Recover expired Google connect callbacks (#1834)

* fix(web): recover expired google connect callbacks

* test(web): cover google callback session recovery

* refactor(web): name google auth api error shape

Author: Uarmagan

CONTEXT.md

@@ -45,7 +45,7 @@ An authenticated user with usable Google credentials stored by the backend.
 
 **Google authorization**:
 The Google approval step that lets Compass sign a user in with Google or connect
-Google Calendar to an existing Compass session.
+Google Calendar to an active existing Compass session.
 _Avoid_: Google login mode
 
 **Google authorization intent**:
@@ -256,6 +256,10 @@ during Import or Public watch notification handling.
   event changes to Google.
 - A **Google authorization** must preserve its **Google authorization intent**
   instead of inferring the user's goal from the later session state.
+- A Google Calendar connect/reconnect **Google authorization intent** requires
+  an active **Authenticated user** session. If that session is missing or
+  expired at callback time, Compass should recover through Google sign-in
+  instead of calling the authenticated Google connect endpoint.
 - **Public watch notifications** are separate from browser API and **SSE**
   traffic; browser traffic can be local, but Google webhook posts need public
   HTTPS when continuous sync is expected.

bun.lock

@@ -40,6 +40,23 @@ const getCallbackUrl = (state: string, scope = REQUIRED_SCOPES.join(" ")) =>
     state,
   )}&code=auth-code&scope=${encodeURIComponent(scope)}`;
 
+const expectGoogleAuthRequestBody = (
+  request: CapturedAuthRequest | undefined,
+  state: string,
+) => {
+  expect(request?.body).toMatchObject({
+    thirdPartyId: "google",
+    clientType: "web",
+    redirectURIInfo: {
+      redirectURIOnProviderDashboard: expect.stringContaining(CALLBACK_PATH),
+      redirectURIQueryParams: {
+        code: "auth-code",
+        state,
+      },
+    },
+  });
+};
+
 const writeGoogleAuthorizationIntent = async ({
   intent,
   page,
@@ -67,6 +84,34 @@ const writeGoogleAuthorizationIntent = async ({
   );
 };
 
+const setActiveCompassSession = async (page: Page) => {
+  const now = Date.now();
+  const pageOrigin = new URL(page.url()).origin;
+  const expires = Math.floor(now / 1000) + 60 * 60;
+  const frontToken = Buffer.from(
+    JSON.stringify({
+      ate: now + 60 * 60 * 1000,
+      uid: "test-user-id",
+      up: {},
+    }),
+  ).toString("base64");
+
+  await page.context().addCookies([
+    {
+      expires,
+      name: "st-last-access-token-update",
+      url: pageOrigin,
+      value: now.toString(),
+    },
+    {
+      expires,
+      name: "sFrontToken",
+      url: pageOrigin,
+      value: frontToken,
+    },
+  ]);
+};
+
 const prepareGoogleAuthCallbackPage = async (
   page: Page,
   options: ApiMockOptions = {},
@@ -186,17 +231,7 @@ test.describe("Google auth callback", () => {
     expect(apiMocks.loginOrSignup).toHaveLength(1);
     expect(apiMocks.connectGoogle).toHaveLength(0);
     expect(apiMocks.loginOrSignup[0]?.headers.rid).toBe("thirdparty");
-    expect(apiMocks.loginOrSignup[0]?.body).toMatchObject({
-      thirdPartyId: "google",
-      clientType: "web",
-      redirectURIInfo: {
-        redirectURIOnProviderDashboard: expect.stringContaining(CALLBACK_PATH),
-        redirectURIQueryParams: {
-          code: "auth-code",
-          state,
-        },
-      },
-    });
+    expectGoogleAuthRequestBody(apiMocks.loginOrSignup[0], state);
     expect(
       await page.evaluate(
         (key) => sessionStorage.getItem(key),
@@ -205,7 +240,9 @@ test.describe("Google auth callback", () => {
     ).toBeNull();
   });
 
-  test("finishes a saved Google Calendar connect intent", async ({ page }) => {
+  test("finishes a saved Google Calendar connect intent when the Compass session is active", async ({
+    page,
+  }) => {
     const state = "connect-calendar-state";
     const apiMocks = await prepareGoogleAuthCallbackPage(page);
 
@@ -215,23 +252,36 @@ test.describe("Google auth callback", () => {
       returnPath: "/week",
       state,
     });
+    await setActiveCompassSession(page);
 
     await page.goto(getCallbackUrl(state));
 
     await expect(page).toHaveURL(/\/week$/);
     expect(apiMocks.loginOrSignup).toHaveLength(0);
     expect(apiMocks.connectGoogle).toHaveLength(1);
-    expect(apiMocks.connectGoogle[0]?.body).toMatchObject({
-      thirdPartyId: "google",
-      clientType: "web",
-      redirectURIInfo: {
-        redirectURIOnProviderDashboard: expect.stringContaining(CALLBACK_PATH),
-        redirectURIQueryParams: {
-          code: "auth-code",
-          state,
-        },
-      },
+    expectGoogleAuthRequestBody(apiMocks.connectGoogle[0], state);
+  });
+
+  test("recovers a saved Google Calendar connect intent through Google sign-in when the Compass session is missing", async ({
+    page,
+  }) => {
+    const state = "connect-calendar-session-missing-state";
+    const apiMocks = await prepareGoogleAuthCallbackPage(page);
+
+    await writeGoogleAuthorizationIntent({
+      intent: "connectCalendar",
+      page,
+      returnPath: "/week",
+      state,
     });
+
+    await page.goto(getCallbackUrl(state));
+
+    await expect(page).toHaveURL(/\/week$/);
+    expect(apiMocks.connectGoogle).toHaveLength(0);
+    expect(apiMocks.loginOrSignup).toHaveLength(1);
+    expect(apiMocks.loginOrSignup[0]?.headers.rid).toBe("thirdparty");
+    expectGoogleAuthRequestBody(apiMocks.loginOrSignup[0], state);
   });
 
   test("rejects callbacks that are missing required Google Calendar scopes", async ({

e2e/oauth/google-auth-callback.spec.ts

@@ -13,7 +13,6 @@
     "helmet": "^7.0.0",
     "lodash.mergewith": "^4.6.2",
     "mongodb": "^7.2.0",
-    "morgan": "^1.10.0",
     "rrule": "^2.7.2",
     "saslprep": "^1.0.3",
     "supertokens-node": "^23.0.1",
@@ -26,7 +25,6 @@
     "@types/express": "^4.17.13",
     "@types/jest": "^29.0.0",
     "@types/lodash.mergewith": "^4.6.9",
-    "@types/morgan": "^1.9.4",
     "@types/node": "^22.13.10",
     "@types/supertest": "^6.0.3",
     "jest-environment-node": "^29.7.0",

packages/backend/package.json

@@ -0,0 +1,36 @@
+import { type Request, type Response } from "express";
+import { EventEmitter } from "node:events";
+
+const { httpLoggingMiddleware } = jest.requireActual<
+  typeof import("@backend/common/middleware/http.logger.middleware")
+>("@backend/common/middleware/http.logger.middleware");
+
+describe("httpLoggingMiddleware", () => {
+  it("logs completed requests without reading the request IP address", () => {
+    const req = {
+      method: "GET",
+      originalUrl: "/api/health",
+      get ip() {
+        throw new Error("request IP should not be read");
+      },
+    } as unknown as Request;
+    const res = Object.assign(new EventEmitter(), {
+      statusCode: 200,
+    }) as unknown as Response;
+    const next = jest.fn();
+    const logSpy = jest.spyOn(console, "log").mockImplementation(() => {});
+
+    try {
+      httpLoggingMiddleware(req, res, next);
+      res.emit("finish");
+
+      expect(next).toHaveBeenCalledTimes(1);
+      expect(logSpy).toHaveBeenCalledWith(expect.stringContaining("GET"));
+      expect(logSpy).toHaveBeenCalledWith(
+        expect.stringContaining("/api/health"),
+      );
+    } finally {
+      logSpy.mockRestore();
+    }
+  });
+});

packages/backend/src/common/middleware/http.logger.middleware.test.ts

@@ -1,29 +1,8 @@
-import morgan from "morgan";
-import { type IncomingMessage, type ServerResponse } from "node:http";
+import { type RequestHandler } from "express";
 import { styleText } from "node:util";
 
 type HttpLogColor = "cyanBright" | "yellow" | "red" | "magentaBright";
 
-const get = (
-  key: string,
-  tokens: morgan.TokenIndexer<IncomingMessage, ServerResponse<IncomingMessage>>,
-  req?: IncomingMessage,
-  res?: ServerResponse<IncomingMessage>,
-): string => {
-  const token = tokens[key];
-  if (token === undefined) {
-    return "unknown";
-  }
-  if (req && res) {
-    if (typeof token === "function") {
-      const val = token(req, res);
-      return val === undefined ? "unknown" : String(val);
-    }
-    return String(token);
-  }
-  return "unknown";
-};
-
 const getStatusColor = (status: string): HttpLogColor => {
   switch (status[0]) {
     case "1":
@@ -43,18 +22,26 @@ const getStatusColor = (status: string): HttpLogColor => {
   }
 };
 
-export const httpLoggingMiddleware = morgan((tokens, req, res) => {
-  const responseTime =
-    get("response-time", tokens, req, res)?.toString() || "unknown";
+export const httpLoggingMiddleware: RequestHandler = (req, res, next) => {
+  const startTime = process.hrtime.bigint();
+
+  res.once("finish", () => {
+    const elapsedMs = Number(process.hrtime.bigint() - startTime) / 1_000_000;
+    const status = String(res.statusCode);
+    const statusColor = getStatusColor(status);
+    const method = req.method || "unknown";
+    const url = req.originalUrl || req.url || "unknown";
 
-  const status = get("status", tokens, req, res);
-  const statusColor = getStatusColor(status);
+    console.log(
+      [
+        styleText(["bold", statusColor], status),
+        styleText(["bold", "whiteBright"], method),
+        styleText(["bold", "cyanBright"], url),
+        styleText(["bold", "blueBright"], `${elapsedMs.toFixed(3)}ms`),
+        styleText(["bold", "magentaBright"], new Date().toUTCString()),
+      ].join(" "),
+    );
+  });
 
-  return [
-    styleText(["bold", statusColor], status),
-    styleText(["bold", "whiteBright"], get("method", tokens, req, res)),
-    styleText(["bold", "cyanBright"], get("url", tokens, req, res)),
-    styleText(["bold", "blueBright"], `${responseTime}ms`),
-    styleText(["bold", "magentaBright"], get("date", tokens, req, res)),
-  ].join(" ");
-});
+  next();
+};