UNPKG

start-oauth

Version:

Lightweight and Secure OAuth2 for SolidStart

github.com/thomasbuilds/start-oauth

thomasbuilds/start-oauth

114 lines (86 loc) 3.6 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
<div align="center"> [![Banner](https://assets.solidjs.com/banner?background=tiles&type=Start&project=oauth)](https://github.com/solidjs/solid-start) [![Version](https://img.shields.io/npm/v/start-oauth.svg?style=for-the-badge&color=blue&logo=npm)](https://www.npmjs.com/package/start-oauth) [![Downloads](https://img.shields.io/npm/dm/start-oauth.svg?style=for-the-badge&color=green&logo=npm)](https://www.npmjs.com/package/start-oauth) [![Stars](https://img.shields.io/github/stars/thomasbuilds/start-oauth.svg?style=for-the-badge&color=yellow&logo=github)](https://github.com/thomasbuilds/start-oauth) [![Discord](https://img.shields.io/discord/722131463138705510?label=join&style=for-the-badge&color=5865F2&logo=discord&logoColor=white)](https://discord.com/invite/solidjs) </div> **Lightweight and Secure OAuth2 for [SolidStart](https://start.solidjs.com)** — Access the `name`, `email`, and when available `image` of authenticated users. For extended usage, the `provider` name and access `token` are included in the `oauth` object. **Supported Providers:** Amazon, Discord, GitHub, Google, LinkedIn, Microsoft, Spotify, X, and Yahoo ## Installation Add `start-oauth` as a dependency in your **SolidStart** app ```bash # use preferred package manager npm add start-oauth ``` ## Configuration Create a catch-all API route at `routes/api/oauth/[...oauth].ts` ```ts import OAuth from "start-oauth"; import { redirect } from "@solidjs/router"; export const GET = OAuth({ password: process.env.PASSWORD!, // openssl rand -hex 32 discord: { id: process.env.DISCORD_ID!, secret: process.env.DISCORD_SECRET! }, google: { id: process.env.GOOGLE_ID!, secret: process.env.GOOGLE_SECRET! }, async handler({ name, email, image, oauth }, redirectTo) { // add your logic (e.g. database call, session creation) // const session = await getSession(); // await session.update({ name, email, image }); return redirect( // only allow internal redirects redirectTo?.startsWith("/") && !redirectTo.startsWith("//") ? redirectTo : "/defaultPage" ); } }); ``` In your OAuth provider's dashboard, set the redirect URIs - **Development**: `http://localhost:3000/api/oauth/[provider]` - **Production**: `https://your-domain.com/api/oauth/[provider]` ## Usage ```tsx // for example in routes/login.tsx import { useOAuthLogin } from "start-oauth"; export default function Login() { const login = useOAuthLogin(); return ( <div> <a href={login("discord")} rel="external"> Sign in with Discord </a> <a href={login("google")} rel="external"> Sign in with Google </a> </div> ); } ``` - To specify a post-login destination, append `?redirect=/dashboard` to the login URL—this value is passed as the `redirectTo` parameter to your handler. - On authentication failure, users are redirected to the login page with `?error=<reason>` for custom error handling. ## Example See `start-oauth` in action with the SolidStart [with-auth](https://github.com/solidjs/solid-start/tree/main/examples/with-auth) example ```bash # using npm npm create solid@latest -- -s -t with-auth ``` ```bash # using pnpm pnpm create solid@latest -s -t with-auth ``` ```bash # using bun bun create solid@latest --s --t with-auth ``` ## Security Features - Stateless PKCE with SHA-256 code challenges - AES-256-GCM encryption for state parameters to prevent tampering - Timeout-protected HTTP requests to avoid hanging connections - Strict validation of fallback URLs to prevent open redirects