@nativesquare/soma 0.5.0 → 0.7.0

package/src/component/public.ts

@@ -8,6 +8,7 @@ import { dailyValidator } from "./validators/daily.js";
 import { sleepValidator } from "./validators/sleep.js";
 import { menstruationValidator } from "./validators/menstruation.js";
 import { nutritionValidator } from "./validators/nutrition.js";
+import { plannedWorkoutValidator } from "./validators/plannedWorkout.js";
 
 // ─── Return Validators ──────────────────────────────────────────────────────
 
@@ -776,6 +777,140 @@ export const paginateMenstruation = query({
   },
 });
 
+// ── Planned Workouts ────────────────────────────────────────────────────────
+
+/**
+ * Ingest a planned workout record.
+ *
+ * Upserts by `connectionId + metadata.id` when an id is present.
+ * Falls back to insert if no id is provided.
+ */
+export const ingestPlannedWorkout = mutation({
+  args: plannedWorkoutValidator,
+  returns: v.id("plannedWorkouts"),
+  handler: async (ctx, args) => {
+    const metadataId = args.metadata.id;
+    if (metadataId) {
+      const results = await ctx.db
+        .query("plannedWorkouts")
+        .withIndex("by_connectionId", (q) =>
+          q.eq("connectionId", args.connectionId),
+        )
+        .collect();
+      const existing = results.find((r) => r.metadata.id === metadataId);
+
+      if (existing) {
+        await ctx.db.patch(existing._id, args);
+        return existing._id;
+      }
+    }
+    return await ctx.db.insert("plannedWorkouts", args);
+  },
+});
+
+/**
+ * List planned workout records for a user, optionally filtered by planned date range.
+ *
+ * @param args.userId - The host app's user identifier
+ * @param args.startDate - Optional lower bound (inclusive) on metadata.planned_date (YYYY-MM-DD)
+ * @param args.endDate - Optional upper bound (inclusive) on metadata.planned_date (YYYY-MM-DD)
+ * @param args.order - Sort order: "asc" or "desc" (default: "desc")
+ * @param args.limit - Optional max number of results to return
+ */
+export const listPlannedWorkouts = query({
+  args: {
+    userId: v.string(),
+    startDate: v.optional(v.string()),
+    endDate: v.optional(v.string()),
+    order: v.optional(v.union(v.literal("asc"), v.literal("desc"))),
+    limit: v.optional(v.number()),
+  },
+  handler: async (ctx, args) => {
+    const q = ctx.db
+      .query("plannedWorkouts")
+      .withIndex("by_userId_plannedDate", (q) => {
+        const base = q.eq("userId", args.userId);
+        if (args.startDate !== undefined && args.endDate !== undefined) {
+          return base
+            .gte("metadata.planned_date", args.startDate)
+            .lte("metadata.planned_date", args.endDate);
+        }
+        if (args.startDate !== undefined) {
+          return base.gte("metadata.planned_date", args.startDate);
+        }
+        if (args.endDate !== undefined) {
+          return base.lte("metadata.planned_date", args.endDate);
+        }
+        return base;
+      })
+      .order(args.order ?? "desc");
+    return args.limit ? await q.take(args.limit) : await q.collect();
+  },
+});
+
+/**
+ * Paginate planned workout records for a user, optionally filtered by planned date range.
+ *
+ * Returns `{ page, isDone, continueCursor }` for cursor-based pagination.
+ */
+export const paginatePlannedWorkouts = query({
+  args: {
+    userId: v.string(),
+    startDate: v.optional(v.string()),
+    endDate: v.optional(v.string()),
+    paginationOpts: paginationOptsValidator,
+  },
+  handler: async (ctx, args) => {
+    return await ctx.db
+      .query("plannedWorkouts")
+      .withIndex("by_userId_plannedDate", (q) => {
+        const base = q.eq("userId", args.userId);
+        if (args.startDate !== undefined && args.endDate !== undefined) {
+          return base
+            .gte("metadata.planned_date", args.startDate)
+            .lte("metadata.planned_date", args.endDate);
+        }
+        if (args.startDate !== undefined) {
+          return base.gte("metadata.planned_date", args.startDate);
+        }
+        if (args.endDate !== undefined) {
+          return base.lte("metadata.planned_date", args.endDate);
+        }
+        return base;
+      })
+      .order("desc")
+      .paginate(args.paginationOpts);
+  },
+});
+
+/**
+ * Delete a planned workout by document ID.
+ */
+export const deletePlannedWorkout = mutation({
+  args: { plannedWorkoutId: v.id("plannedWorkouts") },
+  returns: v.null(),
+  handler: async (ctx, args) => {
+    const existing = await ctx.db.get(args.plannedWorkoutId);
+    if (!existing) {
+      throw new Error(
+        `Planned workout "${args.plannedWorkoutId}" not found`,
+      );
+    }
+    await ctx.db.delete(existing._id);
+    return null;
+  },
+});
+
+/**
+ * Get a single planned workout by document ID.
+ */
+export const getPlannedWorkout = query({
+  args: { plannedWorkoutId: v.id("plannedWorkouts") },
+  handler: async (ctx, args) => {
+    return await ctx.db.get(args.plannedWorkoutId);
+  },
+});
+
 // ── Athletes ────────────────────────────────────────────────────────────────
 
 /**

package/src/component/schema.ts

@@ -115,26 +115,25 @@ export default defineSchema({
     .index("by_userId_plannedDate", ["userId", "metadata.planned_date"]),
 
   // ── Provider Tokens ────────────────────────────────────────────────────────
-  // OAuth tokens for cloud-based providers (Strava, Garmin, etc.).
+  // OAuth 2.0 tokens for cloud-based providers (Strava, Garmin, etc.).
   // Stored separately from connections to keep the connection table
   // provider-agnostic. One token record per connection.
   providerTokens: defineTable({
     connectionId: v.id("connections"),
     accessToken: v.string(),
-    refreshToken: v.optional(v.string()), // OAuth 2.0 providers (Strava)
-    tokenSecret: v.optional(v.string()), // OAuth 1.0a providers (Garmin)
-    expiresAt: v.optional(v.number()), // Unix epoch seconds; absent for permanent tokens
+    refreshToken: v.optional(v.string()),
+    expiresAt: v.optional(v.number()),
   }).index("by_connectionId", ["connectionId"]),
 
   // ── Pending OAuth ─────────────────────────────────────────────────────────
-  // Temporary storage for in-progress OAuth flows. Bridges the gap between
-  // initiating OAuth (Step 1) and the callback (Step 3) for providers like
-  // Garmin that use OAuth 1.0a and don't have a `state` parameter.
+  // Temporary storage for in-progress OAuth 2.0 PKCE flows. Bridges the gap
+  // between initiating OAuth (auth URL) and the callback (code exchange).
+  // The `state` parameter links the callback back to the pending entry.
   pendingOAuth: defineTable({
     provider: v.string(),
-    oauthToken: v.string(),
-    tokenSecret: v.string(),
+    state: v.string(),
+    codeVerifier: v.string(),
     userId: v.string(),
     createdAt: v.number(),
-  }).index("by_oauthToken", ["oauthToken"]),
+  }).index("by_state", ["state"]),
 });

package/src/component/strava.ts

@@ -75,7 +75,6 @@ export const getTokens = internalQuery({
       connectionId: v.id("connections"),
       accessToken: v.string(),
       refreshToken: v.optional(v.string()),
-      tokenSecret: v.optional(v.string()),
       expiresAt: v.optional(v.number()),
     }),
     v.null(),

package/src/garmin/auth.test.ts

@@ -1,128 +1,103 @@
 import { describe, expect, it } from "vitest";
 import {
-  buildOAuthSignature,
-  buildOAuthHeader,
-  percentEncode,
-  generateNonce,
-  getTimestamp,
+  generateCodeVerifier,
+  generateCodeChallenge,
+  generateState,
+  buildAuthUrl,
 } from "./auth.js";
 
-describe("percentEncode", () => {
-  it("encodes special characters per RFC 3986", () => {
-    expect(percentEncode("hello world")).toBe("hello%20world");
-    expect(percentEncode("a=b&c=d")).toBe("a%3Db%26c%3Dd");
-    expect(percentEncode("test!")).toBe("test%21");
-    expect(percentEncode("100%")).toBe("100%25");
+describe("generateCodeVerifier", () => {
+  it("returns a 64-character string by default", () => {
+    const verifier = generateCodeVerifier();
+    expect(verifier).toHaveLength(64);
   });
 
-  it("encodes characters that encodeURIComponent misses", () => {
-    expect(percentEncode("a'b")).toBe("a%27b");
-    expect(percentEncode("a(b)")).toBe("a%28b%29");
-    expect(percentEncode("a*b")).toBe("a%2Ab");
+  it("only contains valid PKCE characters", () => {
+    const verifier = generateCodeVerifier();
+    expect(verifier).toMatch(/^[A-Za-z0-9\-._~]+$/);
   });
 
-  it("does not encode unreserved characters", () => {
-    expect(percentEncode("abcXYZ123")).toBe("abcXYZ123");
-    expect(percentEncode("-._~")).toBe("-._~");
+  it("respects custom length", () => {
+    const verifier = generateCodeVerifier(128);
+    expect(verifier).toHaveLength(128);
+  });
+
+  it("generates unique values", () => {
+    const v1 = generateCodeVerifier();
+    const v2 = generateCodeVerifier();
+    expect(v1).not.toBe(v2);
   });
 });
 
-describe("generateNonce", () => {
-  it("returns a 32-character hex string", () => {
-    const nonce = generateNonce();
-    expect(nonce).toHaveLength(32);
-    expect(nonce).toMatch(/^[0-9a-f]+$/);
+describe("generateState", () => {
+  it("returns a 64-character hex string", () => {
+    const state = generateState();
+    expect(state).toHaveLength(64);
+    expect(state).toMatch(/^[0-9a-f]+$/);
   });
 
   it("generates unique values", () => {
-    const nonce1 = generateNonce();
-    const nonce2 = generateNonce();
-    expect(nonce1).not.toBe(nonce2);
+    const s1 = generateState();
+    const s2 = generateState();
+    expect(s1).not.toBe(s2);
   });
 });
 
-describe("getTimestamp", () => {
-  it("returns a Unix timestamp string", () => {
-    const ts = getTimestamp();
-    const parsed = parseInt(ts, 10);
-    expect(parsed).toBeGreaterThan(1700000000);
-    expect(String(parsed)).toBe(ts);
+describe("generateCodeChallenge", () => {
+  it("produces a base64url-encoded string", async () => {
+    const verifier = generateCodeVerifier();
+    const challenge = await generateCodeChallenge(verifier);
+    expect(challenge).toMatch(/^[A-Za-z0-9\-_]+$/);
+    expect(challenge).not.toContain("+");
+    expect(challenge).not.toContain("/");
+    expect(challenge).not.toContain("=");
   });
-});
-
-describe("buildOAuthSignature", () => {
-  it("produces a valid HMAC-SHA1 signature", async () => {
-    const signature = await buildOAuthSignature(
-      "GET",
-      "https://api.example.com/resource",
-      {
-        oauth_consumer_key: "consumer_key",
-        oauth_nonce: "kllo9940pd9333jh",
-        oauth_signature_method: "HMAC-SHA1",
-        oauth_timestamp: "1191242096",
-        oauth_version: "1.0",
-      },
-      "consumer_secret",
-      "",
-    );
 
-    expect(signature).toBeTruthy();
-    expect(typeof signature).toBe("string");
-    expect(signature).toMatch(/^[A-Za-z0-9+/]+=*$/);
+  it("produces different challenges for different verifiers", async () => {
+    const c1 = await generateCodeChallenge("verifier_one_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
+    const c2 = await generateCodeChallenge("verifier_two_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
+    expect(c1).not.toBe(c2);
   });
 
-  it("includes token secret in signing key when provided", async () => {
-    const sig1 = await buildOAuthSignature(
-      "POST",
-      "https://api.example.com/resource",
-      { oauth_consumer_key: "key", oauth_nonce: "abc", oauth_timestamp: "123" },
-      "consumer_secret",
-      "",
-    );
+  it("produces consistent challenges for the same verifier", async () => {
+    const verifier = "consistent_verifier_test_aaaaaaaaaaaaaaaaaa";
+    const c1 = await generateCodeChallenge(verifier);
+    const c2 = await generateCodeChallenge(verifier);
+    expect(c1).toBe(c2);
+  });
+});
 
-    const sig2 = await buildOAuthSignature(
-      "POST",
-      "https://api.example.com/resource",
-      { oauth_consumer_key: "key", oauth_nonce: "abc", oauth_timestamp: "123" },
-      "consumer_secret",
-      "token_secret",
-    );
+describe("buildAuthUrl", () => {
+  it("builds a valid authorization URL with required params", () => {
+    const url = buildAuthUrl({
+      clientId: "test-client-id",
+      codeChallenge: "test-challenge",
+    });
 
-    expect(sig1).not.toBe(sig2);
+    expect(url).toContain("https://connect.garmin.com/oauth2Confirm?");
+    expect(url).toContain("client_id=test-client-id");
+    expect(url).toContain("response_type=code");
+    expect(url).toContain("code_challenge=test-challenge");
+    expect(url).toContain("code_challenge_method=S256");
   });
 
-  it("sorts parameters alphabetically", async () => {
-    const sig1 = await buildOAuthSignature(
-      "GET",
-      "https://api.example.com/resource",
-      { z_param: "last", a_param: "first", m_param: "middle" },
-      "secret",
-    );
-    const sig2 = await buildOAuthSignature(
-      "GET",
-      "https://api.example.com/resource",
-      { a_param: "first", m_param: "middle", z_param: "last" },
-      "secret",
-    );
+  it("includes optional redirect_uri", () => {
+    const url = buildAuthUrl({
+      clientId: "test-client-id",
+      codeChallenge: "test-challenge",
+      redirectUri: "https://example.com/callback",
+    });
 
-    expect(sig1).toBe(sig2);
+    expect(url).toContain("redirect_uri=https%3A%2F%2Fexample.com%2Fcallback");
   });
-});
 
-describe("buildOAuthHeader", () => {
-  it("builds a valid OAuth Authorization header", () => {
-    const header = buildOAuthHeader({
-      oauth_consumer_key: "my_key",
-      oauth_nonce: "abc123",
-      oauth_signature: "sig%3D",
-      oauth_signature_method: "HMAC-SHA1",
-      oauth_timestamp: "1234567890",
-      oauth_version: "1.0",
+  it("includes optional state", () => {
+    const url = buildAuthUrl({
+      clientId: "test-client-id",
+      codeChallenge: "test-challenge",
+      state: "my-state-value",
     });
 
-    expect(header).toMatch(/^OAuth /);
-    expect(header).toContain('oauth_consumer_key="my_key"');
-    expect(header).toContain('oauth_nonce="abc123"');
-    expect(header).toContain('oauth_version="1.0"');
+    expect(url).toContain("state=my-state-value");
   });
 });