fix: validate token on isAuthenticated

package.json

@@ -106,9 +106,9 @@
   "dependencies": {
     "@babel/preset-env": "^7.23.9",
     "@kinde-oss/kinde-typescript-sdk": "2.9.1",
+    "@kinde/jwt-decoder": "^0.2.0",
     "cookie": "^1.0.0",
     "crypto-js": "^4.1.1",
-    "jwt-decode": "^3.1.2",
     "uncrypto": "^0.1.3"
   },
   "files": [

src/authMiddleware/authMiddleware.js → src/authMiddleware/authMiddleware.ts

@@ -1,22 +1,19 @@
-import jwt_decode from 'jwt-decode';
 import {NextResponse} from 'next/server';
 import {config} from '../config/index';
 import {isTokenValid} from '../utils/pageRouter/isTokenValid';
+import {type KindeAccessToken, KindeIdToken} from '../../types';
+import {jwtDecoder} from '@kinde/jwt-decoder';
 
 const trimTrailingSlash = (str) =>
   str && str.charAt(str.length - 1) === '/' ? str.slice(0, -1) : str;
 
 export function authMiddleware(request) {
-  let isAuthenticated = false;
   const nextUrl = trimTrailingSlash(request.nextUrl.href);
   const logoutUrl = trimTrailingSlash(config.postLogoutRedirectURL);
   const kinde_token = request.cookies.get('kinde_token');
   const isLogoutUrl = nextUrl === logoutUrl;
 
-  if (kinde_token) {
-    const payload = jwt_decode(JSON.parse(kinde_token.value).access_token);
-    isAuthenticated = true;
-  }
+  const isAuthenticated = isTokenValid(kinde_token?.value);
 
   if (!isAuthenticated && !isLogoutUrl) {
     return NextResponse.redirect(
@@ -60,8 +57,12 @@ const handleMiddleware = async (req, options, onSuccess) => {
     return response;
   }
 
-  const accessTokenValue = jwt_decode(req.cookies.get('access_token').value);
-  const idTokenValue = jwt_decode(req.cookies.get('id_token')?.value);
+  const accessTokenValue = jwtDecoder<KindeAccessToken>(
+    req.cookies.get('access_token').value
+  );
+  const idTokenValue = jwtDecoder<KindeIdToken>(
+    req.cookies.get('id_token')?.value
+  );
 
   const isAuthorized = options?.isAuthorized
     ? options.isAuthorized({req, token: accessTokenValue})
@@ -96,6 +97,7 @@ const handleMiddleware = async (req, options, onSuccess) => {
 export function withAuth(...args) {
   // most basic usage - no options
   if (!args.length || args[0] instanceof Request) {
+    // @ts-ignore
     return handleMiddleware(...args);
   }
 
@@ -112,5 +114,6 @@ export function withAuth(...args) {
 
   // includes options
   const options = args[0];
+  // @ts-ignore
   return async (...args) => await handleMiddleware(args[0], options);
 }

src/handlers/setup.ts

@@ -1,4 +1,4 @@
-import jwtDecode from 'jwt-decode';
+import {jwtDecoder} from '@kinde/jwt-decoder';
 import {KindeAccessToken, KindeIdToken} from '../../types';
 import {config} from '../config/index';
 import {generateUserObject} from '../utils/generateUserObject';
@@ -14,17 +14,15 @@ export const setup = async (routerClient) => {
       routerClient.sessionManager
     );
 
-    const accessTokenEncoded = await routerClient.sessionManager.getSessionItem(
-      'access_token'
-    );
+    const accessTokenEncoded =
+      await routerClient.sessionManager.getSessionItem('access_token');
 
-    const idTokenEncoded = await routerClient.sessionManager.getSessionItem(
-      'id_token'
-    );
+    const idTokenEncoded =
+      await routerClient.sessionManager.getSessionItem('id_token');
 
-    const accessToken = jwtDecode(accessTokenEncoded);
+    const accessToken = jwtDecoder<KindeAccessToken>(accessTokenEncoded);
 
-    const idToken = jwtDecode(idTokenEncoded);
+    const idToken = jwtDecoder<KindeIdToken>(idTokenEncoded);
 
     const permissions = await routerClient.kindeClient.getClaimValue(
       routerClient.sessionManager,

src/session/getUser.ts

@@ -1,23 +1,23 @@
-import jwtDecode from 'jwt-decode';
 import {NextApiRequest, NextApiResponse} from 'next';
 import {KindeAccessToken, KindeIdToken, KindeUser} from '../../types';
 import {config} from '../config/index';
 import {generateUserObject} from '../utils/generateUserObject';
 import {sessionManager} from './sessionManager';
+import {jwtDecoder} from '@kinde/jwt-decoder';
 
 export const getUserFactory =
   (req: NextApiRequest, res: NextApiResponse) =>
   async <T = Record<string, any>>(): Promise<KindeUser<T>> => {
     try {
-      const idToken = jwtDecode(
+      const idToken = jwtDecoder<KindeIdToken>(
         (await sessionManager(req, res).getSessionItem('id_token')) as string
-      ) as KindeIdToken;
+      );
 
-      const accessToken = jwtDecode(
+      const accessToken = jwtDecoder<KindeAccessToken>(
         (await sessionManager(req, res).getSessionItem(
           'access_token'
         )) as string
-      ) as KindeAccessToken;
+      );
       return generateUserObject(idToken, accessToken) as KindeUser<T>;
     } catch (error) {
       if (config.isDebugMode) {

src/session/isAuthenticated.js

@@ -1,3 +1,4 @@
+import {isTokenValid} from '../utils/pageRouter/isTokenValid';
 import {getUserFactory} from './getUser';
 
 /**
@@ -7,6 +8,12 @@ import {getUserFactory} from './getUser';
  * @returns {() => Promise<boolean>}
  */
 export const isAuthenticatedFactory = (req, res) => async () => {
+  const accessToken = await sessionManager(req, res).getSessionItem(
+    'access_token'
+  );
+
+  const validToken = isTokenValid(accessToken);
+
   const user = await getUserFactory(req, res)();
-  return Boolean(user);
+  return validToken && Boolean(user);
 };

src/utils/pageRouter/isTokenValid.js

@@ -1,12 +1,12 @@
-import jwt_decode from 'jwt-decode';
+import {jwtDecoder, TokenPart} from '@kinde/jwt-decoder';
 import {config} from '../../config/index';
 
 const isTokenValid = (token) => {
   const accessToken = (token && token.access_token) || token;
   if (!accessToken) return false;
 
-  const accessTokenHeader = jwt_decode(accessToken, {header: true});
-  const accessTokenPayload = jwt_decode(accessToken);
+  const accessTokenHeader = jwtDecoder(accessToken, TokenPart.header);
+  const accessTokenPayload = jwtDecoder(accessToken);
   let isAudienceValid = true;
   if (config.audience)
     isAudienceValid =