feat: surface per-user credentials to feed source providers

Add credentials parameter to FeedSourceProvider.feedSourceForUser so providers can receive decrypted per-user credentials (OAuth tokens, passwords) from the user_sources table. Wire CredentialEncryptor into UserSessionManager to handle encrypt/decrypt. Providers receive plaintext and handle validation internally. Existing providers ignore the new parameter. Co-authored-by: Ona <no-reply@ona.com>
2026-04-08 11:01:17 +01:00 · 2026-04-05 13:50:00 +00:00
parent bfc25fa704
commit 5cadb878ea
11 changed files with 452 additions and 20 deletions
--- a/apps/aelis-backend/src/sources/errors.ts
+++ b/apps/aelis-backend/src/sources/errors.ts
@@ -24,3 +24,26 @@ export class InvalidSourceConfigError extends Error {
 		this.sourceId = sourceId
 	}
 }
+
+/**
+ * Thrown by providers when credentials fail validation.
+ */
+export class InvalidSourceCredentialsError extends Error {
+	readonly sourceId: string
+
+	constructor(sourceId: string, summary: string) {
+		super(summary)
+		this.name = "InvalidSourceCredentialsError"
+		this.sourceId = sourceId
+	}
+}
+
+/**
+ * Thrown when credential storage is not configured (missing encryption key).
+ */
+export class CredentialStorageUnavailableError extends Error {
+	constructor() {
+		super("Credential storage is not configured")
+		this.name = "CredentialStorageUnavailableError"
+	}
+}