feat: add backend OAuth provider configuration API

Matthew Valancy · Matthew Valancy · commit 3a8af4509ee6 · 2025-11-12T13:36:08.000-08:00
- Add oauth_provider_config table to SQLite schema
- Implement CRUD methods in SQLiteAuthStore:
  - getOAuthProviderConfig()
  - getAllOAuthProviderConfigs()
  - upsertOAuthProviderConfig()
  - deleteOAuthProviderConfig()
- Add GraphQL schema types and operations:
  - OAuthProviderConfig type
  - OAuthProviderConfigInput input
  - Query: oauthProviderConfigs, oauthProviderConfig
  - Mutation: updateOAuthProviderConfig, deleteOAuthProviderConfig
- Implement admin-only resolvers with proper authorization
- All operations restricted to ADMIN role users
diff --git a/packages/server/src/auth/sqlite-auth.ts b/packages/server/src/auth/sqlite-auth.ts
@@ -262,6 +262,19 @@ class SQLiteAuthStore {
           )
         `);
 
+        // OAuth provider configuration table for admin panel
+        db.run(`
+          CREATE TABLE IF NOT EXISTS oauth_provider_config (
+            provider TEXT PRIMARY KEY, -- 'google', 'linkedin', 'github'
+            enabled BOOLEAN DEFAULT 0,
+            clientId TEXT,
+            clientSecret TEXT,
+            callbackUrl TEXT,
+            createdAt TEXT NOT NULL,
+            updatedAt TEXT NOT NULL
+          )
+        `);
+
         // Shareable link access log
         db.run(`
           CREATE TABLE IF NOT EXISTS shareable_link_access (
@@ -1501,6 +1514,100 @@ class SQLiteAuthStore {
       );
     });
   }
+
+  async getOAuthProviderConfig(provider: 'google' | 'linkedin' | 'github'): Promise<any> {
+    const db = await this.getDb();
+
+    return new Promise((resolve, reject) => {
+      db.get(
+        'SELECT provider, enabled, clientId, clientSecret, callbackUrl, createdAt, updatedAt FROM oauth_provider_config WHERE provider = ?',
+        [provider],
+        (err, row) => {
+          if (err) {
+            reject(err);
+          } else {
+            resolve(row || null);
+          }
+        }
+      );
+    });
+  }
+
+  async getAllOAuthProviderConfigs(): Promise<any[]> {
+    const db = await this.getDb();
+
+    return new Promise((resolve, reject) => {
+      db.all(
+        'SELECT provider, enabled, clientId, clientSecret, callbackUrl, createdAt, updatedAt FROM oauth_provider_config',
+        [],
+        (err, rows) => {
+          if (err) {
+            reject(err);
+          } else {
+            resolve(rows || []);
+          }
+        }
+      );
+    });
+  }
+
+  async upsertOAuthProviderConfig(config: {
+    provider: 'google' | 'linkedin' | 'github';
+    enabled: boolean;
+    clientId: string;
+    clientSecret: string;
+    callbackUrl: string;
+  }): Promise<void> {
+    const db = await this.getDb();
+    const now = new Date().toISOString();
+
+    return new Promise((resolve, reject) => {
+      db.run(
+        `INSERT INTO oauth_provider_config (provider, enabled, clientId, clientSecret, callbackUrl, createdAt, updatedAt)
+         VALUES (?, ?, ?, ?, ?, ?, ?)
+         ON CONFLICT(provider) DO UPDATE SET
+           enabled = excluded.enabled,
+           clientId = excluded.clientId,
+           clientSecret = excluded.clientSecret,
+           callbackUrl = excluded.callbackUrl,
+           updatedAt = excluded.updatedAt`,
+        [
+          config.provider,
+          config.enabled ? 1 : 0,
+          config.clientId,
+          config.clientSecret,
+          config.callbackUrl,
+          now,
+          now,
+        ],
+        (err) => {
+          if (err) {
+            reject(err);
+          } else {
+            resolve();
+          }
+        }
+      );
+    });
+  }
+
+  async deleteOAuthProviderConfig(provider: 'google' | 'linkedin' | 'github'): Promise<void> {
+    const db = await this.getDb();
+
+    return new Promise((resolve, reject) => {
+      db.run(
+        'DELETE FROM oauth_provider_config WHERE provider = ?',
+        [provider],
+        (err) => {
+          if (err) {
+            reject(err);
+          } else {
+            resolve();
+          }
+        }
+      );
+    });
+  }
 }
 
 export const sqliteAuthStore = new SQLiteAuthStore();
diff --git a/packages/server/src/resolvers/sqlite-auth.ts b/packages/server/src/resolvers/sqlite-auth.ts
@@ -271,6 +271,51 @@ export const sqliteAuthResolvers = {
         console.error('❌ Get folder graphs error:', error);
         throw new GraphQLError('Failed to get folder graphs');
       }
+    },
+
+    // Get all OAuth provider configurations (Admin only)
+    oauthProviderConfigs: async (_: any, __: any, context: any) => {
+      if (!context.user || context.user.role !== 'ADMIN') {
+        throw new GraphQLError('Unauthorized', {
+          extensions: { code: 'FORBIDDEN' }
+        });
+      }
+
+      try {
+        const configs = await sqliteAuthStore.getAllOAuthProviderConfigs();
+        return configs.map((config: any) => ({
+          ...config,
+          enabled: Boolean(config.enabled),
+          configured: Boolean(config.clientId && config.clientSecret)
+        }));
+      } catch (error: any) {
+        console.error('❌ Get OAuth provider configs error:', error);
+        throw new GraphQLError('Failed to get OAuth provider configurations');
+      }
+    },
+
+    // Get specific OAuth provider configuration (Admin only)
+    oauthProviderConfig: async (_: any, { provider }: { provider: string }, context: any) => {
+      if (!context.user || context.user.role !== 'ADMIN') {
+        throw new GraphQLError('Unauthorized', {
+          extensions: { code: 'FORBIDDEN' }
+        });
+      }
+
+      try {
+        const config = await sqliteAuthStore.getOAuthProviderConfig(provider as any);
+        if (!config) {
+          return null;
+        }
+        return {
+          ...config,
+          enabled: Boolean(config.enabled),
+          configured: Boolean(config.clientId && config.clientSecret)
+        };
+      } catch (error: any) {
+        console.error('❌ Get OAuth provider config error:', error);
+        throw new GraphQLError('Failed to get OAuth provider configuration');
+      }
     }
   },
 
@@ -794,6 +839,55 @@ export const sqliteAuthResolvers = {
         console.error('❌ Reorder graphs error:', error);
         throw new GraphQLError('Failed to reorder graphs in folder');
       }
+    },
+
+    // Update OAuth provider configuration (Admin only)
+    updateOAuthProviderConfig: async (_: any, { input }: { input: { provider: string; enabled: boolean; clientId: string; clientSecret: string; callbackUrl: string } }, context: any) => {
+      if (!context.user || context.user.role !== 'ADMIN') {
+        throw new GraphQLError('Unauthorized', {
+          extensions: { code: 'FORBIDDEN' }
+        });
+      }
+
+      try {
+        await sqliteAuthStore.upsertOAuthProviderConfig({
+          provider: input.provider as any,
+          enabled: input.enabled,
+          clientId: input.clientId,
+          clientSecret: input.clientSecret,
+          callbackUrl: input.callbackUrl
+        });
+
+        const config = await sqliteAuthStore.getOAuthProviderConfig(input.provider as any);
+        return {
+          ...config,
+          enabled: Boolean(config.enabled),
+          configured: Boolean(config.clientId && config.clientSecret)
+        };
+      } catch (error: any) {
+        console.error('❌ Update OAuth provider config error:', error);
+        throw new GraphQLError('Failed to update OAuth provider configuration');
+      }
+    },
+
+    // Delete OAuth provider configuration (Admin only)
+    deleteOAuthProviderConfig: async (_: any, { provider }: { provider: string }, context: any) => {
+      if (!context.user || context.user.role !== 'ADMIN') {
+        throw new GraphQLError('Unauthorized', {
+          extensions: { code: 'FORBIDDEN' }
+        });
+      }
+
+      try {
+        await sqliteAuthStore.deleteOAuthProviderConfig(provider as any);
+        return {
+          success: true,
+          message: 'OAuth provider configuration deleted successfully'
+        };
+      } catch (error: any) {
+        console.error('❌ Delete OAuth provider config error:', error);
+        throw new GraphQLError('Failed to delete OAuth provider configuration');
+      }
     }
   }
 };
diff --git a/packages/server/src/schema/auth-schema.ts b/packages/server/src/schema/auth-schema.ts
@@ -141,6 +141,26 @@ export const authTypeDefs = gql`
     code: String!
   }
 
+  # OAuth Provider Configuration (Admin Only)
+  type OAuthProviderConfig {
+    provider: String!
+    enabled: Boolean!
+    clientId: String
+    clientSecret: String
+    callbackUrl: String!
+    configured: Boolean!
+    createdAt: String
+    updatedAt: String
+  }
+
+  input OAuthProviderConfigInput {
+    provider: String!
+    enabled: Boolean!
+    clientId: String!
+    clientSecret: String!
+    callbackUrl: String!
+  }
+
   type Query {
     # Get current user from JWT token
     me: User
@@ -172,6 +192,10 @@ export const authTypeDefs = gql`
 
     # Get OAuth providers for current user
     myOAuthProviders: [OAuthProvider!]!
+
+    # Get OAuth provider configurations (Admin only)
+    oauthProviderConfigs: [OAuthProviderConfig!]!
+    oauthProviderConfig(provider: String!): OAuthProviderConfig
   }
 
   type Mutation {
@@ -239,6 +263,10 @@ export const authTypeDefs = gql`
     # OAuth mutations
     oauthLogin(input: OAuthLoginInput!): AuthPayload!
     unlinkOAuthProvider(provider: String!): MessageResponse!
+
+    # OAuth provider configuration mutations (Admin only)
+    updateOAuthProviderConfig(input: OAuthProviderConfigInput!): OAuthProviderConfig!
+    deleteOAuthProviderConfig(provider: String!): MessageResponse!
   }
   
   input GraphOrderInput {
