feat: OAuth middleware with module loaders for identity/secrets/auth config

graphql/env/__tests__/__snapshots__/merge.test.ts.snap

@@ -17,6 +17,7 @@ exports[`getEnvOptions merges pgpm defaults, graphql defaults, config, env, and
     ],
     "roleName": "env_role",
   },
+  "captcha": {},
   "cdn": {
     "awsAccessKey": "minioadmin",
     "awsRegion": "us-east-1",
@@ -100,6 +101,7 @@ exports[`getEnvOptions merges pgpm defaults, graphql defaults, config, env, and
       "useTx": false,
     },
   },
+  "oauth": {},
   "pg": {
     "database": "config-db",
     "host": "override-host",
@@ -120,5 +122,6 @@ exports[`getEnvOptions merges pgpm defaults, graphql defaults, config, env, and
     "port": 587,
     "secure": false,
   },
+  "upload": {},
 }
 `;

graphql/server/package.json

@@ -46,6 +46,7 @@
     "@constructive-io/express-context": "workspace:^",
     "@constructive-io/graphql-env": "workspace:^",
     "@constructive-io/graphql-types": "workspace:^",
+    "@constructive-io/oauth": "workspace:^",
     "@constructive-io/s3-utils": "workspace:^",
     "@constructive-io/upload-names": "workspace:^",
     "@constructive-io/url-domains": "workspace:^",

graphql/server/src/middleware/captcha.ts

@@ -1,4 +1,5 @@
 import { Logger } from '@pgpmjs/logger';
+import { getEnvVars } from '@pgpmjs/env';
 import type { NextFunction, Request, RequestHandler, Response } from 'express';
 import './types'; // for Request type
 
@@ -94,7 +95,7 @@ export const createCaptchaMiddleware = (): RequestHandler => {
     }
 
     // Secret key must be set server-side (env var, not stored in DB for security)
-    const secretKey = process.env.RECAPTCHA_SECRET_KEY;
+    const secretKey = getEnvVars().captcha?.recaptchaSecretKey;
     if (!secretKey) {
       log.warn('[captcha] enable_captcha is true but RECAPTCHA_SECRET_KEY env var is not set; skipping verification');
       return next();

graphql/server/src/middleware/cookie.ts

@@ -1,11 +1,28 @@
 import type { Request, Response } from 'express';
-import type { AuthSettings } from '../types';
+import type { AuthSettings, PgInterval } from '../types';
 
 export const SESSION_COOKIE_NAME = 'constructive_session';
 export const DEVICE_TOKEN_COOKIE_NAME = 'constructive_device_token';
 
 const DEVICE_TOKEN_MAX_AGE = 90 * 24 * 60 * 60; // 90 days in seconds
 
+export const parseIntervalToSeconds = (interval: string | PgInterval | null | undefined): number | null => {
+  if (!interval) return null;
+  if (typeof interval === 'string') {
+    const parsed = parseInt(interval, 10);
+    return isNaN(parsed) ? null : parsed;
+  }
+  let totalSeconds = 0;
+  if (interval.years) totalSeconds += interval.years * 365 * 24 * 60 * 60;
+  if (interval.months) totalSeconds += interval.months * 30 * 24 * 60 * 60;
+  if (interval.days) totalSeconds += interval.days * 24 * 60 * 60;
+  if (interval.hours) totalSeconds += interval.hours * 60 * 60;
+  if (interval.minutes) totalSeconds += interval.minutes * 60;
+  if (interval.seconds) totalSeconds += interval.seconds;
+  if (interval.milliseconds) totalSeconds += interval.milliseconds / 1000;
+  return totalSeconds > 0 ? totalSeconds : null;
+};
+
 export interface CookieConfig {
   secure: boolean;
   sameSite: 'strict' | 'lax' | 'none';
@@ -25,11 +42,11 @@ export const getSessionCookieConfig = (
   const DEFAULT_MAX_AGE = 86400; // 24 hours
   let maxAge = DEFAULT_MAX_AGE;
   if (rememberMe && authSettings?.rememberMeDuration) {
-    const parsed = parseInt(authSettings.rememberMeDuration, 10);
-    if (!isNaN(parsed)) maxAge = parsed;
+    const parsed = parseIntervalToSeconds(authSettings.rememberMeDuration);
+    if (parsed !== null) maxAge = parsed;
   } else if (authSettings?.cookieMaxAge) {
-    const parsed = parseInt(authSettings.cookieMaxAge, 10);
-    if (!isNaN(parsed)) maxAge = parsed;
+    const parsed = parseIntervalToSeconds(authSettings.cookieMaxAge);
+    if (parsed !== null) maxAge = parsed;
   }
 
   return {