@adversity/coding-tool-x 3.0.6 → 3.1.0

package/src/server/services/oauth-service.js

@@ -0,0 +1,378 @@
+'use strict';
+
+const crypto = require('crypto');
+const https = require('https');
+const http = require('http');
+const { URL } = require('url');
+const { getProviderConfig } = require('../config/oauth-providers');
+
+// Pending OAuth flows storage with state -> flow data mapping
+const pendingFlows = new Map();
+
+// Flow expiry time: 10 minutes
+const FLOW_EXPIRY_MS = 10 * 60 * 1000;
+
+// ============================================
+// PKCE Generation
+// ============================================
+
+/**
+ * Generate base64url encoded string from buffer
+ * @param {Buffer} buffer
+ * @returns {string}
+ */
+function base64url(buffer) {
+  return buffer
+    .toString('base64')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=/g, '');
+}
+
+/**
+ * Generate PKCE code verifier and challenge
+ * @returns {{ codeVerifier: string, codeChallenge: string }}
+ */
+function generatePKCE() {
+  // 32 bytes random -> base64url for code verifier
+  const codeVerifier = base64url(crypto.randomBytes(32));
+
+  // SHA-256 hash of verifier -> base64url for challenge
+  const hash = crypto.createHash('sha256').update(codeVerifier).digest();
+  const codeChallenge = base64url(hash);
+
+  return { codeVerifier, codeChallenge };
+}
+
+// ============================================
+// State Management
+// ============================================
+
+/**
+ * Generate random state for OAuth flow
+ * @returns {string}
+ */
+function generateState() {
+  return crypto.randomBytes(16).toString('hex');
+}
+
+/**
+ * Clean up expired flows (older than 10 minutes)
+ */
+function cleanupExpiredFlows() {
+  const now = Date.now();
+  for (const [state, flow] of pendingFlows.entries()) {
+    if (now - flow.createdAt > FLOW_EXPIRY_MS) {
+      pendingFlows.delete(state);
+    }
+  }
+}
+
+// ============================================
+// Auth URL Construction
+// ============================================
+
+/**
+ * Build OAuth authorization URL
+ * @param {string} provider - Provider name (claude, codex, gemini)
+ * @param {string} state - State parameter
+ * @param {string} codeChallenge - PKCE code challenge (for PKCE providers)
+ * @returns {string} Full authorization URL
+ */
+function buildAuthUrl(provider, state, codeChallenge) {
+  const config = getProviderConfig(provider);
+  const url = new URL(config.authUrl);
+
+  // Common parameters
+  url.searchParams.set('client_id', config.clientId);
+  url.searchParams.set('redirect_uri', config.redirectUri);
+  url.searchParams.set('response_type', 'code');
+  url.searchParams.set('state', state);
+  url.searchParams.set('scope', config.scopes.join(' '));
+
+  // PKCE parameters for PKCE-enabled providers
+  if (config.authType === 'pkce' && codeChallenge) {
+    url.searchParams.set('code_challenge', codeChallenge);
+    url.searchParams.set('code_challenge_method', 'S256');
+  }
+
+  // Extra parameters from provider config
+  if (config.extraParams) {
+    for (const [key, value] of Object.entries(config.extraParams)) {
+      url.searchParams.set(key, value);
+    }
+  }
+
+  return url.toString();
+}
+
+// ============================================
+// HTTP Request Helper
+// ============================================
+
+/**
+ * Make HTTP/HTTPS request
+ * @param {string} urlString - Full URL
+ * @param {Object} options - Request options
+ * @param {string} body - Request body
+ * @returns {Promise<{ statusCode: number, data: Object }>}
+ */
+function makeRequest(urlString, options, body) {
+  return new Promise((resolve, reject) => {
+    const url = new URL(urlString);
+    const client = url.protocol === 'https:' ? https : http;
+
+    const reqOptions = {
+      hostname: url.hostname,
+      port: url.port || (url.protocol === 'https:' ? 443 : 80),
+      path: url.pathname + url.search,
+      method: options.method || 'POST',
+      headers: options.headers || {}
+    };
+
+    const req = client.request(reqOptions, (res) => {
+      let data = '';
+      res.on('data', (chunk) => { data += chunk; });
+      res.on('end', () => {
+        try {
+          const parsed = JSON.parse(data);
+          resolve({ statusCode: res.statusCode, data: parsed });
+        } catch (e) {
+          reject(new Error(`Failed to parse response: ${data}`));
+        }
+      });
+    });
+
+    req.on('error', reject);
+    req.on('timeout', () => {
+      req.destroy();
+      reject(new Error('Request timeout'));
+    });
+
+    if (body) {
+      req.write(body);
+    }
+    req.end();
+  });
+}
+
+// ============================================
+// Token Exchange
+// ============================================
+
+/**
+ * Exchange authorization code for tokens
+ * @param {string} provider - Provider name
+ * @param {string} code - Authorization code
+ * @param {string} codeVerifier - PKCE code verifier (for PKCE providers)
+ * @returns {Promise<{ accessToken: string, refreshToken?: string, idToken?: string, expiresIn?: number, scope?: string }>}
+ */
+async function exchangeCodeForToken(provider, code, codeVerifier) {
+  const config = getProviderConfig(provider);
+
+  // Build token request body
+  const params = new URLSearchParams();
+  params.set('grant_type', 'authorization_code');
+  params.set('code', code);
+  params.set('client_id', config.clientId);
+  params.set('redirect_uri', config.redirectUri);
+
+  // Add client_secret for standard OAuth (gemini)
+  if (config.clientSecret) {
+    params.set('client_secret', config.clientSecret);
+  }
+
+  // Add code_verifier for PKCE providers
+  if (config.authType === 'pkce' && codeVerifier) {
+    params.set('code_verifier', codeVerifier);
+  }
+
+  // Determine content type - Codex requires form-urlencoded
+  const contentType = config.tokenContentType || 'application/x-www-form-urlencoded';
+
+  const headers = {
+    'Content-Type': contentType,
+    'Accept': 'application/json'
+  };
+
+  const { statusCode, data } = await makeRequest(config.tokenUrl, { headers }, params.toString());
+
+  if (statusCode !== 200) {
+    const errorMsg = data.error_description || data.error || 'Token exchange failed';
+    throw new Error(`Token exchange failed (${statusCode}): ${errorMsg}`);
+  }
+
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    idToken: data.id_token,
+    expiresIn: data.expires_in,
+    scope: data.scope
+  };
+}
+
+// ============================================
+// Token Refresh
+// ============================================
+
+/**
+ * Refresh access token using refresh token
+ * @param {string} provider - Provider name
+ * @param {string} refreshTokenValue - Refresh token
+ * @returns {Promise<{ accessToken: string, refreshToken?: string, expiresIn?: number, scope?: string }>}
+ */
+async function refreshToken(provider, refreshTokenValue) {
+  const config = getProviderConfig(provider);
+
+  // Build refresh request body
+  const params = new URLSearchParams();
+  params.set('grant_type', 'refresh_token');
+  params.set('refresh_token', refreshTokenValue);
+  params.set('client_id', config.clientId);
+
+  // Add client_secret for standard OAuth (gemini)
+  if (config.clientSecret) {
+    params.set('client_secret', config.clientSecret);
+  }
+
+  // Determine content type
+  const contentType = config.tokenContentType || 'application/x-www-form-urlencoded';
+
+  const headers = {
+    'Content-Type': contentType,
+    'Accept': 'application/json'
+  };
+
+  const { statusCode, data } = await makeRequest(config.tokenUrl, { headers }, params.toString());
+
+  if (statusCode !== 200) {
+    const errorMsg = data.error_description || data.error || 'Token refresh failed';
+    throw new Error(`Token refresh failed (${statusCode}): ${errorMsg}`);
+  }
+
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    expiresIn: data.expires_in,
+    scope: data.scope
+  };
+}
+
+// ============================================
+// Flow Management
+// ============================================
+
+/**
+ * Start a new OAuth flow
+ * @param {string} provider - Provider name
+ * @param {string} [channelId] - Optional channel ID to associate with flow
+ * @returns {{ state: string, authUrl: string }}
+ */
+function startFlow(provider, channelId) {
+  // Clean up old flows first
+  cleanupExpiredFlows();
+
+  const state = generateState();
+  const config = getProviderConfig(provider);
+
+  let codeVerifier = null;
+  let codeChallenge = null;
+
+  // Generate PKCE for PKCE-enabled providers
+  if (config.authType === 'pkce') {
+    const pkce = generatePKCE();
+    codeVerifier = pkce.codeVerifier;
+    codeChallenge = pkce.codeChallenge;
+  }
+
+  const authUrl = buildAuthUrl(provider, state, codeChallenge);
+
+  // Store flow data
+  pendingFlows.set(state, {
+    provider,
+    codeVerifier,
+    channelId: channelId || null,
+    createdAt: Date.now(),
+    status: 'pending',
+    tokenId: null,
+    error: null
+  });
+
+  return { state, authUrl };
+}
+
+/**
+ * Get pending flow by state
+ * @param {string} state
+ * @returns {Object|null}
+ */
+function getPendingFlow(state) {
+  return pendingFlows.get(state) || null;
+}
+
+/**
+ * Update flow with partial data
+ * @param {string} state
+ * @param {Object} updates
+ * @returns {boolean}
+ */
+function updateFlow(state, updates) {
+  const flow = pendingFlows.get(state);
+  if (!flow) return false;
+
+  Object.assign(flow, updates);
+  return true;
+}
+
+/**
+ * Mark flow as completed
+ * @param {string} state
+ * @param {string} tokenId - Token ID from storage
+ * @returns {boolean}
+ */
+function completeFlow(state, tokenId) {
+  return updateFlow(state, { status: 'completed', tokenId });
+}
+
+/**
+ * Mark flow as failed
+ * @param {string} state
+ * @param {string} error - Error message
+ * @returns {boolean}
+ */
+function failFlow(state, error) {
+  return updateFlow(state, { status: 'failed', error });
+}
+
+/**
+ * Cancel and remove a flow
+ * @param {string} state
+ * @returns {boolean}
+ */
+function cancelFlow(state) {
+  return pendingFlows.delete(state);
+}
+
+module.exports = {
+  // PKCE
+  generatePKCE,
+
+  // State
+  generateState,
+  cleanupExpiredFlows,
+
+  // Auth URL
+  buildAuthUrl,
+
+  // Token operations
+  exchangeCodeForToken,
+  refreshToken,
+
+  // Flow management
+  startFlow,
+  getPendingFlow,
+  updateFlow,
+  completeFlow,
+  failFlow,
+  cancelFlow
+};

package/src/server/services/oauth-token-storage.js

@@ -0,0 +1,135 @@
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const TOKEN_EXPIRY_BUFFER_MS = 5 * 60 * 1000; // 5 minutes
+
+function getTokensFilePath() {
+  const dir = path.join(os.homedir(), '.claude', 'cc-tool');
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true });
+  }
+  return path.join(dir, 'oauth-tokens.json');
+}
+
+function loadTokens() {
+  const filePath = getTokensFilePath();
+  try {
+    if (fs.existsSync(filePath)) {
+      const content = fs.readFileSync(filePath, 'utf8');
+      return JSON.parse(content);
+    }
+  } catch (error) {
+    console.error('Error loading oauth tokens:', error);
+  }
+  return { tokens: {} };
+}
+
+function saveTokens(data) {
+  const filePath = getTokensFilePath();
+  fs.writeFileSync(filePath, JSON.stringify(data, null, 2), 'utf8');
+
+  // Set file permissions to 0600 (owner read/write only) on non-Windows
+  if (process.platform !== 'win32') {
+    try {
+      fs.chmodSync(filePath, 0o600);
+    } catch (error) {
+      console.error('Error setting oauth tokens file permissions:', error);
+    }
+  }
+}
+
+function getToken(tokenId) {
+  const data = loadTokens();
+  return data.tokens[tokenId] || null;
+}
+
+function saveToken(tokenData) {
+  const data = loadTokens();
+  const id = tokenData.id || `token-${Date.now()}`;
+  const now = Date.now();
+
+  data.tokens[id] = {
+    ...tokenData,
+    id,
+    createdAt: tokenData.createdAt || now,
+    updatedAt: now
+  };
+
+  saveTokens(data);
+  return data.tokens[id];
+}
+
+function updateToken(tokenId, updates) {
+  const data = loadTokens();
+
+  if (!data.tokens[tokenId]) {
+    throw new Error('Token not found');
+  }
+
+  data.tokens[tokenId] = {
+    ...data.tokens[tokenId],
+    ...updates,
+    id: tokenId, // prevent id override
+    updatedAt: Date.now()
+  };
+
+  saveTokens(data);
+  return data.tokens[tokenId];
+}
+
+function deleteToken(tokenId) {
+  const data = loadTokens();
+
+  if (!data.tokens[tokenId]) {
+    throw new Error('Token not found');
+  }
+
+  delete data.tokens[tokenId];
+  saveTokens(data);
+  return { success: true };
+}
+
+function maskSensitiveField(value) {
+  if (!value || typeof value !== 'string') {
+    return value;
+  }
+  if (value.length <= 8) {
+    return '***';
+  }
+  return value.substring(0, 8) + '...';
+}
+
+function getAllTokens() {
+  const data = loadTokens();
+  return Object.values(data.tokens).map(token => ({
+    ...token,
+    accessToken: maskSensitiveField(token.accessToken),
+    refreshToken: maskSensitiveField(token.refreshToken)
+  }));
+}
+
+function getTokensByProvider(provider) {
+  const all = getAllTokens();
+  return all.filter(token => token.provider === provider);
+}
+
+function isTokenExpired(token) {
+  if (!token || !token.expiresAt) {
+    return true;
+  }
+  return Date.now() >= (token.expiresAt - TOKEN_EXPIRY_BUFFER_MS);
+}
+
+module.exports = {
+  loadTokens,
+  saveTokens,
+  getToken,
+  saveToken,
+  updateToken,
+  deleteToken,
+  getAllTokens,
+  getTokensByProvider,
+  isTokenExpired,
+  getTokensFilePath
+};