peta-auth 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Jason Miller
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,256 @@
+# peta-auth
+
+Encrypted cookie sessions for Bun — with first-class adapters for **Hono**, **ElysiaJS**, and **Nuxt**.
+
+Uses `iron-webcrypto` (AES-256-CBC + HMAC-SHA256) to seal session data into stateless, signed-and-encrypted cookies. No server-side storage needed.
+
+Inspired by [iron-session](https://github.com/vvo/iron-session) and [nuxt-auth-utils](https://github.com/atinux/nuxt-auth-utils).
+
+```bash
+bun add peta-auth
+```
+
+Install only the framework adapters you need:
+
+```bash
+bun add hono           # for peta-auth/hono
+bun add elysia         # for peta-auth/elysia
+# Nuxt already includes h3 — just add peta-auth
+```
+
+---
+
+## Quick start
+
+### Hono
+
+```ts
+import { Hono } from 'hono'
+import { session } from 'peta-auth/hono'
+
+const app = new Hono()
+
+app.use('*', session({
+  password: process.env.SESSION_SECRET!,
+  cookieName: 'my-session',
+}))
+
+app.get('/profile', (c) => {
+  const s = c.var.session
+  if (!s.user) return c.json({ error: 'unauthorized' }, 401)
+  return c.json(s.user)
+})
+
+app.post('/login', async (c) => {
+  const { name } = await c.req.json()
+  Object.assign(c.var.session, { user: { name }, loggedInAt: Date.now() })
+  await c.var.session.save()
+  return c.json({ ok: true })
+})
+
+app.post('/logout', (c) => {
+  c.var.session.destroy()
+  return c.json({ ok: true })
+})
+```
+
+Run with `bun run file.ts` — Bun auto-starts the server.
+
+### ElysiaJS
+
+```ts
+import { Elysia } from 'elysia'
+import { session } from 'peta-auth/elysia'
+
+new Elysia()
+  .use(session({
+    password: process.env.SESSION_SECRET!,
+    cookieName: 'my-session',
+  }))
+  .get('/profile', ({ session: s }) =>
+    !s.user ? Response.json({ error: 'unauthorized' }, { status: 401 })
+            : Response.json(s.user))
+  .post('/login', async ({ session: s, body }: any) => {
+    s.user = { name: body.name }
+    await s.save()
+    return Response.json({ ok: true })
+  })
+  .post('/logout', ({ session: s }) => {
+    s.destroy()
+    return Response.json({ ok: true })
+  })
+  .listen(3000)
+```
+
+### Nuxt
+
+```ts
+// server/api/profile.get.ts
+import { useSession } from 'peta-auth/nuxt'
+
+export default defineEventHandler(async (event) => {
+  const session = await useSession(event, {
+    password: process.env.NUXT_SESSION_PASSWORD!,
+    cookieName: 'nuxt-session',
+  })
+  if (!session.user) throw createError({ statusCode: 401 })
+  return session.user
+})
+```
+
+```ts
+// server/api/login.post.ts
+import { useSession } from 'peta-auth/nuxt'
+
+export default defineEventHandler(async (event) => {
+  const session = await useSession(event, {
+    password: process.env.NUXT_SESSION_PASSWORD!,
+    cookieName: 'nuxt-session',
+  })
+  const body = await readBody(event)
+  Object.assign(session, { user: body, loggedInAt: Date.now() })
+  await session.save()
+  return { ok: true }
+})
+```
+
+Set `NUXT_SESSION_PASSWORD` in your `.env`.
+
+---
+
+## API
+
+### `session` middleware (framework adapters)
+
+Each adapter exports a `session(options)` function that reads the session from the incoming cookie and attaches it to the framework's context.
+
+```ts
+session({
+  password: process.env.SESSION_SECRET!, // required, at least 32 chars
+  cookieName: 'my-session',              // required
+  ttl: 60 * 60 * 24 * 14,                // optional, default 14 days
+  cookieOptions: { httpOnly: true, secure: true, sameSite: 'lax', path: '/' },
+})
+```
+
+Password rotation is supported via object syntax:
+
+```ts
+session({ password: { 1: 'old-pw', 2: 'new-pw' }, cookieName: 'my-session' })
+// new cookies use key 2, old cookies still decrypt with key 1
+```
+
+### Session object
+
+```ts
+interface IronSession {
+  save(): Promise<void>         // seal & write the cookie
+  destroy(): void               // clear data & expire the cookie
+  updateConfig(opts): void      // change options for this request
+  [key: string]: unknown        // your data
+}
+```
+
+### Low-level
+
+```ts
+import { createSessionFromAdapter, sealData, unsealData } from 'peta-auth'
+import { hashPassword, verifyPassword } from 'peta-auth'
+```
+
+- **`createSessionFromAdapter(adapter, options)`** — takes a `SessionAdapter` (`{ getCookie, setCookie }`). Used internally by all framework adapters.
+- **`sealData(data, { password, ttl? })` / `unsealData<T>(seal, { password, ttl? })`** — encrypt/decrypt arbitrary data.
+- **`hashPassword(password, { cost? })` / `verifyPassword(hash, password)`** — bcrypt hashing via `bcryptjs`. Default cost: 10.
+
+---
+
+## OAuth
+
+```ts
+import { defineOAuthGitHubEventHandler } from 'peta-auth/oauth/github'
+import { defineOAuthGoogleEventHandler } from 'peta-auth/oauth/google'
+```
+
+Each returns a `(request: Request) => Promise<Response>` handler — framework-agnostic.
+
+```ts
+import { defineOAuthGitHubEventHandler } from 'peta-auth/oauth/github'
+import { session } from 'peta-auth/hono'
+
+const app = new Hono()
+app.use('*', session({ password: process.env.SESSION_SECRET!, cookieName: 'my-session' }))
+
+const githubHandler = defineOAuthGitHubEventHandler({
+  config: {
+    clientId: process.env.GITHUB_CLIENT_ID!,
+    clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+  },
+  async onSuccess({ user, tokens }) {
+    // The user is authenticated — redirect back to your app.
+    // To create a session, use the `request` parameter:
+    // onSuccess({ user, tokens, request })
+    return new Response(null, { status: 302, headers: { Location: '/' } })
+  },
+})
+
+app.get('/auth/github', async (c) => githubHandler(c.req.raw))
+```
+
+Requires env vars: `PETA_OAUTH_GITHUB_CLIENT_ID`, `PETA_OAUTH_GITHUB_CLIENT_SECRET` (or `PETA_OAUTH_GOOGLE_*`).
+
+The `onSuccess` callback receives `request: Request` — create a session from the raw request inside the handler:
+
+```ts
+import { createSessionFromAdapter } from 'peta-auth'
+import { parse } from 'cookie'
+
+async onSuccess({ user, tokens, request }) {
+  const res = new Response(null, { status: 302, headers: { Location: '/' } })
+  const session = await createSessionFromAdapter({
+    getCookie: (name) => parse(request.headers.get('cookie') ?? '')[name],
+    setCookie: (v) => res.headers.append('Set-Cookie', v),
+  }, { password: process.env.SESSION_SECRET!, cookieName: 'my-session' })
+  session.user = { id: user.id, login: user.login }
+  await session.save()
+  return res
+}
+```
+
+---
+
+## Examples
+
+Full runnable examples in [`examples/`](./examples). All work with zero config (demo password fallback built in):
+
+```bash
+bun run examples/hono-basic.ts        # Hono — session CRUD, views counter
+bun run examples/elysia-basic.ts      # Elysia — session CRUD, views counter
+bun run examples/password-auth.ts     # Hono — signup + login with bcrypt
+bun run examples/oauth-github.ts      # Hono — GitHub OAuth
+bun run examples/oauth-google.ts      # Hono — Google OAuth (PKCE)
+bun run examples/elysia-password.ts   # Elysia — signup + login with bcrypt
+bun run examples/elysia-oauth-github.ts # Elysia — GitHub OAuth
+bun run examples/elysia-oauth-google.ts # Elysia — Google OAuth (PKCE)
+cd examples/nuxt                      # Nuxt — server routes with useSession
+```
+
+---
+
+## How it works
+
+Session data is serialized, encrypted with AES-256-CBC, integrity-protected with HMAC-SHA256, and stored in a single cookie. The session is **stateless** — no database, no Redis, no server-side storage.
+
+- `session.save()` — seals the current data into the cookie
+- `session.destroy()` — clears data and expires the cookie
+- Multiple mutations can be made before `save()` — only one seal operation
+- Cookie size limit of 4096 bytes applies (throws if exceeded)
+
+---
+
+## Scripts
+
+```bash
+bun test            # 43 tests across 9 files
+bun run build       # tsdown → dist/ (16 files, 24 kB)
+bun run prepublish  # build + publish
+```

package/dist/elysia.d.mts

@@ -0,0 +1,38 @@
+import { r as SessionOptions, t as IronSession } from "./session-DYH_m3lO.mjs";
+import { Elysia } from "elysia";
+
+//#region src/elysia.d.ts
+declare function session(options: SessionOptions): Elysia<"", {
+  decorator: {};
+  store: {};
+  derive: {};
+  resolve: {};
+}, {
+  typebox: {};
+  error: {};
+}, {
+  schema: {};
+  standaloneSchema: {};
+  macro: {};
+  macroFn: {};
+  parser: {};
+  response: {};
+}, {}, {
+  derive: {
+    readonly session: Record<string, unknown> & IronSession;
+  };
+  resolve: {};
+  schema: {};
+  standaloneSchema: {};
+  response: import("elysia").ExtractErrorFromHandle<{
+    readonly session: Record<string, unknown> & IronSession;
+  }>;
+}, {
+  derive: {};
+  resolve: {};
+  schema: {};
+  standaloneSchema: {};
+  response: {};
+}>;
+//#endregion
+export { session };

package/dist/elysia.mjs

@@ -0,0 +1,17 @@
+import { t as createSessionFromAdapter } from "./session-DSwf3XPH.mjs";
+import { parse } from "cookie";
+import { Elysia } from "elysia";
+//#region src/elysia.ts
+function session(options) {
+	return new Elysia({ name: "peta-auth" }).derive({ as: "scoped" }, async ({ headers: reqHeaders, set }) => {
+		const cookieStr = reqHeaders instanceof Headers ? reqHeaders.get("cookie") ?? "" : reqHeaders.cookie ?? "";
+		return { session: await createSessionFromAdapter({
+			getCookie: (name) => parse(cookieStr)[name],
+			setCookie: (v) => {
+				set.headers["Set-Cookie"] = v;
+			}
+		}, options) };
+	});
+}
+//#endregion
+export { session };

package/dist/hono.d.mts

@@ -0,0 +1,12 @@
+import { r as SessionOptions, t as IronSession } from "./session-DYH_m3lO.mjs";
+import { MiddlewareHandler } from "hono";
+
+//#region src/hono.d.ts
+declare module 'hono' {
+  interface ContextVariableMap {
+    session: IronSession;
+  }
+}
+declare function session(options: SessionOptions): MiddlewareHandler;
+//#endregion
+export { session };

package/dist/hono.mjs

@@ -0,0 +1,15 @@
+import { t as createSessionFromAdapter } from "./session-DSwf3XPH.mjs";
+import { parse } from "cookie";
+import { createMiddleware } from "hono/factory";
+//#region src/hono.ts
+function session(options) {
+	return createMiddleware(async (c, next) => {
+		c.set("session", await createSessionFromAdapter({
+			getCookie: (name) => parse(c.req.header("cookie") ?? "")[name],
+			setCookie: (v) => c.res.headers.append("Set-Cookie", v)
+		}, options));
+		await next();
+	});
+}
+//#endregion
+export { session };

package/dist/index.d.mts

@@ -0,0 +1,10 @@
+import { a as Password, i as createSessionFromAdapter, n as SessionAdapter, o as sealData, r as SessionOptions, s as unsealData, t as IronSession } from "./session-DYH_m3lO.mjs";
+
+//#region src/password.d.ts
+interface HashOptions {
+  cost?: number;
+}
+declare function hashPassword(password: string, options?: HashOptions): Promise<string>;
+declare function verifyPassword(hash: string, password: string): Promise<boolean>;
+//#endregion
+export { type IronSession, type Password, type SessionAdapter, type SessionOptions, createSessionFromAdapter, hashPassword, sealData, unsealData, verifyPassword };

package/dist/index.mjs

@@ -0,0 +1,11 @@
+import { n as sealData, r as unsealData, t as createSessionFromAdapter } from "./session-DSwf3XPH.mjs";
+import { compareSync, genSaltSync, hashSync } from "bcryptjs";
+//#region src/password.ts
+async function hashPassword(password, options = {}) {
+	return hashSync(password, genSaltSync(options.cost ?? 10));
+}
+async function verifyPassword(hash, password) {
+	return compareSync(password, hash);
+}
+//#endregion
+export { createSessionFromAdapter, hashPassword, sealData, unsealData, verifyPassword };

package/dist/nuxt.d.mts

@@ -0,0 +1,7 @@
+import { r as SessionOptions, t as IronSession } from "./session-DYH_m3lO.mjs";
+import { H3Event } from "h3";
+
+//#region src/nuxt.d.ts
+declare function useSession(event: H3Event, options: SessionOptions): Promise<IronSession>;
+//#endregion
+export { useSession };

package/dist/nuxt.mjs

@@ -0,0 +1,18 @@
+import { t as createSessionFromAdapter } from "./session-DSwf3XPH.mjs";
+import { appendHeader, getCookie } from "h3";
+//#region src/nuxt.ts
+function useSession(event, options) {
+	const password = options.password ?? process.env.NUXT_SESSION_PASSWORD;
+	if (!password) throw new Error("peta-auth/nuxt: NUXT_SESSION_PASSWORD is required");
+	return createSessionFromAdapter({
+		getCookie: (name) => getCookie(event, name),
+		setCookie: (value) => appendHeader(event, "Set-Cookie", value)
+	}, {
+		password,
+		cookieName: options?.cookieName ?? "nuxt-session",
+		ttl: options?.ttl,
+		cookieOptions: options?.cookieOptions
+	});
+}
+//#endregion
+export { useSession };

package/dist/oauth/github.d.mts

@@ -0,0 +1,37 @@
+//#region src/oauth/github.d.ts
+interface OAuthGitHubConfig {
+  clientId?: string;
+  clientSecret?: string;
+  scope?: string[];
+  emailRequired?: boolean;
+  authorizationURL?: string;
+  tokenURL?: string;
+  apiURL?: string;
+  authorizationParams?: Record<string, string>;
+  redirectURL?: string;
+}
+interface GitHubUser {
+  login: string;
+  id: number;
+  node_id: string;
+  avatar_url: string;
+  name: string;
+  email: string | null;
+  email_verified?: boolean;
+}
+interface GitHubTokens {
+  access_token: string;
+  scope: string;
+  token_type: string;
+}
+declare function defineOAuthGitHubEventHandler(options: {
+  config?: OAuthGitHubConfig;
+  onSuccess: (event: {
+    user: GitHubUser;
+    tokens: GitHubTokens;
+    request: Request;
+  }) => Response | Promise<Response>;
+  onError?: (error: Error) => Response | Promise<Response>;
+}): (request: Request) => Promise<Response>;
+//#endregion
+export { OAuthGitHubConfig, defineOAuthGitHubEventHandler };

package/dist/oauth/github.mjs

@@ -0,0 +1,92 @@
+import { getOAuthRedirectURL, handleAccessTokenError, handleInvalidState, handleMissingConfiguration, handleState, redirect, requestAccessToken } from "./index.mjs";
+//#region src/oauth/github.ts
+function resolveGitHubConfig(config) {
+	return {
+		authorizationURL: config.authorizationURL ?? "https://github.com/login/oauth/authorize",
+		tokenURL: config.tokenURL ?? "https://github.com/login/oauth/access_token",
+		apiURL: config.apiURL ?? "https://api.github.com",
+		clientId: config.clientId ?? process.env.PETA_OAUTH_GITHUB_CLIENT_ID ?? "",
+		clientSecret: config.clientSecret ?? process.env.PETA_OAUTH_GITHUB_CLIENT_SECRET ?? "",
+		scope: config.scope ?? [],
+		emailRequired: config.emailRequired ?? false,
+		authorizationParams: config.authorizationParams ?? {},
+		redirectURL: config.redirectURL
+	};
+}
+function defineOAuthGitHubEventHandler(options) {
+	const { config: userConfig = {}, onSuccess, onError } = options;
+	return async (request) => {
+		const config = resolveGitHubConfig(userConfig);
+		const url = new URL(request.url);
+		const queryCode = url.searchParams.get("code");
+		const queryError = url.searchParams.get("error");
+		const queryState = url.searchParams.get("state");
+		if (queryError) {
+			const err = /* @__PURE__ */ new Error(`GitHub login failed: ${queryError}`);
+			if (onError) return onError(err);
+			return new Response(JSON.stringify({ error: err.message }), {
+				status: 401,
+				headers: { "Content-Type": "application/json" }
+			});
+		}
+		if (!config.clientId || !config.clientSecret) {
+			const missing = [];
+			if (!config.clientId) missing.push("clientId");
+			if (!config.clientSecret) missing.push("clientSecret");
+			return handleMissingConfiguration("github", missing, onError);
+		}
+		const redirectURL = config.redirectURL || getOAuthRedirectURL(request);
+		const state = handleState(request);
+		if (!queryCode) {
+			if (config.emailRequired && !config.scope.includes("user:email")) config.scope.push("user:email");
+			const authUrl = new URL(config.authorizationURL);
+			authUrl.searchParams.set("client_id", config.clientId);
+			authUrl.searchParams.set("redirect_uri", redirectURL);
+			authUrl.searchParams.set("scope", config.scope.join(" "));
+			authUrl.searchParams.set("state", state.state ?? "");
+			for (const [k, v] of Object.entries(config.authorizationParams)) authUrl.searchParams.set(k, v);
+			return redirect(authUrl.toString(), state.setCookie);
+		}
+		if (!queryState || queryState !== state.expectedState) return handleInvalidState("github", onError);
+		const tokens = await requestAccessToken(config.tokenURL, { body: {
+			grant_type: "authorization_code",
+			client_id: config.clientId,
+			client_secret: config.clientSecret,
+			redirect_uri: redirectURL,
+			code: queryCode
+		} });
+		const tokensRecord = tokens;
+		if (tokensRecord.error) return handleAccessTokenError("github", tokensRecord, onError);
+		const accessToken = tokens.access_token;
+		const userResponse = await fetch(`${config.apiURL}/user`, { headers: {
+			"User-Agent": `GitHub-OAuth-${config.clientId}`,
+			Authorization: `token ${accessToken}`
+		} });
+		if (!userResponse.ok) {
+			const err = /* @__PURE__ */ new Error(`GitHub user fetch failed: ${userResponse.status}`);
+			if (onError) return onError(err);
+			throw err;
+		}
+		const user = await userResponse.json();
+		if (!user.email && config.emailRequired) {
+			const emailsResponse = await fetch(`${config.apiURL}/user/emails`, { headers: {
+				"User-Agent": `GitHub-OAuth-${config.clientId}`,
+				Authorization: `token ${accessToken}`
+			} });
+			if (emailsResponse.ok) {
+				const primaryEmail = (await emailsResponse.json()).find((e) => e.primary);
+				if (primaryEmail) {
+					user.email = primaryEmail.email;
+					user.email_verified = primaryEmail.verified;
+				}
+			}
+		}
+		return onSuccess({
+			user,
+			tokens,
+			request
+		});
+	};
+}
+//#endregion
+export { defineOAuthGitHubEventHandler };

package/dist/oauth/google.d.mts

@@ -0,0 +1,39 @@
+//#region src/oauth/google.d.ts
+interface OAuthGoogleConfig {
+  clientId?: string;
+  clientSecret?: string;
+  scope?: string[];
+  authorizationURL?: string;
+  tokenURL?: string;
+  userInfoURL?: string;
+  authorizationParams?: Record<string, string>;
+  redirectURL?: string;
+}
+interface GoogleUser {
+  sub: string;
+  name: string;
+  given_name: string;
+  family_name: string;
+  picture: string;
+  email: string;
+  email_verified: boolean;
+  locale: string;
+}
+interface GoogleTokens {
+  access_token: string;
+  id_token: string;
+  scope: string;
+  token_type: string;
+  expires_in: number;
+}
+declare function defineOAuthGoogleEventHandler(options: {
+  config?: OAuthGoogleConfig;
+  onSuccess: (event: {
+    user: GoogleUser;
+    tokens: GoogleTokens;
+    request: Request;
+  }) => Response | Promise<Response>;
+  onError?: (error: Error) => Response | Promise<Response>;
+}): (request: Request) => Promise<Response>;
+//#endregion
+export { OAuthGoogleConfig, defineOAuthGoogleEventHandler };

package/dist/oauth/google.mjs

@@ -0,0 +1,84 @@
+import { getOAuthRedirectURL, handleAccessTokenError, handleInvalidState, handleMissingConfiguration, handlePKCE, handleState, redirect, requestAccessToken } from "./index.mjs";
+//#region src/oauth/google.ts
+function resolveGoogleConfig(config) {
+	return {
+		authorizationURL: config.authorizationURL ?? "https://accounts.google.com/o/oauth2/v2/auth",
+		tokenURL: config.tokenURL ?? "https://oauth2.googleapis.com/token",
+		userInfoURL: config.userInfoURL ?? "https://www.googleapis.com/oauth2/v3/userinfo",
+		clientId: config.clientId ?? process.env.PETA_OAUTH_GOOGLE_CLIENT_ID ?? "",
+		clientSecret: config.clientSecret ?? process.env.PETA_OAUTH_GOOGLE_CLIENT_SECRET ?? "",
+		scope: config.scope ?? [
+			"openid",
+			"email",
+			"profile"
+		],
+		authorizationParams: config.authorizationParams ?? {},
+		redirectURL: config.redirectURL
+	};
+}
+function defineOAuthGoogleEventHandler(options) {
+	const { config: userConfig = {}, onSuccess, onError } = options;
+	return async (request) => {
+		const config = resolveGoogleConfig(userConfig);
+		const url = new URL(request.url);
+		const queryCode = url.searchParams.get("code");
+		const queryError = url.searchParams.get("error");
+		const queryState = url.searchParams.get("state");
+		if (queryError) {
+			const err = /* @__PURE__ */ new Error(`Google login failed: ${queryError}`);
+			if (onError) return onError(err);
+			return new Response(JSON.stringify({ error: err.message }), {
+				status: 401,
+				headers: { "Content-Type": "application/json" }
+			});
+		}
+		if (!config.clientId || !config.clientSecret) {
+			const missing = [];
+			if (!config.clientId) missing.push("clientId");
+			if (!config.clientSecret) missing.push("clientSecret");
+			return handleMissingConfiguration("google", missing, onError);
+		}
+		const redirectURL = config.redirectURL || getOAuthRedirectURL(request);
+		const state = handleState(request);
+		const pkce = await handlePKCE(request);
+		if (!queryCode) {
+			const authUrl = new URL(config.authorizationURL);
+			authUrl.searchParams.set("client_id", config.clientId);
+			authUrl.searchParams.set("redirect_uri", redirectURL);
+			authUrl.searchParams.set("scope", config.scope.join(" "));
+			authUrl.searchParams.set("response_type", "code");
+			authUrl.searchParams.set("state", state.state ?? "");
+			if (pkce.codeChallenge) {
+				authUrl.searchParams.set("code_challenge", pkce.codeChallenge);
+				authUrl.searchParams.set("code_challenge_method", pkce.codeChallengeMethod ?? "S256");
+			}
+			for (const [k, v] of Object.entries(config.authorizationParams)) authUrl.searchParams.set(k, v);
+			const cookies = [state.setCookie, pkce.setCookie].filter(Boolean).join("; ");
+			return redirect(authUrl.toString(), cookies || void 0);
+		}
+		if (!queryState || queryState !== state.expectedState) return handleInvalidState("google", onError);
+		const tokens = await requestAccessToken(config.tokenURL, { body: {
+			grant_type: "authorization_code",
+			client_id: config.clientId,
+			client_secret: config.clientSecret,
+			redirect_uri: redirectURL,
+			code: queryCode,
+			code_verifier: pkce.codeVerifier
+		} });
+		const tokensRecord = tokens;
+		if (tokensRecord.error) return handleAccessTokenError("google", tokensRecord, onError);
+		const userResponse = await fetch(config.userInfoURL, { headers: { Authorization: `Bearer ${tokens.access_token}` } });
+		if (!userResponse.ok) {
+			const err = /* @__PURE__ */ new Error(`Google user fetch failed: ${userResponse.status}`);
+			if (onError) return onError(err);
+			throw err;
+		}
+		return onSuccess({
+			user: await userResponse.json(),
+			tokens,
+			request
+		});
+	};
+}
+//#endregion
+export { defineOAuthGoogleEventHandler };

package/dist/oauth/index.d.mts

@@ -0,0 +1,25 @@
+//#region src/oauth/index.d.ts
+declare function getOAuthRedirectURL(request: Request): string;
+declare function handlePKCE(request: Request): Promise<{
+  codeChallenge?: string;
+  codeChallengeMethod?: string;
+  codeVerifier?: string;
+  setCookie?: string;
+}>;
+declare function handleState(request: Request): {
+  state?: string;
+  expectedState?: string;
+  setCookie?: string;
+};
+interface RequestAccessTokenOptions {
+  body?: Record<string, string | undefined>;
+  params?: Record<string, string | undefined>;
+  headers?: Record<string, string>;
+}
+declare function requestAccessToken<T = unknown>(url: string, options: RequestAccessTokenOptions): Promise<T>;
+declare function redirect(url: string, cookie?: string): Response;
+declare function handleMissingConfiguration(provider: string, missingKeys: string[], onError?: (err: Error) => Response | Promise<Response>): Response | Promise<Response>;
+declare function handleAccessTokenError(provider: string, errorData: Record<string, string>, onError?: (err: Error) => Response | Promise<Response>): Response | Promise<Response>;
+declare function handleInvalidState(provider: string, onError?: (err: Error) => Response | Promise<Response>): Response | Promise<Response>;
+//#endregion
+export { RequestAccessTokenOptions, getOAuthRedirectURL, handleAccessTokenError, handleInvalidState, handleMissingConfiguration, handlePKCE, handleState, redirect, requestAccessToken };

package/dist/oauth/index.mjs

@@ -0,0 +1,103 @@
+import { parse, serialize } from "cookie";
+//#region src/oauth/index.ts
+const isDevelopment = process.env.NODE_ENV === "development";
+const OAUTH_COOKIE_MAX_AGE = 600;
+function encodeBase64Url(input) {
+	return btoa(String.fromCharCode(...input)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function getRandomBytes(size = 32) {
+	return crypto.getRandomValues(new Uint8Array(size));
+}
+function oauthCookieOptions(maxAge) {
+	return {
+		path: "/",
+		httpOnly: true,
+		sameSite: "lax",
+		secure: !isDevelopment,
+		maxAge
+	};
+}
+function getOAuthRedirectURL(request) {
+	const url = new URL(request.url);
+	return `${url.protocol}//${url.host}${url.pathname}`;
+}
+async function handlePKCE(request) {
+	const code = new URL(request.url).searchParams.get("code");
+	const cookies = parse(request.headers.get("cookie") ?? "");
+	if (code) return { codeVerifier: cookies["peta-auth-pkce"] };
+	const verifier = encodeBase64Url(getRandomBytes(32));
+	const encoder = new TextEncoder();
+	return {
+		codeChallenge: encodeBase64Url(new Uint8Array(await crypto.subtle.digest("SHA-256", encoder.encode(verifier)))),
+		codeChallengeMethod: "S256",
+		setCookie: serialize("peta-auth-pkce", verifier, oauthCookieOptions(OAUTH_COOKIE_MAX_AGE))
+	};
+}
+function handleState(request) {
+	const queryState = new URL(request.url).searchParams.get("state");
+	const cookies = parse(request.headers.get("cookie") ?? "");
+	if (queryState) return {
+		state: queryState,
+		expectedState: cookies["peta-auth-state"]
+	};
+	const state = encodeBase64Url(getRandomBytes(8));
+	return {
+		state,
+		setCookie: serialize("peta-auth-state", state, oauthCookieOptions(OAUTH_COOKIE_MAX_AGE))
+	};
+}
+async function requestAccessToken(url, options) {
+	const headers = {
+		"Content-Type": "application/x-www-form-urlencoded",
+		...options.headers
+	};
+	const bodyParams = options.body ?? options.params ?? {};
+	const body = new URLSearchParams();
+	for (const [key, value] of Object.entries(bodyParams)) if (value !== void 0) body.append(key, value);
+	const response = await fetch(url, {
+		method: "POST",
+		headers,
+		body: body.toString()
+	});
+	if (!response.ok) {
+		if (response.status === 401) return response.json();
+		throw new Error(`OAuth token request failed: ${response.status} ${response.statusText}`);
+	}
+	return response.json();
+}
+function redirect(url, cookie) {
+	const headers = new Headers({ Location: url });
+	if (cookie) headers.append("Set-Cookie", cookie);
+	return new Response(null, {
+		status: 302,
+		headers
+	});
+}
+function handleMissingConfiguration(provider, missingKeys, onError) {
+	const envVars = missingKeys.map((k) => `PETA_OAUTH_${provider.toUpperCase()}_${k.replace(/([A-Z])/g, "_$1").toUpperCase()}`);
+	const err = /* @__PURE__ */ new Error(`Missing ${envVars.join(" or ")} env ${missingKeys.length > 1 ? "variables" : "variable"}.`);
+	if (onError) return onError(err);
+	return new Response(JSON.stringify({ error: err.message }), {
+		status: 500,
+		headers: { "Content-Type": "application/json" }
+	});
+}
+function handleAccessTokenError(provider, errorData, onError) {
+	const message = `${provider} login failed: ${errorData.error_description || errorData.error || "Unknown error"}`;
+	const err = new Error(message);
+	if (onError) return onError(err);
+	return new Response(JSON.stringify({ error: err.message }), {
+		status: 401,
+		headers: { "Content-Type": "application/json" }
+	});
+}
+function handleInvalidState(provider, onError) {
+	const err = /* @__PURE__ */ new Error(`${provider} login failed: state mismatch`);
+	if (onError) return onError(err);
+	return new Response(JSON.stringify({ error: err.message }), {
+		status: 500,
+		headers: { "Content-Type": "application/json" }
+	});
+}
+//#endregion
+export { getOAuthRedirectURL, handleAccessTokenError, handleInvalidState, handleMissingConfiguration, handlePKCE, handleState, redirect, requestAccessToken };

package/dist/session-DSwf3XPH.mjs

@@ -0,0 +1,119 @@
+import { defaults, seal, unseal } from "iron-webcrypto";
+import { serialize } from "cookie";
+//#region src/crypto.ts
+const fourteenDays = 336 * 3600;
+const currentMajorVersion = 2;
+const versionDelimiter = "~";
+function normalizePassword(password) {
+	return typeof password === "string" ? { 1: password } : password;
+}
+function parseSeal(seal) {
+	const idx = seal.lastIndexOf(versionDelimiter);
+	if (idx === -1) return {
+		sealWithoutVersion: seal,
+		tokenVersion: null
+	};
+	return {
+		sealWithoutVersion: seal.slice(0, idx),
+		tokenVersion: parseInt(seal.slice(idx + 1), 10) || null
+	};
+}
+function createSealData(webcrypto) {
+	return async function sealData(data, { password, ttl = fourteenDays }) {
+		const map = normalizePassword(password);
+		const id = Math.max(...Object.keys(map).map(Number)).toString();
+		const pw = map[id];
+		return `${await seal(webcrypto, data, {
+			id,
+			secret: pw
+		}, {
+			...defaults,
+			ttl: ttl * 1e3
+		})}${versionDelimiter}${currentMajorVersion}`;
+	};
+}
+function createUnsealData(webcrypto) {
+	return async function unsealData(seal, { password, ttl = fourteenDays }) {
+		const map = normalizePassword(password);
+		const { sealWithoutVersion, tokenVersion } = parseSeal(seal);
+		try {
+			const data = await unseal(webcrypto, sealWithoutVersion, map, {
+				...defaults,
+				ttl: ttl * 1e3
+			}) ?? {};
+			if (tokenVersion === 2) return data;
+			const d = data;
+			return { ...d.persistent ? d.persistent : {} };
+		} catch (err) {
+			if (err instanceof Error && /^(Expired seal|Bad hmac value|Cannot find password|Incorrect number of sealed components)/.test(err.message)) return {};
+			throw err;
+		}
+	};
+}
+function getCrypto() {
+	return globalThis.crypto;
+}
+const sealData = createSealData(getCrypto());
+const unsealData = createUnsealData(getCrypto());
+//#endregion
+//#region src/session.ts
+const timestampSkewSec = 60;
+const defaults$1 = {
+	ttl: 336 * 3600,
+	cookieOptions: {
+		httpOnly: true,
+		secure: true,
+		sameSite: "lax",
+		path: "/"
+	}
+};
+function computeMaxAge(ttl) {
+	if (ttl === 0) return 2147483647;
+	return ttl - timestampSkewSec;
+}
+function resolveConfig(opts) {
+	const ttl = opts.ttl ?? defaults$1.ttl;
+	const cookieOptions = {
+		...defaults$1.cookieOptions,
+		...opts.cookieOptions
+	};
+	if (!("maxAge" in (opts.cookieOptions ?? {}))) cookieOptions.maxAge = computeMaxAge(ttl);
+	const passwordsMap = typeof opts.password === "string" ? { 1: opts.password } : opts.password;
+	for (const pw of Object.values(passwordsMap)) if (pw.length < 32) throw new Error("peta-auth: password must be at least 32 characters");
+	return {
+		ttl,
+		cookieName: opts.cookieName,
+		password: opts.password,
+		cookieOptions
+	};
+}
+async function createSessionFromAdapter(adapter, options) {
+	let config = resolveConfig(options);
+	const seal = adapter.getCookie(config.cookieName);
+	const session = seal ? await unsealData(seal, {
+		password: config.password,
+		ttl: config.ttl
+	}) : {};
+	session.save = async () => {
+		const s = await sealData(session, {
+			password: config.password,
+			ttl: config.ttl
+		});
+		const cookieValue = serialize(config.cookieName, s, config.cookieOptions);
+		if (cookieValue.length > 4096) throw new Error(`peta-auth: cookie too large (${cookieValue.length} bytes)`);
+		adapter.setCookie(cookieValue);
+	};
+	session.destroy = () => {
+		for (const key of Object.keys(session)) if (key !== "save" && key !== "destroy" && key !== "updateConfig") delete session[key];
+		adapter.setCookie(serialize(config.cookieName, "", {
+			...config.cookieOptions,
+			maxAge: 0
+		}));
+	};
+	session.updateConfig = (opts) => {
+		config = resolveConfig(opts);
+	};
+	return session;
+}
+//#endregion
+export { sealData as n, unsealData as r, createSessionFromAdapter as t };

package/dist/session-DYH_m3lO.d.mts

@@ -0,0 +1,40 @@
+import { SerializeOptions } from "cookie";
+
+//#region src/crypto.d.ts
+type PasswordsMap = Record<string, string>;
+type Password = PasswordsMap | string;
+declare const sealData: (data: unknown, {
+  password,
+  ttl
+}: {
+  password: Password;
+  ttl?: number;
+}) => Promise<string>;
+declare const unsealData: <T>(seal: string, {
+  password,
+  ttl
+}: {
+  password: Password;
+  ttl?: number;
+}) => Promise<T>;
+//#endregion
+//#region src/session.d.ts
+interface SessionOptions {
+  password: Password;
+  cookieName: string;
+  ttl?: number;
+  cookieOptions?: Omit<SerializeOptions, 'encode'>;
+}
+interface IronSession {
+  save(): Promise<void>;
+  destroy(): void;
+  updateConfig(options: SessionOptions): void;
+  [key: string]: unknown;
+}
+interface SessionAdapter {
+  getCookie(name: string): string | undefined;
+  setCookie(cookie: string): void;
+}
+declare function createSessionFromAdapter<T extends Record<string, unknown> = Record<string, unknown>>(adapter: SessionAdapter, options: SessionOptions): Promise<T & IronSession>;
+//#endregion
+export { Password as a, createSessionFromAdapter as i, SessionAdapter as n, sealData as o, SessionOptions as r, unsealData as s, IronSession as t };

package/package.json

@@ -0,0 +1,76 @@
+{
+  "name": "peta-auth",
+  "version": "0.1.0",
+  "description": "Encrypted cookie sessions for Bun — Hono, ElysiaJS & Nuxt adapters",
+  "type": "module",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.mts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.mts",
+      "import": "./dist/index.mjs"
+    },
+    "./hono": {
+      "types": "./dist/hono.d.mts",
+      "import": "./dist/hono.mjs"
+    },
+    "./elysia": {
+      "types": "./dist/elysia.d.mts",
+      "import": "./dist/elysia.mjs"
+    },
+    "./nuxt": {
+      "types": "./dist/nuxt.d.mts",
+      "import": "./dist/nuxt.mjs"
+    },
+    "./oauth/github": {
+      "types": "./dist/oauth/github.d.mts",
+      "import": "./dist/oauth/github.mjs"
+    },
+    "./oauth/google": {
+      "types": "./dist/oauth/google.d.mts",
+      "import": "./dist/oauth/google.mjs"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsdown",
+    "lint": "biome check --write .",
+    "lint:ci": "biome ci .",
+    "prepublish": "bun run build",
+    "test": "bun test"
+  },
+  "dependencies": {
+    "bcryptjs": "^3.0.3",
+    "cookie": "^1.0.2",
+    "iron-webcrypto": "^1.2.1"
+  },
+  "peerDependencies": {
+    "elysia": ">=1.0.0",
+    "h3": ">=1.15.0",
+    "hono": ">=4.0.0",
+    "typescript": "^5.0.0"
+  },
+  "peerDependenciesMeta": {
+    "elysia": {
+      "optional": true
+    },
+    "h3": {
+      "optional": true
+    },
+    "hono": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "@biomejs/biome": "^2.4.16",
+    "@types/bcryptjs": "^3.0.0",
+    "@types/bun": "latest",
+    "elysia": "latest",
+    "h3": "latest",
+    "hono": "latest",
+    "tsdown": "latest",
+    "typescript": "^5.0.0"
+  }
+}