@m5kdev/backend 0.1.1 → 0.1.3

package/dist/src/modules/billing/billing.router.js

@@ -0,0 +1,56 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createBillingRouter = createBillingRouter;
+const tslib_1 = require("tslib");
+const body_parser_1 = tslib_1.__importDefault(require("body-parser"));
+const express_1 = require("express");
+function createBillingRouter(authMiddleware, service) {
+    const billingRouter = (0, express_1.Router)();
+    billingRouter.get("/checkout/:priceId", authMiddleware, async (req, res) => {
+        const user = req.user;
+        const session = await service.createCheckoutSession({ priceId: req.params.priceId }, { user });
+        if (session.isErr()) {
+            return res.status(500).json({ message: session.error.message });
+        }
+        if (!session.value.url) {
+            return res.status(500).json({ message: "Failed to create checkout session" });
+        }
+        return res.redirect(session.value.url);
+    });
+    billingRouter.get("/portal", authMiddleware, async (req, res) => {
+        const user = req.user;
+        const session = await service.createBillingPortalSession({ user });
+        if (session.isErr()) {
+            return res.status(500).json({ message: session.error.message });
+        }
+        return res.redirect(session.value.url);
+    });
+    billingRouter.get("/success", authMiddleware, async (req, res) => {
+        const user = req.user;
+        if (!user.stripeCustomerId) {
+            return res.redirect(`${process.env.VITE_APP_URL}/billing`);
+        }
+        const result = await service.syncStripeData(user.stripeCustomerId);
+        if (result.isErr()) {
+            return res.redirect(`${process.env.VITE_APP_URL}/billing?error=SYNC_FAILED`);
+        }
+        return res.redirect(`${process.env.VITE_APP_URL}/billing`);
+    });
+    billingRouter.post("/webhook", body_parser_1.default.raw({ type: "application/json" }), async (req, res) => {
+        const signature = req.headers["stripe-signature"];
+        if (!signature)
+            return res.status(400).json({ message: "No signature" });
+        if (typeof signature !== "string")
+            return res.status(500).json({ message: "Signature is not a string" });
+        const event = service.constructEvent(req.body, signature);
+        if (event.isErr()) {
+            return res.status(500).json({ message: event.error.message });
+        }
+        const result = await service.processEvent(event.value);
+        if (result.isErr()) {
+            return res.status(500).json({ message: result.error.message });
+        }
+        return res.status(200).json({ received: true });
+    });
+    return billingRouter;
+}

package/dist/src/modules/billing/billing.service.js

@@ -0,0 +1,147 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BillingService = void 0;
+const neverthrow_1 = require("neverthrow");
+const base_service_1 = require("#modules/base/base.service");
+const posthog_1 = require("#utils/posthog");
+const allowedEvents = [
+    "checkout.session.completed",
+    "customer.subscription.created",
+    "customer.subscription.updated",
+    "customer.subscription.deleted",
+    "customer.subscription.paused",
+    "customer.subscription.resumed",
+    "customer.subscription.pending_update_applied",
+    "customer.subscription.pending_update_expired",
+    "customer.subscription.trial_will_end",
+    "invoice.paid",
+    "invoice.payment_failed",
+    "invoice.payment_action_required",
+    "invoice.upcoming",
+    "invoice.marked_uncollectible",
+    "invoice.payment_succeeded",
+    "payment_intent.succeeded",
+    "payment_intent.payment_failed",
+    "payment_intent.canceled",
+];
+class BillingService extends base_service_1.BaseService {
+    async createUserCustomer({ user, }) {
+        let stripeCustomer = null;
+        const existingCustomer = await this.repository.billing.getCustomerByEmail(user.email);
+        if (existingCustomer.isErr())
+            return (0, neverthrow_1.err)(existingCustomer.error);
+        stripeCustomer = existingCustomer.value;
+        if (!stripeCustomer) {
+            const newCustomer = await this.repository.billing.createCustomer({
+                email: user.email,
+                name: user.name,
+                userId: user.id,
+            });
+            if (newCustomer.isErr())
+                return (0, neverthrow_1.err)(newCustomer.error);
+            stripeCustomer = newCustomer.value;
+        }
+        if (!stripeCustomer)
+            return this.error("INTERNAL_SERVER_ERROR", "Failed to create or get stripe customer");
+        const updatedUser = await this.repository.billing.updateUserCustomerId({
+            userId: user.id,
+            customerId: stripeCustomer.id,
+        });
+        if (updatedUser.isErr())
+            return (0, neverthrow_1.err)(updatedUser.error);
+        return (0, neverthrow_1.ok)(stripeCustomer);
+    }
+    async createUserHook({ user, }) {
+        const stripeCustomer = await this.createUserCustomer({ user });
+        if (stripeCustomer.isErr())
+            return (0, neverthrow_1.err)(stripeCustomer.error);
+        if (this.repository.billing.hasTrial()) {
+            const existingSubscription = await this.repository.billing.getLatestSubscription(user.id);
+            if (existingSubscription.isErr())
+                return (0, neverthrow_1.err)(existingSubscription.error);
+            if (!existingSubscription.value) {
+                const subscription = await this.repository.billing.createTrialSubscription(stripeCustomer.value.id);
+                if (subscription.isErr())
+                    return (0, neverthrow_1.err)(subscription.error);
+            }
+            const syncResult = await this.syncStripeData(stripeCustomer.value.id);
+            if (syncResult.isErr())
+                return (0, neverthrow_1.err)(syncResult.error);
+            if (syncResult.value === false)
+                return this.error("INTERNAL_SERVER_ERROR", "Sync did not create new subscription");
+        }
+        return (0, neverthrow_1.ok)(true);
+    }
+    async getActiveSubscription({ user }) {
+        return this.repository.billing.getActiveSubscription(user.id);
+    }
+    async listInvoices({ user }) {
+        if (!user.stripeCustomerId)
+            return this.error("NOT_FOUND", "User has no stripe customer id");
+        return this.repository.billing.listInvoices(user.stripeCustomerId);
+    }
+    async createCheckoutSession({ priceId }, { user }) {
+        let stripeCustomerId = user.stripeCustomerId;
+        if (!stripeCustomerId) {
+            const stripeCustomer = await this.createUserCustomer({ user });
+            if (stripeCustomer.isErr())
+                return (0, neverthrow_1.err)(stripeCustomer.error);
+            stripeCustomerId = stripeCustomer.value.id;
+        }
+        return this.repository.billing.createCheckoutSession({
+            customerId: stripeCustomerId,
+            priceId,
+            userId: user.id,
+        });
+    }
+    async createBillingPortalSession({ user, }) {
+        let stripeCustomerId = user.stripeCustomerId;
+        if (!stripeCustomerId) {
+            const stripeCustomer = await this.createUserCustomer({ user });
+            if (stripeCustomer.isErr())
+                return (0, neverthrow_1.err)(stripeCustomer.error);
+            stripeCustomerId = stripeCustomer.value.id;
+        }
+        return this.repository.billing.createBillingPortalSession(stripeCustomerId);
+    }
+    constructEvent(body, signature) {
+        if (!process.env.STRIPE_WEBHOOK_SECRET)
+            return this.error("INTERNAL_SERVER_ERROR", "Stripe webhook secret is not set");
+        return this.repository.billing.constructEvent(body, signature, process.env.STRIPE_WEBHOOK_SECRET);
+    }
+    async syncStripeData(customerId, eventType) {
+        const user = await this.repository.billing.getUserByCustomerId(customerId);
+        if (user.isErr())
+            return (0, neverthrow_1.err)(user.error);
+        if (!user.value)
+            return this.error("NOT_FOUND", "User not found");
+        if (eventType) {
+            (0, posthog_1.posthogCapture)({
+                distinctId: user.value.id,
+                event: `stripe.${eventType}`,
+                properties: {
+                    customerId,
+                },
+            });
+        }
+        return this.repository.billing.syncStripeData({ customerId, userId: user.value.id });
+    }
+    async processEvent(event) {
+        return this.throwableAsync(async () => {
+            // Skip processing if the event isn't one I'm tracking (list of all events below)
+            if (!allowedEvents.includes(event.type))
+                return (0, neverthrow_1.ok)(false);
+            // All the events I track have a customerId
+            const { customer: customerId } = event?.data?.object;
+            // This helps make it typesafe and also lets me know if my assumption is wrong
+            if (typeof customerId !== "string") {
+                return this.error("INTERNAL_SERVER_ERROR", `[STRIPE HOOK] Unexpected event structure: customer ID is not a string. Event type: ${event.type}`);
+            }
+            const result = await this.syncStripeData(customerId, event.type);
+            if (result.isErr())
+                return (0, neverthrow_1.err)(result.error);
+            return (0, neverthrow_1.ok)(true);
+        });
+    }
+}
+exports.BillingService = BillingService;

package/dist/src/modules/billing/billing.trpc.d.ts

@@ -4,9 +4,9 @@ export declare function createBillingTRPC(billingService: BillingService): impor
         session: {
             id: string;
             userId: string;
-            expiresAt: Date;
-            createdAt: Date;
             updatedAt: Date;
+            createdAt: Date;
+            expiresAt: Date;
             token: string;
             ipAddress: string | null;
             userAgent: string | null;
@@ -18,13 +18,12 @@ export declare function createBillingTRPC(billingService: BillingService): impor
         };
         user: {
             name: string;
-            image: string | null;
             id: string;
-            createdAt: Date;
             updatedAt: Date;
             email: string;
-            metadata: Record<string, unknown>;
             emailVerified: boolean;
+            image: string | null;
+            createdAt: Date;
             role: string | null;
             banned: boolean | null;
             banReason: string | null;
@@ -34,6 +33,7 @@ export declare function createBillingTRPC(billingService: BillingService): impor
             paymentPlanTier: string | null;
             paymentPlanExpiresAt: Date | null;
             preferences: string | null;
+            metadata: Record<string, unknown>;
             onboarding: number | null;
             flags: string | null;
         };

package/dist/src/modules/billing/billing.trpc.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createBillingTRPC = createBillingTRPC;
+const billing_schema_1 = require("@m5kdev/commons/modules/billing/billing.schema");
+const _trpc_1 = require("#trpc");
+function createBillingTRPC(billingService) {
+    return (0, _trpc_1.router)({
+        getActiveSubscription: _trpc_1.procedure
+            .output(billing_schema_1.billingSchema.nullable())
+            .query(async ({ ctx: { user } }) => {
+            return (0, _trpc_1.handleTRPCResult)(await billingService.getActiveSubscription({ user }));
+        }),
+        listInvoices: _trpc_1.procedure.query(async ({ ctx: { user } }) => {
+            return (0, _trpc_1.handleTRPCResult)(await billingService.listInvoices({ user }));
+        }),
+    });
+}

package/dist/src/modules/clay/clay.repository.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ClayRepository = void 0;
+const neverthrow_1 = require("neverthrow");
+const base_repository_1 = require("#modules/base/base.repository");
+const { CLAY_WEBHOOK_AUTH_TOKEN } = process.env;
+class ClayRepository extends base_repository_1.BaseExternaRepository {
+    async sendToWebhook(webhookUrl, row, callbackUrl) {
+        return this.throwableAsync(async () => {
+            const response = await fetch(webhookUrl, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                    ...(CLAY_WEBHOOK_AUTH_TOKEN ? { "x-clay-webhook-auth": CLAY_WEBHOOK_AUTH_TOKEN } : {}),
+                },
+                body: JSON.stringify({ ...row, callback: callbackUrl }),
+            });
+            if (!response.ok)
+                return this.error("BAD_REQUEST", `HTTP error! status: ${response.status}`, {
+                    cause: response,
+                });
+            return (0, neverthrow_1.ok)();
+        });
+    }
+}
+exports.ClayRepository = ClayRepository;

package/dist/src/modules/clay/clay.service.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ClayService = void 0;
+const base_service_1 = require("#modules/base/base.service");
+class ClayService extends base_service_1.BaseService {
+    tables;
+    constructor(repositories, services, tables) {
+        super(repositories, services);
+        this.tables = tables;
+    }
+    async waitForResponse(webhookUrl, row, timeoutInSeconds) {
+        return await this.service.webhook.waitForRequest((url) => {
+            return this.repository.clay.sendToWebhook(webhookUrl, row, url);
+        }, timeoutInSeconds);
+    }
+    async sendToTable(table, row, timeoutInSeconds) {
+        const tableData = this.tables[table];
+        if (!tableData)
+            return this.error("NOT_FOUND", `Table ${table} not found`);
+        const response = await this.waitForResponse(tableData.webhookUrl, row, tableData.timeoutInSeconds || timeoutInSeconds);
+        return response;
+    }
+}
+exports.ClayService = ClayService;

package/dist/src/modules/connect/connect.db.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.connect = void 0;
+const sqlite_core_1 = require("drizzle-orm/sqlite-core");
+const uuid_1 = require("uuid");
+exports.connect = (0, sqlite_core_1.sqliteTable)("connect", {
+    id: (0, sqlite_core_1.text)("id").primaryKey().$default(uuid_1.v4),
+    userId: (0, sqlite_core_1.text)("user_id").notNull(), // FK -> users.id
+    provider: (0, sqlite_core_1.text)("provider").notNull(), // e.g. "linkedin"
+    accountType: (0, sqlite_core_1.text)("account_type").notNull(), // "user" | "page" | "org" | "channel"
+    providerAccountId: (0, sqlite_core_1.text)("provider_account_id").notNull(), // e.g. LinkedIn URN, FB Page ID, IG business acct ID, X user ID
+    handle: (0, sqlite_core_1.text)("handle"), // @name or page slug
+    displayName: (0, sqlite_core_1.text)("display_name"),
+    avatarUrl: (0, sqlite_core_1.text)("avatar_url"),
+    // OAuth credentials (ENCRYPTED)
+    accessToken: (0, sqlite_core_1.text)("access_token").notNull(),
+    refreshToken: (0, sqlite_core_1.text)("refresh_token"), // may be null if provider doesn’t issue refresh tokens
+    tokenType: (0, sqlite_core_1.text)("token_type"), // e.g. "bearer"
+    scope: (0, sqlite_core_1.text)("scope"), // space- or comma-separated list, for auditing
+    expiresAt: (0, sqlite_core_1.integer)("expires_at", { mode: "timestamp" }), // epoch seconds
+    // Provider-specific glue
+    parentId: (0, sqlite_core_1.text)("parent_id"), // e.g. FB Page’s connected IG business account, or org URN
+    metadataJson: (0, sqlite_core_1.text)("metadata_json", { mode: "json" }), // JSON string for extras (region, perms, etc.)
+    revokedAt: (0, sqlite_core_1.integer)("revoked_at", { mode: "timestamp" }),
+    lastRefreshedAt: (0, sqlite_core_1.integer)("last_refreshed_at", { mode: "timestamp" }),
+    createdAt: (0, sqlite_core_1.integer)("created_at", { mode: "timestamp" })
+        .notNull()
+        .$default(() => new Date()),
+    updatedAt: (0, sqlite_core_1.integer)("updated_at", { mode: "timestamp" }),
+});

package/dist/src/modules/connect/connect.dto.js

@@ -0,0 +1,36 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.connectDeleteOutputSchema = exports.connectDeleteInputSchema = exports.connectListOutputSchema = exports.connectListInputSchema = exports.connectSelectOutputSchema = exports.connectSelectSchema = void 0;
+const zod_1 = require("zod");
+exports.connectSelectSchema = zod_1.z.object({
+    id: zod_1.z.string(),
+    userId: zod_1.z.string(),
+    provider: zod_1.z.string(),
+    accountType: zod_1.z.string(),
+    providerAccountId: zod_1.z.string(),
+    handle: zod_1.z.string().nullish(),
+    displayName: zod_1.z.string().nullish(),
+    avatarUrl: zod_1.z.string().nullish(),
+    accessToken: zod_1.z.string(),
+    refreshToken: zod_1.z.string().nullish(),
+    tokenType: zod_1.z.string().nullish(),
+    scope: zod_1.z.string().nullish(),
+    expiresAt: zod_1.z.date().nullish(),
+    parentId: zod_1.z.string().nullish(),
+    metadataJson: zod_1.z.unknown().nullish(),
+    revokedAt: zod_1.z.date().nullish(),
+    lastRefreshedAt: zod_1.z.date().nullish(),
+    createdAt: zod_1.z.date(),
+    updatedAt: zod_1.z.date().nullish(),
+});
+exports.connectSelectOutputSchema = exports.connectSelectSchema.omit({
+    accessToken: true,
+    refreshToken: true,
+});
+exports.connectListInputSchema = zod_1.z.object({
+    providers: zod_1.z.array(zod_1.z.string()).optional(),
+    inactive: zod_1.z.boolean().optional(),
+});
+exports.connectListOutputSchema = zod_1.z.array(exports.connectSelectOutputSchema);
+exports.connectDeleteInputSchema = zod_1.z.object({ id: zod_1.z.string() });
+exports.connectDeleteOutputSchema = zod_1.z.object({ id: zod_1.z.string() });

package/dist/src/modules/connect/connect.linkedin.js

@@ -0,0 +1,53 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createLinkedInProvider = createLinkedInProvider;
+function createLinkedInProvider() {
+    const clientId = process.env.LINKEDIN_CLIENT_ID;
+    const clientSecret = process.env.LINKEDIN_CLIENT_SECRET;
+    const baseUrl = process.env.VITE_SERVER_URL;
+    if (!clientId || !clientSecret || !baseUrl) {
+        throw new Error("Missing required LinkedIn OAuth environment variables: LINKEDIN_CLIENT_ID, LINKEDIN_CLIENT_SECRET, VITE_SERVER_URL");
+    }
+    return {
+        id: "linkedin",
+        clientId,
+        clientSecret,
+        redirectUri: `${baseUrl}/connect/linkedin/callback`,
+        // LinkedIn OpenID Connect scopes
+        scopes: ["openid", "profile", "w_member_social"],
+        // LinkedIn doesn't support PKCE - disable it
+        supportsPKCE: false,
+        // LinkedIn OpenID Connect endpoints
+        issuerConfig: {
+            issuer: "https://www.linkedin.com",
+            authorization_endpoint: "https://www.linkedin.com/oauth/v2/authorization",
+            token_endpoint: "https://www.linkedin.com/oauth/v2/accessToken",
+            userinfo_endpoint: "https://api.linkedin.com/v2/userinfo",
+        },
+        async mapProfile(accessToken) {
+            // Use OpenID Connect userinfo endpoint
+            const response = await fetch("https://api.linkedin.com/v2/userinfo", {
+                headers: {
+                    Authorization: `Bearer ${accessToken}`,
+                },
+            });
+            if (!response.ok) {
+                throw new Error(`LinkedIn API error: ${response.status} ${response.statusText}`);
+            }
+            const data = (await response.json());
+            return {
+                providerAccountId: data.sub,
+                displayName: data.name,
+                avatarUrl: data.picture,
+                accountType: "user",
+                metadata: {
+                    givenName: data.given_name,
+                    familyName: data.family_name,
+                    locale: data.locale,
+                    email: data.email,
+                    emailVerified: data.email_verified,
+                },
+            };
+        },
+    };
+}

package/dist/src/modules/connect/connect.oauth.js

@@ -0,0 +1,198 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateOAuthState = generateOAuthState;
+exports.getOAuthState = getOAuthState;
+exports.createConfiguration = createConfiguration;
+exports.buildAuthorizationUrl = buildAuthorizationUrl;
+exports.exchangeCodeForTokens = exchangeCodeForTokens;
+exports.refreshAccessToken = refreshAccessToken;
+const tslib_1 = require("tslib");
+const client = tslib_1.__importStar(require("openid-client"));
+const logger_1 = require("#utils/logger");
+// In-memory store for OAuth state (keyed by sessionId + provider)
+// In production, consider using Redis with TTL
+const oauthStateStore = new Map();
+const STATE_TTL_MS = 10 * 60 * 1000; // 10 minutes
+function getStateKey(sessionId, provider) {
+    return `${sessionId}:${provider}`;
+}
+async function generateOAuthState(sessionId, provider) {
+    const state = client.randomState();
+    const codeVerifier = client.randomPKCECodeVerifier();
+    const codeChallenge = await client.calculatePKCECodeChallenge(codeVerifier);
+    const oauthState = {
+        state,
+        codeVerifier,
+        codeChallenge,
+        sessionId,
+        provider,
+    };
+    const key = getStateKey(sessionId, provider);
+    oauthStateStore.set(key, oauthState);
+    // Clean up after TTL
+    setTimeout(() => {
+        oauthStateStore.delete(key);
+    }, STATE_TTL_MS);
+    return oauthState;
+}
+function getOAuthState(sessionId, provider, state) {
+    const key = getStateKey(sessionId, provider);
+    const stored = oauthStateStore.get(key);
+    if (!stored || stored.state !== state) {
+        return null;
+    }
+    // Clean up after use
+    oauthStateStore.delete(key);
+    return stored;
+}
+async function createConfiguration(provider) {
+    // LinkedIn uses client_secret_post (form-encoded body parameters)
+    // The library's ClientSecretPost handles this correctly
+    const clientAuth = provider.clientSecret
+        ? client.ClientSecretPost(provider.clientSecret)
+        : client.None();
+    if (provider.issuerConfig) {
+        // Use manual issuer config (e.g., LinkedIn) - create Configuration directly
+        // LinkedIn doesn't support OpenID Connect discovery
+        const serverMetadata = {
+            issuer: provider.issuerConfig.issuer,
+            authorization_endpoint: provider.issuerConfig.authorization_endpoint,
+            token_endpoint: provider.issuerConfig.token_endpoint,
+            ...(provider.issuerConfig.userinfo_endpoint && {
+                userinfo_endpoint: provider.issuerConfig.userinfo_endpoint,
+            }),
+            // LinkedIn JWKS URI for ID token signature verification
+            ...(provider.id === "linkedin" && {
+                jwks_uri: "https://www.linkedin.com/oauth/openid/jwks",
+            }),
+        };
+        const clientMetadata = {
+            client_id: provider.clientId,
+            ...(provider.clientSecret && { client_secret: provider.clientSecret }),
+            redirect_uris: [provider.redirectUri],
+        };
+        return new client.Configuration(serverMetadata, provider.clientId, clientMetadata, clientAuth);
+    }
+    // Auto-discovery from well-known endpoint
+    if (!provider.issuerUrl) {
+        throw new Error("Provider must have either issuerConfig or issuerUrl");
+    }
+    const serverUrl = new URL(provider.issuerUrl);
+    return await client.discovery(serverUrl, provider.clientId, undefined, clientAuth);
+}
+async function buildAuthorizationUrl(provider, state) {
+    const config = await createConfiguration(provider);
+    const parameters = {
+        scope: provider.scopes.join(" "),
+        state: state.state,
+        redirect_uri: provider.redirectUri,
+    };
+    // Add PKCE parameters only if provider supports it
+    if (provider.supportsPKCE !== false) {
+        parameters.code_challenge = state.codeChallenge;
+        parameters.code_challenge_method = "S256";
+    }
+    const url = client.buildAuthorizationUrl(config, parameters);
+    return url.toString();
+}
+async function exchangeCodeForTokens(provider, code, codeVerifier, redirectUri, state) {
+    const logger = logger_1.logger.child({ layer: "exchangeCodeForTokens" });
+    try {
+        // LinkedIn-specific workaround: Manual token exchange to bypass ID token validation
+        // LinkedIn's OpenID Connect ID token has non-standard claim format
+        if (provider.id === "linkedin" && provider.issuerConfig) {
+            const tokenEndpoint = provider.issuerConfig.token_endpoint;
+            const body = new URLSearchParams({
+                grant_type: "authorization_code",
+                code,
+                redirect_uri: provider.redirectUri,
+                client_id: provider.clientId,
+                client_secret: provider.clientSecret,
+            });
+            const response = await fetch(tokenEndpoint, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/x-www-form-urlencoded",
+                },
+                body: body.toString(),
+            });
+            if (!response.ok) {
+                const errorData = await response.json().catch(() => ({}));
+                throw new Error(`LinkedIn token exchange failed: ${response.status} ${response.statusText} - ${JSON.stringify(errorData)}`);
+            }
+            const tokenData = (await response.json());
+            return {
+                accessToken: tokenData.access_token,
+                refreshToken: tokenData.refresh_token,
+                tokenType: tokenData.token_type || "bearer",
+                expiresAt: tokenData.expires_in
+                    ? new Date(Date.now() + tokenData.expires_in * 1000)
+                    : undefined,
+                scope: tokenData.scope,
+            };
+        }
+        // Standard flow for other providers
+        const config = await createConfiguration(provider);
+        const currentUrl = new URL(redirectUri);
+        currentUrl.searchParams.set("code", code);
+        currentUrl.searchParams.set("state", state);
+        const checks = {
+            expectedState: state,
+        };
+        // Only include PKCE verifier if provider supports it
+        if (provider.supportsPKCE !== false) {
+            checks.pkceCodeVerifier = codeVerifier;
+        }
+        const tokenSet = await client.authorizationCodeGrant(config, currentUrl, checks);
+        return {
+            accessToken: tokenSet.access_token,
+            refreshToken: tokenSet.refresh_token,
+            tokenType: tokenSet.token_type,
+            expiresAt: tokenSet.expires_in
+                ? new Date(Date.now() + tokenSet.expires_in * 1000)
+                : undefined,
+            scope: tokenSet.scope,
+        };
+    }
+    catch (error) {
+        // Enhanced error logging for OAuth issues
+        logger.error("Token exchange error", { error, provider: provider.id });
+        if (error instanceof Error) {
+            const errorMessage = error.message || "Unknown error";
+            // Check if this is an ID token validation error for LinkedIn
+            // LinkedIn's ID token may have non-standard claim format, but we can still use the access token
+            if (provider.id === "linkedin" &&
+                errorMessage.includes("JWT claim") &&
+                error.code === "OAUTH_JWT_CLAIM_COMPARISON_FAILED") {
+                // Try to extract access token from the error response if available
+                // This is a workaround for LinkedIn's ID token validation issues
+                logger.warn("LinkedIn ID token validation failed, but token exchange may have succeeded. Check if access token is available.", { error: errorMessage });
+                // Re-throw for now - we need the access token to continue
+                // In a production scenario, you might want to manually parse the token response
+                throw new Error(`LinkedIn ID token validation failed: ${errorMessage}. This is a known issue with LinkedIn's OpenID Connect implementation.`);
+            }
+            // ResponseBodyError from oauth4webapi has a 'cause' property with the error details
+            const responseBodyError = error;
+            const errorDetails = responseBodyError.cause;
+            // Extract error and error_description from LinkedIn's response
+            const linkedInError = errorDetails?.error;
+            const linkedInErrorDescription = errorDetails?.error_description;
+            const fullErrorMessage = linkedInError
+                ? `LinkedIn OAuth error: ${linkedInError}${linkedInErrorDescription ? ` - ${linkedInErrorDescription}` : ""}`
+                : `Token exchange failed: ${errorMessage}${errorDetails ? ` - Details: ${JSON.stringify(errorDetails)}` : ""}`;
+            throw new Error(fullErrorMessage);
+        }
+        throw error;
+    }
+}
+async function refreshAccessToken(provider, refreshToken) {
+    const config = await createConfiguration(provider);
+    const tokenSet = await client.refreshTokenGrant(config, refreshToken);
+    return {
+        accessToken: tokenSet.access_token,
+        refreshToken: tokenSet.refresh_token || refreshToken,
+        tokenType: tokenSet.token_type,
+        expiresAt: tokenSet.expires_in ? new Date(Date.now() + tokenSet.expires_in * 1000) : undefined,
+        scope: tokenSet.scope,
+    };
+}

package/dist/src/modules/connect/connect.repository.d.ts

@@ -391,23 +391,23 @@ export declare class ConnectRepository extends BaseTableRepository<Orm, Schema,
     upsert(data: ConnectInsert, tx?: Orm): Promise<import("../base/base.dto").ServerResult<{
         id: string;
         userId: string;
+        updatedAt: Date | null;
+        createdAt: Date;
+        expiresAt: Date | null;
+        accessToken: string;
+        refreshToken: string | null;
+        scope: string | null;
         provider: string;
+        parentId: string | null;
         accountType: string;
         providerAccountId: string;
         handle: string | null;
         displayName: string | null;
         avatarUrl: string | null;
-        accessToken: string;
-        refreshToken: string | null;
         tokenType: string | null;
-        scope: string | null;
-        expiresAt: Date | null;
-        parentId: string | null;
         metadataJson: unknown;
         revokedAt: Date | null;
         lastRefreshedAt: Date | null;
-        createdAt: Date;
-        updatedAt: Date | null;
     }>>;
 }
 export {};