feat: oauth before login

alby/alby_http_service.go

@@ -5,6 +5,8 @@ import (
 	"net/http"
 
 	"github.com/getAlby/nostr-wallet-connect/config"
+	"github.com/gorilla/sessions"
+	"github.com/labstack/echo-contrib/session"
 	"github.com/labstack/echo/v4"
 	"github.com/sirupsen/logrus"
 )
@@ -15,6 +17,11 @@ type AlbyHttpService struct {
 	appConfig    *config.AppConfig
 }
 
+const (
+	sessionCookieName     = "session"
+	sessionCookieOAuthKey = "oauthenticated"
+)
+
 func NewAlbyHttpService(albyOAuthSvc AlbyOAuthService, logger *logrus.Logger, appConfig *config.AppConfig) *AlbyHttpService {
 	return &AlbyHttpService{
 		albyOAuthSvc: albyOAuthSvc,
@@ -24,13 +31,33 @@ func NewAlbyHttpService(albyOAuthSvc AlbyOAuthService, logger *logrus.Logger, ap
 }
 
 func (albyHttpSvc *AlbyHttpService) RegisterSharedRoutes(e *echo.Echo, authMiddleware func(next echo.HandlerFunc) echo.HandlerFunc) {
-	e.GET("/api/alby/callback", albyHttpSvc.albyCallbackHandler, authMiddleware)
+	e.GET("/api/alby/callback", albyHttpSvc.albyCallbackHandler)
 	e.GET("/api/alby/me", albyHttpSvc.albyMeHandler, authMiddleware)
 	e.GET("/api/alby/balance", albyHttpSvc.albyBalanceHandler, authMiddleware)
 	e.POST("/api/alby/pay", albyHttpSvc.albyPayHandler, authMiddleware)
 	e.POST("/api/alby/link-account", albyHttpSvc.albyLinkAccountHandler, authMiddleware)
 }
 
+func (albyHttpSvc *AlbyHttpService) IsAlbyConnected(c echo.Context) bool {
+	sess, _ := session.Get(sessionCookieName, c)
+	return sess.Values[sessionCookieOAuthKey] == true
+}
+
+func (albyHttpSvc *AlbyHttpService) saveSessionCookie(c echo.Context) error {
+	sess, _ := session.Get("session", c)
+	sess.Options = &sessions.Options{
+		Path:     "/",
+		MaxAge:   86400 * 7,
+		HttpOnly: true,
+	}
+	sess.Values[sessionCookieOAuthKey] = true
+	err := sess.Save(c.Request(), c.Response())
+	if err != nil {
+		albyHttpSvc.logger.WithError(err).Error("Failed to save session")
+	}
+	return err
+}
+
 func (albyHttpSvc *AlbyHttpService) albyCallbackHandler(c echo.Context) error {
 	code := c.QueryParam("code")
 
@@ -42,6 +69,14 @@ func (albyHttpSvc *AlbyHttpService) albyCallbackHandler(c echo.Context) error {
 		})
 	}
 
+	err = albyHttpSvc.saveSessionCookie(c)
+
+	if err != nil {
+		return c.JSON(http.StatusInternalServerError, ErrorResponse{
+			Message: fmt.Sprintf("Failed to save session: %s", err.Error()),
+		})
+	}
+
 	if albyHttpSvc.appConfig.IsDefaultClientId() {
 		// do not redirect if using default OAuth client
 		// redirect will be handled by the frontend instead

alby/alby_oauth_service.go

@@ -72,24 +72,27 @@ func (svc *albyOAuthService) CallbackHandler(ctx context.Context, code string) e
 	}
 	svc.saveToken(token)
 
+	me, err := svc.GetMe(ctx)
+	if err != nil {
+		svc.logger.WithError(err).Error("Failed to fetch user me")
+		// remove token so user can retry
+		svc.config.SetUpdate(accessTokenKey, me.Identifier, "")
+		return err
+	}
+
 	existingUserIdentifier, err := svc.GetUserIdentifier()
 	if err != nil {
 		svc.logger.WithError(err).Error("Failed to get alby user identifier")
 		return err
 	}
 
-	// setup Alby account on first time login
+	// save the user's alby account ID on first time login
 	if existingUserIdentifier == "" {
-		// fetch and save the user's alby account ID. This cannot be changed.
-		me, err := svc.GetMe(ctx)
-		if err != nil {
-			svc.logger.WithError(err).Error("Failed to fetch user me")
-			// remove token so user can retry
-			svc.config.SetUpdate(accessTokenKey, me.Identifier, "")
-			return err
-		}
-
 		svc.config.SetUpdate(userIdentifierKey, me.Identifier, "")
+	} else {
+		if existingUserIdentifier != me.Identifier {
+			return errors.New("alby identifier does not match")
+		}
 	}
 
 	return nil

api/api.go

@@ -485,7 +485,6 @@ func (api *api) GetInfo(ctx context.Context) (*InfoResponse, error) {
 		return nil, err
 	}
 	info.AlbyUserIdentifier = albyUserIdentifier
-	info.AlbyAccountConnected = api.svc.GetAlbyOAuthSvc().IsConnected(ctx)
 	if api.svc.GetLNClient() != nil {
 		nodeInfo, err := api.svc.GetLNClient().GetInfo(ctx)
 		if err != nil {

frontend/src/components/redirects/HomeRedirect.tsx

@@ -15,8 +15,8 @@ export function HomeRedirect() {
     }
     let to: string | undefined;
     if (info.setupCompleted && info.running) {
-      if (info.unlocked) {
-        if (info.albyAccountConnected) {
+      if (info.albyAccountConnected) {
+        if (info.unlocked) {
           const returnTo = window.localStorage.getItem(
             localStorageKeys.returnTo
           );
@@ -27,10 +27,10 @@ export function HomeRedirect() {
           }, 100);
           to = returnTo || "/wallet";
         } else {
-          to = "/alby/auth";
+          to = "/unlock";
         }
       } else {
-        to = "/unlock";
+        to = "/alby/auth";
       }
     } else if (info.setupCompleted && !info.running) {
       to = "/start";

http/http_service.go

@@ -143,6 +143,7 @@ func (httpSvc *HttpService) infoHandler(c echo.Context) error {
 			Message: err.Error(),
 		})
 	}
+	responseBody.AlbyAccountConnected = httpSvc.albyHttpSvc.IsAlbyConnected(c)
 	responseBody.Unlocked = httpSvc.isUnlocked(c)
 	return c.JSON(http.StatusOK, responseBody)
 }
@@ -250,11 +251,6 @@ func (httpSvc *HttpService) isUnlocked(c echo.Context) bool {
 
 func (httpSvc *HttpService) saveSessionCookie(c echo.Context) error {
 	sess, _ := session.Get("session", c)
-	sess.Options = &sessions.Options{
-		Path:     "/",
-		MaxAge:   86400 * 7,
-		HttpOnly: true,
-	}
 	sess.Values[sessionCookieAuthKey] = true
 	err := sess.Save(c.Request(), c.Response())
 	if err != nil {