Security News
The Nightmare Before Deployment
Season’s greetings from Socket, and here’s to a calm end of year: clean dependencies, boring pipelines, no surprises.
By Ahmad Nassri - Dec 16, 2025
vercel-github-oauth-proxy
Advanced tools
vercel-github-oauth-proxy
Protect a static website hosted on Vercel behind GitHub authentication.
▲🔐 Vercel GitHub OAuth Proxy
Protect a static website hosted on Vercel behind GitHub authentication.
Setup
Step 1 — Add the library
yarn add vercel-github-oauth-proxy
Step 2 — Create an API endpoint at /api/index.ts
import { createLambdaProxyAuthHandler } from "vercel-github-oauth-proxy"
export default createLambdaProxyAuthHandler(config)
config.cryptoSecret
This is used to sign cookies.
config.staticDir
The output directory of the static website.
config.githubOrgName
The GitHub org users need to be part of.
config.githubClientId
config.githubClientSecret
The id/secret pair of your GitHub OAuth app.
You can create a new app at https://github.com/organizations/{config.githubOrgName}/settings/applications/new
config.githubOrgAdminToken
Private org memberships can only be determined by making an authenticated API request.
We could request read:org scope during the OAuth flow and then use each user's access token to determine org membership, but using this method means the user additionally needs to request org access during or after the login flow and requires an org admin to confirm. This makes this approach inconvenient for both the users and the admin.
Therefore we're using a separate org admin token to verify membership during login (org admins can see all users).
Step 3 — Create a vercel.json
{
"version": 2,
"routes": [{ "src": "/(.*)", "dest": "/api/index.ts" }],
"functions": {
"api/index.ts": {
"includeFiles": "static/**"
}
}
}
This routes all traffic through the lambda endpoint.
Adapt includeFiles to your public output folder. Including these files is required because the static website needs to be deployed as part of the lambda function, not the default build. See also the function docs and limits.
Step 4 — Build
If you have an existing build script, rename it to vercel-build to build your website as part of the lambda build instead of the normal build.
Make sure to not keep the build script as it would result in duplicate work or may break deployment entirely. For more information see custom-build-step-for-node-js.
{
"scripts": {
"vercel-build": "your website build command"
}
}
Local development
To develop locally, run
yarn vercel dev
When developing locally, you'll need to update your GitHub OAuth app's redirect URL to http://localhost:3000.
FAQs
Protect a static website hosted on Vercel behind GitHub authentication.
The npm package vercel-github-oauth-proxy receives a total of 3 weekly downloads. As such, vercel-github-oauth-proxy popularity was classified as not popular.
We found that vercel-github-oauth-proxy demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 24 Dec 2020
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
/Security News
Malicious NuGet Package Typosquats Popular .NET Tracing Library to Steal Wallet Passwords
Impostor NuGet package Tracer.Fody.NLog typosquats Tracer.Fody and its author, using homoglyph tricks, and exfiltrates Stratis wallet JSON/passwords to a Russian IP address.
By Kirill Boychenko - Dec 15, 2025
Security News
Deno 2.6 + Socket: Supply Chain Defense In Your CLI
Deno 2.6 introduces deno audit with a new --socket flag that plugs directly into Socket to bring supply chain security checks into the Deno CLI.
By Sarah Gooding - Dec 12, 2025