npm - @workos-inc/authkit-nextjs - Versions diffs - 2.5.0 → 2.7.0 - Mend

@workos-inc/authkit-nextjs 2.5.0 → 2.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (53) hide show

package/README.md +124 -29
package/dist/esm/auth.js +18 -5
package/dist/esm/auth.js.map +1 -1
package/dist/esm/components/tokenStore.js +110 -11
package/dist/esm/components/tokenStore.js.map +1 -1
package/dist/esm/components/useAccessToken.js +34 -4
package/dist/esm/components/useAccessToken.js.map +1 -1
package/dist/esm/cookie.js +51 -0
package/dist/esm/cookie.js.map +1 -1
package/dist/esm/get-authorization-url.js +2 -1
package/dist/esm/get-authorization-url.js.map +1 -1
package/dist/esm/middleware.js +2 -2
package/dist/esm/middleware.js.map +1 -1
package/dist/esm/session.js +36 -3
package/dist/esm/session.js.map +1 -1
package/dist/esm/test-helpers.js +57 -0
package/dist/esm/test-helpers.js.map +1 -0
package/dist/esm/types/auth.d.ts +5 -3
package/dist/esm/types/components/tokenStore.d.ts +7 -2
package/dist/esm/types/cookie.d.ts +1 -0
package/dist/esm/types/interfaces.d.ts +3 -0
package/dist/esm/types/middleware.d.ts +1 -1
package/dist/esm/types/session.d.ts +2 -1
package/dist/esm/types/test-helpers.d.ts +3 -0
package/dist/esm/types/workos.d.ts +1 -1
package/dist/esm/workos.js +1 -1
package/package.json +5 -4
package/src/actions.spec.ts +100 -0
package/src/auth.spec.ts +347 -0
package/src/auth.ts +19 -6
package/src/authkit-callback-route.spec.ts +258 -0
package/src/components/authkit-provider.spec.tsx +471 -0
package/src/components/button.spec.tsx +46 -0
package/src/components/impersonation.spec.tsx +134 -0
package/src/components/min-max-button.spec.tsx +60 -0
package/src/components/tokenStore.spec.ts +816 -0
package/src/components/tokenStore.ts +147 -12
package/src/components/useAccessToken.spec.tsx +731 -0
package/src/components/useAccessToken.ts +40 -6
package/src/components/useTokenClaims.spec.tsx +194 -0
package/src/cookie.spec.ts +276 -0
package/src/cookie.ts +56 -0
package/src/get-authorization-url.spec.ts +60 -0
package/src/get-authorization-url.ts +2 -0
package/src/interfaces.ts +3 -0
package/src/jwt.spec.ts +159 -0
package/src/middleware.ts +2 -1
package/src/session.spec.ts +1152 -0
package/src/session.ts +42 -2
package/src/test-helpers.ts +70 -0
package/src/utils.spec.ts +142 -0
package/src/workos.spec.ts +67 -0
package/src/workos.ts +1 -1

package/src/components/tokenStore.ts CHANGED Viewed

@@ -11,19 +11,44 @@ const TOKEN_EXPIRY_BUFFER_SECONDS = 60;
 const MIN_REFRESH_DELAY_SECONDS = 15;
 const MAX_REFRESH_DELAY_SECONDS = 24 * 60 * 60;
 const RETRY_DELAY_SECONDS = 300; // 5 minutes for retry on error
+const jwtCookieName = 'workos-access-token';
+export class TokenStore {
+  private state: TokenState;
+  private serverSnapshot: TokenState;
+  constructor() {
+    // Initialize state with token from cookie if available
+    const initialToken = this.getInitialTokenFromCookie();
+    this.state = {
+      token: initialToken,
+      loading: false,
+      error: null,
+    };
-class TokenStore {
-  private static readonly SERVER_SNAPSHOT: TokenState = { token: undefined, loading: false, error: null };
+    // Server snapshot should match initial state for hydration
+    this.serverSnapshot = {
+      token: initialToken,
+      loading: false,
+      error: null,
+    };
-  private state: TokenState = {
-    token: undefined,
-    loading: false,
-    error: null,
-  };
+    /* istanbul ignore next */
+    if (initialToken) {
+      // Mark as consumed if we found a token
+      this.fastCookieConsumed = true;
+      // Schedule refresh based on token expiry
+      const tokenData = this.parseToken(initialToken);
+      if (tokenData) {
+        this.scheduleRefresh(tokenData.timeUntilExpiry);
+      }
+    }
+  }
   private listeners = new Set<() => void>();
   private refreshPromise: Promise<string | undefined> | null = null;
   private refreshTimeout: ReturnType<typeof setTimeout> | undefined;
+  private fastCookieConsumed = false;
   subscribe = (listener: () => void) => {
     this.listeners.add(listener);
@@ -38,7 +63,7 @@ class TokenStore {
   getSnapshot = () => this.state;
-  getServerSnapshot = () => TokenStore.SERVER_SNAPSHOT;
+  getServerSnapshot = () => this.serverSnapshot;
   private notify() {
     this.listeners.forEach((listener) => listener());
@@ -58,10 +83,12 @@ class TokenStore {
     const delay =
       typeof timeUntilExpiry === 'undefined' ? RETRY_DELAY_SECONDS * 1000 : this.getRefreshDelay(timeUntilExpiry);
-    this.refreshTimeout = setTimeout(() => {
-      /* istanbul ignore next */
-      void this.getAccessTokenSilently().catch(() => {});
-    }, delay);
+    this.refreshTimeout = setTimeout(
+      /* istanbul ignore next */ () => {
+        void this.getAccessTokenSilently().catch(/* istanbul ignore next */ () => {});
+      },
+      delay,
+    );
   }
   private getRefreshDelay(timeUntilExpiry: number) {
@@ -74,6 +101,92 @@ class TokenStore {
     return Math.min(Math.max(idealDelay, MIN_REFRESH_DELAY_SECONDS * 1000), MAX_REFRESH_DELAY_SECONDS * 1000);
   }
+  private deleteCookie() {
+    const isSecure = window.location.protocol === 'https:';
+    // Build deletion string to match EXACTLY what the server sets
+    // Server sets: Path=/, SameSite=Lax, and Secure (if HTTPS)
+    // NO Domain attribute is set by server, so we don't set it either
+    const deletionString = isSecure
+      ? `${jwtCookieName}=; SameSite=Lax; Max-Age=0; Secure`
+      : `${jwtCookieName}=; SameSite=Lax; Max-Age=0`;
+    document.cookie = deletionString;
+    // The cookie might still appear in document.cookie even after deletion
+    // due to browser caching, but it should be expired and not sent to server
+  }
+  private getInitialTokenFromCookie(): string | undefined {
+    if (typeof document === 'undefined' || typeof document.cookie === 'undefined') {
+      return;
+    }
+    // Parse cookies without regex
+    const cookies = document.cookie.split(';').reduce(
+      (acc, cookie) => {
+        const [name, ...valueParts] = cookie.trim().split('=');
+        if (name && valueParts.length > 0) {
+          const value = valueParts.join('='); // Handle values that contain '='
+          acc[name.trim()] = decodeURIComponent(value);
+        }
+        return acc;
+      },
+      {} as Record<string, string>,
+    );
+    const token = cookies[jwtCookieName];
+    if (!token) {
+      return;
+    }
+    // Delete the cookie immediately after reading it
+    this.deleteCookie();
+    return token;
+  }
+  private consumeFastCookie(): string | undefined {
+    // Only try to consume once per page load
+    if (this.fastCookieConsumed) {
+      return;
+    }
+    if (typeof document === 'undefined' || typeof document.cookie === 'undefined') {
+      return;
+    }
+    // Parse cookies without regex
+    const cookies = document.cookie.split(';').reduce(
+      (acc, cookie) => {
+        const [name, ...valueParts] = cookie.trim().split('=');
+        if (name && valueParts.length > 0) {
+          const value = valueParts.join('='); // Handle values that contain '='
+          acc[name.trim()] = decodeURIComponent(value);
+        }
+        return acc;
+      },
+      {} as Record<string, string>,
+    );
+    const newToken = cookies[jwtCookieName];
+    if (!newToken) {
+      // Mark as consumed even if not found, to avoid repeated checks
+      this.fastCookieConsumed = true;
+      return;
+    }
+    // Mark as consumed BEFORE deleting to prevent race conditions
+    this.fastCookieConsumed = true;
+    // Delete the cookie using protocol-aware deletion
+    this.deleteCookie();
+    if (newToken !== this.state.token) {
+      return newToken;
+    }
+  }
   parseToken(token: string | undefined) {
     if (!token) return null;
@@ -123,6 +236,13 @@ class TokenStore {
   }
   async getAccessToken(): Promise<string | undefined> {
+    const fastToken = this.consumeFastCookie();
+    if (fastToken) {
+      this.setState({ token: fastToken, loading: false, error: null });
+      return fastToken;
+    }
     const tokenData = this.parseToken(this.state.token);
     // If we have a valid JWT that's not expiring, return it
@@ -140,6 +260,20 @@ class TokenStore {
   }
   async getAccessTokenSilently(): Promise<string | undefined> {
+    const fastToken = this.consumeFastCookie();
+    if (fastToken) {
+      this.setState({ token: fastToken, loading: false, error: null });
+      // Schedule refresh based on token expiry
+      const tokenData = this.parseToken(fastToken);
+      if (tokenData) {
+        this.scheduleRefresh(tokenData.timeUntilExpiry);
+      }
+      return fastToken;
+    }
     const tokenData = this.parseToken(this.state.token);
     // If we have a valid JWT that's not expiring, return it
@@ -257,6 +391,7 @@ class TokenStore {
   reset() {
     this.state = { token: undefined, loading: false, error: null };
     this.refreshPromise = null;
+    this.fastCookieConsumed = false;
     if (this.refreshTimeout) {
       clearTimeout(this.refreshTimeout);
       this.refreshTimeout = undefined;