SvelteKitAuth: Unable to login when a base path is configured

[aakash14goplani]

Environment

System:
  OS: Windows 11 10.0.22621
  CPU: (8) x64 11th Gen Intel(R) Core(TM) i5-1135G7 @ 2.40GHz
  Memory: 6.41 GB / 15.41 GB
Binaries:
  Node: 20.9.0 - C:\Program Files\nodejs\node.EXE
  Yarn: 1.22.19 - ~\AppData\Roaming\npm\yarn.CMD
  npm: 10.1.0 - C:\Program Files\nodejs\npm.CMD
  pnpm: 8.14.1 - ~\AppData\Local\pnpm\pnpm.CMD
Browsers:
  Edge: Chromium (121.0.2277.83)
  Internet Explorer: 11.0.22621.1
npmPackages:
  @auth/core: ^0.25.0 => 0.25.0
  @auth/sveltekit: ^0.11.0 => 0.11.0
  @sveltejs/kit: ^2.5.0 => 2.5.0
  svelte: ^4.2.9 => 4.2.9

Reproduction URL

https://github.com/aakash14goplani/sveltekit-auth-session-token/tree/new-version-test

Describe the issue

• When base path is configured in SvelteKit, the login flow breaks.
• This is true with both client (via signIn) and server initiated login (via fetch api)
• Issue occurred with the latest release of @auth/sveltekit i.e. 0.11.0, prior to this version, everything works like charm

How to reproduce

• Configure your application with base path
  • In app.html set base href i.e.

    <base href="/aakash/" />

  • In svelte.config.js set base path i.e.

    const config = {
    preprocess: vitePreprocess(),
    kit: {
      paths: {
        base: '/aakash',
        relative: true
      },
    },

• Login with client flow using signIn, check network tab, "csrf" call gets failed

• Login with server flow using below code but csrf call gets failed

  import { base } from '$app/paths';
  
  const tokenCall = await fetch(base + '/auth/csrf');
  const csrfTokenResponse = await new Response(tokenCall.body).json();
  const csrfToken = csrfTokenResponse.csrfToken;

Expected behavior

User should be able to login when base path is configured in SvelteKit app

[aakash14goplani]

cc: @balazsorban44 @ThangHuuVu @ndom91

[ndom91]

Hey @aakash14goplani so first of all, thanks for the reproduction!

However, I'm having trouble getting it to reproduce the error, as the reproduction doesn't include any basePath configuration. Not in the svelte.config nor in the Auth.js config.

Just in general, you shuold set the basePath in the auth config as well (key basePath). You can drop the NEXTAUTH_URL / AUTH_URL env var as well.

Can you give that a shot?

[ndom91]

Okay so i was able to get everything to work in 0.5.0 and not in 0.11.0. With the error message Not found: "/aakash/auth/signout".

To get your repro to work in 0.5.0 required some changes though, for future reference:

• Add basePath to Auth.js config and sveltekit config
• Remove NEXTAUTH_URL from .env
• Added event.url.pathname.includes('/aakash') || to the hooks.server.ts redirect logic (line 12)

That setup leads to all Auth.js routes to be 404-ed, i.e. /aakash/auth/session, /aakash/auth/signout, etc.

[ndom91]

@aakash14goplani looks like this small change (https://github.com/nextauthjs/next-auth/pull/9889) was able to get it working in 0.11.0 in the following situations:

• No basePath set in Auth.js config + no base set in svelte.config and no AUTH_URL set.
• No basePath set in Auth.js config + no base set in svelte.config, but AUTH_URL is set.
• basePath set in Auth.js config + base set in svelte.config and no AUTH_URL
• basePath set in Auth.js config + base set in svelte.config and AUTH_URL is set.

Give it a shot and let me know if it helps your case as well :+1:

[aakash14goplani]

Hello @ndom91

Thanks for quick response. I was able to fix it by adding basePath property in SvelteKitAuthConfig. It's value must be "/my-base-url/auth". Also removed NEXTAUTH_URL from environment variables.

Feedback - I have been an early user of SvelteKitAuth. I have been using it for over an year now, starting with v0.3 - till date. All the releases are making this package more useful (and thanks to all of your combined efforts for that) but this version literally broke the flow. Please think about it as I maybe the first one to notice and I expect streams of similar issues will be followed as "basePath" was nowhere in picture and suddenly it is mandatory with recent change!

Thanks Again!

[balazsorban44]

@aakash14goplani first of all thanks for being an early adopter! Your feedback and issues like these are essential for us to reach stability!

The idea is that it won't be required to set basePath by default! Hence it was not communicated. See @ndom91's PR #9889 (merging/releasing as I write this).