backend-manager 5.0.42 → 5.0.44

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "backend-manager",
-  "version": "5.0.42",
+  "version": "5.0.44",
   "description": "Quick tools for developing Firebase functions",
   "main": "src/manager/index.js",
   "bin": {

package/src/manager/routes/user/delete.js

@@ -49,10 +49,10 @@ module.exports = async ({ assistant, Manager, user, settings, libraries }) => {
     response: 'json',
     tries: 2,
     log: true,
-    headers: {
-      'Authorization': `Bearer ${process.env.BACKEND_MANAGER_KEY}`,
+    body: {
+      uid,
+      backendManagerKey: process.env.BACKEND_MANAGER_KEY,
     },
-    body: { uid },
   })
     .then((json) => {
       assistant.log(`Sign out of all sessions success`, json);
@@ -62,10 +62,11 @@ module.exports = async ({ assistant, Manager, user, settings, libraries }) => {
     });
 
   // Delete the user
-  await admin.auth().deleteUser(uid)
-    .catch((e) => {
-      return assistant.respond(`Failed to delete user: ${e}`, { code: 500 });
-    });
+  try {
+    await admin.auth().deleteUser(uid);
+  } catch (e) {
+    return assistant.respond(`Failed to delete user: ${e}`, { code: 500 });
+  }
 
   return assistant.respond({ success: true });
 };

package/src/manager/routes/user/oauth2/_helpers.js

@@ -0,0 +1,176 @@
+const crypto = require('crypto');
+const fetch = require('wonderful-fetch');
+const { arrayify } = require('node-powertools');
+
+// Constants
+const STATE_TTL_MINUTES = 10;
+
+// Derive OAuth state encryption key from BACKEND_MANAGER_KEY
+const STATE_KEY = process.env.BACKEND_MANAGER_KEY
+  ? crypto.createHash('sha256').update(`oauth2-state:${process.env.BACKEND_MANAGER_KEY}`).digest('hex')
+  : null;
+
+/**
+ * Build context object with common OAuth2 data
+ * Used by GET, POST, DELETE handlers
+ */
+async function buildContext({ assistant, Manager, user, settings, libraries, requireProvider = true }) {
+  const { admin } = libraries;
+
+  // Require authentication
+  if (!user.authenticated) {
+    return { error: { message: 'Authentication required', code: 401 } };
+  }
+
+  // Get target user (admin can manage other users)
+  const targetUid = settings.uid || user.auth.uid;
+
+  if (targetUid !== user.auth.uid && !user.roles.admin) {
+    return { error: { message: 'Admin required to manage other users', code: 403 } };
+  }
+
+  // Resolve target user data
+  let targetUser = user;
+
+  if (targetUid !== user.auth.uid) {
+    const doc = await admin.firestore().doc(`users/${targetUid}`).get();
+
+    if (!doc.exists) {
+      return { error: { message: 'User not found', code: 404 } };
+    }
+
+    targetUser = doc.data();
+  }
+
+  // Build redirect URI
+  const redirectUri = assistant.isDevelopment()
+    ? 'https://localhost:4000/oauth2'
+    : `${Manager.config.brand.url}/oauth2`;
+
+  // If provider not required (e.g., tokenize gets it from encrypted state), skip loading
+  if (!requireProvider) {
+    return {
+      assistant,
+      Manager,
+      admin,
+      settings,
+      targetUid,
+      targetUser,
+      redirectUri,
+    };
+  }
+
+  // Provider is required
+  if (!settings.provider) {
+    return { error: { message: 'The provider parameter is required', code: 400 } };
+  }
+
+  // Load provider module
+  let oauth2Provider;
+
+  try {
+    oauth2Provider = require(`./providers/${settings.provider}.js`);
+  } catch (e) {
+    return { error: { message: `Unknown OAuth2 provider: ${settings.provider}`, code: 400 } };
+  }
+
+  // Get OAuth2 credentials
+  const providerEnvKey = settings.provider.toUpperCase().replace(/-/g, '_');
+  const clientId = process.env[`OAUTH2_${providerEnvKey}_CLIENT_ID`];
+  const clientSecret = process.env[`OAUTH2_${providerEnvKey}_CLIENT_SECRET`];
+
+  return {
+    assistant,
+    Manager,
+    admin,
+    oauth2Provider,
+    settings,
+    targetUid,
+    targetUser,
+    clientId,
+    clientSecret,
+    redirectUri,
+  };
+}
+
+/**
+ * Load provider and credentials from provider name
+ */
+function loadProvider(providerName) {
+  let oauth2Provider;
+
+  try {
+    oauth2Provider = require(`./providers/${providerName}.js`);
+  } catch (e) {
+    return { error: { message: `Unknown OAuth2 provider: ${providerName}`, code: 400 } };
+  }
+
+  const providerEnvKey = providerName.toUpperCase().replace(/-/g, '_');
+  const clientId = process.env[`OAUTH2_${providerEnvKey}_CLIENT_ID`];
+  const clientSecret = process.env[`OAUTH2_${providerEnvKey}_CLIENT_SECRET`];
+
+  return { oauth2Provider, clientId, clientSecret };
+}
+
+// ============================================================================
+// Crypto Helpers
+// ============================================================================
+
+function generateCsrfToken() {
+  return crypto.randomBytes(32).toString('hex');
+}
+
+function encryptState(data) {
+  if (!STATE_KEY) {
+    throw new Error('BACKEND_MANAGER_KEY not configured');
+  }
+
+  const iv = crypto.randomBytes(16);
+  const cipher = crypto.createCipheriv('aes-256-gcm', Buffer.from(STATE_KEY, 'hex'), iv);
+
+  let encrypted = cipher.update(JSON.stringify(data), 'utf8', 'base64');
+  encrypted += cipher.final('base64');
+
+  const authTag = cipher.getAuthTag().toString('base64');
+
+  return `${iv.toString('base64')}.${encrypted}.${authTag}`;
+}
+
+function decryptState(encryptedState) {
+  if (!STATE_KEY) {
+    throw new Error('BACKEND_MANAGER_KEY not configured');
+  }
+
+  const parts = encryptedState.split('.');
+
+  if (parts.length !== 3) {
+    throw new Error('Invalid state format');
+  }
+
+  const [ivB64, encryptedB64, authTagB64] = parts;
+
+  const iv = Buffer.from(ivB64, 'base64');
+  const encrypted = Buffer.from(encryptedB64, 'base64');
+  const authTag = Buffer.from(authTagB64, 'base64');
+
+  const decipher = crypto.createDecipheriv('aes-256-gcm', Buffer.from(STATE_KEY, 'hex'), iv);
+  decipher.setAuthTag(authTag);
+
+  let decrypted = decipher.update(encrypted, 'base64', 'utf8');
+  decrypted += decipher.final('utf8');
+
+  return JSON.parse(decrypted);
+}
+
+module.exports = {
+  STATE_TTL_MINUTES,
+  STATE_KEY,
+  buildContext,
+  loadProvider,
+  generateCsrfToken,
+  encryptState,
+  decryptState,
+  // Re-export utilities for handlers
+  fetch,
+  arrayify,
+};

package/src/manager/routes/user/oauth2/delete.js

@@ -0,0 +1,42 @@
+const {
+  buildContext,
+} = require('./_helpers.js');
+
+/**
+ * DELETE /user/oauth2 - Remove OAuth connection
+ *
+ * Revokes tokens with the provider (best effort) and removes the connection.
+ */
+module.exports = async ({ assistant, Manager, user, settings, libraries }) => {
+  const context = await buildContext({ assistant, Manager, user, settings, libraries });
+
+  if (context.error) {
+    return assistant.respond(context.error.message, { code: context.error.code });
+  }
+
+  const { admin, oauth2Provider, targetUid, targetUser, clientId, clientSecret } = context;
+
+  assistant.log('OAuth2 DELETE request', { provider: settings.provider });
+
+  // Get current access token to revoke
+  const accessToken = targetUser?.oauth2?.[settings.provider]?.token?.access_token;
+
+  // Attempt to revoke token with provider (best effort)
+  if (accessToken && oauth2Provider.revokeToken) {
+    const revokeResult = await oauth2Provider.revokeToken(accessToken, {
+      assistant,
+      clientId,
+      clientSecret,
+    }).catch(e => ({ revoked: false, reason: e.message }));
+
+    assistant.log('Token revocation result:', revokeResult);
+  }
+
+  // Delete OAuth data from user document
+  await admin.firestore().doc(`users/${targetUid}`).update({
+    [`oauth2.${settings.provider}`]: admin.firestore.FieldValue.delete(),
+    metadata: Manager.Metadata().set({ tag: 'user/oauth2' }),
+  });
+
+  return assistant.respond({ success: true });
+};

package/src/manager/routes/user/oauth2/get.js

@@ -0,0 +1,132 @@
+const {
+  buildContext,
+  generateCsrfToken,
+  encryptState,
+} = require('./_helpers.js');
+
+/**
+ * GET /user/oauth2 - Read operations
+ *
+ * Actions:
+ *   - authorize (default): Get authorization URL
+ *   - status: Check connection status
+ */
+module.exports = async ({ assistant, Manager, user, settings, libraries }) => {
+  const context = await buildContext({ assistant, Manager, user, settings, libraries });
+
+  if (context.error) {
+    return assistant.respond(context.error.message, { code: context.error.code });
+  }
+
+  const { admin, oauth2Provider, targetUid, targetUser, clientId, clientSecret, redirectUri } = context;
+
+  assistant.log('OAuth2 GET request', { action: settings.action, provider: settings.provider });
+
+  switch (settings.action) {
+    case 'status':
+      return processStatus(context);
+
+    case 'authorize':
+    default:
+      return processAuthorize(context);
+  }
+};
+
+// ============================================================================
+// Handlers
+// ============================================================================
+
+async function processAuthorize(context) {
+  const { assistant, Manager, admin, oauth2Provider, settings, targetUid, clientId, redirectUri } = context;
+
+  if (!clientId) {
+    return assistant.respond(`Missing client_id for ${settings.provider} provider`, { code: 500 });
+  }
+
+  // Generate CSRF token
+  const csrfToken = generateCsrfToken();
+
+  // Store CSRF token in user's usage document (auto-cleaned daily)
+  await admin.firestore().doc(`usage/${targetUid}`).set({
+    oauth2: {
+      [settings.provider]: {
+        csrf: csrfToken,
+        createdAt: Date.now(),
+      },
+    },
+  }, { merge: true });
+
+  // Build minimal state (no unnecessary data)
+  const stateData = {
+    provider: settings.provider,
+    uid: targetUid,
+    csrf: csrfToken,
+    ts: Date.now(),
+  };
+
+  // Encrypt state
+  let encryptedState;
+
+  try {
+    encryptedState = encryptState(stateData);
+  } catch (e) {
+    return assistant.respond(e.message, { code: 500 });
+  }
+
+  // Build authorization URL
+  const url = new URL(oauth2Provider.urls.authorize);
+  url.searchParams.set('state', encryptedState);
+  url.searchParams.set('client_id', clientId);
+  url.searchParams.set('redirect_uri', redirectUri);
+  url.searchParams.set('response_type', 'code');
+
+  // Set scopes from app config, fall back to provider defaults
+  const appScopes = Manager.config?.oauth2?.[settings.provider]?.scope || [];
+  const finalScopes = appScopes.length > 0 ? appScopes : (oauth2Provider.scope || []);
+  url.searchParams.set('scope', finalScopes.join(' '));
+
+  // Add provider-specific auth params
+  const authParams = oauth2Provider.authParams || {};
+
+  for (const [key, value] of Object.entries(authParams)) {
+    url.searchParams.set(key, value);
+  }
+
+  const urlString = url.toString();
+
+  assistant.log('OAuth2 authorize URL generated');
+
+  if (settings.redirect) {
+    return assistant.redirect(urlString);
+  }
+
+  return assistant.respond({ url: urlString });
+}
+
+async function processStatus(context) {
+  const { assistant, Manager, admin, oauth2Provider, settings, targetUid, targetUser, clientId, clientSecret } = context;
+
+  const token = targetUser?.oauth2?.[settings.provider]?.token?.refresh_token;
+
+  if (!token) {
+    return assistant.respond({ status: 'disconnected' });
+  }
+
+  // Verify connection if provider supports it
+  if (oauth2Provider.verifyConnection) {
+    const status = await oauth2Provider.verifyConnection(token, { Manager, assistant, clientId, clientSecret })
+      .catch(() => 'error');
+
+    if ((status === 'disconnected' || status === 'error') && settings.removeInvalidTokens) {
+      await admin.firestore().doc(`users/${targetUid}`).update({
+        [`oauth2.${settings.provider}`]: admin.firestore.FieldValue.delete(),
+        metadata: Manager.Metadata().set({ tag: 'user/oauth2' }),
+      });
+      assistant.log(`Removed invalid token for user: ${targetUid}`);
+    }
+
+    return assistant.respond({ status });
+  }
+
+  return assistant.respond({ status: 'connected' });
+}

package/src/manager/routes/user/oauth2/post.js

@@ -1,326 +1,226 @@
-const _ = require('lodash');
-const fetch = require('wonderful-fetch');
-const { arrayify } = require('node-powertools');
+const {
+  buildContext,
+  loadProvider,
+  decryptState,
+  STATE_TTL_MINUTES,
+  fetch,
+} = require('./_helpers.js');
 
 /**
- * POST /user/oauth2 - OAuth2 operations
+ * POST /user/oauth2 - Write operations
  *
- * States:
- *   - authorize: Get authorization URL
- *   - tokenize: Exchange code for tokens
+ * Actions:
+ *   - tokenize (default): Exchange authorization code for tokens
  *   - refresh: Refresh access token
- *   - deauthorize: Remove OAuth2 connection
- *   - status: Check connection status
  */
 module.exports = async ({ assistant, Manager, user, settings, libraries }) => {
   const { admin } = libraries;
 
-  // Require authentication
-  if (!user.authenticated) {
-    return assistant.respond('Authentication required', { code: 401 });
-  }
-
-  // Require admin to manage other users' OAuth
-  const uid = settings.uid;
-
-  if (uid !== user.auth.uid && !user.roles.admin) {
-    return assistant.respond('Admin required', { code: 403 });
-  }
-
-  // Get target user data
-  let userData = user;
+  assistant.log('OAuth2 POST request', { action: settings.action });
 
-  if (uid !== user.auth.uid) {
-    const doc = await admin.firestore().doc(`users/${uid}`).get();
-
-    if (!doc.exists) {
-      return assistant.respond('User not found', { code: 404 });
-    }
+  switch (settings.action) {
+    case 'refresh':
+      return processRefresh({ assistant, Manager, user, settings, libraries });
 
-    userData = doc.data();
+    case 'tokenize':
+    default:
+      return processTokenize({ assistant, Manager, admin, settings });
   }
+};
 
-  // Validate provider
-  if (!settings.provider) {
-    return assistant.respond('The provider parameter is required.', { code: 400 });
+// ============================================================================
+// Handlers
+// ============================================================================
+
+async function processTokenize({ assistant, Manager, admin, settings }) {
+  assistant.log('processTokenize settings', {
+    hasCode: !!settings.code,
+    codeType: typeof settings.code,
+    codeLength: settings.code?.length,
+    hasEncryptedState: !!settings.encryptedState,
+    encryptedStateLength: settings.encryptedState?.length,
+  });
+
+  // Validate required params
+  if (!settings.code) {
+    return assistant.respond('Missing authorization code', { code: 400 });
   }
 
-  // Load provider module
-  let oauth2;
-
-  try {
-    oauth2 = require(`./providers/${settings.provider}.js`);
-  } catch (e) {
-    return assistant.respond(`Unknown OAuth2 provider: ${settings.provider}`, { code: 400 });
+  if (!settings.encryptedState) {
+    return assistant.respond('Missing encrypted state', { code: 400 });
   }
 
-  // Build OAuth2 URL for current state
-  const ultimateJekyllOAuth2Url = assistant.isDevelopment()
+  // Build redirect URI
+  const redirectUri = assistant.isDevelopment()
     ? 'https://localhost:4000/oauth2'
     : `${Manager.config.brand.url}/oauth2`;
 
-  // Get OAuth2 credentials from environment variables
-  // Format: OAUTH2_{PROVIDER}_CLIENT_ID, OAUTH2_{PROVIDER}_CLIENT_SECRET
-  const providerEnvKey = settings.provider.toUpperCase().replace(/-/g, '_');
-  const client_id = process.env[`OAUTH2_${providerEnvKey}_CLIENT_ID`];
-  const client_secret = process.env[`OAUTH2_${providerEnvKey}_CLIENT_SECRET`];
-
-  const state = settings.state;
-
-  assistant.log('OAuth2 settings', settings);
-
-  // Process by state
-  switch (state) {
-    case 'authorize':
-      return processAuthorize(assistant, Manager, settings, oauth2, ultimateJekyllOAuth2Url, client_id);
-
-    case 'tokenize':
-      return processTokenize(assistant, Manager, admin, settings, oauth2, ultimateJekyllOAuth2Url, client_id, client_secret, uid);
+  // Decrypt and validate state
+  let stateData;
 
-    case 'refresh':
-      return processRefresh(assistant, Manager, admin, settings, oauth2, client_id, client_secret, uid, userData);
-
-    case 'deauthorize':
-      return processDeauthorize(assistant, Manager, admin, settings, uid);
+  try {
+    stateData = decryptState(settings.encryptedState);
+  } catch (e) {
+    assistant.log('Failed to decrypt state:', e.message);
+    return assistant.respond('Invalid OAuth state', { code: 400 });
+  }
 
-    case 'status':
-      return processStatus(assistant, Manager, admin, settings, oauth2, uid, userData);
+  // Validate timestamp (10 min TTL)
+  const ageMinutes = (Date.now() - stateData.ts) / 1000 / 60;
 
-    default:
-      return assistant.respond(`Unknown OAuth2 state: ${state}`, { code: 400 });
+  if (ageMinutes > STATE_TTL_MINUTES) {
+    return assistant.respond('OAuth session expired. Please try again.', { code: 400 });
   }
-};
 
-async function processAuthorize(assistant, Manager, settings, oauth2, ultimateJekyllOAuth2Url, client_id) {
-  if (!client_id) {
-    return assistant.respond(`Missing client_id for ${settings.provider} provider`, { code: 500 });
+  // Load provider from decrypted state
+  const providerResult = loadProvider(stateData.provider);
+
+  if (providerResult.error) {
+    return assistant.respond(providerResult.error.message, { code: providerResult.error.code });
   }
 
-  // Build state data - some defaults require runtime context so we keep fallbacks here
-  const defaultReferrer = assistant.isDevelopment() ? 'https://localhost:4000/account' : `${Manager.config.brand.url}/account`;
-  const stateData = {
-    code: 'success',
-    provider: settings.provider,
-    authenticationToken: settings.authenticationToken,
-    serverUrl: settings.serverUrl || `${Manager.project.apiUrl}/backend-manager`,
-    referrer: settings.referrer || defaultReferrer,
-    redirectUrl: settings.redirect_uri || settings.referrer || defaultReferrer,
-  };
+  const { oauth2Provider, clientId, clientSecret } = providerResult;
 
-  const url = new URL(oauth2.urls.authorize);
-  url.searchParams.set('state', JSON.stringify(stateData));
-  url.searchParams.set('client_id', client_id);
-  url.searchParams.set('scope', arrayify(settings.scope).join(' '));
-  url.searchParams.set('redirect_uri', ultimateJekyllOAuth2Url);
-  url.searchParams.set('access_type', settings.access_type);
-  url.searchParams.set('prompt', settings.prompt);
-  url.searchParams.set('include_granted_scopes', settings.include_granted_scopes);
-  url.searchParams.set('response_type', settings.response_type);
+  // Retrieve stored CSRF token from user's usage document
+  const usageDocRef = admin.firestore().doc(`usage/${stateData.uid}`);
+  const usageDoc = await usageDocRef.get();
 
-  // Allow provider to modify URL
-  const finalUrl = oauth2.buildUrl('authorize', url, assistant);
-  const urlString = (finalUrl || url).toString();
+  if (!usageDoc.exists) {
+    return assistant.respond('OAuth session not found. Please try again.', { code: 400 });
+  }
 
-  assistant.log('OAuth2 authorize URL', urlString);
+  const storedCsrf = usageDoc.data()?.oauth2?.[stateData.provider]?.csrf;
 
-  if (settings.redirect) {
-    return assistant.redirect(urlString);
+  if (!storedCsrf) {
+    return assistant.respond('OAuth session not found. Please try again.', { code: 400 });
   }
 
-  return assistant.respond({ url: urlString });
-}
-
-async function processTokenize(assistant, Manager, admin, settings, oauth2, ultimateJekyllOAuth2Url, client_id, client_secret, uid) {
-  assistant.log('Running processTokenize()');
+  // Validate CSRF token
+  if (storedCsrf !== stateData.csrf) {
+    assistant.log('CSRF mismatch', { stored: storedCsrf, received: stateData.csrf });
+    return assistant.respond('Invalid OAuth session', { code: 400 });
+  }
 
+  // Exchange code for tokens
   const body = {
-    client_id,
-    client_secret,
+    client_id: clientId,
+    client_secret: clientSecret,
     grant_type: 'authorization_code',
-    redirect_uri: ultimateJekyllOAuth2Url,
+    redirect_uri: redirectUri,
     code: settings.code,
   };
 
-  assistant.log('tokenize body', body);
-
-  const tokenizeResponse = await fetch(oauth2.urls.tokenize, {
+  const tokenResponse = await fetch(oauth2Provider.urls.tokenize, {
     method: 'POST',
     timeout: 60000,
     response: 'json',
-    tries: 1,
-    log: true,
     body: new URLSearchParams(body),
-    cacheBreaker: false,
-    headers: {
-      'Content-Type': 'application/x-www-form-urlencoded',
-    },
-  }).catch((e) => e);
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+  }).catch(e => e);
 
-  assistant.log('tokenizeResponse', tokenizeResponse);
-
-  if (tokenizeResponse instanceof Error) {
-    return assistant.respond(tokenizeResponse.message, { code: 500 });
+  if (tokenResponse instanceof Error) {
+    return assistant.respond(`Token exchange failed: ${tokenResponse.message}`, { code: 500 });
   }
 
-  // Verify identity
-  const verifiedIdentity = await oauth2.verifyIdentity(tokenizeResponse, Manager, assistant)
-    .catch((e) => e);
-
-  assistant.log('verifiedIdentity', verifiedIdentity);
+  // Verify identity with provider
+  const verifiedIdentity = await oauth2Provider.verifyIdentity(tokenResponse, Manager, assistant)
+    .catch(e => e);
 
   if (verifiedIdentity instanceof Error) {
     return assistant.respond(verifiedIdentity.message, { code: 400 });
   }
 
-  if (tokenizeResponse && !tokenizeResponse.refresh_token) {
+  if (!tokenResponse.refresh_token) {
     return assistant.respond(
-      `Missing "refresh_token" in response. Visit ${oauth2.urls.removeAccess} and remove our app from your account and then try again.`,
+      `Missing refresh_token. Visit ${oauth2Provider.urls.removeAccess} and remove our app, then try again.`,
       { code: 400 }
     );
   }
 
-  // Store tokens
-  await admin.firestore().doc(`users/${uid}`)
-    .set({
-      oauth2: {
-        [settings.provider]: {
-          code: _.omit(settings, ['redirect', 'referrer', 'provider', 'state']),
-          token: tokenizeResponse,
-          identity: verifiedIdentity,
-          updated: {
-            timestamp: assistant.meta.startTime.timestamp,
-            timestampUNIX: assistant.meta.startTime.timestampUNIX,
-          },
+  // Store tokens (only necessary fields, no raw settings)
+  await admin.firestore().doc(`users/${stateData.uid}`).set({
+    oauth2: {
+      [stateData.provider]: {
+        token: {
+          access_token: tokenResponse.access_token,
+          refresh_token: tokenResponse.refresh_token,
+          token_type: tokenResponse.token_type,
+          expires_in: tokenResponse.expires_in,
+          scope: tokenResponse.scope,
+        },
+        identity: verifiedIdentity,
+        updated: {
+          timestamp: assistant.meta.startTime.timestamp,
+          timestampUNIX: assistant.meta.startTime.timestampUNIX,
         },
       },
-      metadata: Manager.Metadata().set({ tag: 'user/oauth2' }),
-    }, { merge: true })
-    .catch((e) => {
-      return assistant.respond(`Failed to store tokens: ${e.message}`, { code: 500 });
-    });
+    },
+    metadata: Manager.Metadata().set({ tag: 'user/oauth2' }),
+  }, { merge: true });
+
+  // Delete CSRF token (cleanup)
+  await usageDocRef.update({
+    [`oauth2.${stateData.provider}`]: admin.firestore.FieldValue.delete(),
+  });
+
+  assistant.log('OAuth2 tokenize complete');
 
   return assistant.respond({ success: true });
 }
 
-async function processRefresh(assistant, Manager, admin, settings, oauth2, client_id, client_secret, uid, userData) {
-  assistant.log('Running processRefresh()');
+async function processRefresh({ assistant, Manager, user, settings, libraries }) {
+  const context = await buildContext({ assistant, Manager, user, settings, libraries });
+
+  if (context.error) {
+    return assistant.respond(context.error.message, { code: context.error.code });
+  }
+
+  const { admin, oauth2Provider, targetUid, targetUser, clientId, clientSecret } = context;
 
-  const refresh_token = _.get(userData, `oauth2.${settings.provider}.token.refresh_token`);
+  const refreshToken = targetUser?.oauth2?.[settings.provider]?.token?.refresh_token;
 
-  if (!refresh_token) {
+  if (!refreshToken) {
     return assistant.respond('No refresh token found', { code: 400 });
   }
 
   const body = {
-    client_id,
-    client_secret,
+    client_id: clientId,
+    client_secret: clientSecret,
     grant_type: 'refresh_token',
-    refresh_token,
+    refresh_token: refreshToken,
   };
 
-  assistant.log('refresh body', body);
-
-  const refreshResponse = await fetch(oauth2.urls.refresh, {
+  const refreshResponse = await fetch(oauth2Provider.urls.refresh, {
     method: 'POST',
     timeout: 60000,
     response: 'json',
-    tries: 1,
-    log: true,
     body: new URLSearchParams(body),
-    cacheBreaker: false,
-    headers: {
-      'Content-Type': 'application/x-www-form-urlencoded',
-    },
-  }).catch((e) => e);
-
-  assistant.log('refreshResponse', refreshResponse);
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+  }).catch(e => e);
 
   if (refreshResponse instanceof Error) {
-    return assistant.respond(refreshResponse.message, { code: 500 });
+    return assistant.respond(`Token refresh failed: ${refreshResponse.message}`, { code: 500 });
   }
 
-  // Store refreshed tokens
-  await admin.firestore().doc(`users/${uid}`)
-    .set({
-      oauth2: {
-        [settings.provider]: {
-          token: refreshResponse,
-          updated: {
-            timestamp: assistant.meta.startTime.timestamp,
-            timestampUNIX: assistant.meta.startTime.timestampUNIX,
-          },
+  // Update stored tokens
+  await admin.firestore().doc(`users/${targetUid}`).set({
+    oauth2: {
+      [settings.provider]: {
+        token: {
+          access_token: refreshResponse.access_token,
+          refresh_token: refreshResponse.refresh_token || refreshToken, // Some providers don't return new refresh token
+          token_type: refreshResponse.token_type,
+          expires_in: refreshResponse.expires_in,
+          scope: refreshResponse.scope,
         },
-      },
-      metadata: Manager.Metadata().set({ tag: 'user/oauth2' }),
-    }, { merge: true })
-    .catch((e) => {
-      return assistant.respond(`Failed to store tokens: ${e.message}`, { code: 500 });
-    });
-
-  return assistant.respond({ success: true });
-}
-
-async function processDeauthorize(assistant, Manager, admin, settings, uid) {
-  await admin.firestore().doc(`users/${uid}`)
-    .set({
-      oauth2: {
-        [settings.provider]: {},
         updated: {
           timestamp: assistant.meta.startTime.timestamp,
           timestampUNIX: assistant.meta.startTime.timestampUNIX,
         },
       },
-      metadata: Manager.Metadata().set({ tag: 'user/oauth2' }),
-    }, { merge: true })
-    .catch((e) => {
-      return assistant.respond(`Failed to deauthorize: ${e.message}`, { code: 500 });
-    });
+    },
+    metadata: Manager.Metadata().set({ tag: 'user/oauth2' }),
+  }, { merge: true });
 
   return assistant.respond({ success: true });
 }
-
-async function processStatus(assistant, Manager, admin, settings, oauth2, uid, userData) {
-  const removeInvalidTokens = settings.removeInvalidTokens;
-
-  const token = _.get(userData, `oauth2.${settings.provider}.token.refresh_token`, '');
-
-  if (!token) {
-    return assistant.respond({ status: 'disconnected' });
-  }
-
-  // If provider has verifyConnection, use it
-  if (oauth2.verifyConnection) {
-    const status = await oauth2.verifyConnection(token, Manager, assistant)
-      .catch(async (e) => {
-        if (removeInvalidTokens) {
-          await removeOAuth2Token(admin, settings.provider, uid, assistant, Manager);
-        }
-        return 'error';
-      });
-
-    if (status === 'disconnected' && removeInvalidTokens) {
-      await removeOAuth2Token(admin, settings.provider, uid, assistant, Manager);
-    }
-
-    return assistant.respond({ status });
-  }
-
-  // Default to connected if we have a token
-  return assistant.respond({ status: 'connected' });
-}
-
-async function removeOAuth2Token(admin, provider, uid, assistant, Manager) {
-  await admin.firestore().doc(`users/${uid}`)
-    .set({
-      oauth2: {
-        [provider]: {},
-        updated: {
-          timestamp: assistant.meta.startTime.timestamp,
-          timestampUNIX: assistant.meta.startTime.timestampUNIX,
-        },
-      },
-      metadata: Manager.Metadata().set({ tag: 'user/oauth2' }),
-    }, { merge: true });
-
-  assistant.log(`Removed disconnected token for user: ${uid}`);
-}

package/src/manager/routes/user/oauth2/providers/discord.js

@@ -7,13 +7,36 @@ module.exports = {
     authorize: 'https://discord.com/api/oauth2/authorize',
     tokenize: 'https://discord.com/api/oauth2/token',
     refresh: 'https://discord.com/api/oauth2/token',
+    revoke: 'https://discord.com/api/oauth2/token/revoke',
     status: '',
     removeAccess: 'https://discord.com/channels/@me',
   },
+  scope: ['identify', 'email'],
 
-  buildUrl(state, url, assistant) {
-    // Additional URL building if needed for authorize state
-    return url;
+  // Discord doesn't need special auth params
+  authParams: {},
+
+  // Revoke a token with Discord
+  async revokeToken(token, context) {
+    const { assistant, clientId, clientSecret } = context;
+
+    const response = await fetch(this.urls.revoke, {
+      method: 'POST',
+      timeout: 30000,
+      body: new URLSearchParams({
+        token,
+        client_id: clientId,
+        client_secret: clientSecret,
+      }),
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    }).catch(e => e);
+
+    if (response instanceof Error) {
+      assistant.log('Discord revokeToken error:', response.message);
+      return { revoked: false, reason: response.message };
+    }
+
+    return { revoked: true };
   },
 
   async verifyIdentity(tokenizeResult, Manager, assistant) {

package/src/manager/routes/user/oauth2/providers/google.js

@@ -8,13 +8,36 @@ module.exports = {
     authorize: 'https://accounts.google.com/o/oauth2/v2/auth',
     tokenize: 'https://oauth2.googleapis.com/token',
     refresh: 'https://oauth2.googleapis.com/token',
+    revoke: 'https://oauth2.googleapis.com/revoke',
     status: 'https://oauth2.googleapis.com/tokeninfo',
     removeAccess: 'https://myaccount.google.com/security',
   },
+  scope: ['openid', 'email', 'profile'],
 
-  buildUrl(state, url, assistant) {
-    // Additional URL building if needed for authorize state
-    return url;
+  // Google-specific OAuth parameters
+  authParams: {
+    access_type: 'offline',
+    prompt: 'consent',
+    include_granted_scopes: 'true',
+  },
+
+  // Revoke a token with Google
+  async revokeToken(token, context) {
+    const { assistant } = context;
+
+    const response = await fetch(this.urls.revoke, {
+      method: 'POST',
+      timeout: 30000,
+      body: new URLSearchParams({ token }),
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    }).catch(e => e);
+
+    if (response instanceof Error) {
+      assistant.log('Google revokeToken error:', response.message);
+      return { revoked: false, reason: response.message };
+    }
+
+    return { revoked: true };
   },
 
   async verifyIdentity(tokenizeResult, Manager, assistant) {
@@ -24,6 +47,11 @@ module.exports = {
     const decoded = jwtDecode(tokenizeResult.id_token);
     assistant.log('verifyIdentity(): decoded', decoded);
 
+    // Require email scope for proper identity verification
+    if (!decoded.email) {
+      throw new Error('Email scope is required. Please ensure "email" scope is included in the OAuth request.');
+    }
+
     // Check if exists
     const snap = await Manager.libraries.admin.firestore().collection('users')
       .where('oauth2.google.identity.email', '==', decoded.email)

package/src/manager/routes/user/sessions/delete.js

@@ -32,10 +32,11 @@ module.exports = async ({ assistant, user, settings, libraries }) => {
   count += await signOutOfSession(admin, assistant, uid, 'gatherings/online');
 
   // Revoke Firebase refresh tokens
-  await admin.auth().revokeRefreshTokens(uid)
-    .catch((e) => {
-      return assistant.respond(`Failed to sign out of all sessions: ${e}`, { code: 500 });
-    });
+  try {
+    await admin.auth().revokeRefreshTokens(uid);
+  } catch (e) {
+    return assistant.respond(`Failed to sign out of all sessions: ${e}`, { code: 500 });
+  }
 
   return assistant.respond({
     sessions: count,

package/src/manager/schemas/user/oauth2/delete.js

@@ -0,0 +1,11 @@
+module.exports = ({ user }) => ({
+  uid: {
+    types: ['string'],
+    default: user?.auth?.uid,
+    required: false,
+  },
+  provider: {
+    types: ['string'],
+    required: true,
+  },
+});

package/src/manager/schemas/user/oauth2/get.js

@@ -0,0 +1,27 @@
+module.exports = ({ user }) => ({
+  uid: {
+    types: ['string'],
+    default: user?.auth?.uid,
+    required: false,
+  },
+  provider: {
+    types: ['string'],
+    required: true,
+  },
+  action: {
+    types: ['string'],
+    default: 'authorize',
+    enum: ['authorize', 'status'],
+    required: false,
+  },
+  redirect: {
+    types: ['boolean'],
+    default: true,
+    required: false,
+  },
+  removeInvalidTokens: {
+    types: ['boolean'],
+    default: true,
+    required: false,
+  },
+});

package/src/manager/schemas/user/oauth2/post.js

@@ -6,72 +6,20 @@ module.exports = ({ user }) => ({
   },
   provider: {
     types: ['string'],
-    default: undefined,
-    required: true,
+    required: false,  // Not required for tokenize (provider comes from encrypted state)
   },
-  state: {
+  action: {
     types: ['string'],
-    default: 'authorize',
-    required: false,
-  },
-  redirect: {
-    types: ['boolean'],
-    default: true,
-    required: false,
-  },
-  referrer: {
-    types: ['string'],
-    default: undefined,
-    required: false,
-  },
-  serverUrl: {
-    types: ['string'],
-    default: undefined,
-    required: false,
-  },
-  redirect_uri: {
-    types: ['string'],
-    default: undefined,
-    required: false,
-  },
-  scope: {
-    types: ['array', 'string'],
-    default: [],
+    default: 'tokenize',
+    enum: ['tokenize', 'refresh'],
     required: false,
   },
   code: {
     types: ['string'],
-    default: undefined,
-    required: false,
-  },
-  access_type: {
-    types: ['string'],
-    default: 'offline',
-    required: false,
-  },
-  prompt: {
-    types: ['string'],
-    default: 'consent',
-    required: false,
-  },
-  include_granted_scopes: {
-    types: ['string', 'boolean'],
-    default: 'true',
-    required: false,
-  },
-  response_type: {
-    types: ['string'],
-    default: 'code',
-    required: false,
+    required: false,  // Required for tokenize
   },
-  removeInvalidTokens: {
-    types: ['boolean'],
-    default: true,
-    required: false,
-  },
-  authenticationToken: {
+  encryptedState: {
     types: ['string'],
-    default: undefined,
-    required: false,
+    required: false,  // Required for tokenize
   },
 });

package/templates/_.gitignore

@@ -42,7 +42,7 @@ node_modules/
 .yarn-integrity
 
 # dotenv environment variables file
-.env
+.env*
 
 # BEM specific
 .runtimeconfig.json