feat(auth0-fastify): add Custom Token Exchange support

[cschetan77]

Description

Expose loginWithCustomTokenExchange and customTokenExchange on auth0Client via the upgraded auth0-server-js ServerClient. Re-export the associated option and result types so consumers have full type coverage without importing from the underlying package directly.

Testing

Checklist

• I have added documentation for new/changed functionality in this PR or in auth0.com/docs
• All active GitHub checks for tests, formatting, and security are passing
• The correct base branch is being used, if not the default branch

Summary by CodeRabbit

• New Features

  • Custom token exchange option and result types now exported for public use.

• Tests

  • Added comprehensive test coverage for custom token exchange functionality, including session management, token retrieval, and actor token field handling.

[coderabbitai]

📝 Walkthrough

Walkthrough

Three new type names (LoginWithCustomTokenExchangeOptions, LoginWithCustomTokenExchangeResult, CustomTokenExchangeOptions) are added to the package's public re-exports. Six Vitest tests are added covering loginWithCustomTokenExchange (session creation, token storage, actor token forwarding) and customTokenExchange (no session created, actor token forwarding, existing session not overwritten).

Changes

Custom Token Exchange types and tests

Layer / File(s)	Summary
Public type re-exports packages/auth0-fastify/src/index.ts	Adds LoginWithCustomTokenExchangeOptions, LoginWithCustomTokenExchangeResult, and CustomTokenExchangeOptions to the named type re-exports from @auth0/auth0-server-js.
loginWithCustomTokenExchange and customTokenExchange tests packages/auth0-fastify/src/index.spec.ts	Six test cases covering: session cookie set and authenticated state after loginWithCustomTokenExchange; getAccessToken returning stored token; actor token fields forwarded in token endpoint body; customTokenExchange returning a token with no session created; actor token fields forwarded for customTokenExchange; existing session not overwritten by customTokenExchange.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 Hop, hop, the tokens fly,
Custom exchanges reach the sky!
Session here, no session there,
Actor tokens fill the air.
The rabbit checks each cookie right,
All six tests pass — what a delight! 🎉

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main feature addition: Custom Token Exchange support for the auth0-fastify library, which aligns with the PR's primary objective of exposing new methods and types.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/custom-token-exchange

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/auth0-fastify/src/index.ts`:
- Line 18: The export statement on line 18 attempts to re-export
LoginWithCustomTokenExchangeOptions, LoginWithCustomTokenExchangeResult, and
CustomTokenExchangeOptions from `@auth0/auth0-server-js`, but these types do not
exist in version 1.4.0, causing a TS2305 compilation error. Remove these three
non-existent type names from the export statement, keeping only DomainResolver
which is valid, or alternatively verify that the `@auth0/auth0-server-js`
dependency has been upgraded to a version that includes these types and update
the lockfile accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 0167da36-77cd-469b-a8e5-196cfbb38f93

📥 Commits

Reviewing files that changed from the base of the PR and between eef783f and 6f53bb0.

📒 Files selected for processing (2)

• packages/auth0-fastify/src/index.spec.ts
• packages/auth0-fastify/src/index.ts

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# Check the current state of the file at line 18
cat -n packages/auth0-fastify/src/index.ts | head -30

Repository: auth0/auth0-fastify

Length of output: 1685

---

🏁 Script executed:

# Check the package.json to see the dependency version
cat packages/auth0-fastify/package.json | grep -A 5 -B 5 "`@auth0/auth0-server-js`"

Repository: auth0/auth0-fastify

Length of output: 323

---

🏁 Script executed:

# Search for LoginWithCustomTokenExchangeOptions in the codebase to understand usage
rg "LoginWithCustomTokenExchangeOptions" -n --type ts

Repository: auth0/auth0-fastify

Length of output: 265

---

🏁 Script executed:

# Check if node_modules exists and explore the auth0-server-js package
if [ -d "node_modules/@auth0/auth0-server-js" ]; then
  echo "=== Package exports from package.json ==="
  cat node_modules/@auth0/auth0-server-js/package.json | grep -A 20 '"exports"'
  echo ""
  echo "=== Checking index.d.ts for type exports ==="
  ls -la node_modules/@auth0/auth0-server-js/*.d.ts 2>/dev/null | head -5
  echo ""
  if [ -f "node_modules/@auth0/auth0-server-js/dist/index.d.ts" ]; then
    grep -E "(LoginWithCustomTokenExchange|CustomTokenExchangeOptions)" node_modules/@auth0/auth0-server-js/dist/index.d.ts
  fi
else
  echo "node_modules not available, checking lockfile"
fi

Repository: auth0/auth0-fastify

Length of output: 109

---

🏁 Script executed:

# Also check if there's a lockfile that pins the version
if [ -f "pnpm-lock.yaml" ]; then
  echo "=== pnpm-lock.yaml version info ==="
  grep -A 5 "`@auth0/auth0-server-js`" pnpm-lock.yaml | head -20
elif [ -f "package-lock.json" ]; then
  echo "=== package-lock.json version info ==="
  jq '.dependencies["`@auth0/auth0-server-js`"]' package-lock.json 2>/dev/null || grep -A 5 "`@auth0/auth0-server-js`" package-lock.json | head -10
elif [ -f "yarn.lock" ]; then
  echo "=== yarn.lock version info ==="
  grep -A 5 "`@auth0/auth0-server-js`" yarn.lock | head -10
fi

Repository: auth0/auth0-fastify

Length of output: 45

---

🏁 Script executed:

# Search for where these types might be defined in the repo itself
rg "LoginWithCustomTokenExchangeOptions|LoginWithCustomTokenExchangeResult|CustomTokenExchangeOptions" --type ts -B 2 -A 2

Repository: auth0/auth0-fastify

Length of output: 501

---

🏁 Script executed:

# Look for CI configuration that might show build errors
find . -name ".github" -o -name ".gitlab-ci.yml" -o -name ".circleci" 2>/dev/null | head -10

Repository: auth0/auth0-fastify

Length of output: 73

---

🏁 Script executed:

# Check if there are any recent git commits or comments about this change
git log --oneline -n 20 -- packages/auth0-fastify/src/index.ts 2>/dev/null | head -20

Repository: auth0/auth0-fastify

Length of output: 126

---

🏁 Script executed:

# Check the auth0-fastify-api package to see if it has similar structure
cat -n packages/auth0-fastify-api/src/index.ts 2>/dev/null | head -30

Repository: auth0/auth0-fastify

Length of output: 953

---

🌐 Web query:

@auth0/auth0-server-js 1.4.0 exports LoginWithCustomTokenExchangeOptions

💡 Result:

The @auth0/auth0-server-js library (version 1.4.0) does not export a type or interface named LoginWithCustomTokenExchangeOptions. While a similarly named type, LoginWithCustomTokenExchangeOptions, exists in the auth0-server-python SDK [1][2], the @auth0/auth0-server-js package is a distinct library [3][4] designed for different runtime environments. Documentation and type definitions for @auth0/auth0-server-js [4][5] do not reference a LoginWithCustomTokenExchangeOptions export. For contexts requiring custom token exchange (RFC 8693) in JavaScript or TypeScript, developers typically use other Auth0 SDKs like @auth0/auth0-spa-js [6][7] or the Node.js Auth0 SDK [8], which contain relevant types and methods for custom token exchange. If you are working with @auth0/auth0-server-js, ensure you are using the appropriate methods for your intended authentication flow, as this SDK is primarily built as a low-level foundation for other framework-specific authentication libraries [5].

Citations:

• 1: https://github.com/auth0/auth0-server-python
• 2: https://github.com/auth0/auth0-server-python/blob/main/examples/CustomTokenExchange.md
• 3: https://registry.npmjs.org/@auth0/auth0-server-js
• 4: https://github.com/auth0/auth0-auth-js/tree/main/packages/auth0-server-js
• 5: https://github.com/auth0/auth0-auth-js/blob/main/packages/auth0-server-js/README.md
• 6: https://auth0.github.io/auth0-spa-js/classes/Auth0Client.html
• 7: https://auth0.github.io/auth0-spa-js/types/CustomTokenExchangeOptions.html
• 8: https://auth0.github.io/node-auth0/types/auth.SDK.CustomTokenExchangeOptions.html

---

🏁 Script executed:

# Check the recent commit to see what was actually changed
git show 6f53bb0 --stat

Repository: auth0/auth0-fastify

Length of output: 5202

---

🏁 Script executed:

# Look at the full diff of that commit for the index.ts changes
git show 6f53bb0 -- packages/auth0-fastify/src/index.ts

Repository: auth0/auth0-fastify

Length of output: 15510

---

Remove invalid type re-exports or verify they exist in @auth0/auth0-server-js.

Line 18 attempts to re-export LoginWithCustomTokenExchangeOptions, LoginWithCustomTokenExchangeResult, and CustomTokenExchangeOptions from @auth0/auth0-server-js version 1.4.0, but these types do not exist in that package. This will cause a TS2305 compilation error. Either remove these non-existent types from the re-export list, or confirm the dependency version includes them and update the lockfile accordingly.

🧰 Tools

🪛 GitHub Actions: Build and Test / 0_Build Package (20).txt

[error] 18-18: TypeScript compilation failed (tsup/DTS). TS2305: Module "@auth0/auth0-server-js" has no exported member "LoginWithCustomTokenExchangeOptions".

🪛 GitHub Actions: Build and Test / Build Package (20)

[error] 18-18: TypeScript compilation error TS2305: Module "@auth0/auth0-server-js" has no exported member "LoginWithCustomTokenExchangeOptions".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/auth0-fastify/src/index.ts` at line 18, The export statement on line
18 attempts to re-export LoginWithCustomTokenExchangeOptions,
LoginWithCustomTokenExchangeResult, and CustomTokenExchangeOptions from
`@auth0/auth0-server-js`, but these types do not exist in version 1.4.0, causing a
TS2305 compilation error. Remove these three non-existent type names from the
export statement, keeping only DomainResolver which is valid, or alternatively
verify that the `@auth0/auth0-server-js` dependency has been upgraded to a version
that includes these types and update the lockfile accordingly.

Source: Pipeline failures

[cschetan77]

Duplicate of #78, closing this one out.