switch remote auth to competitiongroups token exchange

Author: coder13

netlify/functions/notify-comp-token.js

@@ -8,6 +8,8 @@ const headers = {
 };
 
 const base64Url = (value) => Buffer.from(value).toString('base64url');
+const REMOTE_SCOPE = 'notifycomp.remote';
+const PUSH_SCOPE = 'assignment_notifications';
 
 const signJwt = (claims, secret) => {
   const encodedHeader = base64Url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
@@ -42,7 +44,18 @@ exports.handler = async (event) => {
     };
   }
 
-  const { accessToken } = JSON.parse(event.body || '{}');
+  let body;
+  try {
+    body = JSON.parse(event.body || '{}');
+  } catch {
+    return {
+      statusCode: 400,
+      headers,
+      body: JSON.stringify({ message: 'Invalid JSON body' }),
+    };
+  }
+
+  const { accessToken, competitionId, scope } = body;
   if (!accessToken) {
     return {
       statusCode: 400,
@@ -75,14 +88,28 @@ exports.handler = async (event) => {
     };
   }
 
+  const tokenScope = scope === REMOTE_SCOPE ? REMOTE_SCOPE : PUSH_SCOPE;
+  if (tokenScope === REMOTE_SCOPE && !competitionId) {
+    return {
+      statusCode: 400,
+      headers,
+      body: JSON.stringify({ message: 'Missing competition ID for remote token' }),
+    };
+  }
+
   const now = Math.floor(Date.now() / 1000);
   const token = signJwt(
     {
       aud: process.env.COMPETITION_GROUPS_JWT_AUDIENCE || 'notifycomp',
+      competitionIds: tokenScope === REMOTE_SCOPE ? [competitionId] : undefined,
       exp: now + 10 * 60,
       iat: now,
       iss: process.env.COMPETITION_GROUPS_JWT_ISSUER || 'competitiongroups.com',
+      name: me.name,
+      scope: tokenScope,
+      scopes: [tokenScope],
       sub: `wca:${me.id}`,
+      wcaUserId: me.id,
       wcaUserIds: [me.id],
     },
     secret,

src/lib/notifications/assignmentNotifications.ts

@@ -1,4 +1,5 @@
 import { deleteLocalStorage, getLocalStorage, setLocalStorage } from '@/lib/localStorage';
+import { getStoredWcaAccessToken } from '@/lib/wcaAccessToken';
 
 const NOTIFY_COMP_ORIGIN =
   import.meta.env.VITE_NOTIFY_COMP_ORIGIN ?? 'https://api.notifycomp.com/api';
@@ -26,17 +27,6 @@ const notifyCompUrl = (path: string) => `${NOTIFY_COMP_ORIGIN}${path}`;
 export const isAssignmentNotificationsEnabled = () =>
   getLocalStorage(ENABLED_STORAGE_KEY) === 'true';
 
-const getAccessToken = () => {
-  const expiresAt = Number(getLocalStorage('expirationTime') ?? 0);
-  const accessToken = getLocalStorage('accessToken');
-
-  if (!accessToken || !expiresAt || expiresAt <= Date.now()) {
-    return null;
-  }
-
-  return accessToken;
-};
-
 const toUint8Array = (base64: string) => {
   const padding = '='.repeat((4 - (base64.length % 4)) % 4);
   const normalized = `${base64}${padding}`.replace(/-/g, '+').replace(/_/g, '/');
@@ -59,7 +49,7 @@ export const getAssignmentNotificationStatus = (): AssignmentNotificationStatus
     return 'unsupported';
   }
 
-  if (!getAccessToken()) {
+  if (!getStoredWcaAccessToken()) {
     return 'reauthorize';
   }
 
@@ -90,7 +80,7 @@ const readErrorMessage = async (response: Response) => {
 };
 
 const fetchNotifyCompToken = async () => {
-  const accessToken = getAccessToken();
+  const accessToken = getStoredWcaAccessToken();
   if (!accessToken) {
     throw new Error('Refresh your WCA authorization to enable assignment notifications.');
   }

src/lib/notifyCompRemoteAuth.ts

@@ -1,13 +1,15 @@
 import { deleteLocalStorage, getLocalStorage, setLocalStorage } from './localStorage';
 
 const REMOTE_JWT_KEY = 'notifyComp.jwt';
-const REMOTE_AUTH_PENDING_KEY = 'notifyComp.authPending';
-const REMOTE_REDIRECT_PATH_KEY = 'notifyComp.redirectPath';
 
 interface JwtClaims {
+  competitionIds?: string[];
   exp?: number;
-  name?: string;
   id?: number;
+  name?: string;
+  scope?: string | string[];
+  scopes?: string[];
+  wcaUserId?: number;
 }
 
 const decodeJwtPayload = (token: string): JwtClaims | null => {
@@ -44,25 +46,19 @@ export const getNotifyCompRemoteClaims = () => {
   return token ? decodeJwtPayload(token) : null;
 };
 
+export const hasNotifyCompRemoteTokenForCompetition = (competitionId: string) => {
+  const claims = getNotifyCompRemoteClaims();
+  if (!claims) {
+    return false;
+  }
+
+  return claims.competitionIds?.includes(competitionId) ?? false;
+};
+
 export const setNotifyCompRemoteToken = (token: string) => {
   setLocalStorage(REMOTE_JWT_KEY, token);
 };
 
 export const clearNotifyCompRemoteToken = () => {
   deleteLocalStorage(REMOTE_JWT_KEY);
 };
-
-export const setNotifyCompRemoteAuthPending = (redirectPath: string) => {
-  setLocalStorage(REMOTE_AUTH_PENDING_KEY, 'true');
-  setLocalStorage(REMOTE_REDIRECT_PATH_KEY, redirectPath);
-};
-
-export const isNotifyCompRemoteAuthPending = () =>
-  getLocalStorage(REMOTE_AUTH_PENDING_KEY) === 'true';
-
-export const consumeNotifyCompRemoteRedirectPath = () => {
-  const redirectPath = getLocalStorage(REMOTE_REDIRECT_PATH_KEY) || '/';
-  deleteLocalStorage(REMOTE_AUTH_PENDING_KEY);
-  deleteLocalStorage(REMOTE_REDIRECT_PATH_KEY);
-  return redirectPath;
-};

src/lib/remoteConfig.ts

@@ -9,6 +9,3 @@ export const NOTIFYCOMP_API_ORIGIN = NOTIFYCOMP_GRAPHQL_ORIGIN.replace(/\/graphq
 
 export const NOTIFYCOMP_WS_ORIGIN =
   import.meta.env.VITE_NOTIFYCOMP_WS_ORIGIN || 'wss://api.notifycomp.com/api/graphql';
-
-export const NOTIFYCOMP_AUTH_ORIGIN =
-  import.meta.env.VITE_NOTIFYCOMP_AUTH_ORIGIN || NOTIFYCOMP_API_ORIGIN;

src/lib/wcaAccessToken.ts

@@ -0,0 +1,12 @@
+import { getLocalStorage } from './localStorage';
+
+export const getStoredWcaAccessToken = () => {
+  const expiresAt = Number(getLocalStorage('expirationTime') ?? 0);
+  const accessToken = getLocalStorage('accessToken');
+
+  if (!accessToken || !expiresAt || expiresAt <= Date.now()) {
+    return null;
+  }
+
+  return accessToken;
+};

src/pages/Competition/Remote/index.tsx

@@ -33,9 +33,12 @@ export default function CompetitionRemote() {
 
   const rooms = useMemo(() => (wcif ? getRooms(wcif) : []), [wcif]);
   const roomId = selectedRoomId === 'all' ? undefined : selectedRoomId;
+  const isRemoteAuthenticated = competitionId
+    ? remoteAuth.isAuthenticatedForCompetition(competitionId)
+    : false;
   const remote = useNotifyCompRemoteActivities({
     competitionId: competitionId || '',
-    enabled: remoteAuth.isAuthenticated,
+    enabled: isRemoteAuthenticated,
     roomId,
   });
 
@@ -120,16 +123,22 @@ export default function CompetitionRemote() {
 
         {remoteAuth.error && <NoteBox prefix="Remote sign in" text={remoteAuth.error} />}
 
-        {!remoteAuth.isAuthenticated ? (
+        {!isRemoteAuthenticated ? (
           <div className="space-y-4 rounded border border-tertiary-weak bg-panel p-4 shadow-md shadow-tertiary-dark">
             <div className="space-y-2">
-              <h2 className="type-heading">Remote sign in</h2>
+              <h2 className="type-heading">Remote authorization</h2>
               <p className="type-body-sm text-subtle">
-                Sign in with NotifyComp Remote to start, stop, reset, or auto-advance activities.
+                Authorize this competition with your WCA account to start, stop, reset, or
+                auto-advance activities.
               </p>
             </div>
-            <Button type="button" disabled={remoteAuth.authenticating} onClick={remoteAuth.signIn}>
-              {remoteAuth.authenticating ? 'Signing in...' : 'Sign in for remote control'}
+            <Button
+              type="button"
+              disabled={remoteAuth.authenticating}
+              onClick={() => {
+                void remoteAuth.signIn(competitionId);
+              }}>
+              {remoteAuth.authenticating ? 'Authorizing...' : 'Authorize remote control'}
             </Button>
           </div>
         ) : (

src/providers/NotifyCompRemoteAuthProvider/NotifyCompRemoteAuthContext.tsx

@@ -3,17 +3,19 @@ import { createContext, useContext } from 'react';
 export interface NotifyCompRemoteAuthContextValue {
   authenticating: boolean;
   error: string | null;
+  isAuthenticatedForCompetition: (competitionId: string) => boolean;
   isAuthenticated: boolean;
-  signIn: () => void;
+  signIn: (competitionId: string) => Promise<void>;
   signOut: () => void;
   userName?: string;
 }
 
 export const NotifyCompRemoteAuthContext = createContext<NotifyCompRemoteAuthContextValue>({
   authenticating: false,
   error: null,
+  isAuthenticatedForCompetition: () => false,
   isAuthenticated: false,
-  signIn: () => {},
+  signIn: async () => {},
   signOut: () => {},
 });
 

src/providers/NotifyCompRemoteAuthProvider/NotifyCompRemoteAuthProvider.tsx

@@ -1,17 +1,18 @@
-import { PropsWithChildren, useCallback, useEffect, useMemo, useState } from 'react';
-import { useLocation, useNavigate } from 'react-router-dom';
+import { PropsWithChildren, useCallback, useMemo, useState } from 'react';
 import {
   clearNotifyCompRemoteToken,
-  consumeNotifyCompRemoteRedirectPath,
   getNotifyCompRemoteClaims,
   getNotifyCompRemoteToken,
-  isNotifyCompRemoteAuthPending,
-  setNotifyCompRemoteAuthPending,
+  hasNotifyCompRemoteTokenForCompetition,
   setNotifyCompRemoteToken,
 } from '@/lib/notifyCompRemoteAuth';
-import { NOTIFYCOMP_AUTH_ORIGIN } from '@/lib/remoteConfig';
+import { getStoredWcaAccessToken } from '@/lib/wcaAccessToken';
+import { useAuth } from '../AuthProvider';
 import { NotifyCompRemoteAuthContext } from './NotifyCompRemoteAuthContext';
 
+const NOTIFY_COMP_TOKEN_URL = '/.netlify/functions/notify-comp-token';
+const REMOTE_SCOPE = 'notifycomp.remote';
+
 const readErrorMessage = async (response: Response) => {
   const text = await response.text();
 
@@ -27,82 +28,67 @@ export function NotifyCompRemoteAuthProvider({ children }: PropsWithChildren) {
   const [token, setToken] = useState(getNotifyCompRemoteToken);
   const [authenticating, setAuthenticating] = useState(false);
   const [error, setError] = useState<string | null>(null);
-  const location = useLocation();
-  const navigate = useNavigate();
-
-  const signIn = useCallback(() => {
-    const redirectPath = `${window.location.pathname}${window.location.search}${window.location.hash}`;
-    setNotifyCompRemoteAuthPending(redirectPath);
-    setError(null);
-
-    const params = new URLSearchParams({
-      redirect_uri: window.location.href,
-    });
-
-    window.location.href = `${NOTIFYCOMP_AUTH_ORIGIN}/auth/wca?${params.toString()}`;
-  }, []);
-
-  const signOut = useCallback(() => {
-    clearNotifyCompRemoteToken();
-    setToken(null);
-  }, []);
-
-  useEffect(() => {
-    const params = new URLSearchParams(location.search);
-    const code = params.get('code');
+  const { signIn: signInWithWca } = useAuth();
+
+  const signIn = useCallback(
+    async (competitionId: string) => {
+      setError(null);
+      const accessToken = getStoredWcaAccessToken();
+
+      if (!accessToken) {
+        signInWithWca();
+        return;
+      }
+
+      setAuthenticating(true);
+
+      try {
+        const response = await fetch(NOTIFY_COMP_TOKEN_URL, {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+          },
+          body: JSON.stringify({
+            accessToken,
+            competitionId,
+            scope: REMOTE_SCOPE,
+          }),
+        });
 
-    if (!code || !isNotifyCompRemoteAuthPending()) {
-      return;
-    }
-
-    setAuthenticating(true);
-    setError(null);
-
-    const callbackParams = new URLSearchParams({
-      code,
-      redirect_uri: window.location.href,
-    });
-
-    fetch(`${NOTIFYCOMP_AUTH_ORIGIN}/auth/wca/callback?${callbackParams.toString()}`)
-      .then(async (response) => {
         if (!response.ok) {
           throw new Error(await readErrorMessage(response));
         }
 
-        return (await response.json()) as { jwt?: string };
-      })
-      .then(({ jwt }) => {
-        if (!jwt) {
-          throw new Error('NotifyComp did not return a remote session token.');
+        const payload = (await response.json()) as { token?: string };
+        if (!payload.token) {
+          throw new Error('Remote token response was missing a token.');
         }
 
-        setNotifyCompRemoteToken(jwt);
-        setToken(jwt);
-
-        const nextParams = new URLSearchParams(location.search);
-        nextParams.delete('code');
-        const query = nextParams.toString();
-        const fallbackPath = `${location.pathname}${query ? `?${query}` : ''}${location.hash}`;
-        const redirectPath = consumeNotifyCompRemoteRedirectPath() || fallbackPath;
-        navigate(redirectPath, { replace: true });
-      })
-      .catch((err) => {
-        setError(err instanceof Error ? err.message : 'Unable to sign in to NotifyComp Remote.');
+        setNotifyCompRemoteToken(payload.token);
+        setToken(payload.token);
+      } catch (err) {
+        setError(err instanceof Error ? err.message : 'Unable to authorize NotifyComp Remote.');
         clearNotifyCompRemoteToken();
         setToken(null);
-        consumeNotifyCompRemoteRedirectPath();
-      })
-      .finally(() => {
+      } finally {
         setAuthenticating(false);
-      });
-  }, [location, navigate]);
+      }
+    },
+    [signInWithWca],
+  );
+
+  const signOut = useCallback(() => {
+    clearNotifyCompRemoteToken();
+    setToken(null);
+  }, []);
 
   const claims = token ? getNotifyCompRemoteClaims() : null;
 
   const value = useMemo(
     () => ({
       authenticating,
       error,
+      isAuthenticatedForCompetition: hasNotifyCompRemoteTokenForCompetition,
       isAuthenticated: Boolean(token),
       signIn,
       signOut,

src/vite-env.d.ts

@@ -6,7 +6,6 @@ declare const __GIT_TAG__: string;
 
 interface ImportMetaEnv {
   readonly VITE_NOTIFY_COMP_ORIGIN?: string;
-  readonly VITE_NOTIFYCOMP_AUTH_ORIGIN?: string;
   readonly VITE_NOTIFYCOMP_API_ORIGIN?: string;
   readonly VITE_NOTIFYCOMP_WS_ORIGIN?: string;
 }