Class: Rubino::OAuth::ConnectionRepository

Inherits:

Object

• Object
• Rubino::OAuth::ConnectionRepository

Defined in:

lib/rubino/oauth/connection_repository.rb

Overview

Persistence for OAuth connections backed by the oauth_connections table. Tokens are encrypted on write and decrypted on read through TokenEncryptor, so every hash returned by this repository carries plaintext :access_token/:refresh_token alongside parsed :scopes (Array) and :metadata (Hash) — callers never deal with ciphertext or raw JSON columns.

#upsert is keyed on (provider, account_id): re-authenticating the same provider account updates the existing row in place (preserving its id and created_at) rather than duplicating.

Instance Method Summary

• #destroy!(id) ⇒ Object
• #find(id) ⇒ Object
• #first_for_provider(provider) ⇒ Object
• #for_provider(provider) ⇒ Object
• #initialize(db: nil, encryptor: nil) ⇒ ConnectionRepository constructor

  A new instance of ConnectionRepository.

• #list ⇒ Object
• #upsert(provider:, account_id:, access_token:, account_email: nil, refresh_token: nil, expires_at: nil, scopes: [], metadata: {}) ⇒ Hash

  Insert or update a connection identified by (provider, account_id).

Constructor Details

#initialize(db: nil, encryptor: nil) ⇒ ConnectionRepository

Returns a new instance of ConnectionRepository.

# File 'lib/rubino/oauth/connection_repository.rb', line 20

def initialize(db: nil, encryptor: nil)
  @db = db || Rubino.database.db
  @encryptor = encryptor || TokenEncryptor.from_env
end

Instance Method Details

#destroy!(id) ⇒ Object

# File 'lib/rubino/oauth/connection_repository.rb', line 77

def destroy!(id)
  @db[:oauth_connections].where(id: id).delete
end

#find(id) ⇒ Object

# File 'lib/rubino/oauth/connection_repository.rb', line 60

def find(id)
  row = @db[:oauth_connections].where(id: id).first
  decrypt(row)
end

#first_for_provider(provider) ⇒ Object

# File 'lib/rubino/oauth/connection_repository.rb', line 69

def first_for_provider(provider)
  decrypt(@db[:oauth_connections].where(provider: provider.to_s).order(:created_at).first)
end

#for_provider(provider) ⇒ Object

# File 'lib/rubino/oauth/connection_repository.rb', line 65

def for_provider(provider)
  @db[:oauth_connections].where(provider: provider.to_s).order(:created_at).map { |r| decrypt(r) }
end

#list ⇒ Object

# File 'lib/rubino/oauth/connection_repository.rb', line 73

def list
  @db[:oauth_connections].order(:provider, :created_at).map { |r| decrypt(r) }
end

#upsert(provider:, account_id:, access_token:, account_email: nil, refresh_token: nil, expires_at: nil, scopes: [], metadata: {}) ⇒ Hash

Insert or update a connection identified by (provider, account_id). Tokens are encrypted before they hit the database.

Returns:

• (Hash) —

  the freshly-decrypted row as returned by #find: includes all schema columns plus plaintext :access_token and :refresh_token, :scopes (Array<String>) and :metadata (Hash). The :access_token/:refresh_token values are sensitive — never log them.

# File 'lib/rubino/oauth/connection_repository.rb', line 33

def upsert(provider:, account_id:, access_token:, account_email: nil, refresh_token: nil, expires_at: nil,
           scopes: [], metadata: {})
  now = Time.now.utc.iso8601
  existing = @db[:oauth_connections].where(provider: provider.to_s, account_id: account_id.to_s).first
  id = existing ? existing[:id] : SecureRandom.uuid

  attrs = {
    id: id,
    provider: provider.to_s,
    account_id: account_id.to_s,
    account_email: account_email,
    access_token: @encryptor.encrypt(access_token),
    refresh_token: @encryptor.encrypt(refresh_token),
    expires_at: expires_at,
    scopes_json: JSON.generate(scopes),
    metadata_json: JSON.generate(metadata),
    updated_at: now
  }

  if existing
    @db[:oauth_connections].where(id: id).update(attrs)
  else
    @db[:oauth_connections].insert(attrs.merge(created_at: now))
  end
  find(id)
end