tea-software/secure-socialite

Secure, stateless OAuth state handling for Laravel Socialite

Maintainers

Details

github.com/phuchautea/secure-socialite

Source

Issues

Installs: 1

Dependents: 0

Suggesters: 0

Security: 0

Stars: 0

Watchers: 1

Forks: 0

Open Issues: 0

v1.0.0 2025-05-06 08:17 UTC

Requires

MIT 5d71276c5b18db6b9e3102439c57e97896306ca9

  • TEA Software <contact.woop@teasoftware.asia>

This package is auto-updated.

Last update: 2025-06-06 08:26:33 UTC

README

Secure, stateless OAuth state handling for Laravel Socialite with enhanced security features.

Description

SecureSocialite provides a robust solution for handling OAuth authentication in Laravel applications using Socialite. It implements secure, encrypted state parameters with automatic expiration and domain whitelisting for callbacks, helping protect your application against CSRF and redirection attacks.

Installation

You can install the package via Composer:

composer require tea-software/secure-socialite

The package will automatically register its service provider if you're using Laravel's package auto-discovery.

Configuration

Publish the configuration file:

php artisan vendor:publish --provider="SecureSocialite\SecureSocialiteServiceProvider" --tag="config"

This will create a config/secure-socialite.php file with the following contents:

<?php

return [
    'whitelist' => [
        'localhost',
        'localhost:3000',
        'yourapp.com',
    ],
];

Update the whitelist array to include all domains that are allowed to receive OAuth callbacks. This helps prevent open redirect vulnerabilities.

Usage

SecureSocialite provides a secure way to handle OAuth authentication flows with Laravel Socialite.

Basic Example

// Frontend code (JavaScript/Vue/React)
const redirect = encodeURIComponent('https://yourapp.com/auth/callback');
window.location.href = `/auth/social/redirect?provider=google&redirect=${redirect}&nonce=optional_nonce`;

The package handles the OAuth flow with the following security features:

  1. State parameters are stored securely with encryption
  2. Automatic expiration of state tokens (5 minutes)
  3. Domain whitelisting for callbacks
  4. Stateless implementation for better horizontal scaling

Routes

The package automatically registers the following routes:

  • GET /auth/social/redirect - Initiates the OAuth flow
  • GET /auth/social/callback - Handles the OAuth callback

Requirements

  • PHP 8.0+
  • Laravel 8.x or higher

License

The MIT License (MIT). Please see License File for more information.