@devcoffee/nuxt-core 1.0.1 → 1.1.0

package/dist/runtime/server/core/helpers.js

@@ -0,0 +1,355 @@
+import { createError } from "#devcoffee-core/server/adapters/http";
+import {
+  allowInsecureRequests,
+  authorizationCodeGrant as authorizationCodeGrantOidc,
+  buildAuthorizationUrl as buildAuthorizationUrlOidc,
+  calculatePKCECodeChallenge,
+  Configuration,
+  discovery,
+  fetchUserInfo as fetchUserInfoFromOidc,
+  randomPKCECodeVerifier,
+  randomState,
+  refreshTokenGrant as refreshTokenGrantFromOidc,
+  revokeToken
+} from "#devcoffee-core/server/adapters/oidc";
+import { deepMerge, omit } from "#devcoffee-core/server/adapters/utils";
+import useServerLogger from "#devcoffee-core/server/composables/useServerLogger";
+import { useRuntimeConfig } from "#imports";
+import { useStorage } from "nitropack/runtime/internal/storage";
+import { decryptTokenSet, encryptTokenSet, generateSessionId, isValidSessionId, verifySessionId } from "./crypto.js";
+import { tryAcquireLock } from "./mutex.js";
+function getAnonymousUser(extras) {
+  const anonymous = useRuntimeConfig().nuxtCore.authts.auth.anonymousUser;
+  const { defaultLocale, defaultTimeZone, defaultLanguage } = useRuntimeConfig().nuxtCore;
+  return deepMerge(
+    {},
+    {
+      id: "anonymous",
+      email: "",
+      sub: "anonymous",
+      firstName: "Anonymous",
+      lastName: "User",
+      locale: defaultLocale,
+      language: defaultLanguage,
+      timezone: defaultTimeZone
+    },
+    anonymous,
+    extras || {}
+  );
+}
+function getSessionStorageKey(storagePrefix, sessionId) {
+  return storagePrefix ? `${storagePrefix}:${sessionId}` : sessionId;
+}
+export function isSameOrigin(redirectUrl, requestUrl) {
+  try {
+    return new URL(redirectUrl).origin === requestUrl.origin;
+  } catch {
+    return false;
+  }
+}
+export async function getSession(sessionId, opts) {
+  const storage = useStorage(opts.storageName);
+  const sessingKey = getSessionStorageKey(opts.storagePrefix, sessionId);
+  if (!await storage.hasItem(sessingKey)) return null;
+  const session = await storage.getItem(sessingKey);
+  if (!session) return null;
+  if (session.auth?.tokenSet && session.auth.tokenSet.encrypted === true) {
+    if (opts.secret) {
+      const decrypted = decryptTokenSet(session.auth.tokenSet, opts.secret);
+      session.auth.tokenSet = decrypted ?? void 0;
+    } else {
+      const logger = useServerLogger({ tag: "authts-helper", level: 3 });
+      logger.warn(
+        "[getSession] tokenSet is encrypted but sessions.secret is not configured \u2014 tokenSet will be inaccessible"
+      );
+      session.auth.tokenSet = void 0;
+    }
+  }
+  return session;
+}
+function newSession(sessionId, expiresAt) {
+  return {
+    id: sessionId,
+    auth: { status: "unauthenticated" },
+    user: getAnonymousUser(),
+    data: {},
+    expiresAt,
+    issuedAt: Date.now()
+  };
+}
+export async function validateSession(sessionCookieId, opts) {
+  const storage = useStorage(opts.storageName);
+  const now = Date.now();
+  const expiresAt = now + opts.expiresIn;
+  let sessionId = void 0;
+  let sessionKey = void 0;
+  let deleteSessionKey = void 0;
+  let session = null;
+  const rawSessionId = verifySessionId(sessionCookieId, opts.secret);
+  if (rawSessionId && isValidSessionId(rawSessionId)) {
+    sessionId = rawSessionId;
+  }
+  if (sessionId) {
+    sessionKey = getSessionStorageKey(opts.storagePrefix, sessionId);
+    if (await storage.hasItem(sessionKey)) {
+      session = await storage.getItem(sessionKey);
+    }
+    if (!session || session.expiresAt <= now) {
+      deleteSessionKey = session ? sessionKey : void 0;
+      session = newSession(generateSessionId(), expiresAt);
+      sessionKey = getSessionStorageKey(opts.storagePrefix, session.id);
+    } else {
+      session.expiresAt = expiresAt;
+    }
+  }
+  session = session || newSession(generateSessionId(), expiresAt);
+  sessionKey = sessionKey || getSessionStorageKey(opts.storagePrefix, session.id);
+  if (deleteSessionKey && deleteSessionKey !== sessionKey) {
+    await storage.removeItem(deleteSessionKey);
+  }
+  await storage.setItem(sessionKey, session, {
+    ttl: opts.expiresIn / 1e3 | 0
+  });
+  return session;
+}
+export async function updateSession(sessionId, input, opts) {
+  const now = Date.now();
+  const storage = useStorage(opts.storageName);
+  const serverKey = `${opts.storagePrefix}:${sessionId}`;
+  const normalizedInput = omit(
+    input,
+    ["id", "issuedAt", "expiresAt"]
+  );
+  let session = await storage.getItem(serverKey);
+  if (!session) {
+    throw createError({
+      status: 500,
+      fatal: true,
+      message: `session '${sessionId}' was not found.`
+    });
+  }
+  session = deepMerge({}, session, normalizedInput);
+  session.expiresAt = now + opts.expiresIn;
+  const sessionToStore = { ...session };
+  if (opts.secret && sessionToStore.auth?.tokenSet) {
+    sessionToStore.auth = {
+      ...sessionToStore.auth,
+      tokenSet: encryptTokenSet(
+        sessionToStore.auth.tokenSet,
+        opts.secret
+      )
+    };
+  }
+  await storage.setItem(serverKey, sessionToStore, {
+    ttl: opts.expiresIn / 1e3 | 0
+  });
+  return session;
+}
+export async function renewSession(sessionId, opts) {
+  const storage = useStorage(opts.storageName);
+  let sessionKey = getSessionStorageKey(opts.storagePrefix, sessionId);
+  if (await storage.hasItem(sessionKey)) {
+    await storage.removeItem(sessionKey);
+  }
+  const session = newSession(generateSessionId(), Date.now() + opts.expiresIn);
+  sessionKey = getSessionStorageKey(opts.storagePrefix, session.id);
+  await storage.setItem(sessionKey, session, {
+    ttl: opts.expiresIn / 1e3 | 0
+  });
+  return session;
+}
+export async function deleteSession(sessionId, opts) {
+  const storage = useStorage(opts.storageName);
+  const sessionKey = getSessionStorageKey(opts.storagePrefix, sessionId);
+  if (await storage.hasItem(sessionKey)) {
+    await storage.removeItem(sessionKey);
+  }
+}
+export async function discoveryOpendId(wellKnownUrl, opts) {
+  const logger = useServerLogger({ tag: "authts-helper", level: 3 });
+  const {
+    cache: { prefix: cachedPrefix, expires },
+    clientId,
+    clientSecret
+  } = opts;
+  const storage = useStorage("cache");
+  const cacheKey = `${cachedPrefix}:${clientId}`;
+  let meta = await storage.getItem(cacheKey);
+  if (!meta) {
+    const isHttpEndpoint = wellKnownUrl.startsWith("http://");
+    const config = await discovery(
+      new URL(wellKnownUrl),
+      clientId,
+      {
+        client_id: clientId,
+        client_secret: clientSecret
+      },
+      void 0,
+      isHttpEndpoint ? { execute: [allowInsecureRequests] } : void 0
+    );
+    meta = {
+      server: config.serverMetadata(),
+      client: config.clientMetadata()
+    };
+    await storage.setItem(cacheKey, meta, { ttl: expires / 1e3 | 0 });
+    logger.info('Fetching OpenID Connect metadata from "%s"', wellKnownUrl);
+  }
+  return meta;
+}
+export async function getOpenIdConfiguration(wellKnownUrl, opts) {
+  const meta = await discoveryOpendId(wellKnownUrl, opts);
+  const configuration = new Configuration(meta.server, opts.clientId, meta.client);
+  if (wellKnownUrl.startsWith("http://")) {
+    allowInsecureRequests(configuration);
+  }
+  return configuration;
+}
+function getOpenIdRedirectUrl(origin, redirectUri) {
+  return new URL(redirectUri, origin.origin);
+}
+export async function buildAuthorizationUrl(session, opt) {
+  const {
+    wellKnownUrl,
+    cache,
+    clientId,
+    clientSecret,
+    origin,
+    redirectUri,
+    scopes,
+    usePkce,
+    codeChallengeMethod,
+    sessionExpires,
+    sessionStorageName,
+    sessionStoragePrefix,
+    sessionSecret = ""
+  } = opt;
+  const config = await getOpenIdConfiguration(wellKnownUrl, { cache, clientId, clientSecret });
+  const serverMeta = config.serverMetadata();
+  const state = randomState();
+  const results = {
+    state
+  };
+  const parameters = {
+    state,
+    redirect_uri: getOpenIdRedirectUrl(origin, redirectUri).toString(),
+    scope: scopes.join(" ")
+  };
+  if (usePkce && serverMeta.supportsPKCE(codeChallengeMethod)) {
+    const codeVerifier = randomPKCECodeVerifier();
+    parameters.code_challenge_method = codeChallengeMethod;
+    parameters.code_challenge = await calculatePKCECodeChallenge(codeVerifier);
+    results.pkceCodeVerifier = codeVerifier;
+  }
+  await updateSession(
+    session.id,
+    { auth: { status: "unauthenticated" } },
+    {
+      storageName: sessionStorageName,
+      storagePrefix: sessionStoragePrefix,
+      expiresIn: sessionExpires,
+      secret: sessionSecret
+    }
+  );
+  results.authorizeUrl = buildAuthorizationUrlOidc(config, parameters).toString();
+  return results;
+}
+export async function authorizationCodeGrant(authorizeParams, opts) {
+  const { wellKnownUrl, cache, clientId, clientSecret, origin, redirectUri, usePkce, codeChallengeMethod } = opts;
+  const config = await getOpenIdConfiguration(wellKnownUrl, { cache, clientId, clientSecret });
+  const serverMeta = config.serverMetadata();
+  const redirectUrl = getOpenIdRedirectUrl(origin, redirectUri);
+  if (authorizeParams.code) {
+    redirectUrl.searchParams.set("code", authorizeParams.code);
+  }
+  if (authorizeParams.state) {
+    redirectUrl.searchParams.set("state", authorizeParams.state);
+  }
+  const checks = {
+    expectedState: authorizeParams.checks?.expectedState
+  };
+  if (usePkce && serverMeta.supportsPKCE(codeChallengeMethod)) {
+    checks.pkceCodeVerifier = authorizeParams.checks?.pkceCodeVerifier;
+  }
+  const parameters = {
+    grant_type: "authorization_code",
+    client_id: config.clientMetadata().client_id,
+    client_secret: config.clientMetadata().client_secret,
+    redirect_uri: redirectUrl.toString()
+  };
+  return authorizationCodeGrantOidc(config, redirectUrl, checks, parameters);
+}
+async function refreshTokenGrant(refreshToken, opts) {
+  const { wellKnownUrl, ...discoveryOption } = opts;
+  const config = await getOpenIdConfiguration(wellKnownUrl, discoveryOption);
+  return refreshTokenGrantFromOidc(config, refreshToken);
+}
+export function constructTokenSet(input) {
+  let tokenType = input.token_type;
+  if (tokenType.toUpperCase() === "BEARER") {
+    tokenType = "Bearer";
+  }
+  return {
+    tokenType,
+    idToken: input.id_token,
+    accessToken: input.access_token,
+    refreshToken: input.refresh_token,
+    scopes: (input.scope || "").split(" "),
+    expiresAt: Date.now() + (input.expires_in || 0) * 1e3
+  };
+}
+export async function refreshTokenIfNeeded(session, opts) {
+  const logger = useServerLogger({ tag: "authts-helper", level: 3 });
+  let updateSession2 = {
+    auth: { status: "unauthenticated", tokenSet: void 0 },
+    user: getAnonymousUser()
+  };
+  if (session?.auth?.status === "authenticated" && session?.auth?.tokenSet) {
+    const { accessToken, refreshToken, expiresAt } = session.auth.tokenSet;
+    const accessExpired = Boolean(accessToken && expiresAt - opts.tokenRefreshBufferMs < Date.now());
+    if (!accessExpired) {
+      updateSession2 = {
+        auth: {
+          status: session.auth.status,
+          tokenSet: session.auth.tokenSet
+        },
+        user: session.user
+      };
+    } else if (accessExpired && refreshToken) {
+      const lockStorage = useStorage("cache");
+      const lockKey = `${opts.cache.prefix}:refresh-lock:${session.id}`;
+      const acquired = await tryAcquireLock(lockStorage, lockKey, 10, opts.distributedLock ?? false);
+      if (!acquired) {
+        logger.debug('[refreshTokenIfNeeded] refresh lock held for session "%s" \u2014 skipping', session.id);
+        return { auth: { status: session.auth.status, tokenSet: session.auth.tokenSet }, user: session.user };
+      }
+      logger.info('Refreshing access token for session "%s"', session.id);
+      const tokenSet = await refreshTokenGrant(refreshToken, {
+        wellKnownUrl: opts.wellKnownUrl,
+        cache: opts.cache,
+        clientId: opts.clientId,
+        clientSecret: opts.clientSecret
+      });
+      await lockStorage.removeItem(`${opts.cache.prefix}:userinfo:${session.id}`);
+      updateSession2 = {
+        auth: {
+          status: session.auth.status,
+          tokenSet: constructTokenSet(tokenSet)
+        },
+        user: session.user
+      };
+    }
+  }
+  return updateSession2;
+}
+export async function fetchUserInfo(accessToken, sub, opts) {
+  const { wellKnownUrl, cache, clientId, clientSecret } = opts;
+  const config = await getOpenIdConfiguration(wellKnownUrl, { cache, clientId, clientSecret });
+  return fetchUserInfoFromOidc(config, accessToken, sub);
+}
+export async function revokeTokens(tokens, opts) {
+  const { wellKnownUrl, cache, clientId, clientSecret } = opts;
+  const config = await getOpenIdConfiguration(wellKnownUrl, { cache, clientId, clientSecret });
+  return Promise.allSettled(
+    tokens.map((token) => !token ? Promise.resolve() : revokeToken(config, token))
+  );
+}

package/dist/runtime/server/core/index.d.ts

@@ -0,0 +1 @@
+export * as helpers from './helpers.js';

package/dist/runtime/server/core/index.js

@@ -0,0 +1 @@
+export * as helpers from "./helpers.js";

package/dist/runtime/server/core/mutex.d.ts

@@ -0,0 +1,19 @@
+import type { Storage } from 'unstorage';
+/**
+ * Attempts to acquire a distributed or optimistic mutex lock in Nitro cache storage.
+ *
+ * Two-tier strategy (D-01):
+ * - Tier 1 (atomic, `useAtomic: true`): Uses IORedis `SET NX EX` via the unstorage Redis driver's
+ *   `getInstance()` accessor. Only effective when the Nitro `cache` mount is backed by a Redis driver.
+ *   Falls through to optimistic path if the driver accessor is unavailable.
+ * - Tier 2 (optimistic, `useAtomic: false`): `hasItem` check followed by `setItem` with TTL.
+ *   This is the Phase 7 behavior and remains the default path.
+ *
+ * @param storage - Prefixed cache storage (`useStorage('cache')`). Used for the optimistic path.
+ * @param lockKey - The lock key (without the cache prefix). Must be unique per session.
+ * @param ttlSeconds - Lock TTL in seconds. Lock expires automatically; no explicit release needed.
+ * @param useAtomic - When `true`, attempt atomic NX acquisition via Redis native client.
+ * @returns `true` if the lock was acquired by this caller, `false` if the lock was already held.
+ * @since 1.0.0
+ */
+export declare function tryAcquireLock(storage: Storage, lockKey: string, ttlSeconds: number, useAtomic: boolean): Promise<boolean>;

package/dist/runtime/server/core/mutex.js

@@ -0,0 +1,39 @@
+import useServerLogger from "#devcoffee-core/server/composables/useServerLogger";
+import { useStorage } from "nitropack/runtime/internal/storage";
+const logger = useServerLogger({ tag: "authts-mutex", level: 3 });
+export async function tryAcquireLock(storage, lockKey, ttlSeconds, useAtomic) {
+  if (useAtomic) {
+    try {
+      const baseStorage = useStorage();
+      const { driver, base } = baseStorage.getMount("cache:");
+      const client = driver.getInstance?.();
+      if (client) {
+        const prefixedKey = base + lockKey;
+        const result = await client.set(
+          prefixedKey,
+          "1",
+          "NX",
+          "EX",
+          ttlSeconds
+        );
+        if (result === "OK") {
+          logger.debug('[mutex] atomic lock acquired for key "%s"', lockKey);
+          return true;
+        }
+        logger.debug('[mutex] atomic lock held for key "%s" \u2014 skipping', lockKey);
+        return false;
+      }
+      logger.warn("[mutex] atomic lock unavailable (getInstance not present on driver) \u2014 falling back to optimistic");
+    } catch (err) {
+      logger.warn("[mutex] atomic lock failed (%s) \u2014 falling back to optimistic", String(err));
+    }
+  }
+  logger.debug('[mutex] using optimistic lock for key "%s"', lockKey);
+  const lockExists = await storage.hasItem(lockKey);
+  if (lockExists) {
+    logger.debug('[mutex] optimistic lock held for key "%s" \u2014 skipping', lockKey);
+    return false;
+  }
+  await storage.setItem(lockKey, true, { ttl: ttlSeconds });
+  return true;
+}

package/dist/runtime/server/core/nuxtAuthtsHandler.d.ts

@@ -0,0 +1,26 @@
+import type { NuxtAuthOptions } from '#devcoffee-core/server/adapters/http';
+/**
+ * Creates a universal authentication handler for Nuxt, integrating with OpenID Connect.
+ *
+ * Handles three main endpoints:
+ * - `/api/_auth/session`: Returns the current normalized session.
+ * - `/api/_auth/authorize-url`: Builds and returns the OpenID authorization URL.
+ * - `/api/_auth/token`: Handles the authorization code exchange and updates the session.
+ *
+ * @param options - Optional custom overrides for session/user mapping callbacks.
+ * @returns An h3 event handler to be registered under the `/api/_auth/*` routes.
+ *
+ * @example
+ * ```ts
+ * export default NuxtAuthtsHandler({
+ *   userInfo: async (user, tokenSet) => ({
+ *     id: user.sub,
+ *     email: user.email ?? '',
+ *     name: user.name ?? '',
+ *   }),
+ * })
+ * ```
+ *
+ * @since 1.0.0
+ */
+export default function NuxtAuthtsHandler(options?: DeepPartial<NuxtAuthOptions>): any;

package/dist/runtime/server/core/nuxtAuthtsHandler.js

@@ -0,0 +1,238 @@
+import {
+  createError,
+  deleteCookie,
+  eventHandler,
+  getCookie,
+  getQuery,
+  getRequestURL,
+  readFormData,
+  setCookie,
+  useRuntimeConfig
+} from "#devcoffee-core/server/adapters/http";
+import { deepMerge, omit } from "#devcoffee-core/server/adapters/utils";
+import { useStorage } from "nitropack/runtime/internal/storage";
+import {
+  authorizationCodeGrant,
+  buildAuthorizationUrl,
+  constructTokenSet,
+  deleteSession,
+  fetchUserInfo,
+  getSession,
+  isSameOrigin,
+  revokeTokens,
+  updateSession
+} from "./helpers.js";
+const AUTH_API_PREFIX = "/api/_auth";
+var AuthSupportAction = /* @__PURE__ */ ((AuthSupportAction2) => {
+  AuthSupportAction2["GET_SESSION"] = "session";
+  AuthSupportAction2["AUTHORIZE_URL"] = "authorize-url";
+  AuthSupportAction2["TOKEN"] = "token";
+  AuthSupportAction2["LOGOUT"] = "logout";
+  return AuthSupportAction2;
+})(AuthSupportAction || {});
+function getAuthAction(requestUrl) {
+  const parts = requestUrl.pathname.toLocaleLowerCase().replace(AUTH_API_PREFIX, "").split("/").filter(Boolean);
+  if (!parts[0] || !Object.values(AuthSupportAction).includes(parts[0]))
+    throw createError({
+      status: 500,
+      fatal: true,
+      statusMessage: "auth action not support",
+      message: `AuthSupportAction does not support '${parts[0]}'`
+    });
+  return parts[0];
+}
+const defaultNuxtAuthOptions = {
+  /**
+   * Default Devcoffee Nuxt AuthTS option callbacks for session and user mapping.
+   * These can be overridden by passing custom callbacks to `NuxtAuthtsHandler()`.
+   * @since 1.0.0
+   */
+  session: async (session, auth) => {
+    return Promise.resolve(
+      deepMerge(omit(session, ["issuedAt", "expiresAt"]), {
+        isAuthenticated: auth.status === "authenticated" && Boolean(auth.tokenSet && session.user.id)
+      })
+    );
+  },
+  /**
+   * Maps the OpenID Connect user info response to your local user schema.
+   *
+   * @param user - The raw user info response from the OpenID provider.
+   * @param opts - The token response containing access and ID tokens.
+   * @returns A normalized user object.
+   * @since 1.0.0
+   */
+  userInfo: async (user, opts) => user
+};
+export default function NuxtAuthtsHandler(options) {
+  const { enabled: authEnabled, sessions: sessionConfig, openid, auth } = useRuntimeConfig().nuxtCore.authts;
+  const nuxtAuthOptions = deepMerge({ ...defaultNuxtAuthOptions }, options || {});
+  return eventHandler(async (event) => {
+    const requestUrl = getRequestURL(event);
+    const queryParams = getQuery(event);
+    const authAction = getAuthAction(requestUrl);
+    let session = await getSession(event.context.sessionId, {
+      storageName: sessionConfig.storage.name,
+      storagePrefix: sessionConfig.storage.prefix,
+      secret: sessionConfig.secret || ""
+    });
+    if (!session) {
+      throw createError({
+        status: 500,
+        fatal: true,
+        message: `session '${event.context.sessionId}' was not found!`
+      });
+    }
+    if (!authEnabled && !["session" /* GET_SESSION */].includes(authAction)) {
+      throw createError({
+        status: 500,
+        fatal: true,
+        message: `Action '${authAction}' is disabled!`
+      });
+    }
+    const authCookieOpts = omit(sessionConfig.cookieOpts, ["expires", "maxAge"]);
+    let redirectUrl;
+    let tokenSet;
+    switch (authAction) {
+      case "session" /* GET_SESSION */:
+        const refetchSessionData = {};
+        if (openid.autoFetchUser && session.auth?.status === "authenticated" && session.auth?.tokenSet) {
+          const cacheStorage2 = useStorage("cache");
+          const userInfoCacheKey = `${openid.cache.prefix}:userinfo:${session.id}`;
+          let cachedUser = await cacheStorage2.getItem(userInfoCacheKey);
+          if (!cachedUser) {
+            cachedUser = await nuxtAuthOptions.userInfo(session.user, { tokenSet: session.auth.tokenSet });
+            await cacheStorage2.setItem(userInfoCacheKey, cachedUser, { ttl: openid.autoFetchUserTtl });
+          }
+          refetchSessionData.user = cachedUser;
+        }
+        if (Object.keys(refetchSessionData).length > 0) {
+          session = await updateSession(session.id, refetchSessionData, {
+            storageName: sessionConfig.storage.name,
+            storagePrefix: sessionConfig.storage.prefix,
+            expiresIn: sessionConfig.expiresIn,
+            secret: sessionConfig.secret || ""
+          });
+        }
+        event.context.sessionId = session.id;
+        return nuxtAuthOptions.session(omit(session, ["auth"]), session.auth);
+      case "authorize-url" /* AUTHORIZE_URL */:
+        const { authorizeUrl, state, pkceCodeVerifier } = await buildAuthorizationUrl(session, {
+          codeChallengeMethod: openid.codeChallengeMethod,
+          sessionExpires: sessionConfig.expiresIn,
+          cache: openid.cache,
+          origin: requestUrl,
+          wellKnownUrl: openid.wellKnownUrl,
+          usePkce: openid.usePkce,
+          clientId: openid.clientId,
+          clientSecret: openid.clientSecret,
+          redirectUri: openid.redirectUri,
+          scopes: openid.scopes,
+          sessionStorageName: sessionConfig.storage.name,
+          sessionStoragePrefix: sessionConfig.storage.prefix
+        });
+        if (pkceCodeVerifier) {
+          setCookie(event, sessionConfig.names.pkce, pkceCodeVerifier, authCookieOpts);
+        }
+        if (queryParams.redirectUrl) {
+          const candidateUrl = String(queryParams.redirectUrl);
+          if (!isSameOrigin(candidateUrl, requestUrl)) {
+            throw createError({
+              status: 400,
+              statusMessage: "redirect URL must be same-origin",
+              message: `Redirect URL '${candidateUrl}' is not same-origin with '${requestUrl.origin}'`
+            });
+          }
+          setCookie(event, sessionConfig.names.redirectUrl, candidateUrl, authCookieOpts);
+        }
+        setCookie(event, sessionConfig.names.state, state, authCookieOpts);
+        event.context.sessionId = session.id;
+        return { redirectUrl: authorizeUrl };
+      case "token" /* TOKEN */:
+        const formData = await readFormData(event);
+        const openIdTokenSet = await authorizationCodeGrant(
+          {
+            code: formData.get("code") || void 0,
+            state: formData.get("state") || void 0,
+            checks: {
+              expectedState: getCookie(event, sessionConfig.names.state),
+              pkceCodeVerifier: getCookie(event, sessionConfig.names.pkce)
+            }
+          },
+          {
+            cache: openid.cache,
+            origin: requestUrl,
+            usePkce: openid.usePkce,
+            clientId: openid.clientId,
+            redirectUri: openid.redirectUri,
+            wellKnownUrl: openid.wellKnownUrl,
+            clientSecret: openid.clientSecret,
+            codeChallengeMethod: openid.codeChallengeMethod
+          }
+        );
+        const candidateRedirect = getCookie(event, sessionConfig.names.redirectUrl);
+        if (candidateRedirect && !isSameOrigin(candidateRedirect, requestUrl)) {
+          throw createError({
+            status: 400,
+            statusMessage: "redirect URL must be same-origin",
+            message: `Redirect URL '${candidateRedirect}' is not same-origin with '${requestUrl.origin}'`
+          });
+        }
+        redirectUrl = candidateRedirect || auth.defaultLoginRedirectUri;
+        Array.of(sessionConfig.names.state, sessionConfig.names.pkce, sessionConfig.names.redirectUrl).forEach(
+          (cookie) => deleteCookie(event, cookie, authCookieOpts)
+        );
+        tokenSet = constructTokenSet(openIdTokenSet);
+        const sessionData = {
+          auth: {
+            status: "authenticated",
+            tokenSet
+          }
+        };
+        if (openid.fetchUserOnLogin) {
+          const openidUser = await fetchUserInfo(tokenSet.accessToken, openIdTokenSet.claims()?.sub || "", {
+            cache: openid.cache,
+            clientId: openid.clientId,
+            clientSecret: openid.clientSecret,
+            wellKnownUrl: openid.wellKnownUrl
+          });
+          sessionData.user = await nuxtAuthOptions.userInfo(session.user, { openidUser, tokenSet });
+        }
+        await updateSession(session.id, sessionData, {
+          storageName: sessionConfig.storage.name,
+          storagePrefix: sessionConfig.storage.prefix,
+          expiresIn: sessionConfig.expiresIn,
+          secret: sessionConfig.secret || ""
+        });
+        event.context.sessionId = session.id;
+        return { redirectUrl };
+      case "logout" /* LOGOUT */:
+        redirectUrl = auth.defaultLogoutRedirectUri;
+        tokenSet = session.auth.tokenSet;
+        if (tokenSet) {
+          await revokeTokens([tokenSet.accessToken, tokenSet.refreshToken, tokenSet.idToken], {
+            cache: openid.cache,
+            clientId: openid.clientId,
+            clientSecret: openid.clientSecret,
+            wellKnownUrl: openid.wellKnownUrl
+          });
+        }
+        await deleteSession(session.id, {
+          storageName: sessionConfig.storage.name,
+          storagePrefix: sessionConfig.storage.prefix
+        });
+        const cacheStorage = useStorage("cache");
+        await cacheStorage.removeItem(`${openid.cache.prefix}:userinfo:${session.id}`);
+        deleteCookie(event, sessionConfig.names.sessionId, authCookieOpts);
+        event.context.sessionId = "";
+        return { redirectUrl };
+      default:
+        break;
+    }
+    throw createError({
+      status: 500,
+      fatal: true,
+      message: `Action '${authAction}' is disabled!`
+    });
+  });
+}