# @resuely/astro-oidc-rp

Astro integration that injects OIDC login/callback/logout routes, a middleware that populates `Astro.locals.user`, and type augmentation for it.

## Install

```sh
npm install @resuely/astro-oidc-rp
```

## Usage (astro.config.mjs)

```js
import { defineConfig } from "astro/config";
import resuelyOidc from "@resuely/astro-oidc-rp";

export default defineConfig({
  integrations: [
    resuelyOidc({
      issuer: { env: "OIDC_ISSUER", fallback: "https://your-idp" },
      clientId: { env: "OIDC_CLIENT_ID" },
      cookie: { signingSecret: { env: "OIDC_SIGNING_SECRET" } },
      protected: ["/app/*", "/me"],
    }),
  ],
});
```

Injected routes (defaults):

- Login: `/login`
- Callback: `/oidc/callback`
- Logout: `/logout`
- Logout callback: `/logout/callback`

## Options

```ts
issuer: { env: string; fallback?: string }; // required
clientId: { env: string; fallback?: string }; // required
scopes?: string; // default: "openid email profile"
routes?: {
  login?: string;
  callback?: string;
  logout?: string;
  logoutCallback?: string;
};
redirectUri?: { mode: "infer-from-request" } | { absolute: string };
cookie: {
  name?: string;
  sameSite?: "Lax" | "Strict" | "None";
  secure?: boolean;
  domain?: string;
  path?: string;
  signingSecret: { env: string };
  maxAgeSec?: number;
};
protected?: string[]; // path patterns
```

## Types: Astro.locals

Enable type augmentation by referencing the package export. Add to your `tsconfig.json`:

```json
{
  "compilerOptions": {
    "types": ["@resuely/astro-oidc-rp/astro-locals"]
  }
}
```

Then `Astro.locals.user` is typed as:

```ts
{ sub: string; email?: string } | null | undefined
```

## Security notes

- Always provide a strong `cookie.signingSecret`.
- Cookies are `Secure` by default; for local HTTP development you may need `cookie.secure: false`.
- The init cookie used during login is short-lived (5 minutes) and is set with `HttpOnly` and `SameSite=Lax`.

## Build & Publish

Build:

```sh
npm run build
```

Publish:

```sh
npm publish --access public
```

## License

MIT