vidspotai-shared 1.0.82 → 1.0.83

package/lib/services/socialOAuth/linkedin.oauth.js

@@ -0,0 +1,127 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LinkedInOAuthProvider = void 0;
+const types_1 = require("../../globals/types");
+const logger_1 = require("../../utils/logger");
+/**
+ * LinkedIn OAuth provider. Phase 6 — fast-follow adapter.
+ *
+ * Config (env):
+ *   LINKEDIN_CLIENT_ID
+ *   LINKEDIN_CLIENT_SECRET
+ *
+ * Notes / gates (plan §G15-17):
+ * - Member posting uses `w_member_social` + OpenID (`openid profile`). Company-
+ *   page posting + analytics is the Community Management API — vetted via a
+ *   screencast review (business-tier G-features), requested via business scopes.
+ * - Refresh tokens are only issued to approved Marketing Developer Platform
+ *   apps; standard apps get a 60-day access token and must re-consent. `refresh`
+ *   still tries the refresh grant for approved apps.
+ */
+const AUTH_ENDPOINT = "https://www.linkedin.com/oauth/v2/authorization";
+const TOKEN_ENDPOINT = "https://www.linkedin.com/oauth/v2/accessToken";
+const USERINFO_ENDPOINT = "https://api.linkedin.com/v2/userinfo";
+const BASE_SCOPES = ["openid", "profile", "w_member_social"];
+const BUSINESS_SCOPES = ["r_organization_social", "w_organization_social"];
+class LinkedInOAuthProvider {
+    constructor() {
+        this.provider = types_1.ESocialProvider.LINKEDIN;
+    }
+    clientId() {
+        const v = process.env.LINKEDIN_CLIENT_ID;
+        if (!v)
+            throw new Error("LinkedInOAuth: LINKEDIN_CLIENT_ID not set");
+        return v;
+    }
+    clientSecret() {
+        const v = process.env.LINKEDIN_CLIENT_SECRET;
+        if (!v)
+            throw new Error("LinkedInOAuth: LINKEDIN_CLIENT_SECRET not set");
+        return v;
+    }
+    getAuthUrl({ state, redirectUri, requestBusinessScopes, }) {
+        const scopes = requestBusinessScopes
+            ? [...BASE_SCOPES, ...BUSINESS_SCOPES]
+            : BASE_SCOPES;
+        const params = new URLSearchParams({
+            response_type: "code",
+            client_id: this.clientId(),
+            redirect_uri: redirectUri,
+            state,
+            scope: scopes.join(" "),
+        });
+        return `${AUTH_ENDPOINT}?${params.toString()}`;
+    }
+    async exchangeCode({ code, redirectUri, }) {
+        const token = await this.postToken(new URLSearchParams({
+            grant_type: "authorization_code",
+            code,
+            redirect_uri: redirectUri,
+            client_id: this.clientId(),
+            client_secret: this.clientSecret(),
+        }));
+        if (!token.access_token) {
+            throw new Error("LinkedInOAuth: token exchange returned no access_token");
+        }
+        const tokens = this.toTokens(token);
+        const account = await this.resolveAccount(token.access_token);
+        return { account, tokens };
+    }
+    async refresh(refreshToken) {
+        const token = await this.postToken(new URLSearchParams({
+            grant_type: "refresh_token",
+            refresh_token: refreshToken,
+            client_id: this.clientId(),
+            client_secret: this.clientSecret(),
+        }));
+        if (!token.access_token) {
+            throw new Error("LinkedInOAuth: refresh returned no access_token");
+        }
+        const tokens = this.toTokens(token);
+        if (!tokens.refreshToken)
+            tokens.refreshToken = refreshToken;
+        return tokens;
+    }
+    async postToken(body) {
+        const resp = await fetch(TOKEN_ENDPOINT, {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: body.toString(),
+        });
+        const json = (await resp.json());
+        if (!resp.ok || json.error) {
+            throw new Error(`LinkedInOAuth: token endpoint ${resp.status} ${json.error ?? ""} ${json.error_description ?? ""}`.trim());
+        }
+        return json;
+    }
+    toTokens(token) {
+        const now = Date.now();
+        return {
+            accessToken: token.access_token,
+            refreshToken: token.refresh_token,
+            expiresAt: now + (token.expires_in ?? 60 * 24 * 3600) * 1000,
+            refreshExpiresAt: token.refresh_token_expires_in
+                ? now + token.refresh_token_expires_in * 1000
+                : undefined,
+            scopes: token.scope ? token.scope.split(" ").filter(Boolean) : [],
+        };
+    }
+    async resolveAccount(accessToken) {
+        const resp = await fetch(USERINFO_ENDPOINT, {
+            headers: { Authorization: `Bearer ${accessToken}` },
+        });
+        const json = (await resp.json());
+        if (!resp.ok || !json.sub) {
+            throw new Error(`LinkedInOAuth: userinfo ${resp.status}`);
+        }
+        logger_1.logger.info("LinkedInOAuth: connected", { sub: json.sub });
+        return {
+            // Store the bare member id; the publisher builds urn:li:person:{id}.
+            providerAccountId: json.sub,
+            displayName: json.name ?? "LinkedIn member",
+            avatarUrl: json.picture,
+            kind: types_1.ESocialAccountKind.PERSONAL,
+        };
+    }
+}
+exports.LinkedInOAuthProvider = LinkedInOAuthProvider;

package/lib/services/socialOAuth/meta.oauth.d.ts

@@ -0,0 +1,31 @@
+import { ESocialProvider } from "../../globals/types";
+import { AuthUrlParams, ConnectResult, ExchangeCodeParams, ISocialOAuthProvider, OAuthTokens } from "./types";
+export declare class MetaOAuthProvider implements ISocialOAuthProvider {
+    readonly provider: ESocialProvider;
+    /** Which surface this instance resolves: FACEBOOK (Pages) or INSTAGRAM. */
+    private readonly target;
+    constructor(target: ESocialProvider);
+    private graphVersion;
+    private graph;
+    private appId;
+    private appSecret;
+    getAuthUrl({ state, redirectUri, requestBusinessScopes, }: AuthUrlParams): string;
+    /**
+     * Single-account path is unused for Meta (one grant → many accounts), but the
+     * interface requires it. We return the first resolved account so any caller
+     * that ignores `exchangeCodeMulti` still gets something sensible.
+     */
+    exchangeCode(params: ExchangeCodeParams): Promise<ConnectResult>;
+    exchangeCodeMulti(params: ExchangeCodeParams): Promise<ConnectResult[]>;
+    private resolveFacebookPages;
+    private resolveInstagramAccounts;
+    private pageTokens;
+    /**
+     * Meta Page tokens don't expire, so refresh should never be called by the
+     * daemon (far-future expiry). If it is, surface a reconnect rather than
+     * silently returning a possibly-revoked token.
+     */
+    refresh(): Promise<OAuthTokens>;
+    private getJson;
+}
+//# sourceMappingURL=meta.oauth.d.ts.map

package/lib/services/socialOAuth/meta.oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"meta.oauth.d.ts","sourceRoot":"","sources":["../../../src/services/socialOAuth/meta.oauth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAsB,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAE1E,OAAO,EACL,aAAa,EACb,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,WAAW,EACZ,MAAM,SAAS,CAAC;AAiFjB,qBAAa,iBAAkB,YAAW,oBAAoB;IAC5D,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAC;IAEnC,2EAA2E;IAC3E,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAkB;gBAE7B,MAAM,EAAE,eAAe;IAWnC,OAAO,CAAC,YAAY;IAIpB,OAAO,CAAC,KAAK;IAIb,OAAO,CAAC,KAAK;IAMb,OAAO,CAAC,SAAS;IAMjB,UAAU,CAAC,EACT,KAAK,EACL,WAAW,EACX,qBAAqB,GACtB,EAAE,aAAa,GAAG,MAAM;IAczB;;;;OAIG;IACG,YAAY,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC;IAahE,iBAAiB,CACrB,MAAM,EAAE,kBAAkB,GACzB,OAAO,CAAC,aAAa,EAAE,CAAC;YAgDb,oBAAoB;YA8BpB,wBAAwB;IAgCtC,OAAO,CAAC,UAAU;IASlB;;;;OAIG;IACG,OAAO,IAAI,OAAO,CAAC,WAAW,CAAC;YAMvB,OAAO;CAYtB"}

package/lib/services/socialOAuth/meta.oauth.js

@@ -0,0 +1,214 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MetaOAuthProvider = void 0;
+const types_1 = require("../../globals/types");
+const logger_1 = require("../../utils/logger");
+/**
+ * Meta (Facebook + Instagram) OAuth provider — Phase 3 of the Social Suite.
+ *
+ * One Facebook Login grant unlocks BOTH surfaces: every FB Page the user manages
+ * and each Page's linked IG Business/Creator account. We therefore key the OAuth
+ * factory with BOTH ESocialProvider.FACEBOOK and ESocialProvider.INSTAGRAM, each
+ * constructing a MetaOAuthProvider whose `target` decides which accounts the
+ * callback persists (Pages vs IG accounts). The auth dialog + token exchange are
+ * identical for both.
+ *
+ * Token model (important — differs from YouTube):
+ * - We exchange the short-lived user token for a LONG-LIVED user token
+ *   (`fb_exchange_token`, ~60 days).
+ * - We then read `/me/accounts`, whose Page access tokens — when derived from a
+ *   long-lived user token — DO NOT EXPIRE. We store the Page token per account
+ *   and use it for both FB and the linked IG account (IG publishing/insights run
+ *   through the managing Page token). So there is no refresh token and no
+ *   proactive refresh; we set a far-future expiry and let a 401 on use trigger a
+ *   reconnect. (Plan §3.)
+ *
+ * Config (env):
+ *   META_APP_ID      — Meta app id
+ *   META_APP_SECRET  — Meta app secret
+ *   META_GRAPH_VERSION (optional, default v21.0)
+ */
+const DEFAULT_GRAPH_VERSION = "v21.0";
+/** Pages/IG publishing + insights. Business scopes add lead/ads management. */
+const BASE_SCOPES = [
+    "pages_show_list",
+    "pages_read_engagement",
+    "pages_manage_posts",
+    "business_management",
+    "instagram_basic",
+    "instagram_content_publish",
+    "instagram_manage_insights",
+    "read_insights",
+];
+const BUSINESS_SCOPES = [
+    "pages_manage_engagement", // comment moderation (G-features)
+    "instagram_manage_comments",
+    "leads_retrieval",
+    "ads_management",
+];
+/** Page tokens from a long-lived user token don't expire; use a far horizon. */
+const PAGE_TOKEN_HORIZON_MS = 1000 * 60 * 60 * 24 * 365 * 5;
+class MetaOAuthProvider {
+    constructor(target) {
+        if (target !== types_1.ESocialProvider.FACEBOOK &&
+            target !== types_1.ESocialProvider.INSTAGRAM) {
+            throw new Error(`MetaOAuth: unsupported target '${target}'`);
+        }
+        this.provider = target;
+        this.target = target;
+    }
+    graphVersion() {
+        return process.env.META_GRAPH_VERSION || DEFAULT_GRAPH_VERSION;
+    }
+    graph(path) {
+        return `https://graph.facebook.com/${this.graphVersion()}${path}`;
+    }
+    appId() {
+        const id = process.env.META_APP_ID;
+        if (!id)
+            throw new Error("MetaOAuth: META_APP_ID not set");
+        return id;
+    }
+    appSecret() {
+        const secret = process.env.META_APP_SECRET;
+        if (!secret)
+            throw new Error("MetaOAuth: META_APP_SECRET not set");
+        return secret;
+    }
+    getAuthUrl({ state, redirectUri, requestBusinessScopes, }) {
+        const scopes = requestBusinessScopes
+            ? [...BASE_SCOPES, ...BUSINESS_SCOPES]
+            : BASE_SCOPES;
+        const params = new URLSearchParams({
+            client_id: this.appId(),
+            redirect_uri: redirectUri,
+            response_type: "code",
+            scope: scopes.join(","),
+            state,
+        });
+        return `https://www.facebook.com/${this.graphVersion()}/dialog/oauth?${params.toString()}`;
+    }
+    /**
+     * Single-account path is unused for Meta (one grant → many accounts), but the
+     * interface requires it. We return the first resolved account so any caller
+     * that ignores `exchangeCodeMulti` still gets something sensible.
+     */
+    async exchangeCode(params) {
+        const all = await this.exchangeCodeMulti(params);
+        const first = all[0];
+        if (!first) {
+            throw new Error(this.target === types_1.ESocialProvider.INSTAGRAM
+                ? "MetaOAuth: no IG Business account linked to any managed Page"
+                : "MetaOAuth: no Facebook Pages found on this account");
+        }
+        return first;
+    }
+    async exchangeCodeMulti(params) {
+        const { code, redirectUri } = params;
+        // 1. code → short-lived user token.
+        const short = await this.getJson(this.graph(`/oauth/access_token?${new URLSearchParams({
+            client_id: this.appId(),
+            client_secret: this.appSecret(),
+            redirect_uri: redirectUri,
+            code,
+        }).toString()}`));
+        if (!short.access_token) {
+            throw new Error(`MetaOAuth: code exchange returned no token ${short.error?.message ?? ""}`.trim());
+        }
+        // 2. short-lived → long-lived user token (~60d).
+        const longLived = await this.getJson(this.graph(`/oauth/access_token?${new URLSearchParams({
+            grant_type: "fb_exchange_token",
+            client_id: this.appId(),
+            client_secret: this.appSecret(),
+            fb_exchange_token: short.access_token,
+        }).toString()}`));
+        const userToken = longLived.access_token ?? short.access_token;
+        // 3. List managed Pages (each carries a Page access token).
+        const pages = await this.getJson(this.graph(`/me/accounts?fields=id,name,access_token,instagram_business_account&access_token=${encodeURIComponent(userToken)}`));
+        const list = pages.data ?? [];
+        if (!list.length) {
+            logger_1.logger.warn("MetaOAuth: user manages no Pages", { target: this.target });
+            return [];
+        }
+        return this.target === types_1.ESocialProvider.FACEBOOK
+            ? await this.resolveFacebookPages(list)
+            : await this.resolveInstagramAccounts(list);
+    }
+    async resolveFacebookPages(pages) {
+        const out = [];
+        for (const p of pages) {
+            if (!p.id || !p.access_token)
+                continue;
+            let avatarUrl;
+            try {
+                const pic = await this.getJson(this.graph(`/${p.id}/picture?type=large&redirect=false&access_token=${encodeURIComponent(p.access_token)}`));
+                avatarUrl = pic.data?.url;
+            }
+            catch {
+                // avatar is best-effort
+            }
+            out.push({
+                account: {
+                    providerAccountId: p.id,
+                    displayName: p.name ?? "Facebook Page",
+                    avatarUrl,
+                    kind: types_1.ESocialAccountKind.PAGE,
+                },
+                tokens: this.pageTokens(p.access_token),
+            });
+        }
+        return out;
+    }
+    async resolveInstagramAccounts(pages) {
+        const out = [];
+        for (const p of pages) {
+            const igId = p.instagram_business_account?.id;
+            if (!igId || !p.access_token)
+                continue;
+            let profile = {};
+            try {
+                profile = await this.getJson(this.graph(`/${igId}?fields=username,name,profile_picture_url&access_token=${encodeURIComponent(p.access_token)}`));
+            }
+            catch {
+                // profile lookup is best-effort
+            }
+            out.push({
+                account: {
+                    providerAccountId: igId,
+                    displayName: profile.name ?? profile.username ?? "Instagram account",
+                    handle: profile.username,
+                    avatarUrl: profile.profile_picture_url,
+                    kind: types_1.ESocialAccountKind.BUSINESS,
+                },
+                // IG publishing/insights run through the managing Page's token.
+                tokens: this.pageTokens(p.access_token),
+            });
+        }
+        return out;
+    }
+    pageTokens(pageToken) {
+        return {
+            accessToken: pageToken,
+            // No refresh token: Page tokens from a long-lived user token don't expire.
+            expiresAt: Date.now() + PAGE_TOKEN_HORIZON_MS,
+            scopes: [],
+        };
+    }
+    /**
+     * Meta Page tokens don't expire, so refresh should never be called by the
+     * daemon (far-future expiry). If it is, surface a reconnect rather than
+     * silently returning a possibly-revoked token.
+     */
+    async refresh() {
+        throw new Error("MetaOAuth: page tokens are long-lived — reconnect required if revoked");
+    }
+    async getJson(url) {
+        const resp = await fetch(url);
+        const json = (await resp.json());
+        if (!resp.ok || json.error) {
+            throw new Error(`MetaOAuth: graph ${resp.status} ${json.error?.message ?? ""}`.trim());
+        }
+        return json;
+    }
+}
+exports.MetaOAuthProvider = MetaOAuthProvider;

package/lib/services/socialOAuth/oauthState.d.ts

@@ -0,0 +1,14 @@
+import { ESocialProvider } from "../../globals/types";
+export interface OAuthStatePayload {
+    userId: string;
+    provider: ESocialProvider;
+    /** App path to return to after connect (optional). */
+    returnTo?: string;
+    /** Whether business-tier scopes were requested. */
+    business?: boolean;
+}
+/** Produce a signed state string to hand to the provider's auth URL. */
+export declare function signOAuthState(payload: OAuthStatePayload, nonce: string): string;
+/** Verify + decode a state string. Returns null if invalid, forged, or expired. */
+export declare function verifyOAuthState(state: string): OAuthStatePayload | null;
+//# sourceMappingURL=oauthState.d.ts.map

package/lib/services/socialOAuth/oauthState.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauthState.d.ts","sourceRoot":"","sources":["../../../src/services/socialOAuth/oauthState.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAetD,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,eAAe,CAAC;IAC1B,sDAAsD;IACtD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAgCD,wEAAwE;AACxE,wBAAgB,cAAc,CAAC,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAIhF;AAED,mFAAmF;AACnF,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,iBAAiB,GAAG,IAAI,CAuBxE"}

package/lib/services/socialOAuth/oauthState.js

@@ -0,0 +1,66 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.signOAuthState = signOAuthState;
+exports.verifyOAuthState = verifyOAuthState;
+const crypto_1 = require("crypto");
+const tokenVault_1 = require("../crypto/tokenVault");
+/**
+ * Stateless, signed OAuth `state` for the social connect flow. The OAuth
+ * callback (`/v1/social/oauth/callback/:provider`) is UNAUTHENTICATED — the
+ * provider redirects the browser there with no Firebase token — so we carry the
+ * initiating user's id inside a signed, time-boxed `state` rather than a server
+ * session. HMAC-SHA256 prevents forgery; the TTL bounds replay.
+ *
+ * Secret: `SOCIAL_OAUTH_STATE_SECRET`, falling back to `SOCIAL_TOKEN_ENC_KEY`.
+ */
+const TTL_MS = 10 * 60 * 1000; // 10 minutes to complete consent
+function secret() {
+    const s = process.env.SOCIAL_OAUTH_STATE_SECRET ?? process.env.SOCIAL_TOKEN_ENC_KEY;
+    if (!s) {
+        throw new Error("oauthState: set SOCIAL_OAUTH_STATE_SECRET (or SOCIAL_TOKEN_ENC_KEY)");
+    }
+    return s;
+}
+function b64url(buf) {
+    return buf
+        .toString("base64")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=+$/, "");
+}
+function sign(body) {
+    return b64url((0, crypto_1.createHmac)("sha256", secret()).update(body).digest());
+}
+/** Produce a signed state string to hand to the provider's auth URL. */
+function signOAuthState(payload, nonce) {
+    const full = { ...payload, iat: Date.now(), n: nonce };
+    const body = b64url(Buffer.from(JSON.stringify(full), "utf8"));
+    return `${body}.${sign(body)}`;
+}
+/** Verify + decode a state string. Returns null if invalid, forged, or expired. */
+function verifyOAuthState(state) {
+    const dot = state.lastIndexOf(".");
+    if (dot <= 0)
+        return null;
+    const body = state.slice(0, dot);
+    const sig = state.slice(dot + 1);
+    if (!(0, tokenVault_1.safeEqual)(sig, sign(body)))
+        return null;
+    try {
+        const json = Buffer.from(body.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
+        const parsed = JSON.parse(json);
+        if (!parsed.userId || !parsed.provider)
+            return null;
+        if (Date.now() - parsed.iat > TTL_MS)
+            return null;
+        return {
+            userId: parsed.userId,
+            provider: parsed.provider,
+            returnTo: parsed.returnTo,
+            business: parsed.business,
+        };
+    }
+    catch {
+        return null;
+    }
+}

package/lib/services/socialOAuth/pinterest.oauth.d.ts

@@ -0,0 +1,15 @@
+import { ESocialProvider } from "../../globals/types";
+import { AuthUrlParams, ConnectResult, ExchangeCodeParams, ISocialOAuthProvider, OAuthTokens } from "./types";
+export declare class PinterestOAuthProvider implements ISocialOAuthProvider {
+    readonly provider = ESocialProvider.PINTEREST;
+    private clientId;
+    private clientSecret;
+    private basicAuth;
+    getAuthUrl({ state, redirectUri, requestBusinessScopes, }: AuthUrlParams): string;
+    exchangeCode({ code, redirectUri, }: ExchangeCodeParams): Promise<ConnectResult>;
+    refresh(refreshToken: string): Promise<OAuthTokens>;
+    private postToken;
+    private toTokens;
+    private resolveAccount;
+}
+//# sourceMappingURL=pinterest.oauth.d.ts.map

package/lib/services/socialOAuth/pinterest.oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pinterest.oauth.d.ts","sourceRoot":"","sources":["../../../src/services/socialOAuth/pinterest.oauth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAsB,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC1E,OAAO,EACL,aAAa,EACb,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,WAAW,EACZ,MAAM,SAAS,CAAC;AAsCjB,qBAAa,sBAAuB,YAAW,oBAAoB;IACjE,QAAQ,CAAC,QAAQ,6BAA6B;IAE9C,OAAO,CAAC,QAAQ;IAKhB,OAAO,CAAC,YAAY;IAKpB,OAAO,CAAC,SAAS;IAMjB,UAAU,CAAC,EACT,KAAK,EACL,WAAW,EACX,qBAAqB,GACtB,EAAE,aAAa,GAAG,MAAM;IAcnB,YAAY,CAAC,EACjB,IAAI,EACJ,WAAW,GACZ,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC;IAgBxC,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;YAe3C,SAAS;IAsBvB,OAAO,CAAC,QAAQ;YAaF,cAAc;CAoB7B"}

package/lib/services/socialOAuth/pinterest.oauth.js

@@ -0,0 +1,126 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PinterestOAuthProvider = void 0;
+const types_1 = require("../../globals/types");
+/**
+ * Pinterest OAuth provider (v5 API). Phase 6 — fast-follow adapter.
+ *
+ * Config (env):
+ *   PINTEREST_CLIENT_ID
+ *   PINTEREST_CLIENT_SECRET
+ *
+ * Token calls use HTTP Basic (client_id:client_secret). Access token ~30 days;
+ * refresh token ~1 year. A connected app starts in "trial" (sandbox) until
+ * Pinterest approves standard access. (Plan §G.)
+ */
+const AUTH_ENDPOINT = "https://www.pinterest.com/oauth/";
+const TOKEN_ENDPOINT = "https://api.pinterest.com/v5/oauth/token";
+const ACCOUNT_ENDPOINT = "https://api.pinterest.com/v5/user_account";
+const BASE_SCOPES = ["boards:read", "pins:read", "pins:write", "user_accounts:read"];
+const BUSINESS_SCOPES = ["boards:read_secret", "pins:read_secret"];
+class PinterestOAuthProvider {
+    constructor() {
+        this.provider = types_1.ESocialProvider.PINTEREST;
+    }
+    clientId() {
+        const v = process.env.PINTEREST_CLIENT_ID;
+        if (!v)
+            throw new Error("PinterestOAuth: PINTEREST_CLIENT_ID not set");
+        return v;
+    }
+    clientSecret() {
+        const v = process.env.PINTEREST_CLIENT_SECRET;
+        if (!v)
+            throw new Error("PinterestOAuth: PINTEREST_CLIENT_SECRET not set");
+        return v;
+    }
+    basicAuth() {
+        return Buffer.from(`${this.clientId()}:${this.clientSecret()}`).toString("base64");
+    }
+    getAuthUrl({ state, redirectUri, requestBusinessScopes, }) {
+        const scopes = requestBusinessScopes
+            ? [...BASE_SCOPES, ...BUSINESS_SCOPES]
+            : BASE_SCOPES;
+        const params = new URLSearchParams({
+            response_type: "code",
+            client_id: this.clientId(),
+            redirect_uri: redirectUri,
+            scope: scopes.join(","),
+            state,
+        });
+        return `${AUTH_ENDPOINT}?${params.toString()}`;
+    }
+    async exchangeCode({ code, redirectUri, }) {
+        const token = await this.postToken(new URLSearchParams({
+            grant_type: "authorization_code",
+            code,
+            redirect_uri: redirectUri,
+        }));
+        if (!token.access_token) {
+            throw new Error("PinterestOAuth: token exchange returned no access_token");
+        }
+        const tokens = this.toTokens(token);
+        const account = await this.resolveAccount(token.access_token);
+        return { account, tokens };
+    }
+    async refresh(refreshToken) {
+        const token = await this.postToken(new URLSearchParams({
+            grant_type: "refresh_token",
+            refresh_token: refreshToken,
+        }));
+        if (!token.access_token) {
+            throw new Error("PinterestOAuth: refresh returned no access_token");
+        }
+        const tokens = this.toTokens(token);
+        if (!tokens.refreshToken)
+            tokens.refreshToken = refreshToken;
+        return tokens;
+    }
+    async postToken(body) {
+        const resp = await fetch(TOKEN_ENDPOINT, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+                Authorization: `Basic ${this.basicAuth()}`,
+            },
+            body: body.toString(),
+        });
+        const json = (await resp.json());
+        if (!resp.ok || json.error) {
+            throw new Error(`PinterestOAuth: token endpoint ${resp.status} ${json.error ?? ""} ${json.error_description ?? json.message ?? ""}`.trim());
+        }
+        return json;
+    }
+    toTokens(token) {
+        const now = Date.now();
+        return {
+            accessToken: token.access_token,
+            refreshToken: token.refresh_token,
+            expiresAt: now + (token.expires_in ?? 30 * 24 * 3600) * 1000,
+            refreshExpiresAt: token.refresh_token_expires_in
+                ? now + token.refresh_token_expires_in * 1000
+                : undefined,
+            scopes: token.scope ? token.scope.split(/[ ,]/).filter(Boolean) : [],
+        };
+    }
+    async resolveAccount(accessToken) {
+        const resp = await fetch(ACCOUNT_ENDPOINT, {
+            headers: { Authorization: `Bearer ${accessToken}` },
+        });
+        const json = (await resp.json());
+        if (!resp.ok || !json.username) {
+            throw new Error(`PinterestOAuth: user_account ${resp.status}`);
+        }
+        return {
+            // Pinterest v5 keys the account by username (no separate stable id).
+            providerAccountId: json.username,
+            displayName: json.business_name ?? json.username,
+            handle: json.username,
+            avatarUrl: json.profile_image,
+            kind: json.account_type === "BUSINESS"
+                ? types_1.ESocialAccountKind.BUSINESS
+                : types_1.ESocialAccountKind.PERSONAL,
+        };
+    }
+}
+exports.PinterestOAuthProvider = PinterestOAuthProvider;

package/lib/services/socialOAuth/threads.oauth.d.ts

@@ -0,0 +1,14 @@
+import { ESocialProvider } from "../../globals/types";
+import { AuthUrlParams, ConnectResult, ExchangeCodeParams, ISocialOAuthProvider, OAuthTokens } from "./types";
+export declare class ThreadsOAuthProvider implements ISocialOAuthProvider {
+    readonly provider = ESocialProvider.THREADS;
+    private appId;
+    private appSecret;
+    getAuthUrl({ state, redirectUri, requestBusinessScopes, }: AuthUrlParams): string;
+    exchangeCode({ code, redirectUri, }: ExchangeCodeParams): Promise<ConnectResult>;
+    refresh(refreshToken: string): Promise<OAuthTokens>;
+    private toLongLived;
+    private toTokens;
+    private resolveAccount;
+}
+//# sourceMappingURL=threads.oauth.d.ts.map

package/lib/services/socialOAuth/threads.oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"threads.oauth.d.ts","sourceRoot":"","sources":["../../../src/services/socialOAuth/threads.oauth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAsB,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC1E,OAAO,EACL,aAAa,EACb,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,WAAW,EACZ,MAAM,SAAS,CAAC;AA4CjB,qBAAa,oBAAqB,YAAW,oBAAoB;IAC/D,QAAQ,CAAC,QAAQ,2BAA2B;IAE5C,OAAO,CAAC,KAAK;IAKb,OAAO,CAAC,SAAS;IAMjB,UAAU,CAAC,EACT,KAAK,EACL,WAAW,EACX,qBAAqB,GACtB,EAAE,aAAa,GAAG,MAAM;IAcnB,YAAY,CAAC,EACjB,IAAI,EACJ,WAAW,GACZ,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC;IA2BxC,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;YAgB3C,WAAW;IAgBzB,OAAO,CAAC,QAAQ;YAYF,cAAc;CAkB7B"}