nextauthjs / next-auth

Authentication for the Web.
https://authjs.dev
ISC License

Does not load env from `next.config.js` and keep using the wrong URL (localhost:3000) for sign in #6768

Closed khteh closed 1 year ago

khteh commented 1 year ago

Environment

    System:
      OS: Linux 5.19 Ubuntu 22.10 22.10 (Kinetic Kudu)
      CPU: (20) x64 12th Gen Intel(R) Core(TM) i7-12800H
      Memory: 47.11 GB / 62.48 GB
      Container: Yes
      Shell: 5.2.2 - /bin/bash
    Binaries:
      Node: 19.6.0 - /usr/local/bin/node
      Yarn: 1.22.19 - /usr/local/bin/yarn
      npm: 9.4.0 - /usr/local/bin/npm
    Browsers:
      Chrome: 110.0.5481.100
      Firefox: 110.0

Reproduction URL

https://github.com/nextauthjs/next-auth-example Any value other than https://localhost:3000

Describe the issue

I have both NEXTAUTH_URL and NEXTAUTH_URL_INTERNAL defined as https://localhost:4434 but clicking the sign in button keeps redirecting to http://localhost:3000/api/auth/signin/<provider>

"next-auth": "^4.19.2",

Console log:

NEXTAUTH_URL: https://localhost:4434
[next-auth][warn][NEXTAUTH_URL] 
https://next-auth.js.org/warnings#nextauth_url

How to reproduce

You can reproduce yourself!

Expected behavior

NEXTAUTH_URL and NEXTAUTH_SECRET should be read from next.config.js

github-actions[bot] commented 1 year ago

We cannot recreate the issue with the provided information. Please add a reproduction in order for us to be able to investigate.

Why was this issue marked with the incomplete label?

To be able to investigate, we need access to a reproduction to identify what triggered the issue. We prefer a link to a public GitHub repository (template), but you can also use a tool like CodeSandbox or StackBlitz.

To make sure the issue is resolved as quickly as possible, please make sure that the reproduction is as minimal as possible. This means that you should remove unnecessary code, files, and dependencies that do not contribute to the issue.

Please test your reproduction against the latest version of NextAuth.js (next-auth@latest) to make sure your issue has not already been fixed.

I added a link, why was it still marked?

Ensure the link is pointing to a codebase that is accessible (e.g. not a private repository). "example.com", "n/a", "will add later", etc. are not acceptable links -- we need to see a public codebase. See the above section for accepted links.

What happens if I don't provide a sufficient minimal reproduction?

Issues with the incomplete label that receives no meaningful activity (e.g. new comments with a reproduction link) are automatically closed and locked after 30 days.

If your issue has not been resolved in that time and it has been closed/locked, please open a new issue with the required reproduction.

I did not open this issue, but it is relevant to me, what can I do to help?

Anyone experiencing the same issue is welcome to provide a minimal reproduction following the above steps. Furthermore, you can upvote the issue using the :+1: reaction on the topmost comment (please do not comment "I have the same issue" without repro steps). Then, we can sort issues by votes to prioritize.

I think my reproduction is good enough, why aren't you looking into it quicker?

We look into every NextAuth.js issue and constantly monitor open issues for new comments.

However, sometimes we might miss one or two. We apologize, and kindly ask you to refrain from tagging core maintainers, as that will usually not result in increased priority.

Upvoting issues to show your interest will help us prioritize and address them as quickly as possible. That said, every issue is important to us, and if an issue gets closed by accident, we encourage you to open a new one linking to the old issue and we will look into it.


khteh commented 1 year ago

Using .env.local works but NOT with next.config.js:

const config = require('config')
module.exports = {
    env: {
        NEXTAUTH_SECRET: config.get('NEXTAUTH_SECRET'),
        NEXTAUTH_URL: config.get('NEXTAUTH_URL'),
        DUENDE_IDS6_ISSUER: config.get('DUENDE_IDS6_ISSUER'),
        DUENDE_IDS6_CLIENT_ID: config.get('DUENDE_IDS6_CLIENT_ID'),
        DUENDE_IDS6_CLIENT_SECRET: config.get('DUENDE_IDS6_CLIENT_SECRET'),
    }
}

balazsorban44 commented 1 year ago

Using next.config.js (especially for secrets!) is not recommended as they will be part of the client bundle, as documented:

Note: environment variables specified in this way will always be included in the JavaScript bundle, prefixing the environment variable name with `NEXT_PUBLIC_` only has an effect when specifying them through the environment or .env files.

https://nextjs.org/docs/api-reference/next.config.js/environment-variables

I recommend using .env.local for all variables instead.

_A kind reminder, you have posted 10 issues recently, all without a proper reproduction. http://localhost:3000 is not a reproduction. We need to see your code to investigate in most cases. If you have project-specific questions (like many of the opened issues), please use Discussions instead._ The issue tracker is for reporting bugs.

redimongo commented 1 year ago

I am having issues with this with the latest version 4.20.1 and while running in a docker container.

I am using

NEXTAUTH_URL_INTERNAL=http://nextjs:3000

As my docker name is nextjs, it was working fine when using 4.10.3. Tried to upgrade and bam things broke.

ricardasjak commented 1 year ago

I wouldn't consider this as a closed issue. I also stepped into this bug. NEXTAUTH_URL is not in any way a secret variable, which we may not use as part of nextjs config. I have a use case where I want to put NEXTAUTH_URL into nextjs config.

akshay-nm commented 1 year ago

I have this in my logs (localhost):

[next-auth][warn][DEBUG_ENABLED] 
https://next-auth.js.org/warnings#debug_enabled
- error TypeError [ERR_INVALID_URL]: Invalid URL
    at new NodeError (node:internal/errors:399:5)
    at new URL (node:internal/url:560:13)
    at Object.redirect (webpack-internal:///(sc_server)/./node_modules/next-auth/core/lib/default-callbacks.js:12:18)
    at createCallbackUrl (webpack-internal:///(sc_server)/./node_modules/next-auth/core/lib/callback-url.js:10:39)
    at init (webpack-internal:///(sc_server)/./node_modules/next-auth/core/init.js:131:91)
    at AuthHandler (webpack-internal:///(sc_server)/./node_modules/next-auth/core/index.js:138:57)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async NextAuthRouteHandler (webpack-internal:///(sc_server)/./node_modules/next-auth/next/index.js:49:30)
    at async NextAuth._args$ (webpack-internal:///(sc_server)/./node_modules/next-auth/next/index.js:83:24)
    at async eval (webpack-internal:///(sc_server)/./node_modules/next/dist/server/future/route-modules/app-route/module.js:265:37) {
  input: 'null',
  code: 'ERR_INVALID_URL'
}

I have this in my .env.local:

NEXTAUTH_SECRET=SOMETHING_HERE
NEXTAUTH_URL=http://localhost:3000

My next.config.js does not have any env vars

This is my route.ts file (app router):

import NextAuth from "next-auth";
import GoogleProvider from "next-auth/providers/google";

export const authOptions = {
    providers: [
        GoogleProvider({
            clientId: process.env.GOOGLE_CLIENT_ID as string,
            clientSecret: process.env.GOOGLE_CLIENT_SECRET as string,
        }),
    ],
    pages: {
        signIn: "/signin",
        signOut: "/",
    },
    debug: true,
    secret: process.env.NEXTAUTH_SECRET as string,
};

const handler = NextAuth(authOptions);

export { handler as GET, handler as POST };

sreimer15 commented 1 year ago

I am trying to have my http server be accessible via proxy

npx local-ssl-proxy --source 3001 --target 3000

Since I have to do some hack for Instagram OAuth, but since my server is actually on http, all my sessions break because all my redirect URLs are going to http in local development.

Is there some way to always force https using this library?