fix(deps): update dependency next-auth to v4.10.3 [security] - autoclosed

[renovate[bot]]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
next-auth (source)	4.9.0 -> 4.10.3

GitHub Vulnerability Alerts

CVE-2022-35924

Impact

next-auth users who are using the EmailProvider either in versions before 4.10.3 or 3.29.10 are affected.

If an attacker could forge a request that sent a comma-separated list of emails (eg.: attacker@attacker.com,victim@victim.com) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim's e-mail addresses. The attacker could then login as a newly created user with the email being attacker@attacker.com,victim@victim.com. This means that basic authorization like email.endsWith("@​victim.com") in the signIn callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an @attacker.com address.

Patches

We patched this vulnerability in v4.10.3 and v3.29.10 by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a normalizeIdentifier callback on the EmailProvider configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance)

To upgrade, run one of the following:

npm i next-auth@latest

yarn add next-auth@latest

pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended. v3 is unmaintained.)

Workarounds

If for some reason you cannot upgrade, you can normalize the incoming request like the following, using Advanced Initialization:

// pages/api/auth/[...nextauth].ts

function normalize(identifier) {
  // Get the first two elements only,
  // separated by `@` from user input.
  let [local, domain] = identifier.toLowerCase().trim().split("@​")
  // The part before "@​" can contain a ","
  // but we remove it on the domain part
  domain = domain.split(",")[0]
  return `${local}@​${domain}`
}

export default async function handler(req, res) {
  if (req.body.email) req.body.email = normalize(req.body.email)
  return await NextAuth(req, res, {/* your options */ })
}

References

• EmailProvider: https://next-auth.js.org/providers/email
• Normalize the email address: https://next-auth.js.org/providers/email#normalizing-the-email-address
• Email syntax: https://en.wikipedia.org/wiki/Email_address#Local-part
• signIn callback: https://next-auth.js.org/configuration/callbacks#sign-in-callback
• Advanced Initialization: https://next-auth.js.org/configuration/initialization#advanced-initialization
• nodemailer address: https://nodemailer.com/message/addresses

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 26th of July, a response was sent out in less than 1 hour and after identifying the issue a patch was published within 5 working days.

CVE-2022-31186

Impact

An information disclosure vulnerability in next-auth before v4.10.2 and v3.29.9 allows an attacker with log access privilege to obtain excessive information such as an identity provider's secret in the log (which is thrown during OAuth error handling) and use it to leverage further attacks on the system, like impersonating the client to ask for extensive permissions.

Patches

We patched this vulnerability in v4.10.2 and v3.29.9 by moving the log for provider information to the debug level. In addition, we added a warning for having the debug: true option turned on in production and documented it here.

You have enabled the debug option. It is meant for development only, to help you catch issues in your authentication flow and you should consider removing this option when deploying to production. One way of only allowing debugging while not in production is to set debug: process.env.NODE_ENV !== "production", so you can commit this without needing to change the value.

If you want to log debug messages during production anyway, we recommend setting the logger option with proper sanitization of potentially sensitive user information.

To upgrade:

npm i next-auth@latest
# or
yarn add next-auth@latest
# or
pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended. v3 is unmaintained.)

Workarounds

If for some reason you cannot upgrade, you can user the logger configuration option by sanitizing the logs:

// Example
import log from "your-logging-service"
export const authOptions: NextAuthOptions = {
  debug: process.env.NODE_ENV !== "production",
  logger: {
    error: (code, metadata) => {
      if (!(metadata instanceof Error) &&  metadata.provider) {
        // redact the provider secret here
        delete metadata.provider
        log.error(code, metadata)
      } else {
        log.error(code, metadata)
      }
    }
  },
}

References

Related documentation:

• https://next-auth.js.org/warnings#debug_enabled
• https://next-auth.js.org/configuration/options#logger
• https://next-auth.js.org/getting-started/upgrade-v4

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 18th of July, a response was sent out in less than 20 minutes and after identifying the issue a patch was published within a week.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• [ ] If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by Mend Renovate. View repository job log here.

[vercel[bot]]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated
chirpy	❌ Failed (Inspect)		Aug 5, 2022 at 5:56AM (UTC)

[renovate[bot]]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

installing v2 tool pnpm v7.8.0
npm WARN config global `--global`, `--local` are deprecated. Use `--location=global` instead.

added 1 package in 3s
linking tool pnpm v7.8.0
7.8.0
Installed v2 /usr/local/buildpack/tools/v2/pnpm.sh in 4 seconds
Scope: all 9 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 9, reused 0, downloaded 4, added 0
Progress: resolved 13, reused 0, downloaded 10, added 0
Progress: resolved 32, reused 0, downloaded 15, added 0
Progress: resolved 40, reused 0, downloaded 23, added 0
Progress: resolved 48, reused 0, downloaded 30, added 0
Progress: resolved 60, reused 0, downloaded 37, added 0
Progress: resolved 67, reused 0, downloaded 42, added 0
Progress: resolved 79, reused 0, downloaded 55, added 0
Progress: resolved 85, reused 0, downloaded 62, added 0
Progress: resolved 89, reused 0, downloaded 66, added 0
Progress: resolved 93, reused 0, downloaded 71, added 0
Progress: resolved 105, reused 0, downloaded 76, added 0
Progress: resolved 106, reused 0, downloaded 79, added 0
Progress: resolved 118, reused 0, downloaded 86, added 0
Progress: resolved 128, reused 0, downloaded 94, added 0
Progress: resolved 130, reused 0, downloaded 96, added 0
Progress: resolved 132, reused 0, downloaded 98, added 0
Progress: resolved 135, reused 0, downloaded 100, added 0
Progress: resolved 139, reused 0, downloaded 106, added 0
Progress: resolved 144, reused 0, downloaded 111, added 0
Progress: resolved 153, reused 0, downloaded 118, added 0
Progress: resolved 158, reused 0, downloaded 124, added 0
Progress: resolved 161, reused 0, downloaded 127, added 0
Progress: resolved 166, reused 0, downloaded 133, added 0
Progress: resolved 188, reused 0, downloaded 152, added 0
Progress: resolved 209, reused 0, downloaded 169, added 0
Progress: resolved 239, reused 0, downloaded 194, added 0
Progress: resolved 259, reused 0, downloaded 212, added 0
Progress: resolved 274, reused 0, downloaded 228, added 0
Progress: resolved 288, reused 0, downloaded 241, added 0
Progress: resolved 309, reused 0, downloaded 257, added 0
Progress: resolved 325, reused 0, downloaded 271, added 0
Progress: resolved 345, reused 0, downloaded 291, added 0
Progress: resolved 359, reused 0, downloaded 305, added 0
Progress: resolved 369, reused 0, downloaded 317, added 0
Progress: resolved 388, reused 0, downloaded 328, added 0
Progress: resolved 397, reused 0, downloaded 336, added 0
Progress: resolved 409, reused 0, downloaded 345, added 0
Progress: resolved 415, reused 0, downloaded 350, added 0
Progress: resolved 423, reused 0, downloaded 360, added 0
Progress: resolved 432, reused 0, downloaded 365, added 0
Progress: resolved 452, reused 0, downloaded 373, added 0
Progress: resolved 464, reused 0, downloaded 382, added 0
Progress: resolved 475, reused 0, downloaded 392, added 0
Progress: resolved 493, reused 0, downloaded 408, added 0
Progress: resolved 510, reused 0, downloaded 425, added 0
Progress: resolved 516, reused 0, downloaded 431, added 0
Progress: resolved 526, reused 0, downloaded 437, added 0
Progress: resolved 546, reused 0, downloaded 456, added 0
Progress: resolved 564, reused 0, downloaded 473, added 0
Progress: resolved 591, reused 0, downloaded 487, added 0
Progress: resolved 599, reused 0, downloaded 494, added 0
Progress: resolved 615, reused 0, downloaded 504, added 0
Progress: resolved 623, reused 0, downloaded 512, added 0
Progress: resolved 637, reused 0, downloaded 525, added 0
Progress: resolved 650, reused 0, downloaded 536, added 0
Progress: resolved 670, reused 0, downloaded 557, added 0
Progress: resolved 685, reused 0, downloaded 572, added 0
Progress: resolved 694, reused 0, downloaded 579, added 0
Progress: resolved 715, reused 0, downloaded 589, added 0
Progress: resolved 730, reused 0, downloaded 589, added 0
Progress: resolved 756, reused 0, downloaded 611, added 0
Progress: resolved 787, reused 0, downloaded 640, added 0
Progress: resolved 833, reused 0, downloaded 685, added 0
Progress: resolved 867, reused 0, downloaded 713, added 0
Progress: resolved 893, reused 0, downloaded 735, added 0
Progress: resolved 926, reused 0, downloaded 757, added 0
Progress: resolved 956, reused 0, downloaded 773, added 0
Progress: resolved 976, reused 0, downloaded 789, added 0
Progress: resolved 997, reused 0, downloaded 802, added 0
Progress: resolved 1018, reused 0, downloaded 817, added 0
Progress: resolved 1039, reused 0, downloaded 835, added 0
Progress: resolved 1069, reused 0, downloaded 862, added 0
Progress: resolved 1095, reused 0, downloaded 886, added 0
Progress: resolved 1118, reused 0, downloaded 911, added 0
Progress: resolved 1135, reused 0, downloaded 926, added 0
Progress: resolved 1149, reused 0, downloaded 943, added 0
Progress: resolved 1171, reused 0, downloaded 961, added 0
Progress: resolved 1201, reused 0, downloaded 983, added 0
Progress: resolved 1226, reused 0, downloaded 1004, added 0
Progress: resolved 1235, reused 0, downloaded 1018, added 0
Progress: resolved 1238, reused 0, downloaded 1021, added 0
Progress: resolved 1271, reused 0, downloaded 1041, added 0
Progress: resolved 1274, reused 0, downloaded 1051, added 0
Progress: resolved 1274, reused 0, downloaded 1052, added 0
Progress: resolved 1274, reused 0, downloaded 1053, added 0
Progress: resolved 1276, reused 0, downloaded 1054, added 0
Progress: resolved 1276, reused 0, downloaded 1055, added 0
Progress: resolved 1277, reused 0, downloaded 1055, added 0
Progress: resolved 1282, reused 0, downloaded 1055, added 0
Progress: resolved 1305, reused 0, downloaded 1063, added 0
Progress: resolved 1314, reused 0, downloaded 1071, added 0
Progress: resolved 1329, reused 0, downloaded 1079, added 0
Progress: resolved 1345, reused 0, downloaded 1095, added 0
Progress: resolved 1373, reused 0, downloaded 1109, added 0
Progress: resolved 1409, reused 0, downloaded 1127, added 0
Progress: resolved 1428, reused 0, downloaded 1141, added 0
Progress: resolved 1461, reused 0, downloaded 1153, added 0
Progress: resolved 1477, reused 0, downloaded 1163, added 0
Progress: resolved 1491, reused 0, downloaded 1168, added 0
Progress: resolved 1502, reused 0, downloaded 1174, added 0
apps/main                                |  WARN  deprecated stable@0.1.8
Progress: resolved 1514, reused 0, downloaded 1179, added 0
Progress: resolved 1528, reused 0, downloaded 1189, added 0
Progress: resolved 1543, reused 0, downloaded 1197, added 0
Progress: resolved 1559, reused 0, downloaded 1215, added 0
Progress: resolved 1575, reused 0, downloaded 1229, added 0
Progress: resolved 1585, reused 0, downloaded 1240, added 0
Progress: resolved 1602, reused 0, downloaded 1254, added 0
Progress: resolved 1626, reused 0, downloaded 1265, added 0
Progress: resolved 1641, reused 0, downloaded 1284, added 0
apps/main                                |  WARN  deprecated request@2.88.2
Progress: resolved 1659, reused 0, downloaded 1293, added 0
Progress: resolved 1681, reused 0, downloaded 1316, added 0
apps/main                                |  WARN  deprecated topojson@1.6.27
Progress: resolved 1706, reused 0, downloaded 1334, added 0
Progress: resolved 1737, reused 0, downloaded 1357, added 0
Progress: resolved 1769, reused 0, downloaded 1383, added 0
Progress: resolved 1778, reused 0, downloaded 1392, added 0
Progress: resolved 1782, reused 0, downloaded 1400, added 0
Progress: resolved 1785, reused 0, downloaded 1405, added 0
Progress: resolved 1797, reused 0, downloaded 1413, added 0
Progress: resolved 1811, reused 0, downloaded 1422, added 0
Progress: resolved 1831, reused 0, downloaded 1434, added 0
Progress: resolved 1884, reused 0, downloaded 1452, added 0
apps/main                                |  WARN  deprecated source-map-resolve@0.6.0
Progress: resolved 1901, reused 0, downloaded 1464, added 0
apps/main                                |  WARN  deprecated har-validator@5.1.5
Progress: resolved 1926, reused 0, downloaded 1487, added 0
Progress: resolved 1941, reused 0, downloaded 1501, added 0
Progress: resolved 1985, reused 0, downloaded 1521, added 0
Progress: resolved 2016, reused 0, downloaded 1540, added 0
Progress: resolved 2026, reused 0, downloaded 1551, added 0
Progress: resolved 2041, reused 0, downloaded 1569, added 0
Progress: resolved 2041, reused 0, downloaded 1571, added 0
Progress: resolved 2050, reused 0, downloaded 1575, added 0
Progress: resolved 2068, reused 0, downloaded 1590, added 0
Progress: resolved 2086, reused 0, downloaded 1601, added 0
Progress: resolved 2101, reused 0, downloaded 1613, added 0
Progress: resolved 2106, reused 0, downloaded 1616, added 0
Progress: resolved 2117, reused 0, downloaded 1620, added 0
Progress: resolved 2124, reused 0, downloaded 1622, added 0
apps/main                                |  WARN  deprecated uuid@3.4.0
Progress: resolved 2140, reused 0, downloaded 1626, added 0
Progress: resolved 2160, reused 0, downloaded 1633, added 0
Progress: resolved 2189, reused 0, downloaded 1644, added 0
Progress: resolved 2219, reused 0, downloaded 1668, added 0
Progress: resolved 2242, reused 0, downloaded 1681, added 0
Progress: resolved 2278, reused 0, downloaded 1692, added 0
Progress: resolved 2281, reused 0, downloaded 1694, added 0
Progress: resolved 2288, reused 0, downloaded 1701, added 0
Progress: resolved 2299, reused 0, downloaded 1710, added 0
Progress: resolved 2308, reused 0, downloaded 1719, added 0
Progress: resolved 2326, reused 0, downloaded 1729, added 0
Progress: resolved 2338, reused 0, downloaded 1738, added 0
Progress: resolved 2348, reused 0, downloaded 1744, added 0
Progress: resolved 2370, reused 0, downloaded 1757, added 0
Progress: resolved 2394, reused 0, downloaded 1774, added 0
Progress: resolved 2416, reused 0, downloaded 1787, added 0
Progress: resolved 2440, reused 0, downloaded 1810, added 0
Progress: resolved 2455, reused 0, downloaded 1820, added 0
apps/main                                |  WARN  deprecated querystring@0.2.1
Progress: resolved 2482, reused 0, downloaded 1842, added 0
Progress: resolved 2506, reused 0, downloaded 1859, added 0
Progress: resolved 2529, reused 0, downloaded 1877, added 0
Progress: resolved 2551, reused 0, downloaded 1901, added 0
Progress: resolved 2558, reused 0, downloaded 1907, added 0
Progress: resolved 2583, reused 0, downloaded 1924, added 0
Progress: resolved 2625, reused 0, downloaded 1946, added 0
Progress: resolved 2654, reused 0, downloaded 1967, added 0
Progress: resolved 2690, reused 0, downloaded 1997, added 0
Progress: resolved 2737, reused 0, downloaded 2032, added 0
Progress: resolved 2774, reused 0, downloaded 2066, added 0
Progress: resolved 2811, reused 0, downloaded 2083, added 0
Progress: resolved 2860, reused 0, downloaded 2102, added 0
Progress: resolved 2892, reused 0, downloaded 2123, added 0
Progress: resolved 2916, reused 0, downloaded 2137, added 0
Progress: resolved 2968, reused 0, downloaded 2151, added 0
Progress: resolved 3035, reused 0, downloaded 2177, added 0
Progress: resolved 3063, reused 0, downloaded 2197, added 0
Progress: resolved 3100, reused 0, downloaded 2222, added 0
apps/main                                |  WARN  deprecated sane@4.1.0
Progress: resolved 3141, reused 0, downloaded 2253, added 0
Progress: resolved 3162, reused 0, downloaded 2264, added 0
Progress: resolved 3205, reused 0, downloaded 2296, added 0
Progress: resolved 3247, reused 0, downloaded 2328, added 0
Progress: resolved 3301, reused 0, downloaded 2362, added 0
apps/main                                |  WARN  deprecated chokidar@2.1.8
Progress: resolved 3347, reused 0, downloaded 2379, added 0
Progress: resolved 3396, reused 0, downloaded 2411, added 0
apps/main                                |  WARN  deprecated fsevents@1.2.13
Progress: resolved 3430, reused 0, downloaded 2429, added 0
Progress: resolved 3464, reused 0, downloaded 2446, added 0
apps/main                                |  WARN  deprecated querystring@0.2.0
Progress: resolved 3500, reused 0, downloaded 2481, added 0
apps/main                                |  WARN  deprecated source-map-resolve@0.5.3
apps/main                                |  WARN  deprecated resolve-url@0.2.1
Progress: resolved 3517, reused 0, downloaded 2500, added 0
apps/main                                |  WARN  deprecated urix@0.1.0
Progress: resolved 3568, reused 0, downloaded 2537, added 0
apps/main                                |  WARN  deprecated source-map-url@0.4.1
Progress: resolved 3620, reused 0, downloaded 2584, added 0
Progress: resolved 3620, reused 0, downloaded 2585, added 0
 ERR_PNPM_PATCH_NOT_APPLIED  The following patches were not applied: next-auth@4.9.0

Either remove them from "patchedDependencies" or update them to much packages in your dependencies.

[changeset-bot[bot]]

⚠️ No Changeset found

Latest commit: 55de760e190ffc3a398a6526833359352fa850af

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR