first commit

README.md

@@ -0,0 +1,57 @@
+# @resuely/astro-oidc-rp
+
+Astro integration that injects OIDC login/callback/logout routes, a middleware that sets `Astro.locals.user`, and type augmentation.
+
+## Install
+
+npm install @resuely/astro-oidc-rp
+
+## Usage (astro.config.mjs)
+
+import { defineConfig } from "astro/config";
+import resuelyOidc from "@resuely/astro-oidc-rp";
+
+export default defineConfig({
+  integrations: [
+    resuelyOidc({
+      issuer: "https://your-idp",
+      clientId: "YOUR_CLIENT_ID",
+      cookie: { signingSecret: process.env.OIDC_SIGNING_SECRET! },
+      protected: ["/app/*", "/me"],
+    }),
+  ],
+});
+
+- Injected routes:
+  - Login: /login
+  - Callback: /oidc/callback
+  - Logout: /logout
+
+## Options
+- issuer: string (required)
+- clientId: string (required)
+- scopes?: string (default: "openid email profile")
+- routes?: { login?: string; callback?: string; logout?: string }
+- redirectUri?: { mode: "infer-from-request" } | { absolute: string }
+- cookie?: { name?: string; sameSite?: "Lax"|"Strict"|"None"; secure?: boolean; domain?: string; path?: string; signingSecret: string; maxAgeSec?: number }
+- protected?: string[] patterns
+
+## Types: Astro.locals
+Enable type augmentation by referencing the package export:
+
+- Add to your tsconfig.json: { "compilerOptions": { "types": ["@resuely/astro-oidc-rp/astro-locals"] } }
+
+Then `locals.user` is typed as `{ sub: string; email?: string } | null | undefined`.
+
+## Security notes
+- Always provide a strong `cookie.signingSecret`.
+- In production, cookies are `Secure` by default.
+- The init cookie used during login is short-lived (5 minutes) and set `HttpOnly` + `SameSite=Lax`.
+
+## Build & Publish
+
+- Build: npm run build
+- Publish to npm: npm publish --access public
+
+## License
+MIT