@workos-inc/authkit-nextjs 0.5.3 → 0.6.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +35 -0
- package/dist/cjs/cookie.d.ts +1 -0
- package/dist/cjs/cookie.js +4 -0
- package/dist/cjs/cookie.js.map +1 -1
- package/dist/cjs/env-variables.d.ts +5 -1
- package/dist/cjs/env-variables.js +12 -1
- package/dist/cjs/env-variables.js.map +1 -1
- package/dist/cjs/interfaces.d.ts +2 -0
- package/dist/cjs/session.js +22 -8
- package/dist/cjs/session.js.map +1 -1
- package/dist/cjs/workos.js +6 -1
- package/dist/cjs/workos.js.map +1 -1
- package/package.json +1 -1
- package/src/cookie.ts +5 -1
- package/src/env-variables.ts +19 -2
- package/src/interfaces.ts +2 -0
- package/src/session.ts +29 -12
- package/src/workos.ts +9 -2
package/README.md
CHANGED
|
@@ -35,6 +35,17 @@ openssl rand -base64 24
|
|
|
35
35
|
|
|
36
36
|
To use the `signOut` method, you'll need to set your app's homepage in your WorkOS dashboard settings under "Redirects".
|
|
37
37
|
|
|
38
|
+
### Optional configuration
|
|
39
|
+
|
|
40
|
+
Certain environment variables are optional and can be used to debug or configure cookie settings.
|
|
41
|
+
|
|
42
|
+
```sh
|
|
43
|
+
WORKOS_COOKIE_MAX_AGE='600' # maximum age of the cookie in seconds. Defaults to 31 days
|
|
44
|
+
WORKOS_API_HOSTNAME='api.workos.com' # base WorkOS API URL
|
|
45
|
+
WORKOS_API_HTTPS=true # whether to use HTTPS in API calls
|
|
46
|
+
WORKOS_API_PORT=3000 # port to use for API calls
|
|
47
|
+
```
|
|
48
|
+
|
|
38
49
|
## Setup
|
|
39
50
|
|
|
40
51
|
### Callback route
|
|
@@ -167,6 +178,30 @@ export default function App() {
|
|
|
167
178
|
}
|
|
168
179
|
```
|
|
169
180
|
|
|
181
|
+
### Get the access token
|
|
182
|
+
|
|
183
|
+
Sometimes it is useful to obtain the access token directly, for instance to make API requests to another service.
|
|
184
|
+
|
|
185
|
+
```jsx
|
|
186
|
+
import { getUser } from '@workos-inc/authkit-nextjs';
|
|
187
|
+
|
|
188
|
+
export default async function HomePage() {
|
|
189
|
+
const { accessToken } = await getUser();
|
|
190
|
+
|
|
191
|
+
if (!accessToken) {
|
|
192
|
+
return <div>Not signed in</div>;
|
|
193
|
+
}
|
|
194
|
+
|
|
195
|
+
const serviceData = await fetch('/api/path', {
|
|
196
|
+
headers: {
|
|
197
|
+
Authorization: `Bearer ${accessToken}`,
|
|
198
|
+
},
|
|
199
|
+
});
|
|
200
|
+
|
|
201
|
+
return <div>{serviceData}</div>;
|
|
202
|
+
}
|
|
203
|
+
```
|
|
204
|
+
|
|
170
205
|
### Debugging
|
|
171
206
|
|
|
172
207
|
To enable debug logs, initialize the middleware with the debug flag enabled.
|
package/dist/cjs/cookie.d.ts
CHANGED
package/dist/cjs/cookie.js
CHANGED
|
@@ -11,6 +11,10 @@ const cookieOptions = {
|
|
|
11
11
|
httpOnly: true,
|
|
12
12
|
secure: isSecureProtocol,
|
|
13
13
|
sameSite: 'lax',
|
|
14
|
+
// Defaults to 400 days, the maximum allowed by Chrome
|
|
15
|
+
// It's fine to have a long cookie expiry date as the access/refresh tokens
|
|
16
|
+
// act as the actual time-limited aspects of the session.
|
|
17
|
+
maxAge: env_variables_js_1.WORKOS_COOKIE_MAX_AGE ? parseInt(env_variables_js_1.WORKOS_COOKIE_MAX_AGE, 10) : 60 * 60 * 24 * 400,
|
|
14
18
|
};
|
|
15
19
|
exports.cookieOptions = cookieOptions;
|
|
16
20
|
//# sourceMappingURL=cookie.js.map
|
package/dist/cjs/cookie.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cookie.js","sourceRoot":"","sources":["../../src/cookie.ts"],"names":[],"mappings":";;;AAAA,
|
|
1
|
+
{"version":3,"file":"cookie.js","sourceRoot":"","sources":["../../src/cookie.ts"],"names":[],"mappings":";;;AAAA,yDAAgF;AAEhF,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,sCAAmB,CAAC,CAAC;AACjD,MAAM,gBAAgB,GAAG,WAAW,CAAC,QAAQ,KAAK,QAAQ,CAAC;AAE3D,MAAM,UAAU,GAAG,aAAa,CAAC;AAYxB,gCAAU;AAXnB,MAAM,aAAa,GAAG;IACpB,IAAI,EAAE,GAAG;IACT,QAAQ,EAAE,IAAI;IACd,MAAM,EAAE,gBAAgB;IACxB,QAAQ,EAAE,KAAc;IACxB,sDAAsD;IACtD,2EAA2E;IAC3E,yDAAyD;IACzD,MAAM,EAAE,wCAAqB,CAAC,CAAC,CAAC,QAAQ,CAAC,wCAAqB,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG;CACzF,CAAC;AAEmB,sCAAa"}
|
|
@@ -2,4 +2,8 @@ declare const WORKOS_CLIENT_ID: string;
|
|
|
2
2
|
declare const WORKOS_API_KEY: string;
|
|
3
3
|
declare const WORKOS_REDIRECT_URI: string;
|
|
4
4
|
declare const WORKOS_COOKIE_PASSWORD: string;
|
|
5
|
-
|
|
5
|
+
declare const WORKOS_API_HOSTNAME: string | undefined;
|
|
6
|
+
declare const WORKOS_API_HTTPS: string | undefined;
|
|
7
|
+
declare const WORKOS_API_PORT: string | undefined;
|
|
8
|
+
declare const WORKOS_COOKIE_MAX_AGE: string | undefined;
|
|
9
|
+
export { WORKOS_CLIENT_ID, WORKOS_API_KEY, WORKOS_REDIRECT_URI, WORKOS_COOKIE_PASSWORD, WORKOS_API_HOSTNAME, WORKOS_API_HTTPS, WORKOS_API_PORT, WORKOS_COOKIE_MAX_AGE, };
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.WORKOS_COOKIE_PASSWORD = exports.WORKOS_REDIRECT_URI = exports.WORKOS_API_KEY = exports.WORKOS_CLIENT_ID = void 0;
|
|
3
|
+
exports.WORKOS_COOKIE_MAX_AGE = exports.WORKOS_API_PORT = exports.WORKOS_API_HTTPS = exports.WORKOS_API_HOSTNAME = exports.WORKOS_COOKIE_PASSWORD = exports.WORKOS_REDIRECT_URI = exports.WORKOS_API_KEY = exports.WORKOS_CLIENT_ID = void 0;
|
|
4
4
|
function getEnvVariable(name) {
|
|
5
5
|
const envVariable = process.env[name];
|
|
6
6
|
if (!envVariable) {
|
|
@@ -8,6 +8,9 @@ function getEnvVariable(name) {
|
|
|
8
8
|
}
|
|
9
9
|
return envVariable;
|
|
10
10
|
}
|
|
11
|
+
function getOptionalEnvVariable(name) {
|
|
12
|
+
return process.env[name];
|
|
13
|
+
}
|
|
11
14
|
const WORKOS_CLIENT_ID = getEnvVariable('WORKOS_CLIENT_ID');
|
|
12
15
|
exports.WORKOS_CLIENT_ID = WORKOS_CLIENT_ID;
|
|
13
16
|
const WORKOS_API_KEY = getEnvVariable('WORKOS_API_KEY');
|
|
@@ -16,6 +19,14 @@ const WORKOS_REDIRECT_URI = getEnvVariable('WORKOS_REDIRECT_URI');
|
|
|
16
19
|
exports.WORKOS_REDIRECT_URI = WORKOS_REDIRECT_URI;
|
|
17
20
|
const WORKOS_COOKIE_PASSWORD = getEnvVariable('WORKOS_COOKIE_PASSWORD');
|
|
18
21
|
exports.WORKOS_COOKIE_PASSWORD = WORKOS_COOKIE_PASSWORD;
|
|
22
|
+
const WORKOS_API_HOSTNAME = getOptionalEnvVariable('WORKOS_API_HOSTNAME');
|
|
23
|
+
exports.WORKOS_API_HOSTNAME = WORKOS_API_HOSTNAME;
|
|
24
|
+
const WORKOS_API_HTTPS = getOptionalEnvVariable('WORKOS_API_HTTPS');
|
|
25
|
+
exports.WORKOS_API_HTTPS = WORKOS_API_HTTPS;
|
|
26
|
+
const WORKOS_API_PORT = getOptionalEnvVariable('WORKOS_API_PORT');
|
|
27
|
+
exports.WORKOS_API_PORT = WORKOS_API_PORT;
|
|
28
|
+
const WORKOS_COOKIE_MAX_AGE = getOptionalEnvVariable('WORKOS_COOKIE_MAX_AGE');
|
|
29
|
+
exports.WORKOS_COOKIE_MAX_AGE = WORKOS_COOKIE_MAX_AGE;
|
|
19
30
|
if (WORKOS_COOKIE_PASSWORD.length < 32) {
|
|
20
31
|
throw new Error('WORKOS_COOKIE_PASSWORD must be at least 32 characters long');
|
|
21
32
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"env-variables.js","sourceRoot":"","sources":["../../src/env-variables.ts"],"names":[],"mappings":";;;AAAA,SAAS,cAAc,CAAC,IAAY;IAClC,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACtC,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,kCAAkC,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,MAAM,gBAAgB,GAAG,cAAc,CAAC,kBAAkB,CAAC,CAAC;
|
|
1
|
+
{"version":3,"file":"env-variables.js","sourceRoot":"","sources":["../../src/env-variables.ts"],"names":[],"mappings":";;;AAAA,SAAS,cAAc,CAAC,IAAY;IAClC,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACtC,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,kCAAkC,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,SAAS,sBAAsB,CAAC,IAAY;IAC1C,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAC3B,CAAC;AAED,MAAM,gBAAgB,GAAG,cAAc,CAAC,kBAAkB,CAAC,CAAC;AAc1D,4CAAgB;AAblB,MAAM,cAAc,GAAG,cAAc,CAAC,gBAAgB,CAAC,CAAC;AActD,wCAAc;AAbhB,MAAM,mBAAmB,GAAG,cAAc,CAAC,qBAAqB,CAAC,CAAC;AAchE,kDAAmB;AAbrB,MAAM,sBAAsB,GAAG,cAAc,CAAC,wBAAwB,CAAC,CAAC;AActE,wDAAsB;AAbxB,MAAM,mBAAmB,GAAG,sBAAsB,CAAC,qBAAqB,CAAC,CAAC;AAcxE,kDAAmB;AAbrB,MAAM,gBAAgB,GAAG,sBAAsB,CAAC,kBAAkB,CAAC,CAAC;AAclE,4CAAgB;AAblB,MAAM,eAAe,GAAG,sBAAsB,CAAC,iBAAiB,CAAC,CAAC;AAchE,0CAAe;AAbjB,MAAM,qBAAqB,GAAG,sBAAsB,CAAC,uBAAuB,CAAC,CAAC;AAc5E,sDAAqB;AAZvB,IAAI,sBAAsB,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;IACvC,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;AAChF,CAAC"}
|
package/dist/cjs/interfaces.d.ts
CHANGED
|
@@ -18,6 +18,7 @@ export interface UserInfo {
|
|
|
18
18
|
organizationId?: string;
|
|
19
19
|
role?: string;
|
|
20
20
|
impersonator?: Impersonator;
|
|
21
|
+
accessToken: string;
|
|
21
22
|
}
|
|
22
23
|
export interface NoUserInfo {
|
|
23
24
|
user: null;
|
|
@@ -25,6 +26,7 @@ export interface NoUserInfo {
|
|
|
25
26
|
organizationId?: undefined;
|
|
26
27
|
role?: undefined;
|
|
27
28
|
impersonator?: undefined;
|
|
29
|
+
accessToken?: undefined;
|
|
28
30
|
}
|
|
29
31
|
export interface AccessToken {
|
|
30
32
|
sid: string;
|
package/dist/cjs/session.js
CHANGED
|
@@ -28,6 +28,19 @@ async function updateSession(request, debug, middlewareAuth) {
|
|
|
28
28
|
// Record that the request was routed through the middleware so we can check later for DX purposes
|
|
29
29
|
newRequestHeaders.set(middlewareHeaderName, 'true');
|
|
30
30
|
newRequestHeaders.delete(sessionHeaderName);
|
|
31
|
+
const url = new URL(env_variables_js_1.WORKOS_REDIRECT_URI);
|
|
32
|
+
if (middlewareAuth.enabled &&
|
|
33
|
+
url.pathname === request.nextUrl.pathname &&
|
|
34
|
+
!middlewareAuth.unauthenticatedPaths.includes(url.pathname)) {
|
|
35
|
+
// In the case where:
|
|
36
|
+
// - We're using middleware auth mode
|
|
37
|
+
// - The redirect URI is in the middleware matcher
|
|
38
|
+
// - The redirect URI isn't in the unauthenticatedPaths array
|
|
39
|
+
//
|
|
40
|
+
// then we would get stuck in a login loop due to the redirect happening before the session is set.
|
|
41
|
+
// It's likely that the user accidentally forgot to add the path to unauthenticatedPaths, so we add it here.
|
|
42
|
+
middlewareAuth.unauthenticatedPaths.push(url.pathname);
|
|
43
|
+
}
|
|
31
44
|
const matchedPaths = middlewareAuth.unauthenticatedPaths.filter((pathGlob) => {
|
|
32
45
|
const pathRegex = getMiddlewareAuthPathRegex(pathGlob);
|
|
33
46
|
return pathRegex.exec(request.nextUrl.pathname);
|
|
@@ -80,7 +93,8 @@ async function updateSession(request, debug, middlewareAuth) {
|
|
|
80
93
|
return response;
|
|
81
94
|
}
|
|
82
95
|
catch (e) {
|
|
83
|
-
|
|
96
|
+
if (debug)
|
|
97
|
+
console.log('Failed to refresh. Deleting cookie and redirecting.', e);
|
|
84
98
|
const response = server_1.NextResponse.next({
|
|
85
99
|
request: { headers: newRequestHeaders },
|
|
86
100
|
});
|
|
@@ -105,11 +119,7 @@ function getMiddlewareAuthPathRegex(pathGlob) {
|
|
|
105
119
|
}
|
|
106
120
|
}
|
|
107
121
|
async function getUser({ ensureSignedIn = false } = {}) {
|
|
108
|
-
const
|
|
109
|
-
if (!hasMiddleware) {
|
|
110
|
-
throw new Error('You are calling `getUser` on a path that isn’t covered by the AuthKit middleware. Make sure it is running on all paths you are calling `getUser` from by updating your middleware config in `middleware.(js|ts)`.');
|
|
111
|
-
}
|
|
112
|
-
const session = await getSessionFromHeader();
|
|
122
|
+
const session = await getSessionFromHeader('getUser');
|
|
113
123
|
if (!session) {
|
|
114
124
|
if (ensureSignedIn) {
|
|
115
125
|
const url = (0, headers_1.headers)().get('x-url');
|
|
@@ -125,6 +135,7 @@ async function getUser({ ensureSignedIn = false } = {}) {
|
|
|
125
135
|
organizationId,
|
|
126
136
|
role,
|
|
127
137
|
impersonator: session.impersonator,
|
|
138
|
+
accessToken: session.accessToken,
|
|
128
139
|
};
|
|
129
140
|
}
|
|
130
141
|
exports.getUser = getUser;
|
|
@@ -142,7 +153,6 @@ async function verifyAccessToken(accessToken) {
|
|
|
142
153
|
return true;
|
|
143
154
|
}
|
|
144
155
|
catch (e) {
|
|
145
|
-
console.warn('Failed to verify session:', e);
|
|
146
156
|
return false;
|
|
147
157
|
}
|
|
148
158
|
}
|
|
@@ -154,7 +164,11 @@ async function getSessionFromCookie() {
|
|
|
154
164
|
});
|
|
155
165
|
}
|
|
156
166
|
}
|
|
157
|
-
async function getSessionFromHeader() {
|
|
167
|
+
async function getSessionFromHeader(caller) {
|
|
168
|
+
const hasMiddleware = Boolean((0, headers_1.headers)().get(middlewareHeaderName));
|
|
169
|
+
if (!hasMiddleware) {
|
|
170
|
+
throw new Error(`You are calling \`${caller}\` on a path that isn’t covered by the AuthKit middleware. Make sure it is running on all paths you are calling \`${caller}\` from by updating your middleware config in \`middleware.(js|ts)\`.`);
|
|
171
|
+
}
|
|
158
172
|
const authHeader = (0, headers_1.headers)().get(sessionHeaderName);
|
|
159
173
|
if (!authHeader)
|
|
160
174
|
return;
|
package/dist/cjs/session.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/session.ts"],"names":[],"mappings":";;;AAAA,gDAA2C;AAC3C,0CAAgD;AAChD,wCAAwD;AACxD,+BAAgE;AAChE,+CAAoD;AACpD,2CAAwD;AACxD,2CAAqC;AACrC,yDAAmG;AACnG,yEAAiE;AAGjE,mDAAuD;AAEvD,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAC7C,MAAM,oBAAoB,GAAG,qBAAqB,CAAC;AAEnD,MAAM,IAAI,GAAG,IAAA,yBAAkB,EAAC,IAAI,GAAG,CAAC,kBAAM,CAAC,cAAc,CAAC,UAAU,CAAC,mCAAgB,CAAC,CAAC,CAAC,CAAC;AAE7F,KAAK,UAAU,cAAc,CAAC,OAAgB;IAC5C,OAAO,IAAA,uBAAQ,EAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,yCAAsB,EAAE,CAAC,CAAC;AACjE,CAAC;
|
|
1
|
+
{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/session.ts"],"names":[],"mappings":";;;AAAA,gDAA2C;AAC3C,0CAAgD;AAChD,wCAAwD;AACxD,+BAAgE;AAChE,+CAAoD;AACpD,2CAAwD;AACxD,2CAAqC;AACrC,yDAAmG;AACnG,yEAAiE;AAGjE,mDAAuD;AAEvD,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAC7C,MAAM,oBAAoB,GAAG,qBAAqB,CAAC;AAEnD,MAAM,IAAI,GAAG,IAAA,yBAAkB,EAAC,IAAI,GAAG,CAAC,kBAAM,CAAC,cAAc,CAAC,UAAU,CAAC,mCAAgB,CAAC,CAAC,CAAC,CAAC;AAE7F,KAAK,UAAU,cAAc,CAAC,OAAgB;IAC5C,OAAO,IAAA,uBAAQ,EAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,yCAAsB,EAAE,CAAC,CAAC;AACjE,CAAC;AA2LQ,wCAAc;AAzLvB,KAAK,UAAU,aAAa,CAAC,OAAoB,EAAE,KAAc,EAAE,cAAqC;IACtG,MAAM,OAAO,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAC7C,MAAM,iBAAiB,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAEvD,0FAA0F;IAC1F,qGAAqG;IACrG,gFAAgF;IAChF,iBAAiB,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAE5C,kGAAkG;IAClG,iBAAiB,CAAC,GAAG,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;IAEpD,iBAAiB,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IAE5C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,sCAAmB,CAAC,CAAC;IAEzC,IACE,cAAc,CAAC,OAAO;QACtB,GAAG,CAAC,QAAQ,KAAK,OAAO,CAAC,OAAO,CAAC,QAAQ;QACzC,CAAC,cAAc,CAAC,oBAAoB,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAC3D,CAAC;QACD,qBAAqB;QACrB,qCAAqC;QACrC,kDAAkD;QAClD,6DAA6D;QAC7D,EAAE;QACF,mGAAmG;QACnG,4GAA4G;QAC5G,cAAc,CAAC,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,YAAY,GAAa,cAAc,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,EAAE;QACrF,MAAM,SAAS,GAAG,0BAA0B,CAAC,QAAQ,CAAC,CAAC;QAEvD,OAAO,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,4GAA4G;IAC5G,IAAI,cAAc,CAAC,OAAO,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QACpE,IAAI,KAAK;YAAE,OAAO,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAC;QAC1F,OAAO,qBAAY,CAAC,QAAQ,CAAC,MAAM,IAAA,8CAAmB,EAAC,EAAE,cAAc,EAAE,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;IAC7G,CAAC;IAED,+BAA+B;IAC/B,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,qBAAY,CAAC,IAAI,CAAC;YACvB,OAAO,EAAE,EAAE,OAAO,EAAE,iBAAiB,EAAE;SACxC,CAAC,CAAC;IACL,CAAC;IAED,MAAM,eAAe,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAErE,IAAI,eAAe,EAAE,CAAC;QACpB,IAAI,KAAK;YAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;QAC3C,wEAAwE;QACxE,iBAAiB,CAAC,GAAG,CAAC,iBAAiB,EAAE,IAAA,iBAAO,GAAE,CAAC,GAAG,CAAC,sBAAU,CAAE,CAAC,KAAK,CAAC,CAAC;QAC3E,OAAO,qBAAY,CAAC,IAAI,CAAC;YACvB,OAAO,EAAE,EAAE,OAAO,EAAE,iBAAiB,EAAE;SACxC,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC;QACH,IAAI,KAAK;YAAE,OAAO,CAAC,GAAG,CAAC,qCAAqC,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;QAEpF,kHAAkH;QAClH,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,GAAG,MAAM,kBAAM,CAAC,cAAc,CAAC,4BAA4B,CAAC;YAC7F,QAAQ,EAAE,mCAAgB;YAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;SACnC,CAAC,CAAC;QAEH,IAAI,KAAK;YAAE,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,YAAY,CAAC,CAAC;QAE5D,qDAAqD;QACrD,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC;YAC5C,WAAW;YACX,YAAY;YACZ,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,YAAY,EAAE,OAAO,CAAC,YAAY;SACnC,CAAC,CAAC;QAEH,iBAAiB,CAAC,GAAG,CAAC,iBAAiB,EAAE,gBAAgB,CAAC,CAAC;QAE3D,MAAM,QAAQ,GAAG,qBAAY,CAAC,IAAI,CAAC;YACjC,OAAO,EAAE,EAAE,OAAO,EAAE,iBAAiB,EAAE;SACxC,CAAC,CAAC;QACH,oBAAoB;QACpB,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAU,EAAE,gBAAgB,EAAE,yBAAa,CAAC,CAAC;QAClE,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,KAAK;YAAE,OAAO,CAAC,GAAG,CAAC,qDAAqD,EAAE,CAAC,CAAC,CAAC;QACjF,MAAM,QAAQ,GAAG,qBAAY,CAAC,IAAI,CAAC;YACjC,OAAO,EAAE,EAAE,OAAO,EAAE,iBAAiB,EAAE;SACxC,CAAC,CAAC;QACH,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,sBAAU,CAAC,CAAC;QACpC,OAAO,QAAQ,CAAC;IAClB,CAAC;AACH,CAAC;AAyFwB,sCAAa;AAvFtC,SAAS,0BAA0B,CAAC,QAAgB;IAClD,IAAI,KAAa,CAAC;IAElB,IAAI,CAAC;QACH,iDAAiD;QACjD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,sCAAmB,CAAC,CAAC;QACnD,MAAM,IAAI,GAAG,GAAG,GAAG,CAAC,QAAS,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;QAEjD,MAAM,MAAM,GAAG,IAAA,sBAAK,EAAC,IAAI,CAAC,CAAC;QAC3B,KAAK,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC;QAEtC,OAAO,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAEjE,MAAM,IAAI,KAAK,CAAC,qDAAqD,OAAO,EAAE,CAAC,CAAC;IAClF,CAAC;AACH,CAAC;AAMD,KAAK,UAAU,OAAO,CAAC,EAAE,cAAc,GAAG,KAAK,EAAE,GAAG,EAAE;IACpD,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC,SAAS,CAAC,CAAC;IACtD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,GAAG,GAAG,IAAA,iBAAO,GAAE,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YACnC,MAAM,cAAc,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;YAC/D,IAAA,qBAAQ,EAAC,MAAM,IAAA,8CAAmB,EAAC,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC;QAC1D,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,CAAC;IAED,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,cAAc,EAAE,IAAI,EAAE,GAAG,IAAA,gBAAS,EAAc,OAAO,CAAC,WAAW,CAAC,CAAC;IAErG,OAAO;QACL,SAAS;QACT,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,cAAc;QACd,IAAI;QACJ,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,WAAW,EAAE,OAAO,CAAC,WAAW;KACjC,CAAC;AACJ,CAAC;AA2CuC,0BAAO;AAzC/C,KAAK,UAAU,gBAAgB;IAC7B,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,OAAO,EAAE,CAAC;IACtC,IAAI,SAAS,EAAE,CAAC;QACd,IAAA,qBAAQ,EAAC,kBAAM,CAAC,cAAc,CAAC,YAAY,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;IAC9D,CAAC;IACD,IAAA,qBAAQ,EAAC,GAAG,CAAC,CAAC;AAChB,CAAC;AAmCgD,4CAAgB;AAjCjE,KAAK,UAAU,iBAAiB,CAAC,WAAmB;IAClD,IAAI,CAAC;QACH,MAAM,IAAA,gBAAS,EAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,KAAK,UAAU,oBAAoB;IACjC,MAAM,MAAM,GAAG,IAAA,iBAAO,GAAE,CAAC,GAAG,CAAC,sBAAU,CAAC,CAAC;IACzC,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,IAAA,yBAAU,EAAU,MAAM,CAAC,KAAK,EAAE;YACvC,QAAQ,EAAE,yCAAsB;SACjC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,KAAK,UAAU,oBAAoB,CAAC,MAAc;IAChD,MAAM,aAAa,GAAG,OAAO,CAAC,IAAA,iBAAO,GAAE,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC,CAAC;IAEnE,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CACb,qBAAqB,MAAM,qHAAqH,MAAM,uEAAuE,CAC9N,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,IAAA,iBAAO,GAAE,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACpD,IAAI,CAAC,UAAU;QAAE,OAAO;IAExB,OAAO,IAAA,yBAAU,EAAU,UAAU,EAAE,EAAE,QAAQ,EAAE,yCAAsB,EAAE,CAAC,CAAC;AAC/E,CAAC"}
|
package/dist/cjs/workos.js
CHANGED
|
@@ -4,7 +4,12 @@ exports.workos = void 0;
|
|
|
4
4
|
const tslib_1 = require("tslib");
|
|
5
5
|
const node_1 = tslib_1.__importDefault(require("@workos-inc/node"));
|
|
6
6
|
const env_variables_js_1 = require("./env-variables.js");
|
|
7
|
+
const options = {
|
|
8
|
+
apiHostname: env_variables_js_1.WORKOS_API_HOSTNAME,
|
|
9
|
+
https: env_variables_js_1.WORKOS_API_HTTPS ? env_variables_js_1.WORKOS_API_HTTPS === 'true' : true,
|
|
10
|
+
port: env_variables_js_1.WORKOS_API_PORT ? parseInt(env_variables_js_1.WORKOS_API_PORT) : undefined,
|
|
11
|
+
};
|
|
7
12
|
// Initialize the WorkOS client
|
|
8
|
-
const workos = new node_1.default(env_variables_js_1.WORKOS_API_KEY);
|
|
13
|
+
const workos = new node_1.default(env_variables_js_1.WORKOS_API_KEY, options);
|
|
9
14
|
exports.workos = workos;
|
|
10
15
|
//# sourceMappingURL=workos.js.map
|
package/dist/cjs/workos.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"workos.js","sourceRoot":"","sources":["../../src/workos.ts"],"names":[],"mappings":";;;;AAAA,oEAAsC;AACtC,
|
|
1
|
+
{"version":3,"file":"workos.js","sourceRoot":"","sources":["../../src/workos.ts"],"names":[],"mappings":";;;;AAAA,oEAAsC;AACtC,yDAA4G;AAG5G,MAAM,OAAO,GAAG;IACd,WAAW,EAAE,sCAAmB;IAChC,KAAK,EAAE,mCAAgB,CAAC,CAAC,CAAC,mCAAgB,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI;IAC5D,IAAI,EAAE,kCAAe,CAAC,CAAC,CAAC,QAAQ,CAAC,kCAAe,CAAC,CAAC,CAAC,CAAC,SAAS;CAC9D,CAAC;AAEF,+BAA+B;AAC/B,MAAM,MAAM,GAAG,IAAI,cAAM,CAAC,iCAAc,EAAE,OAAO,CAAC,CAAC;AAE1C,wBAAM"}
|
package/package.json
CHANGED
package/src/cookie.ts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { WORKOS_REDIRECT_URI } from './env-variables.js';
|
|
1
|
+
import { WORKOS_REDIRECT_URI, WORKOS_COOKIE_MAX_AGE } from './env-variables.js';
|
|
2
2
|
|
|
3
3
|
const redirectUrl = new URL(WORKOS_REDIRECT_URI);
|
|
4
4
|
const isSecureProtocol = redirectUrl.protocol === 'https:';
|
|
@@ -9,6 +9,10 @@ const cookieOptions = {
|
|
|
9
9
|
httpOnly: true,
|
|
10
10
|
secure: isSecureProtocol,
|
|
11
11
|
sameSite: 'lax' as const,
|
|
12
|
+
// Defaults to 400 days, the maximum allowed by Chrome
|
|
13
|
+
// It's fine to have a long cookie expiry date as the access/refresh tokens
|
|
14
|
+
// act as the actual time-limited aspects of the session.
|
|
15
|
+
maxAge: WORKOS_COOKIE_MAX_AGE ? parseInt(WORKOS_COOKIE_MAX_AGE, 10) : 60 * 60 * 24 * 400,
|
|
12
16
|
};
|
|
13
17
|
|
|
14
18
|
export { cookieName, cookieOptions };
|
package/src/env-variables.ts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
function getEnvVariable(name: string) {
|
|
1
|
+
function getEnvVariable(name: string): string {
|
|
2
2
|
const envVariable = process.env[name];
|
|
3
3
|
if (!envVariable) {
|
|
4
4
|
throw new Error(`${name} environment variable is not set`);
|
|
@@ -6,13 +6,30 @@ function getEnvVariable(name: string) {
|
|
|
6
6
|
return envVariable;
|
|
7
7
|
}
|
|
8
8
|
|
|
9
|
+
function getOptionalEnvVariable(name: string): string | undefined {
|
|
10
|
+
return process.env[name];
|
|
11
|
+
}
|
|
12
|
+
|
|
9
13
|
const WORKOS_CLIENT_ID = getEnvVariable('WORKOS_CLIENT_ID');
|
|
10
14
|
const WORKOS_API_KEY = getEnvVariable('WORKOS_API_KEY');
|
|
11
15
|
const WORKOS_REDIRECT_URI = getEnvVariable('WORKOS_REDIRECT_URI');
|
|
12
16
|
const WORKOS_COOKIE_PASSWORD = getEnvVariable('WORKOS_COOKIE_PASSWORD');
|
|
17
|
+
const WORKOS_API_HOSTNAME = getOptionalEnvVariable('WORKOS_API_HOSTNAME');
|
|
18
|
+
const WORKOS_API_HTTPS = getOptionalEnvVariable('WORKOS_API_HTTPS');
|
|
19
|
+
const WORKOS_API_PORT = getOptionalEnvVariable('WORKOS_API_PORT');
|
|
20
|
+
const WORKOS_COOKIE_MAX_AGE = getOptionalEnvVariable('WORKOS_COOKIE_MAX_AGE');
|
|
13
21
|
|
|
14
22
|
if (WORKOS_COOKIE_PASSWORD.length < 32) {
|
|
15
23
|
throw new Error('WORKOS_COOKIE_PASSWORD must be at least 32 characters long');
|
|
16
24
|
}
|
|
17
25
|
|
|
18
|
-
export {
|
|
26
|
+
export {
|
|
27
|
+
WORKOS_CLIENT_ID,
|
|
28
|
+
WORKOS_API_KEY,
|
|
29
|
+
WORKOS_REDIRECT_URI,
|
|
30
|
+
WORKOS_COOKIE_PASSWORD,
|
|
31
|
+
WORKOS_API_HOSTNAME,
|
|
32
|
+
WORKOS_API_HTTPS,
|
|
33
|
+
WORKOS_API_PORT,
|
|
34
|
+
WORKOS_COOKIE_MAX_AGE,
|
|
35
|
+
};
|
package/src/interfaces.ts
CHANGED
|
@@ -21,6 +21,7 @@ export interface UserInfo {
|
|
|
21
21
|
organizationId?: string;
|
|
22
22
|
role?: string;
|
|
23
23
|
impersonator?: Impersonator;
|
|
24
|
+
accessToken: string;
|
|
24
25
|
}
|
|
25
26
|
export interface NoUserInfo {
|
|
26
27
|
user: null;
|
|
@@ -28,6 +29,7 @@ export interface NoUserInfo {
|
|
|
28
29
|
organizationId?: undefined;
|
|
29
30
|
role?: undefined;
|
|
30
31
|
impersonator?: undefined;
|
|
32
|
+
accessToken?: undefined;
|
|
31
33
|
}
|
|
32
34
|
|
|
33
35
|
export interface AccessToken {
|
package/src/session.ts
CHANGED
|
@@ -34,6 +34,23 @@ async function updateSession(request: NextRequest, debug: boolean, middlewareAut
|
|
|
34
34
|
|
|
35
35
|
newRequestHeaders.delete(sessionHeaderName);
|
|
36
36
|
|
|
37
|
+
const url = new URL(WORKOS_REDIRECT_URI);
|
|
38
|
+
|
|
39
|
+
if (
|
|
40
|
+
middlewareAuth.enabled &&
|
|
41
|
+
url.pathname === request.nextUrl.pathname &&
|
|
42
|
+
!middlewareAuth.unauthenticatedPaths.includes(url.pathname)
|
|
43
|
+
) {
|
|
44
|
+
// In the case where:
|
|
45
|
+
// - We're using middleware auth mode
|
|
46
|
+
// - The redirect URI is in the middleware matcher
|
|
47
|
+
// - The redirect URI isn't in the unauthenticatedPaths array
|
|
48
|
+
//
|
|
49
|
+
// then we would get stuck in a login loop due to the redirect happening before the session is set.
|
|
50
|
+
// It's likely that the user accidentally forgot to add the path to unauthenticatedPaths, so we add it here.
|
|
51
|
+
middlewareAuth.unauthenticatedPaths.push(url.pathname);
|
|
52
|
+
}
|
|
53
|
+
|
|
37
54
|
const matchedPaths: string[] = middlewareAuth.unauthenticatedPaths.filter((pathGlob) => {
|
|
38
55
|
const pathRegex = getMiddlewareAuthPathRegex(pathGlob);
|
|
39
56
|
|
|
@@ -92,7 +109,7 @@ async function updateSession(request: NextRequest, debug: boolean, middlewareAut
|
|
|
92
109
|
response.cookies.set(cookieName, encryptedSession, cookieOptions);
|
|
93
110
|
return response;
|
|
94
111
|
} catch (e) {
|
|
95
|
-
console.
|
|
112
|
+
if (debug) console.log('Failed to refresh. Deleting cookie and redirecting.', e);
|
|
96
113
|
const response = NextResponse.next({
|
|
97
114
|
request: { headers: newRequestHeaders },
|
|
98
115
|
});
|
|
@@ -125,15 +142,7 @@ async function getUser(options?: { ensureSignedIn: false }): Promise<UserInfo |
|
|
|
125
142
|
async function getUser(options: { ensureSignedIn: true }): Promise<UserInfo>;
|
|
126
143
|
|
|
127
144
|
async function getUser({ ensureSignedIn = false } = {}) {
|
|
128
|
-
const
|
|
129
|
-
|
|
130
|
-
if (!hasMiddleware) {
|
|
131
|
-
throw new Error(
|
|
132
|
-
'You are calling `getUser` on a path that isn’t covered by the AuthKit middleware. Make sure it is running on all paths you are calling `getUser` from by updating your middleware config in `middleware.(js|ts)`.',
|
|
133
|
-
);
|
|
134
|
-
}
|
|
135
|
-
|
|
136
|
-
const session = await getSessionFromHeader();
|
|
145
|
+
const session = await getSessionFromHeader('getUser');
|
|
137
146
|
if (!session) {
|
|
138
147
|
if (ensureSignedIn) {
|
|
139
148
|
const url = headers().get('x-url');
|
|
@@ -151,6 +160,7 @@ async function getUser({ ensureSignedIn = false } = {}) {
|
|
|
151
160
|
organizationId,
|
|
152
161
|
role,
|
|
153
162
|
impersonator: session.impersonator,
|
|
163
|
+
accessToken: session.accessToken,
|
|
154
164
|
};
|
|
155
165
|
}
|
|
156
166
|
|
|
@@ -167,7 +177,6 @@ async function verifyAccessToken(accessToken: string) {
|
|
|
167
177
|
await jwtVerify(accessToken, JWKS);
|
|
168
178
|
return true;
|
|
169
179
|
} catch (e) {
|
|
170
|
-
console.warn('Failed to verify session:', e);
|
|
171
180
|
return false;
|
|
172
181
|
}
|
|
173
182
|
}
|
|
@@ -181,7 +190,15 @@ async function getSessionFromCookie() {
|
|
|
181
190
|
}
|
|
182
191
|
}
|
|
183
192
|
|
|
184
|
-
async function getSessionFromHeader(): Promise<Session | undefined> {
|
|
193
|
+
async function getSessionFromHeader(caller: string): Promise<Session | undefined> {
|
|
194
|
+
const hasMiddleware = Boolean(headers().get(middlewareHeaderName));
|
|
195
|
+
|
|
196
|
+
if (!hasMiddleware) {
|
|
197
|
+
throw new Error(
|
|
198
|
+
`You are calling \`${caller}\` on a path that isn’t covered by the AuthKit middleware. Make sure it is running on all paths you are calling \`${caller}\` from by updating your middleware config in \`middleware.(js|ts)\`.`,
|
|
199
|
+
);
|
|
200
|
+
}
|
|
201
|
+
|
|
185
202
|
const authHeader = headers().get(sessionHeaderName);
|
|
186
203
|
if (!authHeader) return;
|
|
187
204
|
|
package/src/workos.ts
CHANGED
|
@@ -1,7 +1,14 @@
|
|
|
1
1
|
import WorkOS from '@workos-inc/node';
|
|
2
|
-
import { WORKOS_API_KEY } from './env-variables.js';
|
|
2
|
+
import { WORKOS_API_HOSTNAME, WORKOS_API_HTTPS, WORKOS_API_KEY, WORKOS_API_PORT } from './env-variables.js';
|
|
3
|
+
|
|
4
|
+
|
|
5
|
+
const options = {
|
|
6
|
+
apiHostname: WORKOS_API_HOSTNAME,
|
|
7
|
+
https: WORKOS_API_HTTPS ? WORKOS_API_HTTPS === 'true' : true,
|
|
8
|
+
port: WORKOS_API_PORT ? parseInt(WORKOS_API_PORT) : undefined,
|
|
9
|
+
};
|
|
3
10
|
|
|
4
11
|
// Initialize the WorkOS client
|
|
5
|
-
const workos = new WorkOS(WORKOS_API_KEY);
|
|
12
|
+
const workos = new WorkOS(WORKOS_API_KEY, options);
|
|
6
13
|
|
|
7
14
|
export { workos };
|