
mcollina/oauth

Implements OAuth 2.0/2.1 authorization flows in Fastify applications — configures authorization code with PKCE, client credentials, device flow, refresh token rotation, JWT validation, and token introspection/revocation endpoints. Use when setting up authentication, authorization, login flows, access tokens, API security, or securing Fastify routes with OAuth; also applies when troubleshooting token validation errors, mismatched redirect URIs, CSRF issues, scope problems, or RFC 6749/6750/7636/8252/8628 compliance questions.

Score: 94 (1.40x)
Quality: 95% (does it follow best practices?)
Impact: 93% (1.40x), average score across 5 eval scenarios
Security by Snyk: Passed, no known issues


evals/scenario-2/task.md

Migrate a Legacy OAuth Integration to Modern Standards

Problem/Feature Description

A company acquired a startup whose web application uses an older OAuth implementation. A security engineer reviewed the code and flagged several concerns. The codebase currently:

  • Uses the implicit flow to obtain access tokens directly in the browser
  • Stores the received token in the browser's local storage for reuse across page loads
  • Validates tokens using a shared symmetric secret

These patterns were tolerated years ago but are now considered insecure or outright deprecated: the implicit flow exposes the access token in the URL fragment (and is dropped from OAuth 2.1), localStorage is readable by any script running on the origin, and a shared HS256 secret means every service that can verify tokens can also mint them. The engineer needs to rewrite the authentication layer to follow current best practices, replacing the legacy approach with a secure, modern implementation that works in a browser-based Fastify app.

Input Files

The following legacy implementation is provided as a starting point. Extract the files before beginning.

=============== FILE: inputs/legacy-auth.js ===============

```javascript
// Legacy OAuth implementation - to be replaced
const express = require('express');
const app = express();

// Old implicit flow: redirect user to get token directly in URL fragment
app.get('/login', (req, res) => {
  const authUrl = `https://auth.example.com/authorize?` +
    `response_type=token&` +
    `client_id=${process.env.CLIENT_ID}&` +
    `redirect_uri=${process.env.REDIRECT_URI}`;
  res.redirect(authUrl);
});

// Callback that reads token from hash fragment (handled client-side)
app.get('/callback', (req, res) => {
  res.send(`
    <script>
      const token = window.location.hash.split('access_token=')[1].split('&')[0];
      localStorage.setItem('access_token', token);
      window.location.href = '/';
    </script>
  `);
});

// Verify token using shared symmetric secret
app.get('/api/me', (req, res) => {
  const token = req.headers.authorization?.split(' ')[1];
  const jwt = require('jsonwebtoken');
  try {
    const payload = jwt.verify(token, process.env.JWT_SECRET); // HS256 symmetric
    res.json({ sub: payload.sub });
  } catch (e) {
    res.status(401).json({ error: 'invalid_token' });
  }
});

app.listen(3000);
```

=============== END FILE ===============

Output Specification

Produce a Fastify-based TypeScript rewrite in a src/ directory:

  • src/plugins/oauth.ts — the OAuth plugin
  • src/routes/auth.ts — login and callback routes
  • src/hooks/verifyToken.ts — token verification hook
  • src/notes.md — a brief explanation (3-5 bullet points) of the security issues in the legacy code and how the rewrite addresses them

No need to start a server or connect to a live identity provider. Produce only the source files.
