interloper-api 0.11.0__tar.gz → 0.14.0__tar.gz

{interloper_api-0.11.0 → interloper_api-0.14.0}/PKG-INFO

@@ -1,12 +1,13 @@
 Metadata-Version: 2.3
 Name: interloper-api
-Version: 0.11.0
+Version: 0.14.0
 Summary: Interloper FastAPI routes
 Author: Guillaume Onfroy
 Author-email: Guillaume Onfroy <guillaume@digitlcloud.com>
 Requires-Dist: interloper-core
 Requires-Dist: interloper-db
 Requires-Dist: fastapi>=0.115.0
+Requires-Dist: google-auth>=2.0.0
 Requires-Dist: httpx>=0.28.0
 Requires-Dist: psycopg2-binary>=2.9.0
 Requires-Dist: uvicorn[standard]>=0.41.0

{interloper_api-0.11.0 → interloper_api-0.14.0}/pyproject.toml

@@ -3,7 +3,7 @@
 # ###############
 [project]
 name = "interloper-api"
-version = "0.11.0"
+version = "0.14.0"
 description = "Interloper FastAPI routes"
 readme = "README.md"
 authors = [{ name = "Guillaume Onfroy", email = "guillaume@digitlcloud.com" }]
@@ -12,6 +12,7 @@ dependencies = [
     "interloper-core",
     "interloper-db",
     "fastapi>=0.115.0",
+    "google-auth>=2.0.0",
     "httpx>=0.28.0",
     "psycopg2-binary>=2.9.0",
     "uvicorn[standard]>=0.41.0",

{interloper_api-0.11.0 → interloper_api-0.14.0}/src/interloper_api/routes/external/__init__.py

@@ -38,11 +38,13 @@ def handle_error(error: Exception, context: str) -> None:
 from interloper_api.routes.external.amazon_ads import sub_router as amazon_ads_router  # noqa: E402
 from interloper_api.routes.external.facebook_ads import sub_router as facebook_ads_router  # noqa: E402
 from interloper_api.routes.external.google_ads import sub_router as google_ads_router  # noqa: E402
+from interloper_api.routes.external.google_cloud import sub_router as google_cloud_router  # noqa: E402
 from interloper_api.routes.external.pinterest_ads import sub_router as pinterest_ads_router  # noqa: E402
 from interloper_api.routes.external.snapchat_ads import sub_router as snapchat_ads_router  # noqa: E402
 
 router.include_router(amazon_ads_router)
 router.include_router(facebook_ads_router)
 router.include_router(google_ads_router)
+router.include_router(google_cloud_router)
 router.include_router(pinterest_ads_router)
 router.include_router(snapchat_ads_router)

interloper_api-0.14.0/src/interloper_api/routes/external/google_cloud.py

@@ -0,0 +1,167 @@
+"""Google Cloud external API routes."""
+
+from __future__ import annotations
+
+import json
+import time
+from typing import Any
+
+import httpx
+from fastapi import APIRouter, Depends, HTTPException
+from google.auth import crypt, jwt
+from interloper_db import Profile
+from pydantic import BaseModel, field_validator
+
+from interloper_api.dependencies import require_viewer
+from interloper_api.routes.external import handle_error
+
+sub_router = APIRouter()
+
+_TOKEN_URL = "https://oauth2.googleapis.com/token"
+# BigQuery's own projects.list: returns the projects the credential holds a
+# BigQuery role on -- exactly the candidates for a BigQuery destination --
+# and only requires the BigQuery API, which is necessarily enabled wherever
+# the destination can work (unlike the Cloud Resource Manager API, which is
+# frequently disabled).
+_PROJECTS_URL = "https://bigquery.googleapis.com/bigquery/v2/projects"
+_SCOPE = "https://www.googleapis.com/auth/bigquery.readonly"
+
+
+class GoogleCloudConnectionRequest(BaseModel):
+    """Google Cloud connection credentials (matches GoogleCloudConnection fields)."""
+
+    service_account_key: str
+
+    @field_validator("service_account_key", mode="before")
+    @classmethod
+    def _serialize_key(cls, v: object) -> object:
+        if isinstance(v, dict):
+            return json.dumps(v)
+        return v
+
+    @property
+    def key_info(self) -> dict[str, Any]:
+        """The parsed service account key.
+
+        Returns:
+            The key as a dict.
+
+        Raises:
+            HTTPException: If the key is not valid JSON.
+        """
+        try:
+            return json.loads(self.service_account_key)
+        except json.JSONDecodeError:
+            raise HTTPException(status_code=400, detail="service_account_key is not valid JSON.")
+
+
+def _make_assertion(key_info: dict[str, Any]) -> str:
+    """Build a signed JWT-bearer assertion for the service account.
+
+    Only the signing comes from google-auth; the token exchange itself goes
+    through httpx like every other external route.
+
+    Args:
+        key_info: The parsed service account key.
+
+    Returns:
+        The signed JWT assertion.
+    """
+    signer = crypt.RSASigner.from_service_account_info(key_info)
+    now = int(time.time())
+    payload = {
+        "iss": key_info["client_email"],
+        "scope": _SCOPE,
+        "aud": _TOKEN_URL,
+        "iat": now,
+        "exp": now + 600,
+    }
+    return jwt.encode(signer, payload).decode()
+
+
+async def _get_access_token(client: httpx.AsyncClient, key_info: dict[str, Any]) -> str:
+    """Exchange a service account JWT assertion for an access token."""
+    resp = await client.post(
+        _TOKEN_URL,
+        data={
+            "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
+            "assertion": _make_assertion(key_info),
+        },
+    )
+    resp.raise_for_status()
+    return resp.json()["access_token"]
+
+
+async def _list_projects(client: httpx.AsyncClient, access_token: str) -> list[dict[str, str]]:
+    """List the projects the credential has BigQuery access to, following pagination.
+
+    Returns:
+        Project options with ``project_id`` and a display ``name``.
+    """
+    results: list[dict[str, str]] = []
+    page_token: str | None = None
+    while True:
+        params: dict[str, str] = {"maxResults": "500"}
+        if page_token:
+            params["pageToken"] = page_token
+        resp = await client.get(
+            _PROJECTS_URL,
+            params=params,
+            headers={"Authorization": f"Bearer {access_token}"},
+        )
+        resp.raise_for_status()
+        data = resp.json()
+        for project in data.get("projects", []):
+            project_id = project["id"]
+            name = project.get("friendlyName") or project_id
+            results.append({"project_id": project_id, "name": f"{name} ({project_id})"})
+        page_token = data.get("nextPageToken")
+        if not page_token:
+            break
+    return sorted(results, key=lambda p: p["name"].lower())
+
+
+def _upstream_detail(exc: httpx.HTTPStatusError) -> str:
+    """Extract the human-readable error message from a Google error response.
+
+    The token endpoint answers ``{"error": ..., "error_description": ...}``;
+    the Cloud Resource Manager answers ``{"error": {"message": ...}}``.
+
+    Returns:
+        Google's error message, or the raw body as a fallback.
+    """
+    try:
+        payload = exc.response.json()
+    except ValueError:
+        return exc.response.text[:200]
+    error = payload.get("error")
+    if isinstance(error, dict):
+        return str(error.get("message") or error)
+    description = payload.get("error_description")
+    return str(description or error or exc.response.text[:200])
+
+
+@sub_router.post("/google-cloud/projects")
+async def google_cloud_projects(
+    body: GoogleCloudConnectionRequest,
+    _user: Profile = Depends(require_viewer),
+) -> list[dict[str, str]]:
+    """Fetch the Google Cloud projects accessible by the connection."""
+    key_info = body.key_info
+    try:
+        async with httpx.AsyncClient(timeout=30) as client:
+            access_token = await _get_access_token(client, key_info)
+            return await _list_projects(client, access_token)
+    except httpx.HTTPStatusError as exc:
+        # Surface Google's own message (e.g. "Cloud Resource Manager API has
+        # not been used in project ...", "Invalid JWT Signature.") so the
+        # form error is actionable, instead of the generic handle_error text.
+        status = exc.response.status_code
+        detail = _upstream_detail(exc)
+        raise HTTPException(
+            status_code=status if status in (401, 403, 404) else 502,
+            detail=f"Google Cloud error while fetching projects: {detail}",
+        )
+    except Exception as exc:
+        handle_error(exc, "fetching Google Cloud projects")
+        return []  # unreachable, but satisfies type checker

interloper_api-0.14.0/src/interloper_api/routes/oauth.py

@@ -0,0 +1,184 @@
+"""OAuth2 token exchange routes.
+
+Providers come from the core registry (``interloper.oauth``): each
+``OAuthProvider`` carries a declarative token-exchange spec (URL, method,
+encoding, parameter names), so the exchange is performed generically —
+adding a provider is an ``interloper.oauth_providers`` entry point, not a
+new route.
+
+The connector *app* credentials (``client_id`` / ``client_secret`` /
+``redirect_uri``) are read from provider-scoped environment variables
+(``<PROVIDER>_CLIENT_ID``, …) and injected into the token response so they
+can be stored alongside the tokens.
+
+The ``GET /providers`` endpoint returns metadata for all providers that
+have credentials configured, so the frontend knows which "Sign in with X"
+buttons to render.
+"""
+
+from __future__ import annotations
+
+import base64
+import logging
+import os
+from typing import Any
+
+import httpx
+from fastapi import APIRouter, HTTPException
+from interloper.oauth import OAuthProvider, providers
+from pydantic import BaseModel
+
+logger = logging.getLogger(__name__)
+
+router = APIRouter(prefix="/oauth", tags=["oauth"])
+
+
+# ---------------------------------------------------------------------------
+# App credentials (environment)
+# ---------------------------------------------------------------------------
+
+
+class _ProviderConfig:
+    """Connector app credentials resolved from environment variables."""
+
+    def __init__(self, key: str, *, env_prefix: str | None = None) -> None:
+        prefix = (env_prefix or key).upper()
+        self.key = key
+        self.client_id = os.environ.get(f"{prefix}_CLIENT_ID", "")
+        self.client_secret = os.environ.get(f"{prefix}_CLIENT_SECRET", "")
+        self.redirect_uri = os.environ.get(f"{prefix}_REDIRECT_URI", "")
+
+    @property
+    def configured(self) -> bool:
+        return bool(self.client_id and self.client_secret and self.redirect_uri)
+
+
+def _load_providers() -> dict[str, _ProviderConfig]:
+    return {key: _ProviderConfig(key) for key in providers()}
+
+
+# ---------------------------------------------------------------------------
+# Generic token exchange
+# ---------------------------------------------------------------------------
+
+
+async def _exchange(
+    client: httpx.AsyncClient,
+    spec: OAuthProvider,
+    cfg: _ProviderConfig,
+    code: str,
+) -> dict[str, Any]:
+    """Exchange an authorization code for tokens, driven by the provider spec.
+
+    Args:
+        client: The HTTP client to use.
+        spec: The provider's token-exchange spec.
+        cfg: The connector app credentials.
+        code: The authorization code.
+
+    Returns:
+        The token response, with ``client_id`` / ``client_secret`` injected
+        so they can be stored alongside the tokens.
+    """
+    logical_values = {
+        "grant_type": "authorization_code",
+        "code": code,
+        "redirect_uri": cfg.redirect_uri,
+        "client_id": cfg.client_id,
+        "client_secret": cfg.client_secret,
+    }
+    params = {wire: logical_values[logical] for logical, wire in spec.token_params.items()}
+
+    headers: dict[str, str] = {}
+    if spec.token_basic_auth:
+        creds = base64.b64encode(f"{cfg.client_id}:{cfg.client_secret}".encode()).decode()
+        headers["Authorization"] = f"Basic {creds}"
+
+    if spec.token_method == "get":
+        resp = await client.get(spec.token_url, params=params, headers=headers)
+    elif spec.token_encoding == "form":
+        headers["Content-Type"] = "application/x-www-form-urlencoded"
+        resp = await client.post(spec.token_url, data=params, headers=headers)
+    else:
+        resp = await client.post(spec.token_url, json=params, headers=headers)
+    resp.raise_for_status()
+
+    result = resp.json()
+    result["client_id"] = cfg.client_id
+    result["client_secret"] = cfg.client_secret
+    return result
+
+
+# ---------------------------------------------------------------------------
+# Routes
+# ---------------------------------------------------------------------------
+
+
+class TokenExchangeRequest(BaseModel):
+    """Request body for exchanging an authorization code for tokens."""
+
+    code: str
+
+
+class ProviderInfo(BaseModel):
+    """Public provider metadata (no secrets)."""
+
+    key: str
+    client_id: str
+    redirect_uri: str
+    auth_url: str = ""
+    label: str = ""
+    icon: str = ""
+
+
+@router.get("/providers")
+def list_providers() -> list[ProviderInfo]:
+    """Return metadata for all configured OAuth providers.
+
+    Only registered providers with ``CLIENT_ID``, ``CLIENT_SECRET``, and
+    ``REDIRECT_URI`` environment variables set are included.  Metadata
+    (auth_url, label, icon) comes from the provider registry.
+    """
+    specs = providers()
+    return [
+        ProviderInfo(
+            key=cfg.key,
+            client_id=cfg.client_id,
+            redirect_uri=cfg.redirect_uri,
+            auth_url=specs[cfg.key].auth_url,
+            label=specs[cfg.key].label,
+            icon=specs[cfg.key].icon,
+        )
+        for cfg in _load_providers().values()
+        if cfg.configured
+    ]
+
+
+@router.post("/{provider}")
+async def exchange_token(provider: str, body: TokenExchangeRequest) -> dict[str, Any]:
+    """Exchange an authorization code for tokens.
+
+    The response includes ``client_id`` and ``client_secret`` so they
+    can be stored alongside the tokens in the connection data.
+    """
+    spec = providers().get(provider)
+    if spec is None:
+        raise HTTPException(status_code=400, detail=f"Unknown OAuth provider: {provider}")
+
+    cfg = _ProviderConfig(provider)
+    if not cfg.configured:
+        raise HTTPException(status_code=400, detail=f"OAuth provider {provider} is not configured")
+
+    try:
+        logger.info("Exchanging auth code for provider %s", provider)
+        async with httpx.AsyncClient(timeout=30) as client:
+            result = await _exchange(client, spec, cfg, body.code)
+        logger.info("Successfully exchanged auth code for provider %s", provider)
+        return result
+    except httpx.HTTPStatusError as exc:
+        detail = exc.response.text
+        logger.error("Token exchange failed for %s: %s %s", provider, exc.response.status_code, detail)
+        raise HTTPException(status_code=500, detail=f"Failed to exchange auth code: {detail}")
+    except Exception as exc:
+        logger.error("Token exchange failed for %s: %s", provider, exc)
+        raise HTTPException(status_code=500, detail=f"Failed to exchange auth code: {exc}")

{interloper_api-0.11.0 → interloper_api-0.14.0}/src/interloper_api/routes/runs.py

@@ -71,6 +71,7 @@ class EventResponse(BaseModel):
     error: str | None
     traceback: str | None
     message: str | None
+    level: str | None
     timestamp: str
 
 
@@ -119,6 +120,7 @@ def _event_to_response(event: Event) -> EventResponse:
         error=event.error,
         traceback=event.traceback,
         message=event.message,
+        level=event.level,
         timestamp=str(event.timestamp),
     )
 
@@ -219,20 +221,22 @@ def list_run_events(
     response: Response,
     limit: int = 100,
     offset: int = 0,
+    asset_id: UUID | None = None,
     user: Profile = Depends(require_viewer),
     store: Store = Depends(get_store),
 ) -> list[EventResponse]:
     """List events for a run, oldest first.
 
     Events are ordered ``timestamp ASC`` and paged with ``limit``/``offset``.
-    The total number of events for the run (ignoring ``limit``/``offset``) is
-    returned in the ``X-Total-Count`` response header so clients can page
+    ``asset_id`` narrows the listing to one asset's events. The total number
+    of matching events (ignoring ``limit``/``offset``, honouring ``asset_id``)
+    is returned in the ``X-Total-Count`` response header so clients can page
     through every event — including the terminal/outcome events
     (``asset_completed``, ``asset_failed``, ``run_failed``, …) that sort last.
     """
     limit = max(1, min(limit, MAX_EVENTS_PAGE_SIZE))
     offset = max(0, offset)
-    total = store.count_events(run_id=run_id)
+    total = store.count_events(run_id=run_id, asset_id=asset_id)
     response.headers["X-Total-Count"] = str(total)
-    events = store.list_events(run_id=run_id, limit=limit, offset=offset)
+    events = store.list_events(run_id=run_id, asset_id=asset_id, limit=limit, offset=offset)
     return [_event_to_response(e) for e in events]

interloper_api-0.11.0/src/interloper_api/routes/oauth.py

@@ -1,345 +0,0 @@
-"""OAuth2 token exchange routes.
-
-Each provider has an explicit exchange function with its own URL,
-HTTP method, body encoding, and parameter names.  The ``client_id``
-and ``client_secret`` are read from environment variables and injected
-into the token response so they can be stored alongside the tokens.
-
-The ``GET /providers`` endpoint returns metadata for all providers
-that have credentials configured, so the frontend knows which
-"Sign in with X" buttons to render.
-"""
-
-from __future__ import annotations
-
-import base64
-import logging
-import os
-from typing import Any
-
-import httpx
-from fastapi import APIRouter, Depends, HTTPException
-from pydantic import BaseModel
-
-from interloper_api.dependencies import get_catalog
-
-logger = logging.getLogger(__name__)
-
-router = APIRouter(prefix="/oauth", tags=["oauth"])
-
-
-# ---------------------------------------------------------------------------
-# Provider registry
-# ---------------------------------------------------------------------------
-
-
-class _ProviderConfig:
-    """Runtime provider config resolved from environment variables."""
-
-    def __init__(self, key: str, *, env_prefix: str | None = None) -> None:
-        prefix = (env_prefix or key).upper()
-        self.key = key
-        self.client_id = os.environ.get(f"{prefix}_CLIENT_ID", "")
-        self.client_secret = os.environ.get(f"{prefix}_CLIENT_SECRET", "")
-        self.redirect_uri = os.environ.get(f"{prefix}_REDIRECT_URI", "")
-
-    @property
-    def configured(self) -> bool:
-        return bool(self.client_id and self.client_secret and self.redirect_uri)
-
-
-_PROVIDER_KEYS = [
-    "amazon",
-    "criteo",
-    "facebook",
-    "google",
-    "linkedin",
-    "microsoft",
-    "pinterest",
-    "snapchat",
-    "tiktok",
-]
-
-
-def _load_providers() -> dict[str, _ProviderConfig]:
-    return {k: _ProviderConfig(k) for k in _PROVIDER_KEYS}
-
-
-# ---------------------------------------------------------------------------
-# Token exchange functions (one per provider)
-# ---------------------------------------------------------------------------
-
-
-async def _amazon(client: httpx.AsyncClient, cfg: _ProviderConfig, code: str) -> dict[str, Any]:
-    resp = await client.post(
-        "https://api.amazon.com/auth/o2/token",
-        json={
-            "grant_type": "authorization_code",
-            "code": code,
-            "redirect_uri": cfg.redirect_uri,
-            "client_id": cfg.client_id,
-            "client_secret": cfg.client_secret,
-        },
-    )
-    resp.raise_for_status()
-    result = resp.json()
-    result["client_id"] = cfg.client_id
-    result["client_secret"] = cfg.client_secret
-    return result
-
-
-async def _criteo(client: httpx.AsyncClient, cfg: _ProviderConfig, code: str) -> dict[str, Any]:
-    resp = await client.post(
-        "https://api.criteo.com/oauth2/token",
-        json={
-            "grant_type": "authorization_code",
-            "code": code,
-            "redirect_uri": cfg.redirect_uri,
-            "client_id": cfg.client_id,
-            "client_secret": cfg.client_secret,
-        },
-    )
-    resp.raise_for_status()
-    result = resp.json()
-    result["client_id"] = cfg.client_id
-    result["client_secret"] = cfg.client_secret
-    return result
-
-
-async def _facebook(client: httpx.AsyncClient, cfg: _ProviderConfig, code: str) -> dict[str, Any]:
-    resp = await client.get(
-        "https://graph.facebook.com/v19.0/oauth/access_token",
-        params={
-            "code": code,
-            "redirect_uri": cfg.redirect_uri,
-            "client_id": cfg.client_id,
-            "client_secret": cfg.client_secret,
-        },
-    )
-    resp.raise_for_status()
-    result = resp.json()
-    result["client_id"] = cfg.client_id
-    result["client_secret"] = cfg.client_secret
-    return result
-
-
-async def _google(client: httpx.AsyncClient, cfg: _ProviderConfig, code: str) -> dict[str, Any]:
-    resp = await client.post(
-        "https://oauth2.googleapis.com/token",
-        json={
-            "grant_type": "authorization_code",
-            "code": code,
-            "redirect_uri": cfg.redirect_uri,
-            "client_id": cfg.client_id,
-            "client_secret": cfg.client_secret,
-        },
-    )
-    resp.raise_for_status()
-    result = resp.json()
-    result["client_id"] = cfg.client_id
-    result["client_secret"] = cfg.client_secret
-    return result
-
-
-async def _linkedin(client: httpx.AsyncClient, cfg: _ProviderConfig, code: str) -> dict[str, Any]:
-    resp = await client.post(
-        "https://www.linkedin.com/oauth/v2/accessToken",
-        data={
-            "grant_type": "authorization_code",
-            "code": code,
-            "redirect_uri": cfg.redirect_uri,
-            "client_id": cfg.client_id,
-            "client_secret": cfg.client_secret,
-        },
-        headers={"Content-Type": "application/x-www-form-urlencoded"},
-    )
-    resp.raise_for_status()
-    result = resp.json()
-    result["client_id"] = cfg.client_id
-    result["client_secret"] = cfg.client_secret
-    return result
-
-
-async def _microsoft(client: httpx.AsyncClient, cfg: _ProviderConfig, code: str) -> dict[str, Any]:
-    resp = await client.post(
-        "https://login.microsoftonline.com/common/oauth2/v2.0/token",
-        data={
-            "grant_type": "authorization_code",
-            "code": code,
-            "redirect_uri": cfg.redirect_uri,
-            "client_id": cfg.client_id,
-            "client_secret": cfg.client_secret,
-        },
-        headers={"Content-Type": "application/x-www-form-urlencoded"},
-    )
-    resp.raise_for_status()
-    result = resp.json()
-    result["client_id"] = cfg.client_id
-    result["client_secret"] = cfg.client_secret
-    return result
-
-
-async def _pinterest(client: httpx.AsyncClient, cfg: _ProviderConfig, code: str) -> dict[str, Any]:
-    creds = base64.b64encode(f"{cfg.client_id}:{cfg.client_secret}".encode()).decode()
-    resp = await client.post(
-        "https://api.pinterest.com/v5/oauth/token",
-        data={
-            "grant_type": "authorization_code",
-            "code": code,
-            "redirect_uri": cfg.redirect_uri,
-            "client_id": cfg.client_id,
-            "client_secret": cfg.client_secret,
-        },
-        headers={
-            "Content-Type": "application/x-www-form-urlencoded",
-            "Authorization": f"Basic {creds}",
-        },
-    )
-    resp.raise_for_status()
-    result = resp.json()
-    result["client_id"] = cfg.client_id
-    result["client_secret"] = cfg.client_secret
-    return result
-
-
-async def _snapchat(client: httpx.AsyncClient, cfg: _ProviderConfig, code: str) -> dict[str, Any]:
-    resp = await client.post(
-        "https://accounts.snapchat.com/login/oauth2/access_token",
-        data={
-            "grant_type": "authorization_code",
-            "code": code,
-            "redirect_uri": cfg.redirect_uri,
-            "client_id": cfg.client_id,
-            "client_secret": cfg.client_secret,
-        },
-        headers={"Content-Type": "application/x-www-form-urlencoded"},
-    )
-    resp.raise_for_status()
-    result = resp.json()
-    result["client_id"] = cfg.client_id
-    result["client_secret"] = cfg.client_secret
-    return result
-
-
-async def _tiktok(client: httpx.AsyncClient, cfg: _ProviderConfig, code: str) -> dict[str, Any]:
-    resp = await client.post(
-        "https://business-api.tiktok.com/open_api/v1.3/oauth2/access_token",
-        json={
-            "auth_code": code,
-            "app_id": cfg.client_id,
-            "secret": cfg.client_secret,
-        },
-    )
-    resp.raise_for_status()
-    result = resp.json()
-    result["client_id"] = cfg.client_id
-    result["client_secret"] = cfg.client_secret
-    return result
-
-
-_EXCHANGE_FNS: dict[str, Any] = {
-    "amazon": _amazon,
-    "criteo": _criteo,
-    "facebook": _facebook,
-    "google": _google,
-    "linkedin": _linkedin,
-    "microsoft": _microsoft,
-    "pinterest": _pinterest,
-    "snapchat": _snapchat,
-    "tiktok": _tiktok,
-}
-
-
-# ---------------------------------------------------------------------------
-# Routes
-# ---------------------------------------------------------------------------
-
-
-class TokenExchangeRequest(BaseModel):
-    """Request body for exchanging an authorization code for tokens."""
-
-    code: str
-
-
-class ProviderInfo(BaseModel):
-    """Public provider metadata (no secrets)."""
-
-    key: str
-    client_id: str
-    redirect_uri: str
-    auth_url: str = ""
-    label: str = ""
-    icon: str = ""
-
-
-def _extract_oauth_metadata(catalog: dict[str, Any]) -> dict[str, dict[str, str]]:
-    """Extract OAuth metadata (auth_url, label, icon) from catalog definitions.
-
-    Scans all resource definitions for ``x-oauth`` config schema extensions.
-    Returns a dict keyed by provider key.
-    """
-    metadata: dict[str, dict[str, str]] = {}
-    for defn in catalog.values():
-        oauth_ext = defn.get("config_schema", {}).get("x-oauth")
-        if oauth_ext and isinstance(oauth_ext, dict):
-            provider = oauth_ext.get("provider", "")
-            if provider and provider not in metadata:
-                metadata[provider] = {
-                    "auth_url": oauth_ext.get("auth_url", ""),
-                    "label": oauth_ext.get("label", ""),
-                    "icon": oauth_ext.get("icon", ""),
-                }
-    return metadata
-
-
-@router.get("/providers")
-def list_providers(catalog: dict[str, Any] = Depends(get_catalog)) -> list[ProviderInfo]:
-    """Return metadata for all configured OAuth providers.
-
-    Only providers with ``CLIENT_ID``, ``CLIENT_SECRET``, and
-    ``REDIRECT_URI`` environment variables set are included.
-    Metadata (auth_url, label, icon) is extracted from the catalog.
-    """
-    providers = _load_providers()
-    oauth_meta = _extract_oauth_metadata(catalog)
-    return [
-        ProviderInfo(
-            key=cfg.key,
-            client_id=cfg.client_id,
-            redirect_uri=cfg.redirect_uri,
-            **(oauth_meta.get(cfg.key, {})),
-        )
-        for cfg in providers.values()
-        if cfg.configured
-    ]
-
-
-@router.post("/{provider}")
-async def exchange_token(provider: str, body: TokenExchangeRequest) -> dict[str, Any]:
-    """Exchange an authorization code for tokens.
-
-    The response includes ``client_id`` and ``client_secret`` so they
-    can be stored alongside the tokens in the connection data.
-    """
-    exchange = _EXCHANGE_FNS.get(provider)
-    if exchange is None:
-        raise HTTPException(status_code=400, detail=f"Unknown OAuth provider: {provider}")
-
-    providers = _load_providers()
-    cfg = providers.get(provider)
-    if cfg is None or not cfg.configured:
-        raise HTTPException(status_code=400, detail=f"OAuth provider {provider} is not configured")
-
-    try:
-        logger.info("Exchanging auth code for provider %s", provider)
-        async with httpx.AsyncClient(timeout=30) as client:
-            result = await exchange(client, cfg, body.code)
-        logger.info("Successfully exchanged auth code for provider %s", provider)
-        return result
-    except httpx.HTTPStatusError as exc:
-        detail = exc.response.text
-        logger.error("Token exchange failed for %s: %s %s", provider, exc.response.status_code, detail)
-        raise HTTPException(status_code=500, detail=f"Failed to exchange auth code: {detail}")
-    except Exception as exc:
-        logger.error("Token exchange failed for %s: %s", provider, exc)
-        raise HTTPException(status_code=500, detail=f"Failed to exchange auth code: {exc}")