peta-auth 0.1.3 → 0.2.1

package/dist/oauth/github.mjs

@@ -1,92 +1,83 @@
-import { getOAuthRedirectURL, handleAccessTokenError, handleInvalidState, handleMissingConfiguration, handleState, redirect, requestAccessToken } from "./index.mjs";
+import { t as defineOAuthHandler } from "../utils-CKT3C1Lq.mjs";
 //#region src/oauth/github.ts
-function resolveGitHubConfig(config) {
-	return {
-		authorizationURL: config.authorizationURL ?? "https://github.com/login/oauth/authorize",
-		tokenURL: config.tokenURL ?? "https://github.com/login/oauth/access_token",
-		apiURL: config.apiURL ?? "https://api.github.com",
-		clientId: config.clientId ?? process.env.PETA_OAUTH_GITHUB_CLIENT_ID ?? "",
-		clientSecret: config.clientSecret ?? process.env.PETA_OAUTH_GITHUB_CLIENT_SECRET ?? "",
-		scope: config.scope ?? [],
-		emailRequired: config.emailRequired ?? false,
-		authorizationParams: config.authorizationParams ?? {},
-		redirectURL: config.redirectURL
-	};
-}
-function defineOAuthGitHubEventHandler(options) {
-	const { config: userConfig = {}, onSuccess, onError } = options;
-	return async (request) => {
-		const config = resolveGitHubConfig(userConfig);
-		const url = new URL(request.url);
-		const queryCode = url.searchParams.get("code");
-		const queryError = url.searchParams.get("error");
-		const queryState = url.searchParams.get("state");
-		if (queryError) {
-			const err = /* @__PURE__ */ new Error(`GitHub login failed: ${queryError}`);
-			if (onError) return onError(err);
-			return new Response(JSON.stringify({ error: err.message }), {
-				status: 401,
-				headers: { "Content-Type": "application/json" }
-			});
-		}
-		if (!config.clientId || !config.clientSecret) {
-			const missing = [];
-			if (!config.clientId) missing.push("clientId");
-			if (!config.clientSecret) missing.push("clientSecret");
-			return handleMissingConfiguration("github", missing, onError);
-		}
-		const redirectURL = config.redirectURL || getOAuthRedirectURL(request);
-		const state = handleState(request);
-		if (!queryCode) {
-			if (config.emailRequired && !config.scope.includes("user:email")) config.scope.push("user:email");
-			const authUrl = new URL(config.authorizationURL);
-			authUrl.searchParams.set("client_id", config.clientId);
-			authUrl.searchParams.set("redirect_uri", redirectURL);
-			authUrl.searchParams.set("scope", config.scope.join(" "));
-			authUrl.searchParams.set("state", state.state ?? "");
-			for (const [k, v] of Object.entries(config.authorizationParams)) authUrl.searchParams.set(k, v);
-			return redirect(authUrl.toString(), state.setCookie);
-		}
-		if (!queryState || queryState !== state.expectedState) return handleInvalidState("github", onError);
-		const tokens = await requestAccessToken(config.tokenURL, { body: {
+const githubProvider = {
+	name: "github",
+	resolveConfig(config) {
+		const c = config;
+		return {
+			authorizationURL: c.authorizationURL ?? "https://github.com/login/oauth/authorize",
+			tokenURL: c.tokenURL ?? "https://github.com/login/oauth/access_token",
+			apiURL: c.apiURL ?? "https://api.github.com",
+			clientId: c.clientId ?? process.env.PETA_OAUTH_GITHUB_CLIENT_ID ?? "",
+			clientSecret: c.clientSecret ?? process.env.PETA_OAUTH_GITHUB_CLIENT_SECRET ?? "",
+			scope: c.scope ?? [],
+			emailRequired: c.emailRequired ?? false,
+			authorizationParams: c.authorizationParams ?? {},
+			redirectURL: c.redirectURL
+		};
+	},
+	buildAuthUrl(config, redirectURL, state, _pkce) {
+		const c = config;
+		if (c.emailRequired && !c.scope.includes("user:email")) c.scope.push("user:email");
+		const authUrl = new URL(c.authorizationURL);
+		authUrl.searchParams.set("client_id", c.clientId);
+		authUrl.searchParams.set("redirect_uri", redirectURL);
+		authUrl.searchParams.set("scope", c.scope.join(" "));
+		authUrl.searchParams.set("state", state.state ?? "");
+		for (const [key, value] of Object.entries(c.authorizationParams)) authUrl.searchParams.set(key, value);
+		return {
+			url: authUrl.toString(),
+			cookies: state.setCookie
+		};
+	},
+	requestTokenBody(config, redirectURL, code, _pkce) {
+		return {
 			grant_type: "authorization_code",
 			client_id: config.clientId,
 			client_secret: config.clientSecret,
 			redirect_uri: redirectURL,
-			code: queryCode
-		} });
-		const tokensRecord = tokens;
-		if (tokensRecord.error) return handleAccessTokenError("github", tokensRecord, onError);
+			code
+		};
+	},
+	async fetchUser(config, tokens, _request) {
+		const c = config;
 		const accessToken = tokens.access_token;
-		const userResponse = await fetch(`${config.apiURL}/user`, { headers: {
-			"User-Agent": `GitHub-OAuth-${config.clientId}`,
+		const userResponse = await fetch(`${c.apiURL}/user`, { headers: {
+			"User-Agent": `GitHub-OAuth-${c.clientId}`,
 			Authorization: `token ${accessToken}`
 		} });
-		if (!userResponse.ok) {
-			const err = /* @__PURE__ */ new Error(`GitHub user fetch failed: ${userResponse.status}`);
-			if (onError) return onError(err);
-			throw err;
-		}
+		if (!userResponse.ok) throw new Error(`GitHub user fetch failed: ${userResponse.status}`);
 		const user = await userResponse.json();
-		if (!user.email && config.emailRequired) {
-			const emailsResponse = await fetch(`${config.apiURL}/user/emails`, { headers: {
-				"User-Agent": `GitHub-OAuth-${config.clientId}`,
+		if (!user.email && c.emailRequired) {
+			const emailsResponse = await fetch(`${c.apiURL}/user/emails`, { headers: {
+				"User-Agent": `GitHub-OAuth-${c.clientId}`,
 				Authorization: `token ${accessToken}`
 			} });
 			if (emailsResponse.ok) {
-				const primaryEmail = (await emailsResponse.json()).find((e) => e.primary);
+				const primaryEmail = (await emailsResponse.json()).find((entry) => entry.primary);
 				if (primaryEmail) {
 					user.email = primaryEmail.email;
 					user.email_verified = primaryEmail.verified;
 				}
 			}
 		}
-		return onSuccess({
-			user,
-			tokens,
-			request
-		});
-	};
+		return user;
+	}
+};
+/**
+* Define a GitHub OAuth event handler.
+*
+* @example
+* ```ts
+* const handle = defineOAuthGitHubEventHandler({
+*   onSuccess: async ({ user, tokens }) =>
+*     new Response(`Welcome ${user.login}!`),
+* })
+* serve(handle)
+* ```
+*/
+function defineOAuthGitHubEventHandler(options) {
+	return defineOAuthHandler(githubProvider, options);
 }
 //#endregion
 export { defineOAuthGitHubEventHandler };

package/dist/oauth/google.d.mts

@@ -1,4 +1,5 @@
 //#region src/oauth/google.d.ts
+/** Configuration for Google OAuth. */
 interface OAuthGoogleConfig {
   clientId?: string;
   clientSecret?: string;
@@ -9,6 +10,13 @@ interface OAuthGoogleConfig {
   authorizationParams?: Record<string, string>;
   redirectURL?: string;
 }
+interface GoogleTokens {
+  access_token: string;
+  id_token: string;
+  scope: string;
+  token_type: string;
+  expires_in: number;
+}
 interface GoogleUser {
   sub: string;
   name: string;
@@ -19,13 +27,18 @@ interface GoogleUser {
   email_verified: boolean;
   locale: string;
 }
-interface GoogleTokens {
-  access_token: string;
-  id_token: string;
-  scope: string;
-  token_type: string;
-  expires_in: number;
-}
+/**
+ * Define a Google OAuth event handler.
+ *
+ * @example
+ * ```ts
+ * const handle = defineOAuthGoogleEventHandler({
+ *   onSuccess: async ({ user }) =>
+ *     new Response(`Welcome ${user.name}!`),
+ * })
+ * serve(handle)
+ * ```
+ */
 declare function defineOAuthGoogleEventHandler(options: {
   config?: OAuthGoogleConfig;
   onSuccess: (event: {

package/dist/oauth/google.mjs

@@ -1,84 +1,74 @@
-import { getOAuthRedirectURL, handleAccessTokenError, handleInvalidState, handleMissingConfiguration, handlePKCE, handleState, redirect, requestAccessToken } from "./index.mjs";
+import { t as defineOAuthHandler } from "../utils-CKT3C1Lq.mjs";
 //#region src/oauth/google.ts
-function resolveGoogleConfig(config) {
-	return {
-		authorizationURL: config.authorizationURL ?? "https://accounts.google.com/o/oauth2/v2/auth",
-		tokenURL: config.tokenURL ?? "https://oauth2.googleapis.com/token",
-		userInfoURL: config.userInfoURL ?? "https://www.googleapis.com/oauth2/v3/userinfo",
-		clientId: config.clientId ?? process.env.PETA_OAUTH_GOOGLE_CLIENT_ID ?? "",
-		clientSecret: config.clientSecret ?? process.env.PETA_OAUTH_GOOGLE_CLIENT_SECRET ?? "",
-		scope: config.scope ?? [
-			"openid",
-			"email",
-			"profile"
-		],
-		authorizationParams: config.authorizationParams ?? {},
-		redirectURL: config.redirectURL
-	};
-}
-function defineOAuthGoogleEventHandler(options) {
-	const { config: userConfig = {}, onSuccess, onError } = options;
-	return async (request) => {
-		const config = resolveGoogleConfig(userConfig);
-		const url = new URL(request.url);
-		const queryCode = url.searchParams.get("code");
-		const queryError = url.searchParams.get("error");
-		const queryState = url.searchParams.get("state");
-		if (queryError) {
-			const err = /* @__PURE__ */ new Error(`Google login failed: ${queryError}`);
-			if (onError) return onError(err);
-			return new Response(JSON.stringify({ error: err.message }), {
-				status: 401,
-				headers: { "Content-Type": "application/json" }
-			});
-		}
-		if (!config.clientId || !config.clientSecret) {
-			const missing = [];
-			if (!config.clientId) missing.push("clientId");
-			if (!config.clientSecret) missing.push("clientSecret");
-			return handleMissingConfiguration("google", missing, onError);
+const googleProvider = {
+	name: "google",
+	resolveConfig(config) {
+		const c = config;
+		return {
+			authorizationURL: c.authorizationURL ?? "https://accounts.google.com/o/oauth2/v2/auth",
+			tokenURL: c.tokenURL ?? "https://oauth2.googleapis.com/token",
+			userInfoURL: c.userInfoURL ?? "https://www.googleapis.com/oauth2/v3/userinfo",
+			clientId: c.clientId ?? process.env.PETA_OAUTH_GOOGLE_CLIENT_ID ?? "",
+			clientSecret: c.clientSecret ?? process.env.PETA_OAUTH_GOOGLE_CLIENT_SECRET ?? "",
+			scope: c.scope ?? [
+				"openid",
+				"email",
+				"profile"
+			],
+			authorizationParams: c.authorizationParams ?? {},
+			redirectURL: c.redirectURL
+		};
+	},
+	buildAuthUrl(config, redirectURL, state, pkce) {
+		const c = config;
+		const authUrl = new URL(c.authorizationURL);
+		authUrl.searchParams.set("client_id", c.clientId);
+		authUrl.searchParams.set("redirect_uri", redirectURL);
+		authUrl.searchParams.set("scope", c.scope.join(" "));
+		authUrl.searchParams.set("response_type", "code");
+		authUrl.searchParams.set("state", state.state ?? "");
+		if (pkce.codeChallenge) {
+			authUrl.searchParams.set("code_challenge", pkce.codeChallenge);
+			authUrl.searchParams.set("code_challenge_method", pkce.codeChallengeMethod ?? "S256");
 		}
-		const redirectURL = config.redirectURL || getOAuthRedirectURL(request);
-		const state = handleState(request);
-		const pkce = await handlePKCE(request);
-		if (!queryCode) {
-			const authUrl = new URL(config.authorizationURL);
-			authUrl.searchParams.set("client_id", config.clientId);
-			authUrl.searchParams.set("redirect_uri", redirectURL);
-			authUrl.searchParams.set("scope", config.scope.join(" "));
-			authUrl.searchParams.set("response_type", "code");
-			authUrl.searchParams.set("state", state.state ?? "");
-			if (pkce.codeChallenge) {
-				authUrl.searchParams.set("code_challenge", pkce.codeChallenge);
-				authUrl.searchParams.set("code_challenge_method", pkce.codeChallengeMethod ?? "S256");
-			}
-			for (const [k, v] of Object.entries(config.authorizationParams)) authUrl.searchParams.set(k, v);
-			const cookies = [state.setCookie, pkce.setCookie].filter(Boolean).join("; ");
-			return redirect(authUrl.toString(), cookies || void 0);
-		}
-		if (!queryState || queryState !== state.expectedState) return handleInvalidState("google", onError);
-		const tokens = await requestAccessToken(config.tokenURL, { body: {
+		for (const [key, value] of Object.entries(c.authorizationParams)) authUrl.searchParams.set(key, value);
+		const cookies = [state.setCookie, pkce.setCookie].filter(Boolean).join("; ");
+		return {
+			url: authUrl.toString(),
+			cookies: cookies || void 0
+		};
+	},
+	requestTokenBody(config, redirectURL, code, pkce) {
+		return {
 			grant_type: "authorization_code",
 			client_id: config.clientId,
 			client_secret: config.clientSecret,
 			redirect_uri: redirectURL,
-			code: queryCode,
-			code_verifier: pkce.codeVerifier
-		} });
-		const tokensRecord = tokens;
-		if (tokensRecord.error) return handleAccessTokenError("google", tokensRecord, onError);
-		const userResponse = await fetch(config.userInfoURL, { headers: { Authorization: `Bearer ${tokens.access_token}` } });
-		if (!userResponse.ok) {
-			const err = /* @__PURE__ */ new Error(`Google user fetch failed: ${userResponse.status}`);
-			if (onError) return onError(err);
-			throw err;
-		}
-		return onSuccess({
-			user: await userResponse.json(),
-			tokens,
-			request
-		});
-	};
+			code,
+			code_verifier: pkce.codeVerifier ?? ""
+		};
+	},
+	async fetchUser(config, tokens, _request) {
+		const userURL = config.userInfoURL ?? "https://www.googleapis.com/oauth2/v3/userinfo";
+		const userResponse = await fetch(userURL, { headers: { Authorization: `Bearer ${tokens.access_token}` } });
+		if (!userResponse.ok) throw new Error(`Google user fetch failed: ${userResponse.status}`);
+		return userResponse.json();
+	}
+};
+/**
+* Define a Google OAuth event handler.
+*
+* @example
+* ```ts
+* const handle = defineOAuthGoogleEventHandler({
+*   onSuccess: async ({ user }) =>
+*     new Response(`Welcome ${user.name}!`),
+* })
+* serve(handle)
+* ```
+*/
+function defineOAuthGoogleEventHandler(options) {
+	return defineOAuthHandler(googleProvider, options);
 }
 //#endregion
 export { defineOAuthGoogleEventHandler };

package/dist/session-0bF8_7Ui.d.mts

@@ -0,0 +1,53 @@
+import { t as Password } from "./crypto-DR-ETdLZ.mjs";
+import { SerializeOptions } from "cookie";
+
+//#region src/session.d.ts
+/** Options for creating a cookie session. */
+interface SessionOptions {
+  /** Password(s) used to encrypt the session cookie. */
+  password: Password;
+  /** Name of the cookie. */
+  cookieName: string;
+  /** Session lifetime in seconds (default 14 days). */
+  timeToLive?: number;
+  /** Extra cookie serialization options. */
+  cookieOptions?: Omit<SerializeOptions, "encode">;
+}
+/** A session instance returned by {@link createSessionFromAdapter}. */
+interface IronSession {
+  /** Persist the session to the response cookie. */
+  save(): Promise<void>;
+  /** Clear the session cookie. */
+  destroy(): void;
+  /** Update session config at runtime. */
+  updateConfig(options: SessionOptions): void;
+  /** Arbitrary session data keys. */
+  [key: string]: unknown;
+}
+/** An adapter between the framework and the session cookie store. */
+interface SessionAdapter {
+  /** Read a cookie by name from the incoming request. */
+  getCookie(name: string): string | undefined;
+  /** Set a cookie on the outgoing response. */
+  setCookie(cookie: string): void;
+}
+/**
+ * Create a session from a framework adapter.
+ *
+ * Reads the session cookie (if present), hydrates the data, and
+ * returns a session object with {@link IronSession.save},
+ * {@link IronSession.destroy}, and {@link IronSession.updateConfig}.
+ *
+ * @example
+ * ```ts
+ * const session = await createSessionFromAdapter(adapter, {
+ *   password: "my-32-char-password...",
+ *   cookieName: "my-session",
+ * })
+ * session.userId = 42
+ * await session.save()
+ * ```
+ */
+declare function createSessionFromAdapter<T extends Record<string, unknown> = Record<string, unknown>>(adapter: SessionAdapter, options: SessionOptions): Promise<T & IronSession>;
+//#endregion
+export { createSessionFromAdapter as i, SessionAdapter as n, SessionOptions as r, IronSession as t };

package/dist/session-BGCQ1Z1Q.mjs

@@ -0,0 +1,87 @@
+import { n as sealData, r as unsealData, t as normalizePassword } from "./crypto-WcFV83Nz.mjs";
+import { t as PetaAuthError } from "./errors-DxJ-WUJL.mjs";
+import { serialize } from "cookie";
+//#region src/session.ts
+const TIMESTAMP_SKEW_SECONDS = 60;
+const DEFAULTS = {
+	timeToLive: 336 * 3600,
+	cookieOptions: {
+		httpOnly: true,
+		sameSite: "lax",
+		path: "/"
+	}
+};
+function computeMaxAge(timeToLive) {
+	if (timeToLive === 0) return 2147483647;
+	return timeToLive - TIMESTAMP_SKEW_SECONDS;
+}
+/** Check whether a session has any user data keys beyond the built-in methods. */
+function sessionHasData(session, key) {
+	if (key) return !!session[key];
+	return Object.keys(session).some((k) => k !== "save" && k !== "destroy" && k !== "updateConfig");
+}
+/** @internal */
+function resolveConfig(options) {
+	const timeToLive = options.timeToLive ?? DEFAULTS.timeToLive;
+	const cookieOptions = {
+		...DEFAULTS.cookieOptions,
+		secure: process.env.NODE_ENV !== "development",
+		...options.cookieOptions
+	};
+	if (!("maxAge" in (options.cookieOptions ?? {}))) cookieOptions.maxAge = computeMaxAge(timeToLive);
+	const passwordsMap = normalizePassword(options.password);
+	for (const secret of Object.values(passwordsMap)) if (secret.length < 32) throw new PetaAuthError("PASSWORD_TOO_SHORT", "peta-auth: password must be at least 32 characters");
+	return {
+		timeToLive,
+		cookieName: options.cookieName,
+		password: options.password,
+		cookieOptions
+	};
+}
+/**
+* Create a session from a framework adapter.
+*
+* Reads the session cookie (if present), hydrates the data, and
+* returns a session object with {@link IronSession.save},
+* {@link IronSession.destroy}, and {@link IronSession.updateConfig}.
+*
+* @example
+* ```ts
+* const session = await createSessionFromAdapter(adapter, {
+*   password: "my-32-char-password...",
+*   cookieName: "my-session",
+* })
+* session.userId = 42
+* await session.save()
+* ```
+*/
+async function createSessionFromAdapter(adapter, options) {
+	let config = resolveConfig(options);
+	const seal = adapter.getCookie(config.cookieName);
+	const session = seal ? await unsealData(seal, {
+		password: config.password,
+		ttl: config.timeToLive
+	}) : {};
+	session.save = async () => {
+		const s = await sealData(session, {
+			password: config.password,
+			ttl: config.timeToLive
+		});
+		const cookieValue = serialize(config.cookieName, s, config.cookieOptions);
+		if (cookieValue.length > 4096) throw new PetaAuthError("COOKIE_TOO_LARGE", `peta-auth: cookie too large (${cookieValue.length} bytes)`);
+		adapter.setCookie(cookieValue);
+	};
+	session.destroy = () => {
+		for (const key of Object.keys(session)) if (key !== "save" && key !== "destroy" && key !== "updateConfig") delete session[key];
+		adapter.setCookie(serialize(config.cookieName, "", {
+			...config.cookieOptions,
+			maxAge: 0
+		}));
+	};
+	session.updateConfig = (updatedOptions) => {
+		config = resolveConfig(updatedOptions);
+	};
+	return session;
+}
+//#endregion
+export { sessionHasData as n, createSessionFromAdapter as t };

package/dist/utils-CKT3C1Lq.mjs

@@ -0,0 +1,174 @@
+import { constantTimeEqual } from "./csrf.mjs";
+import { t as PetaAuthError } from "./errors-DxJ-WUJL.mjs";
+import { parse, serialize } from "cookie";
+//#region src/oauth/utils.ts
+const IS_DEVELOPMENT = process.env.NODE_ENV === "development";
+const OAUTH_COOKIE_MAX_AGE = 600;
+function encodeBase64Url(input) {
+	return btoa(String.fromCharCode(...input)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function getRandomBytes(size = 32) {
+	return crypto.getRandomValues(new Uint8Array(size));
+}
+function oauthCookieOptions(maxAge) {
+	return {
+		path: "/",
+		httpOnly: true,
+		sameSite: "lax",
+		secure: !IS_DEVELOPMENT,
+		maxAge
+	};
+}
+/**
+* Extract the OAuth redirect URL from a request.
+*/
+function getOAuthRedirectURL(request) {
+	const url = new URL(request.url);
+	return `${url.protocol}//${url.host}${url.pathname}`;
+}
+/**
+* Handle PKCE (Proof Key for Code Exchange) for OAuth flows.
+*
+* On the initial redirect leg it generates a code verifier + challenge.
+* On the callback leg it extracts the stored verifier from the cookie.
+*/
+async function handlePKCE(request) {
+	const code = new URL(request.url).searchParams.get("code");
+	const cookies = parse(request.headers.get("cookie") ?? "");
+	if (code) return { codeVerifier: cookies["peta-auth-pkce"] };
+	const verifier = encodeBase64Url(getRandomBytes(32));
+	const encoder = new TextEncoder();
+	return {
+		codeChallenge: encodeBase64Url(new Uint8Array(await crypto.subtle.digest("SHA-256", encoder.encode(verifier)))),
+		codeChallengeMethod: "S256",
+		setCookie: serialize("peta-auth-pkce", verifier, oauthCookieOptions(OAUTH_COOKIE_MAX_AGE))
+	};
+}
+/**
+* Handle OAuth state parameter for CSRF protection.
+*/
+function handleState(request) {
+	const queryState = new URL(request.url).searchParams.get("state");
+	const cookies = parse(request.headers.get("cookie") ?? "");
+	if (queryState) return {
+		state: queryState,
+		expectedState: cookies["peta-auth-state"]
+	};
+	const state = encodeBase64Url(getRandomBytes(8));
+	return {
+		state,
+		setCookie: serialize("peta-auth-state", state, oauthCookieOptions(OAUTH_COOKIE_MAX_AGE))
+	};
+}
+/**
+* Exchange an authorization code for an access token.
+*/
+async function requestAccessToken(url, options) {
+	const headers = {
+		"Content-Type": "application/x-www-form-urlencoded",
+		...options.headers
+	};
+	const bodyParams = options.body ?? options.params ?? {};
+	const body = new URLSearchParams();
+	for (const [key, value] of Object.entries(bodyParams)) if (value !== void 0) body.append(key, value);
+	const response = await fetch(url, {
+		method: "POST",
+		headers,
+		body: body.toString()
+	});
+	if (!response.ok) {
+		if (response.status === 401) return response.json();
+		throw new PetaAuthError("OAUTH_TOKEN_FAILED", `OAuth token request failed: ${response.status} ${response.statusText}`);
+	}
+	return response.json();
+}
+/**
+* Create a 302 redirect response, optionally with a cookie.
+*/
+function redirect(url, cookie) {
+	const headers = new Headers({ Location: url });
+	if (cookie) headers.append("Set-Cookie", cookie);
+	return new Response(null, {
+		status: 302,
+		headers
+	});
+}
+/**
+* Create a JSON error response with the given status code.
+*/
+function jsonError(error, status) {
+	return new Response(JSON.stringify({ error: error.message }), {
+		status,
+		headers: { "Content-Type": "application/json" }
+	});
+}
+/**
+* Handle missing OAuth configuration.
+*/
+function handleMissingConfiguration(provider, missingKeys, onError) {
+	const envVars = missingKeys.map((key) => `PETA_OAUTH_${provider.toUpperCase()}_${key.replace(/([A-Z])/g, "_$1").toUpperCase()}`);
+	const error = /* @__PURE__ */ new Error(`Missing ${envVars.join(" or ")} env ${missingKeys.length > 1 ? "variables" : "variable"}.`);
+	if (onError) return onError(error);
+	return jsonError(error, 500);
+}
+/**
+* Handle OAuth access token errors.
+*/
+function handleAccessTokenError(provider, errorData, onError) {
+	const message = `${provider} login failed: ${errorData.error_description || errorData.error || "Unknown error"}`;
+	const error = new Error(message);
+	if (onError) return onError(error);
+	return jsonError(error, 401);
+}
+/**
+* Define an OAuth event handler using a provider-specific config.
+*
+* Handles the shared OAuth flow (redirect, callback, token exchange, user fetch)
+* while delegating provider-specific behavior to the config callbacks.
+*/
+function defineOAuthHandler(provider, options) {
+	const { config: userConfig = {}, onSuccess, onError } = options;
+	return async (request) => {
+		const config = provider.resolveConfig(userConfig);
+		const url = new URL(request.url);
+		const queryCode = url.searchParams.get("code");
+		const queryError = url.searchParams.get("error");
+		const queryState = url.searchParams.get("state");
+		if (queryError) {
+			const error = /* @__PURE__ */ new Error(`${provider.name} login failed: ${queryError}`);
+			if (onError) return onError(error);
+			return jsonError(error, 401);
+		}
+		if (!config.clientId || !config.clientSecret) {
+			const missing = [];
+			if (!config.clientId) missing.push("clientId");
+			if (!config.clientSecret) missing.push("clientSecret");
+			return handleMissingConfiguration(provider.name, missing, onError);
+		}
+		const redirectURL = config.redirectURL || getOAuthRedirectURL(request);
+		const state = handleState(request);
+		const pkce = await handlePKCE(request);
+		if (!queryCode) {
+			const { url: authUrl, cookies } = provider.buildAuthUrl(config, redirectURL, state, pkce);
+			return redirect(authUrl, cookies);
+		}
+		if (!queryState || !state.expectedState || !constantTimeEqual(queryState, state.expectedState)) return handleInvalidState(provider.name, onError);
+		const tokens = await requestAccessToken(config.tokenURL, { body: provider.requestTokenBody(config, redirectURL, queryCode, pkce) });
+		if (tokens.error) return handleAccessTokenError(provider.name, tokens, onError);
+		return onSuccess({
+			user: await provider.fetchUser(config, tokens, request),
+			tokens,
+			request
+		});
+	};
+}
+/**
+* Handle OAuth state mismatch.
+*/
+function handleInvalidState(provider, onError) {
+	const error = /* @__PURE__ */ new Error(`${provider} login failed: state mismatch`);
+	if (onError) return onError(error);
+	return jsonError(error, 500);
+}
+//#endregion
+export { defineOAuthHandler as t };