vidspotai-shared 1.0.82 → 1.0.83

package/lib/services/socialOAuth/threads.oauth.js

@@ -0,0 +1,129 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ThreadsOAuthProvider = void 0;
+const types_1 = require("../../globals/types");
+/**
+ * Threads (Meta) OAuth provider. Phase 6 — fast-follow adapter. Threads has its
+ * OWN app + API host (graph.threads.net), separate from the Facebook/IG Graph.
+ *
+ * Config (env):
+ *   THREADS_APP_ID      — Threads app client id
+ *   THREADS_APP_SECRET  — Threads app client secret
+ *
+ * Token model (plan §3): short-lived code exchange → exchange for a LONG-LIVED
+ * token (~60 days) → refresh before expiry. The refresh daemon handles renewal.
+ */
+const AUTH_ENDPOINT = "https://threads.net/oauth/authorize";
+const TOKEN_ENDPOINT = "https://graph.threads.net/oauth/access_token";
+const LONG_LIVED_ENDPOINT = "https://graph.threads.net/access_token";
+const REFRESH_ENDPOINT = "https://graph.threads.net/refresh_access_token";
+const ME_ENDPOINT = "https://graph.threads.net/v1.0/me?fields=id,username,name,threads_profile_picture_url";
+const BASE_SCOPES = ["threads_basic", "threads_content_publish"];
+const BUSINESS_SCOPES = ["threads_manage_insights", "threads_manage_replies"];
+class ThreadsOAuthProvider {
+    constructor() {
+        this.provider = types_1.ESocialProvider.THREADS;
+    }
+    appId() {
+        const v = process.env.THREADS_APP_ID;
+        if (!v)
+            throw new Error("ThreadsOAuth: THREADS_APP_ID not set");
+        return v;
+    }
+    appSecret() {
+        const v = process.env.THREADS_APP_SECRET;
+        if (!v)
+            throw new Error("ThreadsOAuth: THREADS_APP_SECRET not set");
+        return v;
+    }
+    getAuthUrl({ state, redirectUri, requestBusinessScopes, }) {
+        const scopes = requestBusinessScopes
+            ? [...BASE_SCOPES, ...BUSINESS_SCOPES]
+            : BASE_SCOPES;
+        const params = new URLSearchParams({
+            client_id: this.appId(),
+            redirect_uri: redirectUri,
+            response_type: "code",
+            scope: scopes.join(","),
+            state,
+        });
+        return `${AUTH_ENDPOINT}?${params.toString()}`;
+    }
+    async exchangeCode({ code, redirectUri, }) {
+        // 1. Short-lived token (also returns the Threads user id).
+        const shortResp = await fetch(TOKEN_ENDPOINT, {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: new URLSearchParams({
+                client_id: this.appId(),
+                client_secret: this.appSecret(),
+                grant_type: "authorization_code",
+                redirect_uri: redirectUri,
+                // Threads strips a trailing "#_" the browser may append.
+                code: code.replace(/#_$/, ""),
+            }).toString(),
+        });
+        const short = (await shortResp.json());
+        if (!shortResp.ok || short.error_type || !short.access_token) {
+            throw new Error(`ThreadsOAuth: code exchange ${shortResp.status} ${short.error_message ?? ""}`.trim());
+        }
+        // 2. Exchange for a long-lived (~60d) token.
+        const tokens = await this.toLongLived(short.access_token);
+        const account = await this.resolveAccount(tokens.accessToken);
+        return { account, tokens };
+    }
+    async refresh(refreshToken) {
+        // Threads long-lived tokens are refreshed (not re-granted) once ≥24h old.
+        const url = `${REFRESH_ENDPOINT}?${new URLSearchParams({
+            grant_type: "th_refresh_token",
+            access_token: refreshToken,
+        }).toString()}`;
+        const resp = await fetch(url);
+        const json = (await resp.json());
+        if (!resp.ok || json.error || !json.access_token) {
+            throw new Error(`ThreadsOAuth: refresh ${resp.status} ${json.error?.message ?? ""}`.trim());
+        }
+        return this.toTokens(json);
+    }
+    async toLongLived(shortToken) {
+        const url = `${LONG_LIVED_ENDPOINT}?${new URLSearchParams({
+            grant_type: "th_exchange_token",
+            client_secret: this.appSecret(),
+            access_token: shortToken,
+        }).toString()}`;
+        const resp = await fetch(url);
+        const json = (await resp.json());
+        if (!resp.ok || json.error || !json.access_token) {
+            throw new Error(`ThreadsOAuth: long-lived exchange ${resp.status} ${json.error?.message ?? ""}`.trim());
+        }
+        return this.toTokens(json);
+    }
+    toTokens(json) {
+        // Long-lived token doubles as its own refresh token (refresh_access_token
+        // takes the current access token). No separate refresh secret.
+        const accessToken = json.access_token;
+        return {
+            accessToken,
+            refreshToken: accessToken,
+            expiresAt: Date.now() + (json.expires_in ?? 60 * 24 * 3600) * 1000,
+            scopes: [],
+        };
+    }
+    async resolveAccount(accessToken) {
+        const resp = await fetch(ME_ENDPOINT, {
+            headers: { Authorization: `Bearer ${accessToken}` },
+        });
+        const json = (await resp.json());
+        if (!resp.ok || json.error || !json.id) {
+            throw new Error(`ThreadsOAuth: /me ${resp.status} ${json.error?.message ?? ""}`.trim());
+        }
+        return {
+            providerAccountId: json.id,
+            displayName: json.name ?? json.username ?? "Threads account",
+            handle: json.username,
+            avatarUrl: json.threads_profile_picture_url,
+            kind: types_1.ESocialAccountKind.CREATOR,
+        };
+    }
+}
+exports.ThreadsOAuthProvider = ThreadsOAuthProvider;

package/lib/services/socialOAuth/tiktok.oauth.d.ts

@@ -0,0 +1,15 @@
+import { ESocialProvider } from "../../globals/types";
+import { AuthUrlParams, ConnectResult, ExchangeCodeParams, ISocialOAuthProvider, OAuthTokens } from "./types";
+export declare class TikTokOAuthProvider implements ISocialOAuthProvider {
+    readonly provider = ESocialProvider.TIKTOK;
+    private clientKey;
+    private clientSecret;
+    getAuthUrl({ state, redirectUri, requestBusinessScopes, }: AuthUrlParams): string;
+    exchangeCode({ code, redirectUri, }: ExchangeCodeParams): Promise<ConnectResult>;
+    refresh(refreshToken: string): Promise<OAuthTokens>;
+    revoke(token: string): Promise<void>;
+    private postToken;
+    private toTokens;
+    private resolveAccount;
+}
+//# sourceMappingURL=tiktok.oauth.d.ts.map

package/lib/services/socialOAuth/tiktok.oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tiktok.oauth.d.ts","sourceRoot":"","sources":["../../../src/services/socialOAuth/tiktok.oauth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAsB,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAE1E,OAAO,EACL,aAAa,EACb,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,WAAW,EACZ,MAAM,SAAS,CAAC;AAoDjB,qBAAa,mBAAoB,YAAW,oBAAoB;IAC9D,QAAQ,CAAC,QAAQ,0BAA0B;IAE3C,OAAO,CAAC,SAAS;IAKjB,OAAO,CAAC,YAAY;IAMpB,UAAU,CAAC,EACT,KAAK,EACL,WAAW,EACX,qBAAqB,GACtB,EAAE,aAAa,GAAG,MAAM;IAcnB,YAAY,CAAC,EACjB,IAAI,EACJ,WAAW,GACZ,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC;IAiBxC,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAenD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;YAkB5B,SAAS;IAsBvB,OAAO,CAAC,QAAQ;YAaF,cAAc;CAmB7B"}

package/lib/services/socialOAuth/tiktok.oauth.js

@@ -0,0 +1,151 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TikTokOAuthProvider = void 0;
+const types_1 = require("../../globals/types");
+const logger_1 = require("../../utils/logger");
+/**
+ * TikTok (Login Kit v2) OAuth provider. Phase 6 — TikTok publish.
+ *
+ * Config (env):
+ *   TIKTOK_CLIENT_KEY     — app client key
+ *   TIKTOK_CLIENT_SECRET  — app client secret
+ *
+ * Notes / gates (plan §3, §G):
+ * - Access token lives 24h; refresh token 365d WITH rotation (a refresh returns
+ *   a NEW refresh token — we persist it). The refresh daemon is mandatory.
+ * - `video.publish` (direct post) + `video.upload` (draft) require the Content
+ *   Posting API audit; until approved, posts are forced SELF_ONLY/draft and only
+ *   test users can connect.
+ * - PULL_FROM_URL publishing needs the media domain (our CDN) verified in the
+ *   TikTok developer portal.
+ */
+const AUTH_ENDPOINT = "https://www.tiktok.com/v2/auth/authorize/";
+const TOKEN_ENDPOINT = "https://open.tiktokapis.com/v2/oauth/token/";
+const REVOKE_ENDPOINT = "https://open.tiktokapis.com/v2/oauth/revoke/";
+const USERINFO_ENDPOINT = "https://open.tiktokapis.com/v2/user/info/?fields=open_id,union_id,avatar_url,display_name,username";
+/** Basic scopes: identity + publish. `video.list` (read) gates metrics. */
+const BASE_SCOPES = ["user.info.basic", "video.publish", "video.upload"];
+const BUSINESS_SCOPES = ["video.list"];
+class TikTokOAuthProvider {
+    constructor() {
+        this.provider = types_1.ESocialProvider.TIKTOK;
+    }
+    clientKey() {
+        const k = process.env.TIKTOK_CLIENT_KEY;
+        if (!k)
+            throw new Error("TikTokOAuth: TIKTOK_CLIENT_KEY not set");
+        return k;
+    }
+    clientSecret() {
+        const s = process.env.TIKTOK_CLIENT_SECRET;
+        if (!s)
+            throw new Error("TikTokOAuth: TIKTOK_CLIENT_SECRET not set");
+        return s;
+    }
+    getAuthUrl({ state, redirectUri, requestBusinessScopes, }) {
+        const scopes = requestBusinessScopes
+            ? [...BASE_SCOPES, ...BUSINESS_SCOPES]
+            : BASE_SCOPES;
+        const params = new URLSearchParams({
+            client_key: this.clientKey(),
+            scope: scopes.join(","),
+            response_type: "code",
+            redirect_uri: redirectUri,
+            state,
+        });
+        return `${AUTH_ENDPOINT}?${params.toString()}`;
+    }
+    async exchangeCode({ code, redirectUri, }) {
+        const body = new URLSearchParams({
+            client_key: this.clientKey(),
+            client_secret: this.clientSecret(),
+            code,
+            grant_type: "authorization_code",
+            redirect_uri: redirectUri,
+        });
+        const token = await this.postToken(body);
+        if (!token.access_token) {
+            throw new Error("TikTokOAuth: token exchange returned no access_token");
+        }
+        const tokens = this.toTokens(token);
+        const account = await this.resolveAccount(token.access_token);
+        return { account, tokens };
+    }
+    async refresh(refreshToken) {
+        const body = new URLSearchParams({
+            client_key: this.clientKey(),
+            client_secret: this.clientSecret(),
+            grant_type: "refresh_token",
+            refresh_token: refreshToken,
+        });
+        const token = await this.postToken(body);
+        if (!token.access_token) {
+            throw new Error("TikTokOAuth: refresh returned no access_token");
+        }
+        // TikTok ROTATES the refresh token — keep whatever it returned.
+        return this.toTokens(token);
+    }
+    async revoke(token) {
+        try {
+            await fetch(REVOKE_ENDPOINT, {
+                method: "POST",
+                headers: { "Content-Type": "application/x-www-form-urlencoded" },
+                body: new URLSearchParams({
+                    client_key: this.clientKey(),
+                    client_secret: this.clientSecret(),
+                    token,
+                }).toString(),
+            });
+        }
+        catch (err) {
+            logger_1.logger.warn("TikTokOAuth.revoke: failed (non-fatal)", {
+                error: err instanceof Error ? err.message : String(err),
+            });
+        }
+    }
+    async postToken(body) {
+        const resp = await fetch(TOKEN_ENDPOINT, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+                "Cache-Control": "no-cache",
+            },
+            body: body.toString(),
+        });
+        const json = (await resp.json());
+        if (!resp.ok || json.error) {
+            throw new Error(`TikTokOAuth: token endpoint ${resp.status} ${json.error ?? ""} ${json.error_description ?? ""}`.trim());
+        }
+        return json;
+    }
+    toTokens(token) {
+        const now = Date.now();
+        return {
+            accessToken: token.access_token,
+            refreshToken: token.refresh_token,
+            expiresAt: now + (token.expires_in ?? 86400) * 1000,
+            refreshExpiresAt: token.refresh_expires_in
+                ? now + token.refresh_expires_in * 1000
+                : undefined,
+            scopes: token.scope ? token.scope.split(",").filter(Boolean) : [],
+        };
+    }
+    async resolveAccount(accessToken) {
+        const resp = await fetch(USERINFO_ENDPOINT, {
+            headers: { Authorization: `Bearer ${accessToken}` },
+        });
+        const json = (await resp.json());
+        const user = json.data?.user;
+        if (!resp.ok || json.error?.code || !user?.open_id) {
+            throw new Error(`TikTokOAuth: user info ${resp.status} ${json.error?.message ?? ""}`.trim());
+        }
+        return {
+            providerAccountId: user.open_id,
+            displayName: user.display_name ?? "TikTok account",
+            handle: user.username,
+            avatarUrl: user.avatar_url,
+            kind: types_1.ESocialAccountKind.CREATOR,
+        };
+    }
+}
+exports.TikTokOAuthProvider = TikTokOAuthProvider;

package/lib/services/socialOAuth/types.d.ts

@@ -0,0 +1,67 @@
+import { ESocialAccountKind, ESocialProvider } from "../../globals/types";
+/**
+ * X8 Social Suite — OAuth provider abstraction. One implementation per platform
+ * behind a single interface so the connect/callback controllers and the token
+ * refresh daemon are provider-agnostic. See notes/SOCIAL_SUITE_PLAN.md §4.
+ *
+ * IMPORTANT: this layer deals in CLEARTEXT tokens. Encryption (tokenVault) is
+ * applied by the persistence layer right before writing to Firestore, and
+ * decryption right after reading — providers never see ciphertext.
+ */
+/** Cleartext OAuth credential bundle returned by exchange/refresh. */
+export interface OAuthTokens {
+    accessToken: string;
+    refreshToken?: string;
+    /** Unix ms when the access token expires. */
+    expiresAt: number;
+    /** Unix ms when the refresh token expires, if applicable. */
+    refreshExpiresAt?: number;
+    /** Scopes actually granted (may differ from requested). */
+    scopes: string[];
+}
+/** Identity of the connected account, resolved after token exchange. */
+export interface ResolvedSocialAccount {
+    providerAccountId: string;
+    displayName: string;
+    handle?: string;
+    avatarUrl?: string;
+    kind: ESocialAccountKind;
+}
+export interface AuthUrlParams {
+    /** Opaque CSRF state we generate + verify on callback. */
+    state: string;
+    /** The OAuth redirect URI registered with the provider. */
+    redirectUri: string;
+    /** Ask for premium/business scopes (G-features) where supported. */
+    requestBusinessScopes?: boolean;
+}
+export interface ExchangeCodeParams {
+    code: string;
+    redirectUri: string;
+}
+/** Result of a successful connect: who they are + their (cleartext) tokens. */
+export interface ConnectResult {
+    account: ResolvedSocialAccount;
+    tokens: OAuthTokens;
+}
+/** Abstract OAuth provider. Implementations are stateless + config-driven. */
+export interface ISocialOAuthProvider {
+    readonly provider: ESocialProvider;
+    /** Build the provider authorization URL to redirect the user to. */
+    getAuthUrl(params: AuthUrlParams): string;
+    /** Exchange the callback `code` for tokens + resolve the account identity. */
+    exchangeCode(params: ExchangeCodeParams): Promise<ConnectResult>;
+    /**
+     * Multi-account variant: a single OAuth grant can yield several accounts (e.g.
+     * Meta returns every FB Page + linked IG Business account the user manages).
+     * When present, the callback upserts ALL returned accounts. Providers that map
+     * one grant → one account (YouTube) leave this undefined and the callback uses
+     * `exchangeCode`. See notes/SOCIAL_SUITE_PLAN.md §4.
+     */
+    exchangeCodeMulti?(params: ExchangeCodeParams): Promise<ConnectResult[]>;
+    /** Refresh an expiring access token using the stored refresh token. */
+    refresh(refreshToken: string): Promise<OAuthTokens>;
+    /** Best-effort revoke at the provider (called on disconnect). */
+    revoke?(token: string): Promise<void>;
+}
+//# sourceMappingURL=types.d.ts.map

package/lib/services/socialOAuth/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/services/socialOAuth/types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAE1E;;;;;;;;GAQG;AAEH,sEAAsE;AACtE,MAAM,WAAW,WAAW;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;IAClB,6DAA6D;IAC7D,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,2DAA2D;IAC3D,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,wEAAwE;AACxE,MAAM,WAAW,qBAAqB;IACpC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,kBAAkB,CAAC;CAC1B;AAED,MAAM,WAAW,aAAa;IAC5B,0DAA0D;IAC1D,KAAK,EAAE,MAAM,CAAC;IACd,2DAA2D;IAC3D,WAAW,EAAE,MAAM,CAAC;IACpB,oEAAoE;IACpE,qBAAqB,CAAC,EAAE,OAAO,CAAC;CACjC;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,+EAA+E;AAC/E,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,qBAAqB,CAAC;IAC/B,MAAM,EAAE,WAAW,CAAC;CACrB;AAED,8EAA8E;AAC9E,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAC;IACnC,oEAAoE;IACpE,UAAU,CAAC,MAAM,EAAE,aAAa,GAAG,MAAM,CAAC;IAC1C,8EAA8E;IAC9E,YAAY,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IACjE;;;;;;OAMG;IACH,iBAAiB,CAAC,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;IACzE,uEAAuE;IACvE,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;IACpD,iEAAiE;IACjE,MAAM,CAAC,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACvC"}

package/lib/services/socialOAuth/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/services/socialOAuth/x.oauth.d.ts

@@ -0,0 +1,17 @@
+import { ESocialProvider } from "../../globals/types";
+import { AuthUrlParams, ConnectResult, ExchangeCodeParams, ISocialOAuthProvider, OAuthTokens } from "./types";
+export declare class XOAuthProvider implements ISocialOAuthProvider {
+    readonly provider = ESocialProvider.X;
+    private clientId;
+    private clientSecret;
+    /** Deterministic PKCE verifier (base64url, 43 chars) — see header note. */
+    private codeVerifier;
+    private basicAuth;
+    getAuthUrl({ state, redirectUri }: AuthUrlParams): string;
+    exchangeCode({ code, redirectUri, }: ExchangeCodeParams): Promise<ConnectResult>;
+    refresh(refreshToken: string): Promise<OAuthTokens>;
+    private postToken;
+    private toTokens;
+    private resolveAccount;
+}
+//# sourceMappingURL=x.oauth.d.ts.map

package/lib/services/socialOAuth/x.oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"x.oauth.d.ts","sourceRoot":"","sources":["../../../src/services/socialOAuth/x.oauth.ts"],"names":[],"mappings":"AACA,OAAO,EAAsB,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC1E,OAAO,EACL,aAAa,EACb,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,WAAW,EACZ,MAAM,SAAS,CAAC;AAuCjB,qBAAa,cAAe,YAAW,oBAAoB;IACzD,QAAQ,CAAC,QAAQ,qBAAqB;IAEtC,OAAO,CAAC,QAAQ;IAKhB,OAAO,CAAC,YAAY;IAKpB,2EAA2E;IAC3E,OAAO,CAAC,YAAY;IAKpB,OAAO,CAAC,SAAS;IAMjB,UAAU,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE,aAAa,GAAG,MAAM;IAenD,YAAY,CAAC,EACjB,IAAI,EACJ,WAAW,GACZ,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC;IAkBxC,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;YAiB3C,SAAS;IAoBvB,OAAO,CAAC,QAAQ;YASF,cAAc;CAkB7B"}

package/lib/services/socialOAuth/x.oauth.js

@@ -0,0 +1,134 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.XOAuthProvider = void 0;
+const crypto_1 = require("crypto");
+const types_1 = require("../../globals/types");
+/**
+ * X (Twitter) OAuth 2.0 provider with PKCE. Phase 6 — fast-follow adapter.
+ *
+ * Config (env):
+ *   X_CLIENT_ID
+ *   X_CLIENT_SECRET   — confidential client (sent via HTTP Basic on token calls)
+ *
+ * PKCE note: X mandates PKCE even for confidential clients, but the OAuth
+ * callback hands `exchangeCode` only {code, redirectUri} — not the per-session
+ * `state`. So we use a DETERMINISTIC app-level verifier derived from the client
+ * secret (method=plain): `getAuthUrl` and `exchangeCode` both recompute the same
+ * value with no shared session storage. With a confidential client the secret
+ * (Basic auth) is the real protection; the static verifier just satisfies the
+ * PKCE requirement. `offline.access` is required to receive a refresh token.
+ */
+const AUTH_ENDPOINT = "https://twitter.com/i/oauth2/authorize";
+const TOKEN_ENDPOINT = "https://api.twitter.com/2/oauth2/token";
+const ME_ENDPOINT = "https://api.twitter.com/2/users/me?user.fields=profile_image_url,username,name";
+const BASE_SCOPES = ["tweet.read", "tweet.write", "users.read", "offline.access"];
+class XOAuthProvider {
+    constructor() {
+        this.provider = types_1.ESocialProvider.X;
+    }
+    clientId() {
+        const v = process.env.X_CLIENT_ID;
+        if (!v)
+            throw new Error("XOAuth: X_CLIENT_ID not set");
+        return v;
+    }
+    clientSecret() {
+        const v = process.env.X_CLIENT_SECRET;
+        if (!v)
+            throw new Error("XOAuth: X_CLIENT_SECRET not set");
+        return v;
+    }
+    /** Deterministic PKCE verifier (base64url, 43 chars) — see header note. */
+    codeVerifier() {
+        return (0, crypto_1.createHash)("sha256")
+            .update(`${this.clientSecret()}:vidspot-x-pkce`)
+            .digest("base64url");
+    }
+    basicAuth() {
+        return Buffer.from(`${this.clientId()}:${this.clientSecret()}`).toString("base64");
+    }
+    getAuthUrl({ state, redirectUri }) {
+        const verifier = this.codeVerifier();
+        const params = new URLSearchParams({
+            response_type: "code",
+            client_id: this.clientId(),
+            redirect_uri: redirectUri,
+            scope: BASE_SCOPES.join(" "),
+            state,
+            // method=plain → challenge equals verifier verbatim.
+            code_challenge: verifier,
+            code_challenge_method: "plain",
+        });
+        return `${AUTH_ENDPOINT}?${params.toString()}`;
+    }
+    async exchangeCode({ code, redirectUri, }) {
+        const token = await this.postToken(new URLSearchParams({
+            grant_type: "authorization_code",
+            code,
+            redirect_uri: redirectUri,
+            client_id: this.clientId(),
+            code_verifier: this.codeVerifier(),
+        }));
+        if (!token.access_token) {
+            throw new Error("XOAuth: token exchange returned no access_token");
+        }
+        const tokens = this.toTokens(token);
+        const account = await this.resolveAccount(token.access_token);
+        return { account, tokens };
+    }
+    async refresh(refreshToken) {
+        const token = await this.postToken(new URLSearchParams({
+            grant_type: "refresh_token",
+            refresh_token: refreshToken,
+            client_id: this.clientId(),
+        }));
+        if (!token.access_token) {
+            throw new Error("XOAuth: refresh returned no access_token");
+        }
+        const tokens = this.toTokens(token);
+        // X rotates refresh tokens; keep the old one only if none came back.
+        if (!tokens.refreshToken)
+            tokens.refreshToken = refreshToken;
+        return tokens;
+    }
+    async postToken(body) {
+        const resp = await fetch(TOKEN_ENDPOINT, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+                Authorization: `Basic ${this.basicAuth()}`,
+            },
+            body: body.toString(),
+        });
+        const json = (await resp.json());
+        if (!resp.ok || json.error) {
+            throw new Error(`XOAuth: token endpoint ${resp.status} ${json.error ?? ""} ${json.error_description ?? ""}`.trim());
+        }
+        return json;
+    }
+    toTokens(token) {
+        return {
+            accessToken: token.access_token,
+            refreshToken: token.refresh_token,
+            expiresAt: Date.now() + (token.expires_in ?? 7200) * 1000,
+            scopes: token.scope ? token.scope.split(" ").filter(Boolean) : [],
+        };
+    }
+    async resolveAccount(accessToken) {
+        const resp = await fetch(ME_ENDPOINT, {
+            headers: { Authorization: `Bearer ${accessToken}` },
+        });
+        const json = (await resp.json());
+        if (!resp.ok || !json.data?.id) {
+            throw new Error(`XOAuth: /users/me ${resp.status} ${json.errors?.[0]?.detail ?? ""}`.trim());
+        }
+        return {
+            providerAccountId: json.data.id,
+            displayName: json.data.name ?? "X account",
+            handle: json.data.username,
+            avatarUrl: json.data.profile_image_url,
+            kind: types_1.ESocialAccountKind.PERSONAL,
+        };
+    }
+}
+exports.XOAuthProvider = XOAuthProvider;

package/lib/services/socialOAuth/youtube.oauth.d.ts

@@ -0,0 +1,15 @@
+import { ESocialProvider } from "../../globals/types";
+import { AuthUrlParams, ConnectResult, ExchangeCodeParams, ISocialOAuthProvider, OAuthTokens } from "./types";
+export declare class YouTubeOAuthProvider implements ISocialOAuthProvider {
+    readonly provider = ESocialProvider.YOUTUBE;
+    private clientId;
+    private clientSecret;
+    getAuthUrl({ state, redirectUri, requestBusinessScopes, }: AuthUrlParams): string;
+    exchangeCode({ code, redirectUri, }: ExchangeCodeParams): Promise<ConnectResult>;
+    refresh(refreshToken: string): Promise<OAuthTokens>;
+    revoke(token: string): Promise<void>;
+    private postToken;
+    private toTokens;
+    private resolveAccount;
+}
+//# sourceMappingURL=youtube.oauth.d.ts.map

package/lib/services/socialOAuth/youtube.oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"youtube.oauth.d.ts","sourceRoot":"","sources":["../../../src/services/socialOAuth/youtube.oauth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAsB,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAE1E,OAAO,EACL,aAAa,EACb,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,WAAW,EACZ,MAAM,SAAS,CAAC;AAoDjB,qBAAa,oBAAqB,YAAW,oBAAoB;IAC/D,QAAQ,CAAC,QAAQ,2BAA2B;IAE5C,OAAO,CAAC,QAAQ;IAMhB,OAAO,CAAC,YAAY;IAOpB,UAAU,CAAC,EACT,KAAK,EACL,WAAW,EACX,qBAAqB,GACtB,EAAE,aAAa,GAAG,MAAM;IAiBnB,YAAY,CAAC,EACjB,IAAI,EACJ,WAAW,GACZ,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC;IAiBxC,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAiBnD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;YAc5B,SAAS;IAmBvB,OAAO,CAAC,QAAQ;YAUF,cAAc;CAwB7B"}