@strav/social 0.4.31 → 1.0.0-alpha.24

package/src/ledger/apply_social_account_migration.ts

@@ -0,0 +1,66 @@
+/**
+ * `applySocialAccountMigration` — emit DDL for the
+ * `social_account` table plus its composite unique constraints
+ * and the `user_id` lookup index.
+ *
+ * Non-tenanted by default (framework policy: multitenancy is
+ * opt-in). Apps that need per-tenant scoping use
+ * `applyTenantedSocialAccountMigration` from
+ * `@strav/social/tenanted` instead.
+ *
+ * Apps drop one call into their migration:
+ *
+ * ```ts
+ * export const migration: Migration = {
+ *   name: '20260601000000_create_social_account',
+ *   async up(db) {
+ *     await applySocialAccountMigration(db, { registry })
+ *   },
+ *   async down(db) {
+ *     await db.execute(emitDropTable(socialAccountSchema.name).sql)
+ *   },
+ * }
+ * ```
+ */
+
+import {
+  emitCreateTable,
+  type DatabaseExecutor,
+  type SchemaRegistry,
+} from '@strav/database'
+import { socialAccountSchema } from './social_account_schema.ts'
+
+export interface ApplySocialAccountMigrationOptions {
+  /** Required for `emitCreateTable` to resolve relations. */
+  registry: SchemaRegistry
+}
+
+export async function applySocialAccountMigration(
+  db: DatabaseExecutor,
+  options: ApplySocialAccountMigrationOptions,
+): Promise<void> {
+  const { registry } = options
+
+  await db.execute(emitCreateTable(socialAccountSchema, { registry }).sql)
+
+  // Provider-identity uniqueness — one Google / Line / Facebook
+  // identity belongs to exactly one user. The sign-in lookup
+  // (`findByProviderIdentity`) leans on this index.
+  await db.execute(
+    `CREATE UNIQUE INDEX IF NOT EXISTS "idx_social_account_provider_identity"
+     ON "${socialAccountSchema.name}" ("provider", "provider_user_id")`,
+  )
+
+  // Per-user-per-provider uniqueness — a single user can only
+  // link one account per provider.
+  await db.execute(
+    `CREATE UNIQUE INDEX IF NOT EXISTS "idx_social_account_user_provider"
+     ON "${socialAccountSchema.name}" ("user_id", "provider")`,
+  )
+
+  // "All accounts for user" lookup — account-settings UI.
+  await db.execute(
+    `CREATE INDEX IF NOT EXISTS "idx_social_account_user"
+     ON "${socialAccountSchema.name}" ("user_id")`,
+  )
+}

package/src/ledger/index.ts

@@ -0,0 +1,12 @@
+export {
+  applySocialAccountMigration,
+  type ApplySocialAccountMigrationOptions,
+} from './apply_social_account_migration.ts'
+export { SocialAccount } from './social_account.ts'
+export { socialAccountSchema } from './social_account_schema.ts'
+export {
+  type ConnectInput,
+  type DisconnectInput,
+  SocialAccountAlreadyLinkedError,
+  SocialAccountRepository,
+} from './social_account_repository.ts'

package/src/ledger/social_account.ts

@@ -0,0 +1,32 @@
+/**
+ * `SocialAccount` — typed row of the linked-provider ledger.
+ *
+ * `@encrypt` on the token fields tells the Repository to wrap
+ * them through the registered `EncryptionProvider` on
+ * write/read. In memory they are plain strings; on disk they
+ * are bytea.
+ */
+
+import { encrypt, Model } from '@strav/database'
+import { socialAccountSchema } from './social_account_schema.ts'
+
+export class SocialAccount extends Model {
+  static override readonly schema = socialAccountSchema
+
+  id!: string
+  user_id!: string
+  provider!: string
+  provider_user_id!: string
+  email!: string | null
+  name!: string | null
+  avatar_url!: string | null
+  locale!: string | null
+  @encrypt access_token!: string
+  @encrypt refresh_token!: string | null
+  @encrypt id_token!: string | null
+  expires_at!: Date | null
+  scope!: string | null
+  metadata!: Record<string, unknown>
+  created_at!: Date
+  updated_at!: Date
+}

package/src/ledger/social_account_repository.ts

@@ -0,0 +1,203 @@
+/**
+ * `SocialAccountRepository` — domain helpers on top of the
+ * generic CRUD surface. The four methods apps actually use:
+ *
+ *   - `connect({ userId, provider, profile, tokens })` — upsert
+ *     by `(provider, provider_user_id)` within the tenant scope.
+ *     Runs on every sign-in: a returning user's tokens get
+ *     refreshed; a first-time link inserts.
+ *
+ *   - `disconnect({ userId, provider })` — delete the link.
+ *     Apps invoke this when the user unlinks a provider; for
+ *     full token revocation, drivers' `revoke()` runs separately
+ *     (this method doesn't reach the provider).
+ *
+ *   - `findByUser(userId)` — list every linked provider for a
+ *     user. Apps render account-settings UIs from this.
+ *
+ *   - `findByProviderIdentity(provider, providerUserId)` — the
+ *     sign-in lookup: "we just verified an OAuth identity, who
+ *     does it belong to?" Returns the row including `user_id`
+ *     so the caller can hydrate the app's User.
+ *
+ * Tokens are encrypted via the Model's `@encrypt` decorators —
+ * Repository hydration handles it transparently. Apps must have
+ * an `EncryptionProvider` registered; otherwise the first
+ * encrypt/decrypt throws `ConfigError`.
+ */
+
+import { quoteIdent, Repository } from '@strav/database'
+import { ulid } from '@strav/kernel'
+import type { OAuthTokens, SocialProfile } from '../dto/index.ts'
+import { SocialAccount } from './social_account.ts'
+import { socialAccountSchema } from './social_account_schema.ts'
+
+export interface ConnectInput {
+  /** App-side user id. */
+  userId: string
+  /** Provider-instance name (matches `social.use(name)`). Distinct from `profile.provider` when one driver is wired under multiple names. */
+  provider: string
+  profile: SocialProfile
+  tokens: OAuthTokens
+}
+
+export interface DisconnectInput {
+  userId: string
+  provider: string
+}
+
+export class SocialAccountRepository extends Repository<SocialAccount> {
+  static override readonly schema = socialAccountSchema
+  static override readonly model = SocialAccount
+
+  /**
+   * Upsert a social account by `(provider, provider_user_id)`.
+   * Insert on first link; update tokens + cached profile fields
+   * on subsequent sign-ins.
+   *
+   * No tenant scoping required — the default schema is
+   * non-tenanted. Apps that opted into the tenanted variant
+   * (`@strav/social/tenanted`) wrap calls in
+   * `TenantManager.withTenant(...)`; that variant ships its own
+   * Repository.
+   */
+  async connect(input: ConnectInput): Promise<SocialAccount> {
+    const existing = await this.findByProviderIdentity(
+      input.provider,
+      input.profile.id,
+    )
+    const now = new Date()
+
+    if (existing) {
+      // Cross-user link guard: if the existing row belongs to a
+      // different user, refuse — the app needs to resolve the
+      // conflict explicitly (typically "this Google account is
+      // already linked to another user").
+      if (existing.user_id !== input.userId) {
+        throw new SocialAccountAlreadyLinkedError({
+          provider: input.provider,
+          providerUserId: input.profile.id,
+          existingUserId: existing.user_id,
+          attemptedUserId: input.userId,
+        })
+      }
+      // Same user, returning sign-in: refresh tokens + cached
+      // profile fields via the standard Repository.update path
+      // (handles `@cast` / `@encrypt` round-trips for us).
+      return this.update(existing, {
+        email: input.profile.email ?? null,
+        name: input.profile.name ?? null,
+        avatar_url: input.profile.avatarUrl ?? null,
+        locale: input.profile.locale ?? null,
+        access_token: input.tokens.accessToken,
+        refresh_token: input.tokens.refreshToken ?? null,
+        id_token: input.tokens.idToken ?? null,
+        expires_at: input.tokens.expiresAt ?? null,
+        scope: input.tokens.scope ?? null,
+        updated_at: now,
+      } as Partial<SocialAccount>)
+    }
+
+    return this.create({
+      id: ulid(),
+      user_id: input.userId,
+      provider: input.provider,
+      provider_user_id: input.profile.id,
+      email: input.profile.email ?? null,
+      name: input.profile.name ?? null,
+      avatar_url: input.profile.avatarUrl ?? null,
+      locale: input.profile.locale ?? null,
+      access_token: input.tokens.accessToken,
+      refresh_token: input.tokens.refreshToken ?? null,
+      id_token: input.tokens.idToken ?? null,
+      expires_at: input.tokens.expiresAt ?? null,
+      scope: input.tokens.scope ?? null,
+      metadata: {},
+      created_at: now,
+      updated_at: now,
+    } as Partial<SocialAccount>)
+  }
+
+  /** Delete the link. No-op when nothing matches. */
+  async disconnect(input: DisconnectInput): Promise<void> {
+    const table = quoteIdent(socialAccountSchema.name)
+    await this.db.execute(
+      `DELETE FROM ${table} WHERE "user_id" = $1 AND "provider" = $2`,
+      [input.userId, input.provider],
+    )
+  }
+
+  /** Every social account linked to one user. */
+  async findByUser(userId: string): Promise<SocialAccount[]> {
+    const table = quoteIdent(socialAccountSchema.name)
+    const rows = await this.db.query<Record<string, unknown>>(
+      `SELECT * FROM ${table} WHERE "user_id" = $1 ORDER BY "created_at"`,
+      [userId],
+    )
+    return Promise.all(rows.map((r) => this.hydrate(r)))
+  }
+
+  /** Single (user, provider) lookup. */
+  async findByUserAndProvider(
+    userId: string,
+    provider: string,
+  ): Promise<SocialAccount | null> {
+    const table = quoteIdent(socialAccountSchema.name)
+    const rows = await this.db.query<Record<string, unknown>>(
+      `SELECT * FROM ${table} WHERE "user_id" = $1 AND "provider" = $2 LIMIT 1`,
+      [userId, provider],
+    )
+    if (rows.length === 0) return null
+    return this.hydrate(rows[0]!)
+  }
+
+  /**
+   * The sign-in lookup: given an OAuth identity, find the user
+   * it belongs to. Returns the account row (which includes
+   * `user_id`) or `null` when no link exists.
+   */
+  async findByProviderIdentity(
+    provider: string,
+    providerUserId: string,
+  ): Promise<SocialAccount | null> {
+    const table = quoteIdent(socialAccountSchema.name)
+    const rows = await this.db.query<Record<string, unknown>>(
+      `SELECT * FROM ${table}
+       WHERE "provider" = $1 AND "provider_user_id" = $2
+       LIMIT 1`,
+      [provider, providerUserId],
+    )
+    if (rows.length === 0) return null
+    return this.hydrate(rows[0]!)
+  }
+}
+
+/**
+ * Thrown when an OAuth identity is already linked to a DIFFERENT
+ * user than the caller is trying to attach it to. Apps catch this
+ * and surface a UI ("this Google account is already linked to
+ * <other_email>"). The framework refuses to silently move the
+ * link or fork the row.
+ */
+export class SocialAccountAlreadyLinkedError extends Error {
+  readonly provider: string
+  readonly providerUserId: string
+  readonly existingUserId: string
+  readonly attemptedUserId: string
+
+  constructor(info: {
+    provider: string
+    providerUserId: string
+    existingUserId: string
+    attemptedUserId: string
+  }) {
+    super(
+      `SocialAccount: provider "${info.provider}" identity "${info.providerUserId}" is already linked to user "${info.existingUserId}"; refusing to relink to "${info.attemptedUserId}".`,
+    )
+    this.name = 'SocialAccountAlreadyLinkedError'
+    this.provider = info.provider
+    this.providerUserId = info.providerUserId
+    this.existingUserId = info.existingUserId
+    this.attemptedUserId = info.attemptedUserId
+  }
+}

package/src/ledger/social_account_schema.ts

@@ -0,0 +1,75 @@
+/**
+ * `socialAccountSchema` — ledger of provider identities linked
+ * to app users. **Non-tenanted by default** (framework policy:
+ * multitenancy is opt-in). Apps that need per-tenant scoping
+ * import `tenantedSocialAccountSchema` from
+ * `@strav/social/tenanted` instead.
+ *
+ * Natural key is `(provider, provider_user_id)` — a given
+ * Google / Line / Facebook identity belongs to exactly one
+ * user. Composite uniqueness lives in the migration (the schema
+ * builder only exposes per-column `.unique()`).
+ *
+ * Tokens are encrypted-at-rest via `@strav/database`'s
+ * `t.encrypted(...)` column kind + `@encrypt` decorator on the
+ * Model. Apps must have an `EncryptionProvider` registered on
+ * the kernel container; otherwise the first repository call
+ * throws `ConfigError` at runtime.
+ *
+ * Why store tokens here at all: many apps need long-term
+ * offline access (Google `access_type=offline`) or to revoke
+ * later. Apps that only need "did this user sign in via X"
+ * set the encrypted columns to a sentinel via the Repository's
+ * upsert path and discard the real tokens after first use.
+ *
+ * Columns:
+ *
+ *   - `id`                 ULID PK.
+ *   - `user_id`            App-side user reference. Free-form
+ *                          string so apps with ULID / int / uuid
+ *                          PKs all fit.
+ *   - `provider`           Driver identifier (`'line'` /
+ *                          `'google'` / `'facebook'` / custom).
+ *   - `provider_user_id`   Provider-native subject id (Google
+ *                          `sub`, Line `userId`, Facebook `id`).
+ *   - `email`              Last known email — cached for app
+ *                          UI; canonical lookups go to the user.
+ *   - `name`               Last known display name.
+ *   - `avatar_url`         Last known avatar URL.
+ *   - `locale`             Last known locale (where the provider
+ *                          gives one; Line doesn't).
+ *   - `access_token`       Encrypted-at-rest.
+ *   - `refresh_token`      Encrypted-at-rest. Nullable (Facebook
+ *                          doesn't issue them).
+ *   - `id_token`           Encrypted-at-rest. Nullable (OIDC
+ *                          providers only).
+ *   - `expires_at`         When the access token expires.
+ *   - `scope`              Space-separated granted scope string.
+ *   - `metadata`           Free-form jsonb (provider extras).
+ *   - `created_at` / `updated_at`
+ */
+
+import { Archetype, defineSchema } from '@strav/database'
+
+export const socialAccountSchema = defineSchema(
+  'social_account',
+  Archetype.Entity,
+  (t) => {
+    t.id()
+    t.string('user_id').max(64).notNull()
+    t.string('provider').max(64).notNull()
+    t.string('provider_user_id').max(255).notNull()
+    t.string('email').max(320).nullable()
+    t.string('name').max(255).nullable()
+    t.string('avatar_url').max(1024).nullable()
+    t.string('locale').max(16).nullable()
+    t.encrypted('access_token').notNull()
+    t.encrypted('refresh_token').nullable()
+    t.encrypted('id_token').nullable()
+    t.timestamp('expires_at').nullable()
+    t.string('scope').max(512).nullable()
+    t.json('metadata').notNull().default({})
+    t.timestamp('created_at').notNull()
+    t.timestamp('updated_at').notNull()
+  },
+)

package/src/pkce.ts

@@ -0,0 +1,63 @@
+/**
+ * PKCE (Proof Key for Code Exchange) helpers — RFC 7636.
+ *
+ * For public clients (mobile, SPA, even server-side apps that
+ * can't keep a "client secret" truly secret), PKCE makes the
+ * authorization code worthless to an attacker who intercepts it
+ * mid-flight. Google requires PKCE on all new flows; Line supports
+ * it; Facebook ignores it.
+ *
+ * Flow:
+ *
+ *   1. `randomCodeVerifier()` → high-entropy random string.
+ *      Apps store this against the user's session for the
+ *      callback step.
+ *   2. `codeChallengeFor(verifier)` → base64url(sha256(verifier)).
+ *      Drivers include this on the authorize URL as
+ *      `code_challenge` + `code_challenge_method=S256`.
+ *   3. On callback, apps pass the stored verifier into
+ *      `driver.exchange({...codeVerifier})`. The provider
+ *      hashes it again and rejects the exchange if the hashes
+ *      don't match.
+ *
+ * Plain (S256-only) implementation — we never emit `method=plain`.
+ */
+
+const VERIFIER_LENGTH = 64 // RFC allows 43–128; 64 is comfortably above floor.
+
+/**
+ * Cryptographically-strong random verifier (URL-safe alphabet).
+ * 64 chars at 6 bits/char ≈ 384 bits of entropy.
+ */
+export function randomCodeVerifier(): string {
+  const bytes = new Uint8Array(VERIFIER_LENGTH)
+  crypto.getRandomValues(bytes)
+  return base64UrlEncode(bytes).slice(0, VERIFIER_LENGTH)
+}
+
+/** SHA-256 → base64url. The challenge the provider stores until callback. */
+export async function codeChallengeFor(verifier: string): Promise<string> {
+  const buf = new TextEncoder().encode(verifier)
+  const hash = await crypto.subtle.digest('SHA-256', buf)
+  return base64UrlEncode(new Uint8Array(hash))
+}
+
+/**
+ * Random state — opaque CSRF token apps include on the
+ * authorize URL and verify on the callback. Drivers expose the
+ * verification helper (`assertStateMatches`) so apps don't
+ * have to roll the comparison themselves.
+ */
+export function randomState(): string {
+  const bytes = new Uint8Array(32)
+  crypto.getRandomValues(bytes)
+  return base64UrlEncode(bytes)
+}
+
+function base64UrlEncode(bytes: Uint8Array): string {
+  // btoa needs a binary string; Bun + browsers + Node 18+ all
+  // handle this idiom identically.
+  let s = ''
+  for (let i = 0; i < bytes.length; i++) s += String.fromCharCode(bytes[i]!)
+  return btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
+}

package/src/social_capabilities.ts

@@ -0,0 +1,35 @@
+/**
+ * `SocialCapability` — feature flags every driver declares.
+ *
+ * Apps that build account-connect UI check these to gate buttons
+ * / scopes / refresh-token flows. Drivers omit a flag when they
+ * can't fulfil it faithfully — partial / surprising behaviour is
+ * worse than `ProviderUnsupportedError`.
+ *
+ * Granularity is intentionally fine: e.g. Facebook supports
+ * `tokens.refresh` only for long-lived tokens issued by the Pages
+ * API path, so v1 marks it unsupported; Line supports it
+ * uniformly.
+ */
+
+export type SocialCapability =
+  // OIDC vs plain OAuth2
+  | 'openid' // returns an id_token + nonce flow
+  | 'pkce.support' // accepts PKCE (codeChallenge / codeVerifier)
+  | 'pkce.required' // mandates PKCE (Google)
+  // Profile data we can normalize
+  | 'profile.id'
+  | 'profile.email'
+  | 'profile.emailVerified'
+  | 'profile.name'
+  | 'profile.avatar'
+  | 'profile.locale'
+  // Token operations
+  | 'tokens.exchange'
+  | 'tokens.refresh'
+  | 'tokens.revoke'
+  | 'tokens.introspect'
+  // Scopes — each driver exposes its supported list separately
+  // via `driver.availableScopes`, but the flag here gates
+  // "scope picker UI" generation.
+  | 'scopes.discoverable'

package/src/social_driver.ts

@@ -0,0 +1,143 @@
+/**
+ * `SocialDriver` — the driver contract every adapter implements.
+ *
+ * One driver represents a configured provider instance
+ * (`config.social.providers[name]`). The manager holds one
+ * driver per configured name and routes calls into it.
+ *
+ * ## Capability gating — the "honest LSP violation" pattern
+ *
+ * Strictly speaking, the interface below violates Liskov substitution
+ * because `FacebookSocialDriver.refresh()` throws synchronously instead
+ * of returning `Promise<OAuthTokens>` (Facebook doesn't issue refresh
+ * tokens). Same shape for any future driver that lacks an operation
+ * its interface declares.
+ *
+ * The framework prefers this trade-off over the alternative (every
+ * provider gets its own narrowed sub-interface, every app does a
+ * `if (isRefreshable(driver))` narrowing dance) for three reasons:
+ *
+ *   1. **Discoverability**: apps see ONE `SocialDriver` interface
+ *      with all the operations a sign-in flow needs. They learn the
+ *      surface once, not per-adapter.
+ *
+ *   2. **Capability flags are the typed truth**: each driver
+ *      declares `capabilities: ReadonlySet<SocialCapability>`. Apps
+ *      that care about portability check the flag and branch — the
+ *      `unsupported` throw becomes the safety net for callers who
+ *      forgot, not the primary API.
+ *
+ *   3. **Failures are loud and synchronous**. Drivers use the
+ *      `unsupported(provider, op, reason?)` helper so the throw
+ *      happens on the function call, NOT after a network round-trip
+ *      had a chance to bill the user / consume rate limit. Apps fail
+ *      fast.
+ *
+ * Apps that want compile-time safety against unsupported ops wrap the
+ * driver themselves:
+ *
+ * ```ts
+ * function refreshableDriver(d: SocialDriver) {
+ *   if (!d.capabilities.has('tokens.refresh')) return null
+ *   return d  // narrowed by convention; refresh() is now safe to call.
+ * }
+ * ```
+ *
+ * A split into `SocialDriver` + `RefreshableSocialDriver` + ... may
+ * land later (`docs/code-quality.md` action item #4) — but doing so
+ * carries the manager's `use(name): SocialDriver` return type through
+ * a wider refactor. Until then, the capability set IS the contract.
+ */
+
+import type { OAuthTokens, SocialProfile } from './dto/index.ts'
+import type { SocialCapability } from './social_capabilities.ts'
+
+export interface AuthorizeInput {
+  /**
+   * Where the provider redirects after consent. Must match
+   * what's registered in the provider's developer console.
+   */
+  redirectUri: string
+  /**
+   * OAuth scope list. Drivers expose `availableScopes` for
+   * apps that want to render a picker; apps usually hard-code
+   * `['profile', 'email']` or `['openid', 'profile', 'email']`.
+   */
+  scopes?: readonly string[]
+  /**
+   * Override the CSRF state. When omitted, the driver generates
+   * one via `randomState()`. Apps that already have a
+   * session-bound nonce (and want to use it as state) pass it
+   * here.
+   */
+  state?: string
+  /**
+   * Override the PKCE code verifier. When omitted AND the driver
+   * supports/requires PKCE, the driver generates one and returns
+   * it on the result. Apps store the returned verifier against
+   * the session for the callback step.
+   */
+  codeVerifier?: string
+  /**
+   * Provider-specific extra query parameters (e.g. `prompt`,
+   * `access_type`, `bot_prompt` for Line). The driver merges
+   * these into the authorize URL after the standard params.
+   */
+  extra?: Record<string, string>
+}
+
+export interface AuthorizeResult {
+  /** The full URL the app redirects the customer to. */
+  url: string
+  state: string
+  /** Set when the driver issued / accepted a PKCE verifier. Apps persist this against the session. */
+  codeVerifier?: string
+}
+
+export interface ExchangeInput {
+  code: string
+  redirectUri: string
+  /** Pass the state value the app stored at authorize-time. The driver verifies it matches `expectedState` (which the app provides on the callback). */
+  state?: string
+  /** Expected state — `state` from the AuthorizeResult the app stored. */
+  expectedState?: string
+  /** PKCE verifier — required by drivers that declared `pkce.required`. */
+  codeVerifier?: string
+}
+
+export interface RefreshInput {
+  refreshToken: string
+  /** Optional narrowed scope list. Most providers ignore this. */
+  scopes?: readonly string[]
+}
+
+export interface SocialDriver {
+  /** Driver identifier — `'line'` / `'google'` / `'facebook'`. */
+  readonly name: string
+  /** App-chosen instance name (`config.social.providers[name]`). */
+  readonly instanceName: string
+  readonly capabilities: ReadonlySet<SocialCapability>
+  /** Provider-supported scope list. Apps render pickers from this; drivers reject unknown scopes at authorize time. */
+  readonly availableScopes: readonly string[]
+
+  /** Build the authorize URL + emit state / PKCE artefacts the app stores. */
+  authorize(input: AuthorizeInput): Promise<AuthorizeResult>
+
+  /** Exchange the callback code for tokens. Verifies state when both `state` and `expectedState` are provided. */
+  exchange(input: ExchangeInput): Promise<OAuthTokens>
+
+  /** Fetch the normalized user profile using a valid access token. */
+  profile(accessToken: string): Promise<SocialProfile>
+
+  /** Trade a refresh token for a fresh access token. Drivers without the `tokens.refresh` capability throw. */
+  refresh(input: RefreshInput): Promise<OAuthTokens>
+
+  /** Revoke a token. Drivers without `tokens.revoke` throw. */
+  revoke(token: string): Promise<void>
+}
+
+/** Factory the manager invokes per configured provider. */
+export type SocialDriverFactory = (config: {
+  instanceName: string
+  config: Record<string, unknown> & { driver: string }
+}) => SocialDriver