refactor(auth-next): remove unused code and enforce valid redirect URIs

rodrigo-fournier-immutable · rodrigo-fournier-immutable · commit 3b92d82260aa · 2026-02-16T16:11:46.000+11:00
- Remove DEFAULT_PRODUCTION_CLIENT_ID (unused in auth-next)
- Throw when window undefined in deriveDefaultRedirectUri and getSandboxLogoutConfig
  (OAuth requires absolute URLs; path-only is invalid)
- Inline resolvedConfig in createAuthConfig: config ?? { ... }
diff --git a/packages/auth-next-client/src/constants.ts b/packages/auth-next-client/src/constants.ts
@@ -9,7 +9,6 @@ export const DEFAULT_AUDIENCE = 'platform_api';
 export const DEFAULT_SCOPE = 'openid profile email offline_access transact';
 export const IMMUTABLE_PROVIDER_ID = 'immutable';
 export const DEFAULT_NEXTAUTH_BASE_PATH = '/api/auth';
-export const DEFAULT_PRODUCTION_CLIENT_ID = 'PtQRK4iRJ8GkXjiz6xfImMAYhPhW0cYk';
 export const DEFAULT_SANDBOX_CLIENT_ID = 'mjtCL8mt06BtbxSkp2vbrYStKWnXVZfo';
 export const DEFAULT_REDIRECT_URI_PATH = '/callback';
 export const DEFAULT_POPUP_REDIRECT_URI_PATH = '/callback';
diff --git a/packages/auth-next-client/src/defaultConfig.ts b/packages/auth-next-client/src/defaultConfig.ts
@@ -1,7 +1,7 @@
 /**
  * Sandbox default redirect URI for zero-config mode.
  * Defined locally to avoid importing from auth-next-server (which uses next/server).
- * Server: path only. Client: full URL (origin + path).
+ * OAuth requires an absolute URL; this runs in the browser when login is invoked.
  *
  * @internal
  */
@@ -10,7 +10,10 @@ import { DEFAULT_REDIRECT_URI_PATH } from './constants';
 
 export function deriveDefaultRedirectUri(): string {
   if (typeof window === 'undefined') {
-    return DEFAULT_REDIRECT_URI_PATH;
+    throw new Error(
+      '[auth-next-client] deriveDefaultRedirectUri requires window. '
+      + 'Login hooks run in the browser when the user triggers login.',
+    );
   }
   return `${window.location.origin}${DEFAULT_REDIRECT_URI_PATH}`;
 }
diff --git a/packages/auth-next-client/src/hooks.tsx b/packages/auth-next-client/src/hooks.tsx
@@ -68,9 +68,13 @@ function getSandboxLoginConfig(): LoginConfig {
 }
 
 function getSandboxLogoutConfig(): LogoutConfig {
-  const logoutRedirectUri = typeof window === 'undefined'
-    ? DEFAULT_LOGOUT_REDIRECT_URI_PATH
-    : window.location.origin + DEFAULT_LOGOUT_REDIRECT_URI_PATH;
+  if (typeof window === 'undefined') {
+    throw new Error(
+      '[auth-next-client] getSandboxLogoutConfig requires window. '
+      + 'Logout runs in the browser when the user triggers it.',
+    );
+  }
+  const logoutRedirectUri = window.location.origin + DEFAULT_LOGOUT_REDIRECT_URI_PATH;
   return {
     clientId: DEFAULT_SANDBOX_CLIENT_ID,
     logoutRedirectUri,
diff --git a/packages/auth-next-client/src/index.ts b/packages/auth-next-client/src/index.ts
@@ -66,7 +66,6 @@ export {
   DEFAULT_AUDIENCE,
   DEFAULT_SCOPE,
   IMMUTABLE_PROVIDER_ID,
-  DEFAULT_PRODUCTION_CLIENT_ID,
   DEFAULT_SANDBOX_CLIENT_ID,
   DEFAULT_REDIRECT_URI_PATH,
   DEFAULT_POPUP_REDIRECT_URI_PATH,
diff --git a/packages/auth-next-server/src/config.ts b/packages/auth-next-server/src/config.ts
@@ -87,23 +87,9 @@ async function validateTokens(
  * ```
  */
 export function createAuthConfig(config?: ImmutableAuthConfig): NextAuthConfig {
-  let clientId: string;
-  let redirectUri: string;
-
-  if (config) {
-    clientId = config.clientId;
-    redirectUri = config.redirectUri;
-  } else {
-    clientId = DEFAULT_SANDBOX_CLIENT_ID;
-    redirectUri = deriveDefaultRedirectUri();
-  }
-
-  const resolvedConfig: ImmutableAuthConfig = {
-    clientId,
-    redirectUri,
-    audience: config?.audience,
-    scope: config?.scope,
-    authenticationDomain: config?.authenticationDomain,
+  const resolvedConfig: ImmutableAuthConfig = config ?? {
+    clientId: DEFAULT_SANDBOX_CLIENT_ID,
+    redirectUri: deriveDefaultRedirectUri(),
   };
   const authDomain = resolvedConfig.authenticationDomain || DEFAULT_AUTH_DOMAIN;
 
diff --git a/packages/auth-next-server/src/constants.ts b/packages/auth-next-server/src/constants.ts
@@ -57,10 +57,8 @@ export const TOKEN_EXPIRY_BUFFER_MS = TOKEN_EXPIRY_BUFFER_SECONDS * 1000;
 export const DEFAULT_SESSION_MAX_AGE_SECONDS = 365 * 24 * 60 * 60;
 
 /**
- * Public client IDs for Immutable's default applications.
- * auth-next zero-config uses DEFAULT_SANDBOX_CLIENT_ID only.
+ * Sandbox client ID for auth-next zero-config.
  */
-export const DEFAULT_PRODUCTION_CLIENT_ID = 'PtQRK4iRJ8GkXjiz6xfImMAYhPhW0cYk';
 export const DEFAULT_SANDBOX_CLIENT_ID = 'mjtCL8mt06BtbxSkp2vbrYStKWnXVZfo';
 
 /**
diff --git a/packages/auth-next-server/src/index.ts b/packages/auth-next-server/src/index.ts
@@ -51,7 +51,6 @@ export {
   DEFAULT_SCOPE,
   IMMUTABLE_PROVIDER_ID,
   DEFAULT_NEXTAUTH_BASE_PATH,
-  DEFAULT_PRODUCTION_CLIENT_ID,
   DEFAULT_SANDBOX_CLIENT_ID,
   DEFAULT_REDIRECT_URI_PATH,
   DEFAULT_POPUP_REDIRECT_URI_PATH,

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`/**`
`2`	`2`	`* Sandbox default redirect URI for zero-config mode.`
`3`	`3`	`* Defined locally to avoid importing from auth-next-server (which uses next/server).`
`4`		`- * Server: path only. Client: full URL (origin + path).`
	`4`	`+ * OAuth requires an absolute URL; this runs in the browser when login is invoked.`
`5`	`5`	`*`
`6`	`6`	`* @internal`
`7`	`7`	`*/`
`@@ -10,7 +10,10 @@ import { DEFAULT_REDIRECT_URI_PATH } from './constants';`
`10`	`10`
`11`	`11`	`export function deriveDefaultRedirectUri(): string {`
`12`	`12`	`if (typeof window === 'undefined') {`
`13`		`- return DEFAULT_REDIRECT_URI_PATH;`
	`13`	`+ throw new Error(`
	`14`	`+ '[auth-next-client] deriveDefaultRedirectUri requires window. '`
	`15`	`+ + 'Login hooks run in the browser when the user triggers login.',`
	`16`	`+ );`
`14`	`17`	`}`
`15`	`18`	return `${window.location.origin}${DEFAULT_REDIRECT_URI_PATH}`;
`16`	`19`	`}`