feat: add OAuth 2.1 endpoints (register, authorize, token)

Add well-known metadata, dynamic client registration, authorization
flow with PKCE, and token exchange/refresh endpoints with route-level
integration tests.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/server/index.ts

@@ -11,6 +11,7 @@ import { itemRoutes } from "./routes/items.ts";
 import { settingsRoutes } from "./routes/settings.ts";
 import { setupRoutes } from "./routes/setups.ts";
 import { threadRoutes } from "./routes/threads.ts";
+import { oauthRoutes, wellKnownRoute } from "./routes/oauth.ts";
 import { totalRoutes } from "./routes/totals.ts";
 
 // Seed default data on startup
@@ -33,6 +34,14 @@ app.get("/api/health", (c) => {
 	return c.json({ status: "ok" });
 });
 
+// OAuth routes (must be before /api/* middleware)
+app.use("/oauth/*", async (c, next) => {
+	c.set("db", prodDb);
+	return next();
+});
+app.route("/.well-known", wellKnownRoute);
+app.route("/oauth", oauthRoutes);
+
 // Inject production database into request context
 app.use("/api/*", async (c, next) => {
 	c.set("db", prodDb);

src/server/routes/oauth.ts

@@ -0,0 +1,261 @@
+import { Hono } from "hono";
+import { db as prodDb } from "../../db/index.ts";
+import { verifyPassword } from "../services/auth.service.ts";
+import {
+	cleanExpiredOAuthData,
+	createAuthorizationCode,
+	exchangeCode,
+	getClient,
+	refreshAccessToken,
+	registerClient,
+} from "../services/oauth.service.ts";
+
+type Env = { Variables: { db?: any } };
+
+function escapeHtml(str: string): string {
+	return str
+		.replace(/&/g, "&")
+		.replace(/</g, "&lt;")
+		.replace(/>/g, "&gt;")
+		.replace(/"/g, "&quot;")
+		.replace(/'/g, "&#x27;");
+}
+
+function getBaseUrl(c: any): string {
+	if (process.env.GEARBOX_URL) return process.env.GEARBOX_URL.replace(/\/$/, "");
+	return new URL(c.req.url).origin;
+}
+
+function renderLoginForm(params: {
+	clientName: string;
+	clientId: string;
+	redirectUri: string;
+	codeChallenge: string;
+	codeChallengeMethod: string;
+	state: string;
+	error?: string;
+}): string {
+	const errorHtml = params.error
+		? `<div style="background:#fef2f2;border:1px solid #fca5a5;color:#dc2626;padding:12px;border-radius:8px;margin-bottom:16px;font-size:14px;">${escapeHtml(params.error)}</div>`
+		: "";
+
+	return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>Authorize - GearBox</title>
+<style>
+  * { margin: 0; padding: 0; box-sizing: border-box; }
+  body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif; background: #f9fafb; display: flex; align-items: center; justify-content: center; min-height: 100vh; }
+  .card { background: #fff; border-radius: 12px; box-shadow: 0 1px 3px rgba(0,0,0,0.1); padding: 32px; width: 100%; max-width: 400px; }
+  h1 { font-size: 24px; font-weight: 700; text-align: center; margin-bottom: 8px; }
+  .subtitle { text-align: center; color: #6b7280; margin-bottom: 24px; font-size: 14px; }
+  label { display: block; font-size: 14px; font-weight: 500; margin-bottom: 4px; color: #374151; }
+  input[type="text"], input[type="password"] { width: 100%; padding: 10px 12px; border: 1px solid #d1d5db; border-radius: 8px; font-size: 14px; margin-bottom: 16px; }
+  button { width: 100%; padding: 10px; background: #2563eb; color: #fff; border: none; border-radius: 8px; font-size: 14px; font-weight: 600; cursor: pointer; }
+  button:hover { background: #1d4ed8; }
+</style>
+</head>
+<body>
+<div class="card">
+  <h1>GearBox</h1>
+  <p class="subtitle">Authorize ${escapeHtml(params.clientName)} to access your data</p>
+  ${errorHtml}
+  <form method="POST" action="/oauth/authorize">
+    <label for="username">Username</label>
+    <input type="text" id="username" name="username" required>
+    <label for="password">Password</label>
+    <input type="password" id="password" name="password" required>
+    <input type="hidden" name="client_id" value="${escapeHtml(params.clientId)}">
+    <input type="hidden" name="redirect_uri" value="${escapeHtml(params.redirectUri)}">
+    <input type="hidden" name="code_challenge" value="${escapeHtml(params.codeChallenge)}">
+    <input type="hidden" name="code_challenge_method" value="${escapeHtml(params.codeChallengeMethod)}">
+    <input type="hidden" name="state" value="${escapeHtml(params.state)}">
+    <button type="submit">Authorize</button>
+  </form>
+</div>
+</body>
+</html>`;
+}
+
+// ── Well-Known Route ────────────────────────────────────────────────
+
+export const wellKnownRoute = new Hono<Env>();
+
+wellKnownRoute.get("/oauth-authorization-server", (c) => {
+	const baseUrl = getBaseUrl(c);
+	return c.json({
+		issuer: baseUrl,
+		authorization_endpoint: `${baseUrl}/oauth/authorize`,
+		token_endpoint: `${baseUrl}/oauth/token`,
+		registration_endpoint: `${baseUrl}/oauth/register`,
+		response_types_supported: ["code"],
+		grant_types_supported: ["authorization_code", "refresh_token"],
+		code_challenge_methods_supported: ["S256"],
+		token_endpoint_auth_methods_supported: ["none"],
+	});
+});
+
+// ── OAuth Routes ────────────────────────────────────────────────────
+
+export const oauthRoutes = new Hono<Env>();
+
+// POST /register — Dynamic Client Registration (RFC 7591)
+oauthRoutes.post("/register", async (c) => {
+	const db = c.get("db") ?? prodDb;
+	const body = await c.req.json();
+
+	if (
+		!body.redirect_uris ||
+		!Array.isArray(body.redirect_uris) ||
+		body.redirect_uris.length === 0
+	) {
+		return c.json({ error: "redirect_uris is required and must be a non-empty array" }, 400);
+	}
+
+	const clientName = body.client_name || "Unknown Client";
+	const { clientId } = registerClient(db, clientName, body.redirect_uris);
+
+	return c.json(
+		{
+			client_id: clientId,
+			client_name: clientName,
+			redirect_uris: body.redirect_uris,
+		},
+		201,
+	);
+});
+
+// GET /authorize — Show HTML login form
+oauthRoutes.get("/authorize", async (c) => {
+	const db = c.get("db") ?? prodDb;
+
+	const responseType = c.req.query("response_type");
+	const clientId = c.req.query("client_id");
+	const redirectUri = c.req.query("redirect_uri");
+	const codeChallenge = c.req.query("code_challenge");
+	const codeChallengeMethod = c.req.query("code_challenge_method");
+	const state = c.req.query("state") ?? "";
+
+	if (responseType !== "code") {
+		return c.json({ error: "response_type must be 'code'" }, 400);
+	}
+	if (!clientId || !redirectUri || !codeChallenge || !codeChallengeMethod) {
+		return c.json({ error: "Missing required parameters" }, 400);
+	}
+
+	const client = getClient(db, clientId);
+	if (!client) {
+		return c.json({ error: "Unknown client_id" }, 400);
+	}
+
+	const allowedUris: string[] = JSON.parse(client.redirectUris);
+	if (!allowedUris.includes(redirectUri)) {
+		return c.json({ error: "redirect_uri not allowed" }, 400);
+	}
+
+	return c.html(
+		renderLoginForm({
+			clientName: client.clientName,
+			clientId,
+			redirectUri,
+			codeChallenge,
+			codeChallengeMethod,
+			state,
+		}),
+	);
+});
+
+// POST /authorize — Process login form
+oauthRoutes.post("/authorize", async (c) => {
+	const db = c.get("db") ?? prodDb;
+	const body = await c.req.parseBody();
+
+	const username = body.username as string;
+	const password = body.password as string;
+	const clientId = body.client_id as string;
+	const redirectUri = body.redirect_uri as string;
+	const codeChallenge = body.code_challenge as string;
+	const codeChallengeMethod = body.code_challenge_method as string;
+	const state = (body.state as string) ?? "";
+
+	const user = await verifyPassword(db, username, password);
+	if (!user) {
+		const client = getClient(db, clientId);
+		return c.html(
+			renderLoginForm({
+				clientName: client?.clientName ?? "Unknown",
+				clientId,
+				redirectUri,
+				codeChallenge,
+				codeChallengeMethod,
+				state,
+				error: "Invalid username or password",
+			}),
+		);
+	}
+
+	const { code } = createAuthorizationCode(
+		db,
+		clientId,
+		codeChallenge,
+		codeChallengeMethod,
+		redirectUri,
+	);
+
+	const url = new URL(redirectUri);
+	url.searchParams.set("code", code);
+	if (state) url.searchParams.set("state", state);
+
+	return c.redirect(url.toString(), 302);
+});
+
+// POST /token — Token exchange
+oauthRoutes.post("/token", async (c) => {
+	const db = c.get("db") ?? prodDb;
+	const body = await c.req.parseBody();
+
+	const grantType = body.grant_type as string;
+
+	// Opportunistic cleanup
+	cleanExpiredOAuthData(db);
+
+	if (grantType === "authorization_code") {
+		const code = body.code as string;
+		const codeVerifier = body.code_verifier as string;
+		const clientId = body.client_id as string;
+		const redirectUri = body.redirect_uri as string;
+
+		const result = await exchangeCode(db, code, codeVerifier, clientId, redirectUri);
+		if (!result) {
+			return c.json({ error: "invalid_grant" }, 400);
+		}
+
+		return c.json({
+			access_token: result.accessToken,
+			refresh_token: result.refreshToken,
+			token_type: "Bearer",
+			expires_in: result.expiresIn,
+		});
+	}
+
+	if (grantType === "refresh_token") {
+		const refreshToken = body.refresh_token as string;
+		const clientId = body.client_id as string;
+
+		const result = await refreshAccessToken(db, refreshToken, clientId);
+		if (!result) {
+			return c.json({ error: "invalid_grant" }, 400);
+		}
+
+		return c.json({
+			access_token: result.accessToken,
+			refresh_token: result.refreshToken,
+			token_type: "Bearer",
+			expires_in: result.expiresIn,
+		});
+	}
+
+	return c.json({ error: "unsupported_grant_type" }, 400);
+});