feat: add hubspot provider

README.md

@@ -214,6 +214,7 @@ It can also be set using environment variables:
 - GitHub
 - GitLab
 - Google
+- Hubspot
 - Instagram
 - Keycloak
 - Linear

playground/.env.example

@@ -96,3 +96,7 @@ NUXT_OAUTH_AUTHENTIK_DOMAIN=
 # Strava
 NUXT_OAUTH_STRAVA_CLIENT_ID=
 NUXT_OAUTH_STRAVA_CLIENT_SECRET=
+# Hubspot
+NUXT_OAUTH_HUBSPOT_CLIENT_ID=
+NUXT_OAUTH_HUBSPOT_CLIENT_SECRET=
+NUXT_OAUTH_HUBSPOT_REDIRECT_URL=

playground/app.vue

@@ -177,6 +177,12 @@ const providers = computed(() =>
       disabled: Boolean(user.value?.strava),
       icon: 'i-simple-icons-strava',
     },
+    {
+      label: user.value?.hubspot || 'HubSpot',
+      to: '/auth/hubspot',
+      disabled: Boolean(user.value?.hubspot),
+      icon: 'i-simple-icons-hubspot',
+    },
   ].map(p => ({
     ...p,
     prefetch: false,

playground/auth.d.ts

@@ -32,6 +32,7 @@ declare module '#auth-utils' {
     authentik?: string
     seznam?: string
     strava?: string
+    hubspot?: string
   }
 
   interface UserSession {

playground/server/routes/auth/hubspot.get.ts

@@ -0,0 +1,15 @@
+export default defineOAuthHubspotEventHandler({
+  config: {
+    scope: ['oauth'],
+  },
+  async onSuccess(event, { user }) {
+    await setUserSession(event, {
+      user: {
+        hubspot: user.email,
+      },
+      loggedInAt: Date.now(),
+    })
+
+    return sendRedirect(event, '/')
+  },
+})

src/module.ts

@@ -347,5 +347,11 @@ export default defineNuxtModule<ModuleOptions>({
       clientSecret: '',
       redirectURL: '',
     })
+    // Hubspot OAuth
+    runtimeConfig.oauth.hubspot = defu(runtimeConfig.oauth.hubspot, {
+      clientId: '',
+      clientSecret: '',
+      redirectURL: '',
+    })
   },
 })

src/runtime/server/lib/oauth/hubspot.ts

@@ -0,0 +1,121 @@
+import type { H3Event } from 'h3'
+import { eventHandler, getQuery, sendRedirect } from 'h3'
+import { withQuery } from 'ufo'
+import defu from 'defu'
+import {
+  getOAuthRedirectURL,
+  handleAccessTokenErrorResponse,
+  handleMissingConfiguration,
+  requestAccessToken,
+} from '../utils'
+import { useRuntimeConfig } from '#imports'
+import type { OAuthConfig } from '#auth-utils'
+
+export interface OAuthHubspotConfig {
+  /**
+   * Hubspot OAuth Client ID
+   * @default process.env.NUXT_OAUTH_HUBSPOT_CLIENT_ID
+   */
+  clientId?: string
+
+  /**
+   * Hubspot OAuth Client Secret
+   * @default process.env.NUXT_OAUTH_HUBSPOT_CLIENT_SECRET
+   */
+  clientSecret?: string
+
+  /**
+   * Hubspot OAuth Redirect URL
+   * @default process.env.NUXT_OAUTH_HUBSPOT_REDIRECT_URL
+   */
+  redirectURL?: string
+
+  /**
+   * Hubspot OAuth Scope
+   * @default ['oauth']
+   * @see https://developers.hubspot.com/beta-docs/guides/apps/authentication/scopes
+   * @example ['accounting', 'automation', 'actions']
+   */
+  scope?: string[]
+}
+interface SignedAccessToken {
+  expiresAt: number
+  scopes: string
+  hubId: number
+  userId: number
+  appId: number
+  signature: string
+  scopeToScopeGroupPks?: string
+  newSignature?: string
+  hublet?: string
+  trialScopes?: string
+  trialScopeToScopeGroupPks?: string
+  isUserLevel: boolean
+}
+
+interface OAuthHubspotAccessInfo {
+  token: string
+  user: string
+  hub_domain: string
+  scopes: string[]
+  signed_access_token: SignedAccessToken
+  hub_id: number
+  app_id: number
+  expires_in: number
+  user_id: number
+  token_type: string
+}
+
+export function defineOAuthHubspotEventHandler({ config, onSuccess, onError }: OAuthConfig<OAuthHubspotConfig>) {
+  return eventHandler(async (event: H3Event) => {
+    config = defu(config, useRuntimeConfig(event).oauth?.hubspot) as OAuthHubspotConfig
+
+    if (!config.clientId || !config.clientSecret || !config.redirectURL) {
+      return handleMissingConfiguration(event, 'hubspot', ['clientId', 'clientSecret', 'redirectURL'], onError)
+    }
+
+    const query = getQuery<{ code?: string, state?: string, error?: string, error_description?: string }>(event)
+    const redirectURL = config.redirectURL || getOAuthRedirectURL(event)
+
+    if (query.error) {
+      return handleAccessTokenErrorResponse(event, 'hubspot', query, onError)
+    }
+
+    if (!query.code) {
+      return sendRedirect(
+        event,
+        withQuery('https://app.hubspot.com/oauth/authorize', {
+          client_id: config.clientId,
+          redirect_uri: redirectURL,
+          scope: config.scope?.join(' ') || 'oauth',
+        }),
+      )
+    }
+
+    const tokens = await requestAccessToken(
+      'https://api.hubapi.com/oauth/v1/token', {
+        body: {
+          client_id: config.clientId,
+          client_secret: config.clientSecret,
+          code: query.code as string,
+          redirect_uri: redirectURL,
+          grant_type: 'authorization_code',
+        },
+      })
+
+    if (tokens.error) {
+      return handleAccessTokenErrorResponse(event, 'hubspot', tokens, onError)
+    }
+
+    const info: OAuthHubspotAccessInfo = await $fetch('https://api.hubapi.com/oauth/v1/access-tokens/' + tokens.access_token)
+
+    return onSuccess(event, {
+      user: {
+        id: info.user_id,
+        email: info.user,
+        domain: info.hub_domain,
+      },
+      tokens,
+    })
+  })
+}

src/runtime/types/oauth-config.ts

@@ -1,6 +1,6 @@
 import type { H3Event, H3Error } from 'h3'
 
-export type OAuthProvider = 'auth0' | 'authentik' | 'battledotnet' | 'cognito' | 'discord' | 'dropbox' | 'facebook' | 'github' | 'gitlab' | 'google' | 'instagram' | 'keycloak' | 'linear' | 'linkedin' | 'microsoft' | 'paypal' | 'polar' | 'spotify' | 'seznam' | 'steam' | 'strava' | 'tiktok' | 'twitch' | 'vk' | 'workos' | 'x' | 'xsuaa' | 'yandex' | 'zitadel' | (string & {})
+export type OAuthProvider = 'auth0' | 'authentik' | 'battledotnet' | 'cognito' | 'discord' | 'dropbox' | 'facebook' | 'github' | 'gitlab' | 'google' | 'hubspot' | 'instagram' | 'keycloak' | 'linear' | 'linkedin' | 'microsoft' | 'paypal' | 'polar' | 'spotify' | 'seznam' | 'steam' | 'strava' | 'tiktok' | 'twitch' | 'vk' | 'workos' | 'x' | 'xsuaa' | 'yandex' | 'zitadel' | (string & {})
 
 export type OnError = (event: H3Event, error: H3Error) => Promise<void> | void