fix(auth): split Github App from connection (#3946)

## Changes

Fixes https://linear.app/nango/issue/NAN-2935/app-client

- Split Github App from connection.service.ts
No logic change. Just removing some unrelated code from the model
This one is a bit all over the place, unfortunately

    
<!-- This is an auto-generated description by mrge. -->
---

## Summary by mrge
Moved Github App authentication logic out of connection.service.ts into
a new githubApp.ts file for better separation. No logic changes were
made.

<!-- End of auto-generated description by mrge. -->

Author: bodinsamuel

docs-v2/integrations/all/docuware/connect.mdx

@@ -8,7 +8,7 @@ sidebarTitle: DocuWare
 
 To authenticate with DocuWare, you will need:
 1. **Domain** - The domain to your DocuWare account.
-2. **Username** - The username used to log in to your DocuWare account. 
+2. **Username** - The username used to log in to your DocuWare account.
 3. **Password** - The password associated with the above DocuWare account.
 
 

packages/server/lib/controllers/appAuth.controller.ts

@@ -1,7 +1,7 @@
 import db from '@nangohq/database';
 import { logContextGetter } from '@nangohq/logs';
-import { configService, connectionService, environmentService, errorManager, getProvider, linkConnection } from '@nangohq/shared';
-import { stringifyError } from '@nangohq/utils';
+import { configService, connectionService, environmentService, errorManager, getProvider, githubAppClient, linkConnection } from '@nangohq/shared';
+import { report, stringifyError } from '@nangohq/utils';
 
 import publisher from '../clients/publisher.client.js';
 import { connectionCreated as connectionCreatedHook, connectionCreationFailed as connectionCreationFailedHook } from '../hooks/hooks.js';
@@ -11,7 +11,7 @@ import { missesInterpolationParam } from '../utils/utils.js';
 import * as WSErrBuilder from '../utils/web-socket-error.js';
 
 import type { ConnectSessionAndEndUser } from '../services/connectSession.service.js';
-import type { AuthCredentials, NangoError } from '@nangohq/shared';
+import type { ProviderGithubApp } from '@nangohq/types';
 import type { NextFunction, Request, Response } from 'express';
 
 class AppAuthController {
@@ -125,36 +125,19 @@ class AppAuthController {
                 return;
             }
 
-            const { success, error, response: credentials } = await connectionService.getAppCredentials(provider, config, connectionConfig);
-
-            if (!success || !credentials) {
-                void logCtx.error('Error during app token retrieval call', { error });
+            const credentialsRes = await githubAppClient.createCredentials({ provider: provider as ProviderGithubApp, integration: config, connectionConfig });
+            if (credentialsRes.isErr()) {
+                report(credentialsRes.error);
+                void logCtx.error('Error during Github App credentials creation', { error: credentialsRes.error });
                 await logCtx.failed();
-
-                void connectionCreationFailedHook(
-                    {
-                        connection: { connection_id: connectionId, provider_config_key: providerConfigKey },
-                        environment,
-                        account,
-                        auth_mode: 'APP',
-                        error: {
-                            type: 'unknown',
-                            description: `Error during app token retrieval call: ${error?.message}`
-                        },
-                        operation: 'unknown'
-                    },
-                    account,
-                    config
-                );
-
-                await publisher.notifyErr(res, wsClientId, providerConfigKey, connectionId, error as NangoError);
+                await publisher.notifyErr(res, wsClientId, providerConfigKey, connectionId, credentialsRes.error);
                 return;
             }
 
             const [updatedConnection] = await connectionService.upsertConnection({
                 connectionId,
                 providerConfigKey,
-                parsedRawCredentials: credentials as unknown as AuthCredentials,
+                parsedRawCredentials: credentialsRes.value,
                 connectionConfig,
                 environmentId: environment.id
             });

packages/server/lib/controllers/connection.controller.ts

@@ -1,6 +1,6 @@
 import db from '@nangohq/database';
 import { logContextGetter } from '@nangohq/logs';
-import { NangoError, accountService, configService, connectionService, errorManager, getProvider } from '@nangohq/shared';
+import { NangoError, accountService, configService, connectionService, errorManager, getProvider, githubAppClient } from '@nangohq/shared';
 
 import { NANGO_ADMIN_UUID } from './account.controller.js';
 import { preConnectionDeletion } from '../hooks/connection/on/connection-deleted.js';
@@ -13,8 +13,16 @@ import { slackService } from '../services/slack.js';
 import { getOrchestrator } from '../utils/utils.js';
 
 import type { RequestLocals } from '../utils/express.js';
-import type { AuthCredentials, ConnectionUpsertResponse, OAuth2Credentials } from '@nangohq/shared';
-import type { ApiKeyCredentials, BasicApiCredentials, ConnectionConfig, OAuth1Credentials, OAuth2ClientCredentials, TbaCredentials } from '@nangohq/types';
+import type { ConnectionUpsertResponse, OAuth2Credentials } from '@nangohq/shared';
+import type {
+    ApiKeyCredentials,
+    BasicApiCredentials,
+    ConnectionConfig,
+    OAuth1Credentials,
+    OAuth2ClientCredentials,
+    ProviderGithubApp,
+    TbaCredentials
+} from '@nangohq/types';
 import type { NextFunction, Request, Response } from 'express';
 
 const orchestrator = getOrchestrator();
@@ -494,17 +502,20 @@ class ConnectionController {
                     return;
                 }
 
-                const { success, error, response: credentials } = await connectionService.getAppCredentials(provider, config, connectionConfig);
-
-                if (!success || !credentials) {
-                    errorManager.errResFromNangoErr(res, error);
+                const credentialsRes = await githubAppClient.createCredentials({
+                    provider: provider as ProviderGithubApp,
+                    integration: config,
+                    connectionConfig
+                });
+                if (credentialsRes.isErr()) {
+                    errorManager.errResFromNangoErr(res, credentialsRes.error);
                     return;
                 }
 
                 const [imported] = await connectionService.upsertConnection({
                     connectionId,
                     providerConfigKey: provider_config_key,
-                    parsedRawCredentials: credentials as unknown as AuthCredentials,
+                    parsedRawCredentials: credentialsRes.value,
                     connectionConfig,
                     environmentId: environment.id,
                     metadata

packages/server/lib/controllers/oauth.controller.ts

@@ -44,7 +44,7 @@ import type { ConnectSessionAndEndUser } from '../services/connectSession.servic
 import type { RequestLocals } from '../utils/express.js';
 import type { LogContext } from '@nangohq/logs';
 import type { Config as ProviderConfig, ConnectionUpsertResponse, OAuth1RequestTokenResult, OAuth2Credentials, OAuthSession } from '@nangohq/shared';
-import type { ConnectionConfig, DBEnvironment, DBTeam, Provider, ProviderOAuth2 } from '@nangohq/types';
+import type { ConnectionConfig, DBEnvironment, DBTeam, Provider, ProviderGithubApp, ProviderOAuth2 } from '@nangohq/types';
 import type { NextFunction, Request, Response } from 'express';
 
 class OAuthController {
@@ -1188,7 +1188,20 @@ class OAuthController {
                         { initiateSync: true, runPostConnectionScript: false }
                     );
                 };
-                await connectionService.getAppCredentialsAndFinishConnection(connectionId, config, provider, connectionConfig, logCtx, connCreatedHook);
+                const createRes = await connectionService.getAppCredentialsAndFinishConnection(
+                    connectionId,
+                    config,
+                    provider as unknown as ProviderGithubApp,
+                    connectionConfig,
+                    logCtx,
+                    connCreatedHook
+                );
+                if (createRes.isErr()) {
+                    void logCtx.error('Failed to create credentials');
+                    await logCtx.failed();
+                    await publisher.notifyErr(res, channel, providerConfigKey, connectionId, WSErrBuilder.UnknownError('failed to create credentials'));
+                    return;
+                }
             }
 
             await logCtx.success();

packages/server/lib/webhook/github-app-oauth-webhook-routing.ts

@@ -10,7 +10,7 @@ import { connectionCreated as connectionCreatedHook } from '../hooks/hooks.js';
 import type { WebhookHandler } from './types.js';
 import type { LogContextGetter } from '@nangohq/logs';
 import type { Config as ProviderConfig, ConnectionUpsertResponse } from '@nangohq/shared';
-import type { ConnectionConfig } from '@nangohq/types';
+import type { ConnectionConfig, ProviderGithubApp } from '@nangohq/types';
 
 const logger = getLogger('Webhook.GithubAppOauth');
 
@@ -116,7 +116,7 @@ async function handleCreateWebhook(integration: ProviderConfig, body: any, logCo
         await connectionService.getAppCredentialsAndFinishConnection(
             connection.connection_id,
             integration,
-            provider,
+            provider as ProviderGithubApp,
             connectionConfig,
             logCtx,
             connCreatedHook

packages/shared/lib/auth/githubApp.ts

@@ -0,0 +1,69 @@
+import { Err, Ok } from '@nangohq/utils';
+
+import * as jwtClient from './jwt.js';
+import { AuthCredentialsError } from '../utils/error.js';
+import { interpolateStringFromObject } from '../utils/utils.js';
+
+import type { AppCredentials, ConnectionConfig, IntegrationConfig, ProviderGithubApp } from '@nangohq/types';
+import type { Result } from '@nangohq/utils';
+
+/**
+ * Create Github APP credentials
+ */
+export async function createCredentials({
+    provider,
+    integration,
+    connectionConfig
+}: {
+    provider: ProviderGithubApp;
+    integration: IntegrationConfig;
+    connectionConfig: ConnectionConfig;
+}): Promise<Result<AppCredentials, AuthCredentialsError>> {
+    try {
+        const tokenUrl = interpolateStringFromObject(provider.token_url, { connectionConfig });
+        const privateKeyBase64 = integration.custom ? integration.custom['private_key'] : integration.oauth_client_secret;
+
+        const privateKey = Buffer.from(privateKeyBase64 as string, 'base64').toString('utf8');
+
+        const headers = {
+            Accept: 'application/vnd.github.v3+json'
+        };
+
+        const now = Math.floor(Date.now() / 1000);
+        const expiration = now + 10 * 60;
+
+        const payload: Record<string, string | number> = {
+            iat: now,
+            exp: expiration,
+            iss: (integration.custom ? integration.custom['app_id'] : integration.oauth_client_id) as string
+        };
+
+        if (!payload['iss'] && connectionConfig['app_id']) {
+            payload['iss'] = connectionConfig['app_id'];
+        }
+
+        const create = await jwtClient.createCredentialsFromURL({
+            privateKey,
+            url: tokenUrl,
+            payload,
+            additionalApiHeaders: headers,
+            options: { algorithm: 'RS256' }
+        });
+
+        if (create.isErr()) {
+            return Err(create.error);
+        }
+
+        const rawCredentials = create.value;
+        const credentials: AppCredentials = {
+            type: 'APP',
+            access_token: rawCredentials.token!,
+            expires_at: rawCredentials.expires_at,
+            raw: rawCredentials
+        };
+
+        return Ok(credentials);
+    } catch (err) {
+        return Err(new AuthCredentialsError('github_app_token_fetch_error', { cause: err }));
+    }
+}

packages/shared/lib/index.ts

@@ -20,6 +20,7 @@ import errorManager, { ErrorSourceEnum } from './utils/error.manager.js';
 export { productTracking } from './utils/productTracking.js';
 export * as appleAppStoreClient from './auth/appleAppStore.js';
 export * as billClient from './auth/bill.js';
+export * as githubAppClient from './auth/githubApp.js';
 export * as jwtClient from './auth/jwt.js';
 export * as signatureClient from './auth/signature.js';
 export * as tableauClient from './auth/tableau.js';

packages/shared/lib/models/Auth.ts

@@ -70,6 +70,7 @@ export type AuthCredentials =
     | JwtCredentials
     | ApiKeyCredentials
     | BasicApiCredentials
+    | AppCredentials
     | AppStoreCredentials;
 
 export interface AppCredentials {