chahine/rebreak-monorepo
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
rebreak-monorepo/backend/server/api/mail/oauth/microsoft/callback.post.ts
chahinebrini fc69a14f25 feat(mail): outlook oauth — full end-to-end (backend + daemon + frontend) 
Microsoft hat App-Passwords für consumer-Outlook im September 2024 abgeschaltet.
Diese Welle bringt OAuth2/XOAUTH2-Support als zweiten AuthMethod-Pfad — Gmail/
iCloud/GMX/Yahoo bleiben unangetastet auf App-Password.

Backend (rebreak-backend):

- POST /api/mail/oauth/microsoft/init: PKCE-Flow-Start, generiert
  code_verifier + Authorization-URL, persistiert pending state mit TTL
- POST /api/mail/oauth/microsoft/callback: Token-Exchange (PKCE, kein
  client_secret weil Public Client), id_token-Decode für Email, MailConnection
  upsert mit auth_method='oauth2_microsoft' + encrypted Tokens
- Token-Refresh-Util backend/server/utils/ms-oauth.ts + DB-Function
  refreshAndSaveTokens(connectionId, clientId) mit optimistic-concurrency-
  Race-Condition-Schutz (UPDATE WHERE oauth_token_expiry = <gelesener-wert>,
  bei affected_rows=0 → frischen Wert lesen statt nochmal refreshen sonst
  invalid_grant via Token-Rotation)
- Neue Tabelle oauth_pending_states (TTL via createdAt + Cleanup-Job-TODO)
- [id].delete.ts: echter OAuth-Disconnect — DB-Token-Löschung + Audit-Log
  (MS hat keinen Drittanbieter-Revoke-Endpoint, daher User-Information-Pflicht
  per Frontend-Modal, siehe DSB-Memo Section 5.1)
- Consent-Gate auch in scan.post.ts + scan-internal.post.ts (Cron-Trigger
  war ohne Consent-Check = DSGVO-Lücke, jetzt geschlossen mit
  skippedNoConsent-Field in Response)

IDLE-Daemon (backend/imap-idle/index.mjs, mo):

- XOAUTH2-Auth-Branch via getCredentialsForConnection() — wenn
  auth_method='oauth2_microsoft', Token-Expiry-Check (<5min remaining →
  proaktiver Refresh), sonst decrypted accessToken zu ImapFlow
- AUTHENTICATIONFAILED-Recovery: bis 3× reaktiv refresh + reconnect, danach
  last_connect_error='auth_revoked' (kein Endlos-Loop)
- IDLE_RENEW_INTERVAL_MS = 10min — passt für MS 29min-Timeout (gleich wie
  Gmail/iCloud)
- Consent-Pause: Connections mit consent_at=null laufen IDLE weiter (für
  exists-Event-Wiederaufnahme), aber triggerScan() ist deaktiviert bis
  consent erteilt
- start-idle-staging.sh: MS_OAUTH_CLIENT_ID explizit weiterleiten in den
  inneren bash -c-Block (war Infisical-Var, ging aber durch strict-mode
  verloren)

Frontend (rebreak-native-ui):

- Outlook-Tile re-aktiviert (war disabled mit "Kommt bald" seit Sept-2024-
  Awareness), authMethod-Discriminator löst statt Email+Pw-Form den
  OAuth-Flow aus
- ConnectMailSheet: neuer view-State 'oauth_warning' (Outing-Effekt-Hinweis
  per Hans-Müller-Memo Section 6.1) + 'oauth_pending' (Browser-Step-Spinner)
- Deep-Link-Handler app/auth/mail-oauth-callback.tsx — auto-registriert
  durch expo-router-File-Routing, kein Native-Rebuild (scheme 'rebreak'
  schon im app.config.ts)
- mailConnectDraft-Store: pendingOAuthConnectionId für Title-Edit-Sheet
  direkt nach Connect
- MailAccountCard: Password-Row hidden für OAuth-Connections, Post-Disconnect-
  Modal mit MS-Account-Anleitung (DSB-konform — kompensiert fehlenden
  Drittanbieter-Revoke-Endpoint mit User-Information)

Hans-Müller-DSB-Memo (mail-outlook-oauth-dsgvo-review.md):

- Section 4.1 Datenschutzerklärung-Textbaustein: "Wir widerrufen den Token
  aktiv bei Microsoft"-Satz raus (war faktisch falsch — MS hat keinen
  Drittanbieter-Revoke). Neuer Wortlaut: DB-Löschung + User-Anleitung
  account.microsoft.com → Sicherheit → App-Berechtigungen
- Section 4.1: User.Read-Scope offen dokumentiert mit Datenminimierungs-
  Klausel (Scope breiter, wir nutzen NUR Display-Name + Email-Claim)
- Section 5.1: ehrliche Doku dass MS keinen RFC-7009-Revoke hat
- Section 9 Anwalts-Themen: neue Frage 5 zur Art. 17-Erfüllung trotz
  fehlendem MS-Revoke

Architektur-Eigenschaften:

- Generisches AuthMethod-Framework — Gmail/iCloud/Yahoo können später als
  reine Config-Erweiterung OAuth bekommen, kein Refactor nötig
- Token-Encryption via bestehendes crypto.ts (AES-256-GCM, Key aus
  Infisical)
- Consent-Gate konsistent: ConnectMailSheet-Consent-Step VOR Provider-
  Auswahl (Frontend), backend-Endpoint 412 wenn consent fehlt, Daemon +
  Scan-Endpoints pausieren bei consent_at=null

Open follow-ups:

- oauth_pending_states-Cleanup-Cron für abgelaufene Entries (TODO im
  Backend-Code dokumentiert)
- Anwalts-Klärung Hans-Müller Section 9 (DPA-Anspruch ohne MS-Lizenz +
  Art. 17 mit User-Information statt Revoke-Endpoint)
- TIA (Transfer Impact Assessment) für MS-Sub-AV — Hans-Müller-Draft-Aufgabe
- Outlook-Tile-Wieder-Aktivierung ist live, aber Phase-1-Production-Test
  steht aus (User Test auf iPhone nach Pipeline-Deploy)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 21:04:14 +02:00

179 lines
6.3 KiB
TypeScript
Raw Blame History

/**
* POST /api/mail/oauth/microsoft/callback
*
* Step 2 of the Microsoft OAuth PKCE flow.
*
* Called by the native app after it intercepts the deep-link redirect from Microsoft
* (rebreak://auth/mail-oauth-callback?code=…&state=…).
*
* NO requireUser — the state parameter is the auth mechanism here (CSRF-safe because
* only the user who initiated the flow has the stateId in their session). The userId
* is retrieved from oauth_pending_states.
*
* Consent-Gate strategy (Hans-Müller-aligned):
* We set consent_at = now() inline during this callback, because the user has
* already passed through the ConnectMailSheet Art. 9 consent step before reaching
* the Outlook-OAuth button. The consent_version is stamped as CURRENT_ART9_MAIL_VERSION.
* This is the same pattern as [id].post.ts (password-based connect).
*
* Body:
* code: string — authorization code from Microsoft
* state: string — stateId from the init step (CSRF validation)
*
* Response:
* 200: { connectionId, email, provider: 'outlook_oauth' }
* 400: { error: 'invalid_body' }
* 401: { error: 'invalid_state' } — state not found, expired, or already used
* 500: { error: 'token_exchange_failed' }
*/
import { CURRENT_ART9_MAIL_VERSION } from "../../../../utils/consent-texts";
import { writeConsentGrant, setMailConnectionConsent } from "../../../../db/consent";
import { getProfile } from "../../../../db/profile";
import { getPlanLimits } from "../../../../utils/plan-features";
export default defineEventHandler(async (event) => {
const config = useRuntimeConfig(event);
const clientId = config.msOauthClientId as string;
if (!clientId) {
throw createError({
statusCode: 500,
data: { error: "MS_OAUTH_CLIENT_ID not configured" },
});
}
const body = await readBody(event).catch(() => null) as {
code?: string;
state?: string;
} | null;
if (!body?.code || !body?.state) {
throw createError({
statusCode: 400,
data: { error: "invalid_body", detail: "code and state are required" },
});
}
const { code, state: stateId } = body;
// ── Validate + consume state ──────────────────────────────────────────────
const pendingState = await consumeOauthPendingState(stateId);
if (!pendingState) {
throw createError({
statusCode: 401,
data: {
error: "invalid_state",
detail: "State not found, expired (>10 min), or already used",
},
});
}
const { userId, codeVerifier, email: hintEmail } = pendingState;
// ── Plan-Limit check ──────────────────────────────────────────────────────
const profile = await getProfile(userId);
const limits = getPlanLimits(profile?.plan ?? "free");
if (limits.mailAgents !== Infinity) {
const count = await countMailConnections(userId);
if (count >= limits.mailAgents) {
throw createError({
statusCode: 403,
data: {
error: "plan_limit",
resource: "mail_accounts",
current: count,
limit: limits.mailAgents,
},
});
}
}
// ── Token Exchange ────────────────────────────────────────────────────────
let tokenResponse;
try {
tokenResponse = await exchangeCodeForTokens({
clientId,
code,
codeVerifier,
});
} catch (err: any) {
throw createError({
statusCode: 502,
data: {
error: "token_exchange_failed",
detail: err.message ?? "microsoft_error",
},
});
}
const { access_token, refresh_token, expires_in, scope, id_token } = tokenResponse;
// ── Extract email from ID-token ───────────────────────────────────────────
let outlookEmail: string | null = hintEmail ?? null;
if (id_token) {
const extracted = extractEmailFromIdToken(id_token);
if (extracted) outlookEmail = extracted;
}
if (!outlookEmail) {
throw createError({
statusCode: 502,
data: {
error: "email_extraction_failed",
detail: "Could not extract email from Microsoft ID-token. Ensure openid+User.Read scopes are granted.",
},
});
}
// ── Encrypt tokens ────────────────────────────────────────────────────────
const encryptedAccessToken = encrypt(access_token);
const encryptedRefreshToken = encrypt(refresh_token);
const tokenExpiry = new Date(Date.now() + expires_in * 1000);
// ── Consent setup ─────────────────────────────────────────────────────────
const now = new Date();
const ipAddress =
getHeader(event, "x-forwarded-for")?.split(",")[0]?.trim() ??
getHeader(event, "x-real-ip") ??
null;
const userAgent = getHeader(event, "user-agent") ?? null;
// ── Upsert MailConnection ─────────────────────────────────────────────────
const connection = await upsertOauthMicrosoftConnection({
userId,
email: outlookEmail,
encryptedAccessToken,
encryptedRefreshToken,
tokenExpiry,
scope: scope ?? MS_OAUTH_SCOPES,
});
// ── Consent stamp + audit log ─────────────────────────────────────────────
await setMailConnectionConsent({
connectionId: connection.id,
userId,
consentAt: now,
consentVersion: CURRENT_ART9_MAIL_VERSION,
consentIpAddress: ipAddress,
});
await writeConsentGrant({
userId,
consentType: "art9-mail",
consentVersion: CURRENT_ART9_MAIL_VERSION,
consentAt: now,
ipAddress,
userAgent,
mailConnectionId: connection.id,
});
return {
connectionId: connection.id,
email: outlookEmail,
provider: "outlook_oauth",
title: null,
};
});
Reference in New Issue View Git Blame Copy Permalink