@imtbl/auth-next-server 2.12.7-alpha.1 → 2.12.7-alpha.11

package/src/config.ts

@@ -3,10 +3,13 @@
 // @ts-ignore - Type exists in next-auth v5 but TS resolver may use stale types
 import type { NextAuthConfig } from 'next-auth';
 import CredentialsImport from 'next-auth/providers/credentials';
+import { encode as encodeImport } from 'next-auth/jwt';
 import type { ImmutableAuthConfig, ImmutableTokenData, UserInfoResponse } from './types';
 import { isTokenExpired, refreshAccessToken, extractZkEvmFromIdToken } from './refresh';
 import {
   DEFAULT_AUTH_DOMAIN,
+  DEFAULT_REDIRECT_URI_PATH,
+  DEFAULT_SANDBOX_CLIENT_ID,
   IMMUTABLE_PROVIDER_ID,
   DEFAULT_SESSION_MAX_AGE_SECONDS,
 } from './constants';
@@ -15,6 +18,8 @@ import {
 // may be nested under a 'default' property
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 const Credentials = ((CredentialsImport as any).default || CredentialsImport) as typeof CredentialsImport;
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+const defaultJwtEncode = ((encodeImport as any).default || encodeImport) as typeof encodeImport;
 
 /**
  * Validate tokens by calling the userinfo endpoint.
@@ -52,26 +57,73 @@ async function validateTokens(
 }
 
 /**
- * Create Auth.js v5 configuration for Immutable authentication
+ * Resolve redirect URI for zero-config mode.
+ * Uses __NEXT_PRIVATE_ORIGIN when available (Next.js internal), otherwise path-only.
+ */
+function resolveDefaultRedirectUri(): string {
+  // eslint-disable-next-line no-underscore-dangle -- Next.js internal env var
+  const origin = process.env.__NEXT_PRIVATE_ORIGIN;
+  if (origin) {
+    return new URL(DEFAULT_REDIRECT_URI_PATH, origin).href;
+  }
+  return DEFAULT_REDIRECT_URI_PATH;
+}
+
+/**
+ * Create Auth.js v5 configuration for Immutable authentication.
+ *
+ * Policy: provide nothing → full sandbox config; provide config → provide everything.
+ * - Zero config: sandbox clientId, auto-derived redirectUri. No conflicts.
+ * - With config: clientId and redirectUri required. Pass full config to avoid conflicts.
+ *
+ * @param config - Optional. When omitted, uses sandbox defaults. When provided, clientId and redirectUri are required.
+ *
+ * @example
+ * ```typescript
+ * // Zero config - sandbox, only AUTH_SECRET required in .env
+ * import NextAuth from "next-auth";
+ * import { createAuthConfig } from "@imtbl/auth-next-server";
+ *
+ * export const { handlers, auth, signIn, signOut } = NextAuth(createAuthConfig());
+ * ```
  *
  * @example
  * ```typescript
- * // lib/auth.ts
+ * // With config - provide clientId and redirectUri (and optionally audience, scope, authenticationDomain)
  * import NextAuth from "next-auth";
  * import { createAuthConfig } from "@imtbl/auth-next-server";
  *
- * const config = {
+ * export const { handlers, auth, signIn, signOut } = NextAuth(createAuthConfig({
  *   clientId: process.env.NEXT_PUBLIC_IMMUTABLE_CLIENT_ID!,
  *   redirectUri: `${process.env.NEXT_PUBLIC_BASE_URL}/callback`,
- * };
- *
- * export const { handlers, auth, signIn, signOut } = NextAuth(createAuthConfig(config));
+ * }));
  * ```
  */
-export function createAuthConfig(config: ImmutableAuthConfig): NextAuthConfig {
-  const authDomain = config.authenticationDomain || DEFAULT_AUTH_DOMAIN;
+export function createAuthConfig(config?: ImmutableAuthConfig): NextAuthConfig {
+  const resolvedConfig: ImmutableAuthConfig = config ?? {
+    clientId: DEFAULT_SANDBOX_CLIENT_ID,
+    redirectUri: resolveDefaultRedirectUri(),
+  };
+  const authDomain = resolvedConfig.authenticationDomain || DEFAULT_AUTH_DOMAIN;
 
   return {
+    // Custom jwt.encode: strip idToken from the cookie to reduce size and avoid
+    // CloudFront 413 "Request Entity Too Large" errors. The idToken (~1-2 KB) is
+    // still available in session responses (after sign-in or token refresh) because
+    // the session callback runs BEFORE encode. All data extracted FROM idToken
+    // (email, nickname, zkEvm) remains in the cookie as separate fields.
+    // On the client, idToken is persisted in localStorage by @imtbl/auth-next-client.
+    jwt: {
+      async encode(params) {
+        const { token, ...rest } = params;
+        if (token) {
+          const { idToken, ...cookieToken } = token as Record<string, unknown>;
+          return defaultJwtEncode({ ...rest, token: cookieToken });
+        }
+        return defaultJwtEncode(params);
+      },
+    },
+
     providers: [
       Credentials({
         id: IMMUTABLE_PROVIDER_ID,
@@ -154,35 +206,84 @@ export function createAuthConfig(config: ImmutableAuthConfig): NextAuthConfig {
       async jwt({
         token, user, trigger, session: sessionUpdate,
       }: any) {
-        // Initial sign in - store all token data
-        if (user) {
-          return {
-            ...token,
-            sub: user.sub,
-            email: user.email,
-            nickname: user.nickname,
-            accessToken: user.accessToken,
-            refreshToken: user.refreshToken,
-            idToken: user.idToken,
-            accessTokenExpires: user.accessTokenExpires,
-            zkEvm: user.zkEvm,
-          };
-        }
+        try {
+          // Initial sign in - store all token data
+          if (user) {
+            return {
+              ...token,
+              sub: user.sub,
+              email: user.email,
+              nickname: user.nickname,
+              accessToken: user.accessToken,
+              refreshToken: user.refreshToken,
+              idToken: user.idToken,
+              accessTokenExpires: user.accessTokenExpires,
+              zkEvm: user.zkEvm,
+            };
+          }
 
-        // Handle session update (for client-side token sync or forceRefresh)
-        // When client-side Auth refreshes tokens via TOKEN_REFRESHED event,
-        // it calls updateSession() which triggers this callback with the new tokens.
-        // We clear any stale error (e.g., TokenExpired) on successful update.
-        if (trigger === 'update' && sessionUpdate) {
-          const update = sessionUpdate as Record<string, unknown>;
+          // Handle session update (for client-side token sync or forceRefresh)
+          // When client-side Auth refreshes tokens via TOKEN_REFRESHED event,
+          // it calls updateSession() which triggers this callback with the new tokens.
+          // We clear any stale error (e.g., TokenExpired) on successful update.
+          if (trigger === 'update' && sessionUpdate) {
+            const update = sessionUpdate as Record<string, unknown>;
 
-          // If forceRefresh is requested, perform server-side token refresh
-          // This is used after zkEVM registration to get updated claims from IDP
-          if (update.forceRefresh && token.refreshToken) {
+            // If forceRefresh is requested, perform server-side token refresh
+            // This is used after zkEVM registration to get updated claims from IDP
+            if (update.forceRefresh && token.refreshToken) {
+              try {
+                const refreshed = await refreshAccessToken(
+                  token.refreshToken as string,
+                  resolvedConfig.clientId,
+                  authDomain,
+                );
+                // Extract zkEvm claims from the refreshed idToken
+                const zkEvm = extractZkEvmFromIdToken(refreshed.idToken);
+                return {
+                  ...token,
+                  accessToken: refreshed.accessToken,
+                  refreshToken: refreshed.refreshToken,
+                  idToken: refreshed.idToken,
+                  accessTokenExpires: refreshed.accessTokenExpires,
+                  zkEvm: zkEvm ?? token.zkEvm, // Keep existing zkEvm if not in new token
+                  error: undefined,
+                };
+              } catch (error) {
+                // eslint-disable-next-line no-console
+                console.error('[auth-next-server] Force refresh failed:', error);
+                return {
+                  ...token,
+                  error: 'RefreshTokenError',
+                };
+              }
+            }
+
+            // Standard session update - merge provided values
+            return {
+              ...token,
+              ...(update.accessToken ? { accessToken: update.accessToken } : {}),
+              ...(update.refreshToken ? { refreshToken: update.refreshToken } : {}),
+              ...(update.idToken ? { idToken: update.idToken } : {}),
+              ...(update.accessTokenExpires ? { accessTokenExpires: update.accessTokenExpires } : {}),
+              ...(update.zkEvm ? { zkEvm: update.zkEvm } : {}),
+              // Clear any stale error when valid tokens are synced from client-side
+              error: undefined,
+            };
+          }
+
+          // Return token if not expired
+          if (!isTokenExpired(token.accessTokenExpires as number)) {
+            return token;
+          }
+
+          // Token expired - attempt server-side refresh
+          // This ensures clients always get fresh tokens from session callbacks
+          if (token.refreshToken) {
             try {
               const refreshed = await refreshAccessToken(
                 token.refreshToken as string,
-                config.clientId,
+                resolvedConfig.clientId,
                 authDomain,
               );
               // Extract zkEvm claims from the refreshed idToken
@@ -194,11 +295,11 @@ export function createAuthConfig(config: ImmutableAuthConfig): NextAuthConfig {
                 idToken: refreshed.idToken,
                 accessTokenExpires: refreshed.accessTokenExpires,
                 zkEvm: zkEvm ?? token.zkEvm, // Keep existing zkEvm if not in new token
-                error: undefined,
+                error: undefined, // Clear any previous error
               };
             } catch (error) {
               // eslint-disable-next-line no-console
-              console.error('[auth-next-server] Force refresh failed:', error);
+              console.error('[auth-next-server] Token refresh failed:', error);
               return {
                 ...token,
                 error: 'RefreshTokenError',
@@ -206,79 +307,42 @@ export function createAuthConfig(config: ImmutableAuthConfig): NextAuthConfig {
             }
           }
 
-          // Standard session update - merge provided values
+          // No refresh token available
           return {
             ...token,
-            ...(update.accessToken ? { accessToken: update.accessToken } : {}),
-            ...(update.refreshToken ? { refreshToken: update.refreshToken } : {}),
-            ...(update.idToken ? { idToken: update.idToken } : {}),
-            ...(update.accessTokenExpires ? { accessTokenExpires: update.accessTokenExpires } : {}),
-            ...(update.zkEvm ? { zkEvm: update.zkEvm } : {}),
-            // Clear any stale error when valid tokens are synced from client-side
-            error: undefined,
+            error: 'TokenExpired',
           };
+        } catch (error) {
+          // eslint-disable-next-line no-console
+          console.error('[auth-next-server] JWT callback error:', error);
+          throw error;
         }
-
-        // Return token if not expired
-        if (!isTokenExpired(token.accessTokenExpires as number)) {
-          return token;
-        }
-
-        // Token expired - attempt server-side refresh
-        // This ensures clients always get fresh tokens from session callbacks
-        if (token.refreshToken) {
-          try {
-            const refreshed = await refreshAccessToken(
-              token.refreshToken as string,
-              config.clientId,
-              authDomain,
-            );
-            // Extract zkEvm claims from the refreshed idToken
-            const zkEvm = extractZkEvmFromIdToken(refreshed.idToken);
-            return {
-              ...token,
-              accessToken: refreshed.accessToken,
-              refreshToken: refreshed.refreshToken,
-              idToken: refreshed.idToken,
-              accessTokenExpires: refreshed.accessTokenExpires,
-              zkEvm: zkEvm ?? token.zkEvm, // Keep existing zkEvm if not in new token
-              error: undefined, // Clear any previous error
-            };
-          } catch (error) {
-            // eslint-disable-next-line no-console
-            console.error('[auth-next-server] Token refresh failed:', error);
-            return {
-              ...token,
-              error: 'RefreshTokenError',
-            };
-          }
-        }
-
-        // No refresh token available
-        return {
-          ...token,
-          error: 'TokenExpired',
-        };
       },
 
       // eslint-disable-next-line @typescript-eslint/no-explicit-any
       async session({ session, token }: any) {
-        // Expose token data to the session
-        return {
-          ...session,
-          user: {
-            ...session.user,
-            sub: token.sub as string,
-            email: token.email as string | undefined,
-            nickname: token.nickname as string | undefined,
-          },
-          accessToken: token.accessToken as string,
-          refreshToken: token.refreshToken as string | undefined,
-          idToken: token.idToken as string | undefined,
-          accessTokenExpires: token.accessTokenExpires as number,
-          zkEvm: token.zkEvm,
-          ...(token.error && { error: token.error as string }),
-        };
+        try {
+          // Expose token data to the session
+          return {
+            ...session,
+            user: {
+              ...session.user,
+              sub: token.sub as string,
+              email: token.email as string | undefined,
+              nickname: token.nickname as string | undefined,
+            },
+            accessToken: token.accessToken as string,
+            refreshToken: token.refreshToken as string | undefined,
+            idToken: token.idToken as string | undefined,
+            accessTokenExpires: token.accessTokenExpires as number,
+            zkEvm: token.zkEvm,
+            ...(token.error && { error: token.error as string }),
+          };
+        } catch (error) {
+          // eslint-disable-next-line no-console
+          console.error('[auth-next-server] Session callback error:', error);
+          throw error;
+        }
       },
     },
 

package/src/constants.ts

@@ -44,8 +44,29 @@ export const DEFAULT_TOKEN_EXPIRY_MS = DEFAULT_TOKEN_EXPIRY_SECONDS * 1000;
  */
 export const TOKEN_EXPIRY_BUFFER_SECONDS = 60;
 
+/**
+ * Buffer time in milliseconds before token expiry to trigger refresh.
+ * Used by auth-next-client for client-side refresh timing.
+ */
+export const TOKEN_EXPIRY_BUFFER_MS = TOKEN_EXPIRY_BUFFER_SECONDS * 1000;
+
 /**
  * Default session max age in seconds (365 days)
  * This is how long the NextAuth session cookie will be valid
  */
 export const DEFAULT_SESSION_MAX_AGE_SECONDS = 365 * 24 * 60 * 60;
+
+/**
+ * Sandbox client ID for auth-next zero-config.
+ */
+export const DEFAULT_SANDBOX_CLIENT_ID = 'mjtCL8mt06BtbxSkp2vbrYStKWnXVZfo';
+
+/**
+ * Default redirect URI path for sandbox zero-config.
+ */
+export const DEFAULT_REDIRECT_URI_PATH = '/callback';
+
+/**
+ * Default logout redirect URI path
+ */
+export const DEFAULT_LOGOUT_REDIRECT_URI_PATH = '/';

package/src/index.ts

@@ -45,6 +45,18 @@ export {
   type RefreshedTokens,
   type ZkEvmData,
 } from './refresh';
+export {
+  DEFAULT_AUTH_DOMAIN,
+  DEFAULT_AUDIENCE,
+  DEFAULT_SCOPE,
+  IMMUTABLE_PROVIDER_ID,
+  DEFAULT_NEXTAUTH_BASE_PATH,
+  DEFAULT_SANDBOX_CLIENT_ID,
+  DEFAULT_REDIRECT_URI_PATH,
+  DEFAULT_LOGOUT_REDIRECT_URI_PATH,
+  DEFAULT_TOKEN_EXPIRY_MS,
+  TOKEN_EXPIRY_BUFFER_MS,
+} from './constants';
 
 // ============================================================================
 // Type exports