Refactor: address remaining technical debt with senior architectural patterns

sangalo20 · sangalo20 · commit 0de2ff9cd41c · 2026-04-07T10:55:34.000+03:00
Resolves #30 by implementing a gRPC Interceptor. Resolves #27 by using a Config struct to avoid constructor over-injection. Resolves #21 by leveraging Go's encoding/json UnmarshalJSON for token parsing.
diff --git a/nexus-broker/cmd/nexus-broker/main.go b/nexus-broker/cmd/nexus-broker/main.go
@@ -99,8 +99,21 @@ func main() {
 		redirectPath = "/auth/callback"
 	}
 	providersHandler := handlers.NewProvidersHandler(store)
-	consentHandler := handlers.NewConsentHandler(db, baseURL, redirectPath, stateKey, cachingClient)
-	callbackHandler := handlers.NewCallbackHandler(db, baseURL, redirectPath, encryptionKey, stateKey, cachingClient)
+	consentHandler := handlers.NewConsentHandler(handlers.ConsentHandlerConfig{
+		DB:           db,
+		BaseURL:      baseURL,
+		RedirectPath: redirectPath,
+		StateKey:     stateKey,
+		HTTPClient:   cachingClient,
+	})
+	callbackHandler := handlers.NewCallbackHandler(handlers.CallbackHandlerConfig{
+		DB:            db,
+		BaseURL:       baseURL,
+		RedirectPath:  redirectPath,
+		EncryptionKey: encryptionKey,
+		StateKey:      stateKey,
+		HTTPClient:    cachingClient,
+	})
 
 	// Setup routes
 	router := srv.Router()
diff --git a/nexus-broker/pkg/handlers/callback.go b/nexus-broker/pkg/handlers/callback.go
@@ -40,8 +40,18 @@ type CallbackHandler struct {
 	metricTokenGet        *prometheus.CounterVec
 }
 
+// CallbackHandlerConfig holds the dependencies for CallbackHandler
+type CallbackHandlerConfig struct {
+	DB            *sqlx.DB
+	BaseURL       string
+	RedirectPath  string
+	EncryptionKey []byte
+	StateKey      []byte
+	HTTPClient    *http.Client
+}
+
 // NewCallbackHandler creates a new callback handler
-func NewCallbackHandler(db *sqlx.DB, baseURL, redirectPath string, encryptionKey, stateKey []byte, httpClient *http.Client) *CallbackHandler {
+func NewCallbackHandler(cfg CallbackHandlerConfig) *CallbackHandler {
 	success := prometheus.NewCounter(prometheus.CounterOpts{
 		Name:        "oauth_token_exchanges_total",
 		Help:        "Total OAuth token exchanges",
@@ -76,12 +86,12 @@ func NewCallbackHandler(db *sqlx.DB, baseURL, redirectPath string, encryptionKey
 	}
 
 	return &CallbackHandler{
-		db:                    db,
-		baseURL:               baseURL,
-		redirectPath:          redirectPath,
-		encryptionKey:         encryptionKey,
-		stateKey:              stateKey,
-		httpClient:            httpClient,
+		db:                    cfg.DB,
+		baseURL:               cfg.BaseURL,
+		redirectPath:          cfg.RedirectPath,
+		encryptionKey:         cfg.EncryptionKey,
+		stateKey:              cfg.StateKey,
+		httpClient:            cfg.HTTPClient,
 		metricExchangeSuccess: success,
 		metricExchangeError:   failure,
 		histogramExchangeDur:  hist,
diff --git a/nexus-broker/pkg/handlers/callback_test.go b/nexus-broker/pkg/handlers/callback_test.go
@@ -26,7 +26,14 @@ func TestRefresh_StaticKeyProvider(t *testing.T) {
 	defer db.Close()
 
 	sqlxDB := sqlx.NewDb(db, "sqlmock")
-	handler := NewCallbackHandler(sqlxDB, "http://localhost:8080", "/auth/callback", []byte("test-key"), []byte("test-key"), http.DefaultClient)
+	handler := NewCallbackHandler(CallbackHandlerConfig{
+		DB:            sqlxDB,
+		BaseURL:       "http://localhost:8080",
+		RedirectPath:  "/auth/callback",
+		EncryptionKey: []byte("test-key"),
+		StateKey:      []byte("test-key"),
+		HTTPClient:    http.DefaultClient,
+	})
 
 	// Mock the initial query to find the connection
 
@@ -66,7 +73,14 @@ func TestRefresh_OAuth2Provider(t *testing.T) {
 	}))
 	defer mockProviderServer.Close()
 
-	handler := NewCallbackHandler(sqlxDB, "http://localhost:8080", "/auth/callback", []byte("01234567890123456789012345678901"), []byte("01234567890123456789012345678901"), mockProviderServer.Client())
+	handler := NewCallbackHandler(CallbackHandlerConfig{
+		DB:            sqlxDB,
+		BaseURL:       "http://localhost:8080",
+		RedirectPath:  "/auth/callback",
+		EncryptionKey: []byte("01234567890123456789012345678901"),
+		StateKey:      []byte("01234567890123456789012345678901"),
+		HTTPClient:    mockProviderServer.Client(),
+	})
 
 	// Mock the initial query to find the connection
 
@@ -117,7 +131,14 @@ func TestGetCaptureSchema(t *testing.T) {
 	sqlxDB := sqlx.NewDb(db, "sqlmock")
 	// Use a real key for signing/verifying state
 	stateKey := []byte("01234567890123456789012345678901")
-	handler := NewCallbackHandler(sqlxDB, "http://localhost:8080", "/auth/callback", nil, stateKey, http.DefaultClient)
+	handler := NewCallbackHandler(CallbackHandlerConfig{
+		DB:            sqlxDB,
+		BaseURL:       "http://localhost:8080",
+		RedirectPath:  "/auth/callback",
+		EncryptionKey: nil,
+		StateKey:      stateKey,
+		HTTPClient:    http.DefaultClient,
+	})
 
 	providerID := uuid.New()
 	stateData := auth.StateData{
@@ -170,7 +191,14 @@ func TestSaveCredential_ValidState(t *testing.T) {
 	sqlxDB := sqlx.NewDb(db, "sqlmock")
 	stateKey := []byte("01234567890123456789012345678901")
 	encryptionKey := []byte("01234567890123456789012345678901")
-	handler := NewCallbackHandler(sqlxDB, "http://localhost:8080", "/auth/callback", encryptionKey, stateKey, http.DefaultClient)
+	handler := NewCallbackHandler(CallbackHandlerConfig{
+		DB:            sqlxDB,
+		BaseURL:       "http://localhost:8080",
+		RedirectPath:  "/auth/callback",
+		EncryptionKey: encryptionKey,
+		StateKey:      stateKey,
+		HTTPClient:    http.DefaultClient,
+	})
 
 	connectionID := uuid.New()
 	stateData := auth.StateData{
@@ -224,7 +252,14 @@ func TestSaveCredential_ValidState(t *testing.T) {
 }
 
 func TestSaveCredential_InvalidState(t *testing.T) {
-	handler := NewCallbackHandler(nil, "http://localhost:8080", "/auth/callback", nil, []byte("test-key"), http.DefaultClient)
+	handler := NewCallbackHandler(CallbackHandlerConfig{
+		DB:            nil,
+		BaseURL:       "http://localhost:8080",
+		RedirectPath:  "/auth/callback",
+		EncryptionKey: nil,
+		StateKey:      []byte("test-key"),
+		HTTPClient:    http.DefaultClient,
+	})
 
 	creds := map[string]interface{}{"api_key": "test-key"}
 	body := map[string]interface{}{
@@ -245,7 +280,14 @@ func TestSaveCredential_InvalidState(t *testing.T) {
 }
 
 func TestSaveCredential_InvalidJSON(t *testing.T) {
-	handler := NewCallbackHandler(nil, "http://localhost:8080", "/auth/callback", nil, nil, http.DefaultClient)
+	handler := NewCallbackHandler(CallbackHandlerConfig{
+		DB:            nil,
+		BaseURL:       "http://localhost:8080",
+		RedirectPath:  "/auth/callback",
+		EncryptionKey: nil,
+		StateKey:      nil,
+		HTTPClient:    http.DefaultClient,
+	})
 
 	req, err := http.NewRequest("POST", "/auth/capture-credential", bytes.NewBuffer([]byte("not-json")))
 	assert.NoError(t, err)
diff --git a/nexus-broker/pkg/handlers/consent.go b/nexus-broker/pkg/handlers/consent.go
@@ -40,8 +40,17 @@ type ConsentHandler struct {
 	consentsOpenID prometheus.Counter
 }
 
+// ConsentHandlerConfig holds the dependencies for ConsentHandler
+type ConsentHandlerConfig struct {
+	DB           *sqlx.DB
+	BaseURL      string
+	RedirectPath string
+	StateKey     []byte
+	HTTPClient   *http.Client
+}
+
 // NewConsentHandler creates a new consent handler
-func NewConsentHandler(db *sqlx.DB, baseURL, redirectPath string, stateKey []byte, httpClient *http.Client) *ConsentHandler {
+func NewConsentHandler(cfg ConsentHandlerConfig) *ConsentHandler {
 	metric := prometheus.NewCounter(prometheus.CounterOpts{
 		Name: "oauth_consents_created_total",
 		Help: "Total OAuth consents created",
@@ -61,11 +70,11 @@ func NewConsentHandler(db *sqlx.DB, baseURL, redirectPath string, stateKey []byt
 	}
 
 	return &ConsentHandler{
-		db:             db,
-		baseURL:        baseURL,
-		redirectPath:   redirectPath,
-		stateKey:       stateKey,
-		httpClient:     httpClient,
+		db:             cfg.DB,
+		baseURL:        cfg.BaseURL,
+		redirectPath:   cfg.RedirectPath,
+		stateKey:       cfg.StateKey,
+		httpClient:     cfg.HTTPClient,
 		consentsMetric: metric,
 		consentsOpenID: metricOpenID,
 	}
diff --git a/nexus-broker/pkg/handlers/consent_test.go b/nexus-broker/pkg/handlers/consent_test.go
@@ -32,7 +32,13 @@ func TestGetSpec_OAuth2(t *testing.T) {
 	defer mockProviderServer.Close()
 
 	// Pass the test server's client to the handler
-	handler := NewConsentHandler(sqlxDB, "http://localhost:8080", "/auth/callback", []byte("test-key"), mockProviderServer.Client())
+	handler := NewConsentHandler(ConsentHandlerConfig{
+		DB:           sqlxDB,
+		BaseURL:      "http://localhost:8080",
+		RedirectPath: "/auth/callback",
+		StateKey:     []byte("test-key"),
+		HTTPClient:   mockProviderServer.Client(),
+	})
 
 	paramsJSON := []byte(`{"access_type": "offline", "prompt": "consent"}`)
 
@@ -81,7 +87,13 @@ func TestGetSpec_StaticKey(t *testing.T) {
 
 	sqlxDB := sqlx.NewDb(db, "sqlmock")
 	// For static key tests, we can pass a default client as no external calls are made.
-	handler := NewConsentHandler(sqlxDB, "http://localhost:8080", "/auth/callback", []byte("test-key"), http.DefaultClient)
+	handler := NewConsentHandler(ConsentHandlerConfig{
+		DB:           sqlxDB,
+		BaseURL:      "http://localhost:8080",
+		RedirectPath: "/auth/callback",
+		StateKey:     []byte("test-key"),
+		HTTPClient:   http.DefaultClient,
+	})
 
 	rows := sqlmock.NewRows([]string{"id", "name", "auth_type", "auth_url", "client_id", "scopes", "params"}).
 		AddRow("b1b1b1b1-b1b1-b1b1-b1b1-b1b1b1b1b1b1", "Test API", "api_key", nil, nil, "{}", []byte("{}"))
@@ -141,7 +153,13 @@ func TestGetSpec_MixedOAuth2_Discovery(t *testing.T) {
 	defer ts.Close()
 
 	// Handler under test
-	handler := NewConsentHandler(sqlxDB, "http://localhost:8080", "/auth/callback", []byte("test-key"), ts.Client())
+	handler := NewConsentHandler(ConsentHandlerConfig{
+		DB:           sqlxDB,
+		BaseURL:      "http://localhost:8080",
+		RedirectPath: "/auth/callback",
+		StateKey:     []byte("test-key"),
+		HTTPClient:   ts.Client(),
+	})
 
 	// Define the configured (legacy) auth URL
 	configuredAuthURL := ts.URL + "/oauth/v2/authorize"
diff --git a/nexus-gateway/pkg/grpc/server_grpc.go b/nexus-gateway/pkg/grpc/server_grpc.go
@@ -31,19 +31,26 @@ func NewService(handler *usecase.Handler) *Service {
 	return &Service{usecaseHandler: handler}
 }
 
-func mapUsecaseError(err error, msg string) error {
-	switch {
-	case errors.Is(err, usecase.ErrProviderNotFound):
-		return status.Errorf(codes.NotFound, "%s: %v", msg, err)
-	case errors.Is(err, usecase.ErrInvalidState):
-		return status.Errorf(codes.InvalidArgument, "%s: %v", msg, err)
-	case errors.Is(err, usecase.ErrProviderAmbiguous):
-		return status.Errorf(codes.FailedPrecondition, "%s: %v", msg, err)
-	case errors.Is(err, usecase.ErrBrokerUnavailable):
-		return status.Errorf(codes.Unavailable, "%s: %v", msg, err)
-	default:
-		return status.Errorf(codes.Internal, "%s: %v", msg, err)
+func usecaseErrorInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+	resp, err := handler(ctx, req)
+	if err != nil {
+		switch {
+		case errors.Is(err, usecase.ErrProviderNotFound):
+			return nil, status.Errorf(codes.NotFound, "%v", err)
+		case errors.Is(err, usecase.ErrInvalidState):
+			return nil, status.Errorf(codes.InvalidArgument, "%v", err)
+		case errors.Is(err, usecase.ErrProviderAmbiguous):
+			return nil, status.Errorf(codes.FailedPrecondition, "%v", err)
+		case errors.Is(err, usecase.ErrBrokerUnavailable):
+			return nil, status.Errorf(codes.Unavailable, "%v", err)
+		default:
+			if _, ok := status.FromError(err); ok {
+				return nil, err
+			}
+			return nil, status.Errorf(codes.Internal, "%v", err)
+		}
 	}
+	return resp, nil
 }
 
 // RequestConnection implements NexusServiceServer.RequestConnection.
@@ -60,7 +67,7 @@ func (s *Service) RequestConnection(ctx context.Context, req *nexuspb.RequestCon
 		Action:       req.GetAction(),
 	})
 	if err != nil {
-		return nil, mapUsecaseError(err, "request connection failed")
+		return nil, err
 	}
 	return &nexuspb.RequestConnectionResponse{
 		AuthUrl:      out.AuthURL,
@@ -79,7 +86,7 @@ func (s *Service) CheckConnection(ctx context.Context, req *nexuspb.CheckConnect
 	}
 	statusStr, err := s.usecaseHandler.CheckConnectionCore(ctx, req.GetConnectionId())
 	if err != nil {
-		return nil, mapUsecaseError(err, "check connection failed")
+		return nil, err
 	}
 	return &nexuspb.CheckConnectionResponse{Status: statusStr}, nil
 }
@@ -92,7 +99,7 @@ func (s *Service) GetToken(ctx context.Context, req *nexuspb.GetTokenRequest) (*
 	data, code, err := s.usecaseHandler.GetTokenCore(ctx, req.GetConnectionId())
 	if err != nil {
 		_ = code // keep the HTTP status for potential mapping if needed later
-		return nil, mapUsecaseError(err, "get token failed")
+		return nil, err
 	}
 	st, err := structpb.NewStruct(data)
 	if err != nil {
@@ -109,7 +116,7 @@ func (s *Service) RefreshConnection(ctx context.Context, req *nexuspb.RefreshCon
 	data, code, err := s.usecaseHandler.RefreshConnectionCore(ctx, req.GetConnectionId())
 	if err != nil {
 		_ = code // unused
-		return nil, mapUsecaseError(err, "refresh connection failed")
+		return nil, err
 	}
 	st, err := structpb.NewStruct(data)
 	if err != nil {
@@ -144,7 +151,7 @@ func NewServer(opts Options) (*Server, error) {
 		opts.HTTPAddress = ":8090"
 	}
 	service := NewService(opts.Handler)
-	grpcSrv := grpc.NewServer()
+	grpcSrv := grpc.NewServer(grpc.UnaryInterceptor(usecaseErrorInterceptor))
 	nexuspb.RegisterNexusServiceServer(grpcSrv, service)
 	return &Server{
 		grpcAddress: opts.GRPCAddress,
diff --git a/nexus-sdk/client.go b/nexus-sdk/client.go
@@ -147,9 +147,9 @@ func (c *Client) GetToken(ctx context.Context, connectionID string) (*TokenRespo
     resp, err := c.do(ctx, http.MethodGet, c.GatewayBaseURL+"/v1/token/"+url.PathEscape(connectionID), nil, nil)
     if err != nil { return nil, err }
     defer resp.Body.Close()
-    var raw map[string]any
-    if err := json.NewDecoder(resp.Body).Decode(&raw); err != nil { return nil, err }
-    return parseTokenResponse(raw), nil
+    var out TokenResponse
+    if err := json.NewDecoder(resp.Body).Decode(&out); err != nil { return nil, err }
+    return &out, nil
 }
 
 // RefreshConnection calls the Gateway to force a token refresh.
@@ -158,24 +158,22 @@ func (c *Client) RefreshConnection(ctx context.Context, connectionID string) (*T
     resp, err := c.do(ctx, http.MethodPost, c.GatewayBaseURL+"/v1/refresh/"+url.PathEscape(connectionID), nil, nil)
     if err != nil { return nil, err }
     defer resp.Body.Close()
-    var raw map[string]any
-    if err := json.NewDecoder(resp.Body).Decode(&raw); err != nil { return nil, err }
-    return parseTokenResponse(raw), nil
+    var out TokenResponse
+    if err := json.NewDecoder(resp.Body).Decode(&out); err != nil { return nil, err }
+    return &out, nil
 }
 
-func parseTokenResponse(raw map[string]any) *TokenResponse {
-    tr := &TokenResponse{Raw: raw}
-    if v, ok := raw["access_token"].(string); ok { tr.AccessToken = v }
-    if v, ok := raw["token_type"].(string); ok { tr.TokenType = &v }
-    if v, ok := raw["expires_in"].(float64); ok { vv := int64(v); tr.ExpiresIn = &vv }
-    if v, ok := raw["expires_at"]; ok { tr.ExpiresAt = v }
-    if v, ok := raw["scope"].(string); ok { tr.Scope = &v }
-    if v, ok := raw["id_token"].(string); ok { tr.IDToken = &v }
-    if v, ok := raw["refresh_token"].(string); ok { tr.RefreshToken = &v }
-    if v, ok := raw["provider"].(string); ok { tr.Provider = &v }
-    if v, ok := raw["strategy"].(map[string]interface{}); ok { tr.Strategy = v }
-    if v, ok := raw["credentials"].(map[string]interface{}); ok { tr.Credentials = v }
-    return tr
+func (t *TokenResponse) UnmarshalJSON(data []byte) error {
+    type Alias TokenResponse
+    var aux Alias
+    if err := json.Unmarshal(data, &aux); err != nil {
+        return err
+    }
+    *t = TokenResponse(aux)
+    if err := json.Unmarshal(data, &t.Raw); err != nil {
+        return err
+    }
+    return nil
 }
 
 // RefreshViaBroker calls RefreshConnection (Gateway Proxy).
