@zitadel/astro-auth 1.2.0

package/dist/client.js

@@ -0,0 +1,157 @@
+// src/client.ts
+async function __getCsrfToken(prefix) {
+  const res = await fetch(`${prefix}/csrf`, {
+    method: "GET",
+    credentials: "same-origin",
+    headers: {
+      Accept: "application/json",
+      "X-Requested-With": "XMLHttpRequest"
+    },
+    cache: "no-store"
+  });
+  if (!res.ok) {
+    throw new Error(`Failed to fetch CSRF token (${res.status})`);
+  }
+  const json = await res.json().catch(() => {
+    throw new Error("CSRF endpoint returned non-JSON response");
+  });
+  const token = json?.csrfToken;
+  if (typeof token !== "string" || token.length === 0) {
+    throw new Error("Missing or invalid CSRF token");
+  }
+  return token;
+}
+function __normalizePathOnly(href) {
+  try {
+    const u = new URL(href, window.location.origin);
+    if (u.origin !== window.location.origin) {
+      return window.location.pathname + window.location.search + window.location.hash;
+    }
+    return u.pathname + u.search + u.hash;
+  } catch {
+    return window.location.pathname + window.location.search + window.location.hash;
+  }
+}
+function __safeRedirect(target, fallbackPathOnly) {
+  if (!target) return fallbackPathOnly;
+  try {
+    const u = new URL(target, window.location.origin);
+    if (u.origin !== window.location.origin) return fallbackPathOnly;
+    return u.href;
+  } catch {
+    return fallbackPathOnly;
+  }
+}
+async function signIn(providerId, options, authorizationParams) {
+  const initialCallbackUrl = options?.callbackUrl ?? window.location.href;
+  const redirect = options?.redirect ?? true;
+  const callbackUrl = __normalizePathOnly(initialCallbackUrl);
+  const prefix = options?.prefix ?? "/api/auth";
+  const { prefix: _p, callbackUrl: _c, redirect: _r, ...opts } = options ?? {};
+  const isCredentials = providerId === "credentials";
+  const isEmail = providerId === "email";
+  const isSupportingReturn = isCredentials || isEmail;
+  const signInUrl = isCredentials ? `${prefix}/callback/${providerId}` : `${prefix}/signin/${providerId}`;
+  if (!isSupportingReturn) {
+    const csrfToken2 = await __getCsrfToken(prefix);
+    const action = new URL(signInUrl, window.location.origin);
+    if (authorizationParams) {
+      for (const [k, v] of Object.entries(authorizationParams)) {
+        action.searchParams.set(k, v);
+      }
+    }
+    const form = document.createElement("form");
+    form.method = "POST";
+    form.action = action.pathname + action.search;
+    form.style.display = "none";
+    const fields = {
+      csrfToken: csrfToken2,
+      callbackUrl,
+      ...Object.fromEntries(
+        Object.entries(opts).map(([k, v]) => [k, String(v)])
+      )
+    };
+    for (const [name, value] of Object.entries(fields)) {
+      const input = document.createElement("input");
+      input.type = "hidden";
+      input.name = name;
+      input.value = value;
+      form.appendChild(input);
+    }
+    document.body.appendChild(form);
+    form.submit();
+    return;
+  }
+  const signInUrlWithParams = (() => {
+    const url = new URL(signInUrl, window.location.origin);
+    if (authorizationParams) {
+      for (const [k, v] of Object.entries(authorizationParams)) {
+        url.searchParams.set(k, v);
+      }
+    }
+    return url.pathname + url.search;
+  })();
+  const csrfToken = await __getCsrfToken(prefix);
+  const res = await fetch(signInUrlWithParams, {
+    method: "post",
+    credentials: "same-origin",
+    cache: "no-store",
+    headers: {
+      Accept: "application/json",
+      "Content-Type": "application/x-www-form-urlencoded",
+      "X-Auth-Return-Redirect": "1",
+      "X-Requested-With": "XMLHttpRequest"
+    },
+    body: new URLSearchParams({
+      ...opts,
+      csrfToken,
+      callbackUrl
+    })
+  });
+  const data = await res.clone().json().catch(() => ({}));
+  const error = data.url ? new URL(data.url).searchParams.get("error") : null;
+  if (redirect !== false || !isSupportingReturn || !error) {
+    const candidate = data.url ?? (res.redirected ? res.url : void 0);
+    const target = __safeRedirect(candidate, callbackUrl);
+    window.location.assign(target);
+    if (target && target.includes("#")) {
+      window.location.reload();
+    }
+    return;
+  } else {
+    return res;
+  }
+}
+async function signOut(options) {
+  const initialCallbackUrl = options?.callbackUrl ?? window.location.href;
+  const prefix = options?.prefix ?? "/api/auth";
+  const callbackUrl = __normalizePathOnly(initialCallbackUrl);
+  const csrfToken = await __getCsrfToken(prefix);
+  const res = await fetch(`${prefix}/signout`, {
+    method: "post",
+    credentials: "same-origin",
+    cache: "no-store",
+    headers: {
+      Accept: "application/json",
+      "Content-Type": "application/x-www-form-urlencoded",
+      "X-Auth-Return-Redirect": "1",
+      "X-Requested-With": "XMLHttpRequest"
+    },
+    body: new URLSearchParams({
+      csrfToken,
+      callbackUrl
+    })
+  });
+  const data = await res.json().catch(() => ({}));
+  const candidate = data.url ?? (res.redirected ? res.url : void 0);
+  const url = __safeRedirect(candidate, callbackUrl);
+  window.location.assign(url);
+  if (url.includes("#")) {
+    window.location.reload();
+  }
+}
+export {
+  signIn,
+  signOut
+};
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/client.ts"],"sourcesContent":["import type {\n  AstroSignInOptions,\n  AstroSignOutParams,\n  LiteralUnion,\n  SignInAuthorizationParams,\n} from './types.js';\n\nasync function __getCsrfToken(prefix: string): Promise<string> {\n  const res = await fetch(`${prefix}/csrf`, {\n    method: 'GET',\n    credentials: 'same-origin',\n    headers: {\n      Accept: 'application/json',\n      'X-Requested-With': 'XMLHttpRequest',\n    },\n    cache: 'no-store',\n  });\n  if (!res.ok) {\n    throw new Error(`Failed to fetch CSRF token (${res.status})`);\n  }\n  const json: unknown = await res.json().catch(() => {\n    throw new Error('CSRF endpoint returned non-JSON response');\n  });\n  const token = (json as { csrfToken?: string })?.csrfToken;\n  if (typeof token !== 'string' || token.length === 0) {\n    throw new Error('Missing or invalid CSRF token');\n  }\n  return token;\n}\n\nfunction __normalizePathOnly(href: string): string {\n  try {\n    const u = new URL(href, window.location.origin);\n    if (u.origin !== window.location.origin) {\n      return (\n        window.location.pathname + window.location.search + window.location.hash\n      );\n    }\n    return u.pathname + u.search + u.hash;\n  } catch {\n    return (\n      window.location.pathname + window.location.search + window.location.hash\n    );\n  }\n}\n\nfunction __safeRedirect(\n  target: string | null | undefined,\n  fallbackPathOnly: string,\n): string {\n  if (!target) return fallbackPathOnly;\n  try {\n    const u = new URL(target, window.location.origin);\n    if (u.origin !== window.location.origin) return fallbackPathOnly;\n    return u.href;\n  } catch {\n    return fallbackPathOnly;\n  }\n}\n\n/**\n * Initiates a sign-in flow with the specified authentication provider.\n *\n * This function handles authentication for different provider types using\n * the appropriate mechanism for each. OAuth providers require browser form\n * submission to properly handle redirect chains, while credential-based\n * providers can use fetch for JSON responses.\n *\n * @typeParam P - The provider identifier type for type-safe provider names\n * @param providerId - The authentication provider identifier (e.g., 'github',\n *                     'google', 'credentials')\n * @param options - Configuration options for the sign-in flow\n * @param authorizationParams - Additional OAuth authorization parameters to\n *                              pass to the provider\n * @returns Promise that resolves to Response for credential providers when\n *          redirect is false and an error occurs, otherwise void\n *\n * @remarks\n * **Why Different Mechanisms for Different Providers:**\n *\n * OAuth Providers (github, google, etc.):\n * - Auth.js responds with a 302 redirect to the OAuth provider's login page\n * - Using `fetch()` causes the browser to follow redirects in JS context\n * - The OAuth provider expects a real browser navigation, not XHR\n * - Result: fetch completes but no visible navigation occurs\n * - Solution: Use real form submission to let browser handle redirects\n *\n * Credential/Email Providers:\n * - Auth.js responds with JSON containing success/error information\n * - These providers need to return Response objects for error handling\n * - Using `fetch()` allows access to response data and conditional redirects\n * - Result: Can detect errors and optionally suppress redirect\n * - Solution: Use fetch with JSON response handling\n *\n * **Security Considerations:**\n * - All requests include CSRF token protection\n * - Callback URLs are normalized to prevent open redirect attacks\n * - Only same-origin URLs are allowed for redirects\n *\n * **Browser Compatibility:**\n * - Form submission approach works in all browsers including those that\n *   restrict fetch() behavior for cross-origin redirects\n * - Hash-based navigation triggers explicit reload for proper routing\n *\n * @example OAuth Provider Sign-In\n * ```ts\n * // Triggers form submission and browser navigation to GitHub\n * await signIn('github')\n * ```\n *\n * @example OAuth with Custom Callback\n * ```ts\n * await signIn('google', {\n *   callbackUrl: '/dashboard'\n * })\n * ```\n *\n * @example OAuth with Authorization Parameters\n * ```ts\n * await signIn('google', undefined, {\n *   prompt: 'consent',\n *   login_hint: 'user@example.com'\n * })\n * ```\n *\n * @example Credential Provider with Error Handling\n * ```ts\n * const response = await signIn('credentials', {\n *   redirect: false\n * }, {\n *   username: 'user',\n *   password: 'pass'\n * })\n *\n * if (response) {\n *   const data = await response.json()\n *   if (data.error) {\n *     console.error('Sign in failed:', data.error)\n *   }\n * }\n * ```\n *\n * @public\n */\nexport async function signIn<P extends string | undefined = undefined>(\n  providerId?: LiteralUnion<P extends string ? P | string : string>,\n  options?: AstroSignInOptions,\n  authorizationParams?: SignInAuthorizationParams,\n): Promise<Response | void> {\n  const initialCallbackUrl = options?.callbackUrl ?? window.location.href;\n  const redirect = options?.redirect ?? true;\n\n  const callbackUrl = __normalizePathOnly(initialCallbackUrl);\n\n  const prefix = options?.prefix ?? '/api/auth';\n  // eslint-disable-next-line @typescript-eslint/no-unused-vars\n  const { prefix: _p, callbackUrl: _c, redirect: _r, ...opts } = options ?? {};\n\n  const isCredentials = providerId === 'credentials';\n  const isEmail = providerId === 'email';\n  const isSupportingReturn = isCredentials || isEmail;\n\n  const signInUrl = isCredentials\n    ? `${prefix}/callback/${providerId}`\n    : `${prefix}/signin/${providerId}`;\n\n  // ========================================================================\n  // OAuth Provider Flow: Use Form Submission\n  // ========================================================================\n  // OAuth providers (GitHub, Google, etc.) require browser navigation to\n  // follow the 302 redirect chain to the provider's authorization page.\n  // Using fetch() keeps the redirect in JavaScript context, preventing the\n  // actual navigation from occurring. Form submission allows the browser to\n  // handle the redirect naturally.\n  if (!isSupportingReturn) {\n    const csrfToken: string = await __getCsrfToken(prefix);\n\n    // Build the form action URL with authorization parameters\n    const action = new URL(signInUrl, window.location.origin);\n    if (authorizationParams) {\n      for (const [k, v] of Object.entries(authorizationParams)) {\n        action.searchParams.set(k, v);\n      }\n    }\n\n    // Create a hidden form to submit the authentication request\n    const form = document.createElement('form');\n    form.method = 'POST';\n    form.action = action.pathname + action.search;\n    form.style.display = 'none';\n\n    // Add required fields for Auth.js\n    const fields: Record<string, string> = {\n      csrfToken,\n      callbackUrl,\n      ...Object.fromEntries(\n        Object.entries(opts).map(([k, v]) => [k, String(v)]),\n      ),\n    };\n\n    for (const [name, value] of Object.entries(fields)) {\n      const input = document.createElement('input');\n      input.type = 'hidden';\n      input.name = name;\n      input.value = value;\n      form.appendChild(input);\n    }\n\n    document.body.appendChild(form);\n    form.submit();\n    return;\n  }\n\n  // ========================================================================\n  // Credential/Email Provider Flow: Use Fetch\n  // ========================================================================\n  // Credential and email providers return JSON responses that may contain\n  // error information. Using fetch() allows us to inspect the response and\n  // conditionally handle redirects based on the redirect option and error\n  // state. This enables the redirect: false pattern for error handling.\n\n  const signInUrlWithParams = (() => {\n    const url = new URL(signInUrl, window.location.origin);\n    if (authorizationParams) {\n      for (const [k, v] of Object.entries(authorizationParams)) {\n        url.searchParams.set(k, v);\n      }\n    }\n    return url.pathname + url.search;\n  })();\n\n  const csrfToken: string = await __getCsrfToken(prefix);\n\n  const res = await fetch(signInUrlWithParams, {\n    method: 'post',\n    credentials: 'same-origin',\n    cache: 'no-store',\n    headers: {\n      Accept: 'application/json',\n      'Content-Type': 'application/x-www-form-urlencoded',\n      'X-Auth-Return-Redirect': '1',\n      'X-Requested-With': 'XMLHttpRequest',\n    },\n    body: new URLSearchParams({\n      ...opts,\n      csrfToken,\n      callbackUrl,\n    }),\n  });\n\n  const data: { url?: string } = await res\n    .clone()\n    .json()\n    .catch(() => ({}));\n  const error = data.url ? new URL(data.url).searchParams.get('error') : null;\n\n  // Redirect unless explicitly disabled and an error occurred\n  if (redirect !== false || !isSupportingReturn || !error) {\n    const candidate = data.url ?? (res.redirected ? res.url : undefined);\n    const target = __safeRedirect(candidate, callbackUrl);\n    window.location.assign(target);\n\n    // Force reload for hash-based navigation\n    if (target && target.includes('#')) {\n      window.location.reload();\n    }\n    return;\n  } else {\n    // Return response for error handling when redirect is false\n    return res;\n  }\n}\n\nexport async function signOut(options?: AstroSignOutParams): Promise<void> {\n  const initialCallbackUrl = options?.callbackUrl ?? window.location.href;\n  const prefix = options?.prefix ?? '/api/auth';\n\n  const callbackUrl = __normalizePathOnly(initialCallbackUrl);\n\n  const csrfToken: string = await __getCsrfToken(prefix);\n\n  const res = await fetch(`${prefix}/signout`, {\n    method: 'post',\n    credentials: 'same-origin',\n    cache: 'no-store',\n    headers: {\n      Accept: 'application/json',\n      'Content-Type': 'application/x-www-form-urlencoded',\n      'X-Auth-Return-Redirect': '1',\n      'X-Requested-With': 'XMLHttpRequest',\n    },\n    body: new URLSearchParams({\n      csrfToken,\n      callbackUrl,\n    }),\n  });\n\n  const data: { url?: string } = await res.json().catch(() => ({}));\n  const candidate = data.url ?? (res.redirected ? res.url : undefined);\n  const url = __safeRedirect(candidate, callbackUrl);\n\n  window.location.assign(url);\n\n  if (url.includes('#')) {\n    window.location.reload();\n  }\n}\n"],"mappings":";AAOA,eAAe,eAAe,QAAiC;AAC7D,QAAM,MAAM,MAAM,MAAM,GAAG,MAAM,SAAS;AAAA,IACxC,QAAQ;AAAA,IACR,aAAa;AAAA,IACb,SAAS;AAAA,MACP,QAAQ;AAAA,MACR,oBAAoB;AAAA,IACtB;AAAA,IACA,OAAO;AAAA,EACT,CAAC;AACD,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,IAAI,MAAM,+BAA+B,IAAI,MAAM,GAAG;AAAA,EAC9D;AACA,QAAM,OAAgB,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM;AACjD,UAAM,IAAI,MAAM,0CAA0C;AAAA,EAC5D,CAAC;AACD,QAAM,QAAS,MAAiC;AAChD,MAAI,OAAO,UAAU,YAAY,MAAM,WAAW,GAAG;AACnD,UAAM,IAAI,MAAM,+BAA+B;AAAA,EACjD;AACA,SAAO;AACT;AAEA,SAAS,oBAAoB,MAAsB;AACjD,MAAI;AACF,UAAM,IAAI,IAAI,IAAI,MAAM,OAAO,SAAS,MAAM;AAC9C,QAAI,EAAE,WAAW,OAAO,SAAS,QAAQ;AACvC,aACE,OAAO,SAAS,WAAW,OAAO,SAAS,SAAS,OAAO,SAAS;AAAA,IAExE;AACA,WAAO,EAAE,WAAW,EAAE,SAAS,EAAE;AAAA,EACnC,QAAQ;AACN,WACE,OAAO,SAAS,WAAW,OAAO,SAAS,SAAS,OAAO,SAAS;AAAA,EAExE;AACF;AAEA,SAAS,eACP,QACA,kBACQ;AACR,MAAI,CAAC,OAAQ,QAAO;AACpB,MAAI;AACF,UAAM,IAAI,IAAI,IAAI,QAAQ,OAAO,SAAS,MAAM;AAChD,QAAI,EAAE,WAAW,OAAO,SAAS,OAAQ,QAAO;AAChD,WAAO,EAAE;AAAA,EACX,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAsFA,eAAsB,OACpB,YACA,SACA,qBAC0B;AAC1B,QAAM,qBAAqB,SAAS,eAAe,OAAO,SAAS;AACnE,QAAM,WAAW,SAAS,YAAY;AAEtC,QAAM,cAAc,oBAAoB,kBAAkB;AAE1D,QAAM,SAAS,SAAS,UAAU;AAElC,QAAM,EAAE,QAAQ,IAAI,aAAa,IAAI,UAAU,IAAI,GAAG,KAAK,IAAI,WAAW,CAAC;AAE3E,QAAM,gBAAgB,eAAe;AACrC,QAAM,UAAU,eAAe;AAC/B,QAAM,qBAAqB,iBAAiB;AAE5C,QAAM,YAAY,gBACd,GAAG,MAAM,aAAa,UAAU,KAChC,GAAG,MAAM,WAAW,UAAU;AAUlC,MAAI,CAAC,oBAAoB;AACvB,UAAMA,aAAoB,MAAM,eAAe,MAAM;AAGrD,UAAM,SAAS,IAAI,IAAI,WAAW,OAAO,SAAS,MAAM;AACxD,QAAI,qBAAqB;AACvB,iBAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,mBAAmB,GAAG;AACxD,eAAO,aAAa,IAAI,GAAG,CAAC;AAAA,MAC9B;AAAA,IACF;AAGA,UAAM,OAAO,SAAS,cAAc,MAAM;AAC1C,SAAK,SAAS;AACd,SAAK,SAAS,OAAO,WAAW,OAAO;AACvC,SAAK,MAAM,UAAU;AAGrB,UAAM,SAAiC;AAAA,MACrC,WAAAA;AAAA,MACA;AAAA,MACA,GAAG,OAAO;AAAA,QACR,OAAO,QAAQ,IAAI,EAAE,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC;AAAA,MACrD;AAAA,IACF;AAEA,eAAW,CAAC,MAAM,KAAK,KAAK,OAAO,QAAQ,MAAM,GAAG;AAClD,YAAM,QAAQ,SAAS,cAAc,OAAO;AAC5C,YAAM,OAAO;AACb,YAAM,OAAO;AACb,YAAM,QAAQ;AACd,WAAK,YAAY,KAAK;AAAA,IACxB;AAEA,aAAS,KAAK,YAAY,IAAI;AAC9B,SAAK,OAAO;AACZ;AAAA,EACF;AAUA,QAAM,uBAAuB,MAAM;AACjC,UAAM,MAAM,IAAI,IAAI,WAAW,OAAO,SAAS,MAAM;AACrD,QAAI,qBAAqB;AACvB,iBAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,mBAAmB,GAAG;AACxD,YAAI,aAAa,IAAI,GAAG,CAAC;AAAA,MAC3B;AAAA,IACF;AACA,WAAO,IAAI,WAAW,IAAI;AAAA,EAC5B,GAAG;AAEH,QAAM,YAAoB,MAAM,eAAe,MAAM;AAErD,QAAM,MAAM,MAAM,MAAM,qBAAqB;AAAA,IAC3C,QAAQ;AAAA,IACR,aAAa;AAAA,IACb,OAAO;AAAA,IACP,SAAS;AAAA,MACP,QAAQ;AAAA,MACR,gBAAgB;AAAA,MAChB,0BAA0B;AAAA,MAC1B,oBAAoB;AAAA,IACtB;AAAA,IACA,MAAM,IAAI,gBAAgB;AAAA,MACxB,GAAG;AAAA,MACH;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH,CAAC;AAED,QAAM,OAAyB,MAAM,IAClC,MAAM,EACN,KAAK,EACL,MAAM,OAAO,CAAC,EAAE;AACnB,QAAM,QAAQ,KAAK,MAAM,IAAI,IAAI,KAAK,GAAG,EAAE,aAAa,IAAI,OAAO,IAAI;AAGvE,MAAI,aAAa,SAAS,CAAC,sBAAsB,CAAC,OAAO;AACvD,UAAM,YAAY,KAAK,QAAQ,IAAI,aAAa,IAAI,MAAM;AAC1D,UAAM,SAAS,eAAe,WAAW,WAAW;AACpD,WAAO,SAAS,OAAO,MAAM;AAG7B,QAAI,UAAU,OAAO,SAAS,GAAG,GAAG;AAClC,aAAO,SAAS,OAAO;AAAA,IACzB;AACA;AAAA,EACF,OAAO;AAEL,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,QAAQ,SAA6C;AACzE,QAAM,qBAAqB,SAAS,eAAe,OAAO,SAAS;AACnE,QAAM,SAAS,SAAS,UAAU;AAElC,QAAM,cAAc,oBAAoB,kBAAkB;AAE1D,QAAM,YAAoB,MAAM,eAAe,MAAM;AAErD,QAAM,MAAM,MAAM,MAAM,GAAG,MAAM,YAAY;AAAA,IAC3C,QAAQ;AAAA,IACR,aAAa;AAAA,IACb,OAAO;AAAA,IACP,SAAS;AAAA,MACP,QAAQ;AAAA,MACR,gBAAgB;AAAA,MAChB,0BAA0B;AAAA,MAC1B,oBAAoB;AAAA,IACtB;AAAA,IACA,MAAM,IAAI,gBAAgB;AAAA,MACxB;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH,CAAC;AAED,QAAM,OAAyB,MAAM,IAAI,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AAChE,QAAM,YAAY,KAAK,QAAQ,IAAI,aAAa,IAAI,MAAM;AAC1D,QAAM,MAAM,eAAe,WAAW,WAAW;AAEjD,SAAO,SAAS,OAAO,GAAG;AAE1B,MAAI,IAAI,SAAS,GAAG,GAAG;AACrB,WAAO,SAAS,OAAO;AAAA,EACzB;AACF;","names":["csrfToken"]}

package/dist/components/Auth.astro

@@ -0,0 +1,38 @@
+---
+import { getSession } from '../server.js';
+import { type FullAuthConfig } from '../config.js';
+import authDefaultConfig from 'auth:config';
+
+/**
+ * Props for the Session component.
+ *
+ * Allows overriding the authentication configuration for retrieving
+ * session data.
+ */
+interface Props {
+  /**
+   * Optional authentication configuration override.
+   *
+   * If not provided, uses the default configuration from the
+   * auth:config virtual module.
+   */
+  authConfig?: FullAuthConfig;
+}
+
+const { authConfig = authDefaultConfig } = Astro.props as Props;
+
+// Retrieve the current session using the provided or default auth config
+let session = await getSession(Astro.request, authConfig);
+---
+
+<!--
+  Render the default slot with session data passed as an argument.
+  This allows child components to access session information.
+
+  Note: Slots are rendered by Astro's template engine. User-provided
+  content is automatically escaped. Do not use set:html with user data
+  to prevent XSS vulnerabilities.
+-->
+<div>
+  <Fragment set:html={Astro.slots.render('default', [session])} />
+</div>

package/dist/components/SignIn.astro

@@ -0,0 +1,133 @@
+---
+import type { HTMLAttributes } from 'astro/types';
+import type {
+  BuiltInProviders,
+  SignInOptions,
+  SignInAuthorizationParams,
+} from '../types.js';
+
+/**
+ * Props for the SignIn component.
+ *
+ * Extends standard HTML button attributes with authentication-specific
+ * options for configuring the sign-in behavior.
+ */
+interface Props extends HTMLAttributes<'button'> {
+  /**
+   * The authentication provider to sign in with.
+   *
+   * Can be a built-in provider (e.g., 'google', 'github') or a custom
+   * provider identifier.
+   */
+  provider?: BuiltInProviders | string;
+
+  /**
+   * Additional options to pass to the signIn function.
+   *
+   * These options control the sign-in behavior, such as redirect URLs
+   * and callback handling.
+   */
+  options?: SignInOptions;
+
+  /**
+   * Authorization parameters to pass to the authentication provider.
+   *
+   * These are provider-specific parameters that customize the
+   * authentication flow.
+   */
+  authParams?: SignInAuthorizationParams;
+}
+
+// Generate a unique identifier for this component instance to avoid
+// conflicts when multiple SignIn buttons are present on the same page
+const key = crypto.randomUUID();
+
+// noinspection JSUnusedGlobalSymbols
+const { provider, options, authParams, ...attrs } = Astro.props;
+attrs.class = `signin-button ${attrs.class ?? ''}`;
+---
+
+<button
+  {...attrs}
+  data-signin-key={key}
+  data-signin-provider={provider}
+  data-signin-options={options ? JSON.stringify(options) : undefined}
+  data-signin-auth-params={authParams ? JSON.stringify(authParams) : undefined}
+>
+  <slot />
+</button>
+
+<script>
+  import { signIn } from '../client.js';
+
+  function initializeSignInButton(button: Element) {
+    if (button instanceof HTMLElement && !button.dataset.signinInitialized) {
+      button.dataset.signinInitialized = 'true';
+
+      button.addEventListener(
+        'click',
+        () => {
+          const provider = button.dataset.signinProvider;
+
+          // Guard JSON parsing to prevent errors from malformed data
+          let options;
+          let authParams;
+
+          try {
+            options = button.dataset.signinOptions
+              ? JSON.parse(button.dataset.signinOptions)
+              : undefined;
+          } catch (e) {
+            console.warn('[astro-auth] Invalid signin options JSON:', e);
+            options = undefined;
+          }
+
+          try {
+            authParams = button.dataset.signinAuthParams
+              ? JSON.parse(button.dataset.signinAuthParams)
+              : undefined;
+          } catch (e) {
+            console.warn('[astro-auth] Invalid signin authParams JSON:', e);
+            authParams = undefined;
+          }
+
+          signIn(provider, options, authParams);
+        },
+        { passive: true, capture: true },
+      );
+    }
+  }
+
+  document
+    .querySelectorAll('[data-signin-key]')
+    .forEach(initializeSignInButton);
+
+  const observer = new MutationObserver((mutations) => {
+    mutations.forEach((mutation) => {
+      mutation.addedNodes.forEach((node) => {
+        if (node instanceof HTMLElement) {
+          if (node.hasAttribute('data-signin-key')) {
+            initializeSignInButton(node);
+          }
+          node
+            .querySelectorAll('[data-signin-key]')
+            .forEach(initializeSignInButton);
+        }
+      });
+    });
+  });
+
+  observer.observe(document.body, { childList: true, subtree: true });
+
+  // Clean up observer when page becomes hidden or before unload
+  const cleanup = () => {
+    observer.disconnect();
+  };
+
+  window.addEventListener('beforeunload', cleanup);
+  document.addEventListener('visibilitychange', () => {
+    if (document.hidden) {
+      cleanup();
+    }
+  });
+</script>

package/dist/components/SignOut.astro

@@ -0,0 +1,99 @@
+---
+import type { HTMLAttributes } from 'astro/types';
+import type { SignOutParams } from '../types.js';
+
+/**
+ * Props for the SignOut component.
+ *
+ * Extends standard HTML button attributes with authentication-specific
+ * options for configuring the sign-out behavior.
+ */
+interface Props extends HTMLAttributes<'button'> {
+  /**
+   * Optional parameters to pass to the signOut function.
+   *
+   * These parameters control the sign-out behavior, such as redirect
+   * URLs and callback handling.
+   */
+  params?: SignOutParams;
+}
+
+// Generate a unique identifier for this component instance to avoid
+// conflicts when multiple SignOut buttons are present on the same page
+const key = crypto.randomUUID();
+
+// noinspection JSUnusedGlobalSymbols
+const { params, ...attrs } = Astro.props;
+attrs.class = `signout-button ${attrs.class ?? ''}`;
+---
+
+<button
+  {...attrs}
+  data-signout-key={key}
+  data-signout-params={params ? JSON.stringify(params) : undefined}
+>
+  <slot />
+</button>
+
+<script>
+  import { signOut } from '../client.js';
+
+  function initializeSignOutButton(button: Element) {
+    if (button instanceof HTMLElement && !button.dataset.signoutInitialized) {
+      button.dataset.signoutInitialized = 'true';
+
+      button.addEventListener(
+        'click',
+        () => {
+          // Guard JSON parsing to prevent errors from malformed data
+          let params;
+
+          try {
+            params = button.dataset.signoutParams
+              ? JSON.parse(button.dataset.signoutParams)
+              : undefined;
+          } catch (e) {
+            console.warn('[astro-auth] Invalid signout params JSON:', e);
+            params = undefined;
+          }
+
+          signOut(params);
+        },
+        { passive: true, capture: true },
+      );
+    }
+  }
+
+  document
+    .querySelectorAll('[data-signout-key]')
+    .forEach(initializeSignOutButton);
+
+  const observer = new MutationObserver((mutations) => {
+    mutations.forEach((mutation) => {
+      mutation.addedNodes.forEach((node) => {
+        if (node instanceof HTMLElement) {
+          if (node.hasAttribute('data-signout-key')) {
+            initializeSignOutButton(node);
+          }
+          node
+            .querySelectorAll('[data-signout-key]')
+            .forEach(initializeSignOutButton);
+        }
+      });
+    });
+  });
+
+  observer.observe(document.body, { childList: true, subtree: true });
+
+  // Clean up observer when page becomes hidden or before unload
+  const cleanup = () => {
+    observer.disconnect();
+  };
+
+  window.addEventListener('beforeunload', cleanup);
+  document.addEventListener('visibilitychange', () => {
+    if (document.hidden) {
+      cleanup();
+    }
+  });
+</script>

package/dist/components/index.d.ts

@@ -0,0 +1,9 @@
+import { AstroComponentFactory } from 'astro/runtime/server/index.js';
+
+declare const Auth: AstroComponentFactory;
+// noinspection JSUnusedGlobalSymbols
+declare const SignIn: AstroComponentFactory;
+// noinspection JSUnusedGlobalSymbols
+declare const SignOut: AstroComponentFactory;
+
+export { Auth, SignIn, SignOut };

package/dist/components/index.js

@@ -0,0 +1,10 @@
+// src/components/index.ts
+import { default as default2 } from "./Auth.astro";
+import { default as default3 } from "./SignIn.astro";
+import { default as default4 } from "./SignOut.astro";
+export {
+  default2 as Auth,
+  default3 as SignIn,
+  default4 as SignOut
+};
+//# sourceMappingURL=index.js.map

package/dist/components/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/components/index.ts"],"sourcesContent":["/**\n * Re-exports Astro components for authentication UI.\n *\n * These components provide pre-built UI elements for sign-in, sign-out,\n * and session management in Astro applications.\n *\n * @public\n */\n\n// Component exports are consumed by end users importing from the package.\n// IDEs cannot detect usage across package boundaries, resulting in false\n// positive unused export warnings.\n// noinspection JSUnusedGlobalSymbols\nexport { default as Auth } from './Auth.astro';\n// noinspection JSUnusedGlobalSymbols\nexport { default as SignIn } from './SignIn.astro';\n// noinspection JSUnusedGlobalSymbols\nexport { default as SignOut } from './SignOut.astro';\n"],"mappings":";AAaA,SAAoB,WAAXA,gBAAuB;AAEhC,SAAoB,WAAXA,gBAAyB;AAElC,SAAoB,WAAXA,gBAA0B;","names":["default"]}

package/dist/config-lAdfi49m.d.ts

@@ -0,0 +1,104 @@
+import { AuthConfig } from '@auth/core/types';
+
+/**
+ * Configuration options specific to the Astro integration.
+ *
+ * @public
+ */
+interface AstroIntegrationOptions {
+    /**
+     * Base path for authentication routes.
+     *
+     * @defaultValue '/api/auth'
+     *
+     * @example
+     * ```js
+     * authAstro({ prefix: '/auth' })
+     * // Routes will be available at /auth/signin, /auth/signout, etc.
+     * ```
+     */
+    prefix?: string;
+    /**
+     * Whether the integration should automatically inject authentication
+     * endpoints.
+     *
+     * Set to `false` if you want to manually define authentication routes.
+     *
+     * @defaultValue true
+     */
+    injectEndpoints?: boolean;
+    /**
+     * Path to the authentication configuration file.
+     *
+     * @defaultValue './auth.config'
+     *
+     * @example
+     * ```js
+     * authAstro({ configFile: './config/authentication.ts' })
+     * ```
+     */
+    configFile?: string;
+}
+/**
+ * Complete authentication configuration merging Astro-specific options
+ * with Auth.js core configuration.
+ *
+ * @public
+ */
+interface FullAuthConfig extends AstroIntegrationOptions, Omit<AuthConfig, 'raw'> {
+}
+/**
+ * Environment variables structure used by Auth.js configuration.
+ *
+ * @public
+ */
+interface AuthEnvVars {
+    AUTH_SECRET?: string;
+    AUTH_TRUST_HOST?: string;
+    VERCEL?: string;
+    CF_PAGES?: string;
+    NODE_ENV?: string;
+}
+/**
+ * Helper function to define authentication configuration with type safety.
+ *
+ * This function applies default values and reads environment variables to
+ * provide a complete configuration object. Environment variables are only
+ * used as fallbacks when values are not explicitly provided in the config.
+ *
+ * Environment variables read (in order of precedence for `trustHost`):
+ * - `config.trustHost`: Explicit config value (highest priority)
+ * - `AUTH_TRUST_HOST`: Whether to trust the X-Forwarded-Host header ("1"/"true"/"yes"/"on")
+ * - `VERCEL`: Automatically set by Vercel (any truthy value enables trustHost)
+ * - `CF_PAGES`: Automatically set by Cloudflare Pages (any truthy value enables trustHost)
+ * - `NODE_ENV`: Node environment (trustHost enabled if not 'production')
+ *
+ * For `secret`:
+ * - `config.secret`: Explicit config value (highest priority)
+ * - `AUTH_SECRET`: Environment variable fallback
+ *
+ * @param config - Authentication configuration object
+ * @param envOverride - Optional environment variables for testing
+ * @returns Configuration with defaults applied
+ *
+ * @example
+ * ```ts
+ * import { defineConfig } from 'astro-auth'
+ * import GitHub from '@auth/core/providers/github'
+ *
+ * export default defineConfig({
+ *   providers: [
+ *     GitHub({
+ *       clientId: process.env.GITHUB_ID,
+ *       clientSecret: process.env.GITHUB_SECRET
+ *     })
+ *   ],
+ *   secret: process.env.AUTH_SECRET
+ * })
+ * ```
+ *
+ * @public
+ */
+declare const defineConfig: (config: Readonly<FullAuthConfig>, envOverride?: AuthEnvVars) => FullAuthConfig;
+
+export { type AstroIntegrationOptions as A, type FullAuthConfig as F, type AuthEnvVars as a, defineConfig as d };

package/dist/index.d.ts

@@ -0,0 +1,27 @@
+import { AstroIntegration } from 'astro';
+import { A as AstroIntegrationOptions } from './config-lAdfi49m.js';
+export { a as AuthEnvVars, F as FullAuthConfig, d as defineConfig } from './config-lAdfi49m.js';
+import '@auth/core/types';
+
+/**
+ * Creates an Astro integration for authentication using Auth.js.
+ *
+ * This integration handles:
+ * - Virtual module configuration for auth settings
+ * - Automatic route injection for authentication endpoints
+ * - Vite configuration for proper module resolution
+ *
+ * @param config - Configuration options for the integration
+ * @returns Configured Astro integration
+ * @throws {Error} When no adapter is configured (server-side rendering is required).
+ *
+ * @remarks
+ * This integration requires server-side rendering. Ensure you have
+ * configured an Astro adapter (e.g., `@astrojs/node`, `@astrojs/vercel`)
+ * in your Astro config.
+ *
+ * @public
+ */
+declare const _default: (config?: AstroIntegrationOptions) => AstroIntegration;
+
+export { AstroIntegrationOptions, _default as default };