omar/lck-control-backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Support Quest Platform SDK auth with oculusId fallback

Browse Source 
When the Data Use Checkup hasn't granted numeric ID access, the SDK
returns oculusId (string username) instead. This makes nonce optional,
skips nonce verification for non-numeric userIds, and uses oculusId as
the metaId when numeric ID is unavailable.
This commit is contained in:
omigamedev
2026-02-24 12:41:54 +01:00
parent 0eab05f15b
commit 7351003c6b
4 changed files with 66 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/config.ts
View File

@@ -24,7 +24,6 @@ export const config = {
meta: { meta: {
appId: required('META_APP_ID'), appId: required('META_APP_ID'),
appSecret: required('META_APP_SECRET'), appSecret: required('META_APP_SECRET'),
redirectUri: required('META_REDIRECT_URI'),
}, },
youtube: { youtube: {

55
src/routes/auth/meta.ts
View File

@@ -1,6 +1,6 @@
import { FastifyPluginAsync } from 'fastify'; import { FastifyPluginAsync } from 'fastify';
import { randomUUID } from 'node:crypto'; import { randomUUID } from 'node:crypto';
import { exchangeMetaCode, fetchMetaProfile } from '../../services/meta-auth.service.js'; import { verifyUserProof, fetchOculusProfile } from '../../services/meta-auth.service.js';
import { signAccessToken } from '../../plugins/auth.js'; import { signAccessToken } from '../../plugins/auth.js';
import { hashToken } from '../../services/crypto.service.js'; import { hashToken } from '../../services/crypto.service.js';
import { config } from '../../config.js'; import { config } from '../../config.js';
@@ -15,37 +15,52 @@ const metaAuthRoutes: FastifyPluginAsync = async (fastify) => {
schema: { schema: {
body: { body: {
type: 'object', type: 'object',
required: ['code'], required: ['userId'],
properties: { properties: {
code: { type: 'string', minLength: 1 }, userId: { type: 'string', minLength: 1 },
nonce: { type: 'string' },
deviceInfo: { type: 'string' }, deviceInfo: { type: 'string' },
}, },
additionalProperties: false, additionalProperties: false,
}, },
}, },
}, async (request, reply) => { }, async (request, reply) => {
const { code, deviceInfo } = request.body; const { userId, nonce, deviceInfo } = request.body;
request.log.info({ userId, hasNonce: !!nonce, deviceInfo }, 'Meta callback received');
// Exchange code for Meta access token // Nonce validation requires a numeric user ID from Meta's graph API.
const { accessToken: metaToken } = await exchangeMetaCode(code); // When DUC hasn't granted numeric ID access, the SDK returns oculusId (a string username).
const isNumericId = /^\d+$/.test(userId);
// Fetch user profile if (nonce && isNumericId) {
const profile = await fetchMetaProfile(metaToken); const isValid = await verifyUserProof(userId, nonce);
if (!isValid) {
throw new AppError(401, 'Invalid user proof');
}
request.log.info('Nonce verified successfully');
} else {
request.log.warn({ isNumericId, hasNonce: !!nonce },
'Skipping nonce verification (non-numeric userId or missing nonce)');
}
// Try to fetch profile from Oculus graph; fall back to userId as display name
let metaId = userId;
let displayName = userId;
if (isNumericId) {
try {
const profile = await fetchOculusProfile(userId);
metaId = profile.metaId;
displayName = profile.displayName;
} catch (e) {
request.log.warn(e, 'Failed to fetch Oculus profile');
}
}
// Upsert user // Upsert user
const user = await fastify.prisma.user.upsert({ const user = await fastify.prisma.user.upsert({
where: { metaId: profile.metaId }, where: { metaId },
update: { update: { displayName },
displayName: profile.displayName, create: { metaId, displayName },
email: profile.email,
avatarUrl: profile.avatarUrl,
},
create: {
metaId: profile.metaId,
displayName: profile.displayName,
email: profile.email,
avatarUrl: profile.avatarUrl,
},
}); });
// Create session with hashed refresh token // Create session with hashed refresh token

55
src/services/meta-auth.service.ts
View File

@@ -1,55 +1,58 @@
import { config } from '../config.js'; import { config } from '../config.js';
interface MetaTokenResponse { interface NonceValidateResponse {
access_token: string; is_valid: boolean;
token_type: string;
expires_in: number;
} }
interface MetaProfile { interface OculusUserResponse {
id: string; id: string;
name: string; alias: string;
email?: string; avatar_uri?: string;
picture?: { data?: { url?: string } };
} }
export async function exchangeMetaCode(code: string): Promise<{ accessToken: string }> { /**
* Verify a Quest Platform SDK user proof (nonce) via Meta's server-side API.
* The app calls Users.getUserProof() on-device, sends the nonce + userId here,
* and we verify it with Meta using an app access token.
*/
export async function verifyUserProof(userId: string, nonce: string): Promise<boolean> {
const accessToken = `OC|${config.meta.appId}|${config.meta.appSecret}`;
const params = new URLSearchParams({ const params = new URLSearchParams({
client_id: config.meta.appId, access_token: accessToken,
client_secret: config.meta.appSecret, nonce,
redirect_uri: config.meta.redirectUri, user_id: userId,
code,
}); });
const res = await fetch( const res = await fetch(
`https://graph.facebook.com/v19.0/oauth/access_token?${params}`, `https://graph.oculus.com/user_nonce_validate?${params}`,
{ method: 'POST' },
); );
if (!res.ok) { if (!res.ok) {
const body = await res.text(); const body = await res.text();
throw new Error(`Meta token exchange failed: ${res.status} ${body}`); throw new Error(`Nonce validation request failed: ${res.status} ${body}`);
} }
const data = (await res.json()) as MetaTokenResponse; const data = (await res.json()) as NonceValidateResponse;
return { accessToken: data.access_token }; return data.is_valid;
} }
export async function fetchMetaProfile(accessToken: string): Promise<{ /**
* Fetch Oculus user profile using an app access token.
*/
export async function fetchOculusProfile(userId: string): Promise<{
metaId: string; metaId: string;
displayName: string; displayName: string;
email: string | null;
avatarUrl: string | null;
}> { }> {
const accessToken = `OC|${config.meta.appId}|${config.meta.appSecret}`;
const res = await fetch( const res = await fetch(
`https://graph.facebook.com/v19.0/me?fields=id,name,email,picture.type(large)&access_token=${accessToken}`, `https://graph.oculus.com/${userId}?fields=id,alias&access_token=${accessToken}`,
); );
if (!res.ok) { if (!res.ok) {
const body = await res.text(); const body = await res.text();
throw new Error(`Meta profile fetch failed: ${res.status} ${body}`); throw new Error(`Oculus profile fetch failed: ${res.status} ${body}`);
} }
const data = (await res.json()) as MetaProfile; const data = (await res.json()) as OculusUserResponse;
return { return {
metaId: data.id, metaId: data.id,
displayName: data.name, displayName: data.alias,
email: data.email ?? null,
avatarUrl: data.picture?.data?.url ?? null,
}; };
} }

3
src/types/api.ts
View File

@@ -1,6 +1,7 @@
// ── Auth ────────────────────────────────────────────────── // ── Auth ──────────────────────────────────────────────────
export interface MetaCallbackBody { export interface MetaCallbackBody {
code: string; userId: string;
nonce?: string;
deviceInfo?: string; deviceInfo?: string;
} }