feat: Take cookie from session (#1037) RELEASE

## Related Issues

Fixes descope/etc#9622

## Description
make `session` to work also outside middleware, or of middleware was
chained

Author: asafshen

packages/sdks/nextjs-sdk/CHANGELOG.md

@@ -200,7 +200,7 @@ This setup ensures that you can clearly define which routes in your application
 
 use the `session()` helper to read session information in Server Components and Route handlers.
 
-Note: `session()` requires the `authMiddleware` to be used for the Server Component or Route handler that uses it.
+Note: While using `authMiddleware` is still recommended for session management (because it validates the session only once), `session()` can function without it. If `authMiddleware` does not set a session, `session()` will attempt to retrieve the session token from cookies, then parse and validate it.
 
 Server Component:
 
@@ -234,6 +234,19 @@ export async function GET() {
 }
 ```
 
+##### Optional Parameters
+
+If the middleware did not set a session, The `session()` function will attempt to retrieve the session token from cookies and validates it, this requires the project ID to be either set in the environment variables or passed as a parameter to the function.
+
+```
+session({ projectId?: string, baseUrl?: string })
+```
+
+- **projectId:** The Descope Project ID. If not provided, the function will fall back to `DESCOPE_PROJECT_ID` from the environment variables.
+- **baseUrl:** The Descope API base URL.
+
+This allows developers to use `session()` even if the project ID is not set in the environment.
+
 #### Access Descope SDK in server side
 
 Use `createSdk` function to create Descope SDK in server side.

packages/sdks/nextjs-sdk/README.md

@@ -13,8 +13,6 @@ export default () => (
 		}}
 	>
 		<h1>Applications Portal</h1>
-		<ApplicationsPortal
-			widgetId="applications-portal-widget"
-		/>
+		<ApplicationsPortal widgetId="applications-portal-widget" />
 	</div>
 );

packages/sdks/nextjs-sdk/examples/app-router/app/my-applications-portal/page.tsx

@@ -46,13 +46,13 @@ const getSessionJwt = (req: NextRequest): string | undefined => {
 
 const matchWildcardRoute = (route: string, path: string) => {
 	let regexPattern = route.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
-  
+
 	// Convert wildcard (*) to match path segments only
 	regexPattern = regexPattern.replace(/\*/g, '[^/]*');
 	const regex = new RegExp(`^${regexPattern}$`);
-  
+
 	return regex.test(path);
-  };
+};
 
 const isPublicRoute = (req: NextRequest, options: MiddlewareOptions) => {
 	// Ensure publicRoutes and privateRoutes are arrays, defaulting to empty arrays if not defined
@@ -69,12 +69,16 @@ const isPublicRoute = (req: NextRequest, options: MiddlewareOptions) => {
 				'Both publicRoutes and privateRoutes are defined. Ignoring privateRoutes.'
 			);
 		}
-		return isDefaultPublicRoute || publicRoutes.some((route) => matchWildcardRoute(route, pathname))
+		return (
+			isDefaultPublicRoute ||
+			publicRoutes.some((route) => matchWildcardRoute(route, pathname))
+		);
 	}
 
 	if (privateRoutes.length > 0) {
 		return (
-			isDefaultPublicRoute || !privateRoutes.some((route) => matchWildcardRoute(route, pathname))
+			isDefaultPublicRoute ||
+			!privateRoutes.some((route) => matchWildcardRoute(route, pathname))
 		);
 	}
 

packages/sdks/nextjs-sdk/src/server/authMiddleware.ts

@@ -2,13 +2,18 @@ import descopeSdk from '@descope/node-sdk';
 import { baseHeaders } from './constants';
 
 type Sdk = ReturnType<typeof descopeSdk>;
-type CreateSdkParams = Omit<Parameters<typeof descopeSdk>[0], 'projectId'> & {
+type CreateServerSdkParams = Omit<
+	Parameters<typeof descopeSdk>[0],
+	'projectId'
+> & {
 	projectId?: string | undefined;
 };
 
+type CreateSdkParams = Pick<CreateServerSdkParams, 'projectId' | 'baseUrl'>;
+
 let globalSdk: Sdk;
 
-export const createSdk = (config?: CreateSdkParams): Sdk =>
+export const createSdk = (config?: CreateServerSdkParams): Sdk =>
 	descopeSdk({
 		...config,
 		projectId: config?.projectId || process.env.DESCOPE_PROJECT_ID,
@@ -20,9 +25,7 @@ export const createSdk = (config?: CreateSdkParams): Sdk =>
 		}
 	});
 
-export const getGlobalSdk = (
-	config?: Pick<CreateSdkParams, 'projectId' | 'baseUrl'>
-): Sdk => {
+export const getGlobalSdk = (config?: CreateSdkParams): Sdk => {
 	if (!globalSdk) {
 		if (!config?.projectId && !process.env.DESCOPE_PROJECT_ID) {
 			throw new Error('Descope project ID is required to create the SDK');
@@ -32,3 +35,5 @@ export const getGlobalSdk = (
 
 	return globalSdk;
 };
+
+export type { CreateSdkParams };

packages/sdks/nextjs-sdk/src/server/sdk.ts

@@ -1,7 +1,9 @@
-import { AuthenticationInfo } from '@descope/node-sdk';
+/* eslint-disable no-console */
+import descopeSdk, { AuthenticationInfo } from '@descope/node-sdk';
 import { NextApiRequest } from 'next';
-import { headers } from 'next/headers';
+import { cookies, headers } from 'next/headers';
 import { DESCOPE_SESSION_HEADER } from './constants';
+import { getGlobalSdk, CreateSdkParams } from './sdk';
 
 const extractSession = (
 	descopeSession?: string
@@ -18,17 +20,57 @@ const extractSession = (
 		return undefined;
 	}
 };
+
+const getSessionFromCookie = async (
+	config?: CreateSdkParams
+): Promise<AuthenticationInfo | undefined> => {
+	try {
+		const sessionCookie = (await cookies()).get(
+			descopeSdk.SessionTokenCookieName
+		);
+		if (!sessionCookie?.value) {
+			console.debug('Session cookie not found');
+			return undefined;
+		}
+		const sdk = getGlobalSdk(config);
+		const res = await sdk.validateJwt(sessionCookie.value);
+		return res;
+	} catch (err) {
+		console.debug('Error getting session from cookie', err);
+		return undefined;
+	}
+};
+
+// tries to extract the session header,
+// if it doesn't exist, it will attempt to get the session from the cookie
+const extractOrGetSession = async (
+	sessionHeader?: string,
+	config?: CreateSdkParams
+): Promise<AuthenticationInfo | undefined> => {
+	const session = extractSession(sessionHeader);
+	if (session) {
+		return session;
+	}
+
+	return getSessionFromCookie(config);
+};
+
 // returns the session token if it exists in the headers
-// This function require middleware
-export const session = async (): Promise<AuthenticationInfo | undefined> => {
+export const session = async (
+	config?: CreateSdkParams
+): Promise<AuthenticationInfo | undefined> => {
+	// first attempt to get the session from the headers
 	const reqHeaders = await headers();
 	const sessionHeader = reqHeaders.get(DESCOPE_SESSION_HEADER);
-	return extractSession(sessionHeader);
+	return extractOrGetSession(sessionHeader, config);
 };
 
 // returns the session token if it exists in the request headers
-// This function require middleware
-export const getSession = (
-	req: NextApiRequest
-): AuthenticationInfo | undefined =>
-	extractSession(req.headers[DESCOPE_SESSION_HEADER.toLowerCase()] as string);
+export const getSession = async (
+	req: NextApiRequest,
+	config?: CreateSdkParams
+): Promise<AuthenticationInfo | undefined> =>
+	extractOrGetSession(
+		req.headers[DESCOPE_SESSION_HEADER.toLowerCase()] as string,
+		config
+	);

packages/sdks/nextjs-sdk/src/server/session.ts

@@ -176,64 +176,64 @@ describe('authMiddleware', () => {
 
 	it('redirects unauthenticated users for private routes matching wildcard patterns', async () => {
 		mockValidateJwt.mockRejectedValue(new Error('Invalid JWT'));
-	  
+
 		const middleware = authMiddleware({
-		  privateRoutes: ['/private/*']
+			privateRoutes: ['/private/*']
 		});
-	  
+
 		// Mock request to a route matching the wildcard pattern
 		const mockReq = createMockNextRequest({ pathname: '/private/dashboard' });
-	  
+
 		const response = await middleware(mockReq);
-	  
+
 		// Expect a redirect since the user is unauthenticated
 		expect(NextResponse.redirect).toHaveBeenCalledWith(expect.anything());
 		expect(response).toEqual({
-		  pathname: DEFAULT_PUBLIC_ROUTES.signIn
+			pathname: DEFAULT_PUBLIC_ROUTES.signIn
 		});
-	  });
-	  
-	  it('allows authenticated users for private routes matching wildcard patterns', async () => {
+	});
+
+	it('allows authenticated users for private routes matching wildcard patterns', async () => {
 		const authInfo = {
-		  jwt: 'validJwt',
-		  token: { iss: 'project-1', sub: 'user-123' }
+			jwt: 'validJwt',
+			token: { iss: 'project-1', sub: 'user-123' }
 		};
 		mockValidateJwt.mockImplementation(() => authInfo);
-	  
+
 		const middleware = authMiddleware({
-		  privateRoutes: ['/private/*']
+			privateRoutes: ['/private/*']
 		});
-	  
+
 		const mockReq = createMockNextRequest({
-		  pathname: '/private/settings',
-		  headers: { Authorization: 'Bearer validJwt' }
+			pathname: '/private/settings',
+			headers: { Authorization: 'Bearer validJwt' }
 		});
-	  
+
 		await middleware(mockReq);
-	  
+
 		// Expect no redirect and that the session header is set
 		expect(NextResponse.redirect).not.toHaveBeenCalled();
 		expect(NextResponse.next).toHaveBeenCalled();
-	  
+
 		const headersArg = (NextResponse.next as any as jest.Mock).mock.lastCall[0]
-		  .request.headers;
+			.request.headers;
 		expect(headersArg.get('x-descope-session')).toEqual(
-		  Buffer.from(JSON.stringify(authInfo)).toString('base64')
+			Buffer.from(JSON.stringify(authInfo)).toString('base64')
 		);
-	  });
-	
+	});
+
 	it('allows unauthenticated users for public routes matching wildcard patterns', async () => {
 		mockValidateJwt.mockRejectedValue(new Error('Invalid JWT'));
-	
+
 		const middleware = authMiddleware({
 			publicRoutes: ['/public/*']
 		});
-	
+
 		// Mock request to a route matching the wildcard pattern
 		const mockReq = createMockNextRequest({ pathname: '/public/info' });
-	
+
 		await middleware(mockReq);
-	
+
 		// Expect no redirect since it's a public route
 		expect(NextResponse.redirect).not.toHaveBeenCalled();
 		expect(NextResponse.next).toHaveBeenCalled();