@m5kdev/backend 0.1.4 → 0.2.0

package/src/modules/connect/connect.oauth.ts

@@ -1,288 +0,0 @@
-import * as client from "openid-client";
-import { logger as rootLogger } from "#utils/logger";
-import type { ConnectProvider } from "./connect.types";
-
-export interface OAuthState {
-  state: string;
-  codeVerifier: string;
-  codeChallenge: string;
-  sessionId: string;
-  provider: string;
-}
-
-// In-memory store for OAuth state (keyed by sessionId + provider)
-// In production, consider using Redis with TTL
-const oauthStateStore = new Map<string, OAuthState>();
-
-const STATE_TTL_MS = 10 * 60 * 1000; // 10 minutes
-
-function getStateKey(sessionId: string, provider: string): string {
-  return `${sessionId}:${provider}`;
-}
-
-export async function generateOAuthState(sessionId: string, provider: string): Promise<OAuthState> {
-  const state = client.randomState();
-  const codeVerifier = client.randomPKCECodeVerifier();
-  const codeChallenge = await client.calculatePKCECodeChallenge(codeVerifier);
-
-  const oauthState: OAuthState = {
-    state,
-    codeVerifier,
-    codeChallenge,
-    sessionId,
-    provider,
-  };
-
-  const key = getStateKey(sessionId, provider);
-  oauthStateStore.set(key, oauthState);
-
-  // Clean up after TTL
-  setTimeout(() => {
-    oauthStateStore.delete(key);
-  }, STATE_TTL_MS);
-
-  return oauthState;
-}
-
-export function getOAuthState(
-  sessionId: string,
-  provider: string,
-  state: string
-): OAuthState | null {
-  const key = getStateKey(sessionId, provider);
-  const stored = oauthStateStore.get(key);
-
-  if (!stored || stored.state !== state) {
-    return null;
-  }
-
-  // Clean up after use
-  oauthStateStore.delete(key);
-  return stored;
-}
-
-export async function createConfiguration(
-  provider: ConnectProvider
-): Promise<client.Configuration> {
-  // LinkedIn uses client_secret_post (form-encoded body parameters)
-  // The library's ClientSecretPost handles this correctly
-  const clientAuth = provider.clientSecret
-    ? client.ClientSecretPost(provider.clientSecret)
-    : client.None();
-
-  if (provider.issuerConfig) {
-    // Use manual issuer config (e.g., LinkedIn) - create Configuration directly
-    // LinkedIn doesn't support OpenID Connect discovery
-    const serverMetadata: client.ServerMetadata = {
-      issuer: provider.issuerConfig.issuer,
-      authorization_endpoint: provider.issuerConfig.authorization_endpoint,
-      token_endpoint: provider.issuerConfig.token_endpoint,
-      ...(provider.issuerConfig.userinfo_endpoint && {
-        userinfo_endpoint: provider.issuerConfig.userinfo_endpoint,
-      }),
-      // LinkedIn JWKS URI for ID token signature verification
-      ...(provider.id === "linkedin" && {
-        jwks_uri: "https://www.linkedin.com/oauth/openid/jwks",
-      }),
-    };
-
-    const clientMetadata: Partial<client.ClientMetadata> = {
-      client_id: provider.clientId,
-      ...(provider.clientSecret && { client_secret: provider.clientSecret }),
-      redirect_uris: [provider.redirectUri],
-    };
-
-    return new client.Configuration(serverMetadata, provider.clientId, clientMetadata, clientAuth);
-  }
-
-  // Auto-discovery from well-known endpoint
-  if (!provider.issuerUrl) {
-    throw new Error("Provider must have either issuerConfig or issuerUrl");
-  }
-
-  const serverUrl = new URL(provider.issuerUrl);
-  return await client.discovery(serverUrl, provider.clientId, undefined, clientAuth);
-}
-
-export async function buildAuthorizationUrl(
-  provider: ConnectProvider,
-  state: OAuthState
-): Promise<string> {
-  const config = await createConfiguration(provider);
-
-  const parameters: Record<string, string> = {
-    scope: provider.scopes.join(" "),
-    state: state.state,
-    redirect_uri: provider.redirectUri,
-  };
-
-  // Add PKCE parameters only if provider supports it
-  if (provider.supportsPKCE !== false) {
-    parameters.code_challenge = state.codeChallenge;
-    parameters.code_challenge_method = "S256";
-  }
-
-  const url = client.buildAuthorizationUrl(config, parameters);
-  return url.toString();
-}
-
-export async function exchangeCodeForTokens(
-  provider: ConnectProvider,
-  code: string,
-  codeVerifier: string,
-  redirectUri: string,
-  state: string
-): Promise<{
-  accessToken: string;
-  refreshToken?: string;
-  tokenType?: string;
-  expiresAt?: Date;
-  scope?: string;
-}> {
-  const logger = rootLogger.child({ layer: "exchangeCodeForTokens" });
-
-  try {
-    // LinkedIn-specific workaround: Manual token exchange to bypass ID token validation
-    // LinkedIn's OpenID Connect ID token has non-standard claim format
-    if (provider.id === "linkedin" && provider.issuerConfig) {
-      const tokenEndpoint = provider.issuerConfig.token_endpoint;
-      const body = new URLSearchParams({
-        grant_type: "authorization_code",
-        code,
-        redirect_uri: provider.redirectUri,
-        client_id: provider.clientId,
-        client_secret: provider.clientSecret,
-      });
-
-      const response = await fetch(tokenEndpoint, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/x-www-form-urlencoded",
-        },
-        body: body.toString(),
-      });
-
-      if (!response.ok) {
-        const errorData = await response.json().catch(() => ({}));
-        throw new Error(
-          `LinkedIn token exchange failed: ${response.status} ${response.statusText} - ${JSON.stringify(errorData)}`
-        );
-      }
-
-      const tokenData = (await response.json()) as {
-        access_token: string;
-        refresh_token?: string;
-        token_type?: string;
-        expires_in?: number;
-        scope?: string;
-      };
-
-      return {
-        accessToken: tokenData.access_token,
-        refreshToken: tokenData.refresh_token,
-        tokenType: tokenData.token_type || "bearer",
-        expiresAt: tokenData.expires_in
-          ? new Date(Date.now() + tokenData.expires_in * 1000)
-          : undefined,
-        scope: tokenData.scope,
-      };
-    }
-
-    // Standard flow for other providers
-    const config = await createConfiguration(provider);
-    const currentUrl = new URL(redirectUri);
-    currentUrl.searchParams.set("code", code);
-    currentUrl.searchParams.set("state", state);
-
-    const checks: {
-      pkceCodeVerifier?: string;
-      expectedState: string;
-    } = {
-      expectedState: state,
-    };
-
-    // Only include PKCE verifier if provider supports it
-    if (provider.supportsPKCE !== false) {
-      checks.pkceCodeVerifier = codeVerifier;
-    }
-
-    const tokenSet = await client.authorizationCodeGrant(config, currentUrl, checks);
-
-    return {
-      accessToken: tokenSet.access_token,
-      refreshToken: tokenSet.refresh_token,
-      tokenType: tokenSet.token_type,
-      expiresAt: tokenSet.expires_in
-        ? new Date(Date.now() + tokenSet.expires_in * 1000)
-        : undefined,
-      scope: tokenSet.scope,
-    };
-  } catch (error: unknown) {
-    // Enhanced error logging for OAuth issues
-    logger.error("Token exchange error", { error, provider: provider.id });
-
-    if (error instanceof Error) {
-      const errorMessage = error.message || "Unknown error";
-
-      // Check if this is an ID token validation error for LinkedIn
-      // LinkedIn's ID token may have non-standard claim format, but we can still use the access token
-      if (
-        provider.id === "linkedin" &&
-        errorMessage.includes("JWT claim") &&
-        (error as { code?: string }).code === "OAUTH_JWT_CLAIM_COMPARISON_FAILED"
-      ) {
-        // Try to extract access token from the error response if available
-        // This is a workaround for LinkedIn's ID token validation issues
-        logger.warn(
-          "LinkedIn ID token validation failed, but token exchange may have succeeded. Check if access token is available.",
-          { error: errorMessage }
-        );
-        // Re-throw for now - we need the access token to continue
-        // In a production scenario, you might want to manually parse the token response
-        throw new Error(
-          `LinkedIn ID token validation failed: ${errorMessage}. This is a known issue with LinkedIn's OpenID Connect implementation.`
-        );
-      }
-
-      // ResponseBodyError from oauth4webapi has a 'cause' property with the error details
-      const responseBodyError = error as { cause?: Record<string, unknown> };
-      const errorDetails = responseBodyError.cause;
-
-      // Extract error and error_description from LinkedIn's response
-      const linkedInError = errorDetails?.error as string | undefined;
-      const linkedInErrorDescription = errorDetails?.error_description as string | undefined;
-
-      const fullErrorMessage = linkedInError
-        ? `LinkedIn OAuth error: ${linkedInError}${linkedInErrorDescription ? ` - ${linkedInErrorDescription}` : ""}`
-        : `Token exchange failed: ${errorMessage}${
-            errorDetails ? ` - Details: ${JSON.stringify(errorDetails)}` : ""
-          }`;
-
-      throw new Error(fullErrorMessage);
-    }
-    throw error;
-  }
-}
-
-export async function refreshAccessToken(
-  provider: ConnectProvider,
-  refreshToken: string
-): Promise<{
-  accessToken: string;
-  refreshToken?: string;
-  tokenType?: string;
-  expiresAt?: Date;
-  scope?: string;
-}> {
-  const config = await createConfiguration(provider);
-
-  const tokenSet = await client.refreshTokenGrant(config, refreshToken);
-
-  return {
-    accessToken: tokenSet.access_token,
-    refreshToken: tokenSet.refresh_token || refreshToken,
-    tokenType: tokenSet.token_type,
-    expiresAt: tokenSet.expires_in ? new Date(Date.now() + tokenSet.expires_in * 1000) : undefined,
-    scope: tokenSet.scope,
-  };
-}

package/src/modules/connect/connect.repository.ts

@@ -1,65 +0,0 @@
-import type { InferInsertModel, InferSelectModel } from "drizzle-orm";
-import { and, eq, inArray, isNull } from "drizzle-orm";
-import type { LibSQLDatabase } from "drizzle-orm/libsql";
-import { ok } from "neverthrow";
-import { BaseTableRepository } from "#modules/base/base.repository";
-import * as connect from "#modules/connect/connect.db";
-import type { ConnectListInputSchema } from "#modules/connect/connect.dto";
-
-const schema = { ...connect };
-type Schema = typeof schema;
-type Orm = LibSQLDatabase<Schema>;
-
-export type ConnectRow = InferSelectModel<Schema["connect"]>;
-export type ConnectInsert = InferInsertModel<Schema["connect"]>;
-
-export class ConnectRepository extends BaseTableRepository<Orm, Schema, Record<string, never>, Schema["connect"]> {
-  async list(data: ConnectListInputSchema & { userId: string }, tx?: Orm) {
-    return this.throwableAsync(async () => {
-      const db = tx ?? this.orm;
-      const { ConditionBuilder } = this.helpers;
-      const conditions = new ConditionBuilder();
-      if (data.providers) conditions.push(inArray(this.schema.connect.provider, data.providers));
-      if (data.inactive) conditions.push(isNull(this.schema.connect.revokedAt));
-      conditions.push(eq(this.schema.connect.userId, data.userId));
-      const rows = await db.select().from(this.schema.connect).where(conditions.join());
-      return ok(rows);
-    });
-  }
-
-  async upsert(data: ConnectInsert, tx?: Orm) {
-    return this.throwableAsync(async () => {
-      const db = tx ?? this.orm;
-      const [existing] = await db
-        .select()
-        .from(this.schema.connect)
-        .where(
-          and(
-            eq(this.schema.connect.userId, data.userId),
-            eq(this.schema.connect.provider, data.provider),
-            eq(this.schema.connect.providerAccountId, data.providerAccountId)
-          )
-        )
-        .limit(1);
-
-      if (existing) {
-        // Update existing
-        const [updated] = await db
-          .update(this.schema.connect)
-          .set({
-            ...data,
-            updatedAt: new Date(),
-            lastRefreshedAt: new Date(),
-          })
-          .where(eq(this.schema.connect.id, existing.id))
-          .returning();
-        return ok(updated);
-      }
-
-      // Create new
-      const [created] = await db.insert(this.schema.connect).values(data).returning();
-      if (!created) return this.error("UNPROCESSABLE_CONTENT");
-      return ok(created);
-    });
-  }
-}

package/src/modules/connect/connect.router.ts

@@ -1,76 +0,0 @@
-import { Router } from "express";
-import type { AuthMiddleware, AuthRequest } from "#modules/auth/auth.middleware";
-import type { ConnectService } from "./connect.service";
-
-export function createConnectRouter(
-  authMiddleware: AuthMiddleware,
-  connectService: ConnectService
-): Router {
-  const connectRouter = Router();
-
-  connectRouter.get("/:provider/start", authMiddleware, async (req: AuthRequest, res) => {
-    const user = req.user;
-    const session = req.session;
-    if (!user || !session) {
-      return res.status(401).json({ message: "Unauthorized" });
-    }
-    const { provider } = req.params;
-    const { redirect } = req.query;
-
-    const result = await connectService.startAuth(user, session.id, provider);
-
-    if (result.isErr()) {
-      const errorUrl = redirect
-        ? `${redirect}?error=${encodeURIComponent(result.error.message)}`
-        : `${process.env.VITE_APP_URL || process.env.VITE_SERVER_URL || "/"}?connect_error=${encodeURIComponent(result.error.message)}`;
-      return res.redirect(errorUrl);
-    }
-
-    return res.redirect(result.value.url);
-  });
-
-  connectRouter.get("/:provider/callback", authMiddleware, async (req: AuthRequest, res) => {
-    const user = req.user;
-    const session = req.session;
-    if (!user || !session) {
-      return res.status(401).json({ message: "Unauthorized" });
-    }
-    const { provider } = req.params;
-    const { code, state, error, error_description } = req.query;
-    const { redirect } = req.query;
-
-    const successUrl =
-      redirect && typeof redirect === "string"
-        ? redirect
-        : `${process.env.VITE_APP_URL || process.env.VITE_SERVER_URL || "/"}?connect_success=true`;
-
-    // Handle OAuth errors from provider
-    if (error) {
-      const errorMessage = error_description || error || "OAuth error";
-      const errorUrl = `${successUrl}&error=${encodeURIComponent(String(errorMessage))}`;
-      return res.redirect(errorUrl);
-    }
-
-    if (!code || !state) {
-      const errorUrl = `${successUrl}&error=${encodeURIComponent("Missing code or state")}`;
-      return res.redirect(errorUrl);
-    }
-
-    const result = await connectService.handleCallback(
-      user,
-      session.id,
-      provider,
-      String(code),
-      String(state)
-    );
-
-    if (result.isErr()) {
-      const errorUrl = `${successUrl}&error=${encodeURIComponent(result.error.message)}`;
-      return res.redirect(errorUrl);
-    }
-
-    return res.redirect(`${successUrl}&provider=${provider}`);
-  });
-
-  return connectRouter;
-}

package/src/modules/connect/connect.service.ts

@@ -1,171 +0,0 @@
-import { err, ok } from "neverthrow";
-import type { User } from "#modules/auth/auth.lib";
-import type { ServerResultAsync } from "#modules/base/base.dto";
-import { BaseService } from "#modules/base/base.service";
-import type {
-  ConnectDeleteInputSchema,
-  ConnectListInputSchema,
-} from "#modules/connect/connect.dto";
-import {
-  buildAuthorizationUrl,
-  exchangeCodeForTokens,
-  generateOAuthState,
-  getOAuthState,
-  refreshAccessToken,
-} from "./connect.oauth";
-import type { ConnectRepository } from "./connect.repository";
-import type { ConnectProvider } from "./connect.types";
-
-export class ConnectService extends BaseService<{ connect: ConnectRepository }, never> {
-  private providers = new Map<string, ConnectProvider>();
-
-  constructor(repositories: { connect: ConnectRepository }, providers: ConnectProvider[]) {
-    super(repositories);
-    this.providers = new Map(providers.map((provider) => [provider.id, provider]));
-  }
-
-  getProvider(id: string): ConnectProvider | null {
-    return this.providers.get(id) || null;
-  }
-
-  async startAuth(
-    _user: User,
-    sessionId: string,
-    providerId: string
-  ): ServerResultAsync<{ url: string }> {
-    return this.throwableAsync(async () => {
-      const provider = this.getProvider(providerId);
-      if (!provider) {
-        return this.error("BAD_REQUEST", `Unknown provider: ${providerId}`);
-      }
-
-      const state = await generateOAuthState(sessionId, providerId);
-      const url = await buildAuthorizationUrl(provider, state);
-
-      return ok({ url });
-    });
-  }
-
-  async handleCallback(
-    user: User,
-    sessionId: string,
-    providerId: string,
-    code: string,
-    state: string
-  ) {
-    return this.throwableAsync(async () => {
-      const provider = this.getProvider(providerId);
-      if (!provider) {
-        return this.error("BAD_REQUEST", `Unknown provider: ${providerId}`);
-      }
-
-      const oauthState = getOAuthState(sessionId, providerId, state);
-      if (!oauthState) {
-        return this.error("BAD_REQUEST", "Invalid or expired state");
-      }
-
-      // Exchange code for tokens
-      // Note: redirectUri must match exactly what was used in authorization request
-      const tokens = await exchangeCodeForTokens(
-        provider,
-        code,
-        oauthState.codeVerifier,
-        provider.redirectUri,
-        state
-      );
-
-      // Fetch profile
-      const profile = await provider.mapProfile(tokens.accessToken);
-
-      // Upsert connection
-      const connection = await this.repository.connect.upsert({
-        userId: user.id,
-        provider: providerId,
-        accountType: profile.accountType,
-        providerAccountId: profile.providerAccountId,
-        handle: profile.handle,
-        displayName: profile.displayName,
-        avatarUrl: profile.avatarUrl,
-        accessToken: tokens.accessToken,
-        refreshToken: tokens.refreshToken,
-        tokenType: tokens.tokenType || "bearer",
-        scope: tokens.scope,
-        expiresAt: tokens.expiresAt,
-        parentId: profile.parentId,
-        metadataJson: profile.metadata ? JSON.stringify(profile.metadata) : null,
-      });
-
-      if (connection.isErr()) {
-        return this.error("INTERNAL_SERVER_ERROR", "Failed to save connection", {
-          cause: connection.error,
-        });
-      }
-
-      return ok(connection.value);
-    });
-  }
-
-  async refreshToken(connectionId: string) {
-    return this.throwableAsync(async () => {
-      const connection = await this.repository.connect.findById(connectionId);
-      if (connection.isErr() || !connection.value) {
-        return this.error("NOT_FOUND", "Connection not found");
-      }
-
-      const conn = connection.value;
-      if (!conn.refreshToken) {
-        return this.error("BAD_REQUEST", "No refresh token available");
-      }
-
-      const provider = this.getProvider(conn.provider);
-      if (!provider) {
-        return this.error("BAD_REQUEST", `Unknown provider: ${conn.provider}`);
-      }
-
-      const tokens = await refreshAccessToken(provider, conn.refreshToken);
-
-      const updateData: {
-        id: string;
-        accessToken: string;
-        refreshToken?: string | null;
-        tokenType?: string | null;
-        scope?: string | null;
-        expiresAt?: Date | null;
-        lastRefreshedAt: Date;
-      } = {
-        id: conn.id,
-        accessToken: tokens.accessToken,
-        refreshToken: tokens.refreshToken || null,
-        tokenType: tokens.tokenType || conn.tokenType || null,
-        scope: tokens.scope || conn.scope || null,
-        expiresAt: tokens.expiresAt || null,
-        lastRefreshedAt: new Date(),
-      };
-
-      const updated = await this.repository.connect.update(updateData);
-
-      if (updated.isErr()) {
-        return this.error("INTERNAL_SERVER_ERROR", "Failed to update tokens", {
-          cause: updated.error,
-        });
-      }
-
-      return ok(updated.value);
-    });
-  }
-
-  async list(input: ConnectListInputSchema, { user }: { user: User }) {
-    return this.repository.connect.list({ userId: user.id, ...input });
-  }
-
-  async delete({ id }: ConnectDeleteInputSchema, { user }: { user: User }) {
-    const connection = await this.repository.connect.findById(id);
-    if (connection.isOk()) {
-      if (connection.value?.userId !== user.id) {
-        return this.error("FORBIDDEN", "Not your connection");
-      }
-      return this.repository.connect.deleteById(id);
-    }
-    return err(connection.error);
-  }
-}

package/src/modules/connect/connect.trpc.ts

@@ -1,26 +0,0 @@
-import { handleTRPCResult, procedure, router } from "#trpc";
-import {
-  connectDeleteInputSchema,
-  connectDeleteOutputSchema,
-  connectListInputSchema,
-  connectListOutputSchema,
-} from "./connect.dto";
-import type { ConnectService } from "./connect.service";
-
-export function createConnectTRPC(connectService: ConnectService) {
-  return router({
-    list: procedure
-      .input(connectListInputSchema)
-      .output(connectListOutputSchema)
-      .query(async ({ ctx, input }) => {
-        return handleTRPCResult(await connectService.list(input, ctx));
-      }),
-
-    delete: procedure
-      .input(connectDeleteInputSchema)
-      .output(connectDeleteOutputSchema)
-      .mutation(async ({ ctx, input }) => {
-        return handleTRPCResult(await connectService.delete(input, ctx));
-      }),
-  });
-}

package/src/modules/connect/connect.types.ts

@@ -1,27 +0,0 @@
-export interface ConnectProvider {
-  id: string;
-  clientId: string;
-  clientSecret: string;
-  redirectUri: string;
-  scopes: string[];
-  issuerConfig?: {
-    issuer: string;
-    authorization_endpoint: string;
-    token_endpoint: string;
-    userinfo_endpoint?: string;
-  };
-  issuerUrl?: string; // For auto-discovery
-  supportsPKCE?: boolean; // Whether provider supports PKCE (default: true)
-  mapProfile: (accessToken: string) => Promise<ConnectProfile>;
-}
-
-export interface ConnectProfile {
-  providerAccountId: string;
-  displayName?: string;
-  avatarUrl?: string;
-  handle?: string;
-  accountType: "user" | "page" | "org" | "channel";
-  parentId?: string;
-  metadata?: Record<string, unknown>;
-}
-

package/src/modules/crypto/crypto.db.ts

@@ -1,15 +0,0 @@
-import { integer, real, sqliteTable as table, text } from "drizzle-orm/sqlite-core";
-import { v4 as uuidv4 } from "uuid";
-
-export const cryptoPayments = table("crypto_payments", {
-  id: text("id").primaryKey().$default(uuidv4),
-  createdAt: integer("created_at", { mode: "timestamp" })
-    .notNull()
-    .$default(() => new Date()),
-  updatedAt: integer("updated_at", { mode: "timestamp" }),
-  address: text("address").notNull(),
-  referenceId: text("reference_id").notNull(),
-  status: text("status").notNull().default("pending"),
-  derivationIndex: integer("derivation_index").notNull(),
-  amountExpected: real("amount_expected").notNull(),
-});

package/src/modules/crypto/crypto.repository.ts

@@ -1,13 +0,0 @@
-import type { LibSQLDatabase } from "drizzle-orm/libsql";
-import { BaseTableRepository } from "#modules/base/base.repository";
-import * as crypto from "#modules/crypto/crypto.db";
-
-const schema = { ...crypto };
-type Schema = typeof schema;
-
-export class CryptoRepository extends BaseTableRepository<
-  LibSQLDatabase<Schema>,
-  Schema,
-  Record<string, never>,
-  Schema["cryptoPayments"]
-> {}