Appearance
SocialAccountManager
Manages social account linking via OAuth 2.0 with PKCE, encrypted token storage, and profile synchronization.
Purpose
SocialAccountManager handles linking external social accounts (currently Twitter/X) to a user's portfolio. It implements the full OAuth 2.0 authorization code flow with PKCE (Proof Key for Code Exchange) for security, ensuring the code verifier is never exposed to the frontend.
OAuth tokens are encrypted at rest using AES-256-GCM with a server-side encryption key. Access tokens are automatically refreshed when they approach expiry (1-minute buffer), with retry logic and exponential backoff for transient failures. Profile data is cached and can be refreshed on demand with a 24-hour rate limit.
Unlinking uses soft delete (sets is_active = 0 and unlinked_at) to preserve history, while tokens are hard-deleted for security. After linking, unlinking, or profile refresh, the manager triggers a leaderboard update to reflect the social profile change.
Edge Cases & Error Handling
- PKCE verifier is stored server-side only (never sent to frontend), preventing authorization code interception attacks
- Token decryption failures throw
TOKEN_DECRYPTION_FAILEDwithout exposing error details - Encryption key must be exactly 32 bytes (AES-256); invalid length throws
ENCRYPTION_KEY_INVALID_LENGTH - Token refresh uses 3 retries with exponential backoff (500ms, 1s, 2s); non-retryable 4xx errors (except 429, 408) fail immediately
- Re-linking the same provider soft-deletes the old account before creating a new one
- Profile refresh rate limited to 24 hours to prevent Twitter API quota exhaustion
- OAuth sessions expire after 10 minutes to limit the window for CSRF attacks