open-sse 1.0.0

package/services/tokenRefresh.js

@@ -0,0 +1,542 @@
+import { PROVIDERS, OAUTH_ENDPOINTS } from "../config/constants.js";
+
+// Token expiry buffer (refresh if expires within 5 minutes)
+export const TOKEN_EXPIRY_BUFFER_MS = 5 * 60 * 1000;
+
+/**
+ * Refresh OAuth access token using refresh token
+ */
+export async function refreshAccessToken(provider, refreshToken, credentials, log) {
+  const config = PROVIDERS[provider];
+  
+  if (!config || !config.refreshUrl) {
+    log?.warn?.("TOKEN_REFRESH", `No refresh URL configured for provider: ${provider}`);
+    return null;
+  }
+
+  if (!refreshToken) {
+    log?.warn?.("TOKEN_REFRESH", `No refresh token available for provider: ${provider}`);
+    return null;
+  }
+
+  try {
+    const response = await fetch(config.refreshUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json",
+      },
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        refresh_token: refreshToken,
+        client_id: config.clientId,
+        client_secret: config.clientSecret,
+      }),
+    });
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      log?.error?.("TOKEN_REFRESH", `Failed to refresh token for ${provider}`, {
+        status: response.status,
+        error: errorText,
+      });
+      return null;
+    }
+
+    const tokens = await response.json();
+    
+    log?.info?.("TOKEN_REFRESH", `Successfully refreshed token for ${provider}`, {
+      hasNewAccessToken: !!tokens.access_token,
+      hasNewRefreshToken: !!tokens.refresh_token,
+      expiresIn: tokens.expires_in,
+    });
+
+    return {
+      accessToken: tokens.access_token,
+      refreshToken: tokens.refresh_token || refreshToken,
+      expiresIn: tokens.expires_in,
+    };
+  } catch (error) {
+    log?.error?.("TOKEN_REFRESH", `Error refreshing token for ${provider}`, {
+      error: error.message,
+    });
+    return null;
+  }
+}
+
+/**
+ * Specialized refresh for Claude OAuth tokens
+ */
+export async function refreshClaudeOAuthToken(refreshToken, log) {
+  const response = await fetch(OAUTH_ENDPOINTS.anthropic.token, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Accept: "application/json",
+    },
+    body: JSON.stringify({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+      client_id: PROVIDERS.claude.clientId,
+    }),
+  });
+
+  if (!response.ok) {
+    const errorText = await response.text();
+    log?.error?.("TOKEN_REFRESH", "Failed to refresh Claude OAuth token", {
+      status: response.status,
+      error: errorText,
+    });
+    return null;
+  }
+
+  const tokens = await response.json();
+  
+  log?.info?.("TOKEN_REFRESH", "Successfully refreshed Claude OAuth token", {
+    hasNewAccessToken: !!tokens.access_token,
+    hasNewRefreshToken: !!tokens.refresh_token,
+    expiresIn: tokens.expires_in,
+  });
+
+  return {
+    accessToken: tokens.access_token,
+    refreshToken: tokens.refresh_token || refreshToken,
+    expiresIn: tokens.expires_in,
+  };
+}
+
+/**
+ * Specialized refresh for Google providers (Gemini, Antigravity)
+ */
+export async function refreshGoogleToken(refreshToken, clientId, clientSecret, log) {
+  const response = await fetch(OAUTH_ENDPOINTS.google.token, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json",
+    },
+    body: new URLSearchParams({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+      client_id: clientId,
+      client_secret: clientSecret,
+    }),
+  });
+
+  if (!response.ok) {
+    const errorText = await response.text();
+    log?.error?.("TOKEN_REFRESH", "Failed to refresh Google token", {
+      status: response.status,
+      error: errorText,
+    });
+    return null;
+  }
+
+  const tokens = await response.json();
+  
+  log?.info?.("TOKEN_REFRESH", "Successfully refreshed Google token", {
+    hasNewAccessToken: !!tokens.access_token,
+    hasNewRefreshToken: !!tokens.refresh_token,
+    expiresIn: tokens.expires_in,
+  });
+
+  return {
+    accessToken: tokens.access_token,
+    refreshToken: tokens.refresh_token || refreshToken,
+    expiresIn: tokens.expires_in,
+  };
+}
+
+/**
+ * Specialized refresh for Qwen OAuth tokens
+ */
+export async function refreshQwenToken(refreshToken, log) {
+  const endpoint = OAUTH_ENDPOINTS.qwen.token;
+  
+  try {
+    const response = await fetch(endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json",
+      },
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        refresh_token: refreshToken,
+        client_id: PROVIDERS.qwen.clientId,
+      }),
+    });
+
+    if (response.status === 200) {
+      const tokens = await response.json();
+      
+      log?.info?.("TOKEN_REFRESH", "Successfully refreshed Qwen token", {
+        hasNewAccessToken: !!tokens.access_token,
+        hasNewRefreshToken: !!tokens.refresh_token,
+        expiresIn: tokens.expires_in,
+      });
+
+      return {
+        accessToken: tokens.access_token,
+        refreshToken: tokens.refresh_token || refreshToken,
+        expiresIn: tokens.expires_in,
+      };
+    } else {
+      const errorText = await response.text().catch(() => "");
+      log?.warn?.("TOKEN_REFRESH", `Error with Qwen endpoint`, {
+        status: response.status,
+        error: errorText,
+      });
+    }
+  } catch (error) {
+    log?.warn?.("TOKEN_REFRESH", `Network error trying Qwen endpoint`, {
+      error: error.message,
+    });
+  }
+
+  log?.error?.("TOKEN_REFRESH", "Failed to refresh Qwen token");
+  return null;
+}
+
+/**
+ * Specialized refresh for Codex (OpenAI) OAuth tokens
+ */
+export async function refreshCodexToken(refreshToken, log) {
+  const response = await fetch(OAUTH_ENDPOINTS.openai.token, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json",
+    },
+    body: new URLSearchParams({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+      client_id: PROVIDERS.codex.clientId,
+      scope: "openid profile email offline_access",
+    }),
+  });
+
+  if (!response.ok) {
+    const errorText = await response.text();
+    log?.error?.("TOKEN_REFRESH", "Failed to refresh Codex token", {
+      status: response.status,
+      error: errorText,
+    });
+    return null;
+  }
+
+  const tokens = await response.json();
+  
+  log?.info?.("TOKEN_REFRESH", "Successfully refreshed Codex token", {
+    hasNewAccessToken: !!tokens.access_token,
+    hasNewRefreshToken: !!tokens.refresh_token,
+    expiresIn: tokens.expires_in,
+  });
+
+  return {
+    accessToken: tokens.access_token,
+    refreshToken: tokens.refresh_token || refreshToken,
+    expiresIn: tokens.expires_in,
+  };
+}
+
+/**
+ * Specialized refresh for iFlow OAuth tokens
+ */
+export async function refreshIflowToken(refreshToken, log) {
+  const basicAuth = btoa(`${PROVIDERS.iflow.clientId}:${PROVIDERS.iflow.clientSecret}`);
+  
+  const response = await fetch(OAUTH_ENDPOINTS.iflow.token, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json",
+      Authorization: `Basic ${basicAuth}`,
+    },
+    body: new URLSearchParams({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+      client_id: PROVIDERS.iflow.clientId,
+      client_secret: PROVIDERS.iflow.clientSecret,
+    }),
+  });
+
+  if (!response.ok) {
+    const errorText = await response.text();
+    log?.error?.("TOKEN_REFRESH", "Failed to refresh iFlow token", {
+      status: response.status,
+      error: errorText,
+    });
+    return null;
+  }
+
+  const tokens = await response.json();
+  
+  log?.info?.("TOKEN_REFRESH", "Successfully refreshed iFlow token", {
+    hasNewAccessToken: !!tokens.access_token,
+    hasNewRefreshToken: !!tokens.refresh_token,
+    expiresIn: tokens.expires_in,
+  });
+
+  return {
+    accessToken: tokens.access_token,
+    refreshToken: tokens.refresh_token || refreshToken,
+    expiresIn: tokens.expires_in,
+  };
+}
+
+/**
+ * Specialized refresh for GitHub Copilot OAuth tokens
+ */
+export async function refreshGitHubToken(refreshToken, log) {
+  const response = await fetch(OAUTH_ENDPOINTS.github.token, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json",
+    },
+    body: new URLSearchParams({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+      client_id: PROVIDERS.github.clientId,
+      client_secret: PROVIDERS.github.clientSecret,
+    }),
+  });
+
+  if (!response.ok) {
+    const errorText = await response.text();
+    log?.error?.("TOKEN_REFRESH", "Failed to refresh GitHub token", {
+      status: response.status,
+      error: errorText,
+    });
+    return null;
+  }
+
+  const tokens = await response.json();
+  
+  log?.info?.("TOKEN_REFRESH", "Successfully refreshed GitHub token", {
+    hasNewAccessToken: !!tokens.access_token,
+    hasNewRefreshToken: !!tokens.refresh_token,
+    expiresIn: tokens.expires_in,
+  });
+
+  return {
+    accessToken: tokens.access_token,
+    refreshToken: tokens.refresh_token || refreshToken,
+    expiresIn: tokens.expires_in,
+  };
+}
+
+/**
+ * Refresh GitHub Copilot token using GitHub access token
+ */
+export async function refreshCopilotToken(githubAccessToken, log) {
+  try {
+    const response = await fetch("https://api.github.com/copilot_internal/v2/token", {
+      headers: {
+        "Authorization": `Bearer ${githubAccessToken}`,
+        "User-Agent": "GitHub-Copilot/1.0",
+        "Accept": "*/*"
+      }
+    });
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      log?.error?.("TOKEN_REFRESH", "Failed to refresh Copilot token", {
+        status: response.status,
+        error: errorText
+      });
+      return null;
+    }
+
+    const data = await response.json();
+    
+    log?.info?.("TOKEN_REFRESH", "Successfully refreshed Copilot token", {
+      hasToken: !!data.token,
+      expiresAt: data.expires_at
+    });
+
+    return {
+      token: data.token,
+      expiresAt: data.expires_at
+    };
+  } catch (error) {
+    log?.error?.("TOKEN_REFRESH", "Error refreshing Copilot token", {
+      error: error.message
+    });
+    return null;
+  }
+}
+
+/**
+ * Get access token for a specific provider
+ */
+export async function getAccessToken(provider, credentials, log) {
+  if (!credentials || !credentials.refreshToken) {
+    log?.warn?.("TOKEN_REFRESH", `No refresh token available for provider: ${provider}`);
+    return null;
+  }
+
+  switch (provider) {
+    case "gemini":
+    case "gemini-cli":
+    case "antigravity":
+      return await refreshGoogleToken(
+        credentials.refreshToken,
+        PROVIDERS[provider].clientId,
+        PROVIDERS[provider].clientSecret,
+        log
+      );
+    
+    case "claude":
+      return await refreshClaudeOAuthToken(credentials.refreshToken, log);
+    
+    case "codex":
+      return await refreshCodexToken(credentials.refreshToken, log);
+    
+    case "qwen":
+      return await refreshQwenToken(credentials.refreshToken, log);
+    
+    case "iflow":
+      return await refreshIflowToken(credentials.refreshToken, log);
+    
+    case "github":
+      return await refreshGitHubToken(credentials.refreshToken, log);
+    
+    default:
+      log?.warn?.("TOKEN_REFRESH", `Unsupported provider for token refresh: ${provider}`);
+      return null;
+  }
+}
+
+/**
+ * Refresh token by provider type (helper for handlers)
+ */
+export async function refreshTokenByProvider(provider, credentials, log) {
+  if (!credentials.refreshToken) return null;
+
+  switch (provider) {
+    case "gemini-cli":
+    case "antigravity":
+      return refreshGoogleToken(
+        credentials.refreshToken,
+        PROVIDERS[provider].clientId,
+        PROVIDERS[provider].clientSecret,
+        log
+      );
+    case "claude":
+      return refreshClaudeOAuthToken(credentials.refreshToken, log);
+    case "codex":
+      return refreshCodexToken(credentials.refreshToken, log);
+    case "qwen":
+      return refreshQwenToken(credentials.refreshToken, log);
+    case "iflow":
+      return refreshIflowToken(credentials.refreshToken, log);
+    case "github":
+      return refreshGitHubToken(credentials.refreshToken, log);
+    default:
+      return refreshAccessToken(provider, credentials.refreshToken, credentials, log);
+  }
+}
+
+/**
+ * Format credentials for provider
+ */
+export function formatProviderCredentials(provider, credentials, log) {
+  const config = PROVIDERS[provider];
+  if (!config) {
+    log?.warn?.("TOKEN_REFRESH", `No configuration found for provider: ${provider}`);
+    return null;
+  }
+
+  switch (provider) {
+    case "gemini":
+      return {
+        apiKey: credentials.apiKey,
+        accessToken: credentials.accessToken,
+        projectId: credentials.projectId
+      };
+    
+    case "claude":
+      return {
+        apiKey: credentials.apiKey,
+        accessToken: credentials.accessToken
+      };
+    
+    case "codex":
+    case "qwen":
+    case "iflow":
+    case "openai":
+    case "openrouter":
+      return {
+        apiKey: credentials.apiKey,
+        accessToken: credentials.accessToken
+      };
+    
+    case "antigravity":
+    case "gemini-cli":
+      return {
+        accessToken: credentials.accessToken,
+        refreshToken: credentials.refreshToken
+      };
+    
+    default:
+      return {
+        apiKey: credentials.apiKey,
+        accessToken: credentials.accessToken,
+        refreshToken: credentials.refreshToken
+      };
+  }
+}
+
+/**
+ * Get all access tokens for a user
+ */
+export async function getAllAccessTokens(userInfo, log) {
+  const results = {};
+  
+  if (userInfo.connections && Array.isArray(userInfo.connections)) {
+    for (const connection of userInfo.connections) {
+      if (connection.isActive && connection.provider) {
+        const token = await getAccessToken(connection.provider, {
+          refreshToken: connection.refreshToken
+        }, log);
+        
+        if (token) {
+          results[connection.provider] = token;
+        }
+      }
+    }
+  }
+  
+  return results;
+}
+
+/**
+ * Refresh token with retry and exponential backoff
+ * Retries on failure with increasing delay: 1s, 2s, 3s...
+ * @param {function} refreshFn - Async function that returns token or null
+ * @param {number} maxRetries - Max retry attempts (default 3)
+ * @param {object} log - Logger instance (optional)
+ * @returns {Promise<object|null>} Token result or null if all retries fail
+ */
+export async function refreshWithRetry(refreshFn, maxRetries = 3, log = null) {
+  for (let attempt = 0; attempt < maxRetries; attempt++) {
+    if (attempt > 0) {
+      const delay = attempt * 1000;
+      log?.debug?.("TOKEN_REFRESH", `Retry ${attempt}/${maxRetries} after ${delay}ms`);
+      await new Promise(r => setTimeout(r, delay));
+    }
+
+    try {
+      const result = await refreshFn();
+      if (result) return result;
+    } catch (error) {
+      log?.warn?.("TOKEN_REFRESH", `Attempt ${attempt + 1}/${maxRetries} failed: ${error.message}`);
+    }
+  }
+
+  log?.error?.("TOKEN_REFRESH", `All ${maxRetries} retry attempts failed`);
+  return null;
+}
+