@workos-inc/authkit-nextjs 0.17.2 → 1.0.0

package/src/components/authkit-provider.tsx

@@ -0,0 +1,169 @@
+'use client';
+
+import React, { createContext, ReactNode, useContext, useEffect, useState } from 'react';
+import { checkSessionAction, getAuthAction, refreshAuthAction } from '../actions.js';
+import type { Impersonator, User } from '@workos-inc/node';
+
+type AuthContextType = {
+  user: User | null;
+  sessionId: string | undefined;
+  organizationId: string | undefined;
+  role: string | undefined;
+  permissions: string[] | undefined;
+  entitlements: string[] | undefined;
+  impersonator: Impersonator | undefined;
+  accessToken: string | undefined;
+  loading: boolean;
+  getAuth: (options?: { ensureSignedIn?: boolean }) => Promise<void>;
+  refreshAuth: (options?: { ensureSignedIn?: boolean; organizationId?: string }) => Promise<void | { error: string }>;
+};
+
+const AuthContext = createContext<AuthContextType | undefined>(undefined);
+
+interface AuthKitProviderProps {
+  children: ReactNode;
+  /**
+   * Customize what happens when a session is expired. By default,the entire page will be reloaded.
+   * You can also pass this as `false` to disable the expired session checks.
+   */
+  onSessionExpired?: false | (() => void);
+}
+
+export const AuthKitProvider = ({ children, onSessionExpired }: AuthKitProviderProps) => {
+  const [user, setUser] = useState<User | null>(null);
+  const [sessionId, setSessionId] = useState<string | undefined>(undefined);
+  const [organizationId, setOrganizationId] = useState<string | undefined>(undefined);
+  const [role, setRole] = useState<string | undefined>(undefined);
+  const [permissions, setPermissions] = useState<string[] | undefined>(undefined);
+  const [entitlements, setEntitlements] = useState<string[] | undefined>(undefined);
+  const [impersonator, setImpersonator] = useState<Impersonator | undefined>(undefined);
+  const [accessToken, setAccessToken] = useState<string | undefined>(undefined);
+  const [loading, setLoading] = useState(true);
+
+  const getAuth = async ({ ensureSignedIn = false }: { ensureSignedIn?: boolean } = {}) => {
+    try {
+      const auth = await getAuthAction(ensureSignedIn);
+      setUser(auth.user);
+      setSessionId(auth.sessionId);
+      setOrganizationId(auth.organizationId);
+      setRole(auth.role);
+      setPermissions(auth.permissions);
+      setEntitlements(auth.entitlements);
+      setImpersonator(auth.impersonator);
+      setAccessToken(auth.accessToken);
+    } catch (error) {
+      setUser(null);
+      setSessionId(undefined);
+      setOrganizationId(undefined);
+      setRole(undefined);
+      setPermissions(undefined);
+      setEntitlements(undefined);
+      setImpersonator(undefined);
+      setAccessToken(undefined);
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  const refreshAuth = async ({
+    ensureSignedIn = false,
+    organizationId,
+  }: { ensureSignedIn?: boolean; organizationId?: string } = {}) => {
+    try {
+      setLoading(true);
+      const auth = await refreshAuthAction({ ensureSignedIn, organizationId });
+
+      setUser(auth.user);
+      setSessionId(auth.sessionId);
+      setOrganizationId(auth.organizationId);
+      setRole(auth.role);
+      setPermissions(auth.permissions);
+      setEntitlements(auth.entitlements);
+      setImpersonator(auth.impersonator);
+      setAccessToken(auth.accessToken);
+    } catch (error) {
+      return error instanceof Error ? { error: error.message } : { error: String(error) };
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  useEffect(() => {
+    getAuth();
+
+    // Return early if the session expired checks are disabled.
+    if (onSessionExpired === false) {
+      return;
+    }
+
+    let visibilityChangedCalled = false;
+
+    const handleVisibilityChange = async () => {
+      if (visibilityChangedCalled) {
+        return;
+      }
+
+      // In the case where we're using middleware auth mode, a user that has signed out in a different tab
+      // will run into an issue if they attempt to hit a server action in the original tab.
+      // This will force a refresh of the page in that case, which will redirect them to the sign-in page.
+      if (document.visibilityState === 'visible') {
+        visibilityChangedCalled = true;
+
+        try {
+          const hasSession = await checkSessionAction();
+          if (!hasSession) {
+            throw new Error('Session expired');
+          }
+        } catch (error) {
+          // 'Failed to fetch' is the error we are looking for if the action fails
+          // If any other error happens, for other reasons, we should not reload the page
+          if (error instanceof Error && error.message.includes('Failed to fetch')) {
+            if (onSessionExpired) {
+              onSessionExpired();
+            } else {
+              window.location.reload();
+            }
+          }
+        } finally {
+          visibilityChangedCalled = false;
+        }
+      }
+    };
+
+    window.addEventListener('visibilitychange', handleVisibilityChange);
+    window.addEventListener('focus', handleVisibilityChange);
+
+    return () => {
+      window.removeEventListener('focus', handleVisibilityChange);
+      window.removeEventListener('visibilitychange', handleVisibilityChange);
+    };
+  }, [onSessionExpired]);
+
+  return (
+    <AuthContext.Provider
+      value={{
+        user,
+        sessionId,
+        organizationId,
+        role,
+        permissions,
+        entitlements,
+        impersonator,
+        accessToken,
+        loading,
+        getAuth,
+        refreshAuth,
+      }}
+    >
+      {children}
+    </AuthContext.Provider>
+  );
+};
+
+export function useAuth() {
+  const context = useContext(AuthContext);
+  if (!context) {
+    throw new Error('useAuth must be used within an AuthKitProvider');
+  }
+  return context;
+}

package/src/{impersonation.tsx → components/impersonation.tsx}

@@ -1,20 +1,27 @@
+'use client';
+
 import * as React from 'react';
-import { withAuth } from './session.js';
-import { workos } from './workos.js';
 import { Button } from './button.js';
 import { MinMaxButton } from './min-max-button.js';
-import { handleSignOutAction } from './actions.js';
+import { getOrganizationAction, handleSignOutAction } from '../actions.js';
+import type { Organization } from '@workos-inc/node';
+import { useAuth } from './authkit-provider.js';
 
 interface ImpersonationProps extends React.ComponentPropsWithoutRef<'div'> {
   side?: 'top' | 'bottom';
 }
 
-export async function Impersonation({ side = 'bottom', ...props }: ImpersonationProps) {
-  const { impersonator, user, organizationId } = await withAuth();
+export function Impersonation({ side = 'bottom', ...props }: ImpersonationProps) {
+  const { user, impersonator, organizationId, loading } = useAuth();
+
+  const [organization, setOrganization] = React.useState<Organization | null>(null);
 
-  if (!impersonator) return null;
+  React.useEffect(() => {
+    if (!organizationId) return;
+    getOrganizationAction(organizationId).then(setOrganization);
+  }, [organizationId]);
 
-  const organization = organizationId ? await workos.organizations.getOrganization(organizationId) : null;
+  if (loading || !impersonator || !user) return null;
 
   return (
     <div

package/src/components/index.ts

@@ -0,0 +1,4 @@
+import { Impersonation } from './impersonation.js';
+import { AuthKitProvider, useAuth } from './authkit-provider.js';
+
+export { Impersonation, AuthKitProvider, useAuth };

package/src/env-variables.ts

@@ -1,15 +1,20 @@
+/* istanbul ignore file */
+
 function getEnvVariable(name: string): string | undefined {
   return process.env[name];
 }
 
+// Optional env variables
 const WORKOS_API_HOSTNAME = getEnvVariable('WORKOS_API_HOSTNAME');
 const WORKOS_API_HTTPS = getEnvVariable('WORKOS_API_HTTPS');
-const WORKOS_API_KEY = getEnvVariable('WORKOS_API_KEY') ?? '';
 const WORKOS_API_PORT = getEnvVariable('WORKOS_API_PORT');
-const WORKOS_CLIENT_ID = getEnvVariable('WORKOS_CLIENT_ID') ?? '';
 const WORKOS_COOKIE_DOMAIN = getEnvVariable('WORKOS_COOKIE_DOMAIN');
 const WORKOS_COOKIE_MAX_AGE = getEnvVariable('WORKOS_COOKIE_MAX_AGE');
 const WORKOS_COOKIE_NAME = getEnvVariable('WORKOS_COOKIE_NAME');
+
+// Required env variables
+const WORKOS_API_KEY = getEnvVariable('WORKOS_API_KEY') ?? '';
+const WORKOS_CLIENT_ID = getEnvVariable('WORKOS_CLIENT_ID') ?? '';
 const WORKOS_COOKIE_PASSWORD = getEnvVariable('WORKOS_COOKIE_PASSWORD') ?? '';
 const WORKOS_REDIRECT_URI = process.env.NEXT_PUBLIC_WORKOS_REDIRECT_URI ?? '';
 

package/src/index.ts

@@ -1,22 +1,17 @@
 import { handleAuth } from './authkit-callback-route.js';
-import { authkitMiddleware } from './middleware.js';
-import { withAuth, refreshSession, getSession } from './session.js';
+import { authkit, authkitMiddleware } from './middleware.js';
+import { withAuth, refreshSession } from './session.js';
 import { getSignInUrl, getSignUpUrl, signOut } from './auth.js';
-import { Impersonation } from './impersonation.js';
-import { AuthKitProvider } from './authkit-provider.js';
 
 export {
   handleAuth,
   //
   authkitMiddleware,
-  getSession,
+  authkit,
   //
   getSignInUrl,
   getSignUpUrl,
   withAuth,
   refreshSession,
   signOut,
-  //
-  Impersonation,
-  AuthKitProvider,
 };

package/src/interfaces.ts

@@ -37,6 +37,7 @@ export interface NoUserInfo {
   organizationId?: undefined;
   role?: undefined;
   permissions?: undefined;
+  entitlements?: undefined;
   impersonator?: undefined;
   accessToken?: undefined;
 }
@@ -68,6 +69,18 @@ export interface AuthkitMiddlewareOptions {
   signUpPaths?: string[];
 }
 
+export interface AuthkitOptions {
+  debug?: boolean;
+  redirectUri?: string;
+  screenHint?: 'sign-up' | 'sign-in';
+}
+
+export interface AuthkitResponse {
+  session: UserInfo | NoUserInfo;
+  headers: Headers;
+  authorizationUrl?: string;
+}
+
 export interface CookieOptions {
   path: '/';
   httpOnly: true;

package/src/middleware.ts

@@ -1,6 +1,6 @@
-import { NextMiddleware } from 'next/server';
-import { updateSession } from './session.js';
-import { AuthkitMiddlewareOptions } from './interfaces.js';
+import { NextMiddleware, NextRequest } from 'next/server';
+import { updateSessionMiddleware, updateSession } from './session.js';
+import { AuthkitMiddlewareOptions, AuthkitOptions, AuthkitResponse } from './interfaces.js';
 import { WORKOS_REDIRECT_URI } from './env-variables.js';
 
 export function authkitMiddleware({
@@ -10,6 +10,10 @@ export function authkitMiddleware({
   signUpPaths = [],
 }: AuthkitMiddlewareOptions = {}): NextMiddleware {
   return function (request) {
-    return updateSession(request, debug, middlewareAuth, redirectUri, signUpPaths);
+    return updateSessionMiddleware(request, debug, middlewareAuth, redirectUri, signUpPaths);
   };
 }
+
+export async function authkit(request: NextRequest, options: AuthkitOptions = {}): Promise<AuthkitResponse> {
+  return await updateSession(request, options);
+}

package/src/session.ts

@@ -9,14 +9,21 @@ import { getCookieOptions } from './cookie.js';
 import { workos } from './workos.js';
 import { WORKOS_CLIENT_ID, WORKOS_COOKIE_PASSWORD, WORKOS_COOKIE_NAME, WORKOS_REDIRECT_URI } from './env-variables.js';
 import { getAuthorizationUrl } from './get-authorization-url.js';
-import { AccessToken, AuthkitMiddlewareAuth, NoUserInfo, Session, UserInfo } from './interfaces.js';
+import {
+  AccessToken,
+  AuthkitMiddlewareAuth,
+  AuthkitOptions,
+  AuthkitResponse,
+  NoUserInfo,
+  Session,
+  UserInfo,
+} from './interfaces.js';
 
 import { parse, tokensToRegexp } from 'path-to-regexp';
 import { redirectWithFallback } from './utils.js';
 
 const sessionHeaderName = 'x-workos-session';
 const middlewareHeaderName = 'x-workos-middleware';
-const redirectUriHeaderName = 'x-redirect-uri';
 const signUpPathsHeaderName = 'x-sign-up-paths';
 
 const JWKS = createRemoteJWKSet(new URL(workos.userManagement.getJwksUrl(WORKOS_CLIENT_ID)));
@@ -28,7 +35,7 @@ async function encryptSession(session: Session) {
   });
 }
 
-async function updateSession(
+async function updateSessionMiddleware(
   request: NextRequest,
   debug: boolean,
   middlewareAuth: AuthkitMiddlewareAuth,
@@ -45,34 +52,14 @@ async function updateSession(
     );
   }
 
-  const session = await getSessionFromCookie();
-  const newRequestHeaders = new Headers(request.headers);
-
-  // We store the current request url in a custom header, so we can always have access to it
-  // This is because on hard navigations we don't have access to `next-url` but need to get the current
-  // `pathname` to be able to return the users where they came from before sign-in
-  newRequestHeaders.set('x-url', request.url);
-
-  // Record that the request was routed through the middleware so we can check later for DX purposes
-  newRequestHeaders.set(middlewareHeaderName, 'true');
-
-  // Record the sign up paths so we can use it later
-  if (signUpPaths.length > 0) {
-    newRequestHeaders.set(signUpPathsHeaderName, signUpPaths.join(','));
-  }
-
   let url;
 
-  // If the redirect URI is set, store it in the headers so we can use it later
   if (redirectUri) {
-    newRequestHeaders.set(redirectUriHeaderName, redirectUri);
     url = new URL(redirectUri);
   } else {
     url = new URL(WORKOS_REDIRECT_URI);
   }
 
-  newRequestHeaders.delete(sessionHeaderName);
-
   if (
     middlewareAuth.enabled &&
     url.pathname === request.nextUrl.pathname &&
@@ -94,81 +81,131 @@ async function updateSession(
     return pathRegex.exec(request.nextUrl.pathname);
   });
 
-  // If the user is logged out and this path isn't on the allowlist for logged out paths, redirect to AuthKit.
-  if (middlewareAuth.enabled && matchedPaths.length === 0 && !session) {
-    if (debug) console.log(`Unauthenticated user on protected route ${request.url}, redirecting to AuthKit`);
+  const { session, headers, authorizationUrl } = await updateSession(request, {
+    debug,
+    redirectUri,
+    screenHint: getScreenHint(signUpPaths, request.nextUrl.pathname),
+  });
 
-    const redirectTo = await getAuthorizationUrl({
-      returnPathname: getReturnPathname(request.url),
-      redirectUri: redirectUri,
-      screenHint: getScreenHint(signUpPaths, request.nextUrl.pathname),
-    });
+  // If the user is logged out and this path isn't on the allowlist for logged out paths, redirect to AuthKit.
+  if (middlewareAuth.enabled && matchedPaths.length === 0 && !session.user) {
+    if (debug) {
+      console.log(`Unauthenticated user on protected route ${request.url}, redirecting to AuthKit`);
+    }
 
-    return redirectWithFallback(redirectTo);
+    return redirectWithFallback(authorizationUrl as string);
   }
 
-  // If no session, just continue
-  if (!session) {
-    return NextResponse.next({
-      request: { headers: newRequestHeaders },
-    });
+  // Record the sign up paths so we can use them later
+  if (signUpPaths.length > 0) {
+    headers.set(signUpPathsHeaderName, signUpPaths.join(','));
   }
 
-  const hasValidSession = await verifyAccessToken(session.accessToken);
-  const cookieName = WORKOS_COOKIE_NAME || 'wos-session';
+  return NextResponse.next({
+    request: { headers },
+  });
+}
 
-  const nextCookies = await cookies();
+async function updateSession(
+  request: NextRequest,
+  options: AuthkitOptions = { debug: false },
+): Promise<AuthkitResponse> {
+  const session = await getSessionFromCookie();
 
-  if (hasValidSession) {
-    if (debug) console.log('Session is valid');
-    // set the x-workos-session header according to the current cookie value
-    newRequestHeaders.set(sessionHeaderName, nextCookies.get(cookieName)!.value);
-    return NextResponse.next({
-      request: { headers: newRequestHeaders },
-    });
-  }
+  const newRequestHeaders = new Headers(request.headers);
 
-  try {
-    if (debug) console.log(`Session invalid. Refreshing access token that ends in ${session.accessToken.slice(-10)}`);
+  // Record that the request was routed through the middleware so we can check later for DX purposes
+  newRequestHeaders.set(middlewareHeaderName, 'true');
 
-    const { org_id: organizationId } = decodeJwt<AccessToken>(session.accessToken);
+  // We store the current request url in a custom header, so we can always have access to it
+  // This is because on hard navigations we don't have access to `next-url` but need to get the current
+  // `pathname` to be able to return the users where they came from before sign-in
+  newRequestHeaders.set('x-url', request.url);
 
-    // If the session is invalid (i.e. the access token has expired) attempt to re-authenticate with the refresh token
-    const { accessToken, refreshToken, user, impersonator } = await workos.userManagement.authenticateWithRefreshToken({
-      clientId: WORKOS_CLIENT_ID,
-      refreshToken: session.refreshToken,
-      organizationId,
-    });
+  newRequestHeaders.delete(sessionHeaderName);
 
-    if (debug) console.log(`Refresh successful. New access token ends in ${accessToken.slice(-10)}`);
+  if (!session) {
+    if (options.debug) {
+      console.log('No session found from cookie');
+    }
 
-    // Encrypt session with new access and refresh tokens
-    const encryptedSession = await encryptSession({
-      accessToken,
-      refreshToken,
-      user,
-      impersonator,
-    });
+    return {
+      session: { user: null },
+      headers: newRequestHeaders,
+      authorizationUrl: await getAuthorizationUrl({
+        returnPathname: getReturnPathname(request.url),
+        redirectUri: options.redirectUri || WORKOS_REDIRECT_URI,
+        screenHint: options.screenHint,
+      }),
+    };
+  }
 
-    newRequestHeaders.set(sessionHeaderName, encryptedSession);
+  const hasValidSession = await verifyAccessToken(session.accessToken);
 
-    const response = NextResponse.next({
-      request: { headers: newRequestHeaders },
-    });
-    // update the cookie
-    response.cookies.set(cookieName, encryptedSession, getCookieOptions(redirectUri));
-    return response;
-  } catch (e) {
-    if (debug) console.log('Failed to refresh. Deleting cookie and redirecting.', e);
+  const cookieName = WORKOS_COOKIE_NAME || 'wos-session';
+  const nextCookies = await cookies();
 
-    nextCookies.delete(cookieName);
+  if (!hasValidSession) {
+    if (options.debug) {
+      console.log(`Session invalid. Refreshing access token that ends in ${session.accessToken.slice(-10)}`);
+    }
+
+    try {
+      const newSession = await refreshSession({
+        ensureSignedIn: false,
+      });
+
+      if (options.debug) {
+        console.log('Session successfully refreshed');
+      }
+
+      newRequestHeaders.set(sessionHeaderName, nextCookies.get(cookieName)!.value);
+
+      return {
+        session: newSession,
+        headers: newRequestHeaders,
+      };
+    } catch (e) {
+      if (options.debug) {
+        console.log('Failed to refresh. Deleting cookie.', e);
+      }
+
+      const nextCookies = await cookies();
+      nextCookies.delete(cookieName);
+
+      return {
+        session: { user: null },
+        headers: newRequestHeaders,
+        authorizationUrl: await getAuthorizationUrl({
+          returnPathname: getReturnPathname(request.url),
+        }),
+      };
+    }
   }
 
-  // If we get here, the session is invalid and the user needs to sign in again.
-  // We redirect to the current URL which will trigger the middleware again.
-  // This is outside of the above block because you cannot redirect in Next.js
-  // from inside a try/catch block.
-  return redirectWithFallback(request.url);
+  newRequestHeaders.set(sessionHeaderName, nextCookies.get(cookieName)!.value);
+
+  const {
+    sid: sessionId,
+    org_id: organizationId,
+    role,
+    permissions,
+    entitlements,
+  } = decodeJwt<AccessToken>(session.accessToken);
+
+  return {
+    session: {
+      sessionId,
+      user: session.user,
+      organizationId,
+      role,
+      permissions,
+      entitlements,
+      impersonator: session.impersonator,
+      accessToken: session.accessToken,
+    },
+    headers: newRequestHeaders,
+  };
 }
 
 async function refreshSession(options: {
@@ -194,12 +231,21 @@ async function refreshSession({
 
   const { org_id: organizationIdFromAccessToken } = decodeJwt<AccessToken>(session.accessToken);
 
-  const { accessToken, refreshToken, user, impersonator } = await workos.userManagement.authenticateWithRefreshToken({
-    clientId: WORKOS_CLIENT_ID,
-    refreshToken: session.refreshToken,
-    organizationId: nextOrganizationId ?? organizationIdFromAccessToken,
-  });
+  let refreshResult;
 
+  try {
+    refreshResult = await workos.userManagement.authenticateWithRefreshToken({
+      clientId: WORKOS_CLIENT_ID,
+      refreshToken: session.refreshToken,
+      organizationId: nextOrganizationId ?? organizationIdFromAccessToken,
+    });
+  } catch (error) {
+    throw new Error(`Failed to refresh session: ${error instanceof Error ? error.message : String(error)}`, {
+      cause: error,
+    });
+  }
+
+  const { accessToken, refreshToken, user, impersonator } = refreshResult;
   // Encrypt session with new access and refresh tokens
   const encryptedSession = await encryptSession({
     accessToken,
@@ -273,9 +319,8 @@ async function redirectToSignIn() {
 }
 
 async function withAuth(options?: { ensureSignedIn: false }): Promise<UserInfo | NoUserInfo>;
-// @ts-expect-error - TS complains about the overload signature when we have more than 2 optional properties
 async function withAuth(options: { ensureSignedIn: true }): Promise<UserInfo>;
-async function withAuth({ ensureSignedIn = false } = {}) {
+async function withAuth({ ensureSignedIn = false } = {}): Promise<UserInfo | NoUserInfo> {
   const session = await getSessionFromHeader();
 
   if (!session) {
@@ -323,50 +368,18 @@ async function verifyAccessToken(accessToken: string) {
   }
 }
 
-async function getSessionFromCookie(response?: NextResponse) {
+async function getSessionFromCookie() {
   const cookieName = WORKOS_COOKIE_NAME || 'wos-session';
   const nextCookies = await cookies();
-  const cookie = response ? response.cookies.get(cookieName) : nextCookies.get(cookieName);
+  const cookie = nextCookies.get(cookieName);
 
   if (cookie) {
-    return unsealData<Session>(cookie.value ?? cookie, {
+    return unsealData<Session>(cookie.value, {
       password: WORKOS_COOKIE_PASSWORD,
     });
   }
 }
 
-/**
- * Retrieves the session from the cookie. Meant for use in the middleware, for client side use `withAuth` instead.
- *
- * @returns UserInfo | NoUserInfo
- */
-async function getSession(response?: NextResponse) {
-  const session = await getSessionFromCookie(response);
-
-  if (!session) return { user: null };
-
-  if (await verifyAccessToken(session.accessToken)) {
-    const {
-      sid: sessionId,
-      org_id: organizationId,
-      role,
-      permissions,
-      entitlements,
-    } = decodeJwt<AccessToken>(session.accessToken);
-
-    return {
-      sessionId,
-      user: session.user,
-      organizationId,
-      role,
-      permissions,
-      entitlements,
-      impersonator: session.impersonator,
-      accessToken: session.accessToken,
-    };
-  }
-}
-
 async function getSessionFromHeader(): Promise<Session | undefined> {
   const headersList = await headers();
   const hasMiddleware = Boolean(headersList.get(middlewareHeaderName));
@@ -374,7 +387,7 @@ async function getSessionFromHeader(): Promise<Session | undefined> {
   if (!hasMiddleware) {
     const url = headersList.get('x-url');
     throw new Error(
-      `You are calling 'withAuth' on ${url} that isn’t covered by the AuthKit middleware. Make sure it is running on all paths you are calling 'withAuth' from by updating your middleware config in 'middleware.(js|ts)'.`,
+      `You are calling 'withAuth' on ${url ?? 'a route'} that isn’t covered by the AuthKit middleware. Make sure it is running on all paths you are calling 'withAuth' from by updating your middleware config in 'middleware.(js|ts)'.`,
     );
   }
 
@@ -401,4 +414,4 @@ function getScreenHint(signUpPaths: string[] | undefined, pathname: string) {
   return screenHintPaths.length > 0 ? 'sign-up' : 'sign-in';
 }
 
-export { encryptSession, withAuth, refreshSession, terminateSession, updateSession, getSession };
+export { encryptSession, withAuth, refreshSession, terminateSession, updateSessionMiddleware, updateSession };

package/src/workos.ts

@@ -1,7 +1,7 @@
 import { WorkOS } from '@workos-inc/node';
 import { WORKOS_API_HOSTNAME, WORKOS_API_KEY, WORKOS_API_HTTPS, WORKOS_API_PORT } from './env-variables.js';
 
-export const VERSION = '0.17.2';
+export const VERSION = '1.0.0';
 
 const options = {
   apiHostname: WORKOS_API_HOSTNAME,