@workos-inc/authkit-nextjs 0.4.2 → 0.5.1

package/README.md

@@ -65,8 +65,8 @@ import { authkitMiddleware } from '@workos-inc/authkit-nextjs';
 export default authkitMiddleware();
 
 // Match against pages that require auth
-// Leave this out if you want auth on every page in your application
-export const config = { matcher: ['/admin'] };
+// Leave this out if you want auth on every resource (including images, css etc.)
+export const config = { matcher: ['/', '/admin'] };
 ```
 
 ## Usage
@@ -77,16 +77,28 @@ For pages where you want to display a signed-in and signed-out view, use `getUse
 
 ```jsx
 import Link from 'next/link';
-import { getSignInUrl, getUser, signOut } from '@workos-inc/authkit-nextjs';
+import { getSignInUrl, getSignUpUrl, getUser, signOut } from '@workos-inc/authkit-nextjs';
 
 export default async function HomePage() {
   // Retrieves the user from the session or returns `null` if no user is signed in
   const { user } = await getUser();
 
-  // Get the URL to redirect the user to AuthKit to sign in
-  const signInUrl = await getSignInUrl();
+  if (!user) {
+    // Get the URL to redirect the user to AuthKit to sign in
+    const signInUrl = await getSignInUrl();
 
-  return user ? (
+    // Get the URL to redirect the user to AuthKit to sign up
+    const signUpUrl = await getSignUpUrl();
+
+    return (
+      <>
+        <Link href={signInUrl}>Log in</Link>
+        <Link href={signUpUrl}>Sign Up</Link>
+      </>
+    );
+  }
+
+  return (
     <form
       action={async () => {
         'use server';
@@ -96,8 +108,6 @@ export default async function HomePage() {
       <p>Welcome back {user?.firstName && `, ${user?.firstName}`}</p>
       <button type="submit">Sign out</button>
     </form>
-  ) : (
-    <Link href={signInUrl}>Sign in</Link>
   );
 }
 ```
@@ -112,6 +122,29 @@ const { user } = await getUser({ ensureSignedIn: true });
 
 Enabling `ensureSignedIn` will redirect users to AuthKit if they attempt to access the page without being authenticated.
 
+### Middleware auth
+
+The default behavior of this library is to request authentication via the `getUser` method on a per-page basis. There are some use cases where you don't want to call `getUser` (e.g. you don't need user data for your page) or if you'd prefer a "secure by default" approach where every route defined in your middleware matcher is protected unless specified otherwise. In those cases you can opt-in to use middleware auth instead:
+
+```ts
+import { authkitMiddleware } from '@workos-inc/authkit-nextjs';
+
+export default authkitMiddleware({
+  middlewareAuth: {
+    enabled: true,
+    unauthenticatedPaths: ['/', '/about'],
+  },
+});
+
+// Match against pages that require auth
+// Leave this out if you want auth on every resource (including images, css etc.)
+export const config = { matcher: ['/', '/admin/:path*', '/about'] };
+```
+
+In the above example the `/admin` page will require a user to be signed in, whereas `/` and `/about` can be accessed without signing in.
+
+`unauthenticatedPaths` uses the same glob logic as the [Next.js matcher](https://nextjs.org/docs/pages/building-your-application/routing/middleware#matcher).
+
 ### Signing out
 
 Use the `signOut` method to sign out the current logged in user and redirect to your app's homepage. The homepage redirect is set in your WorkOS dashboard settings under "Redirect".
@@ -143,3 +176,9 @@ import { authkitMiddleware } from '@workos-inc/authkit-nextjs';
 
 export default authkitMiddleware({ debug: true });
 ```
+
+### Troubleshooting
+
+#### NEXT_REDIRECT error when using try/catch blocks
+
+Wrapping a `getUser({ ensureSignedIn: true })` call in a try/catch block will cause a `NEXT_REDIRECT` error. This is because `getUser` will attempt to redirect the user to AuthKit if no session is detected and redirects in Next must be [called outside a try/catch](https://nextjs.org/docs/app/building-your-application/data-fetching/server-actions-and-mutations#redirecting).

package/dist/cjs/auth.d.ts

@@ -1,3 +1,4 @@
 declare function getSignInUrl(): Promise<string>;
+declare function getSignUpUrl(): Promise<string>;
 declare function signOut(): Promise<void>;
-export { getSignInUrl, signOut };
+export { getSignInUrl, getSignUpUrl, signOut };

package/dist/cjs/auth.js

@@ -1,14 +1,18 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.signOut = exports.getSignInUrl = void 0;
+exports.signOut = exports.getSignUpUrl = exports.getSignInUrl = void 0;
 const get_authorization_url_js_1 = require("./get-authorization-url.js");
 const headers_1 = require("next/headers");
 const cookie_js_1 = require("./cookie.js");
 const session_js_1 = require("./session.js");
 async function getSignInUrl() {
-    return (0, get_authorization_url_js_1.getAuthorizationUrl)();
+    return (0, get_authorization_url_js_1.getAuthorizationUrl)({ screenHint: 'sign-in' });
 }
 exports.getSignInUrl = getSignInUrl;
+async function getSignUpUrl() {
+    return (0, get_authorization_url_js_1.getAuthorizationUrl)({ screenHint: 'sign-up' });
+}
+exports.getSignUpUrl = getSignUpUrl;
 async function signOut() {
     (0, headers_1.cookies)().delete(cookie_js_1.cookieName);
     await (0, session_js_1.terminateSession)();

package/dist/cjs/auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/auth.ts"],"names":[],"mappings":";;;AAAA,yEAAiE;AACjE,0CAAuC;AACvC,2CAAyC;AACzC,6CAAgD;AAEhD,KAAK,UAAU,YAAY;IACzB,OAAO,IAAA,8CAAmB,GAAE,CAAC;AAC/B,CAAC;AAOQ,oCAAY;AALrB,KAAK,UAAU,OAAO;IACpB,IAAA,iBAAO,GAAE,CAAC,MAAM,CAAC,sBAAU,CAAC,CAAC;IAC7B,MAAM,IAAA,6BAAgB,GAAE,CAAC;AAC3B,CAAC;AAEsB,0BAAO"}
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/auth.ts"],"names":[],"mappings":";;;AAAA,yEAAiE;AACjE,0CAAuC;AACvC,2CAAyC;AACzC,6CAAgD;AAEhD,KAAK,UAAU,YAAY;IACzB,OAAO,IAAA,8CAAmB,EAAC,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC,CAAC;AACxD,CAAC;AAWQ,oCAAY;AATrB,KAAK,UAAU,YAAY;IACzB,OAAO,IAAA,8CAAmB,EAAC,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC,CAAC;AACxD,CAAC;AAOsB,oCAAY;AALnC,KAAK,UAAU,OAAO;IACpB,IAAA,iBAAO,GAAE,CAAC,MAAM,CAAC,sBAAU,CAAC,CAAC;IAC7B,MAAM,IAAA,6BAAgB,GAAE,CAAC;AAC3B,CAAC;AAEoC,0BAAO"}

package/dist/cjs/cookie.js

@@ -1,12 +1,15 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.cookieOptions = exports.cookieName = void 0;
+const env_variables_js_1 = require("./env-variables.js");
+const redirectUrl = new URL(env_variables_js_1.WORKOS_REDIRECT_URI);
+const isSecureProtocol = redirectUrl.protocol === 'https:';
 const cookieName = 'wos-session';
 exports.cookieName = cookieName;
 const cookieOptions = {
     path: '/',
     httpOnly: true,
-    secure: true,
+    secure: isSecureProtocol,
     sameSite: 'lax',
 };
 exports.cookieOptions = cookieOptions;

package/dist/cjs/cookie.js.map

@@ -1 +1 @@
-{"version":3,"file":"cookie.js","sourceRoot":"","sources":["../../src/cookie.ts"],"names":[],"mappings":";;;AAAA,MAAM,UAAU,GAAG,aAAa,CAAC;AAQxB,gCAAU;AAPnB,MAAM,aAAa,GAAG;IACpB,IAAI,EAAE,GAAG;IACT,QAAQ,EAAE,IAAI;IACd,MAAM,EAAE,IAAI;IACZ,QAAQ,EAAE,KAAc;CACzB,CAAC;AAEmB,sCAAa"}
+{"version":3,"file":"cookie.js","sourceRoot":"","sources":["../../src/cookie.ts"],"names":[],"mappings":";;;AAAA,yDAAyD;AAEzD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,sCAAmB,CAAC,CAAC;AACjD,MAAM,gBAAgB,GAAG,WAAW,CAAC,QAAQ,KAAK,QAAQ,CAAC;AAE3D,MAAM,UAAU,GAAG,aAAa,CAAC;AAQxB,gCAAU;AAPnB,MAAM,aAAa,GAAG;IACpB,IAAI,EAAE,GAAG;IACT,QAAQ,EAAE,IAAI;IACd,MAAM,EAAE,gBAAgB;IACxB,QAAQ,EAAE,KAAc;CACzB,CAAC;AAEmB,sCAAa"}

package/dist/cjs/get-authorization-url.d.ts

@@ -1,2 +1,3 @@
-declare function getAuthorizationUrl(returnPathname?: string): Promise<string>;
+import { GetAuthURLOptions } from './interfaces.js';
+declare function getAuthorizationUrl(options?: GetAuthURLOptions): Promise<string>;
 export { getAuthorizationUrl };

package/dist/cjs/get-authorization-url.js

@@ -3,12 +3,14 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.getAuthorizationUrl = void 0;
 const workos_js_1 = require("./workos.js");
 const env_variables_js_1 = require("./env-variables.js");
-async function getAuthorizationUrl(returnPathname) {
+async function getAuthorizationUrl(options = {}) {
+    const { returnPathname, screenHint } = options;
     return workos_js_1.workos.userManagement.getAuthorizationUrl({
         provider: 'authkit',
         clientId: env_variables_js_1.WORKOS_CLIENT_ID,
         redirectUri: env_variables_js_1.WORKOS_REDIRECT_URI,
         state: returnPathname ? btoa(JSON.stringify({ returnPathname })) : undefined,
+        screenHint,
     });
 }
 exports.getAuthorizationUrl = getAuthorizationUrl;

package/dist/cjs/get-authorization-url.js.map

@@ -1 +1 @@
-{"version":3,"file":"get-authorization-url.js","sourceRoot":"","sources":["../../src/get-authorization-url.ts"],"names":[],"mappings":";;;AAAA,2CAAqC;AACrC,yDAA2E;AAE3E,KAAK,UAAU,mBAAmB,CAAC,cAAuB;IACxD,OAAO,kBAAM,CAAC,cAAc,CAAC,mBAAmB,CAAC;QAC/C,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,mCAAgB;QAC1B,WAAW,EAAE,sCAAmB;QAChC,KAAK,EAAE,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS;KAC7E,CAAC,CAAC;AACL,CAAC;AAEQ,kDAAmB"}
+{"version":3,"file":"get-authorization-url.js","sourceRoot":"","sources":["../../src/get-authorization-url.ts"],"names":[],"mappings":";;;AAAA,2CAAqC;AACrC,yDAA2E;AAG3E,KAAK,UAAU,mBAAmB,CAAC,UAA6B,EAAE;IAChE,MAAM,EAAE,cAAc,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IAE/C,OAAO,kBAAM,CAAC,cAAc,CAAC,mBAAmB,CAAC;QAC/C,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,mCAAgB;QAC1B,WAAW,EAAE,sCAAmB;QAChC,KAAK,EAAE,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS;QAC5E,UAAU;KACX,CAAC,CAAC;AACL,CAAC;AAEQ,kDAAmB"}

package/dist/cjs/index.d.ts

@@ -1,6 +1,6 @@
 import { handleAuth } from './authkit-callback-route.js';
 import { authkitMiddleware } from './middleware.js';
 import { getUser } from './session.js';
-import { getSignInUrl, signOut } from './auth.js';
+import { getSignInUrl, getSignUpUrl, signOut } from './auth.js';
 import { Impersonation } from './impersonation.js';
-export { handleAuth, authkitMiddleware, getSignInUrl, getUser, signOut, Impersonation, };
+export { handleAuth, authkitMiddleware, getSignInUrl, getSignUpUrl, getUser, signOut, Impersonation, };

package/dist/cjs/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.Impersonation = exports.signOut = exports.getUser = exports.getSignInUrl = exports.authkitMiddleware = exports.handleAuth = void 0;
+exports.Impersonation = exports.signOut = exports.getUser = exports.getSignUpUrl = exports.getSignInUrl = exports.authkitMiddleware = exports.handleAuth = void 0;
 const authkit_callback_route_js_1 = require("./authkit-callback-route.js");
 Object.defineProperty(exports, "handleAuth", { enumerable: true, get: function () { return authkit_callback_route_js_1.handleAuth; } });
 const middleware_js_1 = require("./middleware.js");
@@ -9,6 +9,7 @@ const session_js_1 = require("./session.js");
 Object.defineProperty(exports, "getUser", { enumerable: true, get: function () { return session_js_1.getUser; } });
 const auth_js_1 = require("./auth.js");
 Object.defineProperty(exports, "getSignInUrl", { enumerable: true, get: function () { return auth_js_1.getSignInUrl; } });
+Object.defineProperty(exports, "getSignUpUrl", { enumerable: true, get: function () { return auth_js_1.getSignUpUrl; } });
 Object.defineProperty(exports, "signOut", { enumerable: true, get: function () { return auth_js_1.signOut; } });
 const impersonation_js_1 = require("./impersonation.js");
 Object.defineProperty(exports, "Impersonation", { enumerable: true, get: function () { return impersonation_js_1.Impersonation; } });

package/dist/cjs/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,2EAAyD;AAOvD,2FAPO,sCAAU,OAOP;AANZ,mDAAoD;AAQlD,kGARO,iCAAiB,OAQP;AAPnB,6CAAuC;AAUrC,wFAVO,oBAAO,OAUP;AATT,uCAAkD;AAQhD,6FARO,sBAAY,OAQP;AAEZ,wFAVqB,iBAAO,OAUrB;AATT,yDAAmD;AAWjD,8FAXO,gCAAa,OAWP"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,2EAAyD;AAOvD,2FAPO,sCAAU,OAOP;AANZ,mDAAoD;AAQlD,kGARO,iCAAiB,OAQP;AAPnB,6CAAuC;AAWrC,wFAXO,oBAAO,OAWP;AAVT,uCAAgE;AAQ9D,6FARO,sBAAY,OAQP;AACZ,6FATqB,sBAAY,OASrB;AAEZ,wFAXmC,iBAAO,OAWnC;AAVT,yDAAmD;AAYjD,8FAZO,gCAAa,OAYP"}

package/dist/cjs/interfaces.d.ts

@@ -31,3 +31,15 @@ export interface AccessToken {
     org_id?: string;
     role?: string;
 }
+export interface GetAuthURLOptions {
+    screenHint?: 'sign-up' | 'sign-in';
+    returnPathname?: string;
+}
+export interface AuthkitMiddlewareAuth {
+    enabled: boolean;
+    unauthenticatedPaths: string[];
+}
+export interface AuthkitMiddlewareOptions {
+    debug?: boolean;
+    middlewareAuth?: AuthkitMiddlewareAuth;
+}

package/dist/cjs/middleware.d.ts

@@ -1,6 +1,3 @@
 import { NextMiddleware } from 'next/server';
-interface AuthkitMiddlewareOptions {
-    debug?: boolean;
-}
-export declare function authkitMiddleware({ debug }?: AuthkitMiddlewareOptions): NextMiddleware;
-export {};
+import { AuthkitMiddlewareOptions } from './interfaces.js';
+export declare function authkitMiddleware({ debug, middlewareAuth, }?: AuthkitMiddlewareOptions): NextMiddleware;

package/dist/cjs/middleware.js

@@ -2,9 +2,9 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.authkitMiddleware = void 0;
 const session_js_1 = require("./session.js");
-function authkitMiddleware({ debug = false } = {}) {
+function authkitMiddleware({ debug = false, middlewareAuth = { enabled: false, unauthenticatedPaths: [] }, } = {}) {
     return function (request) {
-        return (0, session_js_1.updateSession)(request, debug);
+        return (0, session_js_1.updateSession)(request, debug, middlewareAuth);
     };
 }
 exports.authkitMiddleware = authkitMiddleware;

package/dist/cjs/middleware.js.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/middleware.ts"],"names":[],"mappings":";;;AACA,6CAA6C;AAM7C,SAAgB,iBAAiB,CAAC,EAAE,KAAK,GAAG,KAAK,KAA+B,EAAE;IAChF,OAAO,UAAU,OAAO;QACtB,OAAO,IAAA,0BAAa,EAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACvC,CAAC,CAAC;AACJ,CAAC;AAJD,8CAIC"}
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/middleware.ts"],"names":[],"mappings":";;;AACA,6CAA6C;AAG7C,SAAgB,iBAAiB,CAAC,EAChC,KAAK,GAAG,KAAK,EACb,cAAc,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,EAAE,EAAE,MACjC,EAAE;IAC9B,OAAO,UAAU,OAAO;QACtB,OAAO,IAAA,0BAAa,EAAC,OAAO,EAAE,KAAK,EAAE,cAAc,CAAC,CAAC;IACvD,CAAC,CAAC;AACJ,CAAC;AAPD,8CAOC"}

package/dist/cjs/session.d.ts

@@ -1,7 +1,7 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { NoUserInfo, Session, UserInfo } from './interfaces.js';
+import { AuthkitMiddlewareAuth, NoUserInfo, Session, UserInfo } from './interfaces.js';
 declare function encryptSession(session: Session): Promise<string>;
-declare function updateSession(request: NextRequest, debug: boolean): Promise<NextResponse<unknown>>;
+declare function updateSession(request: NextRequest, debug: boolean, middlewareAuth: AuthkitMiddlewareAuth): Promise<NextResponse<unknown>>;
 declare function getUser(options?: {
     ensureSignedIn: false;
 }): Promise<UserInfo | NoUserInfo>;

package/dist/cjs/session.js

@@ -10,6 +10,7 @@ const cookie_js_1 = require("./cookie.js");
 const workos_js_1 = require("./workos.js");
 const env_variables_js_1 = require("./env-variables.js");
 const get_authorization_url_js_1 = require("./get-authorization-url.js");
+const path_to_regexp_1 = require("path-to-regexp");
 const sessionHeaderName = 'x-workos-session';
 const middlewareHeaderName = 'x-workos-middleware';
 const JWKS = (0, jose_1.createRemoteJWKSet)(new URL(workos_js_1.workos.userManagement.getJwksUrl(env_variables_js_1.WORKOS_CLIENT_ID)));
@@ -17,7 +18,7 @@ async function encryptSession(session) {
     return (0, iron_session_1.sealData)(session, { password: env_variables_js_1.WORKOS_COOKIE_PASSWORD });
 }
 exports.encryptSession = encryptSession;
-async function updateSession(request, debug) {
+async function updateSession(request, debug, middlewareAuth) {
     const session = await getSessionFromCookie();
     const newRequestHeaders = new Headers(request.headers);
     // We store the current request url in a custom header, so we can always have access to it
@@ -27,6 +28,16 @@ async function updateSession(request, debug) {
     // Record that the request was routed through the middleware so we can check later for DX purposes
     newRequestHeaders.set(middlewareHeaderName, 'true');
     newRequestHeaders.delete(sessionHeaderName);
+    const matchedPaths = middlewareAuth.unauthenticatedPaths.filter((pathGlob) => {
+        const pathRegex = getMiddlewareAuthPathRegex(pathGlob);
+        return pathRegex.exec(request.nextUrl.pathname);
+    });
+    // If the user is logged out and this path isn't on the allowlist for logged out paths, redirect to AuthKit.
+    if (middlewareAuth.enabled && matchedPaths.length === 0 && !session) {
+        if (debug)
+            console.log('Unauthenticated user on protected route, redirecting to AuthKit');
+        return server_1.NextResponse.redirect(await (0, get_authorization_url_js_1.getAuthorizationUrl)({ returnPathname: new URL(request.url).pathname }));
+    }
     // If no session, just continue
     if (!session) {
         return server_1.NextResponse.next({
@@ -78,6 +89,21 @@ async function updateSession(request, debug) {
     }
 }
 exports.updateSession = updateSession;
+function getMiddlewareAuthPathRegex(pathGlob) {
+    let regex;
+    try {
+        // Redirect URI is only used to construct the URL
+        const url = new URL(pathGlob, env_variables_js_1.WORKOS_REDIRECT_URI);
+        const path = `${url.pathname}${url.hash || ''}`;
+        const tokens = (0, path_to_regexp_1.parse)(path);
+        regex = (0, path_to_regexp_1.tokensToRegexp)(tokens).source;
+        return new RegExp(regex);
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        throw new Error(`Error parsing routes for middleware auth. Reason: ${message}`);
+    }
+}
 async function getUser({ ensureSignedIn = false } = {}) {
     const hasMiddleware = Boolean((0, headers_1.headers)().get(middlewareHeaderName));
     if (!hasMiddleware) {
@@ -88,7 +114,7 @@ async function getUser({ ensureSignedIn = false } = {}) {
         if (ensureSignedIn) {
             const url = (0, headers_1.headers)().get('x-url');
             const returnPathname = url ? new URL(url).pathname : undefined;
-            (0, navigation_1.redirect)(await (0, get_authorization_url_js_1.getAuthorizationUrl)(returnPathname));
+            (0, navigation_1.redirect)(await (0, get_authorization_url_js_1.getAuthorizationUrl)({ returnPathname }));
         }
         return { user: null };
     }

package/dist/cjs/session.js.map

@@ -1 +1 @@
-{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/session.ts"],"names":[],"mappings":";;;AAAA,gDAA2C;AAC3C,0CAAgD;AAChD,wCAAwD;AACxD,+BAAgE;AAChE,+CAAoD;AACpD,2CAAwD;AACxD,2CAAqC;AACrC,yDAA8E;AAC9E,yEAAiE;AAGjE,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAC7C,MAAM,oBAAoB,GAAG,qBAAqB,CAAC;AAEnD,MAAM,IAAI,GAAG,IAAA,yBAAkB,EAAC,IAAI,GAAG,CAAC,kBAAM,CAAC,cAAc,CAAC,UAAU,CAAC,mCAAgB,CAAC,CAAC,CAAC,CAAC;AAE7F,KAAK,UAAU,cAAc,CAAC,OAAgB;IAC5C,OAAO,IAAA,uBAAQ,EAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,yCAAsB,EAAE,CAAC,CAAC;AACjE,CAAC;AA2IQ,wCAAc;AAzIvB,KAAK,UAAU,aAAa,CAAC,OAAoB,EAAE,KAAc;IAC/D,MAAM,OAAO,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAC7C,MAAM,iBAAiB,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAEvD,0FAA0F;IAC1F,qGAAqG;IACrG,gFAAgF;IAChF,iBAAiB,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAE5C,kGAAkG;IAClG,iBAAiB,CAAC,GAAG,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;IAEpD,iBAAiB,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IAE5C,+BAA+B;IAC/B,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,qBAAY,CAAC,IAAI,CAAC;YACvB,OAAO,EAAE,EAAE,OAAO,EAAE,iBAAiB,EAAE;SACxC,CAAC,CAAC;IACL,CAAC;IAED,MAAM,eAAe,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAErE,IAAI,eAAe,EAAE,CAAC;QACpB,IAAI,KAAK;YAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;QAC3C,wEAAwE;QACxE,iBAAiB,CAAC,GAAG,CAAC,iBAAiB,EAAE,IAAA,iBAAO,GAAE,CAAC,GAAG,CAAC,sBAAU,CAAE,CAAC,KAAK,CAAC,CAAC;QAC3E,OAAO,qBAAY,CAAC,IAAI,CAAC;YACvB,OAAO,EAAE,EAAE,OAAO,EAAE,iBAAiB,EAAE;SACxC,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC;QACH,IAAI,KAAK;YAAE,OAAO,CAAC,GAAG,CAAC,qCAAqC,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;QAEpF,kHAAkH;QAClH,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,GAAG,MAAM,kBAAM,CAAC,cAAc,CAAC,4BAA4B,CAAC;YAC7F,QAAQ,EAAE,mCAAgB;YAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;SACnC,CAAC,CAAC;QAEH,IAAI,KAAK;YAAE,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,YAAY,CAAC,CAAC;QAE5D,qDAAqD;QACrD,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC;YAC5C,WAAW;YACX,YAAY;YACZ,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,YAAY,EAAE,OAAO,CAAC,YAAY;SACnC,CAAC,CAAC;QAEH,iBAAiB,CAAC,GAAG,CAAC,iBAAiB,EAAE,gBAAgB,CAAC,CAAC;QAE3D,MAAM,QAAQ,GAAG,qBAAY,CAAC,IAAI,CAAC;YACjC,OAAO,EAAE,EAAE,OAAO,EAAE,iBAAiB,EAAE;SACxC,CAAC,CAAC;QACH,oBAAoB;QACpB,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAU,EAAE,gBAAgB,EAAE,yBAAa,CAAC,CAAC;QAClE,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC,CAAC,CAAC;QACrC,MAAM,QAAQ,GAAG,qBAAY,CAAC,IAAI,CAAC;YACjC,OAAO,EAAE,EAAE,OAAO,EAAE,iBAAiB,EAAE;SACxC,CAAC,CAAC;QACH,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,sBAAU,CAAC,CAAC;QACpC,OAAO,QAAQ,CAAC;IAClB,CAAC;AACH,CAAC;AAsEwB,sCAAa;AAhEtC,KAAK,UAAU,OAAO,CAAC,EAAE,cAAc,GAAG,KAAK,EAAE,GAAG,EAAE;IACpD,MAAM,aAAa,GAAG,OAAO,CAAC,IAAA,iBAAO,GAAE,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC,CAAC;IAEnE,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CACb,mNAAmN,CACpN,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAC7C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,GAAG,GAAG,IAAA,iBAAO,GAAE,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YACnC,MAAM,cAAc,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;YAC/D,IAAA,qBAAQ,EAAC,MAAM,IAAA,8CAAmB,EAAC,cAAc,CAAC,CAAC,CAAC;QACtD,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,CAAC;IAED,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,cAAc,EAAE,IAAI,EAAE,GAAG,IAAA,gBAAS,EAAc,OAAO,CAAC,WAAW,CAAC,CAAC;IAErG,OAAO;QACL,SAAS;QACT,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,cAAc;QACd,IAAI;QACJ,YAAY,EAAE,OAAO,CAAC,YAAY;KACnC,CAAC;AACJ,CAAC;AAoCuC,0BAAO;AAlC/C,KAAK,UAAU,gBAAgB;IAC7B,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,OAAO,EAAE,CAAC;IACtC,IAAI,SAAS,EAAE,CAAC;QACd,IAAA,qBAAQ,EAAC,kBAAM,CAAC,cAAc,CAAC,YAAY,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;IAC9D,CAAC;IACD,IAAA,qBAAQ,EAAC,GAAG,CAAC,CAAC;AAChB,CAAC;AA4BgD,4CAAgB;AA1BjE,KAAK,UAAU,iBAAiB,CAAC,WAAmB;IAClD,IAAI,CAAC;QACH,MAAM,IAAA,gBAAS,EAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,CAAC,IAAI,CAAC,2BAA2B,EAAE,CAAC,CAAC,CAAC;QAC7C,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,KAAK,UAAU,oBAAoB;IACjC,MAAM,MAAM,GAAG,IAAA,iBAAO,GAAE,CAAC,GAAG,CAAC,sBAAU,CAAC,CAAC;IACzC,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,IAAA,yBAAU,EAAU,MAAM,CAAC,KAAK,EAAE;YACvC,QAAQ,EAAE,yCAAsB;SACjC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,KAAK,UAAU,oBAAoB;IACjC,MAAM,UAAU,GAAG,IAAA,iBAAO,GAAE,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACpD,IAAI,CAAC,UAAU;QAAE,OAAO;IAExB,OAAO,IAAA,yBAAU,EAAU,UAAU,EAAE,EAAE,QAAQ,EAAE,yCAAsB,EAAE,CAAC,CAAC;AAC/E,CAAC"}
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/session.ts"],"names":[],"mappings":";;;AAAA,gDAA2C;AAC3C,0CAAgD;AAChD,wCAAwD;AACxD,+BAAgE;AAChE,+CAAoD;AACpD,2CAAwD;AACxD,2CAAqC;AACrC,yDAAmG;AACnG,yEAAiE;AAGjE,mDAAuD;AAEvD,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAC7C,MAAM,oBAAoB,GAAG,qBAAqB,CAAC;AAEnD,MAAM,IAAI,GAAG,IAAA,yBAAkB,EAAC,IAAI,GAAG,CAAC,kBAAM,CAAC,cAAc,CAAC,UAAU,CAAC,mCAAgB,CAAC,CAAC,CAAC,CAAC;AAE7F,KAAK,UAAU,cAAc,CAAC,OAAgB;IAC5C,OAAO,IAAA,uBAAQ,EAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,yCAAsB,EAAE,CAAC,CAAC;AACjE,CAAC;AA0KQ,wCAAc;AAxKvB,KAAK,UAAU,aAAa,CAAC,OAAoB,EAAE,KAAc,EAAE,cAAqC;IACtG,MAAM,OAAO,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAC7C,MAAM,iBAAiB,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAEvD,0FAA0F;IAC1F,qGAAqG;IACrG,gFAAgF;IAChF,iBAAiB,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAE5C,kGAAkG;IAClG,iBAAiB,CAAC,GAAG,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;IAEpD,iBAAiB,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IAE5C,MAAM,YAAY,GAAa,cAAc,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,EAAE;QACrF,MAAM,SAAS,GAAG,0BAA0B,CAAC,QAAQ,CAAC,CAAC;QAEvD,OAAO,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,4GAA4G;IAC5G,IAAI,cAAc,CAAC,OAAO,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QACpE,IAAI,KAAK;YAAE,OAAO,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAC;QAC1F,OAAO,qBAAY,CAAC,QAAQ,CAAC,MAAM,IAAA,8CAAmB,EAAC,EAAE,cAAc,EAAE,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;IAC7G,CAAC;IAED,+BAA+B;IAC/B,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,qBAAY,CAAC,IAAI,CAAC;YACvB,OAAO,EAAE,EAAE,OAAO,EAAE,iBAAiB,EAAE;SACxC,CAAC,CAAC;IACL,CAAC;IAED,MAAM,eAAe,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAErE,IAAI,eAAe,EAAE,CAAC;QACpB,IAAI,KAAK;YAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;QAC3C,wEAAwE;QACxE,iBAAiB,CAAC,GAAG,CAAC,iBAAiB,EAAE,IAAA,iBAAO,GAAE,CAAC,GAAG,CAAC,sBAAU,CAAE,CAAC,KAAK,CAAC,CAAC;QAC3E,OAAO,qBAAY,CAAC,IAAI,CAAC;YACvB,OAAO,EAAE,EAAE,OAAO,EAAE,iBAAiB,EAAE;SACxC,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC;QACH,IAAI,KAAK;YAAE,OAAO,CAAC,GAAG,CAAC,qCAAqC,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;QAEpF,kHAAkH;QAClH,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,GAAG,MAAM,kBAAM,CAAC,cAAc,CAAC,4BAA4B,CAAC;YAC7F,QAAQ,EAAE,mCAAgB;YAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;SACnC,CAAC,CAAC;QAEH,IAAI,KAAK;YAAE,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,YAAY,CAAC,CAAC;QAE5D,qDAAqD;QACrD,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC;YAC5C,WAAW;YACX,YAAY;YACZ,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,YAAY,EAAE,OAAO,CAAC,YAAY;SACnC,CAAC,CAAC;QAEH,iBAAiB,CAAC,GAAG,CAAC,iBAAiB,EAAE,gBAAgB,CAAC,CAAC;QAE3D,MAAM,QAAQ,GAAG,qBAAY,CAAC,IAAI,CAAC;YACjC,OAAO,EAAE,EAAE,OAAO,EAAE,iBAAiB,EAAE;SACxC,CAAC,CAAC;QACH,oBAAoB;QACpB,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAU,EAAE,gBAAgB,EAAE,yBAAa,CAAC,CAAC;QAClE,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC,CAAC,CAAC;QACrC,MAAM,QAAQ,GAAG,qBAAY,CAAC,IAAI,CAAC;YACjC,OAAO,EAAE,EAAE,OAAO,EAAE,iBAAiB,EAAE;SACxC,CAAC,CAAC;QACH,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,sBAAU,CAAC,CAAC;QACpC,OAAO,QAAQ,CAAC;IAClB,CAAC;AACH,CAAC;AAyFwB,sCAAa;AAvFtC,SAAS,0BAA0B,CAAC,QAAgB;IAClD,IAAI,KAAa,CAAC;IAElB,IAAI,CAAC;QACH,iDAAiD;QACjD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,sCAAmB,CAAC,CAAC;QACnD,MAAM,IAAI,GAAG,GAAG,GAAG,CAAC,QAAS,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;QAEjD,MAAM,MAAM,GAAG,IAAA,sBAAK,EAAC,IAAI,CAAC,CAAC;QAC3B,KAAK,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC;QAEtC,OAAO,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAEjE,MAAM,IAAI,KAAK,CAAC,qDAAqD,OAAO,EAAE,CAAC,CAAC;IAClF,CAAC;AACH,CAAC;AAMD,KAAK,UAAU,OAAO,CAAC,EAAE,cAAc,GAAG,KAAK,EAAE,GAAG,EAAE;IACpD,MAAM,aAAa,GAAG,OAAO,CAAC,IAAA,iBAAO,GAAE,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC,CAAC;IAEnE,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CACb,mNAAmN,CACpN,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAC7C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,GAAG,GAAG,IAAA,iBAAO,GAAE,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YACnC,MAAM,cAAc,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;YAC/D,IAAA,qBAAQ,EAAC,MAAM,IAAA,8CAAmB,EAAC,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC;QAC1D,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,CAAC;IAED,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,cAAc,EAAE,IAAI,EAAE,GAAG,IAAA,gBAAS,EAAc,OAAO,CAAC,WAAW,CAAC,CAAC;IAErG,OAAO;QACL,SAAS;QACT,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,cAAc;QACd,IAAI;QACJ,YAAY,EAAE,OAAO,CAAC,YAAY;KACnC,CAAC;AACJ,CAAC;AAoCuC,0BAAO;AAlC/C,KAAK,UAAU,gBAAgB;IAC7B,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,OAAO,EAAE,CAAC;IACtC,IAAI,SAAS,EAAE,CAAC;QACd,IAAA,qBAAQ,EAAC,kBAAM,CAAC,cAAc,CAAC,YAAY,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;IAC9D,CAAC;IACD,IAAA,qBAAQ,EAAC,GAAG,CAAC,CAAC;AAChB,CAAC;AA4BgD,4CAAgB;AA1BjE,KAAK,UAAU,iBAAiB,CAAC,WAAmB;IAClD,IAAI,CAAC;QACH,MAAM,IAAA,gBAAS,EAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,CAAC,IAAI,CAAC,2BAA2B,EAAE,CAAC,CAAC,CAAC;QAC7C,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,KAAK,UAAU,oBAAoB;IACjC,MAAM,MAAM,GAAG,IAAA,iBAAO,GAAE,CAAC,GAAG,CAAC,sBAAU,CAAC,CAAC;IACzC,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,IAAA,yBAAU,EAAU,MAAM,CAAC,KAAK,EAAE;YACvC,QAAQ,EAAE,yCAAsB;SACjC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,KAAK,UAAU,oBAAoB;IACjC,MAAM,UAAU,GAAG,IAAA,iBAAO,GAAE,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACpD,IAAI,CAAC,UAAU;QAAE,OAAO;IAExB,OAAO,IAAA,yBAAU,EAAU,UAAU,EAAE,EAAE,QAAQ,EAAE,yCAAsB,EAAE,CAAC,CAAC;AAC/E,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@workos-inc/authkit-nextjs",
-  "version": "0.4.2",
+  "version": "0.5.1",
   "description": "Authentication and session helpers for using WorkOS & AuthKit with Next.js",
   "sideEffects": false,
   "type": "commonjs",
@@ -16,16 +16,15 @@
     "clean": "rm -rf dist",
     "prebuild": "npm run clean",
     "build": "tsc --project tsconfig-cjs.json",
-    "preversion": "npm run build",
-    "postversion": "git push --follow-tags",
     "prepublishOnly": "npm run lint",
     "lint": "eslint \"src/**/*.ts*\"",
     "test": "echo \"Error: no test specified\" && exit 1"
   },
   "dependencies": {
-    "@workos-inc/node": "^6.7.0",
+    "@workos-inc/node": "^6.8.0",
     "iron-session": "^8.0.1",
-    "jose": "^5.2.3"
+    "jose": "^5.2.3",
+    "path-to-regexp": "^6.2.2"
   },
   "peerDependencies": {
     "next": "^13.5.4 || ^14.0.3",

package/src/auth.ts

@@ -4,7 +4,11 @@ import { cookieName } from './cookie.js';
 import { terminateSession } from './session.js';
 
 async function getSignInUrl() {
-  return getAuthorizationUrl();
+  return getAuthorizationUrl({ screenHint: 'sign-in' });
+}
+
+async function getSignUpUrl() {
+  return getAuthorizationUrl({ screenHint: 'sign-up' });
 }
 
 async function signOut() {
@@ -12,4 +16,4 @@ async function signOut() {
   await terminateSession();
 }
 
-export { getSignInUrl, signOut };
+export { getSignInUrl, getSignUpUrl, signOut };

package/src/cookie.ts

@@ -1,8 +1,13 @@
+import { WORKOS_REDIRECT_URI } from './env-variables.js';
+
+const redirectUrl = new URL(WORKOS_REDIRECT_URI);
+const isSecureProtocol = redirectUrl.protocol === 'https:';
+
 const cookieName = 'wos-session';
 const cookieOptions = {
   path: '/',
   httpOnly: true,
-  secure: true,
+  secure: isSecureProtocol,
   sameSite: 'lax' as const,
 };
 

package/src/get-authorization-url.ts

@@ -1,12 +1,16 @@
 import { workos } from './workos.js';
 import { WORKOS_CLIENT_ID, WORKOS_REDIRECT_URI } from './env-variables.js';
+import { GetAuthURLOptions } from './interfaces.js';
+
+async function getAuthorizationUrl(options: GetAuthURLOptions = {}) {
+  const { returnPathname, screenHint } = options;
 
-async function getAuthorizationUrl(returnPathname?: string) {
   return workos.userManagement.getAuthorizationUrl({
     provider: 'authkit',
     clientId: WORKOS_CLIENT_ID,
     redirectUri: WORKOS_REDIRECT_URI,
     state: returnPathname ? btoa(JSON.stringify({ returnPathname })) : undefined,
+    screenHint,
   });
 }
 

package/src/index.ts

@@ -1,7 +1,7 @@
 import { handleAuth } from './authkit-callback-route.js';
 import { authkitMiddleware } from './middleware.js';
 import { getUser } from './session.js';
-import { getSignInUrl, signOut } from './auth.js';
+import { getSignInUrl, getSignUpUrl, signOut } from './auth.js';
 import { Impersonation } from './impersonation.js';
 
 export {
@@ -10,6 +10,7 @@ export {
   authkitMiddleware,
   //
   getSignInUrl,
+  getSignUpUrl,
   getUser,
   signOut,
   //

package/src/interfaces.ts

@@ -35,3 +35,18 @@ export interface AccessToken {
   org_id?: string;
   role?: string;
 }
+
+export interface GetAuthURLOptions {
+  screenHint?: 'sign-up' | 'sign-in';
+  returnPathname?: string;
+}
+
+export interface AuthkitMiddlewareAuth {
+  enabled: boolean;
+  unauthenticatedPaths: string[];
+}
+
+export interface AuthkitMiddlewareOptions {
+  debug?: boolean;
+  middlewareAuth?: AuthkitMiddlewareAuth;
+}

package/src/middleware.ts

@@ -1,12 +1,12 @@
 import { NextMiddleware } from 'next/server';
 import { updateSession } from './session.js';
+import { AuthkitMiddlewareOptions } from './interfaces.js';
 
-interface AuthkitMiddlewareOptions {
-  debug?: boolean;
-}
-
-export function authkitMiddleware({ debug = false }: AuthkitMiddlewareOptions = {}): NextMiddleware {
+export function authkitMiddleware({
+  debug = false,
+  middlewareAuth = { enabled: false, unauthenticatedPaths: [] },
+}: AuthkitMiddlewareOptions = {}): NextMiddleware {
   return function (request) {
-    return updateSession(request, debug);
+    return updateSession(request, debug, middlewareAuth);
   };
 }

package/src/session.ts

@@ -5,9 +5,11 @@ import { jwtVerify, createRemoteJWKSet, decodeJwt } from 'jose';
 import { sealData, unsealData } from 'iron-session';
 import { cookieName, cookieOptions } from './cookie.js';
 import { workos } from './workos.js';
-import { WORKOS_CLIENT_ID, WORKOS_COOKIE_PASSWORD } from './env-variables.js';
+import { WORKOS_CLIENT_ID, WORKOS_COOKIE_PASSWORD, WORKOS_REDIRECT_URI } from './env-variables.js';
 import { getAuthorizationUrl } from './get-authorization-url.js';
-import { AccessToken, NoUserInfo, Session, UserInfo } from './interfaces.js';
+import { AccessToken, AuthkitMiddlewareAuth, NoUserInfo, Session, UserInfo } from './interfaces.js';
+
+import { parse, tokensToRegexp } from 'path-to-regexp';
 
 const sessionHeaderName = 'x-workos-session';
 const middlewareHeaderName = 'x-workos-middleware';
@@ -18,7 +20,7 @@ async function encryptSession(session: Session) {
   return sealData(session, { password: WORKOS_COOKIE_PASSWORD });
 }
 
-async function updateSession(request: NextRequest, debug: boolean) {
+async function updateSession(request: NextRequest, debug: boolean, middlewareAuth: AuthkitMiddlewareAuth) {
   const session = await getSessionFromCookie();
   const newRequestHeaders = new Headers(request.headers);
 
@@ -32,6 +34,18 @@ async function updateSession(request: NextRequest, debug: boolean) {
 
   newRequestHeaders.delete(sessionHeaderName);
 
+  const matchedPaths: string[] = middlewareAuth.unauthenticatedPaths.filter((pathGlob) => {
+    const pathRegex = getMiddlewareAuthPathRegex(pathGlob);
+
+    return pathRegex.exec(request.nextUrl.pathname);
+  });
+
+  // If the user is logged out and this path isn't on the allowlist for logged out paths, redirect to AuthKit.
+  if (middlewareAuth.enabled && matchedPaths.length === 0 && !session) {
+    if (debug) console.log('Unauthenticated user on protected route, redirecting to AuthKit');
+    return NextResponse.redirect(await getAuthorizationUrl({ returnPathname: new URL(request.url).pathname }));
+  }
+
   // If no session, just continue
   if (!session) {
     return NextResponse.next({
@@ -87,6 +101,25 @@ async function updateSession(request: NextRequest, debug: boolean) {
   }
 }
 
+function getMiddlewareAuthPathRegex(pathGlob: string) {
+  let regex: string;
+
+  try {
+    // Redirect URI is only used to construct the URL
+    const url = new URL(pathGlob, WORKOS_REDIRECT_URI);
+    const path = `${url.pathname!}${url.hash || ''}`;
+
+    const tokens = parse(path);
+    regex = tokensToRegexp(tokens).source;
+
+    return new RegExp(regex);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+
+    throw new Error(`Error parsing routes for middleware auth. Reason: ${message}`);
+  }
+}
+
 async function getUser(options?: { ensureSignedIn: false }): Promise<UserInfo | NoUserInfo>;
 
 async function getUser(options: { ensureSignedIn: true }): Promise<UserInfo>;
@@ -105,7 +138,7 @@ async function getUser({ ensureSignedIn = false } = {}) {
     if (ensureSignedIn) {
       const url = headers().get('x-url');
       const returnPathname = url ? new URL(url).pathname : undefined;
-      redirect(await getAuthorizationUrl(returnPathname));
+      redirect(await getAuthorizationUrl({ returnPathname }));
     }
     return { user: null };
   }