More connected accounts (#1165)

Author: N2D4

.cursor/commands/pr-comments-review.md

@@ -1 +1 @@
-Please review the PR comments with `gh pr status` and fix & resolve those issues that are valid and relevant. Leave those comments that are mostly bullshit unresolved. Report the result to me in detail. Do NOT automatically commit or stage the changes back to the PR!
+Please review the PR comments with the `gh` CLI and fix those issues that are valid and relevant. Resolve the comments when you fix them. Also resolve all those comments that no longer exist or have already been resolved. Leave those comments that are mostly bullshit unresolved. Report the result to me in detail. Do NOT automatically commit or stage the changes back to the PR!

apps/backend/src/app/api/latest/connected-accounts/[user_id]/[provider_id]/[provider_account_id]/access-token/crud.tsx

@@ -0,0 +1,77 @@
+import { usersCrudHandlers } from "@/app/api/latest/users/crud";
+import { getProvider } from "@/oauth";
+import { getPrismaClientForTenancy } from "@/prisma-client";
+import { createCrudHandlers } from "@/route-handlers/crud-handler";
+import { KnownErrors } from "@stackframe/stack-shared";
+import { connectedAccountAccessTokenCrud } from "@stackframe/stack-shared/dist/interface/crud/connected-accounts";
+import { userIdOrMeSchema, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
+import { getEnvVariable, getNodeEnvironment } from "@stackframe/stack-shared/dist/utils/env";
+import { StatusError } from "@stackframe/stack-shared/dist/utils/errors";
+import { createLazyProxy } from "@stackframe/stack-shared/dist/utils/proxies";
+import { retrieveOrRefreshAccessToken } from "../../../../access-token-helpers";
+
+
+export const connectedAccountAccessTokenByAccountCrudHandlers = createLazyProxy(() => createCrudHandlers(connectedAccountAccessTokenCrud, {
+  paramsSchema: yupObject({
+    provider_id: yupString().defined(),
+    provider_account_id: yupString().defined(),
+    user_id: userIdOrMeSchema.defined(),
+  }),
+  async onCreate({ auth, data, params }) {
+    if (auth.type === 'client' && auth.user?.id !== params.user_id) {
+      throw new StatusError(StatusError.Forbidden, "Client can only access its own connected accounts");
+    }
+
+    const providerRaw = Object.entries(auth.tenancy.config.auth.oauth.providers).find(([providerId, _]) => providerId === params.provider_id);
+    if (!providerRaw) {
+      throw new KnownErrors.OAuthProviderNotFoundOrNotEnabled();
+    }
+
+    const provider = { id: providerRaw[0], ...providerRaw[1] };
+
+    if (provider.isShared && !getNodeEnvironment().includes('prod') && getEnvVariable('STACK_ALLOW_SHARED_OAUTH_ACCESS_TOKENS', '') !== 'true') {
+      throw new KnownErrors.OAuthAccessTokenNotAvailableWithSharedOAuthKeys();
+    }
+
+    const user = await usersCrudHandlers.adminRead({ tenancy: auth.tenancy, user_id: params.user_id });
+
+    const matchingProvider = user.oauth_providers.find(
+      p => p.id === params.provider_id && p.account_id === params.provider_account_id
+    );
+    if (!matchingProvider) {
+      throw new KnownErrors.OAuthConnectionNotConnectedToUser();
+    }
+
+    const providerInstance = await getProvider(provider);
+    const prisma = await getPrismaClientForTenancy(auth.tenancy);
+
+    const oauthAccount = await prisma.projectUserOAuthAccount.findFirst({
+      where: {
+        tenancyId: auth.tenancy.id,
+        projectUserId: params.user_id,
+        configOAuthProviderId: params.provider_id,
+        providerAccountId: params.provider_account_id,
+        allowConnectedAccounts: true,
+      },
+    });
+
+    if (!oauthAccount) {
+      throw new KnownErrors.OAuthConnectionNotConnectedToUser();
+    }
+
+    return await retrieveOrRefreshAccessToken({
+      prisma,
+      providerInstance,
+      tenancyId: auth.tenancy.id,
+      oauthAccountIds: [oauthAccount.id],
+      scope: data.scope,
+      errorContext: {
+        tenancyId: auth.tenancy.id,
+        providerId: params.provider_id,
+        providerAccountId: params.provider_account_id,
+        userId: params.user_id,
+        scope: data.scope,
+      },
+    });
+  },
+}));

apps/backend/src/app/api/latest/connected-accounts/[user_id]/[provider_id]/[provider_account_id]/access-token/route.tsx

@@ -0,0 +1,3 @@
+import { connectedAccountAccessTokenByAccountCrudHandlers } from "./crud";
+
+export const POST = connectedAccountAccessTokenByAccountCrudHandlers.createHandler;

apps/backend/src/app/api/latest/connected-accounts/[user_id]/[provider_id]/access-token/crud.tsx

@@ -1,16 +1,14 @@
 import { usersCrudHandlers } from "@/app/api/latest/users/crud";
 import { getProvider } from "@/oauth";
-import { TokenSet } from "@/oauth/providers/base";
 import { getPrismaClientForTenancy } from "@/prisma-client";
 import { createCrudHandlers } from "@/route-handlers/crud-handler";
 import { KnownErrors } from "@stackframe/stack-shared";
 import { connectedAccountAccessTokenCrud } from "@stackframe/stack-shared/dist/interface/crud/connected-accounts";
 import { userIdOrMeSchema, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
 import { getEnvVariable, getNodeEnvironment } from "@stackframe/stack-shared/dist/utils/env";
-import { StackAssertionError, StatusError, captureError } from "@stackframe/stack-shared/dist/utils/errors";
+import { StatusError } from "@stackframe/stack-shared/dist/utils/errors";
 import { createLazyProxy } from "@stackframe/stack-shared/dist/utils/proxies";
-import { Result } from "@stackframe/stack-shared/dist/utils/results";
-import { extractScopes } from "@stackframe/stack-shared/dist/utils/strings";
+import { retrieveOrRefreshAccessToken } from "../../../access-token-helpers";
 
 
 export const connectedAccountAccessTokenCrudHandlers = createLazyProxy(() => createCrudHandlers(connectedAccountAccessTokenCrud, {
@@ -40,136 +38,34 @@ export const connectedAccountAccessTokenCrudHandlers = createLazyProxy(() => cre
     }
 
     const providerInstance = await getProvider(provider);
-
-    // ====================== retrieve access token if it exists ======================
     const prisma = await getPrismaClientForTenancy(auth.tenancy);
-    const accessTokens = await prisma.oAuthAccessToken.findMany({
+
+    // Legacy endpoint: search tokens across ALL accounts for this provider and user
+    const oauthAccounts = await prisma.projectUserOAuthAccount.findMany({
       where: {
         tenancyId: auth.tenancy.id,
-        projectUserOAuthAccount: {
-          projectUserId: params.user_id,
-          configOAuthProviderId: params.provider_id,
-        },
-        expiresAt: {
-          // is at least 5 minutes in the future
-          gt: new Date(Date.now() + 5 * 60 * 1000),
-        },
-        isValid: true,
-      },
-      include: {
-        projectUserOAuthAccount: true,
+        projectUserId: params.user_id,
+        configOAuthProviderId: params.provider_id,
       },
+      select: { id: true },
     });
-    const filteredTokens = accessTokens.filter((t) => {
-      return extractScopes(data.scope || "").every((scope) => t.scopes.includes(scope));
-    });
-    for (const token of filteredTokens) {
-      // some providers (particularly GitHub) invalidate access tokens on the server-side, in which case we want to request a new access token
-      if (await providerInstance.checkAccessTokenValidity(token.accessToken)) {
-        return { access_token: token.accessToken };
-      } else {
-        // mark the token as invalid
-        await prisma.oAuthAccessToken.update({
-          where: {
-            id: token.id,
-          },
-          data: {
-            isValid: false,
-          },
-        });
-      }
-    }
 
-    // ============== no valid access token found, try to refresh the token ==============
+    if (oauthAccounts.length === 0) {
+      throw new KnownErrors.OAuthConnectionNotConnectedToUser();
+    }
 
-    const refreshTokens = await prisma.oAuthToken.findMany({
-      where: {
+    return await retrieveOrRefreshAccessToken({
+      prisma,
+      providerInstance,
+      tenancyId: auth.tenancy.id,
+      oauthAccountIds: oauthAccounts.map(a => a.id),
+      scope: data.scope,
+      errorContext: {
         tenancyId: auth.tenancy.id,
-        projectUserOAuthAccount: {
-          projectUserId: params.user_id,
-          configOAuthProviderId: params.provider_id,
-        },
-        isValid: true,
-      },
-      include: {
-        projectUserOAuthAccount: true,
+        providerId: params.provider_id,
+        userId: params.user_id,
+        scope: data.scope,
       },
     });
-
-    const filteredRefreshTokens = refreshTokens.filter((t) => {
-      return extractScopes(data.scope || "").every((scope) => t.scopes.includes(scope));
-    });
-
-    if (filteredRefreshTokens.length === 0) {
-      throw new KnownErrors.OAuthConnectionDoesNotHaveRequiredScope();
-    }
-
-    for (const token of filteredRefreshTokens) {
-      let tokenSetResult: Result<TokenSet, string>;
-      try {
-        tokenSetResult = await providerInstance.getAccessToken({
-          refreshToken: token.refreshToken,
-          scope: data.scope,
-        });
-      } catch (error) {
-        // Unexpected errors (not handled by the provider) are logged and we continue to the next token
-        captureError('oauth-access-token-refresh-unexpected-error', new StackAssertionError('Unexpected error refreshing access token — this may indicate a bug or misconfiguration', {
-          error,
-          tenancyId: auth.tenancy.id,
-          providerId: params.provider_id,
-          userId: params.user_id,
-          scope: data.scope,
-        }));
-
-        tokenSetResult = Result.error("Unexpected error refreshing access token");
-      }
-
-      if (tokenSetResult.status === "error") {
-        await prisma.oAuthToken.update({
-          where: { id: token.id },
-          data: { isValid: false },
-        });
-
-        continue;
-      }
-
-      const tokenSet = tokenSetResult.data;
-      if (tokenSet.accessToken) {
-        await prisma.oAuthAccessToken.create({
-          data: {
-            tenancyId: auth.tenancy.id,
-            accessToken: tokenSet.accessToken,
-            oauthAccountId: token.projectUserOAuthAccount.id,
-            scopes: token.scopes,
-            expiresAt: tokenSet.accessTokenExpiredAt
-          }
-        });
-
-        if (tokenSet.refreshToken) {
-          // mark the old token as invalid, add the new token to the DB
-          const oldToken = token;
-          await prisma.oAuthToken.update({
-            where: { id: oldToken.id },
-            data: { isValid: false },
-          });
-          await prisma.oAuthToken.create({
-            data: {
-              tenancyId: auth.tenancy.id,
-              refreshToken: tokenSet.refreshToken,
-              oauthAccountId: oldToken.projectUserOAuthAccount.id,
-              scopes: oldToken.scopes,
-            }
-          });
-        }
-
-        return { access_token: tokenSet.accessToken };
-      } else {
-        throw new StackAssertionError("No access token returned");
-      }
-    }
-
-    throw new KnownErrors.OAuthConnectionDoesNotHaveRequiredScope();
   },
 }));
-
-

apps/backend/src/app/api/latest/connected-accounts/[user_id]/crud.tsx

@@ -0,0 +1,50 @@
+import { ensureUserExists } from "@/lib/request-checks";
+import { getPrismaClientForTenancy } from "@/prisma-client";
+import { createCrudHandlers } from "@/route-handlers/crud-handler";
+import { KnownErrors } from "@stackframe/stack-shared";
+import { connectedAccountCrud } from "@stackframe/stack-shared/dist/interface/crud/connected-accounts";
+import { userIdOrMeSchema, yupObject } from "@stackframe/stack-shared/dist/schema-fields";
+import { StatusError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
+import { createLazyProxy } from "@stackframe/stack-shared/dist/utils/proxies";
+
+export const connectedAccountCrudHandlers = createLazyProxy(() => createCrudHandlers(connectedAccountCrud, {
+  paramsSchema: yupObject({
+    user_id: userIdOrMeSchema.defined(),
+  }),
+  async onList({ auth, params }) {
+    const userId = params.user_id;
+
+    if (auth.type === 'client') {
+      const currentUserId = auth.user?.id ?? throwErr(new KnownErrors.CannotGetOwnUserWithoutUser());
+      if (!userId || currentUserId !== userId) {
+        throw new StatusError(StatusError.Forbidden, 'Client can only list connected accounts for their own user.');
+      }
+    }
+
+    const prismaClient = await getPrismaClientForTenancy(auth.tenancy);
+
+    if (userId) {
+      await ensureUserExists(prismaClient, { tenancyId: auth.tenancy.id, userId });
+    }
+
+    const oauthAccounts = await prismaClient.projectUserOAuthAccount.findMany({
+      where: {
+        tenancyId: auth.tenancy.id,
+        projectUserId: userId,
+        allowConnectedAccounts: true,
+      },
+      orderBy: {
+        createdAt: 'asc',
+      },
+    });
+
+    return {
+      items: oauthAccounts.map((oauthAccount) => ({
+        user_id: oauthAccount.projectUserId ?? throwErr("OAuth account has no project user ID"),
+        provider: oauthAccount.configOAuthProviderId,
+        provider_account_id: oauthAccount.providerAccountId,
+      })),
+      is_paginated: false,
+    };
+  },
+}));

apps/backend/src/app/api/latest/connected-accounts/[user_id]/route.tsx

@@ -0,0 +1,3 @@
+import { connectedAccountCrudHandlers } from "./crud";
+
+export const GET = connectedAccountCrudHandlers.listHandler;