nextauthjs / next-auth

Authentication for the Web.
https://authjs.dev
ISC License

Next auth with credential issues #5183

Closed nirazanbasnet closed 1 year ago

nirazanbasnet commented 1 year ago

Environment

System: Vercel production
Binaries:
  Node: 14.19.1 - ~/.nvm/versions/node/v14.19.1/bin/node
  Yarn: 1.22.18 - ~/.nvm/versions/node/v14.19.1/bin/yarn
  npm: 8.12.2 - ~/.nvm/versions/node/v14.19.1/bin/npm
Browsers:
  Brave Browser: 104.1.42.88
  Chrome: 104.0.5112.79
  Safari: 15.6
npmPackages:
  next: ^12.0.9 => 12.2.4
  next-auth: ^4.10.3 => 4.10.3
  react: 17.0.2 => 17.0.2

Reproduction URL

https://nextjs-nextauth-laravel-login.vercel.app/

Describe the issue

I used const session = await unstable_getServerSession(req, res, authOptions); on serverSideProps to get the session. But the session is shared on deploying production to Vercel. So it is misbehaving on the login module.

These are two users' credentials. Whenever we log in from the account, the session is shared which is causing misbehavior on the login module by using the next-auth API route.

You can access the code here: https://github.com/puncoz/nextjs-nextauth-laravel-login

How to reproduce

URL: https://nextjs-nextauth-laravel-login.vercel.app/

username: er.nirajan.basnet@gmail.com password: password123

username: nirajan.basnet@webo.digital password: password123

For the account that logs in to the system, the session is shared until the previous account logs out.

Expected behavior

The two different accounts must have different sessions, and sessions should not be shared.

mshd commented 1 year ago

I checked your code. Where is the authorize/login pointing to? It seems as if that code is not in the repo. Look at the next-auth database adapters. Also, next-auth works great with social login. See the demo here: https://next-auth-example.vercel.app/

puncoz commented 1 year ago

Hi @mshd, thanks for the response. We have another auth server and don't have direct access to the database, hence we are unable to use the next-auth database adapters. Hence we are calling the login API from the next-auth API using the "Credentials provider". You can check here in this file (line number 19):

https://github.com/puncoz/nextjs-nextauth-laravel-login/blob/main/src/pages/api/auth/%5B...nextauth%5D.ts

balazsorban44 commented 1 year ago

It sounds like some kind of caching issue. Sessions between different users cannot reach other devices unless you have cached the session response. Make sure it's not the case!

If it's the same machine, NextAuth.js has a 30 days session expiry by default, unless the user explicitly logs out earlier. You can change the max session age as shown in the docs https://next-auth.js.org/configuration/options#session
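
The failure mode described in the comment above (a cached session response reaching another user), as an added example that is not part of the thread, the reporter's repository, or next-auth. The tokens, e-mail addresses, header values and the `/api/auth/session` cache key are constructed for illustration, and the Cache-Control handling is a simplified assumption of how a shared cache decides.

```javascript
// Constructed session store: cookie value -> user (sample data, not from the issue).
const SESSIONS = { "token-a": "alice@example.test", "token-b": "bob@example.test" };

// Stand-in for a session endpoint; `cacheControl` is the header value the
// deployment sends along with the per-user JSON body.
function sessionEndpoint(cookie, cacheControl) {
  return {
    headers: { "cache-control": cacheControl },
    body: JSON.stringify({ user: SESSIONS[cookie] ?? null }),
  };
}

// May a shared cache (CDN, reverse proxy) store this response?
// Simplified: private/no-store forbid it; public, s-maxage>0 or max-age>0
// allow it; with no usable directive this model does not store.
function sharedCacheMayStore(headers) {
  const cc = (headers["cache-control"] || "").toLowerCase();
  const directives = cc.split(",").map((d) => d.trim()).filter(Boolean);
  if (directives.includes("private") || directives.includes("no-store")) return false;
  return directives.some((d) => d === "public" || /^(s-maxage|max-age)=[1-9]\d*$/.test(d));
}

// Shared cache keyed on the URL only: the cookie is not part of the key,
// so anything it stores is replayed to every later visitor.
function makeSharedCache(origin) {
  const store = new Map();
  return function get(url, cookie) {
    if (store.has(url)) return store.get(url).body; // hit: cookie never consulted
    const res = origin(cookie);
    if (sharedCacheMayStore(res.headers)) store.set(url, res);
    return res.body;
  };
}

// Sends user A, then user B, through one cache and returns what B receives.
function whatSecondUserSees(cacheControl) {
  const get = makeSharedCache((cookie) => sessionEndpoint(cookie, cacheControl));
  get("/api/auth/session", "token-a");
  return JSON.parse(get("/api/auth/session", "token-b")).user;
}

console.log(whatSecondUserSees("public, s-maxage=60"));         // first user's profile
console.log(whatSecondUserSees("private, no-cache, no-store")); // second user's own profile
```

To check a real deployment, compare the Cache-Control and cache-status response headers of the session route and of any server-rendered page that embeds the session across hosts.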

puncoz commented 1 year ago

Hi @balazsorban44, you can check the codebase on GitHub. There is no cache or anything as such implemented. It's just simple standard code as mentioned in the next-auth documentation.

Files to look into the code:

I tried deploying the same code/repo on Netlify and a custom VPS server. It's working fine there.

But only on Vercel, the session is being shared. (Here, "session shared" means that if one user logs in from any device, and then another user logs in from another (or the same, no matter which) device, the second user will receive the profile information of the first user.)

wendy121418 commented 4 months ago

> Hi @balazsorban44, you can check the codebase on GitHub. There is no cache or anything as such implemented. It's just simple standard code as mentioned in the next-auth documentation.
>
> Files to look into the code:
>
> I tried deploying the same code/repo on Netlify and a custom VPS server. It's working fine there.
>
> But only on Vercel, the session is being shared. (Here, "session shared" means that if one user logs in from any device, and then another user logs in from another (or the same, no matter which) device, the second user will receive the profile information of the first user.)

Did you solve this issue? I have the same issue with a Hostinger VPS.