Merged
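--- a/packages/backend/convex/auth.config.test.ts
+++ b/packages/backend/convex/auth.config.test.ts
@@ -0,0 +1,29 @@
+import { beforeAll, describe, expect, test } from "vitest";
+
+let buildWorkOsClientIds: (primaryClientId: string) => string[];
+
+beforeAll(async () => {
+process.env.WORKOS_CLIENT_ID = "client_current";
+({ buildWorkOsClientIds } = await import("./auth.config"));
+});
+
+describe("buildWorkOsClientIds", () => {
+test("keeps the primary client id first", () => {
+expect(buildWorkOsClientIds("client_current")).toEqual(["client_current"]);
+});
+
+test("accepts current production tokens when Convex still has the preview client", () => {
+expect(buildWorkOsClientIds("client_01KFPXKM905BYDQY5Q7BFJN409")).toEqual([
+"client_01KFPXKM905BYDQY5Q7BFJN409",
+"client_01KG0NPZN3AWXNTRHC58VAPVW2",
+]);
+});
+
+test("accepts preview and production tokens when Convex still has the legacy preview client", () => {
+expect(buildWorkOsClientIds("client_01KG0NZ3QX0AJQE87CKZC74YXQ")).toEqual([
+"client_01KG0NZ3QX0AJQE87CKZC74YXQ",
+"client_01KFPXKM905BYDQY5Q7BFJN409",
+"client_01KG0NPZN3AWXNTRHC58VAPVW2",
+]);
+});
+});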
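Review bot: None of the three cases asserts that the production client id, passed as the primary, comes back alone, so a later edit that made a production-configured deployment accept preview or legacy-preview tokens would still pass this suite. Add a negative case such as `expect(buildWorkOsClientIds("client_01KG0NPZN3AWXNTRHC58VAPVW2")).toEqual(["client_01KG0NPZN3AWXNTRHC58VAPVW2"]);`. The `beforeAll` also leaves `process.env.WORKOS_CLIENT_ID` set to `"client_current"` after the suite; restoring the previous value in an `afterAll` keeps other tests in the same worker from inheriting it.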
36 changes: 23 additions & 13 deletions packages/backend/convex/auth.config.ts
@@ -8,20 +8,30 @@ if (!clientId) {

const previewWorkOsClientId = "client_01KFPXKM905BYDQY5Q7BFJN409";
const legacyPreviewAuthConfigClientId = "client_01KG0NZ3QX0AJQE87CKZC74YXQ";
const productionWorkOsClientId = "client_01KG0NPZN3AWXNTRHC58VAPVW2";

const clientIds = Array.from(
new Set(
[
clientId,
// Convex auth config only permits env vars already set in Convex.
// During preview deploys, auth config currently sees the legacy client
// while Vercel/WorkOS mint tokens for the newer preview client.
clientId === legacyPreviewAuthConfigClientId
? previewWorkOsClientId
: null,
].filter((value): value is string => Boolean(value))
)
);
export function buildWorkOsClientIds(primaryClientId: string): string[] {
return Array.from(
new Set(
[
primaryClientId,
// Convex auth config can see the previously stored client during the
// same deploy that refreshes WorkOS/Vercel credentials. Keep the
// active handoff clients valid so first deploys do not reject fresh
// AuthKit tokens.
primaryClientId === legacyPreviewAuthConfigClientId
? previewWorkOsClientId
: null,
primaryClientId === legacyPreviewAuthConfigClientId ||
primaryClientId === previewWorkOsClientId
? productionWorkOsClientId
: null,
].filter((value): value is string => Boolean(value))
)
);
}

const clientIds = buildWorkOsClientIds(clientId);

export default {
providers: clientIds.flatMap((currentClientId) => {
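Review bot: `buildWorkOsClientIds` now appends `productionWorkOsClientId` whenever the primary id is the preview or legacy-preview client, so a deployment configured with either preview id will accept tokens issued for the production WorkOS client, and nothing in the hunk bounds how long that widening lasts. The comment calls these "handoff clients", but the ids are hard-coded constants with no removal condition. If the acceptance is meant to be temporary, record that at the branch, e.g. `// TODO(security): drop productionWorkOsClientId here once Convex's WORKOS_CLIENT_ID matches the deployed client`, or gate the extra ids behind an explicit environment flag so the default is the single configured client. How each id becomes a provider entry is in the `providers` mapping, which continues outside the hunk, so whether the extra ids are constrained further cannot be confirmed from here.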