New Research: Supply Chain Attack on Axios Pulls Malicious Dependency from npm.Details →
Socket
Book a DemoSign in
Socket
Book a DemoSign in

start-oauth

Package Overview
Dependencies
Maintainers
1
Versions
20
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

start-oauth

Lightweight and Secure OAuth2 for SolidStart

latest
Source
npmnpm
Version
1.3.3
Version published
Maintainers
1
Created
Source

Banner

Version Downloads Stars Discord

Lightweight and Secure OAuth2 for SolidStart — Access the name, email, and when available image of authenticated users. For extended usage, the provider name and access token are included in the oauth object.

Supported Providers: Amazon, Discord, GitHub, Google, LinkedIn, Microsoft, Spotify, X, and Yahoo

Installation

Add start-oauth as a dependency

# use preferred package manager
npm add start-oauth

Configuration

Create a catch-all API route at routes/api/oauth/[...oauth].ts

import OAuth from "start-oauth";
import { redirect } from "@solidjs/router";

export const GET = OAuth({
  password: process.env.PASSWORD!, // openssl rand -hex 32
  discord: {
    id: process.env.DISCORD_ID!,
    secret: process.env.DISCORD_SECRET!
  },
  google: {
    id: process.env.GOOGLE_ID!,
    secret: process.env.GOOGLE_SECRET!
  },
  async handler({ name, email, image, oauth }, redirectTo) {
    // add your logic (e.g. database call, session creation)
    // const session = await getSession();
    // await session.update({ name, email, image });

    return redirect(
      // only allow internal redirects
      redirectTo?.startsWith("/") && !redirectTo.startsWith("//")
        ? redirectTo
        : "/defaultPage"
    );
  }
});

In your OAuth provider's dashboard, set the redirect URIs

  • Development: http://localhost:3000/api/oauth/[provider]
  • Production: https://your-domain.com/api/oauth/[provider]

Usage

// for example in routes/login.tsx
import { useOAuthLogin } from "start-oauth";

export default function Login() {
  const login = useOAuthLogin();

  return (
    <div>
      <a href={login("discord")} rel="external">
        Sign in with Discord
      </a>
      <a href={login("google")} rel="external">
        Sign in with Google
      </a>
    </div>
  );
}
  • To specify a post-login destination, append ?redirect=/dashboard to the login URL—this value is passed as the redirectTo parameter to your handler.
  • On authentication failure, users are redirected to the login page with ?error=<reason> for custom error handling.

Example

See start-oauth in action with the SolidStart with-auth example

# using npm
npm create solid@latest -- -st with-auth

# using pnpm
pnpm create solid@latest -st with-auth

# using bun
bun create solid@latest --s --t with-auth

Security Features

  • Stateless PKCE with SHA-256 code challenges
  • AES-256-GCM encryption for state parameters to prevent tampering
  • Timeout-protected HTTP requests to avoid hanging connections
  • Strict validation of fallback URLs to prevent open redirects

Keywords

api
oauth2
crypto
solidjs
solid-router
solidstart

FAQs

Package last updated on 18 Mar 2026

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Attackers Are Hunting High-Impact Node.js Maintainers in a Coordinated Social Engineering Campaign

Security News

Attackers Are Hunting High-Impact Node.js Maintainers in a Coordinated Social Engineering Campaign

Multiple high-impact npm maintainers confirm they have been targeted in the same social engineering campaign that compromised Axios.

By Sarah Gooding  -  Apr 03, 2026