Merge branch 'master' into support-cookie-domain

packages/nextjs/src/middleware/ProxyRequestCallback.ts

@@ -6,6 +6,7 @@ import sdkVersion from '../sdkVersion';
 import config from '../config';
 import CookieManager from '../utils/cookies';
 import fronteggLogger from '../utils/fronteggLogger';
+import { isRefreshTokenRequest } from '../utils/refreshAccessTokenIfNeeded/helpers';
 
 const logger = fronteggLogger.child({ tag: 'FronteggApiMiddleware.ProxyRequestCallback' });
 /**
@@ -57,6 +58,11 @@ const ProxyRequestCallback: ProxyReqCallback<ClientRequest, NextApiRequest> = (p
       proxyReq.setHeader('cf-connecting-ip', cfConnectionIp);
     }
 
+    if (isRefreshTokenRequest(req.url!)) {
+      logger.debug(`${req.url} | removing Authorization header`);
+      proxyReq.removeHeader('authorization');
+    }
+
     [
       'x-invoke-path',
       'x-invoke-query',

packages/nextjs/src/utils/refreshAccessTokenIfNeeded/helpers.ts

@@ -5,6 +5,7 @@ import api from '../../api';
 import { getTokensFromCookie } from '../../common';
 import { IncomingMessage } from 'http';
 import config from '../../config';
+import { ApiUrls } from '../../api/urls';
 
 export function hasRefreshTokenCookie(cookies: Record<string, any>): boolean {
   const logger = fronteggLogger.child({ tag: 'refreshToken.hasRefreshTokenCookie' });
@@ -100,3 +101,13 @@ export function isSamlCallback(url: string): boolean {
 export function isSSOPostRequest(url: string): boolean {
   return url === '/frontegg/auth/saml/callback' || url === '/frontegg/auth/oidc/callback';
 }
+
+/**
+ * Checks if the request URL is a refresh token request.
+ * This is used to determine if the current request is targeting
+ * one of the predefined refresh token URLs (embedded or hosted modes).
+ */
+export function isRefreshTokenRequest(url: string): boolean {
+  const refreshTokenUrls = [ApiUrls.refreshToken.embedded, ApiUrls.refreshToken.hosted];
+  return refreshTokenUrls.includes(url);
+}