insforge 0.3.3 → 1.3.0

package/backend/src/providers/oauth/github.provider.ts

@@ -0,0 +1,208 @@
+import axios from 'axios';
+import logger from '@/utils/logger.js';
+import { getApiBaseUrl } from '@/utils/environment.js';
+import { OAuthConfigService } from '@/services/auth/oauth-config.service.js';
+import type { GitHubUserInfo, GitHubEmailInfo, OAuthUserData } from '@/types/auth.js';
+import { OAuthProvider } from './base.provider.js';
+
+/**
+ * GitHub OAuth Service
+ * Handles all GitHub OAuth operations including URL generation, token exchange, and user info retrieval
+ */
+export class GitHubOAuthProvider implements OAuthProvider {
+  private static instance: GitHubOAuthProvider;
+
+  private constructor() {
+    // Initialize OAuth helpers if needed
+  }
+
+  public static getInstance(): GitHubOAuthProvider {
+    if (!GitHubOAuthProvider.instance) {
+      GitHubOAuthProvider.instance = new GitHubOAuthProvider();
+    }
+    return GitHubOAuthProvider.instance;
+  }
+
+  /**
+   * Generate GitHub OAuth authorization URL
+   */
+  async generateOAuthUrl(state?: string): Promise<string> {
+    const oAuthConfigService = OAuthConfigService.getInstance();
+    const config = await oAuthConfigService.getConfigByProvider('github');
+
+    if (!config) {
+      throw new Error('GitHub OAuth not configured');
+    }
+
+    const selfBaseUrl = getApiBaseUrl();
+
+    if (config?.useSharedKey) {
+      if (!state) {
+        logger.warn('Shared GitHub OAuth called without state parameter');
+        throw new Error('State parameter is required for shared GitHub OAuth');
+      }
+      // Use shared keys if configured
+      const cloudBaseUrl = process.env.CLOUD_API_HOST || 'https://api.insforge.dev';
+      const redirectUri = `${selfBaseUrl}/api/auth/oauth/shared/callback/${state}`;
+      const response = await axios.get(
+        `${cloudBaseUrl}/auth/v1/shared/github?redirect_uri=${encodeURIComponent(redirectUri)}`,
+        {
+          headers: {
+            'Content-Type': 'application/json',
+          },
+        }
+      );
+      return response.data.auth_url || response.data.url || '';
+    }
+
+    logger.debug('GitHub OAuth Config (fresh from DB):', {
+      clientId: config.clientId ? 'SET' : 'NOT SET',
+    });
+
+    const authUrl = new URL('https://github.com/login/oauth/authorize');
+    authUrl.searchParams.set('client_id', config.clientId ?? '');
+    authUrl.searchParams.set('redirect_uri', `${selfBaseUrl}/api/auth/oauth/github/callback`);
+    authUrl.searchParams.set('scope', config.scopes ? config.scopes.join(' ') : 'user:email');
+    if (state) {
+      authUrl.searchParams.set('state', state);
+    }
+
+    return authUrl.toString();
+  }
+
+  /**
+   * Exchange GitHub code for access token
+   */
+  async exchangeCodeToToken(code: string): Promise<string> {
+    const oAuthConfigService = OAuthConfigService.getInstance();
+    const config = await oAuthConfigService.getConfigByProvider('github');
+
+    if (!config) {
+      throw new Error('GitHub OAuth not configured');
+    }
+
+    try {
+      logger.info('Exchanging GitHub code for token', {
+        hasCode: !!code,
+        clientId: config.clientId?.substring(0, 10) + '...',
+      });
+
+      const clientSecret = await oAuthConfigService.getClientSecretByProvider('github');
+      const selfBaseUrl = getApiBaseUrl();
+      const response = await axios.post(
+        'https://github.com/login/oauth/access_token',
+        {
+          client_id: config.clientId,
+          client_secret: clientSecret,
+          code,
+          redirect_uri: `${selfBaseUrl}/api/auth/oauth/github/callback`,
+        },
+        {
+          headers: {
+            Accept: 'application/json',
+          },
+        }
+      );
+
+      if (!response.data.access_token) {
+        throw new Error('Failed to get access token from GitHub');
+      }
+
+      return response.data.access_token;
+    } catch (error) {
+      if (axios.isAxiosError(error) && error.response) {
+        logger.error('GitHub token exchange failed', {
+          status: error.response.status,
+          error: error.response.data,
+        });
+        throw new Error(`GitHub OAuth error: ${JSON.stringify(error.response.data)}`);
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Get GitHub user info
+   */
+  async getUserInfo(accessToken: string): Promise<GitHubUserInfo> {
+    try {
+      const userResponse = await axios.get('https://api.github.com/user', {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+        },
+      });
+
+      // GitHub doesn't always return email in user endpoint
+      let email = userResponse.data.email;
+
+      if (!email) {
+        const emailResponse = await axios.get('https://api.github.com/user/emails', {
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+          },
+        });
+
+        const primaryEmail = emailResponse.data.find((e: GitHubEmailInfo) => e.primary);
+        email = primaryEmail ? primaryEmail.email : emailResponse.data[0]?.email;
+      }
+
+      return {
+        id: userResponse.data.id,
+        login: userResponse.data.login,
+        name: userResponse.data.name,
+        email: email || `${userResponse.data.login}@users.noreply.github.com`,
+        avatar_url: userResponse.data.avatar_url,
+      };
+    } catch (error) {
+      logger.error('GitHub user info retrieval failed:', error);
+      throw new Error(`Failed to get GitHub user info: ${error}`);
+    }
+  }
+
+  /**
+   * Handle GitHub OAuth callback
+   */
+  async handleCallback(payload: { code?: string; token?: string }): Promise<OAuthUserData> {
+    if (!payload.code) {
+      throw new Error('No authorization code provided');
+    }
+
+    const accessToken = await this.exchangeCodeToToken(payload.code);
+    const githubUserInfo = await this.getUserInfo(accessToken);
+
+    // Transform GitHub user info to generic format
+    const userName = githubUserInfo.name || githubUserInfo.login;
+    const email = githubUserInfo.email || `${githubUserInfo.login}@users.noreply.github.com`;
+    return {
+      provider: 'github',
+      providerId: githubUserInfo.id.toString(),
+      email,
+      userName,
+      avatarUrl: githubUserInfo.avatar_url || '',
+      identityData: githubUserInfo,
+    };
+  }
+
+  /**
+   * Handle shared callback payload transformation
+   */
+  handleSharedCallback(payloadData: Record<string, unknown>): OAuthUserData {
+    const providerId = String(payloadData.providerId ?? '');
+    const name = String(payloadData.name ?? '');
+    const login = String(payloadData.login ?? '');
+    const emailField = String(payloadData.email ?? '');
+    const avatar = String(payloadData.avatar ?? '');
+
+    const userName = name || login;
+    const email = emailField || `${login}@users.noreply.github.com`;
+
+    return {
+      provider: 'github',
+      providerId,
+      email,
+      userName,
+      avatarUrl: avatar,
+      identityData: payloadData,
+    };
+  }
+}

package/backend/src/providers/oauth/google.provider.ts

@@ -0,0 +1,249 @@
+import axios from 'axios';
+import { OAuth2Client } from 'google-auth-library';
+import logger from '@/utils/logger.js';
+import { getApiBaseUrl } from '@/utils/environment.js';
+import { OAuthConfigService } from '@/services/auth/oauth-config.service.js';
+import type { GoogleUserInfo, OAuthUserData } from '@/types/auth.js';
+import { OAuthProvider } from './base.provider.js';
+
+/**
+ * Google OAuth Service
+ * Handles all Google OAuth operations including URL generation, token exchange, and user info verification
+ */
+export class GoogleOAuthProvider implements OAuthProvider {
+  private static instance: GoogleOAuthProvider;
+  private processedCodes: Set<string>;
+  private tokenCache: Map<string, { access_token: string; id_token: string }>;
+
+  private constructor() {
+    // Initialize OAuth helpers
+    this.processedCodes = new Set();
+    this.tokenCache = new Map();
+  }
+
+  public static getInstance(): GoogleOAuthProvider {
+    if (!GoogleOAuthProvider.instance) {
+      GoogleOAuthProvider.instance = new GoogleOAuthProvider();
+    }
+    return GoogleOAuthProvider.instance;
+  }
+
+  /**
+   * Generate Google OAuth authorization URL
+   */
+  async generateOAuthUrl(state?: string): Promise<string> {
+    const oauthConfigService = OAuthConfigService.getInstance();
+    const config = await oauthConfigService.getConfigByProvider('google');
+
+    if (!config) {
+      throw new Error('Google OAuth not configured');
+    }
+
+    const selfBaseUrl = getApiBaseUrl();
+
+    if (config?.useSharedKey) {
+      if (!state) {
+        logger.warn('Shared Google OAuth called without state parameter');
+        throw new Error('State parameter is required for shared Google OAuth');
+      }
+      // Use shared keys if configured
+      const cloudBaseUrl = process.env.CLOUD_API_HOST || 'https://api.insforge.dev';
+      const redirectUri = `${selfBaseUrl}/api/auth/oauth/shared/callback/${state}`;
+      const response = await axios.get(
+        `${cloudBaseUrl}/auth/v1/shared/google?redirect_uri=${encodeURIComponent(redirectUri)}`,
+        {
+          headers: {
+            'Content-Type': 'application/json',
+          },
+        }
+      );
+      return response.data.auth_url || response.data.url || '';
+    }
+
+    logger.debug('Google OAuth Config (fresh from DB):', {
+      clientId: config.clientId ? 'SET' : 'NOT SET',
+    });
+
+    const authUrl = new URL('https://accounts.google.com/o/oauth2/v2/auth');
+    authUrl.searchParams.set('client_id', config.clientId ?? '');
+    authUrl.searchParams.set('redirect_uri', `${selfBaseUrl}/api/auth/oauth/google/callback`);
+    authUrl.searchParams.set('response_type', 'code');
+    authUrl.searchParams.set(
+      'scope',
+      config.scopes ? config.scopes.join(' ') : 'openid email profile'
+    );
+    authUrl.searchParams.set('access_type', 'offline');
+    if (state) {
+      authUrl.searchParams.set('state', state);
+    }
+
+    return authUrl.toString();
+  }
+
+  /**
+   * Exchange Google code for tokens
+   */
+  async exchangeCodeToToken(code: string): Promise<{ access_token: string; id_token: string }> {
+    // Check cache first
+    if (this.processedCodes.has(code)) {
+      const cachedTokens = this.tokenCache.get(code);
+      if (cachedTokens) {
+        logger.debug('Returning cached tokens for already processed code.');
+        return cachedTokens;
+      }
+      throw new Error('Authorization code is currently being processed.');
+    }
+
+    const oauthConfigService = OAuthConfigService.getInstance();
+    const config = await oauthConfigService.getConfigByProvider('google');
+
+    if (!config) {
+      throw new Error('Google OAuth not configured');
+    }
+
+    try {
+      this.processedCodes.add(code);
+
+      logger.info('Exchanging Google code for tokens', {
+        hasCode: !!code,
+        clientId: config.clientId?.substring(0, 10) + '...',
+      });
+
+      const clientSecret = await oauthConfigService.getClientSecretByProvider('google');
+      const selfBaseUrl = getApiBaseUrl();
+      const response = await axios.post('https://oauth2.googleapis.com/token', {
+        code,
+        client_id: config.clientId,
+        client_secret: clientSecret,
+        redirect_uri: `${selfBaseUrl}/api/auth/oauth/google/callback`,
+        grant_type: 'authorization_code',
+      });
+
+      if (!response.data.access_token || !response.data.id_token) {
+        throw new Error('Failed to get tokens from Google');
+      }
+
+      const result = {
+        access_token: response.data.access_token,
+        id_token: response.data.id_token,
+      };
+
+      // Cache the successful token exchange
+      this.tokenCache.set(code, result);
+
+      // Set a timeout to clear the code and cache to prevent memory leaks
+      setTimeout(() => {
+        this.processedCodes.delete(code);
+        this.tokenCache.delete(code);
+      }, 60000); // 1 minute timeout
+
+      return result;
+    } catch (error) {
+      // If the request fails, remove the code immediately to allow for a retry
+      this.processedCodes.delete(code);
+
+      if (axios.isAxiosError(error) && error.response) {
+        logger.error('Google token exchange failed', {
+          status: error.response.status,
+          error: error.response.data,
+        });
+        throw new Error(`Google OAuth error: ${JSON.stringify(error.response.data)}`);
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Verify Google ID token and get user info
+   */
+  async verifyToken(idToken: string): Promise<GoogleUserInfo> {
+    const oauthConfigService = OAuthConfigService.getInstance();
+    const config = await oauthConfigService.getConfigByProvider('google');
+
+    if (!config) {
+      throw new Error('Google OAuth not configured');
+    }
+
+    const clientSecret = await oauthConfigService.getClientSecretByProvider('google');
+
+    if (!clientSecret) {
+      throw new Error('Google Client Secret not configured.');
+    }
+
+    // Create OAuth2Client with fresh config
+    const googleClient = new OAuth2Client(config.clientId, clientSecret, config.redirectUri);
+
+    try {
+      // Properly verify the ID token with Google's servers
+      const ticket = await googleClient.verifyIdToken({
+        idToken,
+        audience: config.clientId,
+      });
+
+      const payload = ticket.getPayload();
+      if (!payload) {
+        throw new Error('Invalid Google token payload');
+      }
+
+      return {
+        sub: payload.sub,
+        email: payload.email || '',
+        email_verified: payload.email_verified || false,
+        name: payload.name || '',
+        picture: payload.picture || '',
+        given_name: payload.given_name || '',
+        family_name: payload.family_name || '',
+        locale: payload.locale || '',
+      };
+    } catch (error) {
+      logger.error('Google token verification failed:', error);
+      throw new Error(`Google token verification failed: ${error}`);
+    }
+  }
+
+  /**
+   * Handle Google OAuth callback
+   */
+  async handleCallback(payload: { code?: string; token?: string }): Promise<OAuthUserData> {
+    let googleUserInfo: GoogleUserInfo;
+
+    if (payload.token) {
+      googleUserInfo = await this.verifyToken(payload.token);
+    } else if (payload.code) {
+      const tokens = await this.exchangeCodeToToken(payload.code);
+      googleUserInfo = await this.verifyToken(tokens.id_token);
+    } else {
+      throw new Error('No authorization code or token provided');
+    }
+
+    // Transform Google user info to generic format
+    const userName = googleUserInfo.name || googleUserInfo.email.split('@')[0];
+    return {
+      provider: 'google',
+      providerId: googleUserInfo.sub,
+      email: googleUserInfo.email,
+      userName,
+      avatarUrl: googleUserInfo.picture || '',
+      identityData: googleUserInfo,
+    };
+  }
+
+  /**
+   * Handle shared callback payload transformation
+   */
+  handleSharedCallback(payloadData: Record<string, unknown>): OAuthUserData {
+    const providerId = String(payloadData.providerId ?? '');
+    const email = String(payloadData.email ?? '');
+    const name = String(payloadData.name ?? '');
+    const avatar = String(payloadData.avatar ?? '');
+
+    return {
+      provider: 'google',
+      providerId,
+      email,
+      userName: name || email.split('@')[0],
+      avatarUrl: avatar,
+      identityData: payloadData,
+    };
+  }
+}

package/backend/src/providers/oauth/index.ts

@@ -0,0 +1,8 @@
+export { GoogleOAuthProvider } from './google.provider.js';
+export { GitHubOAuthProvider } from './github.provider.js';
+export { DiscordOAuthProvider } from './discord.provider.js';
+export { LinkedInOAuthProvider } from './linkedin.provider.js';
+export { FacebookOAuthProvider } from './facebook.provider.js';
+export { MicrosoftOAuthProvider } from './microsoft.provider.js';
+export { XOAuthProvider } from './x.provider.js';
+export { AppleOAuthProvider } from './apple.provider.js';

package/backend/src/providers/oauth/linkedin.provider.ts

@@ -0,0 +1,240 @@
+import axios from 'axios';
+import logger from '@/utils/logger.js';
+import { getApiBaseUrl } from '@/utils/environment.js';
+import { OAuthConfigService } from '@/services/auth/oauth-config.service.js';
+import { OAuthProvider } from './base.provider.js';
+import type { LinkedInUserInfo, OAuthUserData } from '@/types/auth.js';
+
+/**
+ * LinkedIn OAuth Service
+ * Handles all LinkedIn OAuth operations including URL generation, token exchange, and user info verification
+ */
+export class LinkedInOAuthProvider implements OAuthProvider {
+  private static instance: LinkedInOAuthProvider;
+  private processedCodes: Set<string>;
+  private tokenCache: Map<string, { access_token: string; id_token: string }>;
+
+  private constructor() {
+    // Initialize OAuth helpers
+    this.processedCodes = new Set();
+    this.tokenCache = new Map();
+  }
+
+  public static getInstance(): LinkedInOAuthProvider {
+    if (!LinkedInOAuthProvider.instance) {
+      LinkedInOAuthProvider.instance = new LinkedInOAuthProvider();
+    }
+    return LinkedInOAuthProvider.instance;
+  }
+
+  /**
+   * Generate LinkedIn OAuth authorization URL
+   */
+  async generateOAuthUrl(state?: string): Promise<string> {
+    const oAuthConfigService = OAuthConfigService.getInstance();
+    const config = await oAuthConfigService.getConfigByProvider('linkedin');
+
+    if (!config) {
+      throw new Error('LinkedIn OAuth not configured');
+    }
+
+    const selfBaseUrl = getApiBaseUrl();
+
+    if (config?.useSharedKey) {
+      if (!state) {
+        logger.warn('Shared LinkedIn OAuth called without state parameter');
+        throw new Error('State parameter is required for shared LinkedIn OAuth');
+      }
+      const cloudBaseUrl = process.env.CLOUD_API_HOST || 'https://api.insforge.dev';
+      const redirectUri = `${selfBaseUrl}/api/auth/oauth/shared/callback/${state}`;
+      const response = await axios.get(
+        `${cloudBaseUrl}/auth/v1/shared/linkedin?redirect_uri=${encodeURIComponent(redirectUri)}`,
+        {
+          headers: {
+            'Content-Type': 'application/json',
+          },
+        }
+      );
+      return response.data.auth_url || response.data.url || '';
+    }
+
+    logger.debug('LinkedIn OAuth Config (fresh from DB):', {
+      clientId: config.clientId ? 'SET' : 'NOT SET',
+    });
+
+    const authUrl = new URL('https://www.linkedin.com/oauth/v2/authorization');
+    authUrl.searchParams.set('client_id', config.clientId ?? '');
+    authUrl.searchParams.set('redirect_uri', `${selfBaseUrl}/api/auth/oauth/linkedin/callback`);
+    authUrl.searchParams.set('response_type', 'code');
+    authUrl.searchParams.set(
+      'scope',
+      config.scopes ? config.scopes.join(' ') : 'openid profile email'
+    );
+    if (state) {
+      authUrl.searchParams.set('state', state);
+    }
+
+    return authUrl.toString();
+  }
+
+  /**
+   * Exchange LinkedIn code for tokens
+   */
+  async exchangeCodeToToken(code: string): Promise<{ access_token: string; id_token: string }> {
+    if (this.processedCodes.has(code)) {
+      const cachedTokens = this.tokenCache.get(code);
+      if (cachedTokens) {
+        logger.debug('Returning cached tokens for already processed code.');
+        return cachedTokens;
+      }
+      throw new Error('Authorization code is currently being processed.');
+    }
+
+    const oAuthConfigService = OAuthConfigService.getInstance();
+    const config = await oAuthConfigService.getConfigByProvider('linkedin');
+
+    if (!config) {
+      throw new Error('LinkedIn OAuth not configured');
+    }
+
+    try {
+      this.processedCodes.add(code);
+
+      logger.info('Exchanging LinkedIn code for tokens', {
+        hasCode: !!code,
+        clientId: config.clientId?.substring(0, 10) + '...',
+      });
+
+      const clientSecret = await oAuthConfigService.getClientSecretByProvider('linkedin');
+      const selfBaseUrl = getApiBaseUrl();
+      const response = await axios.post(
+        'https://www.linkedin.com/oauth/v2/accessToken',
+        new URLSearchParams({
+          code,
+          client_id: config.clientId ?? '',
+          client_secret: clientSecret ?? '',
+          redirect_uri: `${selfBaseUrl}/api/auth/oauth/linkedin/callback`,
+          grant_type: 'authorization_code',
+        }),
+        {
+          headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+          },
+        }
+      );
+
+      if (!response.data.access_token || !response.data.id_token) {
+        throw new Error('Failed to get tokens from LinkedIn');
+      }
+
+      const result = {
+        access_token: response.data.access_token,
+        id_token: response.data.id_token,
+      };
+
+      this.tokenCache.set(code, result);
+
+      setTimeout(() => {
+        this.processedCodes.delete(code);
+        this.tokenCache.delete(code);
+      }, 60000);
+
+      return result;
+    } catch (error) {
+      this.processedCodes.delete(code);
+
+      if (axios.isAxiosError(error) && error.response) {
+        logger.error('LinkedIn token exchange failed', {
+          status: error.response.status,
+          error: error.response.data,
+        });
+        throw new Error(`LinkedIn OAuth error: ${JSON.stringify(error.response.data)}`);
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Verify LinkedIn ID token and get user info
+   */
+  async verifyToken(idToken: string): Promise<LinkedInUserInfo> {
+    const oAuthConfigService = OAuthConfigService.getInstance();
+    const config = await oAuthConfigService.getConfigByProvider('linkedin');
+
+    if (!config) {
+      throw new Error('LinkedIn OAuth not configured');
+    }
+
+    try {
+      const { createRemoteJWKSet, jwtVerify } = await import('jose');
+      const JWKS = createRemoteJWKSet(new URL('https://www.linkedin.com/oauth/openid/jwks'));
+
+      const { payload } = await jwtVerify(idToken, JWKS, {
+        issuer: 'https://www.linkedin.com/oauth',
+        audience: config.clientId,
+      });
+
+      return {
+        sub: String(payload.sub),
+        email: (payload.email as string) || '',
+        email_verified: Boolean(payload.email_verified),
+        name: (payload.name as string) || '',
+        picture: (payload.picture as string) || '',
+        given_name: (payload.given_name as string) || '',
+        family_name: (payload.family_name as string) || '',
+        locale: (payload.locale as string) || '',
+      };
+    } catch (error) {
+      logger.error('LinkedIn token verification failed:', error);
+      throw new Error('LinkedIn token verification failed');
+    }
+  }
+
+  /**
+   * Handle LinkedIn OAuth callback
+   */
+  async handleCallback(payload: { code?: string; token?: string }): Promise<OAuthUserData> {
+    let linkedinUserInfo: LinkedInUserInfo;
+
+    if (payload.token) {
+      linkedinUserInfo = await this.verifyToken(payload.token);
+    } else if (payload.code) {
+      const tokens = await this.exchangeCodeToToken(payload.code);
+      linkedinUserInfo = await this.verifyToken(tokens.id_token);
+    } else {
+      throw new Error('No authorization code or token provided');
+    }
+
+    // Transform LinkedIn user info to generic format
+    const userName = linkedinUserInfo.name || linkedinUserInfo.email.split('@')[0];
+    return {
+      provider: 'linkedin',
+      providerId: linkedinUserInfo.sub,
+      email: linkedinUserInfo.email,
+      userName,
+      avatarUrl: linkedinUserInfo.picture || '',
+      identityData: linkedinUserInfo,
+    };
+  }
+
+  /**
+   * Handle shared callback payload transformation
+   */
+  handleSharedCallback(payloadData: Record<string, unknown>): OAuthUserData {
+    const providerId = String(payloadData.providerId ?? '');
+    const email = String(payloadData.email ?? '');
+    const name = String(payloadData.name ?? '');
+    const avatar = String(payloadData.avatar ?? '');
+
+    const userName = name || email.split('@')[0];
+
+    return {
+      provider: 'linkedin',
+      providerId,
+      email,
+      userName,
+      avatarUrl: avatar,
+      identityData: payloadData,
+    };
+  }
+}