feat(oauth): add simple oauth module

.gitignore

@@ -46,6 +46,8 @@ lerna-debug.log*
 .temp
 .tmp
 
+.claude
+
 # Runtime data
 pids
 *.pid

src/app/app.module.ts

@@ -42,6 +42,7 @@ import { AddTagIdsToResources1755248141570 } from 'omniboxd/migrations/175524814
 import { CleanResourceNames1755396702021 } from 'omniboxd/migrations/1755396702021-clean-resource-names';
 import { UpdateAttachmentUrls1755499552000 } from 'omniboxd/migrations/1755499552000-update-attachment-urls';
 import { ScanResourceAttachments1755504936756 } from 'omniboxd/migrations/1755504936756-scan-resource-attachments';
+import { OAuthModule } from 'omniboxd/oauth2/oauth.module';
 
 @Module({})
 export class AppModule implements NestModule {
@@ -81,6 +82,7 @@ export class AppModule implements NestModule {
         InvitationsModule,
         AttachmentsModule,
         SharesModule,
+        OAuthModule,
         // CacheModule.registerAsync({
         //   imports: [ConfigModule],
         //   inject: [ConfigService],

src/auth/jwt.strategy.ts

@@ -13,7 +13,11 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
     });
   }
 
-  validate(payload: { sub: string; email: string }) {
-    return { id: payload.sub, email: payload.email };
+  validate(payload: { sub: string; email?: string; client_id?: string }) {
+    return {
+      id: payload.sub,
+      email: payload.email,
+      clientId: payload.client_id,
+    };
   }
 }

src/oauth2/oauth.controller.ts

@@ -0,0 +1,76 @@
+import { Public } from 'omniboxd/auth/decorators/public.auth.decorator';
+import { UserId } from 'omniboxd/decorators/user-id.decorator';
+import { OAuthService } from 'omniboxd/oauth2/oauth.service';
+import {
+  Controller,
+  Get,
+  Post,
+  Query,
+  Body,
+  BadRequestException,
+} from '@nestjs/common';
+
+@Controller('api/v1/oauth2')
+export class OAuthController {
+  constructor(private readonly oauthService: OAuthService) {}
+
+  @Get('authorize')
+  authorize(
+    @Query('response_type') responseType: string,
+    @Query('client_id') clientId: string,
+    @Query('redirect_uri') redirectUri: string,
+    @Query('state') state: string,
+    @UserId() userId: string,
+  ) {
+    if (responseType !== 'code') {
+      throw new BadRequestException(
+        'Only authorization code flow is supported',
+      );
+    }
+
+    if (!clientId || !redirectUri) {
+      throw new BadRequestException('client_id and redirect_uri are required');
+    }
+
+    const code = this.oauthService.createAuthorizationCode(
+      userId,
+      clientId,
+      redirectUri,
+    );
+
+    const redirectUrl = new URL(redirectUri);
+    redirectUrl.searchParams.set('code', code);
+    if (state) {
+      redirectUrl.searchParams.set('state', state);
+    }
+
+    // Most browsers will block automatic redirects, so we perform the redirect manually
+    return {
+      redirectUrl: redirectUrl.toString(),
+    };
+  }
+
+  @Public()
+  @Post('token')
+  async token(
+    @Body()
+    body: {
+      grant_type: string;
+      code: string;
+      client_id: string;
+    },
+  ) {
+    if (body.grant_type !== 'authorization_code') {
+      throw new BadRequestException(
+        'Only authorization_code grant type is supported',
+      );
+    }
+
+    const { code, client_id } = body;
+    if (!code || !client_id) {
+      throw new BadRequestException('Missing required parameters');
+    }
+
+    return await this.oauthService.exchangeCodeForTokens(code, client_id);
+  }
+}

src/oauth2/oauth.module.ts

@@ -0,0 +1,25 @@
+import { Module } from '@nestjs/common';
+import { JwtModule } from '@nestjs/jwt';
+import { UserModule } from 'omniboxd/user/user.module';
+import { ConfigModule, ConfigService } from '@nestjs/config';
+import { OAuthController } from 'omniboxd/oauth2/oauth.controller';
+import { OAuthService } from 'omniboxd/oauth2/oauth.service';
+
+@Module({
+  imports: [
+    UserModule,
+    JwtModule.registerAsync({
+      imports: [ConfigModule],
+      inject: [ConfigService],
+      useFactory: (config: ConfigService) => ({
+        global: true,
+        secret: config.get('OBB_JWT_SECRET'),
+        signOptions: { expiresIn: config.get('OBB_JWT_EXPIRE') },
+      }),
+    }),
+  ],
+  controllers: [OAuthController],
+  providers: [OAuthService],
+  exports: [OAuthService],
+})
+export class OAuthModule {}

src/oauth2/oauth.service.ts

@@ -0,0 +1,91 @@
+import { Injectable, BadRequestException } from '@nestjs/common';
+import { JwtService } from '@nestjs/jwt';
+import { nanoid } from 'nanoid';
+import { OAuthConfig, DEFAULT_OAUTH_CONFIG } from './types';
+import { UserService } from 'omniboxd/user/user.service';
+
+interface AuthorizationCode {
+  code: string;
+  userId: string;
+  clientId: string;
+  redirectUri: string;
+  expiresAt: Date;
+}
+
+@Injectable()
+export class OAuthService {
+  private config: OAuthConfig = DEFAULT_OAUTH_CONFIG;
+  private authorizationCodes: Map<string, AuthorizationCode> = new Map();
+
+  constructor(
+    private readonly jwtService: JwtService,
+    private readonly userService: UserService,
+  ) {}
+
+  createAuthorizationCode(
+    userId: string,
+    clientId: string,
+    redirectUri: string,
+  ) {
+    const code = nanoid(32);
+    const expiresAt = new Date();
+    expiresAt.setMinutes(
+      expiresAt.getMinutes() + this.config.authorizationCodeExpiryMinutes,
+    );
+
+    const authCode: AuthorizationCode = {
+      code,
+      userId,
+      clientId,
+      redirectUri,
+      expiresAt,
+    };
+
+    this.cleanupExpiredCodes();
+    this.authorizationCodes.set(code, authCode);
+    return code;
+  }
+
+  async exchangeCodeForTokens(code: string, clientId: string) {
+    const authCode = this.authorizationCodes.get(code);
+
+    if (!authCode || authCode.expiresAt < new Date()) {
+      throw new BadRequestException('Invalid or expired authorization code');
+    }
+
+    if (authCode.clientId !== clientId) {
+      throw new BadRequestException('Invalid authorization code');
+    }
+
+    this.authorizationCodes.delete(code);
+    this.cleanupExpiredCodes();
+    return await this.generateAccessToken(authCode.userId, clientId);
+  }
+
+  private async generateAccessToken(userId: string, clientId: string) {
+    const user = await this.userService.find(userId);
+    if (!user) {
+      throw new BadRequestException('Invalid user');
+    }
+    const payload = {
+      sub: userId,
+      client_id: clientId,
+      email: user.email,
+    };
+
+    const accessToken = this.jwtService.sign(payload);
+
+    return {
+      access_token: accessToken,
+    };
+  }
+
+  private cleanupExpiredCodes() {
+    const now = new Date();
+    for (const [code, authCode] of this.authorizationCodes.entries()) {
+      if (authCode.expiresAt < now) {
+        this.authorizationCodes.delete(code);
+      }
+    }
+  }
+}

src/oauth2/types.ts

@@ -0,0 +1,17 @@
+export interface AuthorizationCode {
+  code: string;
+  userId: string;
+  clientId: string;
+  redirectUri: string;
+  expiresAt: Date;
+}
+
+export interface OAuthConfig {
+  supportedGrantTypes: string[];
+  authorizationCodeExpiryMinutes: number;
+}
+
+export const DEFAULT_OAUTH_CONFIG: OAuthConfig = {
+  supportedGrantTypes: ['authorization_code'],
+  authorizationCodeExpiryMinutes: 10,
+};