feat: surface per-user credentials to feed source providers

Add credentials parameter to FeedSourceProvider.feedSourceForUser so providers can receive decrypted per-user credentials (OAuth tokens, passwords) from the user_sources table. Wire CredentialEncryptor into UserSessionManager to handle encrypt/decrypt. Providers receive plaintext and handle validation internally. Existing providers ignore the new parameter. Co-authored-by: Ona <no-reply@ona.com>
2026-04-09 03:11:17 +01:00 · 2026-04-05 13:50:00 +00:00
parent bfc25fa704
commit 5cadb878ea
11 changed files with 452 additions and 20 deletions
--- a/apps/aelis-backend/src/sources/http.ts
+++ b/apps/aelis-backend/src/sources/http.ts
@@ -6,7 +6,12 @@ import { createMiddleware } from "hono/factory"
 import type { AuthSessionMiddleware } from "../auth/session-middleware.ts"
 import type { UserSessionManager } from "../session/index.ts"

-import { InvalidSourceConfigError, SourceNotFoundError } from "./errors.ts"
+import {
+	CredentialStorageUnavailableError,
+	InvalidSourceConfigError,
+	InvalidSourceCredentialsError,
+	SourceNotFoundError,
+} from "./errors.ts"

 type Env = {
 	Variables: {
@@ -48,6 +53,12 @@ export function registerSourcesHttpHandlers(
 	app.get("/api/sources/:sourceId", inject, authSessionMiddleware, handleGetSource)
 	app.patch("/api/sources/:sourceId", inject, authSessionMiddleware, handleUpdateSource)
 	app.put("/api/sources/:sourceId", inject, authSessionMiddleware, handleReplaceSource)
+	app.put(
+		"/api/sources/:sourceId/credentials",
+		inject,
+		authSessionMiddleware,
+		handleUpdateCredentials,
+	)
 }

 async function handleGetSource(c: Context<Env>) {
@@ -171,3 +182,43 @@ async function handleReplaceSource(c: Context<Env>) {

 	return c.body(null, 204)
 }
+
+async function handleUpdateCredentials(c: Context<Env>) {
+	const sourceId = c.req.param("sourceId")
+	if (!sourceId) {
+		return c.body(null, 404)
+	}
+
+	const sessionManager = c.get("sessionManager")
+
+	const provider = sessionManager.getProvider(sourceId)
+	if (!provider) {
+		return c.json({ error: `Source "${sourceId}" not found` }, 404)
+	}
+
+	let body: unknown
+	try {
+		body = await c.req.json()
+	} catch {
+		return c.json({ error: "Invalid JSON" }, 400)
+	}
+
+	const user = c.get("user")!
+
+	try {
+		await sessionManager.updateSourceCredentials(user.id, sourceId, body)
+	} catch (err) {
+		if (err instanceof SourceNotFoundError) {
+			return c.json({ error: err.message }, 404)
+		}
+		if (err instanceof InvalidSourceCredentialsError) {
+			return c.json({ error: err.message }, 400)
+		}
+		if (err instanceof CredentialStorageUnavailableError) {
+			return c.json({ error: err.message }, 503)
+		}
+		throw err
+	}
+
+	return c.body(null, 204)
+}