Refactor OAuth implementation: consolidate token refresh logic into a unified OAuthProvider class, implement provider-specific classes for Google, Discord, LinkedIn, Reddit, and GitHub, and add comprehensive tests for provider registry and token refresh functionality.

Author: bchapuis

apps/api/src/oauth/OAuthProvider.ts

@@ -0,0 +1,25 @@
+// Registry functions
+export type { ProviderName } from "./registry";
+export { getAllProviders, getProvider, isValidProvider } from "./registry";
+
+// Base class
+export { OAuthProvider } from "./OAuthProvider";
+
+// Types
+export type {
+  DiscordToken,
+  DiscordUser,
+  GitHubToken,
+  GitHubUser,
+  GoogleToken,
+  GoogleUser,
+  LinkedInToken,
+  LinkedInUser,
+  OAuthState,
+  RedditToken,
+  RedditUser,
+  ValidatedState,
+} from "./types";
+
+// Errors
+export { OAuthError } from "./types";

apps/api/src/oauth/index.ts

@@ -0,0 +1,122 @@
+import { describe, expect, it } from "vitest";
+
+import {
+  getAllProviders,
+  getProvider,
+  isValidProvider,
+  OAuthError,
+} from "./index";
+
+describe("OAuth Module", () => {
+  describe("Provider Registry", () => {
+    it("should return provider for valid provider names", () => {
+      expect(getProvider("google-mail")).toBeDefined();
+      expect(getProvider("google-calendar")).toBeDefined();
+      expect(getProvider("discord")).toBeDefined();
+      expect(getProvider("linkedin")).toBeDefined();
+      expect(getProvider("reddit")).toBeDefined();
+      expect(getProvider("github")).toBeDefined();
+    });
+
+    it("should throw error for unknown provider", () => {
+      expect(() => getProvider("unknown")).toThrow("Unknown OAuth provider");
+    });
+
+    it("should validate provider names", () => {
+      expect(isValidProvider("google-mail")).toBe(true);
+      expect(isValidProvider("discord")).toBe(true);
+      expect(isValidProvider("unknown")).toBe(false);
+    });
+
+    it("should return all providers", () => {
+      const providers = getAllProviders();
+      expect(providers).toHaveLength(6);
+    });
+  });
+
+  describe("Provider Configuration", () => {
+    it("should have correct refresh configuration for Google providers", () => {
+      const googleMail = getProvider("google-mail");
+      const googleCalendar = getProvider("google-calendar");
+
+      expect(googleMail.refreshEnabled).toBe(true);
+      expect(googleCalendar.refreshEnabled).toBe(true);
+    });
+
+    it("should have correct refresh configuration for Discord", () => {
+      const discord = getProvider("discord");
+      expect(discord.refreshEnabled).toBe(true);
+    });
+
+    it("should have correct refresh configuration for LinkedIn", () => {
+      const linkedin = getProvider("linkedin");
+      expect(linkedin.refreshEnabled).toBe(true);
+    });
+
+    it("should have correct refresh configuration for Reddit", () => {
+      const reddit = getProvider("reddit");
+      expect(reddit.refreshEnabled).toBe(true);
+    });
+
+    it("should have correct refresh configuration for GitHub", () => {
+      const github = getProvider("github");
+      expect(github.refreshEnabled).toBe(false);
+    });
+  });
+
+  describe("Token Refresh Logic", () => {
+    it("should determine when token needs refresh", () => {
+      const provider = getProvider("google-mail");
+
+      // No expiration date - no refresh needed
+      expect(provider.needsRefresh(undefined)).toBe(false);
+
+      // Token expires in 3 minutes (within 5 minute buffer) - needs refresh
+      const soonExpiry = new Date(Date.now() + 3 * 60 * 1000);
+      expect(provider.needsRefresh(soonExpiry)).toBe(true);
+
+      // Token expires in 10 minutes (beyond 5 minute buffer) - no refresh
+      const laterExpiry = new Date(Date.now() + 10 * 60 * 1000);
+      expect(provider.needsRefresh(laterExpiry)).toBe(false);
+
+      // Token already expired - needs refresh
+      const pastExpiry = new Date(Date.now() - 1 * 60 * 1000);
+      expect(provider.needsRefresh(pastExpiry)).toBe(true);
+    });
+
+    it("should respect custom buffer period", () => {
+      const provider = getProvider("google-mail");
+
+      // Token expires in 8 minutes
+      const expiresAt = new Date(Date.now() + 8 * 60 * 1000);
+
+      // With default 5 minute buffer - no refresh
+      expect(provider.needsRefresh(expiresAt)).toBe(false);
+
+      // With 10 minute buffer - needs refresh
+      expect(provider.needsRefresh(expiresAt, 10)).toBe(true);
+    });
+
+    it("should throw error when refreshing GitHub tokens", async () => {
+      const github = getProvider("github");
+
+      await expect(
+        github.refreshToken("test-token", "client-id", "client-secret")
+      ).rejects.toThrow("doesn't support token refresh");
+    });
+  });
+
+  describe("OAuthError", () => {
+    it("should create error with redirect error code", () => {
+      const error = new OAuthError("oauth_failed", "Authentication failed");
+      expect(error.message).toBe("Authentication failed");
+      expect(error.redirectError).toBe("oauth_failed");
+      expect(error.name).toBe("OAuthError");
+    });
+
+    it("should be instance of Error", () => {
+      const error = new OAuthError("oauth_failed", "Authentication failed");
+      expect(error instanceof Error).toBe(true);
+    });
+  });
+});

apps/api/src/oauth/oauth.test.ts

@@ -0,0 +1,42 @@
+import { OAuthProvider } from "../OAuthProvider";
+import type { DiscordToken, DiscordUser } from "../types";
+
+export class DiscordProvider extends OAuthProvider<DiscordToken, DiscordUser> {
+  readonly name = "discord";
+  readonly displayName = "Discord";
+  readonly authorizationEndpoint = "https://discord.com/oauth2/authorize";
+  readonly tokenEndpoint = "https://discord.com/api/oauth2/token";
+  readonly userInfoEndpoint = "https://discord.com/api/users/@me";
+  readonly scopes = ["identify", "email", "guilds"];
+
+  // Token refresh configuration
+  readonly refreshEnabled = true;
+  readonly refreshEndpoint = "https://discord.com/api/oauth2/token";
+
+  // Required implementations
+  protected formatIntegrationName(user: DiscordUser): string {
+    return `Discord - ${user.username || user.global_name || "User"}`;
+  }
+
+  protected formatUserMetadata(user: DiscordUser): Record<string, any> {
+    return {
+      username: user.username,
+      globalName: user.global_name,
+      discriminator: user.discriminator,
+      avatar: user.avatar,
+      userId: user.id,
+    };
+  }
+
+  protected extractAccessToken(token: DiscordToken): string {
+    return token.access_token;
+  }
+
+  protected extractRefreshToken(token: DiscordToken): string {
+    return token.refresh_token;
+  }
+
+  protected extractExpiresAt(token: DiscordToken): Date {
+    return new Date(Date.now() + token.expires_in * 1000);
+  }
+}

apps/api/src/oauth/providers/DiscordProvider.ts

@@ -0,0 +1,73 @@
+import { OAuthProvider } from "../OAuthProvider";
+import type { GitHubToken, GitHubUser } from "../types";
+
+export class GitHubProvider extends OAuthProvider<GitHubToken, GitHubUser> {
+  readonly name = "github";
+  readonly displayName = "GitHub";
+  readonly authorizationEndpoint = "https://github.com/login/oauth/authorize";
+  readonly tokenEndpoint = "https://github.com/login/oauth/access_token";
+  readonly userInfoEndpoint = "https://api.github.com/user";
+  readonly scopes = ["user", "repo", "read:org"];
+
+  // GitHub tokens don't expire, no refresh needed
+  readonly refreshEnabled = false;
+
+  // GitHub expects JSON response type header
+  protected getTokenHeaders(): Record<string, string> {
+    return {
+      Accept: "application/json",
+      "Content-Type": "application/json",
+    };
+  }
+
+  // GitHub uses JSON body instead of URLSearchParams
+  protected buildTokenRequestBody(
+    code: string,
+    clientId: string,
+    clientSecret: string,
+    redirectUri: string
+  ): any {
+    return JSON.stringify({
+      client_id: clientId,
+      client_secret: clientSecret,
+      code,
+      redirect_uri: redirectUri,
+    });
+  }
+
+  // GitHub user info needs special headers
+  protected getUserInfoHeaders(accessToken: string): Record<string, string> {
+    return {
+      Authorization: `Bearer ${accessToken}`,
+      Accept: "application/vnd.github.v3+json",
+      "User-Agent": "Dafthunk/1.0",
+    };
+  }
+
+  // Required implementations
+  protected formatIntegrationName(user: GitHubUser): string {
+    return `GitHub - ${user.login || user.name}`;
+  }
+
+  protected formatUserMetadata(user: GitHubUser): Record<string, any> {
+    return {
+      userId: user.id,
+      login: user.login,
+      name: user.name,
+      email: user.email,
+      avatarUrl: user.avatar_url,
+    };
+  }
+
+  protected extractAccessToken(token: GitHubToken): string {
+    return token.access_token;
+  }
+
+  protected extractRefreshToken(_token: GitHubToken): undefined {
+    return undefined; // GitHub tokens don't have refresh tokens
+  }
+
+  protected extractExpiresAt(_token: GitHubToken): undefined {
+    return undefined; // GitHub tokens don't expire
+  }
+}

apps/api/src/oauth/providers/GitHubProvider.ts

@@ -0,0 +1,55 @@
+import { OAuthProvider } from "../OAuthProvider";
+import type { GoogleToken, GoogleUser } from "../types";
+
+export class GoogleCalendarProvider extends OAuthProvider<
+  GoogleToken,
+  GoogleUser
+> {
+  readonly name = "google-calendar";
+  readonly displayName = "Google Calendar";
+  readonly authorizationEndpoint =
+    "https://accounts.google.com/o/oauth2/v2/auth";
+  readonly tokenEndpoint = "https://oauth2.googleapis.com/token";
+  readonly userInfoEndpoint = "https://www.googleapis.com/oauth2/v2/userinfo";
+  readonly scopes = [
+    "openid",
+    "email",
+    "profile",
+    "https://www.googleapis.com/auth/calendar",
+  ];
+
+  // Token refresh configuration
+  readonly refreshEnabled = true;
+  readonly refreshEndpoint = "https://oauth2.googleapis.com/token";
+
+  // Google-specific authorization parameters
+  protected customizeAuthUrl(url: URL): void {
+    url.searchParams.set("access_type", "offline");
+    url.searchParams.set("prompt", "consent");
+  }
+
+  // Required implementations
+  protected formatIntegrationName(user: GoogleUser): string {
+    return `Google Calendar - ${user.email || user.name}`;
+  }
+
+  protected formatUserMetadata(user: GoogleUser): Record<string, any> {
+    return {
+      email: user.email,
+      name: user.name,
+      picture: user.picture,
+    };
+  }
+
+  protected extractAccessToken(token: GoogleToken): string {
+    return token.access_token;
+  }
+
+  protected extractRefreshToken(token: GoogleToken): string | undefined {
+    return token.refresh_token;
+  }
+
+  protected extractExpiresAt(token: GoogleToken): Date {
+    return new Date(Date.now() + token.expires_in * 1000);
+  }
+}

apps/api/src/oauth/providers/GoogleCalendarProvider.ts

@@ -0,0 +1,52 @@
+import { OAuthProvider } from "../OAuthProvider";
+import type { GoogleToken, GoogleUser } from "../types";
+
+export class GoogleMailProvider extends OAuthProvider<GoogleToken, GoogleUser> {
+  readonly name = "google-mail";
+  readonly displayName = "Google Mail";
+  readonly authorizationEndpoint =
+    "https://accounts.google.com/o/oauth2/v2/auth";
+  readonly tokenEndpoint = "https://oauth2.googleapis.com/token";
+  readonly userInfoEndpoint = "https://www.googleapis.com/oauth2/v2/userinfo";
+  readonly scopes = [
+    "openid",
+    "email",
+    "profile",
+    "https://www.googleapis.com/auth/gmail.modify",
+  ];
+
+  // Token refresh configuration
+  readonly refreshEnabled = true;
+  readonly refreshEndpoint = "https://oauth2.googleapis.com/token";
+
+  // Google-specific authorization parameters
+  protected customizeAuthUrl(url: URL): void {
+    url.searchParams.set("access_type", "offline");
+    url.searchParams.set("prompt", "consent");
+  }
+
+  // Required implementations
+  protected formatIntegrationName(user: GoogleUser): string {
+    return `Google Mail - ${user.email || user.name}`;
+  }
+
+  protected formatUserMetadata(user: GoogleUser): Record<string, any> {
+    return {
+      email: user.email,
+      name: user.name,
+      picture: user.picture,
+    };
+  }
+
+  protected extractAccessToken(token: GoogleToken): string {
+    return token.access_token;
+  }
+
+  protected extractRefreshToken(token: GoogleToken): string | undefined {
+    return token.refresh_token;
+  }
+
+  protected extractExpiresAt(token: GoogleToken): Date {
+    return new Date(Date.now() + token.expires_in * 1000);
+  }
+}