npm - @workos-inc/authkit-nextjs - Versions diffs - 3.0.0-beta.1 → 3.0.0 - Mend

@workos-inc/authkit-nextjs 3.0.0-beta.1 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (106) hide show

package/README.md +276 -102
package/dist/esm/actions.js +35 -4
package/dist/esm/actions.js.map +1 -1
package/dist/esm/auth.js +51 -20
package/dist/esm/auth.js.map +1 -1
package/dist/esm/authkit-callback-route.js +82 -93
package/dist/esm/authkit-callback-route.js.map +1 -1
package/dist/esm/components/authkit-provider.js +36 -15
package/dist/esm/components/authkit-provider.js.map +1 -1
package/dist/esm/components/impersonation.js +17 -15
package/dist/esm/components/impersonation.js.map +1 -1
package/dist/esm/components/min-max-button.js +1 -1
package/dist/esm/components/min-max-button.js.map +1 -1
package/dist/esm/components/tokenStore.js +28 -19
package/dist/esm/components/tokenStore.js.map +1 -1
package/dist/esm/components/useAccessToken.js +1 -1
package/dist/esm/components/useAccessToken.js.map +1 -1
package/dist/esm/components/useTokenClaims.js +1 -1
package/dist/esm/components/useTokenClaims.js.map +1 -1
package/dist/esm/cookie.js +16 -5
package/dist/esm/cookie.js.map +1 -1
package/dist/esm/env-variables.js +6 -6
package/dist/esm/env-variables.js.map +1 -1
package/dist/esm/errors.js +36 -0
package/dist/esm/errors.js.map +1 -0
package/dist/esm/get-authorization-url.js +51 -12
package/dist/esm/get-authorization-url.js.map +1 -1
package/dist/esm/index.js +5 -2
package/dist/esm/index.js.map +1 -1
package/dist/esm/interfaces.js +7 -1
package/dist/esm/interfaces.js.map +1 -1
package/dist/esm/middleware-helpers.js +102 -0
package/dist/esm/middleware-helpers.js.map +1 -0
package/dist/esm/middleware.js +3 -1
package/dist/esm/middleware.js.map +1 -1
package/dist/esm/pkce.js +38 -0
package/dist/esm/pkce.js.map +1 -0
package/dist/esm/session.js +73 -35
package/dist/esm/session.js.map +1 -1
package/dist/esm/test-helpers.js +1 -1
package/dist/esm/test-helpers.js.map +1 -1
package/dist/esm/types/actions.d.ts +34 -5
package/dist/esm/types/auth.d.ts +7 -15
package/dist/esm/types/components/authkit-provider.d.ts +6 -2
package/dist/esm/types/components/impersonation.d.ts +2 -1
package/dist/esm/types/cookie.d.ts +8 -0
package/dist/esm/types/env-variables.d.ts +2 -1
package/dist/esm/types/errors.d.ts +15 -0
package/dist/esm/types/get-authorization-url.d.ts +2 -2
package/dist/esm/types/index.d.ts +5 -2
package/dist/esm/types/interfaces.d.ts +12 -0
package/dist/esm/types/jwt.d.ts +9 -9
package/dist/esm/types/middleware-helpers.d.ts +27 -0
package/dist/esm/types/middleware.d.ts +3 -1
package/dist/esm/types/pkce.d.ts +12 -0
package/dist/esm/types/session.d.ts +1 -1
package/dist/esm/types/utils.d.ts +5 -0
package/dist/esm/types/validate-api-key.d.ts +1 -0
package/dist/esm/types/workos.d.ts +1 -1
package/dist/esm/utils.js +10 -2
package/dist/esm/utils.js.map +1 -1
package/dist/esm/validate-api-key.js +16 -0
package/dist/esm/validate-api-key.js.map +1 -0
package/dist/esm/workos.js +1 -1
package/package.json +32 -34
package/src/actions.spec.ts +94 -17
package/src/actions.ts +44 -5
package/src/auth.spec.ts +60 -29
package/src/auth.ts +55 -41
package/src/authkit-callback-route.spec.ts +310 -58
package/src/authkit-callback-route.ts +106 -103
package/src/components/authkit-provider.spec.tsx +264 -70
package/src/components/authkit-provider.tsx +40 -15
package/src/components/button.spec.tsx +4 -6
package/src/components/impersonation.spec.tsx +152 -35
package/src/components/impersonation.tsx +37 -30
package/src/components/min-max-button.spec.tsx +2 -1
package/src/components/tokenStore.spec.ts +59 -44
package/src/components/tokenStore.ts +11 -3
package/src/components/useAccessToken.spec.tsx +82 -83
package/src/components/useTokenClaims.spec.tsx +23 -22
package/src/cookie.spec.ts +14 -9
package/src/cookie.ts +29 -0
package/src/env-variables.ts +2 -0
package/src/errors.spec.ts +108 -0
package/src/errors.ts +46 -0
package/src/get-authorization-url.spec.ts +170 -15
package/src/get-authorization-url.ts +69 -23
package/src/index.ts +20 -2
package/src/interfaces.ts +15 -0
package/src/jwt.ts +9 -9
package/src/middleware-helpers.spec.ts +238 -0
package/src/middleware-helpers.ts +134 -0
package/src/middleware.spec.ts +25 -0
package/src/middleware.ts +4 -1
package/src/pkce.spec.ts +125 -0
package/src/pkce.ts +42 -0
package/src/session.spec.ts +87 -89
package/src/session.ts +91 -27
package/src/test-helpers.ts +1 -1
package/src/utils.spec.ts +14 -31
package/src/utils.ts +9 -0
package/src/validate-api-key.spec.ts +111 -0
package/src/validate-api-key.ts +19 -0
package/src/workos.spec.ts +2 -2
package/src/workos.ts +1 -1

package/src/authkit-callback-route.ts CHANGED Viewed

@@ -1,39 +1,15 @@
 import { NextRequest } from 'next/server';
+import { getPKCECookieOptions } from './cookie.js';
 import { WORKOS_CLIENT_ID } from './env-variables.js';
 import { HandleAuthOptions } from './interfaces.js';
+import { PKCE_COOKIE_NAME, getStateFromPKCECookieValue } from './pkce.js';
 import { saveSession } from './session.js';
-import { errorResponseWithFallback, redirectWithFallback } from './utils.js';
+import { errorResponseWithFallback, redirectWithFallback, setCachePreventionHeaders } from './utils.js';
 import { getWorkOS } from './workos.js';
-function handleState(state: string | null) {
-  let returnPathname: string | undefined = undefined;
-  let userState: string | undefined;
-  if (state?.includes('.')) {
-    const [internal, ...rest] = state.split('.');
-    userState = rest.join('.');
-    try {
-      // Reverse URL-safe base64 encoding
-      const decoded = internal.replace(/-/g, '+').replace(/_/g, '/');
-      returnPathname = JSON.parse(atob(decoded)).returnPathname;
-    } catch {
-      // Malformed internal part, ignore it
-    }
-  } else if (state) {
-    try {
-      const decoded = JSON.parse(atob(state));
-      if (decoded.returnPathname) {
-        returnPathname = decoded.returnPathname;
-      } else {
-        userState = state;
-      }
-    } catch {
-      userState = state;
-    }
-  }
-  return {
-    returnPathname,
-    state: userState,
-  };
+function preventCaching(headers: Headers): void {
+  headers.set('Vary', 'Cookie');
+  setCachePreventionHeaders(headers);
 }
 export function handleAuth(options: HandleAuthOptions = {}) {
@@ -49,90 +25,117 @@ export function handleAuth(options: HandleAuthOptions = {}) {
   }
   return async function GET(request: NextRequest) {
-    const code = request.nextUrl.searchParams.get('code');
-    const state = request.nextUrl.searchParams.get('state');
-    const { state: customState, returnPathname: returnPathnameState } = handleState(state);
-    if (code) {
-      try {
-        // Use the code returned to us by AuthKit and authenticate the user with WorkOS
-        const { accessToken, refreshToken, user, impersonator, oauthTokens, authenticationMethod, organizationId } =
-          await getWorkOS().userManagement.authenticateWithCode({
-            clientId: WORKOS_CLIENT_ID,
-            code,
-          });
-        // If baseURL is provided, use it instead of request.nextUrl
-        // This is useful if the app is being run in a container like docker where
-        // the hostname can be different from the one in the request
-        const url = baseURL ? new URL(baseURL) : request.nextUrl.clone();
-        // Cleanup params
-        url.searchParams.delete('code');
-        url.searchParams.delete('state');
-        // Redirect to the requested path and store the session
-        const returnPathname = returnPathnameState ?? returnPathnameOption;
-        // Extract the search params if they are present
-        if (returnPathname.includes('?')) {
-          const newUrl = new URL(returnPathname, 'https://example.com');
-          url.pathname = newUrl.pathname;
-          for (const [key, value] of newUrl.searchParams) {
-            url.searchParams.append(key, value);
-          }
-        } else {
-          url.pathname = returnPathname;
-        }
-        // Fall back to standard Response if NextResponse is not available.
-        // This is to support Next.js 13.
-        const response = redirectWithFallback(url.toString());
-        if (!accessToken || !refreshToken) throw new Error('response is missing tokens');
-        await saveSession({ accessToken, refreshToken, user, impersonator }, request);
-        if (onSuccess) {
-          await onSuccess({
-            accessToken,
-            refreshToken,
-            user,
-            impersonator,
-            oauthTokens,
-            authenticationMethod,
-            organizationId,
-            state: customState,
-          });
-        }
-        return response;
-      } catch (error) {
-        const errorRes = {
-          error: error instanceof Error ? error.message : String(error),
-        };
-        console.error(errorRes);
-        return errorResponse(request, error);
+    // Always delete the PKCE cookie after handling the callback, regardless of success or error
+    // to avoid stale cookies affecting future auth attempts & prevent replays
+    const deleteCookie = `${PKCE_COOKIE_NAME}=; ${getPKCECookieOptions(request.url, true, true)}`;
+    // We want to catch any & all errors and respond the same way
+    // Firstly, by destroying the 1-use PKCE cookie to prevent replay attacks
+    // or stale cookies affecting future auth attempts
+    try {
+      // Fall back to standard URL parsing when nextUrl is not available (e.g., vinext)
+      const requestUrl = request.nextUrl ?? new URL(request.url);
+      // Gather mandatory information
+      const code = requestUrl.searchParams.get('code');
+      const state = requestUrl.searchParams.get('state');
+      const pkceCookie = request.cookies.get(PKCE_COOKIE_NAME)?.value;
+      if (!code || !state) {
+        throw new Error('Missing required auth parameter');
       }
-    }
-    return errorResponse(request);
+      // CSRF verification: both channels (cookie + URL state) must be present and match
+      if (!pkceCookie) {
+        throw new Error(
+          'Auth cookie missing — cannot verify OAuth state. Ensure Set-Cookie headers are propagated on redirects.',
+        );
+      }
+      if (state !== pkceCookie) {
+        throw new Error('OAuth state mismatch');
+      }
+      const {
+        codeVerifier,
+        customState,
+        returnPathname: returnPathnameState,
+      } = await getStateFromPKCECookieValue(pkceCookie);
+      // Use the code returned to us by AuthKit and authenticate the user with WorkOS
+      const { accessToken, refreshToken, user, impersonator, oauthTokens, authenticationMethod, organizationId } =
+        await getWorkOS().userManagement.authenticateWithCode({
+          clientId: WORKOS_CLIENT_ID,
+          code,
+          codeVerifier,
+        });
+      if (!accessToken || !refreshToken) {
+        throw new Error('response is missing tokens');
+      }
+      // If baseURL is provided, use it instead of request.nextUrl
+      // This is useful if the app is being run in a container like docker where
+      // the hostname can be different from the one in the request
+      const url = baseURL ? new URL(baseURL) : new URL(requestUrl.toString());
+      // Cleanup params
+      url.searchParams.delete('code');
+      url.searchParams.delete('state');
+      // Redirect to the requested path and store the session
+      const returnPathname = returnPathnameState ?? returnPathnameOption;
+      // Extract pathname and search params from returnPathname
+      const parsedReturnUrl = new URL(returnPathname, 'https://placeholder.com');
+      url.pathname = parsedReturnUrl.pathname;
+      url.search = parsedReturnUrl.search;
+      // Fall back to standard Response if NextResponse is not available.
+      // This is to support Next.js 13.
+      const response = redirectWithFallback(url.toString());
+      preventCaching(response.headers);
+      response.headers.append('Set-Cookie', deleteCookie);
+      await saveSession({ accessToken, refreshToken, user, impersonator }, request);
+      if (onSuccess) {
+        await onSuccess({
+          accessToken,
+          refreshToken,
+          user,
+          impersonator,
+          oauthTokens,
+          authenticationMethod,
+          organizationId,
+          state: customState,
+        });
+      }
+      return response;
+    } catch (error) {
+      console.error('[AuthKit callback error]', error);
+      const response = await errorResponse(request, error);
+      response.headers.append('Set-Cookie', deleteCookie);
+      return response;
+    }
   };
-  function errorResponse(request: NextRequest, error?: unknown) {
+  async function errorResponse(request: NextRequest, error?: unknown) {
     if (onError) {
-      return onError({ error, request });
+      const response = await onError({ error, request });
+      preventCaching(response.headers);
+      return response;
     }
-    return errorResponseWithFallback({
+    const response = errorResponseWithFallback({
       error: {
         message: 'Something went wrong',
         description: "Couldn't sign in. If you are not sure what happened, please contact your organization admin.",
       },
     });
+    preventCaching(response.headers);
+    return response;
   }
 }