Add X integration with OAuth 2.0 PKCE and 12 workflow nodes

Adds a complete X (formerly Twitter) integration:
- OAuth 2.0 provider with PKCE support (code verifier embedded in state)
- 12 workflow nodes: get/search/create/delete posts, get user, list
  followers/following/mentions/user posts, like, repost, follow
- Usage costs proportional to X API pricing (10/20/30 credits)
- Subscription-gated nodes bypass billing check in non-production envs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: bchapuis

apps/api/.dev.vars.example

@@ -54,6 +54,10 @@ INTEGRATION_REDDIT_CLIENT_SECRET=CHANGE_ME
 INTEGRATION_GITHUB_CLIENT_ID=CHANGE_ME
 INTEGRATION_GITHUB_CLIENT_SECRET=CHANGE_ME
 
+# X integration
+INTEGRATION_X_CLIENT_ID=CHANGE_ME
+INTEGRATION_X_CLIENT_SECRET=CHANGE_ME
+
 TWILIO_ACCOUNT_SID=CHANGE_ME
 TWILIO_AUTH_TOKEN=CHANGE_ME
 TWILIO_PHONE_NUMBER=CHANGE_ME

apps/api/src/context.ts

@@ -50,6 +50,8 @@ export interface Bindings {
   INTEGRATION_REDDIT_CLIENT_SECRET?: string;
   INTEGRATION_LINKEDIN_CLIENT_ID?: string;
   INTEGRATION_LINKEDIN_CLIENT_SECRET?: string;
+  INTEGRATION_X_CLIENT_ID?: string;
+  INTEGRATION_X_CLIENT_SECRET?: string;
   TWILIO_ACCOUNT_SID?: string;
   TWILIO_AUTH_TOKEN?: string;
   TWILIO_PHONE_NUMBER?: string;

apps/api/src/db/queries.ts

@@ -2154,11 +2154,18 @@ export async function getOrganizationBillingInfo(
 /**
  * Derive user plan from organization billing info.
  * Pro if has active subscription OR canceled but still in billing period.
+ * In non-production environments, always grants pro so all nodes are available during development.
  */
-export function resolveOrganizationPlan(billingInfo: {
-  subscriptionStatus: string | null;
-  currentPeriodEnd: Date | null;
-}): string {
+export function resolveOrganizationPlan(
+  billingInfo: {
+    subscriptionStatus: string | null;
+    currentPeriodEnd: Date | null;
+  },
+  cloudflareEnv?: string
+): string {
+  if (cloudflareEnv && cloudflareEnv !== "production") {
+    return "pro";
+  }
   const hasProAccess =
     billingInfo.subscriptionStatus === "active" ||
     (billingInfo.subscriptionStatus === "canceled" &&

apps/api/src/db/schema/index.ts

@@ -71,6 +71,7 @@ export const IntegrationProvider = {
   GITHUB: "github",
   REDDIT: "reddit",
   LINKEDIN: "linkedin",
+  X: "x",
 } as const;
 
 export type IntegrationProviderType =

apps/api/src/email.ts

@@ -179,7 +179,7 @@ async function triggerWorkflowForEmail({
     userId: "email_trigger",
     organizationId,
     computeCredits: billingInfo.computeCredits,
-    userPlan: resolveOrganizationPlan(billingInfo),
+    userPlan: resolveOrganizationPlan(billingInfo, env.CLOUDFLARE_ENV),
     workflow: {
       id: workflow.id,
       name: workflow.name,

apps/api/src/oauth/providers/XProvider.ts

@@ -0,0 +1,177 @@
+import type { Context } from "hono";
+import type { ApiContext } from "../../context";
+import { OAuthProvider } from "../OAuthProvider";
+import type { XToken, XUser } from "../types";
+
+/**
+ * Generate a random code verifier for PKCE (43-128 chars, URL-safe)
+ */
+function generateCodeVerifier(): string {
+  const array = new Uint8Array(32);
+  crypto.getRandomValues(array);
+  return base64UrlEncode(array);
+}
+
+/**
+ * Base64 URL encode (no padding, URL-safe chars)
+ */
+function base64UrlEncode(buffer: Uint8Array): string {
+  return btoa(String.fromCharCode(...buffer))
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=+$/, "");
+}
+
+/**
+ * Generate SHA-256 code challenge from verifier
+ */
+async function generateCodeChallenge(verifier: string): Promise<string> {
+  const data = new TextEncoder().encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  return base64UrlEncode(new Uint8Array(digest));
+}
+
+/**
+ * Delimiter used to embed code_verifier in the state parameter.
+ * X/Twitter passes state back unchanged in the callback, so the
+ * verifier survives the round-trip without needing external storage.
+ */
+const PKCE_DELIMITER = "~";
+
+export class XProvider extends OAuthProvider<XToken, XUser> {
+  readonly name = "x";
+  readonly displayName = "X";
+  readonly authorizationEndpoint = "https://x.com/i/oauth2/authorize";
+  readonly tokenEndpoint = "https://api.x.com/2/oauth2/token";
+  readonly userInfoEndpoint =
+    "https://api.x.com/2/users/me?user.fields=id,name,username,profile_image_url,description";
+  readonly scopes = [
+    "tweet.read",
+    "tweet.write",
+    "users.read",
+    "follows.read",
+    "follows.write",
+    "like.read",
+    "like.write",
+    "offline.access",
+  ];
+
+  // Token refresh configuration
+  readonly refreshEnabled = true;
+  readonly refreshEndpoint = "https://api.x.com/2/oauth2/token";
+
+  /**
+   * Override initiateAuth to inject PKCE parameters.
+   * Generates a code_verifier, computes the S256 challenge, and embeds
+   * the verifier in the state so it can be retrieved on callback.
+   */
+  async initiateAuth(c: Context<ApiContext>): Promise<string> {
+    // Get the base authorization URL (includes signed state)
+    const authUrl = await super.initiateAuth(c);
+    const url = new URL(authUrl);
+
+    // Generate PKCE pair
+    const codeVerifier = generateCodeVerifier();
+    const codeChallenge = await generateCodeChallenge(codeVerifier);
+
+    // Add PKCE parameters
+    url.searchParams.set("code_challenge", codeChallenge);
+    url.searchParams.set("code_challenge_method", "S256");
+
+    // Embed verifier in state (X returns state unchanged on callback)
+    const state = url.searchParams.get("state")!;
+    url.searchParams.set("state", `${state}${PKCE_DELIMITER}${codeVerifier}`);
+
+    return url.toString();
+  }
+
+  /**
+   * Override handleCallback to extract the PKCE code_verifier from state
+   * and include it in the token exchange.
+   */
+  async handleCallback(
+    c: Context<ApiContext>,
+    code: string,
+    stateParam: string
+  ): Promise<{ orgId: string }> {
+    // Split state to extract code_verifier
+    const delimiterIndex = stateParam.lastIndexOf(PKCE_DELIMITER);
+    if (delimiterIndex === -1) {
+      throw new Error("Missing PKCE code_verifier in state");
+    }
+    const actualState = stateParam.substring(0, delimiterIndex);
+    const codeVerifier = stateParam.substring(delimiterIndex + 1);
+
+    // Validate the original signed state
+    const { organizationId, orgId } = await this.validateState(c, actualState);
+
+    // Get credentials
+    const { clientId, clientSecret } = this.getClientCredentials(c.env);
+    const redirectUri = this.getRedirectUri(c.env);
+
+    // Exchange code for token with PKCE verifier
+    const response = await fetch(this.tokenEndpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        grant_type: "authorization_code",
+        code,
+        client_id: clientId,
+        client_secret: clientSecret,
+        redirect_uri: redirectUri,
+        code_verifier: codeVerifier,
+      }),
+    });
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      console.error("X token exchange failed:", errorText);
+      throw new Error(`Token exchange failed: ${errorText}`);
+    }
+
+    const token = (await response.json()) as XToken;
+
+    // Fetch user info
+    const user = await this.getUserInfo(token.access_token);
+
+    // Create integration
+    await this.createIntegration(organizationId, token, user, c.env);
+
+    return { orgId };
+  }
+
+  /**
+   * X API v2 wraps user info in a { data: ... } envelope
+   */
+  protected parseUserResponse(data: { data: XUser }): XUser {
+    return data.data;
+  }
+
+  protected formatIntegrationName(user: XUser): string {
+    return `@${user.username}`;
+  }
+
+  protected formatUserMetadata(user: XUser): Record<string, string> {
+    return {
+      userId: user.id,
+      username: user.username,
+      name: user.name,
+      ...(user.profile_image_url && {
+        profileImageUrl: user.profile_image_url,
+      }),
+      ...(user.description && { description: user.description }),
+    };
+  }
+
+  extractAccessToken(token: XToken): string {
+    return token.access_token;
+  }
+
+  extractRefreshToken(token: XToken): string | undefined {
+    return token.refresh_token;
+  }
+
+  extractExpiresAt(token: XToken): Date {
+    return new Date(Date.now() + token.expires_in * 1000);
+  }
+}

apps/api/src/oauth/registry.ts

@@ -5,6 +5,7 @@ import { GoogleCalendarProvider } from "./providers/GoogleCalendarProvider";
 import { GoogleMailProvider } from "./providers/GoogleMailProvider";
 import { LinkedInProvider } from "./providers/LinkedInProvider";
 import { RedditProvider } from "./providers/RedditProvider";
+import { XProvider } from "./providers/XProvider";
 
 // Instantiate all providers
 const providers = {
@@ -14,6 +15,7 @@ const providers = {
   linkedin: new LinkedInProvider(),
   reddit: new RedditProvider(),
   github: new GitHubProvider(),
+  x: new XProvider(),
 } as const;
 
 export type ProviderName = keyof typeof providers;

apps/api/src/oauth/types.ts

@@ -144,6 +144,28 @@ export interface RedditUser {
   icon_img?: string;
 }
 
+/**
+ * X OAuth token response
+ */
+export interface XToken {
+  access_token: string;
+  refresh_token?: string;
+  expires_in: number;
+  token_type: string;
+  scope: string;
+}
+
+/**
+ * X user information (from /2/users/me)
+ */
+export interface XUser {
+  id: string;
+  name: string;
+  username: string;
+  profile_image_url?: string;
+  description?: string;
+}
+
 /**
  * GitHub OAuth token response
  */

apps/api/src/queue.ts

@@ -42,7 +42,7 @@ async function executeWorkflow(
       userId: "queue_trigger",
       organizationId: workflowInfo.organizationId,
       computeCredits: billingInfo.computeCredits,
-      userPlan: resolveOrganizationPlan(billingInfo),
+      userPlan: resolveOrganizationPlan(billingInfo, env.CLOUDFLARE_ENV),
       workflow: {
         id: workflowInfo.id,
         name: workflowData.name,

apps/api/src/routes/discord-webhook.ts

@@ -299,7 +299,7 @@ async function executeWorkflow(
     userId: "discord_trigger",
     organizationId,
     computeCredits: billingInfo.computeCredits,
-    userPlan: resolveOrganizationPlan(billingInfo),
+    userPlan: resolveOrganizationPlan(billingInfo, env.CLOUDFLARE_ENV),
     workflow: {
       id: workflow.id,
       name: workflow.name,