Implement access grants for OAuth

[ThisIsMissEm]

This is still a work in progress, but gives an idea of how the code changes. I haven't yet implemented PKCE in here, though the database supports it.

[ThisIsMissEm]

Left some informative comments.

Code coverage for src/oauth.tsx is 56.47%, and for the other parts:

 hollo/src/oauth         |   83.18 |    79.16 |   85.71 |   83.18 |                                              
  constants.ts           |     100 |      100 |     100 |     100 |                                              
  helpers.ts             |   78.16 |    57.14 |      80 |   78.16 | 40-59,92-98,131-134                          
  middleware.ts          |   98.52 |    93.33 |     100 |   98.52 | 61                                           
  validators.ts          |   66.66 |       50 |     100 |   66.66 | 11-17  

[ThisIsMissEm]

Apparently drizzle doesn't export a type for this, which is weird.

[ThisIsMissEm]

I could maybe assert here that the count of access grants is zero?

[ThisIsMissEm]

Currently I'm setting revokedAt here, which means our database will have loads of now useless access grants in it. It would be a reasonable decision to just delete the access grant from the database in this case.

[ThisIsMissEm]

@dahlia would like your thoughts here, a trade-off is that by not setting revoked and just deleting the access grant, you can't detect authorization code reuse attacks, where the authorization code is reused and consequently all created access tokens from that authorization code should be invalidated (grants, this would imply having some relationship between access grants and access tokens)

[ThisIsMissEm]

scope is only required for client_credentials grant type.

[ThisIsMissEm]

This code path technically doesn't exist anymore, so we could remove this test.

[ThisIsMissEm]

We needed to switch to concurrency of 1 for now, as the database tests clean the database, which causes issues if multiple tests are running concurrently.

[ThisIsMissEm]

For now, this is just to give an idea of where we stand, but we may want to make it part of CI to check code coverage once we get it high enough.

Could probably also already include it as like a PR comment or something.

[ThisIsMissEm]

Correction, oauth coverage is, I had some dead code:

 hollo/src               |   71.03 |    67.47 |   23.28 |   71.03 |           
  oauth.tsx              |   56.47 |       40 |      80 |   56.47 | ...9,418-427,433-441,444-452,455-463,479-485 
 hollo/src/oauth         |   90.99 |    79.16 |     100 |   90.99 |                                              
  constants.ts           |     100 |      100 |     100 |     100 |                                              
  helpers.ts             |    90.9 |    57.14 |     100 |    90.9 | 71-77,110-113                                
  middleware.ts          |   98.52 |    93.33 |     100 |   98.52 | 61                                           
  validators.ts          |   66.66 |       50 |     100 |   66.66 | 11-17    

[ThisIsMissEm]

@dahlia I've just been working on the access tokens for FIRES, and came across something interesting, which is still using a database value for the "secret values", but using a construction of ${tokenBytes}.${hmac(tokenBytes, secretKey)} (where both values are base64 urlsafe). This allows using the database for the token storage, whilst also easily filtering out completely invalid tokens using cryptography.

Might be an idea to adopt that. I've also come across some interesting stuff for including CRC32's at the end of the token, such that secret scanning tools can easily detect the secret is a "valid secret": https://docs.github.com/en/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program#identify-your-secrets-and-create-regular-expressions