@aura-stack/auth 0.1.0 → 0.2.0-rc.1

package/dist/chunk-3EUWD5BB.js

@@ -0,0 +1,63 @@
+import {
+  createAuthorizationURL,
+  createRedirectTo,
+  createRedirectURI
+} from "./chunk-N4SX7TZT.js";
+import {
+  cacheControl
+} from "./chunk-STHEPPUZ.js";
+import {
+  createPKCE,
+  generateSecure
+} from "./chunk-N2APGLXA.js";
+
+// src/actions/signIn/signIn.ts
+import { z } from "zod";
+import { createEndpoint, createEndpointConfig, HeadersBuilder } from "@aura-stack/router";
+var signInConfig = (oauth) => {
+  return createEndpointConfig("/signIn/:oauth", {
+    schemas: {
+      params: z.object({
+        oauth: z.enum(
+          Object.keys(oauth),
+          "The OAuth provider is not supported or invalid."
+        )
+      }),
+      searchParams: z.object({
+        redirectTo: z.string().optional()
+      })
+    }
+  });
+};
+var signInAction = (oauth) => {
+  return createEndpoint(
+    "GET",
+    "/signIn/:oauth",
+    async (ctx) => {
+      const {
+        request,
+        params: { oauth: oauth2 },
+        searchParams: { redirectTo },
+        context: { oauth: providers, cookies, trustedProxyHeaders, basePath }
+      } = ctx;
+      const state = generateSecure();
+      const redirectURI = createRedirectURI(request, oauth2, basePath, trustedProxyHeaders);
+      const redirectToValue = createRedirectTo(request, redirectTo, trustedProxyHeaders);
+      const { codeVerifier, codeChallenge, method } = await createPKCE();
+      const authorization = createAuthorizationURL(providers[oauth2], redirectURI, state, codeChallenge, method);
+      const headers = new HeadersBuilder(cacheControl).setHeader("Location", authorization).setCookie(cookies.state.name, state, cookies.state.attributes).setCookie(cookies.redirectURI.name, redirectURI, cookies.redirectURI.attributes).setCookie(cookies.redirectTo.name, redirectToValue, cookies.redirectTo.attributes).setCookie(cookies.codeVerifier.name, codeVerifier, cookies.codeVerifier.attributes).toHeaders();
+      return Response.json(
+        { oauth: oauth2 },
+        {
+          status: 302,
+          headers
+        }
+      );
+    },
+    signInConfig(oauth)
+  );
+};
+
+export {
+  signInAction
+};

package/dist/chunk-6R2YZ4AC.js

@@ -0,0 +1,22 @@
+// src/oauth/strava.ts
+var strava = {
+  id: "strava",
+  name: "Strava",
+  authorizeURL: "https://www.strava.com/oauth/authorize",
+  accessToken: "https://www.strava.com/oauth/token",
+  userInfo: "https://www.strava.com/api/v3/athlete",
+  scope: "read",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.id.toString(),
+      name: `${profile.firstname} ${profile.lastname}`,
+      image: profile.profile,
+      email: ""
+    };
+  }
+};
+
+export {
+  strava
+};

package/dist/chunk-A3N4PVAT.js

@@ -0,0 +1,70 @@
+import {
+  createRedirectTo
+} from "./chunk-N4SX7TZT.js";
+import {
+  expiredCookieAttributes
+} from "./chunk-W6LG7BFW.js";
+import {
+  cacheControl
+} from "./chunk-STHEPPUZ.js";
+import {
+  verifyCSRF
+} from "./chunk-N2APGLXA.js";
+import {
+  getNormalizedOriginPath
+} from "./chunk-CXLATHS5.js";
+import {
+  AuthSecurityError
+} from "./chunk-RRLIF4PQ.js";
+
+// src/actions/signOut/signOut.ts
+import { z } from "zod";
+import { createEndpoint, createEndpointConfig, HeadersBuilder, statusCode } from "@aura-stack/router";
+var config = createEndpointConfig({
+  schemas: {
+    searchParams: z.object({
+      token_type_hint: z.literal("session_token"),
+      redirectTo: z.string().optional()
+    })
+  }
+});
+var signOutAction = createEndpoint(
+  "POST",
+  "/signOut",
+  async (ctx) => {
+    const {
+      request,
+      headers,
+      searchParams: { redirectTo },
+      context: { jose, cookies }
+    } = ctx;
+    const session = headers.getCookie(cookies.sessionToken.name);
+    const csrfToken = headers.getCookie(cookies.csrfToken.name);
+    const header = headers.getHeader("X-CSRF-Token");
+    if (!session) {
+      throw new AuthSecurityError("SESSION_TOKEN_MISSING", "The sessionToken is missing.");
+    }
+    if (!csrfToken) {
+      throw new AuthSecurityError("CSRF_TOKEN_MISSING", "The CSRF token is missing.");
+    }
+    if (!header) {
+      throw new AuthSecurityError("CSRF_TOKEN_MISSING", "The CSRF header is missing.");
+    }
+    await verifyCSRF(jose, csrfToken, header);
+    await jose.decodeJWT(session);
+    const normalizedOriginPath = getNormalizedOriginPath(request.url);
+    const location = createRedirectTo(
+      new Request(normalizedOriginPath, {
+        headers: headers.toHeaders()
+      }),
+      redirectTo
+    );
+    const headersList = new HeadersBuilder(cacheControl).setHeader("Location", location).setCookie(cookies.csrfToken.name, "", expiredCookieAttributes).setCookie(cookies.sessionToken.name, "", expiredCookieAttributes).toHeaders();
+    return Response.json({ message: "Signed out successfully" }, { status: statusCode.ACCEPTED, headers: headersList });
+  },
+  config
+);
+
+export {
+  signOutAction
+};

package/dist/chunk-B737EUJV.js

@@ -0,0 +1,22 @@
+// src/oauth/mailchimp.ts
+var mailchimp = {
+  id: "mailchimp",
+  name: "Mailchimp",
+  authorizeURL: "https://login.mailchimp.com/oauth2/authorize",
+  accessToken: "https://login.mailchimp.com/oauth2/token",
+  userInfo: "https://login.mailchimp.com/oauth2/metadata",
+  scope: "",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.user_id,
+      name: profile.accountname,
+      email: profile.login.login_email,
+      image: null
+    };
+  }
+};
+
+export {
+  mailchimp
+};

package/dist/{chunk-256KIVJL.js → chunk-CXLATHS5.js}

@@ -1,9 +1,11 @@
 import {
-  isAuthError
-} from "./chunk-FJUDBLCP.js";
+  isAuthInternalError,
+  isAuthSecurityError,
+  isOAuthProtocolError
+} from "./chunk-RRLIF4PQ.js";
 
 // src/utils.ts
-import { isRouterError } from "@aura-stack/router";
+import { isInvalidZodSchemaError, isRouterError } from "@aura-stack/router";
 var toSnakeCase = (str) => {
   return str.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/([A-Z]+)([A-Z][a-z])/g, "$1_$2").toLowerCase().replace(/^_+/, "");
 };
@@ -64,13 +66,35 @@ var isValidRelativePath = (path) => {
 var onErrorHandler = (error) => {
   if (isRouterError(error)) {
     const { message, status, statusText } = error;
-    return Response.json({ error: "invalid_request", error_description: message }, { status, statusText });
+    return Response.json({ type: "ROUTER_ERROR", code: "ROUTER_INTERNAL_ERROR", message }, { status, statusText });
   }
-  if (isAuthError(error)) {
-    const { type, message } = error;
-    return Response.json({ error: type, error_description: message }, { status: 400 });
+  if (isInvalidZodSchemaError(error)) {
+    return Response.json({ type: "ROUTER_ERROR", code: "INVALID_REQUEST", message: error.errors }, { status: 422 });
   }
-  return Response.json({ error: "server_error", error_description: "An unexpected error occurred" }, { status: 500 });
+  if (isOAuthProtocolError(error)) {
+    const { error: errorCode, message, type, errorURI } = error;
+    return Response.json(
+      {
+        type,
+        error: errorCode,
+        error_description: message,
+        error_uri: errorURI
+      },
+      { status: 400 }
+    );
+  }
+  if (isAuthInternalError(error) || isAuthSecurityError(error)) {
+    const { type, code, message } = error;
+    return Response.json(
+      {
+        type,
+        code,
+        message
+      },
+      { status: 400 }
+    );
+  }
+  return Response.json({ type: "SERVER_ERROR", code: "server_error", message: "An unexpected error occurred" }, { status: 500 });
 };
 var getNormalizedOriginPath = (path) => {
   try {
@@ -85,6 +109,24 @@ var getNormalizedOriginPath = (path) => {
 var toISOString = (date) => {
   return new Date(date).toISOString();
 };
+var useSecureCookies = (request, trustedProxyHeaders) => {
+  return trustedProxyHeaders ? request.url.startsWith("https://") || request.headers.get("X-Forwarded-Proto") === "https" || (request.headers.get("Forwarded")?.includes("proto=https") ?? false) : request.url.startsWith("https://");
+};
+var formatZodError = (error) => {
+  if (!error.issues || error.issues.length === 0) {
+    return {};
+  }
+  return error.issues.reduce((previous, issue) => {
+    const key = issue.path.join(".");
+    return {
+      ...previous,
+      [key]: {
+        code: issue.code,
+        message: issue.message
+      }
+    };
+  }, {});
+};
 
 export {
   toSnakeCase,
@@ -95,5 +137,7 @@ export {
   isValidRelativePath,
   onErrorHandler,
   getNormalizedOriginPath,
-  toISOString
+  toISOString,
+  useSecureCookies,
+  formatZodError
 };

package/dist/{chunk-6SM22VVJ.js → chunk-EIL2FPSS.js}

@@ -10,9 +10,13 @@ var isValidURL = (value) => {
   const regex = /^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()*+,;=:@-]*)*\/?$/;
   return regex.test(value);
 };
+var isJWTPayloadWithToken = (payload) => {
+  return typeof payload === "object" && payload !== null && "token" in payload && typeof payload?.token === "string";
+};
 
 export {
   isFalsy,
   isRequest,
-  isValidURL
+  isValidURL,
+  isJWTPayloadWithToken
 };

package/dist/{chunk-VFTYH33W.js → chunk-EMKJA2GJ.js}

@@ -1,3 +1,6 @@
+import {
+  x
+} from "./chunk-42XB3YCW.js";
 import {
   figma
 } from "./chunk-FKRDCWBF.js";
@@ -7,18 +10,33 @@ import {
 import {
   gitlab
 } from "./chunk-KRNOMBXQ.js";
+import {
+  mailchimp
+} from "./chunk-B737EUJV.js";
+import {
+  pinterest
+} from "./chunk-HP34YGGJ.js";
 import {
   spotify
 } from "./chunk-E3OXBRYF.js";
 import {
-  x
-} from "./chunk-42XB3YCW.js";
+  strava
+} from "./chunk-6R2YZ4AC.js";
 import {
   bitbucket
 } from "./chunk-FIPU4MLT.js";
 import {
   discord
-} from "./chunk-EBPE35JT.js";
+} from "./chunk-IUYZQTJV.js";
+import {
+  formatZodError
+} from "./chunk-CXLATHS5.js";
+import {
+  AuthInternalError
+} from "./chunk-RRLIF4PQ.js";
+import {
+  OAuthEnvSchema
+} from "./chunk-YRCB5FLE.js";
 
 // src/oauth/index.ts
 var builtInOAuthProviders = {
@@ -28,14 +46,24 @@ var builtInOAuthProviders = {
   discord,
   gitlab,
   spotify,
-  x
+  x,
+  strava,
+  mailchimp,
+  pinterest
 };
 var defineOAuthEnvironment = (oauth) => {
   const env = process.env;
-  return {
-    clientId: env[`AURA_AUTH_${oauth.toUpperCase()}_CLIENT_ID`],
-    clientSecret: env[`AURA_AUTH_${oauth.toUpperCase()}_CLIENT_SECRET`]
-  };
+  const clientIdSuffix = `${oauth.toUpperCase()}_CLIENT_ID`;
+  const clientSecretSuffix = `${oauth.toUpperCase()}_CLIENT_SECRET`;
+  const loadEnvs = OAuthEnvSchema.safeParse({
+    clientId: env[`AURA_AUTH_${clientIdSuffix}`] ?? env[`AUTH_${clientIdSuffix}`] ?? env[`${clientIdSuffix}`],
+    clientSecret: env[`AURA_AUTH_${clientSecretSuffix}`] ?? env[`AUTH_${clientSecretSuffix}`] ?? env[`${clientSecretSuffix}`]
+  });
+  if (!loadEnvs.success) {
+    const msg = JSON.stringify(formatZodError(loadEnvs.error), null, 2);
+    throw new AuthInternalError("INVALID_ENVIRONMENT_CONFIGURATION", msg);
+  }
+  return loadEnvs.data;
 };
 var defineOAuthProviderConfig = (config) => {
   if (typeof config === "string") {

package/dist/{chunk-UJJ7R56J.js → chunk-GA2SMTJO.js}

@@ -1,23 +1,29 @@
 import {
-  AuthError,
-  ERROR_RESPONSE,
-  throwAuthError
-} from "./chunk-FJUDBLCP.js";
+  formatZodError
+} from "./chunk-CXLATHS5.js";
+import {
+  AuthInternalError,
+  OAuthProtocolError
+} from "./chunk-RRLIF4PQ.js";
+import {
+  fetchAsync
+} from "./chunk-ZNCZVF6U.js";
 import {
   OAuthAccessToken,
   OAuthAccessTokenErrorResponse,
   OAuthAccessTokenResponse
-} from "./chunk-HMRKN75I.js";
+} from "./chunk-YRCB5FLE.js";
 
 // src/actions/callback/access-token.ts
 var createAccessToken = async (oauthConfig, redirectURI, code, codeVerifier) => {
   const parsed = OAuthAccessToken.safeParse({ ...oauthConfig, redirectURI, code, codeVerifier });
   if (!parsed.success) {
-    throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST, "Invalid OAuth configuration");
+    const msg = JSON.stringify(formatZodError(parsed.error), null, 2);
+    throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", msg);
   }
   const { accessToken, clientId, clientSecret, code: codeParsed, redirectURI: redirectParsed } = parsed.data;
   try {
-    const response = await fetch(accessToken, {
+    const response = await fetchAsync(accessToken, {
       method: "POST",
       headers: {
         Accept: "application/json",
@@ -37,13 +43,13 @@ var createAccessToken = async (oauthConfig, redirectURI, code, codeVerifier) =>
     if (!token.success) {
       const { success, data } = OAuthAccessTokenErrorResponse.safeParse(json);
       if (!success) {
-        throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_GRANT, "Invalid access token response format");
+        throw new OAuthProtocolError("INVALID_REQUEST", "Invalid access token response format");
       }
-      throw new AuthError(data.error, data?.error_description ?? "Failed to retrieve access token");
+      throw new OAuthProtocolError(data.error, data?.error_description ?? "Failed to retrieve access token");
     }
     return token.data;
   } catch (error) {
-    throw throwAuthError(error, "Failed to create access token");
+    throw error;
   }
 };
 

package/dist/chunk-HP34YGGJ.js

@@ -0,0 +1,22 @@
+// src/oauth/pinterest.ts
+var pinterest = {
+  id: "pinterest",
+  name: "Pinterest",
+  authorizeURL: "https://api.pinterest.com/oauth/",
+  accessToken: "https://api.pinterest.com/v5/oauth/token",
+  userInfo: "https://api.pinterest.com/v5/user_account",
+  scope: "user_accounts:read",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.id,
+      name: profile.username,
+      email: null,
+      image: profile.profile_image
+    };
+  }
+};
+
+export {
+  pinterest
+};

package/dist/chunk-HT4YLL7N.js

@@ -0,0 +1,35 @@
+import {
+  getCookie,
+  setCookie
+} from "./chunk-W6LG7BFW.js";
+import {
+  cacheControl
+} from "./chunk-STHEPPUZ.js";
+import {
+  createCSRF
+} from "./chunk-N2APGLXA.js";
+
+// src/actions/csrfToken/csrfToken.ts
+import { createEndpoint } from "@aura-stack/router";
+var getCSRFToken = (request, cookieName) => {
+  try {
+    return getCookie(request, cookieName);
+  } catch {
+    return void 0;
+  }
+};
+var csrfTokenAction = createEndpoint("GET", "/csrfToken", async (ctx) => {
+  const {
+    request,
+    context: { jose, cookies }
+  } = ctx;
+  const token = getCSRFToken(request, cookies.csrfToken.name);
+  const csrfToken = await createCSRF(jose, token);
+  const headers = new Headers(cacheControl);
+  headers.append("Set-Cookie", setCookie(cookies.csrfToken.name, csrfToken, cookies.csrfToken.attributes));
+  return Response.json({ csrfToken }, { headers });
+});
+
+export {
+  csrfTokenAction
+};

package/dist/{chunk-EBPE35JT.js → chunk-IUYZQTJV.js}

@@ -18,7 +18,6 @@ var discord = {
     }
     return {
       sub: profile.id,
-      // https://discord.com/developers/docs/change-log#display-names
       name: profile.global_name ?? profile.username,
       email: profile.email ?? "",
       image

package/dist/{chunk-RLT4RFKV.js → chunk-IVET23KF.js}

@@ -1,13 +1,17 @@
 import {
   generateSecure
-} from "./chunk-GZU3RBTB.js";
+} from "./chunk-N2APGLXA.js";
 import {
-  AuthError,
-  throwAuthError
-} from "./chunk-FJUDBLCP.js";
+  OAuthProtocolError,
+  isNativeError,
+  isOAuthProtocolError
+} from "./chunk-RRLIF4PQ.js";
+import {
+  fetchAsync
+} from "./chunk-ZNCZVF6U.js";
 import {
   OAuthErrorResponse
-} from "./chunk-HMRKN75I.js";
+} from "./chunk-YRCB5FLE.js";
 
 // src/actions/callback/userinfo.ts
 var getDefaultUserInfo = (profile) => {
@@ -22,7 +26,7 @@ var getDefaultUserInfo = (profile) => {
 var getUserInfo = async (oauthConfig, accessToken) => {
   const userinfoEndpoint = oauthConfig.userInfo;
   try {
-    const response = await fetch(userinfoEndpoint, {
+    const response = await fetchAsync(userinfoEndpoint, {
       method: "GET",
       headers: {
         Accept: "application/json",
@@ -32,11 +36,20 @@ var getUserInfo = async (oauthConfig, accessToken) => {
     const json = await response.json();
     const { success, data } = OAuthErrorResponse.safeParse(json);
     if (success) {
-      throw new AuthError(data.error, data?.error_description ?? "An error occurred while fetching user information.");
+      throw new OAuthProtocolError(
+        data.error,
+        data?.error_description ?? "An error occurred while fetching user information."
+      );
     }
     return oauthConfig?.profile ? oauthConfig.profile(json) : getDefaultUserInfo(json);
   } catch (error) {
-    throw throwAuthError(error, "Failed to retrieve userinfo");
+    if (isOAuthProtocolError(error)) {
+      throw error;
+    }
+    if (isNativeError(error)) {
+      throw new OAuthProtocolError("invalid_request", error.message, "", { cause: error });
+    }
+    throw new OAuthProtocolError("invalid_request", "Failed to fetch user information.", "", { cause: error });
   }
 };
 

package/dist/{chunk-XXJKNKGQ.js → chunk-JVFTCTTE.js}

@@ -1,33 +1,29 @@
 import {
-  expireCookie,
-  getCookie,
-  secureCookieOptions
-} from "./chunk-ZV4BH47P.js";
+  expiredCookieAttributes,
+  getCookie
+} from "./chunk-W6LG7BFW.js";
 import {
   cacheControl
 } from "./chunk-STHEPPUZ.js";
 import {
   toISOString
-} from "./chunk-256KIVJL.js";
+} from "./chunk-CXLATHS5.js";
 
 // src/actions/session/session.ts
-import { createEndpoint } from "@aura-stack/router";
+import { createEndpoint, HeadersBuilder } from "@aura-stack/router";
 var sessionAction = createEndpoint("GET", "/session", async (ctx) => {
   const {
     request,
-    context: { cookies, jose, trustedProxyHeaders }
+    context: { jose, cookies }
   } = ctx;
-  const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
   try {
-    const session = getCookie(request, "sessionToken", cookieOptions);
+    const session = getCookie(request, cookies.sessionToken.name);
     const decoded = await jose.decodeJWT(session);
     const { exp, iat, jti, nbf, ...user } = decoded;
     const headers = new Headers(cacheControl);
     return Response.json({ user, expires: toISOString(exp * 1e3) }, { headers });
-  } catch {
-    const headers = new Headers(cacheControl);
-    const sessionCookie = expireCookie("sessionToken", cookieOptions);
-    headers.set("Set-Cookie", sessionCookie);
+  } catch (error) {
+    const headers = new HeadersBuilder(cacheControl).setCookie(cookies.sessionToken.name, "", expiredCookieAttributes).toHeaders();
     return Response.json({ authenticated: false, message: "Unauthorized" }, { status: 401, headers });
   }
 });

package/dist/chunk-KSWLO5ZU.js

@@ -0,0 +1,102 @@
+import {
+  createAccessToken
+} from "./chunk-GA2SMTJO.js";
+import {
+  getUserInfo
+} from "./chunk-IVET23KF.js";
+import {
+  createSessionCookie,
+  expiredCookieAttributes,
+  getCookie
+} from "./chunk-W6LG7BFW.js";
+import {
+  cacheControl
+} from "./chunk-STHEPPUZ.js";
+import {
+  createCSRF
+} from "./chunk-N2APGLXA.js";
+import {
+  equals,
+  isValidRelativePath,
+  sanitizeURL
+} from "./chunk-CXLATHS5.js";
+import {
+  AuthSecurityError,
+  OAuthProtocolError
+} from "./chunk-RRLIF4PQ.js";
+import {
+  OAuthAuthorizationErrorResponse
+} from "./chunk-YRCB5FLE.js";
+
+// src/actions/callback/callback.ts
+import { z } from "zod";
+import { createEndpoint, createEndpointConfig, HeadersBuilder } from "@aura-stack/router";
+var callbackConfig = (oauth) => {
+  return createEndpointConfig("/callback/:oauth", {
+    schemas: {
+      params: z.object({
+        oauth: z.enum(
+          Object.keys(oauth),
+          "The OAuth provider is not supported or invalid."
+        )
+      }),
+      searchParams: z.object({
+        code: z.string("Missing code parameter in the OAuth authorization response."),
+        state: z.string("Missing state parameter in the OAuth authorization response.")
+      })
+    },
+    middlewares: [
+      (ctx) => {
+        const response = OAuthAuthorizationErrorResponse.safeParse(ctx.searchParams);
+        if (response.success) {
+          const { error, error_description } = response.data;
+          throw new OAuthProtocolError(error, error_description ?? "OAuth Authorization Error");
+        }
+        return ctx;
+      }
+    ]
+  });
+};
+var callbackAction = (oauth) => {
+  return createEndpoint(
+    "GET",
+    "/callback/:oauth",
+    async (ctx) => {
+      const {
+        request,
+        params: { oauth: oauth2 },
+        searchParams: { code, state },
+        context: { oauth: providers, cookies, jose }
+      } = ctx;
+      const oauthConfig = providers[oauth2];
+      const cookieState = getCookie(request, cookies.state.name);
+      const cookieRedirectTo = getCookie(request, cookies.redirectTo.name);
+      const cookieRedirectURI = getCookie(request, cookies.redirectURI.name);
+      const codeVerifier = getCookie(request, cookies.codeVerifier.name);
+      if (!equals(cookieState, state)) {
+        throw new AuthSecurityError(
+          "MISMATCHING_STATE",
+          "The provided state passed in the OAuth response does not match the stored state."
+        );
+      }
+      const accessToken = await createAccessToken(oauthConfig, cookieRedirectURI, code, codeVerifier);
+      const sanitized = sanitizeURL(cookieRedirectTo);
+      if (!isValidRelativePath(sanitized)) {
+        throw new AuthSecurityError(
+          "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
+          "Invalid redirect path. Potential open redirect attack detected."
+        );
+      }
+      const userInfo = await getUserInfo(oauthConfig, accessToken.access_token);
+      const sessionCookie = await createSessionCookie(jose, userInfo);
+      const csrfToken = await createCSRF(jose);
+      const headers = new HeadersBuilder(cacheControl).setHeader("Location", sanitized).setCookie(cookies.sessionToken.name, sessionCookie, cookies.sessionToken.attributes).setCookie(cookies.csrfToken.name, csrfToken, cookies.csrfToken.attributes).setCookie(cookies.state.name, "", expiredCookieAttributes).setCookie(cookies.redirectURI.name, "", expiredCookieAttributes).setCookie(cookies.redirectTo.name, "", expiredCookieAttributes).setCookie(cookies.codeVerifier.name, "", expiredCookieAttributes).toHeaders();
+      return Response.json({ oauth: oauth2 }, { status: 302, headers });
+    },
+    callbackConfig(oauth)
+  );
+};
+
+export {
+  callbackAction
+};