simon/skills

Auto-generated tile from GitHub (10 skills)

Quality: 94% (does it follow best practices?)

Impact: 92% (1.16x), average score across 44 eval scenarios

Security by Snyk: Advisory (suggest reviewing before use)

evals/scenario-35/task.md

OAuth Login Integration for a Fastify Web App

Problem/Feature Description

Acme Corp is building a customer-facing web application using Fastify (TypeScript). Product management has decided that users will authenticate via the company's existing identity provider (a standard OAuth 2.0/OIDC server running at https://auth.acme.internal). The security team has flagged that the auth implementation must be modern and hardened — they've had incidents in other services where CSRF attacks on the OAuth flow succeeded, and they want that class of vulnerability eliminated.

The application needs a /login endpoint that redirects users to the identity provider, and a /login/callback endpoint that exchanges the authorization code for tokens and stores them in the user session. The client ID, client secret, auth server URL and callback URI are read from the environment variables CLIENT_ID, CLIENT_SECRET, AUTH_SERVER, and CALLBACK_URI respectively. The app already has @fastify/session configured on the Fastify instance; you just need to wire up OAuth.

Output Specification

Produce a working TypeScript Fastify plugin and route file that implement the login flow. Specifically:

  • plugins/oauth.ts — registers the OAuth2 plugin on the Fastify instance
  • routes/auth.ts — defines the /login/callback GET route and a /logout GET route

Also produce:

  • package.json listing the runtime dependencies needed
  • A brief IMPLEMENTATION_NOTES.md explaining the security choices made in the implementation (anti-CSRF mechanism used, proof-of-possession method chosen, token storage approach)
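The core of the hardening the task asks for, the per-session `state` binding against login CSRF plus a PKCE S256 challenge, as an added example that is not part of the task, the skill, or @fastify/oauth2; it is written framework-free so it runs with only Node built-ins, and the `/authorize` path, the session shape and the function names are assumptions:

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Assumed minimal view of the @fastify/session object the real app provides.
export interface OAuthSession {
  state?: string;
  codeVerifier?: string;
}

const base64url = (buf: Buffer): string => buf.toString("base64url");

// /login: mint a per-request state (the anti-CSRF binding) and a PKCE verifier,
// keep both in the server-side session, and build the authorization redirect.
// The "/authorize" path is an assumption; take it from the IdP's discovery document.
export function beginLogin(
  session: OAuthSession, authServer: string, clientId: string, callbackUri: string,
): string {
  const state = base64url(randomBytes(32));
  const codeVerifier = base64url(randomBytes(32));
  session.state = state;
  session.codeVerifier = codeVerifier;
  const challenge = base64url(createHash("sha256").update(codeVerifier).digest());
  const url = new URL("/authorize", authServer);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", callbackUri);
  url.searchParams.set("scope", "openid");
  url.searchParams.set("state", state);
  url.searchParams.set("code_challenge", challenge);
  url.searchParams.set("code_challenge_method", "S256");
  return url.toString();
}

// /login/callback: accept the code only if the returned state equals the one bound to
// this session. Both values are consumed on first use, so a replayed or forged callback
// (the CSRF case the task describes) fails closed. Returns what the token request needs.
export function validateCallback(
  session: OAuthSession, query: { state?: string; code?: string },
): { code: string; codeVerifier: string } | null {
  const expected = session.state;
  const verifier = session.codeVerifier;
  delete session.state;
  delete session.codeVerifier;
  if (!expected || !verifier || !query.state || !query.code) return null;
  const a = Buffer.from(expected);
  const b = Buffer.from(query.state);
  if (a.length !== b.length || !timingSafeEqual(a, b)) return null;
  return { code: query.code, codeVerifier: verifier };
}
```

The caller then POSTs `code` and `codeVerifier` to the token endpoint and stores the resulting tokens in the session; that exchange is not shown here.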
