chore(deps): update package versions and add OAuth token revocation services (#1946)

Author: Marfuen

apps/api/src/app/s3.ts

@@ -1,4 +1,4 @@
-import { GetObjectCommand, S3Client } from '@aws-sdk/client-s3';
+import { GetObjectCommand, S3Client, type GetObjectCommandOutput } from '@aws-sdk/client-s3';
 import { Logger } from '@nestjs/common';
 import '../config/load-env';
 
@@ -126,7 +126,7 @@ export async function getFleetAgent({
   os,
 }: {
   os: 'macos' | 'windows' | 'linux';
-}) {
+}): Promise<GetObjectCommandOutput['Body']> {
   if (!s3Client) {
     throw new Error('S3 client not configured');
   }

apps/api/src/integration-platform/integration-platform.module.ts

@@ -12,6 +12,8 @@ import { CredentialVaultService } from './services/credential-vault.service';
 import { ConnectionService } from './services/connection.service';
 import { OAuthCredentialsService } from './services/oauth-credentials.service';
 import { AutoCheckRunnerService } from './services/auto-check-runner.service';
+import { ConnectionAuthTeardownService } from './services/connection-auth-teardown.service';
+import { OAuthTokenRevocationService } from './services/oauth-token-revocation.service';
 import { ProviderRepository } from './repositories/provider.repository';
 import { ConnectionRepository } from './repositories/connection.repository';
 import { CredentialRepository } from './repositories/credential.repository';
@@ -38,6 +40,8 @@ import { CheckRunRepository } from './repositories/check-run.repository';
     ConnectionService,
     OAuthCredentialsService,
     AutoCheckRunnerService,
+    OAuthTokenRevocationService,
+    ConnectionAuthTeardownService,
     // Repositories
     ProviderRepository,
     ConnectionRepository,

apps/api/src/integration-platform/repositories/credential.repository.ts

@@ -95,4 +95,12 @@ export class CredentialRepository {
 
     return result.count;
   }
+
+  async deleteAllByConnection(connectionId: string): Promise<number> {
+    const result = await db.integrationCredentialVersion.deleteMany({
+      where: { connectionId },
+    });
+
+    return result.count;
+  }
 }

apps/api/src/integration-platform/services/connection-auth-teardown.service.ts

@@ -0,0 +1,73 @@
+import { Injectable, Logger } from '@nestjs/common';
+import { CredentialVaultService } from './credential-vault.service';
+import { OAuthTokenRevocationService } from './oauth-token-revocation.service';
+import { ConnectionRepository } from '../repositories/connection.repository';
+import { CredentialRepository } from '../repositories/credential.repository';
+
+@Injectable()
+export class ConnectionAuthTeardownService {
+  private readonly logger = new Logger(ConnectionAuthTeardownService.name);
+
+  constructor(
+    private readonly connectionRepository: ConnectionRepository,
+    private readonly credentialVaultService: CredentialVaultService,
+    private readonly credentialRepository: CredentialRepository,
+    private readonly oauthTokenRevocationService: OAuthTokenRevocationService,
+  ) {}
+
+  /**
+   * Best-effort teardown of a connection's auth:
+   * - Revoke provider token if supported/configured
+   * - Delete all stored credential versions
+   * - Clear active credential pointer
+   */
+  async teardown({ connectionId }: { connectionId: string }): Promise<void> {
+    const connection = await this.connectionRepository.findById(connectionId);
+    if (!connection) return;
+
+    const providerSlug = (connection as { provider?: { slug: string } })
+      .provider?.slug;
+
+    const credentials =
+      await this.credentialVaultService.getDecryptedCredentials(connectionId);
+    const accessToken = credentials?.access_token;
+
+    if (providerSlug && accessToken) {
+      try {
+        await this.oauthTokenRevocationService.revokeAccessToken({
+          providerSlug,
+          accessToken,
+          organizationId: connection.organizationId,
+        });
+      } catch (error) {
+        this.logger.warn(
+          `Failed to revoke OAuth token for ${providerSlug} connection ${connectionId}: ${
+            error instanceof Error ? error.message : String(error)
+          }`,
+        );
+      }
+    }
+
+    try {
+      await this.credentialRepository.deleteAllByConnection(connectionId);
+    } catch (error) {
+      this.logger.warn(
+        `Failed deleting credential versions for connection ${connectionId}: ${
+          error instanceof Error ? error.message : String(error)
+        }`,
+      );
+    }
+
+    try {
+      await this.connectionRepository.update(connectionId, {
+        activeCredentialVersionId: null,
+      });
+    } catch (error) {
+      this.logger.warn(
+        `Failed clearing active credential pointer for connection ${connectionId}: ${
+          error instanceof Error ? error.message : String(error)
+        }`,
+      );
+    }
+  }
+}

apps/api/src/integration-platform/services/connection.service.ts

@@ -5,6 +5,7 @@ import {
 } from '@nestjs/common';
 import { ConnectionRepository } from '../repositories/connection.repository';
 import { ProviderRepository } from '../repositories/provider.repository';
+import { ConnectionAuthTeardownService } from './connection-auth-teardown.service';
 import type {
   IntegrationConnection,
   IntegrationConnectionStatus,
@@ -22,6 +23,7 @@ export class ConnectionService {
   constructor(
     private readonly connectionRepository: ConnectionRepository,
     private readonly providerRepository: ProviderRepository,
+    private readonly connectionAuthTeardownService: ConnectionAuthTeardownService,
   ) {}
 
   async getConnection(connectionId: string): Promise<IntegrationConnection> {
@@ -117,11 +119,19 @@ export class ConnectionService {
   async disconnectConnection(
     connectionId: string,
   ): Promise<IntegrationConnection> {
-    return this.updateConnectionStatus(connectionId, 'disconnected');
+    await this.connectionAuthTeardownService.teardown({ connectionId });
+
+    return this.connectionRepository.update(connectionId, {
+      status: 'disconnected',
+      errorMessage: null,
+      activeCredentialVersionId: null,
+    });
   }
 
   async deleteConnection(connectionId: string): Promise<void> {
     await this.getConnection(connectionId); // Verify exists
+    await this.connectionAuthTeardownService.teardown({ connectionId });
+
     await this.connectionRepository.delete(connectionId);
   }
 

apps/api/src/integration-platform/services/oauth-token-revocation.service.ts

@@ -0,0 +1,149 @@
+import { Injectable, Logger } from '@nestjs/common';
+import { getManifest } from '@comp/integration-platform';
+import { OAuthCredentialsService } from './oauth-credentials.service';
+
+type OAuthRevokeConfig = {
+  url: string;
+  method?: 'POST' | 'DELETE';
+  auth?: 'basic' | 'bearer' | 'none';
+  body?: 'form' | 'json';
+  tokenField?: string;
+  extraBodyFields?: Record<string, string>;
+};
+
+const isOAuthRevokeConfig = (value: unknown): value is OAuthRevokeConfig => {
+  if (!value || typeof value !== 'object') return false;
+
+  const v = value as Record<string, unknown>;
+  if (typeof v.url !== 'string') return false;
+
+  if (v.method !== undefined && v.method !== 'POST' && v.method !== 'DELETE') {
+    return false;
+  }
+
+  if (
+    v.auth !== undefined &&
+    v.auth !== 'basic' &&
+    v.auth !== 'bearer' &&
+    v.auth !== 'none'
+  ) {
+    return false;
+  }
+
+  if (v.body !== undefined && v.body !== 'form' && v.body !== 'json') {
+    return false;
+  }
+
+  if (v.tokenField !== undefined && typeof v.tokenField !== 'string') {
+    return false;
+  }
+
+  if (
+    v.extraBodyFields !== undefined &&
+    (typeof v.extraBodyFields !== 'object' || v.extraBodyFields === null)
+  ) {
+    return false;
+  }
+
+  return true;
+};
+
+@Injectable()
+export class OAuthTokenRevocationService {
+  private readonly logger = new Logger(OAuthTokenRevocationService.name);
+
+  constructor(
+    private readonly oauthCredentialsService: OAuthCredentialsService,
+  ) {}
+
+  async revokeAccessToken({
+    providerSlug,
+    organizationId,
+    accessToken,
+  }: {
+    providerSlug: string;
+    organizationId: string;
+    accessToken: string;
+  }): Promise<void> {
+    const manifest = getManifest(providerSlug);
+    if (!manifest || manifest.auth.type !== 'oauth2') return;
+
+    const oauthConfig = manifest.auth.config;
+    if (!('revoke' in oauthConfig)) return;
+
+    const revokeConfigUnknown = oauthConfig.revoke;
+    if (!isOAuthRevokeConfig(revokeConfigUnknown)) return;
+
+    const revokeConfig = {
+      url: revokeConfigUnknown.url,
+      method: revokeConfigUnknown.method ?? 'POST',
+      auth: revokeConfigUnknown.auth ?? 'basic',
+      body: revokeConfigUnknown.body ?? 'form',
+      tokenField: revokeConfigUnknown.tokenField ?? 'token',
+      extraBodyFields: revokeConfigUnknown.extraBodyFields,
+    };
+
+    const oauthCreds = await this.oauthCredentialsService.getCredentials(
+      providerSlug,
+      organizationId,
+    );
+
+    const url = revokeConfig.url.replace(
+      '{CLIENT_ID}',
+      encodeURIComponent(oauthCreds?.clientId ?? ''),
+    );
+
+    const headers: Record<string, string> = {
+      Accept: 'application/json',
+      'User-Agent': 'CompAI-Integration',
+    };
+
+    if (revokeConfig.auth === 'basic') {
+      if (!oauthCreds?.clientId || !oauthCreds.clientSecret) {
+        this.logger.warn(
+          `OAuth credentials not configured; cannot revoke token for ${providerSlug} org ${organizationId}`,
+        );
+        return;
+      }
+
+      const basicAuth = Buffer.from(
+        `${oauthCreds.clientId}:${oauthCreds.clientSecret}`,
+      ).toString('base64');
+      headers.Authorization = `Basic ${basicAuth}`;
+    }
+
+    if (revokeConfig.auth === 'bearer') {
+      headers.Authorization = `Bearer ${accessToken}`;
+    }
+
+    let body: string | undefined;
+    if (revokeConfig.body === 'json') {
+      headers['Content-Type'] = 'application/json';
+      body = JSON.stringify({
+        [revokeConfig.tokenField]: accessToken,
+        ...(revokeConfig.extraBodyFields ?? {}),
+      });
+    } else {
+      headers['Content-Type'] = 'application/x-www-form-urlencoded';
+      const params = new URLSearchParams({
+        [revokeConfig.tokenField]: accessToken,
+        ...(revokeConfig.extraBodyFields ?? {}),
+      });
+      body = params.toString();
+    }
+
+    const response = await fetch(url, {
+      method: revokeConfig.method,
+      headers,
+      body,
+    });
+
+    // Treat 404 as already revoked.
+    if (response.ok || response.status === 404) return;
+
+    const text = await response.text().catch(() => '');
+    throw new Error(
+      `Token revoke failed for ${providerSlug} (${response.status}): ${text.slice(0, 200)}`,
+    );
+  }
+}

bun.lock

@@ -13,56 +13,56 @@
         "react-syntax-highlighter": "^15.6.6",
         "unpdf": "^1.4.0",
         "xlsx": "^0.18.5",
-        "zod": "^4.0.0",
+        "zod": "^4.2.1",
       },
       "devDependencies": {
         "@azure/core-http": "^3.0.5",
-        "@azure/core-rest-pipeline": "^1.21.0",
-        "@azure/core-tracing": "^1.2.0",
-        "@azure/identity": "^4.10.0",
+        "@azure/core-rest-pipeline": "^1.22.2",
+        "@azure/core-tracing": "^1.3.1",
+        "@azure/identity": "^4.13.0",
         "@commitlint/cli": "^19.8.1",
         "@commitlint/config-conventional": "^19.8.1",
-        "@hookform/resolvers": "^5.1.1",
-        "@number-flow/react": "^0.5.9",
+        "@hookform/resolvers": "^5.2.2",
+        "@number-flow/react": "^0.5.10",
         "@prisma/adapter-pg": "6.10.1",
         "@react-email/components": "^0.0.41",
-        "@react-email/render": "^1.1.2",
+        "@react-email/render": "^1.4.0",
         "@semantic-release/changelog": "^6.0.3",
         "@semantic-release/commit-analyzer": "^13.0.1",
         "@semantic-release/git": "^10.0.1",
-        "@semantic-release/github": "^11.0.3",
-        "@semantic-release/npm": "^12.0.1",
-        "@semantic-release/release-notes-generator": "^14.0.3",
-        "@types/bun": "^1.2.15",
+        "@semantic-release/github": "^11.0.6",
+        "@semantic-release/npm": "^12.0.2",
+        "@semantic-release/release-notes-generator": "^14.1.0",
+        "@types/bun": "^1.3.4",
         "@types/d3": "^7.4.3",
-        "@types/lodash": "^4.17.17",
-        "@types/react": "^19.1.6",
-        "@types/react-dom": "^19.1.1",
-        "ai": "^5.0.0",
-        "concurrently": "^9.1.2",
+        "@types/lodash": "^4.17.21",
+        "@types/react": "^19.2.7",
+        "@types/react-dom": "^19.2.3",
+        "ai": "^5.0.115",
+        "concurrently": "^9.2.1",
         "d3": "^7.9.0",
         "date-fns": "^4.1.0",
-        "dayjs": "^1.11.13",
-        "execa": "^9.0.0",
+        "dayjs": "^1.11.19",
+        "execa": "^9.6.1",
         "gitmoji": "^1.1.1",
         "gray-matter": "^4.0.3",
         "husky": "^9.1.7",
-        "prettier": "^3.5.3",
-        "prettier-plugin-organize-imports": "^4.1.0",
-        "prettier-plugin-tailwindcss": "^0.6.0",
+        "prettier": "^3.7.4",
+        "prettier-plugin-organize-imports": "^4.3.0",
+        "prettier-plugin-tailwindcss": "^0.6.14",
         "react-dnd": "^16.0.1",
         "react-dnd-html5-backend": "^16.0.1",
-        "react-email": "^4.0.15",
-        "react-hook-form": "^7.61.1",
-        "semantic-release": "^24.2.8",
+        "react-email": "^4.3.2",
+        "react-hook-form": "^7.68.0",
+        "semantic-release": "^24.2.9",
         "semantic-release-discord": "^1.2.0",
-        "semantic-release-discord-notifier": "^1.0.11",
-        "sharp": "^0.34.2",
+        "semantic-release-discord-notifier": "^1.1.1",
+        "sharp": "^0.34.5",
         "syncpack": "^13.0.4",
-        "tsup": "^8.5.0",
-        "turbo": "^2.5.4",
-        "typescript": "^5.8.3",
-        "use-debounce": "^10.0.4",
+        "tsup": "^8.5.1",
+        "turbo": "^2.6.3",
+        "typescript": "^5.9.3",
+        "use-debounce": "^10.0.6",
       },
     },
     "apps/api": {