Add OAuth token verification for Discord and Google in UserController

- Updated loginOAuth method to include accessToken in request body validation.
- Implemented verifyDiscordToken and verifyGoogleToken methods to validate OAuth tokens.
- Enhanced error handling for unsupported providers and token verification failures.
- Ensured email and providerId match verified user data before proceeding with login.

Author: fox3000foxy

dist/controllers/UserController.d.ts

@@ -37,4 +37,6 @@ export declare class Users {
     transferCredits(req: AuthenticatedRequest, res: Response): Promise<Response<any, Record<string, any>> | undefined>;
     checkVerificationKey(req: Request, res: Response): Promise<Response<any, Record<string, any>> | undefined>;
     changeRole(req: AuthenticatedRequest, res: Response): Promise<Response<any, Record<string, any>> | undefined>;
+    private verifyDiscordToken;
+    private verifyGoogleToken;
 }

dist/controllers/UserController.js

@@ -92,27 +92,43 @@ let Users = class Users {
     }
     // --- AUTHENTIFICATION & INSCRIPTION ---
     async loginOAuth(req, res) {
-        const { email, provider, providerId, username } = req.body;
-        if (!email || !provider || !providerId) {
+        const { email, provider, providerId, username, accessToken } = req.body;
+        if (!email || !provider || !providerId || !accessToken) {
             await this.createLog(req, "loginOAuth", "users", 400);
-            return this.sendError(res, 400, "Missing email, provider or providerId");
+            return this.sendError(res, 400, "Missing email, provider, providerId or accessToken");
+        }
+        // Vérifier le token OAuth avec le provider
+        let verifiedUser;
+        try {
+            if (provider === "discord") {
+                verifiedUser = await this.verifyDiscordToken(accessToken, providerId);
+            }
+            else if (provider === "google") {
+                verifiedUser = await this.verifyGoogleToken(accessToken, providerId);
+            }
+            else {
+                await this.createLog(req, "loginOAuth", "users", 400);
+                return this.sendError(res, 400, "Unsupported OAuth provider");
+            }
+        }
+        catch (error) {
+            await this.createLog(req, "loginOAuth", "users", 401);
+            return this.sendError(res, 401, "Invalid OAuth token");
+        }
+        // Vérifier que l'email et l'ID correspondent aux données du provider
+        if (verifiedUser.email !== email || verifiedUser.id !== providerId) {
+            await this.createLog(req, "loginOAuth", "users", 401);
+            return this.sendError(res, 401, "OAuth data mismatch");
         }
         const users = await this.userService.getAllUsersWithDisabled();
-        // console.log(users);
         const token = req.headers["cookie"]?.toString().split("token=")[1]?.split(";")[0];
-        // const authHeader =
-        //   req.headers["authorization"] ||
-        //   "Bearer " +
-        //   req.headers["cookie"]?.toString().split("token=")[1]?.split(";")[0];
-        // const token = authHeader.split("Bearer ")[1];
         let user = await this.userService.authenticateUser(token);
         if (!user) {
             user = users.find((u) => u.discord_id == providerId || u.google_id == providerId) || null;
         }
         if (!user) {
             const userId = crypto_1.default.randomUUID();
-            user = await this.userService.createUser(userId, username || "", email, null, provider, providerId);
-            // await this.mailService.sendAccountConfirmationMail(user.email);
+            user = await this.userService.createUser(userId, username || verifiedUser.username || "", email, null, provider, providerId);
             await this.createLog(req, "loginOAuth", "users", 201, userId);
         }
         else {
@@ -631,6 +647,45 @@ let Users = class Users {
             this.sendError(res, 500, "Error setting role cookie");
         }
     }
+    // Ajouter ces méthodes de vérification OAuth
+    async verifyDiscordToken(accessToken, expectedUserId) {
+        try {
+            const response = await fetch("https://discord.com/api/users/@me", {
+                headers: {
+                    Authorization: `Bearer ${accessToken}`,
+                },
+            });
+            if (!response.ok) {
+                throw new Error("Invalid Discord token");
+            }
+            const userData = await response.json();
+            return {
+                id: userData.id,
+                email: userData.email,
+                username: userData.username,
+            };
+        }
+        catch (error) {
+            throw new Error("Failed to verify Discord token");
+        }
+    }
+    async verifyGoogleToken(accessToken, expectedUserId) {
+        try {
+            const response = await fetch(`https://www.googleapis.com/oauth2/v2/userinfo?access_token=${accessToken}`);
+            if (!response.ok) {
+                throw new Error("Invalid Google token");
+            }
+            const userData = await response.json();
+            return {
+                id: userData.id,
+                email: userData.email,
+                username: userData.name,
+            };
+        }
+        catch (error) {
+            throw new Error("Failed to verify Google token");
+        }
+    }
 };
 exports.Users = Users;
 __decorate([

src/controllers/UserController.ts

@@ -87,20 +87,36 @@ export class Users {
 
 	@httpPost("/login-oauth")
 	public async loginOAuth(req: Request, res: Response) {
-		const { email, provider, providerId, username } = req.body;
-		if (!email || !provider || !providerId) {
+		const { email, provider, providerId, username, accessToken } = req.body;
+		if (!email || !provider || !providerId || !accessToken) {
 			await this.createLog(req, "loginOAuth", "users", 400);
-			return this.sendError(res, 400, "Missing email, provider or providerId");
+			return this.sendError(res, 400, "Missing email, provider, providerId or accessToken");
+		}
+
+		// Vérifier le token OAuth avec le provider
+		let verifiedUser;
+		try {
+			if (provider === "discord") {
+				verifiedUser = await this.verifyDiscordToken(accessToken, providerId);
+			} else if (provider === "google") {
+				verifiedUser = await this.verifyGoogleToken(accessToken, providerId);
+			} else {
+				await this.createLog(req, "loginOAuth", "users", 400);
+				return this.sendError(res, 400, "Unsupported OAuth provider");
+			}
+		} catch (error) {
+			await this.createLog(req, "loginOAuth", "users", 401);
+			return this.sendError(res, 401, "Invalid OAuth token");
+		}
+
+		// Vérifier que l'email et l'ID correspondent aux données du provider
+		if (verifiedUser.email !== email || verifiedUser.id !== providerId) {
+			await this.createLog(req, "loginOAuth", "users", 401);
+			return this.sendError(res, 401, "OAuth data mismatch");
 		}
 
 		const users = await this.userService.getAllUsersWithDisabled();
-		// console.log(users);
 		const token = req.headers["cookie"]?.toString().split("token=")[1]?.split(";")[0];
-		// const authHeader =
-		//   req.headers["authorization"] ||
-		//   "Bearer " +
-		//   req.headers["cookie"]?.toString().split("token=")[1]?.split(";")[0];
-		// const token = authHeader.split("Bearer ")[1];
 
 		let user = await this.userService.authenticateUser(token as string);
 
@@ -110,8 +126,7 @@ export class Users {
 
 		if (!user) {
 			const userId = crypto.randomUUID();
-			user = await this.userService.createUser(userId, username || "", email, null, provider, providerId);
-			// await this.mailService.sendAccountConfirmationMail(user.email);
+			user = await this.userService.createUser(userId, username || verifiedUser.username || "", email, null, provider, providerId);
 			await this.createLog(req, "loginOAuth", "users", 201, userId);
 		} else {
 			if ((provider === "discord" && !user.discord_id) || (provider === "google" && !user.google_id)) {
@@ -122,10 +137,12 @@ export class Users {
 				return this.sendError(res, 401, "OAuth providerId mismatch");
 			}
 		}
+		
 		if (user.disabled) {
 			await this.createLog(req, "loginOAuth", "users", 403, user.user_id);
 			return this.sendError(res, 403, "Account is disabled");
 		}
+		
 		await this.createLog(req, "loginOAuth", "users", 200, user.user_id);
 		const apiKey = genKey(user.user_id);
 		const jwtToken = generateUserJwt(user, apiKey);
@@ -746,4 +763,47 @@ export class Users {
 			this.sendError(res, 500, "Error setting role cookie");
 		}
 	}
+
+	// Ajouter ces méthodes de vérification OAuth
+	private async verifyDiscordToken(accessToken: string, expectedUserId: string) {
+		try {
+			const response = await fetch("https://discord.com/api/users/@me", {
+				headers: {
+					Authorization: `Bearer ${accessToken}`,
+				},
+			});
+			
+			if (!response.ok) {
+				throw new Error("Invalid Discord token");
+			}
+			
+			const userData = await response.json();
+			return {
+				id: userData.id,
+				email: userData.email,
+				username: userData.username,
+			};
+		} catch (error) {
+			throw new Error("Failed to verify Discord token");
+		}
+	}
+
+	private async verifyGoogleToken(accessToken: string, expectedUserId: string) {
+		try {
+			const response = await fetch(`https://www.googleapis.com/oauth2/v2/userinfo?access_token=${accessToken}`);
+			
+			if (!response.ok) {
+				throw new Error("Invalid Google token");
+			}
+			
+			const userData = await response.json();
+			return {
+				id: userData.id,
+				email: userData.email,
+				username: userData.name,
+			};
+		} catch (error) {
+			throw new Error("Failed to verify Google token");
+		}
+	}
 }