car-crushers-portal/functions/api/auth/mobile/token.ts


import { jsonError } from "../../../common.js";
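/**
 * Encodes raw bytes as unpadded base64url, the encoding used for JWT segments.
 */
function toBase64Url(bytes: Uint8Array): string {
  let binary = "";
  for (const byte of bytes) binary += String.fromCharCode(byte);

  return btoa(binary)
    .replaceAll("+", "-")
    .replaceAll("/", "_")
    .replaceAll("=", "");
}

/**
 * Issues an HS256-signed JWT for the signed-in user and redirects to the
 * mobile app's `com.carcrushers.app://login-callback` URL with the token in
 * the `token` query parameter.
 *
 * Responds with a 401 JSON error when `context.data` carries no current user
 * or when the request has no `_s` session cookie.
 *
 * @param context Request context; reads `data.current_user`, the request's
 *   `cookie` header and `env.JWT_SIGNING_KEY` (base64url-encoded HMAC key).
 * @returns A redirect response carrying the token, or the 401 error response.
 */
export async function onRequestGet(context: RequestContext) {
  const { current_user: currentUser } = context.data;

  if (!currentUser) return jsonError("Unauthorized", 401);

  // base64url of {"alg":"HS256","typ":"JWT"}
  const header = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9";

  // The header may be absent, and the space after ";" is not guaranteed, so
  // split on ";" and trim instead of casting and splitting on "; ".
  const cookieHeader = context.request.headers.get("cookie") ?? "";
  const sessionCookie = cookieHeader
    .split(";")
    .map((part: string) => part.trim())
    .find((part: string) => part.startsWith("_s="));

  // Previously a missing cookie threw a TypeError here; fail closed instead.
  if (!sessionCookie) return jsonError("Unauthorized", 401);

  // SECURITY NOTE(review): jti is the raw value of the `_s` session cookie.
  // A JWT payload is only encoded, not encrypted, and this token travels in a
  // redirect URL, so whoever can read the token can read the session
  // identifier. If the token consumer only needs a unique or revocable id, a
  // derived value (for example a hash of the session id) would avoid exposing
  // the cookie. Confirm how jti is used before changing it.
  const claims = JSON.stringify({
    email: currentUser.email,
    // NOTE(review): asserted unconditionally; presumably login only admits
    // verified addresses. Confirm against the auth flow.
    email_verified: true,
    // refresh_at is divided by 1000, so it is presumably in milliseconds.
    exp: Math.floor(currentUser.refresh_at / 1000),
    iat: Math.floor(Date.now() / 1000),
    iss: "https://carcrushers.cc/auth/mobile/token",
    jti: sessionCookie.slice("_s=".length),
    name: currentUser.username,
    permissions: currentUser.permissions,
    picture: currentUser.avatar ?? "https://carcrushers.cc/files/logo192.png",
    sub: currentUser.id,
  });

  // Encode the JSON as UTF-8 bytes first: btoa() on the string itself throws
  // for any character above U+00FF (e.g. a non-Latin username) and emits
  // Latin-1 rather than UTF-8 for U+0080 to U+00FF.
  const claimSet = toBase64Url(new TextEncoder().encode(claims));

  // The signing key is stored base64url-encoded; map it back to the standard
  // alphabet for atob(). Every char of atob() output is <= 0xFF, so
  // charCodeAt yields the byte value directly.
  const keyBytes = Uint8Array.from(
    atob(context.env.JWT_SIGNING_KEY.replaceAll("-", "+").replaceAll("_", "/")),
    (ch: string) => ch.charCodeAt(0),
  );

  // Imported as non-extractable and usable for signing only.
  const key = await crypto.subtle.importKey(
    "raw",
    keyBytes,
    { hash: "SHA-256", name: "HMAC" },
    false,
    ["sign"],
  );

  const signature = await crypto.subtle.sign(
    "HMAC",
    key,
    new TextEncoder().encode(`${header}.${claimSet}`),
  );
  const encodedSignature = toBase64Url(new Uint8Array(signature));

  // SECURITY NOTE(review): the token is handed over in the query string of a
  // custom URL scheme. Custom schemes are not guaranteed to be bound to a
  // single app on every platform, and URLs tend to end up in logs. Consider
  // verified app links or exchanging a short-lived one-time code for the token.
  return Response.redirect(
    `com.carcrushers.app://login-callback?token=${header}.${claimSet}.${encodedSignature}`,
  );
}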