
v0.5.1 #28

Merged
nicknisi merged 1 commit into main from release/v0.5.1
Apr 24, 2026

Conversation

@nicknisi
Member

Patch release bumping @workos/authkit-session from 0.5.0 to 0.5.1.

What's in this release

  • Security (CWE-601): handleCallback now sanitizes returnPathname decoded from OAuth state before returning it. A crafted state value (e.g. https://evil.com, //evil.com, /\evil.com) could previously flow into a downstream SDK's Location header and become an open-redirect primitive. The new sanitizeReturnPathname utility parses against a throwaway origin and rebuilds a same-origin relative path beginning with exactly one /. The fallback parameter goes through the same pipeline so a hostile fallback can't reopen the hole. (merged in f56e1d6)

Post-merge checklist

  • Tag v0.5.1 and cut a GitHub release
  • Confirm the release: published workflow publishes to npm with provenance

@greptile-apps

greptile-apps Bot commented Apr 24, 2026

Greptile Summary

This is a patch release bumping the package version from 0.5.0 to 0.5.1. The only diff in this PR is the version number in package.json; the underlying security fix (CWE-601 open-redirect in handleCallback) was already landed in the base commit f56e1d6 and is reflected in the current src/ tree. The sanitizeReturnPathname utility and its call-site in AuthService.handleCallback look correct and are well-covered by tests.

Confidence Score: 5/5

Safe to merge — single-field version bump with a well-tested security fix already in the base.

The only changed file is package.json (version field). The security fix shipped via this release was landed in the prior merge commit and the implementation is correct: sanitizeReturnPathname uses the WHATWG URL parser against a throwaway origin to strip host/scheme, then rebuilds a leading-slash-normalized relative path. Both the primary input and the fallback go through the same pipeline, and the test suite covers all the canonical redirect-bypass payloads (absolute URLs, protocol-relative, backslash smuggling, tab/newline injection, etc.).

No files require special attention.

Important Files Changed

Filename       Overview
package.json   Version bumped from 0.5.0 to 0.5.1 to publish the CWE-601 security fix — no other changes.

Sequence Diagram

sequenceDiagram
    participant Browser
    participant App as App (handleCallback)
    participant Core as AuthKitCore
    participant WOS as WorkOS API
    participant Util as sanitizeReturnPathname

    Browser->>App: GET /callback?code=…&state=…
    App->>App: getPKCECookieNameForState(state)
    App->>App: storage.getCookie(request, cookieName)
    App->>Core: verifyCallbackState({ stateFromUrl, cookieValue })
    Core-->>App: { codeVerifier, returnPathname, customState, redirectUri }
    App->>WOS: authenticateWithCode({ code, clientId, codeVerifier })
    WOS-->>App: { accessToken, refreshToken, user, impersonator }
    App->>App: encryptSession(session)
    App->>App: storage.saveSession(response, encryptedSession)
    App->>App: storage.clearCookie(response, cookieName, clearOptions)
    App->>Util: sanitizeReturnPathname(returnPathname)
    Note over Util: Parses against throwaway origin,<br/>strips host/scheme, rebuilds /path?q#h
    Util-->>App: safe relative path (e.g. /dashboard)
    App-->>Browser: { returnPathname, headers: Set-Cookie[], … }
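The sanitizer both the release notes and the review above describe, written out as an added example (this is not the @workos/authkit-session implementation): parse the untrusted value against a throwaway origin, keep only same-origin results, rebuild the path with exactly one leading slash, and push the fallback through the same check. The function names and the `http://sanitize.invalid` origin are assumptions; it runs on Node 18+ with the global WHATWG `URL`.

```javascript
// Added example, not the @workos/authkit-session code. Follows the approach
// described in the release notes: parse against a throwaway origin, keep only
// same-origin results, and rebuild a relative path starting with exactly one "/".

// Assumed throwaway base; the ".invalid" TLD can never be a real host.
const THROWAWAY_ORIGIN = "http://sanitize.invalid";

// Returns a same-origin relative path, or null when the value must be rejected.
function toSameOriginPath(value) {
  if (typeof value !== "string") return null;
  let parsed;
  try {
    parsed = new URL(value, THROWAWAY_ORIGIN);
  } catch {
    return null; // unparseable input is never forwarded
  }
  // The WHATWG parser treats "\" as "/" for http(s) and strips ASCII tab and
  // newline before parsing, so "/\evil.com" and "/\t/evil.com" both become
  // "//evil.com" and arrive here with a foreign host. Absolute URLs and
  // "javascript:" (origin "null") fail this same check.
  if (parsed.origin !== THROWAWAY_ORIGIN) return null;
  // pathname can still begin with "//" (e.g. from "/.//evil.com"), which a
  // browser would read as protocol-relative in Location, so collapse any run
  // of leading slashes to a single "/".
  const path = "/" + parsed.pathname.replace(/^\/+/, "");
  return path + parsed.search + parsed.hash;
}

// The fallback goes through the same pipeline so a hostile fallback cannot
// reopen the hole; "/" is the hard-coded last resort.
function sanitizeReturnPathname(value, fallback = "/") {
  return toSameOriginPath(value) ?? toSameOriginPath(fallback) ?? "/";
}
```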

@nicknisi nicknisi merged commit d530531 into main Apr 24, 2026
6 checks passed