Merge branch 'main' into 1965

Author: frederikprijck

.version

@@ -1 +1 @@
-v4.1.0
+v4.3.0

CHANGELOG.md

@@ -1,5 +1,27 @@
 # Change Log
 
+## [v4.3.0](https://github.com/auth0/nextjs-auth0/tree/v4.3.0) (2025-03-28)
+[Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v4.2.1...v4.3.0)
+
+**Added**
+- Access Token Exposure Control [\#1979](https://github.com/auth0/nextjs-auth0/pull/1979) ([tusharpandey13](https://github.com/tusharpandey13))
+- Cookie chunking support [\#1975](https://github.com/auth0/nextjs-auth0/pull/1975) ([tusharpandey13](https://github.com/tusharpandey13))
+- Add idToken to TokenSet in SessionData [\#1978](https://github.com/auth0/nextjs-auth0/pull/1978) ([tusharpandey13](https://github.com/tusharpandey13))
+
+## [v4.2.1](https://github.com/auth0/nextjs-auth0/tree/v4.2.1) (2025-03-24)
+[Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v4.2.0...v4.2.1)
+
+**Changed**
+- Bump next in SDK as well as examples [\#1992](https://github.com/auth0/nextjs-auth0/pull/1992) ([frederikprijck](https://github.com/frederikprijck))
+
+## [v4.2.0](https://github.com/auth0/nextjs-auth0/tree/v4.2.0) (2025-03-23)
+[Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v4.1.0...v4.2.0)
+
+**Security**
+- Enforce nextjs peerDependency to 14.2.25 and 15.2.3 [\#1988](https://github.com/auth0/nextjs-auth0/pull/1988) ([frederikprijck](https://github.com/frederikprijck))
+
+The above security fix was done to help prevent customers being vulnerable to [Authorization Bypass in Next.js Middleware](https://github.com/advisories/GHSA-f82v-jwr5-mffw).
+
 ## [v4.1.0](https://github.com/auth0/nextjs-auth0/tree/v4.1.0) (2025-03-13)
 [Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v4.0.3...v4.1.0)
 

EXAMPLES.md

@@ -32,6 +32,10 @@
   - [Custom routes](#custom-routes)
 - [Testing helpers](#testing-helpers)
   - [`generateSessionCookie`](#generatesessioncookie)
+- [Programmatically starting interactive login](#programmatically-starting-interactive-login)
+  - [Passing authorization parameters](#passing-authorization-parameters-1)
+  - [The `returnTo` parameter](#the-returnto-parameter-1)
+    - [Redirecting the user after authentication](#redirecting-the-user-after-authentication-1)
 
 ## Passing authorization parameters
 
@@ -60,14 +64,18 @@ The `returnTo` parameter can be appended to the login to specify where you would
 
 For example: `/auth/login?returnTo=/dashboard` would redirect the user to the `/dashboard` route after they have authenticated.
 
+> [!NOTE]  
+> The URL specified as `returnTo` parameters must be registered in your client's **Allowed Callback URLs**.
+
+
 ### Redirecting the user after logging out
 
 The `returnTo` parameter can be appended to the logout to specify where you would like to redirect the user after they have logged out.
 
 For example: `/auth/login?returnTo=https://example.com/some-page` would redirect the user to the `https://example.com/some-page` URL after they have logged out.
 
 > [!NOTE]  
-> The URLs specified as `returnTo` parameters must be registered in your client's **Allowed Logout URLs**.
+> The URL specified as `returnTo` parameters must be registered in your client's **Allowed Logout URLs**.
 
 ## Accessing the authenticated user
 
@@ -185,6 +193,15 @@ export async function middleware(request: NextRequest) {
 > [!IMPORTANT]  
 > The `request` object must be passed as a parameter to the `getSession(request)` method when called from a middleware to ensure that any updates to the session can be read within the same request.
 
+## Accessing the idToken
+`idToken` can be accessed from the session in the following way:
+
+```js
+const session = await auth0.getSession();
+const idToken = session.tokenSet.idToken;
+```
+
+
 ## Updating the session
 
 The `updateSession` method could be used to update the session of the currently authenticated user in the App Router, Pages Router, and middleware. If the user does not have a session, an error will be thrown.
@@ -754,31 +771,66 @@ const sessionCookieValue = await generateSessionCookie(
 ```
 
 
-## Programmatic Pushed Authentication Requests (PAR)
+## Programmatically starting interactive login
 
-The method `startInteractiveLogin` can be called with authorizationParams to initiate an interactive login flow.  
-The code collects authorization parameters on the server side rather than constructing them directly in the browser.
+Additionally to the ability to initialize the interactive login process by redirecting the user to the built-in `auth/login` endpoint,
+the `startInteractiveLogin` method can also be called programmatically.
 
 ```typescript
-// app/api/auth/login/route.ts
 import { auth0 } from "./lib/auth0";
 import { NextRequest } from "next/server";
 
 export const GET = async (req: NextRequest) => {
-  // Extract custom parameters from request URL if needed
-  const searchParams = Object.fromEntries(req.nextUrl.searchParams.entries());
+  return auth0.startInteractiveLogin();
+};
+```
+
+### Passing authorization parameters
+
+There are 2 ways to customize the authorization parameters that will be passed to the `/authorize` endpoint when calling `startInteractiveLogin` programmatically. The first option is through static configuration when instantiating the client, like so:
+
+```ts
+export const auth0 = new Auth0Client({
+  authorizationParameters: {
+    scope: "openid profile email",
+    audience: "urn:custom:api",
+  },
+});
+```
+
+The second option is by configuring `authorizationParams` when calling `startInteractiveLogin`:
+
+```ts
+import { auth0 } from "./lib/auth0";
+import { NextRequest } from "next/server";
 
+export const GET = async (req: NextRequest) => {
   // Call startInteractiveLogin with optional parameters
   return auth0.startInteractiveLogin({
-    // a custom returnTo URL can be specified
-    returnTo: "/dashboard",
     authorizationParameters: {
-      prompt: searchParams.prompt,
-      login_hint: searchParams.login_hint,
-      // Add any custom auth parameters if required
-      audience: "custom-audience"
+      scope: "openid profile email",
+      audience: "urn:custom:api",
     }
   });
 };
+```
 
-```
+## The `returnTo` parameter
+
+### Redirecting the user after authentication
+
+When calling `startInteractiveLogin`, the `returnTo` parameter can be configured to specify where you would like to redirect the user to after they have completed their authentication and have returned to your application.
+
+```ts
+import { auth0 } from "./lib/auth0";
+import { NextRequest } from "next/server";
+
+export const GET = async (req: NextRequest) => {
+  return auth0.startInteractiveLogin({
+    returnTo: '/dashboard',
+  });
+};
+```
+
+> [!NOTE]  
+> The URLs specified as `returnTo` parameters must be registered in your client's **Allowed Callback URLs**.

README.md

@@ -151,9 +151,9 @@ You can customize the client by using the options below:
 
 The SDK mounts 6 routes:
 
-1. `/auth/login`: the login route that the user will be redirected to to start a initiate an authentication transaction
-2. `/auth/logout`: the logout route that must be addedto your Auth0 application's Allowed Logout URLs
-3. `/auth/callback`: the callback route that must be addedto your Auth0 application's Allowed Callback URLs
+1. `/auth/login`: the login route that the user will be redirected to to initiate an authentication transaction
+2. `/auth/logout`: the logout route that must be added to your Auth0 application's Allowed Logout URLs
+3. `/auth/callback`: the callback route that must be added to your Auth0 application's Allowed Callback URLs
 4. `/auth/profile`: the route to check the user's session and return their attributes
 5. `/auth/access-token`: the route to check the user's session and return an access token (which will be automatically refreshed if a refresh token is available)
 6. `/auth/backchannel-logout`: the route that will receive a `logout_token` when a configured Back-Channel Logout initiator occurs
@@ -165,7 +165,7 @@ The SDK mounts 6 routes:
 We appreciate feedback and contribution to this repo! Before you get started, please read the following:
 
 - [Auth0's general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
-- [Auth0's code of conduct guidelines](https://github.com/auth0/express-openid-connect/blob/master/CODE-OF-CONDUCT.md)
+- [Auth0's code of conduct guidelines](https://github.com/auth0/nextjs-auth0/blob/main/CODE-OF-CONDUCT.md)
 - [This repo's contribution guide](./CONTRIBUTING.md)
 
 ### Raise an issue
@@ -189,5 +189,5 @@ Please do not report security vulnerabilities on the public GitHub issue tracker
   Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more checkout <a href="https://auth0.com/why-auth0">Why Auth0?</a>
 </p>
 <p align="center">
-  This project is licensed under the MIT license. See the <a href="https://github.com/auth0/express-openid-connect/blob/master/LICENSE"> LICENSE</a> file for more info.
+  This project is licensed under the MIT license. See the <a href="https://github.com/auth0/nextjs-auth0/blob/main/LICENSE"> LICENSE</a> file for more info.
 </p>