@draftlab/auth 0.10.4 → 0.12.0

package/dist/core.d.mts

@@ -3,7 +3,6 @@ import { UnknownStateError } from "./error.mjs";
 import { Prettify } from "./util.mjs";
 import { SubjectPayload, SubjectSchema } from "./subject.mjs";
 import { StorageAdapter } from "./storage/storage.mjs";
-import { Plugin } from "./plugin/types.mjs";
 import { Provider } from "./provider/provider.mjs";
 import { Theme } from "./themes/theme.mjs";
 import { AuthorizationState } from "./types.mjs";
@@ -61,8 +60,6 @@ interface IssuerInput<Providers extends Record<string, Provider<unknown>>, Subje
   error?(error: UnknownStateError, req: Request): Promise<Response>;
   /** Client authorization check function */
   allow?(input: AllowCheckInput, req: Request): Promise<boolean>;
-  /** Plugin configuration */
-  plugins?: Plugin[];
   /**
    * Refresh callback for updating user claims.
    *

package/dist/core.mjs

@@ -5,7 +5,6 @@ import { validatePKCE } from "./pkce.mjs";
 import { generateSecureToken } from "./random.mjs";
 import { Storage } from "./storage/storage.mjs";
 import { encryptionKeys, signingKeys } from "./keys.mjs";
-import { PluginManager } from "./plugin/manager.mjs";
 import { Revocation } from "./revocation.mjs";
 import { setTheme } from "./themes/theme.mjs";
 import { Select } from "./ui/select.mjs";
@@ -188,15 +187,6 @@ const issuer = (input) => {
 			const authorization = await getAuthorization(ctx);
 			const currentProvider = ctx.get("provider") || "unknown";
 			if (!authorization.client_id) throw new Error("client_id is required");
-			if (manager) try {
-				const subjectProperties = properties && typeof properties === "object" ? properties : {};
-				await manager.executeSuccessHooks(authorization.client_id, currentProvider, {
-					type: currentProvider,
-					properties: subjectProperties
-				});
-			} catch (error$1) {
-				console.error("Plugin success hook failed:", error$1);
-			}
 			return await input.success({ async subject(type, properties$1, subjectOpts) {
 				const subject = subjectOpts?.subject ?? await resolveSubject(type, properties$1);
 				await successOpts?.invalidate?.(await resolveSubject(type, properties$1));
@@ -287,22 +277,6 @@ const issuer = (input) => {
 		storage
 	};
 	const app = new Router({ basePath: input.basePath });
-	const manager = input.plugins && input.plugins.length > 0 ? new PluginManager(input.storage) : null;
-	let pluginsInitialized = false;
-	if (manager && input.plugins) {
-		manager.registerAll(input.plugins);
-		manager.setupRoutes(app);
-		app.use(async (c, next) => {
-			if (!pluginsInitialized) try {
-				await manager.initialize();
-				pluginsInitialized = true;
-			} catch (error$1) {
-				console.error("Plugin initialization failed:", error$1);
-				return c.newResponse("Plugin initialization failed", { status: 500 });
-			}
-			return await next();
-		});
-	}
 	for (const [name, value] of Object.entries(input.providers)) {
 		const route = new Router();
 		route.use(async (c, next) => {
@@ -590,10 +564,6 @@ const issuer = (input) => {
 			redirectURI: redirect_uri,
 			audience
 		}, c.request)) throw new UnauthorizedClientError(client_id, redirect_uri);
-		if (manager) {
-			const scopes = scope ? scope.split(" ") : void 0;
-			await manager.executeAuthorizeHooks(client_id, provider, scopes);
-		}
 		await auth.set(c, "authorization", 900, authorization);
 		if (provider) return c.redirect(`${provider}/authorize`);
 		const availableProviders = Object.keys(input.providers);
@@ -601,12 +571,6 @@ const issuer = (input) => {
 		return auth.forward(c, await select()(Object.fromEntries(Object.entries(input.providers).map(([key, value]) => [key, value.type])), c.request));
 	});
 	app.onError(async (err, c) => {
-		if (manager) try {
-			const errorObj = err instanceof Error ? err : new Error(String(err));
-			await manager.executeErrorHooks(errorObj);
-		} catch (hookError) {
-			console.error("Plugin error hook failed:", hookError);
-		}
 		if (err instanceof UnknownStateError) return auth.forward(c, await error(err, c.request));
 		try {
 			const authorization = await getAuthorization(c);

package/dist/toolkit/client.d.mts

@@ -0,0 +1,169 @@
+import { OAuthStrategy } from "./providers/strategy.mjs";
+import { AuthStorage } from "./storage.mjs";
+
+//#region src/toolkit/client.d.ts
+
+/**
+ * Configuration for a single OAuth provider.
+ */
+interface ProviderConfig<TStrategy extends OAuthStrategy> {
+  /** OAuth strategy defining endpoints and defaults */
+  readonly strategy: TStrategy;
+  /** OAuth client ID from provider */
+  readonly clientId: string;
+  /** OAuth client secret from provider */
+  readonly clientSecret: string;
+  /** Redirect URI registered with provider */
+  readonly redirectUri: string;
+  /** Optional default scopes for this provider */
+  readonly scopes?: string[];
+}
+/**
+ * Options for initiating OAuth authorization flow.
+ */
+interface AuthorizeOptions {
+  /** Optional scopes to request (overrides provider defaults) */
+  readonly scopes?: string[];
+  /** Optional additional parameters to include in authorization URL */
+  readonly params?: Record<string, string>;
+  /** Optional nonce for additional security */
+  readonly nonce?: string;
+}
+/**
+ * Result of successful OAuth callback handling.
+ */
+interface CallbackResult {
+  /** OAuth provider that was used */
+  readonly provider: string;
+  /** Access token from provider */
+  readonly accessToken: string;
+  /** Optional refresh token from provider */
+  readonly refreshToken?: string;
+  /** Token expiration time in seconds */
+  readonly expiresIn?: number;
+  /** Token type (usually "Bearer") */
+  readonly tokenType?: string;
+  /** Optional ID token (OpenID Connect) */
+  readonly idToken?: string;
+}
+/**
+ * OAuth 2.0 client configuration.
+ */
+interface OAuthClientConfig<TProviders extends Record<string, ProviderConfig<OAuthStrategy>>> {
+  /** Provider configurations keyed by provider name */
+  readonly providers: TProviders;
+  /** Storage adapter for PKCE state (defaults to sessionStorage in browser) */
+  readonly storage?: AuthStorage;
+}
+/**
+ * OAuth 2.0 client for managing authentication flows.
+ */
+interface OAuthClient<TProviders extends Record<string, ProviderConfig<OAuthStrategy>>> {
+  /**
+   * Initiate OAuth authorization flow.
+   *
+   * @param provider - Provider name (key from providers config)
+   * @param options - Authorization options
+   * @returns Authorization URL to redirect user to
+   *
+   * @example
+   * ```ts
+   * // Basic usage
+   * const { url } = await client.authorize('github')
+   * window.location.href = url
+   *
+   * // With custom scopes
+   * const { url } = await client.authorize('google', {
+   *   scopes: ['openid', 'email', 'profile']
+   * })
+   *
+   * // With additional params
+   * const { url } = await client.authorize('github', {
+   *   params: { prompt: 'consent' }
+   * })
+   * ```
+   */
+  authorize(provider: (string & {}) | keyof TProviders, options?: AuthorizeOptions): Promise<{
+    url: string;
+    state: string;
+  }>;
+  /**
+   * Handle OAuth callback and exchange code for tokens.
+   *
+   * @param callbackUrl - Full callback URL with query parameters
+   * @returns Token exchange result
+   *
+   * @throws {Error} If callback URL is invalid, state mismatch, or token exchange fails
+   *
+   * @example
+   * ```ts
+   * // Client-side
+   * const result = await client.handleCallback(window.location.href)
+   * console.log(result.accessToken, result.provider)
+   *
+   * // Server-side (Next.js)
+   * export async function GET(req: Request) {
+   *   const result = await client.handleCallback(req.url)
+   *   // Store tokens, create session, etc.
+   *   return Response.redirect('/')
+   * }
+   * ```
+   */
+  handleCallback(callbackUrl: string): Promise<CallbackResult>;
+  /**
+   * Get user info from OAuth provider using access token.
+   *
+   * @param provider - Provider name
+   * @param accessToken - Access token from provider
+   * @returns User info from provider
+   *
+   * @example
+   * ```ts
+   * const userInfo = await client.getUserInfo('github', accessToken)
+   * console.log(userInfo.email, userInfo.name)
+   * ```
+   */
+  getUserInfo(provider: (string & {}) | keyof TProviders, accessToken: string): Promise<Record<string, unknown>>;
+}
+/**
+ * Creates an OAuth 2.0 client for managing authentication flows.
+ *
+ * Supports PKCE (Proof Key for Code Exchange) for enhanced security.
+ * Works in both client-side (browser) and server-side (Node.js) environments.
+ *
+ * @param config - OAuth client configuration
+ * @returns OAuth client instance
+ *
+ * @example
+ * ```ts
+ * import { createOAuthClient } from '@draftlab/auth/toolkit/client'
+ * import { GitHubStrategy, GoogleStrategy } from '@draftlab/auth/toolkit/providers'
+ *
+ * const client = createOAuthClient({
+ *   providers: {
+ *     github: {
+ *       strategy: GitHubStrategy,
+ *       clientId: 'YOUR_CLIENT_ID',
+ *       clientSecret: 'YOUR_CLIENT_SECRET',
+ *       redirectUri: 'http://localhost:3000/auth/callback'
+ *     },
+ *     google: {
+ *       strategy: GoogleStrategy,
+ *       clientId: 'YOUR_CLIENT_ID',
+ *       clientSecret: 'YOUR_CLIENT_SECRET',
+ *       redirectUri: 'http://localhost:3000/auth/callback',
+ *       scopes: ['openid', 'email', 'profile']
+ *     }
+ *   }
+ * })
+ *
+ * // Initiate login
+ * const { url } = await client.authorize('github')
+ *
+ * // Handle callback
+ * const result = await client.handleCallback(callbackUrl)
+ * ```
+ */
+declare const createOAuthClient: <TProviders extends Record<string, ProviderConfig<OAuthStrategy>>>(config: OAuthClientConfig<TProviders>) => OAuthClient<TProviders>;
+//#endregion
+export { AuthorizeOptions, CallbackResult, OAuthClient, OAuthClientConfig, ProviderConfig, createOAuthClient };

package/dist/toolkit/client.mjs

@@ -0,0 +1,209 @@
+import { generatePKCE } from "../pkce.mjs";
+import { createSessionStorage } from "./storage.mjs";
+import { generateSecureRandom } from "./utils.mjs";
+
+//#region src/toolkit/client.ts
+/**
+* Lightweight OAuth 2.0 client toolkit for DraftAuth.
+*
+* Provides a simple, framework-agnostic way to implement OAuth 2.0 authentication
+* with PKCE support. Works in both client-side (SPA) and server-side (Next.js, Remix) environments.
+*
+* @example
+* ```ts
+* // Client-side SPA (React, Vue, Solid, etc.)
+* import { createOAuthClient } from '@draftlab/auth/toolkit/client'
+* import { GitHubStrategy, GoogleStrategy } from '@draftlab/auth/toolkit/providers'
+* import { createSessionStorage } from '@draftlab/auth/toolkit/storage'
+*
+* const client = createOAuthClient({
+*   providers: {
+*     github: {
+*       strategy: GitHubStrategy,
+*       clientId: 'YOUR_CLIENT_ID',
+*       clientSecret: 'YOUR_CLIENT_SECRET',
+*       redirectUri: 'http://localhost:3000/auth/callback'
+*     },
+*     google: {
+*       strategy: GoogleStrategy,
+*       clientId: 'YOUR_CLIENT_ID',
+*       clientSecret: 'YOUR_CLIENT_SECRET',
+*       redirectUri: 'http://localhost:3000/auth/callback'
+*     }
+*   },
+*   storage: createSessionStorage()
+* })
+*
+* // Initiate login
+* const { url } = await client.authorize('github', { scopes: ['user:email'] })
+* window.location.href = url
+*
+* // Handle callback
+* const result = await client.handleCallback(window.location.href)
+* console.log(result.accessToken, result.provider)
+* ```
+*
+* @example
+* ```ts
+* // Server-side (Next.js App Router)
+* import { createOAuthClient } from '@draftlab/auth/toolkit/client'
+* import { GitHubStrategy } from '@draftlab/auth/toolkit/providers'
+* import { createCookieStorage } from '@draftlab/auth/toolkit/storage'
+* import { cookies } from 'next/headers'
+*
+* export async function GET(req: Request) {
+*   const client = createOAuthClient({
+*     providers: {
+*       github: {
+*         strategy: GitHubStrategy,
+*         clientId: process.env.GITHUB_CLIENT_ID!,
+*         clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+*         redirectUri: 'https://myapp.com/auth/callback'
+*       }
+*     },
+*     storage: createCookieStorage({
+*       getCookie: (name) => cookies().get(name)?.value ?? null,
+*       setCookie: (name, value, opts) => cookies().set(name, value, opts),
+*       deleteCookie: (name) => cookies().delete(name)
+*     })
+*   })
+*
+*   const { url } = await client.authorize('github')
+*   return Response.redirect(url)
+* }
+* ```
+*/
+/**
+* Creates an OAuth 2.0 client for managing authentication flows.
+*
+* Supports PKCE (Proof Key for Code Exchange) for enhanced security.
+* Works in both client-side (browser) and server-side (Node.js) environments.
+*
+* @param config - OAuth client configuration
+* @returns OAuth client instance
+*
+* @example
+* ```ts
+* import { createOAuthClient } from '@draftlab/auth/toolkit/client'
+* import { GitHubStrategy, GoogleStrategy } from '@draftlab/auth/toolkit/providers'
+*
+* const client = createOAuthClient({
+*   providers: {
+*     github: {
+*       strategy: GitHubStrategy,
+*       clientId: 'YOUR_CLIENT_ID',
+*       clientSecret: 'YOUR_CLIENT_SECRET',
+*       redirectUri: 'http://localhost:3000/auth/callback'
+*     },
+*     google: {
+*       strategy: GoogleStrategy,
+*       clientId: 'YOUR_CLIENT_ID',
+*       clientSecret: 'YOUR_CLIENT_SECRET',
+*       redirectUri: 'http://localhost:3000/auth/callback',
+*       scopes: ['openid', 'email', 'profile']
+*     }
+*   }
+* })
+*
+* // Initiate login
+* const { url } = await client.authorize('github')
+*
+* // Handle callback
+* const result = await client.handleCallback(callbackUrl)
+* ```
+*/
+const createOAuthClient = (config) => {
+	const storage = config.storage || (typeof sessionStorage !== "undefined" ? createSessionStorage() : null);
+	if (!storage) throw new Error("No storage adapter provided. Please provide a storage adapter for server-side environments.");
+	return {
+		async authorize(provider, options) {
+			const providerConfig = config.providers[provider];
+			if (!providerConfig) throw new Error(`Provider '${String(provider)}' not configured`);
+			const pkce = await generatePKCE();
+			const state = generateSecureRandom(16);
+			await storage.set({
+				state,
+				verifier: pkce.verifier,
+				provider: String(provider),
+				nonce: options?.nonce
+			});
+			const scopes = options?.scopes || providerConfig.scopes || providerConfig.strategy.scopes;
+			const params = new URLSearchParams({
+				client_id: providerConfig.clientId,
+				redirect_uri: providerConfig.redirectUri,
+				response_type: "code",
+				scope: Array.isArray(scopes) ? scopes.join(" ") : scopes,
+				state,
+				code_challenge: pkce.challenge,
+				code_challenge_method: pkce.method,
+				...options?.params
+			});
+			return {
+				url: `${providerConfig.strategy.authorizationEndpoint}?${params.toString()}`,
+				state
+			};
+		},
+		async handleCallback(callbackUrl) {
+			const url = new URL(callbackUrl);
+			const code = url.searchParams.get("code");
+			const state = url.searchParams.get("state");
+			const error = url.searchParams.get("error");
+			const errorDescription = url.searchParams.get("error_description");
+			if (error) throw new Error(`OAuth error: ${error}${errorDescription ? ` - ${errorDescription}` : ""}`);
+			if (!code || !state) throw new Error("Invalid callback URL: missing code or state parameter");
+			const storedState = await storage.get();
+			await storage.clear();
+			if (!storedState) throw new Error("No stored PKCE state found. OAuth flow may have expired or been tampered with.");
+			if (state !== storedState.state) throw new Error("State mismatch. Possible CSRF attack detected.");
+			const providerConfig = config.providers[storedState.provider];
+			if (!providerConfig) throw new Error(`Provider '${storedState.provider}' from callback not configured`);
+			const tokenParams = new URLSearchParams({
+				grant_type: "authorization_code",
+				code,
+				redirect_uri: providerConfig.redirectUri,
+				client_id: providerConfig.clientId,
+				client_secret: providerConfig.clientSecret,
+				code_verifier: storedState.verifier
+			});
+			const tokenResponse = await fetch(providerConfig.strategy.tokenEndpoint, {
+				method: "POST",
+				headers: {
+					"Content-Type": "application/x-www-form-urlencoded",
+					Accept: "application/json"
+				},
+				body: tokenParams
+			});
+			if (!tokenResponse.ok) {
+				const errorText = await tokenResponse.text();
+				throw new Error(`Token exchange failed (${tokenResponse.status}): ${errorText}`);
+			}
+			const tokenData = await tokenResponse.json();
+			if (!tokenData.access_token) throw new Error("No access token in provider response");
+			return {
+				provider: storedState.provider,
+				accessToken: tokenData.access_token,
+				refreshToken: tokenData.refresh_token,
+				expiresIn: tokenData.expires_in,
+				tokenType: tokenData.token_type,
+				idToken: tokenData.id_token
+			};
+		},
+		async getUserInfo(provider, accessToken) {
+			const providerConfig = config.providers[provider];
+			if (!providerConfig) throw new Error(`Provider '${String(provider)}' not configured`);
+			if (!providerConfig.strategy.userInfoEndpoint) throw new Error(`Provider '${String(provider)}' does not support user info endpoint`);
+			const response = await fetch(providerConfig.strategy.userInfoEndpoint, { headers: {
+				Authorization: `Bearer ${accessToken}`,
+				Accept: "application/json"
+			} });
+			if (!response.ok) {
+				const errorText = await response.text();
+				throw new Error(`Failed to fetch user info (${response.status}): ${errorText}`);
+			}
+			return response.json();
+		}
+	};
+};
+
+//#endregion
+export { createOAuthClient };

package/dist/toolkit/index.d.mts

@@ -0,0 +1,9 @@
+import { generatePKCE } from "../pkce.mjs";
+import { OAuth2TokenResponse, OAuthStrategy } from "./providers/strategy.mjs";
+import { AuthStorage, PKCEState, createCookieStorage, createLocalStorage, createMemoryStorage, createSessionStorage } from "./storage.mjs";
+import { AuthorizeOptions, CallbackResult, OAuthClient, OAuthClientConfig, ProviderConfig, createOAuthClient } from "./client.mjs";
+import { FacebookStrategy } from "./providers/facebook.mjs";
+import { GitHubStrategy } from "./providers/github.mjs";
+import { GoogleStrategy } from "./providers/google.mjs";
+import { generateSecureRandom } from "./utils.mjs";
+export { type AuthStorage, type AuthorizeOptions, type CallbackResult, FacebookStrategy, GitHubStrategy, GoogleStrategy, type OAuth2TokenResponse, type OAuthClient, type OAuthClientConfig, type OAuthStrategy, type PKCEState, type ProviderConfig, createCookieStorage, createLocalStorage, createMemoryStorage, createOAuthClient, createSessionStorage, generatePKCE, generateSecureRandom };

package/dist/toolkit/index.mjs

@@ -0,0 +1,9 @@
+import { generatePKCE } from "../pkce.mjs";
+import { createCookieStorage, createLocalStorage, createMemoryStorage, createSessionStorage } from "./storage.mjs";
+import { generateSecureRandom } from "./utils.mjs";
+import { createOAuthClient } from "./client.mjs";
+import { FacebookStrategy } from "./providers/facebook.mjs";
+import { GitHubStrategy } from "./providers/github.mjs";
+import { GoogleStrategy } from "./providers/google.mjs";
+
+export { FacebookStrategy, GitHubStrategy, GoogleStrategy, createCookieStorage, createLocalStorage, createMemoryStorage, createOAuthClient, createSessionStorage, generatePKCE, generateSecureRandom };

package/dist/toolkit/providers/facebook.d.mts

@@ -0,0 +1,12 @@
+import { OAuthStrategy } from "./strategy.mjs";
+
+//#region src/toolkit/providers/facebook.d.ts
+
+/**
+ * Facebook OAuth 2.0 strategy.
+ *
+ * @see https://developers.facebook.com/docs/facebook-login/guides/advanced/manual-flow
+ */
+declare const FacebookStrategy: OAuthStrategy;
+//#endregion
+export { FacebookStrategy };

package/dist/toolkit/providers/facebook.mjs

@@ -0,0 +1,16 @@
+//#region src/toolkit/providers/facebook.ts
+/**
+* Facebook OAuth 2.0 strategy.
+*
+* @see https://developers.facebook.com/docs/facebook-login/guides/advanced/manual-flow
+*/
+const FacebookStrategy = {
+	name: "facebook",
+	authorizationEndpoint: "https://www.facebook.com/v23.0/dialog/oauth",
+	tokenEndpoint: "https://graph.facebook.com/v23.0/oauth/access_token",
+	userInfoEndpoint: "https://graph.facebook.com/me?fields=id,name,email",
+	scopes: ["public_profile", "email"]
+};
+
+//#endregion
+export { FacebookStrategy };

package/dist/toolkit/providers/github.d.mts

@@ -0,0 +1,12 @@
+import { OAuthStrategy } from "./strategy.mjs";
+
+//#region src/toolkit/providers/github.d.ts
+
+/**
+ * GitHub OAuth 2.0 strategy.
+ *
+ * @see https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps
+ */
+declare const GitHubStrategy: OAuthStrategy;
+//#endregion
+export { GitHubStrategy };

package/dist/toolkit/providers/github.mjs

@@ -0,0 +1,16 @@
+//#region src/toolkit/providers/github.ts
+/**
+* GitHub OAuth 2.0 strategy.
+*
+* @see https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps
+*/
+const GitHubStrategy = {
+	name: "github",
+	authorizationEndpoint: "https://github.com/login/oauth/authorize",
+	tokenEndpoint: "https://github.com/login/oauth/access_token",
+	userInfoEndpoint: "https://api.github.com/user",
+	scopes: ["read:user", "user:email"]
+};
+
+//#endregion
+export { GitHubStrategy };

package/dist/toolkit/providers/google.d.mts

@@ -0,0 +1,12 @@
+import { OAuthStrategy } from "./strategy.mjs";
+
+//#region src/toolkit/providers/google.d.ts
+
+/**
+ * Google OAuth 2.0 / OpenID Connect strategy.
+ *
+ * @see https://developers.google.com/identity/protocols/oauth2
+ */
+declare const GoogleStrategy: OAuthStrategy;
+//#endregion
+export { GoogleStrategy };

package/dist/toolkit/providers/google.mjs

@@ -0,0 +1,20 @@
+//#region src/toolkit/providers/google.ts
+/**
+* Google OAuth 2.0 / OpenID Connect strategy.
+*
+* @see https://developers.google.com/identity/protocols/oauth2
+*/
+const GoogleStrategy = {
+	name: "google",
+	authorizationEndpoint: "https://accounts.google.com/o/oauth2/v2/auth",
+	tokenEndpoint: "https://oauth2.googleapis.com/token",
+	userInfoEndpoint: "https://www.googleapis.com/oauth2/v3/userinfo",
+	scopes: [
+		"openid",
+		"email",
+		"profile"
+	]
+};
+
+//#endregion
+export { GoogleStrategy };

package/dist/toolkit/providers/strategy.d.mts

@@ -0,0 +1,40 @@
+//#region src/toolkit/providers/strategy.d.ts
+/**
+ * OAuth 2.0 strategy interface and types for provider configurations.
+ */
+/**
+ * OAuth 2.0 token response from provider's token endpoint.
+ * Based on RFC 6749 Section 5.1.
+ */
+interface OAuth2TokenResponse {
+  /** The access token issued by the authorization server */
+  access_token: string;
+  /** The type of token (usually "Bearer") */
+  token_type?: string;
+  /** The lifetime in seconds of the access token */
+  expires_in?: number;
+  /** The refresh token for obtaining new access tokens */
+  refresh_token?: string;
+  /** The scope of the access token (space-separated list) */
+  scope?: string;
+  /** OpenID Connect ID token (JWT) */
+  id_token?: string;
+}
+/**
+ * OAuth 2.0 provider strategy definition.
+ * Defines the endpoints and default configuration for an OAuth provider.
+ */
+interface OAuthStrategy {
+  /** Provider name (e.g., "github", "google") */
+  readonly name: string;
+  /** OAuth authorization endpoint URL */
+  readonly authorizationEndpoint: string;
+  /** OAuth token exchange endpoint URL */
+  readonly tokenEndpoint: string;
+  /** Optional user info endpoint URL (for OpenID Connect) */
+  readonly userInfoEndpoint?: string;
+  /** Default scopes to request */
+  readonly scopes: string[];
+}
+//#endregion
+export { OAuth2TokenResponse, OAuthStrategy };