[sdk-playground] Verify Proxy Auth Headers (#82)

* [sdk-playground/server] split utils into lib

* [sdk-playground/server] withProxyAuth to lib/crypto

* [sdk-playground/client] Proxy Auth Example page

* add pages functions middleware with PROXY_AUTH_MODE

* use shared package

* add PROXY_AUTH_MODE to example.env

* add allowedHosts:true to vite config

* shared package gitignore

* public key is hex encoded

* fix bottom page of scroll being broken

* remove dist oops

* remove shared/package-lock.json

* put the html into a templates file

* pnpm run fix

* fix nullish hexBytes issue

* build shared in github workflows

Author: afgiel

.github/workflows/ci.yml

@@ -21,4 +21,7 @@ jobs:
           node-version: 20
           cache: pnpm
       - run: pnpm install
+      - run: pnpm --filter "./sdk-playground/packages/shared" build
+      - run: pnpm --filter "./sdk-playground/packages/server" build
+      - run: pnpm --filter "./sdk-playground/packages/client" build
       - run: pnpm lint

.github/workflows/sdk-playground-production.yml

@@ -21,6 +21,10 @@ jobs:
         run: |
           cd sdk-playground
           echo "${{ secrets.ENV_FILE }}" > .env.production
+      - name: build sdk-playground shared
+        run: |
+          cd sdk-playground/packages/shared
+          pnpm build
       - name: build sdk-playground client
         run: |
           cd sdk-playground/packages/client

.github/workflows/sdk-playground.yml

@@ -23,6 +23,8 @@ jobs:
           node-version: 20
           cache: pnpm
       - run: pnpm install
+      - run: npm run build
+        working-directory: sdk-playground/packages/shared
       - run: npm run build
         working-directory: sdk-playground/packages/server
       - run: npm run build

pnpm-lock.yaml

@@ -7,6 +7,8 @@ VITE_CLIENT_ID=123456789
 VITE_APPLICATION_ID=123456789
 VITE_DISCORD_API_BASE=https://discord.com/api
 
-CLIENT_SECRET=secret # This should be the oauth2 token for your application from the developer portal.
 BOT_TOKEN=bottoken # This should be the bot token for your application from the developer portal.
-WEBAPP_SERVE_PORT=3000
+CLIENT_SECRET=secret # This should be the oauth2 token for your application from the developer portal.
+PROXY_AUTH_MODE='log-only'
+PUBLIC_KEY=publickey # This should be the publickey for your application from the developer portal.
+WEBAPP_SERVE_PORT=3000

sdk-playground/example.env

@@ -0,0 +1,104 @@
+import { verifyProxyAuth } from 'shared';
+import type { Env } from 'shared';
+import { AUTH_REQUIRED_HTML, SERVER_ERROR_HTML } from './templates';
+
+type AuthMode = 'enforce' | 'log-only' | 'disabled';
+
+function getAuthMode(request: Request, env: Env): AuthMode {
+	const url = new URL(request.url);
+
+	// Check query parameter first (for easy testing)
+	const queryMode = url.searchParams.get('proxy_auth');
+	if (
+		queryMode === 'enforce' ||
+		queryMode === 'log-only' ||
+		queryMode === 'disabled'
+	) {
+		return queryMode;
+	}
+
+	if (env.PROXY_AUTH_MODE) {
+		return env.PROXY_AUTH_MODE;
+	}
+
+	return 'log-only';
+}
+
+function shouldSkipAuth(request: Request, env: Env): boolean {
+	const url = new URL(request.url);
+
+	if (url.hostname === 'localhost' || url.hostname === '127.0.0.1') {
+		return true;
+	}
+
+	return false;
+}
+
+export async function onRequest(context: {
+	request: Request;
+	env: Env;
+	next: () => Promise<Response>;
+}): Promise<Response> {
+	const { request, env, next } = context;
+	const url = new URL(request.url);
+
+	try {
+		const authMode = getAuthMode(request, env);
+		console.log(`[Proxy Auth] Mode: ${authMode}, URL: ${url.pathname}`);
+
+		if (shouldSkipAuth(request, env)) {
+			console.log('[Proxy Auth] Bypassed for development/testing');
+			return await next();
+		}
+
+		if (authMode === 'disabled') {
+			console.log('[Proxy Auth] Authentication disabled, allowing request');
+			return await next();
+		}
+
+		const proxyToken = await verifyProxyAuth(request, env);
+
+		if (!proxyToken) {
+			console.log('[Proxy Auth] Validation failed - no valid token');
+
+			// In log-only mode, allow the request but log the failure
+			if (authMode === 'log-only') {
+				console.log(
+					'[Proxy Auth] Log-only mode: allowing request despite auth failure',
+				);
+				return await next();
+			}
+
+			console.log('[Proxy Auth] Enforce mode: blocking request');
+			return new Response(AUTH_REQUIRED_HTML, {
+				status: 401,
+				headers: {
+					'Content-Type': 'text/html',
+					'Cache-Control': 'no-cache, no-store, must-revalidate',
+				},
+			});
+		}
+
+		console.log(
+			`[Proxy Auth] Validation success for user ${proxyToken.user_id} (app: ${proxyToken.application_id})`,
+		);
+
+		return await next();
+	} catch (error) {
+		console.error('[Proxy Auth] Middleware error:', error);
+
+		// In log-only mode, allow the request despite errors
+		const authMode = getAuthMode(request, env);
+		if (authMode === 'log-only') {
+			console.log('[Proxy Auth] Log-only mode: allowing request despite error');
+			return await next();
+		}
+		return new Response(SERVER_ERROR_HTML, {
+			status: 500,
+			headers: {
+				'Content-Type': 'text/html',
+				'Cache-Control': 'no-cache, no-store, must-revalidate',
+			},
+		});
+	}
+}

sdk-playground/packages/client/functions/_middleware.ts

@@ -0,0 +1,46 @@
+// HTML templates for error pages
+export const AUTH_REQUIRED_HTML = `<!DOCTYPE html>
+<html>
+<head>
+	<title>Discord Authentication Required</title>
+	<style>
+		body { 
+			font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+			max-width: 600px; 
+			margin: 100px auto; 
+			padding: 20px;
+			text-align: center;
+		}
+		.error { color: #f04747; }
+		.info { color: #5865f2; margin-top: 20px; }
+	</style>
+</head>
+<body>
+	<h1 class="error">🔒 Discord Authentication Required</h1>
+	<p>This application requires Discord proxy authentication.</p>
+	<p>Please access this app through Discord's embedded app system.</p>
+	<p class="info">Add <code>?proxy_auth=log-only</code> to bypass auth for testing.</p>
+</body>
+</html>`;
+
+export const SERVER_ERROR_HTML = `<!DOCTYPE html>
+<html>
+<head>
+	<title>Server Error</title>
+	<style>
+		body { 
+			font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+			max-width: 600px; 
+			margin: 100px auto; 
+			padding: 20px;
+			text-align: center;
+		}
+		.error { color: #f04747; }
+	</style>
+</head>
+<body>
+	<h1 class="error">⚠️ Server Error</h1>
+	<p>An error occurred while validating authentication.</p>
+	<p>Add <code>?proxy_auth=disabled</code> to skip auth for debugging.</p>
+</body>
+</html>`;

sdk-playground/packages/client/functions/templates/index.ts

@@ -25,6 +25,7 @@
     "react-router": "^6.16.0",
     "react-router-dom": "^6.16.0",
     "react-use": "^17.2.4",
+    "shared": "workspace:*",
     "web-vitals": "^3.0.0",
     "zustand": "^4.1.4"
   },

sdk-playground/packages/client/package.json

@@ -46,6 +46,7 @@ import {useState} from 'react';
 import GetActivityInstance from "./pages/GetActivityInstance";
 import CloseActivity from "./pages/CloseActivity";
 import Quests from "./pages/Quests";
+import ProxyAuthExample from "./pages/ProxyAuthExample";
 
 import discordSdk from './discordSdk';
 
@@ -253,6 +254,11 @@ const routes: Record<string, AppRoute> = {
     path: '/quests',
     name: 'Quests',
     component: Quests
+  },
+  proxyAuthExample: {
+    path: '/proxy-auth-example',
+    name: 'Proxy Auth Example',
+    component: ProxyAuthExample
   }
 };
 

sdk-playground/packages/client/src/App.tsx

@@ -13,6 +13,7 @@ export const Navigation = styled(ScrollArea.Root, {
 export const Ul = styled('ul', {
   display: 'flex',
   flexDirection: 'column',
+  paddingBottom: '36px',
 });
 
 export const Li = styled(Link, {