feat(campaigns): refresh OAuth tokens automatically before sending campaigns (#2635)

* chore: ignore local worktree directory

* fix: pass SUPABASE_PROJECT_URL to leadminer.io for edge functions deployment

- Add SUPABASE_PROJECT_URL to repository_dispatch client_payload for QA and prod triggers
- Add validation to fail if secret is missing before dispatching
- This enables edge functions to use the public URL instead of internal kong URL for tracking links

* docs: clarify SUPABASE_PROJECT_URL usage for self-hosted/prod

Add clear comments explaining that SUPABASE_PROJECT_URL needs to be
set to the public Supabase URL (e.g., https://db.yourdomain.com) for
self-hosted and production deployments.

* fix: refresh sources after mining completes/stops, update wording

* fix: show GDPR toast when starting mining

* feat(campaigns): add OAuth token refresh function

* fix(campaigns): add error logging in OAuth token refresh

* feat(campaigns): add database update function for credentials

* fix(campaigns): add error logging and input validation to updateMiningSourceCredentials

* fix(campaigns): add logging for silent failures in listUniqueSenderSources and refreshOAuthToken

* feat(campaigns): refresh OAuth tokens before verifying sender availability

* fix(campaigns): add error handling for token refresh in resolveSenderOptions

* fix(campaigns): add warning when token refresh fails

* style: fix DeepSource issues - optional chaining and property shorthand

Author: baderdean

frontend/src/i18n/messages.json

@@ -136,7 +136,10 @@
       "toast_canceled_title": "Mining canceled",
       "toast_canceled_by_connection_detail": "Your mining was interrupted due to an internet connection issue.",
       "extract_signatures_option": "Extract contact details from signatures",
-      "extract_signatures_sub": "( this may take more time )"
+      "extract_signatures_sub": "( this may take more time )",
+      "contacts_got_rights_title": "Your contacts have rights",
+      "contacts_got_rights_detail": "You need consent or legitimate interest to contact them.",
+      "learn_more_about_rights": "Learn more about your contacts' rights"
     },
     "error": {
       "default": {
@@ -287,7 +290,10 @@
       "toast_canceled_title": "Extraction annulée",
       "toast_canceled_by_connection_detail": "Connexion perdue. Extraction annulée. Veuillez vous reconnecter pour commencer une nouvelle extraction.",
       "extract_signatures_option": "Extraire les coordonnées depuis les signatures",
-      "extract_signatures_sub": "(l'extraction prendra plus de temps)"
+      "extract_signatures_sub": "(l'extraction prendra plus de temps)",
+      "contacts_got_rights_title": "Vos contacts ont des droits",
+      "contacts_got_rights_detail": "Vous avez besoin du consentement ou d'un intérêt légitime pour les contacter.",
+      "learn_more_about_rights": "En savoir plus sur les droits de vos contacts"
     },
     "error": {
       "default": {

frontend/src/stores/leadminer.ts

@@ -274,8 +274,9 @@ export const useLeadminerStore = defineStore('leadminer', () => {
       onMiningCompleted: () => {
         console.info('Mining marked as completed.');
         miningCompleted.value = true;
-        setTimeout(() => {
+        setTimeout(async () => {
           miningTask.value = undefined;
+          await fetchMiningSources();
         }, 100);
       },
     });
@@ -448,11 +449,13 @@ export const useLeadminerStore = defineStore('leadminer', () => {
       fetchingFinished.value = true;
       extractionFinished.value = true;
       isLoadingStopMining.value = false;
+      await fetchMiningSources();
     } catch (err) {
       fetchingFinished.value = true;
       extractionFinished.value = true;
       cleaningFinished.value = true;
       isLoadingStopMining.value = false;
+      await fetchMiningSources();
       throw err;
     }
   }

frontend/src/utils/extras.ts

@@ -3,8 +3,26 @@ import type { NormalizedLocation } from '~/types/contact';
 export const PrivacyPolicyButton = null;
 export const AcceptNewsLetter = null;
 export const CampaignButton = null;
-// skipcq: JS-0321
-export function startMiningNotification() {}
+
+export function startMiningNotification() {
+  const { t } = useI18n({ useScope: 'global' });
+  const $toast = useToast();
+
+  $toast.add({
+    severity: 'info',
+    summary: t('mining.contacts_got_rights_title'),
+    detail: {
+      message: t('mining.contacts_got_rights_detail'),
+      link: {
+        text: t('mining.learn_more_about_rights'),
+        url: 'https://leadminer.io/donnees-personnelles',
+      },
+    },
+    life: 8000,
+    group: 'has-links',
+  });
+}
+
 export function getLocationUrl(location: NormalizedLocation) {
   return `https://www.openstreetmap.org/${location.osm_type}/${location.osm_id}`;
 }

supabase/functions/email-campaigns/index.ts

@@ -12,6 +12,8 @@ import { sendEmail, verifyTransport } from "./email.ts";
 import {
   getSenderCredentialIssue,
   listUniqueSenderSources,
+  refreshOAuthToken,
+  updateMiningSourceCredentials,
 } from "./sender-options.ts";
 
 const functionName = "email-campaigns";
@@ -569,10 +571,43 @@ async function resolveSenderOptions(authorization: string, userEmail: string) {
   const transportBySender: Record<string, Transport | null> = {
     [fallbackSenderEmail]: null,
   };
+  const supabaseAdmin = createSupabaseAdmin();
+
   const sources = listUniqueSenderSources(
     await getUserMiningSources(authorization),
   );
 
+  for (let i = 0; i < sources.length; i++) {
+    const source = sources[i];
+    const credentialIssue = getSenderCredentialIssue(source);
+
+    if (credentialIssue?.includes("expired")) {
+      try {
+        const refreshed = await refreshOAuthToken(source);
+        if (refreshed) {
+          const updated = await updateMiningSourceCredentials(
+            supabaseAdmin,
+            source.email,
+            refreshed.credentials,
+          );
+          if (updated) {
+            sources[i] = refreshed;
+          }
+        } else {
+          console.warn(
+            `Could not refresh token for ${source.email}, source will remain unavailable`,
+          );
+        }
+      } catch (error) {
+        console.error(
+          "Failed to refresh token for source:",
+          source.email,
+          error,
+        );
+      }
+    }
+  }
+
   for (const source of sources) {
     const credentialIssue = getSenderCredentialIssue(source);
     if (credentialIssue) {

supabase/functions/email-campaigns/sender-options.ts

@@ -1,18 +1,104 @@
 import { normalizeEmail } from "../_shared/email.ts";
+import { createSupabaseAdmin } from "../_shared/supabase.ts";
 
 export type MiningSourceCredential = {
   email: string;
   type: string;
   credentials: Record<string, unknown>;
 };
 
+export async function refreshOAuthToken(
+  source: MiningSourceCredential,
+): Promise<MiningSourceCredential | null> {
+  const kind = source.type.trim().toLowerCase();
+  if (kind !== "google" && kind !== "azure") {
+    return null;
+  }
+
+  const refreshToken = String(source.credentials.refreshToken || "");
+  if (!refreshToken) {
+    return null;
+  }
+
+  let tokenUrl: string;
+  let clientId: string;
+  let clientSecret: string;
+
+  if (kind === "google") {
+    tokenUrl = "https://oauth2.googleapis.com/token";
+    clientId = Deno.env.get("GOOGLE_OAUTH_CLIENT_ID") || "";
+    clientSecret = Deno.env.get("GOOGLE_OAUTH_CLIENT_SECRET") || "";
+  } else {
+    tokenUrl = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
+    clientId = Deno.env.get("AZURE_OAUTH_CLIENT_ID") || "";
+    clientSecret = Deno.env.get("AZURE_OAUTH_CLIENT_SECRET") || "";
+  }
+
+  if (!clientId || !clientSecret) {
+    return null;
+  }
+
+  const params = new URLSearchParams({
+    client_id: clientId,
+    client_secret: clientSecret,
+    refresh_token: refreshToken,
+    grant_type: "refresh_token",
+  });
+
+  const expiresAtInput = Number(source.credentials.expiresAt);
+  if (!Number.isFinite(expiresAtInput) || expiresAtInput <= 0) {
+    console.warn("Missing or invalid expiresAt in source credentials");
+  }
+
+  try {
+    const response = await fetch(tokenUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: params.toString(),
+    });
+
+    if (!response.ok) {
+      const status = response.status;
+      const body = await response.text();
+      console.error(`OAuth token refresh failed: ${status} - ${body}`);
+      return null;
+    }
+
+    const tokenData = (await response.json()) as {
+      access_token: string;
+      refresh_token?: string;
+      expires_in: number;
+    };
+
+    const nowMs = Date.now();
+    const expiresAt = nowMs + tokenData.expires_in * 1000;
+
+    return {
+      ...source,
+      credentials: {
+        ...source.credentials,
+        accessToken: tokenData.access_token,
+        refreshToken: tokenData.refresh_token || refreshToken,
+        expiresAt,
+      },
+    };
+  } catch (error) {
+    console.error("Failed to refresh OAuth token:", error);
+    return null;
+  }
+}
+
 export function listUniqueSenderSources(
   sources: MiningSourceCredential[],
 ): MiningSourceCredential[] {
   const byEmail = new Map<string, MiningSourceCredential>();
   for (const source of sources) {
     const key = normalizeEmail(source.email);
-    if (!key || byEmail.has(key)) continue;
+    if (!key) {
+      console.warn("Skipping source with invalid email:", source.email);
+      continue;
+    }
+    if (byEmail.has(key)) continue;
     byEmail.set(key, source);
   }
   return [...byEmail.values()];
@@ -34,3 +120,24 @@ export function getSenderCredentialIssue(
 
   return null;
 }
+
+export async function updateMiningSourceCredentials(
+  supabaseAdmin: ReturnType<typeof createSupabaseAdmin>,
+  email: string,
+  credentials: Record<string, unknown>,
+): Promise<boolean> {
+  if (!email || typeof email !== "string") {
+    console.error("Invalid email provided to updateMiningSourceCredentials");
+    return false;
+  }
+
+  const { error } = await supabaseAdmin
+    .from("mining_sources")
+    .update({ credentials })
+    .eq("email", email);
+
+  if (error) {
+    console.error("Failed to update mining source credentials:", error);
+  }
+  return !error;
+}