Revert auth0 v4 upgrade (PRs #13229 and #13159) #13231
Merged
rcantin-w
approved these changes
Jul 1, 2026
Contributor
Pull request overview
Reverts the identity webapp’s Auth0 integration from @auth0/nextjs-auth0 v4 back to v3 to avoid incompatibilities with the Next.js middleware Edge runtime (notably AsyncLocalStorage), restoring the prior pages-router-based Auth flows.
Changes:
- Downgrades `@auth0/nextjs-auth0` to the v3 line and removes v4-only dependencies/configuration.
- Switches Auth routing back to a pages API catch-all (`pages/api/auth/[...auth0].ts`) and removes the Next.js middleware-based auth implementation.
- Removes v4-specific helpers/tests/docs that were introduced to support the upgrade.
Reviewed changes
Copilot reviewed 19 out of 20 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| yarn.lock | Locks dependency graph back to Auth0 SDK v3-era transitive deps. |
| identity/webapp/package.json | Downgrades @auth0/nextjs-auth0 to ^3.5.0. |
| identity/webapp/utils/auth0.ts | Reverts to initAuth0-based configuration and SSR helper wrapper. |
| identity/webapp/pages/api/auth/[...auth0].ts | Reintroduces pages-router Auth0 handler entrypoint. |
| identity/webapp/pages/api/auth/signup.ts | Updates signup to use handleLogin with screen_hint=signup. |
| identity/webapp/pages/api/users/[[...users]].ts | Adapts token retrieval / types to the v3 SDK surface. |
| identity/webapp/pages/index.tsx | Updates session access patterns for v3 API shape. |
| identity/webapp/pages/validated.tsx | Adjusts token/session refresh calls for the reverted SDK. |
| identity/webapp/views/pages/index.tsx | Updates Auth0 user type import for props typing. |
| identity/webapp/config.js | Moves session/auth config back into serverRuntimeConfig for v3 usage. |
| identity/webapp/next.config.js | Removes v4/middleware-related env wiring for basePath. |
| identity/webapp/middleware.ts | Removes middleware-based auth (Edge-runtime problematic). |
| identity/webapp/pages/api/auth/me.ts | Removes bespoke /me handler introduced for v4. |
| identity/webapp/test/registration.test.ts | Updates runtime-config mocking for new config shape. |
| identity/webapp/test/patron-claims.test.ts | Removes v4-only patron-claims preservation tests. |
| identity/webapp/test/api-auth-me.test.ts | Removes tests for the bespoke /me handler (now removed). |
| playwright/user-stories/identity.md | Removes manual regression script added with the v4 upgrade. |
| docs/SUMMARY.md | Removes docs nav entry for the deleted manual regression script. |
| .github/dependabot.yml | Prevents Dependabot from upgrading @auth0/nextjs-auth0 automatically. |
Comments suppressed due to low confidence (1)
identity/webapp/test/registration.test.ts:109
- The `next/config` mock doesn't match the runtime shape introduced in `identity/webapp/config.js`: `sessionKeys` should be an array (split from `SESSION_KEYS`) and `sessionVersion` is required by `utils/auth0.ts`. As-is, tests can fail or silently use `undefined` session naming.
jest.mock('next/config', () => () => ({
serverRuntimeConfig: {
sessionKeys: 'test_test_test',
siteBaseUrl: 'http://test.test',
identityBasePath: '/account',
auth0: {
domain: 'test.test',
clientID: 'test',
clientSecret: 'test',
},
remoteApi: {
host: 'test.test',
apiKey: 'test',
},
},
}));
Comment on lines +7 to +11
| if (error) { | ||
| const query = new URLSearchParams(req.url); | ||
| res.redirect(`/account/error?${query.toString()}`); | ||
| return; | ||
| } |
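Review bot: `new URLSearchParams(req.url)` on the second line of this hunk parses the whole request URL, path included, as if it were a query string. `URLSearchParams` only strips a leading `?`, so for a URL of the form `/path?error=...` the first key comes out as `/path?error` and the error page receives a mangled first parameter. Build the query from the part after the `?` instead, for example with `new URL(req.url, 'http://localhost').searchParams`, or from `req.query`. The redirect target also hard-codes `/account` rather than reading the identity base path from config, and because every query parameter is forwarded, the error page should treat those values as untrusted input when it renders them.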
Comment on lines +1 to +11
| import auth0 from '@weco/identity/utils/auth0'; | ||
|
|
||
| import { identityBasePath } from '@weco/identity/utils/auth0'; | ||
|
|
||
| // This will redirect the user directly to the sign-up page: the SDK's login | ||
| // handler forwards arbitrary authorization params from the query string. | ||
| // This will redirect the user directly to the sign-up page. | ||
| // | ||
| // See | ||
| // https://community.auth0.com/t/how-do-i-redirect-users-directly-to-the-hosted-signup-page/42520 | ||
| export default async ( | ||
| req: NextApiRequest, | ||
| res: NextApiResponse | ||
| ): Promise<void> => { | ||
| // Forward any query params (eg returnTo) to the login handler, as the v3 | ||
| // signup handler did, but always force the signup screen. | ||
| const params = new URLSearchParams(); | ||
| for (const [key, value] of Object.entries(req.query)) { | ||
| for (const v of Array.isArray(value) ? value : [value]) { | ||
| if (typeof v === 'string') params.append(key, v); | ||
| } | ||
| } | ||
| params.set('screen_hint', 'signup'); | ||
|
|
||
| res.redirect(`${identityBasePath}/api/auth/login?${params.toString()}`); | ||
| }; | ||
| // https://github.com/auth0/nextjs-auth0/issues/16#issuecomment-898565337 | ||
| export default async (req, res) => | ||
| auth0.handleLogin(req, res, { | ||
| authorizationParams: { screen_hint: 'signup' }, | ||
| }); |
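Review bot: The restored default export at the end of this hunk, `export default async (req, res) =>`, takes untyped parameters, while the version it replaces declared `NextApiRequest`, `NextApiResponse` and a `Promise<void>` return. Keeping those annotations on the `handleLogin` wrapper would preserve type checking on this route. The comment about forwarding query params such as `returnTo` is also dropped here, so a one-line note on how the wrapper treats caller-supplied query parameters would help the next reader.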
Contributor
Author
None of this is new, so ignoring copilot's suggestions - we're just putting things back how they were
Reverts both previous merges due to incompatibility between @auth0/nextjs-auth0 v4 and Next.js middleware Edge runtime. The v4 SDK requires AsyncLocalStorage which is unavailable in Edge runtime, causing 500 errors on /api/auth/login.
Reverts: