fix: allow signOut to work outside middleware coverage (#296)

Author: nicknisi

__tests__/auth.spec.ts

@@ -285,5 +285,63 @@ describe('auth.ts', () => {
         });
       });
     });
+
+    describe('when called outside of middleware', () => {
+      it('should fall back to reading session from cookie and redirect to logout URL', async () => {
+        const nextCookies = await cookies();
+
+        // Don't set x-workos-middleware header to simulate being outside middleware
+        // This will cause withAuth to throw
+
+        // Set up a session cookie with a valid access token
+        const mockSession = {
+          accessToken: await generateTestToken(),
+          refreshToken: 'refresh_token',
+          user: { id: 'user_123' },
+        };
+
+        const encryptedSession = await sealData(mockSession, {
+          password: process.env.WORKOS_COOKIE_PASSWORD as string,
+        });
+
+        nextCookies.set('wos-session', encryptedSession);
+
+        jest
+          .spyOn(workos.userManagement, 'getLogoutUrl')
+          .mockReturnValue('https://api.workos.com/user_management/sessions/logout?session_id=session_123');
+
+        await signOut();
+
+        // Cookie should be deleted
+        const sessionCookie = nextCookies.get('wos-session');
+        expect(sessionCookie).toBeUndefined();
+
+        // Should redirect to WorkOS logout URL with session ID
+        expect(redirect).toHaveBeenCalledTimes(1);
+        expect(redirect).toHaveBeenCalledWith(
+          'https://api.workos.com/user_management/sessions/logout?session_id=session_123',
+        );
+        expect(workos.userManagement.getLogoutUrl).toHaveBeenCalledWith(
+          expect.objectContaining({
+            sessionId: expect.stringMatching(/^session_/),
+          }),
+        );
+      });
+
+      it('should throw the original error when no session cookie exists outside middleware', async () => {
+        const nextCookies = await cookies();
+
+        // Don't set x-workos-middleware header to simulate being outside middleware
+        // Set a cookie to verify it gets deleted
+        nextCookies.set('wos-session', 'dummy-value');
+
+        // Should throw the error from withAuth since we can't recover
+        await expect(signOut()).rejects.toThrow(/You are calling 'withAuth'/);
+
+        // Cookie should still be deleted even though it throws
+        const sessionCookie = nextCookies.get('wos-session');
+        expect(sessionCookie).toBeUndefined();
+      });
+    });
   });
 });

src/auth.ts

@@ -1,13 +1,14 @@
 'use server';
 
+import { decodeJwt } from 'jose';
 import { revalidatePath, revalidateTag } from 'next/cache';
 import { cookies, headers } from 'next/headers';
 import { redirect } from 'next/navigation';
 import { WORKOS_COOKIE_NAME } from './env-variables.js';
 import { getCookieOptions } from './cookie.js';
 import { getAuthorizationUrl } from './get-authorization-url.js';
-import { SwitchToOrganizationOptions, UserInfo } from './interfaces.js';
-import { refreshSession, withAuth } from './session.js';
+import type { AccessToken, SwitchToOrganizationOptions, UserInfo } from './interfaces.js';
+import { getSessionFromCookie, refreshSession, withAuth } from './session.js';
 import { getWorkOS } from './workos.js';
 export async function getSignInUrl({
   organizationId,
@@ -38,6 +39,16 @@ export async function signOut({ returnTo }: { returnTo?: string } = {}) {
   try {
     const { sessionId: sid } = await withAuth();
     sessionId = sid;
+  } catch (error) {
+    // Fall back to reading session directly from cookie when middleware isn't available
+    const session = await getSessionFromCookie();
+    if (session && session.accessToken) {
+      const { sid } = decodeJwt<AccessToken>(session.accessToken);
+      sessionId = sid;
+    } else {
+      // can't recover - throw the original error.
+      throw error;
+    }
   } finally {
     const nextCookies = await cookies();
     const cookieName = WORKOS_COOKIE_NAME || 'wos-session';

src/session.ts

@@ -415,7 +415,7 @@ async function verifyAccessToken(accessToken: string) {
   }
 }
 
-async function getSessionFromCookie(request?: NextRequest) {
+export async function getSessionFromCookie(request?: NextRequest) {
   const cookieName = WORKOS_COOKIE_NAME || 'wos-session';
   let cookie;