Support Quest Platform SDK auth with oculusId fallback

When the Data Use Checkup hasn't granted numeric ID access, the SDK returns oculusId (string username) instead. This makes nonce optional, skips nonce verification for non-numeric userIds, and uses oculusId as the metaId when numeric ID is unavailable.
2026-02-24 12:41:54 +01:00
parent 0eab05f15b
commit 7351003c6b
4 changed files with 66 additions and 48 deletions
--- a/src/services/meta-auth.service.ts
+++ b/src/services/meta-auth.service.ts
@@ -1,55 +1,58 @@
 import { config } from '../config.js';

-interface MetaTokenResponse {
-  access_token: string;
-  token_type: string;
-  expires_in: number;
+interface NonceValidateResponse {
+  is_valid: boolean;
 }

-interface MetaProfile {
+interface OculusUserResponse {
  id: string;
-  name: string;
-  email?: string;
-  picture?: { data?: { url?: string } };
+  alias: string;
+  avatar_uri?: string;
 }

-export async function exchangeMetaCode(code: string): Promise<{ accessToken: string }> {
+/**
+ * Verify a Quest Platform SDK user proof (nonce) via Meta's server-side API.
+ * The app calls Users.getUserProof() on-device, sends the nonce + userId here,
+ * and we verify it with Meta using an app access token.
+ */
+export async function verifyUserProof(userId: string, nonce: string): Promise<boolean> {
+  const accessToken = `OC|${config.meta.appId}|${config.meta.appSecret}`;
  const params = new URLSearchParams({
-    client_id: config.meta.appId,
-    client_secret: config.meta.appSecret,
-    redirect_uri: config.meta.redirectUri,
-    code,
+    access_token: accessToken,
+    nonce,
+    user_id: userId,
  });

  const res = await fetch(
-    `https://graph.facebook.com/v19.0/oauth/access_token?${params}`,
+    `https://graph.oculus.com/user_nonce_validate?${params}`,
+    { method: 'POST' },
  );
  if (!res.ok) {
    const body = await res.text();
-    throw new Error(`Meta token exchange failed: ${res.status} ${body}`);
+    throw new Error(`Nonce validation request failed: ${res.status} ${body}`);
  }
-  const data = (await res.json()) as MetaTokenResponse;
-  return { accessToken: data.access_token };
+  const data = (await res.json()) as NonceValidateResponse;
+  return data.is_valid;
 }

-export async function fetchMetaProfile(accessToken: string): Promise<{
+/**
+ * Fetch Oculus user profile using an app access token.
+ */
+export async function fetchOculusProfile(userId: string): Promise<{
  metaId: string;
  displayName: string;
-  email: string | null;
-  avatarUrl: string | null;
 }> {
+  const accessToken = `OC|${config.meta.appId}|${config.meta.appSecret}`;
  const res = await fetch(
-    `https://graph.facebook.com/v19.0/me?fields=id,name,email,picture.type(large)&access_token=${accessToken}`,
+    `https://graph.oculus.com/${userId}?fields=id,alias&access_token=${accessToken}`,
  );
  if (!res.ok) {
    const body = await res.text();
-    throw new Error(`Meta profile fetch failed: ${res.status} ${body}`);
+    throw new Error(`Oculus profile fetch failed: ${res.status} ${body}`);
  }
-  const data = (await res.json()) as MetaProfile;
+  const data = (await res.json()) as OculusUserResponse;
  return {
    metaId: data.id,
-    displayName: data.name,
-    email: data.email ?? null,
-    avatarUrl: data.picture?.data?.url ?? null,
+    displayName: data.alias,
  };
 }