npm - servcraft - Versions diffs - 0.1.0 → 0.1.1 - Mend

servcraft 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (216) hide show

package/.claude/settings.local.json +29 -0
package/.github/CODEOWNERS +18 -0
package/.github/PULL_REQUEST_TEMPLATE.md +46 -0
package/.github/dependabot.yml +59 -0
package/.github/workflows/ci.yml +188 -0
package/.github/workflows/release.yml +195 -0
package/AUDIT.md +602 -0
package/README.md +1070 -1
package/dist/cli/index.cjs +2026 -2168
package/dist/cli/index.cjs.map +1 -1
package/dist/cli/index.js +2026 -2168
package/dist/cli/index.js.map +1 -1
package/dist/index.cjs +595 -616
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +114 -52
package/dist/index.d.ts +114 -52
package/dist/index.js +595 -616
package/dist/index.js.map +1 -1
package/docs/CLI-001_MULTI_DB_PLAN.md +546 -0
package/docs/DATABASE_MULTI_ORM.md +399 -0
package/docs/PHASE1_BREAKDOWN.md +346 -0
package/docs/PROGRESS.md +550 -0
package/docs/modules/ANALYTICS.md +226 -0
package/docs/modules/API-VERSIONING.md +252 -0
package/docs/modules/AUDIT.md +192 -0
package/docs/modules/AUTH.md +431 -0
package/docs/modules/CACHE.md +346 -0
package/docs/modules/EMAIL.md +254 -0
package/docs/modules/FEATURE-FLAG.md +291 -0
package/docs/modules/I18N.md +294 -0
package/docs/modules/MEDIA-PROCESSING.md +281 -0
package/docs/modules/MFA.md +266 -0
package/docs/modules/NOTIFICATION.md +311 -0
package/docs/modules/OAUTH.md +237 -0
package/docs/modules/PAYMENT.md +804 -0
package/docs/modules/QUEUE.md +540 -0
package/docs/modules/RATE-LIMIT.md +339 -0
package/docs/modules/SEARCH.md +288 -0
package/docs/modules/SECURITY.md +327 -0
package/docs/modules/SESSION.md +382 -0
package/docs/modules/SWAGGER.md +305 -0
package/docs/modules/UPLOAD.md +296 -0
package/docs/modules/USER.md +505 -0
package/docs/modules/VALIDATION.md +294 -0
package/docs/modules/WEBHOOK.md +270 -0
package/docs/modules/WEBSOCKET.md +691 -0
package/package.json +53 -38
package/prisma/schema.prisma +395 -1
package/src/cli/commands/add-module.ts +520 -87
package/src/cli/commands/db.ts +3 -4
package/src/cli/commands/docs.ts +256 -6
package/src/cli/commands/generate.ts +12 -19
package/src/cli/commands/init.ts +384 -214
package/src/cli/index.ts +0 -4
package/src/cli/templates/repository.ts +6 -1
package/src/cli/templates/routes.ts +6 -21
package/src/cli/utils/docs-generator.ts +6 -7
package/src/cli/utils/env-manager.ts +717 -0
package/src/cli/utils/field-parser.ts +16 -7
package/src/cli/utils/interactive-prompt.ts +223 -0
package/src/cli/utils/template-manager.ts +346 -0
package/src/config/database.config.ts +183 -0
package/src/config/env.ts +0 -10
package/src/config/index.ts +0 -14
package/src/core/server.ts +1 -1
package/src/database/adapters/mongoose.adapter.ts +132 -0
package/src/database/adapters/prisma.adapter.ts +118 -0
package/src/database/connection.ts +190 -0
package/src/database/interfaces/database.interface.ts +85 -0
package/src/database/interfaces/index.ts +7 -0
package/src/database/interfaces/repository.interface.ts +129 -0
package/src/database/models/mongoose/index.ts +7 -0
package/src/database/models/mongoose/payment.schema.ts +347 -0
package/src/database/models/mongoose/user.schema.ts +154 -0
package/src/database/prisma.ts +1 -4
package/src/database/redis.ts +101 -0
package/src/database/repositories/mongoose/index.ts +7 -0
package/src/database/repositories/mongoose/payment.repository.ts +380 -0
package/src/database/repositories/mongoose/user.repository.ts +255 -0
package/src/database/seed.ts +6 -1
package/src/index.ts +9 -20
package/src/middleware/security.ts +2 -6
package/src/modules/analytics/analytics.routes.ts +80 -0
package/src/modules/analytics/analytics.service.ts +364 -0
package/src/modules/analytics/index.ts +18 -0
package/src/modules/analytics/types.ts +180 -0
package/src/modules/api-versioning/index.ts +15 -0
package/src/modules/api-versioning/types.ts +86 -0
package/src/modules/api-versioning/versioning.middleware.ts +120 -0
package/src/modules/api-versioning/versioning.routes.ts +54 -0
package/src/modules/api-versioning/versioning.service.ts +189 -0
package/src/modules/audit/audit.repository.ts +206 -0
package/src/modules/audit/audit.service.ts +27 -59
package/src/modules/auth/auth.controller.ts +2 -2
package/src/modules/auth/auth.middleware.ts +3 -9
package/src/modules/auth/auth.routes.ts +10 -107
package/src/modules/auth/auth.service.ts +126 -23
package/src/modules/auth/index.ts +3 -4
package/src/modules/cache/cache.service.ts +367 -0
package/src/modules/cache/index.ts +10 -0
package/src/modules/cache/types.ts +44 -0
package/src/modules/email/email.service.ts +3 -10
package/src/modules/email/templates.ts +2 -8
package/src/modules/feature-flag/feature-flag.repository.ts +303 -0
package/src/modules/feature-flag/feature-flag.routes.ts +247 -0
package/src/modules/feature-flag/feature-flag.service.ts +566 -0
package/src/modules/feature-flag/index.ts +20 -0
package/src/modules/feature-flag/types.ts +192 -0
package/src/modules/i18n/i18n.middleware.ts +186 -0
package/src/modules/i18n/i18n.routes.ts +191 -0
package/src/modules/i18n/i18n.service.ts +456 -0
package/src/modules/i18n/index.ts +18 -0
package/src/modules/i18n/types.ts +118 -0
package/src/modules/media-processing/index.ts +17 -0
package/src/modules/media-processing/media-processing.routes.ts +111 -0
package/src/modules/media-processing/media-processing.service.ts +245 -0
package/src/modules/media-processing/types.ts +156 -0
package/src/modules/mfa/index.ts +20 -0
package/src/modules/mfa/mfa.repository.ts +206 -0
package/src/modules/mfa/mfa.routes.ts +595 -0
package/src/modules/mfa/mfa.service.ts +572 -0
package/src/modules/mfa/totp.ts +150 -0
package/src/modules/mfa/types.ts +57 -0
package/src/modules/notification/index.ts +20 -0
package/src/modules/notification/notification.repository.ts +356 -0
package/src/modules/notification/notification.service.ts +483 -0
package/src/modules/notification/types.ts +119 -0
package/src/modules/oauth/index.ts +20 -0
package/src/modules/oauth/oauth.repository.ts +219 -0
package/src/modules/oauth/oauth.routes.ts +446 -0
package/src/modules/oauth/oauth.service.ts +293 -0
package/src/modules/oauth/providers/apple.provider.ts +250 -0
package/src/modules/oauth/providers/facebook.provider.ts +181 -0
package/src/modules/oauth/providers/github.provider.ts +248 -0
package/src/modules/oauth/providers/google.provider.ts +189 -0
package/src/modules/oauth/providers/twitter.provider.ts +214 -0
package/src/modules/oauth/types.ts +94 -0
package/src/modules/payment/index.ts +19 -0
package/src/modules/payment/payment.repository.ts +733 -0
package/src/modules/payment/payment.routes.ts +390 -0
package/src/modules/payment/payment.service.ts +354 -0
package/src/modules/payment/providers/mobile-money.provider.ts +274 -0
package/src/modules/payment/providers/paypal.provider.ts +190 -0
package/src/modules/payment/providers/stripe.provider.ts +215 -0
package/src/modules/payment/types.ts +140 -0
package/src/modules/queue/cron.ts +438 -0
package/src/modules/queue/index.ts +87 -0
package/src/modules/queue/queue.routes.ts +600 -0
package/src/modules/queue/queue.service.ts +842 -0
package/src/modules/queue/types.ts +222 -0
package/src/modules/queue/workers.ts +366 -0
package/src/modules/rate-limit/index.ts +59 -0
package/src/modules/rate-limit/rate-limit.middleware.ts +134 -0
package/src/modules/rate-limit/rate-limit.routes.ts +269 -0
package/src/modules/rate-limit/rate-limit.service.ts +348 -0
package/src/modules/rate-limit/stores/memory.store.ts +165 -0
package/src/modules/rate-limit/stores/redis.store.ts +322 -0
package/src/modules/rate-limit/types.ts +153 -0
package/src/modules/search/adapters/elasticsearch.adapter.ts +326 -0
package/src/modules/search/adapters/meilisearch.adapter.ts +261 -0
package/src/modules/search/adapters/memory.adapter.ts +278 -0
package/src/modules/search/index.ts +21 -0
package/src/modules/search/search.service.ts +234 -0
package/src/modules/search/types.ts +214 -0
package/src/modules/security/index.ts +40 -0
package/src/modules/security/sanitize.ts +223 -0
package/src/modules/security/security-audit.service.ts +388 -0
package/src/modules/security/security.middleware.ts +398 -0
package/src/modules/session/index.ts +3 -0
package/src/modules/session/session.repository.ts +159 -0
package/src/modules/session/session.service.ts +340 -0
package/src/modules/session/types.ts +38 -0
package/src/modules/swagger/index.ts +7 -1
package/src/modules/swagger/schema-builder.ts +16 -4
package/src/modules/swagger/swagger.service.ts +9 -10
package/src/modules/swagger/types.ts +0 -2
package/src/modules/upload/index.ts +14 -0
package/src/modules/upload/types.ts +83 -0
package/src/modules/upload/upload.repository.ts +199 -0
package/src/modules/upload/upload.routes.ts +311 -0
package/src/modules/upload/upload.service.ts +448 -0
package/src/modules/user/index.ts +3 -3
package/src/modules/user/user.controller.ts +15 -9
package/src/modules/user/user.repository.ts +237 -113
package/src/modules/user/user.routes.ts +39 -164
package/src/modules/user/user.service.ts +4 -3
package/src/modules/validation/validator.ts +12 -17
package/src/modules/webhook/index.ts +91 -0
package/src/modules/webhook/retry.ts +196 -0
package/src/modules/webhook/signature.ts +135 -0
package/src/modules/webhook/types.ts +181 -0
package/src/modules/webhook/webhook.repository.ts +358 -0
package/src/modules/webhook/webhook.routes.ts +442 -0
package/src/modules/webhook/webhook.service.ts +457 -0
package/src/modules/websocket/features.ts +504 -0
package/src/modules/websocket/index.ts +106 -0
package/src/modules/websocket/middlewares.ts +298 -0
package/src/modules/websocket/types.ts +181 -0
package/src/modules/websocket/websocket.service.ts +692 -0
package/src/utils/errors.ts +7 -0
package/src/utils/pagination.ts +4 -1
package/tests/helpers/db-check.ts +79 -0
package/tests/integration/auth-redis.test.ts +94 -0
package/tests/integration/cache-redis.test.ts +387 -0
package/tests/integration/mongoose-repositories.test.ts +410 -0
package/tests/integration/payment-prisma.test.ts +637 -0
package/tests/integration/queue-bullmq.test.ts +417 -0
package/tests/integration/user-prisma.test.ts +441 -0
package/tests/integration/websocket-socketio.test.ts +552 -0
package/tests/setup.ts +11 -9
package/vitest.config.ts +3 -8
package/npm-cache/_cacache/content-v2/sha512/1c/d0/03440d500a0487621aad1d6402978340698976602046db8e24fa03c01ee6c022c69b0582f969042d9442ee876ac35c038e960dd427d1e622fa24b8eb7dba +0 -0
package/npm-cache/_cacache/content-v2/sha512/42/55/28b493ca491833e5aab0e9c3108d29ab3f36c248ca88f45d4630674fce9130959e56ae308797ac2b6328fa7f09a610b9550ed09cb971d039876d293fc69d +0 -0
package/npm-cache/_cacache/content-v2/sha512/e0/12/f360dc9315ee5f17844a0c8c233ee6bf7c30837c4a02ea0d56c61c7f7ab21c0e958e50ed2c57c59f983c762b93056778c9009b2398ffc26def0183999b13 +0 -0
package/npm-cache/_cacache/content-v2/sha512/ed/b0/fae1161902898f4c913c67d7f6cdf6be0665aec3b389b9c4f4f0a101ca1da59badf1b59c4e0030f5223023b8d63cfe501c46a32c20c895d4fb3f11ca2232 +0 -0
package/npm-cache/_cacache/index-v5/58/94/c2cba79e0f16b4c10e95a87e32255741149e8222cc314a476aab67c39cc0 +0 -5

package/src/modules/oauth/oauth.service.ts ADDED Viewed

@@ -0,0 +1,293 @@
+/**
+ * OAuth Service
+ * Handles OAuth authentication with multiple providers
+ *
+ * Persistence:
+ * - OAuth states: Redis with TTL (temporary, 10-minute expiration)
+ * - Linked accounts: Prisma/PostgreSQL (persistent)
+ */
+import { logger } from '../../core/logger.js';
+import { BadRequestError, NotFoundError } from '../../utils/errors.js';
+import { prisma } from '../../database/prisma.js';
+import { getRedis } from '../../database/redis.js';
+import { OAuthRepository } from './oauth.repository.js';
+import { GoogleOAuthProvider } from './providers/google.provider.js';
+import { FacebookOAuthProvider } from './providers/facebook.provider.js';
+import { GitHubOAuthProvider } from './providers/github.provider.js';
+import type { OAuthConfig, OAuthProvider, OAuthUser, OAuthState, LinkedAccount } from './types.js';
+// State expiration time (10 minutes)
+const STATE_EXPIRATION_SECONDS = 10 * 60;
+const OAUTH_STATE_PREFIX = 'oauth:state:';
+export class OAuthService {
+  private config: OAuthConfig;
+  private repository: OAuthRepository;
+  private googleProvider?: GoogleOAuthProvider;
+  private facebookProvider?: FacebookOAuthProvider;
+  private githubProvider?: GitHubOAuthProvider;
+  constructor(config: OAuthConfig) {
+    this.config = config;
+    this.repository = new OAuthRepository(prisma);
+    if (config.google) {
+      this.googleProvider = new GoogleOAuthProvider(config.google, config.callbackBaseUrl);
+    }
+    if (config.facebook) {
+      this.facebookProvider = new FacebookOAuthProvider(config.facebook, config.callbackBaseUrl);
+    }
+    if (config.github) {
+      this.githubProvider = new GitHubOAuthProvider(config.github, config.callbackBaseUrl);
+    }
+  }
+  /**
+   * Get authorization URL for a provider
+   */
+  async getAuthorizationUrl(provider: OAuthProvider): Promise<{ url: string; state: string }> {
+    const providerInstance = this.getProvider(provider);
+    const { url, state } = providerInstance.generateAuthUrl();
+    // Store state in Redis with TTL
+    const redis = getRedis();
+    await redis.setex(
+      `${OAUTH_STATE_PREFIX}${state.state}`,
+      STATE_EXPIRATION_SECONDS,
+      JSON.stringify(state)
+    );
+    logger.debug({ provider, state: state.state }, 'OAuth authorization URL generated');
+    return { url, state: state.state };
+  }
+  /**
+   * Handle OAuth callback
+   */
+  async handleCallback(provider: OAuthProvider, code: string, state: string): Promise<OAuthUser> {
+    // Validate state from Redis
+    const redis = getRedis();
+    const storedStateJson = await redis.get(`${OAUTH_STATE_PREFIX}${state}`);
+    if (!storedStateJson) {
+      throw new BadRequestError('Invalid or expired OAuth state');
+    }
+    const storedState = JSON.parse(storedStateJson) as OAuthState;
+    // Remove used state immediately
+    await redis.del(`${OAUTH_STATE_PREFIX}${state}`);
+    const providerInstance = this.getProvider(provider);
+    // Exchange code for tokens
+    const tokens = await providerInstance.exchangeCode(code, storedState.codeVerifier);
+    // Get user info
+    const user = await providerInstance.getUser(tokens.accessToken);
+    // Update tokens in user object
+    user.accessToken = tokens.accessToken;
+    user.refreshToken = tokens.refreshToken;
+    user.expiresAt = tokens.expiresIn ? Date.now() + tokens.expiresIn * 1000 : undefined;
+    logger.info({ provider, userId: user.providerAccountId }, 'OAuth user authenticated');
+    return user;
+  }
+  /**
+   * Link an OAuth account to a user
+   */
+  async linkAccount(userId: string, oauthUser: OAuthUser): Promise<LinkedAccount> {
+    // Check if already linked
+    const existingLink = await this.repository.findByProviderAccount(
+      oauthUser.provider,
+      oauthUser.providerAccountId
+    );
+    if (existingLink) {
+      if (existingLink.userId !== userId) {
+        throw new BadRequestError('This account is already linked to another user');
+      }
+      // Update existing link
+      const updated = await this.repository.update(existingLink.id, {
+        email: oauthUser.email || existingLink.email,
+        name: oauthUser.name || existingLink.name,
+        picture: oauthUser.picture || existingLink.picture,
+        accessToken: oauthUser.accessToken,
+        refreshToken: oauthUser.refreshToken || existingLink.refreshToken,
+        expiresAt: oauthUser.expiresAt ? new Date(oauthUser.expiresAt) : existingLink.expiresAt,
+      });
+      if (!updated) {
+        throw new NotFoundError('Linked account');
+      }
+      logger.info({ userId, provider: oauthUser.provider }, 'OAuth account updated');
+      return updated;
+    }
+    // Create new linked account
+    const linkedAccount = await this.repository.create({
+      userId,
+      provider: oauthUser.provider,
+      providerAccountId: oauthUser.providerAccountId,
+      email: oauthUser.email || undefined,
+      name: oauthUser.name || undefined,
+      picture: oauthUser.picture || undefined,
+      accessToken: oauthUser.accessToken,
+      refreshToken: oauthUser.refreshToken,
+      expiresAt: oauthUser.expiresAt ? new Date(oauthUser.expiresAt) : undefined,
+    });
+    logger.info({ userId, provider: oauthUser.provider }, 'OAuth account linked');
+    return linkedAccount;
+  }
+  /**
+   * Unlink an OAuth account from a user
+   */
+  async unlinkAccount(userId: string, provider: OAuthProvider): Promise<void> {
+    const deleted = await this.repository.deleteByUserAndProvider(userId, provider);
+    if (!deleted) {
+      throw new NotFoundError('Linked account');
+    }
+    logger.info({ userId, provider }, 'OAuth account unlinked');
+  }
+  /**
+   * Get user's linked accounts
+   */
+  async getUserLinkedAccounts(userId: string): Promise<LinkedAccount[]> {
+    return this.repository.getByUserId(userId);
+  }
+  /**
+   * Find linked account by provider and account ID
+   */
+  async findLinkedAccount(
+    provider: OAuthProvider,
+    providerAccountId: string
+  ): Promise<LinkedAccount | null> {
+    return this.repository.findByProviderAccount(provider, providerAccountId);
+  }
+  /**
+   * Find user by linked account
+   */
+  async findUserByOAuth(
+    provider: OAuthProvider,
+    providerAccountId: string
+  ): Promise<string | null> {
+    const account = await this.repository.findByProviderAccount(provider, providerAccountId);
+    return account?.userId || null;
+  }
+  /**
+   * Refresh OAuth tokens
+   */
+  async refreshTokens(linkedAccountId: string): Promise<LinkedAccount> {
+    const account = await this.repository.getById(linkedAccountId);
+    if (!account) {
+      throw new NotFoundError('Linked account');
+    }
+    if (!account.refreshToken) {
+      throw new BadRequestError('No refresh token available');
+    }
+    const provider = this.getProvider(account.provider);
+    if ('refreshToken' in provider) {
+      const tokens = await (provider as GoogleOAuthProvider).refreshToken(account.refreshToken);
+      const updated = await this.repository.update(linkedAccountId, {
+        accessToken: tokens.accessToken,
+        expiresAt: tokens.expiresIn ? new Date(Date.now() + tokens.expiresIn * 1000) : undefined,
+      });
+      if (!updated) {
+        throw new NotFoundError('Linked account');
+      }
+      return updated;
+    }
+    return account;
+  }
+  /**
+   * Get linked account by ID
+   */
+  async getLinkedAccount(id: string): Promise<LinkedAccount | null> {
+    return this.repository.getById(id);
+  }
+  /**
+   * Delete all linked accounts for a user
+   */
+  async deleteUserAccounts(userId: string): Promise<number> {
+    return this.repository.deleteByUserId(userId);
+  }
+  /**
+   * Get supported providers
+   */
+  getSupportedProviders(): OAuthProvider[] {
+    const providers: OAuthProvider[] = [];
+    if (this.googleProvider) providers.push('google');
+    if (this.facebookProvider) providers.push('facebook');
+    if (this.githubProvider) providers.push('github');
+    return providers;
+  }
+  /**
+   * Check if provider is enabled
+   */
+  isProviderEnabled(provider: OAuthProvider): boolean {
+    return this.getSupportedProviders().includes(provider);
+  }
+  // Private methods
+  private getProvider(
+    provider: OAuthProvider
+  ): GoogleOAuthProvider | FacebookOAuthProvider | GitHubOAuthProvider {
+    switch (provider) {
+      case 'google':
+        if (!this.googleProvider) {
+          throw new BadRequestError('Google OAuth not configured');
+        }
+        return this.googleProvider;
+      case 'facebook':
+        if (!this.facebookProvider) {
+          throw new BadRequestError('Facebook OAuth not configured');
+        }
+        return this.facebookProvider;
+      case 'github':
+        if (!this.githubProvider) {
+          throw new BadRequestError('GitHub OAuth not configured');
+        }
+        return this.githubProvider;
+      default:
+        throw new BadRequestError(`Unsupported OAuth provider: ${provider}`);
+    }
+  }
+}
+let oauthService: OAuthService | null = null;
+export function getOAuthService(): OAuthService {
+  if (!oauthService) {
+    throw new Error('OAuth service not initialized. Call createOAuthService first.');
+  }
+  return oauthService;
+}
+export function createOAuthService(config: OAuthConfig): OAuthService {
+  oauthService = new OAuthService(config);
+  return oauthService;
+}

package/src/modules/oauth/providers/apple.provider.ts ADDED Viewed

@@ -0,0 +1,250 @@
+import { randomBytes, createSign } from 'crypto';
+import { logger } from '../../../core/logger.js';
+import type { AppleOAuthConfig, OAuthUser, OAuthTokens, OAuthState } from '../types.js';
+const APPLE_AUTH_URL = 'https://appleid.apple.com/auth/authorize';
+const APPLE_TOKEN_URL = 'https://appleid.apple.com/auth/token';
+const APPLE_KEYS_URL = 'https://appleid.apple.com/auth/keys';
+const DEFAULT_SCOPES = ['name', 'email'];
+interface AppleIdToken {
+  iss: string;
+  aud: string;
+  exp: number;
+  iat: number;
+  sub: string; // User ID
+  email?: string;
+  email_verified?: string;
+  is_private_email?: string;
+  auth_time: number;
+  nonce_supported: boolean;
+}
+export class AppleOAuthProvider {
+  private config: AppleOAuthConfig;
+  private callbackUrl: string;
+  constructor(config: AppleOAuthConfig, callbackBaseUrl: string) {
+    this.config = config;
+    this.callbackUrl = `${callbackBaseUrl}/auth/oauth/apple/callback`;
+  }
+  /**
+   * Generate authorization URL
+   */
+  generateAuthUrl(state?: string): { url: string; state: OAuthState } {
+    const stateValue = state || randomBytes(32).toString('hex');
+    const nonce = randomBytes(16).toString('hex');
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: this.callbackUrl,
+      response_type: 'code id_token',
+      response_mode: 'form_post',
+      scope: DEFAULT_SCOPES.join(' '),
+      state: stateValue,
+      nonce,
+    });
+    const oauthState: OAuthState = {
+      state: stateValue,
+      redirectUri: this.callbackUrl,
+      createdAt: Date.now(),
+    };
+    return {
+      url: `${APPLE_AUTH_URL}?${params.toString()}`,
+      state: oauthState,
+    };
+  }
+  /**
+   * Generate client secret (JWT signed with private key)
+   */
+  private generateClientSecret(): string {
+    const now = Math.floor(Date.now() / 1000);
+    const exp = now + 3600; // 1 hour
+    const header = {
+      alg: 'ES256',
+      kid: this.config.keyId,
+    };
+    const payload = {
+      iss: this.config.teamId,
+      iat: now,
+      exp,
+      aud: 'https://appleid.apple.com',
+      sub: this.config.clientId,
+    };
+    const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64url');
+    const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64url');
+    const signatureInput = `${headerB64}.${payloadB64}`;
+    const sign = createSign('SHA256');
+    sign.update(signatureInput);
+    const signature = sign.sign(this.config.privateKey, 'base64url');
+    return `${signatureInput}.${signature}`;
+  }
+  /**
+   * Exchange authorization code for tokens
+   */
+  async exchangeCode(code: string): Promise<OAuthTokens> {
+    const clientSecret = this.generateClientSecret();
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      client_secret: clientSecret,
+      code,
+      grant_type: 'authorization_code',
+      redirect_uri: this.callbackUrl,
+    });
+    const response = await fetch(APPLE_TOKEN_URL, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+      },
+      body: params.toString(),
+    });
+    if (!response.ok) {
+      const error = await response.text();
+      logger.error({ error }, 'Apple token exchange failed');
+      throw new Error(`Failed to exchange code: ${error}`);
+    }
+    const data = (await response.json()) as {
+      access_token: string;
+      refresh_token?: string;
+      expires_in: number;
+      token_type: string;
+      id_token: string;
+    };
+    return {
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      expiresIn: data.expires_in,
+      tokenType: data.token_type,
+      idToken: data.id_token,
+    };
+  }
+  /**
+   * Get user information from Apple ID token
+   * Note: Apple only provides user info on first authorization
+   */
+  async getUser(
+    accessToken: string,
+    idToken?: string,
+    userInfo?: { name?: { firstName?: string; lastName?: string }; email?: string }
+  ): Promise<OAuthUser> {
+    if (!idToken) {
+      throw new Error('ID token is required for Apple Sign In');
+    }
+    // Decode ID token (in production, verify signature with Apple's public keys)
+    const [, payloadB64] = idToken.split('.');
+    const payload = JSON.parse(Buffer.from(payloadB64 ?? '', 'base64').toString()) as AppleIdToken;
+    // Apple only sends user info on first authorization
+    // After that, you must store it yourself
+    const firstName = userInfo?.name?.firstName || null;
+    const lastName = userInfo?.name?.lastName || null;
+    const email = userInfo?.email || payload.email || null;
+    return {
+      id: payload.sub,
+      email,
+      emailVerified: payload.email_verified === 'true',
+      name: firstName && lastName ? `${firstName} ${lastName}` : null,
+      firstName,
+      lastName,
+      picture: null, // Apple doesn't provide profile pictures
+      provider: 'apple',
+      providerAccountId: payload.sub,
+      accessToken,
+      raw: { ...payload, userInfo },
+    };
+  }
+  /**
+   * Refresh access token
+   */
+  async refreshToken(refreshToken: string): Promise<OAuthTokens> {
+    const clientSecret = this.generateClientSecret();
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      client_secret: clientSecret,
+      refresh_token: refreshToken,
+      grant_type: 'refresh_token',
+    });
+    const response = await fetch(APPLE_TOKEN_URL, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+      },
+      body: params.toString(),
+    });
+    if (!response.ok) {
+      throw new Error('Failed to refresh token');
+    }
+    const data = (await response.json()) as {
+      access_token: string;
+      expires_in: number;
+      token_type: string;
+      id_token: string;
+    };
+    return {
+      accessToken: data.access_token,
+      expiresIn: data.expires_in,
+      tokenType: data.token_type,
+      idToken: data.id_token,
+    };
+  }
+  /**
+   * Revoke refresh token
+   */
+  async revokeToken(refreshToken: string): Promise<void> {
+    const clientSecret = this.generateClientSecret();
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      client_secret: clientSecret,
+      token: refreshToken,
+      token_type_hint: 'refresh_token',
+    });
+    await fetch('https://appleid.apple.com/auth/revoke', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+      },
+      body: params.toString(),
+    });
+  }
+  /**
+   * Get Apple's public keys for ID token verification
+   */
+  async getPublicKeys(): Promise<
+    Array<{ kty: string; kid: string; use: string; alg: string; n: string; e: string }>
+  > {
+    const response = await fetch(APPLE_KEYS_URL);
+    const data = (await response.json()) as {
+      keys: Array<{ kty: string; kid: string; use: string; alg: string; n: string; e: string }>;
+    };
+    return data.keys;
+  }
+}