@workos-inc/authkit-nextjs 2.13.0 → 2.14.0

package/README.md

@@ -9,7 +9,7 @@ The AuthKit library for Next.js provides convenient helpers for authentication a
 Install the package with:
 
 ```
-npm i @workos-inc/authkit-nextjs
+pnpm i @workos-inc/authkit-nextjs
 ```
 
 or
@@ -159,10 +159,18 @@ export default authkitMiddleware();
 // For Next.js 16+, you can also use: export { default as proxy } from './proxy';
 
 // Match against pages that require auth
-// Leave this out if you want auth on every resource (including images, css etc.)
 export const config = { matcher: ['/', '/admin'] };
 ```
 
+> [!WARNING]
+> Using a catch-all matcher pattern can intercept static assets (CSS, images, fonts), causing styles to break—particularly with Tailwind CSS v4. If you need a broad matcher, exclude Next.js static paths:
+>
+> ```ts
+> export const config = {
+>   matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
+> };
+> ```
+
 The proxy/middleware can be configured with several options.
 
 | Option           | Default     | Description                                                                                                             |
@@ -185,7 +193,6 @@ export default authkitMiddleware({
 });
 
 // Match against pages that require auth
-// Leave this out if you want auth on every resource (including images, css etc.)
 export const config = { matcher: ['/', '/admin'] };
 ```
 

package/dist/esm/types/session.d.ts

@@ -3,7 +3,7 @@ import { NextRequest } from 'next/server';
 import { AuthkitMiddlewareAuth, AuthkitOptions, AuthkitResponse, NoUserInfo, Session, UserInfo } from './interfaces.js';
 import type { AuthenticationResponse } from '@workos-inc/node';
 declare function encryptSession(session: Session): Promise<string>;
-declare function updateSessionMiddleware(request: NextRequest, debug: boolean, middlewareAuth: AuthkitMiddlewareAuth, redirectUri: string, signUpPaths: string[], eagerAuth?: boolean): Promise<import("next/server").NextResponse<unknown>>;
+declare function updateSessionMiddleware(request: NextRequest, debug: boolean, middlewareAuth: AuthkitMiddlewareAuth, redirectUri: string, signUpPaths: string[], eagerAuth?: boolean): Promise<import("next/server.js").NextResponse<unknown>>;
 declare function updateSession(request: NextRequest, options?: AuthkitOptions): Promise<AuthkitResponse>;
 declare function refreshSession(options: {
     organizationId?: string;

package/dist/esm/types/validate-api-key.d.ts

@@ -1 +1 @@
-export declare function validateApiKey(): Promise<import("@workos-inc/node/lib/api-keys/interfaces/validate-api-key.interface.js").ValidateApiKeyResponse>;
+export declare function validateApiKey(): Promise<import("@workos-inc/node").ValidateApiKeyResponse>;

package/dist/esm/types/workos.d.ts

@@ -1,5 +1,5 @@
 import { WorkOS } from '@workos-inc/node';
-export declare const VERSION = "2.13.0";
+export declare const VERSION = "2.14.0";
 /**
  * Create a WorkOS instance with the provided API key and options.
  * If an instance already exists, it returns the existing instance.

package/dist/esm/workos.js

@@ -1,7 +1,7 @@
 import { WorkOS } from '@workos-inc/node';
 import { WORKOS_API_HOSTNAME, WORKOS_API_KEY, WORKOS_API_HTTPS, WORKOS_API_PORT } from './env-variables.js';
 import { lazy } from './utils.js';
-export const VERSION = '2.13.0';
+export const VERSION = '2.14.0';
 const options = {
     apiHostname: WORKOS_API_HOSTNAME,
     https: WORKOS_API_HTTPS ? WORKOS_API_HTTPS === 'true' : true,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@workos-inc/authkit-nextjs",
-  "version": "2.13.0",
+  "version": "2.14.0",
   "description": "Authentication and session helpers for using WorkOS & AuthKit with Next.js",
   "sideEffects": false,
   "type": "module",
@@ -22,20 +22,8 @@
       "import": "./dist/esm/index.js"
     }
   },
-  "scripts": {
-    "clean": "rm -rf dist",
-    "prebuild": "npm run clean",
-    "build": "tsc --project tsconfig.json",
-    "prepublishOnly": "npm run lint",
-    "lint": "eslint \"src/**/*.ts*\"",
-    "test": "jest",
-    "test:watch": "jest --watch",
-    "prettier": "prettier \"src/**/*.{js,ts,tsx}\" --check",
-    "format": "prettier \"src/**/*.{js,ts,tsx}\" --write",
-    "type-check": "tsc --project tsconfig.json --noEmit"
-  },
   "dependencies": {
-    "@workos-inc/node": "^7.72.0",
+    "@workos-inc/node": "^8.2.0",
     "iron-session": "^8.0.1",
     "jose": "^5.2.3",
     "path-to-regexp": "^6.2.2"
@@ -48,21 +36,20 @@
   "devDependencies": {
     "@testing-library/jest-dom": "^6.6.3",
     "@testing-library/react": "^16.0.1",
-    "@types/jest": "^29.5.14",
     "@types/node": "^20.11.28",
     "@types/react": "18.2.67",
     "@types/react-dom": "18.2.22",
+    "@vitest/coverage-v8": "^3.0.0",
     "eslint": "^8.29.0",
     "eslint-config-prettier": "^9.1.0",
     "eslint-plugin-require-extensions": "^0.1.3",
-    "jest": "^29.7.0",
-    "jest-environment-jsdom": "^29.7.0",
+    "jsdom": "^26.0.0",
     "next": "^16.0.10",
     "prettier": "^3.3.3",
-    "ts-jest": "^29.2.5",
-    "ts-node": "^10.9.2",
+    "tslib": "^2.8.1",
     "typescript": "5.4.2",
-    "typescript-eslint": "^7.2.0"
+    "typescript-eslint": "^7.2.0",
+    "vitest": "^3.0.0"
   },
   "license": "MIT",
   "homepage": "https://github.com/workos/authkit-nextjs#readme",
@@ -72,5 +59,17 @@
   },
   "bugs": {
     "url": "https://github.com/workos/authkit-nextjs/issues"
+  },
+  "scripts": {
+    "clean": "rm -rf dist",
+    "prebuild": "pnpm run clean",
+    "build": "tsc --project tsconfig.json",
+    "lint": "eslint \"src/**/*.ts*\"",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage",
+    "prettier": "prettier \"src/**/*.{js,ts,tsx}\" --check",
+    "format": "prettier \"src/**/*.{js,ts,tsx}\" --write",
+    "typecheck": "tsc --project tsconfig.json --noEmit"
   }
-}
+}

package/src/actions.spec.ts

@@ -12,23 +12,25 @@ import { signOut, switchToOrganization } from './auth.js';
 import { getWorkOS } from '../src/workos.js';
 import { withAuth, refreshSession } from '../src/session.js';
 
-jest.mock('../src/auth.js', () => ({
-  signOut: jest.fn().mockResolvedValue(true),
-  switchToOrganization: jest.fn().mockResolvedValue({ organizationId: 'org_123' }),
+vi.mock('../src/auth.js', () => ({
+  signOut: vi.fn().mockResolvedValue(true),
+  switchToOrganization: vi.fn().mockResolvedValue({ organizationId: 'org_123' }),
 }));
 
-const fakeWorkosInstance = {
-  organizations: {
-    getOrganization: jest.fn().mockResolvedValue({ id: 'org_123', name: 'Test Org' }),
+const { fakeWorkosInstance } = vi.hoisted(() => ({
+  fakeWorkosInstance: {
+    organizations: {
+      getOrganization: vi.fn().mockResolvedValue({ id: 'org_123', name: 'Test Org' }),
+    },
   },
-};
-jest.mock('../src/workos.js', () => ({
-  getWorkOS: jest.fn(() => fakeWorkosInstance),
+}));
+vi.mock('../src/workos.js', () => ({
+  getWorkOS: vi.fn(() => fakeWorkosInstance),
 }));
 
-jest.mock('../src/session.js', () => ({
-  withAuth: jest.fn().mockResolvedValue({ user: 'testUser', accessToken: 'access_token' }),
-  refreshSession: jest.fn().mockResolvedValue({ session: 'newSession', accessToken: 'refreshed_token' }),
+vi.mock('../src/session.js', () => ({
+  withAuth: vi.fn().mockResolvedValue({ user: 'testUser', accessToken: 'access_token' }),
+  refreshSession: vi.fn().mockResolvedValue({ session: 'newSession', accessToken: 'refreshed_token' }),
 }));
 
 describe('actions', () => {

package/src/auth.spec.ts

@@ -1,11 +1,9 @@
-import { describe, it, expect, beforeEach, jest } from '@jest/globals';
-
 import { getSignInUrl, getSignUpUrl, signOut, switchToOrganization } from './auth.js';
 import * as session from './session.js';
 import * as cache from 'next/cache';
 import * as workosModule from './workos.js';
 
-// These are mocked in jest.setup.ts
+// These are mocked in vitest.setup.ts
 import { cookies, headers } from 'next/headers';
 import { redirect } from 'next/navigation';
 import { generateSession, generateTestToken } from './test-helpers.js';
@@ -14,44 +12,44 @@ import { getWorkOS } from './workos.js';
 
 const workos = getWorkOS();
 
-jest.mock('next/cache', () => {
-  const actual = jest.requireActual<typeof cache>('next/cache');
+vi.mock('next/cache', async () => {
+  const actual = await vi.importActual<typeof cache>('next/cache');
   return {
     ...actual,
-    revalidateTag: jest.fn(),
-    revalidatePath: jest.fn(),
+    revalidateTag: vi.fn(),
+    revalidatePath: vi.fn(),
   };
 });
 
 // Create a fake WorkOS instance that will be used only in the "on error" tests
 const fakeWorkosInstance = {
   userManagement: {
-    authenticateWithRefreshToken: jest.fn(),
-    getAuthorizationUrl: jest.fn(),
-    getJwksUrl: jest.fn(() => 'https://api.workos.com/sso/jwks/client_1234567890'),
-    getLogoutUrl: jest.fn(),
+    authenticateWithRefreshToken: vi.fn(),
+    getAuthorizationUrl: vi.fn(),
+    getJwksUrl: vi.fn(() => 'https://api.workos.com/sso/jwks/client_1234567890'),
+    getLogoutUrl: vi.fn(),
   },
 };
 
-const revalidatePath = jest.mocked(cache.revalidatePath);
-const revalidateTag = jest.mocked(cache.revalidateTag);
+const revalidatePath = vi.mocked(cache.revalidatePath);
+const revalidateTag = vi.mocked(cache.revalidateTag);
 // We'll only use these in the "on error" tests
 const authenticateWithRefreshToken = fakeWorkosInstance.userManagement.authenticateWithRefreshToken;
 const getAuthorizationUrl = fakeWorkosInstance.userManagement.getAuthorizationUrl;
 
-jest.mock('../src/session', () => {
-  const actual = jest.requireActual<typeof session>('../src/session');
+vi.mock('../src/session', async () => {
+  const actual = await vi.importActual<typeof session>('../src/session');
 
   return {
     ...actual,
-    refreshSession: jest.fn(actual.refreshSession),
+    refreshSession: vi.fn(actual.refreshSession),
   };
 });
 
 describe('auth.ts', () => {
   beforeEach(async () => {
     // Clear all mocks between tests
-    jest.clearAllMocks();
+    vi.clearAllMocks();
 
     // Reset the cookie store
     const nextCookies = await cookies();
@@ -139,10 +137,10 @@ describe('auth.ts', () => {
         const mockWorkOS = {
           userManagement: fakeWorkosInstance.userManagement,
           // Add minimal properties to satisfy TypeScript
-          createHttpClient: jest.fn(),
-          createWebhookClient: jest.fn(),
-          createActionsClient: jest.fn(),
-          createIronSessionProvider: jest.fn(),
+          createHttpClient: vi.fn(),
+          createWebhookClient: vi.fn(),
+          createActionsClient: vi.fn(),
+          createIronSessionProvider: vi.fn(),
           apiKey: 'test',
           clientId: 'test',
           host: 'test',
@@ -154,12 +152,12 @@ describe('auth.ts', () => {
 
         // Apply the mock for these tests only
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        jest.spyOn(workosModule, 'getWorkOS').mockImplementation(() => mockWorkOS as any);
+        vi.spyOn(workosModule, 'getWorkOS').mockImplementation(() => mockWorkOS as any);
       });
 
       afterEach(() => {
         // Restore all mocks after each test
-        jest.restoreAllMocks();
+        vi.restoreAllMocks();
       });
 
       it('should redirect to sign in when error is "sso_required"', async () => {
@@ -245,9 +243,9 @@ describe('auth.ts', () => {
 
     describe('when given a `returnTo` parameter', () => {
       it('passes the `returnTo` through to the `getLogoutUrl` call', async () => {
-        jest
-          .spyOn(workos.userManagement, 'getLogoutUrl')
-          .mockReturnValue('https://user-management-logout.com/signed-out');
+        vi.spyOn(workos.userManagement, 'getLogoutUrl').mockReturnValue(
+          'https://user-management-logout.com/signed-out',
+        );
         const mockSession = {
           accessToken: await generateTestToken(),
           sessionId: 'session_123',
@@ -306,9 +304,9 @@ describe('auth.ts', () => {
 
         nextCookies.set('wos-session', encryptedSession);
 
-        jest
-          .spyOn(workos.userManagement, 'getLogoutUrl')
-          .mockReturnValue('https://api.workos.com/user_management/sessions/logout?session_id=session_123');
+        vi.spyOn(workos.userManagement, 'getLogoutUrl').mockReturnValue(
+          'https://api.workos.com/user_management/sessions/logout?session_id=session_123',
+        );
 
         await signOut();
 

package/src/authkit-callback-route.spec.ts

@@ -3,19 +3,21 @@ import { handleAuth } from './authkit-callback-route.js';
 import { getSessionFromCookie, saveSession } from './session.js';
 import { NextRequest, NextResponse } from 'next/server';
 
-// Mocked in jest.setup.ts
+// Mocked in vitest.setup.ts
 import { cookies, headers } from 'next/headers';
 
 // Mock dependencies
-const fakeWorkosInstance = {
-  userManagement: {
-    authenticateWithCode: jest.fn(),
-    getJwksUrl: jest.fn(() => 'https://api.workos.com/sso/jwks/client_1234567890'),
+const { fakeWorkosInstance } = vi.hoisted(() => ({
+  fakeWorkosInstance: {
+    userManagement: {
+      authenticateWithCode: vi.fn(),
+      getJwksUrl: vi.fn(() => 'https://api.workos.com/sso/jwks/client_1234567890'),
+    },
   },
-};
+}));
 
-jest.mock('../src/workos', () => ({
-  getWorkOS: jest.fn(() => fakeWorkosInstance),
+vi.mock('../src/workos', () => ({
+  getWorkOS: vi.fn(() => fakeWorkosInstance),
 }));
 
 describe('authkit-callback-route', () => {
@@ -51,12 +53,12 @@ describe('authkit-callback-route', () => {
 
     beforeAll(() => {
       // Silence console.error during tests
-      jest.spyOn(console, 'error').mockImplementation(() => {});
+      vi.spyOn(console, 'error').mockImplementation(() => {});
     });
 
     beforeEach(async () => {
       // Reset all mocks
-      jest.clearAllMocks();
+      vi.clearAllMocks();
 
       // Create a new request with searchParams
       request = new NextRequest(new URL('http://example.com/callback'));
@@ -72,7 +74,7 @@ describe('authkit-callback-route', () => {
     });
 
     it('should handle successful authentication', async () => {
-      jest.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
+      vi.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
 
       // Set up request with code
       request.nextUrl.searchParams.set('code', 'test-code');
@@ -89,7 +91,7 @@ describe('authkit-callback-route', () => {
 
     it('should handle authentication failure', async () => {
       // Mock authentication failure
-      (workos.userManagement.authenticateWithCode as jest.Mock).mockRejectedValue(new Error('Auth failed'));
+      (workos.userManagement.authenticateWithCode as Mock).mockRejectedValue(new Error('Auth failed'));
 
       request.nextUrl.searchParams.set('code', 'invalid-code');
 
@@ -103,7 +105,7 @@ describe('authkit-callback-route', () => {
 
     it('should handle authentication failure if a non-Error object is thrown', async () => {
       // Mock authentication failure
-      jest.mocked(workos.userManagement.authenticateWithCode).mockRejectedValue('Auth failed');
+      vi.mocked(workos.userManagement.authenticateWithCode).mockRejectedValue('Auth failed');
 
       request.nextUrl.searchParams.set('code', 'invalid-code');
 
@@ -117,7 +119,7 @@ describe('authkit-callback-route', () => {
 
     it('should handle authentication failure with custom onError handler', async () => {
       // Mock authentication failure
-      jest.mocked(workos.userManagement.authenticateWithCode).mockRejectedValue('Auth failed');
+      vi.mocked(workos.userManagement.authenticateWithCode).mockRejectedValue('Auth failed');
       request.nextUrl.searchParams.set('code', 'invalid-code');
 
       const handler = handleAuth({
@@ -145,7 +147,7 @@ describe('authkit-callback-route', () => {
     });
 
     it('should respect custom returnPathname', async () => {
-      jest.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
+      vi.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
 
       request.nextUrl.searchParams.set('code', 'test-code');
 
@@ -156,7 +158,7 @@ describe('authkit-callback-route', () => {
     });
 
     it('should handle state parameter with returnPathname', async () => {
-      jest.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
+      vi.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
 
       const state = btoa(JSON.stringify({ returnPathname: '/custom-path' }));
       request.nextUrl.searchParams.set('code', 'test-code');
@@ -169,7 +171,7 @@ describe('authkit-callback-route', () => {
     });
 
     it('should extract custom search params from returnPathname', async () => {
-      jest.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
+      vi.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
 
       const state = btoa(JSON.stringify({ returnPathname: '/custom-path?foo=bar&baz=qux' }));
       request.nextUrl.searchParams.set('code', 'test-code');
@@ -182,7 +184,7 @@ describe('authkit-callback-route', () => {
     });
 
     it('should handle full URL in returnPathname by extracting only the pathname', async () => {
-      jest.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
+      vi.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
 
       const state = btoa(JSON.stringify({ returnPathname: 'https://example.com/invite/k0123456789' }));
       request.nextUrl.searchParams.set('code', 'test-code');
@@ -200,7 +202,7 @@ describe('authkit-callback-route', () => {
       const originalRedirect = NextResponse.redirect;
       (NextResponse as Partial<typeof NextResponse>).redirect = undefined;
 
-      jest.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
+      vi.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
 
       // Set up request with code
       request.nextUrl.searchParams.set('code', 'test-code');
@@ -232,7 +234,7 @@ describe('authkit-callback-route', () => {
     });
 
     it('should use baseURL if provided', async () => {
-      jest.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
+      vi.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
 
       // Set up request with code
       request.nextUrl.searchParams.set('code', 'test-code');
@@ -248,7 +250,7 @@ describe('authkit-callback-route', () => {
         user: { id: 'user_123' },
       };
 
-      (workos.userManagement.authenticateWithCode as jest.Mock).mockResolvedValue(mockAuthResponse);
+      (workos.userManagement.authenticateWithCode as Mock).mockResolvedValue(mockAuthResponse);
 
       // Set up request with code
       request.nextUrl.searchParams.set('code', 'test-code');
@@ -260,12 +262,12 @@ describe('authkit-callback-route', () => {
     });
 
     it('should call onSuccess if provided', async () => {
-      jest.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
+      vi.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
 
       // Set up request with code
       request.nextUrl.searchParams.set('code', 'test-code');
 
-      const onSuccess = jest.fn();
+      const onSuccess = vi.fn();
       const handler = handleAuth({ onSuccess: onSuccess });
       await handler(request);
 
@@ -276,7 +278,7 @@ describe('authkit-callback-route', () => {
 
     it('should allow onSuccess to update session', async () => {
       const newAccessToken = 'new-access-token';
-      jest.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
+      vi.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
 
       // Set up request with code
       request.nextUrl.searchParams.set('code', 'test-code');
@@ -293,7 +295,7 @@ describe('authkit-callback-route', () => {
     });
 
     it('should pass custom state data to onSuccess callback', async () => {
-      jest.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
+      vi.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
 
       // Create state with new format: internal.user
       const internalState = btoa(JSON.stringify({ returnPathname: '/dashboard' }))
@@ -305,7 +307,7 @@ describe('authkit-callback-route', () => {
       request.nextUrl.searchParams.set('code', 'test-code');
       request.nextUrl.searchParams.set('state', state);
 
-      const onSuccess = jest.fn();
+      const onSuccess = vi.fn();
       const handler = handleAuth({ onSuccess });
       await handler(request);
 
@@ -323,7 +325,7 @@ describe('authkit-callback-route', () => {
     });
 
     it('should handle state without custom data', async () => {
-      jest.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
+      vi.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
 
       // State with only returnPathname
       const state = btoa(JSON.stringify({ returnPathname: '/profile' }));
@@ -331,7 +333,7 @@ describe('authkit-callback-route', () => {
       request.nextUrl.searchParams.set('code', 'test-code');
       request.nextUrl.searchParams.set('state', state);
 
-      const onSuccess = jest.fn();
+      const onSuccess = vi.fn();
       const handler = handleAuth({ onSuccess });
       await handler(request);
 
@@ -345,7 +347,7 @@ describe('authkit-callback-route', () => {
     });
 
     it('should handle backward compatibility with old state format', async () => {
-      jest.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
+      vi.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
 
       // Old format: just returnPathname
       const state = btoa(JSON.stringify({ returnPathname: '/old-path' }));