# @resuely/astro-oidc-rp

Astro integration that injects OIDC login/callback/logout routes, a middleware that sets `Astro.locals.user`, and type augmentation.

## Install

```sh
npm install @resuely/astro-oidc-rp
```

## Usage (astro.config.mjs)

```js
import { defineConfig } from "astro/config";
import resuelyOidc from "@resuely/astro-oidc-rp";

export default defineConfig({
  integrations: [
    resuelyOidc({
      issuer: "https://your-idp",
      clientId: "YOUR_CLIENT_ID",
      // Read the cookie signing secret from the environment; never hard-code it.
      cookie: { signingSecret: process.env.OIDC_SIGNING_SECRET },
      // Paths that require a logged-in user.
      protected: ["/app/*", "/me"],
    }),
  ],
});
```

- Injected routes:
  - Login: /login
  - Callback: /oidc/callback
  - Logout: /logout

## Options

- issuer: string (required)
- clientId: string (required)
- scopes?: string (default: "openid email profile")
- routes?: { login?: string; callback?: string; logout?: string }
- redirectUri?: { mode: "infer-from-request" } | { absolute: string }
- cookie?: { name?: string; sameSite?: "Lax"|"Strict"|"None"; secure?: boolean; domain?: string; path?: string; signingSecret: string; maxAgeSec?: number }
- protected?: string[] patterns

## Types: Astro.locals

Enable type augmentation by referencing the package export:

- Add to your tsconfig.json:

  ```json
  { "compilerOptions": { "types": ["@resuely/astro-oidc-rp/astro-locals"] } }
  ```

Then `locals.user` is typed as `{ sub: string; email?: string } | null | undefined`.

## Security notes

- Always provide a strong `cookie.signingSecret`.
- In production, cookies are `Secure` by default.
- The init cookie used during login is short-lived (5 minutes) and set `HttpOnly` + `SameSite=Lax`.

## Build & Publish

- Build: npm run build
- Publish to npm: npm publish --access public

## License

MIT
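On the `cookie.signingSecret` advice under Security notes: the following startup guard is an added example, not code from this package. The function names, the 32-character and 128-bit thresholds, and the placeholder word list are assumptions chosen for illustration; the package does not document a minimum.

```javascript
// Generate the secret once with Node's built-in crypto module, for example:
//   node -e "console.log(require('crypto').randomBytes(32).toString('base64url'))"

// Assumed policy (not from the package docs): at least 32 characters and
// about 128 bits of estimated entropy.
const MIN_LENGTH = 32;
const MIN_ENTROPY_BITS = 128;
const PLACEHOLDERS = ["changeme", "secret", "password", "your_", "example"];

// Shannon entropy of the character distribution, times the length.
// A heuristic: it flags repeated or low-variety strings, it cannot prove randomness.
function estimateEntropyBits(value) {
  const counts = new Map();
  for (const ch of value) counts.set(ch, (counts.get(ch) || 0) + 1);
  const n = [...value].length;
  let perChar = 0;
  for (const c of counts.values()) {
    const p = c / n;
    perChar -= p * Math.log2(p);
  }
  return perChar * n;
}

// Returns a list of problems; an empty list means the secret passed.
function checkSigningSecret(secret) {
  if (typeof secret !== "string" || secret.length === 0) {
    return ["OIDC_SIGNING_SECRET is not set"];
  }
  const problems = [];
  if (secret.length < MIN_LENGTH) problems.push(`shorter than ${MIN_LENGTH} characters`);
  const lower = secret.toLowerCase();
  if (PLACEHOLDERS.some((p) => lower.includes(p))) problems.push("contains a placeholder word");
  if (estimateEntropyBits(secret) < MIN_ENTROPY_BITS) problems.push("low estimated entropy");
  return problems;
}

// Call from astro.config.mjs before passing the value to the integration,
// so a weak or missing secret stops the build instead of signing cookies.
function requireSigningSecret(env = process.env) {
  const problems = checkSigningSecret(env.OIDC_SIGNING_SECRET);
  if (problems.length > 0) {
    throw new Error(`Refusing to start: ${problems.join("; ")}`);
  }
  return env.OIDC_SIGNING_SECRET;
}
```

With this in place, `cookie: { signingSecret: requireSigningSecret() }` fails the build early when the variable is missing or weak.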