remove accessToken from being sent to client components (#206)

* remove accessToken from being sent to client components

* ignore unused vars in sanitize function

* improve type on sanitize helper function

* remove oauthTokens from mock in test

Author: nicknisi

__tests__/authkit-provider.spec.tsx

@@ -219,8 +219,6 @@ describe('useAuth', () => {
       permissions: ['read', 'write'],
       entitlements: ['feature1'],
       impersonator: { email: 'admin@example.com' },
-      oauthTokens: { access_token: 'token123' },
-      accessToken: 'access123',
     });
 
     const TestComponent = () => {

src/actions.ts

@@ -1,9 +1,22 @@
 'use server';
 
 import { signOut } from './auth.js';
+import { NoUserInfo, UserInfo } from './interfaces.js';
 import { refreshSession, withAuth } from './session.js';
 import { getWorkOS } from './workos.js';
 
+/**
+ * This function is used to sanitize the auth object.
+ * Remove the accessToken from the auth object as it is not needed on the client side.
+ * @param value - The auth object to sanitize
+ * @returns The sanitized auth object
+ */
+function sanitize<T extends UserInfo | NoUserInfo>(value: T) {
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  const { accessToken, ...sanitized } = value;
+  return sanitized;
+}
+
 /**
  * This action is only accessible to authenticated users,
  * there is no need to check the session here as the middleware will
@@ -22,7 +35,7 @@ export const getOrganizationAction = async (organizationId: string) => {
 };
 
 export const getAuthAction = async (options?: { ensureSignedIn?: boolean }) => {
-  return await withAuth(options);
+  return sanitize(await withAuth(options));
 };
 
 export const refreshAuthAction = async ({
@@ -32,5 +45,5 @@ export const refreshAuthAction = async ({
   ensureSignedIn?: boolean;
   organizationId?: string;
 }) => {
-  return await refreshSession({ ensureSignedIn, organizationId });
+  return sanitize(await refreshSession({ ensureSignedIn, organizationId }));
 };

src/components/authkit-provider.tsx

@@ -12,7 +12,6 @@ type AuthContextType = {
   permissions: string[] | undefined;
   entitlements: string[] | undefined;
   impersonator: Impersonator | undefined;
-  accessToken: string | undefined;
   loading: boolean;
   getAuth: (options?: { ensureSignedIn?: boolean }) => Promise<void>;
   refreshAuth: (options?: { ensureSignedIn?: boolean; organizationId?: string }) => Promise<void | { error: string }>;
@@ -38,7 +37,6 @@ export const AuthKitProvider = ({ children, onSessionExpired }: AuthKitProviderP
   const [permissions, setPermissions] = useState<string[] | undefined>(undefined);
   const [entitlements, setEntitlements] = useState<string[] | undefined>(undefined);
   const [impersonator, setImpersonator] = useState<Impersonator | undefined>(undefined);
-  const [accessToken, setAccessToken] = useState<string | undefined>(undefined);
   const [loading, setLoading] = useState(true);
 
   const getAuth = async ({ ensureSignedIn = false }: { ensureSignedIn?: boolean } = {}) => {
@@ -51,7 +49,6 @@ export const AuthKitProvider = ({ children, onSessionExpired }: AuthKitProviderP
       setPermissions(auth.permissions);
       setEntitlements(auth.entitlements);
       setImpersonator(auth.impersonator);
-      setAccessToken(auth.accessToken);
     } catch (error) {
       setUser(null);
       setSessionId(undefined);
@@ -60,7 +57,6 @@ export const AuthKitProvider = ({ children, onSessionExpired }: AuthKitProviderP
       setPermissions(undefined);
       setEntitlements(undefined);
       setImpersonator(undefined);
-      setAccessToken(undefined);
     } finally {
       setLoading(false);
     }
@@ -81,7 +77,6 @@ export const AuthKitProvider = ({ children, onSessionExpired }: AuthKitProviderP
       setPermissions(auth.permissions);
       setEntitlements(auth.entitlements);
       setImpersonator(auth.impersonator);
-      setAccessToken(auth.accessToken);
     } catch (error) {
       return error instanceof Error ? { error: error.message } : { error: String(error) };
     } finally {
@@ -154,7 +149,6 @@ export const AuthKitProvider = ({ children, onSessionExpired }: AuthKitProviderP
         permissions,
         entitlements,
         impersonator,
-        accessToken,
         loading,
         getAuth,
         refreshAuth,