k-linkedin-mcp 0.1.0 → 0.2.0

package/.gitlab-ci.yml

@@ -1,15 +1,11 @@
 # linkedin-mcp — GitLab CI/CD Pipeline
-# Stages: test → build image → deploy to homelab
+# test: shared runner (bun image)
+# deploy: homelab runner (runs directly on the server — no SSH needed)
 
 stages:
   - test
-  - build
   - deploy
 
-variables:
-  IMAGE_NAME: registry.gitlab.com/kpihx-labs/linkedin-mcp
-  CONTAINER_NAME: linkedin_mcp
-
 # ── Test ──────────────────────────────────────────────────────────────────────
 
 test:
@@ -18,61 +14,48 @@ test:
   script:
     - bun install --frozen-lockfile
     - bun test
-  coverage: '/\d+ pass/'
-  artifacts:
-    reports:
-      junit: test-results.xml
-    when: always
-    expire_in: 7 days
   rules:
     - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
     - if: '$CI_COMMIT_BRANCH == "main"'
     - if: '$CI_COMMIT_BRANCH == "develop"'
 
-# ── Build Docker image ────────────────────────────────────────────────────────
-
-build:
-  stage: build
-  image: docker:27
-  services:
-    - docker:27-dind
-  before_script:
-    - echo "$CI_REGISTRY_PASSWORD" | docker login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin
-  script:
-    - docker build -t $IMAGE_NAME:$CI_COMMIT_SHORT_SHA -t $IMAGE_NAME:latest .
-    - docker push $IMAGE_NAME:$CI_COMMIT_SHORT_SHA
-    - docker push $IMAGE_NAME:latest
-  rules:
-    - if: '$CI_COMMIT_BRANCH == "main"'
-
 # ── Deploy to Homelab ─────────────────────────────────────────────────────────
 
 deploy:
   stage: deploy
-  image: alpine:3.20
-  before_script:
-    - apk add --no-cache openssh-client
-    - mkdir -p ~/.ssh
-    - echo "$HOMELAB_SSH_KEY" > ~/.ssh/id_ed25519
-    - chmod 600 ~/.ssh/id_ed25519
-    - ssh-keyscan -H $HOMELAB_HOST >> ~/.ssh/known_hosts
+  tags:
+    - homelab
+  only:
+    - main
+  needs:
+    - test
   script:
+    - echo "Deploying linkedin-mcp to the homelab..."
+    - cd deploy
+    - echo "LINKEDIN_CLIENT_ID=$LINKEDIN_CLIENT_ID"                         > .env
+    - echo "LINKEDIN_CLIENT_SECRET=$LINKEDIN_CLIENT_SECRET"                >> .env
+    - echo "TELEGRAM_LINKEDIN_HOMELAB_TOKEN=$TELEGRAM_LINKEDIN_HOMELAB_TOKEN" >> .env
+    - echo "TELEGRAM_CHAT_IDS=$TELEGRAM_CHAT_IDS"                          >> .env
+    - echo "LINKEDIN_MCP_HTTP_HOST=0.0.0.0"                                >> .env
+    - echo "LINKEDIN_MCP_HTTP_PORT=8095"                                   >> .env
+    - echo "LINKEDIN_MCP_HTTP_PATH=/mcp"                                   >> .env
+    - echo "LINKEDIN_MCP_PUBLIC_URL=https://linkedin.kpihx-labs.com"       >> .env
+    - echo "LINKEDIN_STATE_DIR=/data/state"                                >> .env
+    - docker compose -p linkedin-mcp config -q
+    - docker rm -f linkedin-mcp || true
+    - docker compose -p linkedin-mcp up -d --build --remove-orphans
     - |
-      ssh -i ~/.ssh/id_ed25519 kpihx@$HOMELAB_HOST "
-        echo '$CI_REGISTRY_PASSWORD' | docker login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin
-        docker pull $IMAGE_NAME:latest
-        cd ~/stacks/linkedin-mcp && docker compose pull && docker compose up -d --remove-orphans
-        docker image prune -f
-      "
-  environment:
-    name: homelab
-    url: https://linkedin.kpihx-labs.com
-  rules:
-    - if: '$CI_COMMIT_BRANCH == "main"'
-  needs: [build]
-
-# ── Variables to define in GitLab CI/CD Settings → Variables ─────────────────
-# HOMELAB_SSH_KEY    — private SSH key for homelab deploy user (masked, protected)
-# HOMELAB_HOST       — homelab IP/hostname reachable from CI runner (masked)
-# CI_REGISTRY_USER   — GitLab container registry user (auto)
-# CI_REGISTRY_PASSWORD — GitLab registry password / deploy token (masked)
+      for attempt in $(seq 1 20); do
+        status="$(docker inspect --format '{{if .State.Health}}{{.State.Health.Status}}{{else}}starting{{end}}' linkedin-mcp 2>/dev/null || true)"
+        if [ "$status" = "healthy" ]; then
+          break
+        fi
+        if [ "$status" = "unhealthy" ]; then
+          docker logs --tail 200 linkedin-mcp
+          exit 1
+        fi
+        sleep 3
+      done
+    - docker inspect --format '{{.State.Health.Status}}' linkedin-mcp | grep -qx healthy
+    - docker exec linkedin-mcp bun -e "fetch('http://127.0.0.1:8095/health').then(r=>{if(!r.ok)process.exit(1);console.log('health OK')}).catch(()=>process.exit(1))"
+    - docker image prune -f

package/CHANGELOG.md

@@ -2,6 +2,21 @@
 
 ---
 
+## [0.2.0] — 2026-03-22
+
+### Added
+- [x] Unified credential management — CLI, HTTP, Telegram: `client-id set/unset`, `client-secret set/unset`, `token set/unset`
+- [x] Admin env file pattern (`LINKEDIN_ADMIN_ENV_FILE`, default `/data/linkedin-admin.env`) — persists credentials across restarts
+- [x] `auth --port N` option to avoid `EADDRINUSE` (default port moved to 3001 via `config.json`)
+- [x] OAuth callback port externalized to `config.json` (not hardcoded — DEFAULTS remain 3000 as last-resort fallback)
+- [x] New HTTP POST routes: `/admin/{client-id,client-secret,token}/{set,unset}`
+- [x] New Telegram commands: `/token_set`, `/token_unset`, `/client_id_set`, `/client_id_unset`, `/client_secret_set`, `/client_secret_unset`
+- [x] Status table cleaned: shows `LINKEDIN_CLIENT_ID`, `LINKEDIN_CLIENT_SECRET`, `OAuth Token` — Telegram token removed
+- [x] 61 tests (18 new) — all pass
+
+### Fixed
+- [x] `TELEGRAM_LINKEDIN_TOKEN` → `TELEGRAM_LINKEDIN_HOMELAB_TOKEN` reference in HTTP status handler
+
 ## [0.1.0] — 2026-03-22
 
 ### Added

package/Dockerfile

@@ -16,6 +16,7 @@ RUN chmod +x /app/src/main.js /app/src/admin.js /app/src/admin/cli.js \
 
 ENV NODE_ENV=production
 ENV LINKEDIN_STATE_DIR=/data/state
+ENV LINKEDIN_ADMIN_ENV_FILE=/data/linkedin-admin.env
 ENV LINKEDIN_MCP_HTTP_HOST=0.0.0.0
 ENV LINKEDIN_MCP_HTTP_PORT=8095
 ENV LINKEDIN_MCP_HTTP_PATH=/mcp

package/PRIVACY.md

@@ -0,0 +1,36 @@
+# Privacy Policy — linkedin-mcp
+
+**Last updated: 2026-03-22**
+
+## Overview
+
+`linkedin-mcp` is a personal tool used exclusively by its author (KpihX / Ivann KAMDEM).
+It is not a public service and has no end-users other than the author.
+
+## Data collected
+
+This application does **not** collect, store, or share any personal data from third parties.
+
+The only data persisted is:
+
+- **LinkedIn OAuth token** — stored locally on the author's own infrastructure (`~/.mcps/linkedin/token.json`), containing the access token, expiry date, and the author's own LinkedIn member ID, name, and email. This data is never transmitted to any third party.
+- **Admin logs** — operational log lines (auth events, command invocations) stored locally in `~/.mcps/linkedin/linkedin-admin.log`. These logs are never transmitted externally.
+
+## LinkedIn API usage
+
+This application uses the official LinkedIn OAuth 2.0 API with the following scopes:
+
+- `openid` — identity verification
+- `profile` — read own profile
+- `email` — read own email
+- `w_member_social` — post, like, and comment as the authenticated member
+
+All API calls are made exclusively on behalf of the authenticated member (the author) to their own LinkedIn account.
+
+## Third-party services
+
+No analytics, tracking, telemetry, or third-party SDKs are included.
+
+## Contact
+
+For any questions: [GitHub](https://github.com/KpihX/linkedin-mcp)

package/config.json

@@ -8,8 +8,8 @@
     "fallback_base_url": "https://linkedin.homelab"
   },
   "oauth": {
-    "redirect_port": 3000,
-    "redirect_uri": "http://localhost:3000/callback",
+    "redirect_port": 3001,
+    "redirect_uri": "http://localhost:3001/callback",
     "scopes": ["openid", "profile", "email", "w_member_social"]
   },
   "logging": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "k-linkedin-mcp",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "MCP server for LinkedIn — intent-first posting, profile management, and professional networking over stdio and HTTP.",
   "main": "src/main.js",
   "bin": {

package/src/.env.example

@@ -7,8 +7,8 @@ LINKEDIN_CLIENT_SECRET=your_client_secret_here
 # LINKEDIN_ACCESS_TOKEN=your_access_token_here
 
 # Optional: Telegram admin bot
-# TELEGRAM_LINKEDIN_TOKEN=your_bot_token_here   (from @BotFather)
-# TELEGRAM_CHAT_IDS=123456789,987654321         (comma-separated chat IDs)
+# TELEGRAM_LINKEDIN_HOMELAB_TOKEN=your_bot_token_here   (from @BotFather)
+# TELEGRAM_CHAT_IDS=123456789,987654321                 (comma-separated chat IDs)
 
 # Optional server overrides
 # LINKEDIN_MCP_HTTP_HOST=0.0.0.0

package/src/admin/cli.js

@@ -3,37 +3,119 @@
  * linkedin-mcp — Admin CLI (linkedin-admin).
  *
  * Commands:
- *   auth             Start OAuth 2.0 flow (opens browser, saves token)
- *   status [--json]  Show token + member info
- *   logout           Clear stored token
- *   logs [--lines N] Tail the admin log
- *   health           Show HTTP endpoint URLs
- *   urls             Show all public URLs
- *   guide            Show admin capabilities
+ *   auth [--port N]          Start OAuth 2.0 flow (opens browser, saves token)
+ *   status [--json]          Show credentials + token status table
+ *   logout                   Clear stored token
+ *   logs [--lines N]         Tail the admin log
+ *   health                   Show HTTP endpoint URLs
+ *   urls                     Show all public URLs
+ *   client-id set <value>    Set LINKEDIN_CLIENT_ID in admin env file
+ *   client-id unset          Clear LINKEDIN_CLIENT_ID from admin env file
+ *   client-secret set <v>    Set LINKEDIN_CLIENT_SECRET in admin env file
+ *   client-secret unset      Clear LINKEDIN_CLIENT_SECRET from admin env file
+ *   token set <value>        Set access token directly (bypasses OAuth)
+ *   token unset              Clear stored access token (logout)
  */
 
 "use strict";
 
 const { Command } = require("commander");
 
-const { loadConfig }       = require("../config");
-const { tokenSummary, clearToken } = require("../token");
-const { runOAuthFlow }     = require("./oauth");
+const { loadConfig, resolveEnv, ENV_VARS } = require("../config");
+const { tokenSummary, clearToken }         = require("../token");
+const { runOAuthFlow }                     = require("./oauth");
 const {
+  adminEnvFilePath,
   adminHelpText,
+  appendAdminLog,
   getLogsText,
+  getSecretsStatus,
   healthSummaryText,
+  setAccessToken,
+  setClientId,
+  setClientSecret,
   statusSummaryText,
+  unsetAccessToken,
+  unsetClientId,
+  unsetClientSecret,
   urlsSummary,
-  appendAdminLog,
 } = require("./service");
 
 const PKG = require("../../package.json");
 
+// ── Simple Rich-style table renderer ─────────────────────────────────────────
+
+function _pad(str, len) {
+  return String(str || "").padEnd(len);
+}
+
+function _printStatusTable(title, rows) {
+  // rows: [{ variable, status, masked, source }]
+  const cols = [
+    { key: "variable", label: "Variable",       width: 36 },
+    { key: "status",   label: "Status",         width: 11 },
+    { key: "masked",   label: "Value (masked)",  width: 16 },
+    { key: "source",   label: "Source",          width: 24 },
+  ];
+  const tl = "╭", tr = "╮", bl = "╰", br = "╯";
+  const ml = "├", mr = "┤", cross = "┼";
+  const vl = "│";
+  const hl = "─";
+
+  const totalWidth = cols.reduce((s, c) => s + c.width + 3, 1);
+
+  // Top border
+  let top = tl;
+  cols.forEach((c, i) => {
+    top += hl.repeat(c.width + 2);
+    top += (i < cols.length - 1) ? "┬" : tr;
+  });
+
+  // Header row
+  let header = vl;
+  cols.forEach((c) => {
+    header += ` ${_pad(c.label, c.width)} ${vl}`;
+  });
+
+  // Middle separator
+  let mid = ml;
+  cols.forEach((c, i) => {
+    mid += hl.repeat(c.width + 2);
+    mid += (i < cols.length - 1) ? cross : mr;
+  });
+
+  // Bottom border
+  let bot = bl;
+  cols.forEach((c, i) => {
+    bot += hl.repeat(c.width + 2);
+    bot += (i < cols.length - 1) ? "┴" : br;
+  });
+
+  const titlePad = Math.floor((totalWidth - 2 - title.length) / 2);
+  console.log(" ".repeat(Math.max(0, titlePad)) + title);
+  console.log(top);
+  console.log(header);
+  console.log(mid);
+
+  rows.forEach((r, idx) => {
+    let row = vl;
+    row += ` ${_pad(r.variable, cols[0].width)} ${vl}`;
+    row += ` ${_pad(r.status,   cols[1].width)} ${vl}`;
+    row += ` ${_pad(r.masked,   cols[2].width)} ${vl}`;
+    row += ` ${_pad(r.source,   cols[3].width)} ${vl}`;
+    console.log(row);
+    if (idx < rows.length - 1) console.log(mid);
+  });
+
+  console.log(bot);
+}
+
+// ── CLI program ───────────────────────────────────────────────────────────────
+
 const program = new Command();
 program
   .name("linkedin-admin")
-  .description("linkedin-mcp administration: auth, status, logout, logs")
+  .description("linkedin-mcp administration: auth, status, logout, logs, credential management")
   .version(PKG.version);
 
 // ── auth ─────────────────────────────────────────────────────────────────────
@@ -41,7 +123,8 @@ program
 program
   .command("auth")
   .description("Start LinkedIn OAuth 2.0 flow. Opens a browser for authorization.")
-  .action(async () => {
+  .option("--port <n>", "Local callback port (default 3001)", "3001")
+  .action(async (opts) => {
     const config = loadConfig();
     if (!config.oauth.client_id || !config.oauth.client_secret) {
       console.error(
@@ -49,13 +132,15 @@ program
         "Steps:\n" +
         "  1. Create app at https://developer.linkedin.com\n" +
         "  2. Add products: 'Sign In with LinkedIn using OpenID Connect' + 'Share on LinkedIn'\n" +
-        "  3. Set redirect URI: http://localhost:3000/callback\n" +
-        "  4. Store credentials via bw-env: LINKEDIN_CLIENT_ID, LINKEDIN_CLIENT_SECRET\n",
+        "  3. Set redirect URI: http://localhost:3001/callback\n" +
+        "  4. Store credentials via bw-env: LINKEDIN_CLIENT_ID, LINKEDIN_CLIENT_SECRET\n" +
+        "     or: linkedin-admin client-id set <value>\n",
       );
       process.exit(1);
     }
+    const port = parseInt(opts.port, 10) || 3000;
     console.log("\nStarting LinkedIn OAuth flow...");
-    console.log(`Redirect URI : ${config.oauth.redirect_uri}`);
+    console.log(`Redirect URI : http://localhost:${port}/callback`);
     console.log(`Scopes       : ${config.oauth.scopes.join(", ")}\n`);
     try {
       const tokenData = await runOAuthFlow(config, (url) => {
@@ -63,7 +148,7 @@ program
         console.log(`  ${url}\n`);
         const { execSync } = require("child_process");
         try { execSync(`xdg-open "${url}"`, { stdio: "ignore" }); } catch { /* silent */ }
-      });
+      }, port);
       appendAdminLog(`auth success member=${tokenData.member_id} name=${tokenData.name}`);
       console.log(`\nAuthenticated: ${tokenData.name || "LinkedIn member"}`);
       console.log(`Email        : ${tokenData.email || "N/A"}`);
@@ -80,16 +165,42 @@ program
 
 program
   .command("status")
-  .description("Show current authentication status and token details.")
+  .description("Show current authentication status, credentials, and token details.")
   .option("--json", "Output raw JSON")
   .action((opts) => {
     const config  = loadConfig();
     const summary = tokenSummary(config);
+    const secrets = getSecretsStatus();
+
     if (opts.json) {
-      console.log(JSON.stringify(summary, null, 2));
+      console.log(JSON.stringify({ token: summary, credentials: secrets }, null, 2));
+      return;
+    }
+
+    console.log();
+    console.log(`Admin env file : ${adminEnvFilePath()}`);
+    console.log();
+
+    // Credentials table
+    const rows = secrets.map((s) => ({
+      variable: s.name,
+      status:   s.present ? "✓ set" : "✗ missing",
+      masked:   s.masked,
+      source:   s.source,
+    }));
+    _printStatusTable("linkedin-admin status", rows);
+
+    // Token summary below table
+    console.log();
+    if (summary.valid) {
+      console.log(`Token   : valid — ${summary.name} <${summary.email}> — ${summary.days_left} days left`);
+      console.log(`Expires : ${summary.expires_at}`);
+    } else if (summary.present) {
+      console.log("Token   : present but EXPIRED — run 'linkedin-admin auth' or 'linkedin-admin token set <value>'");
     } else {
-      console.log(`\n${statusSummaryText()}\n`);
+      console.log("Token   : absent — run 'linkedin-admin auth' or 'linkedin-admin token set <value>'");
     }
+    console.log();
   });
 
 // ── logout ────────────────────────────────────────────────────────────────────
@@ -133,13 +244,70 @@ program
     console.log(`\n${urlsSummary()}\n`);
   });
 
-// ── guide ─────────────────────────────────────────────────────────────────────
+// ── client-id ─────────────────────────────────────────────────────────────────
 
-program
-  .command("guide")
-  .description("Show full admin capabilities (CLI + HTTP + Telegram).")
+const clientIdCmd = program
+  .command("client-id")
+  .description("Manage LINKEDIN_CLIENT_ID in the admin env file.");
+
+clientIdCmd
+  .command("set <value>")
+  .description("Set LINKEDIN_CLIENT_ID.")
+  .action((value) => {
+    setClientId(value);
+    console.log("\nLINKEDIN_CLIENT_ID set successfully.\n");
+  });
+
+clientIdCmd
+  .command("unset")
+  .description("Clear LINKEDIN_CLIENT_ID from the admin env file.")
+  .action(() => {
+    unsetClientId();
+    console.log("\nLINKEDIN_CLIENT_ID cleared.\n");
+  });
+
+// ── client-secret ─────────────────────────────────────────────────────────────
+
+const clientSecretCmd = program
+  .command("client-secret")
+  .description("Manage LINKEDIN_CLIENT_SECRET in the admin env file.");
+
+clientSecretCmd
+  .command("set <value>")
+  .description("Set LINKEDIN_CLIENT_SECRET.")
+  .action((value) => {
+    setClientSecret(value);
+    console.log("\nLINKEDIN_CLIENT_SECRET set successfully.\n");
+  });
+
+clientSecretCmd
+  .command("unset")
+  .description("Clear LINKEDIN_CLIENT_SECRET from the admin env file.")
+  .action(() => {
+    unsetClientSecret();
+    console.log("\nLINKEDIN_CLIENT_SECRET cleared.\n");
+  });
+
+// ── token ─────────────────────────────────────────────────────────────────────
+
+const tokenCmd = program
+  .command("token")
+  .description("Manage the OAuth access token directly.");
+
+tokenCmd
+  .command("set <value>")
+  .description("Set access token directly (bypasses OAuth flow, 60-day default expiry).")
+  .action((value) => {
+    setAccessToken(value);
+    console.log("\nAccess token set successfully. linkedin-mcp is ready.\n");
+  });
+
+tokenCmd
+  .command("unset")
+  .description("Clear the stored access token (same as logout).")
   .action(() => {
-    console.log(`\n${adminHelpText()}\n`);
+    unsetAccessToken();
+    console.log("\nAccess token cleared. Run 'linkedin-admin auth' to re-authenticate.\n");
   });
 
 module.exports = { program };

package/src/admin/oauth.js

@@ -1,12 +1,14 @@
 /**
  * linkedin-mcp — OAuth 2.0 flow manager.
  *
- * Launches a local HTTP server on redirect_port (default 3000) to catch
+ * Launches a local HTTP server on a configurable port (default 3000) to catch
  * the authorization code from LinkedIn, then exchanges it for an access token.
  *
  * Usage:
  *   const { runOAuthFlow } = require("./oauth");
- *   const tokenData = await runOAuthFlow(config);
+ *   const tokenData = await runOAuthFlow(config, onUrl);
+ *   // or with port override:
+ *   const tokenData = await runOAuthFlow(config, onUrl, 8080);
  */
 
 "use strict";
@@ -21,11 +23,11 @@ const LI_TOKEN_URL = "https://www.linkedin.com/oauth/v2/accessToken";
 /**
  * Build the LinkedIn OAuth authorization URL.
  */
-function buildAuthUrl(config, state) {
+function buildAuthUrl(config, state, redirectUri) {
   const params = new URLSearchParams({
     response_type: "code",
     client_id: config.oauth.client_id,
-    redirect_uri: config.oauth.redirect_uri,
+    redirect_uri: redirectUri,
     state,
     scope: config.oauth.scopes.join(" "),
   });
@@ -35,11 +37,11 @@ function buildAuthUrl(config, state) {
 /**
  * Exchange an authorization code for an access token.
  */
-async function exchangeCode(config, code) {
+async function exchangeCode(config, code, redirectUri) {
   const body = new URLSearchParams({
     grant_type: "authorization_code",
     code,
-    redirect_uri: config.oauth.redirect_uri,
+    redirect_uri: redirectUri,
     client_id: config.oauth.client_id,
     client_secret: config.oauth.client_secret,
   });
@@ -68,18 +70,19 @@ async function fetchProfile(accessToken) {
 
 /**
  * Run the full OAuth flow:
- *  1. Start local callback server
+ *  1. Start local callback server on the given port
  *  2. Return the auth URL for the user to open
  *  3. Wait for callback with code
  *  4. Exchange code → token
  *  5. Fetch profile → enrich token
  *  6. Persist token to disk
  *
- * @param {object} config
- * @param {function} onUrl  - Called with the auth URL string so caller can print/open it
+ * @param {object}   config
+ * @param {function} onUrl        - Called with the auth URL string so caller can print/open it
+ * @param {number}   [portOverride] - Override the callback port (default: config.oauth.redirect_port || 3000)
  * @returns {Promise<object>} tokenData
  */
-function runOAuthFlow(config, onUrl) {
+function runOAuthFlow(config, onUrl, portOverride) {
   return new Promise((resolve, reject) => {
     if (!config.oauth.client_id || !config.oauth.client_secret) {
       return reject(new Error(
@@ -88,9 +91,10 @@ function runOAuthFlow(config, onUrl) {
       ));
     }
 
-    const state  = crypto.randomBytes(16).toString("hex");
-    const port   = config.oauth.redirect_port || 3000;
-    const authUrl = buildAuthUrl(config, state);
+    const port        = portOverride || config.oauth.redirect_port || 3000;
+    const redirectUri = `http://localhost:${port}/callback`;
+    const state       = crypto.randomBytes(16).toString("hex");
+    const authUrl     = buildAuthUrl(config, state, redirectUri);
 
     const server = http.createServer(async (req, res) => {
       const url = new URL(req.url, `http://localhost:${port}`);
@@ -125,7 +129,7 @@ function runOAuthFlow(config, onUrl) {
       }
 
       try {
-        const tokenData = await exchangeCode(config, code);
+        const tokenData = await exchangeCode(config, code, redirectUri);
         const profile   = await fetchProfile(tokenData.access_token);
         const enriched  = {
           ...tokenData,