Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(next): returns correct status for signing in with redirect: false for route handler #8775

Merged
merged 2 commits into from
Oct 2, 2023
Merged

fix(next): returns correct status for signing in with redirect: false for route handler #8775

merged 2 commits into from
Oct 2, 2023

Conversation

ThangHuuVu
Copy link
Member

@ThangHuuVu ThangHuuVu commented Oct 2, 2023
edited by balazsorban44
Loading

NOTE:

  • It's a good idea to open an issue first to discuss potential changes.
  • Please make sure that you are NOT opening a PR to fix a potential security vulnerability. Instead, please follow the Security guidelines to disclose the issue to us confidentially.

☕️ Reasoning

When signing in with next-auth/react signIn() function with redirect: false, the status is not correctly set in the response. There are two cases that this bug will return 200 OK instead of the expected status:

  1. When signing in with the Credential provider and the authorize function returns false or throws an error. Expected status: 401
  2. When the signIn callback returns false. Expected status: 403

Basically, the bug appears every time we return status and redirect at the same time for one return statement in packages/next-auth/src/core/routes/callback.ts.

Note that this bug only affects Route Handler. For API Route, we calls res: NextApiResponse instead of returning a new Response object.

🧢 Checklist

  • Documentation
  • Tests
  • Ready to be merged

🎫 Affected issues

Please scout and link issues that might be solved by this PR.

Fixes: #7638, fixes #7725, fixes #8340

📌 Resources

@vercel
Copy link

vercel bot commented Oct 2, 2023
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
next-auth-docs ✅ Ready (Inspect) Visit Preview 💬 Add feedback Oct 2, 2023 2:49am
2 Ignored Deployments
Name Status Preview Comments Updated (UTC)
auth-docs ⬜️ Ignored (Inspect) Visit Preview Oct 2, 2023 2:49am
auth-docs-nextra ⬜️ Ignored (Inspect) Visit Preview Oct 2, 2023 2:49am

@github-actions github-actions bot added the legacy Refers to `next-auth` v4. Minimal maintenance. label Oct 2, 2023
@github-actions
Copy link

github-actions bot commented Oct 2, 2023

🎉 Experimental release published 📦️ on npm!

pnpm add next-auth@0.0.0-pr.8775.a98a849e
yarn add next-auth@0.0.0-pr.8775.a98a849e
npm i next-auth@0.0.0-pr.8775.a98a849e

@ThangHuuVu ThangHuuVu merged commit 27b2519 into v4 Oct 2, 2023
9 checks passed
@ThangHuuVu ThangHuuVu deleted the fix/credential-provider-redirect-false-route-handler branch October 2, 2023 11:48
This was referenced Oct 2, 2023
Closed
Closed
Closed
ThangHuuVu added a commit that referenced this pull request Oct 2, 2023
@ThangHuuVu
fix: set correct response status if X-Auth-Return-Redirect
a0b087b 
Copy from #8775
@ThangHuuVu ThangHuuVu mentioned this pull request Oct 2, 2023
Merged
3 tasks
@umair-mirza
Copy link

@balazsorban44 Really apologize for my tone in #7725 . I can't really begin to appreciate the work you have done for the community. Hundreds of thousands of developers are powering their apps with this awesome package. I never intended to disregard or disrespect you. Thank you so much for all the hard work you are putting into it.

balazsorban44 pushed a commit that referenced this pull request Oct 3, 2023
@ThangHuuVu
fix: set correct response status if X-Auth-Return-Redirect (#8779)
5133892 
Copy from #8775
@balazsorban44
Copy link
Member

@umair-mirza probably wasn't intentional on your side, no worries. What I tried to clarify in #7725 (comment) is how this is a very widespread issue in OSS, sometimes it's hard to see the people on the other side.

Appreciate your words! 🙏

@ZeroCho ZeroCho mentioned this pull request Feb 23, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@balazsorban44 balazsorban44 balazsorban44 approved these changes

Assignees
No one assigned
Labels
legacy Refers to `next-auth` v4. Minimal maintenance.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ThangHuuVu @umair-mirza @balazsorban44