npm - @actual-app/sync-server - Versions diffs - 25.4.0-alpha.0 - Mend

@actual-app/sync-server 25.4.0-alpha.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (137) hide show

package/.dockerignore +12 -0
package/README.md +19 -0
package/app.js +11 -0
package/babel.config.json +3 -0
package/bin/@actual-app/sync-server +55 -0
package/docker/alpine.Dockerfile +62 -0
package/docker/ubuntu.Dockerfile +63 -0
package/docker-compose.yml +29 -0
package/jest.config.json +19 -0
package/jest.global-setup.js +101 -0
package/jest.global-teardown.js +6 -0
package/migrations/1694360000000-create-folders.js +25 -0
package/migrations/1694360479680-create-account-db.js +30 -0
package/migrations/1694362247011-create-secret-table.js +16 -0
package/migrations/1702667624000-rename-nordigen-secrets.js +19 -0
package/migrations/1718889148000-openid.js +41 -0
package/migrations/1719409568000-multiuser.js +116 -0
package/package.json +64 -0
package/src/account-db.js +239 -0
package/src/accounts/openid.js +361 -0
package/src/accounts/password.js +149 -0
package/src/app-account.js +155 -0
package/src/app-admin.js +410 -0
package/src/app-admin.test.js +381 -0
package/src/app-gocardless/README.md +198 -0
package/src/app-gocardless/app-gocardless.js +274 -0
package/src/app-gocardless/bank-factory.js +91 -0
package/src/app-gocardless/banks/abanca_caglesmm.js +22 -0
package/src/app-gocardless/banks/abnamro_abnanl2a.js +57 -0
package/src/app-gocardless/banks/american_express_aesudef1.js +40 -0
package/src/app-gocardless/banks/bancsabadell_bsabesbbb.js +31 -0
package/src/app-gocardless/banks/bank.interface.ts +51 -0
package/src/app-gocardless/banks/bank_of_ireland_b365_bofiie2d.js +39 -0
package/src/app-gocardless/banks/bankinter_bkbkesmm.js +24 -0
package/src/app-gocardless/banks/belfius_gkccbebb.js +17 -0
package/src/app-gocardless/banks/berliner_sparkasse_beladebexxx.js +61 -0
package/src/app-gocardless/banks/bnp_be_gebabebb.js +73 -0
package/src/app-gocardless/banks/cbc_cregbebb.js +34 -0
package/src/app-gocardless/banks/commerzbank_cobadeff.js +51 -0
package/src/app-gocardless/banks/danskebank_dabno22.js +39 -0
package/src/app-gocardless/banks/direkt_heladef1822.js +18 -0
package/src/app-gocardless/banks/easybank_bawaatww.js +50 -0
package/src/app-gocardless/banks/entercard_swednokk.js +40 -0
package/src/app-gocardless/banks/fortuneo_ftnofrp1xxx.js +46 -0
package/src/app-gocardless/banks/hype_hyeeit22.js +74 -0
package/src/app-gocardless/banks/ing_ingbrobu.js +70 -0
package/src/app-gocardless/banks/ing_ingddeff.js +47 -0
package/src/app-gocardless/banks/ing_pl_ingbplpw.js +46 -0
package/src/app-gocardless/banks/integration-bank.js +115 -0
package/src/app-gocardless/banks/isybank_itbbitmm.js +18 -0
package/src/app-gocardless/banks/kbc_kredbebb.js +33 -0
package/src/app-gocardless/banks/lhv-lhvbee22.js +36 -0
package/src/app-gocardless/banks/mbank_retail_brexplpw.js +56 -0
package/src/app-gocardless/banks/nationwide_naiagb21.js +46 -0
package/src/app-gocardless/banks/nbg_ethngraaxxx.js +51 -0
package/src/app-gocardless/banks/norwegian_xx_norwnok1.js +74 -0
package/src/app-gocardless/banks/revolut_revolt21.js +37 -0
package/src/app-gocardless/banks/sandboxfinance_sfin0000.js +28 -0
package/src/app-gocardless/banks/seb_kort_bank_ab.js +58 -0
package/src/app-gocardless/banks/seb_privat.js +29 -0
package/src/app-gocardless/banks/sparnord_spnodk22.js +24 -0
package/src/app-gocardless/banks/spk_karlsruhe_karsde66.js +61 -0
package/src/app-gocardless/banks/spk_marburg_biedenkopf_heladef1mar.js +30 -0
package/src/app-gocardless/banks/spk_worms_alzey_ried_malade51wor.js +19 -0
package/src/app-gocardless/banks/ssk_dusseldorf_dussdeddxxx.js +50 -0
package/src/app-gocardless/banks/swedbank_habalv22.js +47 -0
package/src/app-gocardless/banks/tests/abanca_caglesmm.spec.js +21 -0
package/src/app-gocardless/banks/tests/abnamro_abnanl2a.spec.js +61 -0
package/src/app-gocardless/banks/tests/bancsabadell_bsabesbbb.spec.js +53 -0
package/src/app-gocardless/banks/tests/belfius_gkccbebb.spec.js +22 -0
package/src/app-gocardless/banks/tests/cbc_cregbebb.spec.js +34 -0
package/src/app-gocardless/banks/tests/commerzbank_cobadeff.spec.js +110 -0
package/src/app-gocardless/banks/tests/easybank_bawaatww.spec.js +54 -0
package/src/app-gocardless/banks/tests/fortuneo_ftnofrp1xxx.spec.js +206 -0
package/src/app-gocardless/banks/tests/ing_ingddeff.spec.js +302 -0
package/src/app-gocardless/banks/tests/ing_pl_ingbplpw.spec.js +202 -0
package/src/app-gocardless/banks/tests/integration_bank.spec.js +158 -0
package/src/app-gocardless/banks/tests/kbc_kredbebb.spec.js +38 -0
package/src/app-gocardless/banks/tests/lhv-lhvbee22.spec.js +68 -0
package/src/app-gocardless/banks/tests/mbank_retail_brexplpw.spec.js +171 -0
package/src/app-gocardless/banks/tests/nationwide_naiagb21.spec.js +105 -0
package/src/app-gocardless/banks/tests/nbg_ethngraaxxx.spec.js +48 -0
package/src/app-gocardless/banks/tests/revolut_revolt21.spec.js +42 -0
package/src/app-gocardless/banks/tests/sandboxfinance_sfin0000.spec.js +133 -0
package/src/app-gocardless/banks/tests/spk_marburg_biedenkopf_heladef1mar.spec.js +256 -0
package/src/app-gocardless/banks/tests/ssk_dusseldorf_dussdeddxxx.spec.js +102 -0
package/src/app-gocardless/banks/tests/swedbank_habalv22.spec.js +57 -0
package/src/app-gocardless/banks/tests/virgin_nrnbgb22.spec.js +54 -0
package/src/app-gocardless/banks/util/extract-payeeName-from-remittanceInfo.js +36 -0
package/src/app-gocardless/banks/virgin_nrnbgb22.js +39 -0
package/src/app-gocardless/errors.js +84 -0
package/src/app-gocardless/gocardless-node.types.ts +497 -0
package/src/app-gocardless/gocardless.types.ts +93 -0
package/src/app-gocardless/link.html +18 -0
package/src/app-gocardless/services/gocardless-service.js +620 -0
package/src/app-gocardless/services/tests/fixtures.js +181 -0
package/src/app-gocardless/services/tests/gocardless-service.spec.js +537 -0
package/src/app-gocardless/tests/bank-factory.spec.js +20 -0
package/src/app-gocardless/tests/utils.spec.js +162 -0
package/src/app-gocardless/util/handle-error.js +16 -0
package/src/app-gocardless/utils.js +45 -0
package/src/app-openid.js +108 -0
package/src/app-pluggyai/app-pluggyai.js +215 -0
package/src/app-pluggyai/pluggyai-service.js +120 -0
package/src/app-secrets.js +61 -0
package/src/app-simplefin/app-simplefin.js +418 -0
package/src/app-sync/errors.js +13 -0
package/src/app-sync/services/files-service.js +243 -0
package/src/app-sync/tests/services/files-service.test.js +250 -0
package/src/app-sync/validation.js +77 -0
package/src/app-sync.js +391 -0
package/src/app-sync.test.js +877 -0
package/src/app.js +145 -0
package/src/config-types.ts +44 -0
package/src/db.js +58 -0
package/src/load-config.js +307 -0
package/src/migrations.js +36 -0
package/src/run-migrations.js +8 -0
package/src/scripts/disable-openid.js +44 -0
package/src/scripts/enable-openid.js +53 -0
package/src/scripts/health-check.js +23 -0
package/src/scripts/reset-password.js +51 -0
package/src/secrets.test.js +83 -0
package/src/services/secrets-service.js +94 -0
package/src/services/user-service.js +272 -0
package/src/sql/messages.sql +9 -0
package/src/sync-simple.js +95 -0
package/src/util/hash.js +5 -0
package/src/util/middlewares.js +62 -0
package/src/util/paths.js +13 -0
package/src/util/payee-name.js +45 -0
package/src/util/prompt.js +88 -0
package/src/util/title/index.js +59 -0
package/src/util/title/lower-case.js +93 -0
package/src/util/title/specials.js +21 -0
package/src/util/validate-user.js +68 -0
package/tsconfig.json +21 -0

package/package.json ADDED Viewed

@@ -0,0 +1,64 @@
+{
+  "name": "@actual-app/sync-server",
+  "version": "25.4.0-alpha.0",
+  "license": "MIT",
+  "description": "actual syncing server",
+  "bin": "bin/@actual-app/sync-server",
+  "type": "module",
+  "scripts": {
+    "start": "node app",
+    "start-monitor": "nodemon app",
+    "build": "tsc",
+    "test": "NODE_ENV=test NODE_OPTIONS='--experimental-vm-modules --trace-warnings' jest  --coverage",
+    "db:migrate": "NODE_ENV=development node src/run-migrations.js up",
+    "db:downgrade": "NODE_ENV=development node src/run-migrations.js down",
+    "db:test-migrate": "NODE_ENV=test node src/run-migrations.js up",
+    "db:test-downgrade": "NODE_ENV=test node src/run-migrations.js down",
+    "reset-password": "node src/scripts/reset-password.js",
+    "disable-openid": "node src/scripts/disable-openid.js",
+    "health-check": "node src/scripts/health-check.js"
+  },
+  "dependencies": {
+    "@actual-app/crdt": "2.1.0",
+    "@actual-app/web": "25.4.0-alpha.0",
+    "bcrypt": "^5.1.1",
+    "better-sqlite3": "^11.9.1",
+    "body-parser": "^1.20.3",
+    "convict": "^6.2.4",
+    "cors": "^2.8.5",
+    "date-fns": "^2.30.0",
+    "debug": "^4.4.0",
+    "express": "4.21.2",
+    "express-actuator": "1.8.4",
+    "express-rate-limit": "^7.5.0",
+    "express-response-size": "^0.0.3",
+    "express-winston": "^4.2.0",
+    "jws": "^4.0.0",
+    "migrate": "^2.1.0",
+    "nordigen-node": "^1.4.0",
+    "openid-client": "^5.4.3",
+    "pluggy-sdk": "^0.68.1",
+    "uuid": "^9.0.1",
+    "winston": "^3.17.0"
+  },
+  "devDependencies": {
+    "@babel/core": "^7.26.10",
+    "@babel/preset-typescript": "^7.20.2",
+    "@types/babel__core": "^7",
+    "@types/bcrypt": "^5.0.2",
+    "@types/better-sqlite3": "^7.6.12",
+    "@types/convict": "^6",
+    "@types/cors": "^2.8.17",
+    "@types/express": "^5.0.0",
+    "@types/express-actuator": "^1.8.3",
+    "@types/jest": "^29.5.14",
+    "@types/node": "^22.14.0",
+    "@types/supertest": "^2.0.16",
+    "@types/uuid": "^9.0.8",
+    "http-proxy-middleware": "^3.0.3",
+    "jest": "^29.7.0",
+    "nodemon": "^3.1.9",
+    "supertest": "^6.3.4",
+    "typescript": "^5.8.2"
+  }
+}

package/src/account-db.js ADDED Viewed

@@ -0,0 +1,239 @@
+import { join } from 'node:path';
+import * as bcrypt from 'bcrypt';
+import { bootstrapOpenId } from './accounts/openid.js';
+import { bootstrapPassword, loginWithPassword } from './accounts/password.js';
+import { openDatabase } from './db.js';
+import { config } from './load-config.js';
+let _accountDb;
+export function getAccountDb() {
+  if (_accountDb === undefined) {
+    const dbPath = join(config.get('serverFiles'), 'account.sqlite');
+    _accountDb = openDatabase(dbPath);
+  }
+  return _accountDb;
+}
+export function needsBootstrap() {
+  const accountDb = getAccountDb();
+  const rows = accountDb.all('SELECT * FROM auth');
+  return rows.length === 0;
+}
+export function listLoginMethods() {
+  const accountDb = getAccountDb();
+  const rows = accountDb.all('SELECT method, display_name, active FROM auth');
+  return rows
+    .filter(f =>
+      rows.length > 1 && config.get('enforceOpenId')
+        ? f.method === 'openid'
+        : true,
+    )
+    .map(r => ({
+      method: r.method,
+      active: r.active,
+      displayName: r.display_name,
+    }));
+}
+export function getActiveLoginMethod() {
+  const accountDb = getAccountDb();
+  const { method } =
+    accountDb.first('SELECT method FROM auth WHERE active = 1') || {};
+  return method;
+}
+/*
+ * Get the Login Method in the following order
+ * req (the frontend can say which method in the case it wants to resort to forcing password auth)
+ * config options
+ * fall back to using password
+ */
+export function getLoginMethod(req) {
+  if (
+    typeof req !== 'undefined' &&
+    (req.body || { loginMethod: null }).loginMethod &&
+    config.get('allowedLoginMethods').includes(req.body.loginMethod)
+  ) {
+    return req.body.loginMethod;
+  }
+  //BY-PASS ANY OTHER CONFIGURATION TO ENSURE HEADER AUTH
+  if (
+    config.get('loginMethod') === 'header' &&
+    config.get('allowedLoginMethods').includes('header')
+  ) {
+    return config.get('loginMethod');
+  }
+  const activeMethod = getActiveLoginMethod();
+  return activeMethod || config.get('loginMethod');
+}
+export async function bootstrap(loginSettings, forced = false) {
+  if (!loginSettings) {
+    return { error: 'invalid-login-settings' };
+  }
+  const passEnabled = 'password' in loginSettings;
+  const openIdEnabled = 'openId' in loginSettings;
+  const accountDb = getAccountDb();
+  accountDb.mutate('BEGIN TRANSACTION');
+  try {
+    const { countOfOwner } =
+      accountDb.first(
+        `SELECT count(*) as countOfOwner
+   FROM users
+   WHERE users.user_name <> '' and users.owner = 1`,
+      ) || {};
+    if (!forced && (!openIdEnabled || countOfOwner > 0)) {
+      if (!needsBootstrap()) {
+        accountDb.mutate('ROLLBACK');
+        return { error: 'already-bootstrapped' };
+      }
+    }
+    if (!passEnabled && !openIdEnabled) {
+      accountDb.mutate('ROLLBACK');
+      return { error: 'no-auth-method-selected' };
+    }
+    if (passEnabled && openIdEnabled && !forced) {
+      accountDb.mutate('ROLLBACK');
+      return { error: 'max-one-method-allowed' };
+    }
+    if (passEnabled) {
+      const { error } = bootstrapPassword(loginSettings.password);
+      if (error) {
+        accountDb.mutate('ROLLBACK');
+        return { error };
+      }
+    }
+    if (openIdEnabled && forced) {
+      const { error } = await bootstrapOpenId(loginSettings.openId);
+      if (error) {
+        accountDb.mutate('ROLLBACK');
+        return { error };
+      }
+    }
+    accountDb.mutate('COMMIT');
+    return passEnabled ? loginWithPassword(loginSettings.password) : {};
+  } catch (error) {
+    accountDb.mutate('ROLLBACK');
+    throw error;
+  }
+}
+export function isAdmin(userId) {
+  return hasPermission(userId, 'ADMIN');
+}
+export function hasPermission(userId, permission) {
+  return getUserPermission(userId) === permission;
+}
+export async function enableOpenID(loginSettings) {
+  if (!loginSettings || !loginSettings.openId) {
+    return { error: 'invalid-login-settings' };
+  }
+  const { error } = (await bootstrapOpenId(loginSettings.openId)) || {};
+  if (error) {
+    return { error };
+  }
+  getAccountDb().mutate('DELETE FROM sessions');
+}
+export async function disableOpenID(loginSettings) {
+  if (!loginSettings || !loginSettings.password) {
+    return { error: 'invalid-login-settings' };
+  }
+  const accountDb = getAccountDb();
+  const { extra_data: passwordHash } =
+    accountDb.first('SELECT extra_data FROM auth WHERE method = ?', [
+      'password',
+    ]) || {};
+  if (!passwordHash) {
+    return { error: 'invalid-password' };
+  }
+  if (!loginSettings?.password) {
+    return { error: 'invalid-password' };
+  }
+  if (passwordHash) {
+    const confirmed = bcrypt.compareSync(loginSettings.password, passwordHash);
+    if (!confirmed) {
+      return { error: 'invalid-password' };
+    }
+  }
+  const { error } = (await bootstrapPassword(loginSettings.password)) || {};
+  if (error) {
+    return { error };
+  }
+  try {
+    accountDb.transaction(() => {
+      accountDb.mutate('DELETE FROM sessions');
+      accountDb.mutate(
+        `DELETE FROM user_access
+                              WHERE user_access.user_id IN (
+                                  SELECT users.id
+                                  FROM users
+                                  WHERE users.user_name <> ?
+                              );`,
+        [''],
+      );
+      accountDb.mutate('DELETE FROM users WHERE user_name <> ?', ['']);
+      accountDb.mutate('DELETE FROM auth WHERE method = ?', ['openid']);
+    });
+  } catch (err) {
+    console.error('Error cleaning up openid information:', err);
+    return { error: 'database-error' };
+  }
+}
+export function getSession(token) {
+  const accountDb = getAccountDb();
+  return accountDb.first('SELECT * FROM sessions WHERE token = ?', [token]);
+}
+export function getUserInfo(userId) {
+  const accountDb = getAccountDb();
+  return accountDb.first('SELECT * FROM users WHERE id = ?', [userId]);
+}
+export function getUserPermission(userId) {
+  const accountDb = getAccountDb();
+  const { role } = accountDb.first(
+    `SELECT role FROM users
+          WHERE users.id = ?`,
+    [userId],
+  ) || { role: '' };
+  return role;
+}
+export function clearExpiredSessions() {
+  const clearThreshold = Math.floor(Date.now() / 1000) - 3600;
+  const deletedSessions = getAccountDb().mutate(
+    'DELETE FROM sessions WHERE expires_at <> -1 and expires_at < ?',
+    [clearThreshold],
+  ).changes;
+  console.log(`Deleted ${deletedSessions} old sessions`);
+}

package/src/accounts/openid.js ADDED Viewed

@@ -0,0 +1,361 @@
+import { generators, Issuer } from 'openid-client';
+import { v4 as uuidv4 } from 'uuid';
+import { clearExpiredSessions, getAccountDb } from '../account-db.js';
+import { config } from '../load-config.js';
+import {
+  getUserByUsername,
+  transferAllFilesFromUser,
+} from '../services/user-service.js';
+import { TOKEN_EXPIRATION_NEVER } from '../util/validate-user.js';
+import { checkPassword } from './password.js';
+export async function bootstrapOpenId(configParameter) {
+  if (!('issuer' in configParameter) && !('discoveryURL' in configParameter)) {
+    return { error: 'missing-issuer-or-discoveryURL' };
+  }
+  if (!('client_id' in configParameter)) {
+    return { error: 'missing-client-id' };
+  }
+  if (!('client_secret' in configParameter)) {
+    return { error: 'missing-client-secret' };
+  }
+  if (!('server_hostname' in configParameter)) {
+    return { error: 'missing-server-hostname' };
+  }
+  try {
+    //FOR BACKWARD COMPATIBLITY:
+    //If we don't put discoverURL into the issuer, it will break already enabled openid instances
+    if (configParameter.discoveryURL) {
+      configParameter.issuer = configParameter.discoveryURL;
+      delete configParameter.discoveryURL;
+    }
+    await setupOpenIdClient(configParameter);
+  } catch (err) {
+    console.error('Error setting up OpenID client:', err);
+    return { error: 'configuration-error' };
+  }
+  const accountDb = getAccountDb();
+  try {
+    accountDb.transaction(() => {
+      accountDb.mutate('DELETE FROM auth WHERE method = ?', ['openid']);
+      accountDb.mutate('UPDATE auth SET active = 0');
+      accountDb.mutate(
+        "INSERT INTO auth (method, display_name, extra_data, active) VALUES ('openid', 'OpenID', ?, 1)",
+        [JSON.stringify(configParameter)],
+      );
+    });
+  } catch (err) {
+    console.error('Error updating auth table:', err);
+    return { error: 'database-error' };
+  }
+  return {};
+}
+async function setupOpenIdClient(configParameter) {
+  const issuer =
+    typeof configParameter.issuer === 'string'
+      ? await Issuer.discover(configParameter.issuer)
+      : new Issuer({
+          issuer: configParameter.issuer.name,
+          authorization_endpoint: configParameter.issuer.authorization_endpoint,
+          token_endpoint: configParameter.issuer.token_endpoint,
+          userinfo_endpoint: configParameter.issuer.userinfo_endpoint,
+        });
+  const client = new issuer.Client({
+    client_id: configParameter.client_id,
+    client_secret: configParameter.client_secret,
+    redirect_uri: new URL(
+      '/openid/callback',
+      configParameter.server_hostname,
+    ).toString(),
+    validate_id_token: true,
+  });
+  return client;
+}
+export async function loginWithOpenIdSetup(
+  returnUrl,
+  firstTimeLoginPassword = '',
+) {
+  if (!returnUrl) {
+    return { error: 'return-url-missing' };
+  }
+  if (!isValidRedirectUrl(returnUrl)) {
+    return { error: 'invalid-return-url' };
+  }
+  const accountDb = getAccountDb();
+  const { countUsersWithUserName } = accountDb.first(
+    'SELECT count(*) as countUsersWithUserName FROM users WHERE user_name <> ?',
+    [''],
+  );
+  if (countUsersWithUserName === 0) {
+    const valid = checkPassword(firstTimeLoginPassword);
+    if (!valid) {
+      return { error: 'invalid-password' };
+    }
+  }
+  let config = accountDb.first('SELECT extra_data FROM auth WHERE method = ?', [
+    'openid',
+  ]);
+  if (!config) {
+    return { error: 'openid-not-configured' };
+  }
+  try {
+    config = JSON.parse(config['extra_data']);
+  } catch (err) {
+    console.error('Error parsing OpenID configuration:', err);
+    return { error: 'openid-setup-failed' };
+  }
+  let client;
+  try {
+    client = await setupOpenIdClient(config);
+  } catch (err) {
+    console.error('Error setting up OpenID client:', err);
+    return { error: 'openid-setup-failed' };
+  }
+  const state = generators.state();
+  const code_verifier = generators.codeVerifier();
+  const code_challenge = generators.codeChallenge(code_verifier);
+  const now_time = Date.now();
+  const expiry_time = now_time + 300 * 1000;
+  accountDb.mutate(
+    'DELETE FROM pending_openid_requests WHERE expiry_time < ?',
+    [now_time],
+  );
+  accountDb.mutate(
+    'INSERT INTO pending_openid_requests (state, code_verifier, return_url, expiry_time) VALUES (?, ?, ?, ?)',
+    [state, code_verifier, returnUrl, expiry_time],
+  );
+  const url = client.authorizationUrl({
+    response_type: 'code',
+    scope: 'openid email profile',
+    state,
+    code_challenge,
+    code_challenge_method: 'S256',
+  });
+  return { url };
+}
+export async function loginWithOpenIdFinalize(body) {
+  if (!body.code) {
+    return { error: 'missing-authorization-code' };
+  }
+  if (!body.state) {
+    return { error: 'missing-state' };
+  }
+  const accountDb = getAccountDb();
+  let configFromDb = accountDb.first(
+    "SELECT extra_data FROM auth WHERE method = 'openid' AND active = 1",
+  );
+  if (!configFromDb) {
+    return { error: 'openid-not-configured' };
+  }
+  try {
+    configFromDb = JSON.parse(configFromDb['extra_data']);
+  } catch (err) {
+    console.error('Error parsing OpenID configuration:', err);
+    return { error: 'openid-setup-failed' };
+  }
+  let client;
+  try {
+    client = await setupOpenIdClient(configFromDb);
+  } catch (err) {
+    console.error('Error setting up OpenID client:', err);
+    return { error: 'openid-setup-failed' };
+  }
+  const pendingRequest = accountDb.first(
+    'SELECT code_verifier, return_url FROM pending_openid_requests WHERE state = ? AND expiry_time > ?',
+    [body.state, Date.now()],
+  );
+  if (!pendingRequest) {
+    return { error: 'invalid-or-expired-state' };
+  }
+  const { code_verifier, return_url } = pendingRequest;
+  try {
+    let tokenSet = null;
+    if (!configFromDb.authMethod || configFromDb.authMethod === 'openid') {
+      const params = { code: body.code, state: body.state, iss: body.iss };
+      tokenSet = await client.callback(client.redirect_uris[0], params, {
+        code_verifier,
+        state: body.state,
+      });
+    } else {
+      tokenSet = await client.grant({
+        grant_type: 'authorization_code',
+        code: body.code,
+        redirect_uri: client.redirect_uris[0],
+        code_verifier,
+      });
+    }
+    const userInfo = await client.userinfo(tokenSet.access_token);
+    const identity =
+      userInfo.preferred_username ??
+      userInfo.login ??
+      userInfo.email ??
+      userInfo.id ??
+      userInfo.sub;
+    if (identity == null) {
+      return { error: 'openid-grant-failed: no identification was found' };
+    }
+    let userId = null;
+    try {
+      accountDb.transaction(() => {
+        const { countUsersWithUserName } = accountDb.first(
+          'SELECT count(*) as countUsersWithUserName FROM users WHERE user_name <> ?',
+          [''],
+        );
+        // Check if user was created by another transaction
+        const existingUser = accountDb.first(
+          'SELECT id FROM users WHERE user_name = ?',
+          [identity],
+        );
+        if (
+          !existingUser &&
+          (countUsersWithUserName === 0 ||
+            config.get('userCreationMode') === 'login')
+        ) {
+          userId = uuidv4();
+          accountDb.mutate(
+            'INSERT INTO users (id, user_name, display_name, enabled, owner, role) VALUES (?, ?, ?, 1, ?, ?)',
+            [
+              userId,
+              identity,
+              userInfo.name ?? userInfo.email ?? identity,
+              countUsersWithUserName === 0 ? '1' : '0',
+              countUsersWithUserName === 0 ? 'ADMIN' : 'BASIC',
+            ],
+          );
+          if (countUsersWithUserName === 0) {
+            const userFromPasswordMethod = getUserByUsername('');
+            if (userFromPasswordMethod) {
+              transferAllFilesFromUser(userId, userFromPasswordMethod.user_id);
+            }
+          }
+        } else {
+          const { id: userIdFromDb, display_name: displayName } =
+            accountDb.first(
+              'SELECT id, display_name FROM users WHERE user_name = ? and enabled = 1',
+              [identity],
+            ) || {};
+          if (userIdFromDb == null) {
+            throw new Error('openid-grant-failed');
+          }
+          if (!displayName && userInfo.name) {
+            accountDb.mutate('UPDATE users set display_name = ? WHERE id = ?', [
+              userInfo.name,
+              userIdFromDb,
+            ]);
+          }
+          userId = userIdFromDb;
+        }
+      });
+    } catch (error) {
+      if (error.message === 'user-already-exists') {
+        return { error: 'user-already-exists' };
+      } else if (error.message === 'openid-grant-failed') {
+        return { error: 'openid-grant-failed' };
+      } else {
+        throw error; // Re-throw other unexpected errors
+      }
+    }
+    const token = uuidv4();
+    let expiration;
+    if (config.get('token_expiration') === 'openid-provider') {
+      expiration = tokenSet.expires_at ?? TOKEN_EXPIRATION_NEVER;
+    } else if (config.get('token_expiration') === 'never') {
+      expiration = TOKEN_EXPIRATION_NEVER;
+    } else if (typeof config.get('token_expiration') === 'number') {
+      expiration =
+        Math.floor(Date.now() / 1000) + config.get('token_expiration') * 60;
+    } else {
+      expiration = Math.floor(Date.now() / 1000) + 10 * 60;
+    }
+    accountDb.mutate(
+      'INSERT INTO sessions (token, expires_at, user_id, auth_method) VALUES (?, ?, ?, ?)',
+      [token, expiration, userId, 'openid'],
+    );
+    clearExpiredSessions();
+    return { url: `${return_url}/openid-cb?token=${token}` };
+  } catch (err) {
+    console.error('OpenID grant failed:', err);
+    return { error: 'openid-grant-failed' };
+  }
+}
+export function getServerHostname() {
+  const auth = getAccountDb().first(
+    'select * from auth WHERE method = ? and active = 1',
+    ['openid'],
+  );
+  if (auth && auth.extra_data) {
+    try {
+      const openIdConfig = JSON.parse(auth.extra_data);
+      return openIdConfig.server_hostname;
+    } catch (error) {
+      console.error('Error parsing OpenID configuration:', error);
+    }
+  }
+  return null;
+}
+export function isValidRedirectUrl(url) {
+  const serverHostname = getServerHostname();
+  if (!serverHostname) {
+    return false;
+  }
+  try {
+    const redirectUrl = new URL(url);
+    const serverUrl = new URL(serverHostname);
+    if (
+      redirectUrl.hostname === serverUrl.hostname ||
+      redirectUrl.hostname === 'localhost'
+    ) {
+      return true;
+    } else {
+      return false;
+    }
+  } catch (err) {
+    return false;
+  }
+}