@workos-inc/authkit-nextjs 2.6.0 → 2.7.1

package/src/components/useAccessToken.ts

@@ -51,8 +51,13 @@ export function useAccessToken(): UseAccessTokenReturn {
 
   useEffect(() => {
     if (!user) {
-      tokenStore.clearToken();
       setIsInitialTokenLoading(false);
+      // Clear token when user logs out
+      if (prevUserIdRef.current !== undefined) {
+        tokenStore.clearToken();
+      }
+      prevUserIdRef.current = undefined;
+      prevSessionRef.current = undefined;
       return;
     }
 

package/src/components/useTokenClaims.spec.tsx

@@ -0,0 +1,194 @@
+import '@testing-library/jest-dom';
+import { render, waitFor } from '@testing-library/react';
+import React from 'react';
+import { useAuth } from './authkit-provider.js';
+
+jest.mock('../actions.js', () => ({
+  getAccessTokenAction: jest.fn(),
+  refreshAccessTokenAction: jest.fn(),
+}));
+
+jest.mock('./authkit-provider.js', () => {
+  const originalModule = jest.requireActual('./authkit-provider.js');
+  return {
+    ...originalModule,
+    useAuth: jest.fn(),
+  };
+});
+
+jest.mock('./useAccessToken.js', () => ({
+  useAccessToken: jest.fn(() => ({ accessToken: undefined })),
+}));
+
+jest.mock('jose', () => ({
+  decodeJwt: jest.fn((token: string) => {
+    if (token === 'malformed-token' || token === 'throw-error-token') {
+      throw new Error('Invalid JWT');
+    }
+    try {
+      const parts = token.split('.');
+      if (parts.length !== 3) throw new Error('Invalid JWT');
+      const payload = JSON.parse(atob(parts[1]));
+      return payload;
+    } catch {
+      throw new Error('Invalid JWT');
+    }
+  }),
+}));
+
+// Import after mocks are set up
+import { useAccessToken } from './useAccessToken.js';
+import { useTokenClaims } from './useTokenClaims.js';
+
+describe('useTokenClaims', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+    jest.useFakeTimers();
+
+    (useAuth as jest.Mock).mockImplementation(() => ({
+      user: { id: 'user_123' },
+      sessionId: 'session_123',
+      refreshAuth: jest.fn().mockResolvedValue({}),
+    }));
+
+    // Reset useAccessToken mock to default
+    (useAccessToken as jest.Mock).mockReturnValue({ accessToken: undefined });
+  });
+
+  afterEach(() => {
+    jest.useRealTimers();
+  });
+
+  const TokenClaimsTestComponent = () => {
+    const tokenClaims = useTokenClaims();
+    return (
+      <div>
+        <div data-testid="claims">{JSON.stringify(tokenClaims)}</div>
+      </div>
+    );
+  };
+
+  it('should return empty object when no access token is available', async () => {
+    (useAccessToken as jest.Mock).mockReturnValue({ accessToken: undefined });
+
+    const { getByTestId } = render(<TokenClaimsTestComponent />);
+
+    await waitFor(() => {
+      expect(getByTestId('claims')).toHaveTextContent('{}');
+    });
+  });
+
+  it('should return all token claims when access token is available', async () => {
+    const payload = {
+      aud: 'audience',
+      exp: 9999999999,
+      iat: 1234567800,
+      iss: 'issuer',
+      sub: 'user_123',
+      sid: 'session_123',
+      org_id: 'org_123',
+      role: 'admin',
+      permissions: ['read', 'write'],
+      entitlements: ['feature_a'],
+      feature_flags: ['device-authorization-grant'],
+      jti: 'jwt_123',
+      nbf: 1234567800,
+      // Custom claims
+      customField1: 'value1',
+      customField2: 42,
+      customObject: { nested: 'data' },
+    };
+    const token = `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.${btoa(JSON.stringify(payload))}.mock-signature`;
+
+    (useAccessToken as jest.Mock).mockReturnValue({ accessToken: token });
+
+    const { getByTestId } = render(<TokenClaimsTestComponent />);
+
+    await waitFor(() => {
+      expect(getByTestId('claims')).toHaveTextContent(JSON.stringify(payload));
+    });
+  });
+
+  it('should return all standard claims when token has only standard claims', async () => {
+    const payload = {
+      aud: 'audience',
+      exp: 9999999999,
+      iat: 1234567800,
+      iss: 'issuer',
+      sub: 'user_123',
+      sid: 'session_123',
+      org_id: 'org_123',
+      role: 'admin',
+      permissions: ['read', 'write'],
+      entitlements: ['feature_a'],
+      feature_flags: ['device-authorization-grant'],
+      jti: 'jwt_123',
+      nbf: 1234567800,
+    };
+    const token = `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.${btoa(JSON.stringify(payload))}.mock-signature`;
+
+    (useAccessToken as jest.Mock).mockReturnValue({ accessToken: token });
+
+    const { getByTestId } = render(<TokenClaimsTestComponent />);
+
+    await waitFor(() => {
+      expect(getByTestId('claims')).toHaveTextContent(JSON.stringify(payload));
+    });
+  });
+
+  it('should handle partial claims', async () => {
+    const payload = {
+      sub: 'user_123',
+      exp: 9999999999,
+      customField: 'value',
+      anotherCustom: true,
+    };
+    const token = `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.${btoa(JSON.stringify(payload))}.mock-signature`;
+
+    (useAccessToken as jest.Mock).mockReturnValue({ accessToken: token });
+
+    const { getByTestId } = render(<TokenClaimsTestComponent />);
+
+    await waitFor(() => {
+      expect(getByTestId('claims')).toHaveTextContent(JSON.stringify(payload));
+    });
+  });
+
+  it('should handle complex nested claims', async () => {
+    const payload = {
+      sub: 'user_123',
+      exp: 9999999999,
+      metadata: {
+        preferences: {
+          theme: 'dark',
+          language: 'en',
+        },
+        settings: ['setting1', 'setting2'],
+      },
+      tags: ['tag1', 'tag2'],
+      permissions_custom: {
+        read: true,
+        write: false,
+      },
+    };
+    const token = `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.${btoa(JSON.stringify(payload))}.mock-signature`;
+
+    (useAccessToken as jest.Mock).mockReturnValue({ accessToken: token });
+
+    const { getByTestId } = render(<TokenClaimsTestComponent />);
+
+    await waitFor(() => {
+      expect(getByTestId('claims')).toHaveTextContent(JSON.stringify(payload));
+    });
+  });
+
+  it('should return empty object when decodeJwt throws an error', async () => {
+    (useAccessToken as jest.Mock).mockReturnValue({ accessToken: 'malformed-token' });
+
+    const { getByTestId } = render(<TokenClaimsTestComponent />);
+
+    await waitFor(() => {
+      expect(getByTestId('claims')).toHaveTextContent('{}');
+    });
+  });
+});

package/src/cookie.spec.ts

@@ -0,0 +1,276 @@
+import { describe, it, expect } from '@jest/globals';
+
+// Mock at the top of the file
+jest.mock('./env-variables');
+
+describe('cookie.ts', () => {
+  beforeEach(() => {
+    // Clear all mocks before each test
+    jest.clearAllMocks();
+    // Reset modules
+    jest.resetModules();
+  });
+
+  describe('getCookieOptions', () => {
+    it('should return the default cookie options', async () => {
+      const { getCookieOptions } = await import('./cookie');
+
+      const options = getCookieOptions();
+      expect(options).toEqual(
+        expect.objectContaining({
+          path: '/',
+          httpOnly: true,
+          secure: false,
+          sameSite: 'lax',
+          maxAge: 400 * 24 * 60 * 60,
+          domain: 'example.com',
+        }),
+      );
+    });
+
+    it('should return the cookie options with custom values', async () => {
+      // Import the mocked module
+      const envVars = await import('./env-variables');
+
+      // Set the mock values
+      Object.defineProperty(envVars, 'WORKOS_COOKIE_MAX_AGE', { value: '1000' });
+      Object.defineProperty(envVars, 'WORKOS_COOKIE_DOMAIN', { value: 'foobar.com' });
+
+      const { getCookieOptions } = await import('./cookie');
+      const options = getCookieOptions('http://example.com');
+
+      expect(options).toEqual(
+        expect.objectContaining({
+          secure: false,
+          maxAge: 1000,
+          domain: 'foobar.com',
+        }),
+      );
+
+      Object.defineProperty(envVars, 'WORKOS_COOKIE_DOMAIN', { value: '' });
+
+      const options2 = getCookieOptions('http://example.com');
+      expect(options2).toEqual(
+        expect.objectContaining({
+          secure: false,
+          maxAge: 1000,
+          domain: '',
+        }),
+      );
+
+      const options3 = getCookieOptions('https://example.com', true);
+      // Domain should not be included when WORKOS_COOKIE_DOMAIN is empty
+      expect(options3).toEqual(expect.not.stringContaining('Domain='));
+    });
+
+    it('should return the cookie options with expired set to true', async () => {
+      const { getCookieOptions } = await import('./cookie');
+      const options = getCookieOptions('http://example.com', false, true);
+      expect(options).toEqual(expect.objectContaining({ maxAge: 0 }));
+    });
+
+    it('should return the cookie options as a string', async () => {
+      const { getCookieOptions } = await import('./cookie');
+      const options = getCookieOptions('http://example.com', true, false);
+      expect(options).toEqual(expect.stringContaining('HttpOnly; SameSite=Lax; Max-Age=34560000; Domain=example.com'));
+      expect(options).toEqual(expect.not.stringContaining('Secure'));
+
+      const options2 = getCookieOptions('https://example.com', true, true);
+      expect(options2).toEqual(expect.stringContaining('HttpOnly'));
+      expect(options2).toEqual(expect.stringContaining('Secure'));
+      expect(options2).toEqual(expect.stringContaining('SameSite=Lax'));
+      expect(options2).toEqual(expect.stringContaining('Max-Age=0'));
+      expect(options2).toEqual(expect.stringContaining('Domain=example.com'));
+    });
+
+    it('allows the sameSite config to be set by the WORKOS_COOKIE_SAMESITE env variable', async () => {
+      const envVars = await import('./env-variables');
+      Object.defineProperty(envVars, 'WORKOS_COOKIE_SAMESITE', { value: 'none' });
+
+      const { getCookieOptions } = await import('./cookie');
+      const options = getCookieOptions('http://example.com');
+      expect(options).toEqual(expect.objectContaining({ sameSite: 'none' }));
+    });
+
+    it('throws an error if the sameSite value is invalid', async () => {
+      const envVars = await import('./env-variables');
+      Object.defineProperty(envVars, 'WORKOS_COOKIE_SAMESITE', { value: 'invalid' });
+
+      const { getCookieOptions } = await import('./cookie');
+      expect(() => getCookieOptions('http://example.com')).toThrow('Invalid SameSite value: invalid');
+    });
+
+    it('defaults to secure=true when no URL is available', async () => {
+      const envVars = await import('./env-variables');
+      Object.defineProperty(envVars, 'WORKOS_REDIRECT_URI', { value: undefined });
+
+      const { getCookieOptions } = await import('./cookie');
+      const options = getCookieOptions();
+      expect(options).toEqual(expect.objectContaining({ secure: true }));
+    });
+
+    it('defaults to secure=true when no URL is available with lax sameSite', async () => {
+      const envVars = await import('./env-variables');
+      Object.defineProperty(envVars, 'WORKOS_REDIRECT_URI', { value: undefined });
+      Object.defineProperty(envVars, 'WORKOS_COOKIE_SAMESITE', { value: 'lax' });
+
+      const { getCookieOptions } = await import('./cookie');
+      const options = getCookieOptions();
+      expect(options).toEqual(expect.objectContaining({ secure: true, sameSite: 'lax' }));
+    });
+
+    it('handles invalid URLs gracefully by defaulting to secure=true', async () => {
+      const { getCookieOptions } = await import('./cookie');
+      const options = getCookieOptions('not-a-valid-url');
+      expect(options).toEqual(expect.objectContaining({ secure: true }));
+    });
+
+    it('handles invalid WORKOS_COOKIE_MAX_AGE gracefully', async () => {
+      const envVars = await import('./env-variables');
+      Object.defineProperty(envVars, 'WORKOS_COOKIE_MAX_AGE', { value: 'invalid-number' });
+
+      const { getCookieOptions } = await import('./cookie');
+      const options = getCookieOptions();
+      expect(options).toEqual(expect.objectContaining({ maxAge: 34560000 })); // Falls back to default
+    });
+
+    it('properly formats cookie string without Domain when not set', async () => {
+      const envVars = await import('./env-variables');
+      Object.defineProperty(envVars, 'WORKOS_COOKIE_DOMAIN', { value: '' });
+
+      const { getCookieOptions } = await import('./cookie');
+      const cookieString = getCookieOptions('https://example.com', true);
+      expect(cookieString).not.toContain('Domain=');
+      expect(cookieString).toContain('Secure');
+      expect(cookieString).toContain('SameSite=Lax'); // Capitalized
+    });
+  });
+
+  describe('getJwtCookie', () => {
+    beforeEach(() => {
+      // Reset NODE_ENV for each test
+      delete process.env.NODE_ENV;
+    });
+
+    it('should create JWT cookie with Secure flag for HTTPS URLs', async () => {
+      const { getJwtCookie } = await import('./cookie');
+
+      const cookie = getJwtCookie('test-token', 'https://example.com');
+
+      expect(cookie).toBe('workos-access-token=test-token; SameSite=Lax; Max-Age=30; Secure');
+    });
+
+    it('should create JWT cookie without Secure flag for HTTP URLs', async () => {
+      const { getJwtCookie } = await import('./cookie');
+
+      const cookie = getJwtCookie('test-token', 'http://localhost:3000');
+
+      expect(cookie).toBe('workos-access-token=test-token; SameSite=Lax; Max-Age=30');
+    });
+
+    it('should force Secure in production except for localhost', async () => {
+      process.env.NODE_ENV = 'production';
+
+      const { getJwtCookie } = await import('./cookie');
+
+      // Production with regular domain should be secure
+      const prodCookie = getJwtCookie('prod-token', 'http://example.com');
+      expect(prodCookie).toContain('Secure');
+
+      // Production with localhost should not be secure
+      const localhostCookie = getJwtCookie('local-token', 'http://localhost:3000');
+      expect(localhostCookie).not.toContain('Secure');
+    });
+
+    it('should handle invalid URLs with no fallback URL', async () => {
+      process.env.NODE_ENV = 'production';
+
+      // Mock no WORKOS_REDIRECT_URI
+      const envVars = await import('./env-variables');
+      Object.defineProperty(envVars, 'WORKOS_REDIRECT_URI', { value: '' });
+
+      const { getJwtCookie } = await import('./cookie');
+
+      const cookie = getJwtCookie('token', 'invalid-url');
+
+      expect(cookie).toContain('Secure'); // Should default to secure in production when no fallback
+    });
+
+    it('should fall back to WORKOS_REDIRECT_URI when invalid URL provided', async () => {
+      const envVars = await import('./env-variables');
+      Object.defineProperty(envVars, 'WORKOS_REDIRECT_URI', { value: 'https://app.workos.com/callback' });
+
+      const { getJwtCookie } = await import('./cookie');
+
+      const cookie = getJwtCookie('token', 'invalid-url');
+
+      expect(cookie).toContain('Secure'); // Should use HTTPS from fallback URL
+    });
+
+    it('should set secure to false when WORKOS_REDIRECT_URI parsing fails', async () => {
+      process.env.NODE_ENV = 'development'; // Not production
+
+      const envVars = await import('./env-variables');
+      Object.defineProperty(envVars, 'WORKOS_REDIRECT_URI', { value: 'also-invalid-url' });
+
+      const { getJwtCookie } = await import('./cookie');
+
+      const cookie = getJwtCookie('token', null); // This triggers the WORKOS_REDIRECT_URI path
+
+      expect(cookie).not.toContain('Secure'); // Should be false when URL parsing fails (line 128)
+    });
+
+    it('should handle both main URL and fallback URL parsing failures', async () => {
+      const envVars = await import('./env-variables');
+      Object.defineProperty(envVars, 'WORKOS_REDIRECT_URI', { value: 'invalid-fallback-url' });
+
+      const { getJwtCookie } = await import('./cookie');
+
+      // Invalid main URL with invalid fallback URL - should hit line 118
+      const cookie = getJwtCookie('token', 'invalid-main-url');
+
+      expect(cookie).not.toContain('Secure'); // Line 118: secure = false when fallback parsing fails
+    });
+
+    it('should use WORKOS_REDIRECT_URI when no URL provided', async () => {
+      const envVars = await import('./env-variables');
+      Object.defineProperty(envVars, 'WORKOS_REDIRECT_URI', { value: 'https://secure.example.com' });
+
+      const { getJwtCookie } = await import('./cookie');
+
+      const cookie = getJwtCookie('token', null);
+
+      expect(cookie).toContain('Secure'); // Should use HTTPS from WORKOS_REDIRECT_URI
+    });
+
+    it('should create expired JWT cookie for deletion', async () => {
+      const { getJwtCookie } = await import('./cookie');
+
+      const cookie = getJwtCookie('token', 'https://example.com', true);
+
+      expect(cookie).toBe(
+        'workos-access-token=; SameSite=Lax; Max-Age=0; Secure; Expires=Thu, 01 Jan 1970 00:00:00 GMT',
+      );
+    });
+
+    it('should handle null token body', async () => {
+      const { getJwtCookie } = await import('./cookie');
+
+      const cookie = getJwtCookie(null, 'https://example.com');
+
+      expect(cookie).toBe('workos-access-token=; SameSite=Lax; Max-Age=30; Secure');
+    });
+
+    it('should handle localhost vs 127.0.0.1 in production', async () => {
+      process.env.NODE_ENV = 'production';
+
+      const { getJwtCookie } = await import('./cookie');
+
+      const localhostCookie = getJwtCookie('token', 'http://localhost:3000');
+      const ipCookie = getJwtCookie('token', 'http://127.0.0.1:3000');
+
+      expect(localhostCookie).not.toContain('Secure');
+      expect(ipCookie).not.toContain('Secure');
+    });
+  });
+});

package/src/cookie.ts

@@ -8,6 +8,9 @@ import { CookieOptions } from './interfaces.js';
 
 type ValidSameSite = CookieOptions['sameSite'];
 
+const JWT_COOKIE_MAX_AGE = 30; // seconds
+const JWT_COOKIE_NAME = 'workos-access-token';
+
 function assertValidSamSite(sameSite: string): asserts sameSite is ValidSameSite {
   if (!['lax', 'strict', 'none'].includes(sameSite.toLowerCase())) {
     throw new Error(`Invalid SameSite value: ${sameSite}`);
@@ -88,3 +91,56 @@ export function getCookieOptions(
     domain: WORKOS_COOKIE_DOMAIN || '',
   };
 }
+
+export function getJwtCookie(body: string | null, requestUrlOrRedirectUri?: string | null, expired?: boolean): string {
+  const cookie = `${JWT_COOKIE_NAME}=${expired ? '' : (body ?? '')}`;
+
+  // Force Secure in production, except for localhost
+  let secure = false;
+  const isProduction = process.env.NODE_ENV === 'production';
+
+  if (requestUrlOrRedirectUri) {
+    try {
+      const url = new URL(requestUrlOrRedirectUri);
+      const isLocalhost = url.hostname === 'localhost' || url.hostname === '127.0.0.1';
+      // In production, always use Secure unless explicitly on localhost
+      secure = isProduction ? !isLocalhost : url.protocol === 'https:';
+    } catch {
+      // If URL parsing fails, default to secure in production
+      secure = isProduction;
+      // If it's not a valid URL, fall back to WORKOS_REDIRECT_URI
+      const fallbackUrl = WORKOS_REDIRECT_URI;
+      if (fallbackUrl) {
+        try {
+          const url = new URL(fallbackUrl);
+          secure = url.protocol === 'https:';
+        } catch {
+          secure = false;
+        }
+      }
+    }
+  } else if (WORKOS_REDIRECT_URI) {
+    // No URL provided, check WORKOS_REDIRECT_URI
+    try {
+      const url = new URL(WORKOS_REDIRECT_URI);
+      secure = url.protocol === 'https:';
+    } catch {
+      secure = false;
+    }
+  }
+
+  const maxAge = expired ? 0 : JWT_COOKIE_MAX_AGE;
+
+  const parts = [cookie, 'SameSite=Lax', `Max-Age=${maxAge}`];
+
+  // Only add Secure flag if on HTTPS
+  if (secure) {
+    parts.push('Secure');
+  }
+
+  if (expired) {
+    parts.push(`Expires=${new Date(0).toUTCString()}`);
+  }
+
+  return parts.join('; ');
+}

package/src/get-authorization-url.spec.ts

@@ -0,0 +1,60 @@
+import { describe, it, expect, beforeEach, jest } from '@jest/globals';
+import { getAuthorizationUrl } from './get-authorization-url.js';
+import { headers } from 'next/headers';
+import { getWorkOS } from './workos.js';
+
+jest.mock('next/headers');
+
+// Mock dependencies
+const fakeWorkosInstance = {
+  userManagement: {
+    getAuthorizationUrl: jest.fn(),
+  },
+};
+
+jest.mock('./workos', () => ({
+  getWorkOS: jest.fn(() => fakeWorkosInstance),
+}));
+
+describe('getAuthorizationUrl', () => {
+  const workos = getWorkOS();
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('uses x-redirect-uri header when redirectUri option is not provided', async () => {
+    const nextHeaders = await headers();
+    nextHeaders.set('x-redirect-uri', 'http://test-redirect.com');
+
+    // Mock workos.userManagement.getAuthorizationUrl
+    jest.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+
+    await getAuthorizationUrl({});
+
+    expect(workos.userManagement.getAuthorizationUrl).toHaveBeenCalledWith(
+      expect.objectContaining({
+        redirectUri: 'http://test-redirect.com',
+      }),
+    );
+  });
+
+  it('works when called with no arguments', async () => {
+    jest.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+
+    await getAuthorizationUrl(); // Call with no arguments
+
+    expect(workos.userManagement.getAuthorizationUrl).toHaveBeenCalled();
+  });
+
+  it('works when prompt is provided', async () => {
+    jest.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+
+    await getAuthorizationUrl({ prompt: 'consent' });
+
+    expect(workos.userManagement.getAuthorizationUrl).toHaveBeenCalledWith(
+      expect.objectContaining({
+        prompt: 'consent',
+      }),
+    );
+  });
+});

package/src/interfaces.ts

@@ -76,9 +76,11 @@ export interface AuthkitMiddlewareOptions {
   middlewareAuth?: AuthkitMiddlewareAuth;
   redirectUri?: string;
   signUpPaths?: string[];
+  eagerAuth?: boolean;
 }
 
 export interface AuthkitOptions {
+  eagerAuth?: boolean;
   debug?: boolean;
   redirectUri?: string;
   screenHint?: 'sign-up' | 'sign-in';