Merge pull request #893 from helixml/feature/third-party-bff

UI polish, and first pass on multi-oauth provider support

Author: lukemarsden

.drone.yml

@@ -17,10 +17,11 @@ steps:
   depends_on: []
 
 - name: build-frontend
-  image: node:21-alpine
+  image: node:23-alpine
   commands:
     - cd frontend
     - yarn install
+    - yarn test
     - yarn build
   depends_on: []
 

README.md

@@ -72,4 +72,3 @@ Contributions to the source code are welcome, and by contributing you confirm th
 * We don't want cloud providers to take our open source code and build a rebranded service on top of it.
 
 If you would like to use some part of this code under a more permissive license, please [get in touch](mailto:[email protected]).
-

api/cmd/helix/serve.go

@@ -20,6 +20,7 @@ import (
 	"github.com/helixml/helix/api/pkg/janitor"
 	"github.com/helixml/helix/api/pkg/license"
 	"github.com/helixml/helix/api/pkg/notification"
+	"github.com/helixml/helix/api/pkg/oauth"
 	"github.com/helixml/helix/api/pkg/openai"
 	"github.com/helixml/helix/api/pkg/openai/logger"
 	"github.com/helixml/helix/api/pkg/openai/manager"
@@ -383,6 +384,15 @@ func serve(cmd *cobra.Command, cfg *config.ServerConfig) error {
 		RunnerController:     runnerController,
 	}
 
+	// Create the OAuth manager
+	oauthManager := oauth.NewManager(postgresStore)
+	if err := oauthManager.LoadProviders(ctx); err != nil {
+		log.Error().Err(err).Msg("failed to load oauth providers")
+	}
+
+	// Update controller options with the OAuth manager
+	controllerOptions.OAuthManager = oauthManager
+
 	appController, err = controller.NewController(ctx, controllerOptions)
 	if err != nil {
 		return err
@@ -443,6 +453,7 @@ func serve(cmd *cobra.Command, cfg *config.ServerConfig) error {
 		knowledgeReconciler,
 		scheduler,
 		pingService,
+		oauthManager,
 	)
 	if err != nil {
 		return err

api/pkg/controller/app_handlers.go

@@ -0,0 +1,66 @@
+package controller
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/helixml/helix/api/pkg/oauth"
+	"github.com/helixml/helix/api/pkg/types"
+	"github.com/rs/zerolog/log"
+)
+
+// getAppOAuthTokenEnv retrieves OAuth tokens for an app and returns them as environment variables
+// This function is currently unused but kept for future implementation
+// nolint:unused
+func (c *Controller) getAppOAuthTokenEnv(ctx context.Context, app *types.App, userID string) ([]string, error) {
+	if c.Options.OAuthManager == nil {
+		return nil, nil
+	}
+
+	var envVars []string
+
+	// Check each assistant's tools for OAuth provider requirements
+	for _, assistant := range app.Config.Helix.Assistants {
+		for _, tool := range assistant.Tools {
+			if tool.ToolType == types.ToolTypeAPI && tool.Config.API != nil && tool.Config.API.OAuthProvider != "" {
+				providerType := tool.Config.API.OAuthProvider
+				requiredScopes := tool.Config.API.OAuthScopes
+
+				token, err := c.Options.OAuthManager.GetTokenForTool(ctx, userID, providerType, requiredScopes)
+				if err != nil {
+					// Check if it's a scope error
+					var scopeErr *oauth.ScopeError
+					if errors.As(err, &scopeErr) {
+						log.Warn().
+							Str("app_id", app.ID).
+							Str("user_id", userID).
+							Str("provider", string(providerType)).
+							Strs("missing_scopes", scopeErr.Missing).
+							Msg("Missing required OAuth scopes for tool")
+
+						// Include this error in logs but continue with other providers
+						continue
+					}
+
+					// For other errors, log and continue
+					log.Warn().
+						Err(err).
+						Str("app_id", app.ID).
+						Str("user_id", userID).
+						Str("provider", string(providerType)).
+						Msg("Failed to get OAuth token for tool")
+
+					continue
+				}
+
+				// Add the token as an environment variable
+				envVar := fmt.Sprintf("OAUTH_TOKEN_%s=%s", strings.ToUpper(string(providerType)), token)
+				envVars = append(envVars, envVar)
+			}
+		}
+	}
+
+	return envVars, nil
+}

api/pkg/controller/controller.go

@@ -11,6 +11,7 @@ import (
 	"github.com/helixml/helix/api/pkg/janitor"
 	"github.com/helixml/helix/api/pkg/model"
 	"github.com/helixml/helix/api/pkg/notification"
+	"github.com/helixml/helix/api/pkg/oauth"
 	"github.com/helixml/helix/api/pkg/openai"
 	"github.com/helixml/helix/api/pkg/openai/manager"
 	"github.com/helixml/helix/api/pkg/pubsub"
@@ -35,6 +36,7 @@ type Options struct {
 	DataprepOpenAIClient openai.Client
 	Scheduler            *scheduler.Scheduler
 	RunnerController     *scheduler.RunnerController
+	OAuthManager         *oauth.Manager
 }
 
 type Controller struct {

api/pkg/controller/inference.go

@@ -3,6 +3,7 @@ package controller
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"path/filepath"
 	"strings"
@@ -20,17 +21,18 @@ import (
 	"github.com/helixml/helix/api/pkg/types"
 	"gopkg.in/yaml.v2"
 
+	"github.com/helixml/helix/api/pkg/oauth"
 	"github.com/rs/zerolog/log"
 	openai "github.com/sashabaranov/go-openai"
 )
 
 type ChatCompletionOptions struct {
-	AppID       string
-	AssistantID string
-	RAGSourceID string
-	Provider    string
-
-	QueryParams map[string]string
+	AppID        string
+	AssistantID  string
+	RAGSourceID  string
+	Provider     string
+	QueryParams  map[string]string
+	OAuthEnvVars []string // OAuth environment variables
 }
 
 // ChatCompletion is used by the OpenAI compatible API. Doesn't handle any historical sessions, etc.
@@ -87,6 +89,12 @@ func (c *Controller) ChatCompletion(ctx context.Context, user *types.User, req o
 		return nil, nil, fmt.Errorf("failed to get client: %v", err)
 	}
 
+	// Evaluate and add OAuth tokens
+	err = c.evalAndAddOAuthTokens(ctx, client, opts, user)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to add OAuth tokens: %w", err)
+	}
+
 	resp, err := client.CreateChatCompletion(ctx, req)
 	if err != nil {
 		log.Err(err).Msg("error creating chat completion")
@@ -156,6 +164,12 @@ func (c *Controller) ChatCompletionStream(ctx context.Context, user *types.User,
 		return nil, nil, fmt.Errorf("failed to get client: %v", err)
 	}
 
+	// Evaluate and add OAuth tokens
+	err = c.evalAndAddOAuthTokens(ctx, client, opts, user)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to add OAuth tokens: %w", err)
+	}
+
 	stream, err := client.CreateChatCompletionStream(ctx, req)
 	if err != nil {
 		log.Err(err).Msg("error creating chat completion stream")
@@ -919,3 +933,107 @@ func (c *Controller) UpdateSessionWithKnowledgeResults(ctx context.Context, sess
 
 	return nil
 }
+
+func (c *Controller) getAppOAuthTokens(ctx context.Context, userID string, app *types.App) ([]string, error) {
+	// Initialize empty slice for environment variables
+	var envVars []string
+
+	// Only proceed if we have an OAuth manager
+	if c.Options.OAuthManager == nil {
+		log.Debug().Msg("No OAuth manager available")
+		return nil, nil
+	}
+
+	// If app is nil, return empty slice
+	if app == nil {
+		return nil, nil
+	}
+
+	// Keep track of providers we've seen to avoid duplicates
+	seenProviders := make(map[types.OAuthProviderType]bool)
+
+	// First, check the tools defined in assistants
+	for _, assistant := range app.Config.Helix.Assistants {
+		for _, tool := range assistant.Tools {
+			if tool.ToolType == types.ToolTypeAPI && tool.Config.API != nil && tool.Config.API.OAuthProvider != "" {
+				providerType := tool.Config.API.OAuthProvider
+				requiredScopes := tool.Config.API.OAuthScopes
+
+				// Skip if we've already processed this provider
+				if seenProviders[providerType] {
+					continue
+				}
+				seenProviders[providerType] = true
+
+				token, err := c.Options.OAuthManager.GetTokenForTool(ctx, userID, providerType, requiredScopes)
+				if err == nil && token != "" {
+					envName := fmt.Sprintf("OAUTH_TOKEN_%s", strings.ToUpper(string(providerType)))
+					envVars = append(envVars, fmt.Sprintf("%s=%s", envName, token))
+					log.Debug().Str("provider", string(providerType)).Msg("Added OAuth token to app environment")
+				} else {
+					var scopeErr *oauth.ScopeError
+					if errors.As(err, &scopeErr) {
+						log.Warn().
+							Str("app_id", app.ID).
+							Str("user_id", userID).
+							Str("provider", string(providerType)).
+							Strs("missing_scopes", scopeErr.Missing).
+							Msg("Missing required OAuth scopes for tool")
+					} else {
+						log.Debug().Err(err).Str("provider", string(providerType)).Msg("Failed to get OAuth token for tool")
+					}
+				}
+			}
+		}
+	}
+
+	return envVars, nil
+}
+
+func (c *Controller) evalAndAddOAuthTokens(ctx context.Context, client oai.Client, opts *ChatCompletionOptions, user *types.User) error {
+	// If we already have OAuth tokens, use them
+	if len(opts.OAuthEnvVars) > 0 {
+		return nil
+	}
+
+	// If we have an app ID, try to get OAuth tokens
+	if opts.AppID != "" && c.Options.OAuthManager != nil {
+		app, err := c.Options.Store.GetApp(ctx, opts.AppID)
+		if err != nil {
+			log.Debug().Err(err).Str("app_id", opts.AppID).Msg("Failed to get app for OAuth tokens")
+			return nil // Continue without OAuth tokens
+		}
+
+		// Get OAuth tokens as environment variables
+		oauthEnvVars, err := c.getAppOAuthTokens(ctx, user.ID, app)
+		if err != nil {
+			log.Debug().Err(err).Str("app_id", opts.AppID).Msg("Failed to get OAuth tokens for app")
+			return nil // Continue without OAuth tokens
+		}
+
+		// Add OAuth tokens to the options
+		opts.OAuthEnvVars = oauthEnvVars
+
+		// If we have tokens, add them to the client as well
+		if len(oauthEnvVars) > 0 {
+			for _, envVar := range oauthEnvVars {
+				parts := strings.SplitN(envVar, "=", 2)
+				if len(parts) == 2 {
+					envKey, envValue := parts[0], parts[1]
+					// Only process OAUTH_TOKEN_ variables
+					if strings.HasPrefix(envKey, "OAUTH_TOKEN_") {
+						// Extract provider type from env var name (e.g., OAUTH_TOKEN_GITHUB -> github)
+						providerType := strings.ToLower(strings.TrimPrefix(envKey, "OAUTH_TOKEN_"))
+						log.Debug().Str("provider", providerType).Msg("Added OAuth token to API client HTTP headers")
+						// Add OAuth token to client (if supported)
+						if retryableClient, ok := client.(*oai.RetryableClient); ok {
+							retryableClient.AddOAuthToken(providerType, envValue)
+						}
+					}
+				}
+			}
+		}
+	}
+
+	return nil
+}