apsinghdev
diff --git a/‎apps/api/src/prisma.ts‎
Lines changed: 85 additions & 4 deletions b/‎apps/api/src/prisma.ts‎
Lines changed: 85 additions & 4 deletions
diff --git a/‎apps/api/src/routers/auth.ts‎
Lines changed: 43 additions & 2 deletions b/‎apps/api/src/routers/auth.ts‎
Lines changed: 43 additions & 2 deletions
diff --git a/‎apps/api/src/services/auth.service.ts‎
Lines changed: 138 additions & 2 deletions b/‎apps/api/src/services/auth.service.ts‎
Lines changed: 138 additions & 2 deletions
@@ -1,23 +1,105 @@
 import { PrismaClient } from "@prisma/client";
 import dotenv from "dotenv";
+import {
+  encryptAccountTokens,
+  decryptAccountTokens,
+} from "./utils/encryption.js";
 
 dotenv.config();
 
-const prisma = new PrismaClient({
+const basePrisma = new PrismaClient({
   datasources: {
     db: {
       url: process.env.DATABASE_URL!,
     },
   },
-  log: ['error', 'warn'],
+  log: ["error", "warn"],
+});
+
+/**
+ * Prisma Client Extension for automatic token encryption/decryption
+ * Encrypts sensitive OAuth tokens before storing and decrypts when reading
+ */
+const prisma = basePrisma.$extends({
+  query: {
+    account: {
+      async create({ args, query }) {
+        args.data = encryptAccountTokens(args.data);
+        const result = await query(args);
+        return decryptAccountTokens(result);
+      },
+      async update({ args, query }) {
+        args.data = encryptAccountTokens(args.data);
+        const result = await query(args);
+        return decryptAccountTokens(result);
+      },
+      async upsert({ args, query }) {
+        args.create = encryptAccountTokens(args.create);
+        args.update = encryptAccountTokens(args.update);
+        const result = await query(args);
+        return decryptAccountTokens(result);
+      },
+      async findUnique({ args, query }) {
+        const result = await query(args);
+        return decryptAccountTokens(result);
+      },
+      async findFirst({ args, query }) {
+        const result = await query(args);
+        return decryptAccountTokens(result);
+      },
+      async findMany({ args, query }) {
+        const result = await query(args);
+        return result?.map((account: any) => decryptAccountTokens(account));
+      },
+    },
+    user: {
+      // Decrypt nested accounts in user queries
+      async findUnique({ args, query }) {
+        const result = await query(args);
+        if (result?.accounts) {
+          result.accounts = Array.isArray(result.accounts)
+            ? result.accounts.map((account: any) =>
+                decryptAccountTokens(account)
+              )
+            : decryptAccountTokens(result.accounts);
+        }
+        return result;
+      },
+      async findFirst({ args, query }) {
+        const result = await query(args);
+        if (result?.accounts) {
+          result.accounts = Array.isArray(result.accounts)
+            ? result.accounts.map((account: any) =>
+                decryptAccountTokens(account)
+              )
+            : decryptAccountTokens(result.accounts);
+        }
+        return result;
+      },
+      async findMany({ args, query }) {
+        const result = await query(args);
+        return result?.map((user: any) => {
+          if (user?.accounts) {
+            user.accounts = user.accounts.map((account: any) =>
+              decryptAccountTokens(account)
+            );
+          }
+          return user;
+        });
+      },
+    },
+  },
 });
 
 const withTimeout = async <T>(
   operation: Promise<T>,
   timeoutMs: number = 5000
 ): Promise<T> => {
   const timeoutPromise = new Promise<never>((_, reject) => {
-    setTimeout(() => reject(new Error('Database operation timed out')), timeoutMs);
+    setTimeout(
+      () => reject(new Error("Database operation timed out")),
+      timeoutMs
+    );
   });
 
   return Promise.race([operation, timeoutPromise]);
@@ -33,6 +115,5 @@ async function connectDB() {
   }
 }
 
-
 export { withTimeout };
 export default { prisma, connectDB };
@@ -2,11 +2,19 @@ import { router, publicProcedure, protectedProcedure } from "../trpc.js";
 import { z } from "zod";
 import { TRPCError } from "@trpc/server";
 import { authService } from "../services/auth.service.js";
+import { generateToken } from "../utils/auth.js";
 
 const googleAuthSchema = z.object({
-  email: z.string().email("Invalid email format"),
+  email: z.email("Invalid email format"),
   firstName: z.string().optional(),
   authMethod: z.string().optional(),
+  providerAccountId: z.string().optional(),
+  access_token: z.string().optional(),
+  refresh_token: z.string().optional(),
+  id_token: z.string().optional(),
+  expires_at: z.number().optional(),
+  token_type: z.string().optional(),
+  scope: z.string().optional(),
 });
 
 export const authRouter = router({
@@ -19,7 +27,35 @@ export const authRouter = router({
           firstName: input.firstName,
           authMethod: input.authMethod,
         };
-        return await authService.handleGoogleAuth(ctx.db.prisma, authInput);
+        const authResult = await authService.handleGoogleAuth(
+          ctx.db.prisma,
+          authInput
+        );
+
+        // Store OAuth tokens (encrypted automatically) if present
+        if (input.providerAccountId) {
+          const oauthInput: any = {
+            userId: authResult.user.id,
+            provider: "google",
+            providerAccountId: input.providerAccountId,
+          };
+
+          // Only include defined values
+          if (input.access_token) oauthInput.access_token = input.access_token;
+          if (input.refresh_token)
+            oauthInput.refresh_token = input.refresh_token;
+          if (input.id_token) oauthInput.id_token = input.id_token;
+          if (input.expires_at) oauthInput.expires_at = input.expires_at;
+          if (input.token_type) oauthInput.token_type = input.token_type;
+          if (input.scope) oauthInput.scope = input.scope;
+
+          await authService.createOrUpdateOAuthAccount(
+            ctx.db.prisma,
+            oauthInput
+          );
+        }
+
+        return authResult;
       } catch (error) {
         if (process.env.NODE_ENV !== "production") {
           console.error("Google auth error:", error);
@@ -35,4 +71,9 @@ export const authRouter = router({
       return authService.getSession(ctx.user);
     }
   ),
+  generateJWT: publicProcedure
+    .input(z.object({ email: z.string() }))
+    .mutation(({ input }) => {
+      return { token: generateToken(input.email) };
+    }),
 });
@@ -1,18 +1,31 @@
 import { generateToken } from "../utils/auth.js";
-import { PrismaClient } from "@prisma/client";
+import type { PrismaClient } from "@prisma/client";
 
 interface GoogleAuthInput {
   email: string;
   firstName?: string | undefined;
   authMethod?: string | undefined;
 }
 
+interface OAuthAccountInput {
+  userId: string;
+  provider: string;
+  providerAccountId: string;
+  access_token?: string;
+  refresh_token?: string;
+  id_token?: string;
+  expires_at?: number;
+  token_type?: string;
+  scope?: string;
+  session_state?: string;
+}
+
 export const authService = {
   /**
    * Handle Google authentication
    * Creates or updates user and generates JWT token
    */
-  async handleGoogleAuth(prisma: PrismaClient, input: GoogleAuthInput) {
+  async handleGoogleAuth(prisma: any, input: GoogleAuthInput) {
     const { email, firstName, authMethod } = input;
 
     const user = await prisma.user.upsert({
@@ -36,6 +49,129 @@ export const authService = {
     };
   },
 
+  /**
+   * Create or update OAuth account with encrypted tokens
+   * Tokens (refresh_token, access_token, id_token) are automatically encrypted
+   * by Prisma Client Extension before storage
+   */
+  async createOrUpdateOAuthAccount(prisma: any, input: OAuthAccountInput) {
+    const {
+      userId,
+      provider,
+      providerAccountId,
+      access_token,
+      refresh_token,
+      id_token,
+      expires_at,
+      token_type,
+      scope,
+      session_state,
+    } = input;
+
+    // Tokens are automatically encrypted by Prisma Client Extension
+    // Build update/create objects dynamically to avoid undefined values
+    const updateData: any = {};
+    const createData: any = {
+      userId,
+      type: "oauth",
+      provider,
+      providerAccountId,
+    };
+
+    // Only include defined values to satisfy exactOptionalPropertyTypes
+    if (access_token !== undefined) {
+      updateData.access_token = access_token;
+      createData.access_token = access_token;
+    }
+    if (refresh_token !== undefined) {
+      updateData.refresh_token = refresh_token;
+      createData.refresh_token = refresh_token;
+    }
+    if (id_token !== undefined) {
+      updateData.id_token = id_token;
+      createData.id_token = id_token;
+    }
+    if (expires_at !== undefined) {
+      updateData.expires_at = expires_at;
+      createData.expires_at = expires_at;
+    }
+    if (token_type !== undefined) {
+      updateData.token_type = token_type;
+      createData.token_type = token_type;
+    }
+    if (scope !== undefined) {
+      updateData.scope = scope;
+      createData.scope = scope;
+    }
+    if (session_state !== undefined) {
+      updateData.session_state = session_state;
+      createData.session_state = session_state;
+    }
+
+    const account = await prisma.account.upsert({
+      where: {
+        provider_providerAccountId: {
+          provider,
+          providerAccountId,
+        },
+      },
+      update: updateData,
+      create: createData,
+    });
+
+    return account;
+  },
+
+  /**
+   * Get OAuth account with decrypted tokens
+   * Tokens are automatically decrypted by Prisma Client Extension when reading
+   */
+  async getOAuthAccount(
+    prisma: any,
+    provider: string,
+    providerAccountId: string
+  ) {
+    const account = await prisma.account.findUnique({
+      where: {
+        provider_providerAccountId: {
+          provider,
+          providerAccountId,
+        },
+      },
+    });
+
+    return account;
+  },
+
+  /**
+   * Get all OAuth accounts for a user with decrypted tokens
+   */
+  async getUserOAuthAccounts(prisma: any, userId: string) {
+    const accounts = await prisma.account.findMany({
+      where: { userId },
+    });
+
+    return accounts;
+  },
+
+  /**
+   * Delete OAuth account (e.g., when user disconnects provider)
+   */
+  async deleteOAuthAccount(
+    prisma: any,
+    provider: string,
+    providerAccountId: string
+  ) {
+    await prisma.account.delete({
+      where: {
+        provider_providerAccountId: {
+          provider,
+          providerAccountId,
+        },
+      },
+    });
+  },
+
   /**
    * Get user session information
    */