# @resuely/astro-oidc-rp

Astro integration that injects OIDC login/callback/logout routes, a middleware that sets `Astro.locals.user`, and type augmentation.

## Install

```sh
npm install @resuely/astro-oidc-rp
```

## Usage (astro.config.mjs)

```js
import { defineConfig } from "astro/config";
import resuelyOidc from "@resuely/astro-oidc-rp";

export default defineConfig({
  integrations: [
    resuelyOidc({
      issuer: { env: "OIDC_ISSUER", fallback: "https://your-idp" },
      clientId: { env: "OIDC_CLIENT_ID" },
      cookie: { signingSecret: { env: "OIDC_SIGNING_SECRET" } },
      protected: ["/app/*", "/me"],
    }),
  ],
});
```

Injected routes (defaults):

- Login: `/login`
- Callback: `/oidc/callback`
- Logout: `/logout`
- Logout callback: `/logout/callback`

## Options

```ts
issuer: { env: string; fallback?: string }; // required
clientId: { env: string; fallback?: string }; // required
scopes?: string; // default: "openid email profile"
routes?: {
  login?: string;
  callback?: string;
  logout?: string;
  logoutCallback?: string;
};
redirectUri?: { mode: "infer-from-request" } | { absolute: string };
cookie: {
  name?: string;
  sameSite?: "Lax" | "Strict" | "None";
  secure?: boolean;
  domain?: string;
  path?: string;
  signingSecret: { env: string };
  maxAgeSec?: number;
};
protected?: string[]; // path patterns
```

## Types: Astro.locals

Enable type augmentation by referencing the package export:

Add to your `tsconfig.json`:

```json
{
  "compilerOptions": {
    "types": ["@resuely/astro-oidc-rp/astro-locals"]
  }
}
```

Then `Astro.locals.user` is typed as:

```ts
{ sub: string; email?: string } | null | undefined
```

## Security notes

- Always provide a strong `cookie.signingSecret`.
- Cookies are `Secure` by default; for local HTTP development you may need `cookie.secure: false`.
- The init cookie used during login is short-lived (5 minutes) and set `HttpOnly` + `SameSite=Lax`.

## Build & Publish

Build:

```sh
npm run build
```

Publish:

```sh
npm publish --access public
```

## License

MIT
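
## Example: consuming `Astro.locals.user` in an endpoint

Because `Astro.locals.user` is typed `{ sub: string; email?: string } | null | undefined`, a handler has to treat every non-user value as unauthenticated and still decide which objects that `sub` may read. The sketch below is an added example, not code from this package; the endpoint path, the `NOTES` data and the helper names `currentUser` and `authorizeNotes` are hypothetical.

```javascript
// Added example, not part of @resuely/astro-oidc-rp.
// Assumption: the integration's middleware has already set `locals.user`
// to `{ sub, email? }`, `null`, or left it `undefined`.

// Fail closed: anything other than an object with a non-empty string `sub`
// is treated as "not signed in" (covers null, undefined, malformed values).
function currentUser(locals) {
  const user = locals ? locals.user : undefined;
  if (user === null || typeof user !== "object") return null;
  if (typeof user.sub !== "string" || user.sub.length === 0) return null;
  return user;
}

// Constructed sample data, keyed by the owner's `sub`.
const NOTES = new Map([
  ["user-123", ["rotate signing secret"]],
  ["user-456", ["review protected paths"]],
]);

// Pure decision function so the authorization logic is testable without HTTP.
function authorizeNotes(locals, ownerSub) {
  const user = currentUser(locals);
  if (!user) return { status: 401, body: { error: "unauthenticated" } };
  // Object-level check: a signed-in user may only read their own notes.
  if (user.sub !== ownerSub) return { status: 403, body: { error: "forbidden" } };
  return { status: 200, body: { notes: NOTES.get(ownerSub) ?? [] } };
}

// Astro endpoint handler. In a hypothetical src/pages/api/notes/[owner].js
// this would be exported as `GET`.
function GET({ locals, params }) {
  const { status, body } = authorizeNotes(locals, params.owner);
  return new Response(JSON.stringify(body), {
    status,
    headers: { "content-type": "application/json", "cache-control": "no-store" },
  });
}
```

A signed-in session identifies the caller; the `403` branch is what keeps one `sub` from reading another's data.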