@m5kdev/backend 0.8.6 → 0.8.8

package/dist/src/modules/connect/connect.oauth.cjs

@@ -0,0 +1,153 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const require_runtime = require("../../../_virtual/_rolldown/runtime.cjs");
+const require_src_utils_logger = require("../../utils/logger.cjs");
+let openid_client = require("openid-client");
+openid_client = require_runtime.__toESM(openid_client);
+//#region src/modules/connect/connect.oauth.ts
+const oauthStateStore = /* @__PURE__ */ new Map();
+const STATE_TTL_MS = 600 * 1e3;
+function getStateKey(sessionId, provider) {
+	return `${sessionId}:${provider}`;
+}
+async function generateOAuthState(sessionId, provider) {
+	const state = openid_client.randomState();
+	const codeVerifier = openid_client.randomPKCECodeVerifier();
+	const oauthState = {
+		state,
+		codeVerifier,
+		codeChallenge: await openid_client.calculatePKCECodeChallenge(codeVerifier),
+		sessionId,
+		provider
+	};
+	const key = getStateKey(sessionId, provider);
+	oauthStateStore.set(key, oauthState);
+	setTimeout(() => {
+		oauthStateStore.delete(key);
+	}, STATE_TTL_MS);
+	return oauthState;
+}
+function getOAuthState(sessionId, provider, state) {
+	const key = getStateKey(sessionId, provider);
+	const stored = oauthStateStore.get(key);
+	if (!stored || stored.state !== state) return null;
+	oauthStateStore.delete(key);
+	return stored;
+}
+async function createConfiguration(provider) {
+	const clientAuth = provider.clientSecret ? openid_client.ClientSecretPost(provider.clientSecret) : openid_client.None();
+	if (provider.issuerConfig) {
+		const serverMetadata = {
+			issuer: provider.issuerConfig.issuer,
+			authorization_endpoint: provider.issuerConfig.authorization_endpoint,
+			token_endpoint: provider.issuerConfig.token_endpoint,
+			...provider.issuerConfig.userinfo_endpoint && { userinfo_endpoint: provider.issuerConfig.userinfo_endpoint },
+			...provider.id === "linkedin" && { jwks_uri: "https://www.linkedin.com/oauth/openid/jwks" }
+		};
+		const clientMetadata = {
+			client_id: provider.clientId,
+			...provider.clientSecret && { client_secret: provider.clientSecret },
+			redirect_uris: [provider.redirectUri]
+		};
+		return new openid_client.Configuration(serverMetadata, provider.clientId, clientMetadata, clientAuth);
+	}
+	if (!provider.issuerUrl) throw new Error("Provider must have either issuerConfig or issuerUrl");
+	const serverUrl = new URL(provider.issuerUrl);
+	return await openid_client.discovery(serverUrl, provider.clientId, void 0, clientAuth);
+}
+async function buildAuthorizationUrl(provider, state) {
+	const config = await createConfiguration(provider);
+	const parameters = {
+		scope: provider.scopes.join(" "),
+		state: state.state,
+		redirect_uri: provider.redirectUri
+	};
+	if (provider.supportsPKCE !== false) {
+		parameters.code_challenge = state.codeChallenge;
+		parameters.code_challenge_method = "S256";
+	}
+	return openid_client.buildAuthorizationUrl(config, parameters).toString();
+}
+async function exchangeCodeForTokens(provider, code, codeVerifier, redirectUri, state) {
+	const logger$1 = require_src_utils_logger.logger.child({ layer: "exchangeCodeForTokens" });
+	try {
+		if (provider.id === "linkedin" && provider.issuerConfig) {
+			const tokenEndpoint = provider.issuerConfig.token_endpoint;
+			const body = new URLSearchParams({
+				grant_type: "authorization_code",
+				code,
+				redirect_uri: provider.redirectUri,
+				client_id: provider.clientId,
+				client_secret: provider.clientSecret
+			});
+			const response = await fetch(tokenEndpoint, {
+				method: "POST",
+				headers: { "Content-Type": "application/x-www-form-urlencoded" },
+				body: body.toString()
+			});
+			if (!response.ok) {
+				const errorData = await response.json().catch(() => ({}));
+				throw new Error(`LinkedIn token exchange failed: ${response.status} ${response.statusText} - ${JSON.stringify(errorData)}`);
+			}
+			const tokenData = await response.json();
+			return {
+				accessToken: tokenData.access_token,
+				refreshToken: tokenData.refresh_token,
+				tokenType: tokenData.token_type || "bearer",
+				expiresAt: tokenData.expires_in ? new Date(Date.now() + tokenData.expires_in * 1e3) : void 0,
+				scope: tokenData.scope
+			};
+		}
+		const config = await createConfiguration(provider);
+		const currentUrl = new URL(redirectUri);
+		currentUrl.searchParams.set("code", code);
+		currentUrl.searchParams.set("state", state);
+		const checks = { expectedState: state };
+		if (provider.supportsPKCE !== false) checks.pkceCodeVerifier = codeVerifier;
+		const tokenSet = await openid_client.authorizationCodeGrant(config, currentUrl, checks);
+		return {
+			accessToken: tokenSet.access_token,
+			refreshToken: tokenSet.refresh_token,
+			tokenType: tokenSet.token_type,
+			expiresAt: tokenSet.expires_in ? new Date(Date.now() + tokenSet.expires_in * 1e3) : void 0,
+			scope: tokenSet.scope
+		};
+	} catch (error) {
+		logger$1.error("Token exchange error", {
+			error,
+			provider: provider.id
+		});
+		if (error instanceof Error) {
+			const errorMessage = error.message || "Unknown error";
+			if (provider.id === "linkedin" && errorMessage.includes("JWT claim") && error.code === "OAUTH_JWT_CLAIM_COMPARISON_FAILED") {
+				logger$1.warn("LinkedIn ID token validation failed, but token exchange may have succeeded. Check if access token is available.", { error: errorMessage });
+				throw new Error(`LinkedIn ID token validation failed: ${errorMessage}. This is a known issue with LinkedIn's OpenID Connect implementation.`);
+			}
+			const errorDetails = error.cause;
+			const linkedInError = errorDetails?.error;
+			const linkedInErrorDescription = errorDetails?.error_description;
+			const fullErrorMessage = linkedInError ? `LinkedIn OAuth error: ${linkedInError}${linkedInErrorDescription ? ` - ${linkedInErrorDescription}` : ""}` : `Token exchange failed: ${errorMessage}${errorDetails ? ` - Details: ${JSON.stringify(errorDetails)}` : ""}`;
+			throw new Error(fullErrorMessage);
+		}
+		throw error;
+	}
+}
+async function refreshAccessToken(provider, refreshToken) {
+	const config = await createConfiguration(provider);
+	const tokenSet = await openid_client.refreshTokenGrant(config, refreshToken);
+	return {
+		accessToken: tokenSet.access_token,
+		refreshToken: tokenSet.refresh_token || refreshToken,
+		tokenType: tokenSet.token_type,
+		expiresAt: tokenSet.expires_in ? new Date(Date.now() + tokenSet.expires_in * 1e3) : void 0,
+		scope: tokenSet.scope
+	};
+}
+//#endregion
+exports.buildAuthorizationUrl = buildAuthorizationUrl;
+exports.createConfiguration = createConfiguration;
+exports.exchangeCodeForTokens = exchangeCodeForTokens;
+exports.generateOAuthState = generateOAuthState;
+exports.getOAuthState = getOAuthState;
+exports.refreshAccessToken = refreshAccessToken;
+
+//# sourceMappingURL=connect.oauth.cjs.map

package/dist/src/modules/connect/connect.oauth.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"connect.oauth.cjs","names":["client","logger","rootLogger"],"sources":["../../../../src/modules/connect/connect.oauth.ts"],"sourcesContent":["import * as client from \"openid-client\";\r\nimport { logger as rootLogger } from \"../../utils/logger\";\r\nimport type { ConnectProvider } from \"./connect.types\";\r\n\r\nexport interface OAuthState {\r\n  state: string;\r\n  codeVerifier: string;\r\n  codeChallenge: string;\r\n  sessionId: string;\r\n  provider: string;\r\n}\r\n\r\n// In-memory store for OAuth state (keyed by sessionId + provider)\r\n// In production, consider using Redis with TTL\r\nconst oauthStateStore = new Map<string, OAuthState>();\r\n\r\nconst STATE_TTL_MS = 10 * 60 * 1000; // 10 minutes\r\n\r\nfunction getStateKey(sessionId: string, provider: string): string {\r\n  return `${sessionId}:${provider}`;\r\n}\r\n\r\nexport async function generateOAuthState(sessionId: string, provider: string): Promise<OAuthState> {\r\n  const state = client.randomState();\r\n  const codeVerifier = client.randomPKCECodeVerifier();\r\n  const codeChallenge = await client.calculatePKCECodeChallenge(codeVerifier);\r\n\r\n  const oauthState: OAuthState = {\r\n    state,\r\n    codeVerifier,\r\n    codeChallenge,\r\n    sessionId,\r\n    provider,\r\n  };\r\n\r\n  const key = getStateKey(sessionId, provider);\r\n  oauthStateStore.set(key, oauthState);\r\n\r\n  // Clean up after TTL\r\n  setTimeout(() => {\r\n    oauthStateStore.delete(key);\r\n  }, STATE_TTL_MS);\r\n\r\n  return oauthState;\r\n}\r\n\r\nexport function getOAuthState(\r\n  sessionId: string,\r\n  provider: string,\r\n  state: string\r\n): OAuthState | null {\r\n  const key = getStateKey(sessionId, provider);\r\n  const stored = oauthStateStore.get(key);\r\n\r\n  if (!stored || stored.state !== state) {\r\n    return null;\r\n  }\r\n\r\n  // Clean up after use\r\n  oauthStateStore.delete(key);\r\n  return stored;\r\n}\r\n\r\nexport async function createConfiguration(\r\n  provider: ConnectProvider\r\n): Promise<client.Configuration> {\r\n  // LinkedIn uses client_secret_post (form-encoded body parameters)\r\n  // The library's ClientSecretPost handles this correctly\r\n  const clientAuth = provider.clientSecret\r\n    ? client.ClientSecretPost(provider.clientSecret)\r\n    : client.None();\r\n\r\n  if (provider.issuerConfig) {\r\n    // Use manual issuer config (e.g., LinkedIn) - create Configuration directly\r\n    // LinkedIn doesn't support OpenID Connect discovery\r\n    const serverMetadata: client.ServerMetadata = {\r\n      issuer: provider.issuerConfig.issuer,\r\n      authorization_endpoint: provider.issuerConfig.authorization_endpoint,\r\n      token_endpoint: provider.issuerConfig.token_endpoint,\r\n      ...(provider.issuerConfig.userinfo_endpoint && {\r\n        userinfo_endpoint: provider.issuerConfig.userinfo_endpoint,\r\n      }),\r\n      // LinkedIn JWKS URI for ID token signature verification\r\n      ...(provider.id === \"linkedin\" && {\r\n        jwks_uri: \"https://www.linkedin.com/oauth/openid/jwks\",\r\n      }),\r\n    };\r\n\r\n    const clientMetadata: Partial<client.ClientMetadata> = {\r\n      client_id: provider.clientId,\r\n      ...(provider.clientSecret && { client_secret: provider.clientSecret }),\r\n      redirect_uris: [provider.redirectUri],\r\n    };\r\n\r\n    return new client.Configuration(serverMetadata, provider.clientId, clientMetadata, clientAuth);\r\n  }\r\n\r\n  // Auto-discovery from well-known endpoint\r\n  if (!provider.issuerUrl) {\r\n    throw new Error(\"Provider must have either issuerConfig or issuerUrl\");\r\n  }\r\n\r\n  const serverUrl = new URL(provider.issuerUrl);\r\n  return await client.discovery(serverUrl, provider.clientId, undefined, clientAuth);\r\n}\r\n\r\nexport async function buildAuthorizationUrl(\r\n  provider: ConnectProvider,\r\n  state: OAuthState\r\n): Promise<string> {\r\n  const config = await createConfiguration(provider);\r\n\r\n  const parameters: Record<string, string> = {\r\n    scope: provider.scopes.join(\" \"),\r\n    state: state.state,\r\n    redirect_uri: provider.redirectUri,\r\n  };\r\n\r\n  // Add PKCE parameters only if provider supports it\r\n  if (provider.supportsPKCE !== false) {\r\n    parameters.code_challenge = state.codeChallenge;\r\n    parameters.code_challenge_method = \"S256\";\r\n  }\r\n\r\n  const url = client.buildAuthorizationUrl(config, parameters);\r\n  return url.toString();\r\n}\r\n\r\nexport async function exchangeCodeForTokens(\r\n  provider: ConnectProvider,\r\n  code: string,\r\n  codeVerifier: string,\r\n  redirectUri: string,\r\n  state: string\r\n): Promise<{\r\n  accessToken: string;\r\n  refreshToken?: string;\r\n  tokenType?: string;\r\n  expiresAt?: Date;\r\n  scope?: string;\r\n}> {\r\n  const logger = rootLogger.child({ layer: \"exchangeCodeForTokens\" });\r\n\r\n  try {\r\n    // LinkedIn-specific workaround: Manual token exchange to bypass ID token validation\r\n    // LinkedIn's OpenID Connect ID token has non-standard claim format\r\n    if (provider.id === \"linkedin\" && provider.issuerConfig) {\r\n      const tokenEndpoint = provider.issuerConfig.token_endpoint;\r\n      const body = new URLSearchParams({\r\n        grant_type: \"authorization_code\",\r\n        code,\r\n        redirect_uri: provider.redirectUri,\r\n        client_id: provider.clientId,\r\n        client_secret: provider.clientSecret,\r\n      });\r\n\r\n      const response = await fetch(tokenEndpoint, {\r\n        method: \"POST\",\r\n        headers: {\r\n          \"Content-Type\": \"application/x-www-form-urlencoded\",\r\n        },\r\n        body: body.toString(),\r\n      });\r\n\r\n      if (!response.ok) {\r\n        const errorData = await response.json().catch(() => ({}));\r\n        throw new Error(\r\n          `LinkedIn token exchange failed: ${response.status} ${response.statusText} - ${JSON.stringify(errorData)}`\r\n        );\r\n      }\r\n\r\n      const tokenData = (await response.json()) as {\r\n        access_token: string;\r\n        refresh_token?: string;\r\n        token_type?: string;\r\n        expires_in?: number;\r\n        scope?: string;\r\n      };\r\n\r\n      return {\r\n        accessToken: tokenData.access_token,\r\n        refreshToken: tokenData.refresh_token,\r\n        tokenType: tokenData.token_type || \"bearer\",\r\n        expiresAt: tokenData.expires_in\r\n          ? new Date(Date.now() + tokenData.expires_in * 1000)\r\n          : undefined,\r\n        scope: tokenData.scope,\r\n      };\r\n    }\r\n\r\n    // Standard flow for other providers\r\n    const config = await createConfiguration(provider);\r\n    const currentUrl = new URL(redirectUri);\r\n    currentUrl.searchParams.set(\"code\", code);\r\n    currentUrl.searchParams.set(\"state\", state);\r\n\r\n    const checks: {\r\n      pkceCodeVerifier?: string;\r\n      expectedState: string;\r\n    } = {\r\n      expectedState: state,\r\n    };\r\n\r\n    // Only include PKCE verifier if provider supports it\r\n    if (provider.supportsPKCE !== false) {\r\n      checks.pkceCodeVerifier = codeVerifier;\r\n    }\r\n\r\n    const tokenSet = await client.authorizationCodeGrant(config, currentUrl, checks);\r\n\r\n    return {\r\n      accessToken: tokenSet.access_token,\r\n      refreshToken: tokenSet.refresh_token,\r\n      tokenType: tokenSet.token_type,\r\n      expiresAt: tokenSet.expires_in\r\n        ? new Date(Date.now() + tokenSet.expires_in * 1000)\r\n        : undefined,\r\n      scope: tokenSet.scope,\r\n    };\r\n  } catch (error: unknown) {\r\n    // Enhanced error logging for OAuth issues\r\n    logger.error(\"Token exchange error\", { error, provider: provider.id });\r\n\r\n    if (error instanceof Error) {\r\n      const errorMessage = error.message || \"Unknown error\";\r\n\r\n      // Check if this is an ID token validation error for LinkedIn\r\n      // LinkedIn's ID token may have non-standard claim format, but we can still use the access token\r\n      if (\r\n        provider.id === \"linkedin\" &&\r\n        errorMessage.includes(\"JWT claim\") &&\r\n        (error as { code?: string }).code === \"OAUTH_JWT_CLAIM_COMPARISON_FAILED\"\r\n      ) {\r\n        // Try to extract access token from the error response if available\r\n        // This is a workaround for LinkedIn's ID token validation issues\r\n        logger.warn(\r\n          \"LinkedIn ID token validation failed, but token exchange may have succeeded. Check if access token is available.\",\r\n          { error: errorMessage }\r\n        );\r\n        // Re-throw for now - we need the access token to continue\r\n        // In a production scenario, you might want to manually parse the token response\r\n        throw new Error(\r\n          `LinkedIn ID token validation failed: ${errorMessage}. This is a known issue with LinkedIn's OpenID Connect implementation.`\r\n        );\r\n      }\r\n\r\n      // ResponseBodyError from oauth4webapi has a 'cause' property with the error details\r\n      const responseBodyError = error as { cause?: Record<string, unknown> };\r\n      const errorDetails = responseBodyError.cause;\r\n\r\n      // Extract error and error_description from LinkedIn's response\r\n      const linkedInError = errorDetails?.error as string | undefined;\r\n      const linkedInErrorDescription = errorDetails?.error_description as string | undefined;\r\n\r\n      const fullErrorMessage = linkedInError\r\n        ? `LinkedIn OAuth error: ${linkedInError}${linkedInErrorDescription ? ` - ${linkedInErrorDescription}` : \"\"}`\r\n        : `Token exchange failed: ${errorMessage}${\r\n            errorDetails ? ` - Details: ${JSON.stringify(errorDetails)}` : \"\"\r\n          }`;\r\n\r\n      throw new Error(fullErrorMessage);\r\n    }\r\n    throw error;\r\n  }\r\n}\r\n\r\nexport async function refreshAccessToken(\r\n  provider: ConnectProvider,\r\n  refreshToken: string\r\n): Promise<{\r\n  accessToken: string;\r\n  refreshToken?: string;\r\n  tokenType?: string;\r\n  expiresAt?: Date;\r\n  scope?: string;\r\n}> {\r\n  const config = await createConfiguration(provider);\r\n\r\n  const tokenSet = await client.refreshTokenGrant(config, refreshToken);\r\n\r\n  return {\r\n    accessToken: tokenSet.access_token,\r\n    refreshToken: tokenSet.refresh_token || refreshToken,\r\n    tokenType: tokenSet.token_type,\r\n    expiresAt: tokenSet.expires_in ? new Date(Date.now() + tokenSet.expires_in * 1000) : undefined,\r\n    scope: tokenSet.scope,\r\n  };\r\n}\r\n"],"mappings":";;;;;;AAcA,MAAM,kCAAkB,IAAI,KAAyB;AAErD,MAAM,eAAe,MAAU;AAE/B,SAAS,YAAY,WAAmB,UAA0B;AAChE,QAAO,GAAG,UAAU,GAAG;;AAGzB,eAAsB,mBAAmB,WAAmB,UAAuC;CACjG,MAAM,QAAQA,cAAO,aAAa;CAClC,MAAM,eAAeA,cAAO,wBAAwB;CAGpD,MAAM,aAAyB;EAC7B;EACA;EACA,eALoB,MAAMA,cAAO,2BAA2B,aAAa;EAMzE;EACA;EACD;CAED,MAAM,MAAM,YAAY,WAAW,SAAS;AAC5C,iBAAgB,IAAI,KAAK,WAAW;AAGpC,kBAAiB;AACf,kBAAgB,OAAO,IAAI;IAC1B,aAAa;AAEhB,QAAO;;AAGT,SAAgB,cACd,WACA,UACA,OACmB;CACnB,MAAM,MAAM,YAAY,WAAW,SAAS;CAC5C,MAAM,SAAS,gBAAgB,IAAI,IAAI;AAEvC,KAAI,CAAC,UAAU,OAAO,UAAU,MAC9B,QAAO;AAIT,iBAAgB,OAAO,IAAI;AAC3B,QAAO;;AAGT,eAAsB,oBACpB,UAC+B;CAG/B,MAAM,aAAa,SAAS,eACxBA,cAAO,iBAAiB,SAAS,aAAa,GAC9CA,cAAO,MAAM;AAEjB,KAAI,SAAS,cAAc;EAGzB,MAAM,iBAAwC;GAC5C,QAAQ,SAAS,aAAa;GAC9B,wBAAwB,SAAS,aAAa;GAC9C,gBAAgB,SAAS,aAAa;GACtC,GAAI,SAAS,aAAa,qBAAqB,EAC7C,mBAAmB,SAAS,aAAa,mBAC1C;GAED,GAAI,SAAS,OAAO,cAAc,EAChC,UAAU,8CACX;GACF;EAED,MAAM,iBAAiD;GACrD,WAAW,SAAS;GACpB,GAAI,SAAS,gBAAgB,EAAE,eAAe,SAAS,cAAc;GACrE,eAAe,CAAC,SAAS,YAAY;GACtC;AAED,SAAO,IAAIA,cAAO,cAAc,gBAAgB,SAAS,UAAU,gBAAgB,WAAW;;AAIhG,KAAI,CAAC,SAAS,UACZ,OAAM,IAAI,MAAM,sDAAsD;CAGxE,MAAM,YAAY,IAAI,IAAI,SAAS,UAAU;AAC7C,QAAO,MAAMA,cAAO,UAAU,WAAW,SAAS,UAAU,KAAA,GAAW,WAAW;;AAGpF,eAAsB,sBACpB,UACA,OACiB;CACjB,MAAM,SAAS,MAAM,oBAAoB,SAAS;CAElD,MAAM,aAAqC;EACzC,OAAO,SAAS,OAAO,KAAK,IAAI;EAChC,OAAO,MAAM;EACb,cAAc,SAAS;EACxB;AAGD,KAAI,SAAS,iBAAiB,OAAO;AACnC,aAAW,iBAAiB,MAAM;AAClC,aAAW,wBAAwB;;AAIrC,QADYA,cAAO,sBAAsB,QAAQ,WAAW,CACjD,UAAU;;AAGvB,eAAsB,sBACpB,UACA,MACA,cACA,aACA,OAOC;CACD,MAAMC,WAASC,yBAAAA,OAAW,MAAM,EAAE,OAAO,yBAAyB,CAAC;AAEnE,KAAI;AAGF,MAAI,SAAS,OAAO,cAAc,SAAS,cAAc;GACvD,MAAM,gBAAgB,SAAS,aAAa;GAC5C,MAAM,OAAO,IAAI,gBAAgB;IAC/B,YAAY;IACZ;IACA,cAAc,SAAS;IACvB,WAAW,SAAS;IACpB,eAAe,SAAS;IACzB,CAAC;GAEF,MAAM,WAAW,MAAM,MAAM,eAAe;IAC1C,QAAQ;IACR,SAAS,EACP,gBAAgB,qCACjB;IACD,MAAM,KAAK,UAAU;IACtB,CAAC;AAEF,OAAI,CAAC,SAAS,IAAI;IAChB,MAAM,YAAY,MAAM,SAAS,MAAM,CAAC,aAAa,EAAE,EAAE;AACzD,UAAM,IAAI,MACR,mCAAmC,SAAS,OAAO,GAAG,SAAS,WAAW,KAAK,KAAK,UAAU,UAAU,GACzG;;GAGH,MAAM,YAAa,MAAM,SAAS,MAAM;AAQxC,UAAO;IACL,aAAa,UAAU;IACvB,cAAc,UAAU;IACxB,WAAW,UAAU,cAAc;IACnC,WAAW,UAAU,aACjB,IAAI,KAAK,KAAK,KAAK,GAAG,UAAU,aAAa,IAAK,GAClD,KAAA;IACJ,OAAO,UAAU;IAClB;;EAIH,MAAM,SAAS,MAAM,oBAAoB,SAAS;EAClD,MAAM,aAAa,IAAI,IAAI,YAAY;AACvC,aAAW,aAAa,IAAI,QAAQ,KAAK;AACzC,aAAW,aAAa,IAAI,SAAS,MAAM;EAE3C,MAAM,SAGF,EACF,eAAe,OAChB;AAGD,MAAI,SAAS,iBAAiB,MAC5B,QAAO,mBAAmB;EAG5B,MAAM,WAAW,MAAMF,cAAO,uBAAuB,QAAQ,YAAY,OAAO;AAEhF,SAAO;GACL,aAAa,SAAS;GACtB,cAAc,SAAS;GACvB,WAAW,SAAS;GACpB,WAAW,SAAS,aAChB,IAAI,KAAK,KAAK,KAAK,GAAG,SAAS,aAAa,IAAK,GACjD,KAAA;GACJ,OAAO,SAAS;GACjB;UACM,OAAgB;AAEvB,WAAO,MAAM,wBAAwB;GAAE;GAAO,UAAU,SAAS;GAAI,CAAC;AAEtE,MAAI,iBAAiB,OAAO;GAC1B,MAAM,eAAe,MAAM,WAAW;AAItC,OACE,SAAS,OAAO,cAChB,aAAa,SAAS,YAAY,IACjC,MAA4B,SAAS,qCACtC;AAGA,aAAO,KACL,mHACA,EAAE,OAAO,cAAc,CACxB;AAGD,UAAM,IAAI,MACR,wCAAwC,aAAa,wEACtD;;GAKH,MAAM,eADoB,MACa;GAGvC,MAAM,gBAAgB,cAAc;GACpC,MAAM,2BAA2B,cAAc;GAE/C,MAAM,mBAAmB,gBACrB,yBAAyB,gBAAgB,2BAA2B,MAAM,6BAA6B,OACvG,0BAA0B,eACxB,eAAe,eAAe,KAAK,UAAU,aAAa,KAAK;AAGrE,SAAM,IAAI,MAAM,iBAAiB;;AAEnC,QAAM;;;AAIV,eAAsB,mBACpB,UACA,cAOC;CACD,MAAM,SAAS,MAAM,oBAAoB,SAAS;CAElD,MAAM,WAAW,MAAMA,cAAO,kBAAkB,QAAQ,aAAa;AAErE,QAAO;EACL,aAAa,SAAS;EACtB,cAAc,SAAS,iBAAiB;EACxC,WAAW,SAAS;EACpB,WAAW,SAAS,aAAa,IAAI,KAAK,KAAK,KAAK,GAAG,SAAS,aAAa,IAAK,GAAG,KAAA;EACrF,OAAO,SAAS;EACjB"}

package/dist/src/modules/connect/connect.oauth.d.cts

@@ -0,0 +1,32 @@
+import { ConnectProvider } from "./connect.types.cjs";
+import * as client from "openid-client";
+
+//#region src/modules/connect/connect.oauth.d.ts
+interface OAuthState {
+  state: string;
+  codeVerifier: string;
+  codeChallenge: string;
+  sessionId: string;
+  provider: string;
+}
+declare function generateOAuthState(sessionId: string, provider: string): Promise<OAuthState>;
+declare function getOAuthState(sessionId: string, provider: string, state: string): OAuthState | null;
+declare function createConfiguration(provider: ConnectProvider): Promise<client.Configuration>;
+declare function buildAuthorizationUrl(provider: ConnectProvider, state: OAuthState): Promise<string>;
+declare function exchangeCodeForTokens(provider: ConnectProvider, code: string, codeVerifier: string, redirectUri: string, state: string): Promise<{
+  accessToken: string;
+  refreshToken?: string;
+  tokenType?: string;
+  expiresAt?: Date;
+  scope?: string;
+}>;
+declare function refreshAccessToken(provider: ConnectProvider, refreshToken: string): Promise<{
+  accessToken: string;
+  refreshToken?: string;
+  tokenType?: string;
+  expiresAt?: Date;
+  scope?: string;
+}>;
+//#endregion
+export { OAuthState, buildAuthorizationUrl, createConfiguration, exchangeCodeForTokens, generateOAuthState, getOAuthState, refreshAccessToken };
+//# sourceMappingURL=connect.oauth.d.cts.map

package/dist/src/modules/connect/connect.repository.cjs

@@ -0,0 +1,42 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+require("../../../_virtual/_rolldown/runtime.cjs");
+const require_src_modules_base_base_repository = require("../base/base.repository.cjs");
+const require_src_modules_connect_connect_db = require("./connect.db.cjs");
+let drizzle_orm = require("drizzle-orm");
+let neverthrow = require("neverthrow");
+//#region src/modules/connect/connect.repository.ts
+({ ...require_src_modules_connect_connect_db.connect_db_exports });
+var ConnectRepository = class extends require_src_modules_base_base_repository.BaseTableRepository {
+	async list(data, tx) {
+		return this.throwableAsync(async () => {
+			const db = tx ?? this.orm;
+			const { ConditionBuilder } = this.helpers;
+			const conditions = new ConditionBuilder();
+			if (data.providers) conditions.push((0, drizzle_orm.inArray)(this.schema.connect.provider, data.providers));
+			if (data.inactive) conditions.push((0, drizzle_orm.isNull)(this.schema.connect.revokedAt));
+			conditions.push((0, drizzle_orm.eq)(this.schema.connect.userId, data.userId));
+			return (0, neverthrow.ok)(await db.select().from(this.schema.connect).where(conditions.join()));
+		});
+	}
+	async upsert(data, tx) {
+		return this.throwableAsync(async () => {
+			const db = tx ?? this.orm;
+			const [existing] = await db.select().from(this.schema.connect).where((0, drizzle_orm.and)((0, drizzle_orm.eq)(this.schema.connect.userId, data.userId), (0, drizzle_orm.eq)(this.schema.connect.provider, data.provider), (0, drizzle_orm.eq)(this.schema.connect.providerAccountId, data.providerAccountId))).limit(1);
+			if (existing) {
+				const [updated] = await db.update(this.schema.connect).set({
+					...data,
+					updatedAt: /* @__PURE__ */ new Date(),
+					lastRefreshedAt: /* @__PURE__ */ new Date()
+				}).where((0, drizzle_orm.eq)(this.schema.connect.id, existing.id)).returning();
+				return (0, neverthrow.ok)(updated);
+			}
+			const [created] = await db.insert(this.schema.connect).values(data).returning();
+			if (!created) return this.error("UNPROCESSABLE_CONTENT");
+			return (0, neverthrow.ok)(created);
+		});
+	}
+};
+//#endregion
+exports.ConnectRepository = ConnectRepository;
+
+//# sourceMappingURL=connect.repository.cjs.map

package/dist/src/modules/connect/connect.repository.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"connect.repository.cjs","names":["connect","BaseTableRepository"],"sources":["../../../../src/modules/connect/connect.repository.ts"],"sourcesContent":["import type { InferInsertModel, InferSelectModel } from \"drizzle-orm\";\r\nimport { and, eq, inArray, isNull } from \"drizzle-orm\";\r\nimport type { LibSQLDatabase } from \"drizzle-orm/libsql\";\r\nimport { ok } from \"neverthrow\";\r\nimport { BaseTableRepository } from \"../base/base.repository\";\r\nimport * as connect from \"./connect.db\";\r\nimport type { ConnectListInputSchema } from \"./connect.dto\";\r\n\r\nconst schema = { ...connect };\r\ntype Schema = typeof schema;\r\ntype Orm = LibSQLDatabase<Schema>;\r\n\r\nexport type ConnectRow = InferSelectModel<Schema[\"connect\"]>;\r\nexport type ConnectInsert = InferInsertModel<Schema[\"connect\"]>;\r\n\r\nexport class ConnectRepository extends BaseTableRepository<Orm, Schema, Record<string, never>, Schema[\"connect\"]> {\r\n  async list(data: ConnectListInputSchema & { userId: string }, tx?: Orm) {\r\n    return this.throwableAsync(async () => {\r\n      const db = tx ?? this.orm;\r\n      const { ConditionBuilder } = this.helpers;\r\n      const conditions = new ConditionBuilder();\r\n      if (data.providers) conditions.push(inArray(this.schema.connect.provider, data.providers));\r\n      if (data.inactive) conditions.push(isNull(this.schema.connect.revokedAt));\r\n      conditions.push(eq(this.schema.connect.userId, data.userId));\r\n      const rows = await db.select().from(this.schema.connect).where(conditions.join());\r\n      return ok(rows);\r\n    });\r\n  }\r\n\r\n  async upsert(data: ConnectInsert, tx?: Orm) {\r\n    return this.throwableAsync(async () => {\r\n      const db = tx ?? this.orm;\r\n      const [existing] = await db\r\n        .select()\r\n        .from(this.schema.connect)\r\n        .where(\r\n          and(\r\n            eq(this.schema.connect.userId, data.userId),\r\n            eq(this.schema.connect.provider, data.provider),\r\n            eq(this.schema.connect.providerAccountId, data.providerAccountId)\r\n          )\r\n        )\r\n        .limit(1);\r\n\r\n      if (existing) {\r\n        // Update existing\r\n        const [updated] = await db\r\n          .update(this.schema.connect)\r\n          .set({\r\n            ...data,\r\n            updatedAt: new Date(),\r\n            lastRefreshedAt: new Date(),\r\n          })\r\n          .where(eq(this.schema.connect.id, existing.id))\r\n          .returning();\r\n        return ok(updated);\r\n      }\r\n\r\n      // Create new\r\n      const [created] = await db.insert(this.schema.connect).values(data).returning();\r\n      if (!created) return this.error(\"UNPROCESSABLE_CONTENT\");\r\n      return ok(created);\r\n    });\r\n  }\r\n}\r\n"],"mappings":";;;;;;;CAQe,EAAE,GAAGA,uCAAAA,oBAAS;AAO7B,IAAa,oBAAb,cAAuCC,yCAAAA,oBAA2E;CAChH,MAAM,KAAK,MAAmD,IAAU;AACtE,SAAO,KAAK,eAAe,YAAY;GACrC,MAAM,KAAK,MAAM,KAAK;GACtB,MAAM,EAAE,qBAAqB,KAAK;GAClC,MAAM,aAAa,IAAI,kBAAkB;AACzC,OAAI,KAAK,UAAW,YAAW,MAAA,GAAA,YAAA,SAAa,KAAK,OAAO,QAAQ,UAAU,KAAK,UAAU,CAAC;AAC1F,OAAI,KAAK,SAAU,YAAW,MAAA,GAAA,YAAA,QAAY,KAAK,OAAO,QAAQ,UAAU,CAAC;AACzE,cAAW,MAAA,GAAA,YAAA,IAAQ,KAAK,OAAO,QAAQ,QAAQ,KAAK,OAAO,CAAC;AAE5D,WAAA,GAAA,WAAA,IADa,MAAM,GAAG,QAAQ,CAAC,KAAK,KAAK,OAAO,QAAQ,CAAC,MAAM,WAAW,MAAM,CAAC,CAClE;IACf;;CAGJ,MAAM,OAAO,MAAqB,IAAU;AAC1C,SAAO,KAAK,eAAe,YAAY;GACrC,MAAM,KAAK,MAAM,KAAK;GACtB,MAAM,CAAC,YAAY,MAAM,GACtB,QAAQ,CACR,KAAK,KAAK,OAAO,QAAQ,CACzB,OAAA,GAAA,YAAA,MAAA,GAAA,YAAA,IAEM,KAAK,OAAO,QAAQ,QAAQ,KAAK,OAAO,GAAA,GAAA,YAAA,IACxC,KAAK,OAAO,QAAQ,UAAU,KAAK,SAAS,GAAA,GAAA,YAAA,IAC5C,KAAK,OAAO,QAAQ,mBAAmB,KAAK,kBAAkB,CAClE,CACF,CACA,MAAM,EAAE;AAEX,OAAI,UAAU;IAEZ,MAAM,CAAC,WAAW,MAAM,GACrB,OAAO,KAAK,OAAO,QAAQ,CAC3B,IAAI;KACH,GAAG;KACH,2BAAW,IAAI,MAAM;KACrB,iCAAiB,IAAI,MAAM;KAC5B,CAAC,CACD,OAAA,GAAA,YAAA,IAAS,KAAK,OAAO,QAAQ,IAAI,SAAS,GAAG,CAAC,CAC9C,WAAW;AACd,YAAA,GAAA,WAAA,IAAU,QAAQ;;GAIpB,MAAM,CAAC,WAAW,MAAM,GAAG,OAAO,KAAK,OAAO,QAAQ,CAAC,OAAO,KAAK,CAAC,WAAW;AAC/E,OAAI,CAAC,QAAS,QAAO,KAAK,MAAM,wBAAwB;AACxD,WAAA,GAAA,WAAA,IAAU,QAAQ;IAClB"}