Merge pull request LF-Decentralized-Trust-labs#265 from DarshanCode2005/main

Fix Groups.io integration reliability: cookie refresh, error handling, and webhook validation

Author: RAWx18

backend/src/serverless/integrations/usecases/groupsio/types.ts

@@ -2,6 +2,7 @@ export interface GroupsioIntegrationData {
   email: string
   token: string
   groupNames: GroupName[]
+  password?: string // Optional: if provided, will be encrypted and stored for cookie refresh
 }
 
 export interface GroupsioGetToken {

backend/src/services/integrationService.ts

@@ -48,6 +48,7 @@ import {
   GroupsioGetToken,
   GroupsioVerifyGroup,
 } from '@/serverless/integrations/usecases/groupsio/types'
+import { encrypt, decrypt } from '../utils/crypto'
 import SearchSyncService from './searchSyncService'
 
 const discordToken = DISCORD_CONFIG.token || DISCORD_CONFIG.token2
@@ -1555,20 +1556,51 @@ export default class IntegrationService {
 
     // integration data should have the following fields
     // email, token, array of groups
-    // we shouldn't store password and 2FA token in the database
-    // user should update them every time thety change something
+    // password is optional - if provided, will be encrypted and stored for automatic cookie refresh
 
     try {
       this.options.log.info('Creating Groups.io integration!')
+
+      // Try to get existing integration to preserve encrypted password
+      let existingSettings: any = {}
+      try {
+        const existingIntegration = await IntegrationRepository.findByPlatform(PlatformType.GROUPSIO, {
+          ...this.options,
+          transaction,
+        })
+        existingSettings = existingIntegration?.settings || {}
+      } catch (err) {
+        // Integration doesn't exist yet, that's fine
+      }
+
+      // Prepare settings
+      const settings: any = {
+        email: integrationData.email,
+        token: integrationData.token,
+        groups: integrationData.groupNames,
+        updateMemberAttributes: true,
+        lastTokenRefresh: Date.now(),
+      }
+
+      // Encrypt and store password if provided
+      if (integrationData.password) {
+        const encryptionKey = process.env.GROUPSIO_ENCRYPTION_KEY || process.env.ENCRYPTION_KEY || 'default-key-change-in-production'
+        try {
+          settings.encryptedPassword = encrypt(integrationData.password, encryptionKey)
+          this.options.log.info('Password encrypted and stored for Groups.io integration')
+        } catch (encryptErr) {
+          this.options.log.error(encryptErr, 'Failed to encrypt password for Groups.io integration')
+          // Continue without storing password - user will need to re-authenticate manually
+        }
+      } else if (existingSettings?.encryptedPassword) {
+        // Preserve existing encrypted password if not updating
+        settings.encryptedPassword = existingSettings.encryptedPassword
+      }
+
       integration = await this.createOrUpdate(
         {
           platform: PlatformType.GROUPSIO,
-          settings: {
-            email: integrationData.email,
-            token: integrationData.token,
-            groups: integrationData.groupNames,
-            updateMemberAttributes: true,
-          },
+          settings,
           status: 'in-progress',
         },
         transaction,
@@ -1619,16 +1651,47 @@ export default class IntegrationService {
       response = await axios(config)
 
       // we need to get cookie from the response
+      if (!response.headers['set-cookie'] || !response.headers['set-cookie'][0]) {
+        this.options.log.error({ email: data.email }, 'No set-cookie header in Groups.io login response')
+        throw new Error400(this.options.language, 'errors.groupsio.invalidCredentials')
+      }
 
       const cookie = response.headers['set-cookie'][0].split(';')[0]
 
+      if (!cookie) {
+        this.options.log.error({ email: data.email }, 'Invalid cookie format in Groups.io login response')
+        throw new Error400(this.options.language, 'errors.groupsio.invalidCredentials')
+      }
+
       return {
         groupsioCookie: cookie,
       }
     } catch (err) {
-      if ('two_factor_required' in response.data) {
-        throw new Error400(this.options.language, 'errors.groupsio.twoFactorRequired')
+      // Check if it's an axios error with response data
+      if (err.response && err.response.data) {
+        if ('two_factor_required' in err.response.data) {
+          throw new Error400(this.options.language, 'errors.groupsio.twoFactorRequired')
+        }
+        // Check for other specific error messages
+        if (err.response.status === 401 || err.response.status === 403) {
+          this.options.log.error(
+            { email: data.email, status: err.response.status },
+            'Authentication failed for Groups.io login',
+          )
+          throw new Error400(this.options.language, 'errors.groupsio.invalidCredentials')
+        }
       }
+
+      // If it's already an Error400, re-throw it
+      if (err instanceof Error400) {
+        throw err
+      }
+
+      // For network errors or other unexpected errors
+      this.options.log.error(
+        { email: data.email, error: err.message },
+        'Unexpected error during Groups.io login',
+      )
       throw new Error400(this.options.language, 'errors.groupsio.invalidCredentials')
     }
   }
@@ -1657,4 +1720,114 @@ export default class IntegrationService {
       throw new Error400(this.options.language, 'errors.groupsio.invalidGroup')
     }
   }
+
+  /**
+   * Refreshes the Groups.io cookie for an integration using stored credentials
+   * @param integrationId - The integration ID to refresh the cookie for
+   * @returns The new cookie string
+   * @throws Error400 if credentials are missing, decryption fails, or authentication fails
+   */
+  async refreshGroupsioCookie(integrationId: string): Promise<string> {
+    this.options.log.info({ integrationId }, 'Refreshing Groups.io cookie')
+
+    // Get the integration
+    const integration = await IntegrationRepository.findById(integrationId, this.options)
+    if (!integration) {
+      throw new Error404(this.options.language, 'errors.integration.notFound')
+    }
+
+    const settings = integration.settings as any
+    if (!settings) {
+      throw new Error400(this.options.language, 'errors.groupsio.invalidSettings')
+    }
+
+    // Check if we have encrypted password
+    if (!settings.encryptedPassword) {
+      this.options.log.error(
+        { integrationId },
+        'Cannot refresh Groups.io cookie: no encrypted password stored',
+      )
+      throw new Error400(
+        this.options.language,
+        'errors.groupsio.noStoredCredentials',
+        'No stored credentials available. Please reconnect the integration.',
+      )
+    }
+
+    if (!settings.email) {
+      throw new Error400(this.options.language, 'errors.groupsio.missingEmail')
+    }
+
+    // Decrypt password
+    const encryptionKey = process.env.GROUPSIO_ENCRYPTION_KEY || process.env.ENCRYPTION_KEY || 'default-key-change-in-production'
+    let password: string
+    try {
+      password = decrypt(settings.encryptedPassword, encryptionKey)
+    } catch (decryptErr) {
+      this.options.log.error(decryptErr, { integrationId }, 'Failed to decrypt Groups.io password')
+      throw new Error400(
+        this.options.language,
+        'errors.groupsio.decryptionFailed',
+        'Failed to decrypt stored credentials. Please reconnect the integration.',
+      )
+    }
+
+    // Get new token
+    let newCookie: string
+    try {
+      const tokenResult = await this.groupsioGetToken({
+        email: settings.email,
+        password,
+      })
+      newCookie = tokenResult.groupsioCookie
+    } catch (err) {
+      // Check if it's a 2FA error
+      if (err instanceof Error400 && err.message?.includes('twoFactorRequired')) {
+        this.options.log.warn(
+          { integrationId },
+          'Groups.io cookie refresh failed: 2FA required. Integration needs manual update.',
+        )
+        throw new Error400(
+          this.options.language,
+          'errors.groupsio.twoFactorRequired',
+          'Two-factor authentication is required. Please reconnect the integration with your 2FA code.',
+        )
+      }
+
+      this.options.log.error(err, { integrationId }, 'Failed to refresh Groups.io cookie')
+      throw new Error400(
+        this.options.language,
+        'errors.groupsio.refreshFailed',
+        'Failed to refresh authentication. Please check your credentials and reconnect the integration.',
+      )
+    }
+
+    // Update integration settings with new cookie
+    const transaction = await SequelizeRepository.createTransaction(this.options)
+    try {
+      await this.update(
+        integrationId,
+        {
+          settings: {
+            ...settings,
+            token: newCookie,
+            lastTokenRefresh: Date.now(),
+          },
+        },
+        transaction,
+      )
+      await SequelizeRepository.commitTransaction(transaction)
+
+      this.options.log.info(
+        { integrationId, refreshTime: new Date().toISOString() },
+        'Groups.io cookie refreshed successfully',
+      )
+    } catch (updateErr) {
+      await SequelizeRepository.rollbackTransaction(transaction)
+      this.options.log.error(updateErr, { integrationId }, 'Failed to update integration with new cookie')
+      throw updateErr
+    }
+
+    return newCookie
+  }
 }

backend/src/utils/crypto.ts

@@ -19,3 +19,51 @@ export function verifyWebhookSignature(
     buffer.Buffer.from(expectedSignature),
   )
 }
+
+/**
+ * Encrypts a string using AES-256-GCM
+ * @param text - The text to encrypt
+ * @param secretKey - The secret key (should be 32 bytes for AES-256)
+ * @returns Encrypted string in format: iv:authTag:encryptedData (all base64 encoded)
+ */
+export function encrypt(text: string, secretKey: string): string {
+  const algorithm = 'aes-256-gcm'
+  const key = crypto.scryptSync(secretKey, 'salt', 32)
+  const iv = crypto.randomBytes(16)
+  const cipher = crypto.createCipheriv(algorithm, key, iv)
+
+  let encrypted = cipher.update(text, 'utf8', 'base64')
+  encrypted += cipher.final('base64')
+  const authTag = cipher.getAuthTag()
+
+  // Return format: iv:authTag:encryptedData (all base64)
+  return `${iv.toString('base64')}:${authTag.toString('base64')}:${encrypted}`
+}
+
+/**
+ * Decrypts a string encrypted with encrypt()
+ * @param encryptedText - The encrypted text in format: iv:authTag:encryptedData
+ * @param secretKey - The secret key used for encryption
+ * @returns Decrypted string
+ */
+export function decrypt(encryptedText: string, secretKey: string): string {
+  const algorithm = 'aes-256-gcm'
+  const key = crypto.scryptSync(secretKey, 'salt', 32)
+  const parts = encryptedText.split(':')
+
+  if (parts.length !== 3) {
+    throw new Error('Invalid encrypted text format')
+  }
+
+  const iv = buffer.Buffer.from(parts[0], 'base64')
+  const authTag = buffer.Buffer.from(parts[1], 'base64')
+  const encrypted = parts[2]
+
+  const decipher = crypto.createDecipheriv(algorithm, key, iv)
+  decipher.setAuthTag(authTag)
+
+  let decrypted = decipher.update(encrypted, 'base64', 'utf8')
+  decrypted += decipher.final('utf8')
+
+  return decrypted
+}

frontend/components.d.ts

@@ -9,50 +9,37 @@ export {}
 
 declare module '@vue/runtime-core' {
   export interface GlobalComponents {
+    CommunityAbout: typeof import('./src/components/landing/CommunityAbout.vue')['default']
+    CommunityAnnouncement: typeof import('./src/components/landing/CommunityAnnouncement.vue')['default']
     CommunityFooter: typeof import('./src/components/landing/CommunityFooter.vue')['default']
     CommunityHeader: typeof import('./src/components/landing/CommunityHeader.vue')['default']
     CommunityHero: typeof import('./src/components/landing/CommunityHero.vue')['default']
     CommunityQuickStart: typeof import('./src/components/landing/CommunityQuickStart.vue')['default']
     ElAside: typeof import('element-plus/es')['ElAside']
     ElAvatar: typeof import('element-plus/es')['ElAvatar']
     ElButton: typeof import('element-plus/es')['ElButton']
-    ElButtonGroup: typeof import('element-plus/es')['ElButtonGroup']
     ElCard: typeof import('element-plus/es')['ElCard']
     ElCheckbox: typeof import('element-plus/es')['ElCheckbox']
     ElCollapse: typeof import('element-plus/es')['ElCollapse']
     ElCollapseItem: typeof import('element-plus/es')['ElCollapseItem']
     ElContainer: typeof import('element-plus/es')['ElContainer']
-    ElDatePicker: typeof import('element-plus/es')['ElDatePicker']
     ElDialog: typeof import('element-plus/es')['ElDialog']
     ElDivider: typeof import('element-plus/es')['ElDivider']
     ElDrawer: typeof import('element-plus/es')['ElDrawer']
     ElDropdown: typeof import('element-plus/es')['ElDropdown']
     ElDropdownItem: typeof import('element-plus/es')['ElDropdownItem']
-    ElDropdownMenu: typeof import('element-plus/es')['ElDropdownMenu']
     ElFooter: typeof import('element-plus/es')['ElFooter']
     ElForm: typeof import('element-plus/es')['ElForm']
     ElFormItem: typeof import('element-plus/es')['ElFormItem']
     ElInput: typeof import('element-plus/es')['ElInput']
     ElMain: typeof import('element-plus/es')['ElMain']
     ElMenu: typeof import('element-plus/es')['ElMenu']
     ElOption: typeof import('element-plus/es')['ElOption']
-    ElOptionGroup: typeof import('element-plus/es')['ElOptionGroup']
     ElPagination: typeof import('element-plus/es')['ElPagination']
     ElPopover: typeof import('element-plus/es')['ElPopover']
-    ElRadio: typeof import('element-plus/es')['ElRadio']
-    ElRadioButton: typeof import('element-plus/es')['ElRadioButton']
-    ElRadioGroup: typeof import('element-plus/es')['ElRadioGroup']
-    ElScrollbar: typeof import('element-plus/es')['ElScrollbar']
     ElSelect: typeof import('element-plus/es')['ElSelect']
     ElSwitch: typeof import('element-plus/es')['ElSwitch']
-    ElTable: typeof import('element-plus/es')['ElTable']
-    ElTableColumn: typeof import('element-plus/es')['ElTableColumn']
-    ElTabPane: typeof import('element-plus/es')['ElTabPane']
-    ElTabs: typeof import('element-plus/es')['ElTabs']
     ElTag: typeof import('element-plus/es')['ElTag']
-    ElTimeline: typeof import('element-plus/es')['ElTimeline']
-    ElTimelineItem: typeof import('element-plus/es')['ElTimelineItem']
-    ElTimeSelect: typeof import('element-plus/es')['ElTimeSelect']
     ElTooltip: typeof import('element-plus/es')['ElTooltip']
     RouterLink: typeof import('vue-router')['RouterLink']
     RouterView: typeof import('vue-router')['RouterView']

services/apps/webhook_api/src/repos/webhooks.repo.ts

@@ -57,10 +57,10 @@ export class WebhooksRepository extends RepositoryBase<WebhooksRepository> {
 
   public async findGroupsIoIntegrationByGroupName(
     groupName: string,
-  ): Promise<IDbIntegrationData | null> {
+  ): Promise<(IDbIntegrationData & { settings?: any }) | null> {
     const result = await this.db().oneOrNone(
       `
-      select id, "tenantId", platform from integrations
+      select id, "tenantId", platform, settings from integrations
       where platform = $(platform) and "deletedAt" is null
       and settings -> 'groups' ? $(groupName)
       `,