feat(oauth): integrate DB settings for state cookie and error redirect

- Add oauthStateMaxAge, oauthRequireVerifiedEmail, oauthErrorRedirectPath to AuthSettings
- Update authSettingsLoader to SELECT OAuth fields from app_settings_auth
- Replace hardcoded DEFAULT_OAUTH_STATE_MAX_AGE with authSettings.oauthStateMaxAge
- Replace hardcoded DEFAULT_ERROR_REDIRECT_PATH with authSettings.oauthErrorRedirectPath
- Use authSettings.oauthRequireVerifiedEmail to control signup email verification
- Apply authSettings cookie config (httpOnly, secure, sameSite) to OAuth state cookie

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: theothersideofgod

graphql/server/src/middleware/oauth.ts

@@ -46,6 +46,36 @@ const OAUTH_STATE_COOKIE = 'oauth_state';
 const DEFAULT_OAUTH_STATE_MAX_AGE = 10 * 60 * 1000; // 10 minutes
 const DEFAULT_ERROR_REDIRECT_PATH = '/auth/error';
 
+/**
+ * Parse PostgreSQL interval string to milliseconds.
+ * Supports: '10 minutes', '1 hour', '00:10:00' (HH:MM:SS), etc.
+ */
+function parseIntervalToMs(interval: string | null | undefined): number {
+  if (!interval) return DEFAULT_OAUTH_STATE_MAX_AGE;
+
+  // Handle HH:MM:SS format (PostgreSQL default interval output)
+  const hhmmss = interval.match(/^(\d+):(\d+):(\d+)$/);
+  if (hhmmss) {
+    const hours = parseInt(hhmmss[1], 10);
+    const minutes = parseInt(hhmmss[2], 10);
+    const seconds = parseInt(hhmmss[3], 10);
+    return (hours * 3600 + minutes * 60 + seconds) * 1000;
+  }
+
+  // Handle "N unit" format (e.g., "10 minutes")
+  const match = interval.match(/^(\d+)\s*(second|minute|hour|day)s?$/i);
+  if (!match) return DEFAULT_OAUTH_STATE_MAX_AGE;
+  const value = parseInt(match[1], 10);
+  const unit = match[2].toLowerCase();
+  const multipliers: Record<string, number> = {
+    second: 1000,
+    minute: 60 * 1000,
+    hour: 60 * 60 * 1000,
+    day: 24 * 60 * 60 * 1000,
+  };
+  return value * (multipliers[unit] || 60 * 1000);
+}
+
 // =============================================================================
 // Signed State Utilities
 // =============================================================================
@@ -376,28 +406,32 @@ export function createOAuthRoutes(_opts: ConstructiveOptions): Router {
       }
 
       const providerConfig = await getIdentityProvider(ctx, modules, provider);
+      const { authSettings } = modules;
+      const errorRedirectPath =
+        authSettings?.oauthErrorRedirectPath || DEFAULT_ERROR_REDIRECT_PATH;
+
       if (!providerConfig) {
         log.warn(`[oauth] Provider ${provider} not found or not configured`);
         return redirectToError(
           res,
           baseUrl,
-          DEFAULT_ERROR_REDIRECT_PATH,
+          errorRedirectPath,
           'PROVIDER_NOT_CONFIGURED',
           provider,
         );
       }
 
-      const stateMaxAge = DEFAULT_OAUTH_STATE_MAX_AGE;
+      const stateMaxAge = parseIntervalToMs(authSettings?.oauthStateMaxAge);
       const state = createSignedState(
         { redirect_uri: redirectUri, provider },
         stateMaxAge,
       );
 
       res.cookie(OAUTH_STATE_COOKIE, state, {
-        httpOnly: true,
-        secure: isProduction,
+        httpOnly: authSettings?.cookieHttponly ?? true,
+        secure: authSettings?.cookieSecure ?? isProduction,
         maxAge: stateMaxAge,
-        sameSite: 'lax',
+        sameSite: (authSettings?.cookieSamesite as 'lax' | 'strict' | 'none') ?? 'lax',
       });
 
       const client = createOAuthClientForProvider(providerConfig, baseUrl);
@@ -485,8 +519,9 @@ export function createOAuthRoutes(_opts: ConstructiveOptions): Router {
         );
       }
 
+      let modules: OAuthModules | null = null;
       try {
-        const modules = await resolveOAuthModules(ctx);
+        modules = await resolveOAuthModules(ctx);
         if (!modules) {
           log.error(
             `[oauth] Required modules not provisioned for ${provider}`,
@@ -500,6 +535,12 @@ export function createOAuthRoutes(_opts: ConstructiveOptions): Router {
           );
         }
 
+        const { authSettings } = modules;
+        const errorRedirectPath =
+          authSettings?.oauthErrorRedirectPath || DEFAULT_ERROR_REDIRECT_PATH;
+        const requireVerifiedEmail =
+          authSettings?.oauthRequireVerifiedEmail ?? true;
+
         const providerConfig = await getIdentityProvider(
           ctx,
           modules,
@@ -510,7 +551,7 @@ export function createOAuthRoutes(_opts: ConstructiveOptions): Router {
           return redirectToError(
             res,
             baseUrl,
-            DEFAULT_ERROR_REDIRECT_PATH,
+            errorRedirectPath,
             'PROVIDER_NOT_CONFIGURED',
             provider,
           );
@@ -591,7 +632,7 @@ export function createOAuthRoutes(_opts: ConstructiveOptions): Router {
                 `[oauth] Account not found for ${profile.email}, attempting signup`,
               );
 
-              if (!emailVerified) {
+              if (requireVerifiedEmail && !emailVerified) {
                 log.warn(
                   `[oauth] Rejecting unverified email for signup: ${profile.email}`,
                 );
@@ -623,7 +664,7 @@ export function createOAuthRoutes(_opts: ConstructiveOptions): Router {
           return redirectToError(
             res,
             baseUrl,
-            DEFAULT_ERROR_REDIRECT_PATH,
+            errorRedirectPath,
             'EMAIL_NOT_VERIFIED',
             provider,
           );
@@ -677,13 +718,10 @@ export function createOAuthRoutes(_opts: ConstructiveOptions): Router {
         }
       } catch (error: any) {
         log.error(`[oauth] Callback failed for ${provider}:`, error);
-        redirectToError(
-          res,
-          baseUrl,
-          DEFAULT_ERROR_REDIRECT_PATH,
-          'CALLBACK_FAILED',
-          provider,
-        );
+        const fallbackPath =
+          modules?.authSettings?.oauthErrorRedirectPath ||
+          DEFAULT_ERROR_REDIRECT_PATH;
+        redirectToError(res, baseUrl, fallbackPath, 'CALLBACK_FAILED', provider);
       }
     },
   );

packages/express-context/src/loaders/auth-settings.ts

@@ -33,7 +33,10 @@ const buildAuthSettingsQuery = (schemaName: string, tableName: string) => `
     cookie_path,
     remember_me_duration,
     enable_captcha,
-    captcha_site_key
+    captcha_site_key,
+    oauth_state_max_age,
+    oauth_require_verified_email,
+    oauth_error_redirect_path
   FROM "${schemaName}"."${tableName}"
   LIMIT 1
 `;
@@ -50,6 +53,9 @@ interface AuthSettingsRow {
   remember_me_duration: string | null;
   enable_captcha: boolean;
   captcha_site_key: string | null;
+  oauth_state_max_age: string | null;
+  oauth_require_verified_email: boolean;
+  oauth_error_redirect_path: string | null;
 }
 
 // ─── Loader ─────────────────────────────────────────────────────────────────
@@ -84,6 +90,9 @@ export const authSettingsLoader: ModuleLoader<AuthSettings> = createModuleLoader
       rememberMeDuration: row.remember_me_duration,
       enableCaptcha: row.enable_captcha,
       captchaSiteKey: row.captcha_site_key,
+      oauthStateMaxAge: row.oauth_state_max_age,
+      oauthRequireVerifiedEmail: row.oauth_require_verified_email,
+      oauthErrorRedirectPath: row.oauth_error_redirect_path,
     };
   },
 });

packages/express-context/src/types.ts

@@ -95,6 +95,9 @@ export interface AuthSettings {
   rememberMeDuration?: string | null;
   enableCaptcha?: boolean;
   captchaSiteKey?: string | null;
+  oauthStateMaxAge?: string | null;
+  oauthRequireVerifiedEmail?: boolean;
+  oauthErrorRedirectPath?: string | null;
 }
 
 export interface ApiStructure {