feat(auth:sync): introduce registerWithAuth to enable desktop client registration from external process (OIDC)

johaven · johaven · commit b6525ecd8b5e · 2026-02-02T23:32:22.000+01:00
diff --git a/backend/src/applications/sync/constants/routes.ts b/backend/src/applications/sync/constants/routes.ts
@@ -12,6 +12,7 @@ export const SYNC_ROUTE = {
   HANDSHAKE: 'handshake',
   REGISTER: 'register',
   UNREGISTER: 'unregister',
+  REGISTER_AUTH: 'register/auth',
   APP_STORE: 'app-store',
   AUTH: 'auth',
   CLIENTS: 'clients',
@@ -23,3 +24,4 @@ export const SYNC_ROUTE = {
 
 export const API_SYNC_AUTH_COOKIE = `${SYNC_ROUTE.BASE}/${SYNC_ROUTE.AUTH}/cookie`
 export const API_SYNC_CLIENTS = `${SYNC_ROUTE.BASE}/${SYNC_ROUTE.CLIENTS}`
+export const API_SYNC_REGISTER_AUTH = `${SYNC_ROUTE.BASE}/${SYNC_ROUTE.REGISTER_AUTH}`
diff --git a/backend/src/applications/sync/dtos/sync-client-auth.dto.ts b/backend/src/applications/sync/dtos/sync-client-auth.dto.ts
@@ -4,8 +4,8 @@
  * See the LICENSE file for licensing details
  */
 
-import { IsDefined, IsNotEmpty, IsNotEmptyObject, IsObject, IsString, IsUUID } from 'class-validator'
-import { SyncClientInfo } from '../interfaces/sync-client.interface'
+import { IsBoolean, IsDefined, IsNotEmpty, IsNotEmptyObject, IsObject, IsOptional, IsString, IsUUID } from 'class-validator'
+import type { SyncClientInfo } from '../interfaces/sync-client.interface'
 
 export class SyncClientAuthDto {
   @IsNotEmpty()
@@ -22,4 +22,8 @@ export class SyncClientAuthDto {
   @IsNotEmptyObject()
   @IsObject()
   info: SyncClientInfo
+
+  @IsOptional()
+  @IsBoolean()
+  tokenHasExpired?: boolean
 }
diff --git a/backend/src/applications/sync/dtos/sync-client-registration.dto.ts b/backend/src/applications/sync/dtos/sync-client-registration.dto.ts
@@ -28,5 +28,17 @@ export class SyncClientRegistrationDto {
   @IsDefined()
   @IsNotEmptyObject()
   @IsObject()
-  info: SyncClientInfo
+  info: SyncClientInfo // TODO: create a DTO for validation
+}
+
+export class SyncClientAuthRegistrationDto {
+  @IsOptional()
+  @IsString()
+  @IsUUID()
+  clientId?: string
+
+  @IsDefined()
+  @IsNotEmptyObject()
+  @IsObject()
+  info: SyncClientInfo // TODO: create a DTO for validation
 }
diff --git a/backend/src/applications/sync/interfaces/sync-client-auth.interface.ts b/backend/src/applications/sync/interfaces/sync-client-auth.interface.ts
@@ -4,15 +4,14 @@
  * See the LICENSE file for licensing details
  */
 
-import { LoginResponseDto } from '../../../authentication/dto/login-response.dto'
-import { TokenResponseDto } from '../../../authentication/dto/token-response.dto'
+import type { LoginResponseDto } from '../../../authentication/dto/login-response.dto'
+import type { TokenResponseDto } from '../../../authentication/dto/token-response.dto'
 
-export class ClientAuthCookieDto extends LoginResponseDto {
-  // send the new client token
-  client_token_update?: string
-}
+// send the new client token
+export type SyncClientAuthCookie = LoginResponseDto & { client_token_update?: string }
+export type SyncClientAuthToken = TokenResponseDto & { client_token_update?: string }
 
-export class ClientAuthTokenDto extends TokenResponseDto {
-  // send the new client token
-  client_token_update?: string
+export interface SyncClientAuthRegistration {
+  clientId: string
+  clientToken: string
 }
diff --git a/backend/src/applications/sync/interfaces/sync-client.interface.ts b/backend/src/applications/sync/interfaces/sync-client.interface.ts
@@ -4,7 +4,7 @@
  * See the LICENSE file for licensing details
  */
 
-import { SYNC_CLIENT_TYPE } from '../constants/sync'
+import type { SYNC_CLIENT_TYPE } from '../constants/sync'
 
 export interface SyncClientInfo {
   node: string
diff --git a/backend/src/applications/sync/services/sync-clients-manager.service.ts b/backend/src/applications/sync/services/sync-clients-manager.service.ts
@@ -12,6 +12,7 @@ import crypto from 'node:crypto'
 import fs from 'node:fs/promises'
 import path from 'node:path'
 import { AuthManager } from '../../../authentication/auth.service'
+import { FastifyAuthenticatedRequest } from '../../../authentication/interfaces/auth-request.interface'
 import { AuthProvider } from '../../../authentication/providers/auth-providers.models'
 import { AuthProvider2FA } from '../../../authentication/providers/two-fa/auth-provider-two-fa.service'
 import { convertHumanTimeToSeconds } from '../../../common/functions'
@@ -28,10 +29,11 @@ import { CLIENT_AUTH_TYPE, CLIENT_TOKEN_EXPIRATION_TIME, CLIENT_TOKEN_EXPIRED_ER
 import { APP_STORE_DIRNAME, APP_STORE_MANIFEST_FILE, APP_STORE_REPOSITORY, APP_STORE_URL } from '../constants/store'
 import { SYNC_CLIENT_TYPE } from '../constants/sync'
 import type { SyncClientAuthDto } from '../dtos/sync-client-auth.dto'
-import type { SyncClientRegistrationDto } from '../dtos/sync-client-registration.dto'
+import { SyncClientAuthRegistrationDto, SyncClientRegistrationDto } from '../dtos/sync-client-registration.dto'
 import { AppStoreManifest } from '../interfaces/store-manifest.interface'
-import { ClientAuthCookieDto, ClientAuthTokenDto } from '../interfaces/sync-client-auth.interface'
+import { SyncClientAuthCookie, SyncClientAuthRegistration, SyncClientAuthToken } from '../interfaces/sync-client-auth.interface'
 import { SyncClientPaths } from '../interfaces/sync-client-paths.interface'
+import { SyncClientInfo } from '../interfaces/sync-client.interface'
 import { SyncClient } from '../schemas/sync-client.interface'
 import { SyncQueries } from './sync-queries.service'
 
@@ -48,7 +50,7 @@ export class SyncClientsManager {
     private readonly syncQueries: SyncQueries
   ) {}
 
-  async register(clientRegistrationDto: SyncClientRegistrationDto, ip: string): Promise<{ clientToken: string }> {
+  async register(clientRegistrationDto: SyncClientRegistrationDto, ip: string): Promise<SyncClientAuthRegistration> {
     const user: UserModel = await this.authMethod.validateUser(clientRegistrationDto.login, clientRegistrationDto.password)
     if (!user) {
       this.logger.warn(`${this.register.name} - auth failed for user *${clientRegistrationDto.login}*`)
@@ -75,14 +77,15 @@ export class SyncClientsManager {
         }
       }
     }
-    try {
-      const token = await this.syncQueries.getOrCreateClient(user.id, clientRegistrationDto.clientId, clientRegistrationDto.info, ip)
-      this.logger.log(`${this.register.name} - client *${clientRegistrationDto.info.type}* was registered for user *${user.login}* (${user.id})`)
-      return { clientToken: token }
-    } catch (e) {
-      this.logger.error(`${this.register.name} - ${e}`)
-      throw new HttpException('Error during the client registration', HttpStatus.INTERNAL_SERVER_ERROR)
-    }
+    return this.getOrCreateClient(user, clientRegistrationDto.clientId, clientRegistrationDto.info, ip)
+  }
+
+  async registerWithAuth(
+    clientAuthenticatedRegistrationDto: SyncClientAuthRegistrationDto,
+    req: FastifyAuthenticatedRequest
+  ): Promise<SyncClientAuthRegistration> {
+    const clientId = clientAuthenticatedRegistrationDto.clientId || crypto.randomUUID()
+    return this.getOrCreateClient(req.user, clientId, clientAuthenticatedRegistrationDto.info, req.ip)
   }
 
   async unregister(user: UserModel): Promise<void> {
@@ -99,7 +102,7 @@ export class SyncClientsManager {
     syncClientAuthDto: SyncClientAuthDto,
     ip: string,
     res: FastifyReply
-  ): Promise<ClientAuthTokenDto | ClientAuthCookieDto> {
+  ): Promise<SyncClientAuthToken | SyncClientAuthCookie> {
     const client = await this.syncQueries.getClient(syncClientAuthDto.clientId, null, syncClientAuthDto.token)
     if (!client) {
       throw new HttpException('Client is unknown', HttpStatus.FORBIDDEN)
@@ -126,7 +129,7 @@ export class SyncClientsManager {
     user.clientId = client.id
     // update accesses
     this.usersManager.updateAccesses(user, ip, true).catch((e: Error) => this.logger.error(`${this.authenticate.name} - ${e}`))
-    let r: ClientAuthTokenDto | ClientAuthCookieDto
+    let r: SyncClientAuthToken | SyncClientAuthCookie
     if (authType === CLIENT_AUTH_TYPE.COOKIE) {
       // used by the desktop app to perform the login setup using cookies
       r = await this.authManager.setCookies(user, res)
@@ -209,4 +212,15 @@ export class SyncClientsManager {
     }
     return manifest
   }
+
+  private async getOrCreateClient(user: UserModel, clientId: string, clientInfo: SyncClientInfo, ip: string): Promise<SyncClientAuthRegistration> {
+    try {
+      const token = await this.syncQueries.getOrCreateClient(user.id, clientId, clientInfo, ip)
+      this.logger.log(`${this.register.name} - client *${clientInfo.type}* was registered for user *${user.login}* (${user.id})`)
+      return { clientId: clientId, clientToken: token } satisfies SyncClientAuthRegistration
+    } catch (e) {
+      this.logger.error(`${this.register.name} - ${e}`)
+      throw new HttpException('Error during the client registration', HttpStatus.INTERNAL_SERVER_ERROR)
+    }
+  }
 }
diff --git a/backend/src/applications/sync/sync.controller.ts b/backend/src/applications/sync/sync.controller.ts
@@ -28,6 +28,7 @@ import {
 } from '@nestjs/common'
 import { FastifyReply, FastifyRequest } from 'fastify'
 import { AuthTokenSkip } from '../../authentication/decorators/auth-token-skip.decorator'
+import { FastifyAuthenticatedRequest } from '../../authentication/interfaces/auth-request.interface'
 import { ContextInterceptor } from '../../infrastructure/context/interceptors/context.interceptor'
 import { SkipSpacePermissionsCheck } from '../spaces/decorators/space-skip-permissions.decorator'
 import { FastifySpaceRequest } from '../spaces/interfaces/space-request.interface'
@@ -41,13 +42,13 @@ import { SYNC_ROUTE } from './constants/routes'
 import { CHECK_SERVER_RESP, SYNC_IN_SERVER_AGENT } from './constants/sync'
 import { SyncEnvironment } from './decorators/sync-environment.decorator'
 import { SyncClientAuthDto } from './dtos/sync-client-auth.dto'
-import type { SyncClientRegistrationDto } from './dtos/sync-client-registration.dto'
+import { SyncClientAuthRegistrationDto, SyncClientRegistrationDto } from './dtos/sync-client-registration.dto'
 import { SyncCopyMoveDto, SyncDiffDto, SyncMakeDto, SyncPropsDto } from './dtos/sync-operations.dto'
 import { SyncPathDto, SyncPathUpdateDto } from './dtos/sync-path.dto'
 import { SyncUploadDto } from './dtos/sync-upload.dto'
 import { SyncDiffGzipBodyInterceptor } from './interceptors/sync-diff-gzip-body.interceptor'
 import { AppStoreManifest } from './interfaces/store-manifest.interface'
-import { ClientAuthCookieDto, ClientAuthTokenDto } from './interfaces/sync-client-auth.interface'
+import { SyncClientAuthCookie, SyncClientAuthRegistration, SyncClientAuthToken } from './interfaces/sync-client-auth.interface'
 import { SyncClientPaths } from './interfaces/sync-client-paths.interface'
 import { SyncPathSettings } from './interfaces/sync-path.interface'
 import { SyncClientsManager } from './services/sync-clients-manager.service'
@@ -75,10 +76,20 @@ export class SyncController {
 
   @Post(SYNC_ROUTE.REGISTER)
   @AuthTokenSkip()
-  register(@Body() syncClientRegistrationDto: SyncClientRegistrationDto, @Req() req: FastifyRequest): Promise<{ clientToken: string }> {
+  register(@Body() syncClientRegistrationDto: SyncClientRegistrationDto, @Req() req: FastifyRequest): Promise<SyncClientAuthRegistration> {
     return this.syncClientsManager.register(syncClientRegistrationDto, req.ip)
   }
 
+  @Post(SYNC_ROUTE.REGISTER_AUTH)
+  @UserHavePermission(USER_PERMISSION.DESKTOP_APP)
+  @UseGuards(UserPermissionsGuard)
+  registerWithAuth(
+    @Body() clientAuthenticatedRegistrationDto: SyncClientAuthRegistrationDto,
+    @Req() req: FastifyAuthenticatedRequest
+  ): Promise<SyncClientAuthRegistration> {
+    return this.syncClientsManager.registerWithAuth(clientAuthenticatedRegistrationDto, req)
+  }
+
   @Post(SYNC_ROUTE.UNREGISTER)
   @UserHavePermission(USER_PERMISSION.DESKTOP_APP)
   @UseGuards(UserPermissionsGuard)
@@ -89,6 +100,7 @@ export class SyncController {
   @Get(SYNC_ROUTE.APP_STORE)
   @AuthTokenSkip()
   checkAppStore(): Promise<AppStoreManifest> {
+    // This route must be public to allow clients to receive updates
     return this.syncClientsManager.checkAppStore()
   }
 
@@ -99,7 +111,7 @@ export class SyncController {
     @Body() clientAuthDto: SyncClientAuthDto,
     @Req() req: FastifyRequest,
     @Res({ passthrough: true }) res: FastifyReply
-  ): Promise<ClientAuthCookieDto | ClientAuthTokenDto> {
+  ): Promise<SyncClientAuthCookie | SyncClientAuthToken> {
     return this.syncClientsManager.authenticate(type, clientAuthDto, req.ip, res)
   }
 
diff --git a/frontend/src/app/auth/auth.service.ts b/frontend/src/app/auth/auth.service.ts
@@ -8,9 +8,9 @@ import { HttpClient, HttpErrorResponse, HttpRequest } from '@angular/common/http
 import { inject, Injectable } from '@angular/core'
 import { Router } from '@angular/router'
 import { CLIENT_TOKEN_EXPIRED_ERROR } from '@sync-in-server/backend/src/applications/sync/constants/auth'
-import { API_SYNC_AUTH_COOKIE } from '@sync-in-server/backend/src/applications/sync/constants/routes'
+import { API_SYNC_AUTH_COOKIE, API_SYNC_REGISTER_AUTH } from '@sync-in-server/backend/src/applications/sync/constants/routes'
 import type { SyncClientAuthDto } from '@sync-in-server/backend/src/applications/sync/dtos/sync-client-auth.dto'
-import type { ClientAuthCookieDto } from '@sync-in-server/backend/src/applications/sync/interfaces/sync-client-auth.interface'
+import { SyncClientAuthCookie, SyncClientAuthRegistration } from '@sync-in-server/backend/src/applications/sync/interfaces/sync-client-auth.interface'
 import { API_ADMIN_IMPERSONATE_LOGOUT, API_USERS_ME } from '@sync-in-server/backend/src/applications/users/constants/routes'
 import { CSRF_KEY } from '@sync-in-server/backend/src/authentication/constants/auth'
 import {
@@ -142,10 +142,8 @@ export class AuthService {
         return true
       }),
       catchError((e: HttpErrorResponse) => {
-        console.debug('token has expired')
         if (this.electron.enabled) {
-          console.debug('login with app')
-          return this.authenticateDesktopClient()
+          return this.authDesktopClient()
         }
         this.logout(true, true)
         return throwError(() => e)
@@ -155,12 +153,17 @@ export class AuthService {
 
   checkUserAuthAndLoad(returnUrl: string, authFromOIDC?: AuthOIDCQueryParams): Observable<boolean> {
     if (authFromOIDC) {
+      // At this point, the cookies are stored in the session.
+      console.debug(`${this.checkUserAuthAndLoad.name} - auth from OIDC`)
       this.accessExpiration = parseInt(authFromOIDC.access_expiration)
       this.refreshExpiration = parseInt(authFromOIDC.refresh_expiration)
+      if (this.electron.enabled) {
+        return this.authOIDCDesktopClient()
+      }
     }
     if (this.refreshTokenHasExpired()) {
       if (this.electron.enabled) {
-        return this.authenticateDesktopClient()
+        return this.authDesktopClient()
       }
       this.returnUrl = returnUrl.length > 1 ? returnUrl : null
       this.logout()
@@ -236,16 +239,17 @@ export class AuthService {
     })
   }
 
-  private authenticateDesktopClient(): Observable<boolean> {
+  private authDesktopClient(): Observable<boolean> {
     return this.electron.authenticate().pipe(
       switchMap((auth: SyncClientAuthDto) => {
         if (!auth.clientId) {
           // No auth was provided, the Sync-in desktop app must be registered
+          console.debug(`${this.authDesktopClient.name} - client must be registered`)
           this.logout(true)
           return of(false)
         }
-        return this.http.post<ClientAuthCookieDto>(API_SYNC_AUTH_COOKIE, auth).pipe(
-          map((r: ClientAuthCookieDto) => {
+        return this.http.post<SyncClientAuthCookie>(API_SYNC_AUTH_COOKIE, auth).pipe(
+          map((r: SyncClientAuthCookie) => {
             this.accessExpiration = r.token.access_expiration
             this.refreshExpiration = r.token.refresh_expiration
             this.initUser(r)
@@ -256,6 +260,7 @@ export class AuthService {
             return true
           }),
           catchError((e: HttpErrorResponse) => {
+            console.debug(`${this.authDesktopClient.name} - ${e.error.message}`)
             if (e.error.message === CLIENT_TOKEN_EXPIRED_ERROR) {
               this.electron.send(EVENT.SERVER.AUTHENTICATION_TOKEN_EXPIRED)
             } else {
@@ -270,6 +275,39 @@ export class AuthService {
     )
   }
 
+  private authOIDCDesktopClient(): Observable<boolean> {
+    return this.electron.authenticate().pipe(
+      switchMap((auth: SyncClientAuthDto) => {
+        if (!auth.clientId || auth.tokenHasExpired) {
+          // The client must be registered, or the token must be renewed
+          return this.http.post<SyncClientAuthRegistration>(API_SYNC_REGISTER_AUTH, auth).pipe(
+            switchMap((externalAuth: SyncClientAuthRegistration) => {
+              return this.electron.externalRegister(externalAuth).pipe(
+                switchMap((success: boolean) => {
+                  if (success) {
+                    console.debug(`${this.authOIDCDesktopClient.name} - ${auth.clientId ? 'client was registered' : 'client token renewed'}`)
+                    return this.authDesktopClient()
+                  } else {
+                    this.logout(true, true)
+                    return of(false)
+                  }
+                })
+              )
+            }),
+            catchError((e: HttpErrorResponse) => {
+              console.error(`${this.authOIDCDesktopClient.name} - ${e}`)
+              this.logout(true)
+              return of(false)
+            })
+          )
+        } else {
+          // The client must be authenticated
+          return this.authDesktopClient()
+        }
+      })
+    )
+  }
+
   private refreshTokenHasExpired(): boolean {
     return this.refreshExpiration === 0 || currentTimeStamp() >= this.refreshExpiration
   }
diff --git a/frontend/src/app/electron/electron.service.ts b/frontend/src/app/electron/electron.service.ts
@@ -8,6 +8,7 @@ import { effect, inject, Injectable, NgZone } from '@angular/core'
 import { toObservable } from '@angular/core/rxjs-interop'
 import { FileTask } from '@sync-in-server/backend/src/applications/files/models/file-task'
 import type { SyncClientAuthDto } from '@sync-in-server/backend/src/applications/sync/dtos/sync-client-auth.dto'
+import type { SyncClientAuthRegistration } from '@sync-in-server/backend/src/applications/sync/interfaces/sync-client-auth.interface'
 import { combineLatest, from, map, Observable } from 'rxjs'
 import { NotificationModel } from '../applications/notifications/models/notification.model'
 import { CLIENT_APP_COUNTER, CLIENT_SCHEDULER_STATE } from '../applications/sync/constants/client'
@@ -71,15 +72,27 @@ export class Electron {
   }
 
   authenticate(): Observable<SyncClientAuthDto> {
+    // Get information about client authentication
     return from(this.invoke(EVENT.SERVER.AUTHENTICATION))
   }
 
   register(login: string, password: string, code?: string): Observable<AuthResult> {
+    // The client handles the registration.
     return from(this.invoke(EVENT.SERVER.REGISTRATION, { login, password, code })).pipe(
       map((e: { ok: boolean; msg?: string }) => ({ success: e.ok, message: e.msg ?? null }) satisfies AuthResult)
     )
   }
 
+  externalRegister(externalAuth: SyncClientAuthRegistration): Observable<boolean> {
+    // The registration has already been completed on the server, and the client must be updated accordingly.
+    return from(this.invoke(EVENT.SERVER.REGISTRATION, null, externalAuth)).pipe(
+      map((e: { ok: boolean; msg?: string }) => {
+        if (!e.ok) console.error(`${this.externalRegister.name} - ${e.msg}`)
+        return e.ok
+      })
+    )
+  }
+
   openPath(path: string) {
     this.send(EVENT.MISC.FILE_OPEN, path)
   }
