fix(adapter-nextjs): server-side sign out not working with Firefox and Safari (aws-amplify#14246)

Author: HuiSF

packages/adapter-nextjs/__tests__/auth/handleAuthApiRouteRequestForAppRouter.test.ts

@@ -295,6 +295,7 @@ describe('handleAuthApiRouteRequestForAppRouter', () => {
 			oAuthConfig: testOAuthConfig,
 			setCookieOptions: {},
 			userPoolClientId: 'userPoolClientId',
+			origin: testOrigin,
 		});
 	});
 });

packages/adapter-nextjs/__tests__/auth/handleAuthApiRouteRequestForPagesRouter.test.ts

@@ -289,6 +289,7 @@ describe('handleAuthApiRouteRequestForPagesRouter', () => {
 				oAuthConfig: testOAuthConfig,
 				setCookieOptions: {},
 				userPoolClientId: 'userPoolClientId',
+				origin: testOrigin,
 			},
 		);
 	});

packages/adapter-nextjs/__tests__/auth/handlers/handleSignInCallbackRequest.test.ts

@@ -7,7 +7,7 @@ import {
 	appendSetCookieHeaders,
 	createAuthFlowProofCookiesRemoveOptions,
 	createErrorSearchParamsString,
-	createOnSignInCompleteRedirectIntermediate,
+	createRedirectionIntermediary,
 	createSignInFlowProofCookies,
 	createTokenCookies,
 	createTokenCookiesSetOptions,
@@ -37,8 +37,8 @@ const mockAppendSetCookieHeaders = jest.mocked(appendSetCookieHeaders);
 const mockCreateAuthFlowProofCookiesRemoveOptions = jest.mocked(
 	createAuthFlowProofCookiesRemoveOptions,
 );
-const mockCreateOnSignInCompleteRedirectIntermediate = jest.mocked(
-	createOnSignInCompleteRedirectIntermediate,
+const mockCreateRedirectionIntermediary = jest.mocked(
+	createRedirectionIntermediary,
 );
 const mockCreateSignInFlowProofCookies = jest.mocked(
 	createSignInFlowProofCookies,
@@ -78,7 +78,7 @@ describe('handleSignInCallbackRequest', () => {
 	afterEach(() => {
 		mockAppendSetCookieHeaders.mockClear();
 		mockCreateAuthFlowProofCookiesRemoveOptions.mockClear();
-		mockCreateOnSignInCompleteRedirectIntermediate.mockClear();
+		mockCreateRedirectionIntermediary.mockClear();
 		mockCreateSignInFlowProofCookies.mockClear();
 		mockCreateTokenCookies.mockClear();
 		mockCreateTokenCookiesSetOptions.mockClear();
@@ -300,8 +300,8 @@ describe('handleSignInCallbackRequest', () => {
 				headers.append('Set-cookie', 'mock-cookie-1');
 				headers.append('Set-cookie', 'mock-cookie-2');
 			});
-			mockCreateOnSignInCompleteRedirectIntermediate.mockImplementationOnce(
-				({ redirectOnSignInComplete }) =>
+			mockCreateRedirectionIntermediary.mockImplementationOnce(
+				({ redirectTo: redirectOnSignInComplete }) =>
 					`<html>redirect to ${redirectOnSignInComplete}</html>`,
 			);
 
@@ -352,10 +352,8 @@ describe('handleSignInCallbackRequest', () => {
 				mockCreateSignInFlowProofCookiesResult,
 				mockCreateAuthFlowProofCookiesRemoveOptionsResult,
 			);
-			expect(
-				mockCreateOnSignInCompleteRedirectIntermediate,
-			).toHaveBeenCalledWith({
-				redirectOnSignInComplete: expectedFinalRedirect,
+			expect(mockCreateRedirectionIntermediary).toHaveBeenCalledWith({
+				redirectTo: expectedFinalRedirect,
 			});
 			expect(mockGetRedirectOrDefault).toHaveBeenCalledWith(
 				handlerInput.redirectOnSignInComplete,

packages/adapter-nextjs/__tests__/auth/handlers/handleSignInCallbackRequestForPagesRouter.test.ts

@@ -7,7 +7,7 @@ import {
 	appendSetCookieHeadersToNextApiResponse,
 	createAuthFlowProofCookiesRemoveOptions,
 	createErrorSearchParamsString,
-	createOnSignInCompleteRedirectIntermediate,
+	createRedirectionIntermediary,
 	createSignInFlowProofCookies,
 	createTokenCookies,
 	createTokenCookiesSetOptions,
@@ -40,8 +40,8 @@ const mockAppendSetCookieHeadersToNextApiResponse = jest.mocked(
 const mockCreateAuthFlowProofCookiesRemoveOptions = jest.mocked(
 	createAuthFlowProofCookiesRemoveOptions,
 );
-const mockCreateOnSignInCompleteRedirectIntermediate = jest.mocked(
-	createOnSignInCompleteRedirectIntermediate,
+const mockCreateRedirectionIntermediary = jest.mocked(
+	createRedirectionIntermediary,
 );
 const mockCreateSignInFlowProofCookies = jest.mocked(
 	createSignInFlowProofCookies,
@@ -91,7 +91,7 @@ describe('handleSignInCallbackRequest', () => {
 	afterEach(() => {
 		mockAppendSetCookieHeadersToNextApiResponse.mockClear();
 		mockCreateAuthFlowProofCookiesRemoveOptions.mockClear();
-		mockCreateOnSignInCompleteRedirectIntermediate.mockClear();
+		mockCreateRedirectionIntermediary.mockClear();
 		mockCreateSignInFlowProofCookies.mockClear();
 		mockCreateTokenCookies.mockClear();
 		mockCreateTokenCookiesSetOptions.mockClear();
@@ -345,8 +345,8 @@ describe('handleSignInCallbackRequest', () => {
 					response.appendHeader('Set-cookie', 'mock-cookie-2');
 				},
 			);
-			mockCreateOnSignInCompleteRedirectIntermediate.mockImplementationOnce(
-				({ redirectOnSignInComplete }) =>
+			mockCreateRedirectionIntermediary.mockImplementationOnce(
+				({ redirectTo: redirectOnSignInComplete }) =>
 					`<html>redirect to ${redirectOnSignInComplete}</html>`,
 			);
 
@@ -396,10 +396,8 @@ describe('handleSignInCallbackRequest', () => {
 				mockSetCookieOptions,
 			);
 
-			expect(
-				mockCreateOnSignInCompleteRedirectIntermediate,
-			).toHaveBeenCalledWith({
-				redirectOnSignInComplete: expectedFinalRedirect,
+			expect(mockCreateRedirectionIntermediary).toHaveBeenCalledWith({
+				redirectTo: expectedFinalRedirect,
 			});
 			expect(getRedirectOrDefault).toHaveBeenCalledWith(
 				handlerInput.redirectOnSignInComplete,

packages/adapter-nextjs/__tests__/auth/handlers/handleSignOutCallbackRequest.test.ts

@@ -5,15 +5,21 @@ import {
 	createKeysForAuthStorage,
 } from 'aws-amplify/adapter-core';
 
-import { IS_SIGNING_OUT_COOKIE_NAME } from '../../../src/auth/constant';
+import {
+	IS_SIGNING_OUT_COOKIE_NAME,
+	IS_SIGNING_OUT_REDIRECTING_COOKIE_NAME,
+} from '../../../src/auth/constant';
 import { handleSignOutCallbackRequest } from '../../../src/auth/handlers/handleSignOutCallbackRequest';
 import { CreateAuthRoutesHandlersInput } from '../../../src/auth/types';
 import {
 	appendSetCookieHeaders,
+	createAuthFlowProofCookiesRemoveOptions,
+	createRedirectionIntermediary,
 	createTokenCookiesRemoveOptions,
 	createTokenRemoveCookies,
 	getCookieValuesFromRequest,
 	getRedirectOrDefault,
+	resolveRedirectSignOutUrl,
 	revokeAuthNTokens,
 } from '../../../src/auth/utils';
 
@@ -32,6 +38,13 @@ const mockGetCookieValuesFromRequest = jest.mocked(getCookieValuesFromRequest);
 const mockRevokeAuthNTokens = jest.mocked(revokeAuthNTokens);
 const mockCreateKeysForAuthStorage = jest.mocked(createKeysForAuthStorage);
 const mockGetRedirectOrDefault = jest.mocked(getRedirectOrDefault);
+const mockCreateAuthFlowProofCookiesRemoveOptions = jest.mocked(
+	createAuthFlowProofCookiesRemoveOptions,
+);
+const mockCreateRedirectionIntermediary = jest.mocked(
+	createRedirectionIntermediary,
+);
+const mockResolveRedirectSignOutUrl = jest.mocked(resolveRedirectSignOutUrl);
 
 describe('handleSignOutCallbackRequest', () => {
 	const mockRequest = new Request(
@@ -57,6 +70,9 @@ describe('handleSignOutCallbackRequest', () => {
 		mockGetCookieValuesFromRequest.mockClear();
 		mockRevokeAuthNTokens.mockClear();
 		mockGetRedirectOrDefault.mockClear();
+		mockCreateAuthFlowProofCookiesRemoveOptions.mockClear();
+		mockCreateRedirectionIntermediary.mockClear();
+		mockResolveRedirectSignOutUrl.mockClear();
 	});
 
 	it(`returns a 400 response when the request does not have the "${IS_SIGNING_OUT_COOKIE_NAME}" cookie`, async () => {
@@ -68,6 +84,7 @@ describe('handleSignOutCallbackRequest', () => {
 			userPoolClientId: mockUserPoolClientId,
 			oAuthConfig: mockOAuthConfig,
 			setCookieOptions: mockSetCookieOptions,
+			origin: 'https://example.com',
 		});
 
 		// verify the response
@@ -76,9 +93,88 @@ describe('handleSignOutCallbackRequest', () => {
 		// verify the calls to dependencies
 		expect(mockGetCookieValuesFromRequest).toHaveBeenCalledWith(mockRequest, [
 			IS_SIGNING_OUT_COOKIE_NAME,
+			IS_SIGNING_OUT_REDIRECTING_COOKIE_NAME,
 		]);
 	});
 
+	it(`returns a 200 response with the intermediate redirect HTML when the request has the "${IS_SIGNING_OUT_COOKIE_NAME}" and "${IS_SIGNING_OUT_REDIRECTING_COOKIE_NAME}" cookies`, async () => {
+		mockGetCookieValuesFromRequest.mockReturnValueOnce({
+			[IS_SIGNING_OUT_COOKIE_NAME]: 'true',
+			[IS_SIGNING_OUT_REDIRECTING_COOKIE_NAME]: 'true',
+		});
+		const mockCreateTokenRemoveCookiesResult = [
+			{
+				name: IS_SIGNING_OUT_REDIRECTING_COOKIE_NAME,
+				value: '',
+			},
+		];
+		mockCreateTokenRemoveCookies.mockReturnValueOnce(
+			mockCreateTokenRemoveCookiesResult,
+		);
+		const mockCreateTokenCookiesRemoveOptionsResult = {
+			path: '/',
+			maxAge: -1,
+			domain: mockSetCookieOptions.domain,
+		};
+		mockCreateAuthFlowProofCookiesRemoveOptions.mockReturnValueOnce(
+			mockCreateTokenCookiesRemoveOptionsResult,
+		);
+		const mockResolveRedirectSignOutUrlResult =
+			'https://example.com/sign-out-callback';
+		mockResolveRedirectSignOutUrl.mockReturnValueOnce(
+			mockResolveRedirectSignOutUrlResult,
+		);
+		const mockCreateOnSignInCompleteRedirectIntermediateResult =
+			'<html><head><meta http-equiv="refresh" content="0;url=/"></head></html>';
+		mockCreateRedirectionIntermediary.mockReturnValueOnce(
+			mockCreateOnSignInCompleteRedirectIntermediateResult,
+		);
+		mockAppendSetCookieHeaders.mockImplementationOnce(headers => {
+			headers.append(
+				'Set-Cookie',
+				'mock_cookie1=; Domain=.example.com; Path=/',
+			);
+			headers.append(
+				'Set-Cookie',
+				'mock_cookie2=; Domain=.example.com; Path=/',
+			);
+		});
+
+		const response = await handleSignOutCallbackRequest({
+			request: mockRequest,
+			handlerInput: mockHandlerInput,
+			userPoolClientId: mockUserPoolClientId,
+			oAuthConfig: mockOAuthConfig,
+			setCookieOptions: mockSetCookieOptions,
+			origin: 'https://example.com',
+		});
+
+		// verify the response
+		expect(response.status).toBe(200);
+		expect(response.headers.get('Content-Type')).toBe('text/html');
+		expect(response.headers.get('Set-Cookie')).toBe(
+			'mock_cookie1=; Domain=.example.com; Path=/, mock_cookie2=; Domain=.example.com; Path=/',
+		);
+		expect(await response.text()).toBe(
+			mockCreateOnSignInCompleteRedirectIntermediateResult,
+		);
+
+		// verify the calls to dependencies
+		expect(mockCreateTokenRemoveCookies).toHaveBeenCalledWith([
+			IS_SIGNING_OUT_REDIRECTING_COOKIE_NAME,
+		]);
+		expect(mockCreateAuthFlowProofCookiesRemoveOptions).toHaveBeenCalledWith(
+			mockSetCookieOptions,
+		);
+		expect(mockResolveRedirectSignOutUrl).toHaveBeenCalledWith(
+			'https://example.com',
+			mockOAuthConfig,
+		);
+		expect(mockCreateRedirectionIntermediary).toHaveBeenCalledWith({
+			redirectTo: mockResolveRedirectSignOutUrlResult,
+		});
+	});
+
 	it('returns a 302 response to redirect to handlerInput.redirectOnSignOutComplete when the request cookies do not have a username', async () => {
 		mockGetCookieValuesFromRequest
 			.mockReturnValueOnce({
@@ -92,6 +188,7 @@ describe('handleSignOutCallbackRequest', () => {
 			userPoolClientId: mockUserPoolClientId,
 			oAuthConfig: mockOAuthConfig,
 			setCookieOptions: mockSetCookieOptions,
+			origin: 'https://example.com',
 		});
 
 		// verify the response
@@ -101,6 +198,7 @@ describe('handleSignOutCallbackRequest', () => {
 		// verify the calls to dependencies
 		expect(mockGetCookieValuesFromRequest).toHaveBeenCalledWith(mockRequest, [
 			IS_SIGNING_OUT_COOKIE_NAME,
+			IS_SIGNING_OUT_REDIRECTING_COOKIE_NAME,
 		]);
 		expect(mockGetCookieValuesFromRequest).toHaveBeenCalledWith(mockRequest, [
 			`${AUTH_KEY_PREFIX}.${mockUserPoolClientId}.LastAuthUser`,
@@ -126,6 +224,7 @@ describe('handleSignOutCallbackRequest', () => {
 			userPoolClientId: mockUserPoolClientId,
 			oAuthConfig: mockOAuthConfig,
 			setCookieOptions: mockSetCookieOptions,
+			origin: 'https://example.com',
 		});
 
 		// verify the response
@@ -136,6 +235,7 @@ describe('handleSignOutCallbackRequest', () => {
 		// verify the calls to dependencies
 		expect(mockGetCookieValuesFromRequest).toHaveBeenCalledWith(mockRequest, [
 			IS_SIGNING_OUT_COOKIE_NAME,
+			IS_SIGNING_OUT_REDIRECTING_COOKIE_NAME,
 		]);
 		expect(mockGetCookieValuesFromRequest).toHaveBeenCalledWith(mockRequest, [
 			`${AUTH_KEY_PREFIX}.${mockUserPoolClientId}.LastAuthUser`,
@@ -167,6 +267,7 @@ describe('handleSignOutCallbackRequest', () => {
 			userPoolClientId: mockUserPoolClientId,
 			oAuthConfig: mockOAuthConfig,
 			setCookieOptions: mockSetCookieOptions,
+			origin: 'https://example.com',
 		});
 
 		// verify the response
@@ -176,6 +277,7 @@ describe('handleSignOutCallbackRequest', () => {
 		// verify the calls to dependencies
 		expect(mockGetCookieValuesFromRequest).toHaveBeenCalledWith(mockRequest, [
 			IS_SIGNING_OUT_COOKIE_NAME,
+			IS_SIGNING_OUT_REDIRECTING_COOKIE_NAME,
 		]);
 		expect(mockGetCookieValuesFromRequest).toHaveBeenCalledWith(mockRequest, [
 			`${AUTH_KEY_PREFIX}.${mockUserPoolClientId}.LastAuthUser`,
@@ -257,6 +359,7 @@ describe('handleSignOutCallbackRequest', () => {
 				userPoolClientId: mockUserPoolClientId,
 				oAuthConfig: mockOAuthConfig,
 				setCookieOptions: mockSetCookieOptions,
+				origin: 'https://example.com',
 			});
 
 			// verify the calls to dependencies
@@ -269,6 +372,7 @@ describe('handleSignOutCallbackRequest', () => {
 			// verify the calls to dependencies
 			expect(mockGetCookieValuesFromRequest).toHaveBeenCalledWith(mockRequest, [
 				IS_SIGNING_OUT_COOKIE_NAME,
+				IS_SIGNING_OUT_REDIRECTING_COOKIE_NAME,
 			]);
 			expect(mockGetCookieValuesFromRequest).toHaveBeenCalledWith(mockRequest, [
 				`${AUTH_KEY_PREFIX}.${mockUserPoolClientId}.LastAuthUser`,