insforge 0.3.3 → 1.3.0

package/backend/src/providers/oauth/apple.provider.ts

@@ -0,0 +1,266 @@
+import axios from 'axios';
+import logger from '@/utils/logger.js';
+import { getApiBaseUrl } from '@/utils/environment.js';
+import { OAuthConfigService } from '@/services/auth/oauth-config.service.js';
+import type { AppleUserInfo, OAuthUserData } from '@/types/auth.js';
+import { OAuthProvider } from './base.provider.js';
+
+/**
+ * Apple OAuth Service
+ * Handles all Apple Sign In operations including URL generation, token exchange, and user info verification
+ *
+ * Apple OAuth specifics:
+ * - Uses OIDC with JWT id_token
+ * - Callback receives POST request with code, id_token, and user data
+ * - User info (name, email) is only provided on first authorization
+ * - client_secret is a JWT signed with Apple's private key
+ */
+export class AppleOAuthProvider implements OAuthProvider {
+  private static instance: AppleOAuthProvider;
+
+  private constructor() {
+    // No initialization needed - jose handles JWKS caching internally
+  }
+
+  public static getInstance(): AppleOAuthProvider {
+    if (!AppleOAuthProvider.instance) {
+      AppleOAuthProvider.instance = new AppleOAuthProvider();
+    }
+    return AppleOAuthProvider.instance;
+  }
+
+  /**
+   * Generate Apple OAuth authorization URL
+   */
+  async generateOAuthUrl(state?: string): Promise<string> {
+    const oAuthConfigService = OAuthConfigService.getInstance();
+    const config = await oAuthConfigService.getConfigByProvider('apple');
+
+    if (!config) {
+      throw new Error('Apple OAuth not configured');
+    }
+
+    const selfBaseUrl = getApiBaseUrl();
+
+    if (config?.useSharedKey) {
+      if (!state) {
+        logger.warn('Shared Apple OAuth called without state parameter');
+        throw new Error('State parameter is required for shared Apple OAuth');
+      }
+      // Use shared keys if configured
+      const cloudBaseUrl = process.env.CLOUD_API_HOST || 'https://api.insforge.dev';
+      const redirectUri = `${selfBaseUrl}/api/auth/oauth/shared/callback/${state}`;
+      const response = await axios.get(
+        `${cloudBaseUrl}/auth/v1/shared/apple?redirect_uri=${encodeURIComponent(redirectUri)}`,
+        {
+          headers: {
+            'Content-Type': 'application/json',
+          },
+        }
+      );
+      return response.data.auth_url || response.data.url || '';
+    }
+
+    logger.debug('Apple OAuth Config (fresh from DB):', {
+      clientId: config.clientId ? 'SET' : 'NOT SET',
+    });
+
+    const authUrl = new URL('https://appleid.apple.com/auth/authorize');
+    authUrl.searchParams.set('client_id', config.clientId ?? '');
+    authUrl.searchParams.set('redirect_uri', `${selfBaseUrl}/api/auth/oauth/apple/callback`);
+    authUrl.searchParams.set('response_type', 'code id_token');
+    authUrl.searchParams.set('response_mode', 'form_post');
+    authUrl.searchParams.set(
+      'scope',
+      config.scopes && config.scopes.length > 0 ? config.scopes.join(' ') : 'name email'
+    );
+    if (state) {
+      authUrl.searchParams.set('state', state);
+    }
+
+    return authUrl.toString();
+  }
+
+  /**
+   * Generate Apple client secret (JWT signed with private key)
+   * Apple requires a dynamically generated client_secret
+   */
+  private async generateClientSecret(): Promise<string> {
+    const oAuthConfigService = OAuthConfigService.getInstance();
+    const config = await oAuthConfigService.getConfigByProvider('apple');
+
+    if (!config) {
+      throw new Error('Apple OAuth not configured');
+    }
+
+    // Get additional config from client secret (stored as JSON with teamId, keyId, privateKey)
+    const secretData = await oAuthConfigService.getClientSecretByProvider('apple');
+    if (!secretData) {
+      throw new Error('Apple OAuth client secret not configured');
+    }
+
+    let appleConfig: { teamId: string; keyId: string; privateKey: string };
+    try {
+      appleConfig = JSON.parse(secretData);
+    } catch {
+      throw new Error(
+        'Apple OAuth client secret must be a JSON object with teamId, keyId, and privateKey'
+      );
+    }
+
+    const { teamId, keyId, privateKey } = appleConfig;
+
+    if (!teamId || !keyId || !privateKey) {
+      throw new Error('Apple OAuth requires teamId, keyId, and privateKey in client secret');
+    }
+
+    // Use jose to sign the client secret JWT
+    const { SignJWT, importPKCS8 } = await import('jose');
+
+    const key = await importPKCS8(privateKey, 'ES256');
+
+    const clientSecret = await new SignJWT({})
+      .setProtectedHeader({ alg: 'ES256', kid: keyId })
+      .setIssuer(teamId)
+      .setSubject(config.clientId ?? '')
+      .setAudience('https://appleid.apple.com')
+      .setIssuedAt()
+      .setExpirationTime('180d') // 180 days (Apple allows up to 6 months)
+      .sign(key);
+
+    return clientSecret;
+  }
+
+  /**
+   * Exchange Apple authorization code for tokens
+   */
+  async exchangeCodeToToken(code: string): Promise<{ access_token: string; id_token: string }> {
+    const oAuthConfigService = OAuthConfigService.getInstance();
+    const config = await oAuthConfigService.getConfigByProvider('apple');
+
+    if (!config) {
+      throw new Error('Apple OAuth not configured');
+    }
+
+    try {
+      logger.info('Exchanging Apple code for tokens', {
+        hasCode: !!code,
+        clientId: config.clientId?.substring(0, 10) + '...',
+      });
+
+      const clientSecret = await this.generateClientSecret();
+      const selfBaseUrl = getApiBaseUrl();
+
+      const body = new URLSearchParams({
+        client_id: config.clientId ?? '',
+        client_secret: clientSecret,
+        code,
+        grant_type: 'authorization_code',
+        redirect_uri: `${selfBaseUrl}/api/auth/oauth/apple/callback`,
+      });
+
+      const response = await axios.post('https://appleid.apple.com/auth/token', body.toString(), {
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      });
+
+      if (!response.data.id_token) {
+        throw new Error('Failed to get id_token from Apple');
+      }
+
+      return {
+        access_token: response.data.access_token || '',
+        id_token: response.data.id_token,
+      };
+    } catch (error) {
+      if (axios.isAxiosError(error) && error.response) {
+        logger.error('Apple token exchange failed', {
+          status: error.response.status,
+          error: error.response.data,
+        });
+        throw new Error(`Apple OAuth error: ${JSON.stringify(error.response.data)}`);
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Verify Apple ID token and extract user info
+   */
+  async verifyIdToken(idToken: string): Promise<AppleUserInfo> {
+    const oAuthConfigService = OAuthConfigService.getInstance();
+    const config = await oAuthConfigService.getConfigByProvider('apple');
+
+    if (!config) {
+      throw new Error('Apple OAuth not configured');
+    }
+
+    try {
+      const { createRemoteJWKSet, jwtVerify } = await import('jose');
+      const JWKS = createRemoteJWKSet(new URL('https://appleid.apple.com/auth/keys'));
+
+      const { payload } = await jwtVerify(idToken, JWKS, {
+        issuer: 'https://appleid.apple.com',
+        audience: config.clientId,
+      });
+
+      return {
+        sub: String(payload.sub),
+        email: (payload.email as string) || '',
+        email_verified: payload.email_verified === 'true' || payload.email_verified === true,
+        is_private_email: payload.is_private_email === 'true' || payload.is_private_email === true,
+      };
+    } catch (error) {
+      logger.error('Apple ID token verification failed:', error);
+      throw new Error(`Apple token verification failed: ${error}`);
+    }
+  }
+
+  /**
+   * Handle Apple OAuth callback
+   * Note: Apple sends a POST request with form data
+   */
+  async handleCallback(payload: { code?: string; token?: string }): Promise<OAuthUserData> {
+    let appleUserInfo: AppleUserInfo;
+
+    if (payload.token) {
+      // Token provided directly (e.g., from mobile app)
+      appleUserInfo = await this.verifyIdToken(payload.token);
+    } else if (payload.code) {
+      // Exchange code for tokens
+      const tokens = await this.exchangeCodeToToken(payload.code);
+      appleUserInfo = await this.verifyIdToken(tokens.id_token);
+    } else {
+      throw new Error('No authorization code or token provided');
+    }
+
+    // Transform Apple user info to generic format
+    // Note: Apple only provides name on first authorization, so we use email as fallback
+    const userName = appleUserInfo.name || appleUserInfo.email.split('@')[0];
+    return {
+      provider: 'apple',
+      providerId: appleUserInfo.sub,
+      email: appleUserInfo.email,
+      userName,
+      avatarUrl: '', // Apple doesn't provide avatar
+      identityData: appleUserInfo,
+    };
+  }
+
+  /**
+   * Handle shared callback payload transformation
+   */
+  handleSharedCallback(payloadData: Record<string, unknown>): OAuthUserData {
+    const providerId = String(payloadData.providerId ?? '');
+    const email = String(payloadData.email ?? '');
+    const name = String(payloadData.name ?? '');
+
+    return {
+      provider: 'apple',
+      providerId,
+      email,
+      userName: name || email.split('@')[0],
+      avatarUrl: '',
+      identityData: payloadData,
+    };
+  }
+}

package/backend/src/providers/oauth/base.provider.ts

@@ -0,0 +1,29 @@
+import type { OAuthUserData } from '@/types/auth.js';
+
+/**
+ * OAuth provider interface
+ * Defines the contract that all OAuth providers must implement
+ */
+export interface OAuthProvider {
+  /**
+   * Generate OAuth authorization URL
+   * @param state - Optional state parameter for CSRF protection
+   * @returns Authorization URL
+   */
+  generateOAuthUrl(state?: string): Promise<string>;
+
+  /**
+   * Handle OAuth callback and exchange code/token for user info
+   * @param payload - OAuth callback payload containing code or token
+   * @returns User data from OAuth provider
+   */
+  handleCallback(payload: { code?: string; token?: string }): Promise<OAuthUserData>;
+
+  /**
+   * Handle shared OAuth callback (for shared keys)
+   * Optional - not all providers support shared OAuth
+   * @param payloadData - Payload data from shared OAuth callback
+   * @returns User data transformed to standard format
+   */
+  handleSharedCallback?(payloadData: Record<string, unknown>): OAuthUserData;
+}

package/backend/src/providers/oauth/discord.provider.ts

@@ -0,0 +1,195 @@
+import axios from 'axios';
+import logger from '@/utils/logger.js';
+import { getApiBaseUrl } from '@/utils/environment.js';
+import { OAuthConfigService } from '@/services/auth/oauth-config.service.js';
+import { OAuthProvider } from './base.provider.js';
+import type { DiscordUserInfo, OAuthUserData } from '@/types/auth.js';
+
+/**
+ * Discord OAuth Service
+ * Handles all Discord OAuth operations including URL generation, token exchange, and user info retrieval
+ */
+export class DiscordOAuthProvider implements OAuthProvider {
+  private static instance: DiscordOAuthProvider;
+
+  private constructor() {
+    // Initialize OAuth helpers if needed
+  }
+
+  public static getInstance(): DiscordOAuthProvider {
+    if (!DiscordOAuthProvider.instance) {
+      DiscordOAuthProvider.instance = new DiscordOAuthProvider();
+    }
+    return DiscordOAuthProvider.instance;
+  }
+
+  /**
+   * Generate Discord OAuth authorization URL
+   */
+  async generateOAuthUrl(state?: string): Promise<string> {
+    const oAuthConfigService = OAuthConfigService.getInstance();
+    const config = await oAuthConfigService.getConfigByProvider('discord');
+
+    if (!config) {
+      throw new Error('Discord OAuth not configured');
+    }
+
+    const selfBaseUrl = getApiBaseUrl();
+
+    if (config?.useSharedKey) {
+      if (!state) {
+        logger.warn('Shared Discord OAuth called without state parameter');
+        throw new Error('State parameter is required for shared Discord OAuth');
+      }
+      // Use shared keys if configured
+      const cloudBaseUrl = process.env.CLOUD_API_HOST || 'https://api.insforge.dev';
+      const redirectUri = `${selfBaseUrl}/api/auth/oauth/shared/callback/${state}`;
+      const response = await axios.get(
+        `${cloudBaseUrl}/auth/v1/shared/discord?redirect_uri=${encodeURIComponent(redirectUri)}`,
+        {
+          headers: {
+            'Content-Type': 'application/json',
+          },
+        }
+      );
+      return response.data.auth_url || response.data.url || '';
+    }
+
+    logger.debug('Discord OAuth Config (fresh from DB):', {
+      clientId: config.clientId ? 'SET' : 'NOT SET',
+    });
+
+    const authUrl = new URL('https://discord.com/api/oauth2/authorize');
+    authUrl.searchParams.set('client_id', config.clientId ?? '');
+    authUrl.searchParams.set('redirect_uri', `${selfBaseUrl}/api/auth/oauth/discord/callback`);
+    authUrl.searchParams.set('response_type', 'code');
+    authUrl.searchParams.set('scope', config.scopes ? config.scopes.join(' ') : 'identify email');
+    if (state) {
+      authUrl.searchParams.set('state', state);
+    }
+
+    return authUrl.toString();
+  }
+
+  /**
+   * Exchange Discord code for access token
+   */
+  async exchangeCodeToToken(code: string): Promise<string> {
+    const oAuthConfigService = OAuthConfigService.getInstance();
+    const config = await oAuthConfigService.getConfigByProvider('discord');
+
+    if (!config) {
+      throw new Error('Discord OAuth not configured');
+    }
+
+    try {
+      logger.info('Exchanging Discord code for token', {
+        hasCode: !!code,
+        clientId: config.clientId?.substring(0, 10) + '...',
+      });
+
+      const clientSecret = await oAuthConfigService.getClientSecretByProvider('discord');
+      const selfBaseUrl = getApiBaseUrl();
+      const response = await axios.post(
+        'https://discord.com/api/oauth2/token',
+        new URLSearchParams({
+          client_id: config.clientId ?? '',
+          client_secret: clientSecret ?? '',
+          code,
+          redirect_uri: `${selfBaseUrl}/api/auth/oauth/discord/callback`,
+          grant_type: 'authorization_code',
+        }).toString(),
+        {
+          headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+          },
+        }
+      );
+
+      if (!response.data.access_token) {
+        throw new Error('Failed to get access token from Discord');
+      }
+
+      return response.data.access_token;
+    } catch (error) {
+      if (axios.isAxiosError(error) && error.response) {
+        logger.error('Discord token exchange failed', {
+          status: error.response.status,
+          error: error.response.data,
+        });
+        throw new Error(`Discord OAuth error: ${JSON.stringify(error.response.data)}`);
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Get Discord user info
+   */
+  async getUserInfo(accessToken: string): Promise<DiscordUserInfo> {
+    try {
+      const response = await axios.get('https://discord.com/api/users/@me', {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+        },
+      });
+
+      return {
+        id: response.data.id,
+        username: response.data.global_name || response.data.username,
+        email: response.data.email,
+        avatar: response.data.avatar
+          ? `https://cdn.discordapp.com/avatars/${response.data.id}/${response.data.avatar}.png`
+          : '',
+      };
+    } catch (error) {
+      logger.error('Discord user info retrieval failed:', error);
+      throw new Error(`Failed to get Discord user info: ${error}`);
+    }
+  }
+
+  /**
+   * Handle Discord OAuth callback
+   */
+  async handleCallback(payload: { code?: string; token?: string }): Promise<OAuthUserData> {
+    if (!payload.code) {
+      throw new Error('No authorization code provided');
+    }
+
+    const accessToken = await this.exchangeCodeToToken(payload.code);
+    const discordUserInfo = await this.getUserInfo(accessToken);
+
+    // Transform Discord user info to generic format
+    const userName = discordUserInfo.username;
+    const email = discordUserInfo.email || `${discordUserInfo.id}@users.noreply.discord.local`;
+    return {
+      provider: 'discord',
+      providerId: discordUserInfo.id,
+      email,
+      userName,
+      avatarUrl: discordUserInfo.avatar || '',
+      identityData: discordUserInfo,
+    };
+  }
+
+  /**
+   * Handle shared callback payload transformation
+   */
+  handleSharedCallback(payloadData: Record<string, unknown>): OAuthUserData {
+    const providerId = String(payloadData.providerId ?? '');
+    const username = String(payloadData.username ?? '');
+    const emailField = String(payloadData.email ?? '');
+    const avatar = String(payloadData.avatar ?? '');
+
+    const email = emailField || `${providerId}@users.noreply.discord.local`;
+
+    return {
+      provider: 'discord',
+      providerId,
+      email,
+      userName: username,
+      avatarUrl: avatar,
+      identityData: payloadData,
+    };
+  }
+}

package/backend/src/providers/oauth/facebook.provider.ts

@@ -0,0 +1,194 @@
+import axios from 'axios';
+import logger from '@/utils/logger.js';
+import { getApiBaseUrl } from '@/utils/environment.js';
+import { OAuthConfigService } from '@/services/auth/oauth-config.service.js';
+import { OAuthProvider } from './base.provider.js';
+import type { FacebookUserInfo, OAuthUserData } from '@/types/auth.js';
+
+/**
+ * Facebook OAuth Service
+ * Handles all Facebook OAuth operations including URL generation, token exchange, and user info retrieval
+ */
+export class FacebookOAuthProvider implements OAuthProvider {
+  private static instance: FacebookOAuthProvider;
+
+  private constructor() {
+    // Initialize OAuth helpers if needed
+  }
+
+  public static getInstance(): FacebookOAuthProvider {
+    if (!FacebookOAuthProvider.instance) {
+      FacebookOAuthProvider.instance = new FacebookOAuthProvider();
+    }
+    return FacebookOAuthProvider.instance;
+  }
+
+  /**
+   * Generate Facebook OAuth authorization URL
+   */
+  async generateOAuthUrl(state?: string): Promise<string> {
+    const oAuthConfigService = OAuthConfigService.getInstance();
+    const config = await oAuthConfigService.getConfigByProvider('facebook');
+
+    if (!config) {
+      throw new Error('Facebook OAuth not configured');
+    }
+
+    const selfBaseUrl = getApiBaseUrl();
+
+    if (config?.useSharedKey) {
+      if (!state) {
+        logger.warn('Shared Facebook OAuth called without state parameter');
+        throw new Error('State parameter is required for shared Facebook OAuth');
+      }
+      const cloudBaseUrl = process.env.CLOUD_API_HOST || 'https://api.insforge.dev';
+      const redirectUri = `${selfBaseUrl}/api/auth/oauth/shared/callback/${state}`;
+      const response = await axios.get(
+        `${cloudBaseUrl}/auth/v1/shared/facebook?redirect_uri=${encodeURIComponent(redirectUri)}`,
+        {
+          headers: {
+            'Content-Type': 'application/json',
+          },
+        }
+      );
+      return response.data.auth_url || response.data.url || '';
+    }
+
+    logger.debug('Facebook OAuth Config (fresh from DB):', {
+      clientId: config.clientId ? 'SET' : 'NOT SET',
+    });
+
+    const authUrl = new URL('https://www.facebook.com/v21.0/dialog/oauth');
+    authUrl.searchParams.set('client_id', config.clientId ?? '');
+    authUrl.searchParams.set('redirect_uri', `${selfBaseUrl}/api/auth/oauth/facebook/callback`);
+    authUrl.searchParams.set('response_type', 'code');
+    authUrl.searchParams.set(
+      'scope',
+      config.scopes ? config.scopes.join(',') : 'email,public_profile'
+    );
+    if (state) {
+      authUrl.searchParams.set('state', state);
+    }
+
+    return authUrl.toString();
+  }
+
+  /**
+   * Exchange Facebook code for access token
+   */
+  async exchangeCodeToToken(code: string): Promise<string> {
+    const oAuthConfigService = OAuthConfigService.getInstance();
+    const config = await oAuthConfigService.getConfigByProvider('facebook');
+
+    if (!config) {
+      throw new Error('Facebook OAuth not configured');
+    }
+
+    try {
+      logger.info('Exchanging Facebook code for token', {
+        hasCode: !!code,
+        clientId: config.clientId?.substring(0, 10) + '...',
+      });
+
+      const clientSecret = await oAuthConfigService.getClientSecretByProvider('facebook');
+      const selfBaseUrl = getApiBaseUrl();
+      const response = await axios.get('https://graph.facebook.com/v21.0/oauth/access_token', {
+        params: {
+          client_id: config.clientId,
+          client_secret: clientSecret,
+          code,
+          redirect_uri: `${selfBaseUrl}/api/auth/oauth/facebook/callback`,
+        },
+      });
+
+      if (!response.data.access_token) {
+        throw new Error('Failed to get access token from Facebook');
+      }
+
+      return response.data.access_token;
+    } catch (error) {
+      if (axios.isAxiosError(error) && error.response) {
+        logger.error('Facebook token exchange failed', {
+          status: error.response.status,
+          error: error.response.data,
+        });
+        throw new Error(`Facebook OAuth error: ${JSON.stringify(error.response.data)}`);
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Get Facebook user info
+   */
+  async getUserInfo(accessToken: string): Promise<FacebookUserInfo> {
+    try {
+      const response = await axios.get('https://graph.facebook.com/v21.0/me', {
+        params: {
+          fields: 'id,email,name,first_name,last_name,picture',
+          access_token: accessToken,
+        },
+      });
+
+      return response.data;
+    } catch (error) {
+      logger.error('Facebook user info retrieval failed:', error);
+      throw new Error(`Failed to get Facebook user info: ${error}`);
+    }
+  }
+
+  /**
+   * Handle Facebook OAuth callback
+   */
+  async handleCallback(payload: { code?: string; token?: string }): Promise<OAuthUserData> {
+    if (!payload.code) {
+      throw new Error('No authorization code provided');
+    }
+
+    const accessToken = await this.exchangeCodeToToken(payload.code);
+    const facebookUserInfo = await this.getUserInfo(accessToken);
+
+    // Transform Facebook user info to generic format
+    const email = facebookUserInfo.email || '';
+    const userName =
+      facebookUserInfo.name ||
+      facebookUserInfo.first_name ||
+      `User${facebookUserInfo.id.substring(0, 6)}`;
+    const avatarUrl = facebookUserInfo.picture?.data?.url || '';
+    return {
+      provider: 'facebook',
+      providerId: facebookUserInfo.id,
+      email,
+      userName,
+      avatarUrl,
+      identityData: facebookUserInfo,
+    };
+  }
+
+  /**
+   * Handle shared callback payload transformation
+   */
+  handleSharedCallback(payloadData: Record<string, unknown>): OAuthUserData {
+    const providerId = String(payloadData.providerId ?? '');
+    const email = String(payloadData.email ?? '');
+    const name = String(payloadData.name ?? '');
+    const firstName = String(payloadData.first_name ?? '');
+    const avatar = String(payloadData.avatar ?? '');
+
+    // Handle nested picture.data.url structure
+    const picture = payloadData.picture as { data?: { url?: string } } | undefined;
+    const pictureUrl = picture?.data?.url ?? '';
+
+    const userName = name || firstName || `User${providerId.substring(0, 6)}`;
+    const avatarUrl = pictureUrl || avatar;
+
+    return {
+      provider: 'facebook',
+      providerId,
+      email,
+      userName,
+      avatarUrl,
+      identityData: payloadData,
+    };
+  }
+}