4.0.0-beta.12 (#1848)

README.md

@@ -5,7 +5,7 @@
 ### 1. Install the SDK
 
 ```shell
-npm i @auth0/[email protected].11
+npm i @auth0/[email protected].12
 ```
 
 ### 2. Add the environment variables

V4_MIGRATION_GUIDE.md

@@ -241,3 +241,4 @@ If you'd like to customize the `user` object to include additional custom claims
 - All cookies set by the SDK default to `SameSite=Lax`
 - `touchSession` method was removed. The middleware enables rolling sessions by default and can be configured via the [session configuration](https://github.com/auth0/nextjs-auth0/tree/v4?tab=readme-ov-file#session-configuration).
 - `getAccessToken` can now be called in React Server Components.
+- By default, v4 will use [OpenID Connect's RP-Initiated Logout](https://auth0.com/docs/authenticate/login/logout/log-users-out-of-auth0) if it's enabled on the tenant. Otherwise, it will fallback to the `/v2/logout` endpoint.

e2e/test-app/pages/api/pages-router/update-session/index.ts

@@ -2,11 +2,9 @@ import type { NextApiRequest, NextApiResponse } from "next"
 
 import { auth0 } from "@/lib/auth0"
 
-type ResponseData =
-  | {}
-  | {
-      error: string
-    }
+type ResponseData = {
+  error?: string
+}
 
 export default async function handler(
   req: NextApiRequest,

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@auth0/nextjs-auth0",
-  "version": "4.0.0-beta.11",
+  "version": "4.0.0-beta.12",
   "description": "Auth0 Next.js SDK",
   "scripts": {
     "build": "tsc",

src/server/auth-client.test.ts

@@ -4007,38 +4007,6 @@ ca/T0LLtgmbMmxSv/MmzIg==
       })
     })
   })
-
-  describe("allowInsecureRequests", async () => {
-    it("should now allow setting allowInsecureRequests when NODE_ENV is set to `production`", async () => {
-      process.env.NODE_ENV = "production"
-      const secret = await generateSecret(32)
-      const transactionStore = new TransactionStore({
-        secret,
-      })
-      const sessionStore = new StatelessSessionStore({
-        secret,
-      })
-      expect(
-        () =>
-          new AuthClient({
-            transactionStore,
-            sessionStore,
-
-            domain: DEFAULT.domain,
-            clientId: DEFAULT.clientId,
-            clientSecret: DEFAULT.clientSecret,
-
-            secret,
-            appBaseUrl: DEFAULT.appBaseUrl,
-
-            fetch: getMockAuthorizationServer(),
-            allowInsecureRequests: true,
-          })
-      ).toThrowError(
-        "Insecure requests are not allowed in production environments."
-      )
-    })
-  })
 })
 
 const _authorizationServerMetadata = {

src/server/auth-client.ts

@@ -137,8 +137,8 @@ export class AuthClient {
     this.allowInsecureRequests = options.allowInsecureRequests ?? false
 
     if (this.allowInsecureRequests && process.env.NODE_ENV === "production") {
-      throw new Error(
-        "Insecure requests are not allowed in production environments."
+      console.warn(
+        "allowInsecureRequests is enabled in a production environment. This is not recommended."
       )
     }
 

src/server/client.ts

@@ -152,12 +152,6 @@ export class Auth0Client {
       if (protocol === "https:") {
         cookieOptions.secure = true
       }
-
-      if (process.env.NODE_ENV === "production" && !cookieOptions.secure) {
-        console.warn(
-          `The application's base URL (${appBaseUrl}) is not set to HTTPS. This is not recommended for production environments.`
-        )
-      }
     }
 
     this.transactionStore = new TransactionStore({