{"id":34933218,"url":"https://github.com/zigster64/oauth.zig","last_synced_at":"2026-05-23T06:05:11.632Z","repository":{"id":251198128,"uuid":"835236228","full_name":"zigster64/oauth.zig","owner":"zigster64","description":"http.zig helper lib to implement oauth2 ","archived":false,"fork":false,"pushed_at":"2024-08-16T07:52:21.000Z","size":66,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-03-29T17:25:54.985Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"CSS","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zigster64.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-29T12:36:46.000Z","updated_at":"2024-08-16T07:52:24.000Z","dependencies_parsed_at":"2024-08-13T16:48:04.328Z","dependency_job_id":null,"html_url":"https://github.com/zigster64/oauth.zig","commit_stats":null,"previous_names":["zigster64/oauth.zig"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/zigster64/oauth.zig","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zigster64%2Foauth.zig","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zigster64%2Foauth.zig/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zigster64%2Foauth.zig/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zigster64%2Foauth.zig/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zigster64","download_url":"https://codeload.github.com/zigster64/oauth.zig/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zigster64%2Foauth.zig/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33384606,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-23T04:15:53.637Z","status":"ssl_error","status_checked_at":"2026-05-23T04:15:53.242Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-12-26T17:31:30.862Z","updated_at":"2026-05-23T06:05:11.592Z","avatar_url":"https://github.com/zigster64.png","language":"CSS","funding_links":[],"categories":[],"sub_categories":[],"readme":"# oauth.zig #\n\nhttp.zig helper app implementing oauth2 with Microsoft auth endpoints\n\nThis is a proof of concept for doing automatic session management with an http.zig backend, using HTMX\n\nYou will need an app registered with the Microsoft auth backend, and have access to the client id and secrets\n\nIt should redirect back to whatever you are running here - i.e. localhost:8080\n\nIf there is enough interest, I might convert this into a session library that sits on top of http.zig. 
\n\n# Auth Flow and Security #\n\n\n- User hits a protected route\n- Middleware checks if a session cookie is set; if so, validate it and render the route as per normal\n\nIf not authorized:\n\n- Generate an anonymous session with a unique ID, and capture the client IP address and requested URL. Anon sessions have a TTL of 30 seconds\n- Return HTML content to render a login link (3rd party auth server), with a ref to our anon SESSION_ID\n- User clicks on the link, does their authentication, and it redirects back to our app at /zauth?code=....\u0026state=SESSION_ID\n- Our app collects the auth code, and calls the 3rd party service to exchange it for a token AND a refresh token\n- Our app decodes the 3rd party token (without signature verification), and creates a new active session\n- Our app bundles the SESSION_ID, username, email, IP address, etc. into a struct, and digitally signs it with our own JWT_SECRET\n- Our app sets the signed / encoded token as an http-only cookie on the browser, and redirects them to the original URL\n\nSo what we end up with is backend middleware that automatically intercepts hits on protected routes, and presents a login button\nif the user is not authenticated.\n\nIf the user correctly logs in via the 3rd party, the same middleware manages session creation, and redirects to the original URL.\n\nUsing sessions gives us the control to manage and track who the active users are and what they are doing (in the DB)\n\nUsing http-only cookies rather than authorization headers means there is nothing fancy to do in the HTMX frontend to propagate the session, and the cookie can't be accessed from the JS console\n\nEncoding the SESSION_ID + user details in a JWT, and signing it, means that an attacker cannot simply alter the session details to forge a new session\n\n\n## Optional - IP Address Stamping ## \n\nThe original IP address of the anon client is encoded into the signed cookie as well - so an attacker that captured the session cookie would not be able \nto replay it unless they also managed to spoof the original client's IP address.\n\nSo if the user is, say, on mobile internet and roaming from one hotspot to another, their session will be invalidated as soon as they jump hotspots / get a new IP. \n\nThis is wanted for the target application in this case, but might be overkill for your needs. Adjust accordingly.\n\n\n\n# Env #\n\nYou will need to configure the following values in a file called `.env` \n\n- AUTH_URL\n- CLIENT_ID\n- REDIRECT_URL\n- SCOPE\n- CLIENT_SECRET\n\nIn addition, you will need to set\n\n- JWT_SECRET\n\nto a secret that we use to sign our own outgoing JWT\n\n\nIf you don't have the `.env` file present, then `bun backend` won't build\n\n# Using Bun for dev #\n\n`bun install`\n\nsets up tailwind / daisy UI etc.\n\n`bun tailwind` runs a watcher on the CSS, and generates tailwind output on the fly\n\n`bun backend` runs a watcher on the Zig code, recompiles and relaunches on demand\n\n# Just plain build #\n\n`zig build`\n\n`zig build run`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzigster64%2Foauth.zig","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzigster64%2Foauth.zig","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzigster64%2Foauth.zig/lists"}