@workos-inc/authkit-nextjs 2.4.4 → 2.4.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (10) hide show
  1. package/dist/esm/auth.js +7 -6
  2. package/dist/esm/auth.js.map +1 -1
  3. package/dist/esm/cookie.js +53 -16
  4. package/dist/esm/cookie.js.map +1 -1
  5. package/dist/esm/types/workos.d.ts +1 -1
  6. package/dist/esm/workos.js +1 -1
  7. package/package.json +1 -1
  8. package/src/auth.ts +7 -6
  9. package/src/cookie.ts +53 -18
  10. package/src/workos.ts +1 -1
package/dist/esm/auth.js CHANGED
@@ -1,8 +1,9 @@
1
1
  'use server';
2
- import { revalidatePath, revalidateTag } from 'next/cache';
3
- import { cookies, headers } from 'next/headers';
4
- import { redirect } from 'next/navigation';
5
- import { WORKOS_COOKIE_DOMAIN, WORKOS_COOKIE_NAME } from './env-variables.js';
2
+ import { revalidatePath, revalidateTag } from 'next/cache.js';
3
+ import { cookies, headers } from 'next/headers.js';
4
+ import { redirect } from 'next/navigation.js';
5
+ import { WORKOS_COOKIE_NAME } from './env-variables.js';
6
+ import { getCookieOptions } from './cookie.js';
6
7
  import { getAuthorizationUrl } from './get-authorization-url.js';
7
8
  import { refreshSession, withAuth } from './session.js';
8
9
  import { getWorkOS } from './workos.js';
@@ -26,8 +27,8 @@ export async function signOut({ returnTo } = {}) {
26
27
  finally {
27
28
  const nextCookies = await cookies();
28
29
  const cookieName = WORKOS_COOKIE_NAME || 'wos-session';
29
- const domain = WORKOS_COOKIE_DOMAIN || /* istanbul ignore next */ undefined;
30
- nextCookies.delete({ name: cookieName, domain, path: '/' });
30
+ const { domain, path, sameSite, secure } = getCookieOptions();
31
+ nextCookies.delete({ name: cookieName, domain, path, sameSite, secure });
31
32
  if (sessionId) {
32
33
  redirect(getWorkOS().userManagement.getLogoutUrl({ sessionId, returnTo }));
33
34
  }
package/dist/esm/auth.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/auth.ts"],"names":[],"mappings":"AAAA,YAAY,CAAC;AAEb,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3D,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAC3C,OAAO,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAC9E,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAEjE,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AACxD,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,EACjC,cAAc,EACd,SAAS,EACT,WAAW,MAC8D,EAAE;IAC3E,OAAO,mBAAmB,CAAC,EAAE,cAAc,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC,CAAC;AAChG,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,EACjC,cAAc,EACd,SAAS,EACT,WAAW,MAC8D,EAAE;IAC3E,OAAO,mBAAmB,CAAC,EAAE,cAAc,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC,CAAC;AAChG,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,EAAE,QAAQ,KAA4B,EAAE;IACpE,IAAI,SAA6B,CAAC;IAElC,IAAI,CAAC;QACH,MAAM,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,MAAM,QAAQ,EAAE,CAAC;QAC5C,SAAS,GAAG,GAAG,CAAC;IAClB,CAAC;YAAS,CAAC;QACT,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;QACpC,MAAM,UAAU,GAAG,kBAAkB,IAAI,aAAa,CAAC;QACvD,MAAM,MAAM,GAAG,oBAAoB,IAAI,0BAA0B,CAAC,SAAS,CAAC;QAC5E,WAAW,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;QAE5D,IAAI,SAAS,EAAE,CAAC;YACd,QAAQ,CAAC,SAAS,EAAE,CAAC,cAAc,CAAC,YAAY,CAAC,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;QAC7E,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,QAAQ,aAAR,QAAQ,cAAR,QAAQ,GAAI,GAAG,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,cAAsB,EACtB,UAAuC,EAAE;;IAEzC,MAAM,EAAE,QAAQ,EAAE,oBAAoB,GAAG,MAAM,EAAE,gBAAgB,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC;IACnF,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,IAAI,MAAgB,CAAC;IACrB,uBAAuB;IACvB,MAAM,QAAQ,GAAG,QAAQ,IAAI,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC;IAC7D,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,cAAc,CAAC,EAAE,cAAc,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1E,CAAC;IAAC;IACA,8DAA8D;IAC9D,KAAU,EACV,CAAC;QACD,MAAM,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC;QACxB,0BAA0B;QAC1B,IAAI,MAAA,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,OAAO,0CAAE,oBAAoB,EAAE,CAAC;YACzC,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;QAC/C,CAAC;aAAM,CAAC;YACN,IAAI,CAAA,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,KAAK,MAAK,cAAc,IAAI,CAAA,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,KAAK,MAAK,gBAAgB,EAAE,CAAC;gBACzE,MAAM,GAAG,GAAG,MAAM,mBAAmB,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC;gBAC1D,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC;YACvB,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED,QAAQ,oBAAoB,EAAE,CAAC;QAC7B,KAAK,MAAM;YACT,cAAc,CAAC,QAAQ,CAAC,CAAC;YACzB,MAAM;QACR,KAAK,KAAK;YACR,KAAK,MAAM,GAAG,IAAI,gBAAgB,EAAE,CAAC;gBACnC,aAAa,CAAC,GAAG,CAAC,CAAC;YACrB,CAAC;YACD,MAAM;IACV,CAAC;IACD,IAAI,oBAAoB,KAAK,MAAM,EAAE,CAAC;QACpC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACrB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}
1
+ {"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/auth.ts"],"names":[],"mappings":"AAAA,YAAY,CAAC;AAEb,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9D,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAEjE,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AACxD,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,EACjC,cAAc,EACd,SAAS,EACT,WAAW,MAC8D,EAAE;IAC3E,OAAO,mBAAmB,CAAC,EAAE,cAAc,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC,CAAC;AAChG,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,EACjC,cAAc,EACd,SAAS,EACT,WAAW,MAC8D,EAAE;IAC3E,OAAO,mBAAmB,CAAC,EAAE,cAAc,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC,CAAC;AAChG,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,EAAE,QAAQ,KAA4B,EAAE;IACpE,IAAI,SAA6B,CAAC;IAElC,IAAI,CAAC;QACH,MAAM,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,MAAM,QAAQ,EAAE,CAAC;QAC5C,SAAS,GAAG,GAAG,CAAC;IAClB,CAAC;YAAS,CAAC;QACT,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;QACpC,MAAM,UAAU,GAAG,kBAAkB,IAAI,aAAa,CAAC;QACvD,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,gBAAgB,EAAE,CAAC;QAC9D,WAAW,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;QAEzE,IAAI,SAAS,EAAE,CAAC;YACd,QAAQ,CAAC,SAAS,EAAE,CAAC,cAAc,CAAC,YAAY,CAAC,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;QAC7E,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,QAAQ,aAAR,QAAQ,cAAR,QAAQ,GAAI,GAAG,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,cAAsB,EACtB,UAAuC,EAAE;;IAEzC,MAAM,EAAE,QAAQ,EAAE,oBAAoB,GAAG,MAAM,EAAE,gBAAgB,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC;IACnF,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,IAAI,MAAgB,CAAC;IACrB,uBAAuB;IACvB,MAAM,QAAQ,GAAG,QAAQ,IAAI,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC;IAC7D,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,cAAc,CAAC,EAAE,cAAc,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1E,CAAC;IAAC;IACA,8DAA8D;IAC9D,KAAU,EACV,CAAC;QACD,MAAM,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC;QACxB,0BAA0B;QAC1B,IAAI,MAAA,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,OAAO,0CAAE,oBAAoB,EAAE,CAAC;YACzC,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;QAC/C,CAAC;aAAM,CAAC;YACN,IAAI,CAAA,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,KAAK,MAAK,cAAc,IAAI,CAAA,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,KAAK,MAAK,gBAAgB,EAAE,CAAC;gBACzE,MAAM,GAAG,GAAG,MAAM,mBAAmB,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC;gBAC1D,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC;YACvB,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED,QAAQ,oBAAoB,EAAE,CAAC;QAC7B,KAAK,MAAM;YACT,cAAc,CAAC,QAAQ,CAAC,CAAC;YACzB,MAAM;QACR,KAAK,KAAK;YACR,KAAK,MAAM,GAAG,IAAI,gBAAgB,EAAE,CAAC;gBACnC,aAAa,CAAC,GAAG,CAAC,CAAC;YACrB,CAAC;YACD,MAAM;IACV,CAAC;IACD,IAAI,oBAAoB,KAAK,MAAM,EAAE,CAAC;QACpC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACrB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}
package/dist/esm/cookie.js CHANGED
@@ -5,23 +5,60 @@ function assertValidSamSite(sameSite) {
5
5
  }
6
6
  }
7
7
  export function getCookieOptions(redirectUri, asString = false, expired = false) {
8
- const url = new URL(redirectUri || WORKOS_REDIRECT_URI);
9
8
  const sameSite = WORKOS_COOKIE_SAMESITE || 'lax';
10
9
  assertValidSamSite(sameSite);
11
- const secure = sameSite.toLowerCase() === 'none' ? true : url.protocol === 'https:';
12
- const maxAge = expired ? 0 : WORKOS_COOKIE_MAX_AGE ? parseInt(WORKOS_COOKIE_MAX_AGE, 10) : 60 * 60 * 24 * 400;
13
- return asString
14
- ? `Path=/; HttpOnly; Secure=${secure}; SameSite=${sameSite}; Max-Age=${maxAge}; Domain=${WORKOS_COOKIE_DOMAIN || ''}`
15
- : {
16
- path: '/',
17
- httpOnly: true,
18
- secure,
19
- sameSite,
20
- // Defaults to 400 days, the maximum allowed by Chrome
21
- // It's fine to have a long cookie expiry date as the access/refresh tokens
22
- // act as the actual time-limited aspects of the session.
23
- maxAge,
24
- domain: WORKOS_COOKIE_DOMAIN || '',
25
- };
10
+ const urlString = redirectUri || WORKOS_REDIRECT_URI;
11
+ // Default to secure=true when no URL available (production default)
12
+ // Developers should set WORKOS_REDIRECT_URI for proper local dev
13
+ let secure;
14
+ if (sameSite.toLowerCase() === 'none') {
15
+ secure = true;
16
+ }
17
+ else if (urlString) {
18
+ try {
19
+ const url = new URL(urlString);
20
+ secure = url.protocol === 'https:';
21
+ }
22
+ catch (_a) {
23
+ // Invalid URL - default to secure
24
+ secure = true;
25
+ }
26
+ }
27
+ else {
28
+ secure = true;
29
+ }
30
+ let maxAge;
31
+ if (expired) {
32
+ maxAge = 0;
33
+ }
34
+ else if (WORKOS_COOKIE_MAX_AGE) {
35
+ const parsed = parseInt(WORKOS_COOKIE_MAX_AGE, 10);
36
+ maxAge = Number.isFinite(parsed) ? parsed : 60 * 60 * 24 * 400;
37
+ }
38
+ else {
39
+ maxAge = 60 * 60 * 24 * 400;
40
+ }
41
+ if (asString) {
42
+ const capitalizedSameSite = sameSite.charAt(0).toUpperCase() + sameSite.slice(1).toLowerCase();
43
+ const parts = ['Path=/', 'HttpOnly', `SameSite=${capitalizedSameSite}`, `Max-Age=${maxAge}`];
44
+ if (WORKOS_COOKIE_DOMAIN) {
45
+ parts.push(`Domain=${WORKOS_COOKIE_DOMAIN}`);
46
+ }
47
+ if (secure) {
48
+ parts.push('Secure');
49
+ }
50
+ return parts.join('; ');
51
+ }
52
+ return {
53
+ path: '/',
54
+ httpOnly: true,
55
+ secure,
56
+ sameSite,
57
+ // Defaults to 400 days, the maximum allowed by Chrome
58
+ // It's fine to have a long cookie expiry date as the access/refresh tokens
59
+ // act as the actual time-limited aspects of the session.
60
+ maxAge,
61
+ domain: WORKOS_COOKIE_DOMAIN || '',
62
+ };
26
63
  }
27
64
  //# sourceMappingURL=cookie.js.map
package/dist/esm/cookie.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"cookie.js","sourceRoot":"","sources":["../../src/cookie.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,mBAAmB,EACnB,qBAAqB,EACrB,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,oBAAoB,CAAC;AAK5B,SAAS,kBAAkB,CAAC,QAAgB;IAC1C,IAAI,CAAC,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,2BAA2B,QAAQ,EAAE,CAAC,CAAC;IACzD,CAAC;AACH,CAAC;AAeD,MAAM,UAAU,gBAAgB,CAC9B,WAA2B,EAC3B,WAAoB,KAAK,EACzB,UAAmB,KAAK;IAExB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,WAAW,IAAI,mBAAmB,CAAC,CAAC;IACxD,MAAM,QAAQ,GAAG,sBAAsB,IAAI,KAAK,CAAC;IACjD,kBAAkB,CAAC,QAAQ,CAAC,CAAC;IAC7B,MAAM,MAAM,GAAG,QAAQ,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC;IAEpF,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,QAAQ,CAAC,qBAAqB,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC;IAE9G,OAAO,QAAQ;QACb,CAAC,CAAC,4BAA4B,MAAM,cAAc,QAAQ,aAAa,MAAM,YAAY,oBAAoB,IAAI,EAAE,EAAE;QACrH,CAAC,CAAC;YACE,IAAI,EAAE,GAAG;YACT,QAAQ,EAAE,IAAI;YACd,MAAM;YACN,QAAQ;YACR,sDAAsD;YACtD,2EAA2E;YAC3E,yDAAyD;YACzD,MAAM;YACN,MAAM,EAAE,oBAAoB,IAAI,EAAE;SACnC,CAAC;AACR,CAAC"}
1
+ {"version":3,"file":"cookie.js","sourceRoot":"","sources":["../../src/cookie.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,mBAAmB,EACnB,qBAAqB,EACrB,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,oBAAoB,CAAC;AAK5B,SAAS,kBAAkB,CAAC,QAAgB;IAC1C,IAAI,CAAC,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,2BAA2B,QAAQ,EAAE,CAAC,CAAC;IACzD,CAAC;AACH,CAAC;AAeD,MAAM,UAAU,gBAAgB,CAC9B,WAA2B,EAC3B,WAAoB,KAAK,EACzB,UAAmB,KAAK;IAExB,MAAM,QAAQ,GAAG,sBAAsB,IAAI,KAAK,CAAC;IACjD,kBAAkB,CAAC,QAAQ,CAAC,CAAC;IAE7B,MAAM,SAAS,GAAG,WAAW,IAAI,mBAAmB,CAAC;IACrD,oEAAoE;IACpE,iEAAiE;IACjE,IAAI,MAAe,CAAC;IACpB,IAAI,QAAQ,CAAC,WAAW,EAAE,KAAK,MAAM,EAAE,CAAC;QACtC,MAAM,GAAG,IAAI,CAAC;IAChB,CAAC;SAAM,IAAI,SAAS,EAAE,CAAC;QACrB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;YAC/B,MAAM,GAAG,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC;QACrC,CAAC;QAAC,WAAM,CAAC;YACP,kCAAkC;YAClC,MAAM,GAAG,IAAI,CAAC;QAChB,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,GAAG,IAAI,CAAC;IAChB,CAAC;IAED,IAAI,MAAc,CAAC;IACnB,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,GAAG,CAAC,CAAC;IACb,CAAC;SAAM,IAAI,qBAAqB,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,QAAQ,CAAC,qBAAqB,EAAE,EAAE,CAAC,CAAC;QACnD,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC;IACjE,CAAC;SAAM,CAAC;QACN,MAAM,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC;IAC9B,CAAC;IAED,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,mBAAmB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QAC/F,MAAM,KAAK,GAAG,CAAC,QAAQ,EAAE,UAAU,EAAE,YAAY,mBAAmB,EAAE,EAAE,WAAW,MAAM,EAAE,CAAC,CAAC;QAC7F,IAAI,oBAAoB,EAAE,CAAC;YACzB,KAAK,CAAC,IAAI,CAAC,UAAU,oBAAoB,EAAE,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,MAAM,EAAE,CAAC;YACX,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvB,CAAC;QAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,OAAO;QACL,IAAI,EAAE,GAAG;QACT,QAAQ,EAAE,IAAI;QACd,MAAM;QACN,QAAQ;QACR,sDAAsD;QACtD,2EAA2E;QAC3E,yDAAyD;QACzD,MAAM;QACN,MAAM,EAAE,oBAAoB,IAAI,EAAE;KACnC,CAAC;AACJ,CAAC"}
package/dist/esm/types/workos.d.ts CHANGED
@@ -1,5 +1,5 @@
1
1
  import { WorkOS } from '@workos-inc/node';
2
- export declare const VERSION = "2.4.4";
2
+ export declare const VERSION = "2.4.5";
3
3
  /**
4
4
  * Create a WorkOS instance with the provided API key and options.
5
5
  * If an instance already exists, it returns the existing instance.
package/dist/esm/workos.js CHANGED
@@ -1,7 +1,7 @@
1
1
  import { WorkOS } from '@workos-inc/node';
2
2
  import { WORKOS_API_HOSTNAME, WORKOS_API_KEY, WORKOS_API_HTTPS, WORKOS_API_PORT } from './env-variables.js';
3
3
  import { lazy } from './utils.js';
4
- export const VERSION = '2.4.4';
4
+ export const VERSION = '2.4.5';
5
5
  const options = {
6
6
  apiHostname: WORKOS_API_HOSTNAME,
7
7
  https: WORKOS_API_HTTPS ? WORKOS_API_HTTPS === 'true' : true,
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@workos-inc/authkit-nextjs",
3
- "version": "2.4.4",
3
+ "version": "2.4.5",
4
4
  "description": "Authentication and session helpers for using WorkOS & AuthKit with Next.js",
5
5
  "sideEffects": false,
6
6
  "type": "module",
package/src/auth.ts CHANGED
@@ -1,9 +1,10 @@
1
1
  'use server';
2
2
 
3
- import { revalidatePath, revalidateTag } from 'next/cache';
4
- import { cookies, headers } from 'next/headers';
5
- import { redirect } from 'next/navigation';
6
- import { WORKOS_COOKIE_DOMAIN, WORKOS_COOKIE_NAME } from './env-variables.js';
3
+ import { revalidatePath, revalidateTag } from 'next/cache.js';
4
+ import { cookies, headers } from 'next/headers.js';
5
+ import { redirect } from 'next/navigation.js';
6
+ import { WORKOS_COOKIE_NAME } from './env-variables.js';
7
+ import { getCookieOptions } from './cookie.js';
7
8
  import { getAuthorizationUrl } from './get-authorization-url.js';
8
9
  import { SwitchToOrganizationOptions, UserInfo } from './interfaces.js';
9
10
  import { refreshSession, withAuth } from './session.js';
@@ -38,8 +39,8 @@ export async function signOut({ returnTo }: { returnTo?: string } = {}) {
38
39
  } finally {
39
40
  const nextCookies = await cookies();
40
41
  const cookieName = WORKOS_COOKIE_NAME || 'wos-session';
41
- const domain = WORKOS_COOKIE_DOMAIN || /* istanbul ignore next */ undefined;
42
- nextCookies.delete({ name: cookieName, domain, path: '/' });
42
+ const { domain, path, sameSite, secure } = getCookieOptions();
43
+ nextCookies.delete({ name: cookieName, domain, path, sameSite, secure });
43
44
 
44
45
  if (sessionId) {
45
46
  redirect(getWorkOS().userManagement.getLogoutUrl({ sessionId, returnTo }));
package/src/cookie.ts CHANGED
@@ -32,24 +32,59 @@ export function getCookieOptions(
32
32
  asString: boolean = false,
33
33
  expired: boolean = false,
34
34
  ): CookieOptions | string {
35
- const url = new URL(redirectUri || WORKOS_REDIRECT_URI);
36
35
  const sameSite = WORKOS_COOKIE_SAMESITE || 'lax';
37
36
  assertValidSamSite(sameSite);
38
- const secure = sameSite.toLowerCase() === 'none' ? true : url.protocol === 'https:';
39
-
40
- const maxAge = expired ? 0 : WORKOS_COOKIE_MAX_AGE ? parseInt(WORKOS_COOKIE_MAX_AGE, 10) : 60 * 60 * 24 * 400;
41
-
42
- return asString
43
- ? `Path=/; HttpOnly; Secure=${secure}; SameSite=${sameSite}; Max-Age=${maxAge}; Domain=${WORKOS_COOKIE_DOMAIN || ''}`
44
- : {
45
- path: '/',
46
- httpOnly: true,
47
- secure,
48
- sameSite,
49
- // Defaults to 400 days, the maximum allowed by Chrome
50
- // It's fine to have a long cookie expiry date as the access/refresh tokens
51
- // act as the actual time-limited aspects of the session.
52
- maxAge,
53
- domain: WORKOS_COOKIE_DOMAIN || '',
54
- };
37
+
38
+ const urlString = redirectUri || WORKOS_REDIRECT_URI;
39
+ // Default to secure=true when no URL available (production default)
40
+ // Developers should set WORKOS_REDIRECT_URI for proper local dev
41
+ let secure: boolean;
42
+ if (sameSite.toLowerCase() === 'none') {
43
+ secure = true;
44
+ } else if (urlString) {
45
+ try {
46
+ const url = new URL(urlString);
47
+ secure = url.protocol === 'https:';
48
+ } catch {
49
+ // Invalid URL - default to secure
50
+ secure = true;
51
+ }
52
+ } else {
53
+ secure = true;
54
+ }
55
+
56
+ let maxAge: number;
57
+ if (expired) {
58
+ maxAge = 0;
59
+ } else if (WORKOS_COOKIE_MAX_AGE) {
60
+ const parsed = parseInt(WORKOS_COOKIE_MAX_AGE, 10);
61
+ maxAge = Number.isFinite(parsed) ? parsed : 60 * 60 * 24 * 400;
62
+ } else {
63
+ maxAge = 60 * 60 * 24 * 400;
64
+ }
65
+
66
+ if (asString) {
67
+ const capitalizedSameSite = sameSite.charAt(0).toUpperCase() + sameSite.slice(1).toLowerCase();
68
+ const parts = ['Path=/', 'HttpOnly', `SameSite=${capitalizedSameSite}`, `Max-Age=${maxAge}`];
69
+ if (WORKOS_COOKIE_DOMAIN) {
70
+ parts.push(`Domain=${WORKOS_COOKIE_DOMAIN}`);
71
+ }
72
+ if (secure) {
73
+ parts.push('Secure');
74
+ }
75
+
76
+ return parts.join('; ');
77
+ }
78
+
79
+ return {
80
+ path: '/',
81
+ httpOnly: true,
82
+ secure,
83
+ sameSite,
84
+ // Defaults to 400 days, the maximum allowed by Chrome
85
+ // It's fine to have a long cookie expiry date as the access/refresh tokens
86
+ // act as the actual time-limited aspects of the session.
87
+ maxAge,
88
+ domain: WORKOS_COOKIE_DOMAIN || '',
89
+ };
55
90
  }
package/src/workos.ts CHANGED
@@ -2,7 +2,7 @@ import { WorkOS } from '@workos-inc/node';
2
2
  import { WORKOS_API_HOSTNAME, WORKOS_API_KEY, WORKOS_API_HTTPS, WORKOS_API_PORT } from './env-variables.js';
3
3
  import { lazy } from './utils.js';
4
4
 
5
- export const VERSION = '2.4.4';
5
+ export const VERSION = '2.4.5';
6
6
 
7
7
  const options = {
8
8
  apiHostname: WORKOS_API_HOSTNAME,