Hi team, firstly thanks for your work on this repo, it is great to be able to build our adapter on top of it and I appreciate the work that goes into it.
I just wanted to report that I think there was an oversight with the new PKCE functionality in v0.6.0 with regards to the lazy createAuthService missing the clearPendingVerifierByName functionality. If I am doing something wrong or something is incorrect here I do apologise. Below is what I am finding.
In @workos/authkit-session@0.6.0, AuthService declares and implements clearPendingVerifierByName(), and the PKCE eviction docs point adapters toward clearing stale verifier cookies discovered by name, e.g. after selectStalePKCEVerifierCookieNames().
However, the object returned by createAuthService() does not expose clearPendingVerifierByName at runtime.
This creates a mismatch in the code:
- TypeScript says it exists, because
createAuthService<TRequest, TResponse>() returns AuthService<TRequest, TResponse>
- Runtime object does not include it, because
src/service/factory.ts returns a plain proxy object missing that method
We are following the documented createAuthService() integration path and as a result of the above we cannot safely call clearPendingVerifierByName()
Minimal runtime check:
import { createAuthService } from '@workos/authkit-session';
const service = createAuthService({
sessionStorageFactory: () => ({
getCookie: async () => null,
setCookie: async () => ({}),
clearCookie: async () => ({}),
getSession: async () => null,
saveSession: async () => ({}),
clearSession: async () => ({})
})
});
console.log('typeof clearPendingVerifier:', typeof service.clearPendingVerifier);
console.log('typeof clearPendingVerifierByName:', typeof service.clearPendingVerifierByName);
// @workos/authkit-session@0.6.0 output:
// typeof clearPendingVerifier: function
// typeof clearPendingVerifierByName: undefinedLike I say, do let me know if I am doing something wrong or if you need more information and thanks again for your work.
Hi team, firstly thanks for your work on this repo, it is great to be able to build our adapter on top of it and I appreciate the work that goes into it.
I just wanted to report that I think there was an oversight with the new PKCE functionality in v0.6.0 with regards to the lazy
createAuthServicemissing theclearPendingVerifierByNamefunctionality. If I am doing something wrong or something is incorrect here I do apologise. Below is what I am finding.In
@workos/authkit-session@0.6.0,AuthServicedeclares and implementsclearPendingVerifierByName(), and the PKCE eviction docs point adapters toward clearing stale verifier cookies discovered by name, e.g. afterselectStalePKCEVerifierCookieNames().However, the object returned by
createAuthService()does not exposeclearPendingVerifierByNameat runtime.This creates a mismatch in the code:
createAuthService<TRequest, TResponse>()returnsAuthService<TRequest, TResponse>src/service/factory.tsreturns a plain proxy object missing that methodWe are following the documented
createAuthService()integration path and as a result of the above we cannot safely callclearPendingVerifierByName()Minimal runtime check:
Like I say, do let me know if I am doing something wrong or if you need more information and thanks again for your work.