feat(adapter-nextjs): server-side auth flows integrating cognito hosted UI

[HuiSF]

Description of changes

Implemented the following flow integrating Cognito Hosted UI endpoints:

1. sign-in -> Hosted UI -> sign-in-callback (including Social Providers) -> httpOnly cookies
2. sign-up -> Hosted UI -> sign-in-callback -> httpOnly cookies
3. sign-out -> Hosted UI -> sign-out-callback -> httpOnly cookies

API Route handlers work with both Next.js App Router and Pages Router.

Issue #, if available

Description of how you validated changes

1. Unit tests
2. Manual testing with Next.js samples apps created with the App Router and Pages Router

Checklist

• PR description included
• yarn test passes
• Unit Tests are changed or added
• Relevant documentation is changed or added (and PR referenced)

Checklist for repo maintainers

• Verify E2E tests for existing workflows are working as expected or add E2E tests for newly added workflows
• New source file paths included in this PR have been added to CODEOWNERS, if appropriate

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
…ide auth…ide auth…ide auth

[HuiSF]

The base tsconfig has jsdom as a lib, that makes origin variable a legit global variable which is not desired.

[HuiSF]

Existing impl. moved out.

[HuiSF]

Existing impl. moved out.

[HuiSF]

These three attributes are not configurable.

[jjarvisp]

Almost done with review, I should be able to wrap up soon.

[jjarvisp]

Are there valid scenarios when username would be missing from payload or any particular reasoning around default username to "username"?

[HuiSF]

Not really. I just followed the original client-side impl.
This is a good question, let me dig and get back to you.

[AllanZhengYP]

Do we see needs for customers to customize the error payloads and render different messages accordingly?

[AllanZhengYP]

Super nit: prefer to re-name this locally to callout the cookie removal, similar to the next line. Something like

		createSignInFlowProofRemoveCookies(),

Which is also a similar practice to the createTokenRemoveCookies below

[HuiSF]

This function sets only cookie name-value - which is not add or remove specific. The only difference is on the options.

[AllanZhengYP]

Clarification question, how is this isSigningOut cookie used?

[HuiSF]

When isSigningOut is true proceed with handleSignOutCallback otherwise client is doing something wrong.

[AllanZhengYP]

Clarify question: do we need to return early if CX is already signed in?

[HuiSF]

Yes, that's what's the next PR adds: #13839

[AllanZhengYP]

Do we need to count for clock drift here? Maybe it's handled in the orchestrator, but just want to double check.

[HuiSF]

Good question - should use maxAge attribute here to avoid concerns of clock drift. Will update.

[HuiSF]

I will do this in a separate PR.

[AllanZhengYP]

Should we use the URL util and parse the origin from the oAuthConfig more strictly?

[HuiSF]

I don't think it's necessary to construct a URL object from the config redirect URL strings - as a client-side validation this should be good enough, as eventually HostedUI will also match the URL on the service side.