remove toWebRequest and make the package accept nitro event

[cobraprojects]

Summary by CodeRabbit

• New Features

  • Social auth now accepts broader "request-like" inputs (framework event objects or normalized request shapes), improving direct compatibility with Nuxt/Next/SvelteKit.

• Bug Fixes / Behavior

  • Server auth routes now pass native framework events directly into the social auth helpers (removing prior local conversion step).

• Documentation

  • Expanded social login guide with provider install notes, route shape, redirect/callback helpers, and framework examples.

• Tests

  • Added tests for event-object compatibility and environment-specific URL/header handling.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: dc89365d-43ec-4a8f-8a79-aaf3cd9a2a59

📥 Commits

Reviewing files that changed from the base of the PR and between be62dbb and eb4cf5e.

📒 Files selected for processing (2)

• packages/auth-social/src/index.ts
• packages/auth-social/tests/package.test.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• packages/auth-social/src/index.ts
• packages/auth-social/tests/package.test.ts

---

📝 Walkthrough

Walkthrough

The PR expands auth-social to accept flexible "request-like" inputs (framework events, header maps, or Requests), adds normalization helpers, updates exported signatures to accept the new types, adjusts Nuxt routes to pass H3 events directly, adds tests asserting the new input shapes, and expands social-login docs with route and helper examples.

Changes

Framework-Agnostic Social Auth Inputs

Layer / File(s)	Summary
Request input types & normalization packages/auth-social/src/index.ts (lines 46–80, 144–292)	Adds SocialRequestHeaders, SocialRequestLike, SocialRequestInput types plus type-guards and normalization helpers that extract method, URL, and an allowlist of headers and build a concrete Request, including forwarded-host/proto base reconstruction and env-based validation for relative URLs.
Auth API signature updates & callsites packages/auth-social/src/index.ts (lines 122–123, 611–612, 682–683), apps/blog-nuxt/server/routes/auth/*.{get,callback.get}.ts	Changes SocialAuthFacade.redirect/callback and exported redirect/callback to accept SocialRequestInput; each function now calls the normalizer before continuing unchanged OAuth/state-store flows. Nuxt route handlers for GitHub/Google now pass the H3 event directly (removed toWebRequest).
Nuxt helper removal apps/blog-nuxt/server/lib/request.ts	Removes toWebRequest helper that previously converted H3 events to Web Request objects.
Tests validating shapes & behavior packages/auth-social/tests/package.test.ts (lines 1–1, 12, 304–433)	Adds compile-time expectTypeOf assertions that SocialAuthFacade methods accept Nuxt-style events, plus runtime tests exercising redirect/callback with event-shaped inputs and coverage of relative-URL handling across dev/prod with/without forwarded headers.
Documentation & examples apps/docs/docs/auth/social-login.md (lines 28–440)	Expands the social-login doc: multi-provider install guidance, explicit “Route Shape” section, new “Redirect Helper” and “Callback Helper” docs, and framework examples (Nuxt, SvelteKit, Next) showing direct event pass-through and callback result shapes.

Sequence Diagram

sequenceDiagram
    actor Client
    participant NuxtRoute as Nuxt Route Handler
    participant AuthLib as auth-social Library
    participant Normalizer as Request Normalizer
    participant OAuth as OAuth Provider

    Client->>NuxtRoute: GET /auth/{provider}
    NuxtRoute->>AuthLib: redirect(provider, H3Event)
    AuthLib->>Normalizer: normalizeSocialRequest(H3Event)
    Normalizer->>Normalizer: extract method / url / headers
    Normalizer-->>AuthLib: Request
    AuthLib->>OAuth: build authorization URL / state
    OAuth-->>AuthLib: authorization URL
    AuthLib-->>NuxtRoute: HTTP 302 redirect
    NuxtRoute-->>Client: Redirect to provider

    Client->>NuxtRoute: GET /auth/{provider}/callback?code=...
    NuxtRoute->>AuthLib: callback(provider, H3Event)
    AuthLib->>Normalizer: normalizeSocialRequest(H3Event)
    Normalizer-->>AuthLib: Request
    AuthLib->>OAuth: exchange code -> token/profile
    OAuth-->>AuthLib: profile & token
    AuthLib-->>NuxtRoute: callback result (success/error + local user)
    NuxtRoute->>Client: set session / redirect to app

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• cobraprojects/holo-js#28: Introduced the earlier toWebRequest conversion for Nuxt routes that this PR removes in favor of native request-like inputs.
• cobraprojects/holo-js#32: Related effort to make auth entrypoints accept framework event shapes; touches similar normalization concerns.
• cobraprojects/holo-js#35: Mirrors the pattern of broadening auth functions to accept request-like inputs for other providers/flows.

Poem

🐰 I hopped through headers, urls, and code,

No more wrappers on the road.
H3 events now pass along—so neat—
Auth flows hum with no more feat.
A rabbit claps at signing-in complete.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 5.26% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: removing the toWebRequest utility and extending the package to accept Nitro events directly.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch remove-toWebRequest-from-nuxt-social-auth

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

packages/auth-social/src/index.ts (2)

157-164: 💤 Low value

Consider documenting the known headers limitation.

When the input header object only provides a get method, appendKnownHeaders only extracts a hardcoded list of known headers (authorization, cookie, host, x-forwarded-host, x-forwarded-proto). This means any other headers present in the original request won't be included in the normalized Request.

This is likely acceptable for OAuth flows (which primarily need these headers), but documenting this limitation would help future maintainers understand why this approach was chosen.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/auth-social/src/index.ts` around lines 157 - 164, The function
appendKnownHeaders only copies a hardcoded set of header names (authorization,
cookie, host, x-forwarded-host, x-forwarded-proto) from an input object that
exposes only a get method, so other headers on the original request are
intentionally not propagated; update documentation/comments near the
appendKnownHeaders function (and its signature using Headers and input.get) to
explicitly state this limitation, why it's acceptable for OAuth flows, and note
that additional headers will be ignored unless the implementation is changed to
accept a full header map or iterator.

---

243-257: 💤 Low value

Consider security implications of URL reconstruction fallbacks.

When the URL cannot be parsed directly, the code reconstructs it from headers with fallbacks to 'http' protocol and 'localhost' host. In production environments behind proxies, missing x-forwarded-proto and x-forwarded-host headers could result in incorrect URLs being constructed.

While these fallbacks are reasonable for development, consider whether it's safer to throw an error when critical headers are missing in production scenarios, rather than silently falling back to potentially incorrect values.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/auth-social/src/index.ts` around lines 243 - 257, getRequestLikeUrl
currently falls back to 'http' and 'localhost' when headers are missing; update
it to validate critical forwarded headers in production: inside
getRequestLikeUrl (and where it reads headers.get('x-forwarded-proto') and
headers.get('x-forwarded-host')), detect production mode (e.g.
process.env.NODE_ENV === 'production' or a new config flag like
requireForwardedHeaders) and if in production and either header is missing,
throw a clear error instead of silently defaulting; preserve the existing header
fallbacks only for non-production/dev mode and update any tests that assume the
old default behavior to cover both dev fallback and production error paths.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@packages/auth-social/src/index.ts`:
- Around line 157-164: The function appendKnownHeaders only copies a hardcoded
set of header names (authorization, cookie, host, x-forwarded-host,
x-forwarded-proto) from an input object that exposes only a get method, so other
headers on the original request are intentionally not propagated; update
documentation/comments near the appendKnownHeaders function (and its signature
using Headers and input.get) to explicitly state this limitation, why it's
acceptable for OAuth flows, and note that additional headers will be ignored
unless the implementation is changed to accept a full header map or iterator.
- Around line 243-257: getRequestLikeUrl currently falls back to 'http' and
'localhost' when headers are missing; update it to validate critical forwarded
headers in production: inside getRequestLikeUrl (and where it reads
headers.get('x-forwarded-proto') and headers.get('x-forwarded-host')), detect
production mode (e.g. process.env.NODE_ENV === 'production' or a new config flag
like requireForwardedHeaders) and if in production and either header is missing,
throw a clear error instead of silently defaulting; preserve the existing header
fallbacks only for non-production/dev mode and update any tests that assume the
old default behavior to cover both dev fallback and production error paths.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4c4eb67a-c743-4ae6-9aa2-3a1b4013abca

📥 Commits

Reviewing files that changed from the base of the PR and between 7d01068 and be62dbb.

📒 Files selected for processing (8)

• apps/blog-nuxt/server/lib/request.ts
• apps/blog-nuxt/server/routes/auth/github.get.ts
• apps/blog-nuxt/server/routes/auth/github/callback.get.ts
• apps/blog-nuxt/server/routes/auth/google.get.ts
• apps/blog-nuxt/server/routes/auth/google/callback.get.ts
• apps/docs/docs/auth/social-login.md
• packages/auth-social/src/index.ts
• packages/auth-social/tests/package.test.ts

💤 Files with no reviewable changes (1)

• apps/blog-nuxt/server/lib/request.ts