🪐 feat: MCP OAuth 2.0 Discovery Support (#7924)
* chore: Update @modelcontextprotocol/sdk to version 1.12.3 in package.json and package-lock.json
- Bump version of @modelcontextprotocol/sdk to 1.12.3 to incorporate recent updates.
- Update dependencies for ajv and cross-spawn to their latest versions.
- Add ajv as a new dependency in the sdk module.
- Include json-schema-traverse as a new dependency in the sdk module.
* feat: @librechat/auth
* feat: Add crypto module exports to auth package
- Introduced a new crypto module by creating index.ts in the crypto directory.
- Updated the main index.ts of the auth package to export from the new crypto module.
* feat: Update package dependencies and build scripts for auth package
- Added @librechat/auth as a dependency in package.json and package-lock.json.
- Updated build scripts to include the auth package in both frontend and bun build processes.
- Removed unused mongoose and openid-client dependencies from package-lock.json for cleaner dependency management.
* refactor: Migrate crypto utility functions to @librechat/auth
- Replaced local crypto utility imports with the new @librechat/auth package across multiple files.
- Removed the obsolete crypto.js file and its exports.
- Updated relevant services and models to utilize the new encryption and decryption methods from @librechat/auth.
* feat: Enhance OAuth token handling and update dependencies in auth package
* chore: Remove Token model and TokenService due to restructuring of OAuth handling
- Deleted the Token.js model and TokenService.js, which were responsible for managing OAuth tokens.
- This change is part of a broader refactor to streamline OAuth token management and improve code organization.
* refactor: imports from '@librechat/auth' to '@librechat/api' and add OAuth token handling functionality
* refactor: Simplify logger usage in MCP and FlowStateManager classes
* chore: fix imports
* feat: Add OAuth configuration schema to MCP with token exchange method support
* feat: FIRST PASS Implement MCP OAuth flow with token management and error handling
- Added a new route for handling OAuth callbacks and token retrieval.
- Integrated OAuth token storage and retrieval mechanisms.
- Enhanced MCP connection to support automatic OAuth flow initiation on 401 errors.
- Implemented dynamic client registration and metadata discovery for OAuth.
- Updated MCPManager to manage OAuth tokens and handle authentication requirements.
- Introduced comprehensive logging for OAuth processes and error handling.
* refactor: Update MCPConnection and MCPManager to utilize new URL handling
- Added a `url` property to MCPConnection for better URL management.
- Refactored MCPManager to use the new `url` property instead of a deprecated method for OAuth handling.
- Changed logging from info to debug level for flow manager and token methods initialization.
- Improved comments for clarity on existing tokens and OAuth event listener setup.
* refactor: Improve connection timeout error messages in MCPConnection and MCPManager and use initTimeout for connection
- Updated the connection timeout error messages to include the duration of the timeout.
- Introduced a configurable `connectTimeout` variable in both MCPConnection and MCPManager for better flexibility.
* chore: cleanup MCP OAuth Token exchange handling; fix: erroneous use of flowsCache and remove verbose logs
* refactor: Update MCPManager and MCPTokenStorage to use TokenMethods for token management
- Removed direct token storage handling in MCPManager and replaced it with TokenMethods for better abstraction.
- Refactored MCPTokenStorage methods to accept parameters for token operations, enhancing flexibility and readability.
- Improved logging messages related to token persistence and retrieval processes.
* refactor: Update MCP OAuth handling to use static methods and improve flow management
- Refactored MCPOAuthHandler to utilize static methods for initiating and completing OAuth flows, enhancing clarity and reducing instance dependencies.
- Updated MCPManager to pass flowManager explicitly to OAuth handling methods, improving flexibility in flow state management.
- Enhanced comments and logging for better understanding of OAuth processes and flow state retrieval.
* refactor: Integrate token methods into createMCPTool for enhanced token management
* refactor: Change logging from info to debug level in MCPOAuthHandler for improved log management
* chore: clean up logging
* feat: first pass, auth URL from MCP OAuth flow
* chore: Improve logging format for OAuth authentication URL display
* chore: cleanup mcp manager comments
* feat: add connection reconnection logic in MCPManager
* refactor: reorganize token storage handling in MCP
- Moved token storage logic from MCPManager to a new MCPTokenStorage class for better separation of concerns.
- Updated imports to reflect the new token storage structure.
- Enhanced methods for storing, retrieving, updating, and deleting OAuth tokens, improving overall token management.
* chore: update comment for SYSTEM_USER_ID in MCPManager for clarity
* feat: implement refresh token functionality in MCP
- Added refresh token handling in MCPManager to support token renewal for both app-level and user-specific connections.
- Introduced a refreshTokens function to facilitate token refresh logic.
- Enhanced MCPTokenStorage to manage client information and refresh token processes.
- Updated logging for better traceability during token operations.
* chore: cleanup @librechat/auth
* feat: implement MCP server initialization in a separate service
- Added a new service to handle the initialization of MCP servers, improving code organization and readability.
- Refactored the server startup logic to utilize the new initializeMCP function.
- Removed redundant MCP initialization code from the main server file.
* fix: don't log auth url for user connections
* feat: enhance OAuth flow with success and error handling components
- Updated OAuth callback routes to redirect to new success and error pages instead of sending status messages.
- Introduced `OAuthSuccess` and `OAuthError` components to provide user feedback during authentication.
- Added localization support for success and error messages in the translation files.
- Implemented countdown functionality in the success component for a better user experience.
* fix: refresh token handling for user connections, add missing URL and methods
- add standard enum for system user id and helper for determining app-lvel vs. user-level connections
* refactor: update token handling in MCPManager and MCPTokenStorage
* fix: improve error logging in OAuth authentication handler
* fix: concurrency issues for both login url emission and concurrency of oauth flows for shared flows (same user, same server, multiple calls for same server)
* fix: properly fail shared flows for concurrent server calls and prevent duplication of tokens
* chore: remove unused auth package directory from update configuration
* ci: fix mocks in samlStrategy tests
* ci: add mcpConfig to AppService test setup
* chore: remove obsolete MCP OAuth implementation documentation
* fix: update build script for API to use correct command
* chore: bump version of @librechat/api to 1.2.4
* fix: update abort signal handling in createMCPTool function
* fix: add optional clientInfo parameter to refreshTokensFunction metadata
* refactor: replace app.locals.availableTools with getCachedTools in multiple services and controllers for improved tool management
* fix: concurrent refresh token handling issue
* refactor: add signal parameter to getUserConnection method for improved abort handling
* chore: JSDoc typing for `loadEphemeralAgent`
* refactor: update isConnectionActive method to use destructured parameters for improved readability
* feat: implement caching for MCP tools to handle app-level disconnects for loading list of tools
* ci: fix agent test
2025-06-17 13:50:33 -04:00
|
|
|
import axios from 'axios';
|
🧵 refactor: Migrate Endpoint Initialization to TypeScript (#10794)
* refactor: move endpoint initialization methods to typescript
* refactor: move agent init to packages/api
- Introduced `initialize.ts` for agent initialization, including file processing and tool loading.
- Updated `resources.ts` to allow optional appConfig parameter.
- Enhanced endpoint configuration handling in various initialization files to support model parameters.
- Added new artifacts and prompts for React component generation.
- Refactored existing code to improve type safety and maintainability.
* refactor: streamline endpoint initialization and enhance type safety
- Updated initialization functions across various endpoints to use a consistent request structure, replacing `unknown` types with `ServerResponse`.
- Simplified request handling by directly extracting keys from the request body.
- Improved type safety by ensuring user IDs are safely accessed with optional chaining.
- Removed unnecessary parameters and streamlined model options handling for better clarity and maintainability.
* refactor: moved ModelService and extractBaseURL to packages/api
- Added comprehensive tests for the models fetching functionality, covering scenarios for OpenAI, Anthropic, Google, and Ollama models.
- Updated existing endpoint index to include the new models module.
- Enhanced utility functions for URL extraction and model data processing.
- Improved type safety and error handling across the models fetching logic.
* refactor: consolidate utility functions and remove unused files
- Merged `deriveBaseURL` and `extractBaseURL` into the `@librechat/api` module for better organization.
- Removed redundant utility files and their associated tests to streamline the codebase.
- Updated imports across various client files to utilize the new consolidated functions.
- Enhanced overall maintainability by reducing the number of utility modules.
* refactor: replace ModelService references with direct imports from @librechat/api and remove ModelService file
* refactor: move encrypt/decrypt methods and key db methods to data-schemas, use `getProviderConfig` from `@librechat/api`
* chore: remove unused 'res' from options in AgentClient
* refactor: file model imports and methods
- Updated imports in various controllers and services to use the unified file model from '~/models' instead of '~/models/File'.
- Consolidated file-related methods into a new file methods module in the data-schemas package.
- Added comprehensive tests for file methods including creation, retrieval, updating, and deletion.
- Enhanced the initializeAgent function to accept dependency injection for file-related methods.
- Improved error handling and logging in file methods.
* refactor: streamline database method references in agent initialization
* refactor: enhance file method tests and update type references to IMongoFile
* refactor: consolidate database method imports in agent client and initialization
* chore: remove redundant import of initializeAgent from @librechat/api
* refactor: move checkUserKeyExpiry utility to @librechat/api and update references across endpoints
* refactor: move updateUserPlugins logic to user.ts and simplify UserController
* refactor: update imports for user key management and remove UserService
* refactor: remove unused Anthropics and Bedrock endpoint files and clean up imports
* refactor: consolidate and update encryption imports across various files to use @librechat/data-schemas
* chore: update file model mock to use unified import from '~/models'
* chore: import order
* refactor: remove migrated to TS agent.js file and its associated logic from the endpoints
* chore: add reusable function to extract imports from source code in unused-packages workflow
* chore: enhance unused-packages workflow to include @librechat/api dependencies and improve dependency extraction
* chore: improve dependency extraction in unused-packages workflow with enhanced error handling and debugging output
* chore: add detailed debugging output to unused-packages workflow for better visibility into unused dependencies and exclusion lists
* chore: refine subpath handling in unused-packages workflow to correctly process scoped and non-scoped package imports
* chore: clean up unused debug output in unused-packages workflow and reorganize type imports in initialize.ts
2025-12-03 17:21:41 -05:00
|
|
|
import { logger, encryptV2, decryptV2 } from '@librechat/data-schemas';
|
🪐 feat: MCP OAuth 2.0 Discovery Support (#7924)
* chore: Update @modelcontextprotocol/sdk to version 1.12.3 in package.json and package-lock.json
- Bump version of @modelcontextprotocol/sdk to 1.12.3 to incorporate recent updates.
- Update dependencies for ajv and cross-spawn to their latest versions.
- Add ajv as a new dependency in the sdk module.
- Include json-schema-traverse as a new dependency in the sdk module.
* feat: @librechat/auth
* feat: Add crypto module exports to auth package
- Introduced a new crypto module by creating index.ts in the crypto directory.
- Updated the main index.ts of the auth package to export from the new crypto module.
* feat: Update package dependencies and build scripts for auth package
- Added @librechat/auth as a dependency in package.json and package-lock.json.
- Updated build scripts to include the auth package in both frontend and bun build processes.
- Removed unused mongoose and openid-client dependencies from package-lock.json for cleaner dependency management.
* refactor: Migrate crypto utility functions to @librechat/auth
- Replaced local crypto utility imports with the new @librechat/auth package across multiple files.
- Removed the obsolete crypto.js file and its exports.
- Updated relevant services and models to utilize the new encryption and decryption methods from @librechat/auth.
* feat: Enhance OAuth token handling and update dependencies in auth package
* chore: Remove Token model and TokenService due to restructuring of OAuth handling
- Deleted the Token.js model and TokenService.js, which were responsible for managing OAuth tokens.
- This change is part of a broader refactor to streamline OAuth token management and improve code organization.
* refactor: imports from '@librechat/auth' to '@librechat/api' and add OAuth token handling functionality
* refactor: Simplify logger usage in MCP and FlowStateManager classes
* chore: fix imports
* feat: Add OAuth configuration schema to MCP with token exchange method support
* feat: FIRST PASS Implement MCP OAuth flow with token management and error handling
- Added a new route for handling OAuth callbacks and token retrieval.
- Integrated OAuth token storage and retrieval mechanisms.
- Enhanced MCP connection to support automatic OAuth flow initiation on 401 errors.
- Implemented dynamic client registration and metadata discovery for OAuth.
- Updated MCPManager to manage OAuth tokens and handle authentication requirements.
- Introduced comprehensive logging for OAuth processes and error handling.
* refactor: Update MCPConnection and MCPManager to utilize new URL handling
- Added a `url` property to MCPConnection for better URL management.
- Refactored MCPManager to use the new `url` property instead of a deprecated method for OAuth handling.
- Changed logging from info to debug level for flow manager and token methods initialization.
- Improved comments for clarity on existing tokens and OAuth event listener setup.
* refactor: Improve connection timeout error messages in MCPConnection and MCPManager and use initTimeout for connection
- Updated the connection timeout error messages to include the duration of the timeout.
- Introduced a configurable `connectTimeout` variable in both MCPConnection and MCPManager for better flexibility.
* chore: cleanup MCP OAuth Token exchange handling; fix: erroneous use of flowsCache and remove verbose logs
* refactor: Update MCPManager and MCPTokenStorage to use TokenMethods for token management
- Removed direct token storage handling in MCPManager and replaced it with TokenMethods for better abstraction.
- Refactored MCPTokenStorage methods to accept parameters for token operations, enhancing flexibility and readability.
- Improved logging messages related to token persistence and retrieval processes.
* refactor: Update MCP OAuth handling to use static methods and improve flow management
- Refactored MCPOAuthHandler to utilize static methods for initiating and completing OAuth flows, enhancing clarity and reducing instance dependencies.
- Updated MCPManager to pass flowManager explicitly to OAuth handling methods, improving flexibility in flow state management.
- Enhanced comments and logging for better understanding of OAuth processes and flow state retrieval.
* refactor: Integrate token methods into createMCPTool for enhanced token management
* refactor: Change logging from info to debug level in MCPOAuthHandler for improved log management
* chore: clean up logging
* feat: first pass, auth URL from MCP OAuth flow
* chore: Improve logging format for OAuth authentication URL display
* chore: cleanup mcp manager comments
* feat: add connection reconnection logic in MCPManager
* refactor: reorganize token storage handling in MCP
- Moved token storage logic from MCPManager to a new MCPTokenStorage class for better separation of concerns.
- Updated imports to reflect the new token storage structure.
- Enhanced methods for storing, retrieving, updating, and deleting OAuth tokens, improving overall token management.
* chore: update comment for SYSTEM_USER_ID in MCPManager for clarity
* feat: implement refresh token functionality in MCP
- Added refresh token handling in MCPManager to support token renewal for both app-level and user-specific connections.
- Introduced a refreshTokens function to facilitate token refresh logic.
- Enhanced MCPTokenStorage to manage client information and refresh token processes.
- Updated logging for better traceability during token operations.
* chore: cleanup @librechat/auth
* feat: implement MCP server initialization in a separate service
- Added a new service to handle the initialization of MCP servers, improving code organization and readability.
- Refactored the server startup logic to utilize the new initializeMCP function.
- Removed redundant MCP initialization code from the main server file.
* fix: don't log auth url for user connections
* feat: enhance OAuth flow with success and error handling components
- Updated OAuth callback routes to redirect to new success and error pages instead of sending status messages.
- Introduced `OAuthSuccess` and `OAuthError` components to provide user feedback during authentication.
- Added localization support for success and error messages in the translation files.
- Implemented countdown functionality in the success component for a better user experience.
* fix: refresh token handling for user connections, add missing URL and methods
- add standard enum for system user id and helper for determining app-lvel vs. user-level connections
* refactor: update token handling in MCPManager and MCPTokenStorage
* fix: improve error logging in OAuth authentication handler
* fix: concurrency issues for both login url emission and concurrency of oauth flows for shared flows (same user, same server, multiple calls for same server)
* fix: properly fail shared flows for concurrent server calls and prevent duplication of tokens
* chore: remove unused auth package directory from update configuration
* ci: fix mocks in samlStrategy tests
* ci: add mcpConfig to AppService test setup
* chore: remove obsolete MCP OAuth implementation documentation
* fix: update build script for API to use correct command
* chore: bump version of @librechat/api to 1.2.4
* fix: update abort signal handling in createMCPTool function
* fix: add optional clientInfo parameter to refreshTokensFunction metadata
* refactor: replace app.locals.availableTools with getCachedTools in multiple services and controllers for improved tool management
* fix: concurrent refresh token handling issue
* refactor: add signal parameter to getUserConnection method for improved abort handling
* chore: JSDoc typing for `loadEphemeralAgent`
* refactor: update isConnectionActive method to use destructured parameters for improved readability
* feat: implement caching for MCP tools to handle app-level disconnects for loading list of tools
* ci: fix agent test
2025-06-17 13:50:33 -04:00
|
|
|
import { TokenExchangeMethodEnum } from 'librechat-data-provider';
|
|
|
|
|
import type { TokenMethods } from '@librechat/data-schemas';
|
|
|
|
|
import type { AxiosError } from 'axios';
|
|
|
|
|
import { logAxiosError } from '~/utils';
|
|
|
|
|
|
|
|
|
|
export function createHandleOAuthToken({
|
|
|
|
|
findToken,
|
|
|
|
|
updateToken,
|
|
|
|
|
createToken,
|
|
|
|
|
}: {
|
|
|
|
|
findToken: TokenMethods['findToken'];
|
|
|
|
|
updateToken: TokenMethods['updateToken'];
|
|
|
|
|
createToken: TokenMethods['createToken'];
|
|
|
|
|
}) {
|
|
|
|
|
/**
|
|
|
|
|
* Handles the OAuth token by creating or updating the token.
|
|
|
|
|
* @param fields
|
|
|
|
|
* @param fields.userId - The user's ID.
|
|
|
|
|
* @param fields.token - The full token to store.
|
|
|
|
|
* @param fields.identifier - Unique, alternative identifier for the token.
|
|
|
|
|
* @param fields.expiresIn - The number of seconds until the token expires.
|
|
|
|
|
* @param fields.metadata - Additional metadata to store with the token.
|
|
|
|
|
* @param [fields.type="oauth"] - The type of token. Default is 'oauth'.
|
|
|
|
|
*/
|
|
|
|
|
return async function handleOAuthToken({
|
|
|
|
|
token,
|
|
|
|
|
userId,
|
|
|
|
|
identifier,
|
|
|
|
|
expiresIn,
|
|
|
|
|
metadata,
|
|
|
|
|
type = 'oauth',
|
|
|
|
|
}: {
|
|
|
|
|
token: string;
|
|
|
|
|
userId: string;
|
|
|
|
|
identifier: string;
|
|
|
|
|
expiresIn?: number | string | null;
|
|
|
|
|
metadata?: Record<string, unknown>;
|
|
|
|
|
type?: string;
|
|
|
|
|
}) {
|
|
|
|
|
const encrypedToken = await encryptV2(token);
|
|
|
|
|
let expiresInNumber = 3600;
|
|
|
|
|
if (typeof expiresIn === 'number') {
|
|
|
|
|
expiresInNumber = expiresIn;
|
|
|
|
|
} else if (expiresIn != null) {
|
|
|
|
|
expiresInNumber = parseInt(expiresIn, 10) || 3600;
|
|
|
|
|
}
|
|
|
|
|
const tokenData = {
|
|
|
|
|
type,
|
|
|
|
|
userId,
|
|
|
|
|
metadata,
|
|
|
|
|
identifier,
|
|
|
|
|
token: encrypedToken,
|
|
|
|
|
expiresIn: expiresInNumber,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const existingToken = await findToken({ userId, identifier });
|
|
|
|
|
if (existingToken) {
|
|
|
|
|
return await updateToken({ identifier }, tokenData);
|
|
|
|
|
} else {
|
|
|
|
|
return await createToken(tokenData);
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Processes the access tokens and stores them in the database.
|
|
|
|
|
* @param tokenData
|
|
|
|
|
* @param tokenData.access_token
|
|
|
|
|
* @param tokenData.expires_in
|
|
|
|
|
* @param [tokenData.refresh_token]
|
|
|
|
|
* @param [tokenData.refresh_token_expires_in]
|
|
|
|
|
* @param metadata
|
|
|
|
|
* @param metadata.userId
|
|
|
|
|
* @param metadata.identifier
|
|
|
|
|
*/
|
|
|
|
|
async function processAccessTokens(
|
|
|
|
|
tokenData: {
|
|
|
|
|
access_token: string;
|
|
|
|
|
expires_in: number;
|
|
|
|
|
refresh_token?: string;
|
|
|
|
|
refresh_token_expires_in?: number;
|
|
|
|
|
},
|
|
|
|
|
{ userId, identifier }: { userId: string; identifier: string },
|
|
|
|
|
{
|
|
|
|
|
findToken,
|
|
|
|
|
updateToken,
|
|
|
|
|
createToken,
|
|
|
|
|
}: {
|
|
|
|
|
findToken: TokenMethods['findToken'];
|
|
|
|
|
updateToken: TokenMethods['updateToken'];
|
|
|
|
|
createToken: TokenMethods['createToken'];
|
|
|
|
|
},
|
|
|
|
|
) {
|
|
|
|
|
const { access_token, expires_in = 3600, refresh_token, refresh_token_expires_in } = tokenData;
|
|
|
|
|
if (!access_token) {
|
|
|
|
|
logger.error('Access token not found: ', tokenData);
|
|
|
|
|
throw new Error('Access token not found');
|
|
|
|
|
}
|
|
|
|
|
const handleOAuthToken = createHandleOAuthToken({
|
|
|
|
|
findToken,
|
|
|
|
|
updateToken,
|
|
|
|
|
createToken,
|
|
|
|
|
});
|
|
|
|
|
await handleOAuthToken({
|
|
|
|
|
identifier,
|
|
|
|
|
token: access_token,
|
|
|
|
|
expiresIn: expires_in,
|
|
|
|
|
userId,
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (refresh_token != null) {
|
|
|
|
|
logger.debug('Processing refresh token');
|
|
|
|
|
await handleOAuthToken({
|
|
|
|
|
token: refresh_token,
|
|
|
|
|
type: 'oauth_refresh',
|
|
|
|
|
userId,
|
|
|
|
|
identifier: `${identifier}:refresh`,
|
|
|
|
|
expiresIn: refresh_token_expires_in ?? null,
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
logger.debug('Access tokens processed');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Refreshes the access token using the refresh token.
|
|
|
|
|
* @param fields
|
|
|
|
|
* @param fields.userId - The ID of the user.
|
|
|
|
|
* @param fields.client_url - The URL of the OAuth provider.
|
|
|
|
|
* @param fields.identifier - The identifier for the token.
|
|
|
|
|
* @param fields.refresh_token - The refresh token to use.
|
|
|
|
|
* @param fields.token_exchange_method - The token exchange method ('default_post' or 'basic_auth_header').
|
|
|
|
|
* @param fields.encrypted_oauth_client_id - The client ID for the OAuth provider.
|
|
|
|
|
* @param fields.encrypted_oauth_client_secret - The client secret for the OAuth provider.
|
|
|
|
|
*/
|
|
|
|
|
export async function refreshAccessToken(
|
|
|
|
|
{
|
|
|
|
|
userId,
|
|
|
|
|
client_url,
|
|
|
|
|
identifier,
|
|
|
|
|
refresh_token,
|
|
|
|
|
token_exchange_method,
|
|
|
|
|
encrypted_oauth_client_id,
|
|
|
|
|
encrypted_oauth_client_secret,
|
|
|
|
|
}: {
|
|
|
|
|
userId: string;
|
|
|
|
|
client_url: string;
|
|
|
|
|
identifier: string;
|
|
|
|
|
refresh_token: string;
|
|
|
|
|
token_exchange_method: TokenExchangeMethodEnum;
|
|
|
|
|
encrypted_oauth_client_id: string;
|
|
|
|
|
encrypted_oauth_client_secret: string;
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
findToken,
|
|
|
|
|
updateToken,
|
|
|
|
|
createToken,
|
|
|
|
|
}: {
|
|
|
|
|
findToken: TokenMethods['findToken'];
|
|
|
|
|
updateToken: TokenMethods['updateToken'];
|
|
|
|
|
createToken: TokenMethods['createToken'];
|
|
|
|
|
},
|
|
|
|
|
): Promise<{
|
|
|
|
|
access_token: string;
|
|
|
|
|
expires_in: number;
|
|
|
|
|
refresh_token?: string;
|
|
|
|
|
refresh_token_expires_in?: number;
|
|
|
|
|
}> {
|
|
|
|
|
try {
|
|
|
|
|
const oauth_client_id = await decryptV2(encrypted_oauth_client_id);
|
|
|
|
|
const oauth_client_secret = await decryptV2(encrypted_oauth_client_secret);
|
|
|
|
|
|
|
|
|
|
const headers: Record<string, string> = {
|
|
|
|
|
'Content-Type': 'application/x-www-form-urlencoded',
|
|
|
|
|
Accept: 'application/json',
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const params = new URLSearchParams({
|
|
|
|
|
grant_type: 'refresh_token',
|
|
|
|
|
refresh_token,
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (token_exchange_method === TokenExchangeMethodEnum.BasicAuthHeader) {
|
|
|
|
|
const basicAuth = Buffer.from(`${oauth_client_id}:${oauth_client_secret}`).toString('base64');
|
|
|
|
|
headers['Authorization'] = `Basic ${basicAuth}`;
|
|
|
|
|
} else {
|
|
|
|
|
params.append('client_id', oauth_client_id);
|
|
|
|
|
params.append('client_secret', oauth_client_secret);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const response = await axios({
|
|
|
|
|
method: 'POST',
|
|
|
|
|
url: client_url,
|
|
|
|
|
headers,
|
|
|
|
|
data: params.toString(),
|
|
|
|
|
});
|
|
|
|
|
await processAccessTokens(
|
|
|
|
|
response.data,
|
|
|
|
|
{
|
|
|
|
|
userId,
|
|
|
|
|
identifier,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
findToken,
|
|
|
|
|
updateToken,
|
|
|
|
|
createToken,
|
|
|
|
|
},
|
|
|
|
|
);
|
|
|
|
|
logger.debug(`Access token refreshed successfully for ${identifier}`);
|
|
|
|
|
return response.data;
|
|
|
|
|
} catch (error) {
|
|
|
|
|
const message = 'Error refreshing OAuth tokens';
|
|
|
|
|
throw new Error(
|
|
|
|
|
logAxiosError({
|
|
|
|
|
message,
|
|
|
|
|
error: error as AxiosError,
|
|
|
|
|
}),
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Handles the OAuth callback and exchanges the authorization code for tokens.
|
|
|
|
|
* @param {object} fields
|
|
|
|
|
* @param {string} fields.code - The authorization code returned by the provider.
|
|
|
|
|
* @param {string} fields.userId - The ID of the user.
|
|
|
|
|
* @param {string} fields.identifier - The identifier for the token.
|
|
|
|
|
* @param {string} fields.client_url - The URL of the OAuth provider.
|
|
|
|
|
* @param {string} fields.redirect_uri - The redirect URI for the OAuth provider.
|
|
|
|
|
* @param {string} fields.token_exchange_method - The token exchange method ('default_post' or 'basic_auth_header').
|
|
|
|
|
* @param {string} fields.encrypted_oauth_client_id - The client ID for the OAuth provider.
|
|
|
|
|
* @param {string} fields.encrypted_oauth_client_secret - The client secret for the OAuth provider.
|
|
|
|
|
*/
|
|
|
|
|
export async function getAccessToken(
|
|
|
|
|
{
|
|
|
|
|
code,
|
|
|
|
|
userId,
|
|
|
|
|
identifier,
|
|
|
|
|
client_url,
|
|
|
|
|
redirect_uri,
|
|
|
|
|
token_exchange_method,
|
|
|
|
|
encrypted_oauth_client_id,
|
|
|
|
|
encrypted_oauth_client_secret,
|
|
|
|
|
}: {
|
|
|
|
|
code: string;
|
|
|
|
|
userId: string;
|
|
|
|
|
identifier: string;
|
|
|
|
|
client_url: string;
|
|
|
|
|
redirect_uri: string;
|
|
|
|
|
token_exchange_method: TokenExchangeMethodEnum;
|
|
|
|
|
encrypted_oauth_client_id: string;
|
|
|
|
|
encrypted_oauth_client_secret: string;
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
findToken,
|
|
|
|
|
updateToken,
|
|
|
|
|
createToken,
|
|
|
|
|
}: {
|
|
|
|
|
findToken: TokenMethods['findToken'];
|
|
|
|
|
updateToken: TokenMethods['updateToken'];
|
|
|
|
|
createToken: TokenMethods['createToken'];
|
|
|
|
|
},
|
|
|
|
|
): Promise<{
|
|
|
|
|
access_token: string;
|
|
|
|
|
expires_in: number;
|
|
|
|
|
refresh_token?: string;
|
|
|
|
|
refresh_token_expires_in?: number;
|
|
|
|
|
}> {
|
|
|
|
|
const oauth_client_id = await decryptV2(encrypted_oauth_client_id);
|
|
|
|
|
const oauth_client_secret = await decryptV2(encrypted_oauth_client_secret);
|
|
|
|
|
|
|
|
|
|
const headers: Record<string, string> = {
|
|
|
|
|
'Content-Type': 'application/x-www-form-urlencoded',
|
|
|
|
|
Accept: 'application/json',
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const params = new URLSearchParams({
|
|
|
|
|
code,
|
|
|
|
|
grant_type: 'authorization_code',
|
|
|
|
|
redirect_uri,
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (token_exchange_method === TokenExchangeMethodEnum.BasicAuthHeader) {
|
|
|
|
|
const basicAuth = Buffer.from(`${oauth_client_id}:${oauth_client_secret}`).toString('base64');
|
|
|
|
|
headers['Authorization'] = `Basic ${basicAuth}`;
|
|
|
|
|
} else {
|
|
|
|
|
params.append('client_id', oauth_client_id);
|
|
|
|
|
params.append('client_secret', oauth_client_secret);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
try {
|
|
|
|
|
const response = await axios({
|
|
|
|
|
method: 'POST',
|
|
|
|
|
url: client_url,
|
|
|
|
|
headers,
|
|
|
|
|
data: params.toString(),
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
await processAccessTokens(
|
|
|
|
|
response.data,
|
|
|
|
|
{
|
|
|
|
|
userId,
|
|
|
|
|
identifier,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
findToken,
|
|
|
|
|
updateToken,
|
|
|
|
|
createToken,
|
|
|
|
|
},
|
|
|
|
|
);
|
|
|
|
|
logger.debug(`Access tokens successfully created for ${identifier}`);
|
|
|
|
|
return response.data;
|
|
|
|
|
} catch (error) {
|
|
|
|
|
const message = 'Error exchanging OAuth code';
|
|
|
|
|
throw new Error(
|
|
|
|
|
logAxiosError({
|
|
|
|
|
message,
|
|
|
|
|
error: error as AxiosError,
|
|
|
|
|
}),
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
}
|