Open zoey-kaiser opened 7 months ago
Valid point regarding trustHost: https://github.com/sidebase/nuxt-auth/issues/691#issuecomment-1972763234
It makes perfect sense to wait for a release of next-auth@5 which would also mean a release of a significant @auth/core version (maybe even v1).
It makes perfect sense to wait for a release of next-auth@5 which would also mean a release of a significant @auth/core version (maybe even v1).
Agreed! I can see that they already have alpha versions of Version 5 released. Have they added support for trustHost there yet? I think we can also still continue internally preparing for the release by outlining which changes we will be making and updating our internal logic in preparation for this. But I do agree that we should wait with the official switch until they release!
I am a bit concerned, see reports below. What is missing/required to start with the migration process?
package.json
"@sidebase/nuxt-auth": "^0.7.2",
"next-auth": "4.21.1",
Audit Report:
# npm audit report
next >=13.4.0 <14.1.1
Severity: high
Next.js Server-Side Request Forgery in Server Actions - https://github.com/advisories/GHSA-fr5h-rqp8-mj6g
fix available via `npm audit fix`
node_modules/next
next-auth <4.24.5
Severity: moderate
Possible user mocking that bypasses basic authentication - https://github.com/advisories/GHSA-v64w-49xw-qq89
fix available via `npm audit fix --force`
Will install @sidebase/nuxt-auth@0.6.7, which is a breaking change
node_modules/next-auth
@sidebase/nuxt-auth 0.3.0-alpha.1 - 0.4.0-alpha.6 || >=0.7.0-rc.0
Depends on vulnerable versions of next-auth
node_modules/@sidebase/nuxt-auth
3 vulnerabilities (2 moderate, 1 high)
Why next
❯ npm why next
next@13.5.6 peer
node_modules/next
peer next@"^12.2.5 || ^13" from next-auth@4.21.1
node_modules/next-auth
next-auth@"4.21.1" from the root project
peer next-auth@"^4" from @next-auth/prisma-adapter@1.0.7
node_modules/@next-auth/prisma-adapter
@next-auth/prisma-adapter@"^1.0.7" from the root project
peer next-auth@"~4.21.1" from @sidebase/nuxt-auth@0.7.2
node_modules/@sidebase/nuxt-auth
Valid point regarding trustHost: https://github.com/sidebase/nuxt-auth/issues/691#issuecomment-1972763234
Primarily some missing security features, such as trustHost. Aside from this, we would definitely wait to deprecate the current version until authjs makes their full official release. We want to avoid solely relying on a package that has not had a proper release yet.
We have already investigated internally what is required for a migration and are slowly preparing our module for this in the future; however, due to the reasons mentioned above, we will not release a stable version of the authjs provider until they do so as well!
I am a bit concerned, see reports below.
If you delve into the actual report (https://github.com/advisories/GHSA-v64w-49xw-qq89), you'll see that the vulnerability only affects the default NextAuth middleware. One of the fixes they also mention is writing your own middleware that adds a check that was missing. See original statement from us here: https://github.com/sidebase/nuxt-auth/issues/514#issuecomment-1849679979
However, this middleware is never used inside our module, as we have our own custom Nuxt middleware. Therefore this vulnerability does not affect the module. If you have any additional questions feel free to raise them. 😊
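The reply above points out that the advisory only affects the default NextAuth middleware and that the suggested fix is a middleware check of your own. The following is an added example, not code from nuxt-auth, next-auth or the advisory, of what such a check looks like in plain JavaScript: a decoded session token only counts as a signed-in user when it carries real identity claims and has not expired, rather than merely because it decoded. The claim names in `REQUIRED_CLAIMS` and the sample tokens are assumptions constructed for the example.

```javascript
// Added example, not code from nuxt-auth or next-auth.
// Models an "authorized" check of the kind the advisory's workaround calls for:
// a session cookie is a login only if its decoded JWT names a real user.
// All token objects below are constructed sample data.

// Assumption: the app's session/jwt callbacks always populate these claims.
const REQUIRED_CLAIMS = ["sub", "email"];

// Returns true only for a token that represents a genuine signed-in user.
function isAuthenticatedSession(token, now = Date.now()) {
  if (token === null || typeof token !== "object") return false;
  for (const claim of REQUIRED_CLAIMS) {
    const value = token[claim];
    if (typeof value !== "string" || value.trim() === "") return false;
  }
  // JWT `exp` is seconds since the epoch; an expired token is not a login.
  if (typeof token.exp === "number" && token.exp * 1000 <= now) return false;
  return true;
}

// The decision a route-guarding server middleware would make from the token.
function guardRequest(decodedToken, loginPath = "/login") {
  return isAuthenticatedSession(decodedToken)
    ? { action: "allow" }
    : { action: "redirect", to: loginPath };
}

// Constructed sample tokens.
const NOW_SECONDS = Math.floor(Date.now() / 1000);
const realUserToken = {
  sub: "user-123",
  email: "alice@example.com",
  iat: NOW_SECONDS,
  exp: NOW_SECONDS + 3600,
};
// Decodes fine but names no user: must not be treated as a login.
const identitylessToken = { iat: NOW_SECONDS, exp: NOW_SECONDS + 600 };
// Correct identity, but already expired.
const expiredUserToken = {
  sub: "user-123",
  email: "alice@example.com",
  exp: NOW_SECONDS - 10,
};

for (const [name, token] of Object.entries({ realUserToken, identitylessToken, expiredUserToken })) {
  console.log(name, "->", guardRequest(token).action);
}
```

The point of the check is the second sample: a token that verifies and decodes is not the same as a token that identifies someone, so the guard insists on the identity claims the application itself sets.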
Hello there :) Would it be possible to get some news re. this subject? I just checked, and it seems that the underlying v5 has been released since then.
Hey all, I wanted to +1 this request for an update considering the circumstances of the rewrite. :-)
Hi everyone 👋
Short update regarding our migration timeline: We are finalizing release 0.8.0 (Check out https://github.com/sidebase/nuxt-auth/releases/tag/0.8.0-rc.1). In this release, we primarily focused on housekeeping and improving the internal module code as well as some long-awaited and necessary updates for the local and refresh providers:
Housekeeping:
Refresh and Local Providers:
With the release of 0.8.0, we feel we have a much better basis for NuxtAuth to continue evolving. While I can't give precise updates on the next steps, I do hope to be able to update you soon once @phoenix-ru and I outline the scope for the next release!
@zoey-kaiser Does NuxtAuth make use of any Next.js server actions? I am asking because I am wondering if using NuxtAuth in our project would open us up to any vulnerabilities surrounding this GitHub advisory: https://github.com/advisories/GHSA-fr5h-rqp8-mj6g
Thanks!
Hi @johnwilson-wsh 👋
Thanks for raising the advisory. I would also pull in @phoenix-ru for his opinion, but my initial thoughts are that this should not affect the module, as all requests are still made via the Nuxt 3 server. We have an internal "converter" that accepts H3events and transforms them into requests that NextAuth can handle (See code here).
Therefore, I do not think that any SSRF vulnerabilities exclusive to Nextjs server actions that allow you to modify the HOST header would affect this package!
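Two comments in this thread touch the same question: the earlier mention of trustHost as a missing security feature, and the reply above about requests that modify the HOST header. The following added example, not nuxt-auth's or Auth.js's code, shows in plain JavaScript the decision an auth handler can make about which origin to build its callback and redirect URLs from. A statically configured origin is always used as-is; client-supplied Host or X-Forwarded-* headers are only consulted when the operator has explicitly opted in. The names `config.origin` and `config.trustHost`, and the request objects, are assumptions constructed for the example.

```javascript
// Added example, not code from nuxt-auth or Auth.js.
// Decides which origin an auth handler should trust for its own URLs.
// `config.origin` / `config.trustHost` are assumed option names; the request
// objects further down are constructed samples.

// Hostname, optionally with a port. No path, scheme, userinfo or whitespace.
const HOST_PATTERN = /^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::\d{1,5})?$/i;

function resolveAuthOrigin(req, config) {
  // A configured origin is used verbatim; nothing in the request can change it.
  if (typeof config.origin === "string" && config.origin !== "") {
    return config.origin;
  }
  // Without explicit opt-in, never derive the origin from client-controlled headers.
  if (config.trustHost !== true) {
    throw new Error("no origin configured and trustHost is not enabled");
  }
  const headers = req.headers ?? {};
  // Behind a reverse proxy the forwarded values describe the public origin.
  const host = headers["x-forwarded-host"] ?? headers["host"];
  const proto = headers["x-forwarded-proto"] ?? (req.encrypted ? "https" : "http");
  if (typeof host !== "string" || !HOST_PATTERN.test(host)) {
    throw new Error(`refusing to derive origin from Host header: ${String(host)}`);
  }
  if (proto !== "http" && proto !== "https") {
    throw new Error(`unexpected forwarded protocol: ${String(proto)}`);
  }
  return `${proto}://${host}`;
}

// Constructed sample requests.
const forwardedRequest = {
  encrypted: false,
  headers: {
    host: "app.internal:3000",
    "x-forwarded-host": "app.example.com",
    "x-forwarded-proto": "https",
  },
};
const malformedHostRequest = {
  encrypted: true,
  headers: { host: "bad host value" },
};

console.log(resolveAuthOrigin(forwardedRequest, { origin: "https://app.example.com" }));
console.log(resolveAuthOrigin(forwardedRequest, { trustHost: true }));
```

With an origin configured, the handler never looks at the Host header at all, which is why a fixed origin is the safer default and trustHost is an opt-in for deployments where the public host really is only known at request time.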
Hi,
I was reading the documentation of the new version. I see that it is still stuck with the old NextAuth version, with the comment "NextAuth has changed their package exports, blocking NuxtAuth users from using the newer versions."
What do you think, when will this be solved? Is NextAuth doing this on purpose? If nuxt-auth is stuck to the old version for ever, this will be a dead end.
Regards, Sven
What do you think, when will this be solved? Is NextAuth doing this on purpose? If nuxt-auth is stuck to the old version for ever, this will be a dead end.
Hey Sven! They changed the exports to prepare for their own next version. We had raised this with them and they will not change the exports. This is the reason we are now working on a migration to authjs, to ensure that this module is not stuck on the old version!
Hi everyone 👋
I wanted to give a quick update on the AuthJS Migration! We have now pushed the first working version of NuxtAuth, using AuthJS under the hood 🥳
There is still much work under the hood to ensure all the features are working correctly, but we are confident this migration is going well! We would like to get this update into your hands as quickly as possible so you can help us test the module since testing every form of authentication internally is close to impossible 😮💨
Therefore, we aim to introduce the first alpha version of NuxtAuth 1.0.0 next week, which will already be available for you to download and test. We do not recommend running it in production yet. However, it would be fantastic if you could install it into your projects using NuxtAuth and see if any issues occur with your setup.
We will release more information on this in the coming week, as we are still figuring out how we want to deploy a second version of the docs for the migration and keep the main
branch "clean" to push updates to <=0.8.0. We will also add a new issue template specifically for NuxtAuth 1.0.0 issues.
Feel free to already peek into #818 and follow along with our progress!
Hello everyone! Thank you for this great project. It's an awesome library that I have as an inspirational reference.
I've been trying @sidebase/nuxt-auth@1.0.0-alpha.0 and I'd like to report an issue.
I'm using the credentials provider with a custom login page that calls the signIn() of useAuth().
Before, the nuxt-auth/core callback handler has been returning an object with a redirect property:
And the useAuth/signIn always expected to receive an object:
But now, with auth/core, it just throws an error:
The error is never handled, producing an internal server error:
And the useAuth/signIn now receives an HTML of the error page:
References:
next-auth@4.22.1/core - previous callback handler: https://github.com/nextauthjs/next-auth/blob/25388de0278f97f58f65bae85adf951ce09f5b21/packages/core/src/lib/routes/callback.ts#L280-L289
auth/core - now just throws: https://github.com/nextauthjs/next-auth/blob/748c9ecb8ce10bef2b628520451f676db0499f9d/packages/core/src/lib/actions/callback/index.ts#L327
Hi @guesant 👋
Thank you for being brave enough to try out the alpha! After publishing and playing around with it we ran into a lot of issues ourselves and due to this decided to refrain from making an official announcement!
Thank you for posting about your issue, I will take it into our list! As this version is still super early in development, we do not recommend using it in any capacity yet and hope to be able to release a more stable version soon, that can then be fully tested by the community!
Hi everyone 👋
I wanted to give another short update on the progress with the authjs migration! As mentioned in my comment above, we released an alpha version on our next branch, where we migrated to AuthJS under the hood.
Sadly this upgrade came with a lot of new issues and was not stable enough for a full release. However, as we wanted to continue developing the other provider and patch other bugs, we decided to backport a portion of the migration into main.
This was done in https://github.com/sidebase/nuxt-auth/pull/849, where we switched to the @auth/core methods exposed by AuthJS. NextAuth has already provided the majority of the new AuthJS core, which we now import, instead of the NextAuth imports. We could import these from next-auth/core (exports both the old next-auth versions and the "new" authjs versions). You can see an example of this here.
The next step will be to fully replace next-auth with @auth/core. We will continue testing the migration and I'll try and keep you updated as best I can 😊
Hello everyone 👋
The time has come: We are slowly moving forward to migrate NuxtAuth from using NextAuth under the hood to running the new authjs package!
This will come with numerous benefits, including:
This issue will track our current progress, issues and goals. We are currently beginning this migration, therefore more information will follow soon.