github providers

Author: DexterStorey

CHANGELOG.md

@@ -1,3 +1,4 @@
+- [2025-02-13] [github providers](https://github.com/RubricLab/auth/commit/e98d787af8ac54d174fddd8c5938b960d5d72462)
 - [2025-02-07] [expire sessions after 30 days](https://github.com/RubricLab/auth/commit/bcb4a8bf8a3601afffb2ad1ecef21061850e24db)
 - [2025-02-07] [prisma adapter, type exports](https://github.com/RubricLab/auth/commit/ea24d4a2a5f7ec464eba3da5c2be96c9e2bf09af)
 - [2025-02-06] [expire stale auth requests](https://github.com/RubricLab/auth/commit/117d98f5f01aa195f3a29edd8c238fbc61782a90)

lib/index.ts

@@ -13,6 +13,11 @@ export {
 	createGoogleAuthorizationProvider
 } from './providers/google'
 
+export {
+	createGithubAuthenticationProvider,
+	createGithubAuthorizationProvider
+} from './providers/github'
+
 export { createResendMagicLinkAuthenticationProvider } from './providers/resend'
 
 export { prismaAdapter } from './providers/prisma'

lib/providers/github.ts

@@ -0,0 +1,207 @@
+import { createOauth2AuthenticationProvider, createOauth2AuthorizationProvider } from '../utils'
+
+// GitHub OAuth Scopes
+// Reference: https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps
+export type GitHubScope =
+	// User scopes
+	| 'read:user'
+	| 'user'
+	| 'user:email'
+	| 'user:follow'
+	// Repository scopes
+	| 'repo'
+	| 'repo:status'
+	| 'repo:deployment'
+	| 'public_repo'
+	| 'repo:invite'
+	// Notifications and discussions
+	| 'notifications'
+	// Gists and snippets
+	| 'gist'
+	// Organization scopes
+	| 'read:org'
+	| 'admin:org'
+	| 'write:org'
+	// Projects
+	| 'project'
+	// Packages
+	| 'read:packages'
+	| 'write:packages'
+	| 'delete:packages'
+	// Workflows and Actions
+	| 'workflow'
+
+interface GitHubEmail {
+	email: string
+	primary: boolean
+	verified: boolean
+	visibility: string | null
+}
+
+export const createGithubAuthenticationProvider = ({
+	githubClientId,
+	githubClientSecret
+}: {
+	githubClientId: string
+	githubClientSecret: string
+}) =>
+	createOauth2AuthenticationProvider({
+		getAuthenticationUrl: async ({ redirectUri, state }) => {
+			const url = new URL('https://github.com/login/oauth/authorize')
+
+			url.searchParams.set('client_id', githubClientId)
+			url.searchParams.set('redirect_uri', redirectUri)
+			url.searchParams.set('state', state)
+			url.searchParams.set('access_type', 'offline')
+			url.searchParams.set('scope', (['read:user', 'user:email'] satisfies GitHubScope[]).join(' '))
+
+			return url
+		},
+		getToken: async ({ code, redirectUri }) => {
+			const response = await fetch('https://github.com/login/oauth/access_token', {
+				method: 'POST',
+				headers: {
+					'Content-Type': 'application/json',
+					Accept: 'application/json'
+				},
+				body: JSON.stringify({
+					client_id: githubClientId,
+					client_secret: githubClientSecret,
+					code,
+					redirect_uri: redirectUri
+				})
+			})
+
+			const data = await response.json()
+
+			if (!response.ok || data.error) {
+				console.error('Token exchange failed:', data)
+				throw new Error(`Failed to get token: ${data.error_description || data.error}`)
+			}
+
+			return {
+				accessToken: data.access_token,
+				refreshToken: '', // GitHub doesn't provide refresh tokens
+				expiresAt: new Date(Date.now() + 1000 * 60 * 365) // GitHub tokens don't expire by default
+			}
+		},
+		getUser: async ({ accessToken }) => {
+			const response = await fetch('https://api.github.com/user', {
+				headers: {
+					Authorization: `Bearer ${accessToken}`,
+					Accept: 'application/vnd.github.v3+json'
+				}
+			})
+
+			const data = await response.json()
+
+			if (!response.ok) {
+				console.error('Failed to get user:', data)
+				throw new Error(`Failed to get user: ${data.message}`)
+			}
+
+			const emailResponse = await fetch('https://api.github.com/user/emails', {
+				headers: {
+					Authorization: `Bearer ${accessToken}`,
+					Accept: 'application/vnd.github.v3+json'
+				}
+			})
+
+			const emails = (await emailResponse.json()) as GitHubEmail[]
+			const primaryEmail = emails.find(email => email.primary)?.email || data.email
+
+			return {
+				accountId: data.id.toString(),
+				email: primaryEmail
+			}
+		},
+		refreshToken: async ({ refreshToken }) => {
+			// GitHub's OAuth tokens don't expire by default
+			throw new Error('GitHub OAuth tokens do not support refreshing')
+		}
+	})
+
+export const createGithubAuthorizationProvider = ({
+	githubClientId,
+	githubClientSecret,
+	scopes
+}: {
+	githubClientId: string
+	githubClientSecret: string
+	scopes: GitHubScope[]
+}) =>
+	createOauth2AuthorizationProvider({
+		getAuthorizationUrl: async ({ redirectUri, state }) => {
+			const url = new URL('https://github.com/login/oauth/authorize')
+
+			url.searchParams.set('client_id', githubClientId)
+			url.searchParams.set('redirect_uri', redirectUri)
+			url.searchParams.set('state', state)
+			url.searchParams.set('scope', scopes.join(' '))
+
+			return url
+		},
+		getToken: async ({ code, redirectUri }) => {
+			const response = await fetch('https://github.com/login/oauth/access_token', {
+				method: 'POST',
+				headers: {
+					'Content-Type': 'application/json',
+					Accept: 'application/json'
+				},
+				body: JSON.stringify({
+					client_id: githubClientId,
+					client_secret: githubClientSecret,
+					code,
+					redirect_uri: redirectUri
+				})
+			})
+
+			const data = await response.json()
+
+			if (!response.ok || data.error) {
+				console.error('Token exchange failed:', data)
+				throw new Error(`Failed to get token: ${data.error_description || data.error}`)
+			}
+
+			return {
+				accessToken: data.access_token,
+				refreshToken: '', // GitHub doesn't provide refresh tokens
+				expiresAt: new Date(Date.now() + 1000 * 60 * 365) // GitHub tokens don't expire by default
+			}
+		},
+		getUser: async ({ accessToken }) => {
+			const response = await fetch('https://api.github.com/user', {
+				headers: {
+					Authorization: `Bearer ${accessToken}`,
+					Accept: 'application/vnd.github.v3+json'
+				}
+			})
+
+			const data = await response.json()
+
+			if (!response.ok) {
+				console.error('Failed to get user:', data)
+				throw new Error(`Failed to get user: ${data.message}`)
+			}
+
+			// Get user's email if it's not public
+			const emailResponse = await fetch('https://api.github.com/user/emails', {
+				headers: {
+					Authorization: `Bearer ${accessToken}`,
+					Accept: 'application/vnd.github.v3+json'
+				}
+			})
+
+			const emails = (await emailResponse.json()) as GitHubEmail[]
+			const primaryEmail = emails.find(email => email.primary)?.email || data.email
+
+			return {
+				accountId: data.id.toString(),
+				email: primaryEmail
+			}
+		},
+		refreshToken: async ({ refreshToken }) => {
+			// GitHub's OAuth tokens don't expire by default
+			throw new Error('GitHub OAuth tokens do not support refreshing')
+		}
+	})

lib/providers/google.ts

@@ -1,5 +1,27 @@
 import { createOauth2AuthenticationProvider, createOauth2AuthorizationProvider } from '../utils'
 
+// Google OAuth Scopes
+// Reference: https://developers.google.com/identity/protocols/oauth2/scopes
+export type GoogleScope =
+	// User info scopes
+	| 'https://www.googleapis.com/auth/userinfo.profile'
+	| 'https://www.googleapis.com/auth/userinfo.email'
+	// Gmail scopes
+	| 'https://www.googleapis.com/auth/gmail.readonly'
+	| 'https://www.googleapis.com/auth/gmail.modify'
+	| 'https://www.googleapis.com/auth/gmail.compose'
+	| 'https://www.googleapis.com/auth/gmail.send'
+	| 'https://www.googleapis.com/auth/gmail.full'
+	// Drive scopes
+	| 'https://www.googleapis.com/auth/drive.readonly'
+	| 'https://www.googleapis.com/auth/drive.file'
+	| 'https://www.googleapis.com/auth/drive'
+	| 'https://www.googleapis.com/auth/drive.appdata'
+	// Calendar scopes
+	| 'https://www.googleapis.com/auth/calendar.readonly'
+	| 'https://www.googleapis.com/auth/calendar.events'
+	| 'https://www.googleapis.com/auth/calendar'
+
 export const createGoogleAuthenticationProvider = ({
 	googleClientId,
 	googleClientSecret
@@ -16,7 +38,12 @@ export const createGoogleAuthenticationProvider = ({
 			url.searchParams.set('response_type', 'code')
 			url.searchParams.set(
 				'scope',
-				'https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile'
+				(
+					[
+						'https://www.googleapis.com/auth/userinfo.email',
+						'https://www.googleapis.com/auth/userinfo.profile'
+					] satisfies GoogleScope[]
+				).join(' ')
 			)
 			url.searchParams.set('state', state)
 			url.searchParams.set('access_type', 'offline')
@@ -100,7 +127,7 @@ export const createGoogleAuthorizationProvider = ({
 }: {
 	googleClientId: string
 	googleClientSecret: string
-	scopes: string[]
+	scopes: GoogleScope[]
 }) =>
 	createOauth2AuthorizationProvider({
 		getAuthorizationUrl: async ({ redirectUri, state }) => {

package.json

@@ -10,7 +10,7 @@
     "lint:fix": "bun x biome check --fix --unsafe . && bun x biome lint --write --unsafe ."
   },
   "name": "@rubriclab/auth",
-  "version": "0.0.26",
+  "version": "0.0.27",
   "main": "lib/index.ts",
   "dependencies": {
     "@rubriclab/config": "*",