npm - @workos-inc/authkit-nextjs - Versions diffs - 3.0.0-beta.1 → 3.0.1 - Mend

@workos-inc/authkit-nextjs 3.0.0-beta.1 → 3.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (106) hide show

package/README.md +305 -102
package/dist/esm/actions.js +35 -5
package/dist/esm/actions.js.map +1 -1
package/dist/esm/auth.js +71 -21
package/dist/esm/auth.js.map +1 -1
package/dist/esm/authkit-callback-route.js +90 -92
package/dist/esm/authkit-callback-route.js.map +1 -1
package/dist/esm/components/authkit-provider.js +36 -15
package/dist/esm/components/authkit-provider.js.map +1 -1
package/dist/esm/components/impersonation.js +17 -15
package/dist/esm/components/impersonation.js.map +1 -1
package/dist/esm/components/min-max-button.js +1 -1
package/dist/esm/components/min-max-button.js.map +1 -1
package/dist/esm/components/tokenStore.js +28 -19
package/dist/esm/components/tokenStore.js.map +1 -1
package/dist/esm/components/useAccessToken.js +1 -1
package/dist/esm/components/useAccessToken.js.map +1 -1
package/dist/esm/components/useTokenClaims.js +1 -1
package/dist/esm/components/useTokenClaims.js.map +1 -1
package/dist/esm/cookie.js +20 -5
package/dist/esm/cookie.js.map +1 -1
package/dist/esm/env-variables.js +6 -6
package/dist/esm/env-variables.js.map +1 -1
package/dist/esm/errors.js +36 -0
package/dist/esm/errors.js.map +1 -0
package/dist/esm/get-authorization-url.js +51 -12
package/dist/esm/get-authorization-url.js.map +1 -1
package/dist/esm/index.js +5 -2
package/dist/esm/index.js.map +1 -1
package/dist/esm/interfaces.js +7 -1
package/dist/esm/interfaces.js.map +1 -1
package/dist/esm/middleware-helpers.js +102 -0
package/dist/esm/middleware-helpers.js.map +1 -0
package/dist/esm/middleware.js +3 -1
package/dist/esm/middleware.js.map +1 -1
package/dist/esm/pkce.js +52 -0
package/dist/esm/pkce.js.map +1 -0
package/dist/esm/session.js +82 -35
package/dist/esm/session.js.map +1 -1
package/dist/esm/test-helpers.js +1 -1
package/dist/esm/test-helpers.js.map +1 -1
package/dist/esm/types/actions.d.ts +34 -5
package/dist/esm/types/auth.d.ts +7 -15
package/dist/esm/types/components/authkit-provider.d.ts +6 -2
package/dist/esm/types/components/impersonation.d.ts +2 -1
package/dist/esm/types/cookie.d.ts +9 -0
package/dist/esm/types/env-variables.d.ts +2 -1
package/dist/esm/types/errors.d.ts +15 -0
package/dist/esm/types/get-authorization-url.d.ts +2 -2
package/dist/esm/types/index.d.ts +5 -2
package/dist/esm/types/interfaces.d.ts +12 -0
package/dist/esm/types/jwt.d.ts +9 -9
package/dist/esm/types/middleware-helpers.d.ts +27 -0
package/dist/esm/types/middleware.d.ts +3 -1
package/dist/esm/types/pkce.d.ts +17 -0
package/dist/esm/types/session.d.ts +1 -1
package/dist/esm/types/utils.d.ts +5 -0
package/dist/esm/types/validate-api-key.d.ts +1 -0
package/dist/esm/types/workos.d.ts +1 -1
package/dist/esm/utils.js +10 -2
package/dist/esm/utils.js.map +1 -1
package/dist/esm/validate-api-key.js +16 -0
package/dist/esm/validate-api-key.js.map +1 -0
package/dist/esm/workos.js +1 -1
package/package.json +33 -34
package/src/actions.spec.ts +91 -18
package/src/actions.ts +44 -6
package/src/auth.spec.ts +79 -29
package/src/auth.ts +74 -42
package/src/authkit-callback-route.spec.ts +372 -58
package/src/authkit-callback-route.ts +121 -103
package/src/components/authkit-provider.spec.tsx +264 -70
package/src/components/authkit-provider.tsx +40 -15
package/src/components/button.spec.tsx +4 -6
package/src/components/impersonation.spec.tsx +152 -35
package/src/components/impersonation.tsx +37 -30
package/src/components/min-max-button.spec.tsx +2 -1
package/src/components/tokenStore.spec.ts +59 -44
package/src/components/tokenStore.ts +11 -3
package/src/components/useAccessToken.spec.tsx +82 -83
package/src/components/useTokenClaims.spec.tsx +23 -22
package/src/cookie.spec.ts +63 -9
package/src/cookie.ts +35 -0
package/src/env-variables.ts +2 -0
package/src/errors.spec.ts +108 -0
package/src/errors.ts +46 -0
package/src/get-authorization-url.spec.ts +170 -15
package/src/get-authorization-url.ts +69 -23
package/src/index.ts +20 -2
package/src/interfaces.ts +15 -0
package/src/jwt.ts +9 -9
package/src/middleware-helpers.spec.ts +238 -0
package/src/middleware-helpers.ts +134 -0
package/src/middleware.spec.ts +25 -0
package/src/middleware.ts +4 -1
package/src/pkce.spec.ts +146 -0
package/src/pkce.ts +59 -0
package/src/session.spec.ts +87 -89
package/src/session.ts +104 -27
package/src/test-helpers.ts +1 -1
package/src/utils.spec.ts +14 -31
package/src/utils.ts +9 -0
package/src/validate-api-key.spec.ts +111 -0
package/src/validate-api-key.ts +19 -0
package/src/workos.spec.ts +2 -2
package/src/workos.ts +1 -1

package/src/cookie.spec.ts CHANGED Viewed

@@ -1,14 +1,13 @@
-import { describe, it, expect } from '@jest/globals';
-// Mock at the top of the file
-jest.mock('./env-variables');
 describe('cookie.ts', () => {
   beforeEach(() => {
     // Clear all mocks before each test
-    jest.clearAllMocks();
-    // Reset modules
-    jest.resetModules();
+    vi.clearAllMocks();
+    // Reset modules to ensure fresh imports
+    vi.resetModules();
+    // Re-mock env-variables with a fresh copy each time
+    vi.doMock('./env-variables', async (importOriginal) => {
+      return { ...(await importOriginal<typeof import('./env-variables')>()) };
+    });
   });
   describe('getCookieOptions', () => {
@@ -147,11 +146,17 @@ describe('cookie.ts', () => {
   });
   describe('getJwtCookie', () => {
+    const originalEnv = process.env;
     beforeEach(() => {
-      // Reset NODE_ENV for each test
+      process.env = { ...originalEnv };
       delete process.env.NODE_ENV;
     });
+    afterEach(() => {
+      process.env = originalEnv;
+    });
     it('should create JWT cookie with Secure flag for HTTPS URLs', async () => {
       const { getJwtCookie } = await import('./cookie');
@@ -273,4 +278,53 @@ describe('cookie.ts', () => {
       expect(ipCookie).not.toContain('Secure');
     });
   });
+  describe('getPKCECookieOptions', () => {
+    it('should use 10-minute max-age, not the session cookie max-age', async () => {
+      const { getPKCECookieOptions } = await import('./cookie');
+      const options = getPKCECookieOptions();
+      expect(options).toEqual(expect.objectContaining({ maxAge: 600 }));
+    });
+    it('should use 10-minute max-age in string format', async () => {
+      const { getPKCECookieOptions } = await import('./cookie');
+      const options = getPKCECookieOptions('http://localhost:3000', true);
+      expect(options).toContain('Max-Age=600');
+      expect(options).not.toContain('Max-Age=34560000');
+    });
+    it('should use max-age 0 when expired in object format', async () => {
+      const { getPKCECookieOptions } = await import('./cookie');
+      const options = getPKCECookieOptions(undefined, false, true);
+      expect(options).toEqual(expect.objectContaining({ maxAge: 0 }));
+    });
+    it('should use max-age 0 when expired in string format', async () => {
+      const { getPKCECookieOptions } = await import('./cookie');
+      const options = getPKCECookieOptions('http://localhost:3000', true, true);
+      expect(options).toContain('Max-Age=0');
+    });
+    it('should downgrade SameSite=Strict to Lax', async () => {
+      const envVars = await import('./env-variables');
+      Object.defineProperty(envVars, 'WORKOS_COOKIE_SAMESITE', { value: 'strict' });
+      const { getPKCECookieOptions } = await import('./cookie');
+      const objectOptions = getPKCECookieOptions();
+      expect(objectOptions).toEqual(expect.objectContaining({ sameSite: 'lax' }));
+      const stringOptions = getPKCECookieOptions('http://localhost:3000', true);
+      expect(stringOptions).toContain('SameSite=Lax');
+      expect(stringOptions).not.toContain('SameSite=Strict');
+    });
+  });
 });

package/src/cookie.ts CHANGED Viewed

@@ -92,6 +92,41 @@ export function getCookieOptions(
   };
 }
+const PKCE_COOKIE_MAX_AGE = 600; // 10 minutes
+/**
+ * Cookie options for the PKCE verifier cookie.
+ * 'strict' blocks the cookie on the cross-site redirect back from WorkOS; downgrade to 'lax'.
+ * 'none' is more permissive and must be preserved for iframe/cross-origin embed flows.
+ * Max-age is always capped to 10 minutes — PKCE cookies are single-use and short-lived.
+ */
+export function getPKCECookieOptions(): CookieOptions;
+export function getPKCECookieOptions(redirectUri: string | null | undefined, asString: true, expired?: boolean): string;
+export function getPKCECookieOptions(
+  redirectUri?: string | null,
+  asString?: boolean,
+  expired?: boolean,
+): CookieOptions | string;
+export function getPKCECookieOptions(
+  redirectUri?: string | null,
+  asString: boolean = false,
+  expired: boolean = false,
+): CookieOptions | string {
+  if (asString) {
+    const options = getCookieOptions(redirectUri, true, expired);
+    return options
+      .replace(/SameSite=Strict/i, 'SameSite=Lax')
+      .replace(/Max-Age=\d+/, `Max-Age=${expired ? 0 : PKCE_COOKIE_MAX_AGE}`);
+  }
+  const options = getCookieOptions(redirectUri);
+  return {
+    ...options,
+    sameSite: options.sameSite.toLowerCase() === 'strict' ? 'lax' : options.sameSite,
+    maxAge: expired ? 0 : PKCE_COOKIE_MAX_AGE,
+  };
+}
 export function getJwtCookie(body: string | null, requestUrlOrRedirectUri?: string | null, expired?: boolean): string {
   const cookie = `${JWT_COOKIE_NAME}=${expired ? '' : (body ?? '')}`;

package/src/env-variables.ts CHANGED Viewed

@@ -12,6 +12,7 @@ const WORKOS_COOKIE_DOMAIN = getEnvVariable('WORKOS_COOKIE_DOMAIN');
 const WORKOS_COOKIE_MAX_AGE = getEnvVariable('WORKOS_COOKIE_MAX_AGE');
 const WORKOS_COOKIE_NAME = getEnvVariable('WORKOS_COOKIE_NAME');
 const WORKOS_COOKIE_SAMESITE = getEnvVariable('WORKOS_COOKIE_SAMESITE') as 'lax' | 'strict' | 'none' | undefined;
+const WORKOS_CLAIM_TOKEN = getEnvVariable('WORKOS_CLAIM_TOKEN');
 // Required env variables
 const WORKOS_API_KEY = getEnvVariable('WORKOS_API_KEY') ?? '';
@@ -24,6 +25,7 @@ export {
   WORKOS_API_HTTPS,
   WORKOS_API_KEY,
   WORKOS_API_PORT,
+  WORKOS_CLAIM_TOKEN,
   WORKOS_CLIENT_ID,
   WORKOS_COOKIE_DOMAIN,
   WORKOS_COOKIE_MAX_AGE,

package/src/errors.spec.ts ADDED Viewed

@@ -0,0 +1,108 @@
+import { AuthKitError, TokenRefreshError, getSessionErrorContext } from './errors.js';
+import type { Session } from './interfaces.js';
+import type { User } from '@workos-inc/node';
+describe('AuthKitError', () => {
+  it('creates error with message', () => {
+    const error = new AuthKitError('Test error');
+    expect(error.message).toBe('Test error');
+    expect(error.name).toBe('AuthKitError');
+    expect(error).toBeInstanceOf(Error);
+  });
+  it('creates error with cause and data', () => {
+    const originalError = new Error('Original error');
+    const data = { userId: '123' };
+    const error = new AuthKitError('Test error', originalError, data);
+    expect(error.cause).toBe(originalError);
+    expect(error.data).toEqual(data);
+  });
+});
+describe('TokenRefreshError', () => {
+  it('creates error with correct name and inheritance', () => {
+    const error = new TokenRefreshError('Refresh failed');
+    expect(error.name).toBe('TokenRefreshError');
+    expect(error.message).toBe('Refresh failed');
+    expect(error).toBeInstanceOf(AuthKitError);
+    expect(error).toBeInstanceOf(Error);
+  });
+  it('creates error with cause and context', () => {
+    const originalError = new Error('Network error');
+    const error = new TokenRefreshError('Refresh failed', originalError, {
+      userId: 'user_123',
+      sessionId: 'session_456',
+    });
+    expect(error.cause).toBe(originalError);
+    expect(error.userId).toBe('user_123');
+    expect(error.sessionId).toBe('session_456');
+  });
+  it('has undefined properties when no context provided', () => {
+    const error = new TokenRefreshError('Refresh failed');
+    expect(error.userId).toBeUndefined();
+    expect(error.sessionId).toBeUndefined();
+  });
+});
+describe('getSessionErrorContext', () => {
+  function createTestJwt(payload: Record<string, unknown>): string {
+    const header = btoa(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
+    const payloadStr = btoa(JSON.stringify(payload));
+    return `${header}.${payloadStr}.test-signature`;
+  }
+  it('returns empty object for missing session', () => {
+    expect(getSessionErrorContext(null)).toEqual({});
+    expect(getSessionErrorContext(undefined)).toEqual({});
+  });
+  it('extracts userId and sessionId from access token', () => {
+    const session: Session = {
+      accessToken: createTestJwt({ sub: 'user_456', sid: 'session_123' }),
+      refreshToken: 'refresh_token',
+      user: {
+        id: 'user_456',
+        email: 'test@example.com',
+        emailVerified: true,
+        profilePictureUrl: null,
+        firstName: null,
+        lastName: null,
+        createdAt: '2024-01-01',
+        updatedAt: '2024-01-01',
+        object: 'user',
+      } as User,
+    };
+    const context = getSessionErrorContext(session);
+    expect(context.userId).toBe('user_456');
+    expect(context.sessionId).toBe('session_123');
+  });
+  it('returns empty object for invalid JWT', () => {
+    const session: Session = {
+      accessToken: 'invalid-jwt',
+      refreshToken: 'refresh_token',
+      user: {
+        id: 'user_123',
+        email: 'test@example.com',
+        emailVerified: true,
+        profilePictureUrl: null,
+        firstName: null,
+        lastName: null,
+        createdAt: '2024-01-01',
+        updatedAt: '2024-01-01',
+        object: 'user',
+      } as User,
+    };
+    const context = getSessionErrorContext(session);
+    expect(context).toEqual({});
+  });
+});

package/src/errors.ts ADDED Viewed

@@ -0,0 +1,46 @@
+import type { Session } from './interfaces.js';
+import { decodeJwt } from './jwt.js';
+export class AuthKitError extends Error {
+  data?: Record<string, unknown>;
+  constructor(message: string, cause?: unknown, data?: Record<string, unknown>) {
+    super(message);
+    this.name = 'AuthKitError';
+    this.cause = cause;
+    this.data = data;
+  }
+}
+export interface TokenRefreshErrorContext {
+  userId?: string;
+  sessionId?: string;
+}
+export class TokenRefreshError extends AuthKitError {
+  readonly userId?: string;
+  readonly sessionId?: string;
+  constructor(message: string, cause?: unknown, context?: TokenRefreshErrorContext) {
+    super(message, cause);
+    this.name = 'TokenRefreshError';
+    this.userId = context?.userId;
+    this.sessionId = context?.sessionId;
+  }
+}
+export function getSessionErrorContext(session?: Session | null): TokenRefreshErrorContext {
+  if (!session?.accessToken) {
+    return {};
+  }
+  try {
+    const { payload } = decodeJwt(session.accessToken);
+    return {
+      userId: payload.sub,
+      sessionId: payload.sid,
+    };
+  } catch {
+    return {};
+  }
+}

package/src/get-authorization-url.spec.ts CHANGED Viewed

@@ -1,33 +1,45 @@
-import { describe, it, expect, beforeEach, jest } from '@jest/globals';
 import { getAuthorizationUrl } from './get-authorization-url.js';
 import { headers } from 'next/headers';
 import { getWorkOS } from './workos.js';
-jest.mock('next/headers');
+import { getStateFromPKCECookieValue } from './pkce.js';
 // Mock dependencies
-const fakeWorkosInstance = {
-  userManagement: {
-    getAuthorizationUrl: jest.fn(),
+const { fakeWorkosInstance } = vi.hoisted(() => ({
+  fakeWorkosInstance: {
+    baseURL: 'https://api.workos.com',
+    userManagement: {
+      getAuthorizationUrl: vi.fn(),
+    },
+    pkce: {
+      generate: vi.fn().mockResolvedValue({
+        codeVerifier: 'test-code-verifier',
+        codeChallenge: 'test-code-challenge',
+        codeChallengeMethod: 'S256' as const,
+      }),
+    },
   },
-};
+}));
-jest.mock('./workos', () => ({
-  getWorkOS: jest.fn(() => fakeWorkosInstance),
+vi.mock('./workos', () => ({
+  getWorkOS: vi.fn(() => fakeWorkosInstance),
 }));
 describe('getAuthorizationUrl', () => {
   const workos = getWorkOS();
   beforeEach(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
+    fakeWorkosInstance.pkce.generate.mockResolvedValue({
+      codeVerifier: 'test-code-verifier',
+      codeChallenge: 'test-code-challenge',
+      codeChallengeMethod: 'S256' as const,
+    });
   });
   it('uses x-redirect-uri header when redirectUri option is not provided', async () => {
     const nextHeaders = await headers();
     nextHeaders.set('x-redirect-uri', 'http://test-redirect.com');
-    // Mock workos.userManagement.getAuthorizationUrl
-    jest.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+    vi.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
     await getAuthorizationUrl({});
@@ -39,15 +51,15 @@ describe('getAuthorizationUrl', () => {
   });
   it('works when called with no arguments', async () => {
-    jest.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+    vi.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
-    await getAuthorizationUrl(); // Call with no arguments
+    await getAuthorizationUrl();
     expect(workos.userManagement.getAuthorizationUrl).toHaveBeenCalled();
   });
   it('works when prompt is provided', async () => {
-    jest.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+    vi.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
     await getAuthorizationUrl({ prompt: 'consent' });
@@ -57,4 +69,147 @@ describe('getAuthorizationUrl', () => {
       }),
     );
   });
+  describe('claim nonce', () => {
+    afterEach(() => {
+      delete process.env.WORKOS_CLAIM_TOKEN;
+    });
+    it('does not fetch nonce when WORKOS_CLAIM_TOKEN is not set', async () => {
+      const fetchSpy = vi.spyOn(globalThis, 'fetch');
+      vi.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+      await getAuthorizationUrl({});
+      expect(fetchSpy).not.toHaveBeenCalledWith(expect.stringContaining('claim-nonces'), expect.anything());
+      expect(workos.userManagement.getAuthorizationUrl).toHaveBeenCalledWith(
+        expect.not.objectContaining({ claimNonce: expect.any(String) }),
+      );
+      fetchSpy.mockRestore();
+    });
+    it('fetches nonce and passes claimNonce when WORKOS_CLAIM_TOKEN is set', async () => {
+      process.env.WORKOS_CLAIM_TOKEN = 'test-claim-token';
+      const fetchSpy = vi
+        .spyOn(globalThis, 'fetch')
+        .mockResolvedValueOnce(new Response(JSON.stringify({ nonce: 'test-nonce' }), { status: 201 }));
+      vi.resetModules();
+      const { getAuthorizationUrl: freshGetAuthorizationUrl } = await import('./get-authorization-url.js');
+      vi.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+      await freshGetAuthorizationUrl({});
+      expect(fetchSpy).toHaveBeenCalledWith(
+        'https://api.workos.com/x/one-shot-environments/claim-nonces',
+        expect.objectContaining({
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ client_id: 'client_1234567890', claim_token: 'test-claim-token' }),
+        }),
+      );
+      expect(workos.userManagement.getAuthorizationUrl).toHaveBeenCalledWith(
+        expect.objectContaining({ claimNonce: 'test-nonce' }),
+      );
+      fetchSpy.mockRestore();
+    });
+    it('proceeds without nonce on network error', async () => {
+      process.env.WORKOS_CLAIM_TOKEN = 'test-claim-token';
+      const fetchSpy = vi.spyOn(globalThis, 'fetch').mockRejectedValueOnce(new Error('Network error'));
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      vi.resetModules();
+      const { getAuthorizationUrl: freshGetAuthorizationUrl } = await import('./get-authorization-url.js');
+      vi.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+      await freshGetAuthorizationUrl({});
+      expect(workos.userManagement.getAuthorizationUrl).toHaveBeenCalledWith(
+        expect.not.objectContaining({ claimNonce: expect.any(String) }),
+      );
+      expect(warnSpy).toHaveBeenCalledWith(
+        '[authkit-nextjs]: Failed to exchange WORKOS_CLAIM_TOKEN. Try removing WORKOS_CLAIM_TOKEN from your environment variables.',
+        expect.any(Error),
+      );
+      fetchSpy.mockRestore();
+      warnSpy.mockRestore();
+    });
+    it('proceeds without nonce on non-OK response', async () => {
+      process.env.WORKOS_CLAIM_TOKEN = 'test-claim-token';
+      const fetchSpy = vi
+        .spyOn(globalThis, 'fetch')
+        .mockResolvedValueOnce(new Response('Unauthorized', { status: 401 }));
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      vi.resetModules();
+      const { getAuthorizationUrl: freshGetAuthorizationUrl } = await import('./get-authorization-url.js');
+      vi.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+      await freshGetAuthorizationUrl({});
+      expect(workos.userManagement.getAuthorizationUrl).toHaveBeenCalledWith(
+        expect.not.objectContaining({ claimNonce: expect.any(String) }),
+      );
+      expect(warnSpy).toHaveBeenCalledWith(
+        '[authkit-nextjs]: Failed to exchange WORKOS_CLAIM_TOKEN (401). Try removing WORKOS_CLAIM_TOKEN from your environment variables.',
+      );
+      fetchSpy.mockRestore();
+      warnSpy.mockRestore();
+    });
+    it('includes PKCE and claim nonce together', async () => {
+      process.env.WORKOS_CLAIM_TOKEN = 'test-claim-token';
+      const fetchSpy = vi
+        .spyOn(globalThis, 'fetch')
+        .mockResolvedValueOnce(new Response(JSON.stringify({ nonce: 'test-nonce' }), { status: 201 }));
+      vi.resetModules();
+      const { getAuthorizationUrl: freshGetAuthorizationUrl } = await import('./get-authorization-url.js');
+      vi.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+      const result = await freshGetAuthorizationUrl({});
+      expect(workos.userManagement.getAuthorizationUrl).toHaveBeenCalledWith(
+        expect.objectContaining({
+          claimNonce: 'test-nonce',
+          codeChallenge: 'test-code-challenge',
+          codeChallengeMethod: 'S256',
+        }),
+      );
+      expect(result.sealedState).toBeDefined();
+      fetchSpy.mockRestore();
+    });
+  });
+  describe('PKCE', () => {
+    it('always generates PKCE pair and includes code challenge', async () => {
+      vi.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+      const result = await getAuthorizationUrl({});
+      expect(fakeWorkosInstance.pkce.generate).toHaveBeenCalled();
+      expect(workos.userManagement.getAuthorizationUrl).toHaveBeenCalledWith(
+        expect.objectContaining({
+          codeChallenge: 'test-code-challenge',
+          codeChallengeMethod: 'S256',
+        }),
+      );
+      expect(result.url).toBe('mock-url');
+      expect(result.sealedState).toBeDefined();
+      expect(result.sealedState).not.toBe('');
+    });
+    it('seals codeVerifier and nonce into state', async () => {
+      vi.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+      const result = await getAuthorizationUrl({});
+      const { codeVerifier, nonce } = await getStateFromPKCECookieValue(result.sealedState);
+      expect(codeVerifier).toBe('test-code-verifier');
+      expect(nonce).toBeDefined();
+      expect(typeof nonce).toBe('string');
+    });
+  });
 });

package/src/get-authorization-url.ts CHANGED Viewed

@@ -1,37 +1,83 @@
-import { getWorkOS } from './workos.js';
-import { WORKOS_CLIENT_ID, WORKOS_REDIRECT_URI } from './env-variables.js';
-import { GetAuthURLOptions } from './interfaces.js';
+import { sealData } from 'iron-session';
 import { headers } from 'next/headers';
+import { WORKOS_CLAIM_TOKEN, WORKOS_CLIENT_ID, WORKOS_COOKIE_PASSWORD, WORKOS_REDIRECT_URI } from './env-variables.js';
+import { GetAuthURLOptions, GetAuthURLResult, State } from './interfaces.js';
+import { getWorkOS } from './workos.js';
-async function getAuthorizationUrl(options: GetAuthURLOptions = {}) {
-  const headersList = await headers();
-  const {
-    returnPathname,
-    screenHint,
-    organizationId,
-    redirectUri = headersList.get('x-redirect-uri'),
-    loginHint,
-    prompt,
-    state: customState,
-  } = options;
+async function fetchClaimNonce(baseURL: string): Promise<string | null> {
+  try {
+    const response = await fetch(`${baseURL}/x/one-shot-environments/claim-nonces`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        client_id: WORKOS_CLIENT_ID,
+        claim_token: WORKOS_CLAIM_TOKEN,
+      }),
+    });
+    if (!response.ok) {
+      if (response.status !== 409) {
+        console.warn(
+          `[authkit-nextjs]: Failed to exchange WORKOS_CLAIM_TOKEN (${response.status}). Try removing WORKOS_CLAIM_TOKEN from your environment variables.`,
+        );
+      }
+      return null;
+    }
+    const data = await response.json();
+    return data.nonce;
+  } catch (error) {
+    console.warn(
+      '[authkit-nextjs]: Failed to exchange WORKOS_CLAIM_TOKEN. Try removing WORKOS_CLAIM_TOKEN from your environment variables.',
+      error,
+    );
+    return null;
+  }
+}
+async function getAuthorizationUrl({
+  returnPathname,
+  screenHint,
+  organizationId,
+  loginHint,
+  prompt,
+  state: customState,
+  redirectUri,
+}: GetAuthURLOptions = {}): Promise<GetAuthURLResult> {
+  const redirectUriToUse = await (async () => {
+    if (redirectUri) {
+      return redirectUri;
+    }
+    const headersList = await headers();
+    return headersList.get('x-redirect-uri') ?? undefined;
+  })();
-  const internalState = returnPathname
-    ? btoa(JSON.stringify({ returnPathname })).replace(/\+/g, '-').replace(/\//g, '_')
-    : null;
+  const pkce = await getWorkOS().pkce.generate();
+  const claimNonce = WORKOS_CLAIM_TOKEN ? await fetchClaimNonce(getWorkOS().baseURL) : null;
-  const finalState =
-    internalState && customState ? `${internalState}.${customState}` : internalState || customState || undefined;
+  const state = {
+    nonce: crypto.randomUUID(),
+    codeVerifier: pkce.codeVerifier,
+    customState,
+    returnPathname,
+  } satisfies State;
+  const sealedState = await sealData(state, { password: WORKOS_COOKIE_PASSWORD, ttl: 600 });
-  return getWorkOS().userManagement.getAuthorizationUrl({
-    provider: 'authkit',
+  const url = getWorkOS().userManagement.getAuthorizationUrl({
+    provider: 'authkit' as const,
     clientId: WORKOS_CLIENT_ID,
-    redirectUri: redirectUri ?? WORKOS_REDIRECT_URI,
-    state: finalState,
+    redirectUri: redirectUriToUse ?? WORKOS_REDIRECT_URI,
     screenHint,
     organizationId,
     loginHint,
     prompt,
+    state: sealedState,
+    codeChallenge: pkce.codeChallenge,
+    codeChallengeMethod: pkce.codeChallengeMethod,
+    ...(claimNonce && { claimNonce }),
   });
+  return { url, sealedState };
 }
 export { getAuthorizationUrl };

package/src/index.ts CHANGED Viewed

@@ -1,22 +1,40 @@
 import { getSignInUrl, getSignUpUrl, signOut, switchToOrganization } from './auth.js';
 import { handleAuth } from './authkit-callback-route.js';
-import { authkit, authkitMiddleware } from './middleware.js';
+import { AuthKitError, TokenRefreshError } from './errors.js';
+import { authkit, authkitMiddleware, authkitProxy } from './middleware.js';
+export {
+  applyResponseHeaders,
+  handleAuthkitHeaders,
+  handleAuthkitProxy,
+  partitionAuthkitHeaders,
+  isAuthkitRequestHeader,
+  AUTHKIT_REQUEST_HEADERS,
+  type AuthkitHeadersResult,
+  type AuthkitRedirectStatus,
+  type AuthkitRequestHeader,
+  type HandleAuthkitHeadersOptions,
+} from './middleware-helpers.js';
 import { getTokenClaims, refreshSession, saveSession, withAuth } from './session.js';
+import { validateApiKey } from './validate-api-key.js';
 import { getWorkOS } from './workos.js';
 export * from './interfaces.js';
 export {
+  AuthKitError,
+  TokenRefreshError,
   authkit,
   authkitMiddleware,
+  authkitProxy,
   getSignInUrl,
   getSignUpUrl,
+  getTokenClaims,
   getWorkOS,
   handleAuth,
   refreshSession,
   saveSession,
   signOut,
   switchToOrganization,
+  validateApiKey,
   withAuth,
-  getTokenClaims,
 };