fix: add NextjsGrader check for getSignInUrl in Server Components (#110)

nicknisi · web-flow · commit f2a6ec29a88c · 2026-03-31T16:23:36.000-05:00
* fix: add NextjsGrader check for getSignInUrl in Server Components

- Add exported findUnsafeGetSignInUrlUsage() helper that scans .tsx
  files for getSignInUrl() invocations without top-level 'use client'
  or 'use server' directives
- Add hasTopLevelDirective() with module prologue detection (strips
  comments/whitespace, ignores inline 'use server' in function bodies)
- Wire check into grade() after AuthKitProvider check
- Add 7 unit tests covering: server page, shared component, client
  component, top-level server action, inline server action trap,
  no usage, and comment mention edge case

Addresses Alexander Southgate's friction log where the agent generated
nav-auth.tsx as a Server Component calling getSignInUrl().

* fix: strip comments before checking getSignInUrl invocations

The invocation regex matched getSignInUrl() inside comments, causing
false positives on files with commented-out examples or TODOs like
"// don't call getSignInUrl() here". Strip single-line and multi-line
comments before testing the regex. Add test case for this edge case.

* test: strengthen use client test with real getSignInUrl() invocation

The test fixture previously only imported getSignInUrl without calling
it. Now includes an actual getSignInUrl() call inside an onClick
handler to properly exercise the directive detection logic.

* chore: formatting

* refactor: simplify stripComments regex and use path.relative

- Combine two-pass comment stripping into single regex
- Use path.relative() instead of fragile string replacement

* chore: bump @workos/skills to 0.2.4
diff --git a/package.json b/package.json
@@ -51,7 +51,7 @@
     "@clack/prompts": "1.0.1",
     "@napi-rs/keyring": "^1.2.0",
     "@workos-inc/node": "^8.7.0",
-    "@workos/skills": "0.2.2",
+    "@workos/skills": "0.2.4",
     "chalk": "^5.6.2",
     "diff": "^8.0.3",
     "fast-glob": "^3.3.3",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/tests/evals/graders/__tests__/nextjs-server-component-safety.spec.ts b/tests/evals/graders/__tests__/nextjs-server-component-safety.spec.ts
@@ -0,0 +1,138 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { mkdtemp, mkdir, writeFile, rm } from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { findUnsafeGetSignInUrlUsage } from '../nextjs.grader.js';
+
+describe('findUnsafeGetSignInUrlUsage', () => {
+  let workDir: string;
+
+  beforeEach(async () => {
+    workDir = await mkdtemp(join(tmpdir(), 'grader-test-'));
+    await mkdir(join(workDir, 'app'), { recursive: true });
+  });
+
+  afterEach(async () => {
+    await rm(workDir, { recursive: true, force: true });
+  });
+
+  it('fails when getSignInUrl() is called in app/page.tsx', async () => {
+    await writeFile(
+      join(workDir, 'app/page.tsx'),
+      `
+import { getSignInUrl } from '@workos-inc/authkit-nextjs';
+export default async function Page() {
+  const url = await getSignInUrl();
+  return <a href={url}>Sign in</a>;
+}
+`,
+    );
+    const result = await findUnsafeGetSignInUrlUsage(workDir);
+    expect(result).not.toBeNull();
+    expect(result!.file).toBe('app/page.tsx');
+  });
+
+  it('fails when getSignInUrl() is in a shared component without directive', async () => {
+    await mkdir(join(workDir, 'app/components'), { recursive: true });
+    await writeFile(
+      join(workDir, 'app/components/nav-auth.tsx'),
+      `
+import { getSignInUrl } from '@workos-inc/authkit-nextjs';
+export default async function NavAuth() {
+  const url = await getSignInUrl();
+  return <a href={url}>Sign in</a>;
+}
+`,
+    );
+    const result = await findUnsafeGetSignInUrlUsage(workDir);
+    expect(result).not.toBeNull();
+    expect(result!.file).toContain('nav-auth.tsx');
+  });
+
+  it('passes when getSignInUrl() is in a use client component', async () => {
+    await writeFile(
+      join(workDir, 'app/page.tsx'),
+      `
+'use client';
+import { getSignInUrl } from '@workos-inc/authkit-nextjs';
+export default function Page() {
+  const handleClick = async () => { const url = await getSignInUrl(); window.location.href = url; };
+  return <button onClick={handleClick}>Sign in</button>;
+}
+`,
+    );
+    const result = await findUnsafeGetSignInUrlUsage(workDir);
+    expect(result).toBeNull();
+  });
+
+  it('passes when getSignInUrl() is in a top-level use server file', async () => {
+    await mkdir(join(workDir, 'app/actions'), { recursive: true });
+    await writeFile(
+      join(workDir, 'app/actions/auth.tsx'),
+      `
+'use server';
+import { getSignInUrl } from '@workos-inc/authkit-nextjs';
+export async function getUrl() { return getSignInUrl(); }
+`,
+    );
+    const result = await findUnsafeGetSignInUrlUsage(workDir);
+    expect(result).toBeNull();
+  });
+
+  it('fails when use server is inline, not top-level', async () => {
+    await writeFile(
+      join(workDir, 'app/page.tsx'),
+      `
+import { getSignInUrl } from '@workos-inc/authkit-nextjs';
+export default async function Page() {
+  const url = await getSignInUrl();
+  async function logout() {
+    'use server';
+    // server action
+  }
+  return <a href={url}>Sign in</a>;
+}
+`,
+    );
+    const result = await findUnsafeGetSignInUrlUsage(workDir);
+    expect(result).not.toBeNull();
+  });
+
+  it('passes when no files contain getSignInUrl()', async () => {
+    await writeFile(
+      join(workDir, 'app/page.tsx'),
+      `
+export default function Page() {
+  return <h1>Home</h1>;
+}
+`,
+    );
+    const result = await findUnsafeGetSignInUrlUsage(workDir);
+    expect(result).toBeNull();
+  });
+
+  it('ignores mere mention of getSignInUrl without invocation', async () => {
+    await writeFile(
+      join(workDir, 'app/page.tsx'),
+      `
+// Do not use getSignInUrl in server components
+export default function Page() { return <h1>Home</h1>; }
+`,
+    );
+    const result = await findUnsafeGetSignInUrlUsage(workDir);
+    expect(result).toBeNull();
+  });
+
+  it('ignores commented-out getSignInUrl() calls', async () => {
+    await writeFile(
+      join(workDir, 'app/page.tsx'),
+      `
+// don't call getSignInUrl() here
+/* const url = await getSignInUrl(); */
+export default function Page() { return <h1>Home</h1>; }
+`,
+    );
+    const result = await findUnsafeGetSignInUrlUsage(workDir);
+    expect(result).toBeNull();
+  });
+});
diff --git a/tests/evals/graders/nextjs.grader.ts b/tests/evals/graders/nextjs.grader.ts
@@ -1,12 +1,63 @@
+import fg from 'fast-glob';
+import { readFile } from 'node:fs/promises';
+import { relative } from 'node:path';
 import { FileGrader } from './file-grader.js';
 import { BuildGrader } from './build-grader.js';
 import type { Grader, GradeResult, GradeCheck } from '../types.js';
 
+/**
+ * Module prologue directive check.
+ * Only matches 'use client' / 'use server' when they appear as the
+ * first statement in the file (ignoring leading comments and whitespace).
+ * Does NOT match inline 'use server' inside function bodies.
+ */
+export function hasTopLevelDirective(content: string, directive: string): boolean {
+  // Strip leading whitespace, single-line comments, and multi-line comments
+  const stripped = content.replace(/^\s*(\/\/[^\n]*\n|\/\*[\s\S]*?\*\/\s*)*/g, '');
+  // Check if the file starts with the directive (single or double quotes, with semicolon optional)
+  return stripped.startsWith(`'${directive}'`) || stripped.startsWith(`"${directive}"`);
+}
+
+const INVOCATION_PATTERN = /\bgetSignInUrl\s*\(/;
+
+/**
+ * Strip single-line (//) and multi-line comments from source code
+ * so the invocation regex doesn't match commented-out calls.
+ */
+function stripComments(content: string): string {
+  return content.replace(/\/\/[^\n]*|\/\*[\s\S]*?\*\//g, '');
+}
+
+export async function findUnsafeGetSignInUrlUsage(workDir: string): Promise<{ file: string } | null> {
+  const files = await fg('{app,src/app}/**/*.tsx', {
+    cwd: workDir,
+    ignore: ['**/callback/**', '**/node_modules/**'],
+    absolute: true,
+  });
+
+  for (const file of files) {
+    const content = await readFile(file, 'utf-8');
+    const code = stripComments(content);
+
+    if (
+      INVOCATION_PATTERN.test(code) &&
+      !hasTopLevelDirective(content, 'use client') &&
+      !hasTopLevelDirective(content, 'use server')
+    ) {
+      return { file: relative(workDir, file) };
+    }
+  }
+
+  return null;
+}
+
 export class NextjsGrader implements Grader {
   private fileGrader: FileGrader;
   private buildGrader: BuildGrader;
+  private workDir: string;
 
   constructor(workDir: string) {
+    this.workDir = workDir;
     this.fileGrader = new FileGrader(workDir);
     this.buildGrader = new BuildGrader(workDir);
   }
@@ -91,6 +142,16 @@ export class NextjsGrader implements Grader {
     );
     checks.push(authKitProviderCheck);
 
+    // Check for getSignInUrl() in server components (no top-level directive)
+    const unsafeUsage = await findUnsafeGetSignInUrlUsage(this.workDir);
+    checks.push({
+      name: 'No getSignInUrl in Server Components',
+      passed: unsafeUsage === null,
+      message: unsafeUsage
+        ? `${unsafeUsage.file} calls getSignInUrl() without a top-level 'use client' or 'use server' directive — will throw in Next.js 15+`
+        : 'No unsafe getSignInUrl usage in Server Components',
+    });
+
     // Check build succeeds
     checks.push(await this.buildGrader.checkBuild());
 
