Repository files navigation

Protect a static website hosted on Vercel behind GitHub authentication.

yarn add vercel-github-oauth-proxy

import{createLambdaProxyAuthHandler}from"vercel-github-oauth-proxy"exportdefaultcreateLambdaProxyAuthHandler(config)

config.cryptoSecret

This is used to sign cookies.

config.staticDir

The output directory of the static website.

config.githubOrgName

The GitHub organization users need to be part of in order to be able to sign in.

You cannot use your personal GitHub account for this, you need an organization.

config.githubClientIdconfig.githubClientSecret

The id/secret pair of your GitHub OAuth app.

Create a new OAuth app athttps://github.com/organizations/{config.githubOrgName}/settings/applications/new

config.githubOrgAdminToken

Create a token withread:org permission athttps://github.com/settings/tokens.

The reason you need a token is that private org memberships can only bedetermined by making an authenticated API request.

We could requestread:org scope during the OAuth flow and then use each user'saccess token to determine org membership, but using this method means the useradditionally needs to request org access during or after the login flow andrequires an org admin to confirm. This makes this approach inconvenient for boththe users and the admin.

Therefore we're using a separate org admin token to verify membership duringlogin (org admins can see all users).

{"version":2,"routes": [{"src":"/(.*)","dest":"/api/index.ts" }],"functions": {"api/index.ts": {"includeFiles":"static/**"    }  }}

This routes all traffic through the lambda endpoint.

AdaptincludeFiles to your public output folder. Including these files isrequired because the static website needs to be deployed as part of the lambdafunction, not the default build. See also these docs:

• functions
• size limits.

If you have an existingbuild script, rename it tovercel-build to buildyour website as part of the lambda build instead of the normal build.

Make sure to not keep thebuild script as it would result in duplicate work ormay break deployment entirely. For more information seecustom-build-step-for-node-js.

{"scripts": {"vercel-build":"your website build command"  }}

To develop locally, run

yarn vercel dev

When developing locally, you'll need to update your GitHub OAuth app's redirectURL tohttp://localhost:3000.