@draftlab/auth 0.0.1

package/dist/icon-Ci5uqGB_.js

@@ -0,0 +1,192 @@
+//#region src/ui/icon.ts
+/**
+* Icon components for Draft Auth UI.
+* Provides SVG icons for various authentication providers and common UI elements.
+*
+* ## Usage
+*
+* ```ts
+* import { ICON_GITHUB, ICON_GOOGLE, ICON_EMAIL } from "./icon"
+*
+* // In provider buttons
+* const buttonHtml = `
+*   <button>
+*     ${ICON_GITHUB}
+*     Continue with GitHub
+*   </button>
+* `
+*
+* // In form elements
+* const formHtml = `
+*   <div>
+*     ${ICON_EMAIL}
+*     Email verification
+*   </div>
+* `
+* ```
+*
+* ## Features
+*
+* - **Consistent sizing**: All icons are properly sized and scalable
+* - **Accessibility**: Proper ARIA labels and semantic markup
+* - **Current color**: Icons inherit text color for easy theming
+* - **Optimized SVGs**: Clean, minimal SVG markup for performance
+*
+* @packageDocumentation
+*/
+/**
+* GitHub brand icon with official logo design.
+* Used for GitHub authentication provider buttons and references.
+*
+* @example
+* ```ts
+* const buttonHtml = `
+*   <button data-component="provider-button">
+*     ${ICON_GITHUB}
+*     Sign in with GitHub
+*   </button>
+* `
+* ```
+*/
+const ICON_GITHUB = `
+	<svg
+		aria-label="GitHub"
+		fill="currentColor"
+		height="250"
+		preserveAspectRatio="xMidYMid"
+		role="img"
+		viewBox="0 0 256 250"
+		width="256"
+		xmlns="http://www.w3.org/2000/svg"
+	>
+		<path d="M128.001 0C57.317 0 0 57.307 0 128.001c0 56.554 36.676 104.535 87.535 121.46 6.397 1.185 8.746-2.777 8.746-6.158 0-3.052-.12-13.135-.174-23.83-35.61 7.742-43.124-15.103-43.124-15.103-5.823-14.795-14.213-18.73-14.213-18.73-11.613-7.944.876-7.78.876-7.78 12.853.902 19.621 13.19 19.621 13.19 11.417 19.568 29.945 13.911 37.249 10.64 1.149-8.272 4.466-13.92 8.127-17.116-28.431-3.236-58.318-14.212-58.318-63.258 0-13.975 5-25.394 13.188-34.358-1.329-3.224-5.71-16.242 1.24-33.874 0 0 10.749-3.44 35.21 13.121 10.21-2.836 21.16-4.258 32.038-4.307 10.878.049 21.837 1.47 32.066 4.307 24.431-16.56 35.165-13.12 35.165-13.12 6.967 17.63 2.584 30.65 1.255 33.873 8.207 8.964 13.173 20.383 13.173 34.358 0 49.163-29.944 59.988-58.447 63.157 4.591 3.972 8.682 11.762 8.682 23.704 0 17.126-.148 30.91-.148 35.126 0 3.407 2.304 7.398 8.792 6.14C219.37 232.5 256 184.537 256 128.002 256 57.307 198.691 0 128.001 0Zm-80.06 182.34c-.282.636-1.283.827-2.194.39-.929-.417-1.45-1.284-1.15-1.922.276-.655 1.279-.838 2.205-.399.93.418 1.46 1.293 1.139 1.931Zm6.296 5.618c-.61.566-1.804.303-2.614-.591-.837-.892-.994-2.086-.375-2.66.63-.566 1.787-.301 2.626.591.838.903 1 2.088.363 2.66Zm4.32 7.188c-.785.545-2.067.034-2.86-1.104-.784-1.138-.784-2.503.017-3.05.795-.547 2.058-.055 2.861 1.075.782 1.157.782 2.522-.019 3.08Zm7.304 8.325c-.701.774-2.196.566-3.29-.49-1.119-1.032-1.43-2.496-.726-3.27.71-.776 2.213-.558 3.315.49 1.11 1.03 1.45 2.505.701 3.27Zm9.442 2.81c-.31 1.003-1.75 1.459-3.199 1.033-1.448-.439-2.395-1.613-2.103-2.626.301-1.01 1.747-1.484 3.207-1.028 1.446.436 2.396 1.602 2.095 2.622Zm10.744 1.193c.036 1.055-1.193 1.93-2.715 1.95-1.53.034-2.769-.82-2.786-1.86 0-1.065 1.202-1.932 2.733-1.958 1.522-.03 2.768.818 2.768 1.868Zm10.555-.405c.182 1.03-.875 2.088-2.387 2.37-1.485.271-2.861-.365-3.05-1.386-.184-1.056.893-2.114 2.376-2.387 1.514-.263 2.868.356 3.061 1.403Z" />
+	</svg>
+`;
+/**
+* Google brand icon with official multicolor logo design.
+* Used for Google authentication provider buttons and references.
+*
+* @example
+* ```ts
+* const buttonHtml = `
+*   <button data-component="provider-button">
+*     ${ICON_GOOGLE}
+*     Continue with Google
+*   </button>
+* `
+* ```
+*/
+const ICON_GOOGLE = `
+	<svg
+		aria-label="Google"
+		height="262"
+		preserveAspectRatio="xMidYMid"
+		role="img"
+		viewBox="0 0 256 262"
+		width="256"
+		xmlns="http://www.w3.org/2000/svg"
+	>
+		<path
+			d="M255.878 133.451c0-10.734-.871-18.567-2.756-26.69H130.55v48.448h71.947c-1.45 12.04-9.283 30.172-26.69 42.356l-.244 1.622 38.755 30.023 2.685.268c24.659-22.774 38.875-56.282 38.875-96.027"
+			fill="#4285F4"
+		/>
+		<path
+			d="M130.55 261.1c35.248 0 64.839-11.605 86.453-31.622l-41.196-31.913c-11.024 7.688-25.82 13.055-45.257 13.055-34.523 0-63.824-22.773-74.269-54.25l-1.531.13-40.298 31.187-.527 1.465C35.393 231.798 79.49 261.1 130.55 261.1"
+			fill="#34A853"
+		/>
+		<path
+			d="M56.281 156.37c-2.756-8.123-4.351-16.827-4.351-25.82 0-8.994 1.595-17.697 4.206-25.82l-.073-1.73L15.26 71.312l-1.335.635C5.077 89.644 0 109.517 0 130.55s5.077 40.905 13.925 58.602l42.356-32.782"
+			fill="#FBBC05"
+		/>
+		<path
+			d="M130.55 50.479c24.514 0 41.05 10.589 50.479 19.438l36.844-35.974C195.245 12.91 165.798 0 130.55 0 79.49 0 35.393 29.301 13.925 71.947l42.211 32.783c10.59-31.477 39.891-54.251 74.414-54.251"
+			fill="#EB4335"
+		/>
+	</svg>
+`;
+/**
+* Email envelope icon for email-related authentication flows.
+* Used in email verification, password reset, and contact forms.
+*
+* @example
+* ```ts
+* const inputGroupHtml = `
+*   <div data-component="input-group">
+*     ${ICON_EMAIL}
+*     <input type="email" placeholder="Enter your email" />
+*   </div>
+* `
+* ```
+*/
+const ICON_EMAIL = `
+	<svg
+		aria-label="Email"
+		fill="none"
+		role="img"
+		stroke="currentColor"
+		stroke-width="1.5"
+		viewBox="0 0 24 24"
+		xmlns="http://www.w3.org/2000/svg"
+	>
+		<path
+			d="M21.75 6.75v10.5a2.25 2.25 0 0 1-2.25 2.25h-15a2.25 2.25 0 0 1-2.25-2.25V6.75m19.5 0A2.25 2.25 0 0 0 19.5 4.5h-15a2.25 2.25 0 0 0-2.25 2.25m19.5 0v.243a2.25 2.25 0 0 1-1.07 1.916l-7.5 4.615a2.25 2.25 0 0 1-2.36 0L3.32 8.91a2.25 2.25 0 0 1-1.07-1.916V6.75"
+			stroke-linecap="round"
+			stroke-linejoin="round"
+		/>
+	</svg>
+`;
+/**
+* Slack brand icon with official logo design.
+* Used for Slack authentication provider buttons and workplace integrations.
+*
+* @example
+* ```ts
+* const buttonHtml = `
+*   <button data-component="provider-button">
+*     ${ICON_SLACK}
+*     Continue with Slack
+*   </button>
+* `
+* ```
+*/
+const ICON_SLACK = `
+	<svg
+		aria-label="Slack"
+		fill="none"
+		height="24"
+		role="img"
+		viewBox="0 0 24 24"
+		width="24"
+		xmlns="http://www.w3.org/2000/svg"
+	>
+		<g>
+			<path
+				clip-rule="evenodd"
+				d="M8.79948 0C7.47279 0.000978593 6.39909 1.07547 6.40007 2.39951C6.39909 3.72355 7.47377 4.79804 8.80046 4.79902H11.2009V2.40049C11.2018 1.07645 10.1271 0.00195719 8.79948 0ZM8.79948 6.4H2.40039C1.07371 6.40098 -0.000977873 7.47547 2.67973e-06 8.79951C-0.00195842 10.1235 1.07273 11.198 2.39941 11.2H8.79948C10.1262 11.199 11.2009 10.1245 11.1999 8.80049C11.2009 7.47547 10.1262 6.40098 8.79948 6.4Z"
+				fill="currentColor"
+				fill-rule="evenodd"
+			/>
+			<path
+				clip-rule="evenodd"
+				d="M24.0007 8.79951C24.0016 7.47547 22.9269 6.40098 21.6003 6.4C20.2736 6.40098 19.1989 7.47547 19.1999 8.79951V11.2H21.6003C22.9269 11.199 24.0016 10.1245 24.0007 8.79951ZM17.6006 8.79951V2.39951C17.6016 1.07645 16.5279 0.00195719 15.2012 0C13.8745 0.000978593 12.7998 1.07547 12.8008 2.39951V8.79951C12.7988 10.1235 13.8735 11.198 15.2002 11.2C16.5269 11.199 17.6016 10.1245 17.6006 8.79951Z"
+				fill="currentColor"
+				fill-rule="evenodd"
+			/>
+			<path
+				clip-rule="evenodd"
+				d="M15.1992 23.9998C16.5259 23.9988 17.6006 22.9243 17.5996 21.6003C17.6006 20.2763 16.5259 19.2018 15.1992 19.2008H12.7988V21.6003C12.7978 22.9234 13.8725 23.9978 15.1992 23.9998ZM15.1992 17.5988H21.5993C22.926 17.5978 24.0007 16.5234 23.9997 15.1993C24.0016 13.8753 22.927 12.8008 21.6003 12.7988H15.2002C13.8735 12.7998 12.7988 13.8743 12.7998 15.1983C12.7988 16.5234 13.8725 17.5978 15.1992 17.5988Z"
+				fill="currentColor"
+				fill-rule="evenodd"
+			/>
+			<path
+				clip-rule="evenodd"
+				d="M0 15.1993C-0.000979882 16.5234 1.07371 17.5978 2.40039 17.5988C3.72708 17.5978 4.80177 16.5234 4.80079 15.1993V12.7998H2.40039C1.07371 12.8008 -0.000979882 13.8753 0 15.1993ZM6.40007 15.1993V21.5993C6.3981 22.9234 7.47279 23.9978 8.79948 23.9998C10.1262 23.9988 11.2009 22.9243 11.1999 21.6003V15.2013C11.2018 13.8772 10.1271 12.8027 8.80046 12.8008C7.47279 12.8008 6.39909 13.8753 6.40007 15.1993Z"
+				fill="currentColor"
+				fill-rule="evenodd"
+			/>
+		</g>
+	</svg>
+`;
+
+//#endregion
+export { ICON_EMAIL, ICON_GITHUB, ICON_GOOGLE, ICON_SLACK };

package/dist/index.d.ts

@@ -0,0 +1,9 @@
+import "./allow-CixonwTW.js";
+import "./error-CWAdNAzm.js";
+import "./util-ChlgVqPN.js";
+import "./subject-DiQdRWGt.js";
+import "./storage-CxKerLlc.js";
+import "./provider-CwWMG-1l.js";
+import "./theme-C9by7VXf.js";
+import { issuer } from "./core-8WTqfnb4.js";
+export { issuer };

package/dist/index.js

@@ -0,0 +1,14 @@
+import "./util-CSdHUFOo.js";
+import "./allow-DX5cehSc.js";
+import "./error-DgAKK7b2.js";
+import "./pkce-276Za_rZ.js";
+import "./random-SXMYlaVr.js";
+import "./storage-BEaqEPNQ.js";
+import "./keys-EEfxEGfO.js";
+import "./theme-CswaLtbW.js";
+import "./base-DRutbxgL.js";
+import "./icon-Ci5uqGB_.js";
+import "./select-BjySLL8I.js";
+import { issuer } from "./core-CncE5rPg.js";
+
+export { issuer };

package/dist/keys-EEfxEGfO.js

@@ -0,0 +1,140 @@
+import { generateSecureToken } from "./random-SXMYlaVr.js";
+import { Storage } from "./storage-BEaqEPNQ.js";
+import { exportJWK, exportPKCS8, exportSPKI, generateKeyPair, importPKCS8, importSPKI } from "jose";
+
+//#region src/keys.ts
+/**
+* Cryptographic key management for JWT signing and encryption operations.
+* Handles automatic key generation, rotation, and storage for OAuth operations.
+*/
+/** Elliptic Curve algorithm used for JWT signing operations */
+const signingAlg = "ES256";
+/** RSA algorithm used for token encryption operations */
+const encryptionAlg = "RSA-OAEP-512";
+/**
+* Loads or generates signing keys for JWT operations.
+* Returns existing valid keys, or generates new ones if none are available.
+* Keys are automatically sorted by creation date (newest first).
+*
+* @param storage - Storage adapter for persistent key storage
+* @returns Promise resolving to array of available signing key pairs
+*
+* @example
+* ```ts
+* const keys = await signingKeys(storage)
+* const currentKey = keys[0] // Most recent key
+*
+* // Use for JWT signing
+* const jwt = await new SignJWT(payload)
+*   .setProtectedHeader({ alg: currentKey.alg, kid: currentKey.id })
+*   .sign(currentKey.private)
+* ```
+*/
+const signingKeys = async (storage) => {
+	const results = [];
+	const scanner = Storage.scan(storage, ["signing:key"]);
+	for await (const [, value] of scanner) try {
+		const publicKey = await importSPKI(value.publicKey, value.alg, { extractable: true });
+		const privateKey = await importPKCS8(value.privateKey, value.alg);
+		const jwk$1 = await exportJWK(publicKey);
+		jwk$1.kid = value.id;
+		jwk$1.use = "sig";
+		results.push({
+			id: value.id,
+			alg: signingAlg,
+			created: new Date(value.created),
+			expired: value.expired ? new Date(value.expired) : void 0,
+			public: publicKey,
+			private: privateKey,
+			jwk: jwk$1
+		});
+	} catch {}
+	results.sort((a, b) => b.created.getTime() - a.created.getTime());
+	if (results.filter((item) => !item.expired).length) return results;
+	const key = await generateKeyPair(signingAlg, { extractable: true });
+	const serialized = {
+		id: generateSecureToken(16),
+		publicKey: await exportSPKI(key.publicKey),
+		privateKey: await exportPKCS8(key.privateKey),
+		created: Date.now(),
+		alg: signingAlg
+	};
+	await Storage.set(storage, ["signing:key", serialized.id], serialized);
+	const jwk = await exportJWK(key.publicKey);
+	jwk.kid = serialized.id;
+	jwk.use = "sig";
+	const newKeyPair = {
+		id: serialized.id,
+		alg: signingAlg,
+		created: new Date(serialized.created),
+		expired: serialized.expired ? new Date(serialized.expired) : void 0,
+		public: key.publicKey,
+		private: key.privateKey,
+		jwk
+	};
+	return [newKeyPair, ...results];
+};
+/**
+* Loads or generates encryption keys for token encryption operations.
+* Returns existing valid keys, or generates new ones if none are available.
+* Keys are automatically sorted by creation date (newest first).
+*
+* @param storage - Storage adapter for persistent key storage
+* @returns Promise resolving to array of available encryption key pairs
+*
+* @example
+* ```ts
+* const keys = await encryptionKeys(storage)
+* const currentKey = keys[0] // Most recent key
+*
+* // Use for token encryption
+* const encrypted = await new EncryptJWT(payload)
+*   .setProtectedHeader({ alg: 'RSA-OAEP-512', enc: 'A256GCM' })
+*   .encrypt(currentKey.public)
+* ```
+*/
+const encryptionKeys = async (storage) => {
+	const results = [];
+	const scanner = Storage.scan(storage, ["encryption:key"]);
+	for await (const [, value] of scanner) try {
+		const publicKey = await importSPKI(value.publicKey, value.alg, { extractable: true });
+		const privateKey = await importPKCS8(value.privateKey, value.alg);
+		const jwk$1 = await exportJWK(publicKey);
+		jwk$1.kid = value.id;
+		results.push({
+			id: value.id,
+			alg: encryptionAlg,
+			created: new Date(value.created),
+			expired: value.expired ? new Date(value.expired) : void 0,
+			public: publicKey,
+			private: privateKey,
+			jwk: jwk$1
+		});
+	} catch {}
+	results.sort((a, b) => b.created.getTime() - a.created.getTime());
+	if (results.filter((item) => !item.expired).length) return results;
+	const key = await generateKeyPair(encryptionAlg, { extractable: true });
+	const serialized = {
+		id: generateSecureToken(16),
+		publicKey: await exportSPKI(key.publicKey),
+		privateKey: await exportPKCS8(key.privateKey),
+		created: Date.now(),
+		alg: encryptionAlg
+	};
+	await Storage.set(storage, ["encryption:key", serialized.id], serialized);
+	const jwk = await exportJWK(key.publicKey);
+	jwk.kid = serialized.id;
+	const newKeyPair = {
+		id: serialized.id,
+		alg: encryptionAlg,
+		created: new Date(serialized.created),
+		expired: serialized.expired ? new Date(serialized.expired) : void 0,
+		public: key.publicKey,
+		private: key.privateKey,
+		jwk
+	};
+	return [newKeyPair, ...results];
+};
+
+//#endregion
+export { encryptionKeys, signingKeys };

package/dist/keys.d.ts

@@ -0,0 +1,67 @@
+import { StorageAdapter } from "./storage-CxKerLlc.js";
+import { CryptoKey, JWK } from "jose";
+
+//#region src/keys.d.ts
+
+/**
+ * Runtime key pair with loaded cryptographic keys and metadata.
+ * Ready for immediate use in signing and encryption operations.
+ */
+interface KeyPair {
+  /** Unique identifier for the key pair */
+  readonly id: string;
+  /** Algorithm used for this key pair */
+  readonly alg: string;
+  /** Loaded public key for verification/encryption */
+  readonly public: CryptoKey;
+  /** Loaded private key for signing/decryption */
+  readonly private: CryptoKey;
+  /** Date when the key was created */
+  readonly created: Date;
+  /** Optional expiration date */
+  readonly expired?: Date;
+  /** JSON Web Key representation for JWKS endpoints */
+  readonly jwk: JWK;
+}
+/**
+ * Loads or generates signing keys for JWT operations.
+ * Returns existing valid keys, or generates new ones if none are available.
+ * Keys are automatically sorted by creation date (newest first).
+ *
+ * @param storage - Storage adapter for persistent key storage
+ * @returns Promise resolving to array of available signing key pairs
+ *
+ * @example
+ * ```ts
+ * const keys = await signingKeys(storage)
+ * const currentKey = keys[0] // Most recent key
+ *
+ * // Use for JWT signing
+ * const jwt = await new SignJWT(payload)
+ *   .setProtectedHeader({ alg: currentKey.alg, kid: currentKey.id })
+ *   .sign(currentKey.private)
+ * ```
+ */
+declare const signingKeys: (storage: StorageAdapter) => Promise<KeyPair[]>;
+/**
+ * Loads or generates encryption keys for token encryption operations.
+ * Returns existing valid keys, or generates new ones if none are available.
+ * Keys are automatically sorted by creation date (newest first).
+ *
+ * @param storage - Storage adapter for persistent key storage
+ * @returns Promise resolving to array of available encryption key pairs
+ *
+ * @example
+ * ```ts
+ * const keys = await encryptionKeys(storage)
+ * const currentKey = keys[0] // Most recent key
+ *
+ * // Use for token encryption
+ * const encrypted = await new EncryptJWT(payload)
+ *   .setProtectedHeader({ alg: 'RSA-OAEP-512', enc: 'A256GCM' })
+ *   .encrypt(currentKey.public)
+ * ```
+ */
+declare const encryptionKeys: (storage: StorageAdapter) => Promise<KeyPair[]>;
+//#endregion
+export { KeyPair, encryptionKeys, signingKeys };

package/dist/keys.js

@@ -0,0 +1,5 @@
+import "./random-SXMYlaVr.js";
+import "./storage-BEaqEPNQ.js";
+import { encryptionKeys, signingKeys } from "./keys-EEfxEGfO.js";
+
+export { encryptionKeys, signingKeys };

package/dist/oauth2-B7-6Z7Lc.js

@@ -0,0 +1,155 @@
+import { getRelativeUrl } from "./util-CSdHUFOo.js";
+import { OauthError } from "./error-DgAKK7b2.js";
+import { generatePKCE } from "./pkce-276Za_rZ.js";
+import { generateSecureToken, timingSafeCompare } from "./random-SXMYlaVr.js";
+
+//#region src/provider/oauth2.ts
+/**
+* Creates an OAuth 2.0 authentication provider.
+* Implements the Authorization Code Grant flow with optional PKCE support.
+*
+* @param config - OAuth 2.0 provider configuration
+* @returns Provider instance implementing OAuth 2.0 authentication
+*
+* @example
+* ```ts
+* // GitHub provider with basic configuration
+* const githubProvider = Oauth2Provider({
+*   clientID: process.env.GITHUB_CLIENT_ID,
+*   clientSecret: process.env.GITHUB_CLIENT_SECRET,
+*   endpoint: {
+*     authorization: "https://github.com/login/oauth/authorize",
+*     token: "https://github.com/login/oauth/access_token"
+*   },
+*   scopes: ["user:email", "read:user"]
+* })
+*
+* // Provider with PKCE and custom parameters
+* const customProvider = Oauth2Provider({
+*   clientID: "my-client-id",
+*   clientSecret: "my-client-secret",
+*   endpoint: {
+*     authorization: "https://provider.com/oauth/authorize",
+*     token: "https://provider.com/oauth/token",
+*     jwks: "https://provider.com/.well-known/jwks.json"
+*   },
+*   scopes: ["read", "write"],
+*   pkce: true,
+*   query: {
+*     prompt: "consent",
+*     access_type: "offline"
+*   }
+* })
+* ```
+*/
+const Oauth2Provider = (config) => {
+	const authQuery = config.query || {};
+	/**
+	* Handles the OAuth 2.0 callback logic for both GET and POST requests.
+	* Exchanges the authorization code for tokens and processes the response.
+	*/
+	const handleCallbackLogic = async (c, ctx, provider, code) => {
+		if (!(provider && code)) return c.redirect(getRelativeUrl(c, "./authorize"));
+		const tokenRequestBody = new URLSearchParams({
+			client_id: config.clientID,
+			client_secret: config.clientSecret,
+			code,
+			grant_type: "authorization_code",
+			redirect_uri: provider.redirect,
+			...provider.codeVerifier ? { code_verifier: provider.codeVerifier } : {}
+		});
+		try {
+			const response = await fetch(config.endpoint.token, {
+				method: "POST",
+				headers: {
+					"Content-Type": "application/x-www-form-urlencoded",
+					Accept: "application/json"
+				},
+				body: tokenRequestBody.toString()
+			});
+			if (!response.ok) throw new Error(`Token request failed with status ${response.status}`);
+			const tokenData = await response.json();
+			if (tokenData.error) throw new OauthError(tokenData.error, tokenData.error_description || "");
+			return await ctx.success(c, {
+				clientID: config.clientID,
+				tokenset: {
+					get access() {
+						return tokenData.access_token;
+					},
+					get refresh() {
+						return tokenData.refresh_token || "";
+					},
+					get expiry() {
+						return tokenData.expires_in || 0;
+					},
+					get raw() {
+						return tokenData;
+					}
+				}
+			});
+		} catch (error) {
+			if (error instanceof OauthError) throw error;
+			throw new OauthError("server_error", `Token exchange failed: ${error instanceof Error ? error.message : "Unknown error"}`);
+		}
+	};
+	return {
+		type: config.type || "oauth2",
+		init(routes, ctx) {
+			/**
+			* Initiates OAuth 2.0 authorization flow.
+			* Redirects user to the provider's authorization endpoint with proper parameters.
+			*/
+			routes.get("/authorize", async (c) => {
+				const state = generateSecureToken();
+				const pkce = config.pkce ? await generatePKCE() : void 0;
+				await ctx.set(c, "provider", 60 * 10, {
+					state,
+					redirect: getRelativeUrl(c, "./callback"),
+					codeVerifier: pkce?.verifier
+				});
+				const authorizationUrl = new URL(config.endpoint.authorization);
+				authorizationUrl.searchParams.set("client_id", config.clientID);
+				authorizationUrl.searchParams.set("redirect_uri", getRelativeUrl(c, "./callback"));
+				authorizationUrl.searchParams.set("response_type", "code");
+				authorizationUrl.searchParams.set("state", state);
+				authorizationUrl.searchParams.set("scope", config.scopes.join(" "));
+				if (pkce) {
+					authorizationUrl.searchParams.set("code_challenge", pkce.challenge);
+					authorizationUrl.searchParams.set("code_challenge_method", pkce.method);
+				}
+				for (const [key, value] of Object.entries(authQuery)) authorizationUrl.searchParams.set(key, value);
+				return c.redirect(authorizationUrl.toString());
+			});
+			/**
+			* Handles OAuth 2.0 callback via query parameters (GET request).
+			* Standard OAuth 2.0 callback method for most providers.
+			*/
+			routes.get("/callback", async (c) => {
+				const provider = await ctx.get(c, "provider");
+				const code = c.query("code");
+				const state = c.query("state");
+				const error = c.query("error");
+				if (error) throw new OauthError(error, c.query("error_description") || "");
+				if (!(provider && code) || provider.state && !timingSafeCompare(state || "", provider.state)) return c.redirect(getRelativeUrl(c, "./authorize"));
+				return await handleCallbackLogic(c, ctx, provider, code);
+			});
+			/**
+			* Handles OAuth 2.0 callback via form data (POST request).
+			* Alternative callback method supported by some providers.
+			*/
+			routes.post("/callback", async (c) => {
+				const provider = await ctx.get(c, "provider");
+				const formData = await c.formData();
+				const code = formData.get("code")?.toString();
+				const state = formData.get("state")?.toString();
+				const error = formData.get("error")?.toString();
+				if (error) throw new OauthError(error, formData.get("error_description")?.toString() || "");
+				if (!(provider && code) || provider.state && !timingSafeCompare(state || "", provider.state)) return c.redirect(getRelativeUrl(c, "./authorize"));
+				return await handleCallbackLogic(c, ctx, provider, code);
+			});
+		}
+	};
+};
+
+//#endregion
+export { Oauth2Provider };