fix: tests and upgrade to node 22

.github/workflows/deploy-dev.yml

@@ -14,7 +14,7 @@ jobs:
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4
         with:
           cache: "yarn"
-          node-version: "20.x"
+          node-version: "22.x"
           registry-url: "https://npm.pkg.github.com"
           scope: "@sesamyab"
       - name: Install dependencies

.github/workflows/release.yml

@@ -13,7 +13,7 @@ jobs:
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4
         with:
           cache: "yarn"
-          node-version: "20.x"
+          node-version: "22.x"
           registry-url: "https://npm.pkg.github.com"
           scope: "@sesamyab"
       - name: Install dependencies

.github/workflows/unit-tests.yml

@@ -14,10 +14,10 @@ jobs:
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
-      - name: Setup Node.js 20
+      - name: Setup Node.js 22
         uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: '22'
           cache: 'yarn'
           registry-url: 'https://npm.pkg.github.com'
 

.nvmrc

@@ -1 +1 @@
-20
+22

package.json

@@ -57,7 +57,7 @@
     "@planetscale/database": "1.19.0",
     "@xmldom/xmldom": "^0.9.5",
     "arctic": "^2.2.2",
-    "authhero": "^0.13.1",
+    "authhero": "^0.13.2",
     "bcryptjs": "^2.4.3",
     "fast-xml-parser": "^4.5.0",
     "hono": "4.4.0",

src/routes/universal-login/routes.tsx

@@ -474,12 +474,7 @@ export const loginRoutes = new OpenAPIHono<{ Bindings: Env; Variables: Var }>()
           algorithm: "bcrypt",
         };
 
-        try {
-          // In case the password doesn't exist
-          await env.data.passwords.create(client.tenant.id, passwordOptions);
-        } catch {
-          await env.data.passwords.update(client.tenant.id, passwordOptions);
-        }
+        await env.data.passwords.update(client.tenant.id, passwordOptions);
 
         // we could do this on the GET...
         if (!user.email_verified) {

test/integration/disable-signup.spec.ts

@@ -2,7 +2,6 @@ import { test, expect } from "vitest";
 import { getTestServer } from "./helpers/test-server";
 import { testClient } from "hono/testing";
 import { snapshotResponse } from "./helpers/playwrightSnapshots";
-import { base64url } from "oslo/encoding";
 import { AuthorizationResponseType } from "@authhero/adapter-interfaces";
 
 test("only allows existing users to progress to the enter code step", async () => {
@@ -46,11 +45,16 @@ test("only allows existing users to progress to the enter code step", async () =
   });
   // this will only render the FB button
   await env.data.connections.create("breakit", {
-    id: "breakit-connection",
     name: "facebook",
     strategy: "facebook",
     options: {},
   });
+  // We need another option so it doesn't redirect straight to facebook
+  await env.data.connections.create("breakit", {
+    name: "email",
+    strategy: "email",
+    options: {},
+  });
 
   const response = await oauthClient.authorize.$get({
     query: {
@@ -62,6 +66,8 @@ test("only allows existing users to progress to the enter code step", async () =
       state: "state",
     },
   });
+
+  expect(response.status).toBe(302);
   const location = response.headers.get("location");
   const stateParam = new URLSearchParams(location!.split("?")[1]);
   const query = Object.fromEntries(stateParam.entries());

test/integration/flows/code-flow.spec.ts

@@ -179,17 +179,8 @@ describe("code-flow", () => {
         "clientId",
       );
 
-    const {
-      // these are the fields that change on every test run
-      exp,
-      iat,
-      sid,
-      sub,
-      ...restOfIdTokenPayload
-    } = silentAuthIdTokenPayload;
-
-    expect(sub).toContain("email|");
-    expect(restOfIdTokenPayload).toEqual({
+    expect(silentAuthIdTokenPayload.sub).toContain("email|");
+    expect(silentAuthIdTokenPayload).toMatchObject({
       aud: "clientId",
       name: "test@example.com",
       email: "test@example.com",
@@ -256,23 +247,8 @@ describe("code-flow", () => {
         "clientId",
       );
 
-    const {
-      sub: sub2,
-      // TO TEST? that these fields are the same as on the first silent auth?
-      exp: exp2,
-      iat: iat2,
-      sid: sid2,
-      //
-      family_name: family_name2,
-      given_name: given_name2,
-      nickname: nickname2,
-      locale: locale2,
-      picture: picture2,
-      ...restOfIdTokenPayload2
-    } = silentAuthIdTokenPayload2;
-
-    expect(sub2).toEqual(sub);
-    expect(restOfIdTokenPayload2).toEqual({
+    expect(silentAuthIdTokenPayload2.sub).toEqual(silentAuthIdTokenPayload.sub);
+    expect(silentAuthIdTokenPayload2).toMatchObject({
       aud: "clientId",
       name: "test@example.com",
       email: "test@example.com",
@@ -622,19 +598,10 @@ describe("code-flow", () => {
         "clientId",
       );
 
-    const {
-      // these are the fields that change on every test run
-      exp,
-      iat,
-      sid,
-      sub,
-      ...restOfIdTokenPayload
-    } = silentAuthIdTokenPayload;
-
     // this is the id of the primary account
-    expect(sub).toBe("auth2|userId");
+    expect(silentAuthIdTokenPayload.sub).toBe("auth2|userId");
 
-    expect(restOfIdTokenPayload).toEqual({
+    expect(silentAuthIdTokenPayload).toMatchObject({
       aud: "clientId",
       email: "foo@example.com",
       email_verified: true,

test/integration/flows/magic-link-flow.spec.ts

@@ -145,17 +145,8 @@ describe("magic link flow", () => {
           "clientId",
         );
 
-      const {
-        // these are the fields that change on every test run
-        exp,
-        iat,
-        sid,
-        sub,
-        ...restOfIdTokenPayload
-      } = silentAuthIdTokenPayload;
-
-      expect(sub).toContain("email|");
-      expect(restOfIdTokenPayload).toEqual({
+      expect(silentAuthIdTokenPayload.sub).toContain("email|");
+      expect(silentAuthIdTokenPayload).toMatchObject({
         aud: "clientId",
         name: "new-user@example.com",
         email: "new-user@example.com",
@@ -279,10 +270,7 @@ describe("magic link flow", () => {
           "clientId",
         );
 
-      const { exp, iat, sid, ...restOfIdTokenPayload } =
-        silentAuthIdTokenPayload;
-
-      expect(restOfIdTokenPayload).toEqual({
+      expect(silentAuthIdTokenPayload).toMatchObject({
         sub: "email|userId2",
         aud: "clientId",
         name: "",
@@ -391,10 +379,7 @@ describe("magic link flow", () => {
           "clientId",
         );
 
-      const { exp, iat, sid, ...restOfIdTokenPayload } =
-        silentAuthIdTokenPayload;
-
-      expect(restOfIdTokenPayload).toEqual({
+      expect(silentAuthIdTokenPayload).toMatchObject({
         sub: "auth2|userId",
         aud: "clientId",
         name: "Åkesson Þorsteinsson",
@@ -492,10 +477,7 @@ describe("magic link flow", () => {
           "clientId",
         );
 
-      const { exp, iat, sid, ...restOfIdTokenPayload } =
-        silentAuthIdTokenPayload;
-
-      expect(restOfIdTokenPayload).toEqual({
+      expect(silentAuthIdTokenPayload).toMatchObject({
         sub: "auth2|userId",
         aud: "clientId",
         name: "Åkesson Þorsteinsson",

test/integration/flows/password.spec.ts

@@ -185,16 +185,9 @@ describe("password-flow", () => {
           "unique-nonce",
           "clientId",
         );
-      const {
-        // these are the fields that change on every test run
-        exp,
-        iat,
-        sid,
-        sub,
-        ...restOfIdTokenPayload
-      } = silentAuthIdTokenPayload;
-      expect(sub).toContain("auth2|");
-      expect(restOfIdTokenPayload).toEqual({
+
+      expect(silentAuthIdTokenPayload.sub).toContain("auth2|");
+      expect(silentAuthIdTokenPayload).toMatchObject({
         aud: "clientId",
         email: "password-login-test@example.com",
         email_verified: true,
@@ -520,7 +513,7 @@ describe("password-flow", () => {
     });
 
     it("should not allow a new sign up to overwrite the password of an existing signup", async () => {
-      const { oauthApp, emails, env } = await getTestServer();
+      const { oauthApp, env } = await getTestServer();
       const aNewPassword = "A-new-valid-password-1234!";
       const oauthClient = testClient(oauthApp, env);
 
@@ -572,7 +565,7 @@ describe("password-flow", () => {
   });
   describe("Login with password", () => {
     it("should login with existing user", async () => {
-      const { oauthApp, emails, env } = await getTestServer();
+      const { oauthApp, env } = await getTestServer();
       const oauthClient = testClient(oauthApp, env);
       // foo@example.com is an existing username-password user, with password - Test!
 
@@ -643,9 +636,7 @@ describe("password-flow", () => {
           "unique-nonce",
           "clientId",
         );
-      const { exp, iat, sid, ...restOfIdTokenPayload } =
-        silentAuthIdTokenPayload;
-      expect(restOfIdTokenPayload).toEqual({
+      expect(silentAuthIdTokenPayload).toMatchObject({
         sub: "auth2|userId",
         aud: "clientId",
         email: "foo@example.com",

test/integration/flows/social.spec.ts

@@ -216,13 +216,7 @@ describe("social sign on", () => {
           },
         );
         const newSocialUser = (await newSocialUserRes.json()) as UserResponse;
-        const {
-          created_at,
-          updated_at,
-          last_login,
-          ...newSocialUserWithoutDates
-        } = newSocialUser;
-        expect(newSocialUserWithoutDates).toEqual(EXPECTED_NEW_USER);
+        expect(newSocialUser).toMatchObject(EXPECTED_NEW_USER);
       });
 
       // like apple
@@ -319,13 +313,7 @@ describe("social sign on", () => {
           },
         );
         const newSocialUser = (await newSocialUserRes.json()) as UserResponse;
-        const {
-          created_at,
-          updated_at,
-          last_login,
-          ...newSocialUserWithoutDates
-        } = newSocialUser;
-        expect(newSocialUserWithoutDates).toEqual(EXPECTED_NEW_USER);
+        expect(newSocialUser).toMatchObject(EXPECTED_NEW_USER);
       });
     });
   });
@@ -404,7 +392,7 @@ describe("social sign on", () => {
       });
 
       const socialCallbackResponseQuery = new URLSearchParams(
-        socialCallbackResponse.headers.get("location")?.split("#")[1]!,
+        socialCallbackResponse.headers.get("location")?.split("#")[1],
       );
       const accessTokenPayload = parseJwt(
         socialCallbackResponseQuery.get("access_token")!,
@@ -515,7 +503,7 @@ describe("social sign on", () => {
       });
 
       const socialCallbackResponse2Query = new URLSearchParams(
-        socialCallbackResponse2.headers.get("location")?.split("#")[1]!,
+        socialCallbackResponse2.headers.get("location")?.split("#")[1],
       );
       expect(
         parseJwt(socialCallbackResponse2Query.get("access_token")!).sub,
@@ -552,9 +540,7 @@ describe("social sign on", () => {
       expect(socialCallbackResponseAnotherSSO.status).toBe(302);
 
       const socialCallbackResponseAnotherSSOQuery = new URLSearchParams(
-        socialCallbackResponseAnotherSSO.headers
-          .get("location")
-          ?.split("#")[1]!,
+        socialCallbackResponseAnotherSSO.headers.get("location")?.split("#")[1],
       );
       // these confirm we are still signing in with the primary user
       expect(
@@ -698,7 +684,7 @@ describe("social sign on", () => {
       });
 
       const socialCallbackResponseQuery = new URLSearchParams(
-        socialCallbackResponse.headers.get("location")?.split("#")[1]!,
+        socialCallbackResponse.headers.get("location")?.split("#")[1],
       );
 
       const accessTokenPayload = parseJwt(

test/integration/login/login-hint.spec.ts

@@ -53,7 +53,7 @@ it("should prefill email with login_hint if passed to /authorize", async () => {
   const usernameValue = await usernameInput!.getAttribute("value");
   expect(usernameValue).toBe("suggested-email@example.com");
 
-  // @ts-ignore
+  // @ts-expect-error - dynamic import
   if (import.meta.env.TEST_SNAPSHOTS === "true") {
     const snapshot = await page.screenshot();
     expect(snapshot).toMatchImageSnapshot();
@@ -138,6 +138,7 @@ it("should redirect the user back with a code if the email matches the current s
   });
 
   expect(tokenResponse.status).toBe(200);
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
   const tokenBody: any = await tokenResponse.json();
   expect(tokenBody.access_token).toBeTypeOf("string");
 });

yarn.lock

@@ -24,11 +24,6 @@
   resolved "https://registry.yarnpkg.com/@authhero/adapter-interfaces/-/adapter-interfaces-0.24.0.tgz#834d2af113969d30314eb00db2647e4fdf6b7cd9"
   integrity sha512-7gZ+8pmjzJVVusDPbbzbdMPP00p3cCgme9R2MbZ1Kqees9ji5u6XtKmkB1ApyKi5mjOo2DjzHHCfSa0tg4xHHQ==
 
-"@authhero/adapter-interfaces@^0.23.0":
-  version "0.23.0"
-  resolved "https://registry.yarnpkg.com/@authhero/adapter-interfaces/-/adapter-interfaces-0.23.0.tgz#738a49c870302761a890ee6760a6682dd56b7ab9"
-  integrity sha512-dQmJquo3Ta8T5cnX5Ul1Ordmd8ZnJiGu2AVGyxB1Q503oYOrzPWkil8TxYjle1+RORia7uB+/EofJNR9bDLfBA==
-
 "@authhero/kysely-adapter@0.21.0":
   version "0.21.0"
   resolved "https://registry.yarnpkg.com/@authhero/kysely-adapter/-/kysely-adapter-0.21.0.tgz#437a49e3ce5f99232f5c57d7ab8180891b2e0380"
@@ -2242,12 +2237,12 @@ assertion-error@^2.0.1:
   resolved "https://registry.yarnpkg.com/assertion-error/-/assertion-error-2.0.1.tgz#f641a196b335690b1070bf00b6e7593fec190bf7"
   integrity sha512-Izi8RQcffqCeNVgFigKli1ssklIbpHnCYc6AknXGYoB6grJqyeby7jv12JUQgmTAnIDnbck1uxksT4dzN3PWBA==
 
-authhero@^0.13.1:
-  version "0.13.1"
-  resolved "https://registry.yarnpkg.com/authhero/-/authhero-0.13.1.tgz#f0b9646ec193857f7d873dc6f9b9a8ed79709892"
-  integrity sha512-y1Ztph7fwHVzj/aa3orxSu3IhCzkXUUgVuwCLa9xrmFHGxvRYqHnJoPNq8ES+ANgVMYAlehoLoJgpvGSujM0DA==
+authhero@^0.13.2:
+  version "0.13.2"
+  resolved "https://registry.yarnpkg.com/authhero/-/authhero-0.13.2.tgz#7113a123092e4ae422d47e91a06d66e497e5079c"
+  integrity sha512-xPl9KANGFGvLzSfEVcAdUOAYBHw2sd3dv9k14u8lOJausJ86eTYIJGRaK5UfTvxasmRbtnKyRTdM0BcnJC4tdA==
   dependencies:
-    "@authhero/adapter-interfaces" "^0.23.0"
+    "@authhero/adapter-interfaces" "^0.24.0"
     "@peculiar/x509" "^1.12.3"
     bcrypt "^5.1.1"
     bcryptjs "^2.4.3"