@open-mercato/channel-gmail 0.6.4

package/src/modules/channel_gmail/lib/oauth.ts

@@ -0,0 +1,128 @@
+/**
+ * Thin Gmail OAuth client wrapper. Uses raw `fetch` against Google's well-known
+ * endpoints so the adapter can stay agnostic of the `googleapis` SDK and tests
+ * can stub `setGoogleOAuthClient(...)` without loading the SDK at all.
+ *
+ * Endpoints — locked to Google's documented OAuth2 v2 surface:
+ *   - Authorize  https://accounts.google.com/o/oauth2/v2/auth
+ *   - Token      https://oauth2.googleapis.com/token
+ *   - Userinfo   https://www.googleapis.com/oauth2/v3/userinfo
+ */
+
+import {
+  requestOAuthToken,
+  tokenResponseToExpiresAt,
+  type OAuthTokenResponse,
+} from '@open-mercato/core/modules/communication_channels/lib/oauth-token'
+import { parseScopes } from './credentials'
+
+export { tokenResponseToExpiresAt }
+
+export const GMAIL_OAUTH_AUTHORIZE_URL = 'https://accounts.google.com/o/oauth2/v2/auth'
+export const GMAIL_OAUTH_TOKEN_URL = 'https://oauth2.googleapis.com/token'
+export const GMAIL_OAUTH_USERINFO_URL = 'https://www.googleapis.com/oauth2/v3/userinfo'
+
+export interface BuildAuthorizeUrlInput {
+  clientId: string
+  redirectUri: string
+  state: string
+  scopes: string[]
+  loginHint?: string
+}
+
+export interface ExchangeCodeInput {
+  clientId: string
+  clientSecret: string
+  redirectUri: string
+  code: string
+}
+
+export interface RefreshTokenInput {
+  clientId: string
+  clientSecret: string
+  refreshToken: string
+}
+
+export type TokenResponse = OAuthTokenResponse
+
+export interface UserInfoResponse {
+  sub?: string
+  email?: string
+  email_verified?: boolean
+  name?: string
+  picture?: string
+}
+
+export interface GoogleOAuthClient {
+  buildAuthorizeUrl(input: BuildAuthorizeUrlInput): string
+  exchangeCode(input: ExchangeCodeInput): Promise<TokenResponse>
+  refreshToken(input: RefreshTokenInput): Promise<TokenResponse>
+  fetchUserInfo(accessToken: string): Promise<UserInfoResponse>
+}
+
+class RealGoogleOAuthClient implements GoogleOAuthClient {
+  buildAuthorizeUrl(input: BuildAuthorizeUrlInput): string {
+    const url = new URL(GMAIL_OAUTH_AUTHORIZE_URL)
+    url.searchParams.set('client_id', input.clientId)
+    url.searchParams.set('redirect_uri', input.redirectUri)
+    url.searchParams.set('response_type', 'code')
+    url.searchParams.set('scope', (input.scopes.length ? input.scopes : parseScopes(undefined)).join(' '))
+    url.searchParams.set('state', input.state)
+    url.searchParams.set('access_type', 'offline')
+    url.searchParams.set('prompt', 'consent')
+    url.searchParams.set('include_granted_scopes', 'true')
+    if (input.loginHint) url.searchParams.set('login_hint', input.loginHint)
+    return url.toString()
+  }
+
+  async exchangeCode(input: ExchangeCodeInput): Promise<TokenResponse> {
+    const params = new URLSearchParams()
+    params.set('grant_type', 'authorization_code')
+    params.set('code', input.code)
+    params.set('redirect_uri', input.redirectUri)
+    params.set('client_id', input.clientId)
+    params.set('client_secret', input.clientSecret)
+    return requestOAuthToken(GMAIL_OAUTH_TOKEN_URL, params, {
+      errorLabel: 'Gmail OAuth code exchange failed',
+    })
+  }
+
+  async refreshToken(input: RefreshTokenInput): Promise<TokenResponse> {
+    const params = new URLSearchParams()
+    params.set('grant_type', 'refresh_token')
+    params.set('refresh_token', input.refreshToken)
+    params.set('client_id', input.clientId)
+    params.set('client_secret', input.clientSecret)
+    return requestOAuthToken(GMAIL_OAUTH_TOKEN_URL, params, {
+      errorLabel: 'Gmail OAuth refresh failed',
+    })
+  }
+
+  async fetchUserInfo(accessToken: string): Promise<UserInfoResponse> {
+    const controller = new AbortController()
+    const timeout = setTimeout(() => controller.abort(), 10_000)
+    try {
+      const res = await fetch(GMAIL_OAUTH_USERINFO_URL, {
+        headers: { Authorization: `Bearer ${accessToken}` },
+        signal: controller.signal,
+      })
+      if (!res.ok) {
+        throw new Error(`Gmail userinfo fetch failed: ${res.status} ${res.statusText}`)
+      }
+      return (await res.json()) as UserInfoResponse
+    } finally {
+      clearTimeout(timeout)
+    }
+  }
+}
+
+let cachedClient: GoogleOAuthClient | null = null
+
+export function getGoogleOAuthClient(): GoogleOAuthClient {
+  if (!cachedClient) cachedClient = new RealGoogleOAuthClient()
+  return cachedClient
+}
+
+export function setGoogleOAuthClient(client: GoogleOAuthClient | null): void {
+  cachedClient = client
+}

package/src/modules/channel_gmail/setup.ts

@@ -0,0 +1,36 @@
+import type { ModuleSetupConfig } from '@open-mercato/shared/modules/setup'
+import {
+  hasChannelAdapter,
+  registerChannelAdapter,
+} from '@open-mercato/core/modules/communication_channels/lib/adapter-registry-singleton'
+import { getGmailChannelAdapter } from './lib/adapter'
+
+/**
+ * Register the Gmail `ChannelAdapter` once per process at import time. The
+ * registry is process-wide so the underlying `setRegister` call is idempotent;
+ * we guard with `hasChannelAdapter` to silence the registry's duplicate error
+ * on dev-mode HMR + repeated test imports.
+ *
+ * Tenant-level OAuth client config (Client ID + Client Secret) is persisted via
+ * the standard `IntegrationCredentials` flow for the `gmail` provider; this
+ * module does not preconfigure per-tenant credentials from env (Google Cloud
+ * Console projects are explicit per-tenant).
+ */
+function ensureGmailAdapterRegistered(): void {
+  if (hasChannelAdapter('gmail')) return
+  registerChannelAdapter(getGmailChannelAdapter())
+}
+
+ensureGmailAdapterRegistered()
+
+export const setup: ModuleSetupConfig = {
+  defaultRoleFeatures: {
+    superadmin: ['channel_gmail.view', 'channel_gmail.configure'],
+    admin: ['channel_gmail.view', 'channel_gmail.configure'],
+  },
+  async onTenantCreated() {
+    ensureGmailAdapterRegistered()
+  },
+}
+
+export default setup

package/src/modules/channel_gmail/widgets/injection/connect/widget.client.tsx

@@ -0,0 +1,28 @@
+'use client'
+
+import * as React from 'react'
+import type { InjectionWidgetComponentProps } from '@open-mercato/shared/modules/widgets/injection'
+import { useT } from '@open-mercato/shared/lib/i18n/context'
+import { SocialButton } from '@open-mercato/ui/primitives/social-button'
+import { useConnectChannel } from '@open-mercato/core/modules/communication_channels/lib/use-connect-channel'
+
+export default function ConnectGmailWidget(
+  _props: InjectionWidgetComponentProps<Record<string, unknown>, Record<string, unknown>>,
+) {
+  const t = useT()
+  const { connect, pending } = useConnectChannel({ providerKey: 'gmail' })
+
+  return (
+    <SocialButton
+      type="button"
+      brand="google"
+      appearance="stroke"
+      onClick={() => void connect()}
+      disabled={pending}
+    >
+      {pending
+        ? t('communication_channels.profile.connect.connecting', 'Connecting...')
+        : t('communication_channels.profile.connect.gmail', 'Connect Gmail')}
+    </SocialButton>
+  )
+}

package/src/modules/channel_gmail/widgets/injection/connect/widget.ts

@@ -0,0 +1,16 @@
+import type { InjectionWidgetModule } from '@open-mercato/shared/modules/widgets/injection'
+import ConnectGmailWidget from './widget.client'
+
+const widget: InjectionWidgetModule<Record<string, unknown>, Record<string, unknown>> = {
+  metadata: {
+    id: 'channel_gmail.injection.connect',
+    title: 'Connect Gmail',
+    description: 'Starts the per-user Gmail OAuth connection flow.',
+    features: ['communication_channels.connect_user_channel'],
+    priority: 120,
+    enabled: true,
+  },
+  Widget: ConnectGmailWidget,
+}
+
+export default widget

package/src/modules/channel_gmail/widgets/injection-table.ts

@@ -0,0 +1,12 @@
+import type { ModuleInjectionTable } from '@open-mercato/shared/modules/widgets/injection'
+
+export const injectionTable: ModuleInjectionTable = {
+  'profile:communication-channels:connect': [
+    {
+      widgetId: 'channel_gmail.injection.connect',
+      priority: 120,
+    },
+  ],
+}
+
+export default injectionTable

package/tsconfig.json

@@ -0,0 +1,9 @@
+{
+  "$schema": "https://json.schemastore.org/tsconfig",
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "noEmit": true
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist", "**/__tests__/**"]
+}

package/watch.mjs

@@ -0,0 +1,7 @@
+import { watch } from '../../scripts/watch.mjs'
+import { dirname } from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+const __dirname = dirname(fileURLToPath(import.meta.url))
+
+watch(__dirname)