From 50b68e41bf3f4e71492dffb0a81de89164f8e124 Mon Sep 17 00:00:00 2001
From: Tom West <55838419+twestos@users.noreply.github.com>
Date: Fri, 14 Apr 2023 15:20:36 +1000
Subject: [PATCH 1/2] added post login redirect url
---
 src/config/index.js | 53 +++++++++----------
 src/handlers/callback.js | 109 +++++++++++++++++++--------------------
 2 files changed, 79 insertions(+), 83 deletions(-)
diff --git a/src/config/index.js b/src/config/index.js
index f2786c5..000b2d0 100644
--- a/src/config/index.js
+++ b/src/config/index.js
@@ -1,39 +1,40 @@
 const initialState = {
- user: null,
- isLoading: true,
- checkSession: null,
+ user: null,
+ isLoading: true,
+ checkSession: null,
 };
 const SESSION_PREFIX = "pkce-verifier";
 const KINDE_SITE_URL = process.env.KINDE_SITE_URL;
+const KINDE_POST_LOGIN_URL_REDIRECT_URL = process.env.KINDE_POST_LOGIN_URL_REDIRECT_URL;
 const KINDE_ISSUER_URL = process.env.KINDE_ISSUER_URL;
-const KINDE_POST_LOGOUT_REDIRECT_URL =
- process.env.KINDE_POST_LOGOUT_REDIRECT_URL;
+const KINDE_POST_LOGOUT_REDIRECT_URL = process.env.KINDE_POST_LOGOUT_REDIRECT_URL;
 const KINDE_CLIENT_ID = process.env.KINDE_CLIENT_ID;
 const KINDE_CLIENT_SECRET = process.env.KINDE_CLIENT_SECRET;
 const KINDE_AUDIENCE = process.env.KINDE_AUDIENCE;
 export const config = {
- initialState,
- SESSION_PREFIX,
- redirectURL: KINDE_SITE_URL,
- issuerURL: KINDE_ISSUER_URL,
- clientID: KINDE_CLIENT_ID,
- clientSecret: KINDE_CLIENT_SECRET,
- postLogoutRedirectURL: KINDE_POST_LOGOUT_REDIRECT_URL,
- audience: KINDE_AUDIENCE,
- responseType: "code",
- scope: "openid profile email offline",
- codeChallengeMethod: "S256",
- redirectRoutes: {
- callback: "/api/auth/kinde_callback",
- },
- issuerRoutes: {
- logout: "/logout",
- login: "/oauth2/auth",
- register: "/oauth2/auth",
- token: "/oauth2/token",
- profile: "/oauth2/v2/user_profile",
- },
+ initialState,
+ SESSION_PREFIX,
+ redirectURL: KINDE_SITE_URL,
+ postLoginURL: KINDE_POST_LOGIN_URL_REDIRECT_URL,
+ issuerURL: KINDE_ISSUER_URL,
+ clientID: KINDE_CLIENT_ID,
+ clientSecret: KINDE_CLIENT_SECRET,
+ postLogoutRedirectURL: KINDE_POST_LOGOUT_REDIRECT_URL,
+ audience: KINDE_AUDIENCE,
+ responseType: "code",
+ scope: "openid profile email offline",
+ codeChallengeMethod: "S256",
+ redirectRoutes: {
+ callback: "/api/auth/kinde_callback",
+ },
+ issuerRoutes: {
+ logout: "/logout",
+ login: "/oauth2/auth",
+ register: "/oauth2/auth",
+ token: "/oauth2/token",
+ profile: "/oauth2/v2/user_profile",
+ },
 };
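Review bot: The new environment variable `KINDE_POST_LOGIN_URL_REDIRECT_URL` repeats "URL" and does not follow the pattern of its sibling `KINDE_POST_LOGOUT_REDIRECT_URL` two lines below, and the config key `postLoginURL` likewise diverges from `postLogoutRedirectURL`; environment-variable names are a deployment interface, so renaming later breaks existing configurations. Suggest `const KINDE_POST_LOGIN_REDIRECT_URL = process.env.KINDE_POST_LOGIN_REDIRECT_URL;` and `postLoginRedirectURL: KINDE_POST_LOGIN_REDIRECT_URL,`, with the matching read in the callback.js hunk updated to the same key. A one-line comment on the key would also help operators, e.g. `// Optional: where the browser is sent after the callback; falls back to redirectURL when unset`. The remaining lines of this hunk are re-indentation only.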
diff --git a/src/handlers/callback.js b/src/handlers/callback.js
index 8011ceb..ca2dc25 100644
--- a/src/handlers/callback.js
+++ b/src/handlers/callback.js
@@ -3,64 +3,59 @@ import { config } from "../config/index";
 var cookie = require("cookie");
 export const callback = async (req, res) => {
- const { code, state } = req.query;
- const code_verifier = cookie.parse(req.headers.cookie || "")[
- `${config.SESSION_PREFIX}-${state}`
- ];
+ const { code, state } = req.query;
+ const code_verifier = cookie.parse(req.headers.cookie || "")[`${config.SESSION_PREFIX}-${state}`];
- if (code_verifier) {
- try {
- const response = await fetch(
- config.issuerURL + config.issuerRoutes.token,
- {
- method: "POST",
- headers: new Headers({
- "Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
- }),
- body: new URLSearchParams({
- client_id: config.clientID,
- client_secret: config.clientSecret,
- code,
- code_verifier,
- grant_type: "authorization_code",
- redirect_uri: config.redirectURL + config.redirectRoutes.callback,
- }),
- }
- );
- const data = await response.json();
- const accessTokenHeader = jwt_decode(data.access_token, { header: true });
- const accessTokenPayload = jwt_decode(data.access_token);
+ if (code_verifier) {
+ try {
+ const response = await fetch(config.issuerURL + config.issuerRoutes.token, {
+ method: "POST",
+ headers: new Headers({
+ "Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
+ }),
+ body: new URLSearchParams({
+ client_id: config.clientID,
+ client_secret: config.clientSecret,
+ code,
+ code_verifier,
+ grant_type: "authorization_code",
+ redirect_uri: config.redirectURL + config.redirectRoutes.callback,
+ }),
+ });
+ const data = await response.json();
+ const accessTokenHeader = jwt_decode(data.access_token, { header: true });
+ const accessTokenPayload = jwt_decode(data.access_token);
- let isAudienceValid = true;
- if (config.audience)
- isAudienceValid = accessTokenPayload.aud == config.audience;
+ let isAudienceValid = true;
+ if (config.audience) isAudienceValid = accessTokenPayload.aud == config.audience;
- if (
- accessTokenPayload.iss == config.issuerURL &&
- accessTokenHeader.alg == "RS256" &&
- accessTokenPayload.exp > Math.floor(Date.now() / 1000) &&
- isAudienceValid
- ) {
- res.setHeader(
- "Set-Cookie",
- cookie.serialize(`kinde_token`, JSON.stringify(data), {
- httpOnly: true,
- expires: new Date(accessTokenPayload.exp * 1000),
- sameSite: "strict",
- secure: true,
- path: "/",
- })
- );
- } else {
- console.error("One or more of the claims were not verified.");
- }
- } catch (err) {
- console.error(err);
- }
- res.redirect(config.redirectURL);
- } else {
- const logoutURL = new URL(config.issuerURL + config.issuerRoutes.logout);
- logoutURL.searchParams.set("redirect", config.postLogoutRedirectURL);
- res.redirect(logoutURL.href);
- }
+ if (
+ accessTokenPayload.iss == config.issuerURL &&
+ accessTokenHeader.alg == "RS256" &&
+ accessTokenPayload.exp > Math.floor(Date.now() / 1000) &&
+ isAudienceValid
+ ) {
+ res.setHeader(
+ "Set-Cookie",
+ cookie.serialize(`kinde_token`, JSON.stringify(data), {
+ httpOnly: true,
+ expires: new Date(accessTokenPayload.exp * 1000),
+ sameSite: "strict",
+ secure: true,
+ path: "/",
+ })
+ );
+ } else {
+ console.error("One or more of the claims were not verified.");
+ }
+ } catch (err) {
+ console.error(err);
+ }
+ const redirectUrl = config.postLoginURL ? config.postLoginURL : config.redirectURL;
+ res.redirect(redirectUrl);
+ } else {
+ const logoutURL = new URL(config.issuerURL + config.issuerRoutes.logout);
+ logoutURL.searchParams.set("redirect", config.postLogoutRedirectURL);
+ res.redirect(logoutURL.href);
+ }
 };
From 6c5a02cfd882edaa4aa9df24f6e7dd08cfa53a7e Mon Sep 17 00:00:00 2001
From: Tom West <55838419+twestos@users.noreply.github.com>
Date: Fri, 21 Apr 2023 16:24:23 +1000
Subject: [PATCH 2/2] Update callback.js
---
 src/handlers/callback.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/handlers/callback.js b/src/handlers/callback.js
index ca2dc25..8e3c079 100644
--- a/src/handlers/callback.js
+++ b/src/handlers/callback.js
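Review bot: The new `res.redirect(redirectUrl)` at the end of the `if (code_verifier)` branch sends the browser to `config.postLoginURL` even when the claim check failed or the token exchange threw, because both the `else` branch and the `catch` only `console.error` and then fall through to the same redirect, so a failed login lands on the post-login page with no `kinde_token` cookie set. Consider recording success (e.g. `let sessionEstablished = false;` before the `try`, set to `true` right after `res.setHeader(...)`) and using the post-login URL only when it is true, otherwise `config.redirectURL` or an error route, so the application can tell the two outcomes apart. Separately, `config.postLoginURL ? config.postLoginURL : config.redirectURL` is just `config.postLoginURL || config.redirectURL` (`||` rather than `??` preserves the current handling of an empty-string environment value), so `res.redirect(config.postLoginURL || config.redirectURL);` would replace both new lines. The whole `callback` function is within this hunk.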
@@ -12,6 +12,7 @@ export const callback = async (req, res) => {
 method: "POST",
 headers: new Headers({
 "Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
+ "Kinde-SDK": `"NextJS"/${version}`,
 }),
 body: new URLSearchParams({
 client_id: config.clientID,
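Review bot: The added `Kinde-SDK` header interpolates `version`, but nothing in this hunk brings that identifier into scope and the patch is a single insertion with no import; unless `version` is already defined earlier in callback.js (not visible here), building the headers throws a ReferenceError inside the `try`, which the existing `catch` only logs, so every login would silently end without a session cookie. Add the binding the value comes from, for example `import { version } from "<path-to-package.json>";` at the top of the file, or expose it through `config`. The template literal also embeds literal double quotes, so the header is sent as `"NextJS"/<version>` rather than `NextJS/<version>`; `` `NextJS/${version}` `` is presumably what was intended. The enclosing `callback` function starts and ends outside this hunk.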