Skip to content

thomasbuilds/start-oauth

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
.github/workflows
.github/workflows
 
 
src
src
 
 
.gitignore
.gitignore
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
package.json
package.json
 
 
pnpm-lock.yaml
pnpm-lock.yaml
 
 

Repository files navigation

Banner

Version Downloads Stars Discord

Lightweight and Secure OAuth2 for SolidStart — Access the name, email, and when available image of authenticated users. For extended usage, the provider name and access token are included in the oauth object.

Supported Providers: Amazon, Discord, GitHub, Google, LinkedIn, Microsoft, Spotify, X, and Yahoo

Installation

Add start-oauth as a dependency

# use preferred package manager
npm add start-oauth

Configuration

Create a catch-all API route at routes/api/oauth/[...oauth].ts

import OAuth from "start-oauth";
import { redirect } from "@solidjs/router";

export const GET = OAuth({
  password: process.env.PASSWORD!, // openssl rand -hex 32
  discord: {
    id: process.env.DISCORD_ID!,
    secret: process.env.DISCORD_SECRET!
  },
  google: {
    id: process.env.GOOGLE_ID!,
    secret: process.env.GOOGLE_SECRET!
  },
  async handler({ name, email, image, oauth }, redirectTo) {
    // add your logic (e.g. database call, session creation)
    // const session = await getSession();
    // await session.update({ name, email, image });

    return redirect(
      // only allow internal redirects
      redirectTo?.startsWith("/") && !redirectTo.startsWith("//")
        ? redirectTo
        : "/defaultPage"
    );
  }
});

In your OAuth provider's dashboard, set the redirect URIs

  • Development: http://localhost:3000/api/oauth/[provider]
  • Production: https://your-domain.com/api/oauth/[provider]

Usage

// for example in routes/login.tsx
import { useOAuthLogin } from "start-oauth";

export default function Login() {
  const login = useOAuthLogin();

  return (
    <div>
      <a href={login("discord")} rel="external">
        Sign in with Discord
      </a>
      <a href={login("google")} rel="external">
        Sign in with Google
      </a>
    </div>
  );
}
  • To specify a post-login destination, append ?redirect=/dashboard to the login URL—this value is passed as the redirectTo parameter to your handler.
  • On authentication failure, users are redirected to the login page with ?error=<reason> for custom error handling.

Example

See start-oauth in action with the SolidStart with-auth example

# using npm
npm create solid@latest -- -st with-auth
# using pnpm
pnpm create solid@latest -st with-auth
# using bun
bun create solid@latest --s --t with-auth

Security Features

  • Stateless PKCE with SHA-256 code challenges
  • AES-256-GCM encryption for state parameters to prevent tampering
  • Timeout-protected HTTP requests to avoid hanging connections
  • Strict validation of fallback URLs to prevent open redirects

About

Lightweight and Secure OAuth2 for SolidStart

www.npmjs.com/package/start-oauth

Topics

api oauth2 crypto solidjs solid-router solidstart

Resources

Readme

License

MIT license

Contributing

Contributing
Activity

Stars

13 stars

Watchers

2 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages