feat: calendar (#774)

* feat: calendar

* fix: coderabbit suggestions

* chore: add calendar

* fix: cal build

* fix: env var

* fix: env var

* feat: curr time

Author: coodos

platforms/calendar-api/package.json

@@ -0,0 +1,30 @@
+{
+  "name": "calendar-api",
+  "version": "1.0.0",
+  "description": "W3DS auth and eVault-backed calendar events API",
+  "main": "dist/index.js",
+  "scripts": {
+    "start": "node dist/index.js",
+    "dev": "ts-node src/index.ts",
+    "build": "tsc"
+  },
+  "dependencies": {
+    "cors": "^2.8.5",
+    "dotenv": "^16.4.5",
+    "express": "^4.18.2",
+    "graphql-request": "^6.1.0",
+    "jsonwebtoken": "^9.0.2",
+    "signature-validator": "workspace:*",
+    "uuid": "^9.0.1",
+    "axios": "^1.6.7"
+  },
+  "devDependencies": {
+    "@types/cors": "^2.8.17",
+    "@types/express": "^4.17.21",
+    "@types/jsonwebtoken": "^9.0.5",
+    "@types/node": "^20.11.19",
+    "@types/uuid": "^9.0.8",
+    "ts-node": "^10.9.2",
+    "typescript": "^5.3.3"
+  }
+}

platforms/calendar-api/src/constants.ts

@@ -0,0 +1,25 @@
+export const CALENDAR_EVENT_ONTOLOGY_ID =
+  "880e8400-e29b-41d4-a716-446655440099";
+
+const SESSION_TTL_MS = 5 * 60 * 1000; // 5 minutes
+
+export interface StoredSession {
+  createdAt: number;
+}
+
+export const sessionStore = new Map<string, StoredSession>();
+
+export function addSession(sessionId: string): void {
+  sessionStore.set(sessionId, { createdAt: Date.now() });
+}
+
+export function isSessionValid(sessionId: string): boolean {
+  const s = sessionStore.get(sessionId);
+  if (!s) return false;
+  if (Date.now() - s.createdAt > SESSION_TTL_MS) {
+    sessionStore.delete(sessionId);
+    return false;
+  }
+  sessionStore.delete(sessionId); // one-time use
+  return true;
+}

platforms/calendar-api/src/controllers/AuthController.ts

@@ -0,0 +1,136 @@
+import { Request, Response } from "express";
+import { EventEmitter } from "events";
+import { v4 as uuidv4 } from "uuid";
+import jwt from "jsonwebtoken";
+import { verifySignature } from "signature-validator";
+import { isVersionValid } from "../utils/version";
+import { addSession, isSessionValid } from "../constants";
+
+const MIN_REQUIRED_VERSION = "0.4.0";
+const JWT_EXPIRES_IN = "7d";
+
+export class AuthController {
+  private eventEmitter = new EventEmitter();
+
+  getOffer = async (_req: Request, res: Response) => {
+    console.log("[auth] GET /api/auth/offer hit");
+    const baseUrl = process.env.NEXT_PUBLIC_CALENDAR_APP_URL;
+    if (!baseUrl) {
+      console.error("[auth] NEXT_PUBLIC_CALENDAR_APP_URL is not set");
+      return res.status(500).json({ error: "Server configuration error: NEXT_PUBLIC_CALENDAR_APP_URL not set" });
+    }
+
+    let redirectUri: string;
+    try {
+      redirectUri = new URL("/api/auth", baseUrl).toString();
+    } catch (err) {
+      console.error("[auth] Invalid NEXT_PUBLIC_CALENDAR_APP_URL:", baseUrl, err);
+      return res.status(500).json({ error: "Server configuration error: invalid base URL" });
+    }
+
+    const session = uuidv4();
+    addSession(session);
+    const offer = `w3ds://auth?redirect=${encodeURIComponent(redirectUri)}&session=${session}&platform=${encodeURIComponent(baseUrl)}`;
+    console.log("[auth] offer created, redirectUri=", redirectUri, "platform=", baseUrl);
+    res.json({ uri: offer, sessionId: session });
+  };
+
+  sseStream = async (req: Request, res: Response) => {
+    const { id } = req.params;
+    console.log("[auth] GET /api/auth/sessions/:id hit, sessionId=", id);
+    res.writeHead(200, {
+      "Content-Type": "text/event-stream",
+      "Cache-Control": "no-cache",
+      Connection: "keep-alive",
+      "Access-Control-Allow-Origin": "*",
+    });
+    const handler = (data: unknown) => {
+      res.write(`data: ${JSON.stringify(data)}\n\n`);
+    };
+    this.eventEmitter.on(id, handler);
+    const heartbeat = setInterval(() => {
+      try {
+        res.write(": heartbeat\n\n");
+      } catch {
+        clearInterval(heartbeat);
+      }
+    }, 30000);
+    req.on("close", () => {
+      clearInterval(heartbeat);
+      this.eventEmitter.off(id, handler);
+      res.end();
+    });
+  };
+
+  login = async (req: Request, res: Response) => {
+    console.log("[auth] POST /api/auth hit");
+    try {
+      const { ename, session, signature, appVersion } = req.body;
+      console.log("[auth] body: ename=", ename, "session=", session?.slice(0, 8) + "...", "appVersion=", appVersion, "signature present=", !!signature);
+
+      if (!ename) {
+        console.log("[auth] reject: ename missing");
+        return res.status(400).json({ error: "ename is required" });
+      }
+      if (!session) {
+        console.log("[auth] reject: session missing");
+        return res.status(400).json({ error: "session is required" });
+      }
+      if (!signature) {
+        console.log("[auth] reject: signature missing");
+        return res.status(400).json({ error: "signature is required" });
+      }
+
+      if (!isSessionValid(session)) {
+        console.log("[auth] reject: invalid or expired session");
+        return res
+          .status(400)
+          .json({ error: "Invalid or expired session", message: "Please request a new login offer." });
+      }
+
+      if (!appVersion || !isVersionValid(appVersion, MIN_REQUIRED_VERSION)) {
+        console.log("[auth] reject: app version too old", appVersion);
+        return res.status(400).json({
+          error: "App version too old",
+          message: `Please update eID Wallet to version ${MIN_REQUIRED_VERSION} or later.`,
+        });
+      }
+
+      const registryBaseUrl = process.env.PUBLIC_REGISTRY_URL;
+      if (!registryBaseUrl) {
+        console.log("[auth] reject: PUBLIC_REGISTRY_URL not set");
+        return res.status(500).json({ error: "Server configuration error" });
+      }
+
+      console.log("[auth] verifying signature with registry", registryBaseUrl);
+      const verificationResult = await verifySignature({
+        eName: ename,
+        signature,
+        payload: session,
+        registryBaseUrl,
+      });
+
+      if (!verificationResult.valid) {
+        console.log("[auth] reject: signature invalid", verificationResult.error);
+        return res.status(401).json({
+          error: "Invalid signature",
+          message: verificationResult.error,
+        });
+      }
+
+      const secret = process.env.JWT_SECRET || "calendar-api-dev-secret";
+      const token = jwt.sign(
+        { ename },
+        secret,
+        { expiresIn: JWT_EXPIRES_IN }
+      );
+
+      console.log("[auth] login success, ename=", ename);
+      this.eventEmitter.emit(session, { token });
+      res.status(200).json({ token });
+    } catch (error) {
+      console.error("[auth] login error:", error);
+      res.status(500).json({ error: "Internal server error" });
+    }
+  };
+}

platforms/calendar-api/src/controllers/EventsController.ts

@@ -0,0 +1,109 @@
+import { Response } from "express";
+import { EVaultService } from "../services/EVaultService";
+import { AuthenticatedRequest } from "../middleware/auth";
+
+const evaultService = new EVaultService();
+
+export class EventsController {
+  list = async (req: AuthenticatedRequest, res: Response) => {
+    try {
+      const ename = req.user?.ename;
+      if (!ename) {
+        res.status(401).json({ error: "Unauthorized" });
+        return;
+      }
+      const first = Math.min(
+        parseInt(String(req.query.first), 10) || 100,
+        500
+      );
+      const after = (req.query.after as string) || undefined;
+      const events = await evaultService.listEvents(ename, first, after);
+      res.json(events);
+    } catch (error) {
+      console.error("List events error:", error);
+      res.status(500).json({
+        error: "Failed to list events",
+        message: error instanceof Error ? error.message : "Unknown error",
+      });
+    }
+  };
+
+  create = async (req: AuthenticatedRequest, res: Response) => {
+    try {
+      const ename = req.user?.ename;
+      if (!ename) {
+        res.status(401).json({ error: "Unauthorized" });
+        return;
+      }
+      const { title, color, start, end } = req.body;
+      if (!title || !start || !end) {
+        res.status(400).json({
+          error: "Missing required fields",
+          message: "title, start, and end are required",
+        });
+        return;
+      }
+      const event = await evaultService.createEvent(ename, {
+        title,
+        color: color ?? "",
+        start,
+        end,
+      });
+      res.status(201).json(event);
+    } catch (error) {
+      console.error("Create event error:", error);
+      res.status(500).json({
+        error: "Failed to create event",
+        message: error instanceof Error ? error.message : "Unknown error",
+      });
+    }
+  };
+
+  update = async (req: AuthenticatedRequest, res: Response) => {
+    try {
+      const ename = req.user?.ename;
+      if (!ename) {
+        res.status(401).json({ error: "Unauthorized" });
+        return;
+      }
+      const id = req.params.id;
+      const { title, color, start, end } = req.body;
+      const payload: Record<string, string> = {};
+      if (title !== undefined) payload.title = title;
+      if (color !== undefined) payload.color = color;
+      if (start !== undefined) payload.start = start;
+      if (end !== undefined) payload.end = end;
+      if (Object.keys(payload).length === 0) {
+        res.status(400).json({ error: "No fields to update" });
+        return;
+      }
+      const event = await evaultService.updateEvent(ename, id, payload);
+      res.json(event);
+    } catch (error) {
+      console.error("Update event error:", error);
+      res.status(500).json({
+        error: "Failed to update event",
+        message: error instanceof Error ? error.message : "Unknown error",
+      });
+    }
+  };
+
+  remove = async (req: AuthenticatedRequest, res: Response) => {
+    try {
+      const ename = req.user?.ename;
+      if (!ename) {
+        res.status(401).json({ error: "Unauthorized" });
+        return;
+      }
+      const id = req.params.id;
+      await evaultService.removeEvent(ename, id);
+      res.status(204).send();
+    } catch (error) {
+      console.error("Remove event error:", error);
+      res.status(500).json({
+        error: "Failed to delete event",
+        message: error instanceof Error ? error.message : "Unknown error",
+      });
+    }
+  }
+}

platforms/calendar-api/src/index.ts

@@ -0,0 +1,54 @@
+import dotenv from "dotenv";
+import fs from "fs";
+import path from "path";
+import express from "express";
+import cors from "cors";
+
+// Load .env: try monorepo root, then calendar-api parent, then cwd (no fallback)
+const candidates = [
+  path.resolve(__dirname, "../../../.env"), // repo root from dist/
+  path.resolve(__dirname, "../../.env"),   // repo root from src/ or platforms/.env
+  path.resolve(process.cwd(), ".env"),
+];
+const envPath = candidates.find((p) => fs.existsSync(p));
+if (envPath) {
+  dotenv.config({ path: envPath });
+} else {
+  console.warn(
+    "No .env found at",
+    candidates.join(", "),
+    "- env vars must be set by shell or elsewhere"
+  );
+}
+import { AuthController } from "./controllers/AuthController";
+import { EventsController } from "./controllers/EventsController";
+import { authMiddleware } from "./middleware/auth";
+
+const app = express();
+const port = process.env.PORT ?? 4001;
+
+app.use(
+  cors({
+    origin: true,
+    methods: ["GET", "POST", "PATCH", "DELETE", "OPTIONS"],
+    allowedHeaders: ["Content-Type", "Authorization"],
+    credentials: true,
+  })
+);
+app.use(express.json());
+
+const authController = new AuthController();
+const eventsController = new EventsController();
+
+app.get("/api/auth/offer", authController.getOffer);
+app.get("/api/auth/sessions/:id", authController.sseStream);
+app.post("/api/auth", authController.login);
+
+app.get("/api/events", authMiddleware, eventsController.list);
+app.post("/api/events", authMiddleware, eventsController.create);
+app.patch("/api/events/:id", authMiddleware, eventsController.update);
+app.delete("/api/events/:id", authMiddleware, eventsController.remove);
+
+app.listen(port, () => {
+  console.log(`Calendar API running on port ${port}`);
+});

platforms/calendar-api/src/middleware/auth.ts

@@ -0,0 +1,37 @@
+import { Request, Response, NextFunction } from "express";
+import jwt from "jsonwebtoken";
+
+export interface AuthPayload {
+  ename: string;
+}
+
+export interface AuthenticatedRequest extends Request {
+  user?: AuthPayload;
+}
+
+export function authMiddleware(
+  req: AuthenticatedRequest,
+  res: Response,
+  next: NextFunction
+): void {
+  const authHeader = req.headers.authorization;
+  if (!authHeader?.startsWith("Bearer ")) {
+    res.status(401).json({ error: "Missing or invalid Authorization header" });
+    return;
+  }
+
+  const token = authHeader.slice(7);
+  const secret = process.env.JWT_SECRET || "calendar-api-dev-secret";
+
+  try {
+    const decoded = jwt.verify(token, secret) as AuthPayload;
+    if (!decoded.ename) {
+      res.status(401).json({ error: "Invalid token payload" });
+      return;
+    }
+    req.user = { ename: decoded.ename };
+    next();
+  } catch {
+    res.status(401).json({ error: "Invalid or expired token" });
+  }
+}