@flink-app/oauth-plugin 0.12.1-alpha.33

package/dist/OAuthPlugin.js

@@ -0,0 +1,220 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthPlugin = void 0;
+const flink_1 = require("@flink-app/flink");
+const OAuthSessionRepo_1 = __importDefault(require("./repos/OAuthSessionRepo"));
+const OAuthConnectionRepo_1 = __importDefault(require("./repos/OAuthConnectionRepo"));
+const encryption_utils_1 = require("./utils/encryption-utils");
+/**
+ * OAuth Plugin Factory Function
+ *
+ * Creates a Flink plugin for OAuth 2.0 authentication with GitHub and Google providers.
+ * Integrates with JWT Auth Plugin for token generation.
+ *
+ * @param options - OAuth plugin configuration options
+ * @returns FlinkPlugin instance
+ *
+ * @example
+ * ```typescript
+ * import { jwtAuthPlugin } from '@flink-app/jwt-auth-plugin';
+ * import { oauthPlugin } from '@flink-app/oauth-plugin';
+ *
+ * const app = new FlinkApp({
+ *   plugins: [
+ *     // JWT Auth Plugin must be registered first
+ *     jwtAuthPlugin({
+ *       secret: process.env.JWT_SECRET!,
+ *       getUser: async (tokenData) => {
+ *         return ctx.repos.userRepo.getById(tokenData.userId);
+ *       },
+ *       rolePermissions: {
+ *         user: ['read:own'],
+ *         admin: ['read:all', 'write:all']
+ *       }
+ *     }),
+ *
+ *     // OAuth Plugin uses JWT Auth Plugin in callbacks
+ *     oauthPlugin({
+ *       providers: {
+ *         github: {
+ *           clientId: process.env.GITHUB_CLIENT_ID!,
+ *           clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+ *           callbackUrl: 'https://myapp.com/oauth/github/callback'
+ *         }
+ *       },
+ *       onAuthSuccess: async ({ profile, provider }, ctx) => {
+ *         // Find or create user
+ *         let user = await ctx.repos.userRepo.getOne({ email: profile.email });
+ *
+ *         if (!user) {
+ *           user = await ctx.repos.userRepo.create({
+ *             email: profile.email,
+ *             name: profile.name,
+ *             oauthProvider: provider,
+ *             oauthProviderId: profile.id
+ *           });
+ *         }
+ *
+ *         // Generate JWT token using JWT Auth Plugin
+ *         const token = await ctx.plugins.jwtAuth.createToken(
+ *           { userId: user._id, email: user.email },
+ *           ['user']
+ *         );
+ *
+ *         return {
+ *           user,
+ *           token,
+ *           redirectUrl: 'https://myapp.com/dashboard'
+ *         };
+ *       }
+ *     })
+ *   ]
+ * });
+ * ```
+ */
+function oauthPlugin(options) {
+    // Validation
+    if (!options.providers || Object.keys(options.providers).length === 0) {
+        throw new Error("OAuth Plugin: At least one provider must be configured");
+    }
+    // Validate provider configurations
+    const configuredProviders = Object.keys(options.providers);
+    for (const providerName of configuredProviders) {
+        const providerConfig = options.providers[providerName];
+        if (!providerConfig)
+            continue;
+        if (!providerConfig.clientId) {
+            throw new Error(`OAuth Plugin: ${providerName} clientId is required`);
+        }
+        if (!providerConfig.clientSecret) {
+            throw new Error(`OAuth Plugin: ${providerName} clientSecret is required`);
+        }
+        if (!providerConfig.callbackUrl) {
+            throw new Error(`OAuth Plugin: ${providerName} callbackUrl is required`);
+        }
+    }
+    if (!options.onAuthSuccess) {
+        throw new Error("OAuth Plugin: onAuthSuccess callback is required");
+    }
+    // Determine encryption key
+    let encryptionKey = options.encryptionKey;
+    if (!encryptionKey) {
+        // Derive from first configured provider's client secret
+        const firstProvider = configuredProviders[0];
+        const firstProviderConfig = options.providers[firstProvider];
+        if (firstProviderConfig) {
+            encryptionKey = firstProviderConfig.clientSecret;
+            flink_1.log.warn("OAuth Plugin: No encryption key provided, deriving from client secret. " + "For better security, provide a dedicated encryptionKey in options.");
+        }
+    }
+    if (!encryptionKey || encryptionKey.length < 32) {
+        throw new Error("OAuth Plugin: Encryption key must be at least 32 characters");
+    }
+    // Validate encryption key
+    (0, encryption_utils_1.validateEncryptionSecret)(encryptionKey);
+    let flinkApp;
+    let sessionRepo;
+    let connectionRepo;
+    /**
+     * Plugin initialization
+     */
+    async function init(app, db) {
+        flink_1.log.info("Initializing OAuth Plugin...");
+        flinkApp = app;
+        try {
+            if (!db) {
+                throw new Error("OAuth Plugin: Database connection is required");
+            }
+            // Initialize repositories
+            const sessionsCollectionName = options.sessionsCollectionName || "oauth_sessions";
+            const connectionsCollectionName = options.connectionsCollectionName || "oauth_connections";
+            sessionRepo = new OAuthSessionRepo_1.default(sessionsCollectionName, db);
+            connectionRepo = new OAuthConnectionRepo_1.default(connectionsCollectionName, db);
+            flinkApp.addRepo("oauthSessionRepo", sessionRepo);
+            flinkApp.addRepo("oauthConnectionRepo", connectionRepo);
+            // Create TTL index for session expiration
+            const sessionTTL = options.sessionTTL || 600; // Default 10 minutes
+            await db.collection(sessionsCollectionName).createIndex({ createdAt: 1 }, { expireAfterSeconds: sessionTTL });
+            flink_1.log.info(`OAuth Plugin: Created TTL index on ${sessionsCollectionName} with ${sessionTTL}s expiration`);
+            // Register handlers for each configured provider
+            // Note: Handlers will be registered dynamically
+            // This requires handlers to be imported, but we'll handle that in the handler files
+            // For now, we'll skip handler registration and implement it when handlers are ready
+            flink_1.log.info(`OAuth Plugin initialized with providers: ${configuredProviders.join(", ")}`);
+        }
+        catch (error) {
+            flink_1.log.error("Failed to initialize OAuth Plugin:", error);
+            throw error;
+        }
+    }
+    /**
+     * Get OAuth connection for a user
+     */
+    async function getConnection(userId, provider) {
+        if (!connectionRepo) {
+            throw new Error("OAuth Plugin: Plugin not initialized");
+        }
+        const connection = await connectionRepo.findByUserAndProvider(userId, provider);
+        if (!connection) {
+            return null;
+        }
+        // Decrypt tokens before returning
+        if (connection.accessToken && encryptionKey) {
+            connection.accessToken = (0, encryption_utils_1.decryptToken)(connection.accessToken, encryptionKey);
+        }
+        if (connection.refreshToken && encryptionKey) {
+            connection.refreshToken = (0, encryption_utils_1.decryptToken)(connection.refreshToken, encryptionKey);
+        }
+        return connection;
+    }
+    /**
+     * Get all OAuth connections for a user
+     */
+    async function getConnections(userId) {
+        if (!connectionRepo) {
+            throw new Error("OAuth Plugin: Plugin not initialized");
+        }
+        const connections = await connectionRepo.findByUserId(userId);
+        // Decrypt tokens in each connection
+        return connections.map((connection) => {
+            if (connection.accessToken && encryptionKey) {
+                connection.accessToken = (0, encryption_utils_1.decryptToken)(connection.accessToken, encryptionKey);
+            }
+            if (connection.refreshToken && encryptionKey) {
+                connection.refreshToken = (0, encryption_utils_1.decryptToken)(connection.refreshToken, encryptionKey);
+            }
+            return connection;
+        });
+    }
+    /**
+     * Delete OAuth connection for a user
+     */
+    async function deleteConnection(userId, provider) {
+        if (!connectionRepo) {
+            throw new Error("OAuth Plugin: Plugin not initialized");
+        }
+        await connectionRepo.deleteByUserAndProvider(userId, provider);
+        flink_1.log.info(`OAuth Plugin: Deleted ${provider} connection for user ${userId}`);
+    }
+    /**
+     * Plugin context exposed via ctx.plugins.oauth
+     */
+    const pluginCtx = {
+        getConnection,
+        getConnections,
+        deleteConnection,
+        options: Object.freeze({ ...options }),
+    };
+    return {
+        id: "oauth",
+        db: {
+            useHostDb: true,
+        },
+        ctx: pluginCtx,
+        init,
+    };
+}
+exports.oauthPlugin = oauthPlugin;

package/dist/OAuthPluginContext.d.ts

@@ -0,0 +1,49 @@
+import OAuthConnection from "./schemas/OAuthConnection";
+import { OAuthPluginOptions } from "./OAuthPluginOptions";
+/**
+ * OAuth Plugin context API exposed via ctx.plugins.oauth
+ *
+ * Provides methods for managing OAuth connections (stored tokens) for users.
+ * Only applicable when storeTokens option is enabled.
+ */
+export interface OAuthPluginContext {
+    oauth: {
+        /**
+         * Get stored OAuth connection for a specific user and provider
+         *
+         * Tokens are automatically decrypted before being returned.
+         * Returns null if no connection exists.
+         *
+         * @param userId - The user's unique identifier
+         * @param provider - The OAuth provider (github or google)
+         * @returns The OAuth connection with decrypted tokens, or null
+         */
+        getConnection: (userId: string, provider: "github" | "google") => Promise<OAuthConnection | null>;
+        /**
+         * Get all stored OAuth connections for a specific user
+         *
+         * Tokens are automatically decrypted before being returned.
+         * Returns empty array if no connections exist.
+         *
+         * @param userId - The user's unique identifier
+         * @returns Array of OAuth connections with decrypted tokens
+         */
+        getConnections: (userId: string) => Promise<OAuthConnection[]>;
+        /**
+         * Delete OAuth connection for a specific user and provider
+         *
+         * Used when unlinking an OAuth provider from a user account.
+         * Also deletes the encrypted tokens from storage.
+         *
+         * @param userId - The user's unique identifier
+         * @param provider - The OAuth provider (github or google)
+         * @returns void
+         */
+        deleteConnection: (userId: string, provider: "github" | "google") => Promise<void>;
+        /**
+         * Plugin configuration (read-only)
+         * Provides access to plugin options for custom logic
+         */
+        options: Readonly<OAuthPluginOptions>;
+    };
+}

package/dist/OAuthPluginContext.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/OAuthPluginOptions.d.ts

@@ -0,0 +1,111 @@
+import { OAuthProfile, OAuthTokens } from "./providers/OAuthProvider";
+/**
+ * OAuth error information
+ */
+export interface OAuthError {
+    code: string;
+    message: string;
+    details?: any;
+}
+/**
+ * Response from onAuthSuccess callback
+ * Must include JWT token generated by the application
+ */
+export interface AuthSuccessCallbackResponse {
+    user: any;
+    token: string;
+    redirectUrl?: string;
+}
+/**
+ * Response from onAuthError callback
+ */
+export interface AuthErrorCallbackResponse {
+    redirectUrl?: string;
+}
+/**
+ * Configuration options for OAuth Plugin with JWT integration
+ *
+ * The plugin depends on @flink-app/jwt-auth-plugin being installed and configured.
+ * The onAuthSuccess callback receives the Flink context as a second parameter,
+ * allowing the application to generate JWT tokens using ctx.plugins.jwtAuth.createToken().
+ */
+export interface OAuthPluginOptions {
+    /**
+     * OAuth provider configurations
+     * At least one provider must be configured
+     */
+    providers: {
+        github?: {
+            clientId: string;
+            clientSecret: string;
+            callbackUrl: string;
+            scope?: string[];
+        };
+        google?: {
+            clientId: string;
+            clientSecret: string;
+            callbackUrl: string;
+            scope?: string[];
+        };
+    };
+    /**
+     * Whether to store OAuth tokens for future API access
+     * If false, tokens are discarded after authentication
+     * Default: false
+     */
+    storeTokens?: boolean;
+    /**
+     * Callback invoked after successful OAuth authentication
+     *
+     * Application responsibilities:
+     * 1. Find or create user based on OAuth profile
+     * 2. Link OAuth provider to user account
+     * 3. Generate JWT token using ctx.plugins.jwtAuth.createToken(payload, roles)
+     * 4. Return user object, JWT token, and optional redirect URL
+     *
+     * @param params - OAuth profile, provider name, and tokens (if storeTokens enabled)
+     * @param ctx - Flink context with access to repos and plugins (including jwtAuth)
+     * @returns User object, JWT token, and optional redirect URL
+     */
+    onAuthSuccess: (params: {
+        profile: OAuthProfile;
+        provider: "github" | "google";
+        tokens?: OAuthTokens;
+    }, ctx: any) => Promise<AuthSuccessCallbackResponse>;
+    /**
+     * Callback invoked on OAuth errors
+     *
+     * Application responsibilities:
+     * - Log error for debugging
+     * - Optionally provide redirect URL for error page
+     *
+     * @param params - Error information and provider name
+     * @returns Optional redirect URL for error page
+     */
+    onAuthError?: (params: {
+        error: OAuthError;
+        provider: "github" | "google";
+    }) => Promise<AuthErrorCallbackResponse>;
+    /**
+     * Custom collection name for OAuth sessions
+     * Default: 'oauth_sessions'
+     */
+    sessionsCollectionName?: string;
+    /**
+     * Custom collection name for OAuth connections (if storeTokens enabled)
+     * Default: 'oauth_connections'
+     */
+    connectionsCollectionName?: string;
+    /**
+     * Session TTL in seconds
+     * Sessions are automatically cleaned up after this duration
+     * Default: 600 (10 minutes)
+     */
+    sessionTTL?: number;
+    /**
+     * Encryption key for encrypting stored OAuth tokens
+     * If not provided, will be derived from first configured provider's client secret
+     * Recommended: Use a dedicated encryption key from environment variables
+     */
+    encryptionKey?: string;
+}

package/dist/OAuthPluginOptions.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/index.d.ts

@@ -0,0 +1,48 @@
+/**
+ * @flink-app/oauth-plugin
+ *
+ * OAuth 2.0 plugin for Flink supporting GitHub and Google providers
+ * with JWT token integration and flexible user management.
+ *
+ * @example
+ * ```typescript
+ * import { jwtAuthPlugin } from '@flink-app/jwt-auth-plugin';
+ * import { oauthPlugin } from '@flink-app/oauth-plugin';
+ *
+ * const app = new FlinkApp({
+ *   plugins: [
+ *     jwtAuthPlugin({ ... }),
+ *     oauthPlugin({
+ *       providers: {
+ *         github: {
+ *           clientId: process.env.GITHUB_CLIENT_ID!,
+ *           clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+ *           callbackUrl: 'https://myapp.com/oauth/github/callback'
+ *         }
+ *       },
+ *       onAuthSuccess: async ({ profile }, ctx) => {
+ *         const user = await ctx.repos.userRepo.getOne({ email: profile.email });
+ *         const token = await ctx.plugins.jwtAuth.createToken({ userId: user._id }, ['user']);
+ *         return { user, token };
+ *       }
+ *     })
+ *   ]
+ * });
+ * ```
+ */
+export { oauthPlugin } from "./OAuthPlugin";
+export type { OAuthPluginOptions, OAuthError, AuthSuccessCallbackResponse, AuthErrorCallbackResponse } from "./OAuthPluginOptions";
+export type { OAuthPluginContext } from "./OAuthPluginContext";
+export type { OAuthInternalContext } from "./OAuthInternalContext";
+export type { OAuthProvider, OAuthTokens, OAuthProfile, AuthorizationUrlParams, TokenExchangeParams, ProviderConfig } from "./providers/OAuthProvider";
+export { GitHubProvider } from "./providers/GitHubProvider";
+export { GoogleProvider } from "./providers/GoogleProvider";
+export { OAuthProviderBase } from "./providers/OAuthProviderBase";
+export { getProvider, type ProviderName } from "./providers/ProviderRegistry";
+export type { default as OAuthSession } from "./schemas/OAuthSession";
+export type { default as OAuthConnection } from "./schemas/OAuthConnection";
+export { default as OAuthSessionRepo } from "./repos/OAuthSessionRepo";
+export { default as OAuthConnectionRepo } from "./repos/OAuthConnectionRepo";
+export { encryptToken, decryptToken, validateEncryptionSecret } from "./utils/encryption-utils";
+export { generateState, validateState } from "./utils/state-utils";
+export { createOAuthError, handleProviderError } from "./utils/error-utils";

package/dist/index.js

@@ -0,0 +1,66 @@
+"use strict";
+/**
+ * @flink-app/oauth-plugin
+ *
+ * OAuth 2.0 plugin for Flink supporting GitHub and Google providers
+ * with JWT token integration and flexible user management.
+ *
+ * @example
+ * ```typescript
+ * import { jwtAuthPlugin } from '@flink-app/jwt-auth-plugin';
+ * import { oauthPlugin } from '@flink-app/oauth-plugin';
+ *
+ * const app = new FlinkApp({
+ *   plugins: [
+ *     jwtAuthPlugin({ ... }),
+ *     oauthPlugin({
+ *       providers: {
+ *         github: {
+ *           clientId: process.env.GITHUB_CLIENT_ID!,
+ *           clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+ *           callbackUrl: 'https://myapp.com/oauth/github/callback'
+ *         }
+ *       },
+ *       onAuthSuccess: async ({ profile }, ctx) => {
+ *         const user = await ctx.repos.userRepo.getOne({ email: profile.email });
+ *         const token = await ctx.plugins.jwtAuth.createToken({ userId: user._id }, ['user']);
+ *         return { user, token };
+ *       }
+ *     })
+ *   ]
+ * });
+ * ```
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handleProviderError = exports.createOAuthError = exports.validateState = exports.generateState = exports.validateEncryptionSecret = exports.decryptToken = exports.encryptToken = exports.OAuthConnectionRepo = exports.OAuthSessionRepo = exports.getProvider = exports.OAuthProviderBase = exports.GoogleProvider = exports.GitHubProvider = exports.oauthPlugin = void 0;
+// Plugin factory function
+var OAuthPlugin_1 = require("./OAuthPlugin");
+Object.defineProperty(exports, "oauthPlugin", { enumerable: true, get: function () { return OAuthPlugin_1.oauthPlugin; } });
+// Provider implementations
+var GitHubProvider_1 = require("./providers/GitHubProvider");
+Object.defineProperty(exports, "GitHubProvider", { enumerable: true, get: function () { return GitHubProvider_1.GitHubProvider; } });
+var GoogleProvider_1 = require("./providers/GoogleProvider");
+Object.defineProperty(exports, "GoogleProvider", { enumerable: true, get: function () { return GoogleProvider_1.GoogleProvider; } });
+var OAuthProviderBase_1 = require("./providers/OAuthProviderBase");
+Object.defineProperty(exports, "OAuthProviderBase", { enumerable: true, get: function () { return OAuthProviderBase_1.OAuthProviderBase; } });
+var ProviderRegistry_1 = require("./providers/ProviderRegistry");
+Object.defineProperty(exports, "getProvider", { enumerable: true, get: function () { return ProviderRegistry_1.getProvider; } });
+// Repositories
+var OAuthSessionRepo_1 = require("./repos/OAuthSessionRepo");
+Object.defineProperty(exports, "OAuthSessionRepo", { enumerable: true, get: function () { return __importDefault(OAuthSessionRepo_1).default; } });
+var OAuthConnectionRepo_1 = require("./repos/OAuthConnectionRepo");
+Object.defineProperty(exports, "OAuthConnectionRepo", { enumerable: true, get: function () { return __importDefault(OAuthConnectionRepo_1).default; } });
+// Utilities (for advanced use cases)
+var encryption_utils_1 = require("./utils/encryption-utils");
+Object.defineProperty(exports, "encryptToken", { enumerable: true, get: function () { return encryption_utils_1.encryptToken; } });
+Object.defineProperty(exports, "decryptToken", { enumerable: true, get: function () { return encryption_utils_1.decryptToken; } });
+Object.defineProperty(exports, "validateEncryptionSecret", { enumerable: true, get: function () { return encryption_utils_1.validateEncryptionSecret; } });
+var state_utils_1 = require("./utils/state-utils");
+Object.defineProperty(exports, "generateState", { enumerable: true, get: function () { return state_utils_1.generateState; } });
+Object.defineProperty(exports, "validateState", { enumerable: true, get: function () { return state_utils_1.validateState; } });
+var error_utils_1 = require("./utils/error-utils");
+Object.defineProperty(exports, "createOAuthError", { enumerable: true, get: function () { return error_utils_1.createOAuthError; } });
+Object.defineProperty(exports, "handleProviderError", { enumerable: true, get: function () { return error_utils_1.handleProviderError; } });

package/dist/providers/GitHubProvider.d.ts

@@ -0,0 +1,32 @@
+import { OAuthProvider, OAuthTokens, OAuthProfile, AuthorizationUrlParams, TokenExchangeParams, ProviderConfig } from "./OAuthProvider";
+import { OAuthProviderBase } from "./OAuthProviderBase";
+/**
+ * GitHub OAuth 2.0 provider implementation
+ *
+ * Implements OAuth flow for GitHub:
+ * - Authorization URL: https://github.com/login/oauth/authorize
+ * - Token exchange: POST https://github.com/login/oauth/access_token
+ * - User profile: GET https://api.github.com/user
+ *
+ * Default scopes: ['user:email']
+ */
+export declare class GitHubProvider extends OAuthProviderBase implements OAuthProvider {
+    readonly name = "github";
+    private static readonly AUTHORIZATION_URL;
+    private static readonly TOKEN_URL;
+    private static readonly USER_PROFILE_URL;
+    private static readonly DEFAULT_SCOPES;
+    constructor(config: ProviderConfig);
+    /**
+     * Generate GitHub authorization URL
+     */
+    getAuthorizationUrl(params: AuthorizationUrlParams): string;
+    /**
+     * Exchange authorization code for access token
+     */
+    exchangeCodeForToken(params: TokenExchangeParams): Promise<OAuthTokens>;
+    /**
+     * Fetch user profile from GitHub
+     */
+    getUserProfile(accessToken: string): Promise<OAuthProfile>;
+}

package/dist/providers/GitHubProvider.js

@@ -0,0 +1,82 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GitHubProvider = void 0;
+const OAuthProviderBase_1 = require("./OAuthProviderBase");
+/**
+ * GitHub OAuth 2.0 provider implementation
+ *
+ * Implements OAuth flow for GitHub:
+ * - Authorization URL: https://github.com/login/oauth/authorize
+ * - Token exchange: POST https://github.com/login/oauth/access_token
+ * - User profile: GET https://api.github.com/user
+ *
+ * Default scopes: ['user:email']
+ */
+class GitHubProvider extends OAuthProviderBase_1.OAuthProviderBase {
+    constructor(config) {
+        super(config);
+        this.name = "github";
+    }
+    /**
+     * Generate GitHub authorization URL
+     */
+    getAuthorizationUrl(params) {
+        const scopes = params.scope.length > 0 ? params.scope : GitHubProvider.DEFAULT_SCOPES;
+        const queryParams = {
+            client_id: this.config.clientId,
+            redirect_uri: params.redirectUri,
+            state: params.state,
+            scope: scopes.join(" "),
+        };
+        return `${GitHubProvider.AUTHORIZATION_URL}?${this.buildQueryString(queryParams)}`;
+    }
+    /**
+     * Exchange authorization code for access token
+     */
+    async exchangeCodeForToken(params) {
+        const body = this.buildQueryString({
+            client_id: this.config.clientId,
+            client_secret: this.config.clientSecret,
+            code: params.code,
+            redirect_uri: params.redirectUri,
+        });
+        const response = await this.makeHttpRequest(GitHubProvider.TOKEN_URL, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+                Accept: "application/json",
+            },
+            body,
+        });
+        return {
+            accessToken: response.access_token,
+            refreshToken: response.refresh_token,
+            scope: response.scope,
+            expiresIn: response.expires_in,
+        };
+    }
+    /**
+     * Fetch user profile from GitHub
+     */
+    async getUserProfile(accessToken) {
+        const response = await this.makeHttpRequest(GitHubProvider.USER_PROFILE_URL, {
+            method: "GET",
+            headers: {
+                Authorization: `Bearer ${accessToken}`,
+                Accept: "application/json",
+            },
+        });
+        return {
+            id: String(response.id),
+            email: response.email,
+            name: response.name,
+            avatarUrl: response.avatar_url,
+            raw: response,
+        };
+    }
+}
+exports.GitHubProvider = GitHubProvider;
+GitHubProvider.AUTHORIZATION_URL = "https://github.com/login/oauth/authorize";
+GitHubProvider.TOKEN_URL = "https://github.com/login/oauth/access_token";
+GitHubProvider.USER_PROFILE_URL = "https://api.github.com/user";
+GitHubProvider.DEFAULT_SCOPES = ["user:email"];

package/dist/providers/GoogleProvider.d.ts

@@ -0,0 +1,32 @@
+import { OAuthProvider, OAuthTokens, OAuthProfile, AuthorizationUrlParams, TokenExchangeParams, ProviderConfig } from "./OAuthProvider";
+import { OAuthProviderBase } from "./OAuthProviderBase";
+/**
+ * Google OAuth 2.0 provider implementation
+ *
+ * Implements OAuth flow for Google:
+ * - Authorization URL: https://accounts.google.com/o/oauth2/v2/auth
+ * - Token exchange: POST https://oauth2.googleapis.com/token
+ * - User profile: GET https://www.googleapis.com/oauth2/v2/userinfo
+ *
+ * Default scopes: ['openid', 'email', 'profile']
+ */
+export declare class GoogleProvider extends OAuthProviderBase implements OAuthProvider {
+    readonly name = "google";
+    private static readonly AUTHORIZATION_URL;
+    private static readonly TOKEN_URL;
+    private static readonly USER_PROFILE_URL;
+    private static readonly DEFAULT_SCOPES;
+    constructor(config: ProviderConfig);
+    /**
+     * Generate Google authorization URL
+     */
+    getAuthorizationUrl(params: AuthorizationUrlParams): string;
+    /**
+     * Exchange authorization code for access token
+     */
+    exchangeCodeForToken(params: TokenExchangeParams): Promise<OAuthTokens>;
+    /**
+     * Fetch user profile from Google
+     */
+    getUserProfile(accessToken: string): Promise<OAuthProfile>;
+}