feat: Add settings page for connection management, initial backend application, API reference, and onboarding pages.

Author: cliff-de-tech

backend/app.py

@@ -407,14 +407,13 @@ def linkedin_callback(code: str = None, state: str = None, redirect_uri: str = N
 
 
 # User settings endpoints
+# SECURITY: Only safe fields are accepted from frontend
 class UserSettingsRequest(BaseModel):
     user_id: str
-    linkedin_client_id: Optional[str] = None
-    linkedin_client_secret: Optional[str] = None
-    linkedin_user_urn: Optional[str] = None
-    groq_api_key: Optional[str] = None
     github_username: Optional[str] = None
-    unsplash_access_key: Optional[str] = None
+    onboarding_complete: Optional[bool] = None
+    # NOTE: API keys are managed server-side via environment variables
+    # Frontend NEVER sends credentials to this endpoint
 
 
 class AuthRefreshRequest(BaseModel):
@@ -454,40 +453,66 @@ def save_settings(settings: UserSettingsRequest):
 
 @app.get("/api/settings/{user_id}")
 def get_settings(user_id: str):
-    """Get user settings by user ID"""
+    """
+    Get user settings by user ID.
+    
+    SECURITY: Returns ONLY safe, non-sensitive data.
+    No credentials, tokens, or API keys are returned.
+    """
     if not get_user_settings:
         return {"error": "User settings service not available"}
     try:
         settings = get_user_settings(user_id)
         if settings:
-            # Return masked versions of secrets so frontend knows they're saved
-            # but doesn't expose the actual values
-            groq_key = settings.get("groq_api_key")
-            unsplash_key = settings.get("unsplash_access_key")
-            linkedin_id = settings.get("linkedin_client_id")
-            linkedin_secret = settings.get("linkedin_client_secret")
-            
+            # SECURITY: Only return safe data, no credentials
             return {
                 "user_id": settings.get("user_id"),
                 "github_username": settings.get("github_username") or "",
-                # Return masked versions for display
-                "groq_api_key": f"{groq_key[:8]}...{groq_key[-4:]}" if groq_key and len(groq_key) > 12 else ("••••••••" if groq_key else ""),
-                "unsplash_access_key": f"{unsplash_key[:8]}...{unsplash_key[-4:]}" if unsplash_key and len(unsplash_key) > 12 else ("••••••••" if unsplash_key else ""),
-                "linkedin_client_id": linkedin_id or "",
-                "linkedin_client_secret": "••••••••" if linkedin_secret else "",
-                # Also keep the boolean flags for compatibility
-                "has_linkedin": bool(linkedin_id),
-                "has_groq": bool(groq_key),
-                "has_unsplash": bool(unsplash_key),
+                "onboarding_complete": settings.get("onboarding_complete", False),
                 "subscription_tier": settings.get("subscription_tier") or "free",
                 "subscription_status": settings.get("subscription_status") or "active",
-                "subscription_expires_at": settings.get("subscription_expires_at"),
             }
         return {"error": "User not found"}
     except Exception as e:
         return {"error": str(e)}
 
 
+@app.get("/api/connection-status/{user_id}")
+def get_connection_status_endpoint(user_id: str):
+    """
+    Get connection status for a user.
+    
+    SECURITY: Returns ONLY boolean status and public identifiers.
+    No tokens or credentials are ever returned.
+    """
+    try:
+        # Import get_connection_status from token_store
+        from services.token_store import get_connection_status
+        
+        status = get_connection_status(user_id)
+        
+        # Also get github_username from settings
+        github_username = ''
+        if get_user_settings:
+            settings = get_user_settings(user_id)
+            if settings:
+                github_username = settings.get('github_username', '')
+        
+        return {
+            "linkedin_connected": status.get("linkedin_connected", False),
+            "linkedin_urn": status.get("linkedin_urn", ""),
+            "github_connected": bool(github_username),
+            "github_username": github_username,
+            "token_expires_at": status.get("token_expires_at"),
+        }
+    except Exception as e:
+        return {
+            "linkedin_connected": False,
+            "github_connected": False,
+            "error": str(e)
+        }
+
+
 # GitHub activity endpoints
 @app.get("/api/github/activity/{username}")
 def github_activity(username: str, limit: int = 10):

backend_tokens.db

@@ -80,30 +80,34 @@ export default function APIReference() {
     {
       method: 'GET',
       path: '/api/settings/{user_id}',
-      description: 'Get user settings',
+      description: 'Get user settings (safe data only, no credentials)',
       params: ['user_id: User identifier'],
-      response: '{"linkedin_client_id": "...", "groq_api_key": "...", ...}',
+      response: '{"user_id": "...", "github_username": "...", "onboarding_complete": true, "subscription_tier": "free"}',
     },
     {
       method: 'POST',
       path: '/api/settings',
-      description: 'Update user settings',
+      description: 'Update user settings (public identifiers only)',
       body: `{
   "user_id": "user_123",
-  "linkedin_client_id": "...",
-  "linkedin_client_secret": "...",
-  "groq_api_key": "...",
   "github_username": "johndoe",
-  "unsplash_access_key": "..."
+  "onboarding_complete": true
 }`,
       response: '{"success": true}',
     },
+    {
+      method: 'GET',
+      path: '/api/connection-status/{user_id}',
+      description: 'Get connection status (LinkedIn/GitHub)',
+      params: ['user_id: User identifier'],
+      response: '{"linkedin_connected": true, "github_connected": true, "github_username": "johndoe"}',
+    },
     {
       method: 'POST',
       path: '/api/auth/refresh',
-      description: 'Refresh LinkedIn access token',
+      description: 'Check LinkedIn connection status',
       body: '{"user_id": "user_123"}',
-      response: '{"access_token": "...", "expires_in": 3600}',
+      response: '{"authenticated": true, "user_urn": "..."}',
     },
   ];
 
@@ -129,11 +133,11 @@ export default function APIReference() {
           <ThemeToggle />
         </div>
       </header>
-      <SEOHead 
+      <SEOHead
         title="API Reference - LinkedIn Post Bot"
         description="Complete API documentation for LinkedIn Post Bot. Integrate and automate your LinkedIn content creation."
       />
-      
+
       {/* Header */}
       <header className="bg-white shadow-sm border-b border-gray-200">
         <div className="max-w-7xl mx-auto px-4 sm:px-6 lg:px-8 py-4 flex items-center justify-between">
@@ -162,7 +166,7 @@ export default function APIReference() {
           <p className="text-lg text-gray-600 mb-6">
             Complete documentation for integrating with LinkedIn Post Bot API
           </p>
-          
+
           <div className="bg-blue-50 border-l-4 border-blue-600 p-6 rounded-r-lg">
             <p className="text-blue-900 font-medium mb-2">Base URL</p>
             <code className="bg-white px-3 py-1 rounded text-blue-600 font-mono">
@@ -176,7 +180,7 @@ export default function APIReference() {
 
         <div className="space-y-6">
           {endpoints.map((endpoint, index) => (
-            <div 
+            <div
               key={index}
               className="bg-white rounded-2xl p-6 shadow-lg border border-gray-100 hover:shadow-xl transition-all"
             >
@@ -234,7 +238,7 @@ export default function APIReference() {
             Most endpoints require authentication via LinkedIn OAuth 2.0. Include the access token in requests:
           </p>
           <pre className="bg-black/20 p-4 rounded-lg text-sm">
-{`Authorization: Bearer YOUR_ACCESS_TOKEN`}
+            {`Authorization: Bearer YOUR_ACCESS_TOKEN`}
           </pre>
           <p className="text-blue-100 mt-4 text-sm">
             Tokens expire after 60 days. Use the <code className="bg-white/20 px-2 py-0.5 rounded">/api/auth/refresh</code> endpoint to renew.