Add OAuth2 server module with token verification and management APIs #6

Copilot · 2026-01-13T04:49:27Z

Implements OAuth2 server functionality for token verification, validation, and personal access token management.

New APIs

Token Verification

GET /oauth/token/info - Verify token validity with expiration check
GET /oauth/token/details - Get comprehensive token metadata
POST /oauth/token/validate - Validate token from request body

Personal Access Token Management

GET /oauth/personal-access-tokens - List user's tokens
POST /oauth/personal-access-tokens - Create token (returns once)
DELETE /oauth/personal-access-tokens/:token_id - Revoke token

Health Check

GET /ayaka/oauth2-server - Module status endpoint

Implementation

Module Structure (services/web/modules/oauth2-server/)

SecretsHelper.js - SHA-512 token hashing (matches existing Overleaf OAuth implementation)
Oauth2Server.js - Token lookup, verification, and expiration logic
OAuthPersonalAccessTokenManager.mjs - CRUD operations on oauthAccessTokens collection
TokenController.js - Token verification endpoints with Bearer token extraction
OAuthPersonalAccessTokenController.js - Protected endpoints requiring login
Oauth2ServerRouter.mjs - Route definitions

Token Format

Prefix: olpat_ (64 hex chars)
Storage: SHA-512 hash in oauthAccessTokens.accessToken
Display: Last 8 chars in accessTokenPartial
Tracking: Updates lastUsedAt on each use

Usage

# Verify token validity
curl -H "Authorization: Bearer olpat_..." \
  http://localhost:3000/oauth/token/info

# Response
{
  "valid": true,
  "token": {
    "type": "personal",
    "scope": "*",
    "user_id": "...",
    "createdAt": "...",
    "expiresAt": null
  }
}

Configuration

Added oauth2-server to moduleImportSequence in services/web/config/settings.defaults.js for automatic module loading.

Original prompt

import logger from '@overleaf/logger'
import AuthenticationController from '../../../../app/src/Features/Authentication/AuthenticationController.mjs'
import OAuthPersonalAccessTokenController from './OAuthPersonalAccessTokenController.js'
import TokenController from './TokenController.js'

export default {
apply(webRouter) {
logger.debug({}, 'Oauth2Server router')
webRouter.get('/ayaka/oauth2-server', (req, res) => {
res.json({ message: 'Dev by ayaka-notes' })
})
    webRouter.get('/oauth/token/info', TokenController.checkOAuthToken)

    webRouter.get('/oauth/personal-access-tokens',
        AuthenticationController.requireLogin(),
        OAuthPersonalAccessTokenController.getUserPersonalAccessTokens
    )

    webRouter.post('/oauth/personal-access-tokens',
        AuthenticationController.requireLogin(),
        OAuthPersonalAccessTokenController.createPersonalAccessToken
    )

    webRouter.delete('/oauth/personal-access-tokens/:token_id',
        AuthenticationController.requireLogin(),
        OAuthPersonalAccessTokenController.deletePersonalAccessToken
    )
}
}
我觉得你之前写的不错但是还需要下面几个api 起码我要能获取、验证、还有校验是否一个oauth token是合法的吧具体我该怎么做教我

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Co-authored-by: Musicminion <84625273+Musicminion@users.noreply.github.com>

Initial plan

37c1e24

Copilot AI assigned Copilot and Musicminion Jan 13, 2026

Copilot started work on behalf of Musicminion January 13, 2026 04:49 View session

Copilot AI and others added 4 commits January 13, 2026 04:58

Add OAuth2 server module with token management APIs

45a11f5

Co-authored-by: Musicminion <84625273+Musicminion@users.noreply.github.com>

Fix ObjectId handling in token deletion and add documentation

8162690

Co-authored-by: Musicminion <84625273+Musicminion@users.noreply.github.com>

Add comprehensive Chinese usage guide for OAuth2 APIs

9f3ba20

Co-authored-by: Musicminion <84625273+Musicminion@users.noreply.github.com>

Improve Bearer token extraction and add security documentation

6f31e38

Co-authored-by: Musicminion <84625273+Musicminion@users.noreply.github.com>

Copilot AI changed the title ~~[WIP] Add OAuth2 server routes for personal access tokens~~ Add OAuth2 server module with token verification and management APIs Jan 13, 2026

Copilot AI requested a review from Musicminion January 13, 2026 05:03

Copilot finished work on behalf of Musicminion January 13, 2026 05:03

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add OAuth2 server module with token verification and management APIs #6

Add OAuth2 server module with token verification and management APIs #6

Uh oh!

Copilot AI commented Jan 13, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Add OAuth2 server module with token verification and management APIs #6

Are you sure you want to change the base?

Add OAuth2 server module with token verification and management APIs #6

Uh oh!

Conversation

Copilot AI commented Jan 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

New APIs

Implementation

Usage

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Copilot AI commented Jan 13, 2026 •

edited

Loading