
mcollina/oauth

Implements OAuth 2.0/2.1 authorization flows in Fastify applications — configures authorization code with PKCE, client credentials, device flow, refresh token rotation, JWT validation, and token introspection/revocation endpoints. Use when setting up authentication, authorization, login flows, access tokens, API security, or securing Fastify routes with OAuth; also applies when troubleshooting token validation errors, mismatched redirect URIs, CSRF issues, scope problems, or RFC 6749/6750/7636/8252/8628 compliance questions.

Score: 94 (1.40x)

Quality: 95% (Does it follow best practices?)

Impact: 93% (1.40x), average score across 5 eval scenarios

Security by Snyk: Passed, no known issues


evals/scenario-2/criteria.json

{
  "context": "Tests whether the agent correctly identifies and eliminates OAuth anti-patterns: the implicit flow, localStorage token storage, and symmetric HS256 verification — replacing them with authorization code + PKCE, secure cookies, and asymmetric key verification.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Implicit flow removed",
      "description": "Does NOT use response_type=token anywhere in the rewritten code (the implicit flow is eliminated)",
      "max_score": 12
    },
    {
      "name": "Authorization code flow used",
      "description": "Uses response_type=code (authorization code flow) in the rewritten OAuth redirect",
      "max_score": 10
    },
    {
      "name": "PKCE enabled",
      "description": "Sets pkce: 'S256' or otherwise enables PKCE in the Fastify OAuth2 plugin configuration",
      "max_score": 10
    },
    {
      "name": "localStorage eliminated",
      "description": "Does NOT use localStorage.setItem or window.localStorage in any of the output files",
      "max_score": 12
    },
    {
      "name": "HttpOnly cookie",
      "description": "Cookie configuration includes httpOnly: true",
      "max_score": 8
    },
    {
      "name": "Secure cookie",
      "description": "Cookie configuration includes secure: true",
      "max_score": 8
    },
    {
      "name": "SameSite=Strict cookie",
      "description": "Cookie configuration includes sameSite: 'Strict'",
      "max_score": 8
    },
    {
      "name": "HS256 eliminated",
      "description": "Does NOT configure or use HS256 / a symmetric shared secret for JWT verification in the rewrite",
      "max_score": 12
    },
    {
      "name": "Asymmetric algorithm",
      "description": "Uses RS256 or ES256 (asymmetric) for JWT verification in verifyToken.ts",
      "max_score": 10
    },
    {
      "name": "Security notes present",
      "description": "src/notes.md exists and mentions at least 3 of: implicit flow, localStorage, HS256/symmetric, response_type=token, token leakage",
      "max_score": 10
    }
  ]
}
