@workos-inc/authkit-nextjs 2.6.0 → 2.7.1

package/src/session.ts

@@ -5,7 +5,7 @@ import { JWTPayload, createRemoteJWKSet, decodeJwt, jwtVerify } from 'jose';
 import { cookies, headers } from 'next/headers';
 import { redirect } from 'next/navigation';
 import { NextRequest, NextResponse } from 'next/server';
-import { getCookieOptions } from './cookie.js';
+import { getCookieOptions, getJwtCookie } from './cookie.js';
 import { WORKOS_CLIENT_ID, WORKOS_COOKIE_NAME, WORKOS_COOKIE_PASSWORD, WORKOS_REDIRECT_URI } from './env-variables.js';
 import { getAuthorizationUrl } from './get-authorization-url.js';
 import {
@@ -26,9 +26,25 @@ import { lazy, redirectWithFallback } from './utils.js';
 const sessionHeaderName = 'x-workos-session';
 const middlewareHeaderName = 'x-workos-middleware';
 const signUpPathsHeaderName = 'x-sign-up-paths';
+const jwtCookieName = 'workos-access-token';
 
 const JWKS = lazy(() => createRemoteJWKSet(new URL(getWorkOS().userManagement.getJwksUrl(WORKOS_CLIENT_ID))));
 
+/**
+ * Determines if a request is for an initial document load (not API/RSC/prefetch)
+ */
+function isInitialDocumentRequest(request: NextRequest): boolean {
+  const accept = request.headers.get('accept') || '';
+  const isDocumentRequest = accept.includes('text/html');
+  const isRSCRequest = request.headers.has('RSC') || request.headers.has('Next-Router-State-Tree');
+  const isPrefetch =
+    request.headers.get('Purpose') === 'prefetch' ||
+    request.headers.get('Sec-Purpose') === 'prefetch' ||
+    request.headers.has('Next-Router-Prefetch');
+
+  return isDocumentRequest && !isRSCRequest && !isPrefetch;
+}
+
 async function encryptSession(session: Session) {
   return sealData(session, {
     password: WORKOS_COOKIE_PASSWORD,
@@ -42,6 +58,7 @@ async function updateSessionMiddleware(
   middlewareAuth: AuthkitMiddlewareAuth,
   redirectUri: string,
   signUpPaths: string[],
+  eagerAuth = false,
 ) {
   if (!redirectUri && !WORKOS_REDIRECT_URI) {
     throw new Error('You must provide a redirect URI in the AuthKit middleware or in the environment variables.');
@@ -86,6 +103,7 @@ async function updateSessionMiddleware(
     debug,
     redirectUri,
     screenHint: getScreenHint(signUpPaths, request.nextUrl.pathname),
+    eagerAuth,
   });
 
   // If the user is logged out and this path isn't on the allowlist for logged out paths, redirect to AuthKit.
@@ -166,6 +184,16 @@ async function updateSession(
       feature_flags: featureFlags,
     } = decodeJwt<AccessToken>(session.accessToken);
 
+    // Set JWT cookie if eagerAuth is enabled
+    // Only set on document requests (initial page loads), not on API/RSC requests
+    if (options.eagerAuth && isInitialDocumentRequest(request)) {
+      const existingJwtCookie = request.cookies.get(jwtCookieName);
+      // Only set if cookie doesn't exist or has different value
+      if (!existingJwtCookie || existingJwtCookie.value !== session.accessToken) {
+        newRequestHeaders.append('Set-Cookie', getJwtCookie(session.accessToken, request.url));
+      }
+    }
+
     return {
       session: {
         sessionId,
@@ -213,6 +241,12 @@ async function updateSession(
     newRequestHeaders.append('Set-Cookie', `${cookieName}=${encryptedSession}; ${getCookieOptions(request.url, true)}`);
     newRequestHeaders.set(sessionHeaderName, encryptedSession);
 
+    // Set JWT cookie if eagerAuth is enabled
+    // Only set on document requests (initial page loads), not on API/RSC requests
+    if (options.eagerAuth && isInitialDocumentRequest(request)) {
+      newRequestHeaders.append('Set-Cookie', getJwtCookie(accessToken, request.url));
+    }
+
     const {
       sid: sessionId,
       org_id: organizationId,
@@ -247,6 +281,12 @@ async function updateSession(
     const deleteCookie = `${cookieName}=; Expires=${new Date(0).toUTCString()}; ${getCookieOptions(request.url, true, true)}`;
     newRequestHeaders.append('Set-Cookie', deleteCookie);
 
+    // Delete JWT cookie if eagerAuth is enabled
+    if (options.eagerAuth) {
+      const deleteJwtCookie = getJwtCookie(null, request.url, true);
+      newRequestHeaders.append('Set-Cookie', deleteJwtCookie);
+    }
+
     options.onSessionRefreshError?.({ error: e, request });
 
     return {

package/src/test-helpers.ts

@@ -0,0 +1,70 @@
+// istanbul ignore file
+
+import { sealData } from 'iron-session';
+import { SignJWT } from 'jose';
+import { WORKOS_COOKIE_NAME, WORKOS_COOKIE_PASSWORD } from './env-variables.js';
+import { cookies } from 'next/headers';
+import { User } from '@workos-inc/node';
+
+export async function generateTestToken(payload = {}, expired = false) {
+  const defaultPayload = {
+    sid: 'session_123',
+    org_id: 'org_123',
+    role: 'member',
+    permissions: ['posts:create', 'posts:delete'],
+    entitlements: ['audit-logs'],
+    feature_flags: ['device-authorization-grant'],
+  };
+
+  const mergedPayload = { ...defaultPayload, ...payload };
+
+  const secret = new TextEncoder().encode(process.env.WORKOS_COOKIE_PASSWORD as string);
+
+  const token = await new SignJWT(mergedPayload)
+    .setProtectedHeader({ alg: 'HS256' })
+    .setIssuedAt()
+    .setIssuer('urn:example:issuer')
+    .setExpirationTime(expired ? '0s' : '2h')
+    .sign(secret);
+
+  return token;
+}
+
+export async function generateSession(overrides: Partial<User> = {}) {
+  const mockUser = {
+    id: 'user_123',
+    email: 'test@example.com',
+    emailVerified: true,
+    profilePictureUrl: null,
+    firstName: 'Test',
+    lastName: 'User',
+    object: 'user',
+    createdAt: '2024-01-01T00:00:00Z',
+    updatedAt: '2024-01-01T00:00:00Z',
+    lastSignInAt: '2024-01-01T00:00:00Z',
+    externalId: null,
+    metadata: {},
+    ...overrides,
+  } satisfies User;
+
+  const accessToken = await generateTestToken({
+    sid: 'session_123',
+    org_id: 'org_123',
+  });
+
+  // Create and set a session cookie
+  const encryptedSession = await sealData(
+    {
+      accessToken,
+      refreshToken: 'refresh_token_123',
+      user: mockUser,
+    },
+    {
+      password: WORKOS_COOKIE_PASSWORD as string,
+    },
+  );
+
+  const cookieName = WORKOS_COOKIE_NAME || 'wos-session';
+  const nextCookies = await cookies();
+  nextCookies.set(cookieName, encryptedSession);
+}

package/src/utils.spec.ts

@@ -0,0 +1,142 @@
+import { NextResponse } from 'next/server';
+import { redirectWithFallback, errorResponseWithFallback } from './utils.js';
+
+describe('utils', () => {
+  afterEach(() => {
+    jest.resetModules();
+  });
+
+  describe('redirectWithFallback', () => {
+    it('uses NextResponse.redirect when available', () => {
+      const redirectUrl = 'https://example.com';
+      const mockRedirect = jest.fn().mockReturnValue('redirected');
+      const originalRedirect = NextResponse.redirect;
+
+      NextResponse.redirect = mockRedirect;
+
+      const result = redirectWithFallback(redirectUrl);
+
+      expect(mockRedirect).toHaveBeenCalledWith(redirectUrl, { headers: undefined });
+      expect(result).toBe('redirected');
+
+      NextResponse.redirect = originalRedirect;
+    });
+
+    it('uses headers when provided', () => {
+      const redirectUrl = 'https://example.com';
+      const headers = new Headers();
+      headers.set('Set-Cookie', 'test=1');
+
+      const result = redirectWithFallback(redirectUrl, headers);
+
+      expect(result.headers.get('Set-Cookie')).toBe('test=1');
+    });
+
+    it('falls back to standard Response when NextResponse exists but redirect is undefined', async () => {
+      const redirectUrl = 'https://example.com';
+
+      jest.resetModules();
+
+      jest.mock('next/server', () => ({
+        NextResponse: {
+          // exists but has no redirect method
+        },
+      }));
+
+      const { redirectWithFallback } = await import('./utils.js');
+
+      const result = redirectWithFallback(redirectUrl);
+
+      expect(result).toBeInstanceOf(Response);
+      expect(result.status).toBe(307);
+      expect(result.headers.get('Location')).toBe(redirectUrl);
+    });
+
+    it('falls back to standard Response when NextResponse is undefined', async () => {
+      const redirectUrl = 'https://example.com';
+
+      jest.resetModules();
+
+      // Mock with undefined NextResponse
+      jest.mock('next/server', () => ({
+        NextResponse: undefined,
+      }));
+
+      const { redirectWithFallback } = await import('./utils.js');
+
+      const result = redirectWithFallback(redirectUrl);
+
+      expect(result).toBeInstanceOf(Response);
+      expect(result.status).toBe(307);
+      expect(result.headers.get('Location')).toBe(redirectUrl);
+    });
+  });
+
+  describe('errorResponseWithFallback', () => {
+    const errorBody = {
+      error: {
+        message: 'Test error',
+        description: 'Test description',
+      },
+    };
+
+    it('uses NextResponse.json when available', () => {
+      const mockJson = jest.fn().mockReturnValue('error json response');
+      NextResponse.json = mockJson;
+
+      const result = errorResponseWithFallback(errorBody);
+
+      expect(mockJson).toHaveBeenCalledWith(errorBody, { status: 500 });
+      expect(result).toBe('error json response');
+    });
+
+    it('falls back to standard Response when NextResponse is not available', () => {
+      const originalJson = NextResponse.json;
+
+      // @ts-expect-error - This is to test the fallback
+      delete NextResponse.json;
+
+      const result = errorResponseWithFallback(errorBody);
+
+      expect(result).toBeInstanceOf(Response);
+      expect(result.status).toBe(500);
+      expect(result.headers.get('Content-Type')).toBe('application/json');
+
+      NextResponse.json = originalJson;
+    });
+
+    it('falls back to standard Response when NextResponse exists but json is undefined', async () => {
+      jest.resetModules();
+
+      jest.mock('next/server', () => ({
+        NextResponse: {
+          // exists but has no json method
+        },
+      }));
+
+      const { errorResponseWithFallback } = await import('./utils.js');
+
+      const result = errorResponseWithFallback(errorBody);
+
+      expect(result).toBeInstanceOf(Response);
+      expect(result.status).toBe(500);
+      expect(result.headers.get('Content-Type')).toBe('application/json');
+    });
+
+    it('falls back to standard Response when NextResponse is undefined', async () => {
+      jest.resetModules();
+
+      jest.mock('next/server', () => ({
+        NextResponse: undefined,
+      }));
+
+      const { errorResponseWithFallback } = await import('./utils.js');
+
+      const result = errorResponseWithFallback(errorBody);
+
+      expect(result).toBeInstanceOf(Response);
+      expect(result.status).toBe(500);
+      expect(result.headers.get('Content-Type')).toBe('application/json');
+    });
+  });
+});

package/src/workos.spec.ts

@@ -0,0 +1,67 @@
+import { WorkOS } from '@workos-inc/node';
+import { getWorkOS, VERSION } from './workos.js';
+
+describe('workos', () => {
+  const workos = getWorkOS();
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('initializes WorkOS with the correct configuration', () => {
+    // Extracting the config to avoid a circular dependency error
+    const workosConfig = {
+      apiHostname: workos.options.apiHostname,
+      https: workos.options.https,
+      port: workos.options.port,
+      appInfo: workos.options.appInfo,
+    };
+
+    expect(workosConfig).toEqual({
+      apiHostname: undefined,
+      https: true,
+      port: undefined,
+      appInfo: {
+        name: 'authkit/nextjs',
+        version: VERSION,
+      },
+    });
+  });
+
+  it('exports a WorkOS instance', () => {
+    expect(workos).toBeInstanceOf(WorkOS);
+  });
+
+  describe('with custom environment variables', () => {
+    const originalEnv = process.env;
+
+    beforeEach(() => {
+      jest.resetModules();
+      process.env = { ...originalEnv };
+    });
+
+    afterEach(() => {
+      process.env = originalEnv;
+    });
+
+    it('uses custom API hostname when provided', async () => {
+      process.env.WORKOS_API_HOSTNAME = 'custom.workos.com';
+      const { getWorkOS: customWorkos } = await import('./workos.js');
+
+      expect(customWorkos().options.apiHostname).toEqual('custom.workos.com');
+    });
+
+    it('uses custom HTTPS setting when provided', async () => {
+      process.env.WORKOS_API_HTTPS = 'false';
+      const { getWorkOS: customWorkos } = await import('./workos.js');
+
+      expect(customWorkos().options.https).toEqual(false);
+    });
+
+    it('uses custom port when provided', async () => {
+      process.env.WORKOS_API_PORT = '8080';
+      const { getWorkOS: customWorkos } = await import('./workos.js');
+
+      expect(customWorkos().options.port).toEqual(8080);
+    });
+  });
+});

package/src/workos.ts

@@ -2,7 +2,7 @@ import { WorkOS } from '@workos-inc/node';
 import { WORKOS_API_HOSTNAME, WORKOS_API_KEY, WORKOS_API_HTTPS, WORKOS_API_PORT } from './env-variables.js';
 import { lazy } from './utils.js';
 
-export const VERSION = '2.6.0';
+export const VERSION = '2.7.1';
 
 const options = {
   apiHostname: WORKOS_API_HOSTNAME,