1.1.1

README.md

@@ -4,54 +4,97 @@ Astro integration that injects OIDC login/callback/logout routes, a middleware t
 
 ## Install
 
+```sh
 npm install @resuely/astro-oidc-rp
+```
 
 ## Usage (astro.config.mjs)
 
+```js
 import { defineConfig } from "astro/config";
 import resuelyOidc from "@resuely/astro-oidc-rp";
 
 export default defineConfig({
   integrations: [
     resuelyOidc({
-      issuer: "https://your-idp",
-      clientId: "YOUR_CLIENT_ID",
-      cookie: { signingSecret: process.env.OIDC_SIGNING_SECRET! },
+      issuer: { env: "OIDC_ISSUER", fallback: "https://your-idp" },
+      clientId: { env: "OIDC_CLIENT_ID" },
+      cookie: { signingSecret: { env: "OIDC_SIGNING_SECRET" } },
       protected: ["/app/*", "/me"],
     }),
   ],
 });
+```
 
-- Injected routes:
-  - Login: /login
-  - Callback: /oidc/callback
-  - Logout: /logout
+Injected routes (defaults):
+
+- Login: `/login`
+- Callback: `/oidc/callback`
+- Logout: `/logout`
+- Logout callback: `/logout/callback`
 
 ## Options
-- issuer: string (required)
-- clientId: string (required)
-- scopes?: string (default: "openid email profile")
-- routes?: { login?: string; callback?: string; logout?: string }
-- redirectUri?: { mode: "infer-from-request" } | { absolute: string }
-- cookie?: { name?: string; sameSite?: "Lax"|"Strict"|"None"; secure?: boolean; domain?: string; path?: string; signingSecret: string; maxAgeSec?: number }
-- protected?: string[] patterns
+
+```ts
+issuer: { env: string; fallback?: string }; // required
+clientId: { env: string; fallback?: string }; // required
+scopes?: string; // default: "openid email profile"
+routes?: {
+  login?: string;
+  callback?: string;
+  logout?: string;
+  logoutCallback?: string;
+};
+redirectUri?: { mode: "infer-from-request" } | { absolute: string };
+cookie: {
+  name?: string;
+  sameSite?: "Lax" | "Strict" | "None";
+  secure?: boolean;
+  domain?: string;
+  path?: string;
+  signingSecret: { env: string };
+  maxAgeSec?: number;
+};
+protected?: string[]; // path patterns
+```
 
 ## Types: Astro.locals
 Enable type augmentation by referencing the package export:
 
-- Add to your tsconfig.json: { "compilerOptions": { "types": ["@resuely/astro-oidc-rp/astro-locals"] } }
+Add to your `tsconfig.json`:
 
-Then `locals.user` is typed as `{ sub: string; email?: string } | null | undefined`.
+```json
+{
+  "compilerOptions": {
+    "types": ["@resuely/astro-oidc-rp/astro-locals"]
+  }
+}
+```
+
+Then `Astro.locals.user` is typed as:
+
+```ts
+{ sub: string; email?: string } | null | undefined
+```
 
 ## Security notes
 - Always provide a strong `cookie.signingSecret`.
-- In production, cookies are `Secure` by default.
+- Cookies are `Secure` by default; for local HTTP development you may need `cookie.secure: false`.
 - The init cookie used during login is short-lived (5 minutes) and set `HttpOnly` + `SameSite=Lax`.
 
 ## Build & Publish
 
-- Build: npm run build
-- Publish to npm: npm publish --access public
+Build:
+
+```sh
+npm run build
+```
+
+Publish:
+
+```sh
+npm publish --access public
+```
 
 ## License
 MIT

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "@resuely/astro-oidc-rp",
-  "version": "0.1.0",
+  "version": "1.1.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@resuely/astro-oidc-rp",
-      "version": "0.1.0",
+      "version": "1.1.1",
       "license": "MIT",
       "dependencies": {
         "jose": "^5.0.0"

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@resuely/astro-oidc-rp",
-  "version": "1.0.0",
+  "version": "1.1.1",
   "description": "Astro integration providing OIDC relying-party routes, middleware, and types.",
   "type": "module",
   "main": "dist/index.js",
@@ -26,8 +26,8 @@
     "typescript": "^5.0.0"
   },
   "scripts": {
-    "build": "tsup src/index.ts src/runtime.ts src/middleware.ts src/routes/login.ts src/routes/callback.ts src/routes/logout.ts src/lib/*.ts --dts --format esm --clean --sourcemap --out-dir dist",
-    "dev": "tsup --watch src/index.ts src/runtime.ts src/middleware.ts src/routes/login.ts src/routes/callback.ts src/routes/logout.ts src/lib/*.ts --dts --format esm --out-dir dist",
+    "build": "tsup",
+    "dev": "tsup --watch",
     "postbuild": "mkdir -p dist/types && cp -R types/*.d.ts dist/types/ || true",
     "prepublishOnly": "npm run build"
   },

src/index.ts

@@ -1,66 +1,94 @@
 import type { AstroIntegration } from "astro";
 import { fileURLToPath } from "node:url";
 
+export type EnvString = {
+  env: string;
+  fallback?: string;
+};
+
+export type RequiredSecret = {
+  env: string;
+};
+
 export type OidcIntegrationOptions = {
-  issuer: string;
-  clientId: string;
+  issuer: EnvString;
+  clientId: EnvString;
   scopes?: string; // default "openid email profile"
-  routes?: { login?: string; callback?: string; logout?: string }; // defaults: /login, /oidc/callback, /logout
+  routes?: {
+    login?: string;
+    callback?: string;
+    logout?: string;
+    logoutCallback?: string;
+  }; // defaults: /login, /oidc/callback, /logout, /logout/callback
   redirectUri?: { mode: "infer-from-request" } | { absolute: string };
-  cookie?: {
+  cookie: {
     name?: string;
     sameSite?: "Lax" | "Strict" | "None";
     secure?: boolean;
     domain?: string;
     path?: string;
-    signingSecret: string;
+    signingSecret: RequiredSecret;
     maxAgeSec?: number;
   };
   protected?: string[]; // patterns to guard, e.g., ["/app/*", "/me"]
 };
 
-export type OidcResolvedOptions = Required<
-  Pick<OidcIntegrationOptions, "issuer" | "clientId">
-> & {
+export type OidcInjectedOptions = {
+  issuerEnv: string;
+  issuerFallback?: string;
+  clientIdEnv: string;
+  clientIdFallback?: string;
   scopes: string;
-  routes: { login: string; callback: string; logout: string };
+  routes: { login: string; callback: string; logout: string; logoutCallback: string };
   redirectUri: { mode: "infer-from-request" } | { absolute: string };
-  cookie: Required<
-    Pick<
-      NonNullable<OidcIntegrationOptions["cookie"]>,
-      "name" | "sameSite" | "secure" | "path" | "signingSecret"
-    >
-  > & {
+  cookie: {
+    name: string;
+    sameSite: "Lax" | "Strict" | "None";
+    secure: boolean;
+    path: string;
+    signingSecretEnv: string;
     domain?: string;
     maxAgeSec?: number;
   };
   protected: string[];
 };
 
-function resolveOptions(user: OidcIntegrationOptions): OidcResolvedOptions {
+function requireEnvName(name: string, label: string): string {
+  if (typeof name !== "string" || name.trim().length === 0)
+    throw new Error(`@resuely/astro-oidc-rp: ${label} must be a non-empty string`);
+  return name;
+}
+
+function resolveOptions(user: OidcIntegrationOptions): OidcInjectedOptions {
   const routes = {
     login: user.routes?.login ?? "/login",
     callback: user.routes?.callback ?? "/oidc/callback",
     logout: user.routes?.logout ?? "/logout",
+    logoutCallback:
+      user.routes?.logoutCallback ?? `${user.routes?.logout ?? "/logout"}/callback`,
   };
   const cookie = {
     name: user.cookie?.name ?? "oidc_session",
     sameSite: user.cookie?.sameSite ?? "Lax",
     secure: user.cookie?.secure ?? true,
     path: user.cookie?.path ?? "/",
-    signingSecret: user.cookie?.signingSecret ?? "",
+    signingSecretEnv: requireEnvName(
+      user.cookie?.signingSecret?.env,
+      "cookie.signingSecret.env",
+    ),
     domain: user.cookie?.domain,
     maxAgeSec: user.cookie?.maxAgeSec,
   };
-  if (!user.issuer)
-    throw new Error("@resuely/astro-oidc-rp: 'issuer' is required");
-  if (!user.clientId)
-    throw new Error("@resuely/astro-oidc-rp: 'clientId' is required");
-  if (!cookie.signingSecret)
-    throw new Error("@resuely/astro-oidc-rp: cookie.signingSecret is required");
+
   return {
-    issuer: user.issuer,
-    clientId: user.clientId,
+    issuerEnv: requireEnvName(user.issuer.env, "issuer.env"),
+    issuerFallback:
+      typeof user.issuer.fallback === "string" ? user.issuer.fallback : undefined,
+    clientIdEnv: requireEnvName(user.clientId.env, "clientId.env"),
+    clientIdFallback:
+      typeof user.clientId.fallback === "string"
+        ? user.clientId.fallback
+        : undefined,
     scopes: user.scopes ?? "openid email profile",
     routes,
     redirectUri: user.redirectUri ?? { mode: "infer-from-request" },
@@ -105,8 +133,11 @@ export default function resuelyOidc(
           pattern: resolved.routes.logout,
           entrypoint: fileURLToPath(new URL("./routes/logout.js", import.meta.url)),
         });
+        injectRoute({
+          pattern: resolved.routes.logoutCallback,
+          entrypoint: fileURLToPath(new URL("./routes/logout.js", import.meta.url)),
+        });
       },
     },
   };
 }
-

src/lib/sign.ts

@@ -40,7 +40,7 @@ export async function signPayload(
   return `${payloadB64u}.${sigB64u}`;
 }
 
-export async function verifyAndDecode<T = any>(
+export async function verifyAndDecode<T = unknown>(
   token: string,
   secret: string,
 ): Promise<{ valid: boolean; payload?: T }> {

src/middleware.ts

@@ -1,5 +1,5 @@
 import type { MiddlewareHandler } from "astro";
-import { options } from "./runtime.js";
+import { getOptions } from "./runtime.js";
 import { verifyAndDecode } from "./lib/sign.js";
 
 function parseCookies(cookieHeader: string | null): Record<string, string> {
@@ -21,6 +21,11 @@ function escapeRegex(str: string): string {
 }
 
 function globToRegExp(pattern: string): RegExp {
+  if (pattern.endsWith("/*")) {
+    const base = pattern.slice(0, -2);
+    const baseEscaped = escapeRegex(base);
+    return new RegExp(`^${baseEscaped}(?:/.*)?$`);
+  }
   const escaped = pattern.split("*").map(escapeRegex).join(".*");
   return new RegExp(`^${escaped}$`);
 }
@@ -31,18 +36,24 @@ function isProtected(pathname: string, patterns: string[]): boolean {
 
 export const onRequest: MiddlewareHandler = async (context, next) => {
   const { request, locals, url } = context;
+  const options = getOptions();
   const cookieName = options.cookie.name;
   const cookies = parseCookies(request.headers.get("cookie"));
   const token = cookies[cookieName];
 
   locals.user = null;
   if (token) {
-    const res = await verifyAndDecode<{ sub: string; email?: string }>(
-      token,
-      options.cookie.signingSecret,
-    );
+    const res = await verifyAndDecode<{
+      sub: string;
+      email?: string;
+      firstName?: string;
+    }>(token, options.cookie.signingSecret);
     if (res.valid && res.payload && typeof res.payload.sub === "string") {
-      locals.user = { sub: res.payload.sub, email: res.payload.email };
+      locals.user = {
+        sub: res.payload.sub,
+        email: res.payload.email,
+        firstName: res.payload.firstName,
+      };
     }
   }
 

src/routes/callback.ts

@@ -1,9 +1,16 @@
 import type { APIContext } from "astro";
-import { options } from "../runtime.js";
+import { getOptions } from "../runtime.js";
 import { clearCookie, serializeCookie } from "../lib/cookies.js";
 import { signPayload } from "../lib/sign.js";
 import { createRemoteJWKSet, jwtVerify } from "jose";
 
+type InitCookie = {
+  state: string;
+  nonce: string;
+  verifier: string;
+  returnTo?: string;
+};
+
 async function discover(issuer: string) {
   const res = await fetch(
     new URL("/.well-known/openid-configuration", issuer).toString(),
@@ -15,13 +22,66 @@ async function discover(issuer: string) {
   };
 }
 
-function inferRedirectUri(reqUrl: URL): string {
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null;
+}
+
+function escapeRegex(str: string): string {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+function parseInitCookie(
+  cookieHeader: string,
+  initCookieName: string,
+): InitCookie | null {
+  const match = cookieHeader.match(
+    new RegExp(`${escapeRegex(initCookieName)}=([^;]+)`),
+  );
+  const raw = match?.[1];
+  if (!raw) return null;
+  let decoded: string;
+  try {
+    decoded = decodeURIComponent(raw);
+  } catch {
+    return null;
+  }
+
+  let parsed: unknown;
+  try {
+    parsed = JSON.parse(decoded);
+  } catch {
+    return null;
+  }
+
+  if (!isRecord(parsed)) return null;
+  if (
+    typeof parsed.state !== "string" ||
+    typeof parsed.nonce !== "string" ||
+    typeof parsed.verifier !== "string"
+  ) {
+    return null;
+  }
+
+  const returnTo = typeof parsed.returnTo === "string" ? parsed.returnTo : undefined;
+  return {
+    state: parsed.state,
+    nonce: parsed.nonce,
+    verifier: parsed.verifier,
+    returnTo,
+  };
+}
+
+function inferRedirectUri(
+  options: ReturnType<typeof getOptions>,
+  reqUrl: URL,
+): string {
   if ("absolute" in options.redirectUri) return options.redirectUri.absolute;
   const u = new URL(options.routes.callback, reqUrl);
   return u.toString();
 }
 
 export async function GET(ctx: APIContext) {
+  const options = getOptions();
   const { url, request } = ctx;
   const code = url.searchParams.get("code");
   const state = url.searchParams.get("state");
@@ -31,20 +91,12 @@ export async function GET(ctx: APIContext) {
 
   const initCookieName = `${options.cookie.name}_init`;
   const cookieHeader = request.headers.get("cookie") || "";
-  const init = (() => {
-    const match = cookieHeader.match(new RegExp(`${initCookieName}=([^;]+)`));
-    if (!match) return null as any;
-    try {
-      return JSON.parse(decodeURIComponent(match[1]));
-    } catch {
-      return null as any;
-    }
-  })();
+  const init = parseInitCookie(cookieHeader, initCookieName);
 
   if (!init || init.state !== state)
     return new Response("Invalid state", { status: 400 });
 
-  const redirectUri = inferRedirectUri(url);
+  const redirectUri = inferRedirectUri(options, url);
   const disco = await discover(options.issuer);
 
   const form = new URLSearchParams({
@@ -62,8 +114,11 @@ export async function GET(ctx: APIContext) {
   });
   if (!tokenRes.ok)
     return new Response("Token exchange failed", { status: 400 });
-  const token = await tokenRes.json();
-  const idToken = token.id_token as string | undefined;
+  const tokenJson: unknown = await tokenRes.json();
+  const idToken =
+    isRecord(tokenJson) && typeof tokenJson.id_token === "string"
+      ? tokenJson.id_token
+      : undefined;
   if (!idToken) return new Response("Missing id_token", { status: 400 });
 
   const jwks = createRemoteJWKSet(new URL(disco.jwks_uri));
@@ -72,9 +127,13 @@ export async function GET(ctx: APIContext) {
     audience: options.clientId,
   });
 
+  const givenName =
+    typeof payload["given_name"] === "string" ? payload["given_name"] : undefined;
+
   const session = {
     sub: String(payload.sub),
     email: typeof payload.email === "string" ? payload.email : undefined,
+    firstName: givenName,
   };
   const signed = await signPayload(session, options.cookie.signingSecret);
 
@@ -91,7 +150,7 @@ export async function GET(ctx: APIContext) {
     domain: options.cookie.domain,
   });
 
-  const returnTo = typeof init.return_to === "string" ? init.return_to : "/";
+  const returnTo = typeof init.returnTo === "string" ? init.returnTo : "/";
   const location = new URL(returnTo, url).toString();
 
   const headers = new Headers();

src/routes/login.ts

@@ -1,5 +1,5 @@
 import type { APIContext } from "astro";
-import { options } from "../runtime.js";
+import { getOptions } from "../runtime.js";
 import {
   generateCodeVerifier,
   codeChallengeS256,
@@ -18,13 +18,17 @@ async function discover(issuer: string) {
   };
 }
 
-function inferRedirectUri(reqUrl: URL): string {
+function inferRedirectUri(
+  options: ReturnType<typeof getOptions>,
+  reqUrl: URL,
+): string {
   if ("absolute" in options.redirectUri) return options.redirectUri.absolute;
   const u = new URL(options.routes.callback, reqUrl);
   return u.toString();
 }
 
 export async function GET(ctx: APIContext) {
+  const options = getOptions();
   const { url } = ctx;
   const verifier = generateCodeVerifier();
   const challenge = await codeChallengeS256(verifier);
@@ -37,7 +41,7 @@ export async function GET(ctx: APIContext) {
     state,
     nonce,
     verifier,
-    return_to: returnTo,
+    returnTo,
   });
   const initCookieName = `${options.cookie.name}_init`;
   const cookie = serializeCookie(initCookieName, initPayload, {
@@ -50,7 +54,7 @@ export async function GET(ctx: APIContext) {
   });
 
   const disco = await discover(options.issuer);
-  const redirectUri = inferRedirectUri(url);
+  const redirectUri = inferRedirectUri(options, url);
   const authorize = new URL(disco.authorization_endpoint);
   authorize.searchParams.set("client_id", options.clientId);
   authorize.searchParams.set("redirect_uri", redirectUri);

src/routes/logout.ts

@@ -1,6 +1,7 @@
 import type { APIContext } from "astro";
-import { options } from "../runtime.js";
-import { clearCookie } from "../lib/cookies.js";
+import { getOptions } from "../runtime.js";
+import { clearCookie, serializeCookie } from "../lib/cookies.js";
+import { generateState } from "../lib/pkce.js";
 
 async function discover(issuer: string) {
   const res = await fetch(
@@ -12,34 +13,173 @@ async function discover(issuer: string) {
   };
 }
 
-function inferPostLogoutRedirectUri(reqUrl: URL): string {
-  if ("absolute" in options.redirectUri) return options.redirectUri.absolute;
-  // Default to site root
-  const u = new URL("/", reqUrl);
+type LogoutCookie = {
+  state: string;
+  returnTo?: string;
+};
+
+function parseCookies(cookieHeader: string | null): Record<string, string> {
+  const out: Record<string, string> = {};
+  if (!cookieHeader) return out;
+  for (const part of cookieHeader.split(/;\s*/)) {
+    const idx = part.indexOf("=");
+    if (idx === -1) continue;
+    const name = decodeURIComponent(part.slice(0, idx));
+    const val = decodeURIComponent(part.slice(idx + 1));
+    out[name] = val;
+  }
+  return out;
+}
+
+function safeReturnTo(reqUrl: URL, returnTo: string | undefined): string {
+  if (!returnTo) return "/";
+  try {
+    const target = new URL(returnTo, reqUrl);
+    if (target.origin !== reqUrl.origin) return "/";
+    return target.toString();
+  } catch {
+    return "/";
+  }
+}
+
+function escapeRegex(str: string): string {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+function globToRegExp(pattern: string): RegExp {
+  if (pattern.endsWith("/*")) {
+    const base = pattern.slice(0, -2);
+    const baseEscaped = escapeRegex(base);
+    return new RegExp(`^${baseEscaped}(?:/.*)?$`);
+  }
+  const escaped = pattern.split("*").map(escapeRegex).join(".*");
+  return new RegExp(`^${escaped}$`);
+}
+
+function isProtected(pathname: string, patterns: string[]): boolean {
+  return patterns.some((p) => globToRegExp(p).test(pathname));
+}
+
+function finalizePostLogoutReturnTo(
+  options: ReturnType<typeof getOptions>,
+  reqUrl: URL,
+  returnTo: string | undefined,
+): string {
+  const safe = safeReturnTo(reqUrl, returnTo);
+  try {
+    const u = new URL(safe, reqUrl);
+    if (isProtected(u.pathname, options.protected)) return new URL("/", reqUrl).toString();
+    return u.toString();
+  } catch {
+    return new URL("/", reqUrl).toString();
+  }
+}
+
+function inferPostLogoutRedirectUri(
+  options: ReturnType<typeof getOptions>,
+  reqUrl: URL,
+): string {
+  const u = new URL(options.routes.logoutCallback, reqUrl);
   return u.toString();
 }
 
+function parseLogoutCookie(raw: string): LogoutCookie | null {
+  let decoded: string;
+  try {
+    decoded = decodeURIComponent(raw);
+  } catch {
+    return null;
+  }
+
+  let parsed: unknown;
+  try {
+    parsed = JSON.parse(decoded);
+  } catch {
+    return null;
+  }
+
+  if (!parsed || typeof parsed !== "object") return null;
+  if (!("state" in parsed) || typeof parsed.state !== "string") return null;
+  const returnTo =
+    "returnTo" in parsed && typeof parsed.returnTo === "string"
+      ? parsed.returnTo
+      : undefined;
+  return { state: parsed.state, returnTo };
+}
+
 export async function GET(ctx: APIContext) {
+  const options = getOptions();
   const { url } = ctx;
+
+  const isCallback = url.pathname === options.routes.logoutCallback;
+  const logoutCookieName = `${options.cookie.name}_logout`;
+
+  if (isCallback) {
+    const state = url.searchParams.get("state") || "";
+    const cookies = parseCookies(ctx.request.headers.get("cookie"));
+    const cookie = cookies[logoutCookieName];
+    const parsed = cookie ? parseLogoutCookie(cookie) : null;
+
+    const ok = parsed && parsed.state === state;
+    const location = ok
+      ? finalizePostLogoutReturnTo(options, url, parsed.returnTo)
+      : "/";
+
+    const headers = new Headers();
+    headers.set("Location", location);
+    headers.append(
+      "Set-Cookie",
+      clearCookie(options.cookie.name, {
+        path: options.cookie.path,
+        domain: options.cookie.domain,
+      }),
+    );
+    headers.append(
+      "Set-Cookie",
+      clearCookie(logoutCookieName, {
+        path: options.cookie.path,
+        domain: options.cookie.domain,
+      }),
+    );
+
+    return new Response(null, { status: 303, headers });
+  }
+
   const disco = await discover(options.issuer);
   const endSession =
     disco.end_session_endpoint || new URL("/logout", options.issuer).toString();
 
-  const postLogout = inferPostLogoutRedirectUri(url);
+  const state = generateState();
+  const returnTo = finalizePostLogoutReturnTo(
+    options,
+    url,
+    url.searchParams.get("return_to") || undefined,
+  );
+  const cookieValue = JSON.stringify({ state, returnTo });
+  const setLogout = serializeCookie(logoutCookieName, cookieValue, {
+    path: options.cookie.path,
+    domain: options.cookie.domain,
+    sameSite: "Lax",
+    secure: options.cookie.secure,
+    httpOnly: true,
+    maxAge: 5 * 60,
+  });
+
+  const postLogout = inferPostLogoutRedirectUri(options, url);
   const redirect = new URL(endSession);
   redirect.searchParams.set("client_id", options.clientId);
   redirect.searchParams.set("post_logout_redirect_uri", postLogout);
+  redirect.searchParams.set("state", state);
 
   const clear = clearCookie(options.cookie.name, {
     path: options.cookie.path,
     domain: options.cookie.domain,
   });
 
-  return new Response(null, {
-    status: 303,
-    headers: {
-      Location: redirect.toString(),
-      "Set-Cookie": clear,
-    },
-  });
+  const headers = new Headers();
+  headers.set("Location", redirect.toString());
+  headers.append("Set-Cookie", clear);
+  headers.append("Set-Cookie", setLogout);
+
+  return new Response(null, { status: 303, headers });
 }

src/runtime.ts

@@ -1,11 +1,86 @@
-import type { OidcResolvedOptions } from "./index.js";
+import type { OidcInjectedOptions } from "./index.js";
+import { getSecret } from "astro:env/server";
 
 // This constant is provided via Vite define by the integration during astro:config:setup
 // eslint-disable-next-line @typescript-eslint/no-unused-vars
-declare const __RESUELY_OIDC_OPTIONS: OidcResolvedOptions;
+declare const __RESUELY_OIDC_OPTIONS: OidcInjectedOptions;
 
-export const options: OidcResolvedOptions = (
-  typeof __RESUELY_OIDC_OPTIONS !== "undefined"
-    ? __RESUELY_OIDC_OPTIONS
-    : (undefined as any)
-) as OidcResolvedOptions;
+export type OidcRuntimeOptions = {
+  issuer: string;
+  clientId: string;
+  scopes: string;
+  routes: { login: string; callback: string; logout: string; logoutCallback: string };
+  redirectUri: { mode: "infer-from-request" } | { absolute: string };
+  cookie: {
+    name: string;
+    sameSite: "Lax" | "Strict" | "None";
+    secure: boolean;
+    domain?: string;
+    path: string;
+    signingSecret: string;
+    maxAgeSec?: number;
+  };
+  protected: string[];
+};
+
+function getInjected(): OidcInjectedOptions {
+  if (typeof __RESUELY_OIDC_OPTIONS === "undefined") {
+    throw new Error(
+      "@resuely/astro-oidc-rp: missing injected options; is the integration configured?",
+    );
+  }
+  return __RESUELY_OIDC_OPTIONS;
+}
+
+function readEnv(name: string): string | undefined {
+  const v = getSecret(name);
+  if (typeof v !== "string") return undefined;
+  if (v.trim().length === 0) return undefined;
+  return v;
+}
+
+function requireEnv(name: string): string {
+  const v = readEnv(name);
+  if (typeof v === "string") return v;
+  throw new Error(`@resuely/astro-oidc-rp: missing env var ${name}`);
+}
+
+let cached: OidcRuntimeOptions | null = null;
+
+export function getOptions(): OidcRuntimeOptions {
+  if (cached) return cached;
+
+  const injected = getInjected();
+
+  const issuer = readEnv(injected.issuerEnv) ?? injected.issuerFallback;
+  if (!issuer)
+    throw new Error(
+      `@resuely/astro-oidc-rp: missing env var ${injected.issuerEnv}`,
+    );
+
+  const clientId = readEnv(injected.clientIdEnv) ?? injected.clientIdFallback;
+  if (!clientId)
+    throw new Error(
+      `@resuely/astro-oidc-rp: missing env var ${injected.clientIdEnv}`,
+    );
+
+  cached = {
+    issuer,
+    clientId,
+    scopes: injected.scopes,
+    routes: injected.routes,
+    redirectUri: injected.redirectUri,
+    cookie: {
+      name: injected.cookie.name,
+      sameSite: injected.cookie.sameSite,
+      secure: injected.cookie.secure,
+      domain: injected.cookie.domain,
+      path: injected.cookie.path,
+      signingSecret: requireEnv(injected.cookie.signingSecretEnv),
+      maxAgeSec: injected.cookie.maxAgeSec,
+    },
+    protected: injected.protected,
+  };
+
+  return cached;
+}

tsconfig.json

@@ -12,7 +12,7 @@
     "sourceMap": true,
     "outDir": "dist",
     "lib": ["ES2020", "DOM"],
-    "types": ["node"]
+    "types": ["node", "astro/client"]
   },
   "include": ["src", "types"],
   "exclude": ["dist", "node_modules"]

tsup.config.ts

@@ -0,0 +1,21 @@
+import { defineConfig } from "tsup";
+
+export default defineConfig({
+  entry: [
+    "src/index.ts",
+    "src/runtime.ts",
+    "src/middleware.ts",
+    "src/routes/login.ts",
+    "src/routes/callback.ts",
+    "src/routes/logout.ts",
+    "src/lib/cookies.ts",
+    "src/lib/pkce.ts",
+    "src/lib/sign.ts",
+  ],
+  format: ["esm"],
+  dts: true,
+  sourcemap: true,
+  clean: true,
+  outDir: "dist",
+  external: ["astro:env/server"],
+});

types/astro.locals.d.ts

@@ -1,7 +1,7 @@
 declare global {
   namespace App {
     interface Locals {
-      user?: { sub: string; email?: string } | null;
+      user?: { sub: string; email?: string; firstName?: string } | null;
     }
   }
 }