@workos-inc/authkit-nextjs 2.17.0 → 3.0.0

package/src/authkit-callback-route.ts

@@ -1,8 +1,8 @@
 import { NextRequest } from 'next/server';
-import { getCookieOptions } from './cookie.js';
+import { getPKCECookieOptions } from './cookie.js';
 import { WORKOS_CLIENT_ID } from './env-variables.js';
 import { HandleAuthOptions } from './interfaces.js';
-import { PKCE_COOKIE_NAME, getPKCECodeVerifier } from './pkce.js';
+import { PKCE_COOKIE_NAME, getStateFromPKCECookieValue } from './pkce.js';
 import { saveSession } from './session.js';
 import { errorResponseWithFallback, redirectWithFallback, setCachePreventionHeaders } from './utils.js';
 import { getWorkOS } from './workos.js';
@@ -12,37 +12,6 @@ function preventCaching(headers: Headers): void {
   setCachePreventionHeaders(headers);
 }
 
-function handleState(state: string | null) {
-  let returnPathname: string | undefined = undefined;
-  let userState: string | undefined;
-  if (state?.includes('.')) {
-    const [internal, ...rest] = state.split('.');
-    userState = rest.join('.');
-    try {
-      // Reverse URL-safe base64 encoding
-      const decoded = internal.replace(/-/g, '+').replace(/_/g, '/');
-      returnPathname = JSON.parse(atob(decoded)).returnPathname;
-    } catch {
-      // Malformed internal part, ignore it
-    }
-  } else if (state) {
-    try {
-      const decoded = JSON.parse(atob(state));
-      if (decoded.returnPathname) {
-        returnPathname = decoded.returnPathname;
-      } else {
-        userState = state;
-      }
-    } catch {
-      userState = state;
-    }
-  }
-  return {
-    returnPathname,
-    state: userState,
-  };
-}
-
 export function handleAuth(options: HandleAuthOptions = {}) {
   const { returnPathname: returnPathnameOption = '/', baseURL, onSuccess, onError } = options;
 
@@ -56,82 +25,100 @@ export function handleAuth(options: HandleAuthOptions = {}) {
   }
 
   return async function GET(request: NextRequest) {
-    // Fall back to standard URL parsing when nextUrl is not available (e.g., vinext)
-    const requestUrl = request.nextUrl ?? new URL(request.url);
-    const code = requestUrl.searchParams.get('code');
-    const state = requestUrl.searchParams.get('state');
-
-    const { state: customState, returnPathname: returnPathnameState } = handleState(state);
-
-    if (code) {
-      try {
-        const pkceCookie = request.cookies.get(PKCE_COOKIE_NAME);
-        const codeVerifier = await getPKCECodeVerifier(pkceCookie?.value);
-
-        // Use the code returned to us by AuthKit and authenticate the user with WorkOS
-        const { accessToken, refreshToken, user, impersonator, oauthTokens, authenticationMethod, organizationId } =
-          await getWorkOS().userManagement.authenticateWithCode({
-            clientId: WORKOS_CLIENT_ID,
-            code,
-            codeVerifier,
-          });
-
-        // If baseURL is provided, use it instead of request.nextUrl
-        // This is useful if the app is being run in a container like docker where
-        // the hostname can be different from the one in the request
-        const url = baseURL ? new URL(baseURL) : new URL(requestUrl.toString());
-
-        // Cleanup params
-        url.searchParams.delete('code');
-        url.searchParams.delete('state');
-
-        // Redirect to the requested path and store the session
-        const returnPathname = returnPathnameState ?? returnPathnameOption;
-
-        // Extract pathname and search params from returnPathname
-        const parsedReturnUrl = new URL(returnPathname, 'https://placeholder.com');
-        url.pathname = parsedReturnUrl.pathname;
-        url.search = parsedReturnUrl.search;
-
-        // Fall back to standard Response if NextResponse is not available.
-        // This is to support Next.js 13.
-        const response = redirectWithFallback(url.toString());
-        preventCaching(response.headers);
-
-        if (pkceCookie) {
-          response.headers.append('Set-Cookie', `${PKCE_COOKIE_NAME}=; ${getCookieOptions(request.url, true, true)}`);
-        }
-
-        if (!accessToken || !refreshToken) throw new Error('response is missing tokens');
-
-        await saveSession({ accessToken, refreshToken, user, impersonator }, request);
-
-        if (onSuccess) {
-          await onSuccess({
-            accessToken,
-            refreshToken,
-            user,
-            impersonator,
-            oauthTokens,
-            authenticationMethod,
-            organizationId,
-            state: customState,
-          });
-        }
-
-        return response;
-      } catch (error) {
-        const errorRes = {
-          error: error instanceof Error ? error.message : String(error),
-        };
-
-        console.error(errorRes);
-
-        return await errorResponse(request, error);
+    // Always delete the PKCE cookie after handling the callback, regardless of success or error
+    // to avoid stale cookies affecting future auth attempts & prevent replays
+    const deleteCookie = `${PKCE_COOKIE_NAME}=; ${getPKCECookieOptions(request.url, true, true)}`;
+
+    // We want to catch any & all errors and respond the same way
+    // Firstly, by destroying the 1-use PKCE cookie to prevent replay attacks
+    // or stale cookies affecting future auth attempts
+    try {
+      // Fall back to standard URL parsing when nextUrl is not available (e.g., vinext)
+      const requestUrl = request.nextUrl ?? new URL(request.url);
+
+      // Gather mandatory information
+      const code = requestUrl.searchParams.get('code');
+      const state = requestUrl.searchParams.get('state');
+      const pkceCookie = request.cookies.get(PKCE_COOKIE_NAME)?.value;
+
+      if (!code || !state) {
+        throw new Error('Missing required auth parameter');
+      }
+
+      // CSRF verification: both channels (cookie + URL state) must be present and match
+      if (!pkceCookie) {
+        throw new Error(
+          'Auth cookie missing — cannot verify OAuth state. Ensure Set-Cookie headers are propagated on redirects.',
+        );
       }
-    }
 
-    return await errorResponse(request);
+      if (state !== pkceCookie) {
+        throw new Error('OAuth state mismatch');
+      }
+
+      const {
+        codeVerifier,
+        customState,
+        returnPathname: returnPathnameState,
+      } = await getStateFromPKCECookieValue(pkceCookie);
+
+      // Use the code returned to us by AuthKit and authenticate the user with WorkOS
+      const { accessToken, refreshToken, user, impersonator, oauthTokens, authenticationMethod, organizationId } =
+        await getWorkOS().userManagement.authenticateWithCode({
+          clientId: WORKOS_CLIENT_ID,
+          code,
+          codeVerifier,
+        });
+
+      if (!accessToken || !refreshToken) {
+        throw new Error('response is missing tokens');
+      }
+
+      // If baseURL is provided, use it instead of request.nextUrl
+      // This is useful if the app is being run in a container like docker where
+      // the hostname can be different from the one in the request
+      const url = baseURL ? new URL(baseURL) : new URL(requestUrl.toString());
+
+      // Cleanup params
+      url.searchParams.delete('code');
+      url.searchParams.delete('state');
+
+      // Redirect to the requested path and store the session
+      const returnPathname = returnPathnameState ?? returnPathnameOption;
+
+      // Extract pathname and search params from returnPathname
+      const parsedReturnUrl = new URL(returnPathname, 'https://placeholder.com');
+      url.pathname = parsedReturnUrl.pathname;
+      url.search = parsedReturnUrl.search;
+
+      // Fall back to standard Response if NextResponse is not available.
+      // This is to support Next.js 13.
+      const response = redirectWithFallback(url.toString());
+      preventCaching(response.headers);
+      response.headers.append('Set-Cookie', deleteCookie);
+
+      await saveSession({ accessToken, refreshToken, user, impersonator }, request);
+
+      if (onSuccess) {
+        await onSuccess({
+          accessToken,
+          refreshToken,
+          user,
+          impersonator,
+          oauthTokens,
+          authenticationMethod,
+          organizationId,
+          state: customState,
+        });
+      }
+
+      return response;
+    } catch (error) {
+      console.error('[AuthKit callback error]', error);
+      const response = await errorResponse(request, error);
+      response.headers.append('Set-Cookie', deleteCookie);
+      return response;
+    }
   };
 
   async function errorResponse(request: NextRequest, error?: unknown) {

package/src/components/authkit-provider.spec.tsx

@@ -1,3 +1,4 @@
+import type { Mock } from 'vitest';
 import React from 'react';
 import { render, waitFor, act } from '@testing-library/react';
 import '@testing-library/jest-dom';
@@ -228,17 +229,20 @@ describe('AuthKitProvider', () => {
   });
 
   describe('window.location.reload behavior', () => {
-    let originalLocation: Location;
+    let originalLocationDescriptor: PropertyDescriptor | undefined;
 
     beforeEach(() => {
-      originalLocation = window.location;
-      // @ts-expect-error - deleting window.location to mock it
-      delete window.location;
-      window.location = { reload: vi.fn() } as unknown as Location;
+      originalLocationDescriptor = Object.getOwnPropertyDescriptor(window, 'location');
+      Object.defineProperty(window, 'location', {
+        writable: true,
+        value: { reload: vi.fn() },
+      });
     });
 
     afterEach(() => {
-      window.location = originalLocation;
+      if (originalLocationDescriptor) {
+        Object.defineProperty(window, 'location', originalLocationDescriptor);
+      }
     });
 
     it('should reload the page when session is expired and no onSessionExpired handler is provided', async () => {
@@ -312,6 +316,85 @@ describe('useAuth', () => {
     });
   });
 
+  describe('client-side redirect for ensureSignedIn', () => {
+    let originalLocationDescriptor: PropertyDescriptor | undefined;
+
+    beforeEach(() => {
+      originalLocationDescriptor = Object.getOwnPropertyDescriptor(window, 'location');
+      Object.defineProperty(window, 'location', {
+        writable: true,
+        value: { href: '' },
+      });
+    });
+
+    afterEach(() => {
+      if (originalLocationDescriptor) {
+        Object.defineProperty(window, 'location', originalLocationDescriptor);
+      }
+    });
+
+    it('should redirect via window.location.href when getAuthAction returns signInUrl', async () => {
+      // First call (initial load): no user, no signInUrl
+      // Second call (ensureSignedIn triggered): no user, signInUrl returned
+      (getAuthAction as Mock)
+        .mockResolvedValueOnce({ user: null })
+        .mockResolvedValueOnce({ user: null, signInUrl: 'https://api.workos.com/authorize?client_id=test' });
+
+      const TestComponent = () => {
+        const auth = useAuth({ ensureSignedIn: true });
+        return <div data-testid="loading">{auth.loading.toString()}</div>;
+      };
+
+      render(
+        <AuthKitProvider>
+          <TestComponent />
+        </AuthKitProvider>,
+      );
+
+      await waitFor(() => {
+        expect(window.location.href).toBe('https://api.workos.com/authorize?client_id=test');
+      });
+    });
+
+    it('should redirect via window.location.href when refreshAuthAction returns signInUrl', async () => {
+      (getAuthAction as Mock).mockResolvedValueOnce({
+        user: { email: 'test@example.com' },
+        sessionId: 'test-session',
+      });
+      (refreshAuthAction as Mock).mockResolvedValueOnce({
+        user: null,
+        signInUrl: 'https://api.workos.com/authorize?client_id=refresh_test',
+      });
+
+      const TestComponent = () => {
+        const auth = useAuth();
+        return (
+          <div>
+            <button onClick={() => auth.refreshAuth({ ensureSignedIn: true })}>Refresh</button>
+          </div>
+        );
+      };
+
+      const { getByRole } = render(
+        <AuthKitProvider>
+          <TestComponent />
+        </AuthKitProvider>,
+      );
+
+      await waitFor(() => {
+        expect(getAuthAction).toHaveBeenCalledTimes(1);
+      });
+
+      act(() => {
+        getByRole('button').click();
+      });
+
+      await waitFor(() => {
+        expect(window.location.href).toBe('https://api.workos.com/authorize?client_id=refresh_test');
+      });
+    });
+  });
+
   it('should throw error when used outside of AuthKitProvider', () => {
     const TestComponent = () => {
       const auth = useAuth();

package/src/components/authkit-provider.tsx

@@ -1,6 +1,6 @@
 'use client';
 
-import React, { createContext, ReactNode, useCallback, useContext, useEffect, useState } from 'react';
+import React, { createContext, ReactNode, useCallback, useContext, useEffect, useRef, useState } from 'react';
 import {
   checkSessionAction,
   getAuthAction,
@@ -57,11 +57,27 @@ export const AuthKitProvider = ({ children, onSessionExpired, initialAuth }: Aut
   const [featureFlags, setFeatureFlags] = useState<string[] | undefined>(initialAuth?.featureFlags);
   const [impersonator, setImpersonator] = useState<Impersonator | undefined>(initialAuth?.impersonator);
   const [loading, setLoading] = useState(!initialAuth);
+  const redirectingRef = useRef(false);
+
+  // Redirect client-side to avoid CORS errors that occur when redirect()
+  // is called from a server action to an external URL.
+  const handleSignInRedirect = useCallback((auth: Record<string, unknown>): boolean => {
+    if ('signInUrl' in auth && auth.signInUrl) {
+      redirectingRef.current = true;
+      window.location.href = auth.signInUrl as string;
+      return true;
+    }
+    return false;
+  }, []);
 
   const getAuth = useCallback(async ({ ensureSignedIn = false }: { ensureSignedIn?: boolean } = {}) => {
+    if (redirectingRef.current) return;
     setLoading(true);
     try {
       const auth = await getAuthAction({ ensureSignedIn });
+
+      if (handleSignInRedirect(auth)) return;
+
       setUser(auth.user);
       setSessionId(auth.sessionId);
       setOrganizationId(auth.organizationId);
@@ -105,10 +121,13 @@ export const AuthKitProvider = ({ children, onSessionExpired, initialAuth }: Aut
 
   const refreshAuth = useCallback(
     async ({ ensureSignedIn = false, organizationId }: { ensureSignedIn?: boolean; organizationId?: string } = {}) => {
+      if (redirectingRef.current) return;
       try {
         setLoading(true);
         const auth = await refreshAuthAction({ ensureSignedIn, organizationId });
 
+        if (handleSignInRedirect(auth)) return;
+
         setUser(auth.user);
         setSessionId(auth.sessionId);
         setOrganizationId(auth.organizationId);

package/src/components/impersonation.spec.tsx

@@ -1,3 +1,4 @@
+import type { Mock } from 'vitest';
 import { render, act, screen } from '@testing-library/react';
 import '@testing-library/jest-dom';
 import { Impersonation } from './impersonation.js';

package/src/components/impersonation.tsx

@@ -29,35 +29,40 @@ export function Impersonation({ side = 'bottom', returnTo, ...props }: Impersona
     <div
       {...props}
       data-workos-impersonation-root=""
-      style={{
-        'position': 'fixed',
-        'inset': 0,
-        'pointerEvents': 'none',
-        'zIndex': 9999,
-
-        // short properties with defaults for authoring convenience
-        '--wi-minimized': '0',
-        '--wi-s': 'min(max(var(--workos-impersonation-size, 4px), 2px), 15px)',
-        '--wi-bgc': 'var(--workos-impersonation-background-color, #fce654)',
-        '--wi-c': 'var(--workos-impersonation-color, #1a1600)',
-        '--wi-bc': 'var(--workos-impersonation-border-color, #e0c36c)',
-        '--wi-bw': 'var(--workos-impersonation-border-width, 1px)',
-
-        ...props.style,
-      }}
+      style={
+        {
+          position: 'fixed',
+          inset: 0,
+          pointerEvents: 'none',
+          zIndex: 9999,
+
+          // short properties with defaults for authoring convenience
+          '--wi-minimized': '0',
+          '--wi-s': 'min(max(var(--workos-impersonation-size, 4px), 2px), 15px)',
+          '--wi-bgc': 'var(--workos-impersonation-background-color, #fce654)',
+          '--wi-c': 'var(--workos-impersonation-color, #1a1600)',
+          '--wi-bc': 'var(--workos-impersonation-border-color, #e0c36c)',
+          '--wi-bw': 'var(--workos-impersonation-border-width, 1px)',
+
+          ...props.style,
+        } as React.CSSProperties
+      }
     >
       <div
-        style={{
-          '--wi-frame-size': 'calc(var(--wi-s) * (1 - var(--wi-minimized)) + var(--wi-minimized) * var(--wi-bw) * -1)',
-          'position': 'absolute',
-          'inset': 'calc(var(--wi-frame-size) * -1)',
-          'borderRadius': 'calc(var(--wi-frame-size) * 3)',
-          'boxShadow': `
+        style={
+          {
+            '--wi-frame-size':
+              'calc(var(--wi-s) * (1 - var(--wi-minimized)) + var(--wi-minimized) * var(--wi-bw) * -1)',
+            position: 'absolute',
+            inset: 'calc(var(--wi-frame-size) * -1)',
+            borderRadius: 'calc(var(--wi-frame-size) * 3)',
+            boxShadow: `
 						inset 0 0 0 calc(var(--wi-frame-size) * 2) var(--wi-bgc),
 						inset 0 0 0 calc(var(--wi-frame-size) * 2 + var(--wi-bw)) var(--wi-bc)
 					`,
-          'transition': 'all 500ms cubic-bezier(0.16, 1, 0.3, 1)',
-        }}
+            transition: 'all 500ms cubic-bezier(0.16, 1, 0.3, 1)',
+          } as React.CSSProperties
+        }
       />
 
       <div

package/src/components/tokenStore.spec.ts

@@ -1,3 +1,4 @@
+import type { Mock } from 'vitest';
 import { tokenStore, TokenStore } from './tokenStore.js';
 import { getAccessTokenAction, refreshAccessTokenAction } from '../actions.js';
 
@@ -54,7 +55,7 @@ describe('tokenStore', () => {
         resolvePromise = resolve;
       });
 
-      mockRefreshAccessTokenAction.mockReturnValue(slowPromise);
+      mockRefreshAccessTokenAction.mockReturnValue(slowPromise.then((t) => ({ accessToken: t })));
 
       expect(tokenStore.isRefreshing()).toBe(false);
 
@@ -124,18 +125,25 @@ describe('tokenStore', () => {
       const refreshedToken =
         'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJyZWZyZXNoZWQiLCJzaWQiOiJzZXNzaW9uXzEyMyIsImV4cCI6OTk5OTk5OTk5OX0.mock-signature-2';
 
-      // Set expiring token first
+      // Set expiring token first — also set refresh mock since getAccessTokenSilently
+      // will trigger refresh for expiring tokens
       mockGetAccessTokenAction.mockResolvedValue(expiringToken);
+      mockRefreshAccessTokenAction.mockResolvedValueOnce({ accessToken: expiringToken });
       await tokenStore.getAccessTokenSilently();
 
-      // Setup refresh mock
-      mockRefreshAccessTokenAction.mockResolvedValue(refreshedToken);
+      // Clear mocks to track subsequent calls
+      mockGetAccessTokenAction.mockClear();
+      mockRefreshAccessTokenAction.mockClear();
 
-      // Now call getAccessToken - should trigger refresh
+      // Setup refresh to return new token
+      mockRefreshAccessTokenAction.mockResolvedValue({ accessToken: refreshedToken });
+
+      // Now call getAccessToken - should trigger refresh due to expiring token
       const token = await tokenStore.getAccessToken();
 
-      expect(token).toBe(refreshedToken);
+      // Should have called refresh since existing token was expiring
       expect(mockRefreshAccessTokenAction).toHaveBeenCalled();
+      expect(token).toBe(refreshedToken);
     });
 
     it('should refresh when no token exists', async () => {
@@ -192,7 +200,7 @@ describe('tokenStore', () => {
         'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJyZWZyZXNoZWQiLCJzaWQiOiJzZXNzaW9uXzEyMyIsImV4cCI6OTk5OTk5OTk5OX0.mock-signature-2';
 
       mockGetAccessTokenAction.mockResolvedValue(expiredToken);
-      mockRefreshAccessTokenAction.mockResolvedValue(refreshedToken);
+      mockRefreshAccessTokenAction.mockResolvedValue({ accessToken: refreshedToken });
 
       const token = await tokenStore.getAccessTokenSilently();
 
@@ -287,15 +295,18 @@ describe('tokenStore', () => {
       const refreshedToken =
         'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJyZWZyZXNoZWQiLCJzaWQiOiJzZXNzaW9uXzEyMyIsImV4cCI6OTk5OTk5OTk5OX0.mock-signature-2';
 
-      // First set an expiring token
+      // First set an expiring token — also set refresh mock since getAccessTokenSilently
+      // will trigger refresh for expiring tokens
       mockGetAccessTokenAction.mockResolvedValue(expiringToken);
+      mockRefreshAccessTokenAction.mockResolvedValueOnce({ accessToken: expiringToken });
       await tokenStore.getAccessTokenSilently();
 
       // Clear mocks
       mockGetAccessTokenAction.mockClear();
+      mockRefreshAccessTokenAction.mockClear();
 
       // Setup refresh to return new token
-      mockRefreshAccessTokenAction.mockResolvedValue(refreshedToken);
+      mockRefreshAccessTokenAction.mockResolvedValue({ accessToken: refreshedToken });
 
       // Call getAccessToken again - should trigger refresh due to expiring token
       const token = await tokenStore.getAccessToken();
@@ -526,7 +537,10 @@ describe('tokenStore', () => {
       await tokenStore.getAccessTokenSilently();
 
       // Now simulate network error during refresh
-      mockRefreshAccessTokenAction.mockRejectedValue(new Error('Network error'));
+      mockRefreshAccessTokenAction.mockResolvedValue({
+        accessToken: undefined,
+        error: 'Failed to refresh access token',
+      });
 
       try {
         await tokenStore.refreshToken();
@@ -543,7 +557,7 @@ describe('tokenStore', () => {
     it('should convert non-Error objects to Error instances', async () => {
       const errorString = 'network timeout';
 
-      mockRefreshAccessTokenAction.mockRejectedValue(errorString);
+      mockRefreshAccessTokenAction.mockResolvedValue({ accessToken: undefined, error: errorString });
 
       try {
         await tokenStore.refreshToken();
@@ -649,7 +663,7 @@ describe('tokenStore', () => {
 
       mockRefreshAccessTokenAction.mockImplementation(() => {
         callCount++;
-        return slowPromise;
+        return slowPromise.then((t) => ({ accessToken: t }));
       });
 
       // Clear any existing refresh promise
@@ -691,11 +705,11 @@ describe('tokenStore', () => {
   });
 
   describe('refresh state management', () => {
-    it('should preserve Error instances without conversion', async () => {
-      const errorInstance = new Error('actual error instance');
+    it('should create Error from server action error string', async () => {
+      const errorMessage = 'actual error instance';
 
-      // Mock refresh to throw an Error instance
-      mockRefreshAccessTokenAction.mockRejectedValue(errorInstance);
+      // Mock refresh to return an error result (as server actions do)
+      mockRefreshAccessTokenAction.mockResolvedValue({ accessToken: undefined, error: errorMessage });
 
       try {
         await tokenStore.refreshToken();
@@ -703,9 +717,10 @@ describe('tokenStore', () => {
         // Expected to throw
       }
 
-      // Verify the Error instance was preserved without conversion
+      // Verify an Error was created from the error string
       const state = tokenStore.getSnapshot();
-      expect(state.error).toBe(errorInstance); // Same instance, not a new one
+      expect(state.error).toBeInstanceOf(Error);
+      expect(state.error?.message).toBe(errorMessage);
     });
 
     it('should update state for manual refresh', async () => {
@@ -717,7 +732,7 @@ describe('tokenStore', () => {
       await tokenStore.getAccessTokenSilently();
 
       // Mock refresh to return new token
-      mockRefreshAccessTokenAction.mockResolvedValue(newToken);
+      mockRefreshAccessTokenAction.mockResolvedValue({ accessToken: newToken });
 
       // Call manual refresh which should update state
       const result = await tokenStore.refreshToken();
@@ -736,7 +751,7 @@ describe('tokenStore', () => {
 
       // Clear mocks and set up spy on setState
       mockGetAccessTokenAction.mockClear();
-      mockRefreshAccessTokenAction.mockResolvedValue(existingToken); // Same token
+      mockRefreshAccessTokenAction.mockResolvedValue({ accessToken: existingToken }); // Same token
 
       const listener = vi.fn();
       tokenStore.subscribe(listener);

package/src/components/tokenStore.ts

@@ -1,6 +1,14 @@
 import { getAccessTokenAction, refreshAccessTokenAction } from '../actions.js';
+import type { RefreshAccessTokenActionResult } from '../actions.js';
 import { decodeJwt } from '../jwt.js';
 
+function unwrapRefreshResult(result: RefreshAccessTokenActionResult): string | undefined {
+  if (result.error) {
+    throw new Error(result.error);
+  }
+  return result.accessToken;
+}
+
 interface TokenState {
   token: string | undefined;
   loading: boolean;
@@ -323,7 +331,7 @@ export class TokenStore {
 
         if (!silent) {
           // Manual refresh - always force refresh
-          token = await refreshAccessTokenAction();
+          token = unwrapRefreshResult(await refreshAccessTokenAction());
         } else {
           // Silent refresh - only fetch from server if we don't have a local token
           if (!previousToken) {
@@ -342,14 +350,14 @@ export class TokenStore {
 
             // If the token from server is expiring, refresh it
             if (!token || (tokenData && tokenData.isExpiring)) {
-              const refreshedToken = await refreshAccessTokenAction();
+              const refreshedToken = unwrapRefreshResult(await refreshAccessTokenAction());
               if (refreshedToken) {
                 token = refreshedToken;
               }
             }
           } else {
             // We have a local token that needs refreshing (already checked by getAccessTokenSilently)
-            token = await refreshAccessTokenAction();
+            token = unwrapRefreshResult(await refreshAccessTokenAction());
           }
         }