@pyramation pyramation commented Jan 22, 2026

Summary

Adds two new authentication/security packages to the Constructive monorepo:

@constructive-io/csrf - Lightweight CSRF protection for Express applications

  • Token generation with cryptographically secure random bytes
  • Timing-safe token verification to prevent timing attacks
  • Express middleware implementing the double-submit cookie pattern
  • Support for both form submissions and AJAX/fetch requests
  • 22 unit tests

@constructive-io/oauth - Minimal OAuth 2.0 client for social authentication

  • Supports Google, GitHub, Facebook, and LinkedIn providers
  • Core OAuth client for generating authorization URLs, exchanging codes for tokens, and fetching user profiles
  • Express middleware with route handlers for /auth/:provider and /auth/:provider/callback
  • Normalized user profile format across all providers
  • Depends on @constructive-io/csrf for state parameter management
  • 25 unit tests

No external auth library dependencies (no Passport, NextAuth, or Better Auth). As requested, this PR only includes the fetching/middleware logic - no database/SQL integration.

Review & Testing Checklist for Human

  • Verify OAuth provider endpoints are correct - The authorization URLs, token URLs, and userinfo URLs for each provider are hardcoded. Please verify these match current provider documentation (especially LinkedIn which recently changed their API)
  • Test actual OAuth flow with at least one provider - Unit tests only cover URL generation and profile mapping, not the actual token exchange or profile fetching. Recommend testing with Google or GitHub using real credentials
  • Test CSRF middleware integration - Verify the CSRF middleware works correctly with your Express setup (form submissions and AJAX requests)
  • Review Express middleware type compatibility - Both packages use custom request/response type definitions rather than importing from @types/express. Verify this integrates correctly with your Express setup
  • Review cookie security settings - Both packages set cookies with httpOnly: true, sameSite: 'lax', and secure only in production. Confirm these settings match your security requirements

Recommended test plan:

  1. Install both packages in a test Express app
  2. Configure CSRF middleware and verify form/AJAX protection works
  3. Configure OAuth with at least one provider (Google recommended) and complete a full login flow

Notes

  • The GitHub provider has special handling to fetch emails from /user/emails endpoint if email is not returned in the main profile response
  • 47 total unit tests pass (25 OAuth + 22 CSRF)
  • The large diff in pnpm-lock.yaml is formatting changes only (multi-line to single-line resolution objects)

Link to Devin run: https://app.devin.ai/sessions/c1125b60da1f442d98324962c71ca06e
Requested by: @pyramation

Implements a minimal OAuth 2.0 client from scratch supporting:
- Google, GitHub, Facebook, and LinkedIn providers
- Authorization URL generation with CSRF state protection
- Token exchange and user profile fetching
- Express middleware for easy integration
- 25 unit tests covering core functionality

No external auth dependencies - uses native fetch for HTTP requests.
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

- Create new @constructive-io/csrf package with:
  - Token generation and timing-safe verification utilities
  - Express middleware for CSRF protection (forms and AJAX)
  - Double-submit cookie pattern implementation
  - 22 unit tests

- Refactor @constructive-io/oauth to depend on @constructive-io/csrf
  - Reuse token utilities from csrf package
  - Add proper README badges and logo

- Add both packages to CI workflow matrix
@devin-ai-integration devin-ai-integration bot changed the title feat: add @constructive-io/oauth package for social authentication feat: add @constructive-io/oauth and @constructive-io/csrf packages Jan 22, 2026
@pyramation pyramation merged commit 91117ba into main Jan 22, 2026
50 checks passed
@pyramation pyramation deleted the devin/1769064513-oauth-package branch January 22, 2026 11:11