@workos-inc/authkit-nextjs 4.1.1 → 4.1.2

package/README.md

@@ -992,11 +992,11 @@ The `wos-auth-verifier` cookie must survive the round-trip from sign-in initiati
 
 If the cookie is missing or doesn't match, authentication will fail with one of:
 
-- `Auth cookie missing` — the cookie was not sent back with the callback request. This typically happens when a reverse proxy or CDN strips `Set-Cookie` headers on redirects.
+- `Sign-in session could not be verified` — the cookie was not sent back with the callback request. This typically happens when the session has expired or a reverse proxy or CDN strips `Set-Cookie` headers on redirects.
 - `OAuth state mismatch` — the cookie and URL `state` parameter don't match, indicating a possible CSRF attack or cookie corruption.
 
 > [!IMPORTANT]
-> **Upgrading to v3:** Previous versions would silently fall back to verifying only the URL `state` parameter when the cookie was missing. This fallback has been removed because it disabled CSRF protection. If you see `Auth cookie missing` errors after upgrading, ensure that `Set-Cookie` headers are propagated on redirects between your application and the user's browser.
+> **Upgrading to v3:** Previous versions would silently fall back to verifying only the URL `state` parameter when the cookie was missing. This fallback has been removed because it disabled CSRF protection. If you see `Sign-in session could not be verified` errors after upgrading, ensure that `Set-Cookie` headers are propagated on redirects between your application and the user's browser.
 
 ### Troubleshooting
 

package/dist/esm/authkit-callback-route.js

@@ -41,7 +41,7 @@ export function handleAuth(options = {}) {
             const pkceCookie = request.cookies.get(pkceCookieName)?.value ?? request.cookies.get(PKCE_COOKIE_NAME)?.value;
             // CSRF verification: both channels (cookie + URL state) must be present and match
             if (!pkceCookie) {
-                throw new Error('Auth cookie missing — cannot verify OAuth state. Ensure Set-Cookie headers are propagated on redirects.');
+                throw new Error('Sign-in session could not be verified. Please try signing in again.');
             }
             if (state !== pkceCookie) {
                 throw new Error('OAuth state mismatch');

package/dist/esm/authkit-callback-route.js.map

@@ -1 +1 @@
-{"version":3,"file":"authkit-callback-route.js","sourceRoot":"","sources":["../../src/authkit-callback-route.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,EAAE,gBAAgB,EAAE,yBAAyB,EAAE,2BAA2B,EAAE,MAAM,WAAW,CAAC;AACrG,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAC3C,OAAO,EAAE,yBAAyB,EAAE,oBAAoB,EAAE,yBAAyB,EAAE,MAAM,YAAY,CAAC;AACxG,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAExC,SAAS,cAAc,CAAC,OAAgB;IACtC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC9B,yBAAyB,CAAC,OAAO,CAAC,CAAC;AACrC,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,UAA6B,EAAE;IACxD,MAAM,EAAE,cAAc,EAAE,oBAAoB,GAAG,GAAG,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC;IAE5F,iDAAiD;IACjD,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,CAAC;YACH,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,oBAAoB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QACnE,CAAC;IACH,CAAC;IAED,OAAO,KAAK,UAAU,GAAG,CAAC,OAAoB;QAC5C,iFAAiF;QACjF,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,IAAI,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAE3D,+BAA+B;QAC/B,MAAM,IAAI,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACjD,MAAM,KAAK,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAEnD,qEAAqE;QACrE,sEAAsE;QACtE,0CAA0C;QAC1C,IAAI,CAAC;YACH,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBACpB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;YACrD,CAAC;YAED,oEAAoE;YACpE,uEAAuE;YACvE,sEAAsE;YACtE,oEAAoE;YACpE,6CAA6C;YAC7C,MAAM,cAAc,GAAG,yBAAyB,CAAC,KAAK,CAAC,CAAC;YACxD,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,KAAK,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,EAAE,KAAK,CAAC;YAE9G,kFAAkF;YAClF,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,KAAK,CACb,yGAAyG,CAC1G,CAAC;YACJ,CAAC;YAED,IAAI,KAAK,KAAK,UAAU,EAAE,CAAC;gBACzB,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;YAC1C,CAAC;YAED,MAAM,EACJ,YAAY,EACZ,WAAW,EACX,cAAc,EAAE,mBAAmB,GACpC,GAAG,MAAM,2BAA2B,CAAC,UAAU,CAAC,CAAC;YAElD,+EAA+E;YAC/E,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,oBAAoB,EAAE,cAAc,EAAE,GACxG,MAAM,SAAS,EAAE,CAAC,cAAc,CAAC,oBAAoB,CAAC;gBACpD,QAAQ,EAAE,gBAAgB;gBAC1B,IAAI;gBACJ,YAAY;aACb,CAAC,CAAC;YAEL,IAAI,CAAC,WAAW,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClC,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;YAChD,CAAC;YAED,4DAA4D;YAC5D,0EAA0E;YAC1E,4DAA4D;YAC5D,MAAM,GAAG,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC;YAExE,iBAAiB;YACjB,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAChC,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAEjC,uDAAuD;YACvD,MAAM,cAAc,GAAG,mBAAmB,IAAI,oBAAoB,CAAC;YAEnE,yDAAyD;YACzD,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,cAAc,EAAE,yBAAyB,CAAC,CAAC;YAC3E,GAAG,CAAC,QAAQ,GAAG,eAAe,CAAC,QAAQ,CAAC;YACxC,GAAG,CAAC,MAAM,GAAG,eAAe,CAAC,MAAM,CAAC;YAEpC,mEAAmE;YACnE,iCAAiC;YACjC,MAAM,QAAQ,GAAG,oBAAoB,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;YACtD,cAAc,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAEjC,4FAA4F;YAC5F,0EAA0E;YAC1E,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,cAAc,MAAM,oBAAoB,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;YAE9G,MAAM,WAAW,CAAC,EAAE,WAAW,EAAE,YAAY,EAAE,IAAI,EAAE,YAAY,EAAE,oBAAoB,EAAE,EAAE,OAAO,CAAC,CAAC;YAEpG,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,SAAS,CAAC;oBACd,WAAW;oBACX,YAAY;oBACZ,IAAI;oBACJ,YAAY;oBACZ,WAAW;oBACX,oBAAoB;oBACpB,cAAc;oBACd,KAAK,EAAE,WAAW;iBACnB,CAAC,CAAC;YACL,CAAC;YAED,OAAO,QAAQ,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,0BAA0B,EAAE,KAAK,CAAC,CAAC;YACjD,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;YAErD,4FAA4F;YAC5F,0EAA0E;YAC1E,IAAI,KAAK,EAAE,CAAC;gBACV,QAAQ,CAAC,OAAO,CAAC,MAAM,CACrB,YAAY,EACZ,GAAG,yBAAyB,CAAC,KAAK,CAAC,MAAM,oBAAoB,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,CACzF,CAAC;YACJ,CAAC;YAED,OAAO,QAAQ,CAAC;QAClB,CAAC;IACH,CAAC,CAAC;IAEF,KAAK,UAAU,aAAa,CAAC,OAAoB,EAAE,KAAe;QAChE,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;YACnD,cAAc,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YACjC,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,MAAM,QAAQ,GAAG,yBAAyB,CAAC;YACzC,KAAK,EAAE;gBACL,OAAO,EAAE,sBAAsB;gBAC/B,WAAW,EAAE,8FAA8F;aAC5G;SACF,CAAC,CAAC;QAEH,cAAc,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACjC,OAAO,QAAQ,CAAC;IAClB,CAAC;AACH,CAAC"}
+{"version":3,"file":"authkit-callback-route.js","sourceRoot":"","sources":["../../src/authkit-callback-route.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,EAAE,gBAAgB,EAAE,yBAAyB,EAAE,2BAA2B,EAAE,MAAM,WAAW,CAAC;AACrG,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAC3C,OAAO,EAAE,yBAAyB,EAAE,oBAAoB,EAAE,yBAAyB,EAAE,MAAM,YAAY,CAAC;AACxG,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAExC,SAAS,cAAc,CAAC,OAAgB;IACtC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC9B,yBAAyB,CAAC,OAAO,CAAC,CAAC;AACrC,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,UAA6B,EAAE;IACxD,MAAM,EAAE,cAAc,EAAE,oBAAoB,GAAG,GAAG,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC;IAE5F,iDAAiD;IACjD,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,CAAC;YACH,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,oBAAoB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QACnE,CAAC;IACH,CAAC;IAED,OAAO,KAAK,UAAU,GAAG,CAAC,OAAoB;QAC5C,iFAAiF;QACjF,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,IAAI,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAE3D,+BAA+B;QAC/B,MAAM,IAAI,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACjD,MAAM,KAAK,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAEnD,qEAAqE;QACrE,sEAAsE;QACtE,0CAA0C;QAC1C,IAAI,CAAC;YACH,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBACpB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;YACrD,CAAC;YAED,oEAAoE;YACpE,uEAAuE;YACvE,sEAAsE;YACtE,oEAAoE;YACpE,6CAA6C;YAC7C,MAAM,cAAc,GAAG,yBAAyB,CAAC,KAAK,CAAC,CAAC;YACxD,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,KAAK,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,EAAE,KAAK,CAAC;YAE9G,kFAAkF;YAClF,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,KAAK,CAAC,qEAAqE,CAAC,CAAC;YACzF,CAAC;YAED,IAAI,KAAK,KAAK,UAAU,EAAE,CAAC;gBACzB,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;YAC1C,CAAC;YAED,MAAM,EACJ,YAAY,EACZ,WAAW,EACX,cAAc,EAAE,mBAAmB,GACpC,GAAG,MAAM,2BAA2B,CAAC,UAAU,CAAC,CAAC;YAElD,+EAA+E;YAC/E,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,oBAAoB,EAAE,cAAc,EAAE,GACxG,MAAM,SAAS,EAAE,CAAC,cAAc,CAAC,oBAAoB,CAAC;gBACpD,QAAQ,EAAE,gBAAgB;gBAC1B,IAAI;gBACJ,YAAY;aACb,CAAC,CAAC;YAEL,IAAI,CAAC,WAAW,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClC,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;YAChD,CAAC;YAED,4DAA4D;YAC5D,0EAA0E;YAC1E,4DAA4D;YAC5D,MAAM,GAAG,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC;YAExE,iBAAiB;YACjB,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAChC,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAEjC,uDAAuD;YACvD,MAAM,cAAc,GAAG,mBAAmB,IAAI,oBAAoB,CAAC;YAEnE,yDAAyD;YACzD,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,cAAc,EAAE,yBAAyB,CAAC,CAAC;YAC3E,GAAG,CAAC,QAAQ,GAAG,eAAe,CAAC,QAAQ,CAAC;YACxC,GAAG,CAAC,MAAM,GAAG,eAAe,CAAC,MAAM,CAAC;YAEpC,mEAAmE;YACnE,iCAAiC;YACjC,MAAM,QAAQ,GAAG,oBAAoB,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;YACtD,cAAc,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAEjC,4FAA4F;YAC5F,0EAA0E;YAC1E,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,cAAc,MAAM,oBAAoB,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;YAE9G,MAAM,WAAW,CAAC,EAAE,WAAW,EAAE,YAAY,EAAE,IAAI,EAAE,YAAY,EAAE,oBAAoB,EAAE,EAAE,OAAO,CAAC,CAAC;YAEpG,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,SAAS,CAAC;oBACd,WAAW;oBACX,YAAY;oBACZ,IAAI;oBACJ,YAAY;oBACZ,WAAW;oBACX,oBAAoB;oBACpB,cAAc;oBACd,KAAK,EAAE,WAAW;iBACnB,CAAC,CAAC;YACL,CAAC;YAED,OAAO,QAAQ,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,0BAA0B,EAAE,KAAK,CAAC,CAAC;YACjD,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;YAErD,4FAA4F;YAC5F,0EAA0E;YAC1E,IAAI,KAAK,EAAE,CAAC;gBACV,QAAQ,CAAC,OAAO,CAAC,MAAM,CACrB,YAAY,EACZ,GAAG,yBAAyB,CAAC,KAAK,CAAC,MAAM,oBAAoB,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,CACzF,CAAC;YACJ,CAAC;YAED,OAAO,QAAQ,CAAC;QAClB,CAAC;IACH,CAAC,CAAC;IAEF,KAAK,UAAU,aAAa,CAAC,OAAoB,EAAE,KAAe;QAChE,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;YACnD,cAAc,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YACjC,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,MAAM,QAAQ,GAAG,yBAAyB,CAAC;YACzC,KAAK,EAAE;gBACL,OAAO,EAAE,sBAAsB;gBAC/B,WAAW,EAAE,8FAA8F;aAC5G;SACF,CAAC,CAAC;QAEH,cAAc,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACjC,OAAO,QAAQ,CAAC;IAClB,CAAC;AACH,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@workos-inc/authkit-nextjs",
-  "version": "4.1.1",
+  "version": "4.1.2",
   "description": "Authentication and session helpers for using WorkOS & AuthKit with Next.js",
   "sideEffects": false,
   "type": "module",

package/src/authkit-callback-route.spec.ts

@@ -233,6 +233,50 @@ describe('authkit-callback-route', () => {
       expect(location).not.toContain('https://example.com/invite');
     });
 
+    // Regression coverage for the open-redirect / javascript:-URI class reported
+    // against the `state` param. `returnPathname` is read only from the sealed
+    // (tamper-proof) PKCE cookie and the callback copies only the pathname +
+    // search onto the app's own origin, so a hostile value can never change the
+    // redirect's scheme or host. These tests pin that invariant so a refactor
+    // that started honoring the full URL would fail loudly.
+    describe('returnPathname is neutralized to the app origin', () => {
+      const appOrigin = 'http://example.com';
+      const hostileReturnPathnames = [
+        'javascript:alert(document.domain)',
+        'data:text/html,<script>alert(1)</script>',
+        'https://evil.com/phishing',
+        '//evil.com/phishing',
+        '/\\evil.com/phishing',
+        'https:/evil.com',
+      ];
+
+      it.each(hostileReturnPathnames)('keeps the redirect same-origin for %s', async (returnPathname) => {
+        vi.mocked(workos.userManagement.authenticateWithCode).mockResolvedValue(mockAuthResponse);
+
+        const sealedState = await setAuthCookie(request, {
+          nonce: 'foo',
+          codeVerifier: 'test-verifier',
+          returnPathname,
+        });
+        request.nextUrl.searchParams.set('code', 'test-code');
+        request.nextUrl.searchParams.set('state', sealedState);
+
+        const handler = handleAuth();
+        const response = await handler(request);
+
+        const location = response.headers.get('Location');
+        expect(location).not.toBeNull();
+        const redirectUrl = new URL(location!);
+
+        // The scheme is never javascript:/data: and the host is never the
+        // attacker's — a hostile value can only ever become a path on our own
+        // origin (e.g. "https:/evil.com" lands at http://example.com/evil.com).
+        expect(redirectUrl.protocol).toBe('http:');
+        expect(redirectUrl.origin).toBe(appOrigin);
+        expect(redirectUrl.hostname).toBe('example.com');
+      });
+    });
+
     it('should use Response if NextResponse.redirect is not available', async () => {
       const originalRedirect = NextResponse.redirect;
       (NextResponse as Partial<typeof NextResponse>).redirect = undefined;

package/src/authkit-callback-route.ts

@@ -50,9 +50,7 @@ export function handleAuth(options: HandleAuthOptions = {}) {
 
       // CSRF verification: both channels (cookie + URL state) must be present and match
       if (!pkceCookie) {
-        throw new Error(
-          'Auth cookie missing — cannot verify OAuth state. Ensure Set-Cookie headers are propagated on redirects.',
-        );
+        throw new Error('Sign-in session could not be verified. Please try signing in again.');
       }
 
       if (state !== pkceCookie) {