
simon/skills
Auto-generated tile from GitHub (10 skills)

Quality: 94% (does it follow best practices?)
Impact: 92%, 1.16x (average score across 44 eval scenarios)
Security by Snyk: Advisory (suggest reviewing before use)


evals/scenario-9/task.md

Add User Authentication to a Fastify API

Problem/Feature Description

A B2B SaaS startup is building an internal analytics dashboard using Fastify as the backend API framework. The dashboard needs user authentication via the company's existing identity provider (IdP), which supports OAuth 2.0. The engineering lead has decided that users should log in through the IdP using a browser-based flow, and that the backend should issue short-lived access tokens that can be refreshed without requiring the user to log in again.

The security team has raised concerns about previous implementations in other company projects that stored tokens insecurely and used outdated OAuth flows (such as the implicit grant). They specifically want this implementation to follow current OAuth 2.0 security best practices for browser-based applications (authorization code flow with PKCE and a state parameter), and to use JWT validation that verifies the token's issuer and intended audience, not just its signature.

The backend must expose at minimum:

  • A login redirect endpoint that starts the OAuth flow
  • A callback endpoint that exchanges the authorization code for tokens
  • A protected route /api/me that returns the authenticated user's subject identifier
  • A token refresh endpoint or mechanism

The IdP's base URL is available as the environment variable AUTH_SERVER_URL. The client ID and secret are in CLIENT_ID and CLIENT_SECRET. The callback URL is http://localhost:3000/auth/callback. The expected token issuer is in EXPECTED_ISSUER and the expected audience is in EXPECTED_AUDIENCE.
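The pieces the scenario asks for, as an added example that is not part of the scenario or of any submitted solution: the login redirect (authorization code flow with PKCE and a state parameter), the callback-side state check and token-endpoint request body, and the verification logic a request hook would run on protected routes (pinned algorithm, signature, issuer, audience, expiry, subject). It uses only Node built-ins so it runs without Fastify or a live IdP; the HS256 shared key, issuer URL, audience string and minted token are constructed for the demo, and the function names (`beginLogin`, `tokenRequestForCallback`, `verifyJwt`, `signHs256`) are this example's, not the scenario's. A real deployment verifies RS256/ES256 signatures against the IdP's JWKS instead of a shared key.

```typescript
// Added example for this scenario, not the scenario's own code: the login
// redirect (authorization code + PKCE + state), the callback-side state check
// and token request body, and a JWT validator that checks signature, issuer,
// audience, expiry and subject. Node built-ins only; the key, issuer, audience
// and token used below are constructed for illustration.
import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

const b64url = (buf: Buffer): string =>
  buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const b64urlDecode = (s: string): Buffer =>
  Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
const safeEqual = (a: Buffer, b: Buffer): boolean => a.length === b.length && timingSafeEqual(a, b);

export interface LoginSession { state: string; codeVerifier: string; }

// GET /auth/login: build the authorization URL plus the per-login secrets the
// callback needs. The session is kept server-side (or in an HttpOnly cookie),
// never exposed to the browser's JavaScript.
export function beginLogin(authServerUrl: string, clientId: string, redirectUri: string): { url: string; session: LoginSession } {
  const codeVerifier = b64url(randomBytes(32));                      // RFC 7636 code_verifier
  const codeChallenge = b64url(createHash("sha256").update(codeVerifier).digest());
  const state = b64url(randomBytes(16));                             // binds the callback to this login
  const params = new URLSearchParams({
    response_type: "code", client_id: clientId, redirect_uri: redirectUri, scope: "openid",
    state, code_challenge: codeChallenge, code_challenge_method: "S256",
  });
  return { url: `${authServerUrl}/authorize?${params.toString()}`, session: { state, codeVerifier } };
}

// GET /auth/callback: reject a mismatched state, then build the body that is
// POSTed to the IdP's token endpoint (the client secret goes in the Authorization header).
export function tokenRequestForCallback(session: LoginSession, query: { code?: string; state?: string }, clientId: string, redirectUri: string): URLSearchParams {
  if (!query.code || !query.state) throw new Error("callback missing code or state");
  if (!safeEqual(Buffer.from(query.state), Buffer.from(session.state))) throw new Error("state mismatch");
  return new URLSearchParams({
    grant_type: "authorization_code", code: query.code, redirect_uri: redirectUri,
    client_id: clientId, code_verifier: session.codeVerifier,
  });
}

export interface Claims { iss?: string; aud?: string | string[]; sub?: string; exp?: number; nbf?: number; }

// Request-hook logic for protected routes. HS256 with a shared key so the demo
// runs offline; a production verifier checks RS256/ES256 against the IdP's JWKS.
export function verifyJwt(token: string, key: string, expectedIssuer: string, expectedAudience: string, now: number = Math.floor(Date.now() / 1000)): Claims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(b64urlDecode(h).toString("utf8"));
  if (header.alg !== "HS256") throw new Error("unexpected alg");    // pin the algorithm; never honour alg=none
  const expectedSig = createHmac("sha256", key).update(`${h}.${p}`).digest();
  if (!safeEqual(expectedSig, b64urlDecode(s))) throw new Error("bad signature");
  const claims: Claims = JSON.parse(b64urlDecode(p).toString("utf8"));
  if (claims.iss !== expectedIssuer) throw new Error("issuer mismatch");
  const aud: Array<string | undefined> = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expectedAudience)) throw new Error("audience mismatch"); // minted for another API
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("token expired");
  if (typeof claims.nbf === "number" && claims.nbf > now) throw new Error("token not yet valid");
  if (!claims.sub) throw new Error("missing subject");
  return claims;
}

// Mints an HS256 token so the demo has something to verify; in the real flow
// the IdP issues tokens and the API only verifies them.
export function signHs256(claims: Claims, key: string): string {
  const h = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const p = b64url(Buffer.from(JSON.stringify(claims)));
  return `${h}.${p}.${b64url(createHmac("sha256", key).update(`${h}.${p}`).digest())}`;
}
```

Refresh is not shown: with this flow the IdP's refresh token is exchanged server-side at the same token endpoint (`grant_type=refresh_token`), and the new access token goes through the same verification before the API trusts its `sub`. The audience check is what stops a token minted for a different API at the same IdP from being accepted here even though its signature and issuer are valid.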

Output Specification

Produce the following files:

  • src/plugins/oauth.ts — Fastify plugin registering the OAuth 2.0 provider
  • src/hooks/verifyToken.ts — request hook that validates JWT tokens on protected routes
  • src/routes/auth.ts — route handlers for login redirect, callback, logout, and token refresh
  • src/routes/api.ts — protected API routes including /api/me
  • package.json — listing all required dependencies
  • README.md — brief description of the authentication flow and how to run the server
