Closed renovate[bot] closed 1 year ago
Latest commit: 86d4832ee533485201b6ca36b3b0c4197a0d6b12
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
Vercel: The latest updates on your projects.

Name | Status | Preview | Comments | Updated (UTC)
---|---|---|---|---
chirpy | Ready (Inspect) | Visit Preview | Add feedback | May 2, 2023 6:46am
626f0e8 (current) vs 5ece64a main#1349 (baseline)

Bundle introduced 1 duplicate package.

Metrics (5 changes)

Metric | Current Job #1350 | Baseline Job #1349
---|---|---
Initial JS | 1.46MiB (+0.07%) | 1.46MiB
Initial CSS | 99.56KiB | 99.56KiB
Cache Invalidation | 22.19% | 15.09%
Chunks | 51 | 51
Assets | 63 | 63
Modules | 1133 (+0.35%) | 1129
Duplicate Modules | 199 | 199
Duplicate Code | 4.9% | 4.9%
Packages | 124 (+0.81%) | 123
Duplicate Packages | 2 (+100%) | 1

View job #1350 report / View refs/pull/568/merge branch activity
2 | 4 | 0 | 1 | 0

Details:

fix(deps): update dependency next-auth to v4.20.1 [security]
Project: chirpy | Commit: 86d4832ee5
Status: Failed | Duration: 02:26
Started: May 2, 2023 6:48 AM | Ended: May 2, 2023 6:50 AM

Tests with captured artifacts:

Test | Artifacts
---|---
Header > should show user menu | Output, Screenshots, Video
Project > should show integration doc | Output, Screenshots, Video

This comment has been generated by cypress-bot as a result of this project's GitHub integration settings.
./apps/main

Status | Category | Percentage | Covered / Total
---|---|---|---
🔴 | Statements | 8.73% | 40/458
🔴 | Branches | 10.23% | 9/88
🔴 | Functions | 4.35% | 3/69
🔴 | Lines | 9.25% | 38/411

2 tests passing in 2 suites.

Report generated by jest coverage report action from 86d4832ee533485201b6ca36b3b0c4197a0d6b12
This PR contains the following updates:

Package | Change
---|---
next-auth | 4.17.0 -> 4.20.1
### GitHub Vulnerability Alerts

#### CVE-2023-27490

##### Impact

`next-auth` applications using OAuth providers with versions before `v4.20.1` are affected. A bad actor who can spy on the victim's network, or who can social engineer the victim into clicking a manipulated login link, could intercept and tamper with the authorization URL to log in as the victim, bypassing the CSRF protection.

As an example, an attack can happen in the following scenario.

1. The victim attempts to log in to the `next-auth` site. For example https://next-auth-example.vercel.app/
2. `next-auth` sets the `checks` cookies according to how the OAuth provider is configured. In this case, `state` and `pkce` are set by default for the Google Provider.
3. The attacker intercepts the returned authorization URL, strips away the OAuth checks (`nonce`, `state`, `pkce`), and returns the URL without the checks to the victim's browser. For example, from
   https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?client_id=client_id&scope=openid%20email%20profile&response_type=code&redirect_uri=https%3A%2F%2Fnext-auth-example.vercel.app%2Fapi%2Fauth%2Fcallback%2Fgoogle&state=state&code_challenge=code_challenge&code_challenge_method=S256&service=lso&o2v=2&flowName=GeneralOAuthFlow
   to
   https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?client_id=client_id&scope=openid%20email%20profile&response_type=code&redirect_uri=https%3A%2F%2Fnext-auth-example.vercel.app%2Fapi%2Fauth%2Fcallback%2Fgoogle&service=lso&o2v=2&flowName=GeneralOAuthFlow
   Notice that the parameters `state`, `code_challenge` and `code_challenge_method` are removed from the victim's address bar (the PKCE `code_verifier` never appears in the authorization URL; it is only sent at the token exchange).
4. The victim attempts to log in using their OAuth account.
5. The Authorization Server logs the victim in and calls back to the `next-auth` `api/auth/callback/:providerId` endpoint.
   5.1. The attacker intercepts and logs this callback URL for later use.
   5.2. `next-auth` checks the callback from the OAuth Authorization Server (which carries no checks) and compares it with the cookies set at step 2 (which do carry checks). This comparison fails, so the victim is not logged in. However, at this point the Authorization Server has already accepted the victim's login request and generated/sent a `code` in the URL.
6. The attacker now has an authorization URL with the `code` that the AS will exchange for a valid `access_token`/`id_token`, and can log in as the victim automatically. They can open a new browser window, paste in the URL logged at step 5.1, and log in as the victim: that fresh browser holds no `checks` cookies, so the vulnerable version has nothing to compare the callback against and completes the sign-in with the bare `code`.

##### Patches

We patched the vulnerability in `next-auth` `v4.20.1`. To upgrade, install `next-auth@latest` with your package manager.

##### Workarounds

Upgrading to `latest` is the recommended way to fix this issue. However, using Advanced Initialization, developers can manually check the callback request for `state`, `pkce`, and `nonce` against the provider configuration, and abort the sign-in process if there is a mismatch. Check out the source code for help.

##### References

- `checks` provider config
### Release Notes

#### nextauthjs/next-auth

### [`v4.20.1`](https://togithub.com/nextauthjs/next-auth/releases/tag/next-auth%404.20.1)

[Compare Source](https://togithub.com/nextauthjs/next-auth/compare/next-auth@4.20.0...next-auth@4.20.1)

**Full Changelog**: https://github.com/nextauthjs/next-auth/compare/next-auth@4.20.0...next-auth@4.20.1

### [`v4.20.0`](https://togithub.com/nextauthjs/next-auth/releases/tag/next-auth%404.20.0)

[Compare Source](https://togithub.com/nextauthjs/next-auth/compare/next-auth@4.19.2...next-auth@4.20.0)

#### What's Changed

- Add success handler to `getServerSideProps` by [@ChinonsoIg](https://togithub.com/ChinonsoIg) in [https://github.com/nextauthjs/next-auth/pull/6589](https://togithub.com/nextauthjs/next-auth/pull/6589)
- docs: update pages configuration example to typescript by [@rawbinary](https://togithub.com/rawbinary) in [https://github.com/nextauthjs/next-auth/pull/6596](https://togithub.com/nextauthjs/next-auth/pull/6596)
- fix(next-auth): remove `engines` requirement on `openid-client` by [@balazsorban44](https://togithub.com/balazsorban44) in [https://github.com/nextauthjs/next-auth/pull/6654](https://togithub.com/nextauthjs/next-auth/pull/6654)
- docs: fix wording for deployment on Vercel preview by [@jirihofman](https://togithub.com/jirihofman) in [https://github.com/nextauthjs/next-auth/pull/6705](https://togithub.com/nextauthjs/next-auth/pull/6705)
- Update custom sign in getProvider example by [@wsfuller](https://togithub.com/wsfuller) in [https://github.com/nextauthjs/next-auth/pull/6706](https://togithub.com/nextauthjs/next-auth/pull/6706)
- fix: Add missing logo to Default Signin Page by [@raulmarindev](https://togithub.com/raulmarindev) in [https://github.com/nextauthjs/next-auth/pull/6728](https://togithub.com/nextauthjs/next-auth/pull/6728)
- fix broken sudo pipe in hostname example by [@tomryanx](https://togithub.com/tomryanx) in [https://github.com/nextauthjs/next-auth/pull/6769](https://togithub.com/nextauthjs/next-auth/pull/6769)
- docs: fix typo on 'nextjs#getserversession' page by [@babblebey](https://togithub.com/babblebey) in [https://github.com/nextauthjs/next-auth/pull/6790](https://togithub.com/nextauthjs/next-auth/pull/6790)
- feat: priortize `NEXTAUTH_URL_INTERNAL` by [@ThangHuuVu](https://togithub.com/ThangHuuVu) in [https://github.com/nextauthjs/next-auth/pull/6814](https://togithub.com/nextauthjs/next-auth/pull/6814)
- docs: typo in faq.md by [@antjocks](https://togithub.com/antjocks) in [https://github.com/nextauthjs/next-auth/pull/6826](https://togithub.com/nextauthjs/next-auth/pull/6826)

#### New Contributors

- [@ChinonsoIg](https://togithub.com/ChinonsoIg) made their first contribution in [https://github.com/nextauthjs/next-auth/pull/6589](https://togithub.com/nextauthjs/next-auth/pull/6589)
- [@wsfuller](https://togithub.com/wsfuller) made their first contribution in [https://github.com/nextauthjs/next-auth/pull/6706](https://togithub.com/nextauthjs/next-auth/pull/6706)
- [@tomryanx](https://togithub.com/tomryanx) made their first contribution in [https://github.com/nextauthjs/next-auth/pull/6769](https://togithub.com/nextauthjs/next-auth/pull/6769)
- [@babblebey](https://togithub.com/babblebey) made their first contribution in [https://github.com/nextauthjs/next-auth/pull/6790](https://togithub.com/nextauthjs/next-auth/pull/6790)
- [@antjocks](https://togithub.com/antjocks) made their first contribution in [https://github.com/nextauthjs/next-auth/pull/6826](https://togithub.com/nextauthjs/next-auth/pull/6826)

**Full Changelog**: https://github.com/nextauthjs/next-auth/compare/next-auth@4.19.2...next-auth@4.20.0

### [`v4.19.2`](https://togithub.com/nextauthjs/next-auth/releases/tag/next-auth%404.19.2)

[Compare Source](https://togithub.com/nextauthjs/next-auth/compare/next-auth@4.19.1...next-auth@4.19.2)

#### What's Changed

- fix(ts): stop using typeof + generic together by [@balazsorban44](https://togithub.com/balazsorban44) in [https://github.com/nextauthjs/next-auth/pull/6595](https://togithub.com/nextauthjs/next-auth/pull/6595)

**Full Changelog**: https://github.com/nextauthjs/next-auth/compare/next-auth@4.19.1...next-auth@4.19.2

### [`v4.19.1`](https://togithub.com/nextauthjs/next-auth/releases/tag/next-auth%404.19.1)

[Compare Source](https://togithub.com/nextauthjs/next-auth/compare/next-auth@4.19.0...next-auth@4.19.1)

#### What's Changed

- Remove the `unstable` note. by [@OrJDev](https://togithub.com/OrJDev) in [https://github.com/nextauthjs/next-auth/pull/6537](https://togithub.com/nextauthjs/next-auth/pull/6537)
- fix(ts): correctly type `unstable_getServerSession` by [@joulev](https://togithub.com/joulev) in [https://github.com/nextauthjs/next-auth/pull/6560](https://togithub.com/nextauthjs/next-auth/pull/6560)
- feat: redesign all default pages by [@ThangHuuVu](https://togithub.com/ThangHuuVu) and [@Gawdfrey](https://togithub.com/Gawdfrey)

#### New Contributors

- [@joulev](https://togithub.com/joulev) made their first contribution in [https://github.com/nextauthjs/next-auth/pull/6560](https://togithub.com/nextauthjs/next-auth/pull/6560)

**Full Changelog**: https://github.com/nextauthjs/next-auth/compare/next-auth@4.19.0...next-auth@4.19.1

### [`v4.19.0`](https://togithub.com/nextauthjs/next-auth/releases/tag/next-auth%404.19.0)

[Compare Source](https://togithub.com/nextauthjs/next-auth/compare/next-auth@4.18.10...next-auth@4.19.0)

#### What's Changed

- fix(oauth1): pass `oauth_token_secret` in [https://github.com/nextauthjs/next-auth/pull/6534](https://togithub.com/nextauthjs/next-auth/pull/6534)
- feat: remove `unstable_` prefix `getServerSession` in [https://github.com/nextauthjs/next-auth/pull/6535](https://togithub.com/nextauthjs/next-auth/pull/6535)
- feat: make `generateSessionToken` awaitable in [https://github.com/nextauthjs/next-auth/pull/6536](https://togithub.com/nextauthjs/next-auth/pull/6536)

**Full Changelog**: https://github.com/nextauthjs/next-auth/compare/next-auth@4.18.10...next-auth@4.19.0

### [`v4.18.10`](https://togithub.com/nextauthjs/next-auth/releases/tag/next-auth%404.18.10)

[Compare Source](https://togithub.com/nextauthjs/next-auth/compare/next-auth@4.18.9...next-auth@4.18.10)

**Full Changelog**: https://github.com/nextauthjs/next-auth/compare/next-auth@4.18.9...next-auth@4.18.10

### [`v4.18.9`](https://togithub.com/nextauthjs/next-auth/releases/tag/next-auth%404.18.9)

[Compare Source](https://togithub.com/nextauthjs/next-auth/compare/next-auth@4.18.8...next-auth@4.18.9)

#### Bugfixes

- **next-auth**: remove engines ([`f54424c`](https://togithub.com/nextauthjs/next-auth/commit/f54424c2))
- **providers**: default image to `null` for Azure AD ([`09bcc1d`](https://togithub.com/nextauthjs/next-auth/commit/09bcc1d5))
- Allow adding own logo to provider ([#6465](https://togithub.com/nextauthjs/next-auth/issues/6465))

### [`v4.18.8`](https://togithub.com/nextauthjs/next-auth/releases/tag/next-auth%404.18.8)

[Compare Source](https://togithub.com/nextauthjs/next-auth/compare/next-auth@v4.18.7...next-auth@4.18.8)

#### What's Changed

- chore(docs): fix aloglia `docusaurus.config.js` settings (`v4`) [https://github.com/nextauthjs/next-auth/pull/6160](https://togithub.com/nextauthjs/next-auth/pull/6160)
- fix broken links related to issue [#6157](https://togithub.com/nextauthjs/next-auth/issues/6157) [https://github.com/nextauthjs/next-auth/pull/6183](https://togithub.com/nextauthjs/next-auth/pull/6183)
- Replaced the word peer dependency [https://github.com/nextauthjs/next-auth/pull/6197](https://togithub.com/nextauthjs/next-auth/pull/6197)
- fix(docs): import `NextAuth` correctly [https://github.com/nextauthjs/next-auth/pull/6206](https://togithub.com/nextauthjs/next-auth/pull/6206)
- chore(docs): fix middleware verbiage [https://github.com/nextauthjs/next-auth/pull/5981](https://togithub.com/nextauthjs/next-auth/pull/5981)
- fix: remove outdated nested middleware info [#5180](https://togithub.com/nextauthjs/next-auth/issues/5180) [https://github.com/nextauthjs/next-auth/pull/5181](https://togithub.com/nextauthjs/next-auth/pull/5181)

**Full Changelog**: https://github.com/nextauthjs/next-auth/compare/next-auth@v4.18.7...next-auth@4.18.8

### [`v4.18.7`](https://togithub.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.18.7)

[Compare Source](https://togithub.com/nextauthjs/next-auth/compare/next-auth@v4.18.6...next-auth@v4.18.7)

#### Bugfixes

- **next-auth**: revert to 4.17 and replay other fixes ([https://github.com/nextauthjs/next-auth/pull/6132](https://togithub.com/nextauthjs/next-auth/pull/6132))

### [`v4.18.6`](https://togithub.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.18.6)

[Compare Source](https://togithub.com/nextauthjs/next-auth/compare/next-auth@v4.18.5...next-auth@v4.18.6)

#### Bugfixes

- **core**: preserve incoming set cookies ([#6029](https://togithub.com/nextauthjs/next-auth/issues/6029)) ([`2875b49`](https://togithub.com/nextauthjs/next-auth/commit/2875b49f))
- **next**: correctly bundle next-auth/middleware fixes [#6025](https://togithub.com/nextauthjs/next-auth/issues/6025) ([`5259d24`](https://togithub.com/nextauthjs/next-auth/commit/5259d247))

### [`v4.18.5`](https://togithub.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.18.5)

[Compare Source](https://togithub.com/nextauthjs/next-auth/compare/next-auth@v4.18.4...next-auth@v4.18.5)

#### Bugfixes

- **core**: host detection/NEXTAUTH_URL ([#6007](https://togithub.com/nextauthjs/next-auth/issues/6007)) ([`62f672a`](https://togithub.com/nextauthjs/next-auth/commit/62f672ae))
- **core**: correct status code when returning redirects ([#6004](https://togithub.com/nextauthjs/next-auth/issues/6004)) ([`2c669b3`](https://togithub.com/nextauthjs/next-auth/commit/2c669b32))

### [`v4.18.4`](https://togithub.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.18.4)

[Compare Source](https://togithub.com/nextauthjs/next-auth/compare/next-auth@v4.18.3...next-auth@v4.18.4)

##### Bugfixes

- **core**: handle `Request` -> `Response` regressions ([#5991](https://togithub.com/nextauthjs/next-auth/issues/5991)) ([`5c4a9a6`](https://togithub.com/nextauthjs/next-auth/commit/5c4a9a69))
- **next**: don't override `Content-Type` by `unstable_getServerSession` [https://github.com/nextauthjs/next-auth/pull/5991](https://togithub.com/nextauthjs/next-auth/pull/5991)/commits/7c24c5613f470f4b33f0486201821c6d40bedca8
- **core**: handle `,` while setting `set-cookie` [https://github.com/nextauthjs/next-auth/pull/5991](https://togithub.com/nextauthjs/next-auth/pull/5991)/commits/7a390844c8db3c548ca0155f16d6a033693a3fbf

### [`v4.18.3`](https://togithub.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.18.3)

[Compare Source](https://togithub.com/nextauthjs/next-auth/compare/next-auth@v4.18.2...next-auth@v4.18.3)

##### Bugfixes

- **core**: throw error if no action can be determined ([`157269e`](https://togithub.com/nextauthjs/next-auth/commit/157269e0))
- **core**: add protocol if missing ([`221bc8e`](https://togithub.com/nextauthjs/next-auth/commit/221bc8e9))

##### Other

- **core**: fix test ([`0a140cd`](https://togithub.com/nextauthjs/next-auth/commit/0a140cdf))

### [`v4.18.2`](https://togithub.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.18.2)

[Compare Source](https://togithub.com/nextauthjs/next-auth/compare/next-auth@v4.18.1...next-auth@v4.18.2)

#### Bugfixes

- **core**: properly construct url ([#5984](https://togithub.com/nextauthjs/next-auth/issues/5984)) ([`f329102`](https://togithub.com/nextauthjs/next-auth/commit/f3291025))

### [`v4.18.1`](https://togithub.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.18.1)

[Compare Source](https://togithub.com/nextauthjs/next-auth/compare/next-auth@v4.18.0...next-auth@v4.18.1)

#### Bugfixes

- **core**: don't mutate `authOptions` in `unstable_getServerSession` ([#5973](https://togithub.com/nextauthjs/next-auth/issues/5973)) ([`b19b2bc`](https://togithub.com/nextauthjs/next-auth/commit/b19b2bcb))

#### Other

- **core**: use standard `Request` and `Response` ([#4769](https://togithub.com/nextauthjs/next-auth/issues/4769)) ([`7e91d7d`](https://togithub.com/nextauthjs/next-auth/commit/7e91d7df))
- **dev**: upgrade dev app and deps ([`c4352a7`](https://togithub.com/nextauthjs/next-auth/commit/c4352a7d))

### [`v4.18.0`](https://togithub.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.18.0)

[Compare Source](https://togithub.com/nextauthjs/next-auth/compare/next-auth@v4.17.0...next-auth@v4.18.0)

#### Features

- **core**: make pkce and state maxAge configurable on the cookies ([#4719](https://togithub.com/nextauthjs/next-auth/issues/4719)) ([`f277989`](https://togithub.com/nextauthjs/next-auth/commit/f277989c))

#### Bugfixes

- **next**: improve dev environment variable handling ([#5763](https://togithub.com/nextauthjs/next-auth/issues/5763)) ([`0d17578`](https://togithub.com/nextauthjs/next-auth/commit/0d175781))
- **provider**: modify `response.name` to `response.nickname` (Naver) ([#5915](https://togithub.com/nextauthjs/next-auth/issues/5915)) ([`6e408e2`](https://togithub.com/nextauthjs/next-auth/commit/6e408e24))
- **ts**: improve `unstable_getServerSession` return type ([#5792](https://togithub.com/nextauthjs/next-auth/issues/5792)) ([`a307079`](https://togithub.com/nextauthjs/next-auth/commit/a307079e))

#### Other

- **types**: fix typo in comment ([#5815](https://togithub.com/nextauthjs/next-auth/issues/5815)) ([`2301c1b`](https://togithub.com/nextauthjs/next-auth/commit/2301c1be))

### Configuration

- Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
- Automerge: Disabled by config. Please merge this manually once you are satisfied.
- Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
- Ignore: Close this PR and you won't be reminded about these updates again.

This PR has been generated by Mend Renovate. View repository job log here.