@wpnuxt/auth 2.0.0-alpha.1 → 2.0.0-alpha.10

package/dist/module.d.ts

@@ -0,0 +1,7 @@
+import * as _nuxt_schema from '@nuxt/schema';
+import { WPNuxtAuthConfig } from '../dist/runtime/types/index.js';
+export { WPNuxtAuthConfig } from '../dist/runtime/types/index.js';
+
+declare const _default: _nuxt_schema.NuxtModule<WPNuxtAuthConfig, WPNuxtAuthConfig, false>;
+
+export { _default as default };

package/dist/module.json

@@ -1,7 +1,10 @@
 {
   "name": "@wpnuxt/auth",
   "configKey": "wpNuxtAuth",
-  "version": "2.0.0-alpha.0",
+  "compatibility": {
+    "nuxt": ">=3.0.0"
+  },
+  "version": "2.0.0-alpha.10",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"

package/dist/module.mjs

@@ -1,9 +1,106 @@
-import { defineNuxtModule, createResolver, addPlugin, addImports } from '@nuxt/kit';
+import { existsSync, readFileSync, cpSync } from 'node:fs';
+import { join } from 'node:path';
+import { defineNuxtModule, createResolver, addPlugin, addImports, addServerHandler, useLogger } from '@nuxt/kit';
 
+function detectAuthCapabilities(schemaPath) {
+  if (!existsSync(schemaPath)) {
+    return null;
+  }
+  let schemaContent;
+  try {
+    schemaContent = readFileSync(schemaPath, "utf-8");
+  } catch {
+    return null;
+  }
+  if (!schemaContent || schemaContent.length < 100) {
+    return null;
+  }
+  const hasHeadlessLogin = /loginClients\s*[:[(]/.test(schemaContent);
+  const hasPasswordAuth = /\blogin\s*\(/.test(schemaContent) && /LoginInput/.test(schemaContent);
+  const hasRefreshToken = /refreshToken\s*\(/.test(schemaContent);
+  const detectedProviders = [];
+  const enumMatch = schemaContent.match(/enum\s+LoginProviderEnum\s*\{([^}]+)\}/);
+  if (enumMatch?.[1]) {
+    const enumBody = enumMatch[1];
+    const providerMatches = enumBody.match(/\b[A-Z][A-Z0-9_]+\b/g);
+    if (providerMatches) {
+      detectedProviders.push(...providerMatches);
+    }
+  }
+  return {
+    hasHeadlessLogin,
+    hasPasswordAuth,
+    hasRefreshToken,
+    detectedProviders
+  };
+}
+function validateAuthSchema(schemaPath, options = {}) {
+  const capabilities = detectAuthCapabilities(schemaPath);
+  if (capabilities === null) {
+    throw new Error(
+      `[wpnuxt:auth] Cannot validate GraphQL schema - file not found or unreadable.
+
+Schema path: ${schemaPath}
+
+Make sure @wpnuxt/core is loaded before @wpnuxt/auth in your nuxt.config.ts modules,
+and that 'downloadSchema' is enabled (the default).
+
+To fix this, run: pnpm dev:prepare`
+    );
+  }
+  if (!capabilities.hasHeadlessLogin) {
+    throw new Error(
+      `[wpnuxt:auth] Headless Login for WPGraphQL plugin not detected.
+
+The @wpnuxt/auth module requires this WordPress plugin for authentication.
+Your WordPress GraphQL schema is missing the required 'loginClients' query.
+
+To fix this:
+1. Install the plugin: https://github.com/AxeWP/wp-graphql-headless-login
+2. Configure at least one authentication provider in WordPress admin
+3. Run 'pnpm dev:prepare' to refresh the GraphQL schema
+
+To disable @wpnuxt/auth, remove it from your nuxt.config.ts modules.`
+    );
+  }
+  if (options.requirePassword && !capabilities.hasPasswordAuth) {
+    throw new Error(
+      `[wpnuxt:auth] Password authentication not available in GraphQL schema.
+
+The 'login' mutation is missing from your WordPress GraphQL schema.
+Make sure Headless Login for WPGraphQL is properly configured with PASSWORD provider enabled.`
+    );
+  }
+  if (options.requireHeadlessLogin && capabilities.detectedProviders.length === 0) {
+    throw new Error(
+      `[wpnuxt:auth] No OAuth providers detected in GraphQL schema.
+
+Headless Login is installed but no providers are configured.
+Configure OAuth providers (Google, GitHub, etc.) in WordPress admin under:
+GraphQL > Headless Login > Client Settings`
+    );
+  }
+}
+
+const DEFAULT_OAUTH_CONFIG = {
+  enabled: false,
+  clientId: "",
+  clientSecret: "",
+  authorizationEndpoint: "/wp-json/moserver/authorize",
+  tokenEndpoint: "/wp-json/moserver/token",
+  userInfoEndpoint: "/wp-json/moserver/resource",
+  scopes: ["openid", "profile", "email"]
+};
+const DEFAULT_HEADLESS_LOGIN_CONFIG = {
+  enabled: false
+};
 const module$1 = defineNuxtModule({
   meta: {
     name: "@wpnuxt/auth",
-    configKey: "wpNuxtAuth"
+    configKey: "wpNuxtAuth",
+    compatibility: {
+      nuxt: ">=3.0.0"
+    }
   },
   defaults: {
     enabled: true,
@@ -13,13 +110,50 @@ const module$1 = defineNuxtModule({
     refreshTokenMaxAge: 604800,
     redirectOnLogin: "/",
     redirectOnLogout: "/",
-    loginPage: "/login"
+    loginPage: "/login",
+    providers: {
+      password: { enabled: true },
+      oauth: DEFAULT_OAUTH_CONFIG,
+      headlessLogin: DEFAULT_HEADLESS_LOGIN_CONFIG
+    }
   },
   async setup(options, nuxt) {
     if (!options.enabled) {
       return;
     }
     const resolver = createResolver(import.meta.url);
+    const baseDir = nuxt.options.srcDir || nuxt.options.rootDir;
+    const { resolve } = createResolver(baseDir);
+    const wpNuxtConfig = nuxt.options.wpNuxt;
+    const mergedQueriesPath = resolve(wpNuxtConfig?.queries?.mergedOutputFolder || ".queries/");
+    const userQueryPath = resolve(wpNuxtConfig?.queries?.extendFolder || "extend/queries/");
+    const authQueriesPath = resolver.resolve("./runtime/queries");
+    if (existsSync(authQueriesPath)) {
+      cpSync(authQueriesPath, mergedQueriesPath, { recursive: true });
+    }
+    if (existsSync(userQueryPath)) {
+      cpSync(userQueryPath, mergedQueriesPath, { recursive: true });
+    }
+    const oauthConfig = {
+      ...DEFAULT_OAUTH_CONFIG,
+      ...options.providers?.oauth
+    };
+    const headlessLoginConfig = {
+      ...DEFAULT_HEADLESS_LOGIN_CONFIG,
+      ...options.providers?.headlessLogin
+    };
+    const passwordEnabled = options.providers?.password?.enabled ?? true;
+    const oauthEnabled = oauthConfig.enabled && !!oauthConfig.clientId;
+    const headlessLoginEnabled = headlessLoginConfig.enabled ?? false;
+    const nuxtWithFlag = nuxt;
+    if ((passwordEnabled || headlessLoginEnabled) && !nuxtWithFlag._wpnuxtAuthValidated) {
+      nuxtWithFlag._wpnuxtAuthValidated = true;
+      const schemaPath = join(nuxt.options.rootDir, "schema.graphql");
+      validateAuthSchema(schemaPath, {
+        requirePassword: passwordEnabled,
+        requireHeadlessLogin: headlessLoginEnabled
+      });
+    }
     nuxt.options.runtimeConfig.public.wpNuxtAuth = {
       cookieName: options.cookieName,
       refreshCookieName: options.refreshCookieName,
@@ -27,19 +161,73 @@ const module$1 = defineNuxtModule({
       refreshTokenMaxAge: options.refreshTokenMaxAge,
       redirectOnLogin: options.redirectOnLogin,
       redirectOnLogout: options.redirectOnLogout,
-      loginPage: options.loginPage
+      loginPage: options.loginPage,
+      providers: {
+        password: { enabled: passwordEnabled },
+        oauth: {
+          enabled: oauthEnabled,
+          clientId: oauthConfig.clientId,
+          authorizationEndpoint: oauthConfig.authorizationEndpoint,
+          scopes: oauthConfig.scopes
+        },
+        headlessLogin: {
+          enabled: headlessLoginEnabled
+        }
+      }
     };
+    if (oauthEnabled) {
+      nuxt.options.runtimeConfig.wpNuxtAuthOAuth = {
+        clientId: oauthConfig.clientId,
+        clientSecret: oauthConfig.clientSecret,
+        tokenEndpoint: oauthConfig.tokenEndpoint,
+        userInfoEndpoint: oauthConfig.userInfoEndpoint
+      };
+    }
     addPlugin(resolver.resolve("./runtime/plugins/auth"));
     addImports([
       { name: "useWPAuth", from: resolver.resolve("./runtime/composables/useWPAuth") },
       { name: "useWPUser", from: resolver.resolve("./runtime/composables/useWPUser") }
     ]);
+    addServerHandler({
+      route: "/api/_wpnuxt-auth/logout",
+      method: "post",
+      handler: resolver.resolve("./runtime/server/api/auth/logout.post")
+    });
+    if (oauthEnabled) {
+      addServerHandler({
+        route: "/api/_wpnuxt-auth/oauth/authorize",
+        method: "get",
+        handler: resolver.resolve("./runtime/server/api/auth/oauth/authorize.get")
+      });
+      addServerHandler({
+        route: "/api/_wpnuxt-auth/oauth/callback",
+        method: "get",
+        handler: resolver.resolve("./runtime/server/api/auth/oauth/callback.get")
+      });
+    }
+    if (headlessLoginEnabled) {
+      addServerHandler({
+        route: "/api/_wpnuxt-auth/provider/:provider/authorize",
+        method: "get",
+        handler: resolver.resolve("./runtime/server/api/auth/provider/[provider]/authorize.get")
+      });
+      addServerHandler({
+        route: "/api/_wpnuxt-auth/provider/:provider/callback",
+        method: "get",
+        handler: resolver.resolve("./runtime/server/api/auth/provider/[provider]/callback.get")
+      });
+    }
     nuxt.hook("prepare:types", ({ references }) => {
       references.push({
         path: resolver.resolve("./runtime/types/index.ts")
       });
     });
-    console.log("[WPNuxt Auth] Module loaded");
+    const logger = useLogger("wpnuxt:auth");
+    const providers = [];
+    if (passwordEnabled) providers.push("password");
+    if (oauthEnabled) providers.push("oauth");
+    if (headlessLoginEnabled) providers.push("headlessLogin");
+    logger.info(`Module loaded (providers: ${providers.join(", ") || "none"})`);
   }
 });
 

package/dist/runtime/composables/useWPAuth.js

@@ -1,4 +1,5 @@
 import { computed, useState, useCookie, useRuntimeConfig, navigateTo, useGraphqlMutation } from "#imports";
+import { logger } from "../utils/logger.js";
 export function useWPAuth() {
   const config = useRuntimeConfig().public.wpNuxtAuth;
   const authState = useState("wpnuxt-auth", () => ({
@@ -12,11 +13,16 @@ export function useWPAuth() {
     secure: process.env.NODE_ENV === "production",
     sameSite: "lax"
   });
-  const refreshToken = useCookie(config.refreshCookieName, {
+  const refreshTokenCookie = useCookie(config.refreshCookieName, {
     maxAge: config.refreshTokenMaxAge,
     secure: process.env.NODE_ENV === "production",
     sameSite: "lax"
   });
+  const userDataCookie = useCookie("wpnuxt-user", {
+    maxAge: config.tokenMaxAge,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax"
+  });
   async function login(credentials) {
     authState.value.isLoading = true;
     authState.value.error = null;
@@ -31,18 +37,20 @@ export function useWPAuth() {
         authState.value.isLoading = false;
         return { success: false, error: errorMessage };
       }
-      if (data?.login) {
-        authToken.value = data.login.authToken;
-        refreshToken.value = data.login.refreshToken;
-        authState.value.user = data.login.user;
+      const loginData = data;
+      if (loginData?.login) {
+        authToken.value = loginData.login.authToken;
+        refreshTokenCookie.value = loginData.login.refreshToken;
+        userDataCookie.value = JSON.stringify(loginData.login.user);
+        authState.value.user = loginData.login.user;
         authState.value.isAuthenticated = true;
         authState.value.isLoading = false;
         return {
           success: true,
-          user: data.login.user,
+          user: loginData.login.user,
           tokens: {
-            authToken: data.login.authToken,
-            refreshToken: data.login.refreshToken
+            authToken: loginData.login.authToken,
+            refreshToken: loginData.login.refreshToken
           }
         };
       }
@@ -56,8 +64,11 @@ export function useWPAuth() {
     }
   }
   async function logout() {
+    await $fetch("/api/_wpnuxt-auth/logout", { method: "POST" }).catch(() => {
+    });
     authToken.value = null;
-    refreshToken.value = null;
+    refreshTokenCookie.value = null;
+    userDataCookie.value = null;
     authState.value.user = null;
     authState.value.isAuthenticated = false;
     authState.value.error = null;
@@ -66,27 +77,129 @@ export function useWPAuth() {
     }
   }
   async function refresh() {
-    if (!refreshToken.value) {
-      return false;
+    if (!refreshTokenCookie.value) {
+      return { success: false, error: "No refresh token available" };
     }
     try {
-      const { data, errors } = await useGraphqlMutation("RefreshAuthToken", {
-        refreshToken: refreshToken.value
+      const { data, errors } = await useGraphqlMutation("RefreshToken", {
+        refreshToken: refreshTokenCookie.value
       });
-      if (errors?.length || !data?.refreshJwtAuthToken) {
-        await logout();
-        return false;
+      if (errors?.length) {
+        const errorMessage = errors[0]?.message || "Token refresh failed";
+        authToken.value = null;
+        refreshTokenCookie.value = null;
+        userDataCookie.value = null;
+        authState.value.isAuthenticated = false;
+        authState.value.user = null;
+        authState.value.error = errorMessage;
+        return { success: false, error: errorMessage };
       }
-      authToken.value = data.refreshJwtAuthToken.authToken;
-      return true;
-    } catch {
-      await logout();
-      return false;
+      const refreshData = data;
+      if (!refreshData?.refreshToken?.success) {
+        const errorMessage = "Token refresh was not successful";
+        authToken.value = null;
+        refreshTokenCookie.value = null;
+        userDataCookie.value = null;
+        authState.value.isAuthenticated = false;
+        authState.value.user = null;
+        authState.value.error = errorMessage;
+        return { success: false, error: errorMessage };
+      }
+      authToken.value = refreshData.refreshToken.authToken;
+      authState.value.error = null;
+      return { success: true };
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : "Token refresh failed unexpectedly";
+      authToken.value = null;
+      refreshTokenCookie.value = null;
+      userDataCookie.value = null;
+      authState.value.isAuthenticated = false;
+      authState.value.user = null;
+      authState.value.error = errorMessage;
+      return { success: false, error: errorMessage };
     }
   }
   function getToken() {
     return authToken.value || null;
   }
+  function getProviders() {
+    const providers = config.providers;
+    return {
+      password: providers?.password?.enabled ?? true,
+      oauth: providers?.oauth?.enabled ?? false,
+      headlessLogin: providers?.headlessLogin?.enabled ?? false
+    };
+  }
+  async function loginWithOAuth() {
+    const providers = getProviders();
+    if (!providers.oauth) {
+      logger.warn("OAuth is not enabled");
+      return;
+    }
+    await navigateTo("/api/_wpnuxt-auth/oauth/authorize", { external: true });
+  }
+  function hasPasswordAuth() {
+    return getProviders().password;
+  }
+  function hasOAuthAuth() {
+    return getProviders().oauth;
+  }
+  function hasHeadlessLoginAuth() {
+    return getProviders().headlessLogin;
+  }
+  async function fetchHeadlessLoginProviders() {
+    if (!hasHeadlessLoginAuth()) {
+      return [];
+    }
+    try {
+      const runtimeConfig = useRuntimeConfig();
+      const wordpressUrl = runtimeConfig.public.wordpressUrl;
+      const graphqlEndpoint = runtimeConfig.public.wpNuxt?.graphqlEndpoint || "/graphql";
+      if (!wordpressUrl) {
+        logger.warn("WordPress URL not configured");
+        return [];
+      }
+      const response = await $fetch(`${wordpressUrl}${graphqlEndpoint}`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: {
+          query: `
+            query LoginClients {
+              loginClients {
+                name
+                provider
+                authorizationUrl
+                isEnabled
+              }
+            }
+          `
+        }
+      });
+      if (response.errors?.length) {
+        logger.warn("Failed to fetch login clients:", response.errors[0]?.message);
+        return [];
+      }
+      const clients = response.data?.loginClients || [];
+      return clients.filter(
+        (client) => client.isEnabled && client.provider !== "PASSWORD" && client.provider !== "SITETOKEN" && client.authorizationUrl
+      ).map((client) => ({
+        name: client.name,
+        provider: client.provider,
+        authorizationUrl: client.authorizationUrl,
+        isEnabled: client.isEnabled
+      }));
+    } catch (error) {
+      logger.warn("Failed to fetch login providers:", error);
+      return [];
+    }
+  }
+  async function loginWithProvider(provider) {
+    if (!hasHeadlessLoginAuth()) {
+      logger.warn("Headless Login is not enabled");
+      return;
+    }
+    await navigateTo(`/api/_wpnuxt-auth/provider/${provider.toLowerCase()}/authorize`, { external: true });
+  }
   return {
     // State
     state: authState,
@@ -96,8 +209,15 @@ export function useWPAuth() {
     error: computed(() => authState.value.error),
     // Methods
     login,
+    loginWithOAuth,
+    loginWithProvider,
     logout,
     refresh,
-    getToken
+    getToken,
+    getProviders,
+    hasPasswordAuth,
+    hasOAuthAuth,
+    hasHeadlessLoginAuth,
+    fetchHeadlessLoginProviders
   };
 }

package/dist/runtime/composables/useWPUser.js

@@ -8,12 +8,13 @@ export function useWPUser() {
     errorState.value = null;
     try {
       const { data, errors } = await useGraphqlQuery("Viewer");
+      const viewerData = data;
       if (errors?.length) {
         errorState.value = errors[0]?.message || "Failed to fetch user";
         loadingState.value = false;
         return null;
       }
-      userState.value = data?.viewer || null;
+      userState.value = viewerData?.viewer || null;
       loadingState.value = false;
       return userState.value;
     } catch (error) {

package/dist/runtime/plugins/auth.js

@@ -11,8 +11,18 @@ export default defineNuxtPlugin({
       error: null
     }));
     const authToken = useCookie(config.cookieName);
+    const headlessLoginUserCookie = useCookie("wpnuxt-user");
+    const oauthUserCookie = useCookie("wpnuxt-oauth-user");
     if (authToken.value) {
       authState.value.isAuthenticated = true;
+      const userCookieValue = headlessLoginUserCookie.value || oauthUserCookie.value;
+      if (userCookieValue) {
+        try {
+          const userData = typeof userCookieValue === "string" ? JSON.parse(userCookieValue) : userCookieValue;
+          authState.value.user = userData;
+        } catch {
+        }
+      }
     }
     authState.value.isLoading = false;
   }

package/dist/runtime/queries/Auth.gql

@@ -1,8 +1,17 @@
-# Login mutation for WPGraphQL JWT Authentication
+# Login with username and password
+# Requires: Headless Login for WPGraphQL plugin
 mutation Login($username: String!, $password: String!) {
-  login(input: { username: $username, password: $password }) {
+  login(input: {
+    provider: PASSWORD
+    credentials: {
+      username: $username
+      password: $password
+    }
+  }) {
     authToken
+    authTokenExpiration
     refreshToken
+    refreshTokenExpiration
     user {
       id
       databaseId
@@ -23,9 +32,106 @@ mutation Login($username: String!, $password: String!) {
   }
 }
 
-# Refresh auth token mutation
-mutation RefreshAuthToken($refreshToken: String!) {
-  refreshJwtAuthToken(input: { jwtRefreshToken: $refreshToken }) {
+# Refresh authentication token
+mutation RefreshToken($refreshToken: String!) {
+  refreshToken(input: { refreshToken: $refreshToken }) {
     authToken
+    authTokenExpiration
+    success
+  }
+}
+
+# Register a new user (requires user registration to be enabled in WordPress)
+mutation RegisterUser($username: String!, $email: String!, $password: String!) {
+  registerUser(input: { username: $username, email: $email, password: $password }) {
+    user {
+      id
+      databaseId
+      username
+      email
+      name
+    }
+  }
+}
+
+# Update the current user's profile
+mutation UpdateUser($id: ID!, $firstName: String, $lastName: String, $nickname: String, $description: String) {
+  updateUser(input: { id: $id, firstName: $firstName, lastName: $lastName, nickname: $nickname, description: $description }) {
+    user {
+      id
+      databaseId
+      username
+      email
+      firstName
+      lastName
+      nickname
+      name
+      description
+    }
+  }
+}
+
+# Send password reset email
+mutation SendPasswordResetEmail($username: String!) {
+  sendPasswordResetEmail(input: { username: $username }) {
+    success
+  }
+}
+
+# Reset password with key from email
+mutation ResetUserPassword($key: String!, $login: String!, $password: String!) {
+  resetUserPassword(input: { key: $key, login: $login, password: $password }) {
+    user {
+      id
+      databaseId
+      username
+      email
+    }
+  }
+}
+
+# Get available login clients/providers from Headless Login for WPGraphQL
+query LoginClients {
+  loginClients {
+    name
+    provider
+    authorizationUrl
+    isEnabled
+  }
+}
+
+# Login with an OAuth provider (Google, GitHub, etc.) using authorization code
+# Requires: Headless Login for WPGraphQL plugin with provider configured
+mutation LoginWithProvider($provider: LoginProviderEnum!, $code: String!, $state: String) {
+  login(input: {
+    provider: $provider
+    oauthResponse: {
+      code: $code
+      state: $state
+    }
+  }) {
+    authToken
+    authTokenExpiration
+    refreshToken
+    refreshTokenExpiration
+    user {
+      id
+      databaseId
+      name
+      email
+      firstName
+      lastName
+      username
+      nickname
+      description
+      avatar {
+        url
+      }
+      roles {
+        nodes {
+          name
+        }
+      }
+    }
   }
 }

package/dist/runtime/queries/Viewer.gql

@@ -0,0 +1,26 @@
+query Viewer {
+  viewer {
+    id
+    databaseId
+    userId
+    username
+    email
+    firstName
+    lastName
+    name
+    nickname
+    description
+    locale
+    url
+    uri
+    avatar {
+      url
+    }
+    roles {
+      nodes {
+        name
+      }
+    }
+    capabilities
+  }
+}

package/dist/runtime/queries/fragments/GeneralSettings.fragment.gql

@@ -0,0 +1,11 @@
+fragment GeneralSettings on GeneralSettings {
+  title
+  description
+  url
+  dateFormat
+  language
+  startOfWeek
+  timezone
+  timeFormat
+  email
+}

package/dist/runtime/server/api/auth/logout.post.js

@@ -0,0 +1,18 @@
+import { defineEventHandler, deleteCookie } from "h3";
+import { useRuntimeConfig } from "#imports";
+export default defineEventHandler((event) => {
+  const config = useRuntimeConfig().public.wpNuxtAuth;
+  deleteCookie(event, config.cookieName, {
+    path: "/"
+  });
+  deleteCookie(event, config.refreshCookieName, {
+    path: "/"
+  });
+  deleteCookie(event, "wpnuxt-oauth-user", {
+    path: "/"
+  });
+  deleteCookie(event, "wpnuxt-oauth-state", {
+    path: "/"
+  });
+  return { success: true };
+});

package/dist/runtime/server/api/auth/oauth/authorize.get.js

@@ -0,0 +1,42 @@
+import { defineEventHandler, setCookie, getRequestURL, setResponseStatus, setResponseHeader, createError } from "h3";
+import { useRuntimeConfig } from "#imports";
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const publicConfig = config.public.wpNuxtAuth;
+  const wordpressUrl = config.public.wordpressUrl;
+  if (!wordpressUrl) {
+    throw createError({
+      statusCode: 500,
+      message: "[wpnuxt:auth] WordPress URL not configured"
+    });
+  }
+  if (!publicConfig.providers.oauth.enabled) {
+    throw createError({
+      statusCode: 403,
+      message: "[wpnuxt:auth] OAuth authentication is not enabled"
+    });
+  }
+  const state = crypto.randomUUID();
+  setCookie(event, "wpnuxt-oauth-state", state, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    maxAge: 600,
+    // 10 minutes
+    path: "/"
+  });
+  const requestUrl = getRequestURL(event);
+  const callbackUrl = `${requestUrl.origin}/api/_wpnuxt-auth/oauth/callback`;
+  const authUrl = new URL(
+    publicConfig.providers.oauth.authorizationEndpoint,
+    wordpressUrl
+  );
+  authUrl.searchParams.set("response_type", "code");
+  authUrl.searchParams.set("client_id", publicConfig.providers.oauth.clientId);
+  authUrl.searchParams.set("redirect_uri", callbackUrl);
+  authUrl.searchParams.set("state", state);
+  authUrl.searchParams.set("scope", publicConfig.providers.oauth.scopes.join(" "));
+  setResponseStatus(event, 302);
+  setResponseHeader(event, "Location", authUrl.toString());
+  return "";
+});

package/dist/runtime/server/api/auth/oauth/callback.get.js

@@ -0,0 +1,106 @@
+import { defineEventHandler, getQuery, getCookie, setCookie, deleteCookie, sendRedirect, createError, getRequestURL } from "h3";
+import { useRuntimeConfig } from "#imports";
+import { logger } from "../../../utils/logger.js";
+export default defineEventHandler(async (event) => {
+  const query = getQuery(event);
+  const config = useRuntimeConfig();
+  const publicConfig = config.public.wpNuxtAuth;
+  const privateConfig = config.wpNuxtAuthOAuth;
+  const wordpressUrl = config.public.wordpressUrl;
+  if (!wordpressUrl) {
+    throw createError({ statusCode: 500, message: "WordPress URL not configured" });
+  }
+  if (!privateConfig) {
+    throw createError({ statusCode: 500, message: "OAuth not configured" });
+  }
+  if (query.error) {
+    const errorDesc = query.error_description || query.error;
+    throw createError({ statusCode: 400, message: `OAuth error: ${errorDesc}` });
+  }
+  const code = query.code;
+  if (!code) {
+    throw createError({ statusCode: 400, message: "Missing authorization code" });
+  }
+  const state = query.state;
+  const storedState = getCookie(event, "wpnuxt-oauth-state");
+  if (!state || state !== storedState) {
+    throw createError({ statusCode: 400, message: "Invalid state parameter" });
+  }
+  deleteCookie(event, "wpnuxt-oauth-state");
+  const requestUrl = getRequestURL(event);
+  const callbackUrl = `${requestUrl.origin}/api/_wpnuxt-auth/oauth/callback`;
+  const tokenUrl = new URL(privateConfig.tokenEndpoint, wordpressUrl);
+  const tokenResponse = await $fetch(tokenUrl.toString(), {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded"
+    },
+    body: new URLSearchParams({
+      grant_type: "authorization_code",
+      code,
+      redirect_uri: callbackUrl,
+      client_id: privateConfig.clientId,
+      client_secret: privateConfig.clientSecret
+    }).toString()
+  }).catch((error) => {
+    logger.error("Token exchange failed:", error);
+    throw createError({ statusCode: 500, message: "Failed to exchange authorization code" });
+  });
+  if (!tokenResponse.access_token) {
+    throw createError({ statusCode: 500, message: "No access token received" });
+  }
+  const userInfoUrl = new URL(privateConfig.userInfoEndpoint, wordpressUrl);
+  const userInfo = await $fetch(userInfoUrl.toString(), {
+    headers: {
+      Authorization: `Bearer ${tokenResponse.access_token}`
+    }
+  }).catch((error) => {
+    logger.error("User info fetch failed:", error);
+    return null;
+  });
+  const isProduction = process.env.NODE_ENV === "production";
+  setCookie(event, publicConfig.cookieName, tokenResponse.access_token, {
+    httpOnly: true,
+    secure: isProduction,
+    sameSite: "lax",
+    maxAge: tokenResponse.expires_in || publicConfig.tokenMaxAge,
+    path: "/"
+  });
+  if (tokenResponse.refresh_token) {
+    setCookie(event, publicConfig.refreshCookieName, tokenResponse.refresh_token, {
+      httpOnly: true,
+      secure: isProduction,
+      sameSite: "lax",
+      maxAge: publicConfig.refreshTokenMaxAge,
+      path: "/"
+    });
+  }
+  if (userInfo) {
+    const userId = userInfo.sub || userInfo.id || userInfo.ID;
+    const firstName = userInfo.given_name || userInfo.first_name || "";
+    const lastName = userInfo.family_name || userInfo.last_name || "";
+    const displayName = userInfo.name || userInfo.display_name || `${firstName} ${lastName}`.trim();
+    const username = userInfo.preferred_username || userInfo.username || userInfo.user_login || userInfo.nickname;
+    const avatarUrl = userInfo.picture || userInfo.avatar_url;
+    const userData = {
+      id: userId?.toString() || "",
+      databaseId: typeof userId === "number" ? userId : Number.parseInt(userId?.toString() || "0", 10),
+      email: userInfo.email,
+      name: displayName,
+      firstName,
+      lastName,
+      username,
+      nickname: userInfo.nickname,
+      avatar: avatarUrl ? { url: avatarUrl } : void 0
+    };
+    setCookie(event, "wpnuxt-oauth-user", JSON.stringify(userData), {
+      httpOnly: false,
+      // Client needs to read this
+      secure: isProduction,
+      sameSite: "lax",
+      maxAge: tokenResponse.expires_in || publicConfig.tokenMaxAge,
+      path: "/"
+    });
+  }
+  return sendRedirect(event, publicConfig.redirectOnLogin);
+});

package/dist/runtime/server/api/auth/provider/[provider]/authorize.get.js

@@ -0,0 +1,82 @@
+import { defineEventHandler, getRouterParam, setCookie, sendRedirect, createError, getRequestURL } from "h3";
+import { useRuntimeConfig } from "#imports";
+import { logger } from "../../../../utils/logger.js";
+export default defineEventHandler(async (event) => {
+  const provider = getRouterParam(event, "provider");
+  if (!provider) {
+    throw createError({ statusCode: 400, message: "Missing provider parameter" });
+  }
+  const config = useRuntimeConfig();
+  const wordpressUrl = config.public.wordpressUrl;
+  const wpNuxtConfig = config.public.wpNuxt;
+  const graphqlEndpoint = wpNuxtConfig?.graphqlEndpoint || "/graphql";
+  if (!wordpressUrl) {
+    throw createError({ statusCode: 500, message: "WordPress URL not configured" });
+  }
+  const graphqlUrl = `${wordpressUrl}${graphqlEndpoint}`;
+  const response = await $fetch(graphqlUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json"
+    },
+    body: {
+      query: `
+        query LoginClients {
+          loginClients {
+            name
+            provider
+            authorizationUrl
+            isEnabled
+          }
+        }
+      `
+    }
+  }).catch((error) => {
+    logger.error("Failed to fetch login clients:", error);
+    throw createError({ statusCode: 500, message: "Failed to fetch login providers from WordPress" });
+  });
+  if (response.errors?.length) {
+    logger.error("GraphQL errors:", response.errors);
+    throw createError({ statusCode: 500, message: response.errors[0]?.message || "GraphQL error" });
+  }
+  const loginClients = response.data?.loginClients || [];
+  const providerUpperCase = provider.toUpperCase();
+  const loginClient = loginClients.find(
+    (client) => client.provider === providerUpperCase && client.isEnabled
+  );
+  if (!loginClient) {
+    throw createError({
+      statusCode: 404,
+      message: `Provider '${provider}' not found or not enabled. Available providers: ${loginClients.filter((c) => c.isEnabled).map((c) => c.name).join(", ")}`
+    });
+  }
+  if (!loginClient.authorizationUrl) {
+    throw createError({
+      statusCode: 500,
+      message: `Provider '${provider}' does not have an authorization URL configured`
+    });
+  }
+  const state = crypto.randomUUID();
+  const isProduction = process.env.NODE_ENV === "production";
+  setCookie(event, "wpnuxt-headless-login-state", state, {
+    httpOnly: true,
+    secure: isProduction,
+    sameSite: "lax",
+    maxAge: 600,
+    // 10 minutes
+    path: "/"
+  });
+  setCookie(event, "wpnuxt-headless-login-provider", providerUpperCase, {
+    httpOnly: true,
+    secure: isProduction,
+    sameSite: "lax",
+    maxAge: 600,
+    path: "/"
+  });
+  const authUrl = new URL(loginClient.authorizationUrl);
+  authUrl.searchParams.set("state", state);
+  const requestUrl = getRequestURL(event);
+  const callbackUrl = `${requestUrl.origin}/api/_wpnuxt-auth/provider/${provider}/callback`;
+  authUrl.searchParams.set("redirect_uri", callbackUrl);
+  return sendRedirect(event, authUrl.toString());
+});

package/dist/runtime/server/api/auth/provider/[provider]/callback.get.js

@@ -0,0 +1,136 @@
+import { defineEventHandler, getQuery, getRouterParam, getCookie, setCookie, deleteCookie, sendRedirect, createError } from "h3";
+import { useRuntimeConfig } from "#imports";
+import { logger } from "../../../../utils/logger.js";
+export default defineEventHandler(async (event) => {
+  const query = getQuery(event);
+  const routeProvider = getRouterParam(event, "provider");
+  const config = useRuntimeConfig();
+  const publicConfig = config.public.wpNuxtAuth;
+  const wordpressUrl = config.public.wordpressUrl;
+  const wpNuxtConfig = config.public.wpNuxt;
+  const graphqlEndpoint = wpNuxtConfig?.graphqlEndpoint || "/graphql";
+  if (!wordpressUrl) {
+    throw createError({ statusCode: 500, message: "WordPress URL not configured" });
+  }
+  if (query.error) {
+    const errorDesc = query.error_description || query.error;
+    throw createError({ statusCode: 400, message: `OAuth error: ${errorDesc}` });
+  }
+  const code = query.code;
+  if (!code) {
+    throw createError({ statusCode: 400, message: "Missing authorization code" });
+  }
+  const state = query.state;
+  const storedState = getCookie(event, "wpnuxt-headless-login-state");
+  if (!state || state !== storedState) {
+    throw createError({ statusCode: 400, message: "Invalid state parameter" });
+  }
+  const storedProvider = getCookie(event, "wpnuxt-headless-login-provider");
+  const provider = storedProvider || routeProvider?.toUpperCase();
+  if (!provider) {
+    throw createError({ statusCode: 400, message: "Missing provider information" });
+  }
+  deleteCookie(event, "wpnuxt-headless-login-state");
+  deleteCookie(event, "wpnuxt-headless-login-provider");
+  const graphqlUrl = `${wordpressUrl}${graphqlEndpoint}`;
+  const response = await $fetch(graphqlUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json"
+    },
+    body: {
+      query: `
+        mutation LoginWithProvider($provider: LoginProviderEnum!, $code: String!, $state: String) {
+          login(input: {
+            provider: $provider
+            oauthResponse: {
+              code: $code
+              state: $state
+            }
+          }) {
+            authToken
+            authTokenExpiration
+            refreshToken
+            refreshTokenExpiration
+            user {
+              id
+              databaseId
+              name
+              email
+              firstName
+              lastName
+              username
+              nickname
+              description
+              avatar {
+                url
+              }
+              roles {
+                nodes {
+                  name
+                }
+              }
+            }
+          }
+        }
+      `,
+      variables: {
+        provider,
+        code,
+        state
+      }
+    }
+  }).catch((error) => {
+    logger.error("Login mutation failed:", error);
+    throw createError({ statusCode: 500, message: "Failed to authenticate with WordPress" });
+  });
+  if (response.errors?.length) {
+    logger.error("GraphQL errors:", response.errors);
+    throw createError({ statusCode: 400, message: response.errors[0]?.message || "Authentication failed" });
+  }
+  const loginData = response.data?.login;
+  if (!loginData?.authToken) {
+    throw createError({ statusCode: 500, message: "No auth token received from WordPress" });
+  }
+  const isProduction = process.env.NODE_ENV === "production";
+  setCookie(event, publicConfig.cookieName, loginData.authToken, {
+    httpOnly: true,
+    secure: isProduction,
+    sameSite: "lax",
+    maxAge: publicConfig.tokenMaxAge,
+    path: "/"
+  });
+  if (loginData.refreshToken) {
+    setCookie(event, publicConfig.refreshCookieName, loginData.refreshToken, {
+      httpOnly: true,
+      secure: isProduction,
+      sameSite: "lax",
+      maxAge: publicConfig.refreshTokenMaxAge,
+      path: "/"
+    });
+  }
+  if (loginData.user) {
+    const userData = {
+      id: loginData.user.id,
+      databaseId: loginData.user.databaseId,
+      email: loginData.user.email,
+      name: loginData.user.name,
+      firstName: loginData.user.firstName,
+      lastName: loginData.user.lastName,
+      username: loginData.user.username,
+      nickname: loginData.user.nickname,
+      description: loginData.user.description,
+      avatar: loginData.user.avatar,
+      roles: loginData.user.roles
+    };
+    setCookie(event, "wpnuxt-user", JSON.stringify(userData), {
+      httpOnly: false,
+      // Client needs to read this for hydration
+      secure: isProduction,
+      sameSite: "lax",
+      maxAge: publicConfig.tokenMaxAge,
+      path: "/"
+    });
+  }
+  return sendRedirect(event, publicConfig.redirectOnLogin);
+});

package/dist/runtime/server/utils/logger.js

@@ -0,0 +1,2 @@
+import { consola } from "consola";
+export const logger = consola.withTag("wpnuxt:auth");

package/dist/runtime/types/nuxt-schema.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Stub for nuxt/schema types
+ * Used during module development when Nuxt types aren't available
+ */
+
+export interface PublicRuntimeConfig {
+  [key: string]: unknown
+}
+
+export interface RuntimeConfig {
+  public: PublicRuntimeConfig
+  [key: string]: unknown
+}
+
+export interface NuxtConfig {
+  runtimeConfig?: RuntimeConfig
+  [key: string]: unknown
+}

package/dist/runtime/types/stub.d.ts

@@ -0,0 +1,98 @@
+/**
+ * Type stubs for Nuxt-generated imports.
+ * These are used during module development when .nuxt folder doesn't exist.
+ * Actual types are generated at runtime in consuming applications.
+ */
+
+import type { ComputedRef, Ref } from 'vue'
+import type { NuxtApp } from 'nuxt/app'
+
+// Navigation options
+interface NavigateToOptions {
+  replace?: boolean
+  redirectCode?: number
+  external?: boolean
+}
+
+// Cookie options
+interface CookieOptions {
+  maxAge?: number
+  expires?: Date
+  path?: string
+  domain?: string
+  secure?: boolean
+  sameSite?: 'strict' | 'lax' | 'none'
+}
+
+// OAuth public config (without secrets)
+interface OAuthPublicConfig {
+  enabled: boolean
+  clientId: string
+  authorizationEndpoint: string
+  scopes: string[]
+}
+
+// Headless Login public config
+interface HeadlessLoginPublicConfig {
+  enabled: boolean
+}
+
+// Public providers config (without secrets)
+interface AuthProvidersPublic {
+  password: { enabled: boolean }
+  oauth: OAuthPublicConfig
+  headlessLogin: HeadlessLoginPublicConfig
+}
+
+// WPNuxt Auth public config interface
+interface WPNuxtAuthPublicConfig {
+  cookieName: string
+  refreshCookieName: string
+  tokenMaxAge: number
+  refreshTokenMaxAge: number
+  redirectOnLogin: string
+  redirectOnLogout: string
+  loginPage: string
+  providers: AuthProvidersPublic
+}
+
+// Runtime config interface
+interface RuntimeConfig {
+  public: {
+    wpNuxtAuth: WPNuxtAuthPublicConfig
+    wordpressUrl?: string
+    [key: string]: unknown
+  }
+  wpNuxtAuth?: WPNuxtAuthPublicConfig
+  [key: string]: unknown
+}
+
+// Nuxt plugin with name
+interface NuxtPluginConfig {
+  name?: string
+  enforce?: 'pre' | 'post'
+  setup?: (nuxtApp: NuxtApp) => void | Promise<void>
+}
+
+// Stub for #imports - Vue reactivity
+export function computed<T>(getter: () => T): ComputedRef<T>
+
+// Stub for #imports - Nuxt
+export function defineNuxtPlugin(plugin: NuxtPluginConfig | ((nuxtApp: NuxtApp) => void | Promise<void>)): unknown
+export function navigateTo(to: string | { path: string }, options?: NavigateToOptions): Promise<void>
+export function useCookie<T = string>(name: string, options?: CookieOptions): Ref<T | null>
+export function useRuntimeConfig(): RuntimeConfig
+export function useState<T = unknown>(key: string, init?: () => T): Ref<T>
+
+// Stub for #imports - nuxt-graphql-middleware
+export function useGraphqlMutation<T = unknown>(
+  name: string,
+  variables?: Record<string, unknown>,
+  options?: Record<string, unknown>
+): Promise<{ data: T | null, error: Error | null }>
+
+export function useGraphqlQuery<T = unknown>(
+  name: string,
+  params?: Record<string, unknown>,
+  options?: Record<string, unknown>
+): { data: Ref<T | null>, pending: Ref<boolean>, error: Ref<Error | null> }

package/dist/runtime/utils/logger.js

@@ -0,0 +1,2 @@
+import { consola } from "consola";
+export const logger = consola.withTag("wpnuxt:auth");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wpnuxt/auth",
-  "version": "2.0.0-alpha.1",
+  "version": "2.0.0-alpha.10",
   "description": "Authentication module for WPNuxt using WPGraphQL JWT",
   "keywords": [
     "nuxt",
@@ -34,22 +34,26 @@
     "access": "public"
   },
   "dependencies": {
-    "@nuxt/kit": "4.2.2"
+    "@nuxt/kit": "4.3.0"
   },
   "devDependencies": {
     "@nuxt/module-builder": "^1.0.2",
-    "@nuxt/schema": "4.2.2",
-    "@types/node": "^25.0.3",
-    "nuxt": "4.2.2",
-    "vue-tsc": "^3.2.1"
+    "@nuxt/schema": "4.3.0",
+    "@nuxt/test-utils": "^3.23.0",
+    "@types/node": "^25.2.1",
+    "nuxt": "4.3.0",
+    "vitest": "^4.0.18",
+    "vue-tsc": "^3.2.3"
   },
   "peerDependencies": {
     "nuxt": "^4.0.0",
-    "@wpnuxt/core": "2.0.0-alpha.1"
+    "@wpnuxt/core": "2.0.0-alpha.10"
   },
   "scripts": {
     "build": "nuxt-module-build build",
-    "dev:prepare": "nuxt-module-build build --stub && nuxt-module-build prepare",
+    "dev:prepare": "nuxt-module-build build --stub",
+    "test": "vitest run",
+    "test:watch": "vitest watch",
     "typecheck": "vue-tsc --noEmit",
     "clean": "rm -rf dist .nuxt node_modules"
   }