DevLoversTeam
diff --git a/‎frontend/app/api/auth/github/callback/route.ts‎
Lines changed: 138 additions & 126 deletions b/‎frontend/app/api/auth/github/callback/route.ts‎
Lines changed: 138 additions & 126 deletions
diff --git a/‎frontend/app/api/auth/github/route.ts‎
Lines changed: 11 additions & 8 deletions b/‎frontend/app/api/auth/github/route.ts‎
Lines changed: 11 additions & 8 deletions
diff --git a/‎frontend/app/api/auth/google/callback/route.ts‎
Lines changed: 16 additions & 2 deletions b/‎frontend/app/api/auth/google/callback/route.ts‎
Lines changed: 16 additions & 2 deletions
diff --git a/‎frontend/app/api/auth/google/route.ts‎
Lines changed: 16 additions & 2 deletions b/‎frontend/app/api/auth/google/route.ts‎
Lines changed: 16 additions & 2 deletions
@@ -1,150 +1,162 @@
 import { NextRequest, NextResponse } from "next/server";
-import { eq } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 
 import { db } from "@/db";
 import { users } from "@/db/schema/users";
 import { signAuthToken, setAuthCookie } from "@/lib/auth";
 import { authEnv } from "@/lib/env/auth";
+import { consumeOAuthState } from "@/lib/auth/oauth-state";
 
 type GithubTokenResponse = {
-  access_token: string;
-  token_type: string;
-  scope: string;
+    access_token: string;
+    token_type: string;
+    scope: string;
 };
 
 type GithubUser = {
-  id: number;
-  login: string;
-  name: string | null;
-  avatar_url: string;
+    id: number;
+    login: string;
+    name: string | null;
+    avatar_url: string;
 };
 
 type GithubEmail = {
-  email: string;
-  primary: boolean;
-  verified: boolean;
+    email: string;
+    primary: boolean;
+    verified: boolean;
+};
+
+const GITHUB_HEADERS = {
+    "User-Agent": "devlovers-app",
 };
 
 export async function GET(req: NextRequest) {
-  const code = req.nextUrl.searchParams.get("code");
-
-  if (!code) {
-    return NextResponse.redirect(new URL("/login", req.url));
-  }
-
-  const tokenRes = await fetch(
-    "https://github.com/login/oauth/access_token",
-    {
-      method: "POST",
-      headers: {
-        Accept: "application/json",
-      },
-      body: new URLSearchParams({
-        client_id: authEnv.github.clientId,
-        client_secret: authEnv.github.clientSecret,
-        code,
-        redirect_uri: authEnv.github.redirectUri,
-      }),
+    const code = req.nextUrl.searchParams.get("code");
+    const state = req.nextUrl.searchParams.get("state");
+
+    if (!(await consumeOAuthState(state))) {
+        return NextResponse.redirect(new URL("/login", req.url));
+    }
+
+    if (!code) {
+        return NextResponse.redirect(new URL("/login", req.url));
+    }
+
+    const tokenRes = await fetch(
+        "https://github.com/login/oauth/access_token",
+        {
+            method: "POST",
+            headers: {
+                Accept: "application/json",
+            },
+            body: new URLSearchParams({
+                client_id: authEnv.github.clientId,
+                client_secret: authEnv.github.clientSecret,
+                code,
+                redirect_uri: authEnv.github.redirectUri,
+            }),
+        }
+    );
+
+    if (!tokenRes.ok) {
+        console.error(
+            "GitHub token exchange failed",
+            await tokenRes.text()
+        );
+        return NextResponse.redirect(new URL("/login", req.url));
+    }
+
+    const tokenData = (await tokenRes.json()) as GithubTokenResponse;
+
+    const userRes = await fetch("https://api.github.com/user", {
+        headers: {
+            ...GITHUB_HEADERS,
+            Authorization: `Bearer ${tokenData.access_token}`,
+        },
+    });
+
+    if (!userRes.ok) {
+        return NextResponse.redirect(new URL("/login", req.url));
     }
-  );
-
-  if (!tokenRes.ok) {
-    console.error(
-    "GitHub token exchange failed",
-    await tokenRes.text()
-  );
-    return NextResponse.redirect(new URL("/login", req.url));
-  }
-
-  const tokenData = (await tokenRes.json()) as GithubTokenResponse;
-
-  const userRes = await fetch("https://api.github.com/user", {
-    headers: {
-      Authorization: `Bearer ${tokenData.access_token}`,
-    },
-  });
-
-  if (!userRes.ok) {
-    return NextResponse.redirect(new URL("/login", req.url));
-  }
-
-  const ghUser = (await userRes.json()) as GithubUser;
-
-  const emailsRes = await fetch("https://api.github.com/user/emails", {
-    headers: {
-      Authorization: `Bearer ${tokenData.access_token}`,
-    },
-  });
-
-  if (!emailsRes.ok) {
-    return NextResponse.redirect(new URL("/login", req.url));
-  }
-
-  const emails = (await emailsRes.json()) as GithubEmail[];
-
-  const primaryEmail = emails.find(
-    (e) => e.primary && e.verified
-  )?.email;
-
-  if (!primaryEmail) {
-    return NextResponse.redirect(new URL("/login", req.url));
-  }
-
-  const githubId = String(ghUser.id);
-  let user = null;
-
-  const [githubUser] = await db
-    .select()
-    .from(users)
-    .where(eq(users.providerId, githubId))
-    .limit(1);
-
-  if (githubUser) {
-    user = githubUser;
-  } else {
-    const [emailUser] = await db
-      .select()
-      .from(users)
-      .where(eq(users.email, primaryEmail))
-      .limit(1);
-
-    if (emailUser) {
-      await db
-        .update(users)
-        .set({
-          provider: "github",
-          providerId: githubId,
-          emailVerified: emailUser.emailVerified ?? new Date(),
-          image: emailUser.image ?? ghUser.avatar_url,
-          name: emailUser.name ?? ghUser.name ?? ghUser.login,
-        })
-        .where(eq(users.id, emailUser.id));
-
-      user = emailUser;
+
+    const ghUser = (await userRes.json()) as GithubUser;
+
+    const emailsRes = await fetch("https://api.github.com/user/emails", {
+        headers: {
+            ...GITHUB_HEADERS,
+            Authorization: `Bearer ${tokenData.access_token}`,
+        },
+    });
+
+    if (!emailsRes.ok) {
+        return NextResponse.redirect(new URL("/login", req.url));
+    }
+
+    const emails = (await emailsRes.json()) as GithubEmail[];
+
+    const primaryEmail = emails.find(
+        (e) => e.primary && e.verified
+    )?.email;
+
+    if (!primaryEmail) {
+        return NextResponse.redirect(new URL("/login", req.url));
+    }
+
+    const githubId = String(ghUser.id);
+    let user = null;
+
+    const [githubUser] = await db
+        .select()
+        .from(users)
+        .where(and(eq(users.providerId, githubId), eq(users.provider, "github")))
+        .limit(1);
+
+    if (githubUser) {
+        user = githubUser;
     } else {
-      const [created] = await db
-        .insert(users)
-        .values({
-          email: primaryEmail,
-          name: ghUser.name ?? ghUser.login,
-          image: ghUser.avatar_url,
-          provider: "github",
-          providerId: githubId,
-          emailVerified: new Date(),
-        })
-        .returning();
-
-      user = created;
+        const [emailUser] = await db
+            .select()
+            .from(users)
+            .where(eq(users.email, primaryEmail))
+            .limit(1);
+
+        if (emailUser) {
+            await db
+                .update(users)
+                .set({
+                    provider: "github",
+                    providerId: githubId,
+                    emailVerified: emailUser.emailVerified ?? new Date(),
+                    image: emailUser.image ?? ghUser.avatar_url,
+                    name: emailUser.name ?? ghUser.name ?? ghUser.login,
+                })
+                .where(eq(users.id, emailUser.id));
+
+            user = emailUser;
+        } else {
+            const [created] = await db
+                .insert(users)
+                .values({
+                    email: primaryEmail,
+                    name: ghUser.name ?? ghUser.login,
+                    image: ghUser.avatar_url,
+                    provider: "github",
+                    providerId: githubId,
+                    emailVerified: new Date(),
+                })
+                .returning();
+
+            user = created;
+        }
     }
-  }
 
-  const token = signAuthToken({
-    userId: user.id,
-    email: user.email,
-    role: user.role === "admin" ? "admin" : "user",
-  });
+    const token = signAuthToken({
+        userId: user.id,
+        email: user.email,
+        role: user.role === "admin" ? "admin" : "user",
+    });
 
-  await setAuthCookie(token);
+    await setAuthCookie(token);
 
-  return NextResponse.redirect(new URL("/", req.url));
+    return NextResponse.redirect(new URL("/", req.url));
 }
@@ -1,14 +1,17 @@
 import { authEnv } from "@/lib/env/auth";
 import { NextResponse } from "next/server";
+import { generateOAuthState, setOAuthStateCookie } from "@/lib/auth/oauth-state";
 
 export async function GET() {
-  const params = new URLSearchParams({
-    client_id: authEnv.github.clientId,
-    redirect_uri: authEnv.github.redirectUri,
-    scope: "user:email",
-  });
+    const state = generateOAuthState();
+    await setOAuthStateCookie(state);
+    const params = new URLSearchParams({
+        client_id: authEnv.github.clientId,
+        redirect_uri: authEnv.github.redirectUri,
+        scope: "user:email",
+    });
 
-  return NextResponse.redirect(
-    `https://github.com/login/oauth/authorize?${params.toString()}`
-  );
+    return NextResponse.redirect(
+        `https://github.com/login/oauth/authorize?${params.toString()}`
+    );
 }
@@ -1,10 +1,11 @@
 import { NextRequest, NextResponse } from "next/server";
-import { eq } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 
 import { db } from "@/db";
 import { users } from "@/db/schema/users";
 import { signAuthToken, setAuthCookie } from "@/lib/auth";
 import { authEnv } from "@/lib/env/auth";
+import { consumeOAuthState } from "@/lib/auth/oauth-state";
 
 type GoogleTokenResponse = {
   access_token: string;
@@ -28,6 +29,12 @@ export async function GET(req: NextRequest) {
     return NextResponse.redirect(new URL("/login", req.url));
   }
 
+  const state = req.nextUrl.searchParams.get("state");
+
+  if (!(await consumeOAuthState(state))) {
+    return NextResponse.redirect(new URL("/login", req.url));
+  }
+
   const tokenRes = await fetch("https://oauth2.googleapis.com/token", {
     method: "POST",
     headers: {
@@ -43,6 +50,8 @@ export async function GET(req: NextRequest) {
   });
 
   if (!tokenRes.ok) {
+    console.error(
+      "Google token exchange failed",)
     return NextResponse.redirect(new URL("/login", req.url));
   }
 
@@ -63,6 +72,11 @@ export async function GET(req: NextRequest) {
 
   const profile = (await profileRes.json()) as GoogleProfile;
 
+  if (!profile.verified_email) {
+    console.warn("Google email not verified", profile);
+    return NextResponse.redirect(new URL("/login?error=unverified_email", req.url));
+  }
+
   const email = profile.email;
   const googleId = profile.id;
 
@@ -71,7 +85,7 @@ export async function GET(req: NextRequest) {
   const [googleUser] = await db
     .select()
     .from(users)
-    .where(eq(users.providerId, googleId))
+    .where(and(eq(users.providerId, googleId), eq(users.provider, "google")))
     .limit(1);
 
   if (googleUser) {
 
@@ -1,10 +1,24 @@
 import { authEnv } from "@/lib/env/auth";
 import { NextResponse } from "next/server";
+import {
+  generateOAuthState,
+  setOAuthStateCookie,
+} from "@/lib/auth/oauth-state";
+
 
 export async function GET() {
+  const { clientId, redirectUri } = authEnv.github
+
+  if (!clientId || !redirectUri) {
+    throw new Error("Google OAuth is not properly configured");
+  }
+
+  const state = generateOAuthState();
+  await setOAuthStateCookie(state);
+
   const params = new URLSearchParams({
-    client_id: authEnv.google.clientId,
-    redirect_uri: authEnv.google.redirectUri,
+    client_id: clientId,
+    redirect_uri: redirectUri,
     response_type: "code",
     scope: "openid email profile",
     prompt: "select_account",