@setzkasten-cms/auth 0.4.2

package/LICENSE

@@ -0,0 +1,37 @@
+Setzkasten Community License
+
+Copyright (c) 2026 Lilapixel
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to use,
+copy, modify, merge, publish, and distribute the Software, subject to the
+following conditions:
+
+1. The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+2. The Software may not be used for commercial purposes without a separate
+   commercial license from the copyright holder. "Commercial purposes" means
+   any use of the Software that is primarily intended for or directed toward
+   commercial advantage or monetary compensation. This includes, but is not
+   limited to:
+   - Using the Software to manage content for a commercial website or product
+   - Offering the Software as part of a paid service
+   - Using the Software within a for-profit organization
+
+3. Non-commercial use is permitted without restriction. This includes:
+   - Personal projects
+   - Open source projects
+   - Educational and academic use
+   - Non-profit organizations
+
+4. A commercial license ("Enterprise License") may be obtained by contacting
+   Lilapixel at hello@lilapixel.de.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/index.d.ts

@@ -0,0 +1,27 @@
+import { AuthProvider } from '@setzkasten-cms/core';
+export { AuthProvider, AuthSession, AuthUser } from '@setzkasten-cms/core';
+
+interface GitHubOAuthConfig {
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+    allowedEmails?: readonly string[];
+}
+/**
+ * GitHub OAuth adapter using Arctic.
+ * Handles the OAuth flow and session management server-side.
+ */
+declare function createGitHubAuth(config: GitHubOAuthConfig): AuthProvider;
+
+interface GoogleOAuthConfig {
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+    allowedEmails?: readonly string[];
+}
+/**
+ * Google OAuth adapter using Arctic.
+ */
+declare function createGoogleAuth(config: GoogleOAuthConfig): AuthProvider;
+
+export { type GitHubOAuthConfig, type GoogleOAuthConfig, createGitHubAuth, createGoogleAuth };

package/dist/index.js

@@ -0,0 +1,155 @@
+// src/github-oauth.ts
+import { GitHub } from "arctic";
+import { ok, err, authError } from "@setzkasten-cms/core";
+function createGitHubAuth(config) {
+  const github = new GitHub(config.clientId, config.clientSecret, config.redirectUri);
+  const sessions = /* @__PURE__ */ new Map();
+  return {
+    async getSession() {
+      for (const session of sessions.values()) {
+        if (session.expiresAt > Date.now()) {
+          return ok(session);
+        }
+      }
+      return ok(null);
+    },
+    getLoginUrl() {
+      const state = generateState();
+      const scopes = ["user:email"];
+      const url = github.createAuthorizationURL(state, scopes);
+      return url.toString();
+    },
+    async handleCallback(code) {
+      try {
+        const tokens = await github.validateAuthorizationCode(code);
+        const accessToken = tokens.accessToken();
+        const userResponse = await fetch("https://api.github.com/user", {
+          headers: { Authorization: `Bearer ${accessToken}` }
+        });
+        if (!userResponse.ok) {
+          return err(authError("Failed to fetch GitHub user info"));
+        }
+        const userData = await userResponse.json();
+        let email = userData.email;
+        if (!email) {
+          const emailResponse = await fetch("https://api.github.com/user/emails", {
+            headers: { Authorization: `Bearer ${accessToken}` }
+          });
+          if (emailResponse.ok) {
+            const emails = await emailResponse.json();
+            const primary = emails.find((e) => e.primary && e.verified);
+            email = primary?.email ?? emails[0]?.email ?? null;
+          }
+        }
+        if (!email) {
+          return err(authError("No email found on GitHub account"));
+        }
+        if (config.allowedEmails && !config.allowedEmails.includes(email)) {
+          return err(authError(`Email ${email} is not allowed`));
+        }
+        const user = {
+          id: String(userData.id),
+          email,
+          name: userData.name ?? void 0,
+          avatarUrl: userData.avatar_url,
+          provider: "github"
+        };
+        const session = {
+          user,
+          expiresAt: Date.now() + 7 * 24 * 60 * 60 * 1e3
+          // 7 days
+        };
+        sessions.set(user.id, session);
+        return ok(session);
+      } catch (error) {
+        return err(
+          authError(
+            `GitHub OAuth failed: ${error instanceof Error ? error.message : "Unknown error"}`
+          )
+        );
+      }
+    },
+    async logout() {
+      sessions.clear();
+    }
+  };
+}
+function generateState() {
+  const array = new Uint8Array(32);
+  crypto.getRandomValues(array);
+  return Array.from(array, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+// src/google-oauth.ts
+import { Google } from "arctic";
+import { ok as ok2, err as err2, authError as authError2 } from "@setzkasten-cms/core";
+function createGoogleAuth(config) {
+  const google = new Google(config.clientId, config.clientSecret, config.redirectUri);
+  const sessions = /* @__PURE__ */ new Map();
+  return {
+    async getSession() {
+      for (const session of sessions.values()) {
+        if (session.expiresAt > Date.now()) {
+          return ok2(session);
+        }
+      }
+      return ok2(null);
+    },
+    getLoginUrl() {
+      const state = generateState2();
+      const codeVerifier = generateState2();
+      const scopes = ["openid", "email", "profile"];
+      const url = google.createAuthorizationURL(state, codeVerifier, scopes);
+      return url.toString();
+    },
+    async handleCallback(code) {
+      try {
+        const codeVerifier = "";
+        const tokens = await google.validateAuthorizationCode(code, codeVerifier);
+        const accessToken = tokens.accessToken();
+        const userResponse = await fetch(
+          "https://www.googleapis.com/oauth2/v2/userinfo",
+          { headers: { Authorization: `Bearer ${accessToken}` } }
+        );
+        if (!userResponse.ok) {
+          return err2(authError2("Failed to fetch Google user info"));
+        }
+        const userData = await userResponse.json();
+        if (config.allowedEmails && !config.allowedEmails.includes(userData.email)) {
+          return err2(authError2(`Email ${userData.email} is not allowed`));
+        }
+        const user = {
+          id: userData.id,
+          email: userData.email,
+          name: userData.name,
+          avatarUrl: userData.picture,
+          provider: "google"
+        };
+        const session = {
+          user,
+          expiresAt: Date.now() + 7 * 24 * 60 * 60 * 1e3
+        };
+        sessions.set(user.id, session);
+        return ok2(session);
+      } catch (error) {
+        return err2(
+          authError2(
+            `Google OAuth failed: ${error instanceof Error ? error.message : "Unknown error"}`
+          )
+        );
+      }
+    },
+    async logout() {
+      sessions.clear();
+    }
+  };
+}
+function generateState2() {
+  const array = new Uint8Array(32);
+  crypto.getRandomValues(array);
+  return Array.from(array, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+export {
+  createGitHubAuth,
+  createGoogleAuth
+};

package/package.json

@@ -0,0 +1,23 @@
+{
+  "name": "@setzkasten-cms/auth",
+  "version": "0.4.2",
+  "type": "module",
+  "exports": {
+    ".": {
+      "import": "./src/index.ts",
+      "types": "./src/index.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "src"
+  ],
+  "dependencies": {
+    "arctic": "^3.5.0",
+    "@setzkasten-cms/core": "0.4.2"
+  },
+  "scripts": {
+    "build": "tsup",
+    "typecheck": "tsc --noEmit"
+  }
+}

package/src/github-oauth.ts

@@ -0,0 +1,122 @@
+import { GitHub } from 'arctic'
+import type { AuthProvider, AuthUser, AuthSession } from '@setzkasten-cms/core'
+import { ok, err, authError } from '@setzkasten-cms/core'
+
+export interface GitHubOAuthConfig {
+  clientId: string
+  clientSecret: string
+  redirectUri: string
+  allowedEmails?: readonly string[]
+}
+
+/**
+ * GitHub OAuth adapter using Arctic.
+ * Handles the OAuth flow and session management server-side.
+ */
+export function createGitHubAuth(config: GitHubOAuthConfig): AuthProvider {
+  const github = new GitHub(config.clientId, config.clientSecret, config.redirectUri)
+
+  // In-memory session store (for server-side use in Astro API routes)
+  const sessions = new Map<string, AuthSession>()
+
+  return {
+    async getSession() {
+      // In production, read session from cookie/token
+      // Here we return the first active session for simplicity
+      for (const session of sessions.values()) {
+        if (session.expiresAt > Date.now()) {
+          return ok(session)
+        }
+      }
+      return ok(null)
+    },
+
+    getLoginUrl() {
+      const state = generateState()
+      const scopes = ['user:email']
+      const url = github.createAuthorizationURL(state, scopes)
+      return url.toString()
+    },
+
+    async handleCallback(code: string) {
+      try {
+        const tokens = await github.validateAuthorizationCode(code)
+        const accessToken = tokens.accessToken()
+
+        // Fetch user info from GitHub API
+        const userResponse = await fetch('https://api.github.com/user', {
+          headers: { Authorization: `Bearer ${accessToken}` },
+        })
+
+        if (!userResponse.ok) {
+          return err(authError('Failed to fetch GitHub user info'))
+        }
+
+        const userData = (await userResponse.json()) as {
+          id: number
+          email: string | null
+          name: string | null
+          avatar_url: string
+        }
+
+        // Fetch primary email if not public
+        let email = userData.email
+        if (!email) {
+          const emailResponse = await fetch('https://api.github.com/user/emails', {
+            headers: { Authorization: `Bearer ${accessToken}` },
+          })
+          if (emailResponse.ok) {
+            const emails = (await emailResponse.json()) as Array<{
+              email: string
+              primary: boolean
+              verified: boolean
+            }>
+            const primary = emails.find((e) => e.primary && e.verified)
+            email = primary?.email ?? emails[0]?.email ?? null
+          }
+        }
+
+        if (!email) {
+          return err(authError('No email found on GitHub account'))
+        }
+
+        // Check allowed emails
+        if (config.allowedEmails && !config.allowedEmails.includes(email)) {
+          return err(authError(`Email ${email} is not allowed`))
+        }
+
+        const user: AuthUser = {
+          id: String(userData.id),
+          email,
+          name: userData.name ?? undefined,
+          avatarUrl: userData.avatar_url,
+          provider: 'github',
+        }
+
+        const session: AuthSession = {
+          user,
+          expiresAt: Date.now() + 7 * 24 * 60 * 60 * 1000, // 7 days
+        }
+
+        sessions.set(user.id, session)
+        return ok(session)
+      } catch (error) {
+        return err(
+          authError(
+            `GitHub OAuth failed: ${error instanceof Error ? error.message : 'Unknown error'}`,
+          ),
+        )
+      }
+    },
+
+    async logout() {
+      sessions.clear()
+    },
+  }
+}
+
+function generateState(): string {
+  const array = new Uint8Array(32)
+  crypto.getRandomValues(array)
+  return Array.from(array, (b) => b.toString(16).padStart(2, '0')).join('')
+}

package/src/google-oauth.ts

@@ -0,0 +1,104 @@
+import { Google } from 'arctic'
+import type { AuthProvider, AuthUser, AuthSession } from '@setzkasten-cms/core'
+import { ok, err, authError } from '@setzkasten-cms/core'
+
+export interface GoogleOAuthConfig {
+  clientId: string
+  clientSecret: string
+  redirectUri: string
+  allowedEmails?: readonly string[]
+}
+
+/**
+ * Google OAuth adapter using Arctic.
+ */
+export function createGoogleAuth(config: GoogleOAuthConfig): AuthProvider {
+  const google = new Google(config.clientId, config.clientSecret, config.redirectUri)
+
+  const sessions = new Map<string, AuthSession>()
+
+  return {
+    async getSession() {
+      for (const session of sessions.values()) {
+        if (session.expiresAt > Date.now()) {
+          return ok(session)
+        }
+      }
+      return ok(null)
+    },
+
+    getLoginUrl() {
+      const state = generateState()
+      const codeVerifier = generateState()
+      const scopes = ['openid', 'email', 'profile']
+      const url = google.createAuthorizationURL(state, codeVerifier, scopes)
+      // Store codeVerifier in cookie/session for callback
+      return url.toString()
+    },
+
+    async handleCallback(code: string) {
+      try {
+        // In production, retrieve codeVerifier from cookie/session
+        const codeVerifier = '' // TODO: retrieve from session
+        const tokens = await google.validateAuthorizationCode(code, codeVerifier)
+        const accessToken = tokens.accessToken()
+
+        // Fetch user info from Google
+        const userResponse = await fetch(
+          'https://www.googleapis.com/oauth2/v2/userinfo',
+          { headers: { Authorization: `Bearer ${accessToken}` } },
+        )
+
+        if (!userResponse.ok) {
+          return err(authError('Failed to fetch Google user info'))
+        }
+
+        const userData = (await userResponse.json()) as {
+          id: string
+          email: string
+          name: string
+          picture: string
+        }
+
+        if (
+          config.allowedEmails &&
+          !config.allowedEmails.includes(userData.email)
+        ) {
+          return err(authError(`Email ${userData.email} is not allowed`))
+        }
+
+        const user: AuthUser = {
+          id: userData.id,
+          email: userData.email,
+          name: userData.name,
+          avatarUrl: userData.picture,
+          provider: 'google',
+        }
+
+        const session: AuthSession = {
+          user,
+          expiresAt: Date.now() + 7 * 24 * 60 * 60 * 1000,
+        }
+
+        sessions.set(user.id, session)
+        return ok(session)
+      } catch (error) {
+        return err(
+          authError(
+            `Google OAuth failed: ${error instanceof Error ? error.message : 'Unknown error'}`,
+          ),
+        )
+      }
+    },
+
+    async logout() {
+      sessions.clear()
+    },
+  }
+}
+
+function generateState(): string {
+  const array = new Uint8Array(32)
+  crypto.getRandomValues(array)
+  return Array.from(array, (b) => b.toString(16).padStart(2, '0')).join('')
+}

package/src/index.ts

@@ -0,0 +1,15 @@
+/**
+ * @setzkasten-cms/auth – Authentication adapters
+ *
+ * MVP: GitHub OAuth + Google OAuth via Arctic
+ * Auth determines WHO can access the CMS.
+ * Repo commits use a separate GitHub App token.
+ */
+
+export type { AuthProvider, AuthUser, AuthSession } from '@setzkasten-cms/core'
+
+export { createGitHubAuth } from './github-oauth'
+export type { GitHubOAuthConfig } from './github-oauth'
+
+export { createGoogleAuth } from './google-oauth'
+export type { GoogleOAuthConfig } from './google-oauth'