Auto-generated tile from GitHub (10 skills)
92
94%
Does it follow best practices?
Impact
92%
1.16x
Average score across 44 eval scenarios
Advisory
Suggest reviewing before use
A small SaaS startup is building a Fastify-based API platform. Currently all endpoints are publicly accessible, but the product team has decided to add user authentication before the public launch. The engineering team has already registered the application with their identity provider (e.g. GitHub OAuth App or a corporate OIDC server) and received a client ID, client secret, and an authorization server URL.
The team wants a clean plugin-based approach that fits naturally into their existing Fastify application structure, so the implementation should be modular and follow Fastify conventions. Security is a priority: the team has been advised to implement the most current best practices for browser-based OAuth clients as defined in current RFCs and security guidelines.
Produce a working TypeScript (or JavaScript) implementation of the OAuth login flow for Fastify with the following files:
- plugins/oauth.ts (or .js) — Fastify plugin that registers the OAuth provider
- routes/auth.ts (or .js) — Route handlers for the login redirect and the callback that exchanges the authorization code for tokens
- package.json — listing the required dependencies

The callback handler must securely handle the received tokens for later use in subsequent authenticated requests, following current security best practices for token storage.
Assume the following environment variables will be available at runtime:
- CLIENT_ID
- CLIENT_SECRET
- AUTH_SERVER (base URL of the authorization server, e.g. https://github.com)
- CALLBACK_URI (the full redirect URI registered with the provider)
skills
documentation
fastify
init
linting-neostandard-eslint9
node
nodejs-core
rules
oauth
octocat
snipgrapher