feat(next-cookies): modernize for Next.js 16 and React 19#39
riceharvest wants to merge 74 commits into main from
Conversation
- Upgraded multiple packages to modern standards (Next.js, Next-auth, PWA, SEO).
- Added new utility packages: critters, next-circuit-breaker, next-csrf, next-images, next-json-ld.
- Integrated Changesets for versioning.
- Updated CI/CD workflows and linting configurations.
- Fixed numerous linting and type-checking issues across the monorepo.
- Remove legacy NextAuth adapters and resolve workspace version conflicts
- Clean up test warning noise and fix tsconfig/jest setups for next-auth
- Update Workbox/Terser dependencies in next-pwa to align with workspace
- Synchronize root lockfile to reflect nested package resolutions
Fixes `JWT_AUTO_GENERATED_SIGNING_KEY` and `JWT_AUTO_GENERATED_ENCRYPTION_KEY` warnings properly by supplying JWKs directly in the test suite rather than mocking the logger.
Review Summary by Qodo
Modernize monorepo for Next.js 16 and React 19 with comprehensive enhancements and test migrations
Walkthroughs
Description
- **Modernized Next.js and React support**: Upgraded next to ^16.0.0 and updated peerDependencies for React 19 across multiple packages
- **Test framework migrations**: Migrated test suites from Jest/Vitest to Node.js built-in test module and Vitest, with updated assertions and mock functions
- **Enhanced session handling**: Refactored next-session with Web API (Request/Response) support, added getWebSession function, and improved type safety with explicit type parameters
- **CSRF improvements**: Added App Router support with verifyCsrfToken() function, enhanced token extraction and validation logic, updated cookie defaults (httpOnly from true to false for tokens)
- **MDX module expansion**: Implemented new utilities for node retrieval (getMdxNode, getAllMdxNodes), configuration loading, file discovery, dynamic route path generation, and client-side hydration hooks
- **OAuth modernization**: Removed external oauth package dependency and implemented native OAuth 2.x client using fetch API with async/await patterns
- **Router improvements**: Enhanced next-connect router with improved middleware dispatch logic, error handling for multiple next() calls, and better async/promise handling
- **Security and bug fixes**: Fixed critical CSS inlining in critters, improved container detection robustness, enhanced iron-session crypto handling with validation
- **Test coverage expansion**: Added comprehensive test suites for CSRF middleware, MDX functionality, OAuth providers, plugin composition, and authentication flows
- **Type definitions**: Added TypeScript declarations for PWA plugin, react-virtualized components, and MDX client module
- **Build configuration updates**: Simplified and modernized build configs for multiple packages with updated entry points and DTS generation
- **Utility enhancements**: Enhanced session utilities with duration unit parsing (s, m, h, d), improved headers support for both ServerResponse and Headers objects, added token storage utilities
Diagram
flowchart LR
A["Next.js 16<br/>React 19"] -->|"Upgrade"| B["Core Packages"]
B -->|"Enhance"| C["Session<br/>CSRF<br/>MDX"]
C -->|"Add Web API"| D["getWebSession<br/>App Router"]
E["Test Frameworks"] -->|"Migrate"| F["Node.js test<br/>Vitest"]
G["OAuth Package"] -->|"Remove"| H["Native fetch<br/>Implementation"]
I["Router"] -->|"Improve"| J["Error Handling<br/>Async Support"]
K["Security"] -->|"Fix"| L["CSS Inlining<br/>Crypto Validation"]
File Changes
1. packages/next-images/test/index.test.ts
Code Review by Qodo
1. vitest.config.js not Prettier
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d8e9f686a0
| return { | ||
| getOAuthAccessToken: (code, codeVerifier) => getOAuth2AccessToken(code, provider, codeVerifier), | ||
| get: (accessToken, results) => getOAuth2(provider, accessToken, results) |
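Review bot: the new `getOAuthAccessToken(code, codeVerifier)` closure takes a PKCE code verifier as its second argument, so whichever caller performs the code exchange must pass the verifier it persisted at sign-in and fail closed when that value is missing for a provider that requires PKCE; since this return object also no longer carries `useAuthorizationHeaderforGET`, the caller and this return shape have to change in the same commit.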
Keep OAuth2 client compatible with callback handler
The OAuth2 branch now returns an object with only getOAuthAccessToken and get, but oAuthCallback still unconditionally calls client.useAuthorizationHeaderforGET(...) before exchanging the code; this makes OAuth2 sign-in fail at runtime with TypeError for every OAuth2 provider callback. Please preserve that method (or update the caller and behavior together) so the callback flow remains executable.
| async getOAuthRequestToken(params = {}) { | ||
| // Implement OAuth 1.0a request token logic | ||
| throw new Error("OAuth 1.0a is not yet fully implemented in the native client. Please use OAuth 2.0 or contact maintainers.") |
Implement OAuth1 request token flow instead of throwing
The new OAuth1Client methods are placeholders that always throw, so any OAuth1 provider flow now fails during callback/sign-in (for example, providers that still declare OAuth 1.x like Twitter). This is a functional regression from the previous implementation, which delegated OAuth1 token operations to the oauth client.
| import { defineConfig } from "vitest/config" | ||
|
|
||
| export default defineConfig({ | ||
| test: { | ||
| globals: true, | ||
| env: { | ||
| NEXTAUTH_URL: "http://localhost:3000/api/auth", | ||
| }, | ||
| }, | ||
| }) |
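Review bot: `globals: true` makes `describe`/`it`/`expect` ambient, which only type-checks if the package tsconfig also lists `"types": ["vitest/globals"]`; otherwise prefer explicit `import { describe, it, expect } from "vitest"` in each test. Because the `env` block applies to every test file in the package, a test that needs a different `NEXTAUTH_URL` should override it locally (for example with `vi.stubEnv`) rather than mutate `process.env` at module load.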
1. vitest.config.js not prettier 📘 Rule violation ✓ Correctness
The newly added vitest.config.js uses double quotes and omits semicolons, conflicting with the repository’s Prettier style settings. This can create inconsistent formatting and noisy diffs across the monorepo.
Agent Prompt
## Issue description
`vitest.config.js` was added with formatting that conflicts with the repo’s Prettier style (double quotes and missing semicolons).
## Issue Context
Compliance requires Prettier-consistent formatting (2-space indentation, single quotes, semicolons, trailing commas, 100-char line length).
## Fix Focus Areas
- vitest.config.js[1-10]
| import path from "path" | ||
| import mock from "mock-fs" | ||
| import { renderToStaticMarkup } from "react-dom/server" | ||
| import { useHydrate } from "../src/client" | ||
| import { getNode, getAllNodes } from "../src/get-nodes" | ||
| import { getMdxNode } from "../src/get-nodes" |
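Review bot: `../src/get-nodes` is imported twice (`getNode, getAllNodes` on one line and `getMdxNode` on the next); merge them into one import and confirm the first pair is actually exported, since the rest of the PR names the new helpers `getMdxNode`/`getAllMdxNodes`. Also, `mock-fs` replaces the real filesystem for the whole process, so every test that calls `mock(...)` needs a matching `mock.restore()` in an `afterEach`, or later tests (including the `react-dom/server` rendering) can fail in confusing ways.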
2. Next-mdx .test.js file 📘 Rule violation ⛯ Reliability
A new test file was added as packages/next-mdx/test/index.test.js, which does not follow the required *.test.ts/*.test.tsx convention. This can break consistent test discovery and enforcement across packages.
Agent Prompt
## Issue description
A new test was added with a `.test.js` extension, which violates the required `*.test.ts`/`*.test.tsx` naming convention.
## Issue Context
The monorepo requires consistent test naming for cross-package test discovery and runner configuration.
## Fix Focus Areas
- packages/next-mdx/test/index.test.js[1-114]
| "description": "Automatically optimize images used in next.js projects (jpeg, png, gif, svg).", | ||
| "main": "lib/index.js", | ||
| "files": [ |
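Review bot: with `"main"` pointing at `lib/index.js`, the `files` array that opens on the next line must include `lib`, and the build has to run before publishing (for example in `prepublishOnly`); otherwise the published tarball advertises a `main` that does not exist and consumers get a module-not-found error on first import.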
3. Next-optimized-images main uses lib 📘 Rule violation ⛯ Reliability
packages/next-optimized-images/package.json sets main to lib/index.js instead of keeping the public entrypoint at src/index.ts. This breaks the standardized package entrypoint convention expected across the monorepo.
Agent Prompt
## Issue description
The package `main` entrypoint is set to `lib/index.js` rather than maintaining the standardized `src/index.ts` entrypoint.
## Issue Context
The monorepo requires packages to expose their public API via `src/index.ts` for consistent tooling and discoverability.
## Fix Focus Areas
- packages/next-optimized-images/package.json[1-16]
| export default function oAuthClient(provider) { | ||
| if (provider.version?.startsWith("2.")) { | ||
| // Handle OAuth v2.x | ||
| const authorizationUrl = new URL(provider.authorizationUrl) | ||
| const basePath = authorizationUrl.origin | ||
| const authorizePath = authorizationUrl.pathname | ||
| const accessTokenPath = new URL(provider.accessTokenUrl).pathname | ||
| const oauth2Client = new OAuth2( | ||
| provider.clientId, | ||
| provider.clientSecret, | ||
| basePath, | ||
| authorizePath, | ||
| accessTokenPath, | ||
| provider.headers | ||
| ) | ||
| oauth2Client.getOAuthAccessToken = getOAuth2AccessToken | ||
| oauth2Client.get = getOAuth2 | ||
| return oauth2Client | ||
| } | ||
| // Handle OAuth v1.x | ||
| const oauth1Client = new OAuth( | ||
| provider.requestTokenUrl, | ||
| provider.accessTokenUrl, | ||
| provider.clientId, | ||
| provider.clientSecret, | ||
| provider.version || "1.0", | ||
| provider.callbackUrl, | ||
| provider.encoding || "HMAC-SHA1" | ||
| ) | ||
|
|
||
| // Promisify get() and getOAuth2AccessToken() for OAuth1 | ||
| const originalGet = oauth1Client.get.bind(oauth1Client) | ||
| oauth1Client.get = (...args) => { | ||
| return new Promise((resolve, reject) => { | ||
| originalGet(...args, (error, result) => { | ||
| if (error) { | ||
| return reject(error) | ||
| } | ||
| resolve(result) | ||
| }) | ||
| }) | ||
| } | ||
| const originalGetOAuth1AccessToken = | ||
| oauth1Client.getOAuthAccessToken.bind(oauth1Client) | ||
| oauth1Client.getOAuthAccessToken = (...args) => { | ||
| return new Promise((resolve, reject) => { | ||
| // eslint-disable-next-line camelcase | ||
| originalGetOAuth1AccessToken( | ||
| ...args, | ||
| (error, oauth_token, oauth_token_secret, params) => { | ||
| if (error) { | ||
| return reject(error) | ||
| } | ||
|
|
||
| resolve({ | ||
| // TODO: Remove, this is only kept for backward compativility | ||
| // These are not in the OAuth 1.x spec | ||
| accessToken: oauth_token, | ||
| refreshToken: oauth_token_secret, | ||
| results: params, | ||
|
|
||
| oauth_token, | ||
| oauth_token_secret, | ||
| params, | ||
| }) | ||
| } | ||
| ) | ||
| }) | ||
| return { | ||
| getOAuthAccessToken: (code, codeVerifier) => getOAuth2AccessToken(code, provider, codeVerifier), | ||
| get: (accessToken, results) => getOAuth2(provider, accessToken, results) | ||
| } |
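Review bot: the OAuth1 promisification block (the `originalGet` and `originalGetOAuth1AccessToken` wrappers) is removed with no replacement visible in this hunk, and the object returned at the end only covers OAuth2. If OAuth 1.x is meant to keep working, the v1 branch needs an equivalent `getOAuthAccessToken` that resolves to `{ oauth_token, oauth_token_secret, params }`, the shape the removed `resolve()` call produced and callers depended on (the `accessToken`/`refreshToken` aliases there were already flagged as a backward-compatibility TODO, and `oauth_token_secret` is not a refresh token, so do not carry that naming forward). Fix the "compativility" typo if that comment survives anywhere.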
4. Oauth2 callback api broken 🐞 Bug ✓ Correctness
oAuthClient() no longer exposes useAuthorizationHeaderforGET and its getOAuthAccessToken/get signatures changed, but oauth/callback.js still calls the old API, causing runtime TypeErrors and incorrect request construction for OAuth2 providers. This breaks OAuth2 sign-in flows.
Agent Prompt
## Issue description
`packages/next-auth/src/server/lib/oauth/client.js` was refactored to return a new, smaller OAuth2 client API, but `packages/next-auth/src/server/lib/oauth/callback.js` still calls the old API (`useAuthorizationHeaderforGET`, 3-arg `getOAuthAccessToken`, and 3-arg `get`). This results in runtime failures for OAuth2 providers.
## Issue Context
The callback currently assumes an OAuth2 client similar to the previous `oauth` library wrapper. The new returned object does not provide the method or compatible signatures.
## Fix Focus Areas
- packages/next-auth/src/server/lib/oauth/client.js[11-16]
- packages/next-auth/src/server/lib/oauth/callback.js[38-62]
| class OAuth1Client { | ||
| constructor(provider) { | ||
| this.provider = provider | ||
| // Note: This is a placeholder for actual OAuth1 signature logic if needed. | ||
| // For now, we will use a small internal helper or inline the logic. | ||
| // Given the complexity of OAuth1 signatures, for the scope of this refactor | ||
| // and to maintain stability, we'll implement the basics or use a lightweight helper. | ||
| // In many cases, OAuth1 is being deprecated, but for this fork we want to keep it. | ||
| } | ||
|
|
||
| async getOAuthRequestToken(params = {}) { | ||
| // Implement OAuth 1.0a request token logic | ||
| throw new Error("OAuth 1.0a is not yet fully implemented in the native client. Please use OAuth 2.0 or contact maintainers.") | ||
| } | ||
|
|
||
| async getOAuthAccessToken(oauth_token, oauth_token_secret, oauth_verifier) { | ||
| // Implement OAuth 1.0a access token logic | ||
| throw new Error("OAuth 1.0a is not yet fully implemented in the native client.") | ||
| } | ||
|
|
||
| async get(url, oauth_token, oauth_token_secret) { | ||
| // Implement OAuth 1.0a authenticated request | ||
| throw new Error("OAuth 1.0a is not yet fully implemented in the native client.") | ||
| } |
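Review bot: every method of `OAuth1Client` throws, yet the constructor accepts any provider without complaint, so a misconfigured OAuth 1.0a provider only fails in the middle of a user's sign-in callback. Until HMAC-SHA1 request signing (RFC 5849) is implemented, throw from the constructor instead so the gap surfaces at boot, use one consistent message across the three methods, and make sure no error path ever interpolates `oauth_token_secret`, which is a credential, into the thrown message or logs.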
5. Oauth1 always throws 🐞 Bug ✓ Correctness
OAuth 1.x providers now receive an OAuth1Client whose token and profile request methods throw “not yet fully implemented” errors. This causes OAuth1 sign-in to fail for bundled OAuth1 providers (e.g., Twitter).
Agent Prompt
## Issue description
OAuth1 providers now route to an `OAuth1Client` implementation that throws for every required method, causing OAuth1 sign-in to fail.
## Issue Context
This repo includes an OAuth1 provider (`twitter`) and the OAuth callback path still executes OAuth1 flow for providers that do not start with `2.`.
## Fix Focus Areas
- packages/next-auth/src/server/lib/oauth/client.js[19-21]
- packages/next-auth/src/server/lib/oauth/client.js[215-238]
- packages/next-auth/src/providers/twitter.js[1-12]
- packages/next-auth/src/server/lib/oauth/callback.js[71-87]
| { | ||
| "name": "@opensourceframework/next-cookies", | ||
| "version": "2.1.3", | ||
| "version": "2.1.2", |
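Review bot: the `version` field moves from 2.1.3 to 2.1.2, which is a downgrade that npm will refuse to publish over the existing 2.1.3; since this PR adds Changesets, leave the field at 2.1.3 and let `changeset version` bump it at release time rather than editing package.json by hand.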
6. Next-cookies version rollback 🐞 Bug ⛯ Reliability
@opensourceframework/next-cookies version was changed from 2.1.3 down to 2.1.2. Package publishing will fail (registries reject lower versions) and release automation/changelogs will be inconsistent.
Agent Prompt
## Issue description
The package version for `@opensourceframework/next-cookies` was decreased from `2.1.3` to `2.1.2`, which will block publishing and confuse release tooling.
## Issue Context
Package registries (npm) require strictly increasing versions for republishing.
## Fix Focus Areas
- packages/next-cookies/package.json[1-4]
- pr_files_diffs/packages_next-cookies_package_json.patch[6-12]
Closes #22 (roadmap).
`next` to ^16.0.0 and updated `peerDependencies` for React 19.