@hazeljs/oauth 0.2.0-beta.49

package/LICENSE

@@ -0,0 +1,192 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   Copyright 2024 HazelJS Team
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+---
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+   "License" shall mean the terms and conditions for use, reproduction,
+   and distribution as defined by Sections 1 through 9 of this document.
+
+   "Licensor" shall mean the copyright owner or entity authorized by
+   the copyright owner that is granting the License.
+
+   "Legal Entity" shall mean the union of the acting entity and all
+   other entities that control, are controlled by, or are under common
+   control with that entity. For the purposes of this definition,
+   "control" means (i) the power, direct or indirect, to cause the
+   direction or management of such entity, whether by contract or
+   otherwise, or (ii) ownership of fifty percent (50%) or more of the
+   outstanding shares, or (iii) beneficial ownership of such entity.
+
+   "You" (or "Your") shall mean an individual or Legal Entity
+   exercising permissions granted by this License.
+
+   "Source" form shall mean the preferred form for making modifications,
+   including but not limited to software source code, documentation
+   source, and configuration files.
+
+   "Object" form shall mean any form resulting from mechanical
+   transformation or translation of a Source form, including but
+   not limited to compiled object code, generated documentation,
+   and conversions to other media types.
+
+   "Work" shall mean the work of authorship, whether in Source or
+   Object form, made available under the License, as indicated by a
+   copyright notice that is included in or attached to the work
+   (an example is provided in the Appendix below).
+
+   "Derivative Works" shall mean any work, whether in Source or Object
+   form, that is based on (or derived from) the Work and for which the
+   editorial revisions, annotations, elaborations, or other modifications
+   represent, as a whole, an original work of authorship. For the purposes
+   of this License, Derivative Works shall not include works that remain
+   separable from, or merely link (or bind by name) to the interfaces of,
+   the Work and Derivative Works thereof.
+
+   "Contribution" shall mean any work of authorship, including
+   the original version of the Work and any modifications or additions
+   to that Work or Derivative Works thereof, that is intentionally
+   submitted to Licensor for inclusion in the Work by the copyright owner
+   or by an individual or Legal Entity authorized to submit on behalf of
+   the copyright owner. For the purposes of this definition, "submitted"
+   means any form of electronic, verbal, or written communication sent
+   to the Licensor or its representatives, including but not limited to
+   communication on electronic mailing lists, source code control systems,
+   and issue tracking systems that are managed by, or on behalf of, the
+   Licensor for the purpose of discussing and improving the Work, but
+   excluding communication that is conspicuously marked or otherwise
+   designated in writing by the copyright owner as "Not a Contribution."
+
+   "Contributor" shall mean Licensor and any individual or Legal Entity
+   on behalf of whom a Contribution has been received by Licensor and
+   subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   copyright license to reproduce, prepare Derivative Works of,
+   publicly display, publicly perform, sublicense, and distribute the
+   Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   (except as stated in this section) patent license to make, have made,
+   use, offer to sell, sell, import, and otherwise transfer the Work,
+   where such license applies only to those patent claims licensable
+   by such Contributor that are necessarily infringed by their
+   Contribution(s) alone or by combination of their Contribution(s)
+   with the Work to which such Contribution(s) was submitted. If You
+   institute patent litigation against any entity (including a
+   cross-claim or counterclaim in a lawsuit) alleging that the Work
+   or a Contribution incorporated within the Work constitutes direct
+   or contributory patent infringement, then any patent licenses
+   granted to You under this License for that Work shall terminate
+   as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+   Work or Derivative Works thereof in any medium, with or without
+   modifications, and in Source or Object form, provided that You
+   meet the following conditions:
+
+   (a) You must give any other recipients of the Work or
+   Derivative Works a copy of this License; and
+
+   (b) You must cause any modified files to carry prominent notices
+   stating that You changed the files; and
+
+   (c) You must retain, in the Source form of any Derivative Works
+   that You distribute, all copyright, patent, trademark, and
+   attribution notices from the Source form of the Work,
+   excluding those notices that do not pertain to any part of
+   the Derivative Works; and
+
+   (d) If the Work includes a "NOTICE" text file as part of its
+   distribution, then any Derivative Works that You distribute must
+   include a readable copy of the attribution notices contained
+   within such NOTICE file, excluding those notices that do not
+   pertain to any part of the Derivative Works, in at least one
+   of the following places: within a NOTICE text file distributed
+   as part of the Derivative Works; within the Source form or
+   documentation, if provided along with the Derivative Works; or,
+   within a display generated by the Derivative Works, if and
+   wherever such third-party notices normally appear. The contents
+   of the NOTICE file are for informational purposes only and
+   do not modify the License. You may add Your own attribution
+   notices within Derivative Works that You distribute, alongside
+   or as an addendum to the NOTICE text from the Work, provided
+   that such additional attribution notices cannot be construed
+   as modifying the License.
+
+   You may add Your own copyright statement to Your modifications and
+   may provide additional or different license terms and conditions
+   for use, reproduction, or distribution of Your modifications, or
+   for any such Derivative Works as a whole, provided Your use,
+   reproduction, and distribution of the Work otherwise complies with
+   the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+   any Contribution intentionally submitted for inclusion in the Work
+   by You to the Licensor shall be under the terms and conditions of
+   this License, without any additional terms or conditions.
+   Notwithstanding the above, nothing herein shall supersede or modify
+   the terms of any separate license agreement you may have executed
+   with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+   names, trademarks, service marks, or product names of the Licensor,
+   except as required for reasonable and customary use in describing the
+   origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+   agreed to in writing, Licensor provides the Work (and each
+   Contributor provides its Contributions) on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied, including, without limitation, any warranties or conditions
+   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+   PARTICULAR PURPOSE. You are solely responsible for determining the
+   appropriateness of using or redistributing the Work and assume any
+   risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+   whether in tort (including negligence), contract, or otherwise,
+   unless required by applicable law (such as deliberate and grossly
+   negligent acts) or agreed to in writing, shall any Contributor be
+   liable to You for damages, including any direct, indirect, special,
+   incidental, or consequential damages of any character arising as a
+   result of this License or out of the use or inability to use the
+   Work (including but not limited to damages for loss of goodwill,
+   work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses), even if such Contributor
+   has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+   the Work or Derivative Works thereof, You may choose to offer,
+   and charge a fee for, acceptance of support, warranty, indemnity,
+   or other liability obligations and/or rights consistent with this
+   License. However, in accepting such obligations, You may act only
+   on Your own behalf and on Your sole responsibility, not on behalf
+   of any other Contributor, and only if You agree to indemnify,
+   defend, and hold each Contributor harmless for any liability
+   incurred by, or claims asserted against, such Contributor by reason
+   of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS

package/README.md

@@ -0,0 +1,200 @@
+# @hazeljs/oauth
+
+**"Sign in with Google" in 5 minutes.**
+
+Google, Microsoft, GitHub, Facebook, Twitter — one config, ready-made routes. PKCE, user profiles, JWT integration. Built on [Arctic](https://arcticjs.dev) — 50+ providers available if you need more.
+
+[![npm version](https://img.shields.io/npm/v/@hazeljs/oauth.svg)](https://www.npmjs.com/package/@hazeljs/oauth)
+[![npm downloads](https://img.shields.io/npm/dm/@hazeljs/oauth)](https://www.npmjs.com/package/@hazeljs/oauth)
+[![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0)
+
+## Features
+
+- **Multi-Provider** — Google, Microsoft Entra ID, GitHub, Facebook, Twitter
+- **PKCE Support** — Automatic for Google, Microsoft, Twitter
+- **User Profile** — Fetches id, email, name, picture from provider APIs
+- **Ready-Made Routes** — Optional `/auth/:provider` and `/auth/:provider/callback`
+- **JWT Integration** — Use with `@hazeljs/auth` for session tokens
+
+## Installation
+
+```bash
+npm install @hazeljs/oauth
+```
+
+Or with the HazelJS CLI:
+
+```bash
+hazel add oauth
+```
+
+## Quick Start
+
+### 1. Configure Providers
+
+```typescript
+import { HazelModule } from '@hazeljs/core';
+import { OAuthModule } from '@hazeljs/oauth';
+
+@HazelModule({
+  imports: [
+    OAuthModule.forRoot({
+      providers: {
+        google: {
+          clientId: process.env.GOOGLE_CLIENT_ID!,
+          clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
+          redirectUri: process.env.OAUTH_REDIRECT_URI!,
+        },
+        github: {
+          clientId: process.env.GITHUB_CLIENT_ID!,
+          clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+          redirectUri: process.env.OAUTH_REDIRECT_URI!,
+        },
+      },
+    }),
+  ],
+})
+export class AppModule {}
+```
+
+### 2. Use Built-in Routes
+
+The `OAuthController` provides:
+
+- **GET /auth/:provider** — Redirects to provider (google, microsoft, github, facebook, twitter)
+- **GET /auth/:provider/callback** — Handles callback, returns `{ accessToken, user }`
+
+Example: User visits `/auth/google` → authenticates → callback returns tokens and profile.
+
+### 3. Custom Flow with OAuthService
+
+```typescript
+import { OAuthService } from '@hazeljs/oauth';
+
+@Injectable()
+export class AuthController {
+  constructor(private oauth: OAuthService) {}
+
+  @Get('login/:provider')
+  login(@Param('provider') provider: string, @Res() res: Response) {
+    const { url, state, codeVerifier } = this.oauth.getAuthorizationUrl(provider);
+    // Store state + codeVerifier in cookies
+    res.redirect(url);
+  }
+
+  @Get('callback')
+  async callback(@Query() q: { code: string; state: string }, @Req() req: Request) {
+    const { codeVerifier } = getFromCookies(req);
+    const result = await this.oauth.handleCallback(
+      'google', q.code, q.state, codeVerifier
+    );
+    // result: { accessToken, refreshToken?, expiresAt?, user }
+    return result;
+  }
+}
+```
+
+## Supported Providers
+
+| Provider | PKCE | Default Scopes |
+|----------|------|----------------|
+| Google | Yes | openid, profile, email |
+| Microsoft | Yes | openid, profile, email |
+| GitHub | No | user:email |
+| Facebook | No | email, public_profile |
+| Twitter | Yes | users.read, tweet.read |
+
+## Configuration
+
+### Microsoft (optional tenant)
+
+```typescript
+microsoft: {
+  clientId: '...',
+  clientSecret: '...',
+  redirectUri: '...',
+  tenant: 'common', // or your Azure AD tenant ID
+}
+```
+
+### Twitter (optional client secret)
+
+```typescript
+twitter: {
+  clientId: '...',
+  redirectUri: '...',
+  clientSecret: null, // for public clients (PKCE-only)
+}
+```
+
+### Custom Scopes
+
+```typescript
+OAuthModule.forRoot({
+  providers: { google: {...} },
+  defaultScopes: {
+    google: ['openid', 'profile', 'email', 'https://www.googleapis.com/auth/calendar'],
+  },
+});
+```
+
+## Integration with @hazeljs/auth
+
+After OAuth callback, create a user and issue JWT:
+
+```typescript
+import { JwtService } from '@hazeljs/auth';
+import { OAuthService } from '@hazeljs/oauth';
+
+async handleOAuthCallback(provider: string, code: string, state: string, codeVerifier?: string) {
+  const { user, accessToken } = await this.oauth.handleCallback(provider, code, state, codeVerifier);
+  const dbUser = await this.upsertUser(user);
+  const jwt = this.jwt.sign({ sub: dbUser.id, email: dbUser.email });
+  return { user: dbUser, accessToken: jwt };
+}
+```
+
+## Environment Variables
+
+```env
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+MICROSOFT_CLIENT_ID=
+MICROSOFT_CLIENT_SECRET=
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
+FACEBOOK_CLIENT_ID=
+FACEBOOK_CLIENT_SECRET=
+TWITTER_CLIENT_ID=
+TWITTER_CLIENT_SECRET=
+OAUTH_REDIRECT_URI=http://localhost:3000/auth/google/callback
+```
+
+## API Reference
+
+### OAuthService
+
+- `getAuthorizationUrl(provider, state?, scopes?)` — Returns `{ url, state, codeVerifier? }`
+- `handleCallback(provider, code, state, codeVerifier?)` — Returns `{ accessToken, refreshToken?, expiresAt?, user }`
+- `validateState(received, stored)` — CSRF check
+- `generateState()` — Cryptographically secure state
+
+### OAuthStateGuard
+
+Validates the `state` parameter on callback. Expects `oauth_stored_state` on the request.
+
+## Testing
+
+```bash
+npm test
+```
+
+## Links
+
+- [Documentation](https://hazeljs.com/docs/packages/oauth)
+- [GitHub](https://github.com/hazel-js/hazeljs)
+- [Arctic](https://arcticjs.dev)
+
+## License
+
+Apache 2.0 © [HazelJS](https://hazeljs.com)

package/dist/guards/oauth-state.guard.d.ts

@@ -0,0 +1,15 @@
+import { type CanActivate, type ExecutionContext } from '@hazeljs/core';
+import { OAuthService } from '../oauth.service';
+/**
+ * Guard that validates the OAuth state parameter against a stored value.
+ * Use when handling the OAuth callback to prevent CSRF attacks.
+ *
+ * Expects storedState to be provided via request (e.g., from cookie or session).
+ * Set oauth_state and oauth_code_verifier (for PKCE) before redirecting to provider.
+ */
+export declare class OAuthStateGuard implements CanActivate {
+    private readonly oauthService;
+    constructor(oauthService: OAuthService);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}
+//# sourceMappingURL=oauth-state.guard.d.ts.map

package/dist/guards/oauth-state.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-state.guard.d.ts","sourceRoot":"","sources":["../../src/guards/oauth-state.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,KAAK,WAAW,EAChB,KAAK,gBAAgB,EAEtB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAEhD;;;;;;GAMG;AACH,qBACa,eAAgB,YAAW,WAAW;IACrC,OAAO,CAAC,QAAQ,CAAC,YAAY;gBAAZ,YAAY,EAAE,YAAY;IAEjD,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;CAmB/D"}

package/dist/guards/oauth-state.guard.js

@@ -0,0 +1,43 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthStateGuard = void 0;
+const core_1 = require("@hazeljs/core");
+const oauth_service_1 = require("../oauth.service");
+/**
+ * Guard that validates the OAuth state parameter against a stored value.
+ * Use when handling the OAuth callback to prevent CSRF attacks.
+ *
+ * Expects storedState to be provided via request (e.g., from cookie or session).
+ * Set oauth_state and oauth_code_verifier (for PKCE) before redirecting to provider.
+ */
+let OAuthStateGuard = class OAuthStateGuard {
+    constructor(oauthService) {
+        this.oauthService = oauthService;
+    }
+    async canActivate(context) {
+        const request = context.switchToHttp().getRequest();
+        const receivedState = request.query?.state ?? request.body?.state;
+        const storedState = request.oauth_stored_state;
+        if (!receivedState || !storedState) {
+            throw new core_1.UnauthorizedError('Missing OAuth state');
+        }
+        if (!this.oauthService.validateState(receivedState, storedState)) {
+            throw new core_1.UnauthorizedError('Invalid OAuth state');
+        }
+        return true;
+    }
+};
+exports.OAuthStateGuard = OAuthStateGuard;
+exports.OAuthStateGuard = OAuthStateGuard = __decorate([
+    (0, core_1.Injectable)(),
+    __metadata("design:paramtypes", [oauth_service_1.OAuthService])
+], OAuthStateGuard);

package/dist/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * @hazeljs/oauth - OAuth 2.0 social login for HazelJS
+ *
+ * Supports Google, Microsoft Entra ID, and GitHub.
+ * Built on Arctic - 50+ providers available.
+ */
+export { OAuthModule } from './oauth.module';
+export { OAuthService } from './oauth.service';
+export { OAuthController } from './oauth.controller';
+export { OAuthStateGuard } from './guards/oauth-state.guard';
+export type { OAuthModuleOptions, OAuthProvidersConfig, OAuthCallbackResult, OAuthAuthorizationResult, OAuthUser, SupportedProvider, GoogleProviderConfig, MicrosoftProviderConfig, GitHubProviderConfig, FacebookProviderConfig, TwitterProviderConfig, } from './providers/provider.types';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,YAAY,EACV,kBAAkB,EAClB,oBAAoB,EACpB,mBAAmB,EACnB,wBAAwB,EACxB,SAAS,EACT,iBAAiB,EACjB,oBAAoB,EACpB,uBAAuB,EACvB,oBAAoB,EACpB,sBAAsB,EACtB,qBAAqB,GACtB,MAAM,4BAA4B,CAAC"}

package/dist/index.js

@@ -0,0 +1,17 @@
+"use strict";
+/**
+ * @hazeljs/oauth - OAuth 2.0 social login for HazelJS
+ *
+ * Supports Google, Microsoft Entra ID, and GitHub.
+ * Built on Arctic - 50+ providers available.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthStateGuard = exports.OAuthController = exports.OAuthService = exports.OAuthModule = void 0;
+var oauth_module_1 = require("./oauth.module");
+Object.defineProperty(exports, "OAuthModule", { enumerable: true, get: function () { return oauth_module_1.OAuthModule; } });
+var oauth_service_1 = require("./oauth.service");
+Object.defineProperty(exports, "OAuthService", { enumerable: true, get: function () { return oauth_service_1.OAuthService; } });
+var oauth_controller_1 = require("./oauth.controller");
+Object.defineProperty(exports, "OAuthController", { enumerable: true, get: function () { return oauth_controller_1.OAuthController; } });
+var oauth_state_guard_1 = require("./guards/oauth-state.guard");
+Object.defineProperty(exports, "OAuthStateGuard", { enumerable: true, get: function () { return oauth_state_guard_1.OAuthStateGuard; } });

package/dist/oauth.controller.d.ts

@@ -0,0 +1,29 @@
+import { type Response } from '@hazeljs/core';
+import { OAuthService } from './oauth.service';
+/**
+ * Optional controller that provides OAuth routes.
+ * Register in your app if you want ready-made /auth/:provider and /auth/:provider/callback routes.
+ */
+export declare class OAuthController {
+    private readonly oauthService;
+    constructor(oauthService: OAuthService);
+    /**
+     * GET /auth/:provider - Redirects user to OAuth provider.
+     * Sets state and codeVerifier (for PKCE) in cookies.
+     */
+    login(provider: string, res: Response): Promise<void>;
+    /**
+     * GET /auth/:provider/callback - Handles OAuth callback.
+     * Returns JSON with accessToken, user. Use successRedirect/errorRedirect query params for redirects.
+     */
+    callback(provider: string, query: {
+        code?: string;
+        state?: string;
+        successRedirect?: string;
+        errorRedirect?: string;
+    }, req: {
+        headers?: Record<string, string | string[] | undefined>;
+    }, res: Response): Promise<void>;
+    private redirectOrJson;
+}
+//# sourceMappingURL=oauth.controller.d.ts.map

package/dist/oauth.controller.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.controller.d.ts","sourceRoot":"","sources":["../src/oauth.controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAA2C,KAAK,QAAQ,EAAE,MAAM,eAAe,CAAC;AACvF,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAmB/C;;;GAGG;AACH,qBACa,eAAe;IACd,OAAO,CAAC,QAAQ,CAAC,YAAY;gBAAZ,YAAY,EAAE,YAAY;IAEvD;;;OAGG;IAEG,KAAK,CAAoB,QAAQ,EAAE,MAAM,EAAS,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IAkBrF;;;OAGG;IAEG,QAAQ,CACO,QAAQ,EAAE,MAAM,EAEnC,KAAK,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,eAAe,CAAC,EAAE,MAAM,CAAC;QAAC,aAAa,CAAC,EAAE,MAAM,CAAA;KAAE,EACnF,GAAG,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAA;KAAE,EAChE,GAAG,EAAE,QAAQ,GACnB,OAAO,CAAC,IAAI,CAAC;IA2ChB,OAAO,CAAC,cAAc;CAgBvB"}

package/dist/oauth.controller.js

@@ -0,0 +1,134 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthController = void 0;
+const core_1 = require("@hazeljs/core");
+const oauth_service_1 = require("./oauth.service");
+const STATE_COOKIE = 'oauth_state';
+const CODE_VERIFIER_COOKIE = 'oauth_code_verifier';
+const COOKIE_MAX_AGE = 60 * 10; // 10 minutes
+const COOKIE_OPTS = `Path=/; HttpOnly; SameSite=Lax; Max-Age=${COOKIE_MAX_AGE}`;
+function getCookie(req, name) {
+    const h = req?.headers?.['cookie'];
+    const cookieHeader = Array.isArray(h) ? h[0] : h;
+    if (typeof cookieHeader !== 'string')
+        return undefined;
+    const part = cookieHeader.split(';').find((c) => c.trim().startsWith(`${name}=`));
+    return part?.split('=')[1]?.trim();
+}
+/**
+ * Optional controller that provides OAuth routes.
+ * Register in your app if you want ready-made /auth/:provider and /auth/:provider/callback routes.
+ */
+let OAuthController = class OAuthController {
+    constructor(oauthService) {
+        this.oauthService = oauthService;
+    }
+    /**
+     * GET /auth/:provider - Redirects user to OAuth provider.
+     * Sets state and codeVerifier (for PKCE) in cookies.
+     */
+    async login(provider, res) {
+        const p = provider.toLowerCase();
+        if (!['google', 'microsoft', 'github', 'facebook', 'twitter'].includes(p)) {
+            res.status(400).json({ error: 'Invalid provider' });
+            return;
+        }
+        const { url, state, codeVerifier } = this.oauthService.getAuthorizationUrl(p);
+        const cookies = [`${STATE_COOKIE}=${state}; ${COOKIE_OPTS}`];
+        if (codeVerifier) {
+            cookies.push(`${CODE_VERIFIER_COOKIE}=${codeVerifier}; ${COOKIE_OPTS}`);
+        }
+        res.setHeader('Set-Cookie', cookies);
+        res.status(302);
+        res.setHeader('Location', url);
+        res.end();
+    }
+    /**
+     * GET /auth/:provider/callback - Handles OAuth callback.
+     * Returns JSON with accessToken, user. Use successRedirect/errorRedirect query params for redirects.
+     */
+    async callback(provider, query, req, res) {
+        const p = provider.toLowerCase();
+        if (!['google', 'microsoft', 'github', 'facebook', 'twitter'].includes(p)) {
+            res.status(400).json({ error: 'Invalid provider' });
+            return;
+        }
+        const code = query?.code;
+        if (!code) {
+            this.redirectOrJson(res, 400, query.errorRedirect, { error: 'Missing authorization code' });
+            return;
+        }
+        const storedState = getCookie(req, STATE_COOKIE);
+        const codeVerifier = getCookie(req, CODE_VERIFIER_COOKIE);
+        res.setHeader('Set-Cookie', [
+            `${STATE_COOKIE}=; Path=/; HttpOnly; Max-Age=0`,
+            `${CODE_VERIFIER_COOKIE}=; Path=/; HttpOnly; Max-Age=0`,
+        ]);
+        if (!storedState || query.state !== storedState) {
+            this.redirectOrJson(res, 400, query.errorRedirect, { error: 'Invalid state' });
+            return;
+        }
+        try {
+            const result = await this.oauthService.handleCallback(p, code, storedState, codeVerifier);
+            if (query.successRedirect) {
+                res.status(302);
+                res.setHeader('Location', query.successRedirect);
+                res.end();
+                return;
+            }
+            res.status(200).json(result);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : 'OAuth callback failed';
+            this.redirectOrJson(res, 401, query.errorRedirect, { error: message });
+        }
+    }
+    redirectOrJson(res, status, errorRedirect, json) {
+        if (errorRedirect) {
+            const url = new URL(errorRedirect);
+            if (json?.error)
+                url.searchParams.set('error', json.error);
+            res.status(302);
+            res.setHeader('Location', url.toString());
+            res.end();
+        }
+        else if (json) {
+            res.status(status).json(json);
+        }
+    }
+};
+exports.OAuthController = OAuthController;
+__decorate([
+    (0, core_1.Get)('/:provider'),
+    __param(0, (0, core_1.Param)('provider')),
+    __param(1, (0, core_1.Res)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [String, Object]),
+    __metadata("design:returntype", Promise)
+], OAuthController.prototype, "login", null);
+__decorate([
+    (0, core_1.Get)('/:provider/callback'),
+    __param(0, (0, core_1.Param)('provider')),
+    __param(1, (0, core_1.Query)()),
+    __param(2, (0, core_1.Req)()),
+    __param(3, (0, core_1.Res)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [String, Object, Object, Object]),
+    __metadata("design:returntype", Promise)
+], OAuthController.prototype, "callback", null);
+exports.OAuthController = OAuthController = __decorate([
+    (0, core_1.Controller)('/auth'),
+    __metadata("design:paramtypes", [oauth_service_1.OAuthService])
+], OAuthController);

package/dist/oauth.module.d.ts

@@ -0,0 +1,5 @@
+import type { OAuthModuleOptions } from './providers/provider.types';
+export declare class OAuthModule {
+    static forRoot(options: OAuthModuleOptions): typeof OAuthModule;
+}
+//# sourceMappingURL=oauth.module.d.ts.map

package/dist/oauth.module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.module.d.ts","sourceRoot":"","sources":["../src/oauth.module.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAErE,qBAKa,WAAW;IACtB,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,kBAAkB,GAAG,OAAO,WAAW;CAIhE"}