@mastra/auth-workos 1.5.5-alpha.0 → 1.6.0
- package/CHANGELOG.md +38 -0
- package/dist/auth-provider.d.ts +8 -1
- package/dist/auth-provider.d.ts.map +1 -1
- package/dist/index.cjs +38 -15
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +38 -15
- package/dist/index.js.map +1 -1
- package/package.json +5 -5
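--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,43 @@
 # @mastra/auth-workos
 
+## 1.6.0
+
+### Minor Changes
+
+- Random bump ([#18178](https://github.com/mastra-ai/mastra/pull/18178))
+
+### Patch Changes
+
+- Fix WorkOS OAuth login failing with "PKCE verifier cookie missing" error. SSO login now works correctly for both single auth and dual auth configurations. ([#18035](https://github.com/mastra-ai/mastra/pull/18035))
+
+- Updated dependencies [[`7c0d868`](https://github.com/mastra-ai/mastra/commit/7c0d868d97d0fdbc04c14d0166dbf44d4c5a4a62), [`d9d2273`](https://github.com/mastra-ai/mastra/commit/d9d2273c702690c9a26eab2aebea879701d4355a), [`b04369d`](https://github.com/mastra-ai/mastra/commit/b04369d6b167c698ef103981171a8bf92808e756), [`8f3c262`](https://github.com/mastra-ai/mastra/commit/8f3c262587b335588a02d96b17fd6aca34c885b3)]:
+- @mastra/core@1.45.0
+- @mastra/auth@1.1.0
+
+## 1.6.0-alpha.0
+
+### Minor Changes
+
+- Random bump ([#18178](https://github.com/mastra-ai/mastra/pull/18178))
+
+### Patch Changes
+
+- Fix WorkOS OAuth login failing with "PKCE verifier cookie missing" error. SSO login now works correctly for both single auth and dual auth configurations. ([#18035](https://github.com/mastra-ai/mastra/pull/18035))
+
+- Updated dependencies [[`7c0d868`](https://github.com/mastra-ai/mastra/commit/7c0d868d97d0fdbc04c14d0166dbf44d4c5a4a62), [`d9d2273`](https://github.com/mastra-ai/mastra/commit/d9d2273c702690c9a26eab2aebea879701d4355a), [`b04369d`](https://github.com/mastra-ai/mastra/commit/b04369d6b167c698ef103981171a8bf92808e756), [`8f3c262`](https://github.com/mastra-ai/mastra/commit/8f3c262587b335588a02d96b17fd6aca34c885b3)]:
+- @mastra/core@1.45.0-alpha.0
+- @mastra/auth@1.1.0-alpha.0
+
+## 1.5.5
+
+### Patch Changes
+
+- Security remediation for the 2026-06-17 "easy-day-js" supply-chain incident. Patch bump to publish clean versions and move the `latest` dist-tag forward, superseding the compromised versions that declared the malicious `easy-day-js` dependency. ([#18056](https://github.com/mastra-ai/mastra/pull/18056))
+
+- Updated dependencies [[`339c57c`](https://github.com/mastra-ai/mastra/commit/339c57c5b2c6dbe75a125e138228e0556528976f), [`1dd4117`](https://github.com/mastra-ai/mastra/commit/1dd4117dcbd8e031ede9f0489436bfbc6f0315b8), [`2b11d1f`](https://github.com/mastra-ai/mastra/commit/2b11d1f6ac7024c5dd2b2dd12a48a956ac9d63bd), [`77a2351`](https://github.com/mastra-ai/mastra/commit/77a2351ee79296e360bce822cb3391f7cfd6489d), [`b7dff0a`](https://github.com/mastra-ai/mastra/commit/b7dff0a3d1022eb6868f48dc40a2b1febd5c277f), [`02087e1`](https://github.com/mastra-ai/mastra/commit/02087e1fbc54aa07f3071f7a200df1bf5be601a8), [`49af8df`](https://github.com/mastra-ai/mastra/commit/49af8df589c4ff71a5015a4553b377b32704b691), [`30ce559`](https://github.com/mastra-ai/mastra/commit/30ce55902ecf819b8ab8697398dd68b108228063), [`c241b92`](https://github.com/mastra-ai/mastra/commit/c241b929dc8c8d6a7b7219c99ed13ac1f3124a77), [`7d6ff70`](https://github.com/mastra-ai/mastra/commit/7d6ff708727297a0526ca0e26e93eeb5bbaaa187), [`ab975d4`](https://github.com/mastra-ai/mastra/commit/ab975d4dd9488752f05bda7afa03166d207e3e2a), [`9d6aa1b`](https://github.com/mastra-ai/mastra/commit/9d6aa1bae407e2afa6a089abc2a6accbbcb287b8)]:
+- @mastra/core@1.44.0
+- @mastra/auth@1.0.3
+
 ## 1.5.5-alpha.0
 
 ### Patch Changes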
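--- a/package/dist/auth-provider.d.ts
+++ b/package/dist/auth-provider.d.ts
@@ -87,7 +87,14 @@ export declare class MastraAuthWorkos extends MastraAuthProvider<WorkOSUser> imp
 /**
 * Handle the OAuth callback from WorkOS.
 *
-* Uses
+* Uses WorkOS SDK's authenticateWithCode directly instead of AuthKit's handleCallback.
+* AuthKit's handleCallback requires PKCE cookies that must be set during getLoginUrl()
+* and read during handleCallback(), but our ISSOProvider interface separates these
+* calls across different requests without cookie propagation.
+*
+* This approach was the original implementation before commit 6e4d4f5cf3 introduced
+* a regression by switching to AuthKit's handleCallback with dummy Request/Response
+* objects that couldn't provide the required PKCE cookies.
 */
 handleCallback(code: string, _state: string): Promise<SSOCallbackResult<EEUser>>;
 /**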
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth-provider.d.ts","sourceRoot":"","sources":["../src/auth-provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EACV,aAAa,EACb,YAAY,EACZ,gBAAgB,EAChB,OAAO,EACP,iBAAiB,EACjB,cAAc,EACf,MAAM,mBAAmB,CAAC;AAC3B,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAEnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,EAAE,WAAW,EAAqB,MAAM,yBAAyB,CAAC;AACzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAC/D,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAErC,KAAK,eAAe,GAAG;IACrB,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;CAC1C,CAAC;AAEF,KAAK,iBAAiB,GAAG,OAAO,GAAG,eAAe,CAAC;AAWnD,OAAO,KAAK,EAAE,UAAU,EAAE,uBAAuB,EAAE,MAAM,YAAY,CAAC;AAWtE;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,gBACX,SAAQ,kBAAkB,CAAC,UAAU,CACrC,YAAW,aAAa,CAAC,MAAM,CAAC,EAAE,YAAY,CAAC,MAAM,CAAC,EAAE,gBAAgB,CAAC,OAAO,CAAC;IAEjF,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC;IACzB,SAAS,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC3B,SAAS,CAAC,WAAW,EAAE,MAAM,CAAC;IAC9B,SAAS,CAAC,SAAS,EAAE,uBAAuB,CAAC,KAAK,CAAC,CAAC;IACpD,SAAS,CAAC,WAAW,EAAE,WAAW,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IACtD,SAAS,CAAC,MAAM,EAAE,aAAa,CAAC;IAChC,SAAS,CAAC,gBAAgB,EAAE,OAAO,CAAC;IACpC,SAAS,CAAC,cAAc,EAAE,OAAO,CAAC;IAClC,SAAS,CAAC,eAAe,CAAC,EAAE,uBAAuB,CAAC,WAAW,CAAC,CAAC;IACjE,SAAS,CAAC,mBAAmB,CAAC,EAAE,uBAAuB,CAAC,qBAAqB,CAAC,CAAC;IAC/E,SAAS,CAAC,eAAe,EAAE,QAAQ,CAAC,MAAM,EAAE,sBAAsB,EAAE,CAAC,CAAC;gBAE1D,OAAO,CAAC,EAAE,uBAAuB;IA+E7C;;;;;OAKG;IACG,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAgF9F;;OAEG;IACG,aAAa,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC;IAQvD;;OAEG;IACG,cAAc,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAyC9D;;OAEG;IACG,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAYzD;;OAEG;IACH,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;YAIzB,cAAc;YAoBd,yBAAyB;IAiBvC,OAAO,CAAC,iCAAiC;IAIzC,OAAO,CAAC,qBAAqB;IA6C7B,OAAO,CAAC,sBAAsB;IAmB9B,OAAO,CAAC,mBAA
mB;IA+B3B,OAAO,CAAC,YAAY;IAoBpB;;OAEG;IACH,WAAW,CAAC,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM;IA8BvD
|
|
1
|
+
{"version":3,"file":"auth-provider.d.ts","sourceRoot":"","sources":["../src/auth-provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EACV,aAAa,EACb,YAAY,EACZ,gBAAgB,EAChB,OAAO,EACP,iBAAiB,EACjB,cAAc,EACf,MAAM,mBAAmB,CAAC;AAC3B,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAEnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,EAAE,WAAW,EAAqB,MAAM,yBAAyB,CAAC;AACzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAC/D,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAErC,KAAK,eAAe,GAAG;IACrB,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;CAC1C,CAAC;AAEF,KAAK,iBAAiB,GAAG,OAAO,GAAG,eAAe,CAAC;AAWnD,OAAO,KAAK,EAAE,UAAU,EAAE,uBAAuB,EAAE,MAAM,YAAY,CAAC;AAWtE;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,gBACX,SAAQ,kBAAkB,CAAC,UAAU,CACrC,YAAW,aAAa,CAAC,MAAM,CAAC,EAAE,YAAY,CAAC,MAAM,CAAC,EAAE,gBAAgB,CAAC,OAAO,CAAC;IAEjF,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC;IACzB,SAAS,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC3B,SAAS,CAAC,WAAW,EAAE,MAAM,CAAC;IAC9B,SAAS,CAAC,SAAS,EAAE,uBAAuB,CAAC,KAAK,CAAC,CAAC;IACpD,SAAS,CAAC,WAAW,EAAE,WAAW,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IACtD,SAAS,CAAC,MAAM,EAAE,aAAa,CAAC;IAChC,SAAS,CAAC,gBAAgB,EAAE,OAAO,CAAC;IACpC,SAAS,CAAC,cAAc,EAAE,OAAO,CAAC;IAClC,SAAS,CAAC,eAAe,CAAC,EAAE,uBAAuB,CAAC,WAAW,CAAC,CAAC;IACjE,SAAS,CAAC,mBAAmB,CAAC,EAAE,uBAAuB,CAAC,qBAAqB,CAAC,CAAC;IAC/E,SAAS,CAAC,eAAe,EAAE,QAAQ,CAAC,MAAM,EAAE,sBAAsB,EAAE,CAAC,CAAC;gBAE1D,OAAO,CAAC,EAAE,uBAAuB;IA+E7C;;;;;OAKG;IACG,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAgF9F;;OAEG;IACG,aAAa,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC;IAQvD;;OAEG;IACG,cAAc,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAyC9D;;OAEG;IACG,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAYzD;;OAEG;IACH,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;YAIzB,cAAc;YAoBd,yBAAyB;IAiBvC,OAAO,CAAC,iCAAiC;IAIzC,OAAO,CAAC,qBAAqB;IA6C7B,OAAO,CAAC,sBAAsB;IAmB9B,OAAO,CAAC,mBAA
mB;IA+B3B,OAAO,CAAC,YAAY;IAoBpB;;OAEG;IACH,WAAW,CAAC,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM;IA8BvD;;;;;;;;;;;OAWG;IACG,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAoDtF;;;;;;;OAOG;IACG,YAAY,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAiClF;;OAEG;IACH,oBAAoB,IAAI,cAAc;IAyBtC;;;;;OAKG;IACG,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC;IAczF;;;;OAIG;IACG,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAMlE;;OAEG;IACG,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAKvD;;OAEG;IACG,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAKjE;;OAEG;IACH,uBAAuB,CAAC,QAAQ,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI;IAMzD;;OAEG;IACH,iBAAiB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAU3D;;OAEG;IACH,sBAAsB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAShD;;OAEG;IACH,SAAS,IAAI,MAAM;IAInB;;OAEG;IACH,cAAc,IAAI,WAAW,CAAC,OAAO,EAAE,QAAQ,CAAC;IAIhD;;OAEG;IACH,WAAW,IAAI,MAAM;IAIrB;;OAEG;IACH,cAAc,IAAI,MAAM;CAGzB"}
|
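--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -416,28 +416,51 @@ var MastraAuthWorkos = class extends server.MastraAuthProvider {
 /**
 * Handle the OAuth callback from WorkOS.
 *
-* Uses
+* Uses WorkOS SDK's authenticateWithCode directly instead of AuthKit's handleCallback.
+* AuthKit's handleCallback requires PKCE cookies that must be set during getLoginUrl()
+* and read during handleCallback(), but our ISSOProvider interface separates these
+* calls across different requests without cookie propagation.
+*
+* This approach was the original implementation before commit 6e4d4f5cf3 introduced
+* a regression by switching to AuthKit's handleCallback with dummy Request/Response
+* objects that couldn't provide the required PKCE cookies.
 */
 async handleCallback(code, _state) {
-const
-
-
-
-// Dummy response to get headers
-{ code, state: _state }
-);
+const authResponse = await this.workos.userManagement.authenticateWithCode({
+clientId: this.clientId,
+code
+});
 const user = {
-...mapWorkOSUserToEEUser(
-workosId:
-organizationId:
+...mapWorkOSUserToEEUser(authResponse.user),
+workosId: authResponse.user.id,
+organizationId: authResponse.organizationId
+};
+const sessionData = {
+accessToken: authResponse.accessToken,
+refreshToken: authResponse.refreshToken,
+user: authResponse.user,
+organizationId: authResponse.organizationId,
+impersonator: authResponse.impersonator
 };
-const
-const
+const cookiePassword = this.config.cookiePassword;
+const cookieName = this.config.cookieName ?? "wos_session";
+let cookies;
+if (cookiePassword) {
+const encryptedSession = await authkitSession.sessionEncryption.sealData(sessionData, { password: cookiePassword });
+const cookieOptions = [
+`${cookieName}=${encryptedSession}`,
+"Path=/",
+"HttpOnly",
+`SameSite=${this.config.cookieSameSite ?? "Lax"}`,
+process.env["NODE_ENV"] === "production" ? "Secure" : ""
+].filter(Boolean).join("; ");
+cookies = [cookieOptions];
+}
 return {
 user,
 tokens: {
-accessToken:
-refreshToken:
+accessToken: authResponse.accessToken,
+refreshToken: authResponse.refreshToken
 },
 cookies
 };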
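Review bot: `handleCallback` now exchanges the code with `authenticateWithCode({ clientId, code })` and never reads `_state` or passes a PKCE verifier, so nothing in this method binds the callback to the browser session that started the login. Whether the caller compares `state` with the value issued at login is not visible here; if it does not, the flow accepts a code that a different session obtained (login CSRF), so the contract should be stated in the doc comment, e.g. `* Callers MUST verify state against the value issued by getLoginUrl() before calling this method.` The session cookie also gets `Secure` only when `NODE_ENV` is `production`, which leaves it off on any other HTTPS deployment and when `cookieSameSite` is configured as `None`; deriving the flag from the request scheme or an explicit config option would be safer. `package/dist/index.js` shows the same +38 -15 in the file list and presumably carries the same code, and the method's closing brace lies outside the hunk.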