Personal
OAuth2 implemented from scratch
OAuth2 / OIDC login for Google, GitHub and Microsoft implemented from scratch, without libraries, so every step of the flow is visible.
TypeScript · Next.js · NestJS · OAuth2 · Security
Overview
An educational, production-shaped implementation of OAuth2 / OIDC sign-in built without authentication libraries — so every step of the flow is visible, including the parts a library would normally hide.
What I built
- Full OAuth2 / OIDC flow for three providers: Google, GitHub, and Microsoft
- State-based CSRF protection on the authorization request
- Session management with short-lived (15-min) access JWTs and 7-day rotating refresh tokens stored in httpOnly cookies
- Refresh-token reuse detection to catch stolen-token replay
- Defense in depth — hashed token storage at rest, an explicit CORS allowlist, and live user lookup
Stack
Next.js (App Router) frontend · NestJS backend · TypeScript end-to-end.
Why it's interesting
Most apps treat OAuth as a black box. This project unpacks it — the token lifecycle, CSRF state, and refresh rotation are all implemented by hand, which makes the security trade-offs explicit rather than hidden behind a dependency.