@hazeljs/oauth 0.2.0-alpha.1

package/dist/oauth.controller.js

@@ -0,0 +1,137 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthController = void 0;
+const core_1 = require("@hazeljs/core");
+const oauth_service_1 = require("./oauth.service");
+const STATE_COOKIE = 'oauth_state';
+const CODE_VERIFIER_COOKIE = 'oauth_code_verifier';
+const COOKIE_MAX_AGE = 60 * 10; // 10 minutes
+const COOKIE_OPTS = `Path=/; HttpOnly; SameSite=Lax; Max-Age=${COOKIE_MAX_AGE}`;
+function getCookie(req, name) {
+    const h = req?.headers?.['cookie'];
+    const cookieHeader = Array.isArray(h) ? h[0] : h;
+    if (typeof cookieHeader !== 'string')
+        return undefined;
+    const part = cookieHeader.split(';').find((c) => c.trim().startsWith(`${name}=`));
+    return part?.split('=')[1]?.trim();
+}
+/**
+ * Optional controller that provides OAuth routes.
+ * Register in your app if you want ready-made /auth/:provider and /auth/:provider/callback routes.
+ */
+let OAuthController = class OAuthController {
+    constructor(oauthService) {
+        this.oauthService = oauthService;
+    }
+    /**
+     * GET /auth/:provider - Redirects user to OAuth provider.
+     * Sets state and codeVerifier (for PKCE) in cookies.
+     */
+    async login(provider, res) {
+        const p = provider.toLowerCase();
+        if (!['google', 'microsoft', 'github', 'facebook', 'twitter'].includes(p)) {
+            res.status(400).json({ error: 'Invalid provider' });
+            return;
+        }
+        const { url, state, codeVerifier } = this.oauthService.getAuthorizationUrl(p);
+        const cookies = [`${STATE_COOKIE}=${state}; ${COOKIE_OPTS}`];
+        if (codeVerifier) {
+            cookies.push(`${CODE_VERIFIER_COOKIE}=${codeVerifier}; ${COOKIE_OPTS}`);
+        }
+        res.setHeader('Set-Cookie', cookies);
+        res.status(302);
+        res.setHeader('Location', url);
+        res.end();
+    }
+    /**
+     * GET /auth/:provider/callback - Handles OAuth callback.
+     * Returns JSON with accessToken, user. Use successRedirect/errorRedirect query params for redirects.
+     */
+    async callback(provider, query, req, res) {
+        const p = provider.toLowerCase();
+        if (!['google', 'microsoft', 'github', 'facebook', 'twitter'].includes(p)) {
+            res.status(400).json({ error: 'Invalid provider' });
+            return;
+        }
+        const code = query?.code;
+        if (!code) {
+            this.redirectOrJson(res, 400, query.errorRedirect, { error: 'Missing authorization code' });
+            return;
+        }
+        const storedState = getCookie(req, STATE_COOKIE);
+        const codeVerifier = getCookie(req, CODE_VERIFIER_COOKIE);
+        res.setHeader('Set-Cookie', [
+            `${STATE_COOKIE}=; Path=/; HttpOnly; Max-Age=0`,
+            `${CODE_VERIFIER_COOKIE}=; Path=/; HttpOnly; Max-Age=0`,
+        ]);
+        if (!storedState || query.state !== storedState) {
+            this.redirectOrJson(res, 400, query.errorRedirect, { error: 'Invalid state' });
+            return;
+        }
+        try {
+            const result = await this.oauthService.handleCallback(p, code, storedState, codeVerifier);
+            // Pass through callbackHandler (if configured) so the app can issue a JWT,
+            // look up the user in its own DB, etc. before responding.
+            const response = await this.oauthService.executeCallback(p, result);
+            if (query.successRedirect) {
+                res.status(302);
+                res.setHeader('Location', query.successRedirect);
+                res.end();
+                return;
+            }
+            res.status(200).json(response);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : 'OAuth callback failed';
+            this.redirectOrJson(res, 401, query.errorRedirect, { error: message });
+        }
+    }
+    redirectOrJson(res, status, errorRedirect, json) {
+        if (errorRedirect) {
+            const url = new URL(errorRedirect);
+            if (json?.error)
+                url.searchParams.set('error', json.error);
+            res.status(302);
+            res.setHeader('Location', url.toString());
+            res.end();
+        }
+        else if (json) {
+            res.status(status).json(json);
+        }
+    }
+};
+exports.OAuthController = OAuthController;
+__decorate([
+    (0, core_1.Get)('/:provider'),
+    __param(0, (0, core_1.Param)('provider')),
+    __param(1, (0, core_1.Res)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [String, Object]),
+    __metadata("design:returntype", Promise)
+], OAuthController.prototype, "login", null);
+__decorate([
+    (0, core_1.Get)('/:provider/callback'),
+    __param(0, (0, core_1.Param)('provider')),
+    __param(1, (0, core_1.Query)()),
+    __param(2, (0, core_1.Req)()),
+    __param(3, (0, core_1.Res)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [String, Object, Object, Object]),
+    __metadata("design:returntype", Promise)
+], OAuthController.prototype, "callback", null);
+exports.OAuthController = OAuthController = __decorate([
+    (0, core_1.Controller)('/auth'),
+    __metadata("design:paramtypes", [oauth_service_1.OAuthService])
+], OAuthController);

package/dist/oauth.module.d.ts

@@ -0,0 +1,5 @@
+import type { OAuthModuleOptions } from './providers/provider.types';
+export declare class OAuthModule {
+    static forRoot(options: OAuthModuleOptions): typeof OAuthModule;
+}
+//# sourceMappingURL=oauth.module.d.ts.map

package/dist/oauth.module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.module.d.ts","sourceRoot":"","sources":["../src/oauth.module.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAErE,qBAKa,WAAW;IACtB,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,kBAAkB,GAAG,OAAO,WAAW;CAIhE"}

package/dist/oauth.module.js

@@ -0,0 +1,27 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var OAuthModule_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthModule = void 0;
+const core_1 = require("@hazeljs/core");
+const oauth_controller_1 = require("./oauth.controller");
+const oauth_service_1 = require("./oauth.service");
+let OAuthModule = OAuthModule_1 = class OAuthModule {
+    static forRoot(options) {
+        oauth_service_1.OAuthService.configure(options);
+        return OAuthModule_1;
+    }
+};
+exports.OAuthModule = OAuthModule;
+exports.OAuthModule = OAuthModule = OAuthModule_1 = __decorate([
+    (0, core_1.HazelModule)({
+        controllers: [oauth_controller_1.OAuthController],
+        providers: [oauth_service_1.OAuthService],
+        exports: [oauth_service_1.OAuthService],
+    })
+], OAuthModule);

package/dist/oauth.module.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=oauth.module.test.d.ts.map

package/dist/oauth.module.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.module.test.d.ts","sourceRoot":"","sources":["../src/oauth.module.test.ts"],"names":[],"mappings":""}

package/dist/oauth.module.test.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const oauth_module_1 = require("./oauth.module");
+const oauth_service_1 = require("./oauth.service");
+jest.mock('arctic', () => ({
+    generateState: jest.fn(() => 'state'),
+    generateCodeVerifier: jest.fn(() => 'verifier'),
+    Google: jest.fn().mockImplementation(() => ({
+        createAuthorizationURL: () => new URL('https://accounts.google.com/auth'),
+        validateAuthorizationCode: jest.fn(),
+    })),
+    MicrosoftEntraId: jest.fn(),
+    Twitter: jest.fn(),
+    GitHub: jest.fn(),
+    Facebook: jest.fn(),
+}));
+describe('OAuthModule', () => {
+    const testOptions = {
+        providers: {
+            google: {
+                clientId: 'test-id',
+                clientSecret: 'test-secret',
+                redirectUri: 'https://app.com/callback',
+            },
+        },
+    };
+    beforeEach(() => {
+        oauth_module_1.OAuthModule.forRoot(testOptions);
+    });
+    it('should return OAuthModule from forRoot', () => {
+        const result = oauth_module_1.OAuthModule.forRoot(testOptions);
+        expect(result).toBe(oauth_module_1.OAuthModule);
+    });
+    it('should configure OAuthService when forRoot is called', () => {
+        const service = new oauth_service_1.OAuthService();
+        expect(service).toBeInstanceOf(oauth_service_1.OAuthService);
+        const url = service.getAuthorizationUrl('google');
+        expect(url.url).toBeDefined();
+    });
+});

package/dist/oauth.service.d.ts

@@ -0,0 +1,47 @@
+import type { OAuthModuleOptions, OAuthCallbackResult, OAuthAuthorizationResult, SupportedProvider } from './providers/provider.types';
+export declare class OAuthService {
+    private options;
+    private googleClient;
+    private microsoftClient;
+    private githubClient;
+    private facebookClient;
+    private twitterClient;
+    constructor();
+    private static options;
+    static configure(options: OAuthModuleOptions): void;
+    private static getOptions;
+    private initClients;
+    private getClient;
+    private getDefaultScopes;
+    /**
+     * Get the authorization URL to redirect the user to the OAuth provider.
+     * For PKCE providers (Google, Microsoft), store codeVerifier and pass it to handleCallback.
+     */
+    getAuthorizationUrl(provider: SupportedProvider, state?: string, scopes?: string[]): OAuthAuthorizationResult;
+    /**
+     * Exchange the authorization code for tokens and fetch user profile.
+     * For PKCE providers (Google, Microsoft), codeVerifier is required.
+     */
+    handleCallback(provider: SupportedProvider, code: string, state: string, codeVerifier?: string): Promise<OAuthCallbackResult>;
+    /**
+     * Called by OAuthController after a successful token exchange and user-profile fetch.
+     *
+     * If the module was configured with a `callbackHandler` class, the handler is
+     * resolved from the global DI container and its `handle()` method is invoked.
+     * This is where you look up / create your application user and issue a JWT.
+     *
+     * When no handler is configured the raw OAuthCallbackResult is returned unchanged,
+     * which preserves backwards-compatible behaviour.
+     */
+    executeCallback(provider: SupportedProvider, result: OAuthCallbackResult): Promise<unknown>;
+    /**
+     * Validate that the state matches (CSRF protection).
+     * Use this when handling the callback to ensure the request originated from your app.
+     */
+    validateState(receivedState: string, storedState: string): boolean;
+    /**
+     * Generate a cryptographically secure state value for OAuth.
+     */
+    generateState(): string;
+}
+//# sourceMappingURL=oauth.service.d.ts.map

package/dist/oauth.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.service.d.ts","sourceRoot":"","sources":["../src/oauth.service.ts"],"names":[],"mappings":"AAmBA,OAAO,KAAK,EACV,kBAAkB,EAElB,mBAAmB,EACnB,wBAAwB,EACxB,iBAAiB,EAElB,MAAM,4BAA4B,CAAC;AAIpC,qBACa,YAAY;IACvB,OAAO,CAAC,OAAO,CAAqB;IACpC,OAAO,CAAC,YAAY,CAAwD;IAC5E,OAAO,CAAC,eAAe,CAA2D;IAClF,OAAO,CAAC,YAAY,CAAwD;IAC5E,OAAO,CAAC,cAAc,CAA0D;IAChF,OAAO,CAAC,aAAa,CAAyD;;IAO9E,OAAO,CAAC,MAAM,CAAC,OAAO,CAAmC;IAEzD,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,kBAAkB,GAAG,IAAI;IAInD,OAAO,CAAC,MAAM,CAAC,UAAU;IASzB,OAAO,CAAC,WAAW;IAkBnB,OAAO,CAAC,SAAS;IA8BjB,OAAO,CAAC,gBAAgB;IAmBxB;;;OAGG;IACH,mBAAmB,CACjB,QAAQ,EAAE,iBAAiB,EAC3B,KAAK,CAAC,EAAE,MAAM,EACd,MAAM,CAAC,EAAE,MAAM,EAAE,GAChB,wBAAwB;IA2B3B;;;OAGG;IACG,cAAc,CAClB,QAAQ,EAAE,iBAAiB,EAC3B,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,EACb,YAAY,CAAC,EAAE,MAAM,GACpB,OAAO,CAAC,mBAAmB,CAAC;IAuF/B;;;;;;;;;OASG;IACG,eAAe,CACnB,QAAQ,EAAE,iBAAiB,EAC3B,MAAM,EAAE,mBAAmB,GAC1B,OAAO,CAAC,OAAO,CAAC;IAWnB;;;OAGG;IACH,aAAa,CAAC,aAAa,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO;IAIlE;;OAEG;IACH,aAAa,IAAI,MAAM;CAGxB"}

package/dist/oauth.service.js

@@ -0,0 +1,256 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var OAuthService_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthService = void 0;
+const core_1 = require("@hazeljs/core");
+const arctic = __importStar(require("arctic"));
+const providers_1 = require("./providers");
+const PKCE_PROVIDERS = ['google', 'microsoft', 'twitter'];
+let OAuthService = OAuthService_1 = class OAuthService {
+    constructor() {
+        this.googleClient = null;
+        this.microsoftClient = null;
+        this.githubClient = null;
+        this.facebookClient = null;
+        this.twitterClient = null;
+        this.options = OAuthService_1.getOptions();
+        this.initClients();
+    }
+    static configure(options) {
+        OAuthService_1.options = options;
+    }
+    static getOptions() {
+        if (!OAuthService_1.options) {
+            throw new Error('OAuthModule not configured. Call OAuthModule.forRoot({ providers: {...} }) in your app module.');
+        }
+        return OAuthService_1.options;
+    }
+    initClients() {
+        if (this.options.providers.google) {
+            this.googleClient = (0, providers_1.createGoogleProvider)(this.options.providers.google);
+        }
+        if (this.options.providers.microsoft) {
+            this.microsoftClient = (0, providers_1.createMicrosoftProvider)(this.options.providers.microsoft);
+        }
+        if (this.options.providers.github) {
+            this.githubClient = (0, providers_1.createGitHubProvider)(this.options.providers.github);
+        }
+        if (this.options.providers.facebook) {
+            this.facebookClient = (0, providers_1.createFacebookProvider)(this.options.providers.facebook);
+        }
+        if (this.options.providers.twitter) {
+            this.twitterClient = (0, providers_1.createTwitterProvider)(this.options.providers.twitter);
+        }
+    }
+    getClient(provider) {
+        switch (provider) {
+            case 'google':
+                if (!this.googleClient)
+                    throw new Error('Google OAuth is not configured');
+                return this.googleClient;
+            case 'microsoft':
+                if (!this.microsoftClient)
+                    throw new Error('Microsoft OAuth is not configured');
+                return this.microsoftClient;
+            case 'github':
+                if (!this.githubClient)
+                    throw new Error('GitHub OAuth is not configured');
+                return this.githubClient;
+            case 'facebook':
+                if (!this.facebookClient)
+                    throw new Error('Facebook OAuth is not configured');
+                return this.facebookClient;
+            case 'twitter':
+                if (!this.twitterClient)
+                    throw new Error('Twitter OAuth is not configured');
+                return this.twitterClient;
+            default:
+                throw new Error(`Unsupported provider: ${provider}`);
+        }
+    }
+    getDefaultScopes(provider) {
+        const defaults = this.options.defaultScopes?.[provider];
+        if (defaults)
+            return defaults;
+        switch (provider) {
+            case 'google':
+                return (0, providers_1.getGoogleDefaultScopes)();
+            case 'microsoft':
+                return (0, providers_1.getMicrosoftDefaultScopes)();
+            case 'github':
+                return (0, providers_1.getGitHubDefaultScopes)();
+            case 'facebook':
+                return (0, providers_1.getFacebookDefaultScopes)();
+            case 'twitter':
+                return (0, providers_1.getTwitterDefaultScopes)();
+            default:
+                return [];
+        }
+    }
+    /**
+     * Get the authorization URL to redirect the user to the OAuth provider.
+     * For PKCE providers (Google, Microsoft), store codeVerifier and pass it to handleCallback.
+     */
+    getAuthorizationUrl(provider, state, scopes) {
+        const client = this.getClient(provider);
+        const resolvedState = state || arctic.generateState();
+        const resolvedScopes = scopes ?? this.getDefaultScopes(provider);
+        if (PKCE_PROVIDERS.includes(provider)) {
+            const codeVerifier = arctic.generateCodeVerifier();
+            const url = client.createAuthorizationURL(resolvedState, codeVerifier, resolvedScopes);
+            return {
+                url: url.toString(),
+                state: resolvedState,
+                codeVerifier,
+            };
+        }
+        // GitHub, Facebook - no PKCE
+        const url = client.createAuthorizationURL(resolvedState, resolvedScopes);
+        return {
+            url: url.toString(),
+            state: resolvedState,
+        };
+    }
+    /**
+     * Exchange the authorization code for tokens and fetch user profile.
+     * For PKCE providers (Google, Microsoft), codeVerifier is required.
+     */
+    async handleCallback(provider, code, state, codeVerifier) {
+        const client = this.getClient(provider);
+        const needsPkce = PKCE_PROVIDERS.includes(provider);
+        if (needsPkce && !codeVerifier) {
+            throw new Error(`Provider ${provider} requires codeVerifier (PKCE). Pass the codeVerifier from getAuthorizationUrl.`);
+        }
+        let accessToken;
+        let refreshToken;
+        let expiresAt;
+        try {
+            if (needsPkce && codeVerifier) {
+                const tokens = await client.validateAuthorizationCode(code, codeVerifier);
+                accessToken = tokens.accessToken();
+                refreshToken = tokens.hasRefreshToken() ? tokens.refreshToken() : undefined;
+                expiresAt = tokens.accessTokenExpiresAt();
+            }
+            else {
+                const tokens = await client.validateAuthorizationCode(code);
+                accessToken = tokens.accessToken();
+                refreshToken = tokens.hasRefreshToken() ? tokens.refreshToken() : undefined;
+                expiresAt = tokens.accessTokenExpiresAt();
+            }
+        }
+        catch (e) {
+            if (e instanceof arctic.OAuth2RequestError) {
+                throw new Error(`OAuth token exchange failed: ${e.code} - ${e.description || e.message}`);
+            }
+            if (e instanceof arctic.ArcticFetchError) {
+                const cause = e.cause;
+                throw new Error(`OAuth request failed: ${cause?.message || e.message}`);
+            }
+            throw e;
+        }
+        let user;
+        switch (provider) {
+            case 'google':
+                user = await (0, providers_1.fetchGoogleUser)(accessToken);
+                break;
+            case 'microsoft':
+                user = await (0, providers_1.fetchMicrosoftUser)(accessToken);
+                break;
+            case 'github':
+                user = await (0, providers_1.fetchGitHubUser)(accessToken);
+                break;
+            case 'facebook':
+                user = await (0, providers_1.fetchFacebookUser)(accessToken);
+                break;
+            case 'twitter':
+                user = await (0, providers_1.fetchTwitterUser)(accessToken);
+                break;
+            default:
+                throw new Error(`Unsupported provider: ${provider}`);
+        }
+        return {
+            accessToken,
+            refreshToken,
+            expiresAt,
+            user,
+        };
+    }
+    /**
+     * Called by OAuthController after a successful token exchange and user-profile fetch.
+     *
+     * If the module was configured with a `callbackHandler` class, the handler is
+     * resolved from the global DI container and its `handle()` method is invoked.
+     * This is where you look up / create your application user and issue a JWT.
+     *
+     * When no handler is configured the raw OAuthCallbackResult is returned unchanged,
+     * which preserves backwards-compatible behaviour.
+     */
+    async executeCallback(provider, result) {
+        const handlerClass = OAuthService_1.options?.callbackHandler;
+        if (!handlerClass)
+            return result;
+        const handler = core_1.Container.getInstance().resolve(handlerClass);
+        return handler.handle(result, provider);
+    }
+    /**
+     * Validate that the state matches (CSRF protection).
+     * Use this when handling the callback to ensure the request originated from your app.
+     */
+    validateState(receivedState, storedState) {
+        return receivedState === storedState && receivedState.length > 0;
+    }
+    /**
+     * Generate a cryptographically secure state value for OAuth.
+     */
+    generateState() {
+        return arctic.generateState();
+    }
+};
+exports.OAuthService = OAuthService;
+OAuthService.options = null;
+exports.OAuthService = OAuthService = OAuthService_1 = __decorate([
+    (0, core_1.Service)(),
+    __metadata("design:paramtypes", [])
+], OAuthService);

package/dist/oauth.service.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=oauth.service.test.d.ts.map

package/dist/oauth.service.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.service.test.d.ts","sourceRoot":"","sources":["../src/oauth.service.test.ts"],"names":[],"mappings":""}