npm - @workos-inc/authkit-nextjs - Versions diffs - 3.0.0-beta.1 → 3.0.1 - Mend

@workos-inc/authkit-nextjs 3.0.0-beta.1 → 3.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (106) hide show

package/README.md +305 -102
package/dist/esm/actions.js +35 -5
package/dist/esm/actions.js.map +1 -1
package/dist/esm/auth.js +71 -21
package/dist/esm/auth.js.map +1 -1
package/dist/esm/authkit-callback-route.js +90 -92
package/dist/esm/authkit-callback-route.js.map +1 -1
package/dist/esm/components/authkit-provider.js +36 -15
package/dist/esm/components/authkit-provider.js.map +1 -1
package/dist/esm/components/impersonation.js +17 -15
package/dist/esm/components/impersonation.js.map +1 -1
package/dist/esm/components/min-max-button.js +1 -1
package/dist/esm/components/min-max-button.js.map +1 -1
package/dist/esm/components/tokenStore.js +28 -19
package/dist/esm/components/tokenStore.js.map +1 -1
package/dist/esm/components/useAccessToken.js +1 -1
package/dist/esm/components/useAccessToken.js.map +1 -1
package/dist/esm/components/useTokenClaims.js +1 -1
package/dist/esm/components/useTokenClaims.js.map +1 -1
package/dist/esm/cookie.js +20 -5
package/dist/esm/cookie.js.map +1 -1
package/dist/esm/env-variables.js +6 -6
package/dist/esm/env-variables.js.map +1 -1
package/dist/esm/errors.js +36 -0
package/dist/esm/errors.js.map +1 -0
package/dist/esm/get-authorization-url.js +51 -12
package/dist/esm/get-authorization-url.js.map +1 -1
package/dist/esm/index.js +5 -2
package/dist/esm/index.js.map +1 -1
package/dist/esm/interfaces.js +7 -1
package/dist/esm/interfaces.js.map +1 -1
package/dist/esm/middleware-helpers.js +102 -0
package/dist/esm/middleware-helpers.js.map +1 -0
package/dist/esm/middleware.js +3 -1
package/dist/esm/middleware.js.map +1 -1
package/dist/esm/pkce.js +52 -0
package/dist/esm/pkce.js.map +1 -0
package/dist/esm/session.js +82 -35
package/dist/esm/session.js.map +1 -1
package/dist/esm/test-helpers.js +1 -1
package/dist/esm/test-helpers.js.map +1 -1
package/dist/esm/types/actions.d.ts +34 -5
package/dist/esm/types/auth.d.ts +7 -15
package/dist/esm/types/components/authkit-provider.d.ts +6 -2
package/dist/esm/types/components/impersonation.d.ts +2 -1
package/dist/esm/types/cookie.d.ts +9 -0
package/dist/esm/types/env-variables.d.ts +2 -1
package/dist/esm/types/errors.d.ts +15 -0
package/dist/esm/types/get-authorization-url.d.ts +2 -2
package/dist/esm/types/index.d.ts +5 -2
package/dist/esm/types/interfaces.d.ts +12 -0
package/dist/esm/types/jwt.d.ts +9 -9
package/dist/esm/types/middleware-helpers.d.ts +27 -0
package/dist/esm/types/middleware.d.ts +3 -1
package/dist/esm/types/pkce.d.ts +17 -0
package/dist/esm/types/session.d.ts +1 -1
package/dist/esm/types/utils.d.ts +5 -0
package/dist/esm/types/validate-api-key.d.ts +1 -0
package/dist/esm/types/workos.d.ts +1 -1
package/dist/esm/utils.js +10 -2
package/dist/esm/utils.js.map +1 -1
package/dist/esm/validate-api-key.js +16 -0
package/dist/esm/validate-api-key.js.map +1 -0
package/dist/esm/workos.js +1 -1
package/package.json +33 -34
package/src/actions.spec.ts +91 -18
package/src/actions.ts +44 -6
package/src/auth.spec.ts +79 -29
package/src/auth.ts +74 -42
package/src/authkit-callback-route.spec.ts +372 -58
package/src/authkit-callback-route.ts +121 -103
package/src/components/authkit-provider.spec.tsx +264 -70
package/src/components/authkit-provider.tsx +40 -15
package/src/components/button.spec.tsx +4 -6
package/src/components/impersonation.spec.tsx +152 -35
package/src/components/impersonation.tsx +37 -30
package/src/components/min-max-button.spec.tsx +2 -1
package/src/components/tokenStore.spec.ts +59 -44
package/src/components/tokenStore.ts +11 -3
package/src/components/useAccessToken.spec.tsx +82 -83
package/src/components/useTokenClaims.spec.tsx +23 -22
package/src/cookie.spec.ts +63 -9
package/src/cookie.ts +35 -0
package/src/env-variables.ts +2 -0
package/src/errors.spec.ts +108 -0
package/src/errors.ts +46 -0
package/src/get-authorization-url.spec.ts +170 -15
package/src/get-authorization-url.ts +69 -23
package/src/index.ts +20 -2
package/src/interfaces.ts +15 -0
package/src/jwt.ts +9 -9
package/src/middleware-helpers.spec.ts +238 -0
package/src/middleware-helpers.ts +134 -0
package/src/middleware.spec.ts +25 -0
package/src/middleware.ts +4 -1
package/src/pkce.spec.ts +146 -0
package/src/pkce.ts +59 -0
package/src/session.spec.ts +87 -89
package/src/session.ts +104 -27
package/src/test-helpers.ts +1 -1
package/src/utils.spec.ts +14 -31
package/src/utils.ts +9 -0
package/src/validate-api-key.spec.ts +111 -0
package/src/validate-api-key.ts +19 -0
package/src/workos.spec.ts +2 -2
package/src/workos.ts +1 -1

package/src/auth.spec.ts CHANGED Viewed

@@ -1,57 +1,63 @@
-import { describe, it, expect, beforeEach, jest } from '@jest/globals';
 import { getSignInUrl, getSignUpUrl, signOut, switchToOrganization } from './auth.js';
 import * as session from './session.js';
 import * as cache from 'next/cache';
 import * as workosModule from './workos.js';
-// These are mocked in jest.setup.ts
+// These are mocked in vitest.setup.ts
 import { cookies, headers } from 'next/headers';
 import { redirect } from 'next/navigation';
 import { generateSession, generateTestToken } from './test-helpers.js';
 import { sealData } from 'iron-session';
 import { getWorkOS } from './workos.js';
+import { getStateFromPKCECookieValue } from './pkce.js';
 const workos = getWorkOS();
-jest.mock('next/cache', () => {
-  const actual = jest.requireActual<typeof cache>('next/cache');
+vi.mock('next/cache', async () => {
+  const actual = await vi.importActual<typeof cache>('next/cache');
   return {
     ...actual,
-    revalidateTag: jest.fn(),
-    revalidatePath: jest.fn(),
+    revalidateTag: vi.fn(),
+    revalidatePath: vi.fn(),
   };
 });
 // Create a fake WorkOS instance that will be used only in the "on error" tests
 const fakeWorkosInstance = {
   userManagement: {
-    authenticateWithRefreshToken: jest.fn(),
-    getAuthorizationUrl: jest.fn(),
-    getJwksUrl: jest.fn(() => 'https://api.workos.com/sso/jwks/client_1234567890'),
-    getLogoutUrl: jest.fn(),
+    authenticateWithRefreshToken: vi.fn(),
+    getAuthorizationUrl: vi.fn(),
+    getJwksUrl: vi.fn(() => 'https://api.workos.com/sso/jwks/client_1234567890'),
+    getLogoutUrl: vi.fn(),
+  },
+  pkce: {
+    generate: vi.fn().mockResolvedValue({
+      codeVerifier: 'test-code-verifier',
+      codeChallenge: 'test-code-challenge',
+      codeChallengeMethod: 'S256' as const,
+    }),
   },
 };
-const revalidatePath = jest.mocked(cache.revalidatePath);
-const revalidateTag = jest.mocked(cache.revalidateTag);
+const revalidatePath = vi.mocked(cache.revalidatePath);
+const revalidateTag = vi.mocked(cache.revalidateTag);
 // We'll only use these in the "on error" tests
 const authenticateWithRefreshToken = fakeWorkosInstance.userManagement.authenticateWithRefreshToken;
 const getAuthorizationUrl = fakeWorkosInstance.userManagement.getAuthorizationUrl;
-jest.mock('../src/session', () => {
-  const actual = jest.requireActual<typeof session>('../src/session');
+vi.mock('../src/session', async () => {
+  const actual = await vi.importActual<typeof session>('../src/session');
   return {
     ...actual,
-    refreshSession: jest.fn(actual.refreshSession),
+    refreshSession: vi.fn(actual.refreshSession),
   };
 });
 describe('auth.ts', () => {
   beforeEach(async () => {
     // Clear all mocks between tests
-    jest.clearAllMocks();
+    vi.clearAllMocks();
     // Reset the cookie store
     const nextCookies = await cookies();
@@ -76,6 +82,15 @@ describe('auth.ts', () => {
       expect(url).toBeDefined();
       expect(() => new URL(url)).not.toThrow();
     });
+    it('should include returnTo as returnPathname in the state parameter', async () => {
+      const url = await getSignInUrl({ returnTo: '/dashboard' });
+      const parsedUrl = new URL(url);
+      const state = parsedUrl.searchParams.get('state');
+      expect(state).toBeDefined();
+      const decoded = await getStateFromPKCECookieValue(state!);
+      expect(decoded.returnPathname).toBe('/dashboard');
+    });
   });
   it('should not include prompt when not specified for getSignInUrl', async () => {
@@ -103,6 +118,15 @@ describe('auth.ts', () => {
       const url = await getSignUpUrl({ prompt: 'consent' });
       expect(url).toContain('prompt=consent');
     });
+    it('should include returnTo as returnPathname in the state parameter', async () => {
+      const url = await getSignUpUrl({ returnTo: '/welcome' });
+      const parsedUrl = new URL(url);
+      const state = parsedUrl.searchParams.get('state');
+      expect(state).toBeDefined();
+      const decoded = await getStateFromPKCECookieValue(state!);
+      expect(decoded.returnPathname).toBe('/welcome');
+    });
   });
   describe('switchToOrganization', () => {
@@ -135,14 +159,21 @@ describe('auth.ts', () => {
         nextHeaders.set('x-url', 'http://localhost/test');
         await generateSession();
+        fakeWorkosInstance.pkce.generate.mockResolvedValue({
+          codeVerifier: 'test-code-verifier',
+          codeChallenge: 'test-code-challenge',
+          codeChallengeMethod: 'S256' as const,
+        });
         // Create a WorkOS-like object that matches what our tests need
         const mockWorkOS = {
           userManagement: fakeWorkosInstance.userManagement,
+          pkce: fakeWorkosInstance.pkce,
           // Add minimal properties to satisfy TypeScript
-          createHttpClient: jest.fn(),
-          createWebhookClient: jest.fn(),
-          createActionsClient: jest.fn(),
-          createIronSessionProvider: jest.fn(),
+          createHttpClient: vi.fn(),
+          createWebhookClient: vi.fn(),
+          createActionsClient: vi.fn(),
+          createIronSessionProvider: vi.fn(),
           apiKey: 'test',
           clientId: 'test',
           host: 'test',
@@ -154,12 +185,12 @@ describe('auth.ts', () => {
         // Apply the mock for these tests only
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        jest.spyOn(workosModule, 'getWorkOS').mockImplementation(() => mockWorkOS as any);
+        vi.spyOn(workosModule, 'getWorkOS').mockImplementation(() => mockWorkOS as any);
       });
       afterEach(() => {
         // Restore all mocks after each test
-        jest.restoreAllMocks();
+        vi.restoreAllMocks();
       });
       it('should redirect to sign in when error is "sso_required"', async () => {
@@ -243,11 +274,30 @@ describe('auth.ts', () => {
       expect(sessionCookie).toBeUndefined();
     });
+    it('should clear lingering PKCE verifier cookies (legacy and per-flow)', async () => {
+      const nextCookies = await cookies();
+      const nextHeaders = await headers();
+      nextHeaders.set('x-workos-middleware', 'true');
+      nextCookies.set('wos-session', 'foo');
+      nextCookies.set('wos-auth-verifier', 'legacy-state');
+      nextCookies.set('wos-auth-verifier-a1b2c3d4', 'flow-a-state');
+      nextCookies.set('wos-auth-verifier-deadbeef', 'flow-b-state');
+      nextCookies.set('unrelated-cookie', 'keep-me');
+      await signOut();
+      expect(nextCookies.get('wos-auth-verifier')).toBeUndefined();
+      expect(nextCookies.get('wos-auth-verifier-a1b2c3d4')).toBeUndefined();
+      expect(nextCookies.get('wos-auth-verifier-deadbeef')).toBeUndefined();
+      expect(nextCookies.get('unrelated-cookie')?.value).toBe('keep-me');
+    });
     describe('when given a `returnTo` parameter', () => {
       it('passes the `returnTo` through to the `getLogoutUrl` call', async () => {
-        jest
-          .spyOn(workos.userManagement, 'getLogoutUrl')
-          .mockReturnValue('https://user-management-logout.com/signed-out');
+        vi.spyOn(workos.userManagement, 'getLogoutUrl').mockReturnValue(
+          'https://user-management-logout.com/signed-out',
+        );
         const mockSession = {
           accessToken: await generateTestToken(),
           sessionId: 'session_123',
@@ -306,9 +356,9 @@ describe('auth.ts', () => {
         nextCookies.set('wos-session', encryptedSession);
-        jest
-          .spyOn(workos.userManagement, 'getLogoutUrl')
-          .mockReturnValue('https://api.workos.com/user_management/sessions/logout?session_id=session_123');
+        vi.spyOn(workos.userManagement, 'getLogoutUrl').mockReturnValue(
+          'https://api.workos.com/user_management/sessions/logout?session_id=session_123',
+        );
         await signOut();

package/src/auth.ts CHANGED Viewed

@@ -5,41 +5,47 @@ import { revalidatePath, revalidateTag } from 'next/cache';
 import { cookies, headers } from 'next/headers';
 import { redirect } from 'next/navigation';
 import { WORKOS_COOKIE_NAME } from './env-variables.js';
-import { getCookieOptions } from './cookie.js';
+import { getCookieOptions, getPKCECookieOptions } from './cookie.js';
 import { getAuthorizationUrl } from './get-authorization-url.js';
-import type { AccessToken, SwitchToOrganizationOptions, UserInfo } from './interfaces.js';
+import type { AccessToken, GetAuthURLOptions, SwitchToOrganizationOptions, UserInfo } from './interfaces.js';
+import { PKCE_COOKIE_NAME, setPKCECookie } from './pkce.js';
 import { getSessionFromCookie, refreshSession, withAuth } from './session.js';
 import { getWorkOS } from './workos.js';
-export async function getSignInUrl({
-  organizationId,
-  loginHint,
-  redirectUri,
-  prompt,
-  state,
-}: {
-  organizationId?: string;
-  loginHint?: string;
-  redirectUri?: string;
-  prompt?: 'consent';
-  state?: string;
-} = {}) {
-  return getAuthorizationUrl({ organizationId, screenHint: 'sign-in', loginHint, redirectUri, prompt, state });
+/**
+ * A wrapper around revalidateTag to provide compatibility with previous versions.
+ * @param tag The tag to revalidate.
+ */
+function revalidateTagCompat(tag: string): void {
+  const fn = revalidateTag as (tag: string, profile: string) => void;
+  return fn(tag, 'max');
+}
+async function getAuthURLAndSetPKCECookie(options: GetAuthURLOptions): Promise<string> {
+  const { url, sealedState } = await getAuthorizationUrl(options);
+  await setPKCECookie(sealedState);
+  return url;
+}
+type GetSignUrlOptions = Omit<GetAuthURLOptions, 'screenHint' | 'returnPathname'> & {
+  returnTo?: string;
+};
+export async function getSignInUrl(authUrlOptions: GetSignUrlOptions = {}) {
+  return getAuthURLAndSetPKCECookie({
+    ...authUrlOptions,
+    returnPathname: authUrlOptions.returnTo,
+    screenHint: 'sign-in',
+  });
 }
-export async function getSignUpUrl({
-  organizationId,
-  loginHint,
-  redirectUri,
-  prompt,
-  state,
-}: {
-  organizationId?: string;
-  loginHint?: string;
-  redirectUri?: string;
-  prompt?: 'consent';
-  state?: string;
-} = {}) {
-  return getAuthorizationUrl({ organizationId, screenHint: 'sign-up', loginHint, redirectUri, prompt, state });
+export async function getSignUpUrl(authUrlOptions: GetSignUrlOptions = {}) {
+  return getAuthURLAndSetPKCECookie({
+    ...authUrlOptions,
+    returnPathname: authUrlOptions.returnTo,
+    screenHint: 'sign-up',
+  });
 }
 /**
@@ -67,7 +73,30 @@ export async function signOut({ returnTo }: { returnTo?: string } = {}) {
     const nextCookies = await cookies();
     const cookieName = WORKOS_COOKIE_NAME || 'wos-session';
     const { domain, path, sameSite, secure } = getCookieOptions();
-    nextCookies.delete({ name: cookieName, domain, path, sameSite, secure });
+    try {
+      nextCookies.delete({ name: cookieName, domain, path, sameSite, secure });
+    } catch {
+      // Some environments (e.g., vinext) only accept a string cookie name
+      nextCookies.delete(cookieName);
+    }
+    // Clear any lingering PKCE verifier cookies so orphans from abandoned
+    // flows don't accumulate toward HTTP 431 or confuse future sign-ins.
+    const pkceOptions = getPKCECookieOptions();
+    for (const { name } of nextCookies.getAll()) {
+      if (!name.startsWith(PKCE_COOKIE_NAME)) continue;
+      try {
+        nextCookies.delete({
+          name,
+          domain: pkceOptions.domain,
+          path: pkceOptions.path,
+          sameSite: pkceOptions.sameSite,
+          secure: pkceOptions.secure,
+        });
+      } catch {
+        nextCookies.delete(name);
+      }
+    }
     if (sessionId) {
       redirect(getWorkOS().userManagement.getLogoutUrl({ sessionId, returnTo }));
@@ -98,22 +127,25 @@ export async function switchToOrganization(
       redirect(cause.rawData.authkit_redirect_url);
     } else {
       if (cause?.error === 'sso_required' || cause?.error === 'mfa_enrollment') {
-        const url = await getAuthorizationUrl({ organizationId });
-        return redirect(url);
+        return redirect(await getAuthURLAndSetPKCECookie({ organizationId }));
       }
       throw error;
     }
   }
-  switch (revalidationStrategy) {
-    case 'path':
-      revalidatePath(pathname);
-      break;
-    case 'tag':
-      for (const tag of revalidationTags) {
-        revalidateTag(tag);
-      }
-      break;
+  try {
+    switch (revalidationStrategy) {
+      case 'path':
+        revalidatePath(pathname);
+        break;
+      case 'tag':
+        for (const tag of revalidationTags) {
+          revalidateTagCompat(tag);
+        }
+        break;
+    }
+  } catch {
+    // revalidatePath/revalidateTag may not be available in non-Next.js environments (e.g., vinext)
   }
   if (revalidationStrategy !== 'none') {
     redirect(pathname);