Initial commit

Author: Paul Asjes

.eslintignore

@@ -0,0 +1 @@
+.eslintrc.cjs

.eslintrc.cjs

@@ -0,0 +1,10 @@
+module.exports = {
+  root: true,
+  extends: [
+		'eslint:recommended',
+		'prettier',
+    'plugin:@typescript-eslint/recommended',
+    'plugin:require-extensions/recommended',
+  ],
+  plugins: ['require-extensions'],
+};

.github/workflows/release.yml

@@ -0,0 +1,45 @@
+name: Release
+
+on:
+  # Support manually pushing a new release
+  workflow_dispatch: {}
+  # Trigger when a release is published
+  release:
+    types: [published]
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  test:
+    name: Publish to NPM
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 18
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Install Dependencies
+        run: |
+          npm install
+
+      - name: Build project
+        run: |
+          npm run build
+
+      - name: Push Release
+        if: ${{ !github.event.release.prerelease }}
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: |
+          npm publish --tag latest --access=public
+
+      - name: Push Pre-Release
+        if: ${{ github.event.release.prerelease }}
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: |
+          npm publish --tag next --access=public

.gitignore

@@ -0,0 +1,3 @@
+.DS_Store
+node_modules
+dist

.prettierrc

@@ -0,0 +1,6 @@
+{
+  "quoteProps": "consistent",
+  "singleQuote": true,
+  "trailingComma": "all",
+  "printWidth": 120
+}

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 WorkOS
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,219 @@
+# AuthKit Remix Library
+
+The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js.
+
+## Installation
+
+Install the package with:
+
+```
+npm i @workos-inc/authkit-nextjs
+```
+
+or
+
+```
+yarn add @workos-inc/authkit-nextjs
+```
+
+## Pre-flight
+
+Make sure the following values are present in your `.env.local` environment variables file. The client ID and API key can be found in the [WorkOS dashboard](https://dashboard.workos.com), and the redirect URI can also be configured there.
+
+```sh
+WORKOS_CLIENT_ID="client_..." # retrieved from the WorkOS dashboard
+WORKOS_API_KEY="sk_test_..." # retrieved from the WorkOS dashboard
+WORKOS_REDIRECT_URI="http://localhost:3000/callback" # configured in the WorkOS dashboard
+WORKOS_COOKIE_PASSWORD="<your password>" # generate a secure password here
+```
+
+`WORKOS_COOKIE_PASSWORD` is the private key used to encrypt the session cookie. It has to be at least 32 characters long. You can use the [1Password generator](https://1password.com/password-generator/) or the `openssl` library to generate a strong password via the command line:
+
+```
+openssl rand -base64 24
+```
+
+To use the `signOut` method, you'll need to set your app's homepage in your WorkOS dashboard settings under "Redirects".
+
+### Optional configuration
+
+Certain environment variables are optional and can be used to debug or configure cookie settings.
+
+```sh
+WORKOS_COOKIE_MAX_AGE='600' # maximum age of the cookie in seconds. Defaults to 31 days
+WORKOS_API_HOSTNAME='api.workos.com' # base WorkOS API URL
+WORKOS_API_HTTPS=true # whether to use HTTPS in API calls
+WORKOS_API_PORT=3000 # port to use for API calls
+```
+
+## Setup
+
+### Callback route
+
+WorkOS requires that you have a callback URL to redirect users back to after they've authenticated. In your Next.js app, [expose an API route](https://nextjs.org/docs/app/building-your-application/routing/route-handlers) and add the following.
+
+```ts
+import { handleAuth } from '@workos-inc/authkit-nextjs';
+
+export const GET = handleAuth();
+```
+
+Make sure this route matches the `WORKOS_REDIRECT_URI` variable and the configured redirect URI in your WorkOS dashboard. For instance if your redirect URI is `http://localhost:3000/auth/callback` then you'd put the above code in `/app/auth/callback/route.ts`.
+
+You can also control the pathname the user will be sent to after signing-in by passing a `returnPathname` option to `handleAuth` like so:
+
+```ts
+export const GET = handleAuth({ returnPathname: '/dashboard' });
+```
+
+### Middleware
+
+This library relies on [Next.js middleware](https://nextjs.org/docs/app/building-your-application/routing/middleware) to provide session management for routes. Put the following in your `middleware.ts` file in the root of your project:
+
+```ts
+import { authkitMiddleware } from '@workos-inc/authkit-nextjs';
+
+export default authkitMiddleware();
+
+// Match against pages that require auth
+// Leave this out if you want auth on every resource (including images, css etc.)
+export const config = { matcher: ['/', '/admin'] };
+```
+
+## Usage
+
+### Get the current user
+
+For pages where you want to display a signed-in and signed-out view, use `getUser` to retrieve the user profile from WorkOS.
+
+```jsx
+import Link from 'next/link';
+import { getSignInUrl, getSignUpUrl, getUser, signOut } from '@workos-inc/authkit-nextjs';
+
+export default async function HomePage() {
+  // Retrieves the user from the session or returns `null` if no user is signed in
+  const { user } = await getUser();
+
+  if (!user) {
+    // Get the URL to redirect the user to AuthKit to sign in
+    const signInUrl = await getSignInUrl();
+
+    // Get the URL to redirect the user to AuthKit to sign up
+    const signUpUrl = await getSignUpUrl();
+
+    return (
+      <>
+        <Link href={signInUrl}>Log in</Link>
+        <Link href={signUpUrl}>Sign Up</Link>
+      </>
+    );
+  }
+
+  return (
+    <form
+      action={async () => {
+        'use server';
+        await signOut();
+      }}
+    >
+      <p>Welcome back {user?.firstName && `, ${user?.firstName}`}</p>
+      <button type="submit">Sign out</button>
+    </form>
+  );
+}
+```
+
+### Requiring auth
+
+For pages where a signed-in user is mandatory, you can use the `ensureSignedIn` option:
+
+```jsx
+const { user } = await getUser({ ensureSignedIn: true });
+```
+
+Enabling `ensureSignedIn` will redirect users to AuthKit if they attempt to access the page without being authenticated.
+
+### Middleware auth
+
+The default behavior of this library is to request authentication via the `getUser` method on a per-page basis. There are some use cases where you don't want to call `getUser` (e.g. you don't need user data for your page) or if you'd prefer a "secure by default" approach where every route defined in your middleware matcher is protected unless specified otherwise. In those cases you can opt-in to use middleware auth instead:
+
+```ts
+import { authkitMiddleware } from '@workos-inc/authkit-nextjs';
+
+export default authkitMiddleware({
+  middlewareAuth: {
+    enabled: true,
+    unauthenticatedPaths: ['/', '/about'],
+  },
+});
+
+// Match against pages that require auth
+// Leave this out if you want auth on every resource (including images, css etc.)
+export const config = { matcher: ['/', '/admin/:path*', '/about'] };
+```
+
+In the above example the `/admin` page will require a user to be signed in, whereas `/` and `/about` can be accessed without signing in.
+
+`unauthenticatedPaths` uses the same glob logic as the [Next.js matcher](https://nextjs.org/docs/pages/building-your-application/routing/middleware#matcher).
+
+### Signing out
+
+Use the `signOut` method to sign out the current logged in user and redirect to your app's homepage. The homepage redirect is set in your WorkOS dashboard settings under "Redirect".
+
+### Visualizing an impersonation
+
+Render the `Impersonation` component in your app so that it is clear when someone is [impersonating a user](https://workos.com/docs/user-management/impersonation).
+The component will display a frame with some information about the impersonated user, as well as a button to stop impersonating.
+
+```jsx
+import { Impersonation } from '@workos-inc/authkit-nextjs';
+
+export default function App() {
+  return (
+    <div>
+      <Impersonation />
+      {/* Your app content */}
+    </div>
+  );
+}
+```
+
+### Get the access token
+
+Sometimes it is useful to obtain the access token directly, for instance to make API requests to another service.
+
+```jsx
+import { getUser } from '@workos-inc/authkit-nextjs';
+
+export default async function HomePage() {
+  const { accessToken } = await getUser();
+
+  if (!accessToken) {
+    return <div>Not signed in</div>;
+  }
+
+  const serviceData = await fetch('/api/path', {
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+    },
+  });
+
+  return <div>{serviceData}</div>;
+}
+```
+
+### Debugging
+
+To enable debug logs, initialize the middleware with the debug flag enabled.
+
+```js
+import { authkitMiddleware } from '@workos-inc/authkit-nextjs';
+
+export default authkitMiddleware({ debug: true });
+```
+
+### Troubleshooting
+
+#### NEXT_REDIRECT error when using try/catch blocks
+
+Wrapping a `getUser({ ensureSignedIn: true })` call in a try/catch block will cause a `NEXT_REDIRECT` error. This is because `getUser` will attempt to redirect the user to AuthKit if no session is detected and redirects in Next must be [called outside a try/catch](https://nextjs.org/docs/app/building-your-application/data-fetching/server-actions-and-mutations#redirecting).