Auth (@sumx/ssr-auth-core + @sumx/ssr-auth-react)
Portable OIDC + HttpOnly session stack for SumX Next.js apps.
| Package | Runs on | Responsibility |
|---|---|---|
| @sumx/ssr-auth-core | Server (API routes, middleware helpers) | Cookies, token refresh, OIDC URLs, /api/auth/* factories |
| @sumx/ssr-auth-react | Client | CheckToken gate, login skeleton, cross-tab dialog |
Subpath imports (ssr-auth-core)
Fine-grained imports keep server bundles smaller:
```ts
import { AUTH_SESSION_SYNC_ENDPOINT } from '@sumx/ssr-auth-core/auth-constants';
import { sanitizeReturnPath } from '@sumx/ssr-auth-core/return-path';
import { createAuthSessionHandler } from '@sumx/ssr-auth-core/next/auth-session-handler';
```
Main barrel: `import { ... } from '@sumx/ssr-auth-core'`.
Documentation map
| Topic | Page |
|---|---|
| Storage keys, endpoints, timeouts | Constants |
| Session + token cookies, signing | Cookies & sessions |
| URL cleanup, token refresh, logout URLs | OIDC utilities |
| Post-login redirect, allowlist | Return path |
| Error types for session sync UI | Session sync errors |
| Pipeline identity / hard reload | OIDC pipeline identity |
| createAuthSessionHandler, logout, well-known | API route handlers |
| CheckToken, deps provider | React (CheckToken) |
End-to-end flow
- User hits a protected page → CheckToken shows LoginSkeleton or OIDC redirect.
- OIDC callback → client POSTs tokens to POST /api/auth/session (handler from core).
- Server sets signed session cookie + encrypted token cookie; optional permission fetch for return-path gate.
- Subsequent navigations → GET /api/auth/session verifies/refreshes tokens.
- Logout → POST /api/auth/logout clears cookies and may redirect to IdP end-session.
See Auth quickstart for portal wiring.