@shineli1984 (Collaborator) commented Dec 17, 2025

Summary

Adding auth-nextjs for convenient integration with nextjs + SSR.


Note

Adds @imtbl/auth-nextjs (NextAuth integration with SSR, hooks, token refresh), re-exports it from the SDK, and integrates it into the Passport sample app with env-specific API routes and provider setup.

  • New Package: packages/auth-nextjs
    • NextAuth integration for Immutable (ImmutableAuth, createAuthOptions) with token refresh, JWT/session callbacks, and server-side session validation.
    • Client utilities: ImmutableAuthProvider, useImmutableAuth, useAccessToken, CallbackPage.
    • Server utilities: getImmutableSession, withPageAuthRequired.
    • Shared types/constants/utilities and build/ts configs; comprehensive README.
  • SDK:
    • Adds dependency on @imtbl/auth-nextjs and re-exports via sdk (entries: auth_nextjs, auth_nextjs/client, auth_nextjs/server).
    • Updates sdk/src to expose auth, wallet, and authNextjs namespaces; extends exports map.
  • Sample App (packages/passport/sdk-sample-app):
    • Integrates @imtbl/auth-nextjs: wraps app with ImmutableAuthProvider, adds AuthNextJS demo component, and prevents env switching when authenticated.
    • Adds NextAuth API routes per environment (/api/auth/{dev|sandbox|prod}/[...nextauth].api.ts) and callback page.
    • Config updates: next.config.js toggles API routes via ENABLE_API_ROUTES, supports static export when disabled; package.json adds next-auth and updates dev-with-sdk script.
  • Repo Config:
    • Adds packages/auth-nextjs to pnpm-workspace.yaml.
    • Sets .npmrc network-concurrency=1.
    • Increases pre-commit NODE_OPTIONS to 10240.

Written by Cursor Bugbot for commit 5b504b5.

@shineli1984 shineli1984 requested a review from a team as a code owner December 17, 2025 01:09
socket-security bot commented Dec 17, 2025

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert
Warn High
HTTP dependency: npm @imtbl/contracts depends on https://github.com/immutable/seaport.git#1.6.0+im4

Dependency: seaport-16@https://github.com/immutable/seaport.git#1.6.0+im4

Location: Package overview

From: examples/contracts/package.json → npm/@imtbl/[email protected]


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Publish the HTTP URL dependency to a public or private package repository and consume it from there.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@imtbl/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
HTTP dependency: npm @imtbl/contracts depends on https://github.com/immutable/seaport-core.git#1.6.0+im2

Dependency: seaport-core-16@https://github.com/immutable/seaport-core.git#1.6.0+im2

Location: Package overview

From: examples/contracts/package.json → npm/@imtbl/[email protected]



@cursor cursor bot left a comment


This PR is being reviewed by Cursor Bugbot



nx-cloud bot commented Dec 17, 2025

View your CI Pipeline Execution ↗ for commit 5b504b5

| Command | Status | Duration |
| --- | --- | --- |
| nx release publish --tag alpha | ✅ Succeeded | 46s |
| nx run-many -p @imtbl/sdk,@imtbl/checkout-widge... | ✅ Succeeded | 2m 17s |

☁️ Nx Cloud last updated this comment at 2025-12-19 04:03:39 UTC


nx-cloud bot commented Dec 17, 2025

🤖 Nx Cloud AI Fix Eligible

An automatically generated fix could have helped fix failing tasks for this run, but Self-healing CI is disabled for this workspace. Visit workspace settings to enable it and get automatic fixes in future runs.

To disable these notifications, a workspace admin can disable them in workspace settings.


View your CI Pipeline Execution ↗ for commit e9cfdc4

| Command | Status | Duration |
| --- | --- | --- |
| nx affected -t build,lint,test | ❌ Failed | 3m 12s |
| nx run-many -p @imtbl/sdk,@imtbl/checkout-widge... | ✅ Succeeded | 3s |

☁️ Nx Cloud last updated this comment at 2025-12-17 04:04:32 UTC

// Default to DEV to match ImmutableProvider's default context environment
const storedEnv = localStorage.getItem("IMX_PASSPORT_SAMPLE_ENVIRONMENT");
const environment = storedEnv
? (JSON.parse(storedEnv) as EnvironmentNames)
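
Review bot: `JSON.parse(storedEnv) as EnvironmentNames` is a compile-time assertion only, so any value that parses (a number, an object, an arbitrary string) is accepted as the environment on this line. Check the parsed value against the known environment names before using it, and fall back to the DEV default named in the comment above when it does not match.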

Bug: Unhandled JSON.parse may crash callback page

The JSON.parse(storedEnv) call has no try-catch wrapper. If the localStorage value for IMX_PASSPORT_SAMPLE_ENVIRONMENT is corrupted or manually modified to contain invalid JSON, the callback page will throw an unhandled exception and crash, preventing the OAuth flow from completing.

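
A hardened form of the stored-environment lookup discussed in the comment above, added here as an example and not taken from the PR or the SDK. The environment names `dev`, `sandbox` and `prod`, the `EnvName` type, and the `StorageReader` and `fakeStorage` helpers are assumptions for illustration; the example also goes one step past the comment by rejecting well-formed JSON that is not a known environment name.

```typescript
// Added example: names and values below are assumptions, not the SDK's definitions.
const ENV_KEY = "IMX_PASSPORT_SAMPLE_ENVIRONMENT"; // key from the snippet under review

// Hypothetical stand-in for the sample app's EnvironmentNames.
const ENVIRONMENTS = ["dev", "sandbox", "prod"] as const;
type EnvName = (typeof ENVIRONMENTS)[number];
const DEFAULT_ENV: EnvName = "dev";

// Read-only view of Storage so the function can be exercised outside a browser.
interface StorageReader {
  getItem(key: string): string | null;
}

// Runtime check that replaces the unchecked type assertion.
function isEnvName(value: unknown): value is EnvName {
  return (
    typeof value === "string" &&
    (ENVIRONMENTS as readonly string[]).indexOf(value) !== -1
  );
}

function readStoredEnvironment(storage: StorageReader): EnvName {
  const raw = storage.getItem(ENV_KEY);
  if (raw === null) return DEFAULT_ENV; // nothing stored yet

  let parsed: unknown;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return DEFAULT_ENV; // corrupted or hand-edited value: do not crash the callback
  }
  // Valid JSON is not enough: only a known environment name is accepted.
  return isEnvName(parsed) ? parsed : DEFAULT_ENV;
}

// Constructed sample storage for trying the function without a browser.
function fakeStorage(value: string | null): StorageReader {
  return { getItem: (key) => (key === ENV_KEY ? value : null) };
}
```

In the browser the call would be `readStoredEnvironment(window.localStorage)`.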

@shineli1984 shineli1984 requested a review from a team as a code owner December 19, 2025 03:12