@m5kdev/backend 0.1.0

package/src/modules/connect/connect.oauth.ts

@@ -0,0 +1,288 @@
+import * as client from "openid-client";
+import { logger as rootLogger } from "#utils/logger";
+import type { ConnectProvider } from "./connect.types";
+
+export interface OAuthState {
+  state: string;
+  codeVerifier: string;
+  codeChallenge: string;
+  sessionId: string;
+  provider: string;
+}
+
+// In-memory store for OAuth state (keyed by sessionId + provider)
+// In production, consider using Redis with TTL
+const oauthStateStore = new Map<string, OAuthState>();
+
+const STATE_TTL_MS = 10 * 60 * 1000; // 10 minutes
+
+function getStateKey(sessionId: string, provider: string): string {
+  return `${sessionId}:${provider}`;
+}
+
+export async function generateOAuthState(sessionId: string, provider: string): Promise<OAuthState> {
+  const state = client.randomState();
+  const codeVerifier = client.randomPKCECodeVerifier();
+  const codeChallenge = await client.calculatePKCECodeChallenge(codeVerifier);
+
+  const oauthState: OAuthState = {
+    state,
+    codeVerifier,
+    codeChallenge,
+    sessionId,
+    provider,
+  };
+
+  const key = getStateKey(sessionId, provider);
+  oauthStateStore.set(key, oauthState);
+
+  // Clean up after TTL
+  setTimeout(() => {
+    oauthStateStore.delete(key);
+  }, STATE_TTL_MS);
+
+  return oauthState;
+}
+
+export function getOAuthState(
+  sessionId: string,
+  provider: string,
+  state: string
+): OAuthState | null {
+  const key = getStateKey(sessionId, provider);
+  const stored = oauthStateStore.get(key);
+
+  if (!stored || stored.state !== state) {
+    return null;
+  }
+
+  // Clean up after use
+  oauthStateStore.delete(key);
+  return stored;
+}
+
+export async function createConfiguration(
+  provider: ConnectProvider
+): Promise<client.Configuration> {
+  // LinkedIn uses client_secret_post (form-encoded body parameters)
+  // The library's ClientSecretPost handles this correctly
+  const clientAuth = provider.clientSecret
+    ? client.ClientSecretPost(provider.clientSecret)
+    : client.None();
+
+  if (provider.issuerConfig) {
+    // Use manual issuer config (e.g., LinkedIn) - create Configuration directly
+    // LinkedIn doesn't support OpenID Connect discovery
+    const serverMetadata: client.ServerMetadata = {
+      issuer: provider.issuerConfig.issuer,
+      authorization_endpoint: provider.issuerConfig.authorization_endpoint,
+      token_endpoint: provider.issuerConfig.token_endpoint,
+      ...(provider.issuerConfig.userinfo_endpoint && {
+        userinfo_endpoint: provider.issuerConfig.userinfo_endpoint,
+      }),
+      // LinkedIn JWKS URI for ID token signature verification
+      ...(provider.id === "linkedin" && {
+        jwks_uri: "https://www.linkedin.com/oauth/openid/jwks",
+      }),
+    };
+
+    const clientMetadata: Partial<client.ClientMetadata> = {
+      client_id: provider.clientId,
+      ...(provider.clientSecret && { client_secret: provider.clientSecret }),
+      redirect_uris: [provider.redirectUri],
+    };
+
+    return new client.Configuration(serverMetadata, provider.clientId, clientMetadata, clientAuth);
+  }
+
+  // Auto-discovery from well-known endpoint
+  if (!provider.issuerUrl) {
+    throw new Error("Provider must have either issuerConfig or issuerUrl");
+  }
+
+  const serverUrl = new URL(provider.issuerUrl);
+  return await client.discovery(serverUrl, provider.clientId, undefined, clientAuth);
+}
+
+export async function buildAuthorizationUrl(
+  provider: ConnectProvider,
+  state: OAuthState
+): Promise<string> {
+  const config = await createConfiguration(provider);
+
+  const parameters: Record<string, string> = {
+    scope: provider.scopes.join(" "),
+    state: state.state,
+    redirect_uri: provider.redirectUri,
+  };
+
+  // Add PKCE parameters only if provider supports it
+  if (provider.supportsPKCE !== false) {
+    parameters.code_challenge = state.codeChallenge;
+    parameters.code_challenge_method = "S256";
+  }
+
+  const url = client.buildAuthorizationUrl(config, parameters);
+  return url.toString();
+}
+
+export async function exchangeCodeForTokens(
+  provider: ConnectProvider,
+  code: string,
+  codeVerifier: string,
+  redirectUri: string,
+  state: string
+): Promise<{
+  accessToken: string;
+  refreshToken?: string;
+  tokenType?: string;
+  expiresAt?: Date;
+  scope?: string;
+}> {
+  const logger = rootLogger.child({ layer: "exchangeCodeForTokens" });
+
+  try {
+    // LinkedIn-specific workaround: Manual token exchange to bypass ID token validation
+    // LinkedIn's OpenID Connect ID token has non-standard claim format
+    if (provider.id === "linkedin" && provider.issuerConfig) {
+      const tokenEndpoint = provider.issuerConfig.token_endpoint;
+      const body = new URLSearchParams({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: provider.redirectUri,
+        client_id: provider.clientId,
+        client_secret: provider.clientSecret,
+      });
+
+      const response = await fetch(tokenEndpoint, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded",
+        },
+        body: body.toString(),
+      });
+
+      if (!response.ok) {
+        const errorData = await response.json().catch(() => ({}));
+        throw new Error(
+          `LinkedIn token exchange failed: ${response.status} ${response.statusText} - ${JSON.stringify(errorData)}`
+        );
+      }
+
+      const tokenData = (await response.json()) as {
+        access_token: string;
+        refresh_token?: string;
+        token_type?: string;
+        expires_in?: number;
+        scope?: string;
+      };
+
+      return {
+        accessToken: tokenData.access_token,
+        refreshToken: tokenData.refresh_token,
+        tokenType: tokenData.token_type || "bearer",
+        expiresAt: tokenData.expires_in
+          ? new Date(Date.now() + tokenData.expires_in * 1000)
+          : undefined,
+        scope: tokenData.scope,
+      };
+    }
+
+    // Standard flow for other providers
+    const config = await createConfiguration(provider);
+    const currentUrl = new URL(redirectUri);
+    currentUrl.searchParams.set("code", code);
+    currentUrl.searchParams.set("state", state);
+
+    const checks: {
+      pkceCodeVerifier?: string;
+      expectedState: string;
+    } = {
+      expectedState: state,
+    };
+
+    // Only include PKCE verifier if provider supports it
+    if (provider.supportsPKCE !== false) {
+      checks.pkceCodeVerifier = codeVerifier;
+    }
+
+    const tokenSet = await client.authorizationCodeGrant(config, currentUrl, checks);
+
+    return {
+      accessToken: tokenSet.access_token,
+      refreshToken: tokenSet.refresh_token,
+      tokenType: tokenSet.token_type,
+      expiresAt: tokenSet.expires_in
+        ? new Date(Date.now() + tokenSet.expires_in * 1000)
+        : undefined,
+      scope: tokenSet.scope,
+    };
+  } catch (error: unknown) {
+    // Enhanced error logging for OAuth issues
+    logger.error("Token exchange error", { error, provider: provider.id });
+
+    if (error instanceof Error) {
+      const errorMessage = error.message || "Unknown error";
+
+      // Check if this is an ID token validation error for LinkedIn
+      // LinkedIn's ID token may have non-standard claim format, but we can still use the access token
+      if (
+        provider.id === "linkedin" &&
+        errorMessage.includes("JWT claim") &&
+        (error as { code?: string }).code === "OAUTH_JWT_CLAIM_COMPARISON_FAILED"
+      ) {
+        // Try to extract access token from the error response if available
+        // This is a workaround for LinkedIn's ID token validation issues
+        logger.warn(
+          "LinkedIn ID token validation failed, but token exchange may have succeeded. Check if access token is available.",
+          { error: errorMessage }
+        );
+        // Re-throw for now - we need the access token to continue
+        // In a production scenario, you might want to manually parse the token response
+        throw new Error(
+          `LinkedIn ID token validation failed: ${errorMessage}. This is a known issue with LinkedIn's OpenID Connect implementation.`
+        );
+      }
+
+      // ResponseBodyError from oauth4webapi has a 'cause' property with the error details
+      const responseBodyError = error as { cause?: Record<string, unknown> };
+      const errorDetails = responseBodyError.cause;
+
+      // Extract error and error_description from LinkedIn's response
+      const linkedInError = errorDetails?.error as string | undefined;
+      const linkedInErrorDescription = errorDetails?.error_description as string | undefined;
+
+      const fullErrorMessage = linkedInError
+        ? `LinkedIn OAuth error: ${linkedInError}${linkedInErrorDescription ? ` - ${linkedInErrorDescription}` : ""}`
+        : `Token exchange failed: ${errorMessage}${
+            errorDetails ? ` - Details: ${JSON.stringify(errorDetails)}` : ""
+          }`;
+
+      throw new Error(fullErrorMessage);
+    }
+    throw error;
+  }
+}
+
+export async function refreshAccessToken(
+  provider: ConnectProvider,
+  refreshToken: string
+): Promise<{
+  accessToken: string;
+  refreshToken?: string;
+  tokenType?: string;
+  expiresAt?: Date;
+  scope?: string;
+}> {
+  const config = await createConfiguration(provider);
+
+  const tokenSet = await client.refreshTokenGrant(config, refreshToken);
+
+  return {
+    accessToken: tokenSet.access_token,
+    refreshToken: tokenSet.refresh_token || refreshToken,
+    tokenType: tokenSet.token_type,
+    expiresAt: tokenSet.expires_in ? new Date(Date.now() + tokenSet.expires_in * 1000) : undefined,
+    scope: tokenSet.scope,
+  };
+}

package/src/modules/connect/connect.repository.ts

@@ -0,0 +1,65 @@
+import type { InferInsertModel, InferSelectModel } from "drizzle-orm";
+import { and, eq, inArray, isNull } from "drizzle-orm";
+import type { LibSQLDatabase } from "drizzle-orm/libsql";
+import { ok } from "neverthrow";
+import { BaseTableRepository } from "#modules/base/base.repository";
+import * as connect from "#modules/connect/connect.db";
+import type { ConnectListInputSchema } from "#modules/connect/connect.dto";
+
+const schema = { ...connect };
+type Schema = typeof schema;
+type Orm = LibSQLDatabase<Schema>;
+
+export type ConnectRow = InferSelectModel<Schema["connect"]>;
+export type ConnectInsert = InferInsertModel<Schema["connect"]>;
+
+export class ConnectRepository extends BaseTableRepository<Orm, Schema, Record<string, never>, Schema["connect"]> {
+  async list(data: ConnectListInputSchema & { userId: string }, tx?: Orm) {
+    return this.throwableAsync(async () => {
+      const db = tx ?? this.orm;
+      const { ConditionBuilder } = this.helpers;
+      const conditions = new ConditionBuilder();
+      if (data.providers) conditions.push(inArray(this.schema.connect.provider, data.providers));
+      if (data.inactive) conditions.push(isNull(this.schema.connect.revokedAt));
+      conditions.push(eq(this.schema.connect.userId, data.userId));
+      const rows = await db.select().from(this.schema.connect).where(conditions.join());
+      return ok(rows);
+    });
+  }
+
+  async upsert(data: ConnectInsert, tx?: Orm) {
+    return this.throwableAsync(async () => {
+      const db = tx ?? this.orm;
+      const [existing] = await db
+        .select()
+        .from(this.schema.connect)
+        .where(
+          and(
+            eq(this.schema.connect.userId, data.userId),
+            eq(this.schema.connect.provider, data.provider),
+            eq(this.schema.connect.providerAccountId, data.providerAccountId)
+          )
+        )
+        .limit(1);
+
+      if (existing) {
+        // Update existing
+        const [updated] = await db
+          .update(this.schema.connect)
+          .set({
+            ...data,
+            updatedAt: new Date(),
+            lastRefreshedAt: new Date(),
+          })
+          .where(eq(this.schema.connect.id, existing.id))
+          .returning();
+        return ok(updated);
+      }
+
+      // Create new
+      const [created] = await db.insert(this.schema.connect).values(data).returning();
+      if (!created) return this.error("UNPROCESSABLE_CONTENT");
+      return ok(created);
+    });
+  }
+}

package/src/modules/connect/connect.router.ts

@@ -0,0 +1,76 @@
+import { Router } from "express";
+import type { AuthMiddleware, AuthRequest } from "#modules/auth/auth.middleware";
+import type { ConnectService } from "./connect.service";
+
+export function createConnectRouter(
+  authMiddleware: AuthMiddleware,
+  connectService: ConnectService
+): Router {
+  const connectRouter = Router();
+
+  connectRouter.get("/:provider/start", authMiddleware, async (req: AuthRequest, res) => {
+    const user = req.user;
+    const session = req.session;
+    if (!user || !session) {
+      return res.status(401).json({ message: "Unauthorized" });
+    }
+    const { provider } = req.params;
+    const { redirect } = req.query;
+
+    const result = await connectService.startAuth(user, session.id, provider);
+
+    if (result.isErr()) {
+      const errorUrl = redirect
+        ? `${redirect}?error=${encodeURIComponent(result.error.message)}`
+        : `${process.env.VITE_APP_URL || process.env.VITE_SERVER_URL || "/"}?connect_error=${encodeURIComponent(result.error.message)}`;
+      return res.redirect(errorUrl);
+    }
+
+    return res.redirect(result.value.url);
+  });
+
+  connectRouter.get("/:provider/callback", authMiddleware, async (req: AuthRequest, res) => {
+    const user = req.user;
+    const session = req.session;
+    if (!user || !session) {
+      return res.status(401).json({ message: "Unauthorized" });
+    }
+    const { provider } = req.params;
+    const { code, state, error, error_description } = req.query;
+    const { redirect } = req.query;
+
+    const successUrl =
+      redirect && typeof redirect === "string"
+        ? redirect
+        : `${process.env.VITE_APP_URL || process.env.VITE_SERVER_URL || "/"}?connect_success=true`;
+
+    // Handle OAuth errors from provider
+    if (error) {
+      const errorMessage = error_description || error || "OAuth error";
+      const errorUrl = `${successUrl}&error=${encodeURIComponent(String(errorMessage))}`;
+      return res.redirect(errorUrl);
+    }
+
+    if (!code || !state) {
+      const errorUrl = `${successUrl}&error=${encodeURIComponent("Missing code or state")}`;
+      return res.redirect(errorUrl);
+    }
+
+    const result = await connectService.handleCallback(
+      user,
+      session.id,
+      provider,
+      String(code),
+      String(state)
+    );
+
+    if (result.isErr()) {
+      const errorUrl = `${successUrl}&error=${encodeURIComponent(result.error.message)}`;
+      return res.redirect(errorUrl);
+    }
+
+    return res.redirect(`${successUrl}&provider=${provider}`);
+  });
+
+  return connectRouter;
+}

package/src/modules/connect/connect.service.ts

@@ -0,0 +1,171 @@
+import { err, ok } from "neverthrow";
+import type { User } from "#modules/auth/auth.lib";
+import type { ServerResultAsync } from "#modules/base/base.dto";
+import { BaseService } from "#modules/base/base.service";
+import type {
+  ConnectDeleteInputSchema,
+  ConnectListInputSchema,
+} from "#modules/connect/connect.dto";
+import {
+  buildAuthorizationUrl,
+  exchangeCodeForTokens,
+  generateOAuthState,
+  getOAuthState,
+  refreshAccessToken,
+} from "./connect.oauth";
+import type { ConnectRepository } from "./connect.repository";
+import type { ConnectProvider } from "./connect.types";
+
+export class ConnectService extends BaseService<{ connect: ConnectRepository }, never> {
+  private providers = new Map<string, ConnectProvider>();
+
+  constructor(repositories: { connect: ConnectRepository }, providers: ConnectProvider[]) {
+    super(repositories);
+    this.providers = new Map(providers.map((provider) => [provider.id, provider]));
+  }
+
+  getProvider(id: string): ConnectProvider | null {
+    return this.providers.get(id) || null;
+  }
+
+  async startAuth(
+    _user: User,
+    sessionId: string,
+    providerId: string
+  ): ServerResultAsync<{ url: string }> {
+    return this.throwableAsync(async () => {
+      const provider = this.getProvider(providerId);
+      if (!provider) {
+        return this.error("BAD_REQUEST", `Unknown provider: ${providerId}`);
+      }
+
+      const state = await generateOAuthState(sessionId, providerId);
+      const url = await buildAuthorizationUrl(provider, state);
+
+      return ok({ url });
+    });
+  }
+
+  async handleCallback(
+    user: User,
+    sessionId: string,
+    providerId: string,
+    code: string,
+    state: string
+  ) {
+    return this.throwableAsync(async () => {
+      const provider = this.getProvider(providerId);
+      if (!provider) {
+        return this.error("BAD_REQUEST", `Unknown provider: ${providerId}`);
+      }
+
+      const oauthState = getOAuthState(sessionId, providerId, state);
+      if (!oauthState) {
+        return this.error("BAD_REQUEST", "Invalid or expired state");
+      }
+
+      // Exchange code for tokens
+      // Note: redirectUri must match exactly what was used in authorization request
+      const tokens = await exchangeCodeForTokens(
+        provider,
+        code,
+        oauthState.codeVerifier,
+        provider.redirectUri,
+        state
+      );
+
+      // Fetch profile
+      const profile = await provider.mapProfile(tokens.accessToken);
+
+      // Upsert connection
+      const connection = await this.repository.connect.upsert({
+        userId: user.id,
+        provider: providerId,
+        accountType: profile.accountType,
+        providerAccountId: profile.providerAccountId,
+        handle: profile.handle,
+        displayName: profile.displayName,
+        avatarUrl: profile.avatarUrl,
+        accessToken: tokens.accessToken,
+        refreshToken: tokens.refreshToken,
+        tokenType: tokens.tokenType || "bearer",
+        scope: tokens.scope,
+        expiresAt: tokens.expiresAt,
+        parentId: profile.parentId,
+        metadataJson: profile.metadata ? JSON.stringify(profile.metadata) : null,
+      });
+
+      if (connection.isErr()) {
+        return this.error("INTERNAL_SERVER_ERROR", "Failed to save connection", {
+          cause: connection.error,
+        });
+      }
+
+      return ok(connection.value);
+    });
+  }
+
+  async refreshToken(connectionId: string) {
+    return this.throwableAsync(async () => {
+      const connection = await this.repository.connect.findById(connectionId);
+      if (connection.isErr() || !connection.value) {
+        return this.error("NOT_FOUND", "Connection not found");
+      }
+
+      const conn = connection.value;
+      if (!conn.refreshToken) {
+        return this.error("BAD_REQUEST", "No refresh token available");
+      }
+
+      const provider = this.getProvider(conn.provider);
+      if (!provider) {
+        return this.error("BAD_REQUEST", `Unknown provider: ${conn.provider}`);
+      }
+
+      const tokens = await refreshAccessToken(provider, conn.refreshToken);
+
+      const updateData: {
+        id: string;
+        accessToken: string;
+        refreshToken?: string | null;
+        tokenType?: string | null;
+        scope?: string | null;
+        expiresAt?: Date | null;
+        lastRefreshedAt: Date;
+      } = {
+        id: conn.id,
+        accessToken: tokens.accessToken,
+        refreshToken: tokens.refreshToken || null,
+        tokenType: tokens.tokenType || conn.tokenType || null,
+        scope: tokens.scope || conn.scope || null,
+        expiresAt: tokens.expiresAt || null,
+        lastRefreshedAt: new Date(),
+      };
+
+      const updated = await this.repository.connect.update(updateData);
+
+      if (updated.isErr()) {
+        return this.error("INTERNAL_SERVER_ERROR", "Failed to update tokens", {
+          cause: updated.error,
+        });
+      }
+
+      return ok(updated.value);
+    });
+  }
+
+  async list(input: ConnectListInputSchema, { user }: { user: User }) {
+    return this.repository.connect.list({ userId: user.id, ...input });
+  }
+
+  async delete({ id }: ConnectDeleteInputSchema, { user }: { user: User }) {
+    const connection = await this.repository.connect.findById(id);
+    if (connection.isOk()) {
+      if (connection.value?.userId !== user.id) {
+        return this.error("FORBIDDEN", "Not your connection");
+      }
+      return this.repository.connect.deleteById(id);
+    }
+    return err(connection.error);
+  }
+}

package/src/modules/connect/connect.trpc.ts

@@ -0,0 +1,26 @@
+import { handleTRPCResult, procedure, router } from "#trpc";
+import {
+  connectDeleteInputSchema,
+  connectDeleteOutputSchema,
+  connectListInputSchema,
+  connectListOutputSchema,
+} from "./connect.dto";
+import type { ConnectService } from "./connect.service";
+
+export function createConnectTRPC(connectService: ConnectService) {
+  return router({
+    list: procedure
+      .input(connectListInputSchema)
+      .output(connectListOutputSchema)
+      .query(async ({ ctx, input }) => {
+        return handleTRPCResult(await connectService.list(input, ctx));
+      }),
+
+    delete: procedure
+      .input(connectDeleteInputSchema)
+      .output(connectDeleteOutputSchema)
+      .mutation(async ({ ctx, input }) => {
+        return handleTRPCResult(await connectService.delete(input, ctx));
+      }),
+  });
+}

package/src/modules/connect/connect.types.ts

@@ -0,0 +1,27 @@
+export interface ConnectProvider {
+  id: string;
+  clientId: string;
+  clientSecret: string;
+  redirectUri: string;
+  scopes: string[];
+  issuerConfig?: {
+    issuer: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    userinfo_endpoint?: string;
+  };
+  issuerUrl?: string; // For auto-discovery
+  supportsPKCE?: boolean; // Whether provider supports PKCE (default: true)
+  mapProfile: (accessToken: string) => Promise<ConnectProfile>;
+}
+
+export interface ConnectProfile {
+  providerAccountId: string;
+  displayName?: string;
+  avatarUrl?: string;
+  handle?: string;
+  accountType: "user" | "page" | "org" | "channel";
+  parentId?: string;
+  metadata?: Record<string, unknown>;
+}
+

package/src/modules/crypto/crypto.db.ts

@@ -0,0 +1,15 @@
+import { integer, real, sqliteTable as table, text } from "drizzle-orm/sqlite-core";
+import { v4 as uuidv4 } from "uuid";
+
+export const cryptoPayments = table("crypto_payments", {
+  id: text("id").primaryKey().$default(uuidv4),
+  createdAt: integer("created_at", { mode: "timestamp" })
+    .notNull()
+    .$default(() => new Date()),
+  updatedAt: integer("updated_at", { mode: "timestamp" }),
+  address: text("address").notNull(),
+  referenceId: text("reference_id").notNull(),
+  status: text("status").notNull().default("pending"),
+  derivationIndex: integer("derivation_index").notNull(),
+  amountExpected: real("amount_expected").notNull(),
+});

package/src/modules/crypto/crypto.repository.ts

@@ -0,0 +1,13 @@
+import type { LibSQLDatabase } from "drizzle-orm/libsql";
+import { BaseTableRepository } from "#modules/base/base.repository";
+import * as crypto from "#modules/crypto/crypto.db";
+
+const schema = { ...crypto };
+type Schema = typeof schema;
+
+export class CryptoRepository extends BaseTableRepository<
+  LibSQLDatabase<Schema>,
+  Schema,
+  Record<string, never>,
+  Schema["cryptoPayments"]
+> {}