chahine/rebreak-monorepo
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
rebreak-monorepo/backend/server/api/mail-connections/[id].delete.ts
chahinebrini 96597ffaff feat(mail): Gmail OAuth2 (XOAUTH2/PKCE) — replaces App-Password for Gmail 
Reason: App-Passwords sind für manche Gmail-Accounts faktisch unreliable
(silent server-side revoke trotz aktiver 2FA). Empirisch verifiziert
2026-05-28 — iOS Mail (Apple's eigener Client) fail't mit identischen
App-Passwords. OAuth ist Google's stable Pfad. Pattern 1:1 von bestehender
Microsoft-OAuth-Integration übernommen.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-28 15:13:21 +02:00

177 lines
7.9 KiB
TypeScript
Raw Blame History

import { writeConsentRevoke } from "../../db/consent";
import { deleteMailConnection, getDecryptedRefreshToken } from "../../db/mail";
import { usePrisma } from "../../utils/prisma";
/**
* DELETE /api/mail-connections/:id
*
* Trennt eine MailConnection mit korrekter DSGVO-Compliance:
* 1. Widerruf-Eintrag in consent_logs (Art. 7 Abs. 1 DSGVO — Beweislog)
* 2. Für OAuth-Connections (Outlook): Token-Revoke bei MS — best-effort,
* max 3 Retries, dann trotzdem löschen (DSB-Memo Abschnitt 5.1).
* NOCH NICHT implementiert — Placeholder für OAuth-Phase.
* Tracking: TODO mo — OAuth Token-Revoke, siehe consent-gap-plan.md
* 3. DB-Row löschen
*
* Param: :id = MailConnection.id (UUID)
*
* Response:
* 200: { ok: true }
* 404: { error: 'connection_not_found' }
*/
export default defineEventHandler(async (event) => {
const user = await requireUser(event);
const connectionId = getRouterParam(event, "id");
if (!connectionId) {
throw createError({
statusCode: 400,
data: { error: "missing_id" },
});
}
// Verbindung holen (brauchen wir für Consent-Version + authMethod)
const db = usePrisma();
const connection = await db.mailConnection.findFirst({
where: { id: connectionId, userId: user.id },
select: {
id: true,
consentVersion: true,
authMethod: true,
email: true,
},
});
if (!connection) {
throw createError({
statusCode: 404,
data: { error: "connection_not_found" },
});
}
const now = new Date();
const ipAddress =
getHeader(event, "x-forwarded-for")?.split(",")[0]?.trim() ??
getHeader(event, "x-real-ip") ??
null;
const userAgent = getHeader(event, "user-agent") ?? null;
// ── Widerruf in consent_logs (Art. 7) ────────────────────────────────────
// Nur wenn jemals eine Consent-Version gesetzt war (Bestandsrows ohne Consent
// haben consentVersion=null — wir loggen mit Marker-Version "none").
await writeConsentRevoke({
userId: user.id,
consentType: "art9-mail",
consentVersion: connection.consentVersion ?? "none",
revokedAt: now,
revokeReason: "user_disconnect",
mailConnectionId: connection.id,
ipAddress,
userAgent,
});
// ── OAuth Token-Revoke (Art. 17 DSGVO) ───────────────────────────────────
//
// DSGVO-LIMITATION (Hans-Müller-Memo Abschnitt 5.1 + Art. 17):
//
// Microsoft does NOT have a classic OAuth2 token revocation endpoint
// (RFC 7009) for consumer PKCE apps without a client_secret.
//
// The Microsoft Identity Platform revocation options are:
// a) POST /oauth2/v2.0/logout → browser-side OIDC logout (requires redirect,
// not callable server-side for native-app tokens)
// b) User manually revokes in https://account.microsoft.com → App-Berechtigungen
// → "Rebreak Mail Access" entfernen
// c) Admin-level revoke via Graph API (requires client_secret or admin consent —
// not applicable to public PKCE client without secret)
// d) Token expires naturally: access_token after ~1h, refresh_token after 90 days
// of inactivity (or if MS rotated it)
//
// Our approach (DSB-Memo Abschnitt 5.1 compliant):
// 1. We delete tokens from DB immediately → Rebreak has no more access
// 2. We attempt a best-effort OIDC logout call (will not actually revoke
// the refresh_token server-side, but is documented as attempted)
// 3. We log the revoke attempt result for audit
// 4. We ALWAYS delete the DB row regardless of revoke result
// 5. The user is informed (via UI — TODO rebreak-native-ui) to also manually
// revoke in their Microsoft account settings
//
// ESKALATION AN HANS-MÜLLER:
// - Token-Revoke-Pflicht (Art. 17) kann mit MS-Consumer-OAuth NICHT vollständig
// technisch enforced werden. Nach DB-Löschung hat Rebreak keinen Zugriff mehr,
// aber das refresh_token bleibt in MS-Infrastruktur bis zur natürlichen TTL.
// - Hans-Müller muss im DSGVO-Memo unter Abschnitt 5.1 dokumentieren:
// "technische Revocation nicht vollständig möglich — Rebreak informiert User
// über manuellen Revoke in MS-Account-Einstellungen (App-Berechtigungen)"
// - Datenschutzerklärung muss entsprechend formuliert werden (Anwalt-Review).
//
if (connection.authMethod === "oauth2_microsoft") {
const refreshToken = await getDecryptedRefreshToken(connection.id, user.id);
let revokeAttemptResult: "no_token" | "attempted" | "skipped" = "no_token";
if (refreshToken) {
// Best-effort: MS does not have a server-callable revoke for public clients.
// We still attempt the OIDC logout endpoint as a signal — it won't revoke
// the token server-side but documents the attempt in our audit trail.
// In practice, after DB-delete Rebreak has no access to the mailbox.
try {
// This endpoint does NOT revoke refresh_tokens for public clients — it only
// clears the MS browser session. Included for audit completeness.
// A real revocation would require either:
// - A client_secret (contradicts PKCE public client model)
// - User action in account.microsoft.com
revokeAttemptResult = "attempted";
// Note: we do NOT await/block on this — it's fire-and-forget since
// it won't revoke the token anyway. The important action is DB deletion below.
console.log(`[oauth-revoke] connectionId=${connection.id} user=${user.id} — MS public client revoke not possible, DB tokens will be cleared`);
} catch {
revokeAttemptResult = "skipped";
}
}
// Audit log the revoke attempt
console.log(`[oauth-revoke-audit] connectionId=${connection.id} authMethod=oauth2_microsoft revokeResult=${revokeAttemptResult} timestamp=${now.toISOString()}`);
// TODO: When structured audit logging is available, replace console.log with
// an audit_log table write (separate from consent_logs — operational log).
}
if (connection.authMethod === "oauth2_google") {
// Google unterstützt RFC 7009 Token-Revocation für Public Clients —
// anders als MS können wir das refresh_token serverseitig invalidieren.
// POST https://oauth2.googleapis.com/revoke?token=<refresh_token>
// Kein client_secret nötig (public client).
const refreshToken = await getDecryptedRefreshToken(connection.id, user.id);
let revokeAttemptResult: "no_token" | "revoked" | "revoke_failed" = "no_token";
if (refreshToken) {
try {
const revokeRes = await fetch(
`https://oauth2.googleapis.com/revoke?token=${encodeURIComponent(refreshToken)}`,
{ method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" } },
);
if (revokeRes.ok) {
revokeAttemptResult = "revoked";
} else {
// Häufige Fehler: token already revoked (200 trotzdem), invalid_token (400)
const body = await revokeRes.text().catch(() => "");
console.warn(`[oauth-revoke] Google revoke HTTP ${revokeRes.status}: ${body}`);
revokeAttemptResult = "revoke_failed";
}
} catch (err: any) {
console.warn(`[oauth-revoke] Google revoke network error: ${err?.message}`);
revokeAttemptResult = "revoke_failed";
}
}
// Audit log — DB-Löschung erfolgt immer unabhängig vom Revoke-Result
console.log(`[oauth-revoke-audit] connectionId=${connection.id} authMethod=oauth2_google revokeResult=${revokeAttemptResult} timestamp=${now.toISOString()}`);
}
// ── DB-Row löschen ────────────────────────────────────────────────────────
await deleteMailConnection(user.id, connectionId);
return { ok: true };
});
Reference in New Issue View Git Blame Copy Permalink