@workos-inc/authkit-nextjs 2.10.0 → 2.11.1

package/dist/esm/types/workos.d.ts

@@ -1,5 +1,5 @@
 import { WorkOS } from '@workos-inc/node';
-export declare const VERSION = "2.10.0";
+export declare const VERSION = "2.11.1";
 /**
  * Create a WorkOS instance with the provided API key and options.
  * If an instance already exists, it returns the existing instance.

package/dist/esm/utils.js

@@ -1,4 +1,14 @@
 import { NextResponse } from 'next/server';
+/**
+ * Sets cache prevention headers to prevent CDN/proxy caching.
+ * @param headers - The Headers object to set the cache prevention headers on.
+ */
+export function setCachePreventionHeaders(headers) {
+    headers.set('Cache-Control', 'private, no-cache, no-store, must-revalidate, max-age=0');
+    headers.set('Pragma', 'no-cache');
+    headers.set('Expires', '0');
+    headers.set('x-middleware-cache', 'no-cache');
+}
 export function redirectWithFallback(redirectUri, headers) {
     const newHeaders = headers ? new Headers(headers) : new Headers();
     newHeaders.set('Location', redirectUri);

package/dist/esm/utils.js.map

@@ -1 +1 @@
-{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../src/utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C,MAAM,UAAU,oBAAoB,CAAC,WAAmB,EAAE,OAAiB;IACzE,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,OAAO,EAAE,CAAC;IAClE,UAAU,CAAC,GAAG,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IAExC,mEAAmE;IACnE,iCAAiC;IACjC,OAAO,CAAA,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,QAAQ;QAC3B,CAAC,CAAC,YAAY,CAAC,QAAQ,CAAC,WAAW,EAAE,EAAE,OAAO,EAAE,CAAC;QACjD,CAAC,CAAC,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,CAAC;AAC/D,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,SAA8D;IACtG,mEAAmE;IACnE,iCAAiC;IACjC,OAAO,CAAA,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,IAAI;QACvB,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QAC/C,CAAC,CAAC,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE;YACtC,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;SAChD,CAAC,CAAC;AACT,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,IAAI,CAAI,EAAW;IACjC,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,IAAI,MAAS,CAAC;IACd,OAAO,GAAG,EAAE;QACV,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,GAAG,EAAE,EAAE,CAAC;YACd,MAAM,GAAG,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC,CAAC;AACJ,CAAC"}
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../src/utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C;;;GAGG;AACH,MAAM,UAAU,yBAAyB,CAAC,OAAgB;IACxD,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,yDAAyD,CAAC,CAAC;IACxF,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IAClC,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IAC5B,OAAO,CAAC,GAAG,CAAC,oBAAoB,EAAE,UAAU,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,WAAmB,EAAE,OAAiB;IACzE,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,OAAO,EAAE,CAAC;IAClE,UAAU,CAAC,GAAG,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IAExC,mEAAmE;IACnE,iCAAiC;IACjC,OAAO,CAAA,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,QAAQ;QAC3B,CAAC,CAAC,YAAY,CAAC,QAAQ,CAAC,WAAW,EAAE,EAAE,OAAO,EAAE,CAAC;QACjD,CAAC,CAAC,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,CAAC;AAC/D,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,SAA8D;IACtG,mEAAmE;IACnE,iCAAiC;IACjC,OAAO,CAAA,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,IAAI;QACvB,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QAC/C,CAAC,CAAC,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE;YACtC,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;SAChD,CAAC,CAAC;AACT,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,IAAI,CAAI,EAAW;IACjC,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,IAAI,MAAS,CAAC;IACd,OAAO,GAAG,EAAE;QACV,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,GAAG,EAAE,EAAE,CAAC;YACd,MAAM,GAAG,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC,CAAC;AACJ,CAAC"}

package/dist/esm/validate-api-key.js

@@ -0,0 +1,17 @@
+'use server';
+import { getWorkOS } from './workos.js';
+import { headers } from 'next/headers';
+export async function validateApiKey() {
+    var _a;
+    const headersList = await headers();
+    const authorizationHeader = headersList.get('authorization');
+    if (!authorizationHeader) {
+        return { apiKey: null };
+    }
+    const value = (_a = authorizationHeader.match(/Bearer\s+(.*)/i)) === null || _a === void 0 ? void 0 : _a[1];
+    if (!value) {
+        return { apiKey: null };
+    }
+    return getWorkOS().apiKeys.validateApiKey({ value });
+}
+//# sourceMappingURL=validate-api-key.js.map

package/dist/esm/validate-api-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate-api-key.js","sourceRoot":"","sources":["../../src/validate-api-key.ts"],"names":[],"mappings":"AAAA,YAAY,CAAC;AAEb,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAEvC,MAAM,CAAC,KAAK,UAAU,cAAc;;IAClC,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,MAAM,mBAAmB,GAAG,WAAW,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAC7D,IAAI,CAAC,mBAAmB,EAAE,CAAC;QACzB,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IAC1B,CAAC;IAED,MAAM,KAAK,GAAG,MAAA,mBAAmB,CAAC,KAAK,CAAC,gBAAgB,CAAC,0CAAG,CAAC,CAAC,CAAC;IAC/D,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IAC1B,CAAC;IAED,OAAO,SAAS,EAAE,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;AACvD,CAAC"}

package/dist/esm/workos.js

@@ -1,7 +1,7 @@
 import { WorkOS } from '@workos-inc/node';
 import { WORKOS_API_HOSTNAME, WORKOS_API_KEY, WORKOS_API_HTTPS, WORKOS_API_PORT } from './env-variables.js';
 import { lazy } from './utils.js';
-export const VERSION = '2.10.0';
+export const VERSION = '2.11.1';
 const options = {
     apiHostname: WORKOS_API_HOSTNAME,
     https: WORKOS_API_HTTPS ? WORKOS_API_HTTPS === 'true' : true,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@workos-inc/authkit-nextjs",
-  "version": "2.10.0",
+  "version": "2.11.1",
   "description": "Authentication and session helpers for using WorkOS & AuthKit with Next.js",
   "sideEffects": false,
   "type": "module",
@@ -35,13 +35,13 @@
     "type-check": "tsc --project tsconfig.json --noEmit"
   },
   "dependencies": {
-    "@workos-inc/node": "^7.67.0",
+    "@workos-inc/node": "^7.72.0",
     "iron-session": "^8.0.1",
     "jose": "^5.2.3",
     "path-to-regexp": "^6.2.2"
   },
   "peerDependencies": {
-    "next": "^13.5.9 || ^14.2.26 || ^15.2.3",
+    "next": "^13.5.9 || ^14.2.26 || ^15.2.3 || ^16",
     "react": "^18.0 || ^19.0.0",
     "react-dom": "^18.0 || ^19.0.0"
   },
@@ -57,7 +57,7 @@
     "eslint-plugin-require-extensions": "^0.1.3",
     "jest": "^29.7.0",
     "jest-environment-jsdom": "^29.7.0",
-    "next": "^15.0.1",
+    "next": "^16.0.1",
     "prettier": "^3.3.3",
     "ts-jest": "^29.2.5",
     "ts-node": "^10.9.2",

package/src/auth.ts

@@ -10,6 +10,16 @@ import { getAuthorizationUrl } from './get-authorization-url.js';
 import type { AccessToken, SwitchToOrganizationOptions, UserInfo } from './interfaces.js';
 import { getSessionFromCookie, refreshSession, withAuth } from './session.js';
 import { getWorkOS } from './workos.js';
+
+/**
+ * A wrapper around revalidateTag to provide compatibility with previous versions.
+ * @param tag The tag to revalidate.
+ */
+function revalidateTagCompat(tag: string): void {
+  const fn = revalidateTag as (tag: string, profile: string) => void;
+  return fn(tag, 'max');
+}
+
 export async function getSignInUrl({
   organizationId,
   loginHint,
@@ -111,7 +121,7 @@ export async function switchToOrganization(
       break;
     case 'tag':
       for (const tag of revalidationTags) {
-        revalidateTag(tag);
+        revalidateTagCompat(tag);
       }
       break;
   }

package/src/authkit-callback-route.spec.ts

@@ -36,6 +36,7 @@ describe('authkit-callback-route', () => {
       lastSignInAt: '2024-01-01T00:00:00Z',
       externalId: null,
       metadata: {},
+      locale: null,
     },
     oauthTokens: {
       accessToken: 'access123',

package/src/authkit-callback-route.ts

@@ -2,9 +2,14 @@ import { NextRequest } from 'next/server';
 import { WORKOS_CLIENT_ID } from './env-variables.js';
 import { HandleAuthOptions } from './interfaces.js';
 import { saveSession } from './session.js';
-import { errorResponseWithFallback, redirectWithFallback } from './utils.js';
+import { errorResponseWithFallback, redirectWithFallback, setCachePreventionHeaders } from './utils.js';
 import { getWorkOS } from './workos.js';
 
+function preventCaching(headers: Headers): void {
+  headers.set('Vary', 'Cookie');
+  setCachePreventionHeaders(headers);
+}
+
 function handleState(state: string | null) {
   let returnPathname: string | undefined = undefined;
   let userState: string | undefined;
@@ -90,6 +95,7 @@ export function handleAuth(options: HandleAuthOptions = {}) {
         // Fall back to standard Response if NextResponse is not available.
         // This is to support Next.js 13.
         const response = redirectWithFallback(url.toString());
+        preventCaching(response.headers);
 
         if (!accessToken || !refreshToken) throw new Error('response is missing tokens');
 
@@ -116,23 +122,28 @@ export function handleAuth(options: HandleAuthOptions = {}) {
 
         console.error(errorRes);
 
-        return errorResponse(request, error);
+        return await errorResponse(request, error);
       }
     }
 
-    return errorResponse(request);
+    return await errorResponse(request);
   };
 
-  function errorResponse(request: NextRequest, error?: unknown) {
+  async function errorResponse(request: NextRequest, error?: unknown) {
     if (onError) {
-      return onError({ error, request });
+      const response = await onError({ error, request });
+      preventCaching(response.headers);
+      return response;
     }
 
-    return errorResponseWithFallback({
+    const response = errorResponseWithFallback({
       error: {
         message: 'Something went wrong',
         description: "Couldn't sign in. If you are not sure what happened, please contact your organization admin.",
       },
     });
+
+    preventCaching(response.headers);
+    return response;
   }
 }

package/src/components/impersonation.spec.tsx

@@ -27,19 +27,6 @@ describe('Impersonation', () => {
       impersonator: null,
       user: { id: '123', email: 'user@example.com' },
       organizationId: null,
-      loading: false,
-    });
-
-    const { container } = render(<Impersonation />);
-    expect(container).toBeEmptyDOMElement();
-  });
-
-  it('should return null if loading', () => {
-    (useAuth as jest.Mock).mockReturnValue({
-      impersonator: { email: 'admin@example.com' },
-      user: { id: '123', email: 'user@example.com' },
-      organizationId: null,
-      loading: true,
     });
 
     const { container } = render(<Impersonation />);
@@ -51,7 +38,6 @@ describe('Impersonation', () => {
       impersonator: { email: 'admin@example.com' },
       user: { id: '123', email: 'user@example.com' },
       organizationId: null,
-      loading: false,
     });
 
     const { container } = render(<Impersonation />);
@@ -63,7 +49,6 @@ describe('Impersonation', () => {
       impersonator: { email: 'admin@example.com' },
       user: { id: '123', email: 'user@example.com' },
       organizationId: 'org_123',
-      loading: false,
     });
 
     (getOrganizationAction as jest.Mock).mockResolvedValue({
@@ -83,7 +68,6 @@ describe('Impersonation', () => {
       impersonator: { email: 'admin@example.com' },
       user: { id: '123', email: 'user@example.com' },
       organizationId: null,
-      loading: false,
     });
 
     const { container } = render(<Impersonation />);
@@ -96,7 +80,6 @@ describe('Impersonation', () => {
       impersonator: { email: 'admin@example.com' },
       user: { id: '123', email: 'user@example.com' },
       organizationId: null,
-      loading: false,
     });
 
     const { container } = render(<Impersonation side="top" />);
@@ -109,7 +92,6 @@ describe('Impersonation', () => {
       impersonator: { email: 'admin@example.com' },
       user: { id: '123', email: 'user@example.com' },
       organizationId: null,
-      loading: false,
     });
 
     const customStyle = { backgroundColor: 'red' };
@@ -123,12 +105,146 @@ describe('Impersonation', () => {
       impersonator: { email: 'admin@example.com' },
       user: { id: '123', email: 'user@example.com' },
       organizationId: null,
-      loading: false,
     });
 
     render(<Impersonation />);
     const stopButton = await screen.findByText('Stop');
     stopButton.click();
-    expect(handleSignOutAction).toHaveBeenCalled();
+    expect(handleSignOutAction).toHaveBeenCalledWith({});
+  });
+
+  it('should pass returnTo prop to handleSignOutAction when provided', async () => {
+    (useAuth as jest.Mock).mockReturnValue({
+      impersonator: { email: 'admin@example.com' },
+      user: { id: '123', email: 'user@example.com' },
+      organizationId: null,
+      loading: false,
+    });
+
+    const returnTo = '/dashboard';
+    render(<Impersonation returnTo={returnTo} />);
+    const stopButton = await screen.findByText('Stop');
+    stopButton.click();
+    expect(handleSignOutAction).toHaveBeenCalledWith({ returnTo });
+  });
+
+  it('should not call getOrganizationAction when organizationId is not provided', () => {
+    (useAuth as jest.Mock).mockReturnValue({
+      impersonator: { email: 'admin@example.com' },
+      user: { id: '123', email: 'user@example.com' },
+      organizationId: null,
+    });
+
+    render(<Impersonation />);
+    expect(getOrganizationAction).not.toHaveBeenCalled();
+  });
+
+  it('should not call getOrganizationAction when impersonator is not present', () => {
+    (useAuth as jest.Mock).mockReturnValue({
+      impersonator: null,
+      user: { id: '123', email: 'user@example.com' },
+      organizationId: 'org_123',
+    });
+
+    render(<Impersonation />);
+    expect(getOrganizationAction).not.toHaveBeenCalled();
+  });
+
+  it('should not call getOrganizationAction when user is not present', () => {
+    (useAuth as jest.Mock).mockReturnValue({
+      impersonator: { email: 'admin@example.com' },
+      user: null,
+      organizationId: 'org_123',
+    });
+
+    render(<Impersonation />);
+    expect(getOrganizationAction).not.toHaveBeenCalled();
+  });
+
+  it('should not call getOrganizationAction again when organization is already loaded with same ID', async () => {
+    const mockOrg = {
+      id: 'org_123',
+      name: 'Test Org',
+    };
+
+    (getOrganizationAction as jest.Mock).mockResolvedValue(mockOrg);
+
+    const { rerender } = await act(async () => {
+      (useAuth as jest.Mock).mockReturnValue({
+        impersonator: { email: 'admin@example.com' },
+        user: { id: '123', email: 'user@example.com' },
+        organizationId: 'org_123',
+      });
+
+      return render(<Impersonation />);
+    });
+
+    // Wait for the initial call to complete
+    await act(async () => {
+      await new Promise((resolve) => setTimeout(resolve, 0));
+    });
+
+    expect(getOrganizationAction).toHaveBeenCalledTimes(1);
+
+    // Rerender with the same organizationId
+    await act(async () => {
+      (useAuth as jest.Mock).mockReturnValue({
+        impersonator: { email: 'admin@example.com' },
+        user: { id: '123', email: 'user@example.com' },
+        organizationId: 'org_123',
+      });
+
+      rerender(<Impersonation />);
+    });
+
+    // Should still be called only once
+    expect(getOrganizationAction).toHaveBeenCalledTimes(1);
+  });
+
+  it('should call getOrganizationAction again when organizationId changes', async () => {
+    const mockOrg1 = {
+      id: 'org_123',
+      name: 'Test Org 1',
+    };
+
+    const mockOrg2 = {
+      id: 'org_456',
+      name: 'Test Org 2',
+    };
+
+    (getOrganizationAction as jest.Mock).mockResolvedValueOnce(mockOrg1).mockResolvedValueOnce(mockOrg2);
+
+    const { rerender } = await act(async () => {
+      (useAuth as jest.Mock).mockReturnValue({
+        impersonator: { email: 'admin@example.com' },
+        user: { id: '123', email: 'user@example.com' },
+        organizationId: 'org_123',
+      });
+
+      return render(<Impersonation />);
+    });
+
+    // Wait for the initial call to complete
+    await act(async () => {
+      await new Promise((resolve) => setTimeout(resolve, 0));
+    });
+
+    expect(getOrganizationAction).toHaveBeenCalledTimes(1);
+    expect(getOrganizationAction).toHaveBeenCalledWith('org_123');
+
+    // Rerender with a different organizationId
+    await act(async () => {
+      (useAuth as jest.Mock).mockReturnValue({
+        impersonator: { email: 'admin@example.com' },
+        user: { id: '123', email: 'user@example.com' },
+        organizationId: 'org_456',
+      });
+
+      rerender(<Impersonation />);
+    });
+
+    // Should be called again with the new ID
+    expect(getOrganizationAction).toHaveBeenCalledTimes(2);
+    expect(getOrganizationAction).toHaveBeenCalledWith('org_456');
   });
 });

package/src/components/impersonation.tsx

@@ -9,19 +9,21 @@ import { useAuth } from './authkit-provider.js';
 
 interface ImpersonationProps extends React.ComponentPropsWithoutRef<'div'> {
   side?: 'top' | 'bottom';
+  returnTo?: string;
 }
 
-export function Impersonation({ side = 'bottom', ...props }: ImpersonationProps) {
-  const { user, impersonator, organizationId, loading } = useAuth();
+export function Impersonation({ side = 'bottom', returnTo, ...props }: ImpersonationProps) {
+  const { user, impersonator, organizationId } = useAuth();
 
   const [organization, setOrganization] = React.useState<Organization | null>(null);
 
   React.useEffect(() => {
-    if (!organizationId) return;
+    if (!organizationId || !impersonator || !user) return;
+    if (organization && organization.id === organizationId) return;
     getOrganizationAction(organizationId).then(setOrganization);
-  }, [organizationId]);
+  }, [organizationId, impersonator, user]);
 
-  if (loading || !impersonator || !user) return null;
+  if (!impersonator || !user) return null;
 
   return (
     <div
@@ -78,7 +80,7 @@ export function Impersonation({ side = 'bottom', ...props }: ImpersonationProps)
         <form
           onSubmit={async (event) => {
             event.preventDefault();
-            await handleSignOutAction();
+            await handleSignOutAction({ returnTo });
           }}
           style={{
             display: 'flex',

package/src/index.ts

@@ -2,6 +2,7 @@ import { getSignInUrl, getSignUpUrl, signOut, switchToOrganization } from './aut
 import { handleAuth } from './authkit-callback-route.js';
 import { authkit, authkitMiddleware } from './middleware.js';
 import { getTokenClaims, refreshSession, saveSession, withAuth } from './session.js';
+import { validateApiKey } from './validate-api-key.js';
 import { getWorkOS } from './workos.js';
 
 export * from './interfaces.js';
@@ -19,4 +20,5 @@ export {
   switchToOrganization,
   withAuth,
   getTokenClaims,
+  validateApiKey,
 };

package/src/session.spec.ts

@@ -116,7 +116,7 @@ describe('session.ts', () => {
       await expect(async () => {
         await withAuth();
       }).rejects.toThrow(
-        "You are calling 'withAuth' on https://example.com/ that isn’t covered by the AuthKit middleware. Make sure it is running on all paths you are calling 'withAuth' from by updating your middleware config in 'middleware.(js|ts)'.",
+        /You are calling 'withAuth' on https:\/\/example\.com\/ that isn't covered by the AuthKit middleware/,
       );
     });
 
@@ -126,9 +126,7 @@ describe('session.ts', () => {
 
       await expect(async () => {
         await withAuth({ ensureSignedIn: true });
-      }).rejects.toThrow(
-        "You are calling 'withAuth' on a route that isn’t covered by the AuthKit middleware. Make sure it is running on all paths you are calling 'withAuth' from by updating your middleware config in 'middleware.(js|ts)'.",
-      );
+      }).rejects.toThrow(/You are calling 'withAuth' on a route that isn't covered by the AuthKit middleware/);
     });
 
     it('should throw an error if the URL is not found in the headers', async () => {

package/src/session.ts

@@ -21,7 +21,7 @@ import { getWorkOS } from './workos.js';
 
 import type { AuthenticationResponse } from '@workos-inc/node';
 import { parse, tokensToRegexp } from 'path-to-regexp';
-import { lazy, redirectWithFallback } from './utils.js';
+import { lazy, redirectWithFallback, setCachePreventionHeaders } from './utils.js';
 
 const sessionHeaderName = 'x-workos-session';
 const middlewareHeaderName = 'x-workos-middleware';
@@ -30,6 +30,49 @@ const jwtCookieName = 'workos-access-token';
 
 const JWKS = lazy(() => createRemoteJWKSet(new URL(getWorkOS().userManagement.getJwksUrl(WORKOS_CLIENT_ID))));
 
+/**
+ * Applies cache security headers with Vary header deduplication.
+ * Only applies headers if the request is authenticated (has session, cookie, or Authorization header).
+ * Used in middleware where existing Vary headers may already be present.
+ * @param headers - The Headers object to set the cache security headers on.
+ * @param request - The NextRequest object to check for authentication.
+ * @param sessionData - Optional session data to check for authentication.
+ */
+function applyCacheSecurityHeaders(
+  headers: Headers,
+  request: NextRequest,
+  sessionData?: { accessToken?: string } | Session,
+): void {
+  const cookieName = WORKOS_COOKIE_NAME || 'wos-session';
+
+  // Only apply cache headers for authenticated requests
+  if (!sessionData?.accessToken && !request.cookies.has(cookieName) && !request.headers.has('authorization')) {
+    return;
+  }
+
+  const varyValues = new Set<string>(['cookie']);
+  if (request.headers.has('authorization')) {
+    varyValues.add('authorization');
+  }
+
+  const currentVary = headers.get('Vary');
+  if (currentVary) {
+    currentVary.split(',').forEach((v) => {
+      const trimmed = v.trim().toLowerCase();
+      if (trimmed) varyValues.add(trimmed);
+    });
+  }
+
+  headers.set(
+    'Vary',
+    Array.from(varyValues)
+      .map((v) => v.charAt(0).toUpperCase() + v.slice(1))
+      .join(', '),
+  );
+
+  setCachePreventionHeaders(headers);
+}
+
 /**
  * Determines if a request is for an initial document load (not API/RSC/prefetch)
  */
@@ -120,7 +163,33 @@ async function updateSessionMiddleware(
     headers.set(signUpPathsHeaderName, signUpPaths.join(','));
   }
 
+  applyCacheSecurityHeaders(headers, request, session);
+
+  // Create a new request with modified headers (for page handlers)
+  const requestHeaders = new Headers(request.headers);
+  requestHeaders.set(middlewareHeaderName, headers.get(middlewareHeaderName)!);
+  requestHeaders.set('x-url', headers.get('x-url')!);
+  if (headers.has('x-redirect-uri')) {
+    requestHeaders.set('x-redirect-uri', headers.get('x-redirect-uri')!);
+  }
+  if (headers.has(signUpPathsHeaderName)) {
+    requestHeaders.set(signUpPathsHeaderName, headers.get(signUpPathsHeaderName)!);
+  }
+
+  // Pass session to page handlers via request header
+  // This ensures handlers see refreshed sessions immediately (before Set-Cookie reaches browser)
+  const sessionHeader = headers.get(sessionHeaderName);
+  if (sessionHeader) {
+    requestHeaders.set(sessionHeaderName, sessionHeader);
+  }
+
+  // Remove session header from response headers to prevent leakage
+  headers.delete(sessionHeaderName);
+
   return NextResponse.next({
+    request: {
+      headers: requestHeaders,
+    },
     headers,
   });
 }
@@ -172,6 +241,8 @@ async function updateSession(
 
   const cookieName = WORKOS_COOKIE_NAME || 'wos-session';
 
+  applyCacheSecurityHeaders(newRequestHeaders, request, session);
+
   if (hasValidSession) {
     newRequestHeaders.set(sessionHeaderName, request.cookies.get(cookieName)!.value);
 
@@ -488,7 +559,7 @@ async function getSessionFromHeader(): Promise<Session | undefined> {
   if (!hasMiddleware) {
     const url = headersList.get('x-url');
     throw new Error(
-      `You are calling 'withAuth' on ${url ?? 'a route'} that isn’t covered by the AuthKit middleware. Make sure it is running on all paths you are calling 'withAuth' from by updating your middleware config in 'middleware.(js|ts)'.`,
+      `You are calling 'withAuth' on ${url ?? 'a route'} that isn't covered by the AuthKit middleware. Make sure it is running on all paths you are calling 'withAuth' from by updating your middleware config in 'middleware.(js|ts)'.`,
     );
   }
 

package/src/test-helpers.ts

@@ -45,6 +45,7 @@ export async function generateSession(overrides: Partial<User> = {}) {
     lastSignInAt: '2024-01-01T00:00:00Z',
     externalId: null,
     metadata: {},
+    locale: null,
     ...overrides,
   } satisfies User;
 

package/src/utils.ts

@@ -1,5 +1,16 @@
 import { NextResponse } from 'next/server';
 
+/**
+ * Sets cache prevention headers to prevent CDN/proxy caching.
+ * @param headers - The Headers object to set the cache prevention headers on.
+ */
+export function setCachePreventionHeaders(headers: Headers): void {
+  headers.set('Cache-Control', 'private, no-cache, no-store, must-revalidate, max-age=0');
+  headers.set('Pragma', 'no-cache');
+  headers.set('Expires', '0');
+  headers.set('x-middleware-cache', 'no-cache');
+}
+
 export function redirectWithFallback(redirectUri: string, headers?: Headers) {
   const newHeaders = headers ? new Headers(headers) : new Headers();
   newHeaders.set('Location', redirectUri);