
Feat/issue 968 quickbooks oauth #1138

Merged
sublime247 merged 5 commits into sublime247:main from Shadow-MMN:feat/issue-968-quickbooks-oauth on May 30, 2026

Conversation

@Shadow-MMN
Contributor

Description

This PR implements a secure OAuth 2.0 Authorization Code flow for QuickBooks Online. It ensures all sensitive tokens are encrypted at rest using AES-256-GCM and introduces automated token maintenance via a BullMQ refresh worker that triggers 10 minutes before expiry.

Related Issue

Fixes #968

Type of Change

  • Bug fix
  • New feature
  • Documentation update
  • Code refactoring
  • Performance improvement

Changes Made

  • Secure Token Persistence: Updated AccountingService to use encryptField and decryptField utilities for all QuickBooks and Xero tokens stored in the database.
  • Automated Refresh Worker: Created src/queue/accountingTokenRefreshWorker.ts using BullMQ to handle background token updates.
  • Refined OAuth Endpoints:
    • GET /api/accounting/quickbooks/auth: Generates session-persisted CSRF state and redirects to Intuit.
    • GET /api/accounting/quickbooks/callback: Validates state and realmID before completing the token exchange.
  • App Lifecycle Integration: Registered the accounting router and initialized the token refresh worker in src/index.ts.
  • Configuration Hardening: Added required environment variables for QuickBooks and Xero to the envalid schema in src/config/env.ts.

Testing

  • Manual Verification: Verified the redirect flow to QuickBooks App Center.
  • Security Check: Confirmed that tokens in the accounting_connections table are stored in encrypted format (prefixed with v1:).
  • Worker Logic: Mocked token expiry timestamps to trigger the BullMQ worker and verified successful refresh rotation.
  • Unit Tests: Updated existing accounting service tests to accommodate encryption wrappers.

Checklist

  • Code follows project style
  • Self-reviewed my code
  • Commented complex code
  • Updated documentation
  • No new warnings
  • Added tests (if applicable)

Screenshots (if applicable)

Additional Notes

Ensure that QUICKBOOKS_CLIENT_ID, QUICKBOOKS_CLIENT_SECRET, and QUICKBOOKS_REDIRECT_URI are added to your local .env file before testing the live flow. The redirect URI must match the one configured in your Intuit Developer Portal.
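The description above says tokens are stored with AES-256-GCM under a `v1:` prefix but does not show the envelope. The following is an added illustration, not the PR's own `encryptField`/`decryptField` code: the `v1:` prefix comes from the description, while the layout after it (base64 IV, auth tag and ciphertext joined by `.`), the key-passing convention and the demo key and token are assumptions made here.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "crypto";

// Envelope version prefix as described in the PR; everything after it is an
// assumed layout: base64(iv) "." base64(authTag) "." base64(ciphertext).
const VERSION = "v1:";

// AES-256-GCM needs a 32-byte key. A deployment would load it from config;
// it is passed in here so the example stays self-contained.
function assertKey(key: Buffer): void {
  if (key.length !== 32) throw new Error("encryption key must be 32 bytes");
}

function encryptField(plaintext: string, key: Buffer): string {
  assertKey(key);
  const iv = randomBytes(12); // 96-bit nonce; fresh per call, never reused with this key
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte integrity tag over the ciphertext
  return VERSION + [iv, tag, ciphertext].map((b) => b.toString("base64")).join(".");
}

function decryptField(stored: string, key: Buffer): string {
  assertKey(key);
  if (!stored.startsWith(VERSION)) throw new Error("unsupported token envelope version");
  const parts = stored.slice(VERSION.length).split(".");
  if (parts.length !== 3) throw new Error("malformed token envelope");
  const [iv, tag, ciphertext] = parts.map((p) => Buffer.from(p, "base64"));
  const decipher = createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(tag);
  // final() throws when the tag does not verify, so a modified row is
  // rejected before any plaintext is handed back to the caller.
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
}

// The check the PR's "Security Check" step describes: a stored value must carry the prefix.
function isEncryptedAtRest(stored: string): boolean {
  return stored.startsWith(VERSION);
}

// Constructed demo key and token for illustration only (not real credentials).
const DEMO_KEY = Buffer.alloc(32, 7);
const DEMO_TOKEN = "constructed-refresh-token-not-real";
```

Because GCM authenticates the ciphertext, flipping a single byte of a stored token makes `decryptField` throw rather than return garbage.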

@drips-wave

drips-wave Bot commented May 30, 2026

@Shadow-MMN Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@gitguardian

gitguardian Bot commented May 30, 2026

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

Since your pull request originates from a forked repository, GitGuardian is not able to associate the secrets uncovered with secret incidents on your GitGuardian dashboard.
Skipping this check run and merging your pull request will create secret incidents on your GitGuardian dashboard.

🔎 Detected hardcoded secret in your pull request
GitGuardian id: 29318208 | GitGuardian status: Triggered | Secret: Generic Password | Commit: a4ee975 | Filename: src/stellar/sep02.ts
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secret safely. Learn here the best practices.
  3. Revoke and rotate this secret.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@sublime247 sublime247 merged commit 7175968 into sublime247:main May 30, 2026
7 of 14 checks passed
Development

Successfully merging this pull request may close these issues.

[HARD] Implement OAuth 2.0 Authorization Flow for QuickBooks Online

2 participants