Closed mdelapenya closed 3 years ago
Hey @balazsorban44 @iaincollins I updated the issue following the template with repro steps. Could you please?
I'm not a frontend engineer, but my first guess is related to using native fetch when a web proxy is sitting in front of the NextJS app. Not sure if using https://www.npmjs.com/package/node-fetch-with-proxy or node-https-proxy-agent could help here (more info on the latter: https://github.com/node-fetch/node-fetch/issues/79#issuecomment-184594701)
Thank you in advance for this wonderful library, it is awesome!
Would https://next-auth.js.org/configuration/options#nextauth_url_internal help here?
Will take a look, as that variable was not present when I started this thread back in January, thanks!!
No, it is not working :(
Adding more context: clicking on the "Server" link in the example menu throws this log error in the server:
web | [next-auth][error][client_fetch_error]
web | https://next-auth.js.org/errors#client_fetch_error session FetchError: request to https://local.myapp.com/api/auth/session failed, reason: connect ECONNREFUSED 127.0.0.1:443
web |     at ClientRequest.<anonymous> (/usr/src/node_modules/node-fetch/lib/index.js:1461:11)
web |     at ClientRequest.emit (node:events:378:20)
web |     at TLSSocket.socketErrorListener (node:_http_client:462:9)
web |     at TLSSocket.emit (node:events:378:20)
web |     at emitErrorNT (node:internal/streams/destroy:188:8)
web |     at emitErrorCloseNT (node:internal/streams/destroy:153:3)
web |     at processTicksAndRejections (node:internal/process/task_queues:81:21) {
web |   type: 'system',
web |   errno: 'ECONNREFUSED',
web |   code: 'ECONNREFUSED'
web | }
proxy | 172.19.0.1 - - local.myapp.com [29/Mar/2021:05:49:56 +0000] "GET /_next/data/6w9DobGzr43yUxUwLlOHW/server.json HTTP/2.0" 200 45 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36"
wait... After updating the NEXTAUTH_URL_INTERNAL to https://proxy:8443, which is proxy's internal URL, and adding NODE_TLS_REJECT_UNAUTHORIZED=0 (to skip verification of the self-signed certificate), then the error is different:
web | [next-auth][error][client_fetch_error]
web | https://next-auth.js.org/errors#client_fetch_error session FetchError: invalid json response body at https://proxy:8443/api/auth/session reason: Unexpected token < in JSON at position 0
web |     at /usr/src/node_modules/node-fetch/lib/index.js:272:32
web |     at processTicksAndRejections (node:internal/process/task_queues:94:5) {
web |   type: 'invalid-json'
web | }
proxy | 172.19.0.2 - - proxy [29/Mar/2021:06:06:42 +0000] "GET /api/auth/session HTTP/1.1" 403 146 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)"
Maybe similar to https://github.com/realm/realm-js/pull/1556/files?
On the other hand, using NEXTAUTH_URL_INTERNAL=http://proxy:8080 for insecure communications from proxy to webapp, it gives the following fetch error, although instead of Google APIs returning a 403 Forbidden error (as above), it returns a 302 Found (see last log error)
web | [next-auth][error][client_fetch_error]
web | https://next-auth.js.org/errors#client_fetch_error session FetchError: request to https://proxy/api/auth/session failed, reason: connect ECONNREFUSED 172.21.0.3:443
web |     at ClientRequest.<anonymous> (/usr/src/node_modules/node-fetch/lib/index.js:1461:11)
web |     at ClientRequest.emit (node:events:378:20)
web |     at TLSSocket.socketErrorListener (node:_http_client:462:9)
web |     at TLSSocket.emit (node:events:378:20)
web |     at emitErrorNT (node:internal/streams/destroy:188:8)
web |     at emitErrorCloseNT (node:internal/streams/destroy:153:3)
web |     at processTicksAndRejections (node:internal/process/task_queues:81:21) {
web |   type: 'system',
web |   errno: 'ECONNREFUSED',
web |   code: 'ECONNREFUSED'
web | }
proxy | 172.21.0.1 - - local.myapp.com [29/Mar/2021:06:15:47 +0000] "GET /api/auth/callback/google?state=REDACTED&code=REDACTED&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&authuser=1&prompt=none HTTP/2.0" 302 0 "https://accounts.google.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36"
Please take a look at the IP in the error: fetch still thinks HTTPS is handled by the web service (ECONNREFUSED 172.21.0.3:443), as the proxy service runs on 127.21.0.1
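Added example, not part of the original thread and not NextAuth code: a small Node.js triage helper that compares the configured server-side base URL (NEXTAUTH_URL_INTERNAL, falling back to NEXTAUTH_URL, as the NextAuth documentation describes) with the URL a FetchError line reports, and flags NODE_TLS_REJECT_UNAUTHORIZED=0, which turns off certificate verification for every TLS connection the process makes. The function names, the finding strings and the NEXTAUTH_URL value are assumptions; the log excerpts are shortened from the ones above.

```javascript
// Added example, not NextAuth code. Assumes the documented rule that
// server-side calls use NEXTAUTH_URL_INTERNAL, falling back to NEXTAUTH_URL.

// Reduce a URL to scheme/host/explicit port so "https://proxy" and
// "https://proxy:443" compare equal.
function endpoint(raw) {
  const u = new URL(raw);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port };
}

// Return findings for one environment and one FetchError log line.
function triage(env, logLine) {
  const findings = [];
  const configured = env.NEXTAUTH_URL_INTERNAL || env.NEXTAUTH_URL;
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    // Disables certificate checks for every TLS client in the process.
    findings.push('tls-verification-disabled');
    if (!env.NODE_EXTRA_CA_CERTS) findings.push('no-extra-ca-configured');
  }
  const req = /FetchError: (?:request to|invalid json response body at) (\S+)/.exec(logLine);
  if (req && configured) {
    const want = endpoint(configured);
    const got = endpoint(req[1]);
    for (const key of ['scheme', 'host', 'port']) {
      if (want[key] !== got[key]) findings.push(`${key}-mismatch:${want[key]}->${got[key]}`);
    }
  }
  const refused = /ECONNREFUSED (\d+\.\d+\.\d+\.\d+):\d+/.exec(logLine);
  if (refused && refused[1].startsWith('127.')) findings.push('target-resolved-to-loopback');
  return findings;
}

// Log excerpts shortened from the thread; the NEXTAUTH_URL value is an assumption.
const CASES = [
  [{ NEXTAUTH_URL: 'https://local.myapp.com' },
    'FetchError: request to https://local.myapp.com/api/auth/session failed, reason: connect ECONNREFUSED 127.0.0.1:443'],
  [{ NEXTAUTH_URL_INTERNAL: 'https://proxy:8443', NODE_TLS_REJECT_UNAUTHORIZED: '0' },
    'FetchError: invalid json response body at https://proxy:8443/api/auth/session reason: Unexpected token < in JSON at position 0'],
  [{ NEXTAUTH_URL_INTERNAL: 'http://proxy:8080' },
    'FetchError: request to https://proxy/api/auth/session failed, reason: connect ECONNREFUSED 172.21.0.3:443'],
];
for (const [env, line] of CASES) console.log(JSON.stringify(triage(env, line)));
```

A `tls-verification-disabled` finding together with `no-extra-ca-configured` means the self-signed certificate was bypassed rather than trusted; supplying that certificate through Node's NODE_EXTRA_CA_CERTS keeps verification on for the process's other TLS connections.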
@balazsorban44 any guess about the behaviour shown in this issue?
@mdelapenya Hi! Did you manage to solve this problem? Thanks.
Nope, still stuck on that. Did not have time to work on that, but thinking about replacing node-fetch using the proxy version in my fork
Hi there! It looks like this issue hasn't had any activity for a while. It will be closed if no further activity occurs. If you think your issue is still relevant, feel free to comment on it to keep it open. (Read more at #912) Thanks!
Hi there! It looks like this issue hasn't had any activity for a while. To keep things tidy, I am going to close this issue for now. If you think your issue is still relevant, just leave a comment and I will reopen it. (Read more at #912) Thanks!
Would https://next-auth.js.org/configuration/options#nextauth_url_internal help here?
this is working with nginx proxy, thx u
Describe the bug
NextAuth is not handling the session when the NextJS app is behind a proxy.
Steps to reproduce
https://local.myapp.com/api/auth/callback/google to the Authorised URLs in the OAuth credentials section in your Google Cloud console
127.0.0.1 local.domain.example
docker-compose up
https://local.myapp.com (Note: in Chrome you may need to type "thisisunsafe")
Expected behavior
You should be able to login again
Current behavior
It's not possible to login again.
Screenshots or error logs
If applicable add screenshots or error logs to help explain the problem.
Additional context
Verified in Chrome and Firefox, and there is an open discussion #676 with more context.
There is a weird behaviour here: when the proxy is recreated:
and you browse local.myapp.com in another tab (so Chrome requires you to type again the 'thisisunsafe' thing) it is possible to login again, and it also could be the case that if the session is still active, you could see yourself logged in. But at the moment you logout, then it's not possible again.
Feedback
Documentation refers to searching through online documentation, code comments and issue history. The example project refers to next-auth-example.
Not sure if this is the right manner to do, but wanted to put attention in the https://github.com/nextauthjs/next-auth/discussions/676 discussion, where we explained a use case where auth is not able to go via proxy, including an example.
Any help there?