@workos-inc/authkit-nextjs 0.10.1 → 0.11.1

package/dist/{cjs → esm}/session.js

@@ -1,24 +1,22 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.updateSession = exports.terminateSession = exports.refreshSession = exports.getUser = exports.encryptSession = void 0;
-const navigation_1 = require("next/navigation");
-const headers_1 = require("next/headers");
-const server_1 = require("next/server");
-const jose_1 = require("jose");
-const iron_session_1 = require("iron-session");
-const cookie_js_1 = require("./cookie.js");
-const workos_js_1 = require("./workos.js");
-const env_variables_js_1 = require("./env-variables.js");
-const get_authorization_url_js_1 = require("./get-authorization-url.js");
-const path_to_regexp_1 = require("path-to-regexp");
+'use server';
+import { redirect } from 'next/navigation';
+import { cookies, headers } from 'next/headers';
+import { NextResponse } from 'next/server';
+import { jwtVerify, createRemoteJWKSet, decodeJwt } from 'jose';
+import { sealData, unsealData } from 'iron-session';
+import { cookieOptions } from './cookie.js';
+import { workos } from './workos.js';
+import { WORKOS_CLIENT_ID, WORKOS_COOKIE_PASSWORD, WORKOS_COOKIE_NAME, WORKOS_REDIRECT_URI } from './env-variables.js';
+import { getAuthorizationUrl } from './get-authorization-url.js';
+import { parse, tokensToRegexp } from 'path-to-regexp';
 const sessionHeaderName = 'x-workos-session';
 const middlewareHeaderName = 'x-workos-middleware';
-const JWKS = (0, jose_1.createRemoteJWKSet)(new URL(workos_js_1.workos.userManagement.getJwksUrl(env_variables_js_1.WORKOS_CLIENT_ID)));
+const redirectUriHeaderName = 'x-redirect-uri';
+const JWKS = createRemoteJWKSet(new URL(workos.userManagement.getJwksUrl(WORKOS_CLIENT_ID)));
 async function encryptSession(session) {
-    return (0, iron_session_1.sealData)(session, { password: env_variables_js_1.WORKOS_COOKIE_PASSWORD });
+    return sealData(session, { password: WORKOS_COOKIE_PASSWORD });
 }
-exports.encryptSession = encryptSession;
-async function updateSession(request, debug, middlewareAuth) {
+async function updateSession(request, debug, middlewareAuth, redirectUri) {
     const session = await getSessionFromCookie();
     const newRequestHeaders = new Headers(request.headers);
     // We store the current request url in a custom header, so we can always have access to it
@@ -27,8 +25,12 @@ async function updateSession(request, debug, middlewareAuth) {
     newRequestHeaders.set('x-url', request.url);
     // Record that the request was routed through the middleware so we can check later for DX purposes
     newRequestHeaders.set(middlewareHeaderName, 'true');
+    // If the redirect URI is set, store it in the headers so we can use it later
+    if (redirectUri) {
+        newRequestHeaders.set(redirectUriHeaderName, redirectUri);
+    }
     newRequestHeaders.delete(sessionHeaderName);
-    const url = new URL(env_variables_js_1.WORKOS_REDIRECT_URI);
+    const url = new URL(WORKOS_REDIRECT_URI);
     if (middlewareAuth.enabled &&
         url.pathname === request.nextUrl.pathname &&
         !middlewareAuth.unauthenticatedPaths.includes(url.pathname)) {
@@ -49,31 +51,32 @@ async function updateSession(request, debug, middlewareAuth) {
     if (middlewareAuth.enabled && matchedPaths.length === 0 && !session) {
         if (debug)
             console.log('Unauthenticated user on protected route, redirecting to AuthKit');
-        return server_1.NextResponse.redirect(await (0, get_authorization_url_js_1.getAuthorizationUrl)({ returnPathname: getReturnPathname(request.url) }));
+        return NextResponse.redirect(await getAuthorizationUrl({ returnPathname: getReturnPathname(request.url) }));
     }
     // If no session, just continue
     if (!session) {
-        return server_1.NextResponse.next({
+        return NextResponse.next({
             request: { headers: newRequestHeaders },
         });
     }
     const hasValidSession = await verifyAccessToken(session.accessToken);
+    const cookieName = WORKOS_COOKIE_NAME || 'wos-session';
     if (hasValidSession) {
         if (debug)
             console.log('Session is valid');
         // set the x-workos-session header according to the current cookie value
-        newRequestHeaders.set(sessionHeaderName, (0, headers_1.cookies)().get(cookie_js_1.cookieName).value);
-        return server_1.NextResponse.next({
+        newRequestHeaders.set(sessionHeaderName, cookies().get(cookieName).value);
+        return NextResponse.next({
             request: { headers: newRequestHeaders },
         });
     }
     try {
         if (debug)
             console.log('Session invalid. Attempting refresh', session.refreshToken);
-        const { org_id: organizationId } = (0, jose_1.decodeJwt)(session.accessToken);
+        const { org_id: organizationId } = decodeJwt(session.accessToken);
         // If the session is invalid (i.e. the access token has expired) attempt to re-authenticate with the refresh token
-        const { accessToken, refreshToken, user, impersonator } = await workos_js_1.workos.userManagement.authenticateWithRefreshToken({
-            clientId: env_variables_js_1.WORKOS_CLIENT_ID,
+        const { accessToken, refreshToken, user, impersonator } = await workos.userManagement.authenticateWithRefreshToken({
+            clientId: WORKOS_CLIENT_ID,
             refreshToken: session.refreshToken,
             organizationId,
         });
@@ -87,24 +90,23 @@ async function updateSession(request, debug, middlewareAuth) {
             impersonator,
         });
         newRequestHeaders.set(sessionHeaderName, encryptedSession);
-        const response = server_1.NextResponse.next({
+        const response = NextResponse.next({
             request: { headers: newRequestHeaders },
         });
         // update the cookie
-        response.cookies.set(cookie_js_1.cookieName, encryptedSession, cookie_js_1.cookieOptions);
+        response.cookies.set(cookieName, encryptedSession, cookieOptions);
         return response;
     }
     catch (e) {
         if (debug)
             console.log('Failed to refresh. Deleting cookie and redirecting.', e);
-        const response = server_1.NextResponse.next({
+        const response = NextResponse.next({
             request: { headers: newRequestHeaders },
         });
-        response.cookies.delete(cookie_js_1.cookieName);
+        response.cookies.delete(cookieName);
         return response;
     }
 }
-exports.updateSession = updateSession;
 async function refreshSession({ organizationId: nextOrganizationId, ensureSignedIn = false, } = {}) {
     const session = await getSessionFromCookie();
     if (!session) {
@@ -113,9 +115,9 @@ async function refreshSession({ organizationId: nextOrganizationId, ensureSigned
         }
         return { user: null };
     }
-    const { org_id: organizationIdFromAccessToken } = (0, jose_1.decodeJwt)(session.accessToken);
-    const { accessToken, refreshToken, user, impersonator } = await workos_js_1.workos.userManagement.authenticateWithRefreshToken({
-        clientId: env_variables_js_1.WORKOS_CLIENT_ID,
+    const { org_id: organizationIdFromAccessToken } = decodeJwt(session.accessToken);
+    const { accessToken, refreshToken, user, impersonator } = await workos.userManagement.authenticateWithRefreshToken({
+        clientId: WORKOS_CLIENT_ID,
         refreshToken: session.refreshToken,
         organizationId: nextOrganizationId !== null && nextOrganizationId !== void 0 ? nextOrganizationId : organizationIdFromAccessToken,
     });
@@ -126,8 +128,9 @@ async function refreshSession({ organizationId: nextOrganizationId, ensureSigned
         user,
         impersonator,
     });
-    (0, headers_1.cookies)().set(cookie_js_1.cookieName, encryptedSession, cookie_js_1.cookieOptions);
-    const { sid: sessionId, org_id: organizationId, role, permissions } = (0, jose_1.decodeJwt)(accessToken);
+    const cookieName = WORKOS_COOKIE_NAME || 'wos-session';
+    cookies().set(cookieName, encryptedSession, cookieOptions);
+    const { sid: sessionId, org_id: organizationId, role, permissions } = decodeJwt(accessToken);
     return {
         sessionId,
         user: session.user,
@@ -138,15 +141,14 @@ async function refreshSession({ organizationId: nextOrganizationId, ensureSigned
         accessToken: session.accessToken,
     };
 }
-exports.refreshSession = refreshSession;
 function getMiddlewareAuthPathRegex(pathGlob) {
     let regex;
     try {
         // Redirect URI is only used to construct the URL
-        const url = new URL(pathGlob, env_variables_js_1.WORKOS_REDIRECT_URI);
+        const url = new URL(pathGlob, WORKOS_REDIRECT_URI);
         const path = `${url.pathname}${url.hash || ''}`;
-        const tokens = (0, path_to_regexp_1.parse)(path);
-        regex = (0, path_to_regexp_1.tokensToRegexp)(tokens).source;
+        const tokens = parse(path);
+        regex = tokensToRegexp(tokens).source;
         return new RegExp(regex);
     }
     catch (err) {
@@ -155,19 +157,19 @@ function getMiddlewareAuthPathRegex(pathGlob) {
     }
 }
 async function redirectToSignIn() {
-    const url = (0, headers_1.headers)().get('x-url');
+    const url = headers().get('x-url');
     const returnPathname = url ? getReturnPathname(url) : undefined;
-    (0, navigation_1.redirect)(await (0, get_authorization_url_js_1.getAuthorizationUrl)({ returnPathname }));
+    redirect(await getAuthorizationUrl({ returnPathname }));
 }
-async function getUser({ ensureSignedIn = false } = {}) {
-    const session = await getSessionFromHeader('getUser');
+async function withAuth({ ensureSignedIn = false } = {}) {
+    const session = await getSessionFromHeader();
     if (!session) {
         if (ensureSignedIn) {
             await redirectToSignIn();
         }
         return { user: null };
     }
-    const { sid: sessionId, org_id: organizationId, role, permissions } = (0, jose_1.decodeJwt)(session.accessToken);
+    const { sid: sessionId, org_id: organizationId, role, permissions } = decodeJwt(session.accessToken);
     return {
         sessionId,
         user: session.user,
@@ -178,44 +180,66 @@ async function getUser({ ensureSignedIn = false } = {}) {
         accessToken: session.accessToken,
     };
 }
-exports.getUser = getUser;
 async function terminateSession() {
-    const { sessionId } = await getUser();
+    const { sessionId } = await withAuth();
     if (sessionId) {
-        (0, navigation_1.redirect)(workos_js_1.workos.userManagement.getLogoutUrl({ sessionId }));
+        redirect(workos.userManagement.getLogoutUrl({ sessionId }));
     }
-    (0, navigation_1.redirect)('/');
+    redirect('/');
 }
-exports.terminateSession = terminateSession;
 async function verifyAccessToken(accessToken) {
     try {
-        await (0, jose_1.jwtVerify)(accessToken, JWKS);
+        await jwtVerify(accessToken, JWKS);
         return true;
     }
     catch (e) {
         return false;
     }
 }
-async function getSessionFromCookie() {
-    const cookie = (0, headers_1.cookies)().get(cookie_js_1.cookieName);
+async function getSessionFromCookie(response) {
+    const cookieName = WORKOS_COOKIE_NAME || 'wos-session';
+    const cookie = response ? response.cookies.get(cookieName) : cookies().get(cookieName);
     if (cookie) {
-        return (0, iron_session_1.unsealData)(cookie.value, {
-            password: env_variables_js_1.WORKOS_COOKIE_PASSWORD,
+        return unsealData(cookie.value, {
+            password: WORKOS_COOKIE_PASSWORD,
         });
     }
 }
-async function getSessionFromHeader(caller) {
-    const hasMiddleware = Boolean((0, headers_1.headers)().get(middlewareHeaderName));
+/**
+ * Retrieves the session from the cookie. Meant for use in the middleware, for client side use `withAuth` instead.
+ *
+ * @returns Session | undefined
+ */
+async function getSession(response) {
+    const session = await getSessionFromCookie(response);
+    if (!session)
+        return;
+    if (await verifyAccessToken(session.accessToken)) {
+        const { sid: sessionId, org_id: organizationId, role, permissions } = decodeJwt(session.accessToken);
+        return {
+            sessionId,
+            user: session.user,
+            organizationId,
+            role,
+            permissions,
+            impersonator: session.impersonator,
+            accessToken: session.accessToken,
+        };
+    }
+}
+async function getSessionFromHeader() {
+    const hasMiddleware = Boolean(headers().get(middlewareHeaderName));
     if (!hasMiddleware) {
-        throw new Error(`You are calling \`${caller}\` on a path that isn’t covered by the AuthKit middleware. Make sure it is running on all paths you are calling \`${caller}\` from by updating your middleware config in \`middleware.(js|ts)\`.`);
+        throw new Error("You are calling 'withAuth' on a path that isn’t covered by the AuthKit middleware. Make sure it is running on all paths you are calling `${caller}` from by updating your middleware config in `middleware.(js|ts)`.");
     }
-    const authHeader = (0, headers_1.headers)().get(sessionHeaderName);
+    const authHeader = headers().get(sessionHeaderName);
     if (!authHeader)
         return;
-    return (0, iron_session_1.unsealData)(authHeader, { password: env_variables_js_1.WORKOS_COOKIE_PASSWORD });
+    return unsealData(authHeader, { password: WORKOS_COOKIE_PASSWORD });
 }
 function getReturnPathname(url) {
     const newUrl = new URL(url);
     return `${newUrl.pathname}${newUrl.searchParams.size > 0 ? '?' + newUrl.searchParams.toString() : ''}`;
 }
+export { encryptSession, withAuth, refreshSession, terminateSession, updateSession, getSession };
 //# sourceMappingURL=session.js.map

package/dist/esm/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/session.ts"],"names":[],"mappings":"AAAA,YAAY,CAAC;AAEb,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAC3C,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAe,YAAY,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,SAAS,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAChE,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,gBAAgB,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACvH,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAGjE,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAEvD,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAC7C,MAAM,oBAAoB,GAAG,qBAAqB,CAAC;AACnD,MAAM,qBAAqB,GAAG,gBAAgB,CAAC;AAE/C,MAAM,IAAI,GAAG,kBAAkB,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,cAAc,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC;AAE7F,KAAK,UAAU,cAAc,CAAC,OAAgB;IAC5C,OAAO,QAAQ,CAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,sBAAsB,EAAE,CAAC,CAAC;AACjE,CAAC;AAED,KAAK,UAAU,aAAa,CAC1B,OAAoB,EACpB,KAAc,EACd,cAAqC,EACrC,WAAmB;IAEnB,MAAM,OAAO,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAC7C,MAAM,iBAAiB,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAEvD,0FAA0F;IAC1F,qGAAqG;IACrG,gFAAgF;IAChF,iBAAiB,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAE5C,kGAAkG;IAClG,iBAAiB,CAAC,GAAG,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;IAEpD,6EAA6E;IAC7E,IAAI,WAAW,EAAE,CAAC;QAChB,iBAAiB,CAAC,GAAG,CAAC,qBAAqB,EAAE,WAAW,CAAC,CAAC;IAC5D,CAAC;IAED,iBAAiB,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IAE5C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,mBAAmB,CAAC,CAAC;IAEzC,IACE,cAAc,CAAC,OAAO;QACtB,GAAG,CAAC,QAAQ,KAAK,OAAO,CAAC,OAAO,CAAC,QAAQ;QACzC,CAAC,cAAc,CAAC,oBAAoB,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAC3D,CAAC;QACD,qBAAqB;QACrB,qCAAqC;QACrC,kDAAkD;QAClD,6DAA6D;QAC7D,EAAE;QACF,mGAAmG;QACnG,4GAA4G;QAC5G,cAAc,CAAC,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,YAAY,GAAa,cAAc,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,EAAE;QACrF,MAAM,SAAS,GAAG,0BAA0B,CAAC,QAAQ,CAAC,CAAC;QAEvD,OAAO,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,4GAA4G;IAC5G,IAAI,cAAc,CAAC,OAAO,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QACpE,IAAI,KAAK;YAAE,OAAO,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAC;QAE1F,OAAO,YAAY,CAAC,QAAQ,CAAC,MAAM,mBAAmB,CAAC,EAAE,cAAc,EAAE,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;IAC9G,CAAC;IAED,+BAA+B;IAC/B,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,YAAY,CAAC,IAAI,CAAC;YACvB,OAAO,EAAE,EAAE,OAAO,EAAE,iBAAiB,EAAE;SACxC,CAAC,CAAC;IACL,CAAC;IAED,MAAM,eAAe,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IACrE,MAAM,UAAU,GAAG,kBAAkB,IAAI,aAAa,CAAC;IAEvD,IAAI,eAAe,EAAE,CAAC;QACpB,IAAI,KAAK;YAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;QAC3C,wEAAwE;QACxE,iBAAiB,CAAC,GAAG,CAAC,iBAAiB,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,UAAU,CAAE,CAAC,KAAK,CAAC,CAAC;QAC3E,OAAO,YAAY,CAAC,IAAI,CAAC;YACvB,OAAO,EAAE,EAAE,OAAO,EAAE,iBAAiB,EAAE;SACxC,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC;QACH,IAAI,KAAK;YAAE,OAAO,CAAC,GAAG,CAAC,qCAAqC,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;QAEpF,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,GAAG,SAAS,CAAc,OAAO,CAAC,WAAW,CAAC,CAAC;QAE/E,kHAAkH;QAClH,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,IAAI,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,4BAA4B,CAAC;YACjH,QAAQ,EAAE,gBAAgB;YAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,cAAc;SACf,CAAC,CAAC;QAEH,IAAI,KAAK;YAAE,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,YAAY,CAAC,CAAC;QAE5D,qDAAqD;QACrD,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC;YAC5C,WAAW;YACX,YAAY;YACZ,IAAI;YACJ,YAAY;SACb,CAAC,CAAC;QAEH,iBAAiB,CAAC,GAAG,CAAC,iBAAiB,EAAE,gBAAgB,CAAC,CAAC;QAE3D,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC;YACjC,OAAO,EAAE,EAAE,OAAO,EAAE,iBAAiB,EAAE;SACxC,CAAC,CAAC;QACH,oBAAoB;QACpB,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,gBAAgB,EAAE,aAAa,CAAC,CAAC;QAClE,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,KAAK;YAAE,OAAO,CAAC,GAAG,CAAC,qDAAqD,EAAE,CAAC,CAAC,CAAC;QACjF,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC;YACjC,OAAO,EAAE,EAAE,OAAO,EAAE,iBAAiB,EAAE;SACxC,CAAC,CAAC;QACH,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QACpC,OAAO,QAAQ,CAAC;IAClB,CAAC;AACH,CAAC;AAOD,KAAK,UAAU,cAAc,CAAC,EAC5B,cAAc,EAAE,kBAAkB,EAClC,cAAc,GAAG,KAAK,MAIpB,EAAE;IACJ,MAAM,OAAO,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAC7C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,gBAAgB,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,6BAA6B,EAAE,GAAG,SAAS,CAAc,OAAO,CAAC,WAAW,CAAC,CAAC;IAE9F,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,IAAI,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,4BAA4B,CAAC;QACjH,QAAQ,EAAE,gBAAgB;QAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,cAAc,EAAE,kBAAkB,aAAlB,kBAAkB,cAAlB,kBAAkB,GAAI,6BAA6B;KACpE,CAAC,CAAC;IAEH,qDAAqD;IACrD,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC;QAC5C,WAAW;QACX,YAAY;QACZ,IAAI;QACJ,YAAY;KACb,CAAC,CAAC;IAEH,MAAM,UAAU,GAAG,kBAAkB,IAAI,aAAa,CAAC;IACvD,OAAO,EAAE,CAAC,GAAG,CAAC,UAAU,EAAE,gBAAgB,EAAE,aAAa,CAAC,CAAC;IAE3D,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,cAAc,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,SAAS,CAAc,WAAW,CAAC,CAAC;IAE1G,OAAO;QACL,SAAS;QACT,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,cAAc;QACd,IAAI;QACJ,WAAW;QACX,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,WAAW,EAAE,OAAO,CAAC,WAAW;KACjC,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CAAC,QAAgB;IAClD,IAAI,KAAa,CAAC;IAElB,IAAI,CAAC;QACH,iDAAiD;QACjD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,mBAAmB,CAAC,CAAC;QACnD,MAAM,IAAI,GAAG,GAAG,GAAG,CAAC,QAAS,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;QAEjD,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3B,KAAK,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;QAEtC,OAAO,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAEjE,MAAM,IAAI,KAAK,CAAC,qDAAqD,OAAO,EAAE,CAAC,CAAC;IAClF,CAAC;AACH,CAAC;AAED,KAAK,UAAU,gBAAgB;IAC7B,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACnC,MAAM,cAAc,GAAG,GAAG,CAAC,CAAC,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAEhE,QAAQ,CAAC,MAAM,mBAAmB,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC;AAC1D,CAAC;AAID,KAAK,UAAU,QAAQ,CAAC,EAAE,cAAc,GAAG,KAAK,EAAE,GAAG,EAAE;IACrD,MAAM,OAAO,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAE7C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,gBAAgB,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,CAAC;IAED,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,cAAc,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,SAAS,CAAc,OAAO,CAAC,WAAW,CAAC,CAAC;IAElH,OAAO;QACL,SAAS;QACT,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,cAAc;QACd,IAAI;QACJ,WAAW;QACX,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,WAAW,EAAE,OAAO,CAAC,WAAW;KACjC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,gBAAgB;IAC7B,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,QAAQ,EAAE,CAAC;IACvC,IAAI,SAAS,EAAE,CAAC;QACd,QAAQ,CAAC,MAAM,CAAC,cAAc,CAAC,YAAY,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;IAC9D,CAAC;IACD,QAAQ,CAAC,GAAG,CAAC,CAAC;AAChB,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,WAAmB;IAClD,IAAI,CAAC;QACH,MAAM,SAAS,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,KAAK,UAAU,oBAAoB,CAAC,QAAuB;IACzD,MAAM,UAAU,GAAG,kBAAkB,IAAI,aAAa,CAAC;IACvD,MAAM,MAAM,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAEvF,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,UAAU,CAAU,MAAM,CAAC,KAAK,EAAE;YACvC,QAAQ,EAAE,sBAAsB;SACjC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,UAAU,CAAC,QAAuB;IAC/C,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC,QAAQ,CAAC,CAAC;IAErD,IAAI,CAAC,OAAO;QAAE,OAAO;IAErB,IAAI,MAAM,iBAAiB,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;QACjD,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,cAAc,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,SAAS,CAAc,OAAO,CAAC,WAAW,CAAC,CAAC;QAElH,OAAO;YACL,SAAS;YACT,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,cAAc;YACd,IAAI;YACJ,WAAW;YACX,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,WAAW,EAAE,OAAO,CAAC,WAAW;SACjC,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,oBAAoB;IACjC,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC,CAAC;IAEnE,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CACb,sNAAsN,CACvN,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,OAAO,EAAE,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACpD,IAAI,CAAC,UAAU;QAAE,OAAO;IAExB,OAAO,UAAU,CAAU,UAAU,EAAE,EAAE,QAAQ,EAAE,sBAAsB,EAAE,CAAC,CAAC;AAC/E,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAW;IACpC,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IAE5B,OAAO,GAAG,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,YAAY,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,MAAM,CAAC,YAAY,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;AACzG,CAAC;AAED,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,cAAc,EAAE,gBAAgB,EAAE,aAAa,EAAE,UAAU,EAAE,CAAC"}

package/dist/{cjs → esm}/workos.d.ts

@@ -1,4 +1,4 @@
 import { WorkOS } from '@workos-inc/node';
-export declare const VERSION = "0.10.1";
+export declare const VERSION = "0.11.1";
 declare const workos: WorkOS;
 export { workos };

package/dist/esm/workos.js

@@ -0,0 +1,16 @@
+import { WorkOS } from '@workos-inc/node';
+import { WORKOS_API_HOSTNAME, WORKOS_API_KEY, WORKOS_API_HTTPS, WORKOS_API_PORT } from './env-variables.js';
+export const VERSION = '0.11.1';
+const options = {
+    apiHostname: WORKOS_API_HOSTNAME,
+    https: WORKOS_API_HTTPS ? WORKOS_API_HTTPS === 'true' : true,
+    port: WORKOS_API_PORT ? parseInt(WORKOS_API_PORT) : undefined,
+    appInfo: {
+        name: 'authkit/nextjs',
+        version: VERSION,
+    },
+};
+// Initialize the WorkOS client
+const workos = new WorkOS(WORKOS_API_KEY, options);
+export { workos };
+//# sourceMappingURL=workos.js.map

package/dist/esm/workos.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"workos.js","sourceRoot":"","sources":["../../src/workos.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAE5G,MAAM,CAAC,MAAM,OAAO,GAAG,QAAQ,CAAC;AAEhC,MAAM,OAAO,GAAG;IACd,WAAW,EAAE,mBAAmB;IAChC,KAAK,EAAE,gBAAgB,CAAC,CAAC,CAAC,gBAAgB,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI;IAC5D,IAAI,EAAE,eAAe,CAAC,CAAC,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,SAAS;IAC7D,OAAO,EAAE;QACP,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,OAAO;KACjB;CACF,CAAC;AAEF,+BAA+B;AAC/B,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;AAEnD,OAAO,EAAE,MAAM,EAAE,CAAC"}

package/package.json

@@ -1,11 +1,11 @@
 {
   "name": "@workos-inc/authkit-nextjs",
-  "version": "0.10.1",
+  "version": "0.11.1",
   "description": "Authentication and session helpers for using WorkOS & AuthKit with Next.js",
   "sideEffects": false,
-  "type": "commonjs",
-  "main": "./dist/cjs/index.js",
-  "types": "./dist/cjs/index.d.ts",
+  "type": "module",
+  "main": "./dist/esm/index.js",
+  "types": "./dist/esm/index.d.ts",
   "files": [
     "dist",
     "src",
@@ -15,13 +15,13 @@
   "scripts": {
     "clean": "rm -rf dist",
     "prebuild": "npm run clean",
-    "build": "tsc --project tsconfig-cjs.json",
+    "build": "tsc --project tsconfig.json",
     "prepublishOnly": "npm run lint",
     "lint": "eslint \"src/**/*.ts*\"",
     "test": "echo \"Error: no test specified\" && exit 1"
   },
   "dependencies": {
-    "@workos-inc/node": "7.21.0",
+    "@workos-inc/node": "7.26.0",
     "iron-session": "^8.0.1",
     "jose": "^5.2.3",
     "path-to-regexp": "^6.2.2"

package/src/auth.ts

@@ -1,7 +1,9 @@
+'use server';
+
 import { getAuthorizationUrl } from './get-authorization-url.js';
 import { cookies } from 'next/headers';
-import { cookieName } from './cookie.js';
 import { terminateSession } from './session.js';
+import { WORKOS_COOKIE_NAME } from './env-variables.js';
 
 async function getSignInUrl({ organizationId }: { organizationId?: string } = {}) {
   return getAuthorizationUrl({ organizationId, screenHint: 'sign-in' });
@@ -12,6 +14,7 @@ async function getSignUpUrl() {
 }
 
 async function signOut() {
+  const cookieName = WORKOS_COOKIE_NAME || 'wos-session';
   cookies().delete(cookieName);
   await terminateSession();
 }

package/src/authkit-callback-route.ts

@@ -1,9 +1,9 @@
 import { NextRequest, NextResponse } from 'next/server';
 import { cookies } from 'next/headers';
 import { workos } from './workos.js';
-import { WORKOS_CLIENT_ID } from './env-variables.js';
+import { WORKOS_CLIENT_ID, WORKOS_COOKIE_NAME } from './env-variables.js';
 import { encryptSession } from './session.js';
-import { cookieName, cookieOptions } from './cookie.js';
+import { cookieOptions } from './cookie.js';
 import { HandleAuthOptions } from './interfaces.js';
 
 export function handleAuth(options: HandleAuthOptions = {}) {
@@ -50,6 +50,8 @@ export function handleAuth(options: HandleAuthOptions = {}) {
         // The refreshToken should never be accesible publicly, hence why we encrypt it in the cookie session
         // Alternatively you could persist the refresh token in a backend database
         const session = await encryptSession({ accessToken, refreshToken, user, impersonator });
+        const cookieName = WORKOS_COOKIE_NAME || 'wos-session';
+
         cookies().set(cookieName, session, cookieOptions);
 
         return response;

package/src/{provider.tsx → authkit-provider.tsx}

@@ -12,7 +12,7 @@ interface AuthKitProviderProps {
   onSessionExpired?: false | (() => void);
 }
 
-export const AuthKitProvider = ({ children, onSessionExpired = false }: AuthKitProviderProps) => {
+export const AuthKitProvider = ({ children, onSessionExpired }: AuthKitProviderProps) => {
   React.useEffect(() => {
     // Return early if the session expired checks are disabled.
     if (onSessionExpired === false) {
@@ -38,10 +38,14 @@ export const AuthKitProvider = ({ children, onSessionExpired = false }: AuthKitP
             throw new Error('Session expired');
           }
         } catch (error) {
-          if (onSessionExpired) {
-            onSessionExpired();
-          } else {
-            window.location.reload();
+          // 'Failed to fetch' is the error we are looking for if the action fails
+          // If any other error happens, for other reasons, we should not reload the page
+          if (error instanceof Error && error.message.includes('Failed to fetch')) {
+            if (onSessionExpired) {
+              onSessionExpired();
+            } else {
+              window.location.reload();
+            }
           }
         } finally {
           visibilityChangedCalled = false;

package/src/cookie.ts

@@ -3,7 +3,6 @@ import { WORKOS_REDIRECT_URI, WORKOS_COOKIE_MAX_AGE, WORKOS_COOKIE_DOMAIN } from
 const redirectUrl = new URL(WORKOS_REDIRECT_URI);
 const isSecureProtocol = redirectUrl.protocol === 'https:';
 
-const cookieName = 'wos-session';
 const cookieOptions = {
   path: '/',
   httpOnly: true,
@@ -16,4 +15,4 @@ const cookieOptions = {
   domain: WORKOS_COOKIE_DOMAIN,
 };
 
-export { cookieName, cookieOptions };
+export { cookieOptions };

package/src/env-variables.ts

@@ -1,37 +1,27 @@
-function getEnvVariable(name: string): string {
-  const envVariable = process.env[name];
-  if (!envVariable) {
-    throw new Error(`${name} environment variable is not set`);
-  }
-  return envVariable;
-}
-
-function getOptionalEnvVariable(name: string): string | undefined {
+function getEnvVariable(name: string): string | undefined {
   return process.env[name];
 }
 
-const WORKOS_CLIENT_ID = getEnvVariable('WORKOS_CLIENT_ID');
-const WORKOS_API_KEY = getEnvVariable('WORKOS_API_KEY');
-const WORKOS_REDIRECT_URI = getEnvVariable('WORKOS_REDIRECT_URI');
-const WORKOS_COOKIE_PASSWORD = getEnvVariable('WORKOS_COOKIE_PASSWORD');
-const WORKOS_API_HOSTNAME = getOptionalEnvVariable('WORKOS_API_HOSTNAME');
-const WORKOS_API_HTTPS = getOptionalEnvVariable('WORKOS_API_HTTPS');
-const WORKOS_API_PORT = getOptionalEnvVariable('WORKOS_API_PORT');
-const WORKOS_COOKIE_DOMAIN = getOptionalEnvVariable('WORKOS_COOKIE_DOMAIN');
-const WORKOS_COOKIE_MAX_AGE = getOptionalEnvVariable('WORKOS_COOKIE_MAX_AGE');
-
-if (WORKOS_COOKIE_PASSWORD.length < 32) {
-  throw new Error('WORKOS_COOKIE_PASSWORD must be at least 32 characters long');
-}
+const WORKOS_API_HOSTNAME = getEnvVariable('WORKOS_API_HOSTNAME');
+const WORKOS_API_HTTPS = getEnvVariable('WORKOS_API_HTTPS');
+const WORKOS_API_KEY = getEnvVariable('WORKOS_API_KEY') ?? '';
+const WORKOS_API_PORT = getEnvVariable('WORKOS_API_PORT');
+const WORKOS_CLIENT_ID = getEnvVariable('WORKOS_CLIENT_ID') ?? '';
+const WORKOS_COOKIE_DOMAIN = getEnvVariable('WORKOS_COOKIE_DOMAIN');
+const WORKOS_COOKIE_MAX_AGE = getEnvVariable('WORKOS_COOKIE_MAX_AGE');
+const WORKOS_COOKIE_NAME = getEnvVariable('WORKOS_COOKIE_NAME');
+const WORKOS_COOKIE_PASSWORD = getEnvVariable('WORKOS_COOKIE_PASSWORD') ?? '';
+const WORKOS_REDIRECT_URI = process.env.NEXT_PUBLIC_WORKOS_REDIRECT_URI ?? '';
 
 export {
-  WORKOS_CLIENT_ID,
-  WORKOS_API_KEY,
-  WORKOS_REDIRECT_URI,
-  WORKOS_COOKIE_PASSWORD,
   WORKOS_API_HOSTNAME,
   WORKOS_API_HTTPS,
+  WORKOS_API_KEY,
   WORKOS_API_PORT,
+  WORKOS_CLIENT_ID,
   WORKOS_COOKIE_DOMAIN,
   WORKOS_COOKIE_MAX_AGE,
+  WORKOS_COOKIE_NAME,
+  WORKOS_COOKIE_PASSWORD,
+  WORKOS_REDIRECT_URI,
 };

package/src/get-authorization-url.ts

@@ -1,14 +1,17 @@
 import { workos } from './workos.js';
 import { WORKOS_CLIENT_ID, WORKOS_REDIRECT_URI } from './env-variables.js';
 import { GetAuthURLOptions } from './interfaces.js';
+import { headers } from 'next/headers';
 
 async function getAuthorizationUrl(options: GetAuthURLOptions = {}) {
   const { returnPathname, screenHint, organizationId } = options;
 
+  const redirectUri = headers().get('x-redirect-uri');
+
   return workos.userManagement.getAuthorizationUrl({
     provider: 'authkit',
     clientId: WORKOS_CLIENT_ID,
-    redirectUri: WORKOS_REDIRECT_URI,
+    redirectUri: redirectUri ?? WORKOS_REDIRECT_URI,
     state: returnPathname ? btoa(JSON.stringify({ returnPathname })) : undefined,
     screenHint,
     organizationId,

package/src/impersonation.tsx

@@ -1,5 +1,5 @@
 import * as React from 'react';
-import { getUser } from './session.js';
+import { withAuth } from './session.js';
 import { signOut } from './auth.js';
 import { workos } from './workos.js';
 import { Button } from './button.js';
@@ -10,7 +10,7 @@ interface ImpersonationProps extends React.ComponentPropsWithoutRef<'div'> {
 }
 
 export async function Impersonation({ side = 'bottom', ...props }: ImpersonationProps) {
-  const { impersonator, user, organizationId } = await getUser();
+  const { impersonator, user, organizationId } = await withAuth();
 
   if (!impersonator) return null;
 

package/src/index.ts

@@ -1,18 +1,19 @@
 import { handleAuth } from './authkit-callback-route.js';
 import { authkitMiddleware } from './middleware.js';
-import { getUser, refreshSession } from './session.js';
+import { withAuth, refreshSession, getSession } from './session.js';
 import { getSignInUrl, getSignUpUrl, signOut } from './auth.js';
 import { Impersonation } from './impersonation.js';
-import { AuthKitProvider } from './provider.js';
+import { AuthKitProvider } from './authkit-provider.js';
 
 export {
   handleAuth,
   //
   authkitMiddleware,
+  getSession,
   //
   getSignInUrl,
   getSignUpUrl,
-  getUser,
+  withAuth,
   refreshSession,
   signOut,
   //

package/src/interfaces.ts

@@ -44,6 +44,7 @@ export interface GetAuthURLOptions {
   screenHint?: 'sign-up' | 'sign-in';
   returnPathname?: string;
   organizationId?: string;
+  redirectUri?: string;
 }
 
 export interface AuthkitMiddlewareAuth {
@@ -54,4 +55,5 @@ export interface AuthkitMiddlewareAuth {
 export interface AuthkitMiddlewareOptions {
   debug?: boolean;
   middlewareAuth?: AuthkitMiddlewareAuth;
+  redirectUri?: string;
 }

package/src/middleware.ts

@@ -5,8 +5,9 @@ import { AuthkitMiddlewareOptions } from './interfaces.js';
 export function authkitMiddleware({
   debug = false,
   middlewareAuth = { enabled: false, unauthenticatedPaths: [] },
+  redirectUri = '',
 }: AuthkitMiddlewareOptions = {}): NextMiddleware {
   return function (request) {
-    return updateSession(request, debug, middlewareAuth);
+    return updateSession(request, debug, middlewareAuth, redirectUri);
   };
 }