
Conversation

@tusharpandey13 (Contributor) commented Oct 12, 2025

What's New?

This PR introduces DPoP (Demonstrating Proof-of-Possession) support to the Auth0 Next.js SDK, implementing the RFC 9449 standard for enhanced OAuth 2.0 security.

Why DPoP? DPoP cryptographically binds access tokens to your client using public key cryptography, preventing token theft and replay attacks. Even if an access token is intercepted, it cannot be used without the corresponding private key.

Quick Start Example

import { Auth0Client } from '@auth0/nextjs-auth0/server';

// 1. Configure DPoP key pair in your .env file

// 2. Configure Auth0Client with DPoP enabled
const auth0 = new Auth0Client({
  issuerBaseURL: process.env.AUTH0_ISSUER_BASE_URL,
  clientID: process.env.AUTH0_CLIENT_ID,
  clientSecret: process.env.AUTH0_CLIENT_SECRET,
  useDpop: true
});

// 3. Create a secure fetcher for API calls
const fetcher = auth0.createFetcher();

// 4. Make protected API calls with automatic DPoP proof generation
const response = await fetcher.fetchWithAuth('/api/user/profile');
const userData = await response.json();

Your API calls are now secured with cryptographic proof-of-possession! 🔒

What's Included

This implementation provides a complete DPoP solution for Next.js applications:

  • Core DPoP Functionality
  • Developer-Friendly APIs
    • fetchWithAuth() - Protected resource requests with seamless DPoP integration
    • createFetcher() - High-level HTTP client with automatic DPoP support
    • generateDpopKeyPair() - Easy ES256 key pair generation
  • Environment variable support
  • Clock tolerance settings for JWT validation
  • Customizable retry policies and backoff strategies
  • Full support for App Router, Pages Router, Server Components, API Routes
  • Comprehensive Documentation

Testing

  • 503 unit tests covering all DPoP functionality
  • TypeScript support with comprehensive type definitions
  • Full backward compatibility - existing apps continue to work unchanged
  • No breaking changes to public APIs

References

@tusharpandey13 (Contributor, Author) commented:

This replaces #2346

  • Contract similar to auth0-spa-js, all fetcher hooks and callbacks supported
  • Added fetcher instance scoped fetchWithAuth, auto nonce management
  • Example contains demos for all server environments.

@codecov-commenter commented Oct 12, 2025

Codecov Report

❌ Patch coverage is 70.66190% with 164 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.72%. Comparing base (a2e9666) to head (17a3276).

Files with missing lines    Patch %   Lines
src/server/auth-client.ts   59.06%    61 Missing ⚠️
src/utils/dpopUtils.ts      67.55%    61 Missing ⚠️
src/server/fetcher.ts       88.88%    19 Missing ⚠️
src/server/client.ts        35.71%    18 Missing ⚠️
src/errors/index.ts         58.33%     5 Missing ⚠️
@@            Coverage Diff             @@
##             main    #2357      +/-   ##
==========================================
- Coverage   88.58%   85.72%   -2.86%     
==========================================
  Files          32       35       +3     
  Lines        3109     3614     +505     
  Branches      615      726     +111     
==========================================
+ Hits         2754     3098     +344     
- Misses        352      513     +161     
  Partials        3        3              


…ts; make retry validation in dpopUtils more robust
…; addressed some auto-review comments by github bot