@workos-inc/authkit-nextjs 0.4.0

package/dist/cjs/min-max-button.js

@@ -0,0 +1,15 @@
+"use strict";
+'use client';
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MinMaxButton = void 0;
+const tslib_1 = require("tslib");
+const React = tslib_1.__importStar(require("react"));
+const button_js_1 = require("./button.js");
+function MinMaxButton({ children, minimizedValue }) {
+    return (React.createElement(button_js_1.Button, { onClick: () => {
+            const root = document.querySelector('[data-workos-impersonation-root]');
+            root === null || root === void 0 ? void 0 : root.style.setProperty('--wi-minimized', minimizedValue);
+        }, style: { padding: 0, width: '1.714em' } }, children));
+}
+exports.MinMaxButton = MinMaxButton;
+//# sourceMappingURL=min-max-button.js.map

package/dist/cjs/min-max-button.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"min-max-button.js","sourceRoot":"","sources":["../../src/min-max-button.tsx"],"names":[],"mappings":";AAAA,YAAY,CAAC;;;;AAEb,qDAA+B;AAC/B,2CAAqC;AAOrC,SAAgB,YAAY,CAAC,EAAE,QAAQ,EAAE,cAAc,EAAqB;IAC1E,OAAO,CACL,oBAAC,kBAAM,IACL,OAAO,EAAE,GAAG,EAAE;YACZ,MAAM,IAAI,GAAG,QAAQ,CAAC,aAAa,CAAC,kCAAkC,CAAuB,CAAC;YAC9F,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,KAAK,CAAC,WAAW,CAAC,gBAAgB,EAAE,cAAc,CAAC,CAAC;QAC5D,CAAC,EACD,KAAK,EAAE,EAAE,OAAO,EAAE,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,IAEtC,QAAQ,CACF,CACV,CAAC;AACJ,CAAC;AAZD,oCAYC"}

package/dist/cjs/session.d.ts

@@ -0,0 +1,12 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { NoUserInfo, Session, UserInfo } from './interfaces.js';
+declare function encryptSession(session: Session): Promise<string>;
+declare function updateSession(request: NextRequest, debug: boolean): Promise<NextResponse<unknown>>;
+declare function getUser(options?: {
+    ensureSignedIn: false;
+}): Promise<UserInfo | NoUserInfo>;
+declare function getUser(options: {
+    ensureSignedIn: true;
+}): Promise<UserInfo>;
+declare function terminateSession(): Promise<void>;
+export { encryptSession, updateSession, getUser, terminateSession };

package/dist/cjs/session.js

@@ -0,0 +1,123 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.terminateSession = exports.getUser = exports.updateSession = exports.encryptSession = void 0;
+const navigation_1 = require("next/navigation");
+const headers_1 = require("next/headers");
+const server_1 = require("next/server");
+const jose_1 = require("jose");
+const iron_session_1 = require("iron-session");
+const cookie_js_1 = require("./cookie.js");
+const workos_js_1 = require("./workos.js");
+const env_variables_js_1 = require("./env-variables.js");
+const get_authorization_url_js_1 = require("./get-authorization-url.js");
+const sessionHeaderName = 'x-workos-session';
+const JWKS = (0, jose_1.createRemoteJWKSet)(new URL(workos_js_1.workos.userManagement.getJwksUrl(env_variables_js_1.WORKOS_CLIENT_ID)));
+async function encryptSession(session) {
+    return (0, iron_session_1.sealData)(session, { password: env_variables_js_1.WORKOS_COOKIE_PASSWORD });
+}
+exports.encryptSession = encryptSession;
+async function updateSession(request, debug) {
+    const session = await getSessionFromCookie();
+    // If no session, just continue
+    if (!session) {
+        return server_1.NextResponse.next();
+    }
+    const hasValidSession = await verifyAccessToken(session.accessToken);
+    const newRequestHeaders = new Headers(request.headers);
+    if (hasValidSession) {
+        if (debug)
+            console.log('Session is valid');
+        // set the x-workos-session header according to the current cookie value
+        newRequestHeaders.set(sessionHeaderName, (0, headers_1.cookies)().get(cookie_js_1.cookieName).value);
+        return server_1.NextResponse.next({
+            headers: newRequestHeaders,
+        });
+    }
+    try {
+        if (debug)
+            console.log('Session invalid. Attempting refresh', session.refreshToken);
+        // If the session is invalid (i.e. the access token has expired) attempt to re-authenticate with the refresh token
+        const { accessToken, refreshToken } = await workos_js_1.workos.userManagement.authenticateWithRefreshToken({
+            clientId: env_variables_js_1.WORKOS_CLIENT_ID,
+            refreshToken: session.refreshToken,
+        });
+        if (debug)
+            console.log('Refresh successful:', refreshToken);
+        // Encrypt session with new access and refresh tokens
+        const encryptedSession = await encryptSession({
+            accessToken,
+            refreshToken,
+            user: session.user,
+            impersonator: session.impersonator,
+        });
+        newRequestHeaders.set(sessionHeaderName, encryptedSession);
+        const response = server_1.NextResponse.next({
+            request: {
+                headers: newRequestHeaders,
+            },
+        });
+        // update the cookie
+        response.cookies.set(cookie_js_1.cookieName, encryptedSession, cookie_js_1.cookieOptions);
+        return response;
+    }
+    catch (e) {
+        console.warn('Failed to refresh', e);
+        const response = server_1.NextResponse.next();
+        response.cookies.delete(cookie_js_1.cookieName);
+        return response;
+    }
+}
+exports.updateSession = updateSession;
+async function getUser({ ensureSignedIn = false } = {}) {
+    var _a;
+    const session = await getSessionFromHeader();
+    if (!session) {
+        if (ensureSignedIn) {
+            const returnPathname = (_a = (0, headers_1.headers)().get('next-url')) !== null && _a !== void 0 ? _a : undefined;
+            (0, navigation_1.redirect)(await (0, get_authorization_url_js_1.getAuthorizationUrl)(returnPathname));
+        }
+        return { user: null };
+    }
+    const { sid: sessionId, org_id: organizationId, role } = (0, jose_1.decodeJwt)(session.accessToken);
+    return {
+        sessionId,
+        user: session.user,
+        organizationId,
+        role,
+        impersonator: session.impersonator,
+    };
+}
+exports.getUser = getUser;
+async function terminateSession() {
+    const { sessionId } = await getUser();
+    if (sessionId) {
+        (0, navigation_1.redirect)(workos_js_1.workos.userManagement.getLogoutUrl({ sessionId }));
+    }
+    (0, navigation_1.redirect)('/');
+}
+exports.terminateSession = terminateSession;
+async function verifyAccessToken(accessToken) {
+    try {
+        await (0, jose_1.jwtVerify)(accessToken, JWKS);
+        return true;
+    }
+    catch (e) {
+        console.warn('Failed to verify session:', e);
+        return false;
+    }
+}
+async function getSessionFromCookie() {
+    const cookie = (0, headers_1.cookies)().get(cookie_js_1.cookieName);
+    if (cookie) {
+        return (0, iron_session_1.unsealData)(cookie.value, {
+            password: env_variables_js_1.WORKOS_COOKIE_PASSWORD,
+        });
+    }
+}
+async function getSessionFromHeader() {
+    const authHeader = (0, headers_1.headers)().get(sessionHeaderName);
+    if (!authHeader)
+        return;
+    return (0, iron_session_1.unsealData)(authHeader, { password: env_variables_js_1.WORKOS_COOKIE_PASSWORD });
+}
+//# sourceMappingURL=session.js.map

package/dist/cjs/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/session.ts"],"names":[],"mappings":";;;AAAA,gDAA2C;AAC3C,0CAAgD;AAChD,wCAAwD;AACxD,+BAAgE;AAChE,+CAAoD;AACpD,2CAAwD;AACxD,2CAAqC;AACrC,yDAA8E;AAC9E,yEAAiE;AAGjE,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAE7C,MAAM,IAAI,GAAG,IAAA,yBAAkB,EAAC,IAAI,GAAG,CAAC,kBAAM,CAAC,cAAc,CAAC,UAAU,CAAC,mCAAgB,CAAC,CAAC,CAAC,CAAC;AAE7F,KAAK,UAAU,cAAc,CAAC,OAAgB;IAC5C,OAAO,IAAA,uBAAQ,EAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,yCAAsB,EAAE,CAAC,CAAC;AACjE,CAAC;AAuHQ,wCAAc;AArHvB,KAAK,UAAU,aAAa,CAAC,OAAoB,EAAE,KAAc;IAC/D,MAAM,OAAO,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAE7C,+BAA+B;IAC/B,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,qBAAY,CAAC,IAAI,EAAE,CAAC;IAC7B,CAAC;IAED,MAAM,eAAe,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAErE,MAAM,iBAAiB,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAEvD,IAAI,eAAe,EAAE,CAAC;QACpB,IAAI,KAAK;YAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;QAC3C,wEAAwE;QACxE,iBAAiB,CAAC,GAAG,CAAC,iBAAiB,EAAE,IAAA,iBAAO,GAAE,CAAC,GAAG,CAAC,sBAAU,CAAE,CAAC,KAAK,CAAC,CAAC;QAC3E,OAAO,qBAAY,CAAC,IAAI,CAAC;YACvB,OAAO,EAAE,iBAAiB;SAC3B,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC;QACH,IAAI,KAAK;YAAE,OAAO,CAAC,GAAG,CAAC,qCAAqC,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;QAEpF,kHAAkH;QAClH,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,GAAG,MAAM,kBAAM,CAAC,cAAc,CAAC,4BAA4B,CAAC;YAC7F,QAAQ,EAAE,mCAAgB;YAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;SACnC,CAAC,CAAC;QAEH,IAAI,KAAK;YAAE,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,YAAY,CAAC,CAAC;QAE5D,qDAAqD;QACrD,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC;YAC5C,WAAW;YACX,YAAY;YACZ,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,YAAY,EAAE,OAAO,CAAC,YAAY;SACnC,CAAC,CAAC;QAEH,iBAAiB,CAAC,GAAG,CAAC,iBAAiB,EAAE,gBAAgB,CAAC,CAAC;QAE3D,MAAM,QAAQ,GAAG,qBAAY,CAAC,IAAI,CAAC;YACjC,OAAO,EAAE;gBACP,OAAO,EAAE,iBAAiB;aAC3B;SACF,CAAC,CAAC;QACH,oBAAoB;QACpB,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAU,EAAE,gBAAgB,EAAE,yBAAa,CAAC,CAAC;QAClE,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC,CAAC,CAAC;QACrC,MAAM,QAAQ,GAAG,qBAAY,CAAC,IAAI,EAAE,CAAC;QACrC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,sBAAU,CAAC,CAAC;QACpC,OAAO,QAAQ,CAAC;IAClB,CAAC;AACH,CAAC;AA6DwB,sCAAa;AAvDtC,KAAK,UAAU,OAAO,CAAC,EAAE,cAAc,GAAG,KAAK,EAAE,GAAG,EAAE;;IACpD,MAAM,OAAO,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAC7C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,cAAc,GAAG,MAAA,IAAA,iBAAO,GAAE,CAAC,GAAG,CAAC,UAAU,CAAC,mCAAI,SAAS,CAAC;YAC9D,IAAA,qBAAQ,EAAC,MAAM,IAAA,8CAAmB,EAAC,cAAc,CAAC,CAAC,CAAC;QACtD,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,CAAC;IAED,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,cAAc,EAAE,IAAI,EAAE,GAAG,IAAA,gBAAS,EAAc,OAAO,CAAC,WAAW,CAAC,CAAC;IAErG,OAAO;QACL,SAAS;QACT,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,cAAc;QACd,IAAI;QACJ,YAAY,EAAE,OAAO,CAAC,YAAY;KACnC,CAAC;AACJ,CAAC;AAoCuC,0BAAO;AAlC/C,KAAK,UAAU,gBAAgB;IAC7B,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,OAAO,EAAE,CAAC;IACtC,IAAI,SAAS,EAAE,CAAC;QACd,IAAA,qBAAQ,EAAC,kBAAM,CAAC,cAAc,CAAC,YAAY,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;IAC9D,CAAC;IACD,IAAA,qBAAQ,EAAC,GAAG,CAAC,CAAC;AAChB,CAAC;AA4BgD,4CAAgB;AA1BjE,KAAK,UAAU,iBAAiB,CAAC,WAAmB;IAClD,IAAI,CAAC;QACH,MAAM,IAAA,gBAAS,EAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,CAAC,IAAI,CAAC,2BAA2B,EAAE,CAAC,CAAC,CAAC;QAC7C,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,KAAK,UAAU,oBAAoB;IACjC,MAAM,MAAM,GAAG,IAAA,iBAAO,GAAE,CAAC,GAAG,CAAC,sBAAU,CAAC,CAAC;IACzC,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,IAAA,yBAAU,EAAU,MAAM,CAAC,KAAK,EAAE;YACvC,QAAQ,EAAE,yCAAsB;SACjC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,KAAK,UAAU,oBAAoB;IACjC,MAAM,UAAU,GAAG,IAAA,iBAAO,GAAE,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACpD,IAAI,CAAC,UAAU;QAAE,OAAO;IAExB,OAAO,IAAA,yBAAU,EAAU,UAAU,EAAE,EAAE,QAAQ,EAAE,yCAAsB,EAAE,CAAC,CAAC;AAC/E,CAAC"}

package/dist/cjs/workos.d.ts

@@ -0,0 +1,3 @@
+import WorkOS from '@workos-inc/node';
+declare const workos: WorkOS;
+export { workos };

package/dist/cjs/workos.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.workos = void 0;
+const tslib_1 = require("tslib");
+const node_1 = tslib_1.__importDefault(require("@workos-inc/node"));
+const env_variables_js_1 = require("./env-variables.js");
+// Initialize the WorkOS client
+const workos = new node_1.default(env_variables_js_1.WORKOS_API_KEY);
+exports.workos = workos;
+//# sourceMappingURL=workos.js.map

package/dist/cjs/workos.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"workos.js","sourceRoot":"","sources":["../../src/workos.ts"],"names":[],"mappings":";;;;AAAA,oEAAsC;AACtC,yDAAoD;AAEpD,+BAA+B;AAC/B,MAAM,MAAM,GAAG,IAAI,cAAM,CAAC,iCAAc,CAAC,CAAC;AAEjC,wBAAM"}

package/package.json

@@ -0,0 +1,55 @@
+{
+  "name": "@workos-inc/authkit-nextjs",
+  "version": "0.4.0",
+  "description": "Authentication and session helpers for using WorkOS & AuthKit with Next.js",
+  "sideEffects": false,
+  "type": "commonjs",
+  "main": "./dist/cjs/index.js",
+  "types": "./dist/cjs/index.d.ts",
+  "files": [
+    "dist",
+    "src",
+    "LICENSE",
+    "README.md"
+  ],
+  "scripts": {
+    "clean": "rm -rf dist",
+    "prebuild": "npm run clean",
+    "build": "tsc --project tsconfig-cjs.json",
+    "preversion": "npm run build",
+    "postversion": "git push --follow-tags",
+    "prepublishOnly": "npm run lint",
+    "lint": "eslint \"src/**/*.ts*\"",
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "dependencies": {
+    "@workos-inc/node": "^6.7.0",
+    "iron-session": "^8.0.1",
+    "jose": "^5.2.3"
+  },
+  "peerDependencies": {
+    "next": "^13.5.4 || ^14.0.3",
+    "react": "^18.0",
+    "react-dom": "^18.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.11.28",
+    "@types/react": "18.2.67",
+    "@types/react-dom": "18.2.22",
+    "eslint": "^8.29.0",
+    "eslint-config-prettier": "^9.1.0",
+    "eslint-plugin-require-extensions": "^0.1.3",
+    "next": "^14.1.3",
+    "typescript": "5.4.2",
+    "typescript-eslint": "^7.2.0"
+  },
+  "license": "MIT",
+  "homepage": "https://github.com/workos/authkit-nextjs#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/workos/authkit-nextjs.git"
+  },
+  "bugs": {
+    "url": "https://github.com/workos/authkit-nextjs/issues"
+  }
+}

package/src/auth.ts

@@ -0,0 +1,15 @@
+import { getAuthorizationUrl } from './get-authorization-url.js';
+import { cookies } from 'next/headers';
+import { cookieName } from './cookie.js';
+import { terminateSession } from './session.js';
+
+async function getSignInUrl() {
+  return getAuthorizationUrl();
+}
+
+async function signOut() {
+  cookies().delete(cookieName);
+  await terminateSession();
+}
+
+export { getSignInUrl, signOut };

package/src/authkit-callback-route.ts

@@ -0,0 +1,69 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { cookies } from 'next/headers';
+import { workos } from './workos.js';
+import { WORKOS_CLIENT_ID } from './env-variables.js';
+import { encryptSession } from './session.js';
+import { cookieName, cookieOptions } from './cookie.js';
+import { HandleAuthOptions } from './interfaces.js';
+
+export function handleAuth(options: HandleAuthOptions = {}) {
+  const { returnPathname: returnPathnameOption = '/' } = options;
+
+  return async function GET(request: NextRequest) {
+    const code = request.nextUrl.searchParams.get('code');
+    const state = request.nextUrl.searchParams.get('state');
+    const returnPathname = state ? JSON.parse(atob(state)).returnPathname : null;
+
+    if (code) {
+      try {
+        // Use the code returned to us by AuthKit and authenticate the user with WorkOS
+        const { accessToken, refreshToken, user, impersonator } = await workos.userManagement.authenticateWithCode({
+          clientId: WORKOS_CLIENT_ID,
+          code,
+        });
+
+        const url = request.nextUrl.clone();
+
+        // Cleanup params
+        url.searchParams.delete('code');
+        url.searchParams.delete('state');
+
+        // Redirect to the requested path and store the session
+        url.pathname = returnPathname ?? returnPathnameOption;
+
+        const response = NextResponse.redirect(url);
+
+        if (!accessToken || !refreshToken) throw new Error('response is missing tokens');
+
+        // The refreshToken should never be accesible publicly, hence why we encrypt it in the cookie session
+        // Alternatively you could persist the refresh token in a backend database
+        const session = await encryptSession({ accessToken, refreshToken, user, impersonator });
+        cookies().set(cookieName, session, cookieOptions);
+
+        return response;
+      } catch (error) {
+        const errorRes = {
+          error: error instanceof Error ? error.message : String(error),
+        };
+
+        console.error(errorRes);
+
+        return errorResponse();
+      }
+    }
+
+    return errorResponse();
+  };
+
+  function errorResponse() {
+    return NextResponse.json(
+      {
+        error: {
+          message: 'Something went wrong',
+          description: 'Couldn’t sign in. If you are not sure what happened, please contact your organization admin.',
+        },
+      },
+      { status: 500 },
+    );
+  }
+}

package/src/button.tsx

@@ -0,0 +1,32 @@
+import * as React from 'react';
+
+const Button = React.forwardRef<HTMLButtonElement, React.ComponentPropsWithoutRef<'button'>>((props, forwardedRef) => {
+  return (
+    <button
+      ref={forwardedRef}
+      type="button"
+      {...props}
+      style={{
+        display: 'inline-flex',
+        alignItems: 'center',
+        justifyContent: 'center',
+        flexShrink: 0,
+        height: '1.714em',
+        padding: '0 0.6em',
+
+        fontFamily: 'inherit',
+        fontSize: 'inherit',
+        borderRadius: 'min(max(calc(var(--wi-s) * 0.6), 1px), 7px)',
+        border: 'none',
+        backgroundColor: 'var(--wi-c)',
+        color: 'white',
+
+        ...props.style,
+      }}
+    />
+  );
+});
+
+Button.displayName = 'Button';
+
+export { Button };

package/src/cookie.ts

@@ -0,0 +1,9 @@
+const cookieName = 'wos-session';
+const cookieOptions = {
+  path: '/',
+  httpOnly: true,
+  secure: true,
+  sameSite: 'lax' as const,
+};
+
+export { cookieName, cookieOptions };

package/src/env-variables.ts

@@ -0,0 +1,18 @@
+function getEnvVariable(name: string) {
+  const envVariable = process.env[name];
+  if (!envVariable) {
+    throw new Error(`${name} environment variable is not set`);
+  }
+  return envVariable;
+}
+
+const WORKOS_CLIENT_ID = getEnvVariable('WORKOS_CLIENT_ID');
+const WORKOS_API_KEY = getEnvVariable('WORKOS_API_KEY');
+const WORKOS_REDIRECT_URI = getEnvVariable('WORKOS_REDIRECT_URI');
+const WORKOS_COOKIE_PASSWORD = getEnvVariable('WORKOS_COOKIE_PASSWORD');
+
+if (WORKOS_COOKIE_PASSWORD.length < 32) {
+  throw new Error('WORKOS_COOKIE_PASSWORD must be at least 32 characters long');
+}
+
+export { WORKOS_CLIENT_ID, WORKOS_API_KEY, WORKOS_REDIRECT_URI, WORKOS_COOKIE_PASSWORD };

package/src/get-authorization-url.ts

@@ -0,0 +1,13 @@
+import { workos } from './workos.js';
+import { WORKOS_CLIENT_ID, WORKOS_REDIRECT_URI } from './env-variables.js';
+
+async function getAuthorizationUrl(returnPathname?: string) {
+  return workos.userManagement.getAuthorizationUrl({
+    provider: 'authkit',
+    clientId: WORKOS_CLIENT_ID,
+    redirectUri: WORKOS_REDIRECT_URI,
+    state: returnPathname ? btoa(JSON.stringify({ returnPathname })) : undefined,
+  });
+}
+
+export { getAuthorizationUrl };

package/src/impersonation.tsx

@@ -0,0 +1,157 @@
+import * as React from 'react';
+import { getUser } from './session.js';
+import { signOut } from './auth.js';
+import { workos } from './workos.js';
+import { Button } from './button.js';
+import { MinMaxButton } from './min-max-button.js';
+
+interface ImpersonationProps extends React.ComponentPropsWithoutRef<'div'> {
+  side?: 'top' | 'bottom';
+}
+
+export async function Impersonation({ side = 'bottom', ...props }: ImpersonationProps) {
+  const { impersonator, user, organizationId } = await getUser();
+
+  if (!impersonator) return null;
+
+  const organization = organizationId ? await workos.organizations.getOrganization(organizationId) : null;
+
+  return (
+    <div
+      {...props}
+      data-workos-impersonation-root=""
+      style={{
+        'position': 'fixed',
+        'inset': 0,
+        'pointerEvents': 'none',
+        'zIndex': 9999,
+
+        // short properties with defaults for authoring convenience
+        '--wi-minimized': '0',
+        '--wi-s': 'min(max(var(--workos-impersonation-size, 4px), 2px), 15px)',
+        '--wi-bgc': 'var(--workos-impersonation-background-color, #fce654)',
+        '--wi-c': 'var(--workos-impersonation-color, #1a1600)',
+        '--wi-bc': 'var(--workos-impersonation-border-color, #e0c36c)',
+        '--wi-bw': 'var(--workos-impersonation-border-width, 1px)',
+
+        ...props.style,
+      }}
+    >
+      <div
+        style={{
+          '--wi-frame-size': 'calc(var(--wi-s) * (1 - var(--wi-minimized)) + var(--wi-minimized) * var(--wi-bw) * -1)',
+          'position': 'absolute',
+          'inset': 'calc(var(--wi-frame-size) * -1)',
+          'borderRadius': 'calc(var(--wi-frame-size) * 3)',
+          'boxShadow': `
+						inset 0 0 0 calc(var(--wi-frame-size) * 2) var(--wi-bgc),
+						inset 0 0 0 calc(var(--wi-frame-size) * 2 + var(--wi-bw)) var(--wi-bc)
+					`,
+          'transition': 'all 500ms cubic-bezier(0.16, 1, 0.3, 1)',
+        }}
+      />
+
+      <div
+        style={{
+          display: 'flex',
+          justifyContent: 'center',
+
+          position: 'fixed',
+          left: 0,
+          right: 0,
+          ...(side === 'top' && { top: 'var(--wi-s)' }),
+          ...(side === 'bottom' && { bottom: 'var(--wi-s)' }),
+
+          fontFamily:
+            "system-ui, -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, 'Open Sans', 'Helvetica Neue', sans-serif",
+          fontSize: 'calc(12px + var(--wi-s) * 0.5)',
+          lineHeight: '1.4',
+        }}
+      >
+        <form
+          action={async () => {
+            'use server';
+            await signOut();
+          }}
+          style={{
+            display: 'flex',
+            alignItems: 'baseline',
+            paddingLeft: 'var(--wi-s)',
+            paddingRight: 'var(--wi-s)',
+
+            position: 'relative',
+            marginLeft: 'calc(var(--wi-s) * 2)',
+            marginRight: 'calc(var(--wi-s) * 2)',
+
+            pointerEvents: 'auto',
+            backgroundColor: 'var(--wi-bgc)',
+            borderStyle: 'solid',
+            borderColor: 'var(--wi-bc)',
+            borderLeftWidth: 'var(--wi-bw)',
+            borderRightWidth: 'var(--wi-bw)',
+
+            transition: 'all 500ms cubic-bezier(0.16, 1, 0.3, 1)',
+            transform: `translateX(calc(var(--wi-minimized) * (var(--wi-s) * 10 - 5%)))`,
+            opacity: 'calc(1 - var(--wi-minimized))',
+            zIndex: 'calc(1 - var(--wi-minimized))',
+
+            ...(side === 'top' && {
+              paddingTop: 0,
+              paddingBottom: 'var(--wi-s)',
+              borderTopWidth: 0,
+              borderBottomWidth: 'var(--wi-bw)',
+              borderBottomLeftRadius: 'var(--wi-s)',
+              borderBottomRightRadius: 'var(--wi-s)',
+            }),
+
+            ...(side === 'bottom' && {
+              paddingTop: 'var(--wi-s)',
+              paddingBottom: 0,
+              borderTopWidth: 'var(--wi-bw)',
+              borderBottomWidth: 0,
+              borderTopLeftRadius: 'var(--wi-s)',
+              borderTopRightRadius: 'var(--wi-s)',
+            }),
+          }}
+        >
+          <p style={{ all: 'unset', color: 'var(--wi-c)', textWrap: 'balance', marginLeft: 'var(--wi-s)' }}>
+            You are impersonating <b>{user.email}</b>{' '}
+            {organization !== null && (
+              <>
+                within the <b>{organization.name}</b> organization
+              </>
+            )}
+          </p>
+          <Button type="submit" style={{ marginLeft: 'calc(var(--wi-s) * 2)', marginRight: 'var(--wi-s)' }}>
+            Stop
+          </Button>
+          <MinMaxButton minimizedValue="1">{side === 'top' ? '↗' : '↘'}</MinMaxButton>
+        </form>
+
+        <div
+          style={{
+            padding: 'var(--wi-s)',
+
+            position: 'fixed',
+            right: 'var(--wi-s)',
+
+            pointerEvents: 'auto',
+            backgroundColor: 'var(--wi-bgc)',
+            border: 'var(--wi-bw) solid var(--wi-bc)',
+            borderRadius: 'var(--wi-s)',
+
+            transition: 'all 500ms cubic-bezier(0.16, 1, 0.3, 1)',
+            transform: 'translateX(calc((1 - var(--wi-minimized)) * var(--wi-s) * -5))',
+            opacity: 'var(--wi-minimized)',
+            zIndex: 'var(--wi-minimized)',
+
+            ...(side === 'top' && { top: 'var(--wi-s)' }),
+            ...(side === 'bottom' && { bottom: 'var(--wi-s)' }),
+          }}
+        >
+          <MinMaxButton minimizedValue="0">{side === 'top' ? '↙' : '↖'}</MinMaxButton>
+        </div>
+      </div>
+    </div>
+  );
+}

package/src/index.ts

@@ -0,0 +1,17 @@
+import { handleAuth } from './authkit-callback-route.js';
+import { authkitMiddleware } from './middleware.js';
+import { getUser } from './session.js';
+import { getSignInUrl, signOut } from './auth.js';
+import { Impersonation } from './impersonation.js';
+
+export {
+  handleAuth,
+  //
+  authkitMiddleware,
+  //
+  getSignInUrl,
+  getUser,
+  signOut,
+  //
+  Impersonation,
+};

package/src/interfaces.ts

@@ -0,0 +1,37 @@
+import { User } from '@workos-inc/node';
+
+export interface HandleAuthOptions {
+  returnPathname?: string;
+}
+
+export interface Impersonator {
+  email: string;
+  reason: string | null;
+}
+export interface Session {
+  accessToken: string;
+  refreshToken: string;
+  user: User;
+  impersonator?: Impersonator;
+}
+
+export interface UserInfo {
+  user: User;
+  sessionId: string;
+  organizationId?: string;
+  role?: string;
+  impersonator?: Impersonator;
+}
+export interface NoUserInfo {
+  user: null;
+  sessionId?: undefined;
+  organizationId?: undefined;
+  role?: undefined;
+  impersonator?: undefined;
+}
+
+export interface AccessToken {
+  sid: string;
+  org_id?: string;
+  role?: string;
+}

package/src/middleware.ts

@@ -0,0 +1,12 @@
+import { NextMiddleware } from 'next/server';
+import { updateSession } from './session.js';
+
+interface AuthkitMiddlewareOptions {
+  debug?: boolean;
+}
+
+export function authkitMiddleware({ debug = false }: AuthkitMiddlewareOptions = {}): NextMiddleware {
+  return function (request) {
+    return updateSession(request, debug);
+  };
+}

package/src/min-max-button.tsx

@@ -0,0 +1,23 @@
+'use client';
+
+import * as React from 'react';
+import { Button } from './button.js';
+
+interface MinMaxButtonProps {
+  children?: React.ReactNode;
+  minimizedValue: '0' | '1';
+}
+
+export function MinMaxButton({ children, minimizedValue }: MinMaxButtonProps) {
+  return (
+    <Button
+      onClick={() => {
+        const root = document.querySelector('[data-workos-impersonation-root]') as HTMLElement | null;
+        root?.style.setProperty('--wi-minimized', minimizedValue);
+      }}
+      style={{ padding: 0, width: '1.714em' }}
+    >
+      {children}
+    </Button>
+  );
+}