
mcollina/oauth

Implements OAuth 2.0/2.1 authorization flows in Fastify applications — configures authorization code with PKCE, client credentials, device flow, refresh token rotation, JWT validation, and token introspection/revocation endpoints. Use when setting up authentication, authorization, login flows, access tokens, API security, or securing Fastify routes with OAuth; also applies when troubleshooting token validation errors, mismatched redirect URIs, CSRF issues, scope problems, or RFC 6749/6750/7636/8252/8628 compliance questions.

Score: 94 (1.40x), average across 5 eval scenarios
Quality: 95% (does it follow best practices?)
Impact: 93% (1.40x)
Security (by Snyk): Passed, no known issues


evals/scenario-3/criteria.json

{
  "context": "Tests whether the agent correctly sets up the Fastify OAuth authorization code flow with PKCE, proper state management, correct package choices, and plugin encapsulation using fastify-plugin.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Correct OAuth package",
      "description": "Uses @fastify/oauth2 (not a different OAuth library like passport, grant, or node-oauth)",
      "max_score": 8
    },
    {
      "name": "fastify-plugin wrapper",
      "description": "Plugin is wrapped with fp() from fastify-plugin (i.e., export default fp(async function...))",
      "max_score": 8
    },
    {
      "name": "PKCE method S256",
      "description": "Sets pkce to the string 'S256' in the oauth2 registration options (not 'plain', not omitted)",
      "max_score": 12
    },
    {
      "name": "State generation with randomUUID",
      "description": "generateStateFunction uses crypto.randomUUID() to produce the state value",
      "max_score": 10
    },
    {
      "name": "State stored in session",
      "description": "The generated state value is stored on req.session (e.g. req.session.state = ...)",
      "max_score": 8
    },
    {
      "name": "State validation in checkStateFunction",
      "description": "checkStateFunction compares req.query.state to req.session.state and calls callback with an error on mismatch",
      "max_score": 10
    },
    {
      "name": "HTTPS-only callbackUri",
      "description": "callbackUri reads from CALLBACK_URI env var (or is hardcoded with https://, not http://)",
      "max_score": 8
    },
    {
      "name": "Credentials from env vars",
      "description": "CLIENT_ID and CLIENT_SECRET are read from process.env (not hardcoded)",
      "max_score": 8
    },
    {
      "name": "Correct token exchange method",
      "description": "Uses getAccessTokenFromAuthorizationCodeFlow(request) to exchange the authorization code for tokens",
      "max_score": 10
    },
    {
      "name": "No raw token logging",
      "description": "Does NOT pass tokenResponse (or token.access_token) to console.log, a logger, or any logging call",
      "max_score": 10
    },
    {
      "name": "Session and cookie packages",
      "description": "package.json includes both @fastify/cookie and @fastify/session as dependencies",
      "max_score": 8
    }
  ]
}

Files: evals/, SKILL.md, tile.json