status: 403,
                body: {
                    error: "Invalid username provided"
                }
            });
        }

        if (this.isBannedUser(user.discordId)) {
            return new Response({
                status: 403,
                body: {
                    error: "Forbidden"
                }
            });
        }

        if (
            user.recoveryToken &&
            user.recoveryTokenExpiresAt &&
            user.recoveryTokenExpiresAt.getTime() > Date.now() &&
            user.recoveryAttempts >= 2
        ) {
            return new Response({
                status: 429,
                body: {
                    error: "This account is already awaiting for recovery"
                }
            });
        }

        const recoveryToken = jwt.sign(
            {
                type: "pwdreset",
                userId: user.id
            },
            process.env.JWT_SECRET!,
            {
                expiresIn: "2 days",
                issuer: process.env.JWT_ISSUER ?? "SudoBot",
                subject: "Temporary recovery token"
            }
        );

        const recoveryTokenExpiresAt = add(new Date(), {
            days: 2
        });

        const recoveryCode = randomInt(10000, 99999).toString();

        await this.client.prisma.user.updateMany({
            where: {
                id: user.id
            },
            data: {
                recoveryAttempts: {
                    increment: 1
                },
                recoveryToken,
                recoveryTokenExpiresAt,
                recoveryCode
            }
        });

        const discordUser = await safeUserFetch(this.client, user.discordId);

        await discordUser
            ?.send({
                embeds: [
                    new EmbedBuilder({
                        author: {
                            name: "Account Recovery Request",
                            icon_url: this.client.user?.displayAvatarURL()
                        },
                        color: 0x007bff,
                        description: `Hey ${escapeMarkdown(
                            discordUser.username
                        )},\n\nWe've received a recovery request for your SudoBot Account. Your recovery code is:\n\n# ${recoveryCode}\n\nAlternatively, click the button at the bottom to reset your account's password.\nIf you haven't requested this, feel free to ignore this DM.\n\nCheers,\nSudoBot Developers`,
                        footer: {
                            text: "This account recovery request will be valid for the next 48 hours"
                        }
                    }).setTimestamp()
                ],
                components: [
                    new ActionRowBuilder<ButtonBuilder>().addComponents(
                        new ButtonBuilder()
                            .setStyle(ButtonStyle.Link)
                            .setLabel("Reset your password")
                            .setURL(
                                `${process.env.FRONTEND_URL}/account/reset?u=${encodeURIComponent(
                                    user.username
                                )}&t=${encodeURIComponent(recoveryToken)}`
                            )
                    )
                ]
            })
            .catch(logError);

        return {
            success: true,
            message: "Successfully initiated account recovery"
        };
    }

    @Action("POST", "/auth/login")
    @Validate(
        z.object({
            username: z.string(),
            password: z.string()
        })
    )
    public async login(request: Request) {
        const { username, password } = request.parsedBody ?? {};

        const user = await this.client.prisma.user.findFirst({
            where: {
                username: username.trim()
            }
        });

        if (!user || !bcrypt.compareSync(password.trim(), user.password)) {
            return new Response({
                status: 403,
                body: {
                    error: "Invalid login credentials"
                }
            });
        }

        if (this.isBannedUser(user.discordId)) {
            return new Response({
                status: 403,
                body: {
                    error: "Unable to log in"
                }
            });
        }

        await this.genToken(user);

        const guilds = [];
        const discordUser = await safeUserFetch(this.client, user.discordId);

        for (const id of user.guilds) {
            const guild = this.client.guilds.cache.get(id);

            if (guild) {
                guilds.push({
                    id: guild.id,
                    name: guild.name,
                    iconURL: guild.iconURL() ?? undefined
                });
            }
        }

        return {
            message: "Login successful",
            user: {
                id: user.id,
                avatarURL: discordUser?.displayAvatarURL(),
                username: user.username,
                name: user.name,
                discordId: user.discordId,
                guilds,
                token: user.token,
                tokenExpiresAt: user.tokenExpiresAt,
                createdAt: user.createdAt
            }
        };
    }

    @Action("POST", "/auth/discord")
    @Validate(
        z.object({
            code: z.string()
        })
    )
    async discord(request: Request) {
        const { parsedBody } = request;

        try {
            const tokenResponseData = await undiciRequest("https://discord.com/api/oauth2/token", {
                method: "POST",
                body: new URLSearchParams({
                    client_id: process.env.CLIENT_ID!,
                    client_secret: process.env.CLIENT_SECRET!,
                    code: parsedBody!.code,
                    grant_type: "authorization_code",
                    redirect_uri: `${process.env.DISCORD_OAUTH2_REDIRECT_URI}`,
                    scope: "identify"
                }).toString(),
                headers: {
                    "Content-Type": "application/x-www-form-urlencoded"
                }
            });

            const oauthData = <Record<string, string>>await tokenResponseData.body.json();

            if (oauthData?.error) {
                throw new Error(`${oauthData?.error}: ${oauthData?.error_description}`);
            }

            const userResponse = await undiciRequest("https://discord.com/api/users/@me", {
                headers: {
                    authorization: `${oauthData.token_type} ${oauthData.access_token}`
                }
            });

            const userData = <Record<string, string>>await userResponse.body.json();

            if (userData?.error) {
                throw new Error(`${userData?.error}: ${userData?.error_description}`);
            }

            const avatarURL = `https://cdn.discordapp.com/avatars/${encodeURIComponent(
                userData.id
            )}/${encodeURIComponent(userData.avatar)}.${
                userData.avatar.startsWith("a_") ? "gif" : "webp"
            }?size=512`;

            const user = await this.client.prisma.user.findFirst({
                where: {
                    discordId: userData.id
                }
            });

            if (!user) {
                return new Response({ status: 400, body: "Access denied, no such user found" });
            }

            if (this.isBannedUser(user.discordId)) {
                return new Response({
                    status: 403,
                    body: {
                        error: "Unable to log in"
                    }
                });
            }

            await this.genToken(user);

            const guilds = [];

            for (const id of user.guilds) {
                const guild = this.client.guilds.cache.get(id);

                if (guild) {
                    guilds.push({
                        id: guild.id,
                        name: guild.name,
                        iconURL: guild.iconURL() ?? undefined
                    });
                }
            }

            return {
                message: "Login successful",
                user: {
                    id: user.id,
                    avatarURL,
                    username: user.username,
                    name: user.name,
                    discordId: user.discordId,
                    guilds,
                    token: user.token,
                    tokenExpiresAt: user.tokenExpiresAt,
                    createdAt: user.createdAt
                }
            };
        } catch (error) {
            console.error(error);
            return new Response({ status: 400, body: "Invalid oauth2 grant code" });
        }
    }
}
1	/**
2	* This file is part of SudoBot.
3	*
4	* Copyright (C) 2021-2023 OSN Developers.
5	*
6	* SudoBot is free software; you can redistribute it and/or modify it
7	* under the terms of the GNU Affero General Public License as published by
8	* the Free Software Foundation, either version 3 of the License, or
9	* (at your option) any later version.
10	*
11	* SudoBot is distributed in the hope that it will be useful, but
12	* WITHOUT ANY WARRANTY; without even the implied warranty of
13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14	* GNU Affero General Public License for more details.
15	*
16	* You should have received a copy of the GNU Affero General Public License
17	* along with SudoBot. If not, see <https://www.gnu.org/licenses/>.
18	*/
19
20	import { User } from "@prisma/client";
21	import bcrypt from "bcrypt";
22	import { add } from "date-fns";
23	import {
24	ActionRowBuilder,
25	ButtonBuilder,
26	ButtonStyle,
27	EmbedBuilder,
28	Snowflake,
29	escapeMarkdown
30	} from "discord.js";
31	import jwt from "jsonwebtoken";
32	import { randomInt } from "node:crypto";
33	import { request as undiciRequest } from "undici";
34	import { z } from "zod";
35	import { Action } from "../../decorators/Action";
36	import { Validate } from "../../decorators/Validate";
37	import { logError } from "../../utils/Logger";
38	import { safeUserFetch } from "../../utils/fetch";
39	import Controller from "../Controller";
40	import Request from "../Request";
41	import Response from "../Response";
42
43	export default class AuthController extends Controller {
44	private isBannedUser(discordId?: Snowflake \| null) {
45	if (!discordId) {
46	return true;
47	}
48
49	if (this.client.commandManager.isBanned(discordId)) {
50	return true;
51	}
52
53	return false;
54	}
55
56	private async genToken(user: User) {
57	if (
58	!user.token \|\|
59	(user.token && user.tokenExpiresAt && user.tokenExpiresAt.getTime() <= Date.now())
60	) {
61	user.token = jwt.sign(
62	{
63	userId: user.id,
64	random: Math.round(Math.random() * 2000)
65	},
66	process.env.JWT_SECRET!,
67	{
68	expiresIn: "2 days",
69	issuer: process.env.JWT_ISSUER ?? "SudoBot",
70	subject: "Temporary API token for authenticated user"
71	}
72	);
73
74	user.tokenExpiresAt = new Date(Date.now() + 1000 * 60 * 60 * 24 * 2);
75
76	await this.client.prisma.user.updateMany({
77	where: {
78	id: user.id
79	},
80	data: {
81	token: user.token,
82	tokenExpiresAt: user.tokenExpiresAt
83	}
84	});
85	}
86	}
87
88	@Action("POST", "/auth/recovery_token")
89	@Validate(
90	z.object({
91	username: z.string(),
92	code: z.number()
93	})
94	)
95	public async recoveryToken(request: Request) {
96	const { username, code } = request.parsedBody ?? {};
97
98	const user = await this.client.prisma.user.findFirst({
99	where: {
100	username: username.trim(),
101	recoveryCode: code.toString().trim()
102	}
103	});
104
105	if (!user) {
106	return new Response({
107	status: 403,
108	body: {
109	error: "Invalid username or code provided"
110	}
111	});
112	}
113
114	if (this.isBannedUser(user.discordId)) {
115	return new Response({
116	status: 403,
117	body: {
118	error: "Forbidden"
119	}
120	});
121	}
122
123	try {
124	jwt.verify(user.recoveryToken!, process.env.JWT_SECRET!, {
125	issuer: process.env.JWT_ISSUER ?? "SudoBot",
126	subject: "Temporary recovery token",
127	complete: true
128	});
129	} catch (e) {
130	logError(e);
131
132	return new Response({
133	status: 403,
134	body: {
135	error: "Invalid username or code provided"
136	}
137	});
138	}
139
140	if ((user.recoveryTokenExpiresAt?.getTime() ?? Date.now()) <= Date.now()) {
141	return new Response({
142	status: 400,
143	body: {
144	error: "This account recovery request has expired"
145	}
146	});
147	}
148
149	await this.client.prisma.user.updateMany({
150	where: {
151	id: user.id
152	},
153	data: {
154	recoveryCode: null
155	}
156	});
157
158	return { success: true, token: user.recoveryToken };
159	}
160
161	@Action("POST", "/auth/reset")
162	@Validate(
163	z.object({
164	username: z.string(),
165	token: z.string(),
166	new_password: z.string()
167	})
168	)
169	public async reset(request: Request) {
170	const { username, token, new_password } = request.parsedBody ?? {};
171
172	const user = await this.client.prisma.user.findFirst({
173	where: {
174	username: username.trim(),
175	recoveryToken: token.trim()
176	}
177	});
178
179	if (!user) {
180	return new Response({
181	status: 403,
182	body: {
183	error: "Invalid username or token provided"
184	}
185	});
186	}
187
188	if (this.isBannedUser(user.discordId)) {
189	return new Response({
190	status: 403,
191	body: {
192	error: "Forbidden"
193	}
194	});
195	}
196
197	try {
198	jwt.verify(user.recoveryToken!, process.env.JWT_SECRET!, {
199	issuer: process.env.JWT_ISSUER ?? "SudoBot",
200	subject: "Temporary recovery token",
201	complete: true
202	});
203	} catch (e) {
204	logError(e);
205
206	return new Response({
207	status: 403,
208	body: {
209	error: "Invalid username or token provided"
210	}
211	});
212	}
213
214	if ((user.recoveryTokenExpiresAt?.getTime() ?? Date.now()) <= Date.now()) {
215	return new Response({
216	status: 400,
217	body: {
218	error: "This account recovery request has expired"
219	}
220	});
221	}
222
223	await this.client.prisma.user.updateMany({
224	where: {
225	id: user.id
226	},
227	data: {
228	recoveryAttempts: 0,
229	recoveryToken: null,
230	recoveryTokenExpiresAt: null,
231	password: bcrypt.hashSync(new_password, bcrypt.genSaltSync(10)),
232	token: null,
233	tokenExpiresAt: null,
234	recoveryCode: null
235	}
236	});
237
238	const discordUser = await safeUserFetch(this.client, user.discordId);
239
240	await discordUser
241	?.send({
242	embeds: [
243	new EmbedBuilder({
244	author: {
245	name: "Account Successfully Recovered",
246	icon_url: this.client.user?.displayAvatarURL()
247	},
248	color: 0x007bff,
249	description: `Hey ${escapeMarkdown(
250	discordUser.username
251	)},\n\nYour SudoBot Account was recovered and the password was reset. You've been automatically logged out everywhere you were logged in before.\n\nCheers,\nSudoBot Developers`,
252	footer: {
253	text: "Recovery succeeded"
254	}
255	}).setTimestamp()
256	],
257	components: [
258	new ActionRowBuilder<ButtonBuilder>().addComponents(
259	new ButtonBuilder()
260	.setStyle(ButtonStyle.Link)
261	.setLabel("Log into your account")
262	.setURL(`${process.env.FRONTEND_URL}/login`)
263	)
264	]
265	})
266	.catch(logError);
267
268	return {
269	success: true,
270	message: "Successfully completed account recovery"
271	};
272	}
273
274	@Action("POST", "/auth/recovery")
275	@Validate(
276	z.object({
277	username: z.string()
278	})
279	)
280	public async recovery(request: Request) {
281	const { username } = request.parsedBody ?? {};
282
283	const user = await this.client.prisma.user.findFirst({
284	where: {
285	username: username.trim()
286	}
287	});
288
289	if (!user) {
290	return new Response({
291	status: 403,
292	body: {
293	error: "Invalid username provided"
294	}
295	});
296	}
297
298	if (this.isBannedUser(user.discordId)) {
299	return new Response({
300	status: 403,
301	body: {
302	error: "Forbidden"
303	}
304	});
305	}
306
307	if (
308	user.recoveryToken &&
309	user.recoveryTokenExpiresAt &&
310	user.recoveryTokenExpiresAt.getTime() > Date.now() &&
311	user.recoveryAttempts >= 2
312	) {
313	return new Response({
314	status: 429,
315	body: {
316	error: "This account is already awaiting for recovery"
317	}
318	});
319	}
320
321	const recoveryToken = jwt.sign(
322	{
323	type: "pwdreset",
324	userId: user.id
325	},
326	process.env.JWT_SECRET!,
327	{
328	expiresIn: "2 days",
329	issuer: process.env.JWT_ISSUER ?? "SudoBot",
330	subject: "Temporary recovery token"
331	}
332	);
333
334	const recoveryTokenExpiresAt = add(new Date(), {
335	days: 2
336	});
337
338	const recoveryCode = randomInt(10000, 99999).toString();
339
340	await this.client.prisma.user.updateMany({
341	where: {
342	id: user.id
343	},
344	data: {
345	recoveryAttempts: {
346	increment: 1
347	},
348	recoveryToken,
349	recoveryTokenExpiresAt,
350	recoveryCode
351	}
352	});
353
354	const discordUser = await safeUserFetch(this.client, user.discordId);
355
356	await discordUser
357	?.send({
358	embeds: [
359	new EmbedBuilder({
360	author: {
361	name: "Account Recovery Request",
362	icon_url: this.client.user?.displayAvatarURL()
363	},
364	color: 0x007bff,
365	description: `Hey ${escapeMarkdown(
366	discordUser.username
367	)},\n\nWe've received a recovery request for your SudoBot Account. Your recovery code is:\n\n# ${recoveryCode}\n\nAlternatively, click the button at the bottom to reset your account's password.\nIf you haven't requested this, feel free to ignore this DM.\n\nCheers,\nSudoBot Developers`,
368	footer: {
369	text: "This account recovery request will be valid for the next 48 hours"
370	}
371	}).setTimestamp()
372	],
373	components: [
374	new ActionRowBuilder<ButtonBuilder>().addComponents(
375	new ButtonBuilder()
376	.setStyle(ButtonStyle.Link)
377	.setLabel("Reset your password")
378	.setURL(
379	`${process.env.FRONTEND_URL}/account/reset?u=${encodeURIComponent(
380	user.username
381	)}&t=${encodeURIComponent(recoveryToken)}`
382	)
383	)
384	]
385	})
386	.catch(logError);
387
388	return {
389	success: true,
390	message: "Successfully initiated account recovery"
391	};
392	}
393
394	@Action("POST", "/auth/login")
395	@Validate(
396	z.object({
397	username: z.string(),
398	password: z.string()
399	})
400	)
401	public async login(request: Request) {
402	const { username, password } = request.parsedBody ?? {};
403
404	const user = await this.client.prisma.user.findFirst({
405	where: {
406	username: username.trim()
407	}
408	});
409
410	if (!user \|\| !bcrypt.compareSync(password.trim(), user.password)) {
411	return new Response({
412	status: 403,
413	body: {
414	error: "Invalid login credentials"
415	}
416	});
417	}
418
419	if (this.isBannedUser(user.discordId)) {
420	return new Response({
421	status: 403,
422	body: {
423	error: "Unable to log in"
424	}
425	});
426	}
427
428	await this.genToken(user);
429
430	const guilds = [];
431	const discordUser = await safeUserFetch(this.client, user.discordId);
432
433	for (const id of user.guilds) {
434	const guild = this.client.guilds.cache.get(id);
435
436	if (guild) {
437	guilds.push({
438	id: guild.id,
439	name: guild.name,
440	iconURL: guild.iconURL() ?? undefined
441	});
442	}
443	}
444
445	return {
446	message: "Login successful",
447	user: {
448	id: user.id,
449	avatarURL: discordUser?.displayAvatarURL(),
450	username: user.username,
451	name: user.name,
452	discordId: user.discordId,
453	guilds,
454	token: user.token,
455	tokenExpiresAt: user.tokenExpiresAt,
456	createdAt: user.createdAt
457	}
458	};
459	}
460
461	@Action("POST", "/auth/discord")
462	@Validate(
463	z.object({
464	code: z.string()
465	})
466	)
467	async discord(request: Request) {
468	const { parsedBody } = request;
469
470	try {
471	const tokenResponseData = await undiciRequest("https://discord.com/api/oauth2/token", {
472	method: "POST",
473	body: new URLSearchParams({
474	client_id: process.env.CLIENT_ID!,
475	client_secret: process.env.CLIENT_SECRET!,
476	code: parsedBody!.code,
477	grant_type: "authorization_code",
478	redirect_uri: `${process.env.DISCORD_OAUTH2_REDIRECT_URI}`,
479	scope: "identify"
480	}).toString(),
481	headers: {
482	"Content-Type": "application/x-www-form-urlencoded"
483	}
484	});
485
486	const oauthData = <Record<string, string>>await tokenResponseData.body.json();
487
488	if (oauthData?.error) {
489	throw new Error(`${oauthData?.error}: ${oauthData?.error_description}`);
490	}
491
492	const userResponse = await undiciRequest("https://discord.com/api/users/@me", {
493	headers: {
494	authorization: `${oauthData.token_type} ${oauthData.access_token}`
495	}
496	});
497
498	const userData = <Record<string, string>>await userResponse.body.json();
499
500	if (userData?.error) {
501	throw new Error(`${userData?.error}: ${userData?.error_description}`);
502	}
503
504	const avatarURL = `https://cdn.discordapp.com/avatars/${encodeURIComponent(
505	userData.id
506	)}/${encodeURIComponent(userData.avatar)}.${
507	userData.avatar.startsWith("a_") ? "gif" : "webp"
508	}?size=512`;
509
510	const user = await this.client.prisma.user.findFirst({
511	where: {
512	discordId: userData.id
513	}
514	});
515
516	if (!user) {
517	return new Response({ status: 400, body: "Access denied, no such user found" });
518	}
519
520	if (this.isBannedUser(user.discordId)) {
521	return new Response({
522	status: 403,
523	body: {
524	error: "Unable to log in"
525	}
526	});
527	}
528
529	await this.genToken(user);
530
531	const guilds = [];
532
533	for (const id of user.guilds) {
534	const guild = this.client.guilds.cache.get(id);
535
536	if (guild) {
537	guilds.push({
538	id: guild.id,
539	name: guild.name,
540	iconURL: guild.iconURL() ?? undefined
541	});
542	}
543	}
544
545	return {
546	message: "Login successful",
547	user: {
548	id: user.id,
549	avatarURL,
550	username: user.username,
551	name: user.name,
552	discordId: user.discordId,
553	guilds,
554	token: user.token,
555	tokenExpiresAt: user.tokenExpiresAt,
556	createdAt: user.createdAt
557	}
558	};
559	} catch (error) {
560	console.error(error);
561	return new Response({ status: 400, body: "Invalid oauth2 grant code" });
562	}
563	}
564	}