@aws-amplify/adapter-nextjs 1.1.6 → 1.1.7-s-auth.30d0cd2.0

package/dist/esm/oauth/utils/initOAuthFlow.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"initOAuthFlow.mjs","sources":["../../../../src/oauth/utils/initOAuthFlow.ts"],"sourcesContent":["// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nimport { cognitoHostedUIIdentityProviderMap, createKeyValueStorageFromCookieStorageAdapter, generateCodeVerifier, generateState, } from 'aws-amplify/adapter-core';\nimport { NextResponse } from 'next/server.js';\nimport { urlSafeEncode } from '@aws-amplify/core/internals/utils';\nimport { DefaultOAuthStore } from '@aws-amplify/auth/cognito';\nimport { createCookieStorageAdapterFromNextServerContext } from '../../utils/createCookieStorageAdapterFromNextServerContext';\nimport { getRedirectUrl } from './getRedirectUrl';\nexport const initOAuthFlow = async ({ request, customState, cognitoUserPoolConfig, oAuthConfig, setAuthCookieOptions, }) => {\n    const { searchParams } = request.nextUrl;\n    const specifiedProvider = searchParams.get('provider');\n    const provider = getProvider(specifiedProvider);\n    const randomState = generateState();\n    const state = customState\n        ? `${randomState}-${urlSafeEncode(customState)}`\n        : randomState;\n    const scope = oAuthConfig.scopes.join(' ');\n    const redirectUrlSearchParams = new URLSearchParams({\n        redirect_uri: getRedirectUrl(origin, oAuthConfig),\n        response_type: oAuthConfig.responseType,\n        client_id: cognitoUserPoolConfig.userPoolClientId,\n        identity_provider: provider,\n        scope,\n        state,\n    });\n    let peckKey;\n    if (oAuthConfig.responseType === 'code') {\n        const { value, method, toCodeChallenge } = generateCodeVerifier(128);\n        peckKey = value;\n        redirectUrlSearchParams.append('code_challenge', toCodeChallenge());\n        redirectUrlSearchParams.append('code_challenge_method', method);\n    }\n    const redirectUrl = new URL(`https://${oAuthConfig.domain}/oauth2/authorize?${redirectUrlSearchParams.toString()}`);\n    const response = NextResponse.redirect(redirectUrl);\n    const keyValueStorage = createKeyValueStorageFromCookieStorageAdapter(createCookieStorageAdapterFromNextServerContext({\n        request,\n        response,\n    }), setAuthCookieOptions);\n    const oauthStore = new DefaultOAuthStore(keyValueStorage);\n    oauthStore.setAuthConfig(cognitoUserPoolConfig);\n    oauthStore.storeOAuthState(state);\n    peckKey && oauthStore.storePKCE(peckKey);\n    return response;\n};\nconst getProvider = (provider) => {\n    if (typeof provider === 'string') {\n        return resolveProvider(provider);\n    }\n    return 'COGNITO';\n};\nconst resolveProvider = (provider) => {\n    try {\n        assertAuthProvider(provider);\n        return cognitoHostedUIIdentityProviderMap[provider];\n    }\n    catch (_) {\n        return provider;\n    }\n};\nfunction assertAuthProvider(provider) {\n    if (!['Amazon', 'Apple', 'Facebook', 'Google'].includes(provider)) {\n        throw new Error('No valid provider specified.');\n    }\n}\n"],"names":[],"mappings":";;;;;;;AAAA;AACA;AAOY,MAAC,aAAa,GAAG,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,qBAAqB,EAAE,WAAW,EAAE,oBAAoB,GAAG,KAAK;AAC5H,IAAI,MAAM,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;AAC7C,IAAI,MAAM,iBAAiB,GAAG,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;AAC3D,IAAI,MAAM,QAAQ,GAAG,WAAW,CAAC,iBAAiB,CAAC,CAAC;AACpD,IAAI,MAAM,WAAW,GAAG,aAAa,EAAE,CAAC;AACxC,IAAI,MAAM,KAAK,GAAG,WAAW;AAC7B,UAAU,CAAC,EAAE,WAAW,CAAC,CAAC,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC,CAAC;AACxD,UAAU,WAAW,CAAC;AACtB,IAAI,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC/C,IAAI,MAAM,uBAAuB,GAAG,IAAI,eAAe,CAAC;AACxD,QAAQ,YAAY,EAAE,cAAc,CAAC,MAAM,EAAE,WAAW,CAAC;AACzD,QAAQ,aAAa,EAAE,WAAW,CAAC,YAAY;AAC/C,QAAQ,SAAS,EAAE,qBAAqB,CAAC,gBAAgB;AACzD,QAAQ,iBAAiB,EAAE,QAAQ;AACnC,QAAQ,KAAK;AACb,QAAQ,KAAK;AACb,KAAK,CAAC,CAAC;AACP,IAAI,IAAI,OAAO,CAAC;AAChB,IAAI,IAAI,WAAW,CAAC,YAAY,KAAK,MAAM,EAAE;AAC7C,QAAQ,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;AAC7E,QAAQ,OAAO,GAAG,KAAK,CAAC;AACxB,QAAQ,uBAAuB,CAAC,MAAM,CAAC,gBAAgB,EAAE,eAAe,EAAE,CAAC,CAAC;AAC5E,QAAQ,uBAAuB,CAAC,MAAM,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;AACxE,KAAK;AACL,IAAI,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,WAAW,CAAC,MAAM,CAAC,kBAAkB,EAAE,uBAAuB,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC;AACxH,IAAI,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACxD,IAAI,MAAM,eAAe,GAAG,6CAA6C,CAAC,+CAA+C,CAAC;AAC1H,QAAQ,OAAO;AACf,QAAQ,QAAQ;AAChB,KAAK,CAAC,EAAE,oBAAoB,CAAC,CAAC;AAC9B,IAAI,MAAM,UAAU,GAAG,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;AAC9D,IAAI,UAAU,CAAC,aAAa,CAAC,qBAAqB,CAAC,CAAC;AACpD,IAAI,UAAU,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;AACtC,IAAI,OAAO,IAAI,UAAU,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;AAC7C,IAAI,OAAO,QAAQ,CAAC;AACpB,EAAE;AACF,MAAM,WAAW,GAAG,CAAC,QAAQ,KAAK;AAClC,IAAI,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE;AACtC,QAAQ,OAAO,eAAe,CAAC,QAAQ,CAAC,CAAC;AACzC,KAAK;AACL,IAAI,OAAO,SAAS,CAAC;AACrB,CAAC,CAAC;AACF,MAAM,eAAe,GAAG,CAAC,QAAQ,KAAK;AACtC,IAAI,IAAI;AACR,QAAQ,kBAAkB,CAAC,QAAQ,CAAC,CAAC;AACrC,QAAQ,OAAO,kCAAkC,CAAC,QAAQ,CAAC,CAAC;AAC5D,KAAK;AACL,IAAI,OAAO,CAAC,EAAE;AACd,QAAQ,OAAO,QAAQ,CAAC;AACxB,KAAK;AACL,CAAC,CAAC;AACF,SAAS,kBAAkB,CAAC,QAAQ,EAAE;AACtC,IAAI,IAAI,CAAC,CAAC,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE;AACvE,QAAQ,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;AACxD,KAAK;AACL;;;;"}

package/dist/esm/types/NextServer.d.ts

@@ -1,10 +1,13 @@
 import { GetServerSidePropsContext as NextGetServerSidePropsContext } from 'next';
 import { NextRequest, NextResponse } from 'next/server.js';
 import { cookies } from 'next/headers.js';
-import { AmplifyOutputs, LegacyConfig } from 'aws-amplify/adapter-core';
+import { AmplifyOutputs, CookieStorage, LegacyConfig } from 'aws-amplify/adapter-core';
 import { AmplifyServer } from '@aws-amplify/core/internals/adapter-core';
 import { ResourcesConfig } from '@aws-amplify/core';
+import { CreateOAuthRouteHandler, GetOAuthInitiationRoute } from '../oauth/types';
+import { CreateTokenExchangeRouteHandler } from '../auth/types';
 export declare namespace NextServer {
+    type SetCookieOptions = CookieStorage.SetCookieOptions;
     /**
      * This context is normally available in the following:
      *   - Next App Router [middleware](https://nextjs.org/docs/app/building-your-application/routing/middleware)
@@ -54,10 +57,25 @@ export declare namespace NextServer {
     }
     type RunOperationWithContext = <OperationResult>(input: RunWithContextInput<OperationResult>) => Promise<OperationResult>;
     interface CreateServerRunnerInput {
+        /**
+         * The Amplify resources config. Typically imported from `amplify_outputs.json` (Gen2)
+         * or `amplifyconfiguration.json` (Gen1).
+         */
         config: ResourcesConfig | LegacyConfig | AmplifyOutputs;
+        /**
+         * The origin of your Next app.
+         */
+        origin?: string;
+        /**
+         * Configures attributes of Set-Cookie.
+         */
+        setAuthCookieOptions?: SetCookieOptions;
     }
     interface CreateServerRunnerOutput {
         runWithAmplifyServerContext: RunOperationWithContext;
+        createOAuthRouteHandler: CreateOAuthRouteHandler;
+        getOAuthInitiationRoute: GetOAuthInitiationRoute;
+        createTokenExchangeRouteHandler: CreateTokenExchangeRouteHandler;
     }
     type CreateServerRunner = (input: CreateServerRunnerInput) => CreateServerRunnerOutput;
 }

package/dist/esm/utils/createRunWithAmplifyServerContext.d.ts

@@ -1,5 +1,6 @@
 import { ResourcesConfig } from '@aws-amplify/core';
 import { NextServer } from '../types';
-export declare const createRunWithAmplifyServerContext: ({ config: resourcesConfig, }: {
+export declare const createRunWithAmplifyServerContext: ({ config: resourcesConfig, setAuthCookieOptions, }: {
     config: ResourcesConfig;
+    setAuthCookieOptions?: Partial<Pick<import("cookie").CookieSerializeOptions, "domain" | "expires" | "httpOnly" | "maxAge" | "sameSite" | "secure">> | undefined;
 }) => NextServer.RunOperationWithContext;

package/dist/esm/utils/createRunWithAmplifyServerContext.mjs

@@ -4,7 +4,7 @@ import { createCookieStorageAdapterFromNextServerContext } from './createCookieS
 
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-const createRunWithAmplifyServerContext = ({ config: resourcesConfig, }) => {
+const createRunWithAmplifyServerContext = ({ config: resourcesConfig, setAuthCookieOptions, }) => {
     const runWithAmplifyServerContext$1 = async ({ nextServerContext, operation }) => {
         // When the Auth config is presented, attempt to create a Amplify server
         // context with token and credentials provider.
@@ -16,7 +16,7 @@ const createRunWithAmplifyServerContext = ({ config: resourcesConfig, }) => {
             // static rendering uses the same unauthenticated role cross-sever.
             nextServerContext === null
                 ? sharedInMemoryStorage
-                : createKeyValueStorageFromCookieStorageAdapter(createCookieStorageAdapterFromNextServerContext(nextServerContext));
+                : createKeyValueStorageFromCookieStorageAdapter(createCookieStorageAdapterFromNextServerContext(nextServerContext), setAuthCookieOptions);
             const credentialsProvider = createAWSCredentialsAndIdentityIdProvider(resourcesConfig.Auth, keyValueStorage);
             const tokenProvider = createUserPoolsTokenProvider(resourcesConfig.Auth, keyValueStorage);
             return runWithAmplifyServerContext(resourcesConfig, {

package/dist/esm/utils/createRunWithAmplifyServerContext.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"createRunWithAmplifyServerContext.mjs","sources":["../../../src/utils/createRunWithAmplifyServerContext.ts"],"sourcesContent":["// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nimport { sharedInMemoryStorage } from '@aws-amplify/core';\nimport { createAWSCredentialsAndIdentityIdProvider, createKeyValueStorageFromCookieStorageAdapter, createUserPoolsTokenProvider, runWithAmplifyServerContext as runWithAmplifyServerContextCore, } from 'aws-amplify/adapter-core';\nimport { createCookieStorageAdapterFromNextServerContext } from './createCookieStorageAdapterFromNextServerContext';\nexport const createRunWithAmplifyServerContext = ({ config: resourcesConfig, }) => {\n    const runWithAmplifyServerContext = async ({ nextServerContext, operation }) => {\n        // When the Auth config is presented, attempt to create a Amplify server\n        // context with token and credentials provider.\n        if (resourcesConfig.Auth) {\n            const keyValueStorage = \n            // When `null` is passed as the value of `nextServerContext`, opt-in\n            // unauthenticated role (primarily for static rendering). It's\n            // safe to use the singleton `MemoryKeyValueStorage` here, as the\n            // static rendering uses the same unauthenticated role cross-sever.\n            nextServerContext === null\n                ? sharedInMemoryStorage\n                : createKeyValueStorageFromCookieStorageAdapter(createCookieStorageAdapterFromNextServerContext(nextServerContext));\n            const credentialsProvider = createAWSCredentialsAndIdentityIdProvider(resourcesConfig.Auth, keyValueStorage);\n            const tokenProvider = createUserPoolsTokenProvider(resourcesConfig.Auth, keyValueStorage);\n            return runWithAmplifyServerContextCore(resourcesConfig, {\n                Auth: { credentialsProvider, tokenProvider },\n            }, operation);\n        }\n        // Otherwise it may be the case that auth is not used, e.g. API key.\n        // Omitting the `Auth` in the second parameter.\n        return runWithAmplifyServerContextCore(resourcesConfig, {}, operation);\n    };\n    return runWithAmplifyServerContext;\n};\n"],"names":["runWithAmplifyServerContext","runWithAmplifyServerContextCore"],"mappings":";;;;AAAA;AACA;AAIY,MAAC,iCAAiC,GAAG,CAAC,EAAE,MAAM,EAAE,eAAe,GAAG,KAAK;AACnF,IAAI,MAAMA,6BAA2B,GAAG,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,KAAK;AACpF;AACA;AACA,QAAQ,IAAI,eAAe,CAAC,IAAI,EAAE;AAClC,YAAY,MAAM,eAAe;AACjC;AACA;AACA;AACA;AACA,YAAY,iBAAiB,KAAK,IAAI;AACtC,kBAAkB,qBAAqB;AACvC,kBAAkB,6CAA6C,CAAC,+CAA+C,CAAC,iBAAiB,CAAC,CAAC,CAAC;AACpI,YAAY,MAAM,mBAAmB,GAAG,yCAAyC,CAAC,eAAe,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;AACzH,YAAY,MAAM,aAAa,GAAG,4BAA4B,CAAC,eAAe,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;AACtG,YAAY,OAAOC,2BAA+B,CAAC,eAAe,EAAE;AACpE,gBAAgB,IAAI,EAAE,EAAE,mBAAmB,EAAE,aAAa,EAAE;AAC5D,aAAa,EAAE,SAAS,CAAC,CAAC;AAC1B,SAAS;AACT;AACA;AACA,QAAQ,OAAOA,2BAA+B,CAAC,eAAe,EAAE,EAAE,EAAE,SAAS,CAAC,CAAC;AAC/E,KAAK,CAAC;AACN,IAAI,OAAOD,6BAA2B,CAAC;AACvC;;;;"}
+{"version":3,"file":"createRunWithAmplifyServerContext.mjs","sources":["../../../src/utils/createRunWithAmplifyServerContext.ts"],"sourcesContent":["// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nimport { sharedInMemoryStorage } from '@aws-amplify/core';\nimport { createAWSCredentialsAndIdentityIdProvider, createKeyValueStorageFromCookieStorageAdapter, createUserPoolsTokenProvider, runWithAmplifyServerContext as runWithAmplifyServerContextCore, } from 'aws-amplify/adapter-core';\nimport { createCookieStorageAdapterFromNextServerContext } from './createCookieStorageAdapterFromNextServerContext';\nexport const createRunWithAmplifyServerContext = ({ config: resourcesConfig, setAuthCookieOptions, }) => {\n    const runWithAmplifyServerContext = async ({ nextServerContext, operation }) => {\n        // When the Auth config is presented, attempt to create a Amplify server\n        // context with token and credentials provider.\n        if (resourcesConfig.Auth) {\n            const keyValueStorage = \n            // When `null` is passed as the value of `nextServerContext`, opt-in\n            // unauthenticated role (primarily for static rendering). It's\n            // safe to use the singleton `MemoryKeyValueStorage` here, as the\n            // static rendering uses the same unauthenticated role cross-sever.\n            nextServerContext === null\n                ? sharedInMemoryStorage\n                : createKeyValueStorageFromCookieStorageAdapter(createCookieStorageAdapterFromNextServerContext(nextServerContext), setAuthCookieOptions);\n            const credentialsProvider = createAWSCredentialsAndIdentityIdProvider(resourcesConfig.Auth, keyValueStorage);\n            const tokenProvider = createUserPoolsTokenProvider(resourcesConfig.Auth, keyValueStorage);\n            return runWithAmplifyServerContextCore(resourcesConfig, {\n                Auth: { credentialsProvider, tokenProvider },\n            }, operation);\n        }\n        // Otherwise it may be the case that auth is not used, e.g. API key.\n        // Omitting the `Auth` in the second parameter.\n        return runWithAmplifyServerContextCore(resourcesConfig, {}, operation);\n    };\n    return runWithAmplifyServerContext;\n};\n"],"names":["runWithAmplifyServerContext","runWithAmplifyServerContextCore"],"mappings":";;;;AAAA;AACA;AAIY,MAAC,iCAAiC,GAAG,CAAC,EAAE,MAAM,EAAE,eAAe,EAAE,oBAAoB,GAAG,KAAK;AACzG,IAAI,MAAMA,6BAA2B,GAAG,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,KAAK;AACpF;AACA;AACA,QAAQ,IAAI,eAAe,CAAC,IAAI,EAAE;AAClC,YAAY,MAAM,eAAe;AACjC;AACA;AACA;AACA;AACA,YAAY,iBAAiB,KAAK,IAAI;AACtC,kBAAkB,qBAAqB;AACvC,kBAAkB,6CAA6C,CAAC,+CAA+C,CAAC,iBAAiB,CAAC,EAAE,oBAAoB,CAAC,CAAC;AAC1J,YAAY,MAAM,mBAAmB,GAAG,yCAAyC,CAAC,eAAe,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;AACzH,YAAY,MAAM,aAAa,GAAG,4BAA4B,CAAC,eAAe,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;AACtG,YAAY,OAAOC,2BAA+B,CAAC,eAAe,EAAE;AACpE,gBAAgB,IAAI,EAAE,EAAE,mBAAmB,EAAE,aAAa,EAAE;AAC5D,aAAa,EAAE,SAAS,CAAC,CAAC;AAC1B,SAAS;AACT;AACA;AACA,QAAQ,OAAOA,2BAA+B,CAAC,eAAe,EAAE,EAAE,EAAE,SAAS,CAAC,CAAC;AAC/E,KAAK,CAAC;AACN,IAAI,OAAOD,6BAA2B,CAAC;AACvC;;;;"}

package/package.json

@@ -1,74 +1,80 @@
 {
-	"author": "Amazon Web Services",
-	"name": "@aws-amplify/adapter-nextjs",
-	"version": "1.1.6",
-	"description": "The adapter for the supporting of using Amplify APIs in Next.js.",
-	"peerDependencies": {
-		"aws-amplify": "^6.0.7",
-		"next": ">=13.5.0 <15.0.0"
-	},
-	"dependencies": {
-		"cookie": "0.5.0"
-	},
-	"devDependencies": {
-		"@types/cookie": "0.5.1",
-		"@types/node": "^20.3.1",
-		"@types/react": "^18.2.13",
-		"@types/react-dom": "^18.2.6",
-		"aws-amplify": "6.3.0",
-		"jest-fetch-mock": "3.0.3",
-		"next": ">= 13.5.0 < 15.0.0",
-		"typescript": "5.0.2"
-	},
-	"publishConfig": {
-		"access": "public"
-	},
-	"bugs": {
-		"url": "https://github.com/aws/aws-amplify/issues"
-	},
-	"exports": {
-		".": {
-			"types": "./dist/esm/index.d.ts",
-			"import": "./dist/esm/index.mjs",
-			"require": "./dist/cjs/index.js"
-		},
-		"./api": {
-			"types": "./dist/esm/api/index.d.ts",
-			"import": "./dist/esm/api/index.mjs",
-			"require": "./dist/cjs/api/index.js"
-		},
-		"./data": {
-			"types": "./dist/esm/api/index.d.ts",
-			"import": "./dist/esm/api/index.mjs",
-			"require": "./dist/cjs/api/index.js"
-		},
-		"./package.json": "./package.json"
-	},
-	"files": [
-		"dist/cjs",
-		"dist/esm",
-		"src",
-		"api",
-		"data"
-	],
-	"homepage": "https://aws-amplify.github.io/",
-	"license": "Apache-2.0",
-	"main": "./dist/cjs/index.js",
-	"module": "./dist/esm/index.mjs",
-	"typings": "./dist/esm/index.d.ts",
-	"sideEffects": false,
-	"scripts": {
-		"build": "npm run clean && npm run build:esm-cjs",
-		"build-with-test": "npm test && npm run build",
-		"build:esm-cjs": "rollup --forceExit -c rollup.config.mjs",
-		"build:watch": "npm run build:esm-cjs -- --watch",
-		"clean": "npm run clean:size && rimraf dist",
-		"clean:size": "rimraf dual-publish-tmp tmp*",
-		"format": "echo \"Not implemented\"",
-		"lint": "eslint '**/*.{ts,tsx}' && npm run ts-coverage",
-		"lint:fix": "eslint '**/*.{ts,tsx}' --fix",
-		"test": "npm run lint && jest -w 1 --coverage --logHeapUsage",
-		"ts-coverage": "typescript-coverage-report -p ./tsconfig.build.json -t 90.31"
-	},
-	"gitHead": "3283f520db9a28b317b261f08ad0ad33b5957441"
+  "author": "Amazon Web Services",
+  "name": "@aws-amplify/adapter-nextjs",
+  "version": "1.1.7-s-auth.30d0cd2.0+30d0cd2",
+  "description": "The adapter for the supporting of using Amplify APIs in Next.js.",
+  "peerDependencies": {
+    "aws-amplify": "6.3.1-s-auth.30d0cd2.0+30d0cd2",
+    "next": ">=14.2.3 <15.0.0"
+  },
+  "dependencies": {
+    "client-only": "0.0.1",
+    "cookie": "0.5.0"
+  },
+  "devDependencies": {
+    "@types/cookie": "0.5.1",
+    "@types/node": "^20.3.1",
+    "@types/react": "^18.2.13",
+    "@types/react-dom": "^18.2.6",
+    "aws-amplify": "6.3.1-s-auth.30d0cd2.0+30d0cd2",
+    "jest-fetch-mock": "3.0.3",
+    "next": ">=14.2.3 <15.0.0",
+    "typescript": "5.0.2"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "bugs": {
+    "url": "https://github.com/aws/aws-amplify/issues"
+  },
+  "exports": {
+    ".": {
+      "types": "./dist/esm/index.d.ts",
+      "import": "./dist/esm/index.mjs",
+      "require": "./dist/cjs/index.js"
+    },
+    "./api": {
+      "types": "./dist/esm/api/index.d.ts",
+      "import": "./dist/esm/api/index.mjs",
+      "require": "./dist/cjs/api/index.js"
+    },
+    "./data": {
+      "types": "./dist/esm/api/index.d.ts",
+      "import": "./dist/esm/api/index.mjs",
+      "require": "./dist/cjs/api/index.js"
+    },
+    "./client": {
+      "types": "./dist/esm/client/index.d.ts",
+      "import": "./dist/esm/client/index.mjs",
+      "require": "./dist/cjs/client/index.js"
+    },
+    "./package.json": "./package.json"
+  },
+  "files": [
+    "dist/cjs",
+    "dist/esm",
+    "src",
+    "api",
+    "data"
+  ],
+  "homepage": "https://aws-amplify.github.io/",
+  "license": "Apache-2.0",
+  "main": "./dist/cjs/index.js",
+  "module": "./dist/esm/index.mjs",
+  "typings": "./dist/esm/index.d.ts",
+  "sideEffects": false,
+  "scripts": {
+    "build": "npm run clean && npm run build:esm-cjs",
+    "build-with-test": "npm test && npm run build",
+    "build:esm-cjs": "rollup --forceExit -c rollup.config.mjs",
+    "build:watch": "npm run build:esm-cjs -- --watch",
+    "clean": "npm run clean:size && rimraf dist",
+    "clean:size": "rimraf dual-publish-tmp tmp*",
+    "format": "echo \"Not implemented\"",
+    "lint": "eslint '**/*.{ts,tsx}' && npm run ts-coverage",
+    "lint:fix": "eslint '**/*.{ts,tsx}' --fix",
+    "test": "echo 'no-op'",
+    "ts-coverage": "typescript-coverage-report -p ./tsconfig.build.json -t 90.31"
+  },
+  "gitHead": "30d0cd2b2221a9b825760000a7dbc2bce6b9ff64"
 }

package/src/api/createServerRunnerForAPI.ts

@@ -9,7 +9,13 @@ import { NextServer } from '../types';
 
 export const createServerRunnerForAPI = ({
 	config,
-}: NextServer.CreateServerRunnerInput): NextServer.CreateServerRunnerOutput & {
+}: Omit<NextServer.CreateServerRunnerInput, 'origin'>): Omit<
+	NextServer.CreateServerRunnerOutput,
+	| 'createOAuthRouteHandler'
+	| 'getOAuthInitiationRoute'
+	| 'createTokenExchangeRouteHandler'
+	| 'origin'
+> & {
 	resourcesConfig: ResourcesConfig;
 } => {
 	const amplifyConfig = parseAmplifyConfig(config);

package/src/auth/createTokenExchangeRouteHandlerFactory.ts

@@ -0,0 +1,70 @@
+import { NextRequest } from 'next/server.js';
+import { cookies } from 'next/headers.js';
+import { fetchAuthSession } from 'aws-amplify/auth/server';
+
+import { createRunWithAmplifyServerContext } from '../utils';
+
+import {
+	CreateTokenExchangeRouteHandlerFactory,
+	CreateTokenExchangeRouteHandlerInput,
+} from './types';
+
+export const createTokenExchangeRouteHandlerFactory: CreateTokenExchangeRouteHandlerFactory =
+	input => {
+		const runWithAmplifyServerContext =
+			createRunWithAmplifyServerContext(input);
+
+		const handleRequest = async (
+			_: NextRequest,
+			__: CreateTokenExchangeRouteHandlerInput,
+		) => {
+			const { origin } = input;
+
+			if (!origin) {
+				throw new Error(
+					'`origin` parameter is required when using `getOAuthInitiationRoute`.',
+				);
+			}
+
+			const userSession = await runWithAmplifyServerContext({
+				nextServerContext: { cookies },
+				operation: contextSpec => fetchAuthSession(contextSpec),
+			});
+
+			const clockDrift = cookies()
+				.getAll()
+				.find(cookie => cookie.name.endsWith('.clockDrift'))?.value;
+
+			return new Response(
+				JSON.stringify({
+					...userSession,
+					tokens: {
+						accessToken: userSession.tokens?.accessToken.toString(),
+						idToken: userSession.tokens?.idToken?.toString(),
+					},
+					username: userSession.tokens?.accessToken.payload.username,
+					clockDrift,
+					userSession,
+				}),
+				{
+					headers: {
+						'content-type': 'application/json',
+						'Access-Control-Allow-Origin': origin,
+						'Access-Control-Allow-Methods': 'POST',
+					},
+				},
+			);
+		};
+
+		return handlerInput => ({
+			async POST(request) {
+				try {
+					return await handleRequest(request, handlerInput);
+				} catch (error) {
+					const { onError } = handlerInput;
+
+					onError(error as Error);
+				}
+			},
+		});
+	};

package/src/auth/httpOnlyCookieBasedAuthProviders/createHttpOnlyCookieBasedAuthProviders.ts

@@ -0,0 +1,57 @@
+import { LibraryOptions, sharedInMemoryStorage } from '@aws-amplify/core';
+import { runInBrowserContext } from '@aws-amplify/core/internals/utils';
+import {
+	cognitoCredentialsProvider,
+	cognitoUserPoolsTokenProvider,
+} from 'aws-amplify/auth/cognito';
+
+export const createHttpOnlyCookieBasedAuthProviders = ({
+	authTokenExchangeRoute,
+}: {
+	authTokenExchangeRoute: string;
+}): LibraryOptions['Auth'] => {
+	cognitoUserPoolsTokenProvider.setKeyValueStorage(sharedInMemoryStorage);
+
+	runInBrowserContext(() => {
+		refreshSession({
+			authTokenExchangeRoute,
+			tokenProvider: cognitoUserPoolsTokenProvider,
+			credentialsProvider: cognitoCredentialsProvider,
+		});
+	});
+
+	return {
+		tokenProvider: cognitoUserPoolsTokenProvider,
+		credentialsProvider: cognitoCredentialsProvider,
+	};
+};
+
+const refreshSession = async ({
+	authTokenExchangeRoute,
+	tokenProvider,
+	credentialsProvider,
+}: {
+	authTokenExchangeRoute: string;
+	tokenProvider: typeof cognitoUserPoolsTokenProvider;
+	credentialsProvider: typeof cognitoCredentialsProvider;
+}) => {
+	const response = await fetch(authTokenExchangeRoute, { method: 'POST' });
+	const session = await response.json();
+
+	tokenProvider.tokenOrchestrator.setTokens({
+		tokens: {
+			accessToken: session.tokens.accessToken,
+			idToken: session.tokens.idToken,
+			clockDrift: session.clockDrift,
+			username: session.username,
+		},
+	});
+
+	credentialsProvider.setIdentityIdCredentials(
+		{
+			credentials: session.credentials,
+			identityId: session.identityId,
+		},
+		session.tokens.idToken,
+	);
+};

package/src/auth/httpOnlyCookieBasedAuthProviders/index.ts

@@ -0,0 +1,3 @@
+import 'client-only';
+
+export { createHttpOnlyCookieBasedAuthProviders } from './createHttpOnlyCookieBasedAuthProviders';

package/src/auth/types.ts

@@ -0,0 +1,26 @@
+import { ResourcesConfig } from 'aws-amplify';
+import { NextRequest } from 'next/server';
+
+import { NextServer } from '../types';
+
+interface CreateTokenExchangeRouteHandlerFactoryInput {
+	config: ResourcesConfig;
+	origin?: string;
+	setAuthCookieOptions?: NextServer.SetCookieOptions;
+}
+
+interface CreateOAuthRouteHandlerOutput {
+	POST(request: NextRequest): Promise<Response | void>;
+}
+
+export interface CreateTokenExchangeRouteHandlerInput {
+	onError(error: Error): void;
+}
+
+export type CreateTokenExchangeRouteHandler = (
+	input: CreateTokenExchangeRouteHandlerInput,
+) => CreateOAuthRouteHandlerOutput;
+
+export type CreateTokenExchangeRouteHandlerFactory = (
+	input: CreateTokenExchangeRouteHandlerFactoryInput,
+) => CreateTokenExchangeRouteHandler;

package/src/client/index.ts

@@ -0,0 +1 @@
+export { createHttpOnlyCookieBasedAuthProviders } from '../auth/httpOnlyCookieBasedAuthProviders';

package/src/createServerRunner.ts

@@ -6,6 +6,9 @@ import { parseAmplifyConfig } from '@aws-amplify/core/internals/utils';
 
 import { createRunWithAmplifyServerContext } from './utils';
 import { NextServer } from './types';
+import { createOAuthRouteHandlerFactory } from './oauth';
+import { createTokenExchangeRouteHandlerFactory } from './auth/createTokenExchangeRouteHandlerFactory';
+import { createGetOAuthInitiationRouteFactory } from './oauth/createGetOAuthInitiationRouteFactory';
 
 /**
  * Creates the `runWithAmplifyServerContext` function to run Amplify server side APIs in an isolated request context.
@@ -27,12 +30,28 @@ import { NextServer } from './types';
  */
 export const createServerRunner: NextServer.CreateServerRunner = ({
 	config,
+	origin,
+	setAuthCookieOptions,
 }) => {
 	const amplifyConfig = parseAmplifyConfig(config);
 
 	return {
 		runWithAmplifyServerContext: createRunWithAmplifyServerContext({
 			config: amplifyConfig,
+			setAuthCookieOptions,
+		}),
+		createOAuthRouteHandler: createOAuthRouteHandlerFactory({
+			config: amplifyConfig,
+			setAuthCookieOptions,
+		}),
+		getOAuthInitiationRoute: createGetOAuthInitiationRouteFactory({
+			config: amplifyConfig,
+			origin,
+		}),
+		createTokenExchangeRouteHandler: createTokenExchangeRouteHandlerFactory({
+			config: amplifyConfig,
+			origin,
+			setAuthCookieOptions,
 		}),
 	};
 };

package/src/oauth/createGetOAuthInitiationRouteFactory.ts

@@ -0,0 +1,35 @@
+import {
+	assertOAuthConfig,
+	assertTokenProviderConfig,
+} from '@aws-amplify/core/internals/utils';
+
+import {
+	CreateGetOAuthInitiationRouteFactory,
+	GetOAuthInitiationRoute,
+} from './types';
+import { getRedirectUrl } from './utils/getRedirectUrl';
+
+export const createGetOAuthInitiationRouteFactory: CreateGetOAuthInitiationRouteFactory =
+	({ config: resourcesConfig, origin }) => {
+		const getOAuthInitiationRoute: GetOAuthInitiationRoute = input => {
+			assertTokenProviderConfig(resourcesConfig.Auth?.Cognito);
+			assertOAuthConfig(resourcesConfig.Auth.Cognito);
+
+			const { Cognito: cognitoUserPoolConfig } = resourcesConfig.Auth;
+			if (!origin) {
+				throw new Error(
+					'`origin` parameter is required when using `getOAuthInitiationRoute`.',
+				);
+			}
+
+			const redirectUrl = getRedirectUrl(
+				origin,
+				cognitoUserPoolConfig.loginWith.oauth,
+			);
+			const { provider } = input;
+
+			return `${redirectUrl}?init=true&provider=${provider}`;
+		};
+
+		return getOAuthInitiationRoute;
+	};

package/src/oauth/createOAuthRouteHandlerFactory.ts

@@ -0,0 +1,77 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import {
+	assertOAuthConfig,
+	assertTokenProviderConfig,
+} from '@aws-amplify/core/internals/utils';
+import { NextRequest } from 'next/server';
+import { AuthError } from '@aws-amplify/auth';
+
+import {
+	CreateOAuthRouteHandler,
+	CreateOAuthRouteHandlerFactory,
+	CreateOAuthRouteHandlerInput,
+} from './types';
+import { initOAuthFlow } from './utils/initOAuthFlow';
+import { completeOAuthFlow } from './utils/completeOAuthFlow';
+
+export const createOAuthRouteHandlerFactory: CreateOAuthRouteHandlerFactory = ({
+	config: resourcesConfig,
+	origin,
+	setAuthCookieOptions,
+}): CreateOAuthRouteHandler => {
+	const handleRequest = async (
+		request: NextRequest,
+		{
+			customState,
+			redirectOnAuthComplete,
+			onError,
+		}: CreateOAuthRouteHandlerInput,
+	): Promise<Response | void> => {
+		if (!origin) throw new Error('Origin is not provided');
+		assertTokenProviderConfig(resourcesConfig.Auth?.Cognito);
+		assertOAuthConfig(resourcesConfig.Auth.Cognito);
+
+		const { Cognito: cognitoUserPoolConfig } = resourcesConfig.Auth;
+		const { searchParams } = request.nextUrl;
+
+		// when request url has `init` query param - initiate oauth flow
+		if (searchParams.has('init')) {
+			return initOAuthFlow({
+				origin,
+				setAuthCookieOptions,
+				request,
+				customState,
+				cognitoUserPoolConfig,
+				oAuthConfig: cognitoUserPoolConfig.loginWith.oauth,
+			});
+		}
+
+		if (searchParams.has('code') && searchParams.has('state')) {
+			return completeOAuthFlow({
+				origin,
+				request,
+				redirectOnComplete: redirectOnAuthComplete,
+				setAuthCookieOptions,
+				customState,
+				cognitoUserPoolConfig,
+				oAuthConfig: cognitoUserPoolConfig.loginWith.oauth,
+			});
+		}
+
+		onError(new Error('Invalid point (update me)'));
+	};
+
+	return handlerInput => ({
+		async GET(request) {
+			try {
+				return await handleRequest(request, handlerInput);
+			} catch (error) {
+				const { onError } = handlerInput;
+
+				onError(error as AuthError);
+			}
+		},
+	});
+};

package/src/oauth/index.ts

@@ -0,0 +1,4 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+export { createOAuthRouteHandlerFactory } from './createOAuthRouteHandlerFactory';

package/src/oauth/types.ts

@@ -0,0 +1,60 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { AuthError, AuthProvider } from '@aws-amplify/auth';
+import { ResourcesConfig } from 'aws-amplify';
+import { NextRequest } from 'next/server';
+
+import { NextServer } from '../types';
+
+export interface CreateOAuthRouteHandlerInput {
+	/** A custom state identifying an OAuth flow. */
+	customState?: string;
+
+	/** The path to redirect to when an OAuth flow completes. */
+	redirectOnAuthComplete: string;
+
+	/**
+	 * A callback function to be called with a {@link AuthError} object that thrown
+	 * from an inflight OAuth flow when error occurs. You need to return a
+	 * {@link Response} object to redirect end user away from the API route
+	 * you set up, for example, redirect back to the sign in page by
+	 * `return NextResponse.redirect('/sign-in')`.
+	 */
+	onError(error: AuthError): void;
+}
+
+interface CreateOAuthRouteHandlerOutput {
+	GET(request: NextRequest): Promise<Response | void>;
+}
+
+export type CreateOAuthRouteHandler = (
+	input: CreateOAuthRouteHandlerInput,
+) => CreateOAuthRouteHandlerOutput;
+
+interface CreateOAuthRouteHandlerFactoryInput {
+	config: ResourcesConfig;
+	origin?: string;
+	setAuthCookieOptions?: NextServer.SetCookieOptions;
+}
+
+export type CreateOAuthRouteHandlerFactory = (
+	input: CreateOAuthRouteHandlerFactoryInput,
+) => CreateOAuthRouteHandler;
+
+export type GetOAuthInitiationRoute = (input: {
+	provider:
+		| AuthProvider
+		| {
+				custom: string;
+		  };
+}) => string;
+
+interface CreateGetOAuthInitiationRouteFactoryInput {
+	config: ResourcesConfig;
+	origin?: string;
+}
+
+export type CreateGetOAuthInitiationRouteFactory = (
+	input: CreateGetOAuthInitiationRouteFactoryInput,
+) => GetOAuthInitiationRoute;