feat: github verification

Author: virtual-designer

prisma/schema.prisma

@@ -162,6 +162,7 @@ model User {
     name                   String?
     username               String
     discordId              String
+    githubId               String?
     guilds                 String[]  @default([])
     password               String
     token                  String?
@@ -234,3 +235,25 @@ model VerificationEntry {
     @@unique([userId, guildId])
     @@map("verification_entries")
 }
+
+model VerificationRecord {
+    id        Int                @id @default(autoincrement())
+    guildId   String
+    userId    String
+    discordId String?
+    githubId  String?
+    googleId  String?
+    email     String?
+    method    VerificationMethod
+    createdAt DateTime           @default(now())
+    updatedAt DateTime           @default(now()) @updatedAt
+
+    @@map("verification_records")
+}
+
+enum VerificationMethod {
+    DISCORD
+    GITHUB
+    GOOGLE
+    EMAIL
+}

src/main/typescript/api/controllers/VerificationController.ts

@@ -6,40 +6,14 @@ import Response from "@framework/api/http/Response";
 import { Inject } from "@framework/container/Inject";
 import type VerificationService from "@main/automod/VerificationService";
 import { env } from "@main/env/env";
+import { VerificationMethod } from "@prisma/client";
 import undici from "undici";
 import { z } from "zod";
 
 class VerificationController extends Controller {
     @Inject("verificationService")
     private readonly verificationService!: VerificationService;
 
-    // FIXME: This is a dummy implementation
-    @Action("GET", "/verify")
-    public async verify(request: Request) {
-        if (!request.query.code) {
-            return new Response({ status: 400, body: { error: "A code to verify is required." } });
-        }
-
-        const result = await this.application
-            .service("verificationService")
-            .verifyByCode(
-                typeof request.query.code === "string"
-                    ? request.query.code
-                    : String(request.query.code)
-            );
-
-        if (!result) {
-            return new Response({ status: 403, body: { error: "Invalid code." } });
-        }
-
-        return new Response({
-            status: 302,
-            headers: {
-                Location: `https://discord.com/channels/${encodeURIComponent(result.guildId)}`
-            }
-        });
-    }
-
     @Action("POST", "/verification/guild")
     @Validate(
         z.object({
@@ -142,7 +116,10 @@ class VerificationController extends Controller {
 
             const result = await this.application
                 .service("verificationService")
-                .verifyWithEntry(entry);
+                .verifyWithEntry(entry, {
+                    discordId: (userData as Record<string, string>).id,
+                    method: VerificationMethod.DISCORD
+                });
 
             if (!result) {
                 return new Response({
@@ -151,6 +128,13 @@ class VerificationController extends Controller {
                 });
             }
 
+            if (result.error === "record_exists") {
+                return new Response({
+                    status: 403,
+                    body: { error: "You cannot use this account to verify." }
+                });
+            }
+
             return new Response({
                 status: 200,
                 body: {
@@ -166,6 +150,127 @@ class VerificationController extends Controller {
             body: { error: "We're unable to verify your Discord Account." }
         });
     }
+
+    @Action("POST", "/challenge/github")
+    @Validate(
+        z.object({
+            code: z.string(),
+            token: z.string()
+        })
+    )
+    public async verifyByGitHub(request: Request) {
+        const { code, token } = request.parsedBody ?? {};
+
+        if (!env.GITHUB_CLIENT_ID || !env.GITHUB_CLIENT_SECRET) {
+            return new Response({
+                status: 403,
+                body: { error: "GitHub OAuth is not supported." }
+            });
+        }
+
+        try {
+            const body = new URLSearchParams({
+                client_id: env.GITHUB_CLIENT_ID,
+                client_secret: env.GITHUB_CLIENT_SECRET,
+                code,
+                redirect_uri: `${env.FRONTEND_URL}/challenge/github`
+            }).toString();
+
+            const tokenResponse = await undici.request(
+                "https://github.com/login/oauth/access_token",
+                {
+                    method: "POST",
+                    body,
+                    headers: {
+                        "Content-Type": "application/x-www-form-urlencoded",
+                        Accept: "application/json"
+                    }
+                }
+            );
+
+            if (tokenResponse.statusCode > 299 || tokenResponse.statusCode < 200) {
+                throw new Error(`Failed to get token: ${tokenResponse.statusCode}`);
+            }
+
+            const oauthData = await tokenResponse.body.json();
+
+            if (typeof oauthData !== "object" || !oauthData) {
+                throw new Error("Invalid token response");
+            }
+
+            const { access_token, token_type, scope } = oauthData as Record<string, string>;
+
+            console.log(oauthData);
+
+            if (!scope.includes("read:user")) {
+                return new Response({
+                    status: 403,
+                    body: { error: "You must authorize the read:user scope." }
+                });
+            }
+
+            const userResponse = await undici.request("https://api.github.com/user", {
+                method: "GET",
+                headers: {
+                    Authorization: `${token_type} ${access_token}`
+                }
+            });
+
+            if (userResponse.statusCode > 299 || userResponse.statusCode < 200) {
+                throw new Error(`Failed to get user info: ${userResponse.statusCode}`);
+            }
+
+            const userData = await userResponse.body.json();
+
+            if (typeof userData !== "object" || !userData) {
+                throw new Error("Invalid user response");
+            }
+
+            const entry = await this.verificationService.getVerificationEntry(token);
+
+            if (!entry || !(userData as Record<string, number>).id || entry.code !== token) {
+                return new Response({
+                    status: 403,
+                    body: { error: "We're unable to verify you, please try again." }
+                });
+            }
+
+            const result = await this.application
+                .service("verificationService")
+                .verifyWithEntry(entry, {
+                    githubId: (userData as Record<string, number>).id?.toString(),
+                    method: VerificationMethod.GITHUB
+                });
+
+            if (!result) {
+                return new Response({
+                    status: 403,
+                    body: { error: "We're unable to verify you, please try again." }
+                });
+            }
+
+            if (result.error === "record_exists") {
+                return new Response({
+                    status: 403,
+                    body: { error: "You cannot use this account to verify." }
+                });
+            }
+
+            return new Response({
+                status: 200,
+                body: {
+                    message: "You have been verified successfully."
+                }
+            });
+        } catch (error) {
+            this.application.logger.error(error);
+        }
+
+        return new Response({
+            status: 403,
+            body: { error: "We're unable to verify your GitHub Account." }
+        });
+    }
 }
 
 export default VerificationController;

src/main/typescript/automod/VerificationService.ts

@@ -3,11 +3,12 @@ import { GatewayEventListener } from "@framework/events/GatewayEventListener";
 import { Name } from "@framework/services/Name";
 import { Service } from "@framework/services/Service";
 import { Events } from "@framework/types/ClientEvents";
-import { fetchMember } from "@framework/utils/entities";
+import { fetchMember, fetchUser } from "@framework/utils/entities";
 import { Colors } from "@main/constants/Colors";
 import { env } from "@main/env/env";
 import type ConfigurationManager from "@main/services/ConfigurationManager";
-import { VerificationEntry } from "@prisma/client";
+import type ModerationActionService from "@main/services/ModerationActionService";
+import { VerificationEntry, VerificationMethod } from "@prisma/client";
 import {
     ActionRowBuilder,
     ButtonBuilder,
@@ -25,6 +26,9 @@ class VerificationService extends Service {
     @Inject("configManager")
     private readonly configManager!: ConfigurationManager;
 
+    @Inject("moderationActionService")
+    private readonly moderationActionService!: ModerationActionService;
+
     private configFor(guildId: Snowflake) {
         return this.configManager.config[guildId]?.member_verification;
     }
@@ -153,23 +157,36 @@ class VerificationService extends Service {
                 }
             });
 
+            const actions = this.configFor(entry.guildId)?.expired_actions;
+            const guild = this.application.client.guilds.cache.get(entry.guildId);
+
+            if (actions?.length && guild) {
+                const memberOrUser =
+                    (await fetchMember(guild, entry.userId)) ??
+                    (await fetchUser(this.application.client, entry.userId));
+
+                if (memberOrUser) {
+                    await this.moderationActionService.takeActions(guild, memberOrUser, actions);
+                }
+            }
+
             return null;
         }
 
         return entry;
     }
 
-    public async verifyByCode(code: string) {
+    public async verifyByCode(code: string, payload: VerificationPayload) {
         const entry = await this.getVerificationEntry(code);
 
         if (!entry) {
             return null;
         }
 
-        return this.verifyWithEntry(entry);
+        return this.verifyWithEntry(entry, payload);
     }
 
-    public async verifyWithEntry(entry: VerificationEntry) {
+    public async verifyWithEntry(entry: VerificationEntry, payload: VerificationPayload) {
         const config = this.configFor(entry.guildId);
 
         if (!config?.enabled) {
@@ -182,6 +199,20 @@ class VerificationService extends Service {
             return null;
         }
 
+        const existingRecord = await this.application.prisma.verificationRecord.findFirst({
+            where: {
+                guildId: guild.id,
+                userId: entry.userId,
+                ...payload
+            }
+        });
+
+        if (existingRecord) {
+            return {
+                error: "record_exists"
+            };
+        }
+
         const member = await fetchMember(guild, entry.userId);
 
         if (!member) {
@@ -202,6 +233,14 @@ class VerificationService extends Service {
             }
         });
 
+        await this.application.prisma.verificationRecord.create({
+            data: {
+                guildId: guild.id,
+                userId: member.id,
+                ...payload
+            }
+        });
+
         await member
             .send({
                 embeds: [
@@ -230,4 +269,12 @@ class VerificationService extends Service {
     }
 }
 
+export type VerificationPayload = {
+    githubId?: string;
+    googleId?: string;
+    discordId?: string;
+    email?: string;
+    method: VerificationMethod;
+};
+
 export default VerificationService;

src/main/typescript/schemas/EnvironmentVariableSchema.ts

@@ -36,7 +36,9 @@ export const EnvironmentVariableSchema = z.object({
         .nullable()
         .transform(value => (value === "null" ? null : value)),
     API_NINJAS_JOKE_API_KEY: z.string().optional(),
-    PIXABAY_TOKEN: z.string().optional()
+    PIXABAY_TOKEN: z.string().optional(),
+    GITHUB_CLIENT_ID: z.string().optional(),
+    GITHUB_CLIENT_SECRET: z.string().optional()
 });
 
 export type EnvironmentVariableRecord = z.infer<typeof EnvironmentVariableSchema>;

src/main/typescript/schemas/GuildConfigSchema.ts

@@ -211,7 +211,7 @@ export const GuildConfigSchema = z.object({
             }),
             unverified_roles: z.array(zSnowflake).default([]),
             verified_roles: z.array(zSnowflake).default([]),
-            failed_actions: z.array(ModerationActionSchema).default([]),
+            expired_actions: z.array(ModerationActionSchema).default([]),
             verification_message: z.string().optional(),
             success_message: z.string().optional(),
             max_duration: z