{"id":44787927,"url":"https://github.com/zitadel/astro-auth","last_synced_at":"2026-02-28T04:48:11.268Z","repository":{"id":321746459,"uuid":"1036675620","full_name":"zitadel/astro-auth","owner":"zitadel","description":"A comprehensive Auth.js plugin for Astro that enables OAuth/OIDC and credential-based authentication.","archived":false,"fork":false,"pushed_at":"2026-02-27T04:02:28.000Z","size":1149,"stargazers_count":4,"open_issues_count":2,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-27T08:56:54.924Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zitadel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-08-12T12:26:32.000Z","updated_at":"2026-02-27T04:02:32.000Z","dependencies_parsed_at":"2025-10-31T10:11:29.336Z","dependency_job_id":"453f64b4-833a-430a-83b6-c308b2c0c164","html_url":"https://github.com/zitadel/astro-auth","commit_stats":null,"previous_names":["mridang/auth-astro","mridang/astro-auth","zitadel/astro-auth"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/zitadel/astro-auth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zitadel%2Fastro-auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zitadel%2Fastro-auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zitadel%2Fastro-auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zitadel%2Fastro-auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zitadel","download_url":"https://codeload.github.com/zitadel/astro-auth/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zitadel%2Fastro-auth/sbom","scorecard":{"id":1242990,"data":{"date":"2026-02-05T06:12:55Z","repo":{"name":"github.com/zitadel/astro-auth","commit":"6cfcf9d9d6fc23d9b1d3bbfae22228f2b24e6436"},"scorecard":{"version":"v5.1.1","commit":"cd152cb6742c5b8f2f3d2b5193b41d9c50905198"},"score":5.3,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/29 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#packaging"}},{"name":"Maintained","score":6,"reason":"8 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 6","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#maintained"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#dependency-update-tool"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#dangerous-workflow"}},{"name":"Pinned-Dependencies","score":8,"reason":"dependency not pinned by hash detected -- score normalized to 8","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/commitlint.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/zitadel/astro-auth/commitlint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/linting.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/zitadel/astro-auth/linting.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/zitadel/astro-auth/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/zitadel/astro-auth/test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/zitadel/astro-auth/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/typecheck.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/zitadel/astro-auth/typecheck.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unused.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/zitadel/astro-auth/unused.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/unused.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/zitadel/astro-auth/unused.yml/main?enable=pin","Info:  15 out of  19 GitHub-owned GitHubAction dependencies pinned","Info:  14 out of  18 third-party GitHubAction dependencies pinned","Info:   4 out of   4 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#pinned-dependencies"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/commitlint.yml:16","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/commitlint.yml:17","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/linting.yml:24","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:16","Info: jobLevel 'contents' permission set to 'read': .github/workflows/unused.yml:16","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/unused.yml:17","Info: topLevel 'contents' permission set to 'read': .github/workflows/commitlint.yml:11","Info: topLevel 'contents' permission set to 'read': .github/workflows/depcheck.yml:7","Info: topLevel 'contents' permission set to 'read': .github/workflows/linting.yml:19","Warn: topLevel 'contents' permission set to 'write': .github/workflows/pipeline.yml:7","Info: topLevel 'actions' permission set to 'read': .github/workflows/pipeline.yml:8","Warn: topLevel 'checks' permission set to 'write': .github/workflows/pipeline.yml:9","Warn: no topLevel permission defined: .github/workflows/qodana.yml:1","Info: topLevel 'checks' permission set to 'read': .github/workflows/release.yml:13","Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:10","Warn: topLevel 'packages' permission set to 'write': .github/workflows/release.yml:11","Info: topLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:9","Warn: no topLevel permission defined: .github/workflows/test.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/typecheck.yml:15","Info: topLevel 'contents' permission set to 'read': .github/workflows/unused.yml:11"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#cii-best-practices"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v1.1.0 not signed: https://api.github.com/repos/zitadel/astro-auth/releases/283217052","Warn: release artifact v1.0.0 not signed: https://api.github.com/repos/zitadel/astro-auth/releases/260501752","Warn: release artifact v1.1.0 does not have provenance: https://api.github.com/repos/zitadel/astro-auth/releases/283217052","Warn: release artifact v1.0.0 does not have provenance: https://api.github.com/repos/zitadel/astro-auth/releases/260501752"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#signed-releases"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#license"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#branch-protection"}},{"name":"SAST","score":10,"reason":"SAST tool detected","details":["Info: SAST configuration detected: Qodana","Warn: 0 commits out of 2 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#sast"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#fuzzing"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#security-policy"}},{"name":"CI-Tests","score":10,"reason":"2 out of 2 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#ci-tests"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#vulnerabilities"}},{"name":"Contributors","score":10,"reason":"project has 8 contributing companies or organizations","details":["Info: found contributions from: astrolicious, catppuccin, duxcore, expressive-code, pragma, withastro, withstudiocms, withtrinity"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#contributors"}}]},"last_synced_at":"2026-02-05T21:40:07.351Z","repository_id":321746459,"created_at":"2026-02-05T21:40:07.351Z","updated_at":"2026-02-05T21:40:07.351Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29924863,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-27T19:37:42.220Z","status":"online","status_checked_at":"2026-02-28T02:00:07.010Z","response_time":90,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-02-16T10:42:39.095Z","updated_at":"2026-02-28T04:48:11.262Z","avatar_url":"https://github.com/zitadel.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Astro Auth.js\n\nAn [Astro](https://astro.build/) integration for [Auth.js](https://authjs.dev/)\nthat provides seamless authentication with multiple providers, session\nmanagement, and UI primitives that feel natural in Astro.\n\nThis integration brings the power and flexibility of Auth.js to Astro\napplications with full TypeScript support, SSR-friendly HTTP handling,\nand Astro-native patterns including integrations, endpoints, and components.\n\n### Why?\n\nModern web applications require robust, secure, and flexible authentication\nsystems. While Auth.js provides excellent authentication capabilities,\nintegrating it with Astro applications requires careful consideration of\nframework patterns, server-side rendering, and TypeScript integration.\n\nHowever, a direct integration isn't always straightforward. Different types\nof applications or deployment scenarios might warrant different approaches:\n\n- **Framework Integration:** Auth.js operates at the HTTP level, while Astro\n  uses integrations, endpoints, and components. A proper integration should bridge this\n  gap by providing Astro-native primitives for authentication and authorization\n  while maintaining the full Auth.js ecosystem compatibility.\n- **HTTP Request Handling:** Astro’s server output and adapters (Node, Vercel, etc.)\n  require clean request handling and route injection. Teams need a unified approach that\n  maintains performance while providing seamless Auth.js integration.\n- **Session and Request Lifecycle:** Proper session handling in Astro requires\n  SSR-friendly utilities and components that work across server-rendered pages\n  and client interactions.\n- **Route Protection \u0026 UI:** Many applications need fine-grained authorization\n  beyond simple authentication. This calls for cohesive building blocks: server utilities,\n  client helpers, and drop-in UI components.\n\nThis integration, `@zitadel/astro-auth`, aims to provide the flexibility to\nhandle such scenarios. It allows you to leverage the full Auth.js ecosystem\nwhile maintaining Astro best practices, ultimately leading to a more\neffective and less burdensome authentication implementation.\n\n## Installation\n\nInstall using NPM by using the following command:\n\n```sh\nnpm install @zitadel/astro-auth @auth/core\n```\n\n## Usage\n\nTo use this integration, add the `@zitadel/astro-auth` integration to your Astro application.\nThe integration provides authentication infrastructure with configurable\nendpoints, SSR utilities, and components.\n\nYou'll need to configure it with your Auth.js providers and options. The\nintegration will then be available throughout your application via Astro’s\nintegration system.\n\nFirst, add the integration to your Astro config:\n\n```ts\n// astro.config.mjs\nimport { defineConfig } from 'astro/config';\nimport authAstro from '@zitadel/astro-auth';\n\nexport default defineConfig({\n  output: 'server',\n  integrations: [\n    authAstro({\n      // Optional:\n      // prefix: '/api/auth',\n      // configFile: './auth.config.ts'\n    }),\n  ],\n});\n```\n\n```ts\n// auth.config.ts\nimport { defineConfig } from '@zitadel/astro-auth';\nimport Google from '@auth/core/providers/google';\n\nexport default defineConfig({\n  providers: [\n    Google({\n      clientId: process.env.GOOGLE_CLIENT_ID,\n      clientSecret: process.env.GOOGLE_CLIENT_SECRET,\n    }),\n  ],\n  secret: process.env.AUTH_SECRET,\n  trustHost: true,\n});\n```\n\n#### Using the Authentication System\n\nThe integration provides several functions and hooks for handling\nauthentication:\n\n**Functions and Hooks:**\n\n- `getSession(request, config?)`: Retrieves the current Auth.js session (SSR)\n- `\u003cAuth\u003e`: Render-prop component that provides the current session to children\n- `\u003cSignIn provider=\"...\"\u003e`: Drop-in button component for starting sign-in\n- `\u003cSignOut\u003e`: Drop-in button component for signing out\n- `signIn(provider, options?, authParams?)`: Client helper for programmatic sign-in\n- `signOut(options?)`: Client helper for programmatic sign-out\n\n**Basic Usage:**\n\n```astro\n---\n// src/pages/index.astro\nimport { getSession } from '@zitadel/astro-auth/server';\nimport type { Session } from '@auth/core/types';\n\nconst session = await getSession(Astro.request);\n---\n\n\u003chtml\u003e\n  \u003cbody\u003e\n    {session ? (\n      \u003c\u003e\n        \u003cp\u003eWelcome {session.user?.name}\u003c/p\u003e\n        \u003ca href=\"/api/auth/signout\"\u003eSign out\u003c/a\u003e\n      \u003c/\u003e\n    ) : (\n      \u003ca href=\"/api/auth/signin\"\u003eSign in\u003c/a\u003e\n    )}\n  \u003c/body\u003e\n\u003c/html\u003e\n```\n\nPrefer using components? Use the built-ins for a richer experience:\n\n```astro\n---\n// src/pages/index.astro\nimport type { Session } from '@auth/core/types';\nimport { Auth, SignIn, SignOut } from '@zitadel/astro-auth/components';\n---\n\n\u003cAuth\u003e\n  {(session: Session | null) =\u003e (\n    \u003c\u003e\n      {session ? (\n        \u003c\u003e\n          \u003cSignOut\u003eSign out\u003c/SignOut\u003e\n          \u003cp\u003eLogged in as {session.user?.name}\u003c/p\u003e\n        \u003c/\u003e\n      ) : (\n        \u003cSignIn provider=\"github\"\u003eSign in with GitHub\u003c/SignIn\u003e\n      )}\n    \u003c/\u003e\n  )}\n\u003c/Auth\u003e\n```\n\nPrefer client helpers? Use inline script tags:\n\n```html\n---\n---\n\n\u003chtml\u003e\n  \u003cbody\u003e\n    \u003cbutton id=\"login\"\u003eLogin\u003c/button\u003e\n    \u003cbutton id=\"logout\"\u003eLogout\u003c/button\u003e\n\n    \u003cscript\u003e\n      const { signIn, signOut } = await import(\"@zitadel/astro-auth/client\");\n      document.querySelector(\"#login\").onclick = () =\u003e signIn(\"github\");\n      document.querySelector(\"#logout\").onclick = () =\u003e signOut();\n    \u003c/script\u003e\n  \u003c/body\u003e\n\u003c/html\u003e\n```\n\n##### Example: Advanced Configuration with Multiple Providers\n\nThis example shows how to use the integration with multiple Auth.js\nproviders and custom session configuration:\n\n```ts\n// auth.config.ts\nimport { defineConfig } from '@zitadel/astro-auth';\nimport Google from '@auth/core/providers/google';\nimport GitHub from '@auth/core/providers/github';\n\nexport default defineConfig({\n  providers: [\n    Google({\n      clientId: process.env.GOOGLE_CLIENT_ID,\n      clientSecret: process.env.GOOGLE_CLIENT_SECRET,\n    }),\n    GitHub({\n      clientId: process.env.GITHUB_CLIENT_ID,\n      clientSecret: process.env.GITHUB_CLIENT_SECRET,\n    }),\n  ],\n  secret: process.env.AUTH_SECRET,\n  trustHost: true,\n  session: {\n    strategy: 'jwt',\n    maxAge: 30 * 24 * 60 * 60, // 30 days\n  },\n  callbacks: {\n    async jwt({ token, user }) {\n      if (user) (token as any).roles = (user as any).roles;\n      return token;\n    },\n    async session({ session, token }) {\n      (session.user as any).roles = (token as any).roles as\n        | string[]\n        | undefined;\n      return session;\n    },\n  },\n});\n```\n\n## Known Issues\n\n- **SSR \u0026 Adapter Required:** The integration requires Astro’s server output\n  with an adapter (e.g., `@astrojs/node`, Vercel, etc.). Ensure `output: 'server'`\n  is set and an adapter is configured in `astro.config.mjs`.\n- **Environment Configuration:** The integration relies on `AUTH_SECRET` and,\n  in many hosting scenarios, `AUTH_TRUST_HOST`. Ensure these are correctly set\n  in your environment for production.\n- **Callback URLs:** OAuth providers must be configured with the correct\n  callback URL: `[origin]/api/auth/callback/[provider]` (or your custom `prefix`).\n- **Type Augmentation:** If you attach additional properties (e.g., roles) to\n  the Auth.js user object, extend your app’s types accordingly so consumers of\n  `session.user` remain type-safe.\n- **Redirect Semantics:** OAuth providers expect real browser navigations during\n  sign-in. The client helpers handle this for you—avoid manual `fetch()` calls\n  to provider endpoints unless you know you need credential/email flows.\n\n## Useful links\n\n- **[Auth.js](https://authjs.dev/):** The authentication library that this\n  integration is built upon.\n- **[Astro](https://astro.build/):** The framework this integration targets.\n- **[Auth.js Providers](https://authjs.dev/getting-started/providers):**\n  Complete list of supported authentication providers.\n\n## Contributing\n\nIf you have suggestions for how this integration could be improved, or\nwant to report a bug, open an issue - we'd love all and any\ncontributions.\n\n## License\n\nApache-2.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzitadel%2Fastro-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzitadel%2Fastro-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzitadel%2Fastro-auth/lists"}