Revert auth0 v4 upgrade (PRs #13229 and #13159)#13231

Merged: gestchild merged 1 commit into main from revert-auth0-v4-upgrade, Jul 1, 2026
Conversation

@gestchild

Contributor

Reverts both previous merges due to incompatibility between @auth0/nextjs-auth0 v4 and Next.js middleware Edge runtime. The v4 SDK requires AsyncLocalStorage which is unavailable in Edge runtime, causing 500 errors on /api/auth/login.

Reverts:

Reverts both merges due to incompatibility between @auth0/nextjs-auth0 v4
and Next.js middleware Edge runtime. The v4 SDK requires AsyncLocalStorage
which is unavailable in Edge runtime, causing 500 errors on /api/auth/login.

Reverts:
- b2d51d3 (PR #13229)
- 017fb66 (PR #13159)

Copilot AI left a comment

Contributor

Pull request overview

Reverts the identity webapp’s Auth0 integration from @auth0/nextjs-auth0 v4 back to v3 to avoid incompatibilities with the Next.js middleware Edge runtime (notably AsyncLocalStorage), restoring the prior pages-router-based Auth flows.

Changes:

  • Downgrades @auth0/nextjs-auth0 to the v3 line and removes v4-only dependencies/configuration.
  • Switches Auth routing back to a pages API catch-all (pages/api/auth/[...auth0].ts) and removes the Next.js middleware-based auth implementation.
  • Removes v4-specific helpers/tests/docs that were introduced to support the upgrade.

Reviewed changes

Copilot reviewed 19 out of 20 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| yarn.lock | Locks dependency graph back to Auth0 SDK v3-era transitive deps. |
| identity/webapp/package.json | Downgrades @auth0/nextjs-auth0 to ^3.5.0. |
| identity/webapp/utils/auth0.ts | Reverts to initAuth0-based configuration and SSR helper wrapper. |
| identity/webapp/pages/api/auth/[...auth0].ts | Reintroduces pages-router Auth0 handler entrypoint. |
| identity/webapp/pages/api/auth/signup.ts | Updates signup to use handleLogin with screen_hint=signup. |
| identity/webapp/pages/api/users/[[...users]].ts | Adapts token retrieval / types to the v3 SDK surface. |
| identity/webapp/pages/index.tsx | Updates session access patterns for v3 API shape. |
| identity/webapp/pages/validated.tsx | Adjusts token/session refresh calls for the reverted SDK. |
| identity/webapp/views/pages/index.tsx | Updates Auth0 user type import for props typing. |
| identity/webapp/config.js | Moves session/auth config back into serverRuntimeConfig for v3 usage. |
| identity/webapp/next.config.js | Removes v4/middleware-related env wiring for basePath. |
| identity/webapp/middleware.ts | Removes middleware-based auth (Edge-runtime problematic). |
| identity/webapp/pages/api/auth/me.ts | Removes bespoke /me handler introduced for v4. |
| identity/webapp/test/registration.test.ts | Updates runtime-config mocking for new config shape. |
| identity/webapp/test/patron-claims.test.ts | Removes v4-only patron-claims preservation tests. |
| identity/webapp/test/api-auth-me.test.ts | Removes tests for the bespoke /me handler (now removed). |
| playwright/user-stories/identity.md | Removes manual regression script added with the v4 upgrade. |
| docs/SUMMARY.md | Removes docs nav entry for the deleted manual regression script. |
| .github/dependabot.yml | Prevents Dependabot from upgrading @auth0/nextjs-auth0 automatically. |
Comments suppressed due to low confidence (1)

identity/webapp/test/registration.test.ts:109

  • The next/config mock doesn't match the runtime shape introduced in identity/webapp/config.js: sessionKeys should be an array (split from SESSION_KEYS) and sessionVersion is required by utils/auth0.ts. As-is, tests can fail or silently use undefined session naming.
jest.mock('next/config', () => () => ({
  serverRuntimeConfig: {
    sessionKeys: 'test_test_test',
    siteBaseUrl: 'http://test.test',
    identityBasePath: '/account',
    auth0: {
      domain: 'test.test',
      clientID: 'test',
      clientSecret: 'test',
    },
    remoteApi: {
      host: 'test.test',
      apiKey: 'test',
    },
  },
}));

Comment on lines +7 to +11
if (error) {
const query = new URLSearchParams(req.url);
res.redirect(`/account/error?${query.toString()}`);
return;
}
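Review bot: `new URLSearchParams(req.url)` in the `if (error)` branch parses the whole request URL, path included, as a query string, so for a URL of the form `/path?error=...` the first key comes out as `/path?error` rather than `error` and the error page will not receive the parameter under the name it expects. Build the query from the query portion only, for example `new URL(req.url, base).searchParams` (with `base` being any absolute origin) or the already-parsed `req.query`, and consider using `identityBasePath` instead of the hard-coded `/account` prefix so the redirect follows the configured base path.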
Comment thread identity/webapp/pages/api/auth/[...auth0].ts
Comment thread identity/webapp/pages/api/auth/[...auth0].ts
Comment thread identity/webapp/pages/index.tsx
Comment thread identity/webapp/utils/auth0.ts
Comment on lines +1 to +11
import auth0 from '@weco/identity/utils/auth0';

import { identityBasePath } from '@weco/identity/utils/auth0';

// This will redirect the user directly to the sign-up page: the SDK's login
// handler forwards arbitrary authorization params from the query string.
// This will redirect the user directly to the sign-up page.
//
// See
// https://community.auth0.com/t/how-do-i-redirect-users-directly-to-the-hosted-signup-page/42520
export default async (
req: NextApiRequest,
res: NextApiResponse
): Promise<void> => {
// Forward any query params (eg returnTo) to the login handler, as the v3
// signup handler did, but always force the signup screen.
const params = new URLSearchParams();
for (const [key, value] of Object.entries(req.query)) {
for (const v of Array.isArray(value) ? value : [value]) {
if (typeof v === 'string') params.append(key, v);
}
}
params.set('screen_hint', 'signup');

res.redirect(`${identityBasePath}/api/auth/login?${params.toString()}`);
};
// https://github.com/auth0/nextjs-auth0/issues/16#issuecomment-898565337
export default async (req, res) =>
auth0.handleLogin(req, res, {
authorizationParams: { screen_hint: 'signup' },
});
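Review bot: The `export default async (req, res) =>` handler at the end of this hunk leaves `req` and `res` untyped, while the other handler shown in the same hunk declares them as `NextApiRequest` and `NextApiResponse`; carrying those types over keeps the route type-checked. The `auth0.handleLogin(req, res, ...)` call is also returned without a try/catch, so a rejected login surfaces as an unhandled error; wrapping it and sending an explicit error status would make failures on this route easier to diagnose.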
@gestchild

Contributor Author

None of this is new, so ignoring copilot's suggestions - we're just putting things back how they were

@gestchild gestchild marked this pull request as ready for review July 1, 2026 15:47
@gestchild gestchild requested a review from a team as a code owner July 1, 2026 15:47
@gestchild gestchild merged commit 9b17560 into main Jul 1, 2026
11 checks passed
@gestchild gestchild deleted the revert-auth0-v4-upgrade branch July 1, 2026 15:47