@zshn-dev/auth-server 0.2.0

package/README.md

@@ -0,0 +1,152 @@
+# @your-scope/auth-server
+
+> GitHub OAuth + JWT authentication middleware for Express.
+
+> **Note:** `@your-scope` is a placeholder — replace it with your actual npm scope.
+
+---
+
+## Installation
+
+```bash
+npm install @your-scope/auth-server
+```
+
+---
+
+## Quick Start
+
+```ts
+import express from 'express';
+import { createAuthRouter, verifyJwt } from '@your-scope/auth-server';
+
+const config = {
+  clientId: process.env.GITHUB_CLIENT_ID!,
+  clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+  jwtSecret: process.env.JWT_SECRET!,
+  callbackUrl: 'http://localhost:3000/auth/github/callback',
+  afterLoginUrl: 'http://localhost:4200/auth/callback',
+};
+
+const app = express();
+
+// Mount the auth router at /auth
+app.use('/auth', createAuthRouter(config));
+
+// Protect routes with JWT middleware
+app.get('/api/me', verifyJwt(config), (req, res) => {
+  res.json({ user: req.user });
+});
+
+app.listen(3000, () => console.log('Server running on http://localhost:3000'));
+```
+
+After a successful login, GitHub redirects to `callbackUrl`, which exchanges the OAuth code for a JWT and then redirects the user to:
+
+```
+<afterLoginUrl>?token=<jwt>
+```
+
+---
+
+## API Reference
+
+### `createAuthRouter(config: AuthServerConfig): Router`
+
+Returns an Express `Router`. Mount it at `/auth`:
+
+```ts
+app.use('/auth', createAuthRouter(config));
+```
+
+**Routes:**
+
+| Method | Path              | Description                                                              |
+| ------ | ----------------- | ------------------------------------------------------------------------ |
+| GET    | `/github`         | Redirects the user to the GitHub OAuth authorization page                |
+| GET    | `/github/callback`| Exchanges the OAuth code for a JWT; redirects to `afterLoginUrl?token=…` |
+
+---
+
+### `AuthServerConfig`
+
+| Property          | Type                                            | Required | Default        | Description                                                    |
+| ----------------- | ----------------------------------------------- | -------- | -------------- | -------------------------------------------------------------- |
+| `clientId`        | `string`                                        | ✅        | —              | GitHub OAuth App client ID                                     |
+| `clientSecret`    | `string`                                        | ✅        | —              | GitHub OAuth App client secret                                 |
+| `jwtSecret`       | `string`                                        | ✅        | —              | Secret used to sign/verify JWTs — **must be 32+ characters**  |
+| `callbackUrl`     | `string`                                        | ✅        | —              | Full URL GitHub redirects to after authorization               |
+| `afterLoginUrl`   | `string`                                        | ✅        | —              | URL of your frontend app; receives `?token=<jwt>` on success  |
+| `transformUser`   | `(profile: GitHubProfile) => Partial<User>`     | ❌        | —              | Optional hook to customize the JWT payload from the GitHub profile |
+| `stateCookieName` | `string`                                        | ❌        | `oauth_state`  | Name of the cookie used to store the OAuth CSRF state value   |
+
+---
+
+### `verifyJwt(config: AuthServerConfig): RequestHandler`
+
+Returns an Express middleware that validates a JWT on every request.
+
+- Reads the `Authorization: Bearer <token>` header
+- Verifies the token against `config.jwtSecret`
+- Sets `req.user` (typed as `JwtPayload`) on success
+- Returns `401 Unauthorized` if the token is missing, invalid, or expired
+
+```ts
+app.get('/api/profile', verifyJwt(config), (req, res) => {
+  res.json(req.user);
+});
+```
+
+---
+
+## `transformUser` Hook
+
+Use `transformUser` to control which fields from the GitHub profile are included in the JWT payload:
+
+```ts
+import { createAuthRouter, GitHubProfile } from '@your-scope/auth-server';
+
+app.use('/auth', createAuthRouter({
+  ...config,
+  transformUser: (profile: GitHubProfile) => ({
+    id: profile.id,
+    login: profile.login,
+    name: profile.name,
+    avatarUrl: profile.avatar_url,
+    email: profile.email,
+  }),
+}));
+```
+
+The returned object is merged into the JWT payload and later available on `req.user`.
+
+---
+
+## Environment Variables
+
+Never hardcode secrets. Use a `.env` file (via [dotenv](https://github.com/motdotla/dotenv)) or your deployment platform's secret management:
+
+```env
+GITHUB_CLIENT_ID=your_github_client_id
+GITHUB_CLIENT_SECRET=your_github_client_secret
+# Must be at least 32 characters
+JWT_SECRET=a_very_long_random_secret_at_least_32_chars
+```
+
+```ts
+import 'dotenv/config';
+
+const config = {
+  clientId: process.env.GITHUB_CLIENT_ID!,
+  clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+  jwtSecret: process.env.JWT_SECRET!,
+  callbackUrl: process.env.CALLBACK_URL ?? 'http://localhost:3000/auth/github/callback',
+  afterLoginUrl: process.env.AFTER_LOGIN_URL ?? 'http://localhost:4200/auth/callback',
+};
+```
+
+Add `.env` to your `.gitignore` to avoid committing secrets:
+
+```
+.env
+```

package/dist/__tests__/crypto.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=crypto.test.d.ts.map

package/dist/__tests__/crypto.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/crypto.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/crypto.test.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const crypto_js_1 = require("../utils/crypto.js");
+(0, vitest_1.describe)('generateState', () => {
+    (0, vitest_1.it)('returns a 64-character lowercase hex string', () => {
+        const state = (0, crypto_js_1.generateState)();
+        (0, vitest_1.expect)(state).toMatch(/^[0-9a-f]{64}$/);
+    });
+    (0, vitest_1.it)('returns a different value on each call', () => {
+        const a = (0, crypto_js_1.generateState)();
+        const b = (0, crypto_js_1.generateState)();
+        (0, vitest_1.expect)(a).not.toBe(b);
+    });
+});
+//# sourceMappingURL=crypto.test.js.map

package/dist/__tests__/crypto.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.test.js","sourceRoot":"","sources":["../../src/__tests__/crypto.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,kDAAmD;AAEnD,IAAA,iBAAQ,EAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,IAAA,WAAE,EAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,KAAK,GAAG,IAAA,yBAAa,GAAE,CAAC;QAC9B,IAAA,eAAM,EAAC,KAAK,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,CAAC,GAAG,IAAA,yBAAa,GAAE,CAAC;QAC1B,MAAM,CAAC,GAAG,IAAA,yBAAa,GAAE,CAAC;QAC1B,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACxB,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/jwt.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=jwt.test.d.ts.map

package/dist/__tests__/jwt.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/jwt.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/jwt.test.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const jwt_js_1 = require("../utils/jwt.js");
+const SECRET = 'a-test-secret-that-is-at-least-32-characters-long';
+const USER = {
+    id: '42',
+    email: 'user@example.com',
+    name: 'Test User',
+    avatar_url: 'https://example.com/avatar.png',
+};
+(0, vitest_1.describe)('signJwt', () => {
+    (0, vitest_1.it)('returns a three-part JWT string', () => {
+        const token = (0, jwt_js_1.signJwt)(USER, SECRET);
+        const parts = token.split('.');
+        (0, vitest_1.expect)(parts).toHaveLength(3);
+    });
+    (0, vitest_1.it)('embeds the user payload in the token', () => {
+        const token = (0, jwt_js_1.signJwt)(USER, SECRET);
+        const payload = JSON.parse(Buffer.from(token.split('.')[1], 'base64').toString());
+        (0, vitest_1.expect)(payload.id).toBe('42');
+        (0, vitest_1.expect)(payload.email).toBe('user@example.com');
+    });
+});
+(0, vitest_1.describe)('verifyJwtToken', () => {
+    (0, vitest_1.it)('round-trips: verify returns the original user payload', () => {
+        const token = (0, jwt_js_1.signJwt)(USER, SECRET);
+        const payload = (0, jwt_js_1.verifyJwtToken)(token, SECRET);
+        (0, vitest_1.expect)(payload.id).toBe(USER.id);
+        (0, vitest_1.expect)(payload.email).toBe(USER.email);
+        (0, vitest_1.expect)(payload.name).toBe(USER.name);
+    });
+    (0, vitest_1.it)('throws when the secret is wrong', () => {
+        const token = (0, jwt_js_1.signJwt)(USER, SECRET);
+        (0, vitest_1.expect)(() => (0, jwt_js_1.verifyJwtToken)(token, 'wrong-secret')).toThrow();
+    });
+    (0, vitest_1.it)('throws for a malformed token', () => {
+        (0, vitest_1.expect)(() => (0, jwt_js_1.verifyJwtToken)('not.a.token', SECRET)).toThrow();
+    });
+});
+//# sourceMappingURL=jwt.test.js.map

package/dist/__tests__/jwt.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.test.js","sourceRoot":"","sources":["../../src/__tests__/jwt.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,4CAA0D;AAE1D,MAAM,MAAM,GAAG,mDAAmD,CAAC;AACnE,MAAM,IAAI,GAAG;IACX,EAAE,EAAE,IAAI;IACR,KAAK,EAAE,kBAAkB;IACzB,IAAI,EAAE,WAAW;IACjB,UAAU,EAAE,gCAAgC;CAC7C,CAAC;AAEF,IAAA,iBAAQ,EAAC,SAAS,EAAE,GAAG,EAAE;IACvB,IAAA,WAAE,EAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,KAAK,GAAG,IAAA,gBAAO,EAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACpC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAA,eAAM,EAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,KAAK,GAAG,IAAA,gBAAO,EAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACpC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QAClF,IAAA,eAAM,EAAC,OAAO,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9B,IAAA,eAAM,EAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,gBAAgB,EAAE,GAAG,EAAE;IAC9B,IAAA,WAAE,EAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,MAAM,KAAK,GAAG,IAAA,gBAAO,EAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACpC,MAAM,OAAO,GAAG,IAAA,uBAAc,EAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC9C,IAAA,eAAM,EAAC,OAAO,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjC,IAAA,eAAM,EAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACvC,IAAA,eAAM,EAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,KAAK,GAAG,IAAA,gBAAO,EAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACpC,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,uBAAc,EAAC,KAAK,EAAE,cAAc,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,uBAAc,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;IAChE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/sanitize.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=sanitize.test.d.ts.map

package/dist/__tests__/sanitize.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitize.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/sanitize.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/sanitize.test.js

@@ -0,0 +1,31 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const sanitize_js_1 = require("../utils/sanitize.js");
+(0, vitest_1.describe)('isSafeUrl', () => {
+    (0, vitest_1.it)('accepts http URLs', () => {
+        (0, vitest_1.expect)((0, sanitize_js_1.isSafeUrl)('http://localhost:3000')).toBe(true);
+    });
+    (0, vitest_1.it)('accepts https URLs', () => {
+        (0, vitest_1.expect)((0, sanitize_js_1.isSafeUrl)('https://example.com/callback')).toBe(true);
+    });
+    (0, vitest_1.it)('rejects javascript: protocol', () => {
+        (0, vitest_1.expect)((0, sanitize_js_1.isSafeUrl)('javascript:alert(1)')).toBe(false);
+    });
+    (0, vitest_1.it)('rejects ftp: protocol', () => {
+        (0, vitest_1.expect)((0, sanitize_js_1.isSafeUrl)('ftp://example.com')).toBe(false);
+    });
+    (0, vitest_1.it)('rejects plain strings that are not URLs', () => {
+        (0, vitest_1.expect)((0, sanitize_js_1.isSafeUrl)('not-a-url')).toBe(false);
+        (0, vitest_1.expect)((0, sanitize_js_1.isSafeUrl)('')).toBe(false);
+    });
+});
+(0, vitest_1.describe)('assertConfig', () => {
+    (0, vitest_1.it)('does not throw when condition is true', () => {
+        (0, vitest_1.expect)(() => (0, sanitize_js_1.assertConfig)(true, 'should not throw')).not.toThrow();
+    });
+    (0, vitest_1.it)('throws an Error with the given message when condition is false', () => {
+        (0, vitest_1.expect)(() => (0, sanitize_js_1.assertConfig)(false, 'clientId is required')).toThrowError('[auth-server] Invalid config: clientId is required');
+    });
+});
+//# sourceMappingURL=sanitize.test.js.map

package/dist/__tests__/sanitize.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitize.test.js","sourceRoot":"","sources":["../../src/__tests__/sanitize.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,sDAA+D;AAE/D,IAAA,iBAAQ,EAAC,WAAW,EAAE,GAAG,EAAE;IACzB,IAAA,WAAE,EAAC,mBAAmB,EAAE,GAAG,EAAE;QAC3B,IAAA,eAAM,EAAC,IAAA,uBAAS,EAAC,uBAAuB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,oBAAoB,EAAE,GAAG,EAAE;QAC5B,IAAA,eAAM,EAAC,IAAA,uBAAS,EAAC,8BAA8B,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,IAAA,eAAM,EAAC,IAAA,uBAAS,EAAC,qBAAqB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,uBAAuB,EAAE,GAAG,EAAE;QAC/B,IAAA,eAAM,EAAC,IAAA,uBAAS,EAAC,mBAAmB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,IAAA,eAAM,EAAC,IAAA,uBAAS,EAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3C,IAAA,eAAM,EAAC,IAAA,uBAAS,EAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,IAAA,WAAE,EAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAY,EAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,gEAAgE,EAAE,GAAG,EAAE;QACxE,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAY,EAAC,KAAK,EAAE,sBAAsB,CAAC,CAAC,CAAC,YAAY,CACpE,oDAAoD,CACrD,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,30 @@
+import { Router, RequestHandler } from 'express';
+import { AuthServerConfig } from './types.js';
+import { JwtPayload } from './middleware/verify-jwt.js';
+export type { JwtPayload };
+declare global {
+    namespace Express {
+        interface Request {
+            user?: JwtPayload;
+        }
+    }
+}
+/**
+ * Creates an Express Router that handles the GitHub OAuth flow.
+ *
+ * Mount it at a path like `/auth`:
+ * ```ts
+ * app.use('/auth', createAuthRouter({ ... }));
+ * ```
+ *
+ * Routes provided:
+ * - `GET /github`           — redirects to GitHub's authorization page
+ * - `GET /github/callback`  — handles the OAuth callback, signs a JWT, and redirects to the Angular app
+ */
+export declare function createAuthRouter(config: AuthServerConfig): Router;
+/**
+ * Express middleware that validates a Bearer JWT and attaches the decoded payload to `req.user`.
+ * Returns 401 if the token is missing, malformed, or expired.
+ */
+export declare function verifyJwt(config: Pick<AuthServerConfig, 'jwtSecret'>): RequestHandler;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAEjD,OAAO,EAAE,gBAAgB,EAAQ,MAAM,YAAY,CAAC;AAKpD,OAAO,EAA6B,UAAU,EAAE,MAAM,4BAA4B,CAAC;AAInF,YAAY,EAAE,UAAU,EAAE,CAAC;AAE3B,OAAO,CAAC,MAAM,CAAC;IAEb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,IAAI,CAAC,EAAE,UAAU,CAAC;SACnB;KACF;CACF;AAUD;;;;;;;;;;;GAWG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,gBAAgB,GAAG,MAAM,CAoDjE;AAED;;;GAGG;AACH,wBAAgB,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,gBAAgB,EAAE,WAAW,CAAC,GAAG,cAAc,CAErF"}

package/dist/index.js

@@ -0,0 +1,85 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAuthRouter = createAuthRouter;
+exports.verifyJwt = verifyJwt;
+const express_1 = require("express");
+const cookie_parser_1 = __importDefault(require("cookie-parser"));
+const crypto_js_1 = require("./utils/crypto.js");
+const jwt_js_1 = require("./utils/jwt.js");
+const sanitize_js_1 = require("./utils/sanitize.js");
+const github_js_1 = require("./providers/github.js");
+const verify_jwt_js_1 = require("./middleware/verify-jwt.js");
+function validateConfig(config) {
+    (0, sanitize_js_1.assertConfig)(!!config.clientId, 'clientId is required');
+    (0, sanitize_js_1.assertConfig)(!!config.clientSecret, 'clientSecret is required');
+    (0, sanitize_js_1.assertConfig)(!!config.jwtSecret && config.jwtSecret.length >= 32, 'jwtSecret must be at least 32 characters');
+    (0, sanitize_js_1.assertConfig)((0, sanitize_js_1.isSafeUrl)(config.callbackUrl), 'callbackUrl must be a valid http/https URL');
+    (0, sanitize_js_1.assertConfig)((0, sanitize_js_1.isSafeUrl)(config.afterLoginUrl), 'afterLoginUrl must be a valid http/https URL');
+}
+/**
+ * Creates an Express Router that handles the GitHub OAuth flow.
+ *
+ * Mount it at a path like `/auth`:
+ * ```ts
+ * app.use('/auth', createAuthRouter({ ... }));
+ * ```
+ *
+ * Routes provided:
+ * - `GET /github`           — redirects to GitHub's authorization page
+ * - `GET /github/callback`  — handles the OAuth callback, signs a JWT, and redirects to the Angular app
+ */
+function createAuthRouter(config) {
+    validateConfig(config);
+    const stateCookieName = config.stateCookieName ?? 'oauth_state';
+    const router = (0, express_1.Router)();
+    router.use((0, cookie_parser_1.default)());
+    // Step 1: redirect to GitHub
+    router.get('/github', (_req, res) => {
+        const state = (0, crypto_js_1.generateState)();
+        res.cookie(stateCookieName, state, { httpOnly: true, sameSite: 'lax', maxAge: 10 * 60 * 1000 });
+        res.redirect((0, github_js_1.buildAuthUrl)(config.clientId, state, config.callbackUrl));
+    });
+    // Step 2: handle callback
+    router.get('/github/callback', async (req, res) => {
+        const { code, state } = req.query;
+        const savedState = req.cookies[stateCookieName];
+        if (!code || !state || state !== savedState) {
+            res.status(400).send('Invalid OAuth state');
+            return;
+        }
+        res.clearCookie(stateCookieName);
+        try {
+            const accessToken = await (0, github_js_1.exchangeCode)(config.clientId, config.clientSecret, code);
+            const profile = await (0, github_js_1.fetchGitHubUser)(accessToken);
+            const baseUser = {
+                id: String(profile.id),
+                email: profile.email ?? '',
+                name: profile.name ?? profile.login,
+                avatar_url: profile.avatar_url,
+            };
+            const user = config.transformUser
+                ? { ...baseUser, ...config.transformUser(profile) }
+                : baseUser;
+            const token = (0, jwt_js_1.signJwt)(user, config.jwtSecret);
+            const redirectUrl = new URL(config.afterLoginUrl);
+            redirectUrl.searchParams.set('token', token);
+            res.redirect(redirectUrl.toString());
+        }
+        catch (err) {
+            console.error('[auth-server] OAuth callback error:', err);
+            res.status(500).send('Authentication failed');
+        }
+    });
+    return router;
+}
+/**
+ * Express middleware that validates a Bearer JWT and attaches the decoded payload to `req.user`.
+ * Returns 401 if the token is missing, malformed, or expired.
+ */
+function verifyJwt(config) {
+    return (0, verify_jwt_js_1.createVerifyJwtMiddleware)(config.jwtSecret);
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;AA0CA,4CAoDC;AAMD,8BAEC;AAtGD,qCAAiD;AACjD,kEAAyC;AAEzC,iDAAkD;AAClD,2CAAyC;AACzC,qDAA8D;AAC9D,qDAAoF;AACpF,8DAAmF;AAenF,SAAS,cAAc,CAAC,MAAwB;IAC9C,IAAA,0BAAY,EAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,EAAE,sBAAsB,CAAC,CAAC;IACxD,IAAA,0BAAY,EAAC,CAAC,CAAC,MAAM,CAAC,YAAY,EAAE,0BAA0B,CAAC,CAAC;IAChE,IAAA,0BAAY,EAAC,CAAC,CAAC,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,SAAS,CAAC,MAAM,IAAI,EAAE,EAAE,0CAA0C,CAAC,CAAC;IAC9G,IAAA,0BAAY,EAAC,IAAA,uBAAS,EAAC,MAAM,CAAC,WAAW,CAAC,EAAE,4CAA4C,CAAC,CAAC;IAC1F,IAAA,0BAAY,EAAC,IAAA,uBAAS,EAAC,MAAM,CAAC,aAAa,CAAC,EAAE,8CAA8C,CAAC,CAAC;AAChG,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAgB,gBAAgB,CAAC,MAAwB;IACvD,cAAc,CAAC,MAAM,CAAC,CAAC;IAEvB,MAAM,eAAe,GAAG,MAAM,CAAC,eAAe,IAAI,aAAa,CAAC;IAChE,MAAM,MAAM,GAAG,IAAA,gBAAM,GAAE,CAAC;IACxB,MAAM,CAAC,GAAG,CAAC,IAAA,uBAAY,GAAE,CAAC,CAAC;IAE3B,6BAA6B;IAC7B,MAAM,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;QAClC,MAAM,KAAK,GAAG,IAAA,yBAAa,GAAE,CAAC;QAC9B,GAAG,CAAC,MAAM,CAAC,eAAe,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC;QAChG,GAAG,CAAC,QAAQ,CAAC,IAAA,wBAAY,EAAC,MAAM,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;IAEH,0BAA0B;IAC1B,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAChD,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC,KAA0C,CAAC;QACvE,MAAM,UAAU,GAAI,GAAG,CAAC,OAAkC,CAAC,eAAe,CAAC,CAAC;QAE5E,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,IAAI,KAAK,KAAK,UAAU,EAAE,CAAC;YAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;YAC5C,OAAO;QACT,CAAC;QAED,GAAG,CAAC,WAAW,CAAC,eAAe,CAAC,CAAC;QAEjC,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,MAAM,IAAA,wBAAY,EAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;YACnF,MAAM,OAAO,GAAG,MAAM,IAAA,2BAAe,EAAC,WAAW,CAAC,CAAC;YAEnD,MAAM,QAAQ,GAAS;gBACrB,EAAE,EAAE,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;gBACtB,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,EAAE;gBAC1B,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,KAAK;gBACnC,UAAU,EAAE,OAAO,CAAC,UAAU;aAC/B,CAAC;YAEF,MAAM,IAAI,GAAS,MAAM,CAAC,aAAa;gBACrC,CAAC,CAAC,EAAE,GAAG,QAAQ,EAAE,GAAG,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC,EAAE;gBACnD,CAAC,CAAC,QAAQ,CAAC;YAEb,MAAM,KAAK,GAAG,IAAA,gBAAO,EAAC,IAAI,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;YAC9C,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;YAClD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;YAC7C,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAC;QACvC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,qCAAqC,EAAE,GAAG,CAAC,CAAC;YAC1D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,SAAgB,SAAS,CAAC,MAA2C;IACnE,OAAO,IAAA,yCAAyB,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AACrD,CAAC"}

package/dist/middleware/verify-jwt.d.ts

@@ -0,0 +1,12 @@
+import { RequestHandler } from 'express';
+import { JwtPayload } from '../utils/jwt.js';
+export type { JwtPayload };
+declare global {
+    namespace Express {
+        interface Request {
+            user?: JwtPayload;
+        }
+    }
+}
+export declare function createVerifyJwtMiddleware(jwtSecret: string): RequestHandler;
+//# sourceMappingURL=verify-jwt.d.ts.map

package/dist/middleware/verify-jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-jwt.d.ts","sourceRoot":"","sources":["../../src/middleware/verify-jwt.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAkB,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAE7D,YAAY,EAAE,UAAU,EAAE,CAAC;AAE3B,OAAO,CAAC,MAAM,CAAC;IAEb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,IAAI,CAAC,EAAE,UAAU,CAAC;SACnB;KACF;CACF;AAED,wBAAgB,yBAAyB,CAAC,SAAS,EAAE,MAAM,GAAG,cAAc,CAc3E"}

package/dist/middleware/verify-jwt.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createVerifyJwtMiddleware = createVerifyJwtMiddleware;
+const jwt_js_1 = require("../utils/jwt.js");
+function createVerifyJwtMiddleware(jwtSecret) {
+    return (req, res, next) => {
+        const authHeader = req.headers['authorization'];
+        if (!authHeader?.startsWith('Bearer ')) {
+            res.status(401).json({ error: 'Missing or invalid Authorization header' });
+            return;
+        }
+        try {
+            req.user = (0, jwt_js_1.verifyJwtToken)(authHeader.slice(7), jwtSecret);
+            next();
+        }
+        catch {
+            res.status(401).json({ error: 'Invalid or expired token' });
+        }
+    };
+}
+//# sourceMappingURL=verify-jwt.js.map

package/dist/middleware/verify-jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-jwt.js","sourceRoot":"","sources":["../../src/middleware/verify-jwt.ts"],"names":[],"mappings":";;AAcA,8DAcC;AA3BD,4CAA6D;AAa7D,SAAgB,yBAAyB,CAAC,SAAiB;IACzD,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACxB,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAChD,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACvC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yCAAyC,EAAE,CAAC,CAAC;YAC3E,OAAO;QACT,CAAC;QACD,IAAI,CAAC;YACH,GAAG,CAAC,IAAI,GAAG,IAAA,uBAAc,EAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;YAC1D,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/providers/github.d.ts

@@ -0,0 +1,5 @@
+import { GitHubProfile } from '../types.js';
+export declare function buildAuthUrl(clientId: string, state: string, callbackUrl: string): string;
+export declare function exchangeCode(clientId: string, clientSecret: string, code: string): Promise<string>;
+export declare function fetchGitHubUser(accessToken: string): Promise<GitHubProfile>;
+//# sourceMappingURL=github.d.ts.map

package/dist/providers/github.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../../src/providers/github.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAK5C,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM,CAQzF;AAED,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,MAAM,CAAC,CAWjB;AAED,wBAAsB,eAAe,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAyBjF"}

package/dist/providers/github.js

@@ -0,0 +1,47 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildAuthUrl = buildAuthUrl;
+exports.exchangeCode = exchangeCode;
+exports.fetchGitHubUser = fetchGitHubUser;
+const GITHUB_API = 'https://api.github.com';
+const GITHUB_OAUTH = 'https://github.com';
+function buildAuthUrl(clientId, state, callbackUrl) {
+    const params = new URLSearchParams({
+        client_id: clientId,
+        redirect_uri: callbackUrl,
+        scope: 'read:user user:email',
+        state,
+    });
+    return `${GITHUB_OAUTH}/login/oauth/authorize?${params}`;
+}
+async function exchangeCode(clientId, clientSecret, code) {
+    const res = await fetch(`${GITHUB_OAUTH}/login/oauth/access_token`, {
+        method: 'POST',
+        headers: { Accept: 'application/json', 'Content-Type': 'application/json' },
+        body: JSON.stringify({ client_id: clientId, client_secret: clientSecret, code }),
+    });
+    const data = (await res.json());
+    if (!data.access_token) {
+        throw new Error(`GitHub token exchange failed: ${data.error ?? 'unknown error'}`);
+    }
+    return data.access_token;
+}
+async function fetchGitHubUser(accessToken) {
+    const headers = {
+        Authorization: `Bearer ${accessToken}`,
+        Accept: 'application/vnd.github+json',
+        'X-GitHub-Api-Version': '2022-11-28',
+    };
+    const [profileRes, emailsRes] = await Promise.all([
+        fetch(`${GITHUB_API}/user`, { headers }),
+        fetch(`${GITHUB_API}/user/emails`, { headers }),
+    ]);
+    const profile = (await profileRes.json());
+    if (!profile.email) {
+        const emails = (await emailsRes.json());
+        const primary = emails.find((e) => e.primary && e.verified);
+        profile.email = primary?.email ?? null;
+    }
+    return profile;
+}
+//# sourceMappingURL=github.js.map

package/dist/providers/github.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"github.js","sourceRoot":"","sources":["../../src/providers/github.ts"],"names":[],"mappings":";;AAKA,oCAQC;AAED,oCAeC;AAED,0CAyBC;AAvDD,MAAM,UAAU,GAAG,wBAAwB,CAAC;AAC5C,MAAM,YAAY,GAAG,oBAAoB,CAAC;AAE1C,SAAgB,YAAY,CAAC,QAAgB,EAAE,KAAa,EAAE,WAAmB;IAC/E,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,SAAS,EAAE,QAAQ;QACnB,YAAY,EAAE,WAAW;QACzB,KAAK,EAAE,sBAAsB;QAC7B,KAAK;KACN,CAAC,CAAC;IACH,OAAO,GAAG,YAAY,0BAA0B,MAAM,EAAE,CAAC;AAC3D,CAAC;AAEM,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,YAAoB,EACpB,IAAY;IAEZ,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,YAAY,2BAA2B,EAAE;QAClE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC3E,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,QAAQ,EAAE,aAAa,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;KACjF,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA8C,CAAC;IAC7E,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,iCAAiC,IAAI,CAAC,KAAK,IAAI,eAAe,EAAE,CAAC,CAAC;IACpF,CAAC;IACD,OAAO,IAAI,CAAC,YAAY,CAAC;AAC3B,CAAC;AAEM,KAAK,UAAU,eAAe,CAAC,WAAmB;IACvD,MAAM,OAAO,GAAG;QACd,aAAa,EAAE,UAAU,WAAW,EAAE;QACtC,MAAM,EAAE,6BAA6B;QACrC,sBAAsB,EAAE,YAAY;KACrC,CAAC;IAEF,MAAM,CAAC,UAAU,EAAE,SAAS,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QAChD,KAAK,CAAC,GAAG,UAAU,OAAO,EAAE,EAAE,OAAO,EAAE,CAAC;QACxC,KAAK,CAAC,GAAG,UAAU,cAAc,EAAE,EAAE,OAAO,EAAE,CAAC;KAChD,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,CAAC,MAAM,UAAU,CAAC,IAAI,EAAE,CAAkB,CAAC;IAE3D,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,MAAM,GAAG,CAAC,MAAM,SAAS,CAAC,IAAI,EAAE,CAIpC,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC5D,OAAO,CAAC,KAAK,GAAG,OAAO,EAAE,KAAK,IAAI,IAAI,CAAC;IACzC,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,32 @@
+export interface AuthServerConfig {
+    /** GitHub OAuth client ID */
+    clientId: string;
+    /** GitHub OAuth client secret */
+    clientSecret: string;
+    /** JWT signing secret */
+    jwtSecret: string;
+    /** URL to redirect to after successful login (e.g. http://localhost:4200/auth/callback) */
+    callbackUrl: string;
+    /** URL the Angular app sends users back to after the OAuth callback completes */
+    afterLoginUrl: string;
+    /** Optional: transform the raw GitHub profile before it is signed into the JWT */
+    transformUser?: (profile: GitHubProfile) => Partial<User>;
+    /** Cookie name used for the CSRF state param (default: "oauth_state") */
+    stateCookieName?: string;
+}
+export interface GitHubProfile {
+    id: number;
+    login: string;
+    name: string | null;
+    email: string | null;
+    avatar_url: string;
+}
+/** Normalised user stored in the JWT */
+export interface User {
+    id: string;
+    email: string;
+    name: string;
+    avatar_url: string;
+    [key: string]: unknown;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,gBAAgB;IAC/B,6BAA6B;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,iCAAiC;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,yBAAyB;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,2FAA2F;IAC3F,WAAW,EAAE,MAAM,CAAC;IACpB,iFAAiF;IACjF,aAAa,EAAE,MAAM,CAAC;IACtB,kFAAkF;IAClF,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,aAAa,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1D,yEAAyE;IACzE,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,wCAAwC;AACxC,MAAM,WAAW,IAAI;IACnB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB"}

package/dist/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/dist/utils/crypto.d.ts

@@ -0,0 +1,3 @@
+/** Generate a cryptographically-random state string for CSRF protection */
+export declare function generateState(): string;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/utils/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/utils/crypto.ts"],"names":[],"mappings":"AAEA,2EAA2E;AAC3E,wBAAgB,aAAa,IAAI,MAAM,CAEtC"}

package/dist/utils/crypto.js

@@ -0,0 +1,42 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateState = generateState;
+const crypto = __importStar(require("crypto"));
+/** Generate a cryptographically-random state string for CSRF protection */
+function generateState() {
+    return crypto.randomBytes(32).toString('hex');
+}
+//# sourceMappingURL=crypto.js.map

package/dist/utils/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/utils/crypto.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAGA,sCAEC;AALD,+CAAiC;AAEjC,2EAA2E;AAC3E,SAAgB,aAAa;IAC3B,OAAO,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AAChD,CAAC"}

package/dist/utils/jwt.d.ts

@@ -0,0 +1,8 @@
+import { User } from '../types.js';
+export interface JwtPayload extends User {
+    iat?: number;
+    exp?: number;
+}
+export declare function signJwt(user: User, secret: string, expiresIn?: string): string;
+export declare function verifyJwtToken(token: string, secret: string): JwtPayload;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/utils/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../src/utils/jwt.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAEnC,MAAM,WAAW,UAAW,SAAQ,IAAI;IACtC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,wBAAgB,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,SAAO,GAAG,MAAM,CAE5E;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,UAAU,CAExE"}

package/dist/utils/jwt.js

@@ -0,0 +1,15 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.signJwt = signJwt;
+exports.verifyJwtToken = verifyJwtToken;
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+function signJwt(user, secret, expiresIn = '7d') {
+    return jsonwebtoken_1.default.sign(user, secret, { expiresIn });
+}
+function verifyJwtToken(token, secret) {
+    return jsonwebtoken_1.default.verify(token, secret);
+}
+//# sourceMappingURL=jwt.js.map

package/dist/utils/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../src/utils/jwt.ts"],"names":[],"mappings":";;;;;AAQA,0BAEC;AAED,wCAEC;AAdD,gEAA+B;AAQ/B,SAAgB,OAAO,CAAC,IAAU,EAAE,MAAc,EAAE,SAAS,GAAG,IAAI;IAClE,OAAO,sBAAG,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,SAAS,EAAqB,CAAC,CAAC;AAClE,CAAC;AAED,SAAgB,cAAc,CAAC,KAAa,EAAE,MAAc;IAC1D,OAAO,sBAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAe,CAAC;AACjD,CAAC"}

package/dist/utils/sanitize.d.ts

@@ -0,0 +1,4 @@
+/** Validate that a string is a safe URL (http/https only, no javascript: etc.) */
+export declare function isSafeUrl(value: string): boolean;
+export declare function assertConfig(condition: boolean, message: string): void;
+//# sourceMappingURL=sanitize.d.ts.map

package/dist/utils/sanitize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../src/utils/sanitize.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAClF,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAOhD;AAED,wBAAgB,YAAY,CAAC,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI,CAItE"}

package/dist/utils/sanitize.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isSafeUrl = isSafeUrl;
+exports.assertConfig = assertConfig;
+/** Validate that a string is a safe URL (http/https only, no javascript: etc.) */
+function isSafeUrl(value) {
+    try {
+        const url = new URL(value);
+        return url.protocol === 'http:' || url.protocol === 'https:';
+    }
+    catch {
+        return false;
+    }
+}
+function assertConfig(condition, message) {
+    if (!condition) {
+        throw new Error(`[auth-server] Invalid config: ${message}`);
+    }
+}
+//# sourceMappingURL=sanitize.js.map

package/dist/utils/sanitize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../../src/utils/sanitize.ts"],"names":[],"mappings":";;AACA,8BAOC;AAED,oCAIC;AAdD,kFAAkF;AAClF,SAAgB,SAAS,CAAC,KAAa;IACrC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;QAC3B,OAAO,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC;IAC/D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAgB,YAAY,CAAC,SAAkB,EAAE,OAAe;IAC9D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,iCAAiC,OAAO,EAAE,CAAC,CAAC;IAC9D,CAAC;AACH,CAAC"}

package/package.json

@@ -0,0 +1,43 @@
+{
+  "name": "@zshn-dev/auth-server",
+  "version": "0.2.0",
+  "description": "Angular-first auth server SDK — Express router for GitHub OAuth",
+  "keywords": [
+    "github",
+    "oauth",
+    "jwt",
+    "express",
+    "angular",
+    "auth"
+  ],
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/zshn-dev/ngx-gh-auth.git",
+    "directory": "packages/auth-server"
+  },
+  "homepage": "https://github.com/zshn-dev/ngx-gh-auth#readme",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "dev": "tsc -p tsconfig.json --watch",
+    "test": "vitest run"
+  },
+  "dependencies": {
+    "cookie-parser": "^1.4.7",
+    "express": "^4.21.2",
+    "jsonwebtoken": "^9.0.2"
+  },
+  "devDependencies": {
+    "@types/cookie-parser": "^1.4.8",
+    "@types/express": "^5.0.1",
+    "@types/jsonwebtoken": "^9.0.9",
+    "@types/node": "^22.15.0",
+    "typescript": "~5.9.2",
+    "vitest": "^4.0.8"
+  }
+}