tempestphp
diff --git a/‎composer.json‎
Lines changed: 16 additions & 1 deletion b/‎composer.json‎
Lines changed: 16 additions & 1 deletion
diff --git a/‎docs/2-features/17-oauth.md‎
Lines changed: 289 additions & 0 deletions b/‎docs/2-features/17-oauth.md‎
Lines changed: 289 additions & 0 deletions
diff --git a/‎packages/auth/composer.json‎
Lines changed: 23 additions & 1 deletion b/‎packages/auth/composer.json‎
Lines changed: 23 additions & 1 deletion
@@ -20,6 +20,7 @@
         "league/commonmark": "^2.7",
         "league/flysystem": "^3.29.1",
         "league/mime-type-detection": "^1.16",
+        "league/oauth2-client": "^2.8",
         "monolog/monolog": "^3.7.0",
         "nette/php-generator": "^4.1.6",
         "nikic/php-parser": "^5.3",
@@ -45,9 +46,11 @@
         "voku/portable-ascii": "^2.0.3"
     },
     "require-dev": {
+        "adam-paterson/oauth2-slack": "^1.1",
         "aws/aws-sdk-php": "^3.338.0",
         "azure-oss/storage-blob-flysystem": "^1.2",
         "carthage-software/mago": "1.0.0-beta.24",
+        "depotwarehouse/oauth2-twitch": "^1.3",
         "guzzlehttp/psr7": "^2.6.1",
         "league/flysystem-aws-s3-v3": "^3.25.1",
         "league/flysystem-ftp": "^3.25.1",
@@ -57,23 +60,34 @@
         "league/flysystem-read-only": "^3.25.1",
         "league/flysystem-sftp-v3": "^3.25.1",
         "league/flysystem-ziparchive": "^3.25.1",
+        "league/oauth2-facebook": "^2.0",
+        "league/oauth2-github": "^3.1",
+        "league/oauth2-google": "^4.0",
+        "league/oauth2-instagram": "^3.0",
+        "league/oauth2-linkedin": "^5.1",
         "masterminds/html5": "^2.9",
         "microsoft/azure-storage-blob": "^1.5",
         "mikey179/vfsstream": "^2.0@dev",
         "nesbot/carbon": "^3.8",
         "nyholm/psr7": "^1.8",
+        "patrickbussmann/oauth2-apple": "^0.3",
         "phpat/phpat": "^0.11.0",
         "phpbench/phpbench": "84.x-dev",
         "phpstan/phpstan": "^2.0",
         "phpunit/phpunit": "^12.2.3",
         "predis/predis": "^3.0.0",
+        "riskio/oauth2-auth0": "^2.4",
+        "smolblog/oauth2-twitter": "^1.0",
         "spatie/phpunit-snapshot-assertions": "^5.1.8",
         "spaze/phpstan-disallowed-calls": "^4.0",
+        "stevenmaguire/oauth2-microsoft": "^2.2",
         "symfony/amazon-mailer": "^7.2.0",
         "symfony/postmark-mailer": "^7.2.6",
         "symplify/monorepo-builder": "^11.2",
         "tempest/blade": "dev-main",
-        "twig/twig": "^3.16"
+        "thenetworg/oauth2-azure": "^2.2",
+        "twig/twig": "^3.16",
+        "wohali/oauth2-discord-new": "^1.2"
     },
     "replace": {
         "tempest/auth": "self.version",
@@ -186,6 +200,7 @@
     },
     "autoload-dev": {
         "psr-4": {
+            "Tempest\\Auth\\Tests\\": "packages/auth/tests",
             "Tempest\\Cache\\Tests\\": "packages/cache/tests",
             "Tempest\\Clock\\Tests\\": "packages/clock/tests",
             "Tempest\\CommandBus\\Tests\\": "packages/command-bus/tests",
 
@@ -0,0 +1,289 @@
+---
+title: OAuth
+description: "Learn how to implement OAuth to authenticate users with many different providers, such as GitHub, Google, Discord, and many others."
+keywords: "Experimental"
+---
+
+## Overview
+
+Tempest provides the ability to authenticate users with many OAuth providers, such as GitHub, Google, Discord, and many others, using the same interface.
+
+This implementation is built on top of the PHP league's [OAuth client](https://github.com/thephpleague/oauth2-client)—a reliable, battle-tested OAuth 2.0 client library.
+
+## Getting started
+
+To get started with OAuth, you will first need to create a configuration file for your desired OAuth provider.
+
+Tempest provides a [different configuration object for each provider](#available-providers). For instance, if you wish to authenticate users with GitHub, you may create a `github.config.php` file returning an instance of {b`Tempest\Auth\OAuth\Config\GitHubOAuthConfig`}:
+
+```php app/Auth/github.config.php
+return new GitHubOAuthConfig(
+    clientId: env('GITHUB_CLIENT_ID'),
+    clientSecret: env('GITHUB_CLIENT_SECRET'),
+    redirectTo: [GitHubOAuthController::class, 'callback'],
+    scopes: ['user:email'],
+);
+```
+
+In this example, the GitHub OAuth credentials are specified in the `.env`, so different credentials can be configured depending on the environment.
+
+Once your OAuth provider is configured, you may interact with it by using the {`Tempest\Auth\OAuth\OAuthClient`} interface. This is usually done through [dependency injection](../1-essentials/05-container.md#injecting-dependencies).
+
+## Implementing the OAuth flow
+
+To implement a complete OAuth flow for your application, you will need two routes.
+
+- The first one will redirect the user to the OAuth provider's authorization page,
+- The second one, which will be redirected to once the user authorizes your application, will fetch the user's information thanks to the code provided by the OAuth provider.
+
+The {b`Tempest\Auth\OAuth\OAuthClient`} interface has the necessary methods to handle both parts of the flow. The following is an example of a complete OAuth flow, including CSRF protection, creating or updating the user, and authenticating them against the application:
+
+```php app/Auth/DiscordOAuthController.php
+use Tempest\Auth\OAuth\OAuthClient;
+
+final readonly class DiscordOAuthController
+{
+    public function __construct(
+        private OAuthClient $oauth,
+        private Session $session,
+        private Authenticator $authenticator,
+    ) {}
+
+    #[Get('/auth/discord')]
+    public function redirect(): Redirect
+    {
+        // Saves a unique token in the user's session
+        $this->session->set('discord:oauth', $this->oauth->getState());
+
+        // Redirects to the OAuth provider's authorization page
+        return new Redirect($this->oauth->getAuthorizationUrl());
+    }
+
+    #[Get('/auth/discord/callback')]
+    public function callback(Request $request): Redirect
+    {
+        // Validates the saved session token to prevent CSRF attacks
+        if ($this->session->get('discord:oauth') !== $request->get('state')) {
+            return new Redirect('/?error=invalid_state');
+        }
+
+        // Fetches the user information from the OAuth provider
+        $discordUser = $this->oauth->fetchUser($request->get('code'));
+
+        // Creates or updates the user in the database
+        $user = query(User::class)->updateOrCreate([
+            'discord_id' => $discordUser->id,
+        ], [
+            'discord_id' => $discordUser->id,
+            'username' => $discordUser->nickname,
+            'email' => $discordUser->email,
+        ]);
+
+        // Finally, authenticates the user in the application
+        $this->authenticator->authenticate($user);
+
+        return new Redirect('/');
+    }
+}
+```
+
+Of course, this example assumes that the database and an [authenticatable model](../2-features/04-authentication.md#authentication) are configured.
+
+### Working with the OAuth user
+
+When an OAuth flow is completed and you call `fetchUser`, you will receive an {b`Tempest\Auth\OAuth\OAuthUser`} object containing the user's information from the OAuth provider:
+
+```php
+$user = $this->oauth->fetchUser($code);
+
+$user->id;         // The unique identifier for the user from the OAuth provider
+$user->email;      // The user's email address
+$user->name;       // The user's name
+$user->nickname;   // The user's nickname/username
+$user->avatar;     // The user's avatar URL
+$user->provider;   // The OAuth provider name
+$user->raw;        // Raw user data from the OAuth provider
+```
+
+As seen in the example above, you can use this information to create or update a user in your database, or to authenticate them directly.
+
+## Configuring a provider
+
+Most providers require only a `clientId`, `clientSecret` and `redirectTo`, but some might need other parameters. A typical configuration looks like the following:
+
+```php app/Auth/github.config.php
+return new GitHubOAuthConfig(
+    clientId: env('GITHUB_CLIENT_ID'),
+    clientSecret: env('GITHUB_CLIENT_SECRET'),
+    redirectTo: [GitHubOAuthController::class, 'callback'],
+    scopes: ['user:email'],
+);
+```
+
+Note that the `redirectTo` accepts a tuple of a controller class and a method name, which will be resolved to the full URL of the route handled by that method. You may also provide an URI path if you prefer.
+
+### Supporting multiple providers
+
+If you need to work with multiple OAuth providers, you may create multiple OAuth configurations using tags. These tags may then be used to resolve the {b`Tempest\Auth\OAuth\OAuthClient`} interface, which will use the corresponding configuration.
+
+It's a good practice to use an enum for the tag:
+
+```php app/Auth/Provider.php
+enum Provider
+{
+    case GITHUB;
+    case GOOGLE;
+    case DISCORD;
+}
+```
+
+```php app/Auth/github.config.php
+return new GitHubOAuthConfig(
+    tag: Provider::GITHUB,
+    clientId: env('GITHUB_CLIENT_ID'),
+    clientSecret: env('GITHUB_CLIENT_SECRET'),
+    redirectTo: [OAuthController::class, 'handleGitHubCallback'],
+    scopes: ['user:email'],
+);
+```
+
+```php app/Auth/google.config.php
+return new GoogleOAuthConfig(
+    tag: Provider::GOOGLE,
+    clientId: env('GOOGLE_CLIENT_ID'),
+    clientSecret: env('GOOGLE_CLIENT_SECRET'),
+    redirectTo: [GoogleOAuthController::class, 'handleGoogleCallback'],
+);
+```
+
+Once you have configured your OAuth providers and your tags, you may inject the {b`Tempest\Auth\OAuth\OAuthClient`} interface using the corresponding tag:
+
+```php app/AuthController.php
+use Tempest\Container\Tag;
+
+final readonly class AuthController
+{
+    public function __construct(
+        #[Tag(OAuthProvider::GITHUB)]
+        private OAuthClient $githubClient,
+        #[Tag(OAuthProvider::GOOGLE)]
+        private OAuthClient $googleClient,
+    ) {}
+
+    #[Get('/auth/github')]
+    public function redirectToGitHub(): Redirect
+    {
+        // ...
+
+        return new Redirect($this->githubClient->getAuthorizationUrl());
+    }
+
+    #[Get('/auth/github/callback')]
+    public function handleGitHubCallback(Request $request): Redirect
+    {
+        $githubUser = $this->githubClient->handleCallback($request->get('code'));
+
+        // ...
+    }
+
+    // Do the same for Google
+}
+```
+
+### Using a generic provider
+
+If you need to implement OAuth with a provider that Tempest doesn't have a specific configuration for, you may use the {b`Tempest\Auth\OAuth\Config\GenericOAuthConfig`}:
+
+```php app/Auth/custom.config.php
+return new GenericOAuthConfig(
+    clientId: env('CUSTOM_CLIENT_ID'),
+    clientSecret: env('CUSTOM_CLIENT_SECRET'),
+    redirectTo: [OAuthController::class, 'handleCallback'],
+    urlAuthorize: 'https://provider.com/oauth/authorize',
+    urlAccessToken: 'https://provider.com/oauth/token',
+    urlResourceOwnerDetails: 'https://provider.com/api/user',
+    scopes: ['read:user'],
+);
+```
+
+### Available providers
+
+Tempest provides a different configuration object for each OAuth provider. Below are the ones that are currently supported:
+
+- **GitHub** authentication using {b`Tempest\Auth\OAuth\Config\GitHubOAuthConfig`},
+- **Google** authentication using {b`Tempest\Auth\OAuth\Config\GoogleOAuthConfig`},
+- **Facebook** authentication using {b`Tempest\Auth\OAuth\Config\FacebookOAuthConfig`},
+- **Discord** authentication using {b`Tempest\Auth\OAuth\Config\DiscordOAuthConfig`},
+- **Instagram** authentication using {b`Tempest\Auth\OAuth\Config\InstagramOAuthConfig`},
+- **LinkedIn** authentication using {b`Tempest\Auth\OAuth\Config\LinkedInOAuthConfig`},
+- **Microsoft** authentication using {b`Tempest\Auth\OAuth\Config\MicrosoftOAuthConfig`},
+- **Slack** authentication using {b`Tempest\Auth\OAuth\Config\SlackOAuthConfig`},
+- **Apple** authentication using {b`Tempest\Auth\OAuth\Config\AppleOAuthConfig`},
+- Any other OAuth platform using {b`Tempest\Auth\OAuth\Config\GenericOAuthConfig`}.
+
+## Testing
+
+By extending {`Tempest\Framework\Testing\IntegrationTest`} from your test case, you gain access to the OAuth testing utilities through the `oauth` property.
+
+These utilities include a way to replace the OAuth client with a testing implementation, as well as a few assertion methods related to OAuth flows.
+
+### Faking an OAuth client
+
+You may generate a fake, testing-only OAuth client by calling the `fake()` method on the `oauth` property. This will replace the OAuth client implementation in the container, and provide useful assertion methods.
+
+```php tests/AuthControllerTest.php
+$oauth = $this->oauth->fake(new OAuthUser(
+    id: 'jon',
+    email: '[email protected]',
+    nickname: 'jondoe',
+));
+```
+
+Below is an example of a complete testing flow for an OAuth authentication:
+
+```php tests/AuthControllerTest.php
+final class OAuthControllerTest extends IntegrationTestCase
+{
+    #[Test]
+    public function ensure_oauth(): void
+    {
+        // We create a fake OAuth client that will return
+        // the specified user when the OAuth flow is completed
+        $oauth = $this->oauth->fake(new OAuthUser(
+            id: 'jon',
+            email: '[email protected]',
+            nickname: 'jondoe',
+        ));
+
+        // We first simulate a call to the endpoint
+        // that redirects to the provider
+        $this->http
+            ->get('/oauth/discord')
+            ->assertRedirect($oauth->lastAuthorizationUrl);
+
+        // We check that the authorization URL was generated,
+        // optionally specifying scopes and options
+        $oauth->assertAuthorizationUrlGenerated();
+
+        // We then simulate the callback from the provider
+        // with a fake code and the expected state
+        $this->http
+            ->get("/oauth/discord/callback?code=some-fake-code&state={$oauth->getState()}")
+            ->assertRedirect('/');
+
+        // We assert that an access token was retrieved
+        // with the same fake code we provided before
+        $oauth->assertUserFetched(code: 'some-fake-code');
+
+        // Finally, we ensure a user was created with the
+        // credentials we specified in the fake OAuth user
+        $user = query(User::class)
+            ->find(discord_id: 'jon')
+            ->first();
+
+        $this->assertInstanceOf(User::class, $user);
+        $this->assertSame('[email protected]', $user->email);
+        $this->assertSame('jondoe', $user->username);
+    }
+}
+```
@@ -5,13 +5,35 @@
         "php": "^8.4",
         "tempest/core": "dev-main",
         "tempest/router": "dev-main",
-        "tempest/database": "dev-main"
+        "tempest/database": "dev-main",
+        "tempest/mapper": "dev-main",
+        "league/oauth2-client": "^2.8"
+    },
+    "require-dev": {
+        "league/oauth2-github": "^3.1",
+        "league/oauth2-google": "^4.0",
+        "league/oauth2-facebook": "^2.0",
+        "league/oauth2-instagram": "^3.0",
+        "league/oauth2-linkedin": "^5.1",
+        "patrickbussmann/oauth2-apple": "^0.3",
+        "stevenmaguire/oauth2-microsoft": "^2.2",
+        "thenetworg/oauth2-azure": "^2.2",
+        "riskio/oauth2-auth0": "^2.4",
+        "adam-paterson/oauth2-slack": "^1.1",
+        "wohali/oauth2-discord-new": "^1.2",
+        "smolblog/oauth2-twitter": "^1.0",
+        "depotwarehouse/oauth2-twitch": "^1.3"
     },
     "autoload": {
         "psr-4": {
             "Tempest\\Auth\\": "src"
         }
     },
+    "autoload-dev": {
+        "psr-4": {
+            "Tempest\\Auth\\Tests\\": "tests"
+        }
+    },
     "license": "MIT",
     "minimum-stability": "dev"
 }