Skip to content

feat(pkce)!: consume storage-owned verifier cookie API (authkit-session 0.4.0) #66

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
nicknisi wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

feat(pkce)!: consume storage-owned verifier cookie API (authkit-session 0.4.0) #66

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
8914927
feat!: bind OAuth state to PKCE verifier cookie
nicknisi Apr 17, 2026
a630a98
refactor: extract applyContextRedirectUri helper
nicknisi Apr 17, 2026
f1556a3
feat(pkce)!: consume storage-owned verifier cookie API
nicknisi Apr 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions example/src/components/sign-in-button.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ import { Button, Flex } from '@radix-ui/themes';
import { Link } from '@tanstack/react-router';
import type { User } from '@workos/authkit-tanstack-react-start';

export default function SignInButton({ large, user, url }: { large?: boolean; user: User | null; url: string }) {
export default function SignInButton({ large, user }: { large?: boolean; user: User | null }) {
if (user) {
return (
<Flex gap="3">
Expand All @@ -17,7 +17,7 @@ export default function SignInButton({ large, user, url }: { large?: boolean; us

return (
<Button asChild size={large ? '3' : '2'}>
<a href={url}>Sign In{large && ' with AuthKit'}</a>
<a href="/api/auth/sign-in">Sign In{large && ' with AuthKit'}</a>
</Button>
);
}
35 changes: 33 additions & 2 deletions example/src/routeTree.gen.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ import { Route as ClientRouteImport } from './routes/client'
import { Route as AuthenticatedRouteImport } from './routes/_authenticated'
import { Route as IndexRouteImport } from './routes/index'
import { Route as AuthenticatedAccountRouteImport } from './routes/_authenticated/account'
import { Route as ApiAuthSignInRouteImport } from './routes/api/auth/sign-in'
import { Route as ApiAuthCallbackRouteImport } from './routes/api/auth/callback'

const LogoutRoute = LogoutRouteImport.update({
Expand All @@ -40,6 +41,11 @@ const AuthenticatedAccountRoute = AuthenticatedAccountRouteImport.update({
path: '/account',
getParentRoute: () => AuthenticatedRoute,
} as any)
const ApiAuthSignInRoute = ApiAuthSignInRouteImport.update({
id: '/api/auth/sign-in',
path: '/api/auth/sign-in',
getParentRoute: () => rootRouteImport,
} as any)
const ApiAuthCallbackRoute = ApiAuthCallbackRouteImport.update({
id: '/api/auth/callback',
path: '/api/auth/callback',
Expand All @@ -52,13 +58,15 @@ export interface FileRoutesByFullPath {
'/logout': typeof LogoutRoute
'/account': typeof AuthenticatedAccountRoute
'/api/auth/callback': typeof ApiAuthCallbackRoute
'/api/auth/sign-in': typeof ApiAuthSignInRoute
}
export interface FileRoutesByTo {
'/': typeof IndexRoute
'/client': typeof ClientRoute
'/logout': typeof LogoutRoute
'/account': typeof AuthenticatedAccountRoute
'/api/auth/callback': typeof ApiAuthCallbackRoute
'/api/auth/sign-in': typeof ApiAuthSignInRoute
}
export interface FileRoutesById {
__root__: typeof rootRouteImport
Expand All @@ -68,12 +76,25 @@ export interface FileRoutesById {
'/logout': typeof LogoutRoute
'/_authenticated/account': typeof AuthenticatedAccountRoute
'/api/auth/callback': typeof ApiAuthCallbackRoute
'/api/auth/sign-in': typeof ApiAuthSignInRoute
}
export interface FileRouteTypes {
fileRoutesByFullPath: FileRoutesByFullPath
fullPaths: '/' | '/client' | '/logout' | '/account' | '/api/auth/callback'
fullPaths:
| '/'
| '/client'
| '/logout'
| '/account'
| '/api/auth/callback'
| '/api/auth/sign-in'
fileRoutesByTo: FileRoutesByTo
to: '/' | '/client' | '/logout' | '/account' | '/api/auth/callback'
to:
| '/'
| '/client'
| '/logout'
| '/account'
| '/api/auth/callback'
| '/api/auth/sign-in'
id:
| '__root__'
| '/'
Expand All @@ -82,6 +103,7 @@ export interface FileRouteTypes {
| '/logout'
| '/_authenticated/account'
| '/api/auth/callback'
| '/api/auth/sign-in'
fileRoutesById: FileRoutesById
}
export interface RootRouteChildren {
Expand All @@ -90,6 +112,7 @@ export interface RootRouteChildren {
ClientRoute: typeof ClientRoute
LogoutRoute: typeof LogoutRoute
ApiAuthCallbackRoute: typeof ApiAuthCallbackRoute
ApiAuthSignInRoute: typeof ApiAuthSignInRoute
}

declare module '@tanstack/react-router' {
Expand Down Expand Up @@ -129,6 +152,13 @@ declare module '@tanstack/react-router' {
preLoaderRoute: typeof AuthenticatedAccountRouteImport
parentRoute: typeof AuthenticatedRoute
}
'/api/auth/sign-in': {
id: '/api/auth/sign-in'
path: '/api/auth/sign-in'
fullPath: '/api/auth/sign-in'
preLoaderRoute: typeof ApiAuthSignInRouteImport
parentRoute: typeof rootRouteImport
}
'/api/auth/callback': {
id: '/api/auth/callback'
path: '/api/auth/callback'
Expand Down Expand Up @@ -157,6 +187,7 @@ const rootRouteChildren: RootRouteChildren = {
ClientRoute: ClientRoute,
LogoutRoute: LogoutRoute,
ApiAuthCallbackRoute: ApiAuthCallbackRoute,
ApiAuthSignInRoute: ApiAuthSignInRoute,
}
export const routeTree = rootRouteImport
._addFileChildren(rootRouteChildren)
Expand Down
11 changes: 3 additions & 8 deletions example/src/routes/__root.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@ import { HeadContent, Link, Outlet, Scripts, createRootRoute } from '@tanstack/r
import appCssUrl from '../app.css?url';
import { TanStackRouterDevtools } from '@tanstack/react-router-devtools';
import { Suspense } from 'react';
import { getSignInUrl } from '@workos/authkit-tanstack-react-start';
import { AuthKitProvider, Impersonation, getAuthAction } from '@workos/authkit-tanstack-react-start/client';
import Footer from '../components/footer';
import SignInButton from '../components/sign-in-button';
Expand All @@ -29,18 +28,14 @@ export const Route = createRootRoute({
// getAuthAction() returns auth state without accessToken, safe for client
// Pass to AuthKitProvider as initialAuth to avoid loading flicker
const auth = await getAuthAction();
const url = await getSignInUrl();
return {
auth,
url,
};
return { auth };
},
component: RootComponent,
notFoundComponent: () => <div>Not Found</div>,
});

function RootComponent() {
const { auth, url } = Route.useLoaderData();
const { auth } = Route.useLoaderData();
return (
<RootDocument>
<AuthKitProvider initialAuth={auth}>
Expand All @@ -67,7 +62,7 @@ function RootComponent() {
</Flex>

<Suspense fallback={<div>Loading...</div>}>
<SignInButton user={auth.user} url={url} />
<SignInButton user={auth.user} />
</Suspense>
</header>
</Flex>
Expand Down
7 changes: 3 additions & 4 deletions example/src/routes/_authenticated.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,14 +1,13 @@
import { redirect, createFileRoute } from '@tanstack/react-router';
import { getAuth, getSignInUrl } from '@workos/authkit-tanstack-react-start';
import { getAuth } from '@workos/authkit-tanstack-react-start';

export const Route = createFileRoute('/_authenticated')({
loader: async ({ location }) => {
// Loader runs on server (even during client-side navigation via RPC)
const { user } = await getAuth();
if (!user) {
const path = location.pathname;
const href = await getSignInUrl({ data: { returnPathname: path } });
throw redirect({ href });
const returnPathname = encodeURIComponent(location.pathname);
throw redirect({ href: `/api/auth/sign-in?returnPathname=${returnPathname}` });
}
},
});
17 changes: 17 additions & 0 deletions example/src/routes/api/auth/sign-in.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
import { createFileRoute } from '@tanstack/react-router';
import { getSignInUrl } from '@workos/authkit-tanstack-react-start';

export const Route = createFileRoute('/api/auth/sign-in')({
server: {
handlers: {
GET: async ({ request }: { request: Request }) => {
const returnPathname = new URL(request.url).searchParams.get('returnPathname');
const url = await getSignInUrl(returnPathname ? { data: { returnPathname } } : undefined);
return new Response(null, {
status: 307,
headers: { Location: url },
});
},
},
},
});
11 changes: 5 additions & 6 deletions example/src/routes/index.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,19 +1,18 @@
import { Button, Flex, Heading, Text } from '@radix-ui/themes';
import { Link, createFileRoute } from '@tanstack/react-router';
import { getAuth, getSignInUrl } from '@workos/authkit-tanstack-react-start';
import { getAuth } from '@workos/authkit-tanstack-react-start';
import SignInButton from '../components/sign-in-button';

export const Route = createFileRoute('/')({
component: Home,
loader: async () => {
const { user } = await getAuth();
const url = await getSignInUrl();
return { user, url };
return { user };
},
});

function Home() {
const { user, url } = Route.useLoaderData();
const { user } = Route.useLoaderData();

return (
<Flex direction="column" align="center" gap="2">
Expand All @@ -27,7 +26,7 @@ function Home() {
<Button asChild size="3" variant="soft">
<Link to="/account">View account</Link>
</Button>
<SignInButton url={url} user={user} large />
<SignInButton user={user} large />
</Flex>
</>
) : (
Expand All @@ -37,7 +36,7 @@ function Home() {
<Text size="5" color="gray" mb="4">
Sign in to view your account details
</Text>
<SignInButton user={user} url={url} large />
<SignInButton user={user} large />
</>
)}
</Flex>
Expand Down
7 changes: 5 additions & 2 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@
"url": "https://github.com/workos/authkit-tanstack-start/issues"
},
"dependencies": {
"@workos/authkit-session": "0.3.4"
"@workos/authkit-session": "0.4.0"
},
"peerDependencies": {
"@tanstack/react-router": ">=1.0.0",
Expand Down Expand Up @@ -97,6 +97,9 @@
"onlyBuiltDependencies": [
"@parcel/watcher",
"esbuild"
]
],
"overrides": {
"@workos/authkit-session": "link:../authkit-session"
}
Comment on lines +101 to +103
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps bot Apr 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 link: override must be removed before merging

The pnpm.overrides entry resolves @workos/authkit-session to link:../authkit-session, which means any environment that only has this repo checked out (including most CI systems and every downstream contributor) will get a hard install failure — ../authkit-session won't exist. The package.json dependencies field correctly specifies "0.4.0", but pnpm still resolves through the override before publishing. This entire block must be removed (or reverted to a registry version) before the PR lands on main.

Suggested change
"overrides": {
"@workos/authkit-session": "link:../authkit-session"
}
"pnpm": {
"onlyBuiltDependencies": [
"@parcel/watcher",
"esbuild"
]
}

}
}
39 changes: 5 additions & 34 deletions pnpm-lock.yaml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading