feat: replace password login with OIDC PKCE flow

services/auth.ts

@@ -0,0 +1,91 @@
+import * as Crypto from 'expo-crypto';
+import * as WebBrowser from 'expo-web-browser';
+import { makeRedirectUri } from 'expo-auth-session';
+import { setSetting } from '@/db/queries';
+import { type SQLiteDatabase } from 'expo-sqlite';
+
+const ISSUER = 'https://bincio.org';
+const CLIENT_ID = 'bincio-autarchive';
+const REDIRECT_URI = makeRedirectUri({ scheme: 'bincio', path: 'oauth' });
+
+async function generateVerifier(): Promise<string> {
+  const bytes = await Crypto.getRandomBytesAsync(32);
+  return btoa(String.fromCharCode(...bytes))
+    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+
+async function deriveChallenge(verifier: string): Promise<string> {
+  const digest = await Crypto.digestStringAsync(
+    Crypto.CryptoDigestAlgorithm.SHA256,
+    verifier,
+    { encoding: Crypto.CryptoEncoding.BASE64 },
+  );
+  return digest.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+
+export interface LoginResult {
+  ok: boolean;
+  displayName?: string;
+  error?: string;
+}
+
+export async function login(db: SQLiteDatabase): Promise<LoginResult> {
+  const verifier  = await generateVerifier();
+  const challenge = await deriveChallenge(verifier);
+
+  const authUrl = `${ISSUER}/oauth2/authorize?` + new URLSearchParams({
+    client_id:             CLIENT_ID,
+    redirect_uri:          REDIRECT_URI,
+    response_type:         'code',
+    scope:                 'openid profile',
+    code_challenge:        challenge,
+    code_challenge_method: 'S256',
+  });
+
+  const result = await WebBrowser.openAuthSessionAsync(authUrl, REDIRECT_URI);
+  if (result.type !== 'success') {
+    return { ok: false, error: result.type === 'cancel' ? 'Cancelled' : 'Browser error' };
+  }
+
+  const code = new URL(result.url).searchParams.get('code');
+  if (!code) return { ok: false, error: 'No code in redirect' };
+
+  const tokenResp = await fetch(`${ISSUER}/oauth2/token`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: new URLSearchParams({
+      grant_type:    'authorization_code',
+      code,
+      redirect_uri:  REDIRECT_URI,
+      client_id:     CLIENT_ID,
+      code_verifier: verifier,
+    }).toString(),
+  });
+
+  if (!tokenResp.ok) {
+    const text = await tokenResp.text().catch(() => '');
+    return { ok: false, error: `Token exchange failed: ${text}` };
+  }
+
+  const tokenData = await tokenResp.json();
+  const idToken: string = tokenData.id_token;
+  if (!idToken) return { ok: false, error: 'No id_token in response' };
+
+  const payload = JSON.parse(atob(idToken.split('.')[1].replace(/-/g, '+').replace(/_/g, '/')));
+
+  await Promise.all([
+    setSetting(db, 'instance_url', ISSUER),
+    setSetting(db, 'handle', payload.sub ?? ''),
+    setSetting(db, 'api_token', idToken),
+  ]);
+
+  return { ok: true, displayName: payload.name ?? payload.preferred_username };
+}
+
+export async function logout(db: SQLiteDatabase): Promise<void> {
+  await Promise.all([
+    setSetting(db, 'instance_url', ''),
+    setSetting(db, 'handle', ''),
+    setSetting(db, 'api_token', ''),
+  ]);
+}