tiennm99/llmapikey
1
0
Fork 0
mirror of https://github.com/tiennm99/llmapikey.git synced 2026-06-17 04:48:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
559bac81040f46bb400e1cfbc0b5100ec0dc292d
llmapikey/lib/auth/github-oauth.js
T
tiennm99 559bac8104 feat(auth): replace Supabase Auth with app-native GitHub OAuth 
Self-contained GitHub OAuth (Arctic) with a stateless HS256 signed-cookie
session (jose); Supabase is downgraded to the Postgres host only.

- Origin-derived callback (no redirect-uri env); read:user scope; access
  token read once at callback and discarded (no token storage).
- CSRF via single-use state cookie; open-redirect guard on next.
- getCurrentGithubIdentity() now reads the session cookie, preserving the
  numeric provider_id identity contract for admin/dashboard/mint.
- Remove @supabase/ssr + @supabase/supabase-js, middleware, and the
  supabase-dependent rls test; delete lib/supabase clients.
2026-06-14 12:19:40 +07:00

34 lines
1.2 KiB
JavaScript
Raw Blame History

import "server-only";
import { GitHub } from "arctic";
/**
* GitHub OAuth scopes. `read:user` is enough to read the public profile
* (`id` + `login`) at the callback; no email scope, no token storage.
*/
export const GITHUB_SCOPES = ["read:user"];
/**
* Build the Arctic GitHub OAuth client.
*
* Redirect URI is derived from the request `origin` (`${origin}/auth/callback`),
* so no callback env is needed. GitHub validates this against the OAuth App's
* registered callback, so requests reaching the app on a non-registered host
* (e.g. a Vercel deployment-hash URL) will fail at GitHub — link only the
* canonical domain. Login and callback MUST pass the same origin so the
* `redirect_uri` matches across the authorize + token-exchange steps.
*
* @param {string} origin Request origin, e.g. `https://llmapikey.vercel.app`.
* @returns {import('arctic').GitHub}
*/
export function getGithubOAuth(origin) {
const clientId = process.env.GITHUB_OAUTH_CLIENT_ID;
const clientSecret = process.env.GITHUB_OAUTH_CLIENT_SECRET;
if (!clientId || !clientSecret) {
throw new Error(
"Missing GITHUB_OAUTH_CLIENT_ID / GITHUB_OAUTH_CLIENT_SECRET",
);
}
return new GitHub(clientId, clientSecret, `${origin}/auth/callback`);
}
Reference in New Issue View Git Blame Copy Permalink