@guabu guabu commented Oct 2, 2025

📋 Changes

This PR adds support for the Connected Accounts flow:

  • Introduces an opt-in endpoint /auth/connect to initiate the connect account flow
  • Introduces a connectAccount() method for custom route implementations
  • Extends the onCallback hook to handle connected account responses

Mounted route:

import { Auth0Client } from "@auth0/nextjs-auth0/server";

export const auth0 = new Auth0Client({
  enableConnectAccountEndpoint: true // Mounts /auth/connect endpoint (customizable)
});

Programmatically via:

const response = await auth0.connectAccount({
  connection: "my-connection",
  authorizationParams: {
    scope: "openid profile email",
    audience: "https://myapi.com"
  },
  returnTo: "/connected"
});

The onCallback hook now receives additional context for connected account flows:

  • connectedAccount: Account linking response data
  • responseType: Set to RESPONSE_TYPES.CONNECT_CODE for account linking
  • returnTo: Original return URL from the linking initiation

@guabu guabu requested a review from a team as a code owner October 2, 2025 21:13

codecov-commenter commented Oct 3, 2025

Codecov Report

❌ Patch coverage is 79.48113% with 87 lines in your changes missing coverage. Please review.
✅ Project coverage is 87.51%. Comparing base (44f3435) to head (79a6fd5).
⚠️ Report is 4 commits behind head on main.

Files with missing lines     Patch %   Lines
src/server/auth-client.ts    82.99%    58 Missing ⚠️
src/server/client.ts         18.18%    27 Missing ⚠️
src/errors/index.ts          95.12%    2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2344      +/-   ##
==========================================
- Coverage   88.58%   87.51%   -1.07%     
==========================================
  Files          32       34       +2     
  Lines        3109     3517     +408     
  Branches      615      657      +42     
==========================================
+ Hits         2754     3078     +324     
- Misses        352      436      +84     
  Partials        3        3              


@frederikprijck

@claude


github-actions bot commented Oct 9, 2025

Claude finished @frederikprijck's task


PR Review Complete

I've completed a comprehensive review of this PR that adds Connected Accounts support to the nextjs-auth0 SDK.

Overall Assessment

❌ This PR requires fixes before merging. I've identified several security and reliability issues that should be addressed, including missing input validation, potential null pointer exceptions, and error handling improvements. Additionally, there are typos in error messages and opportunities to improve OAuth2 security patterns.

Key Issues Found

Critical Issues:

  • Missing validation for connect_code query parameter (line 628)
  • Non-null assertion on optional authSession field without validation (line 627)
  • Incomplete error response validation when parsing API errors (lines 1830, 1908)

Security Improvements:

  • Should use oauth4webapi's protectedResourceRequest for DPoP support (lines 1812, 1892)
  • Missing URI encoding for ticket parameter (line 1792)

Code Quality:

  • Typos in error messages: "occured" → "occurred" (lines 1872, 1950)
  • Inconsistent error handling patterns (line 933)
  • Documentation gaps for user setup requirements (line 230 in client.ts)

All specific issues have been commented inline on the affected lines.


Branch: connected-accounts
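
The three parameter-handling findings in the review above (unvalidated connect_code, a non-null assertion on authSession, an unencoded ticket), shown as an added example that is not code from this PR or from the SDK. The function names, the shape of the stored transaction, the error strings and the sample URLs are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not nextjs-auth0 source code.

// Append the ticket with URL.searchParams so it is percent-encoded and
// reserved characters in it cannot introduce extra query parameters.
function buildConnectUrl(connectUri, ticket) {
  if (typeof ticket !== "string" || ticket === "") {
    throw new TypeError("ticket must be a non-empty string");
  }
  const url = new URL(connectUri); // throws on a malformed URI
  url.searchParams.set("ticket", ticket);
  return url.toString();
}

// Check the callback before completing the flow: connect_code must appear
// exactly once and be non-empty, and the stored transaction (assumed shape)
// must carry an authSession. Failures are returned, never asserted away.
function readConnectCallback(callbackUrl, transaction) {
  const codes = new URL(callbackUrl).searchParams.getAll("connect_code");
  if (codes.length !== 1 || codes[0].trim() === "") {
    return { ok: false, error: "invalid_connect_code" };
  }
  const authSession = transaction ? transaction.authSession : undefined;
  if (typeof authSession !== "string" || authSession === "") {
    return { ok: false, error: "missing_auth_session" };
  }
  return { ok: true, connectCode: codes[0], authSession };
}

// Constructed sample values.
const SAMPLE_TICKET = "tkt/1+2&admin=true";
const CALLBACK = "https://app.example/auth/callback";

console.log(buildConnectUrl("https://tenant.example/connect", SAMPLE_TICKET));
console.log(readConnectCallback(`${CALLBACK}?connect_code=abc123`, { authSession: "s1" }));
console.log(readConnectCallback(CALLBACK, { authSession: "s1" }));
console.log(readConnectCallback(`${CALLBACK}?connect_code=abc123`, {}));
```
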

@tusharpandey13 tusharpandey13 merged commit 90f04b7 into auth0:main Oct 13, 2025
10 of 11 checks passed
This was referenced Oct 17, 2025