Auth.js v5 issue with UntrustedHost

Hi all, I am having a hard time figuring out this issue. I am working on a Next.js 14 + Auth.js v5 project where I need to handle the login via a custom external REST API server built in Nest.js. As far as I can see everything works quite nicely. I am able to log in via the external server and store the access and refresh tokens in the session, but I would like to use middleware.ts to handle a few redirects. I am not a master at all when we talk about implementing a login system; tbh I relied all my career on third-party tools and OAuth systems. I am also following this video from the Code With Antonio channel that's focused on v5. The thing is that when I try to check the content of req.auth in my middleware.ts that's passed to the auth function, I always get the following, even if the user is logged in:
{
message: 'There was a problem with the server configuration. Check the server logs for more information.',
code: 'UntrustedHost'
}
The thing is that in my local dev env I have both the FE and BE under http, and even if I am able to load a certificate with the --experimental-https option in next dev, obviously this is still failing because I am making REST calls to an untrusted server. I tried to leverage the trustHost: false option in auth.js, but the situation is getting even worse because I get redirected to the /api/auth/error endpoint for next-auth. From the code example I rely on req.auth to check if the user is logged in or not, but in this case the returned object is always set, so to the app it looks like the user is logged in even though they are not. Can you help me figure out what's going on? Thanks in advance guys
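Two checks that the post above runs into, as an added example that is not part of the original post and not Auth.js code. Auth.js v5 itself only offers the boolean `trustHost` option (or `AUTH_TRUST_HOST=true` in the environment): with it off, every request fails with `UntrustedHost`; with it on, the library builds callback and redirect URLs from whatever Host (or X-Forwarded-Host) header arrives. The helper below is the allowlist a practitioner would put in front of that in their own middleware or reverse proxy (hostnames and the `behindTrustedProxy` flag are assumptions). The second helper addresses the other symptom in the post: `req.auth` carrying an error object `{ message, code }` instead of a session, so a truthiness check wrongly reports "logged in".

```typescript
// Added example, not Auth.js or the poster's code.

type TrustedHostConfig = {
  /** Hostnames you actually serve, lowercase, without port (assumed list). */
  allowedHosts: string[];
  /** Only honour X-Forwarded-Host when a proxy you control sets it. */
  behindTrustedProxy: boolean;
};

/**
 * Reduce a Host / X-Forwarded-Host header to a canonical hostname:
 * first entry of a comma-separated chain, lowercase, port stripped,
 * IPv6 literals kept in brackets. Anything that is not a plausible
 * hostname (e.g. "evil.com/x" from header injection) yields null.
 */
function canonicalHost(header: string | null | undefined): string | null {
  if (!header) return null;
  const first = header.split(",")[0].trim().toLowerCase();
  if (first.length === 0) return null;
  if (first.startsWith("[")) {
    const end = first.indexOf("]");
    return end === -1 ? null : first.slice(0, end + 1);
  }
  const host = first.split(":")[0];
  return /^[a-z0-9.-]+$/.test(host) ? host : null;
}

/** True only when the effective host is on the allowlist. */
function isTrustedHost(
  headers: { host?: string; "x-forwarded-host"?: string },
  cfg: TrustedHostConfig,
): boolean {
  // X-Forwarded-Host is attacker-controlled unless a trusted proxy overwrites it.
  const candidate =
    cfg.behindTrustedProxy && headers["x-forwarded-host"]
      ? headers["x-forwarded-host"]
      : headers.host;
  const host = canonicalHost(candidate);
  return host !== null && cfg.allowedHosts.includes(host);
}

// Shape of what the post shows in req.auth: either a session-like object
// or an error object such as { message, code: "UntrustedHost" }.
type AuthResult =
  | { user?: { id?: string; email?: string } | null; expires?: string }
  | { code: string; message: string }
  | null
  | undefined;

/** A login check that does not mistake an Auth.js error object for a session. */
function isAuthenticated(auth: AuthResult): boolean {
  if (!auth) return false;
  if ("code" in auth) return false; // configuration error surfaced in req.auth
  return auth.user !== undefined && auth.user !== null;
}
```

In the middleware this means testing `isAuthenticated(req.auth)` rather than `if (req.auth)`, and gating `trustHost: true` behind a host allowlist at the proxy or in the middleware, because once Auth.js trusts the header it will happily generate callback URLs for a forged host.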
6 Replies
stanisław
stanisław•6mo ago
Hi @cupofcrypto, I am just starting on implementing next-auth with an external REST API. Do you mind sharing some resources that you used throughout the process, or maybe some code examples? In my case I will be working with a Python backend and access / refresh tokens, but I guess that doesn't matter. Thanks
cupofcrypto
cupofcrypto•6mo ago
No issue at all, but I believe that my code needs a lot of improvements 😅 If you log in with a REST API it does not matter which language has been chosen by the server. In my case I have a BE/auth/signin endpoint that accepts email:password and responds just with the access_token and the refresh_token. With v4 I saw that both get injected in the session, but in v5 it didn't happen. I had no time to investigate because right now I am under pressure to respect the sprint; I've allocated time to refactor/investigate in the next one. Anyway, in order to populate the session I had to use the jwt and session callbacks like this:
// Part of auth.ts
callbacks: {
  async jwt({ token, user }) {
    // Once the token holds the access token, call `/users/me` to get the user data
    if (token.access_token) {
      const res = await fetch(`${process.env.BACKEND_URL}/users/me`, {
        method: "GET",
        headers: {
          "Content-Type": "application/json",
          Authorization: `Bearer ${token.access_token}`,
        },
      });

      // If the backend rejects the call, keep the existing token instead of
      // destructuring an error body (which would throw inside the callback)
      if (!res.ok) {
        return token;
      }

      // Drop `dossiers` from the nested person object before storing it
      const {
        person: { dossiers, ...person },
        ...rest
      } = await res.json();

      return { ...token, user: { ...rest, person } };
    }

    // First call after sign-in: `user` is what authorize() returned
    // (access_token and refresh_token), merged into the JWT
    return { ...token, ...user };
  },
  async session({ session, token }) {
    // Expose the stored user and tokens on the session object
    session.user = token.user;
    session.access_token = token.access_token;
    session.refresh_token = token.refresh_token;
    session.exp = token.exp;

    return session;
  },
},
session: {
  strategy: "jwt",
},
Sachin Mittal
Sachin Mittal•6mo ago
Hey @cupofcrypto, have you manually upgraded the next-auth version in the app? Because the T3 app comes with v4, right?
stanisław
stanisław•6mo ago
And where do you refresh the tokens? I mean, actually using the refresh token.
cupofcrypto
cupofcrypto•6mo ago
I am not using T3 for this project; as I wrote at the beginning, I have an external server and I log in via a REST API.
cupofcrypto
cupofcrypto•6mo ago
I still have to implement it tbh. This GH issue has good info about that, and Auth.js has docs about it as well. My main issue is with UntrustedDomain.
GitHub
JWT Token refresh - getting outdated token to JWT callback · nextau...
I have implemented credentials provider (custom backend) with token rotation (based on https://next-auth.js.org/tutorials/refresh-token-rotation). Signin/Signout works nicely. When I call getServer...
Refresh token rotation | Auth.js
Refresh token rotation is the practice of updating an access token on behalf of the user, without requiring interaction (eg.: re-sign in). Access tokens are usually issued for a limited time. After they expire, the service verifying them will ignore the value. Instead of asking the user to sign in again to obtain a new access token, certain provide...
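The refresh step the thread asks about, as an added example that is neither the poster's code nor Auth.js's: the decision logic a `jwt` callback runs on every call after sign-in. Field names `access_token` and `refresh_token` follow the callbacks posted above; `expires_at` (the backend access token's absolute expiry) and the refresh endpoint's `expires_in` response field are assumptions, chosen because Auth.js sets `token.exp` itself for the session JWT, so the backend token's lifetime has to be tracked separately. The refresh call is injected so the block runs offline; the real callback would POST the refresh token to the Nest.js backend. One caveat worth keeping in mind with the callbacks above: whatever the `session` callback returns is what the client receives from the session endpoint, so copying `refresh_token` onto `session` hands it to the browser, whereas keeping it only in the server-side JWT does not.

```typescript
// Added example, not Auth.js or the poster's code.

interface AuthToken {
  access_token: string;
  refresh_token: string;
  /** Absolute expiry of access_token, seconds since the Unix epoch (assumed field). */
  expires_at: number;
  /** Set when a refresh failed so the app can force a fresh sign-in. */
  error?: "RefreshTokenError" | undefined;
}

/** Assumed shape of the backend's refresh response. */
interface RefreshResponse {
  access_token: string;
  /** Rotating backends issue a new refresh token; if absent, keep the old one. */
  refresh_token?: string;
  /** Lifetime of the new access token in seconds. */
  expires_in: number;
}

/** Refresh a little early so requests in flight do not hit an expired token. */
const REFRESH_SKEW_SECONDS = 30;

function needsRefresh(token: AuthToken, nowSeconds: number): boolean {
  return token.expires_at - REFRESH_SKEW_SECONDS <= nowSeconds;
}

/** Build the next token from a successful refresh response; rejects malformed bodies. */
function applyRefresh(token: AuthToken, res: RefreshResponse, nowSeconds: number): AuthToken {
  if (!res.access_token || !Number.isFinite(res.expires_in) || res.expires_in <= 0) {
    throw new Error("malformed refresh response");
  }
  return {
    ...token,
    access_token: res.access_token,
    refresh_token: res.refresh_token ?? token.refresh_token,
    expires_at: nowSeconds + Math.floor(res.expires_in),
    error: undefined, // clear any earlier failure
  };
}

/** Keep the token but flag it; the session callback can then surface a forced sign-out. */
function markRefreshFailed(token: AuthToken): AuthToken {
  return { ...token, error: "RefreshTokenError" };
}

/**
 * What the jwt callback does after sign-in. `refresh` performs the network
 * call (injected here so the example runs without a backend). Errors are
 * never thrown out of the callback: a dead refresh token is recorded on the
 * token instead, so the app redirects to sign-in rather than looping.
 */
async function rotateIfNeeded(
  token: AuthToken,
  refresh: (refreshToken: string) => Promise<RefreshResponse>,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): Promise<AuthToken> {
  if (!needsRefresh(token, nowSeconds)) return token;
  try {
    return applyRefresh(token, await refresh(token.refresh_token), nowSeconds);
  } catch {
    return markRefreshFailed(token);
  }
}

// How it would plug into the posted callbacks (endpoint path is assumed):
//
// async jwt({ token, user }) {
//   if (user) return { ...token, ...user };           // first call after sign-in
//   return rotateIfNeeded(token as AuthToken, async (rt) => {
//     const r = await fetch(`${process.env.BACKEND_URL}/auth/refresh`, {
//       method: "POST",
//       headers: { "Content-Type": "application/json" },
//       body: JSON.stringify({ refresh_token: rt }),
//     });
//     if (!r.ok) throw new Error(`refresh failed: ${r.status}`);
//     return (await r.json()) as RefreshResponse;
//   });
// }
```

The `session` callback then checks `token.error` and, when set, returns a session without a user (or with an `error` field the client redirects on), instead of handing out the stale access token.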