feat: Phase 0 walking skeleton — auth, Todoist integration, tip page

- Google OAuth2/PKCE flow via openid-client v6; session cookie (30-day) - Next.js middleware auth guard — redirects before any client render - Todoist OAuth2 connect/disconnect; REST v1 task fetch (today|overdue) - RandomPolicy recommender behind stable POST /recommend contract - Feedback endpoint (done/dismiss/snooze); marks task complete in Todoist - 30s in-memory task cache per user (~1ms recommend on cache hit) - Tip page: pure opacity fade-in (3.5s), fast fade-out (0.3s), no motion - "reading you…" loading text with breathe animation - PWA icons + manifest - Ports pinned: API=3078, web=3079; Caddy at o.alogins.net Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 08:53:38 +00:00
parent 65218762be
commit 3123cb73fb
14 changed files with 276 additions and 177 deletions
--- a/services/api/src/config.ts
+++ b/services/api/src/config.ts
@@ -1,4 +1,7 @@
-import 'dotenv/config';
+import { config as dotenvConfig } from 'dotenv';
+// Load .env.local first (takes precedence), then .env as fallback
+dotenvConfig({ path: '../../.env.local', override: false });
+dotenvConfig({ path: '../../.env', override: false });

 function require(name: string): string {
  const val = process.env[name];
@@ -11,7 +14,7 @@ function optional(name: string, fallback: string): string {
 }

 export const config = {
-  PORT: parseInt(optional('PORT', '3001'), 10),
+  PORT: parseInt(optional('PORT', '3078'), 10),
  NODE_ENV: optional('NODE_ENV', 'development'),
  DATABASE_PATH: optional('DATABASE_PATH', './data/oo.db'),

--- a/services/api/src/routes/auth.ts
+++ b/services/api/src/routes/auth.ts
@@ -36,6 +36,7 @@ router.get('/login', async (req: Request, res: Response) => {
  setTimeout(() => pendingStates.delete(state), 10 * 60 * 1000);

  const redirectUri = `${config.API_BASE_URL}/api/auth/callback`;
+  console.log('[auth] redirect_uri sent to Google:', redirectUri);
  const authUrl = client.buildAuthorizationUrl(cfg, {
    redirect_uri: redirectUri,
    scope: 'openid email profile',
@@ -59,7 +60,10 @@ router.get('/callback', async (req: Request, res: Response) => {
  pendingStates.delete(state);

  const redirectUri = `${config.API_BASE_URL}/api/auth/callback`;
-  const currentUrl = new URL(req.url, config.API_BASE_URL);
+  // req.url is router-relative (/callback?...), so reconstruct the full callback URL
+  // using the known redirectUri base + the query string from the incoming request.
+  const incomingSearch = new URL(req.url, 'http://localhost').search;
+  const currentUrl = new URL(redirectUri + incomingSearch);

  let tokens: client.TokenEndpointResponse;
  try {
--- a/services/api/src/routes/recommender.ts
+++ b/services/api/src/routes/recommender.ts
@@ -8,27 +8,33 @@ import type { Tip } from '@oo/shared-types';

 const router: ExpressRouter = Router();

-/** Fetch active Todoist tasks for a user via their stored token */
-async function fetchTodoistTasks(accessToken: string): Promise<Tip[]> {
-  const res = await fetch('https://api.todoist.com/rest/v2/tasks?filter=today|overdue', {
+const CACHE_TTL_MS = 30_000; // 30 seconds
+const taskCache = new Map<string, { tips: Tip[]; fetchedAt: number }>();
+
+/** Fetch active Todoist tasks, with a 30s in-memory cache per user */
+async function fetchTodoistTasks(userId: string, accessToken: string): Promise<Tip[]> {
+  const cached = taskCache.get(userId);
+  if (cached && Date.now() - cached.fetchedAt < CACHE_TTL_MS) {
+    return cached.tips;
+  }
+
+  const res = await fetch('https://api.todoist.com/api/v1/tasks?filter=today%7Coverdue', {
    headers: { Authorization: `Bearer ${accessToken}` },
  });

-  if (!res.ok) return [];
+  if (!res.ok) return cached?.tips ?? [];

-  const tasks = (await res.json()) as Array<{
-    id: string;
-    content: string;
-    due?: { string: string };
-  }>;
-
-  return tasks.map((t) => ({
+  const body = (await res.json()) as { results: Array<{ id: string; content: string }> };
+  const tips: Tip[] = (body.results ?? []).map((t) => ({
    id: `todoist:${t.id}`,
    content: t.content,
    source: 'todoist' as const,
    sourceId: t.id,
    createdAt: new Date().toISOString(),
  }));
+
+  taskCache.set(userId, { tips, fetchedAt: Date.now() });
+  return tips;
 }

 /**
@@ -41,7 +47,7 @@ function randomPolicy(candidates: Tip[]): Tip | null {
 }

 /** POST /api/recommend */
-router.post('/', requireAuth, async (req: AuthenticatedRequest, res: Response) => {
+router.post('/recommend', requireAuth, async (req: AuthenticatedRequest, res: Response) => {
  const [token] = await db
    .select()
    .from(integrationTokens)
@@ -58,7 +64,7 @@ router.post('/', requireAuth, async (req: AuthenticatedRequest, res: Response) =
    return;
  }

-  const candidates = await fetchTodoistTasks(token.accessToken);
+  const candidates = await fetchTodoistTasks(req.userId!, token.accessToken);
  const tip = randomPolicy(candidates);

  if (!tip) {
@@ -88,6 +94,9 @@ router.post('/tip/:id/feedback', requireAuth, async (req: AuthenticatedRequest,
    createdAt: new Date().toISOString(),
  });

+  // Invalidate cache so next recommend fetches fresh tasks
+  taskCache.delete(req.userId!);
+
  // If done, mark complete in Todoist
  if (action === 'done' && tipId.startsWith('todoist:')) {
    const todoistId = tipId.slice(8);
@@ -103,7 +112,7 @@ router.post('/tip/:id/feedback', requireAuth, async (req: AuthenticatedRequest,
      .limit(1);

    if (token) {
-      await fetch(`https://api.todoist.com/rest/v2/tasks/${todoistId}/close`, {
+      await fetch(`https://api.todoist.com/api/v1/tasks/${todoistId}/close`, {
        method: 'POST',
        headers: { Authorization: `Bearer ${token.accessToken}` },
      }).catch(() => {});