insforge 0.3.3 → 1.3.0

package/backend/src/providers/oauth/microsoft.provider.ts

@@ -0,0 +1,169 @@
+import axios from 'axios';
+import logger from '@/utils/logger.js';
+import { getApiBaseUrl } from '@/utils/environment.js';
+import { OAuthConfigService } from '@/services/auth/oauth-config.service.js';
+import { OAuthProvider } from './base.provider.js';
+import type { MicrosoftUserInfo, OAuthUserData } from '@/types/auth.js';
+
+/**
+ * Microsoft OAuth Service
+ * Handles all Microsoft OAuth operations including URL generation, token exchange, and user info retrieval
+ */
+export class MicrosoftOAuthProvider implements OAuthProvider {
+  private static instance: MicrosoftOAuthProvider;
+
+  private constructor() {
+    // Initialize OAuth helpers if needed
+  }
+
+  public static getInstance(): MicrosoftOAuthProvider {
+    if (!MicrosoftOAuthProvider.instance) {
+      MicrosoftOAuthProvider.instance = new MicrosoftOAuthProvider();
+    }
+    return MicrosoftOAuthProvider.instance;
+  }
+
+  /**
+   * Generate Microsoft OAuth authorization URL
+   */
+  async generateOAuthUrl(state?: string): Promise<string> {
+    const oAuthConfigService = OAuthConfigService.getInstance();
+    const config = await oAuthConfigService.getConfigByProvider('microsoft');
+    if (!config) {
+      throw new Error('Microsoft OAuth not configured');
+    }
+
+    const selfBaseUrl = getApiBaseUrl();
+
+    logger.debug('Microsoft OAuth Config (fresh from DB):', {
+      clientId: config.clientId ? 'SET' : 'NOT SET',
+    });
+
+    // Note: shared-keys path not implemented for Microsoft; configure local keys
+    const authUrl = new URL('https://login.microsoftonline.com/common/oauth2/v2.0/authorize');
+    authUrl.searchParams.set('client_id', config.clientId ?? '');
+    authUrl.searchParams.set('response_type', 'code');
+    authUrl.searchParams.set('redirect_uri', `${selfBaseUrl}/api/auth/oauth/microsoft/callback`);
+    authUrl.searchParams.set(
+      'scope',
+      config.scopes && config.scopes.length > 0
+        ? config.scopes.join(' ')
+        : 'openid email profile offline_access User.Read'
+    );
+    if (state) {
+      authUrl.searchParams.set('state', state);
+    }
+    return authUrl.toString();
+  }
+
+  /**
+   * Exchange Microsoft code for tokens
+   */
+  async exchangeCodeToToken(code: string): Promise<{ access_token: string; id_token?: string }> {
+    const oAuthConfigService = OAuthConfigService.getInstance();
+    const config = await oAuthConfigService.getConfigByProvider('microsoft');
+    if (!config) {
+      throw new Error('Microsoft OAuth not configured');
+    }
+
+    try {
+      logger.info('Exchanging Microsoft code for tokens', {
+        hasCode: !!code,
+        clientId: config.clientId?.substring(0, 10) + '...',
+      });
+
+      const clientSecret = await oAuthConfigService.getClientSecretByProvider('microsoft');
+      const selfBaseUrl = getApiBaseUrl();
+
+      const body = new URLSearchParams({
+        client_id: config.clientId ?? '',
+        client_secret: clientSecret ?? '',
+        code,
+        redirect_uri: `${selfBaseUrl}/api/auth/oauth/microsoft/callback`,
+        grant_type: 'authorization_code',
+        scope:
+          config.scopes && config.scopes.length > 0
+            ? config.scopes.join(' ')
+            : 'openid email profile offline_access User.Read',
+      });
+
+      const response = await axios.post(
+        'https://login.microsoftonline.com/common/oauth2/v2.0/token',
+        body.toString(),
+        {
+          headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        }
+      );
+
+      if (!response.data.access_token) {
+        throw new Error('Failed to get access token from Microsoft');
+      }
+      return {
+        access_token: response.data.access_token,
+        id_token: response.data.id_token, // optional
+      };
+    } catch (error) {
+      if (axios.isAxiosError(error) && error.response) {
+        logger.error('Microsoft token exchange failed', {
+          status: error.response.status,
+          error: error.response.data,
+        });
+        throw new Error(`Microsoft OAuth error: ${JSON.stringify(error.response.data)}`);
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Get Microsoft user info via Graph API
+   */
+  async getUserInfo(accessToken: string): Promise<MicrosoftUserInfo> {
+    try {
+      const userResp = await axios.get('https://graph.microsoft.com/v1.0/me', {
+        headers: { Authorization: `Bearer ${accessToken}` },
+      });
+
+      const data = userResp.data as {
+        id: string;
+        displayName?: string;
+        userPrincipalName?: string;
+        mail?: string | null;
+      };
+
+      const email = data.mail || data.userPrincipalName || `${data.id}@users.noreply.microsoft.com`;
+      const name = data.displayName || data.userPrincipalName || email;
+
+      return {
+        id: data.id,
+        email,
+        name,
+      };
+    } catch (error) {
+      logger.error('Microsoft user info retrieval failed:', error);
+      throw new Error(`Failed to get Microsoft user info: ${error}`);
+    }
+  }
+
+  /**
+   * Handle Microsoft OAuth callback
+   */
+  async handleCallback(payload: { code?: string; token?: string }): Promise<OAuthUserData> {
+    if (!payload.code) {
+      throw new Error('No authorization code provided');
+    }
+
+    const tokens = await this.exchangeCodeToToken(payload.code);
+    const microsoftUserInfo = await this.getUserInfo(tokens.access_token);
+
+    // Transform Microsoft user info to generic format
+    const userName = microsoftUserInfo.name || microsoftUserInfo.email.split('@')[0] || 'user';
+    return {
+      provider: 'microsoft',
+      providerId: microsoftUserInfo.id,
+      email: microsoftUserInfo.email,
+      userName,
+      avatarUrl: '', // Microsoft doesn't provide avatar in basic profile
+      identityData: microsoftUserInfo,
+    };
+  }
+}

package/backend/src/providers/oauth/x.provider.ts

@@ -0,0 +1,202 @@
+import crypto from 'crypto';
+import { XUserInfo, OAuthUserData } from '@/types/auth.js';
+import { getApiBaseUrl } from '@/utils/environment.js';
+import logger from '@/utils/logger.js';
+import { OAuthProvider } from './base.provider.js';
+import axios from 'axios';
+import { OAuthConfigService } from '@/services/auth/oauth-config.service.js';
+
+export class XOAuthProvider implements OAuthProvider {
+  private static instance: XOAuthProvider;
+  // OAuth helper for X(Twitter)
+  private verifierCodes: Map<string, string>;
+
+  private constructor() {
+    this.verifierCodes = new Map();
+  }
+
+  public static getInstance(): XOAuthProvider {
+    if (!XOAuthProvider.instance) {
+      XOAuthProvider.instance = new XOAuthProvider();
+    }
+    return XOAuthProvider.instance;
+  }
+
+  /**
+   * Generate X OAuth authorization URL
+   */
+  async generateOAuthUrl(state?: string): Promise<string> {
+    const oauthConfigService = OAuthConfigService.getInstance();
+    const config = await oauthConfigService.getConfigByProvider('x');
+    const verifier = crypto.randomBytes(32).toString('base64url');
+    const challenge = crypto.createHash('sha256').update(verifier).digest('base64url');
+
+    if (!config) {
+      throw new Error('X OAuth not configured');
+    }
+
+    const selfBaseUrl = getApiBaseUrl();
+
+    if (!state) {
+      throw new Error('State parameter is required.');
+    }
+    this.verifierCodes.set(state, verifier);
+    setTimeout(() => {
+      this.verifierCodes.delete(state);
+    }, 600000);
+
+    if (config?.useSharedKey) {
+      // Use shared keys if configured
+      const cloudBasedUrl = process.env.CLOUD_API_HOST || 'https://api.insforge.dev';
+      const redirectUri = `${selfBaseUrl}/api/auth/oauth/shared/callback/${state}`;
+      const response = await axios.get(
+        `${cloudBasedUrl}/oauth/twitter?redirect_uri=${encodeURIComponent(redirectUri)}`,
+        {
+          headers: {
+            'Content-Type': 'application/json',
+          },
+        }
+      );
+      return response.data.auth_url || response.data.url || '';
+    }
+
+    logger.debug('X OAuth Config (fresh from DB):', {
+      clientId: config.clientId ? 'SET' : 'NOT SET',
+    });
+
+    const authUrl = new URL('https://twitter.com/i/oauth2/authorize');
+    authUrl.searchParams.set('response_type', 'code');
+    authUrl.searchParams.set('client_id', config.clientId ?? '');
+    authUrl.searchParams.set('redirect_uri', `${selfBaseUrl}/api/auth/oauth/x/callback`);
+    authUrl.searchParams.set(
+      'scope',
+      config.scopes ? config.scopes.join(' ') : 'tweet.read users.read'
+    );
+    authUrl.searchParams.set('state', state ?? '');
+    authUrl.searchParams.set('code_challenge', challenge);
+    authUrl.searchParams.set('code_challenge_method', 'S256');
+
+    return authUrl.toString();
+  }
+
+  /**
+   *  Exchange X code for access token
+   */
+  async exchangeXCodeForToken(code: string, state: string): Promise<string> {
+    const verifier = this.verifierCodes.get(state);
+
+    if (!verifier) {
+      throw new Error('Missing or expired PKCE verifier for this state');
+    }
+
+    // Immediately remove it to prevent replay
+    this.verifierCodes.delete(state);
+
+    const oauthConfigService = OAuthConfigService.getInstance();
+    const config = await oauthConfigService.getConfigByProvider('x');
+
+    if (!config) {
+      throw new Error('X OAuth not configured');
+    }
+
+    const clientSecret = await oauthConfigService.getClientSecretByProvider('x');
+    const selfBaseUrl = getApiBaseUrl();
+
+    const body = new URLSearchParams({
+      code,
+      grant_type: 'authorization_code',
+      client_id: config.clientId ?? '',
+      redirect_uri: `${selfBaseUrl}/api/auth/oauth/x/callback`,
+      code_verifier: verifier,
+    });
+
+    const response = await axios.post('https://api.twitter.com/2/oauth2/token', body.toString(), {
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+        Authorization:
+          'Basic ' + Buffer.from(`${config.clientId}:${clientSecret}`).toString('base64'),
+      },
+    });
+
+    if (!response.data.access_token) {
+      throw new Error('Failed to get access token from X');
+    }
+
+    return response.data.access_token;
+  }
+
+  /**
+   * Get X user info
+   */
+  async getXUserInfo(accessToken: string): Promise<XUserInfo> {
+    const userResponse = await axios.get('https://api.twitter.com/2/users/me', {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+      },
+      params: {
+        'user.fields': 'id,name,username,profile_image_url,verified',
+      },
+    });
+
+    const userData = userResponse.data.data;
+
+    return {
+      id: userData.id,
+      name: userData.name,
+      username: userData.username,
+      profile_image_url: userData.profile_image_url,
+      verified: userData.verified,
+    };
+  }
+
+  /**
+   * Handle X OAuth callback
+   */
+  async handleCallback(payload: {
+    code?: string;
+    token?: string;
+    state?: string;
+  }): Promise<OAuthUserData> {
+    if (!payload.code || !payload.state) {
+      throw new Error('No authorization code or state provided');
+    }
+
+    const accessToken = await this.exchangeXCodeForToken(payload.code, payload.state);
+    const xUserInfo = await this.getXUserInfo(accessToken);
+
+    // Transform X user info to generic format
+    const userName = xUserInfo.username || xUserInfo.name || `user${xUserInfo.id.substring(0, 8)}`;
+    const email = `${userName}@users.noreply.x.local`;
+
+    return {
+      provider: 'x',
+      providerId: xUserInfo.id,
+      email,
+      userName,
+      avatarUrl: xUserInfo.profile_image_url || '',
+      identityData: xUserInfo,
+    };
+  }
+
+  /**
+   * Handle shared callback payload transformation
+   */
+  handleSharedCallback(payloadData: Record<string, unknown>): OAuthUserData {
+    const providerId = String(payloadData.providerId ?? '');
+    const username = String(payloadData.username ?? '');
+    const name = String(payloadData.name ?? '');
+    const profileImageUrl = String(payloadData.profile_image_url ?? '');
+
+    const userName = username || name || `user${providerId.substring(0, 8)}`;
+    const email = `${userName}@users.noreply.x.local`;
+
+    return {
+      provider: 'x',
+      providerId,
+      email,
+      userName,
+      avatarUrl: profileImageUrl,
+      identityData: payloadData,
+    };
+  }
+}

package/backend/src/providers/storage/base.provider.ts

@@ -0,0 +1,29 @@
+import { UploadStrategyResponse, DownloadStrategyResponse } from '@insforge/shared-schemas';
+
+/**
+ * Storage provider interface
+ * Defines the contract that all storage providers must implement
+ */
+export interface StorageProvider {
+  initialize(): void | Promise<void>;
+  putObject(bucket: string, key: string, file: Express.Multer.File): Promise<void>;
+  getObject(bucket: string, key: string): Promise<Buffer | null>;
+  deleteObject(bucket: string, key: string): Promise<void>;
+  createBucket(bucket: string): Promise<void>;
+  deleteBucket(bucket: string): Promise<void>;
+
+  // Presigned URL support
+  supportsPresignedUrls(): boolean;
+  getUploadStrategy(
+    bucket: string,
+    key: string,
+    metadata: { contentType?: string; size?: number }
+  ): Promise<UploadStrategyResponse>;
+  getDownloadStrategy(
+    bucket: string,
+    key: string,
+    expiresIn?: number,
+    isPublic?: boolean
+  ): Promise<DownloadStrategyResponse>;
+  verifyObjectExists(bucket: string, key: string): Promise<boolean>;
+}

package/backend/src/providers/storage/local.provider.ts

@@ -0,0 +1,103 @@
+import fs from 'fs/promises';
+import path from 'path';
+import { UploadStrategyResponse, DownloadStrategyResponse } from '@insforge/shared-schemas';
+import { StorageProvider } from './base.provider.js';
+import { getApiBaseUrl } from '@/utils/environment.js';
+
+/**
+ * Local filesystem storage implementation
+ */
+export class LocalStorageProvider implements StorageProvider {
+  constructor(private baseDir: string) {}
+
+  async initialize(): Promise<void> {
+    await fs.mkdir(this.baseDir, { recursive: true });
+  }
+
+  private getFilePath(bucket: string, key: string): string {
+    return path.join(this.baseDir, bucket, key);
+  }
+
+  async putObject(bucket: string, key: string, file: Express.Multer.File): Promise<void> {
+    const filePath = this.getFilePath(bucket, key);
+    await fs.mkdir(path.dirname(filePath), { recursive: true });
+    await fs.writeFile(filePath, file.buffer);
+  }
+
+  async getObject(bucket: string, key: string): Promise<Buffer | null> {
+    try {
+      const filePath = this.getFilePath(bucket, key);
+      return await fs.readFile(filePath);
+    } catch {
+      return null;
+    }
+  }
+
+  async deleteObject(bucket: string, key: string): Promise<void> {
+    try {
+      const filePath = this.getFilePath(bucket, key);
+      await fs.unlink(filePath);
+    } catch {
+      // File might not exist, continue
+    }
+  }
+
+  async createBucket(bucket: string): Promise<void> {
+    const bucketPath = path.join(this.baseDir, bucket);
+    await fs.mkdir(bucketPath, { recursive: true });
+  }
+
+  async deleteBucket(bucket: string): Promise<void> {
+    try {
+      await fs.rmdir(path.join(this.baseDir, bucket), { recursive: true });
+    } catch {
+      // Directory might not exist
+    }
+  }
+
+  // Local storage doesn't support presigned URLs
+  supportsPresignedUrls(): boolean {
+    return false;
+  }
+
+  getUploadStrategy(
+    bucket: string,
+    key: string,
+    _metadata: { contentType?: string; size?: number }
+  ): Promise<UploadStrategyResponse> {
+    // For local storage, return direct upload strategy with absolute URL
+    const baseUrl = getApiBaseUrl();
+    return Promise.resolve({
+      method: 'direct',
+      uploadUrl: `${baseUrl}/api/storage/buckets/${bucket}/objects/${encodeURIComponent(key)}`,
+      key,
+      confirmRequired: false,
+    });
+  }
+
+  getDownloadStrategy(
+    bucket: string,
+    key: string,
+    _expiresIn?: number,
+    _isPublic?: boolean
+  ): Promise<DownloadStrategyResponse> {
+    // For local storage, return direct download URL with absolute URL
+    const baseUrl = getApiBaseUrl();
+    return Promise.resolve({
+      method: 'direct',
+      url: `${baseUrl}/api/storage/buckets/${bucket}/objects/${encodeURIComponent(key)}`,
+    });
+  }
+
+  async verifyObjectExists(bucket: string, key: string): Promise<boolean> {
+    // For local storage, check if file exists on disk
+    try {
+      const filePath = this.getFilePath(bucket, key);
+      await fs.access(filePath);
+      return true;
+    } catch {
+      // File doesn't exist
+      return false;
+    }
+  }
+}