@moriajs/auth 0.3.5 → 0.4.0

package/.turbo/turbo-build.log

@@ -1,4 +1,4 @@
 
-> @moriajs/auth@0.3.5 build C:\Codes\node\2026\github\moriajs\packages\auth
+> @moriajs/auth@0.4.0 build C:\Codes\node\2026\github\moriajs\packages\auth
 > tsc
 

package/dist/index.d.ts

@@ -3,9 +3,13 @@
  *
  * Pluggable authentication system for MoriaJS.
  * Default: JWT + httpOnly cookies.
- * Architecture: Provider-based for future OAuth, sessions, etc.
+ * Providers: Google OAuth, GitHub OAuth (built-in).
  */
 import type { FastifyRequest, FastifyReply } from 'fastify';
+import type { OAuthProvider } from './providers/types.js';
+export { googleProvider } from './providers/google.js';
+export { githubProvider } from './providers/github.js';
+export type { OAuthProviderConfig, OAuthProvider } from './providers/types.js';
 /**
  * User payload stored in JWT token.
  * Extend this via TypeScript module augmentation in your app.
@@ -32,6 +36,12 @@ export interface AuthConfig {
     cookiePath?: string;
     /** SameSite cookie attribute (default: 'lax') */
     sameSite?: 'strict' | 'lax' | 'none';
+    /** OAuth providers (Google, GitHub, etc.) */
+    providers?: OAuthProvider[];
+    /** Default redirect after successful OAuth (default: '/') */
+    successRedirect?: string;
+    /** Default redirect after failed OAuth (default: '/') */
+    failureRedirect?: string;
 }
 /**
  * Auth provider interface for pluggable authentication strategies.
@@ -52,12 +62,22 @@ export interface AuthProvider {
  * @example
  * ```ts
  * import { createApp } from '@moriajs/core';
- * import { createAuthPlugin } from '@moriajs/auth';
+ * import { createAuthPlugin, googleProvider, githubProvider } from '@moriajs/auth';
  *
  * const app = await createApp();
  * await app.use(createAuthPlugin({
  *   secret: process.env.JWT_SECRET!,
  *   expiresIn: '24h',
+ *   providers: [
+ *     googleProvider({
+ *       clientId: process.env.GOOGLE_CLIENT_ID!,
+ *       clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
+ *     }),
+ *     githubProvider({
+ *       clientId: process.env.GITHUB_CLIENT_ID!,
+ *       clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+ *     }),
+ *   ],
  * }));
  * ```
  */

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAmB,cAAc,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE7E;;;GAGG;AACH,MAAM,WAAW,QAAQ;IACrB,EAAE,EAAE,MAAM,GAAG,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACvB,gCAAgC;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,uCAAuC;IACvC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,2DAA2D;IAC3D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,uDAAuD;IACvD,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,iCAAiC;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iDAAiD;IACjD,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;CACxC;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IACzB,6DAA6D;IAC7D,IAAI,EAAE,MAAM,CAAC;IACb,kEAAkE;IAClE,MAAM,EAAE,CAAC,OAAO,EAAE,cAAc,KAAK,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;IAC9D,wCAAwC;IACxC,IAAI,EAAE,CAAC,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,YAAY,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/D,iCAAiC;IACjC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,YAAY,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAC5E;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,UAAU;;yBAIhB;QAAE,MAAM,EAAE,GAAG,CAAA;KAAE;EAoCjD;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,WAAW,CAAC,OAAO,CAAC,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,IACrC,SAAS,cAAc,EAAE,OAAO,YAAY,wBAe7D"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAmB,cAAc,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAI1D,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,YAAY,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAE/E;;;GAGG;AACH,MAAM,WAAW,QAAQ;IACrB,EAAE,EAAE,MAAM,GAAG,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACvB,gCAAgC;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,uCAAuC;IACvC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,2DAA2D;IAC3D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,uDAAuD;IACvD,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,iCAAiC;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iDAAiD;IACjD,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IACrC,6CAA6C;IAC7C,SAAS,CAAC,EAAE,aAAa,EAAE,CAAC;IAC5B,6DAA6D;IAC7D,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,yDAAyD;IACzD,eAAe,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IACzB,6DAA6D;IAC7D,IAAI,EAAE,MAAM,CAAC;IACb,kEAAkE;IAClE,MAAM,EAAE,CAAC,OAAO,EAAE,cAAc,KAAK,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;IAC9D,wCAAwC;IACxC,IAAI,EAAE,CAAC,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,YAAY,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/D,iCAAiC;IACjC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,YAAY,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAC5E;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,UAAU;;yBAIhB;QAAE,MAAM,EAAE,GAAG,CAAA;KAAE;EA8CjD;AAsFD;;;;;;;;;;GAUG;AACH,wBAAgB,WAAW,CAAC,OAAO,CAAC,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,IACrC,SAAS,cAAc,EAAE,OAAO,YAAY,wBAe7D"}

package/dist/index.js

@@ -3,20 +3,34 @@
  *
  * Pluggable authentication system for MoriaJS.
  * Default: JWT + httpOnly cookies.
- * Architecture: Provider-based for future OAuth, sessions, etc.
+ * Providers: Google OAuth, GitHub OAuth (built-in).
  */
+import crypto from 'node:crypto';
+// ─── Re-exports ──────────────────────────────────────
+export { googleProvider } from './providers/google.js';
+export { githubProvider } from './providers/github.js';
 /**
  * Create the JWT auth plugin for MoriaJS.
  *
  * @example
  * ```ts
  * import { createApp } from '@moriajs/core';
- * import { createAuthPlugin } from '@moriajs/auth';
+ * import { createAuthPlugin, googleProvider, githubProvider } from '@moriajs/auth';
  *
  * const app = await createApp();
  * await app.use(createAuthPlugin({
  *   secret: process.env.JWT_SECRET!,
  *   expiresIn: '24h',
+ *   providers: [
+ *     googleProvider({
+ *       clientId: process.env.GOOGLE_CLIENT_ID!,
+ *       clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
+ *     }),
+ *     githubProvider({
+ *       clientId: process.env.GITHUB_CLIENT_ID!,
+ *       clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+ *     }),
+ *   ],
  * }));
  * ```
  */
@@ -43,10 +57,83 @@ export function createAuthPlugin(config) {
             server.decorate('signOut', async (_request, reply) => {
                 reply.header('Set-Cookie', `${config.cookieName ?? 'moria_token'}=; HttpOnly; Path=${config.cookiePath ?? '/'}; Max-Age=0`);
             });
+            // ─── Register OAuth providers ────────────────────
+            if (config.providers && config.providers.length > 0) {
+                registerOAuthRoutes(server, config);
+            }
             server.log.info('@moriajs/auth: JWT auth plugin registered');
+            if (config.providers?.length) {
+                const names = config.providers.map((p) => p.name).join(', ');
+                server.log.info(`@moriajs/auth: OAuth providers registered: ${names}`);
+            }
         },
     };
 }
+/**
+ * Register OAuth redirect + callback routes for each provider.
+ */
+function registerOAuthRoutes(server, config) {
+    for (const provider of config.providers ?? []) {
+        const authPath = `/auth/${provider.name}`;
+        const callbackPath = provider.callbackPath;
+        // GET /auth/:provider → Redirect to OAuth consent screen
+        server.get(authPath, async (request, reply) => {
+            const state = crypto.randomBytes(16).toString('hex');
+            // Store state in a short-lived cookie for CSRF protection
+            reply.header('Set-Cookie', `moria_oauth_state=${state}; HttpOnly; Path=/; Max-Age=600; SameSite=Lax`);
+            // Build the full callback URL from the request
+            const protocol = request.protocol ?? 'http';
+            const host = request.hostname;
+            const fullCallbackUrl = `${protocol}://${host}${callbackPath}`;
+            // Get auth URL and inject the full callback URL
+            let authUrl = provider.getAuthUrl(state);
+            authUrl = authUrl.replace('redirect_uri=', `redirect_uri=${encodeURIComponent(fullCallbackUrl)}`);
+            return reply.redirect(authUrl);
+        });
+        // GET /auth/:provider/callback → Exchange code, issue JWT
+        server.get(callbackPath, async (request, reply) => {
+            const query = request.query;
+            const failureUrl = provider.failureRedirect ?? config.failureRedirect ?? '/';
+            const successUrl = provider.successRedirect ?? config.successRedirect ?? '/';
+            // Check for OAuth errors
+            if (query.error || !query.code) {
+                request.log.warn(`OAuth ${provider.name} error: ${query.error ?? 'no code'}`);
+                return reply.redirect(failureUrl);
+            }
+            // Validate state (CSRF protection)
+            const cookieHeader = request.headers.cookie ?? '';
+            const stateCookie = cookieHeader
+                .split(';')
+                .map((c) => c.trim())
+                .find((c) => c.startsWith('moria_oauth_state='));
+            const savedState = stateCookie?.split('=')[1];
+            if (!savedState || savedState !== query.state) {
+                request.log.warn(`OAuth ${provider.name}: state mismatch`);
+                return reply.redirect(failureUrl);
+            }
+            // Clear state cookie
+            reply.header('Set-Cookie', 'moria_oauth_state=; HttpOnly; Path=/; Max-Age=0');
+            try {
+                // Build full callback URL
+                const protocol = request.protocol ?? 'http';
+                const host = request.hostname;
+                const fullCallbackUrl = `${protocol}://${host}${callbackPath}`;
+                // Exchange code for access token
+                const accessToken = await provider.exchangeCode(query.code, fullCallbackUrl);
+                // Fetch user profile
+                const user = await provider.fetchProfile(accessToken);
+                // Sign JWT and set cookie
+                // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                await server.signIn(user, reply);
+                return reply.redirect(successUrl);
+            }
+            catch (err) {
+                request.log.error(err, `OAuth ${provider.name} callback failed`);
+                return reply.redirect(failureUrl);
+            }
+        });
+    }
+}
 /**
  * Route-level authentication guard.
  * Use as a Fastify preHandler hook.

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AA+CH;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAkB;IAC/C,OAAO;QACH,IAAI,EAAE,eAAe;QACrB,8DAA8D;QAC9D,KAAK,CAAC,QAAQ,CAAC,EAAE,MAAM,EAAmB;YACtC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,CAAC;YAEzC,MAAO,MAA0B,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,EAAE;gBACpD,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,MAAM,EAAE;oBACJ,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,aAAa;oBAC9C,MAAM,EAAE,KAAK;iBAChB;aACJ,CAAC,CAAC;YAEH,wCAAwC;YACxC,MAAM,CAAC,QAAQ,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAc,EAAE,KAAmB,EAAE,EAAE;gBACpE,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,CACzB,EAAE,GAAG,IAAI,EAAE,EACX,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,IAAI,EAAE,CAC1C,CAAC;gBAEF,KAAK,CAAC,MAAM,CAAC,YAAY,EACrB,GAAG,MAAM,CAAC,UAAU,IAAI,aAAa,IAAI,KAAK,oBAAoB,MAAM,CAAC,UAAU,IAAI,GAAG,cAAc,MAAM,CAAC,QAAQ,IAAI,KAAK,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAClN,EAAE,CACL,CAAC;gBAEF,OAAO,KAAK,CAAC;YACjB,CAAC,CAAC,CAAC;YAEH,wCAAwC;YACxC,MAAM,CAAC,QAAQ,CAAC,SAAS,EAAE,KAAK,EAAE,QAAwB,EAAE,KAAmB,EAAE,EAAE;gBAC/E,KAAK,CAAC,MAAM,CAAC,YAAY,EACrB,GAAG,MAAM,CAAC,UAAU,IAAI,aAAa,qBAAqB,MAAM,CAAC,UAAU,IAAI,GAAG,aAAa,CAClG,CAAC;YACN,CAAC,CAAC,CAAC;YAEF,MAA0B,CAAC,GAAG,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;QACtF,CAAC;KACJ,CAAC;AACN,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,WAAW,CAAC,OAA2B;IACnD,OAAO,KAAK,EAAE,OAAuB,EAAE,KAAmB,EAAE,EAAE;QAC1D,IAAI,CAAC;YACD,8DAA8D;YAC9D,MAAO,OAAe,CAAC,SAAS,EAAE,CAAC;YAEnC,IAAI,OAAO,EAAE,IAAI,EAAE,CAAC;gBAChB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAgB,CAAC;gBACtC,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI,EAAE,CAAC;oBAC7B,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;gBAC1D,CAAC;YACL,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;QAC7D,CAAC;IACL,CAAC,CAAC;AACN,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,wDAAwD;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAoDvD;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAkB;IAC/C,OAAO;QACH,IAAI,EAAE,eAAe;QACrB,8DAA8D;QAC9D,KAAK,CAAC,QAAQ,CAAC,EAAE,MAAM,EAAmB;YACtC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,CAAC;YAEzC,MAAO,MAA0B,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,EAAE;gBACpD,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,MAAM,EAAE;oBACJ,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,aAAa;oBAC9C,MAAM,EAAE,KAAK;iBAChB;aACJ,CAAC,CAAC;YAEH,wCAAwC;YACxC,MAAM,CAAC,QAAQ,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAc,EAAE,KAAmB,EAAE,EAAE;gBACpE,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,CACzB,EAAE,GAAG,IAAI,EAAE,EACX,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,IAAI,EAAE,CAC1C,CAAC;gBAEF,KAAK,CAAC,MAAM,CAAC,YAAY,EACrB,GAAG,MAAM,CAAC,UAAU,IAAI,aAAa,IAAI,KAAK,oBAAoB,MAAM,CAAC,UAAU,IAAI,GAAG,cAAc,MAAM,CAAC,QAAQ,IAAI,KAAK,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAClN,EAAE,CACL,CAAC;gBAEF,OAAO,KAAK,CAAC;YACjB,CAAC,CAAC,CAAC;YAEH,wCAAwC;YACxC,MAAM,CAAC,QAAQ,CAAC,SAAS,EAAE,KAAK,EAAE,QAAwB,EAAE,KAAmB,EAAE,EAAE;gBAC/E,KAAK,CAAC,MAAM,CAAC,YAAY,EACrB,GAAG,MAAM,CAAC,UAAU,IAAI,aAAa,qBAAqB,MAAM,CAAC,UAAU,IAAI,GAAG,aAAa,CAClG,CAAC;YACN,CAAC,CAAC,CAAC;YAEH,oDAAoD;YACpD,IAAI,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClD,mBAAmB,CAAC,MAAyB,EAAE,MAAM,CAAC,CAAC;YAC3D,CAAC;YAEA,MAA0B,CAAC,GAAG,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;YAElF,IAAI,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,CAAC;gBAC3B,MAAM,KAAK,GAAG,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC5D,MAA0B,CAAC,GAAG,CAAC,IAAI,CAAC,8CAA8C,KAAK,EAAE,CAAC,CAAC;YAChG,CAAC;QACL,CAAC;KACJ,CAAC;AACN,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAAuB,EAAE,MAAkB;IACpE,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,IAAI,EAAE,EAAE,CAAC;QAC5C,MAAM,QAAQ,GAAG,SAAS,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC1C,MAAM,YAAY,GAAG,QAAQ,CAAC,YAAY,CAAC;QAE3C,yDAAyD;QACzD,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE;YAC1C,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAErD,0DAA0D;YAC1D,KAAK,CAAC,MAAM,CAAC,YAAY,EACrB,qBAAqB,KAAK,+CAA+C,CAC5E,CAAC;YAEF,+CAA+C;YAC/C,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,MAAM,CAAC;YAC5C,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,CAAC;YAC9B,MAAM,eAAe,GAAG,GAAG,QAAQ,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;YAE/D,gDAAgD;YAChD,IAAI,OAAO,GAAG,QAAQ,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YACzC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,eAAe,EAAE,gBAAgB,kBAAkB,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC;YAElG,OAAO,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,0DAA0D;QAC1D,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE;YAC9C,MAAM,KAAK,GAAG,OAAO,CAAC,KAA0D,CAAC;YACjF,MAAM,UAAU,GAAG,QAAQ,CAAC,eAAe,IAAI,MAAM,CAAC,eAAe,IAAI,GAAG,CAAC;YAC7E,MAAM,UAAU,GAAG,QAAQ,CAAC,eAAe,IAAI,MAAM,CAAC,eAAe,IAAI,GAAG,CAAC;YAE7E,yBAAyB;YACzB,IAAI,KAAK,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;gBAC7B,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,QAAQ,CAAC,IAAI,WAAW,KAAK,CAAC,KAAK,IAAI,SAAS,EAAE,CAAC,CAAC;gBAC9E,OAAO,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YACtC,CAAC;YAED,mCAAmC;YACnC,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;YAClD,MAAM,WAAW,GAAG,YAAY;iBAC3B,KAAK,CAAC,GAAG,CAAC;iBACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;iBACpB,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,oBAAoB,CAAC,CAAC,CAAC;YACrD,MAAM,UAAU,GAAG,WAAW,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAE9C,IAAI,CAAC,UAAU,IAAI,UAAU,KAAK,KAAK,CAAC,KAAK,EAAE,CAAC;gBAC5C,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,QAAQ,CAAC,IAAI,kBAAkB,CAAC,CAAC;gBAC3D,OAAO,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YACtC,CAAC;YAED,qBAAqB;YACrB,KAAK,CAAC,MAAM,CAAC,YAAY,EACrB,iDAAiD,CACpD,CAAC;YAEF,IAAI,CAAC;gBACD,0BAA0B;gBAC1B,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,MAAM,CAAC;gBAC5C,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,CAAC;gBAC9B,MAAM,eAAe,GAAG,GAAG,QAAQ,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;gBAE/D,iCAAiC;gBACjC,MAAM,WAAW,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,KAAK,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;gBAE7E,qBAAqB;gBACrB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;gBAEtD,0BAA0B;gBAC1B,8DAA8D;gBAC9D,MAAO,MAAc,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;gBAE1C,OAAO,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YACtC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,SAAS,QAAQ,CAAC,IAAI,kBAAkB,CAAC,CAAC;gBACjE,OAAO,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YACtC,CAAC;QACL,CAAC,CAAC,CAAC;IACP,CAAC;AACL,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,WAAW,CAAC,OAA2B;IACnD,OAAO,KAAK,EAAE,OAAuB,EAAE,KAAmB,EAAE,EAAE;QAC1D,IAAI,CAAC;YACD,8DAA8D;YAC9D,MAAO,OAAe,CAAC,SAAS,EAAE,CAAC;YAEnC,IAAI,OAAO,EAAE,IAAI,EAAE,CAAC;gBAChB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAgB,CAAC;gBACtC,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI,EAAE,CAAC;oBAC7B,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;gBAC1D,CAAC;YACL,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;QAC7D,CAAC;IACL,CAAC,CAAC;AACN,CAAC"}

package/dist/providers/github.d.ts

@@ -0,0 +1,27 @@
+/**
+ * GitHub OAuth2 Provider
+ *
+ * Implements the Authorization Code flow for GitHub.
+ * Uses Node.js built-in fetch — zero additional dependencies.
+ */
+import type { OAuthProviderConfig, OAuthProvider } from './types.js';
+/**
+ * Create a GitHub OAuth provider.
+ *
+ * @example
+ * ```ts
+ * import { createAuthPlugin, githubProvider } from '@moriajs/auth';
+ *
+ * await app.use(createAuthPlugin({
+ *   secret: process.env.JWT_SECRET!,
+ *   providers: [
+ *     githubProvider({
+ *       clientId: process.env.GITHUB_CLIENT_ID!,
+ *       clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+ *     }),
+ *   ],
+ * }));
+ * ```
+ */
+export declare function githubProvider(config: OAuthProviderConfig): OAuthProvider;
+//# sourceMappingURL=github.d.ts.map

package/dist/providers/github.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../../src/providers/github.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AASrE;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,mBAAmB,GAAG,aAAa,CAuGzE"}

package/dist/providers/github.js

@@ -0,0 +1,115 @@
+/**
+ * GitHub OAuth2 Provider
+ *
+ * Implements the Authorization Code flow for GitHub.
+ * Uses Node.js built-in fetch — zero additional dependencies.
+ */
+const GITHUB_AUTH_URL = 'https://github.com/login/oauth/authorize';
+const GITHUB_TOKEN_URL = 'https://github.com/login/oauth/access_token';
+const GITHUB_PROFILE_URL = 'https://api.github.com/user';
+const GITHUB_EMAILS_URL = 'https://api.github.com/user/emails';
+const DEFAULT_SCOPES = ['read:user', 'user:email'];
+/**
+ * Create a GitHub OAuth provider.
+ *
+ * @example
+ * ```ts
+ * import { createAuthPlugin, githubProvider } from '@moriajs/auth';
+ *
+ * await app.use(createAuthPlugin({
+ *   secret: process.env.JWT_SECRET!,
+ *   providers: [
+ *     githubProvider({
+ *       clientId: process.env.GITHUB_CLIENT_ID!,
+ *       clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+ *     }),
+ *   ],
+ * }));
+ * ```
+ */
+export function githubProvider(config) {
+    const scopes = config.scopes ?? DEFAULT_SCOPES;
+    const callbackPath = config.callbackUrl ?? '/auth/github/callback';
+    return {
+        name: 'github',
+        callbackPath,
+        successRedirect: config.successRedirect ?? '/',
+        failureRedirect: config.failureRedirect ?? '/',
+        getAuthUrl(state) {
+            const params = new URLSearchParams({
+                client_id: config.clientId,
+                redirect_uri: '', // Will be set at runtime with full URL
+                scope: scopes.join(' '),
+                state,
+            });
+            return `${GITHUB_AUTH_URL}?${params.toString()}`;
+        },
+        async exchangeCode(code, callbackUrl) {
+            const res = await fetch(GITHUB_TOKEN_URL, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                    Accept: 'application/json',
+                },
+                body: JSON.stringify({
+                    client_id: config.clientId,
+                    client_secret: config.clientSecret,
+                    code,
+                    redirect_uri: callbackUrl,
+                }),
+            });
+            if (!res.ok) {
+                const error = await res.text();
+                throw new Error(`GitHub token exchange failed: ${error}`);
+            }
+            const data = await res.json();
+            if (data.error) {
+                throw new Error(`GitHub OAuth error: ${data.error}`);
+            }
+            return data.access_token;
+        },
+        async fetchProfile(accessToken) {
+            // Fetch profile
+            const profileRes = await fetch(GITHUB_PROFILE_URL, {
+                headers: {
+                    Authorization: `Bearer ${accessToken}`,
+                    Accept: 'application/vnd.github+json',
+                    'User-Agent': 'MoriaJS',
+                },
+            });
+            if (!profileRes.ok) {
+                throw new Error('Failed to fetch GitHub profile');
+            }
+            const profile = await profileRes.json();
+            // If email is not public, fetch from /user/emails
+            let email = profile.email;
+            if (!email) {
+                try {
+                    const emailsRes = await fetch(GITHUB_EMAILS_URL, {
+                        headers: {
+                            Authorization: `Bearer ${accessToken}`,
+                            Accept: 'application/vnd.github+json',
+                            'User-Agent': 'MoriaJS',
+                        },
+                    });
+                    if (emailsRes.ok) {
+                        const emails = await emailsRes.json();
+                        const primary = emails.find((e) => e.primary && e.verified);
+                        email = primary?.email ?? emails[0]?.email ?? null;
+                    }
+                }
+                catch {
+                    // Email fetch failed, continue without
+                }
+            }
+            return {
+                id: profile.id,
+                email: email ?? undefined,
+                name: profile.name ?? profile.login,
+                avatar: profile.avatar_url,
+                provider: 'github',
+            };
+        },
+    };
+}
+//# sourceMappingURL=github.js.map

package/dist/providers/github.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"github.js","sourceRoot":"","sources":["../../src/providers/github.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,MAAM,eAAe,GAAG,0CAA0C,CAAC;AACnE,MAAM,gBAAgB,GAAG,6CAA6C,CAAC;AACvE,MAAM,kBAAkB,GAAG,6BAA6B,CAAC;AACzD,MAAM,iBAAiB,GAAG,oCAAoC,CAAC;AAE/D,MAAM,cAAc,GAAG,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;AAEnD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,cAAc,CAAC,MAA2B;IACtD,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,cAAc,CAAC;IAC/C,MAAM,YAAY,GAAG,MAAM,CAAC,WAAW,IAAI,uBAAuB,CAAC;IAEnE,OAAO;QACH,IAAI,EAAE,QAAQ;QACd,YAAY;QACZ,eAAe,EAAE,MAAM,CAAC,eAAe,IAAI,GAAG;QAC9C,eAAe,EAAE,MAAM,CAAC,eAAe,IAAI,GAAG;QAE9C,UAAU,CAAC,KAAa;YACpB,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;gBAC/B,SAAS,EAAE,MAAM,CAAC,QAAQ;gBAC1B,YAAY,EAAE,EAAE,EAAE,uCAAuC;gBACzD,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;gBACvB,KAAK;aACR,CAAC,CAAC;YACH,OAAO,GAAG,eAAe,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QACrD,CAAC;QAED,KAAK,CAAC,YAAY,CAAC,IAAY,EAAE,WAAmB;YAChD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,gBAAgB,EAAE;gBACtC,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACL,cAAc,EAAE,kBAAkB;oBAClC,MAAM,EAAE,kBAAkB;iBAC7B;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACjB,SAAS,EAAE,MAAM,CAAC,QAAQ;oBAC1B,aAAa,EAAE,MAAM,CAAC,YAAY;oBAClC,IAAI;oBACJ,YAAY,EAAE,WAAW;iBAC5B,CAAC;aACL,CAAC,CAAC;YAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACV,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBAC/B,MAAM,IAAI,KAAK,CAAC,iCAAiC,KAAK,EAAE,CAAC,CAAC;YAC9D,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA8C,CAAC;YAC1E,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CAAC,uBAAuB,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;YACzD,CAAC;YACD,OAAO,IAAI,CAAC,YAAY,CAAC;QAC7B,CAAC;QAED,KAAK,CAAC,YAAY,CAAC,WAAmB;YAClC,gBAAgB;YAChB,MAAM,UAAU,GAAG,MAAM,KAAK,CAAC,kBAAkB,EAAE;gBAC/C,OAAO,EAAE;oBACL,aAAa,EAAE,UAAU,WAAW,EAAE;oBACtC,MAAM,EAAE,6BAA6B;oBACrC,YAAY,EAAE,SAAS;iBAC1B;aACJ,CAAC,CAAC;YAEH,IAAI,CAAC,UAAU,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;YACtD,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,EAMpC,CAAC;YAEF,kDAAkD;YAClD,IAAI,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;YAC1B,IAAI,CAAC,KAAK,EAAE,CAAC;gBACT,IAAI,CAAC;oBACD,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,iBAAiB,EAAE;wBAC7C,OAAO,EAAE;4BACL,aAAa,EAAE,UAAU,WAAW,EAAE;4BACtC,MAAM,EAAE,6BAA6B;4BACrC,YAAY,EAAE,SAAS;yBAC1B;qBACJ,CAAC,CAAC;oBACH,IAAI,SAAS,CAAC,EAAE,EAAE,CAAC;wBACf,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,EAIjC,CAAC;wBACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC;wBAC5D,KAAK,GAAG,OAAO,EAAE,KAAK,IAAI,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,IAAI,CAAC;oBACvD,CAAC;gBACL,CAAC;gBAAC,MAAM,CAAC;oBACL,uCAAuC;gBAC3C,CAAC;YACL,CAAC;YAED,OAAO;gBACH,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,KAAK,EAAE,KAAK,IAAI,SAAS;gBACzB,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,KAAK;gBACnC,MAAM,EAAE,OAAO,CAAC,UAAU;gBAC1B,QAAQ,EAAE,QAAQ;aACrB,CAAC;QACN,CAAC;KACJ,CAAC;AACN,CAAC"}

package/dist/providers/google.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Google OAuth2 Provider
+ *
+ * Implements the Authorization Code flow for Google.
+ * Uses Node.js built-in fetch — zero additional dependencies.
+ */
+import type { OAuthProviderConfig, OAuthProvider } from './types.js';
+/**
+ * Create a Google OAuth provider.
+ *
+ * @example
+ * ```ts
+ * import { createAuthPlugin, googleProvider } from '@moriajs/auth';
+ *
+ * await app.use(createAuthPlugin({
+ *   secret: process.env.JWT_SECRET!,
+ *   providers: [
+ *     googleProvider({
+ *       clientId: process.env.GOOGLE_CLIENT_ID!,
+ *       clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
+ *     }),
+ *   ],
+ * }));
+ * ```
+ */
+export declare function googleProvider(config: OAuthProviderConfig): OAuthProvider;
+//# sourceMappingURL=google.d.ts.map

package/dist/providers/google.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"google.d.ts","sourceRoot":"","sources":["../../src/providers/google.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAQrE;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,mBAAmB,GAAG,aAAa,CAsEzE"}

package/dist/providers/google.js

@@ -0,0 +1,86 @@
+/**
+ * Google OAuth2 Provider
+ *
+ * Implements the Authorization Code flow for Google.
+ * Uses Node.js built-in fetch — zero additional dependencies.
+ */
+const GOOGLE_AUTH_URL = 'https://accounts.google.com/o/oauth2/v2/auth';
+const GOOGLE_TOKEN_URL = 'https://oauth2.googleapis.com/token';
+const GOOGLE_PROFILE_URL = 'https://www.googleapis.com/oauth2/v2/userinfo';
+const DEFAULT_SCOPES = ['openid', 'email', 'profile'];
+/**
+ * Create a Google OAuth provider.
+ *
+ * @example
+ * ```ts
+ * import { createAuthPlugin, googleProvider } from '@moriajs/auth';
+ *
+ * await app.use(createAuthPlugin({
+ *   secret: process.env.JWT_SECRET!,
+ *   providers: [
+ *     googleProvider({
+ *       clientId: process.env.GOOGLE_CLIENT_ID!,
+ *       clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
+ *     }),
+ *   ],
+ * }));
+ * ```
+ */
+export function googleProvider(config) {
+    const scopes = config.scopes ?? DEFAULT_SCOPES;
+    const callbackPath = config.callbackUrl ?? '/auth/google/callback';
+    return {
+        name: 'google',
+        callbackPath,
+        successRedirect: config.successRedirect ?? '/',
+        failureRedirect: config.failureRedirect ?? '/',
+        getAuthUrl(state) {
+            const params = new URLSearchParams({
+                client_id: config.clientId,
+                redirect_uri: '', // Will be set at runtime with full URL
+                response_type: 'code',
+                scope: scopes.join(' '),
+                state,
+                access_type: 'offline',
+                prompt: 'consent',
+            });
+            return `${GOOGLE_AUTH_URL}?${params.toString()}`;
+        },
+        async exchangeCode(code, callbackUrl) {
+            const res = await fetch(GOOGLE_TOKEN_URL, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+                body: new URLSearchParams({
+                    code,
+                    client_id: config.clientId,
+                    client_secret: config.clientSecret,
+                    redirect_uri: callbackUrl,
+                    grant_type: 'authorization_code',
+                }).toString(),
+            });
+            if (!res.ok) {
+                const error = await res.text();
+                throw new Error(`Google token exchange failed: ${error}`);
+            }
+            const data = await res.json();
+            return data.access_token;
+        },
+        async fetchProfile(accessToken) {
+            const res = await fetch(GOOGLE_PROFILE_URL, {
+                headers: { Authorization: `Bearer ${accessToken}` },
+            });
+            if (!res.ok) {
+                throw new Error('Failed to fetch Google profile');
+            }
+            const profile = await res.json();
+            return {
+                id: profile.id,
+                email: profile.email,
+                name: profile.name,
+                avatar: profile.picture,
+                provider: 'google',
+            };
+        },
+    };
+}
+//# sourceMappingURL=google.js.map

package/dist/providers/google.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"google.js","sourceRoot":"","sources":["../../src/providers/google.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,MAAM,eAAe,GAAG,8CAA8C,CAAC;AACvE,MAAM,gBAAgB,GAAG,qCAAqC,CAAC;AAC/D,MAAM,kBAAkB,GAAG,+CAA+C,CAAC;AAE3E,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;AAEtD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,cAAc,CAAC,MAA2B;IACtD,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,cAAc,CAAC;IAC/C,MAAM,YAAY,GAAG,MAAM,CAAC,WAAW,IAAI,uBAAuB,CAAC;IAEnE,OAAO;QACH,IAAI,EAAE,QAAQ;QACd,YAAY;QACZ,eAAe,EAAE,MAAM,CAAC,eAAe,IAAI,GAAG;QAC9C,eAAe,EAAE,MAAM,CAAC,eAAe,IAAI,GAAG;QAE9C,UAAU,CAAC,KAAa;YACpB,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;gBAC/B,SAAS,EAAE,MAAM,CAAC,QAAQ;gBAC1B,YAAY,EAAE,EAAE,EAAE,uCAAuC;gBACzD,aAAa,EAAE,MAAM;gBACrB,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;gBACvB,KAAK;gBACL,WAAW,EAAE,SAAS;gBACtB,MAAM,EAAE,SAAS;aACpB,CAAC,CAAC;YACH,OAAO,GAAG,eAAe,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QACrD,CAAC;QAED,KAAK,CAAC,YAAY,CAAC,IAAY,EAAE,WAAmB;YAChD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,gBAAgB,EAAE;gBACtC,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;gBAChE,IAAI,EAAE,IAAI,eAAe,CAAC;oBACtB,IAAI;oBACJ,SAAS,EAAE,MAAM,CAAC,QAAQ;oBAC1B,aAAa,EAAE,MAAM,CAAC,YAAY;oBAClC,YAAY,EAAE,WAAW;oBACzB,UAAU,EAAE,oBAAoB;iBACnC,CAAC,CAAC,QAAQ,EAAE;aAChB,CAAC,CAAC;YAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACV,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBAC/B,MAAM,IAAI,KAAK,CAAC,iCAAiC,KAAK,EAAE,CAAC,CAAC;YAC9D,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA8B,CAAC;YAC1D,OAAO,IAAI,CAAC,YAAY,CAAC;QAC7B,CAAC;QAED,KAAK,CAAC,YAAY,CAAC,WAAmB;YAClC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,kBAAkB,EAAE;gBACxC,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE;aACtD,CAAC,CAAC;YAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACV,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;YACtD,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAK7B,CAAC;YAEF,OAAO;gBACH,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,MAAM,EAAE,OAAO,CAAC,OAAO;gBACvB,QAAQ,EAAE,QAAQ;aACrB,CAAC;QACN,CAAC;KACJ,CAAC;AACN,CAAC"}

package/dist/providers/types.d.ts

@@ -0,0 +1,43 @@
+/**
+ * OAuth Provider Types
+ *
+ * Shared types for all OAuth providers in MoriaJS.
+ */
+import type { AuthUser } from '../index.js';
+/**
+ * Configuration for an OAuth provider.
+ */
+export interface OAuthProviderConfig {
+    /** OAuth2 client ID */
+    clientId: string;
+    /** OAuth2 client secret */
+    clientSecret: string;
+    /** Callback URL path (e.g., '/auth/google/callback') */
+    callbackUrl?: string;
+    /** OAuth2 scopes to request */
+    scopes?: string[];
+    /** URL to redirect to after successful auth (default: '/') */
+    successRedirect?: string;
+    /** URL to redirect to after failed auth (default: '/') */
+    failureRedirect?: string;
+}
+/**
+ * An OAuth provider registers redirect + callback routes
+ * and maps external profiles to MoriaJS AuthUser.
+ */
+export interface OAuthProvider {
+    /** Provider name (e.g., 'google', 'github') */
+    name: string;
+    /** Build the authorization redirect URL */
+    getAuthUrl(state: string): string;
+    /** Exchange auth code for access token */
+    exchangeCode(code: string, callbackUrl: string): Promise<string>;
+    /** Fetch user profile using access token */
+    fetchProfile(accessToken: string): Promise<AuthUser>;
+    /** The configured callback URL path */
+    callbackPath: string;
+    /** Redirect paths */
+    successRedirect: string;
+    failureRedirect: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/providers/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/providers/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAE5C;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAChC,uBAAuB;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,2BAA2B;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,wDAAwD;IACxD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,+BAA+B;IAC/B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,8DAA8D;IAC9D,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,0DAA0D;IAC1D,eAAe,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC1B,+CAA+C;IAC/C,IAAI,EAAE,MAAM,CAAC;IACb,2CAA2C;IAC3C,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;IAClC,0CAA0C;IAC1C,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACjE,4CAA4C;IAC5C,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IACrD,uCAAuC;IACvC,YAAY,EAAE,MAAM,CAAC;IACrB,qBAAqB;IACrB,eAAe,EAAE,MAAM,CAAC;IACxB,eAAe,EAAE,MAAM,CAAC;CAC3B"}

package/dist/providers/types.js

@@ -0,0 +1,7 @@
+/**
+ * OAuth Provider Types
+ *
+ * Shared types for all OAuth providers in MoriaJS.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/providers/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/providers/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@moriajs/auth",
-  "version": "0.3.5",
+  "version": "0.4.0",
   "type": "module",
   "description": "MoriaJS auth — JWT + httpOnly cookies, pluggable auth system",
   "main": "./dist/index.js",
@@ -22,7 +22,7 @@
     "fastify": "^5.2.0"
   },
   "peerDependencies": {
-    "@moriajs/core": "0.3.5"
+    "@moriajs/core": "0.4.0"
   },
   "license": "MIT",
   "author": "Guntur-D <guntur.d.npm@gmail.com>",

package/src/index.ts

@@ -3,10 +3,17 @@
  *
  * Pluggable authentication system for MoriaJS.
  * Default: JWT + httpOnly cookies.
- * Architecture: Provider-based for future OAuth, sessions, etc.
+ * Providers: Google OAuth, GitHub OAuth (built-in).
  */
 
 import type { FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';
+import type { OAuthProvider } from './providers/types.js';
+import crypto from 'node:crypto';
+
+// ─── Re-exports ──────────────────────────────────────
+export { googleProvider } from './providers/google.js';
+export { githubProvider } from './providers/github.js';
+export type { OAuthProviderConfig, OAuthProvider } from './providers/types.js';
 
 /**
  * User payload stored in JWT token.
@@ -35,6 +42,12 @@ export interface AuthConfig {
     cookiePath?: string;
     /** SameSite cookie attribute (default: 'lax') */
     sameSite?: 'strict' | 'lax' | 'none';
+    /** OAuth providers (Google, GitHub, etc.) */
+    providers?: OAuthProvider[];
+    /** Default redirect after successful OAuth (default: '/') */
+    successRedirect?: string;
+    /** Default redirect after failed OAuth (default: '/') */
+    failureRedirect?: string;
 }
 
 /**
@@ -57,12 +70,22 @@ export interface AuthProvider {
  * @example
  * ```ts
  * import { createApp } from '@moriajs/core';
- * import { createAuthPlugin } from '@moriajs/auth';
+ * import { createAuthPlugin, googleProvider, githubProvider } from '@moriajs/auth';
  *
  * const app = await createApp();
  * await app.use(createAuthPlugin({
  *   secret: process.env.JWT_SECRET!,
  *   expiresIn: '24h',
+ *   providers: [
+ *     googleProvider({
+ *       clientId: process.env.GOOGLE_CLIENT_ID!,
+ *       clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
+ *     }),
+ *     githubProvider({
+ *       clientId: process.env.GITHUB_CLIENT_ID!,
+ *       clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+ *     }),
+ *   ],
  * }));
  * ```
  */
@@ -103,11 +126,105 @@ export function createAuthPlugin(config: AuthConfig) {
                 );
             });
 
+            // ─── Register OAuth providers ────────────────────
+            if (config.providers && config.providers.length > 0) {
+                registerOAuthRoutes(server as FastifyInstance, config);
+            }
+
             (server as FastifyInstance).log.info('@moriajs/auth: JWT auth plugin registered');
+
+            if (config.providers?.length) {
+                const names = config.providers.map((p) => p.name).join(', ');
+                (server as FastifyInstance).log.info(`@moriajs/auth: OAuth providers registered: ${names}`);
+            }
         },
     };
 }
 
+/**
+ * Register OAuth redirect + callback routes for each provider.
+ */
+function registerOAuthRoutes(server: FastifyInstance, config: AuthConfig) {
+    for (const provider of config.providers ?? []) {
+        const authPath = `/auth/${provider.name}`;
+        const callbackPath = provider.callbackPath;
+
+        // GET /auth/:provider → Redirect to OAuth consent screen
+        server.get(authPath, async (request, reply) => {
+            const state = crypto.randomBytes(16).toString('hex');
+
+            // Store state in a short-lived cookie for CSRF protection
+            reply.header('Set-Cookie',
+                `moria_oauth_state=${state}; HttpOnly; Path=/; Max-Age=600; SameSite=Lax`
+            );
+
+            // Build the full callback URL from the request
+            const protocol = request.protocol ?? 'http';
+            const host = request.hostname;
+            const fullCallbackUrl = `${protocol}://${host}${callbackPath}`;
+
+            // Get auth URL and inject the full callback URL
+            let authUrl = provider.getAuthUrl(state);
+            authUrl = authUrl.replace('redirect_uri=', `redirect_uri=${encodeURIComponent(fullCallbackUrl)}`);
+
+            return reply.redirect(authUrl);
+        });
+
+        // GET /auth/:provider/callback → Exchange code, issue JWT
+        server.get(callbackPath, async (request, reply) => {
+            const query = request.query as { code?: string; state?: string; error?: string };
+            const failureUrl = provider.failureRedirect ?? config.failureRedirect ?? '/';
+            const successUrl = provider.successRedirect ?? config.successRedirect ?? '/';
+
+            // Check for OAuth errors
+            if (query.error || !query.code) {
+                request.log.warn(`OAuth ${provider.name} error: ${query.error ?? 'no code'}`);
+                return reply.redirect(failureUrl);
+            }
+
+            // Validate state (CSRF protection)
+            const cookieHeader = request.headers.cookie ?? '';
+            const stateCookie = cookieHeader
+                .split(';')
+                .map((c) => c.trim())
+                .find((c) => c.startsWith('moria_oauth_state='));
+            const savedState = stateCookie?.split('=')[1];
+
+            if (!savedState || savedState !== query.state) {
+                request.log.warn(`OAuth ${provider.name}: state mismatch`);
+                return reply.redirect(failureUrl);
+            }
+
+            // Clear state cookie
+            reply.header('Set-Cookie',
+                'moria_oauth_state=; HttpOnly; Path=/; Max-Age=0'
+            );
+
+            try {
+                // Build full callback URL
+                const protocol = request.protocol ?? 'http';
+                const host = request.hostname;
+                const fullCallbackUrl = `${protocol}://${host}${callbackPath}`;
+
+                // Exchange code for access token
+                const accessToken = await provider.exchangeCode(query.code, fullCallbackUrl);
+
+                // Fetch user profile
+                const user = await provider.fetchProfile(accessToken);
+
+                // Sign JWT and set cookie
+                // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                await (server as any).signIn(user, reply);
+
+                return reply.redirect(successUrl);
+            } catch (err) {
+                request.log.error(err, `OAuth ${provider.name} callback failed`);
+                return reply.redirect(failureUrl);
+            }
+        });
+    }
+}
+
 /**
  * Route-level authentication guard.
  * Use as a Fastify preHandler hook.

package/src/providers/github.ts

@@ -0,0 +1,139 @@
+/**
+ * GitHub OAuth2 Provider
+ *
+ * Implements the Authorization Code flow for GitHub.
+ * Uses Node.js built-in fetch — zero additional dependencies.
+ */
+
+import type { AuthUser } from '../index.js';
+import type { OAuthProviderConfig, OAuthProvider } from './types.js';
+
+const GITHUB_AUTH_URL = 'https://github.com/login/oauth/authorize';
+const GITHUB_TOKEN_URL = 'https://github.com/login/oauth/access_token';
+const GITHUB_PROFILE_URL = 'https://api.github.com/user';
+const GITHUB_EMAILS_URL = 'https://api.github.com/user/emails';
+
+const DEFAULT_SCOPES = ['read:user', 'user:email'];
+
+/**
+ * Create a GitHub OAuth provider.
+ *
+ * @example
+ * ```ts
+ * import { createAuthPlugin, githubProvider } from '@moriajs/auth';
+ *
+ * await app.use(createAuthPlugin({
+ *   secret: process.env.JWT_SECRET!,
+ *   providers: [
+ *     githubProvider({
+ *       clientId: process.env.GITHUB_CLIENT_ID!,
+ *       clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+ *     }),
+ *   ],
+ * }));
+ * ```
+ */
+export function githubProvider(config: OAuthProviderConfig): OAuthProvider {
+    const scopes = config.scopes ?? DEFAULT_SCOPES;
+    const callbackPath = config.callbackUrl ?? '/auth/github/callback';
+
+    return {
+        name: 'github',
+        callbackPath,
+        successRedirect: config.successRedirect ?? '/',
+        failureRedirect: config.failureRedirect ?? '/',
+
+        getAuthUrl(state: string): string {
+            const params = new URLSearchParams({
+                client_id: config.clientId,
+                redirect_uri: '', // Will be set at runtime with full URL
+                scope: scopes.join(' '),
+                state,
+            });
+            return `${GITHUB_AUTH_URL}?${params.toString()}`;
+        },
+
+        async exchangeCode(code: string, callbackUrl: string): Promise<string> {
+            const res = await fetch(GITHUB_TOKEN_URL, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                    Accept: 'application/json',
+                },
+                body: JSON.stringify({
+                    client_id: config.clientId,
+                    client_secret: config.clientSecret,
+                    code,
+                    redirect_uri: callbackUrl,
+                }),
+            });
+
+            if (!res.ok) {
+                const error = await res.text();
+                throw new Error(`GitHub token exchange failed: ${error}`);
+            }
+
+            const data = await res.json() as { access_token: string; error?: string };
+            if (data.error) {
+                throw new Error(`GitHub OAuth error: ${data.error}`);
+            }
+            return data.access_token;
+        },
+
+        async fetchProfile(accessToken: string): Promise<AuthUser> {
+            // Fetch profile
+            const profileRes = await fetch(GITHUB_PROFILE_URL, {
+                headers: {
+                    Authorization: `Bearer ${accessToken}`,
+                    Accept: 'application/vnd.github+json',
+                    'User-Agent': 'MoriaJS',
+                },
+            });
+
+            if (!profileRes.ok) {
+                throw new Error('Failed to fetch GitHub profile');
+            }
+
+            const profile = await profileRes.json() as {
+                id: number;
+                login: string;
+                name: string | null;
+                email: string | null;
+                avatar_url: string;
+            };
+
+            // If email is not public, fetch from /user/emails
+            let email = profile.email;
+            if (!email) {
+                try {
+                    const emailsRes = await fetch(GITHUB_EMAILS_URL, {
+                        headers: {
+                            Authorization: `Bearer ${accessToken}`,
+                            Accept: 'application/vnd.github+json',
+                            'User-Agent': 'MoriaJS',
+                        },
+                    });
+                    if (emailsRes.ok) {
+                        const emails = await emailsRes.json() as Array<{
+                            email: string;
+                            primary: boolean;
+                            verified: boolean;
+                        }>;
+                        const primary = emails.find((e) => e.primary && e.verified);
+                        email = primary?.email ?? emails[0]?.email ?? null;
+                    }
+                } catch {
+                    // Email fetch failed, continue without
+                }
+            }
+
+            return {
+                id: profile.id,
+                email: email ?? undefined,
+                name: profile.name ?? profile.login,
+                avatar: profile.avatar_url,
+                provider: 'github',
+            };
+        },
+    };
+}

package/src/providers/google.ts

@@ -0,0 +1,105 @@
+/**
+ * Google OAuth2 Provider
+ *
+ * Implements the Authorization Code flow for Google.
+ * Uses Node.js built-in fetch — zero additional dependencies.
+ */
+
+import type { AuthUser } from '../index.js';
+import type { OAuthProviderConfig, OAuthProvider } from './types.js';
+
+const GOOGLE_AUTH_URL = 'https://accounts.google.com/o/oauth2/v2/auth';
+const GOOGLE_TOKEN_URL = 'https://oauth2.googleapis.com/token';
+const GOOGLE_PROFILE_URL = 'https://www.googleapis.com/oauth2/v2/userinfo';
+
+const DEFAULT_SCOPES = ['openid', 'email', 'profile'];
+
+/**
+ * Create a Google OAuth provider.
+ *
+ * @example
+ * ```ts
+ * import { createAuthPlugin, googleProvider } from '@moriajs/auth';
+ *
+ * await app.use(createAuthPlugin({
+ *   secret: process.env.JWT_SECRET!,
+ *   providers: [
+ *     googleProvider({
+ *       clientId: process.env.GOOGLE_CLIENT_ID!,
+ *       clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
+ *     }),
+ *   ],
+ * }));
+ * ```
+ */
+export function googleProvider(config: OAuthProviderConfig): OAuthProvider {
+    const scopes = config.scopes ?? DEFAULT_SCOPES;
+    const callbackPath = config.callbackUrl ?? '/auth/google/callback';
+
+    return {
+        name: 'google',
+        callbackPath,
+        successRedirect: config.successRedirect ?? '/',
+        failureRedirect: config.failureRedirect ?? '/',
+
+        getAuthUrl(state: string): string {
+            const params = new URLSearchParams({
+                client_id: config.clientId,
+                redirect_uri: '', // Will be set at runtime with full URL
+                response_type: 'code',
+                scope: scopes.join(' '),
+                state,
+                access_type: 'offline',
+                prompt: 'consent',
+            });
+            return `${GOOGLE_AUTH_URL}?${params.toString()}`;
+        },
+
+        async exchangeCode(code: string, callbackUrl: string): Promise<string> {
+            const res = await fetch(GOOGLE_TOKEN_URL, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+                body: new URLSearchParams({
+                    code,
+                    client_id: config.clientId,
+                    client_secret: config.clientSecret,
+                    redirect_uri: callbackUrl,
+                    grant_type: 'authorization_code',
+                }).toString(),
+            });
+
+            if (!res.ok) {
+                const error = await res.text();
+                throw new Error(`Google token exchange failed: ${error}`);
+            }
+
+            const data = await res.json() as { access_token: string };
+            return data.access_token;
+        },
+
+        async fetchProfile(accessToken: string): Promise<AuthUser> {
+            const res = await fetch(GOOGLE_PROFILE_URL, {
+                headers: { Authorization: `Bearer ${accessToken}` },
+            });
+
+            if (!res.ok) {
+                throw new Error('Failed to fetch Google profile');
+            }
+
+            const profile = await res.json() as {
+                id: string;
+                email: string;
+                name: string;
+                picture?: string;
+            };
+
+            return {
+                id: profile.id,
+                email: profile.email,
+                name: profile.name,
+                avatar: profile.picture,
+                provider: 'google',
+            };
+        },
+    };
+}

package/src/providers/types.ts

@@ -0,0 +1,45 @@
+/**
+ * OAuth Provider Types
+ *
+ * Shared types for all OAuth providers in MoriaJS.
+ */
+
+import type { AuthUser } from '../index.js';
+
+/**
+ * Configuration for an OAuth provider.
+ */
+export interface OAuthProviderConfig {
+    /** OAuth2 client ID */
+    clientId: string;
+    /** OAuth2 client secret */
+    clientSecret: string;
+    /** Callback URL path (e.g., '/auth/google/callback') */
+    callbackUrl?: string;
+    /** OAuth2 scopes to request */
+    scopes?: string[];
+    /** URL to redirect to after successful auth (default: '/') */
+    successRedirect?: string;
+    /** URL to redirect to after failed auth (default: '/') */
+    failureRedirect?: string;
+}
+
+/**
+ * An OAuth provider registers redirect + callback routes
+ * and maps external profiles to MoriaJS AuthUser.
+ */
+export interface OAuthProvider {
+    /** Provider name (e.g., 'google', 'github') */
+    name: string;
+    /** Build the authorization redirect URL */
+    getAuthUrl(state: string): string;
+    /** Exchange auth code for access token */
+    exchangeCode(code: string, callbackUrl: string): Promise<string>;
+    /** Fetch user profile using access token */
+    fetchProfile(accessToken: string): Promise<AuthUser>;
+    /** The configured callback URL path */
+    callbackPath: string;
+    /** Redirect paths */
+    successRedirect: string;
+    failureRedirect: string;
+}