@setzkasten-cms/astro-admin 0.6.0 → 0.8.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@setzkasten-cms/astro-admin",
-  "version": "0.6.0",
+  "version": "0.8.0",
   "description": "Setzkasten Admin-UI, Init-Wizard und Adoptions-Pipeline für Astro",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE",
@@ -21,6 +21,8 @@
     "headless-cms"
   ],
   "exports": {
+    "./auth-setzkasten-login": "./src/api-routes/auth-setzkasten-login.ts",
+    "./global-config": "./src/api-routes/global-config.ts",
     "./auth-login": "./src/api-routes/auth-login.ts",
     "./auth-callback": "./src/api-routes/auth-callback.ts",
     "./auth-logout": "./src/api-routes/auth-logout.ts",
@@ -44,6 +46,11 @@
     "./section-commit-pending": "./src/api-routes/section-commit-pending.ts",
     "./section-delete": "./src/api-routes/section-delete.ts",
     "./section-duplicate": "./src/api-routes/section-duplicate.ts",
+    "./updater-register": "./src/api-routes/updater-register.ts",
+    "./updater-check": "./src/api-routes/updater-check.ts",
+    "./updater-transfer": "./src/api-routes/updater-transfer.ts",
+    "./updater-unbind": "./src/api-routes/updater-unbind.ts",
+    "./editors": "./src/api-routes/editors.ts",
     "./admin-page": "./src/admin-page.astro"
   },
   "devDependencies": {
@@ -51,11 +58,11 @@
   },
   "dependencies": {
     "@astrojs/compiler": "^3.0.0",
-    "@setzkasten-cms/auth": "0.6.0",
-    "@setzkasten-cms/catalog": "0.6.0",
-    "@setzkasten-cms/core": "0.6.0",
-    "@setzkasten-cms/ui": "0.6.0",
-    "@setzkasten-cms/github-adapter": "0.6.0"
+    "@setzkasten-cms/auth": "0.8.0",
+    "@setzkasten-cms/catalog": "0.8.0",
+    "@setzkasten-cms/core": "0.8.0",
+    "@setzkasten-cms/github-adapter": "0.8.0",
+    "@setzkasten-cms/ui": "0.8.0"
   },
   "peerDependencies": {
     "astro": "^5.0.0",

package/src/admin-page.astro

@@ -69,10 +69,7 @@
         try {
           const injected = (globalThis as any).__SETZKASTEN_CONFIG__ ?? {}
 
-          const providers: Array<'github' | 'google'> = []
-          if (injected.hasGitHub) providers.push('github')
-          if (injected.hasGoogle) providers.push('google')
-          if (providers.length === 0) providers.push('github')
+          const providers: Array<'github' | 'google'> = ['github']
 
           // Fetch the full user config from server
           let userConfig: any = null
@@ -81,12 +78,15 @@
             if (res.ok) userConfig = await res.json()
           } catch {}
 
-          const skConfig = userConfig ?? {
+          // providers is always derived from injected flags (license-aware),
+          // so we override auth.providers regardless of what userConfig says.
+          const skConfig = {
             storage: { kind: 'github' as const },
-            auth: { providers },
             theme: {},
             products: {},
             collections: {},
+            ...(userConfig ?? {}),
+            auth: { ...(userConfig?.auth ?? {}), providers },
           }
 
           // Storage params come from the config API (server-injected via SSR)
@@ -111,7 +111,7 @@
             repo,
             branch,
             assetsPath,
-            publicUrlPrefix: '/images',
+            // publicUrlPrefix is auto-derived from assetsPath by ProxyAssetStore
           })
 
           const auth = {
@@ -131,6 +131,7 @@
               createElement(AdminApp)
             )
           )
+
         } catch (error) {
           console.error('[setzkasten] Boot failed:', error)
           root.innerHTML = `

package/src/api-routes/__tests__/commit-trailers.test.ts

@@ -0,0 +1,69 @@
+/**
+ * Tests for commit message trailer helpers.
+ * @vitest-environment node
+ */
+
+import { describe, it, expect } from 'vitest'
+import { withTrailers, SETZKASTEN_CO_AUTHOR } from '../_commit-trailers'
+
+describe('SETZKASTEN_CO_AUTHOR', () => {
+  it('is a valid Co-authored-by trailer', () => {
+    expect(SETZKASTEN_CO_AUTHOR).toMatch(/^Co-authored-by: .+ <.+>$/)
+  })
+})
+
+describe('withTrailers', () => {
+  it('appends the Setzkasten co-author trailer to any message', () => {
+    const result = withTrailers('content: update hero section on index')
+    expect(result).toContain(SETZKASTEN_CO_AUTHOR)
+  })
+
+  it('separates the trailer block with a blank line', () => {
+    const result = withTrailers('content: update hero section on index')
+    expect(result).toContain('\n\n')
+    const [body, trailers] = result.split('\n\n')
+    expect(body).toBe('content: update hero section on index')
+    expect(trailers).toContain('Co-authored-by:')
+  })
+
+  it('does not add editor trailer when editorEmail is not provided', () => {
+    const result = withTrailers('chore: something')
+    const lines = result.split('\n').filter(l => l.startsWith('Co-authored-by:'))
+    expect(lines).toHaveLength(1)
+    expect(lines[0]).toBe(SETZKASTEN_CO_AUTHOR)
+  })
+
+  it('does not add editor trailer when editorEmail is null', () => {
+    const result = withTrailers('chore: something', null)
+    const lines = result.split('\n').filter(l => l.startsWith('Co-authored-by:'))
+    expect(lines).toHaveLength(1)
+  })
+
+  it('adds editor Co-authored-by when editorEmail is provided', () => {
+    const result = withTrailers('content: update', 'jane.doe@example.com')
+    const lines = result.split('\n').filter(l => l.startsWith('Co-authored-by:'))
+    expect(lines).toHaveLength(2)
+    expect(lines[1]).toContain('jane.doe@example.com')
+  })
+
+  it('derives a readable name from the editor email local-part', () => {
+    const result = withTrailers('content: update', 'jane.doe@example.com')
+    expect(result).toContain('Co-authored-by: Jane Doe <jane.doe@example.com>')
+  })
+
+  it('handles hyphen-separated names in email', () => {
+    const result = withTrailers('content: update', 'anna-lena@example.com')
+    expect(result).toContain('Co-authored-by: Anna Lena <anna-lena@example.com>')
+  })
+
+  it('handles underscore-separated names in email', () => {
+    const result = withTrailers('content: update', 'max_mustermann@example.com')
+    expect(result).toContain('Co-authored-by: Max Mustermann <max_mustermann@example.com>')
+  })
+
+  it('preserves the original message as the first line', () => {
+    const msg = 'content: add new section on about'
+    const result = withTrailers(msg, 'editor@example.com')
+    expect(result.startsWith(msg)).toBe(true)
+  })
+})

package/src/api-routes/__tests__/github-cache.test.ts

@@ -0,0 +1,100 @@
+/**
+ * Tests for the GitHub file read cache.
+ * @vitest-environment node
+ */
+
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+import { cachedFetch, invalidateCache } from '../_github-cache'
+
+beforeEach(() => {
+  invalidateCache('test-key')
+  vi.useRealTimers()
+})
+
+describe('cachedFetch', () => {
+  it('calls fetcher on first access (cache miss)', async () => {
+    const fetcher = vi.fn().mockResolvedValue('data-v1')
+    const result = await cachedFetch('test-key', 60_000, fetcher)
+    expect(result).toBe('data-v1')
+    expect(fetcher).toHaveBeenCalledOnce()
+  })
+
+  it('returns cached value without calling fetcher again (cache hit)', async () => {
+    const fetcher = vi.fn().mockResolvedValue('data-v1')
+    await cachedFetch('test-key', 60_000, fetcher)
+    const result = await cachedFetch('test-key', 60_000, fetcher)
+    expect(result).toBe('data-v1')
+    expect(fetcher).toHaveBeenCalledOnce()
+  })
+
+  it('re-fetches after TTL expires', async () => {
+    vi.useFakeTimers()
+    const fetcher = vi.fn().mockResolvedValue('data-v1')
+    await cachedFetch('test-key', 1_000, fetcher)
+
+    vi.advanceTimersByTime(1_001)
+    fetcher.mockResolvedValue('data-v2')
+    const result = await cachedFetch('test-key', 1_000, fetcher)
+
+    expect(result).toBe('data-v2')
+    expect(fetcher).toHaveBeenCalledTimes(2)
+  })
+
+  it('returns stale value on fetch error (stale-on-error)', async () => {
+    vi.useFakeTimers()
+    const fetcher = vi.fn().mockResolvedValue('data-v1')
+    await cachedFetch('test-key', 1_000, fetcher)
+
+    vi.advanceTimersByTime(1_001)
+    fetcher.mockRejectedValue(new Error('GitHub API down'))
+    const result = await cachedFetch('test-key', 1_000, fetcher)
+
+    expect(result).toBe('data-v1')
+  })
+
+  it('throws when fetcher fails and no stale value exists', async () => {
+    const fetcher = vi.fn().mockRejectedValue(new Error('GitHub API down'))
+    await expect(cachedFetch('test-key', 60_000, fetcher)).rejects.toThrow('GitHub API down')
+  })
+
+  it('caches null values (file not found is a valid result)', async () => {
+    const fetcher = vi.fn().mockResolvedValue(null)
+    await cachedFetch('test-key', 60_000, fetcher)
+    const result = await cachedFetch('test-key', 60_000, fetcher)
+    expect(result).toBeNull()
+    expect(fetcher).toHaveBeenCalledOnce()
+  })
+
+  it('uses separate cache entries per key', async () => {
+    invalidateCache('key-a')
+    invalidateCache('key-b')
+    const fetcherA = vi.fn().mockResolvedValue('a')
+    const fetcherB = vi.fn().mockResolvedValue('b')
+    const [a, b] = await Promise.all([
+      cachedFetch('key-a', 60_000, fetcherA),
+      cachedFetch('key-b', 60_000, fetcherB),
+    ])
+    expect(a).toBe('a')
+    expect(b).toBe('b')
+    invalidateCache('key-a')
+    invalidateCache('key-b')
+  })
+})
+
+describe('invalidateCache', () => {
+  it('forces re-fetch after invalidation', async () => {
+    const fetcher = vi.fn().mockResolvedValue('data-v1')
+    await cachedFetch('test-key', 60_000, fetcher)
+
+    invalidateCache('test-key')
+    fetcher.mockResolvedValue('data-v2')
+    const result = await cachedFetch('test-key', 60_000, fetcher)
+
+    expect(result).toBe('data-v2')
+    expect(fetcher).toHaveBeenCalledTimes(2)
+  })
+
+  it('is a no-op for unknown keys', () => {
+    expect(() => invalidateCache('nonexistent-key')).not.toThrow()
+  })
+})

package/src/api-routes/__tests__/pages.test.ts

@@ -0,0 +1,72 @@
+/**
+ * Tests for the pages API route resolver.
+ *
+ * The pages endpoint must work in API-route context (serverless) where
+ * `page-ssr` injectScript does NOT run and globalThis.__SETZKASTEN_PAGES__
+ * is undefined. The fix is a Vite build-time define (__SETZKASTEN_PAGES__)
+ * that is always available in compiled modules.
+ *
+ * In the test environment the Vite define is not applied, so we test the
+ * globalThis fallback path — which is what we'd use in a cold-start serverless
+ * invocation before the define was introduced.
+ *
+ * @vitest-environment node
+ */
+
+import { describe, it, expect, beforeEach, afterEach } from 'vitest'
+import { resolvePages } from '../pages'
+
+interface PageInfo {
+  path: string
+  pageKey: string
+  label: string
+  hasConfig: boolean
+}
+
+const SAMPLE_PAGES: PageInfo[] = [
+  { path: '/', pageKey: 'index', label: 'Startseite', hasConfig: true },
+  { path: '/impressum', pageKey: 'impressum', label: 'Impressum', hasConfig: false },
+]
+
+beforeEach(() => {
+  delete (globalThis as Record<string, unknown>).__SETZKASTEN_PAGES__
+})
+
+afterEach(() => {
+  delete (globalThis as Record<string, unknown>).__SETZKASTEN_PAGES__
+})
+
+describe('resolvePages', () => {
+  it('returns empty array when globalThis.__SETZKASTEN_PAGES__ is not set', () => {
+    expect(resolvePages()).toEqual([])
+  })
+
+  it('reads pages from globalThis.__SETZKASTEN_PAGES__', () => {
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_PAGES__ = SAMPLE_PAGES
+    expect(resolvePages()).toEqual(SAMPLE_PAGES)
+  })
+
+  it('returns all page fields (path, pageKey, label, hasConfig)', () => {
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_PAGES__ = SAMPLE_PAGES
+    const result = resolvePages()
+    expect(result[0]).toHaveProperty('path', '/')
+    expect(result[0]).toHaveProperty('pageKey', 'index')
+    expect(result[0]).toHaveProperty('label', 'Startseite')
+    expect(result[0]).toHaveProperty('hasConfig', true)
+  })
+
+  it('returns empty array when globalThis.__SETZKASTEN_PAGES__ is explicitly empty', () => {
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_PAGES__ = []
+    expect(resolvePages()).toEqual([])
+  })
+
+  it('handles multiple pages including nested paths', () => {
+    const pages: PageInfo[] = [
+      { path: '/', pageKey: 'index', label: 'Startseite', hasConfig: true },
+      { path: '/docs/architecture', pageKey: 'docs/architecture', label: 'Architecture', hasConfig: false },
+    ]
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_PAGES__ = pages
+    expect(resolvePages()).toHaveLength(2)
+    expect(resolvePages()[1]!.pageKey).toBe('docs/architecture')
+  })
+})

package/src/api-routes/_auth-guard.ts

@@ -0,0 +1,32 @@
+import { canEditPage } from '@setzkasten-cms/auth'
+import type { AuthSession, SetzKastenConfig } from '@setzkasten-cms/core'
+
+/**
+ * Parses the raw session cookie value.
+ * Returns null if missing or invalid.
+ */
+export function parseSession(raw: string | undefined): AuthSession | null {
+  if (!raw) return null
+  try {
+    return JSON.parse(raw) as AuthSession
+  } catch {
+    return null
+  }
+}
+
+/**
+ * Returns a 403 Response if the session user may NOT edit the given page.
+ * Returns null (= allowed) otherwise.
+ *
+ * Admins always pass. Editors are checked against config.auth.editors.
+ */
+export function guardPageAccess(
+  session: AuthSession | null,
+  pageKey: string,
+  fullConfig: SetzKastenConfig | undefined,
+): Response | null {
+  if (!session) return new Response('Unauthorized', { status: 401 })
+  if (!fullConfig) return null // no config = no restrictions
+  if (canEditPage(session, pageKey, fullConfig)) return null
+  return new Response('Forbidden: you do not have access to this page', { status: 403 })
+}

package/src/api-routes/_commit-trailers.ts

@@ -0,0 +1,16 @@
+export const SETZKASTEN_CO_AUTHOR = 'Co-authored-by: Setzkasten <setzkasten@setzkasten.dev>'
+
+/**
+ * Appends git commit trailers to a commit message.
+ * Always includes the Setzkasten co-author; optionally includes the editor.
+ */
+export function withTrailers(message: string, editorEmail?: string | null): string {
+  const trailers = [SETZKASTEN_CO_AUTHOR]
+  if (editorEmail) {
+    const name = editorEmail.split('@')[0]!
+      .replace(/[._-]+/g, ' ')
+      .replace(/\b\w/g, c => c.toUpperCase())
+    trailers.push(`Co-authored-by: ${name} <${editorEmail}>`)
+  }
+  return `${message}\n\n${trailers.join('\n')}`
+}

package/src/api-routes/_github-cache.ts

@@ -0,0 +1,32 @@
+interface CacheEntry<T> {
+  value: T
+  fetchedAt: number
+}
+
+const cache = new Map<string, CacheEntry<unknown>>()
+
+export async function cachedFetch<T>(
+  key: string,
+  ttlMs: number,
+  fetcher: () => Promise<T>,
+): Promise<T> {
+  const entry = cache.get(key) as CacheEntry<T> | undefined
+  const now = Date.now()
+
+  if (entry !== undefined && now - entry.fetchedAt < ttlMs) {
+    return entry.value
+  }
+
+  try {
+    const value = await fetcher()
+    cache.set(key, { value, fetchedAt: now })
+    return value
+  } catch (err) {
+    if (entry !== undefined) return entry.value
+    throw err
+  }
+}
+
+export function invalidateCache(key: string): void {
+  cache.delete(key)
+}

package/src/api-routes/auth-callback.ts

@@ -1,11 +1,9 @@
 import type { APIRoute } from 'astro'
 import { createGitHubAuth } from '@setzkasten-cms/auth'
-import { createGoogleAuth } from '@setzkasten-cms/auth'
 
 /**
- * OAuth callback handler.
- * Receives the authorization code from GitHub/Google, exchanges it for a
- * session via the auth adapter, and sets a signed session cookie.
+ * GitHub OAuth callback handler.
+ * Google uses the GIS flow (POST /api/setzkasten/auth/google) — no callback needed there.
  */
 export const GET: APIRoute = async ({ request, url, cookies, redirect }) => {
   const code = url.searchParams.get('code')
@@ -15,91 +13,62 @@ export const GET: APIRoute = async ({ request, url, cookies, redirect }) => {
     return new Response('Missing authorization code', { status: 400 })
   }
 
-  // Parse stored state (may contain provider info)
   const storedRaw = cookies.get('setzkasten_oauth_state')?.value
   let storedState: string | undefined
-  let provider = 'github'
+
   if (storedRaw) {
     try {
-      const parsed = JSON.parse(storedRaw)
-      storedState = parsed.state
-      provider = parsed.provider ?? 'github'
+      storedState = JSON.parse(storedRaw).state
     } catch {
       storedState = storedRaw
     }
   }
 
-  // CSRF: verify state matches stored state
-  if (state && storedState && state !== storedState) {
+  if (!storedState || state !== storedState) {
     return new Response('Invalid state parameter', { status: 400 })
   }
 
-  // Clear the state cookie
   cookies.delete('setzkasten_oauth_state', { path: '/' })
 
   const config = (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as
     | { adminPath: string }
     | undefined
-
   const adminPath = config?.adminPath ?? '/admin'
 
-  // On Vercel, url.origin may resolve to localhost. Use the Host header instead.
   const host = request.headers.get('x-forwarded-host') ?? request.headers.get('host') ?? url.host
   const protocol = request.headers.get('x-forwarded-proto') ?? (url.protocol === 'https:' ? 'https' : 'http')
-  const origin = `${protocol}://${host}`
-  const redirectUri = `${origin}/api/setzkasten/auth/callback`
+  const redirectUri = `${protocol}://${host}/api/setzkasten/auth/callback`
 
-  // Read allowed emails from env (comma-separated)
   const allowedEmailsRaw = import.meta.env.SETZKASTEN_ALLOWED_EMAILS ?? process.env.SETZKASTEN_ALLOWED_EMAILS ?? ''
   const allowedEmails = allowedEmailsRaw
     ? allowedEmailsRaw.split(',').map((e: string) => e.trim())
     : undefined
 
-  try {
-    let sessionResult
+  const auth = createGitHubAuth({
+    clientId: import.meta.env.GITHUB_CLIENT_ID ?? process.env.GITHUB_CLIENT_ID ?? '',
+    clientSecret: import.meta.env.GITHUB_CLIENT_SECRET ?? process.env.GITHUB_CLIENT_SECRET ?? '',
+    redirectUri,
+    allowedEmails,
+  })
 
-    if (provider === 'google') {
-      const auth = createGoogleAuth({
-        clientId: import.meta.env.GOOGLE_CLIENT_ID ?? process.env.GOOGLE_CLIENT_ID ?? '',
-        clientSecret: import.meta.env.GOOGLE_CLIENT_SECRET ?? process.env.GOOGLE_CLIENT_SECRET ?? '',
-        redirectUri,
-        allowedEmails,
-      })
-      sessionResult = await auth.handleCallback(code, 'google')
-    } else {
-      const auth = createGitHubAuth({
-        clientId: import.meta.env.GITHUB_CLIENT_ID ?? process.env.GITHUB_CLIENT_ID ?? '',
-        clientSecret: import.meta.env.GITHUB_CLIENT_SECRET ?? process.env.GITHUB_CLIENT_SECRET ?? '',
-        redirectUri,
-        allowedEmails,
-      })
-      sessionResult = await auth.handleCallback(code, 'github')
-    }
+  try {
+    const sessionResult = await auth.handleCallback(code)
 
     if (!sessionResult.ok) {
-      console.error('[setzkasten] Auth failed:', sessionResult.error.message)
       return new Response(`Authentication failed: ${sessionResult.error.message}`, { status: 403 })
     }
 
     const session = sessionResult.value
-
-    // Set session cookie with user info (HMAC-signed in production)
-    const sessionPayload = JSON.stringify({
-      user: session.user,
-      expiresAt: session.expiresAt,
-    })
-
-    cookies.set('setzkasten_session', sessionPayload, {
+    cookies.set('setzkasten_session', JSON.stringify({ user: session.user, expiresAt: session.expiresAt }), {
       httpOnly: true,
       secure: import.meta.env.PROD,
       sameSite: 'lax',
       path: '/',
-      maxAge: 60 * 60 * 24 * 7, // 7 days
+      maxAge: 60 * 60 * 24 * 7,
     })
 
     return redirect(adminPath)
-  } catch (error) {
-    console.error('[setzkasten] Auth callback error:', error)
+  } catch {
     return new Response('Authentication failed', { status: 500 })
   }
 }

package/src/api-routes/auth-login.ts

@@ -1,87 +1,40 @@
 import type { APIRoute } from 'astro'
 import { createGitHubAuth } from '@setzkasten-cms/auth'
-import { createGoogleAuth } from '@setzkasten-cms/auth'
 
 /**
- * Login initiation – redirects the user to the chosen OAuth provider.
+ * Login initiation – redirects the user to GitHub OAuth.
+ * Google uses GIS (POST /api/setzkasten/auth/google) instead of this redirect flow.
  *
- * GET /api/setzkasten/auth/login?provider=github|google
+ * GET /api/setzkasten/auth/login?provider=github
  */
 export const GET: APIRoute = async ({ request, url, cookies, redirect }) => {
-  const provider = url.searchParams.get('provider') ?? 'github'
-
   const config = (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as
-    | { adminPath: string; hasGitHub: boolean; hasGoogle: boolean }
+    | { adminPath: string }
     | undefined
 
-  const adminPath = config?.adminPath ?? '/admin'
-
   // On Vercel, url.origin may resolve to localhost. Use the Host header instead.
   const host = request.headers.get('x-forwarded-host') ?? request.headers.get('host') ?? url.host
   const protocol = request.headers.get('x-forwarded-proto') ?? (url.protocol === 'https:' ? 'https' : 'http')
   const origin = `${protocol}://${host}`
   const redirectUri = `${origin}/api/setzkasten/auth/callback`
 
-  let loginUrl: string
-
-  if (provider === 'google') {
-    const googleClientId = import.meta.env.GOOGLE_CLIENT_ID ?? process.env.GOOGLE_CLIENT_ID ?? ''
-    const googleClientSecret = import.meta.env.GOOGLE_CLIENT_SECRET ?? process.env.GOOGLE_CLIENT_SECRET ?? ''
-
-    if (!googleClientId || !googleClientSecret) {
-      return new Response('Google OAuth not configured', { status: 500 })
-    }
-
-    const auth = createGoogleAuth({
-      clientId: googleClientId,
-      clientSecret: googleClientSecret,
-      redirectUri,
-    })
+  const ghClientId = import.meta.env.GITHUB_CLIENT_ID ?? process.env.GITHUB_CLIENT_ID ?? ''
+  const ghClientSecret = import.meta.env.GITHUB_CLIENT_SECRET ?? process.env.GITHUB_CLIENT_SECRET ?? ''
 
-    loginUrl = auth.getLoginUrl('google')
-
-    // Store the PKCE code verifier in a cookie for the callback
-    // Arctic generates it internally – we extract it from the URL
-    const urlObj = new URL(loginUrl)
-    const state = urlObj.searchParams.get('state')
-    if (state) {
-      cookies.set('setzkasten_oauth_state', JSON.stringify({ state, provider: 'google' }), {
-        httpOnly: true,
-        secure: true,
-        sameSite: 'lax',
-        path: '/',
-        maxAge: 600, // 10 min
-      })
-    }
-  } else {
-    // Default: GitHub
-    const ghClientId = import.meta.env.GITHUB_CLIENT_ID ?? process.env.GITHUB_CLIENT_ID ?? ''
-    const ghClientSecret = import.meta.env.GITHUB_CLIENT_SECRET ?? process.env.GITHUB_CLIENT_SECRET ?? ''
-
-    if (!ghClientId || !ghClientSecret) {
-      return new Response('GitHub OAuth not configured', { status: 500 })
-    }
-
-    const auth = createGitHubAuth({
-      clientId: ghClientId,
-      clientSecret: ghClientSecret,
-      redirectUri,
-    })
+  if (!ghClientId || !ghClientSecret) {
+    return new Response('GitHub OAuth not configured', { status: 500 })
+  }
 
-    loginUrl = auth.getLoginUrl('github')
+  const auth = createGitHubAuth({ clientId: ghClientId, clientSecret: ghClientSecret, redirectUri })
+  const { url: loginUrl, state } = auth.getLoginUrl()
 
-    const urlObj = new URL(loginUrl)
-    const state = urlObj.searchParams.get('state')
-    if (state) {
-      cookies.set('setzkasten_oauth_state', JSON.stringify({ state, provider: 'github' }), {
-        httpOnly: true,
-        secure: true,
-        sameSite: 'lax',
-        path: '/',
-        maxAge: 600,
-      })
-    }
-  }
+  cookies.set('setzkasten_oauth_state', JSON.stringify({ state, provider: 'github' }), {
+    httpOnly: true,
+    secure: true,
+    sameSite: 'lax',
+    path: '/',
+    maxAge: 600,
+  })
 
   return redirect(loginUrl)
 }