@nextsparkjs/plugin-social-media-publisher 0.1.0-beta.44 → 0.1.0-beta.46

package/api/social/connect/callback/docs.md

@@ -0,0 +1,155 @@
+# OAuth Callback API
+
+Handles OAuth redirect from Facebook after user authorization.
+
+## Endpoint
+
+```
+GET /api/v1/plugin/social-media-publisher/social/connect/callback
+```
+
+## Description
+
+This endpoint receives the OAuth redirect from Facebook, exchanges the authorization code for access tokens, encrypts them, and stores connected accounts in the database.
+
+## Query Parameters
+
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `code` | string | Authorization code from Facebook |
+| `state` | string | CSRF token with embedded clientId, platform, mode |
+| `error` | string | (Optional) Error if user denied permission |
+| `error_description` | string | (Optional) Error description |
+
+### State Format
+
+The state parameter contains embedded values:
+```
+{randomState}&platform={platform}&clientId={clientId}&mode={mode}
+```
+
+## Response
+
+This endpoint returns HTML pages that communicate with the parent window via postMessage.
+
+### Success Response
+
+Returns HTML page that:
+1. Displays success message
+2. Sends postMessage to opener window:
+```javascript
+{
+  type: 'oauth-success',
+  platform: 'instagram_business',
+  connectedCount: 1
+}
+```
+3. Closes popup after 2 seconds
+
+### Preview Mode Response
+
+When `mode=preview` in state, returns account data without saving:
+```javascript
+{
+  type: 'oauth-preview',
+  platform: 'instagram_business',
+  accounts: [
+    {
+      platform: 'instagram_business',
+      platformAccountId: 'ig_123',
+      username: '@myaccount',
+      accessToken: '...',
+      tokenExpiresAt: '2024-03-15T10:30:00Z',
+      permissions: ['instagram_basic', 'instagram_content_publish'],
+      accountMetadata: {
+        followersCount: 5000,
+        profilePictureUrl: '...'
+      }
+    }
+  ]
+}
+```
+
+### Error Response
+
+Returns HTML page that:
+1. Displays error message
+2. Sends postMessage to opener:
+```javascript
+{
+  type: 'oauth-error',
+  error: 'user_cancelled',
+  errorDescription: 'You cancelled the authorization process'
+}
+```
+3. Closes popup after 3 seconds
+
+## Error Types
+
+| Error Type | Description |
+|------------|-------------|
+| `user_cancelled` | User cancelled OAuth flow |
+| `app_not_authorized` | App not authorized by Facebook |
+| `meta_server_error` | Facebook server temporarily unavailable |
+| `missing_client` | Client ID not in state |
+| `missing_code` | Authorization code not provided |
+| `no_instagram_accounts` | No Instagram Business accounts found |
+| `callback_exception` | Server error during processing |
+
+## Account Types
+
+### Instagram Business
+
+Fetches Instagram accounts linked to Facebook Pages:
+- Requires Facebook Page with linked Instagram Business Account
+- Returns profile picture, followers count, media count
+- Uses Page access token for Instagram Graph API
+
+### Facebook Page
+
+Fetches Facebook Pages the user manages:
+- Returns page name, category, fan count
+- Uses Page access token for publishing
+
+## Token Handling
+
+1. Authorization code exchanged for user access token
+2. User token exchanged for long-lived Page tokens (60 days)
+3. Tokens encrypted with AES-256-GCM before storage
+4. Expiration tracked for auto-refresh on publish
+
+## Database Storage
+
+Accounts stored in `clients_social_platforms` table:
+- Linked to client via `parentId`
+- Upsert on `platformAccountId` conflict
+- Audit log entry created for each connection
+
+## Frontend Integration
+
+```typescript
+// Open OAuth popup
+const popup = window.open(
+  '/api/v1/plugin/social-media-publisher/social/connect?platform=instagram_business&clientId=xxx',
+  'oauth',
+  'width=600,height=700'
+)
+
+// Listen for callback
+window.addEventListener('message', (event) => {
+  if (event.origin !== window.location.origin) return
+
+  if (event.data.type === 'oauth-success') {
+    console.log(`Connected ${event.data.connectedCount} accounts`)
+    refreshAccountList()
+  } else if (event.data.type === 'oauth-error') {
+    console.error(event.data.errorDescription)
+  }
+})
+```
+
+## Related APIs
+
+- [Connect](/api/v1/plugin/social-media-publisher/social/connect) - Initiate OAuth flow
+- [Publish](/api/v1/plugin/social-media-publisher/social/publish) - Publish content
+- [Disconnect](/api/v1/plugin/social-media-publisher/social/disconnect) - Disconnect account

package/api/social/connect/callback/presets.ts

@@ -0,0 +1,47 @@
+/**
+ * API Presets for OAuth Callback
+ *
+ * OAuth redirect handler - typically not called directly
+ */
+
+import { defineApiEndpoint } from '@nextsparkjs/core/types/api-presets'
+
+export default defineApiEndpoint({
+  endpoint: '/api/v1/plugin/social-media-publisher/social/connect/callback',
+  summary: 'OAuth callback handler for social media connections (browser redirect)',
+  presets: [
+    {
+      id: 'callback-success',
+      title: 'Callback with Code',
+      description: 'OAuth callback with authorization code (browser redirect)',
+      method: 'GET',
+      params: {
+        code: '{{authorizationCode}}',
+        state: '{{state}}&platform=instagram_business&clientId={{clientId}}'
+      },
+      tags: ['oauth', 'callback']
+    },
+    {
+      id: 'callback-preview',
+      title: 'Callback Preview Mode',
+      description: 'OAuth callback in preview mode (returns data without saving)',
+      method: 'GET',
+      params: {
+        code: '{{authorizationCode}}',
+        state: '{{state}}&platform=instagram_business&clientId={{clientId}}&mode=preview'
+      },
+      tags: ['oauth', 'callback', 'preview']
+    },
+    {
+      id: 'callback-error',
+      title: 'Callback with Error',
+      description: 'OAuth callback when user denies permission',
+      method: 'GET',
+      params: {
+        error: 'access_denied',
+        error_description: 'User cancelled the authorization'
+      },
+      tags: ['oauth', 'callback', 'error']
+    }
+  ]
+})

package/api/social/connect/docs.md

@@ -0,0 +1,135 @@
+# Social Media Connect API
+
+Initiate OAuth flow and connect Facebook Pages or Instagram Business accounts.
+
+## Endpoints
+
+```
+GET  /api/v1/plugin/social-media-publisher/social/connect
+POST /api/v1/plugin/social-media-publisher/social/connect (deprecated)
+```
+
+## GET - Initiate OAuth Flow
+
+Redirects user to Facebook OAuth authorization page to connect their social media accounts.
+
+### Query Parameters
+
+| Parameter | Type | Required | Default | Description |
+|-----------|------|----------|---------|-------------|
+| `platform` | string | No | instagram_business | Platform to connect |
+| `clientId` | string | Yes | - | Client ID to associate accounts with |
+| `state` | string | No | - | Random state for CSRF protection |
+| `mode` | string | No | save | "preview" returns data without saving |
+
+### Supported Platforms
+
+- `instagram_business` - Instagram Business Account (requires linked Facebook Page)
+- `facebook_page` - Facebook Page
+
+### Example Request
+
+```
+GET /api/v1/plugin/social-media-publisher/social/connect?platform=instagram_business&clientId=client_123&state=abc123
+```
+
+### Response
+
+Redirects to Facebook OAuth authorization URL:
+```
+https://www.facebook.com/v18.0/dialog/oauth?client_id=...&redirect_uri=...&scope=...&state=...
+```
+
+### OAuth Scopes Requested
+
+**For Instagram Business:**
+- `instagram_basic` - Basic account info
+- `instagram_content_publish` - Publish content
+- `instagram_manage_comments` - Manage comments
+- `pages_show_list` - List Facebook Pages
+- `pages_read_engagement` - Read engagement metrics
+
+**For Facebook Pages:**
+- `pages_show_list` - List Facebook Pages
+- `pages_manage_posts` - Publish posts
+- `pages_read_engagement` - Read engagement
+
+## POST - Handle OAuth Callback (Deprecated)
+
+Use `/api/v1/plugin/social-media-publisher/social/connect/callback` instead.
+
+This endpoint receives the authorization code and exchanges it for access tokens.
+
+### Request Body
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `code` | string | Yes | Authorization code from OAuth |
+| `state` | string | No | State for CSRF validation |
+| `platform` | string | Yes | Platform type |
+
+### Success Response (200)
+
+```json
+{
+  "success": true,
+  "message": "Successfully connected 1 instagram_business account(s)",
+  "accounts": [
+    {
+      "id": "acc_123",
+      "platform": "instagram_business",
+      "accountName": "@myaccount",
+      "permissions": ["instagram_basic", "instagram_content_publish"],
+      "metadata": {
+        "followersCount": 5000,
+        "mediaCount": 150
+      },
+      "connectedAt": "2024-01-15T10:30:00Z"
+    }
+  ]
+}
+```
+
+## Error Responses
+
+| Status | Error | Description |
+|--------|-------|-------------|
+| 400 | Missing clientId | clientId parameter required |
+| 400 | Invalid platform | Platform must be facebook_page or instagram_business |
+| 401 | Authentication required | User not logged in |
+| 404 | No Instagram accounts | No Instagram Business accounts found |
+| 500 | OAuth failed | Failed to exchange code for token |
+
+## Setup
+
+Configure Facebook OAuth credentials:
+
+```bash
+# plugins/social-media-publisher/.env
+FACEBOOK_CLIENT_ID=your_app_id
+FACEBOOK_CLIENT_SECRET=your_app_secret
+NEXT_PUBLIC_APP_URL=https://your-app.com
+```
+
+## OAuth Flow
+
+1. Frontend calls GET with clientId and platform
+2. User redirected to Facebook OAuth
+3. User authorizes requested permissions
+4. Facebook redirects to callback endpoint
+5. Callback exchanges code for tokens
+6. Tokens encrypted and stored in database
+7. Popup closes and parent window notified
+
+## Security
+
+- All access tokens are encrypted with AES-256-GCM
+- CSRF protection via state parameter
+- Token expiration tracked for auto-refresh
+- Audit logs created for all connections
+
+## Related APIs
+
+- [OAuth Callback](/api/v1/plugin/social-media-publisher/social/connect/callback) - OAuth redirect handler
+- [Publish](/api/v1/plugin/social-media-publisher/social/publish) - Publish content
+- [Disconnect](/api/v1/plugin/social-media-publisher/social/disconnect) - Disconnect account

package/api/social/connect/presets.ts

@@ -0,0 +1,48 @@
+/**
+ * API Presets for Social Media Connect
+ *
+ * OAuth connection for Facebook Pages and Instagram Business
+ */
+
+import { defineApiEndpoint } from '@nextsparkjs/core/types/api-presets'
+
+export default defineApiEndpoint({
+  endpoint: '/api/v1/plugin/social-media-publisher/social/connect',
+  summary: 'Connect Facebook Pages and Instagram Business accounts via OAuth',
+  presets: [
+    {
+      id: 'connect-instagram',
+      title: 'Connect Instagram',
+      description: 'Initiate OAuth for Instagram Business',
+      method: 'GET',
+      params: {
+        platform: 'instagram_business',
+        clientId: '{{clientId}}'
+      },
+      tags: ['oauth', 'instagram']
+    },
+    {
+      id: 'connect-facebook',
+      title: 'Connect Facebook',
+      description: 'Initiate OAuth for Facebook Page',
+      method: 'GET',
+      params: {
+        platform: 'facebook_page',
+        clientId: '{{clientId}}'
+      },
+      tags: ['oauth', 'facebook']
+    },
+    {
+      id: 'preview-mode',
+      title: 'Preview Mode',
+      description: 'Get account data without saving',
+      method: 'GET',
+      params: {
+        platform: '{{platform}}',
+        clientId: '{{clientId}}',
+        mode: 'preview'
+      },
+      tags: ['oauth', 'preview']
+    }
+  ]
+})

package/api/social/disconnect/docs.md

@@ -0,0 +1,119 @@
+# Social Media Disconnect API
+
+Disconnect (deactivate) a social media account.
+
+## Endpoint
+
+```
+POST   /api/v1/plugin/social-media-publisher/social/disconnect
+DELETE /api/v1/plugin/social-media-publisher/social/disconnect/:accountId
+```
+
+## Authentication
+
+Requires dual authentication (session or API key).
+
+**Headers:**
+```
+Authorization: Bearer <session-token>
+# OR
+x-api-key: <api-key>
+x-team-id: <team-id>
+```
+
+## POST - Disconnect Account
+
+Marks a social media account as inactive (soft delete).
+
+### Request Body
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `accountId` | string | Yes | Social account UUID |
+
+### Example Request
+
+```json
+{
+  "accountId": "123e4567-e89b-12d3-a456-426614174000"
+}
+```
+
+### Success Response (200)
+
+```json
+{
+  "success": true,
+  "accountId": "123e4567-e89b-12d3-a456-426614174000",
+  "message": "Successfully disconnected @myaccount (instagram_business)"
+}
+```
+
+## DELETE - Disconnect Account (Alternative)
+
+Alternative method using account ID in URL path.
+
+### Example Request
+
+```
+DELETE /api/v1/plugin/social-media-publisher/social/disconnect/123e4567-e89b-12d3-a456-426614174000
+```
+
+### Success Response (200)
+
+Same as POST method.
+
+## Error Responses
+
+| Status | Error | Description |
+|--------|-------|-------------|
+| 400 | Validation failed | Invalid request body |
+| 400 | Invalid account ID format | UUID format invalid |
+| 400 | Account already disconnected | Account is already inactive |
+| 401 | Authentication required | Not authenticated |
+| 404 | Account not found | Account doesn't exist or no access |
+| 500 | Failed to disconnect | Server error during operation |
+
+### Example Error
+
+```json
+{
+  "error": "Account already disconnected",
+  "message": "This account is already inactive."
+}
+```
+
+## Behavior
+
+1. **Soft Delete**: Account is marked as `isActive = false`, not deleted
+2. **Tokens Preserved**: Encrypted tokens remain in database for potential reconnection
+3. **Audit Log**: Disconnect event logged with timestamp and user info
+4. **Idempotent**: Returns error if already disconnected
+
+## Audit Logging
+
+Disconnect events are logged:
+
+```json
+{
+  "action": "account_disconnected",
+  "details": {
+    "platform": "instagram_business",
+    "accountName": "@myaccount",
+    "success": true,
+    "disconnectedAt": "2024-01-15T10:30:00Z"
+  }
+}
+```
+
+## Reconnecting
+
+To reconnect a disconnected account:
+1. Use the [Connect](/api/v1/plugin/social-media-publisher/social/connect) endpoint
+2. OAuth flow will update the existing record
+3. Account becomes active again with fresh tokens
+
+## Related APIs
+
+- [Connect](/api/v1/plugin/social-media-publisher/social/connect) - Connect accounts
+- [Publish](/api/v1/plugin/social-media-publisher/social/publish) - Publish content

package/api/social/disconnect/presets.ts

@@ -0,0 +1,34 @@
+/**
+ * API Presets for Social Media Disconnect
+ *
+ * Disconnect (deactivate) social media accounts
+ */
+
+import { defineApiEndpoint } from '@nextsparkjs/core/types/api-presets'
+
+export default defineApiEndpoint({
+  endpoint: '/api/v1/plugin/social-media-publisher/social/disconnect',
+  summary: 'Disconnect and deactivate social media accounts',
+  presets: [
+    {
+      id: 'disconnect-post',
+      title: 'Disconnect Account (POST)',
+      description: 'Disconnect account using POST method',
+      method: 'POST',
+      payload: {
+        accountId: '{{accountId}}'
+      },
+      tags: ['write', 'disconnect']
+    },
+    {
+      id: 'disconnect-delete',
+      title: 'Disconnect Account (DELETE)',
+      description: 'Disconnect account using DELETE method with path param',
+      method: 'DELETE',
+      pathParams: {
+        accountId: '{{accountId}}'
+      },
+      tags: ['write', 'disconnect']
+    }
+  ]
+})

package/api/social/publish/docs.md

@@ -0,0 +1,169 @@
+# Social Media Publish API
+
+Publish content to connected Instagram Business or Facebook Page accounts.
+
+## Endpoint
+
+```
+POST /api/v1/plugin/social-media-publisher/social/publish
+```
+
+## Authentication
+
+Requires dual authentication (session or API key).
+
+**Headers:**
+```
+Authorization: Bearer <session-token>
+# OR
+x-api-key: <api-key>
+x-team-id: <team-id>
+```
+
+## Request Body
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `accountId` | string | Yes | Social platform account ID |
+| `platform` | string | Yes | Platform type (instagram_business, facebook_page) |
+| `imageUrl` | string | No* | Single image URL |
+| `imageUrls` | string[] | No* | Multiple image URLs for carousel (2-10) |
+| `caption` | string | No | Post caption/message |
+
+*Instagram requires at least one image. Facebook supports text-only posts.
+
+### Example: Single Image Post
+
+```json
+{
+  "accountId": "acc_123",
+  "platform": "instagram_business",
+  "imageUrl": "https://example.com/photo.jpg",
+  "caption": "Check out our new product! #launch"
+}
+```
+
+### Example: Carousel Post
+
+```json
+{
+  "accountId": "acc_123",
+  "platform": "instagram_business",
+  "imageUrls": [
+    "https://example.com/photo1.jpg",
+    "https://example.com/photo2.jpg",
+    "https://example.com/photo3.jpg"
+  ],
+  "caption": "Swipe through our collection!"
+}
+```
+
+### Example: Text-Only Post (Facebook)
+
+```json
+{
+  "accountId": "acc_456",
+  "platform": "facebook_page",
+  "caption": "Exciting news coming soon!"
+}
+```
+
+## Success Response (200)
+
+```json
+{
+  "success": true,
+  "platform": "instagram_business",
+  "postId": "17895695668004550",
+  "postUrl": "https://www.instagram.com/p/ABC123/",
+  "message": "Successfully published to instagram_business"
+}
+```
+
+## Error Responses
+
+| Status | Error | Description |
+|--------|-------|-------------|
+| 400 | Validation failed | Invalid request body |
+| 400 | Platform requires image | Instagram requires at least one image |
+| 400 | Invalid image URL | Image URL format invalid |
+| 400 | Invalid caption | Caption exceeds platform limit |
+| 401 | Authentication required | Not authenticated |
+| 403 | Account inactive | Account disconnected, needs reconnection |
+| 403 | Token expired | Token refresh failed, reconnect account |
+| 404 | Account not found | Account doesn't exist or no access |
+| 500 | Publishing failed | API error during publishing |
+
+### Example Error
+
+```json
+{
+  "error": "Publishing failed",
+  "platform": "instagram_business",
+  "details": "Invalid image URL",
+  "errorDetails": { ... }
+}
+```
+
+## Platform Requirements
+
+### Instagram Business
+
+- **Image Required**: Yes (single or carousel)
+- **Carousel**: 2-10 images
+- **Caption Limit**: 2,200 characters
+- **Image Formats**: JPEG, PNG
+- **Image Size**: Max 8MB per image
+- **Aspect Ratio**: 4:5 to 1.91:1
+
+### Facebook Page
+
+- **Image Required**: No (text-only allowed)
+- **Carousel**: 2-10 images
+- **Caption Limit**: 63,206 characters
+- **Image Formats**: JPEG, PNG, GIF
+- **Image Size**: Max 4MB per image
+
+## Token Auto-Refresh
+
+The endpoint automatically handles token refresh:
+
+1. Checks token expiration before publishing
+2. If expiring within 10 minutes, refreshes token
+3. Uses Meta's fb_exchange_token endpoint
+4. Re-encrypts new token in database
+5. Blocks publish if refresh fails (prevents wasted API calls)
+
+## Audit Logging
+
+All publish attempts are logged to `audit_logs` table:
+
+```json
+{
+  "action": "post_published",
+  "details": {
+    "platform": "instagram_business",
+    "accountName": "@myaccount",
+    "success": true,
+    "postId": "17895695668004550",
+    "postType": "carousel",
+    "imageCount": 3,
+    "caption": "...",
+    "publishedAt": "2024-01-15T10:30:00Z"
+  }
+}
+```
+
+## Image URL Requirements
+
+Image URLs must be:
+- Publicly accessible
+- HTTPS protocol
+- Valid image extension or content-type
+- Not behind authentication
+- Reachable from Meta's servers
+
+## Related APIs
+
+- [Connect](/api/v1/plugin/social-media-publisher/social/connect) - Connect accounts
+- [Disconnect](/api/v1/plugin/social-media-publisher/social/disconnect) - Disconnect accounts

package/api/social/publish/presets.ts

@@ -0,0 +1,78 @@
+/**
+ * API Presets for Social Media Publish
+ *
+ * Publish content to Facebook Pages and Instagram Business
+ */
+
+import { defineApiEndpoint } from '@nextsparkjs/core/types/api-presets'
+
+export default defineApiEndpoint({
+  endpoint: '/api/v1/plugin/social-media-publisher/social/publish',
+  summary: 'Publish photos, carousels, and text posts to social media',
+  presets: [
+    {
+      id: 'instagram-photo',
+      title: 'Instagram Photo',
+      description: 'Publish single photo to Instagram',
+      method: 'POST',
+      payload: {
+        accountId: '{{accountId}}',
+        platform: 'instagram_business',
+        imageUrl: '{{imageUrl}}',
+        caption: 'Check out our latest post!'
+      },
+      tags: ['write', 'instagram', 'photo']
+    },
+    {
+      id: 'instagram-carousel',
+      title: 'Instagram Carousel',
+      description: 'Publish multi-image carousel to Instagram',
+      method: 'POST',
+      payload: {
+        accountId: '{{accountId}}',
+        platform: 'instagram_business',
+        imageUrls: ['{{imageUrl1}}', '{{imageUrl2}}', '{{imageUrl3}}'],
+        caption: 'Swipe through our collection!'
+      },
+      tags: ['write', 'instagram', 'carousel']
+    },
+    {
+      id: 'facebook-photo',
+      title: 'Facebook Photo',
+      description: 'Publish photo to Facebook Page',
+      method: 'POST',
+      payload: {
+        accountId: '{{accountId}}',
+        platform: 'facebook_page',
+        imageUrl: '{{imageUrl}}',
+        caption: 'New post on our page!'
+      },
+      tags: ['write', 'facebook', 'photo']
+    },
+    {
+      id: 'facebook-text',
+      title: 'Facebook Text Post',
+      description: 'Publish text-only post to Facebook Page',
+      method: 'POST',
+      payload: {
+        accountId: '{{accountId}}',
+        platform: 'facebook_page',
+        caption: 'Exciting news coming soon!'
+      },
+      tags: ['write', 'facebook', 'text']
+    },
+    {
+      id: 'facebook-carousel',
+      title: 'Facebook Carousel',
+      description: 'Publish multi-image carousel to Facebook Page',
+      method: 'POST',
+      payload: {
+        accountId: '{{accountId}}',
+        platform: 'facebook_page',
+        imageUrls: ['{{imageUrl1}}', '{{imageUrl2}}'],
+        caption: 'Check out our photo gallery!'
+      },
+      tags: ['write', 'facebook', 'carousel']
+    }
+  ]
+})

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nextsparkjs/plugin-social-media-publisher",
-  "version": "0.1.0-beta.44",
+  "version": "0.1.0-beta.46",
   "private": false,
   "main": "./plugin.config.ts",
   "requiredPlugins": [],
@@ -10,7 +10,7 @@
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
     "zod": "^4.0.0",
-    "@nextsparkjs/core": "0.1.0-beta.44"
+    "@nextsparkjs/core": "0.1.0-beta.46"
   },
   "nextspark": {
     "type": "plugin",