Microsoft Auth Proxy
To enable OneDrive streaming, Freak-Flix requires interaction with the Microsoft Identity Platform. However, Microsoft's OAuth 2.0 endpoints do not support Cross-Origin Resource Sharing (CORS) for direct client-side requests from web browsers.
The Microsoft Auth Proxy acts as an intermediary. It forwards authentication requests to Microsoft, strips the headers that trigger the cross-origin rejection (such as Origin), and adds the CORS headers the browser needs, so that the Freak-Flix frontend (in particular the Web build) can exchange an authorization code for tokens directly from the browser.
🌐 Proxy Endpoints
Depending on your deployment environment, the proxy is available at the following base paths:
| Environment | Base Proxy URL |
| :--- | :--- |
| Cloudflare Workers | /microsoft/proxy/ |
| Netlify Functions | /api/ms_auth/ |
The proxy transparently maps any path appended to these bases to https://login.microsoftonline.com/.
🛠️ Usage Example
When performing an OAuth 2.0 token exchange, instead of calling Microsoft directly, the application targets the proxy.
Request Transformation:
- Original Target: https://login.microsoftonline.com/common/oauth2/v2.0/token
- Proxy Target (Netlify): https://your-domain.com/api/ms_auth/common/oauth2/v2.0/token
Example Token Request

```http
POST /api/ms_auth/common/oauth2/v2.0/token HTTP/1.1
Host: your-domain.com
Content-Type: application/x-www-form-urlencoded

client_id=YOUR_AZURE_APP_ID
&redirect_uri=YOUR_REDIRECT_URI
&code=AUTHORIZATION_CODE
&grant_type=authorization_code
```

Note that no `client_secret` is sent: a browser-hosted frontend is a public client and must not embed one. If the authorization request included a PKCE `code_challenge`, the matching `code_verifier` belongs in this body as well.
⚙️ How it Handles Requests
- Path Resolution: The proxy extracts the portion of the URL following the base proxy path (e.g., `{tenant}/oauth2/v2.0/token`) and appends it to https://login.microsoftonline.com/.
- Header Sanitization: The proxy forwards standard headers such as `Content-Type` and `Authorization` while explicitly omitting `Origin` and `Referer`, the headers that mark the request as cross-origin and otherwise cause the rejection.
- CORS Injection: The backend adds `Access-Control-Allow-Origin: *` to the response from Microsoft, allowing the Flutter Web client to read the returned JSON payload (containing `access_token` and `refresh_token`).
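The three steps above, as an added example written by the editor rather than taken from Freak-Flix's own `ms_auth_proxy.js`. It works on plain request and response objects and takes a `fetchImpl` parameter, so it runs offline against a constructed stand-in for Microsoft's token endpoint; the base path, the allow-listed headers, the `allowedOrigins` option (an origin allowlist as an alternative to the wildcard the page describes) and the sample request are all assumptions made for the example.

```javascript
// Added example (the editor's illustration, not Freak-Flix's ms_auth_proxy.js):
// a minimal pass-through proxy for login.microsoftonline.com showing the three
// steps above: path resolution, header sanitization and CORS injection. It works
// on plain request/response objects and takes `fetchImpl` as a parameter, so it
// runs offline; a Workers or Netlify adapter only has to translate the shapes.
const UPSTREAM = "https://login.microsoftonline.com";
const BASE_PATH = "/api/ms_auth/"; // Netlify base path from the table above

// Request headers forwarded upstream. Origin and Referer are deliberately absent,
// as are Host and Cookie, which belong to the proxy, not to Microsoft.
const FORWARDED_REQUEST_HEADERS = new Set(["content-type", "authorization", "accept"]);

// Path resolution. Returns null for anything not strictly under BASE_PATH or able
// to escape it ("..", backslashes, absolute or protocol-relative URLs), so the
// relay can only ever reach the Microsoft Identity Platform.
function resolveUpstreamUrl(path) {
  if (!path.startsWith(BASE_PATH)) return null;
  const rest = path.slice(BASE_PATH.length);
  if (rest === "" || rest.startsWith("/") || rest.includes("..") || rest.includes("\\")) return null;
  if (/^[a-z][a-z0-9+.-]*:/i.test(rest)) return null; // e.g. "https://evil.example/..."
  const url = new URL(rest, UPSTREAM + "/");
  return url.origin === UPSTREAM ? url.toString() : null;
}

// Header sanitization: keep only the allow-listed request headers, lower-cased.
function sanitizeRequestHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (FORWARDED_REQUEST_HEADERS.has(key)) out[key] = value;
  }
  return out;
}

// CORS injection. allowedOrigins === "*" reproduces the wildcard the page describes;
// an array echoes the request's Origin only when it is listed (the editor's
// hardening, so that only the Freak-Flix frontend can use the relay).
function corsHeaders(requestOrigin, allowedOrigins) {
  let origin = null;
  if (allowedOrigins === "*") origin = "*";
  else if (allowedOrigins.includes(requestOrigin)) origin = requestOrigin;
  if (origin === null) return {};
  const h = {
    "access-control-allow-origin": origin,
    "access-control-allow-methods": "POST, OPTIONS",
    "access-control-allow-headers": "Content-Type, Authorization",
  };
  if (origin !== "*") h["vary"] = "Origin"; // the answer now depends on the caller
  return h;
}

// req: { method, path, headers: { name: value }, body }. Returns a plain
// { status, headers, body } for the platform adapter to turn into a real response.
async function handleRequest(req, { allowedOrigins = "*", fetchImpl = fetch } = {}) {
  const requestOrigin = req.headers.Origin || req.headers.origin || "";
  const cors = corsHeaders(requestOrigin, allowedOrigins);
  if (req.method === "OPTIONS") return { status: 204, headers: cors, body: "" }; // preflight
  const target = resolveUpstreamUrl(req.path);
  if (target === null) return { status: 404, headers: cors, body: "not a Microsoft Identity Platform path" };
  const hasBody = req.method !== "GET" && req.method !== "HEAD";
  const upstream = await fetchImpl(target, {
    method: req.method,
    headers: sanitizeRequestHeaders(req.headers),
    body: hasBody ? req.body : undefined,
  });
  const headers = { ...cors, "content-type": upstream.headers.get("content-type") || "application/json" };
  // The token JSON is passed through untouched and is never logged here.
  return { status: upstream.status, headers, body: await upstream.text() };
}

// Constructed stand-in for Microsoft's token endpoint so the example runs offline;
// it records what it received so the sanitization can be inspected.
function fakeMicrosoft(received) {
  return async (url, init) => {
    received.push({ url, init });
    return {
      status: 200,
      headers: new Map([["content-type", "application/json; charset=utf-8"]]),
      text: async () => JSON.stringify({ access_token: "constructed-access-token", refresh_token: "constructed-refresh-token" }),
    };
  };
}

// Constructed request, as the Flutter Web client would send it through the proxy.
const SAMPLE_REQUEST = {
  method: "POST",
  path: "/api/ms_auth/common/oauth2/v2.0/token",
  headers: {
    "Content-Type": "application/x-www-form-urlencoded",
    Origin: "https://freak-flix.example",
    Referer: "https://freak-flix.example/login",
    Cookie: "session=do-not-forward",
  },
  body: "client_id=APP_ID&redirect_uri=https%3A%2F%2Ffreak-flix.example%2Fcallback&code=CODE&grant_type=authorization_code",
};
```

To drive it, call `handleRequest(SAMPLE_REQUEST, { fetchImpl: fakeMicrosoft([]) })` and inspect the result; with the real `fetch` (the default) the same function relays to Microsoft. The path check is the part that keeps the proxy from becoming an open relay: a `..` segment, a protocol-relative `//host` or an absolute URL after the base path all resolve to `null` and are answered with 404 instead of being forwarded.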
🔑 Security Considerations
- Internal Routing: While the proxy is a public-facing interface, it is designed strictly for the Microsoft Identity Platform. It does not allow arbitrary forwarding to other domains.
- Wildcard Origin: Because the response carries `Access-Control-Allow-Origin: *`, any web page, not only the Freak-Flix frontend, can use the proxy to reach Microsoft's endpoints. If you host your own deployment, consider returning your frontend's origin instead of the wildcard.
- Token Safety: The proxy does not log or store the `access_token` or `client_secret`. It acts as a "pass-through" pipe. A browser-hosted frontend should not hold a `client_secret` at all; it is a public client, and the code exchange is bound by `redirect_uri` (and by PKCE, if used) rather than by a secret.
- HTTPS: All requests to the proxy must be made over HTTPS so that authorization codes and tokens are encrypted in transit.
🚀 Developer Setup
If you are hosting your own version of the Freak-Flix backend:
- Cloudflare: Ensure your `wrangler.toml` is configured and that `JWT_SECRET` is set as a Worker secret (for example with `wrangler secret put JWT_SECRET`) rather than committed in the file.
- Netlify: The rewrite rule in `netlify.toml` should map `/api/ms_auth/*` to the `ms_auth_proxy.js` function. `status = 200` makes this a rewrite rather than a redirect, so the browser keeps talking to `/api/ms_auth/` and the function sees the original path:

```toml
[[redirects]]
  from = "/api/ms_auth/*"
  to = "/.netlify/functions/ms_auth_proxy"
  status = 200
```

- Azure Configuration: When registering your app in the Azure Portal, ensure your Redirect URI matches the one configured in the Freak-Flix frontend settings exactly; the token endpoint rejects the exchange if the `redirect_uri` sent with the code differs from the registered one. The Redirect URI points at the frontend, not at the proxy path.