Added Sign In with Apple

2026-04-05 17:33:31 -04:00 · 2026-02-13 00:57:44 -05:00
parent a12c7d011a
commit ac6ec051d4
14 changed files with 658 additions and 48 deletions
--- a/src/routes/auth/apple/+page.server.ts
+++ b/src/routes/auth/apple/+page.server.ts
@@ -0,0 +1,27 @@
+import { redirect } from '@sveltejs/kit';
+import type { Actions } from './$types';
+import { getAppleAuthUrl } from '$lib/server/apple-auth';
+import { encodeBase64url } from '@oslojs/encoding';
+
+export const actions: Actions = {
+	default: async ({ cookies, request }) => {
+		const data = await request.formData();
+		const anonymousId = data.get('anonymousId')?.toString() || '';
+
+		// Generate CSRF state
+		const stateBytes = crypto.getRandomValues(new Uint8Array(16));
+		const state = encodeBase64url(stateBytes);
+
+		// Store state + anonymousId in a short-lived cookie
+		// sameSite 'none' + secure required because Apple POSTs cross-origin
+		cookies.set('apple_oauth_state', JSON.stringify({ state, anonymousId }), {
+			path: '/',
+			httpOnly: true,
+			secure: true,
+			sameSite: 'none',
+			maxAge: 600
+		});
+
+		redirect(302, getAppleAuthUrl(state));
+	}
+};
--- a/src/routes/auth/apple/callback/+server.ts
+++ b/src/routes/auth/apple/callback/+server.ts
@@ -0,0 +1,123 @@
+import { redirect, error } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { exchangeAppleCode, decodeAppleIdToken } from '$lib/server/apple-auth';
+import { env as publicEnv } from '$env/dynamic/public';
+import * as auth from '$lib/server/auth';
+import { db } from '$lib/server/db';
+import { user as userTable } from '$lib/server/db/schema';
+import { eq } from 'drizzle-orm';
+
+export const POST: RequestHandler = async ({ request, cookies }) => {
+	const formData = await request.formData();
+	const code = formData.get('code')?.toString();
+	const state = formData.get('state')?.toString();
+	// Apple sends user info as JSON string on FIRST authorization only
+	const userInfoStr = formData.get('user')?.toString();
+
+	// Validate CSRF state
+	const storedRaw = cookies.get('apple_oauth_state');
+	if (!storedRaw || !state || !code) {
+		throw error(400, 'Invalid OAuth callback');
+	}
+	const stored = JSON.parse(storedRaw) as { state: string; anonymousId: string };
+	if (stored.state !== state) {
+		throw error(400, 'State mismatch');
+	}
+	cookies.delete('apple_oauth_state', { path: '/' });
+
+	// Exchange authorization code for tokens
+	const tokens = await exchangeAppleCode(code, `${publicEnv.PUBLIC_SITE_URL}/auth/apple/callback`);
+	const claims = decodeAppleIdToken(tokens.id_token);
+	const appleId = claims.sub;
+
+	// Parse user info (only present on first authorization)
+	let appleFirstName: string | undefined;
+	let appleLastName: string | undefined;
+	if (userInfoStr) {
+		try {
+			const userInfo = JSON.parse(userInfoStr);
+			appleFirstName = userInfo.name?.firstName;
+			appleLastName = userInfo.name?.lastName;
+		} catch {
+			/* ignore parse errors */
+		}
+	}
+
+	// --- User resolution ---
+	let userId: string;
+
+	// 1. Check if a user with this appleId already exists (returning user)
+	const existingAppleUser = await auth.getUserByAppleId(appleId);
+
+	if (existingAppleUser) {
+		userId = existingAppleUser.id;
+		await auth.migrateAnonymousStats(stored.anonymousId, userId);
+	} else if (claims.email) {
+		// 2. Check if email matches an existing email/password user
+		const existingEmailUser = await auth.getUserByEmail(claims.email);
+		if (existingEmailUser) {
+			// Link Apple account to existing user
+			await db.update(userTable).set({ appleId }).where(eq(userTable.id, existingEmailUser.id));
+			userId = existingEmailUser.id;
+			await auth.migrateAnonymousStats(stored.anonymousId, userId);
+		} else {
+			// 3. Brand new user — use anonymousId as user ID to preserve local stats
+			userId = stored.anonymousId || crypto.randomUUID();
+			try {
+				await db.insert(userTable).values({
+					id: userId,
+					email: claims.email,
+					passwordHash: null,
+					appleId,
+					firstName: appleFirstName || null,
+					lastName: appleLastName || null,
+					isPrivate: false
+				});
+			} catch (e: any) {
+				// Handle race condition: if appleId was inserted between our check and insert
+				if (e?.message?.includes('UNIQUE constraint')) {
+					const retryUser = await auth.getUserByAppleId(appleId);
+					if (retryUser) {
+						userId = retryUser.id;
+					} else {
+						throw error(500, 'Failed to create user');
+					}
+				} else {
+					throw e;
+				}
+			}
+		}
+	} else {
+		// No email from Apple — create account with appleId only
+		userId = stored.anonymousId || crypto.randomUUID();
+		try {
+			await db.insert(userTable).values({
+				id: userId,
+				email: null,
+				passwordHash: null,
+				appleId,
+				firstName: appleFirstName || null,
+				lastName: appleLastName || null,
+				isPrivate: false
+			});
+		} catch (e: any) {
+			if (e?.message?.includes('UNIQUE constraint')) {
+				const retryUser = await auth.getUserByAppleId(appleId);
+				if (retryUser) {
+					userId = retryUser.id;
+				} else {
+					throw error(500, 'Failed to create user');
+				}
+			} else {
+				throw e;
+			}
+		}
+	}
+
+	// Create session
+	const sessionToken = auth.generateSessionToken();
+	const session = await auth.createSession(sessionToken, userId);
+	auth.setSessionTokenCookie({ cookies } as any, sessionToken, session.expiresAt);
+
+	redirect(302, '/');
+};
--- a/src/routes/auth/signin/+page.server.ts
+++ b/src/routes/auth/signin/+page.server.ts
@@ -1,9 +1,6 @@
-import { redirect, fail } from '@sveltejs/kit';
+import { fail } from '@sveltejs/kit';
 import type { Actions } from './$types';
 import * as auth from '$lib/server/auth';
-import { db } from '$lib/server/db';
-import { dailyCompletions } from '$lib/server/db/schema';
-import { eq, inArray } from 'drizzle-orm';

 export const actions: Actions = {
 	default: async ({ request, cookies }) => {
@@ -40,49 +37,7 @@ export const actions: Actions = {
 			}

 			// Migrate anonymous stats if different anonymous ID
-			if (anonymousId && anonymousId !== user.id) {
-				try {
-					// Get completions for both the anonymous ID and the user ID
-					const anonCompletions = await db
-						.select()
-						.from(dailyCompletions)
-						.where(eq(dailyCompletions.anonymousId, anonymousId));
-
-					const userCompletions = await db
-						.select()
-						.from(dailyCompletions)
-						.where(eq(dailyCompletions.anonymousId, user.id));
-
-					// Create a set of dates the user already has completions for
-					const userDates = new Set(userCompletions.map(c => c.date));
-
-					let migrated = 0;
-					let skipped = 0;
-
-					// Migrate only non-conflicting completions
-					for (const completion of anonCompletions) {
-						if (!userDates.has(completion.date)) {
-							// No conflict - safe to migrate
-							await db
-								.update(dailyCompletions)
-								.set({ anonymousId: user.id })
-								.where(eq(dailyCompletions.id, completion.id));
-							migrated++;
-						} else {
-							// Conflict exists - delete the anonymous completion (keep user's existing one)
-							await db
-								.delete(dailyCompletions)
-								.where(eq(dailyCompletions.id, completion.id));
-							skipped++;
-						}
-					}
-
-					console.log(`Migration complete: ${migrated} moved, ${skipped} duplicates removed`);
-				} catch (error) {
-					console.error('Error migrating anonymous stats:', error);
-					// Don't fail the signin if stats migration fails
-				}
-			}
+			await auth.migrateAnonymousStats(anonymousId, user.id);

 			// Create session
 			const sessionToken = auth.generateSessionToken();