Merge OAuth init endpoints and change to POST

hhvrc · hhvrc · commit 49bb4fd6f0b7 · 2025-09-16T15:30:58.000+02:00
diff --git a/API/Controller/Account/Authenticated/OAuthConnectionAdd.cs b/API/Controller/Account/Authenticated/OAuthConnectionAdd.cs
diff --git a/API/Controller/OAuth/Authorize.cs b/API/Controller/OAuth/Authorize.cs
@@ -10,29 +10,36 @@ namespace OpenShock.API.Controller.OAuth;
 public sealed partial class OAuthController
 {
     /// <summary>
-    /// Start OAuth authorization for a given provider (login-or-create flow).
+    /// Start OAuth authorization for a given provider with the specified flow.
     /// </summary>
     /// <remarks>
-    /// Initiates an OAuth challenge in "login-or-create" mode.  
     /// Returns <c>302</c> redirect to the provider authorization page.
     /// </remarks>
     /// <param name="provider">Provider key (e.g. <c>discord</c>).</param>
+    /// <param name="flow">Flow to run</param>
     /// <response code="302">Redirect to the provider authorization page.</response>
     /// <response code="400">Unsupported or misconfigured provider.</response>
     [EnableRateLimiting("auth")]
-    [HttpGet("{provider}/authorize")]
+    [HttpPost("{provider}/authorize")]
     [ProducesResponseType(StatusCodes.Status302Found)]
     [ProducesResponseType<OpenShockProblem>(StatusCodes.Status400BadRequest, MediaTypeNames.Application.Json)]
-    public async Task<IActionResult> OAuthAuthorize([FromRoute] string provider)
+    public async Task<IActionResult> OAuthAuthorize([FromRoute] string provider, [FromQuery] OAuthFlow flow)
     {
         if (!await _schemeProvider.IsSupportedOAuthScheme(provider))
             return Problem(OAuthError.UnsupportedProvider);
 
-        if (User.HasOpenShockUserIdentity())
+        switch (flow)
         {
-            return Problem(OAuthError.AnonymousOnlyEndpoint);
+            case OAuthFlow.LoginOrCreate:
+                if (User.HasOpenShockUserIdentity()) return Problem(OAuthError.FlowRequiresAnonymous);
+                break;
+            case OAuthFlow.Link:
+                if (!User.HasOpenShockUserIdentity()) return Problem(OAuthError.FlowRequiresAuthenticatedUser);
+                break;
+            default:
+                return Problem(OAuthError.UnsupportedFlow);
         }
 
-        return OAuthUtil.StartOAuth(provider, OAuthFlow.LoginOrCreate);
+        return OAuthUtil.StartOAuth(provider, flow);
     }
 }
diff --git a/API/Controller/OAuth/SignupFinalize.cs b/API/Controller/OAuth/SignupFinalize.cs
@@ -61,7 +61,7 @@ public async Task<IActionResult> OAuthSignupFinalize(
         
         if (User.HasOpenShockUserIdentity())
         {
-            return Problem(OAuthError.AnonymousOnlyEndpoint);
+            return Problem(OAuthError.FlowRequiresAnonymous);
         }
 
         // 1) Defense-in-depth: ensure the flow’s provider matches the route
diff --git a/API/Controller/OAuth/SignupGetData.cs b/API/Controller/OAuth/SignupGetData.cs
@@ -32,7 +32,7 @@ public async Task<IActionResult> OAuthSignupGetData([FromRoute] string provider)
     {
         if (User.HasOpenShockUserIdentity())
         {
-            return Problem(OAuthError.AnonymousOnlyEndpoint);
+            return Problem(OAuthError.FlowRequiresAnonymous);
         }
         
         var result = await ValidateOAuthFlowAsync();
diff --git a/API/OAuth/OAuthError.cs b/API/OAuth/OAuthError.cs
@@ -27,10 +27,15 @@ public static class OAuthError
         "This OAuth flow differs from the flow the oauth flow started with",
         HttpStatusCode.Forbidden);
 
-    public static OpenShockProblem AnonymousOnlyEndpoint => new(
-        "OAuth.Flow.AnonymousOnlyEndpoint",
+    public static OpenShockProblem FlowRequiresAnonymous => new(
+        "OAuth.Flow.AnonymousOnly",
         "You must be signed out to call this endpoint",
-        HttpStatusCode.Unauthorized);
+        HttpStatusCode.BadRequest);
+
+    public static OpenShockProblem FlowRequiresAuthenticatedUser => new(
+        "OAuth.Link.AuthenticatedUserOnly",
+        "You must be signed in to link an external account",
+        HttpStatusCode.BadRequest);
 
     public static OpenShockProblem FlowNotFound => new(
         "OAuth.Flow.NotFound",
@@ -53,11 +58,6 @@ public static class OAuthError
         "This external account is already linked to another user",
         HttpStatusCode.Conflict);
 
-    public static OpenShockProblem NotAuthenticatedForLink => new(
-        "OAuth.Link.NotAuthenticated",
-        "You must be signed in to link an external account",
-        HttpStatusCode.Unauthorized);
-
     // Misc / generic
     public static OpenShockProblem InternalError => new(
         "OAuth.InternalError",

Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ public async Task<IActionResult> OAuthSignupFinalize(`
`61`	`61`
`62`	`62`	`if (User.HasOpenShockUserIdentity())`
`63`	`63`	`{`
`64`		`- return Problem(OAuthError.AnonymousOnlyEndpoint);`
	`64`	`+ return Problem(OAuthError.FlowRequiresAnonymous);`
`65`	`65`	`}`
`66`	`66`
`67`	`67`	`// 1) Defense-in-depth: ensure the flow’s provider matches the route`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ public async Task<IActionResult> OAuthSignupGetData([FromRoute] string provider)`
`32`	`32`	`{`
`33`	`33`	`if (User.HasOpenShockUserIdentity())`
`34`	`34`	`{`
`35`		`- return Problem(OAuthError.AnonymousOnlyEndpoint);`
	`35`	`+ return Problem(OAuthError.FlowRequiresAnonymous);`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`var result = await ValidateOAuthFlowAsync();`