@mastra/auth-workos 1.5.4 → 1.6.0-alpha.0
- package/CHANGELOG.md +34 -0
- package/dist/auth-provider.d.ts +8 -1
- package/dist/auth-provider.d.ts.map +1 -1
- package/dist/index.cjs +38 -15
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +38 -15
- package/dist/index.js.map +1 -1
- package/package.json +5 -5
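--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -414,28 +414,51 @@ var MastraAuthWorkos = class extends MastraAuthProvider {
 /**
 * Handle the OAuth callback from WorkOS.
 *
-* Uses
+* Uses WorkOS SDK's authenticateWithCode directly instead of AuthKit's handleCallback.
+* AuthKit's handleCallback requires PKCE cookies that must be set during getLoginUrl()
+* and read during handleCallback(), but our ISSOProvider interface separates these
+* calls across different requests without cookie propagation.
+*
+* This approach was the original implementation before commit 6e4d4f5cf3 introduced
+* a regression by switching to AuthKit's handleCallback with dummy Request/Response
+* objects that couldn't provide the required PKCE cookies.
 */
 async handleCallback(code, _state) {
-const
-
-
-
-// Dummy response to get headers
-{ code, state: _state }
-);
+const authResponse = await this.workos.userManagement.authenticateWithCode({
+clientId: this.clientId,
+code
+});
 const user = {
-...mapWorkOSUserToEEUser(
-workosId:
-organizationId:
+...mapWorkOSUserToEEUser(authResponse.user),
+workosId: authResponse.user.id,
+organizationId: authResponse.organizationId
+};
+const sessionData = {
+accessToken: authResponse.accessToken,
+refreshToken: authResponse.refreshToken,
+user: authResponse.user,
+organizationId: authResponse.organizationId,
+impersonator: authResponse.impersonator
 };
-const
-const
+const cookiePassword = this.config.cookiePassword;
+const cookieName = this.config.cookieName ?? "wos_session";
+let cookies;
+if (cookiePassword) {
+const encryptedSession = await sessionEncryption.sealData(sessionData, { password: cookiePassword });
+const cookieOptions = [
+`${cookieName}=${encryptedSession}`,
+"Path=/",
+"HttpOnly",
+`SameSite=${this.config.cookieSameSite ?? "Lax"}`,
+process.env["NODE_ENV"] === "production" ? "Secure" : ""
+].filter(Boolean).join("; ");
+cookies = [cookieOptions];
+}
 return {
 user,
 tokens: {
-accessToken:
-refreshToken:
+accessToken: authResponse.accessToken,
+refreshToken: authResponse.refreshToken
 },
 cookies
 };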
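Review bot: `handleCallback` now exchanges `code` through `authenticateWithCode` without using `_state` and, per the new doc comment, without the PKCE cookies, so nothing visible in this method ties the callback to the login request that started it. If the caller does not already compare `state` with the value issued by `getLoginUrl()`, the flow is exposed to login CSRF; I would at least record the contract in the doc block, e.g. `* NOTE: _state is not verified here; the caller must validate it before invoking handleCallback.` Separately, the `Secure` attribute depends only on `process.env["NODE_ENV"] === "production"`, so an HTTPS deployment running with another `NODE_ENV` value, or one that sets `cookieSameSite` to `None`, would emit the sealed session cookie without it. The method's closing brace lies outside the hunk.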