@soapjs/soap-auth 0.4.4 → 1.0.1

package/README.md

@@ -1,174 +1,335 @@
-# SoapAuth - Modular Authentication Solution
+# SoapAuth
 
-SoapAuth is a flexible library for handling authentication and identity management. It allows you to easily implement various authentication strategies such as JWT, OAuth2, Basic Auth, Local Auth, API Key, and more. As part of the **@soapjs** ecosystem, it can be easily extended with additional components like **soap**, **soap-express**, and **soap-cli**.
+Authentication strategies, session handling, MFA, and token helpers for the SoapJS ecosystem.
+
+`@soapjs/soap-auth` provides composable authentication primitives for HTTP and socket applications. It includes JWT, local credentials, basic auth, API key auth, built-in OAuth2 social providers, sessions, roles, rate limiting, account lockout, password helpers, MFA/TOTP, PKCE, and JWKS verification.
+
+The package does not depend on Passport or provider SDKs. Built-in and configurable OAuth2 strategies use platform `fetch` plus user-provided mapping callbacks, so applications can start quickly and still replace any part of the auth flow with their own implementation.
 
 ## Installation
+
 ```sh
-npm install @soapjs/soap-auth
+npm install @soapjs/soap-auth @soapjs/soap
 ```
 
-## Key Features
-- **Supports multiple authentication strategies** (JWT, OAuth2, API Key, Basic, Local, Hybrid OAuth2).
-- **Works with both HTTP and WebSocket protocols.**
-- **Manages sessions, MFA, roles, account locks, and rate limiting.**
-- **Easy configuration and extendability.**
-- **Integration with frameworks like Express, NestJS, etc.**
+## Requirements
+
+- Node.js 24.17.0 or newer
+- `@soapjs/soap` 0.14 or newer
+
+## Quick Start
+
+```ts
+import { createJwtAuthConfig, SoapAuth } from "@soapjs/soap-auth";
+
+const auth = await SoapAuth.create({
+  http: {
+    jwt: createJwtAuthConfig({
+      accessSecret: process.env.JWT_ACCESS_SECRET!,
+      refreshSecret: process.env.JWT_REFRESH_SECRET!,
+      user: {
+        fetchUser: async (payload) => users.findById((payload as any).id),
+      },
+    }),
+  },
+});
+
+const result = await auth.getHttpStrategy("jwt").authenticate(context);
+```
 
----
+## Recipes
 
-## Basic Usage
-```typescript
-import { SoapAuth, JwtStrategy } from "@soapjs/soap-auth";
+Recipes are framework-neutral config helpers. They return plain SoapAuth config objects and do not import Express, Passport, provider SDKs, or any other adapter library.
 
-const auth = new SoapAuth();
-auth.addStrategy(new JwtStrategy({ secret: "super-secret-key" }), "jwt", "http");
-// ...
-const result = await auth.getHttpStrategy<JwtStrategy>("jwt").authenticate(request);
-console.log(result.user);
+```ts
+import {
+  createApiKeyAuthConfig,
+  createHybridOAuth2ProviderConfig,
+  createJwtAuthConfig,
+  createLocalAuthConfig,
+  createOAuth2ProviderConfig,
+  oauth2ProviderEndpoints,
+} from "@soapjs/soap-auth";
 ```
 
----
+Available recipes:
 
-## Supported Authentication Strategies
+- `createJwtAuthConfig(...)`
+- `createLocalAuthConfig(...)`
+- `createBasicAuthConfig(...)`
+- `createApiKeyAuthConfig(...)`
+- `createOAuth2ProviderConfig(...)`
+- `createHybridOAuth2ProviderConfig(...)`
+- `oauth2ProviderEndpoints.auth0(...)`
+- `oauth2ProviderEndpoints.keycloak(...)`
+- `oauth2ProviderEndpoints.discord()`
+- `oauth2ProviderEndpoints.google()`
+- `oauth2ProviderEndpoints.github()`
+- `oauth2ProviderEndpoints.facebook()`
 
-SoapAuth supports multiple authentication strategies. Below is a description and example configuration for each.
+Recipes are also available from `@soapjs/soap-auth/recipes`.
 
-### **JWT Strategy** *(Token-based authentication)*
-```typescript
-import { JwtStrategy } from "@soapjs/soap-auth";
+Type-only subpath imports are supported for TypeScript projects using classic
+`moduleResolution: node`:
 
-auth.addStrategy(new JwtStrategy({
-  secret: "your-secret-key",
-  accessToken: {
-    expiresIn: "1h",
-  },
-  refreshToken: {
-    expiresIn: "7d",
-  },
-}), "jwt", "http");
+```ts
+import type { StorageContext } from "@soapjs/soap-auth/types";
+import type { CookieOptions } from "@soapjs/soap-auth/recipes";
 ```
 
-### **OAuth2 Strategy** *(OAuth 2.0 authentication)*
-```typescript
-import { OAuth2Strategy } from "@soapjs/soap-auth";
-
-auth.addStrategy(new OAuth2Strategy({
-  clientId: "your-client-id",
-  clientSecret: "your-client-secret",
-  redirectUri: "https://your-app.com/callback",
-  endpoints: {
-    authorizationUrl: "https://auth.server.com/auth",
-    tokenUrl: "https://auth.server.com/token",
+## Factory Configuration
+
+`SoapAuth.create()` registers built-in strategies from config:
+
+- `http.jwt` as `jwt`
+- `http.local` as `local`
+- `http.basic` as `basic`
+- `http.apiKey` as `api-key`
+- `http.oauth2.google` as `google`
+- `http.oauth2.github` as `github`
+- `http.oauth2.facebook` as `facebook`
+- any other `http.oauth2.<name>` with OAuth2 endpoints as `<name>`
+- any `http.hybridOAuth2.<name>` with OAuth2 endpoints as `<name>`
+- `socket.jwt` as `jwt`
+- `socket.apiKey` as `api-key`
+
+Custom strategies can be registered through `http.custom`, `socket.custom`, or manually with `addStrategy(strategy, name, category)`.
+
+## Local Credentials
+
+```ts
+import { createLocalAuthConfig } from "@soapjs/soap-auth";
+
+const auth = await SoapAuth.create({
+  http: {
+    local: createLocalAuthConfig({
+      credentials: {
+        extractCredentials: (ctx: any) => ({
+          identifier: ctx.body.email,
+          password: ctx.body.password,
+        }),
+        verifyCredentials: async (identifier, password) =>
+          users.verifyPassword(identifier, password),
+      },
+      user: {
+        fetchUser: async (identifier) => users.findByEmail(String(identifier)),
+      },
+      basePath: "/auth",
+    }),
   },
-}), "oauth2", "http");
+});
 ```
 
-### **API Key Strategy** *(Key-based authentication)*
-```typescript
-import { ApiKeyStrategy } from "@soapjs/soap-auth";
+## API Key
 
-auth.addStrategy(new ApiKeyStrategy({
-  extractApiKey: (ctx) => ctx.headers["x-api-key"],
-  retrieveUserByApiKey: async (key) => {
-    return mockDatabase.findUserByApiKey(key);
+```ts
+import { createApiKeyAuthConfig } from "@soapjs/soap-auth";
+
+const auth = await SoapAuth.create({
+  http: {
+    apiKey: createApiKeyAuthConfig({
+      keyType: "long-term",
+      extractApiKey: (ctx: any) => ctx.headers["x-api-key"] ?? null,
+      retrieveUserByApiKey: async (apiKey) => apiKeys.findUser(apiKey),
+      isApiKeyExpired: async (apiKey) => apiKeys.isExpired(apiKey),
+      trackApiKeyUsage: async (apiKey) => apiKeys.touch(apiKey),
+    }),
   },
-}), "apikey", "http");
+});
 ```
 
-### **Basic Auth Strategy** *(Username & Password authentication)*
-```typescript
-import { BasicStrategy } from "@soapjs/soap-auth";
+## Sessions
+
+```ts
+import { MemorySessionStore, SoapAuth } from "@soapjs/soap-auth";
 
-auth.addStrategy(new BasicStrategy({
-  extractCredentials: (ctx) => {
-    return { identifier: ctx.body.username, password: ctx.body.password };
+const auth = await SoapAuth.create({
+  session: {
+    secret: process.env.SESSION_SECRET!,
+    store: new MemorySessionStore(),
+    getSessionId: (ctx: any) =>
+      ctx.cookies?.SESSIONID ?? ctx.headers?.["x-session-id"] ?? null,
   },
-  verifyCredentials: async (id, pass) => {
-    return mockDatabase.verifyUser(id, pass);
+  http: {
+    local: localConfig,
   },
-}), "basic", "http");
+});
 ```
 
-### **Local Strategy** *(Custom authentication logic)*
-```typescript
-import { LocalStrategy } from "@soapjs/soap-auth";
+`MemorySessionStore` is useful for tests and local development. Production applications should provide a durable `SessionStore` backed by a database, Redis, or another shared storage system.
+
+## OAuth2 Providers
 
-auth.addStrategy(new LocalStrategy({
-  extractCredentials: (ctx) => ({ identifier: ctx.query.email, password: ctx.query.pass }),
-  verifyCredentials: async (id, pass) => {
-    return mockDatabase.verifyUser(id, pass);
+```ts
+const auth = await SoapAuth.create({
+  http: {
+    oauth2: {
+      google: {
+        clientId: process.env.GOOGLE_CLIENT_ID!,
+        clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
+        redirectUri: "https://example.com/auth/google/callback",
+      },
+      github: {
+        clientId: process.env.GITHUB_CLIENT_ID!,
+        clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+        redirectUri: "https://example.com/auth/github/callback",
+      },
+    },
   },
-}), "local", "http");
+});
 ```
 
-### **Hybrid OAuth2 Strategy** *(Combination of multiple authentication methods)*
-```typescript
-import { HybridOAuth2Strategy } from "@soapjs/soap-auth";
-
-auth.addStrategy(new HybridOAuth2Strategy({
-  clientId: "your-client-id",
-  clientSecret: "your-client-secret",
-  oauth2: {
-    endpoints: {
-      authorizationUrl: "https://oauth.provider.com/auth",
-      tokenUrl: "https://oauth.provider.com/token",
+Providers with standard OAuth2/OIDC endpoints can use configurable OAuth2. Providers with unusual token exchange, user lookup, or redirect requirements can be implemented as a subclass of `OAuth2Strategy` or `HttpOAuth2Strategy` and registered through `http.custom`.
+
+## Configurable OAuth2 Providers
+
+Most OAuth2/OIDC providers do not need a custom class. Provide the endpoints and a profile mapper:
+
+```ts
+import { createOAuth2ProviderConfig } from "@soapjs/soap-auth";
+
+const auth = await SoapAuth.create({
+  http: {
+    oauth2: {
+      auth0: createOAuth2ProviderConfig({
+        provider: "auth0",
+        clientId: process.env.AUTH0_CLIENT_ID!,
+        clientSecret: process.env.AUTH0_CLIENT_SECRET!,
+        redirectUri: "https://example.com/auth/auth0/callback",
+        presetOptions: { domain: "tenant.auth0.com" },
+        user: {
+          fetchUser: async () => null,
+          validateUser: async (profile: any) => ({
+            id: profile.sub,
+            email: profile.email,
+            username: profile.nickname ?? profile.name,
+            picture: profile.picture,
+          }),
+        },
+      }),
     },
   },
-}), "hybrid-oauth2", "http");
+});
 ```
 
----
+For providers without a `userinfo` endpoint, implement `user.fetchUser(accessToken)` and return your application user directly.
 
-## Configuration & Extensions
-### Role Management
-```typescript
-role: {
-  authorizeByRoles: async (user, roles) => roles.includes(user.role),
-  roles: ["admin", "user"]
-}
-```
-### Multi-Factor Authentication (MFA)
-```typescript
-mfa: {
-  isMfaRequired: (user) => user.requiresMfa,
-  validateMfaCode: async (user, code) => mockDatabase.checkMfaCode(user, code),
+OAuth2 `state.persistence` and `nonce.persistence` callbacks receive the
+current auth context:
+
+```ts
+state: {
+  persistence: {
+    store: async (state, context, metadata) => {
+      await context.storeInCookie?.(state, { name: metadata?.key ?? "state" });
+    },
+    read: async (context, key) => context.getFromCookie?.(key ?? "state") ?? null,
+    remove: async (context, key) => {
+      await context.removeFromCookie?.(key ?? "state");
+    },
+  },
 }
 ```
-### Account Locking after Failed Logins
-```typescript
-lock: {
-  isAccountLocked: async (account) => mockDatabase.isLocked(account),
-  lockAccount: async (account) => mockDatabase.lock(account),
-}
+
+This lets HTTP adapters such as `soap-express` persist OAuth state and nonce in
+cookies, sessions, or request-scoped storage without global state.
+
+## Configurable Hybrid OAuth2
+
+Hybrid OAuth2 tries existing JWT/session auth first, then falls back to OAuth2. This is useful when browser users log in through OAuth2 but API clients can keep using JWT.
+
+```ts
+import { createHybridOAuth2ProviderConfig } from "@soapjs/soap-auth";
+
+const auth = await SoapAuth.create({
+  session: sessionConfig,
+  http: {
+    jwt: jwtConfig,
+    hybridOAuth2: {
+      enterprise: createHybridOAuth2ProviderConfig({
+        provider: "enterprise",
+        clientId: process.env.IDP_CLIENT_ID!,
+        clientSecret: process.env.IDP_CLIENT_SECRET!,
+        redirectUri: "https://example.com/auth/enterprise/callback",
+        endpoints: {
+          authorizationUrl: "https://idp.example.com/authorize",
+          tokenUrl: "https://idp.example.com/token",
+          userInfoUrl: "https://idp.example.com/userinfo",
+        },
+        user: {
+          fetchUser: async () => null,
+          validateUser: async (profile: any) => ({
+            id: profile.sub,
+            email: profile.email,
+          }),
+        },
+      }),
+    },
+  },
+});
 ```
-### Rate Limiting
-```typescript
-rateLimit: {
-  checkRateLimit: async (ctx) => false, // No limits
-}
+
+## Custom Strategies
+
+When the built-in config is not enough, implement `AuthStrategy` directly:
+
+```ts
+const auth = await SoapAuth.create({
+  http: {
+    custom: {
+      internal: {
+        async authenticate(ctx: any) {
+          const user = await internalAuth.verify(ctx.headers.authorization);
+          return user ? { user } : null;
+        },
+      },
+    },
+  },
+});
 ```
 
----
+No external strategy package is required; custom strategies only need an `authenticate(context)` method.
+
+## MFA, Roles, Rate Limits, and Lockout
+
+Shared controls can be attached to credential strategies:
+
+```ts
+const localConfig = {
+  credentials,
+  user,
+  routes,
+  mfa: {
+    isMfaRequired: (user: any) => user.mfaEnabled,
+    extractMfaCode: (ctx: any) => ctx.body.mfaCode,
+    validateMfaCode: async (user: any, code: string) =>
+      mfa.verify(user.id, code),
+  },
+  role: {
+    roles: ["admin"],
+    authorizeByRoles: async (user: any, roles: string[]) =>
+      roles.includes(user.role),
+  },
+  rateLimit: {
+    checkRateLimit: async (ctx: any) => rateLimiter.isLimited(ctx.ip),
+    incrementRequestCount: async (ctx: any) => rateLimiter.increment(ctx.ip),
+  },
+};
+```
 
-## FAQ
-**How to report an issue?**  
-Open an issue on GitHub.  
+## Release Checks
 
-**How to extend `soap-auth` with custom strategies?**  
-You can create your own class extending `BaseAuthStrategy` and implementing `authenticate()`.  
+Before publishing:
 
----
-## Issues
-If you encounter any issues, please feel free to report them [here](https://github.com/soapjs/soap/issues/new/choose).
+```sh
+npm run test:unit
+npm run build
+npm pack --dry-run
+npm audit --omit=dev
+```
 
-## Contact
-For any questions, collaboration interests, or support needs, you can contact us through the following:
+The package publishes compiled CommonJS output from `build/` and TypeScript declarations.
 
-- Official:
-  - Website: http://docs.soapjs.com
-- Radoslaw Kamysz:
-  - Email: [radoslaw.kamysz@gmail.com](mailto:radoslaw.kamysz@gmail.com)
-  - Warpcast: [@k4mr4ad](https://warpcast.com/k4mr4ad)
-  - Twitter: [@radoslawkamysz](https://x.com/radoslawkamysz)
 ## License
-SoapAuth is licensed under the MIT License.
+
+MIT

package/build/index.d.ts

@@ -2,6 +2,7 @@ export * from "./session";
 export * from "./services";
 export * from "./strategies";
 export * from "./tools";
+export * from "./recipes";
 export * from "./errors";
 export * from "./types";
 export * from "./soap-auth";

package/build/index.js

@@ -18,6 +18,7 @@ __exportStar(require("./session"), exports);
 __exportStar(require("./services"), exports);
 __exportStar(require("./strategies"), exports);
 __exportStar(require("./tools"), exports);
+__exportStar(require("./recipes"), exports);
 __exportStar(require("./errors"), exports);
 __exportStar(require("./types"), exports);
 __exportStar(require("./soap-auth"), exports);

package/build/recipes/auth-config.recipes.d.ts

@@ -0,0 +1,40 @@
+import { ApiKeyStrategyConfig } from "../strategies/api-key/api-key.types";
+import { BasicStrategyConfig } from "../strategies/basic/basic.types";
+import { JwtConfig } from "../strategies/jwt/jwt.types";
+import { LocalStrategyConfig } from "../strategies/local/local.types";
+import { OAuth2ProviderConfig } from "../strategies/oauth2/oauth2.types";
+import { Auth0PresetOptions, FacebookPresetOptions, KeycloakPresetOptions, OAuth2ProviderPreset } from "./oauth2-presets";
+import { AuthRouteConfig, TokenIssuerConfig, UserConfig } from "../types";
+import { OAuth2Endpoints } from "../strategies/oauth2/oauth2.types";
+type RouteOverrides = Partial<Record<string, Partial<AuthRouteConfig>>>;
+export interface JwtAuthRecipeOptions<TContext = unknown, TUser = unknown> extends Omit<Partial<JwtConfig<TContext, TUser>>, "accessToken" | "refreshToken" | "routes"> {
+    accessSecret: string;
+    refreshSecret?: string;
+    accessToken?: Partial<TokenIssuerConfig<TContext>>;
+    refreshToken?: Partial<TokenIssuerConfig<TContext>>;
+    user?: UserConfig<TUser>;
+    routes?: RouteOverrides;
+}
+export declare function createJwtAuthConfig<TContext = unknown, TUser = unknown>(options: JwtAuthRecipeOptions<TContext, TUser>): JwtConfig<TContext, TUser>;
+export interface LocalAuthRecipeOptions<TContext = unknown, TUser = unknown> extends Omit<LocalStrategyConfig<TContext, TUser>, "routes"> {
+    basePath?: string;
+    routes?: RouteOverrides;
+}
+export declare function createLocalAuthConfig<TContext = unknown, TUser = unknown>(options: LocalAuthRecipeOptions<TContext, TUser>): LocalStrategyConfig<TContext, TUser>;
+export interface BasicAuthRecipeOptions<TContext = unknown, TUser = unknown> extends Omit<BasicStrategyConfig<TContext, TUser>, "routes"> {
+    basePath?: string;
+    routes?: RouteOverrides;
+}
+export declare function createBasicAuthConfig<TContext = unknown, TUser = unknown>(options: BasicAuthRecipeOptions<TContext, TUser>): BasicStrategyConfig<TContext, TUser>;
+export interface ApiKeyAuthRecipeOptions<TContext = unknown, TUser = unknown> extends ApiKeyStrategyConfig<TContext, TUser> {
+}
+export declare function createApiKeyAuthConfig<TContext = unknown, TUser = unknown>(options: ApiKeyAuthRecipeOptions<TContext, TUser>): ApiKeyStrategyConfig<TContext, TUser>;
+export interface OAuth2AuthRecipeOptions<TUser = unknown> extends Omit<OAuth2ProviderConfig<any, TUser>, "endpoints" | "routes"> {
+    provider: OAuth2ProviderPreset | string;
+    endpoints?: OAuth2Endpoints;
+    presetOptions?: Auth0PresetOptions | KeycloakPresetOptions | FacebookPresetOptions;
+    routes?: RouteOverrides;
+}
+export declare function createOAuth2ProviderConfig<TUser = unknown>(options: OAuth2AuthRecipeOptions<TUser>): OAuth2ProviderConfig<any, TUser>;
+export declare function createHybridOAuth2ProviderConfig<TUser = unknown>(options: OAuth2AuthRecipeOptions<TUser>): OAuth2ProviderConfig<any, TUser>;
+export {};

package/build/recipes/auth-config.recipes.js

@@ -0,0 +1,135 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createHybridOAuth2ProviderConfig = exports.createOAuth2ProviderConfig = exports.createApiKeyAuthConfig = exports.createBasicAuthConfig = exports.createLocalAuthConfig = exports.createJwtAuthConfig = void 0;
+const oauth2_presets_1 = require("./oauth2-presets");
+function route(path, method, override) {
+    return {
+        path: override?.path ?? path,
+        method: override?.method ?? method,
+    };
+}
+function credentialRoutes(basePath, overrides = {}) {
+    return {
+        login: route(`${basePath}/login`, "POST", overrides.login),
+        logout: route(`${basePath}/logout`, "POST", overrides.logout),
+        resetPassword: overrides.resetPassword
+            ? route(`${basePath}/password/reset`, "POST", overrides.resetPassword)
+            : undefined,
+        changePassword: overrides.changePassword
+            ? route(`${basePath}/password/change`, "POST", overrides.changePassword)
+            : undefined,
+        requestPasswordReset: overrides.requestPasswordReset
+            ? route(`${basePath}/password/reset/request`, "POST", overrides.requestPasswordReset)
+            : undefined,
+    };
+}
+function oauthRoutes(basePath, overrides = {}) {
+    return {
+        login: route(basePath, "GET", overrides.login),
+        callback: route(`${basePath}/callback`, "GET", overrides.callback),
+        logout: overrides.logout
+            ? route(`${basePath}/logout`, "POST", overrides.logout)
+            : undefined,
+        refresh: overrides.refresh
+            ? route(`${basePath}/refresh`, "POST", overrides.refresh)
+            : undefined,
+        revoke: overrides.revoke
+            ? route(`${basePath}/revoke`, "POST", overrides.revoke)
+            : undefined,
+    };
+}
+function createJwtAuthConfig(options) {
+    const { accessSecret, refreshSecret, accessToken, refreshToken, routes, ...config } = options;
+    return {
+        ...config,
+        user: options.user,
+        accessToken: {
+            issuer: {
+                secretKey: accessSecret,
+                options: {
+                    expiresIn: "15m",
+                    ...(accessToken?.options ?? {}),
+                },
+                buildPayload: accessToken?.buildPayload,
+            },
+            verifier: { options: {} },
+        },
+        refreshToken: refreshSecret
+            ? {
+                issuer: {
+                    secretKey: refreshSecret,
+                    options: {
+                        expiresIn: "7d",
+                        ...(refreshToken?.options ?? {}),
+                    },
+                    buildPayload: refreshToken?.buildPayload,
+                },
+                verifier: { options: {} },
+            }
+            : undefined,
+        routes: {
+            login: route("/auth/jwt/login", "POST", routes?.login),
+            logout: route("/auth/jwt/logout", "POST", routes?.logout),
+            refresh: route("/auth/jwt/refresh", "POST", routes?.refresh),
+        },
+    };
+}
+exports.createJwtAuthConfig = createJwtAuthConfig;
+function createLocalAuthConfig(options) {
+    const { basePath, routes, ...config } = options;
+    return {
+        ...config,
+        routes: credentialRoutes(basePath ?? "/auth/local", routes),
+    };
+}
+exports.createLocalAuthConfig = createLocalAuthConfig;
+function createBasicAuthConfig(options) {
+    const { basePath, routes, ...config } = options;
+    return {
+        ...config,
+        routes: credentialRoutes(basePath ?? "/auth/basic", routes),
+    };
+}
+exports.createBasicAuthConfig = createBasicAuthConfig;
+function createApiKeyAuthConfig(options) {
+    return {
+        keyType: "long-term",
+        ...options,
+    };
+}
+exports.createApiKeyAuthConfig = createApiKeyAuthConfig;
+function resolveOAuth2Endpoints(options) {
+    if (options.endpoints) {
+        return options.endpoints;
+    }
+    switch (options.provider) {
+        case "auth0":
+            return oauth2_presets_1.oauth2ProviderEndpoints.auth0(options.presetOptions);
+        case "keycloak":
+            return oauth2_presets_1.oauth2ProviderEndpoints.keycloak(options.presetOptions);
+        case "google":
+            return oauth2_presets_1.oauth2ProviderEndpoints.google();
+        case "github":
+            return oauth2_presets_1.oauth2ProviderEndpoints.github();
+        case "facebook":
+            return oauth2_presets_1.oauth2ProviderEndpoints.facebook(options.presetOptions);
+        case "discord":
+            return oauth2_presets_1.oauth2ProviderEndpoints.discord();
+        default:
+            throw new Error(`OAuth2 provider "${options.provider}" requires explicit endpoints.`);
+    }
+}
+function createOAuth2ProviderConfig(options) {
+    const { provider, endpoints, presetOptions, routes, ...config } = options;
+    return {
+        ...config,
+        grantType: options.grantType ?? "authorization_code",
+        endpoints: resolveOAuth2Endpoints(options),
+        routes: oauthRoutes(`/auth/${provider}`, routes),
+    };
+}
+exports.createOAuth2ProviderConfig = createOAuth2ProviderConfig;
+function createHybridOAuth2ProviderConfig(options) {
+    return createOAuth2ProviderConfig(options);
+}
+exports.createHybridOAuth2ProviderConfig = createHybridOAuth2ProviderConfig;

package/build/recipes/http-context.helpers.d.ts

@@ -0,0 +1,13 @@
+export interface CookieOptions {
+    httpOnly?: boolean;
+    secure?: boolean;
+    sameSite?: "strict" | "lax" | "none" | "Strict" | "Lax" | "None";
+    maxAge?: number;
+    path?: string;
+    domain?: string;
+}
+export declare function extractBearerToken(context: any): string | undefined;
+export declare function setBearerToken(context: any, token: string): void;
+export declare function getCookie(context: any, name: string): string | undefined;
+export declare function setCookie(context: any, name: string, value: string, options?: CookieOptions): void;
+export declare function redirect(context: any, url: string, status?: number): void;