✨ feat: add Fitbit integration with OAuth flow and data sync

- Implement complete Fitbit OAuth 2.0 authentication flow
- Add Fitbit weight data synchronization with automatic kg conversion
- Refactor provider token storage to use Dictionary<string,object> pattern
- Implement rate limiting with automatic request throttling
- Handle Fitbit API limitations (32-day chunks, 2009-01-01 minimum date)
- Add proper provider disconnection that deletes both link and source data
- Update frontend to support Fitbit provider in link page
- Fix toast notifications to properly display success/error messages
- Add comprehensive error handling and logging for Fitbit API
- Update documentation with Fitbit setup instructions

Co-Authored-By: Assistant <assistant@anthropic.com>

Author: ervwalter

CLAUDE.md

@@ -126,12 +126,17 @@ VITE_SUPABASE_ANON_KEY=[anon-key]
   },
   "Withings": {
     "ClientId": "[client-id]",
-    "ClientSecret": "[client-secret]",
-    "RedirectUri": "http://localhost:5173/oauth/withings/callback"
+    "ClientSecret": "[client-secret]"
+  },
+  "Fitbit": {
+    "ClientId": "[client-id]",
+    "ClientSecret": "[client-secret]"
   }
 }
 ```
 
+**Note**: OAuth redirect URLs are constructed dynamically using `Request.Scheme` and `Request.Host` to support different deployment environments. Never hardcode URLs in configuration.
+
 ## Database Schema (Supabase)
 
 ### Tables
@@ -184,6 +189,7 @@ VITE_SUPABASE_ANON_KEY=[anon-key]
 
 ### OAuth Callback Routes
 - `/oauth/withings/callback` - Withings OAuth callback handler
+- `/oauth/fitbit/callback` - Fitbit OAuth callback handler
 
 ## Authentication
 
@@ -431,6 +437,12 @@ The containerized application:
 3. **Respect user's timezone** - All date operations must be timezone-aware
 4. **Test on mobile** - The app must be fully responsive
 5. **Keep accessibility in mind** - Use semantic HTML and ARIA labels
+6. **Provider disconnection** - When a user disconnects a provider, both the provider link AND the associated source data are deleted to ensure clean state
+7. **Fitbit API limitations**:
+   - Weight data requests cannot start before 2009-01-01
+   - Maximum date range per request is 32 days (not 31 or 33)
+   - Body-weight endpoint may return extrapolated data, not actual measurements
+   - Always use initial sync date of 2009-01-01 for Fitbit
 
 # important-instruction-reminders
 Do what has been asked; nothing more, nothing less.

PROJECT_STATUS.md

@@ -56,19 +56,22 @@ This issues tracks the implementation status of TrendWeight migration
 - [x] Data access layer in backend
 - [x] Type-safe API client
 
-### ⚙️ Provider Integrations
+### ✅ Provider Integrations
 
 - [x] Withings OAuth flow
 - [x] Withings data sync
 - [x] Withings token refresh
 - [x] Provider link management API
-- [ ] Fitbit OAuth flow
-- [ ] Fitbit data sync
-- [ ] Fitbit token refresh
+- [x] Fitbit OAuth flow
+- [x] Fitbit data sync (with pounds-to-kg conversion)
+- [x] Fitbit token refresh
+- [x] Fitbit rate limiting (automatic handling with delays)
+- [x] Fitbit date range handling (32-day chunks, 2009-01-01 minimum)
 - [x] OAuth callback handling
 - [ ] OAuth error handling/recovery
-- [ ] Bulk historical data import
+- [x] Bulk historical data import (Fitbit fetches all available data)
 - [x] Manual data resync (with resync_requested flag for resilient handling)
+- [x] Provider disconnection (removes both link and source data)
 
 ### ✅ Dashboard & Visualization
 

README.md

@@ -22,7 +22,7 @@ TrendWeight uses a modern web architecture:
 - **Backend**: C# ASP.NET Core Web API
   - Supabase (PostgreSQL) for data storage
   - JWT-based authentication
-  - Provider integrations for Withings and Fitbit
+  - Provider integrations for Withings and Fitbit (NEW)
 
 ## Getting Started
 
@@ -76,6 +76,11 @@ TrendWeight uses a modern web architecture:
      "Withings": {
        "ClientId": "your-withings-client-id",
        "ClientSecret": "your-withings-client-secret"
+     },
+     "Fitbit": {
+       "ClientId": "your-fitbit-client-id",
+       "ClientSecret": "your-fitbit-client-secret",
+       "RedirectUri": "http://localhost:5173/oauth/fitbit/callback"
      }
    }
    ```
@@ -156,6 +161,8 @@ The application uses different environment variables at build time vs runtime:
 - `Supabase__JwtSecret` - Your Supabase JWT secret
 - `Withings__ClientId` - Withings OAuth client ID
 - `Withings__ClientSecret` - Withings OAuth client secret
+- `Fitbit__ClientId` - Fitbit OAuth client ID
+- `Fitbit__ClientSecret` - Fitbit OAuth client secret
 - `Jwt__SigningKey` - JWT signing key for the API
 
 ### GitHub Actions CI/CD
@@ -198,8 +205,10 @@ docker run -d \
   -e Supabase__AnonKey="your-anon-key" \
   -e Supabase__ServiceKey="your-service-key" \
   -e Supabase__JwtSecret="your-jwt-secret" \
-  -e Withings__ClientId="your-client-id" \
-  -e Withings__ClientSecret="your-client-secret" \
+  -e Withings__ClientId="your-withings-client-id" \
+  -e Withings__ClientSecret="your-withings-client-secret" \
+  -e Fitbit__ClientId="your-fitbit-client-id" \
+  -e Fitbit__ClientSecret="your-fitbit-client-secret" \
   -e Jwt__SigningKey="your-signing-key" \
   ghcr.io/[your-username]/trendweight:latest
 ```

apps/api/TrendWeight/Features/Measurements/ISourceDataService.cs

@@ -47,4 +47,11 @@ public interface ISourceDataService
     /// <param name="provider">Provider name</param>
     /// <returns>True if resync is requested</returns>
     Task<bool> IsResyncRequestedAsync(Guid userId, string provider);
+
+    /// <summary>
+    /// Deletes source data for a user
+    /// </summary>
+    /// <param name="userId">User's Supabase UID</param>
+    /// <param name="provider">Provider name to delete specific provider data</param>
+    Task DeleteSourceDataAsync(Guid userId, string provider);
 }

apps/api/TrendWeight/Features/Measurements/SourceDataService.cs

@@ -317,4 +317,26 @@ private bool AreMeasurementsEqual(List<RawMeasurement> list1, List<RawMeasuremen
 
         return true;
     }
+
+    /// <inheritdoc />
+    public async Task DeleteSourceDataAsync(Guid userId, string provider)
+    {
+        try
+        {
+            var sourceData = await _supabaseService.QueryAsync<DbSourceData>(q =>
+                q.Where(sd => sd.Uid == userId && sd.Provider == provider));
+
+            var data = sourceData.FirstOrDefault();
+            if (data != null)
+            {
+                await _supabaseService.DeleteAsync<DbSourceData>(data);
+                _logger.LogInformation("Deleted source data row for user {UserId} provider {Provider}", userId, provider);
+            }
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Error deleting source data for user {UserId} provider {Provider}", userId, provider);
+            throw;
+        }
+    }
 }

apps/api/TrendWeight/Features/ProviderLinks/Services/IProviderLinkService.cs

@@ -1,4 +1,3 @@
-using TrendWeight.Features.Providers.Models;
 using DbProviderLink = TrendWeight.Infrastructure.DataAccess.Models.DbProviderLink;
 
 namespace TrendWeight.Features.ProviderLinks.Services;
@@ -12,5 +11,5 @@ public interface IProviderLinkService
     Task<DbProviderLink> UpdateAsync(DbProviderLink providerLink);
     Task DeleteAsync(Guid uid, string provider);
     Task RemoveProviderLinkAsync(Guid uid, string provider);
-    Task StoreProviderLinkAsync(Guid uid, string provider, AccessToken token, string? updateReason = null);
+    Task StoreProviderLinkAsync(Guid uid, string provider, Dictionary<string, object> token, string? updateReason = null);
 }

apps/api/TrendWeight/Features/ProviderLinks/Services/ProviderLinkService.cs

@@ -1,6 +1,6 @@
+using System.Text.Json;
 using TrendWeight.Infrastructure.DataAccess;
 using TrendWeight.Infrastructure.DataAccess.Models;
-using TrendWeight.Features.Providers.Models;
 
 namespace TrendWeight.Features.ProviderLinks.Services;
 
@@ -79,7 +79,7 @@ public Task RemoveProviderLinkAsync(Guid uid, string provider)
         return DeleteAsync(uid, provider);
     }
 
-    public async Task StoreProviderLinkAsync(Guid uid, string provider, AccessToken token, string? updateReason = null)
+    public async Task StoreProviderLinkAsync(Guid uid, string provider, Dictionary<string, object> token, string? updateReason = null)
     {
         var existingLink = await GetAsync(uid, provider);
 

apps/api/TrendWeight/Features/Providers/Fitbit/FitbitCallbackController.cs

@@ -0,0 +1,118 @@
+using System.IdentityModel.Tokens.Jwt;
+using System.Text;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.IdentityModel.Tokens;
+using TrendWeight.Infrastructure.Auth;
+
+namespace TrendWeight.Features.Providers.Fitbit;
+
+/// <summary>
+/// Controller for handling Fitbit OAuth callbacks
+/// </summary>
+[ApiController]
+[Route("api/fitbit")]
+[AllowAnonymous]
+public class FitbitCallbackController : ControllerBase
+{
+    private readonly IFitbitService _fitbitService;
+    private readonly FitbitConfig _config;
+    private readonly IConfiguration _configuration;
+    private readonly ILogger<FitbitCallbackController> _logger;
+
+    /// <summary>
+    /// Constructor
+    /// </summary>
+    public FitbitCallbackController(
+        IFitbitService fitbitService,
+        FitbitConfig config,
+        IConfiguration configuration,
+        ILogger<FitbitCallbackController> logger)
+    {
+        _fitbitService = fitbitService;
+        _config = config;
+        _configuration = configuration;
+        _logger = logger;
+    }
+
+    /// <summary>
+    /// Handles OAuth callback from Fitbit
+    /// </summary>
+    [HttpGet("callback")]
+    public async Task<IActionResult> Callback([FromQuery] string code, [FromQuery] string state)
+    {
+        try
+        {
+            // Get JWT signing key
+            var jwtSigningKey = _configuration["Jwt:SigningKey"];
+            if (string.IsNullOrEmpty(jwtSigningKey))
+            {
+                _logger.LogError("JWT signing key not configured");
+                return StatusCode(500, new { error = "JWT signing key not configured" });
+            }
+
+            // Validate state token
+            var tokenHandler = new JwtSecurityTokenHandler();
+            var key = Encoding.ASCII.GetBytes(jwtSigningKey);
+
+            var validationParameters = new TokenValidationParameters
+            {
+                ValidateIssuerSigningKey = true,
+                IssuerSigningKey = new SymmetricSecurityKey(key),
+                ValidateIssuer = false,
+                ValidateAudience = false,
+                ValidateLifetime = true,
+                ClockSkew = TimeSpan.Zero
+            };
+
+            var principal = tokenHandler.ValidateToken(state, validationParameters, out var validatedToken);
+
+            var uid = principal.FindFirst("uid")?.Value;
+            var reason = principal.FindFirst("reason")?.Value;
+
+            if (string.IsNullOrEmpty(uid) || string.IsNullOrEmpty(reason))
+            {
+                throw new SecurityTokenException("Invalid state token");
+            }
+
+            if (!Guid.TryParse(uid, out var userId))
+            {
+                _logger.LogWarning("Invalid user ID in state token");
+                return BadRequest("Invalid user ID");
+            }
+
+            // Exchange code for tokens
+            // ForwardedHeaders middleware has already updated Request.Scheme and Request.Host
+            var callbackUrl = $"{Request.Scheme}://{Request.Host}/api/fitbit/callback";
+
+            _logger.LogDebug("Exchanging code for token with callback URL: {CallbackUrl}", callbackUrl);
+
+            var success = await _fitbitService.ExchangeAuthorizationCodeAsync(code, callbackUrl, userId);
+
+            if (!success)
+            {
+                _logger.LogError("Failed to exchange Fitbit authorization code");
+                return BadRequest("Failed to complete authorization");
+            }
+
+            // Redirect to frontend success page
+            var redirectUrl = $"{Request.Scheme}://{Request.Host}/oauth/fitbit/callback?success=true";
+
+            _logger.LogDebug("Redirecting to: {RedirectUrl}", redirectUrl);
+
+            return Redirect(redirectUrl);
+        }
+        catch (SecurityTokenExpiredException)
+        {
+            _logger.LogWarning("State token expired");
+            return BadRequest("Authorization expired. Please try again.");
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Error handling Fitbit callback");
+
+            // Redirect to frontend error page
+            return Redirect($"{Request.Scheme}://{Request.Host}/oauth/fitbit/callback?success=false&error={Uri.EscapeDataString(ex.Message)}");
+        }
+    }
+}

apps/api/TrendWeight/Features/Providers/Fitbit/FitbitConfig.cs

@@ -0,0 +1,17 @@
+namespace TrendWeight.Features.Providers.Fitbit;
+
+/// <summary>
+/// Configuration for Fitbit OAuth
+/// </summary>
+public class FitbitConfig
+{
+    /// <summary>
+    /// Fitbit OAuth client ID
+    /// </summary>
+    public string ClientId { get; set; } = string.Empty;
+
+    /// <summary>
+    /// Fitbit OAuth client secret
+    /// </summary>
+    public string ClientSecret { get; set; } = string.Empty;
+}

apps/api/TrendWeight/Features/Providers/Fitbit/FitbitLinkController.cs

@@ -0,0 +1,81 @@
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using System.Text;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.IdentityModel.Tokens;
+using TrendWeight.Features.Common;
+
+namespace TrendWeight.Features.Providers.Fitbit;
+
+/// <summary>
+/// Controller for initiating Fitbit OAuth flow
+/// </summary>
+[ApiController]
+[Route("api/fitbit")]
+public class FitbitLinkController : BaseAuthController
+{
+    private readonly IFitbitService _fitbitService;
+    private readonly FitbitConfig _config;
+    private readonly IConfiguration _configuration;
+    private readonly ILogger<FitbitLinkController> _logger;
+
+    /// <summary>
+    /// Constructor
+    /// </summary>
+    public FitbitLinkController(
+        IFitbitService fitbitService,
+        FitbitConfig config,
+        IConfiguration configuration,
+        ILogger<FitbitLinkController> logger)
+    {
+        _fitbitService = fitbitService;
+        _config = config;
+        _configuration = configuration;
+        _logger = logger;
+    }
+
+    /// <summary>
+    /// Initiates Fitbit OAuth flow
+    /// </summary>
+    [HttpGet("link")]
+    public IActionResult LinkFitbit()
+    {
+        // Get JWT signing key
+        var jwtSigningKey = _configuration["Jwt:SigningKey"];
+        if (string.IsNullOrEmpty(jwtSigningKey))
+        {
+            _logger.LogError("JWT signing key not configured");
+            return StatusCode(500, new { error = "JWT signing key not configured" });
+        }
+
+        // Generate state token with user ID and expiration
+        var tokenHandler = new JwtSecurityTokenHandler();
+        var key = Encoding.ASCII.GetBytes(jwtSigningKey);
+
+        var tokenDescriptor = new SecurityTokenDescriptor
+        {
+            Subject = new ClaimsIdentity(new[]
+            {
+                new Claim("uid", UserId),
+                new Claim("reason", "link")
+            }),
+            Expires = DateTime.UtcNow.AddHours(1),
+            SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
+        };
+
+        var token = tokenHandler.CreateToken(tokenDescriptor);
+        var state = tokenHandler.WriteToken(token);
+
+        // Get callback URL - ForwardedHeaders middleware has already updated Request.Scheme and Request.Host
+        var callbackUrl = $"{Request.Scheme}://{Request.Host}/api/fitbit/callback";
+
+        _logger.LogInformation("Using callback URL: {CallbackUrl}", callbackUrl);
+
+        // Get authorization URL
+        var authUrl = _fitbitService.GetAuthorizationUrl(state, callbackUrl);
+
+        _logger.LogInformation("Generated authorization URL: {AuthorizationUrl}", authUrl);
+
+        return Ok(new { url = authUrl });
+    }
+}