Scaffold a Secure OAuth 2.0 Login Flow with Claude
OAuth flows have just enough moving parts that hand-rolling them leads to subtle security mistakes every time. Describe your requirements and let Claude scaffold the full flow correctly from the start.
"Scaffold an OAuth 2.0 login flow for a Laravel + Vue SPA:
- Providers: GitHub and Google (via Laravel Socialite)
- PKCE flow for the SPA frontend — no client secret in the browser
- On callback: upsert user record, issue an API token, redirect with it
- Link multiple providers to the same account by matching email, but only when the provider reports the email as verified
- Handle token refresh for providers that support it
Add Pest feature tests that mock provider responses for each path."
The mistakes developers make here are the same ones every time: keeping the state parameter somewhere the caller controls (or never checking it on the callback) instead of binding it to the server-side session, skipping PKCE for public clients, and trusting the id_token payload without validating its signature, issuer, audience and expiry. Claude knows them and avoids them.
// Claude generates the state verification before exchanging the code
$state = $request->session()->pull('oauth_state');
// Fail closed if no state was issued for this session or it does not match; hash_equals() keeps the comparison constant-time
abort_if(! $state || ! hash_equals($state, (string) $request->input('state')), 403, 'Invalid OAuth state');
For the account-linking part — which Socialite deliberately leaves to you — Claude generates a findOrCreateFromProvider() method that safely handles the case where an email already exists under a different provider or as a password account. Safe here means three things you should check in the generated code: a returning login is matched on the provider's stable user ID, not on email; email is used to link accounts only when both the provider and your own records have it verified, otherwise anyone who registers your user's address at a second provider gets their account; and an existing password account is not linked silently but only after the user re-authenticates.
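The decision logic behind such a method, as an added example written against an in-memory store so it runs stand-alone; this is not the page's Laravel code or Claude's output, and the store shape, field names and the hypothetical linkAfterReauth() helper are assumptions:

```javascript
// Added example (not the page's code). The store stands in for the users and
// provider-identity tables; field names are assumptions.
function createStore() {
  return { users: [], identities: [], nextId: 1 };
}

const normalizeEmail = (e) => (typeof e === 'string' && e.trim() ? e.trim().toLowerCase() : null);

// profile = { provider, providerId, email, emailVerified } as reported by the provider.
function findOrCreateFromProvider(db, profile) {
  const { provider } = profile;
  const providerId = profile.providerId == null ? null : String(profile.providerId);
  if (!provider || !providerId) throw new Error('provider and providerId are required');

  // 1. The stable (provider, provider_id) pair is the primary lookup; a returning
  //    user whose email changed at the provider still lands on the same account.
  const identity = db.identities.find((i) => i.provider === provider && i.providerId === providerId);
  if (identity) {
    return { action: 'login', user: db.users.find((u) => u.id === identity.userId) };
  }

  const email = normalizeEmail(profile.email);
  const existing = email ? db.users.find((u) => u.email === email) : null;

  // 2. Email may only link accounts when both sides have verified it. An unverified
  //    address at a provider, or an account that was created with an unverified
  //    address, is exactly the pre-registration takeover path.
  if (existing && !(profile.emailVerified && existing.emailVerified)) {
    return { action: 'reject', reason: 'unverified_email', user: null };
  }

  // 3. A password account is linked only after the user proves control of it.
  if (existing && existing.passwordHash) {
    return { action: 'link_requires_reauth', user: existing };
  }

  // 4. Verified email on a social-only account: attach the new provider.
  if (existing) {
    db.identities.push({ provider, providerId, userId: existing.id });
    return { action: 'linked', user: existing };
  }

  // 5. No match at all: create the user and its first identity.
  const user = {
    id: db.nextId++,
    email,
    emailVerified: Boolean(email && profile.emailVerified),
    passwordHash: null,
  };
  db.users.push(user);
  db.identities.push({ provider, providerId, userId: user.id });
  return { action: 'created', user };
}

// Hypothetical follow-up called only after the user re-entered their password.
function linkAfterReauth(db, userId, provider, providerId) {
  const user = db.users.find((u) => u.id === userId);
  if (!user) throw new Error('unknown user');
  const pid = String(providerId);
  if (db.identities.some((i) => i.provider === provider && i.providerId === pid)) {
    return { action: 'already_linked', user };
  }
  db.identities.push({ provider, providerId: pid, userId: user.id });
  return { action: 'linked', user };
}
```

The Pest tests described below should cover each branch of this table, not just creation and login: the unverified-email rejection and the password-account re-auth path are the ones that fail silently when a generated implementation gets them wrong.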
The Pest tests mock the Socialite driver so you can assert user creation, login, token generation, and duplicate-prevention logic without real HTTP calls.
OAuth is not the place to learn by making mistakes — describe your flow and let Claude handle the security details.