Open megagames-me opened 1 year ago
After further debugging, I believe this issue is either on my end (replit) or SvelteKit's end. In hooks.server.ts
, the handle function is passed an object with the keys event
and resolve
. The event object has a URL object inside of it which is apparently used by Auth.js but it gives a protocol of http instead of https. Also, the request object inside of the event object has a URL object too which is wrong. Here is the modified code that corrects this. This should fix the issue.
// src/hooks.server.ts
let handlerFunc = SvelteKitAuth({
//@ts-expect-error issue https://github.com/nextauthjs/next-auth/issues/6174
providers: [Google({
clientId: GOOGLE_ID,
clientSecret: GOOGLE_SECRET,
})],
useSecureCookies: true,
trustHost: true,
debug:true,
});
export const handle = ({event, resolve}: any) => {
event.url.protocol = "https:";
const symbol = Object.getOwnPropertySymbols(event.request)[1];
event.request[symbol].url.protocol = "https:";
for (let i = 0; i < event.request[symbol].urlList.length; i++) {
event.request[symbol].urlList[i].protocol = "https:";
}
return handlerFunc({event, resolve});
};
After further debugging, I believe this issue is either on my end (replit) or SvelteKit's end. In
hooks.server.ts
, the handle function is passed an object with the keysevent
andresolve
. The event object has a URL object inside of it which is apparently used by Auth.js but it gives a protocol of http instead of https. Also, the request object inside of the event object has a URL object too which is wrong. Here is the modified code that corrects this. This should fix the issue.// src/hooks.server.ts let handlerFunc = SvelteKitAuth({ //@ts-expect-error issue https://github.com/nextauthjs/next-auth/issues/6174 providers: [Google({ clientId: GOOGLE_ID, clientSecret: GOOGLE_SECRET, })], useSecureCookies: true, trustHost: true, debug:true, }); export const handle = ({event, resolve}: any) => { event.url.protocol = "https:"; const symbol = Object.getOwnPropertySymbols(event.request)[1]; event.request[symbol].url.protocol = "https:"; for (let i = 0; i < event.request[symbol].urlList.length; i++) { event.request[symbol].urlList[i].protocol = "https:"; } return handlerFunc({event, resolve}); };
Having the same issue here, did you figure out a fix?
I'm using discord and whenever i use the website through the domain i get 403 on the /auth/discord/signin endpoint :(
The code I put there was my solution. Did it not work for you? It changes the protocol to https which should fix all your issues.
Please give me further information if my solution didn't work for you.
@megagames-me
The code works, but should this really be needed?
It feels very odd to me!
@megagames-me
The code works, but should this really be needed?
It feels very odd to me!
I'm not sure why, but the library thinks that the website is on http not https. I looked through the code of Auth.js and found that this variable is what is used to check whether it should redirect to http or https. I'm not sure whether the UrlList thing is necessary though. It is quite odd.
I probably shouldn't have closed this issue since it's just a temporary fix anyway. I'll reopen it now.
I encountered the same issue using sveltekit, but only when I tried production mode. The reason of the issue is that auth.js tries to run on https when in production and if you don't configure your sveltekit app to detect the https protocol or to ignore it, then you are going to face this problem.
I fixed by modifying the .env
file. In the deployment page https://kit.svelte.dev/docs/adapter-node you have the option of adding some variables, one of them is your origin url:
ORIGIN=https://my.site
# or e.g. for local previewing and testing
ORIGIN=http://localhost:3000
In my case I added ORIGIN=http://localhost:3000
because I just want to test the deployment.
very annoying/confusing bug. I am running with https in development mode using vite-plugin-mkcert calling https://localhost:5173/auth/session after a successful login would show my session details but my sveltekit layouts/pages calling event.locals.auth() or event.locals.getSession() would always receive null
when debugging I also noticed that the difference between the two is that authjs thinks I am on http in the failing case and fails because it is looking for thet http session token cookie (names differ)
my fix is
SvelteKitAuth({
useSecureCookies: true
})
very annoying/confusing bug. I am running with https in development mode using vite-plugin-mkcert calling https://localhost:5173/auth/session after a successful login would show my session details but my sveltekit layouts/pages calling event.locals.auth() or event.locals.getSession() would always receive null
when debugging I also noticed that the difference between the two is that authjs thinks I am on http in the failing case and fails because it is looking for thet http session token cookie (names differ)
my fix is
SvelteKitAuth({ useSecureCookies: true })
I think maybe create a new issue? The problem I was talking about seems to be fixed in that context but you seem to be having it in a different one. Maybe a new issue would bring more attention to it
Environment
I'm using sveltekit, so I'll give the versions relevant to it.
I'm using node.js 18.2.0 on replit using Ubuntu 20.04.2 LTS (Focal Fossa). My browser is chrome 108.0.5359.124.
Reproduction URL
https://replit.com/@grapecoder/amc
Describe the issue
When setting up Auth.js for SvelteKit, I followed the instructions in the documentation here. However, when trying to have my sign in button do the function
signIn()
, nothing was happening when I clicked on it. In the console, I got a 403 error saying thatCross-site POST form submissions are forbidden
. So, after that I tried copying the method in the example repo which uses a link to/auth/signin/
instead. However, that still didn't work as when I click on the Sign in with Google button I get the same error and an alert saying that this form isn't secure. I believe the issue is due to the callbackUrl and signinUrl using the http protocol instead of https. This is my first time using this library in a while and back then there was an environment variable namedNEXTAUTH_URL
that would fix this issue but apparently it doesn't exist anymore. I'm using the google provider so I tried going through the code for the provider and the OAuthConfig interfaces to see whether I could modify this but I couldn't find anything.Here is some of my code:
How to reproduce
Follow the exact same instructions at https://authjs.dev/reference/sveltekit/modules/main but use the google provider instead.
Expected behavior
It should redirect to the google sign in page.