TTC
Theo's Typesafe Cult•10mo ago
cupofcrypto

Auth.js v5 issue with UntrustedHost

Hi all, I have hard times figuring out this issue. I am working on a Next.js 14 + Auth.js v5 project where I need to handle the login via a custom external REST API server built in Nest.js As far as I can see everything works quite nicely. I am able to login via the external server, store the access and refresh tokens in the session but I would like to use middleware.ts to handle few redirects. I am not a master at all when we talk about implementing a login system, tbh I relied all my career on third party tools and oAuth system. Also I am following this video from the Code With Antonio channel that's focused on v5. The thing is that when I try to check the content of req.auth in my middleware.ts that's passed to the auth function I always get the following even if the user is logged in. 
{
  message: 'There was a problem with the server configuration. Check the server logs for more information.',
  code: 'UntrustedHost'
}
{
  message: 'There was a problem with the server configuration. Check the server logs for more information.',
  code: 'UntrustedHost'
}
The thing is that in my local dev env I have both the FE and BE under the http and even if I am able to load a certificate with the --experimental-https option in next dev, obviously this is still failing because I am making REST calls to an untrusted server. I tryed to leverage the trustHost: false option in auth.js but the situation is getting even worst because I get redirected to the /api/auth/error endpoint for next-auth. From the code example I rely on req.auth to check if user is logged in or not, but in this case the returned object is always set so to the app looks like the user is logged-in even though is not. Can you help me figure out what's going on? Thanks in advance guys
6 Replies
stanisław
stanisław•10mo ago
Hi @cupofcrypto I am just starting on implementing next auth with an external rest api. Do you mind sharing some resources that you used throught the process or maybe some code examples? In my case I will be working with python backend and access / refresh tokens but I guess that doesn't matter Thanks
cupofcrypto
cupofcryptoOP•10mo ago
no issue at all but I believe that my code needs a lot of improvements 😅 If you login with a REST API does not matter which language has been chosen by the server. In my case I have an BE/auth/signin endpoint that accepts email:password and responds just with the access_token and the refresh_token With v4 I saw that bot get injected in the session, but in v5 it didn't happen. I had not time to investigate because right now I am under pressure to respect the sprint, i've allocated time to refactor/investigation for next one. Anyway, in order to populate the session I had to use the jwt and session callbacks like this: 
// Part of auth.ts
callbacks: {
    async jwt({ token, user }) {
        // I have to call `/users/me` to get the user data
        if (token.access_token) {
            const res = await fetch(`${process.env.BACKEND_URL}/users/me`, {
                method: "GET",
                headers: {
                    "Content-Type": "application/json",
                    Authorization: `Bearer ${token.access_token}`,
                },
            });

            const {
                person: { dossiers, ...person },
                ...rest
            } = await res.json();

            const res_user = { ...rest, person }
                ;
            return { ...token, user: res_user };
        }

        return { ...token, ...user };
    },
    async session({ session, token }) {
        session.user = token.user;
        session.access_token = token.access_token;
        session.refresh_token = token.refresh_token;
        session.exp = token.exp;
        
        return session;
    },
},
session: {
    strategy: "jwt",
},
// Part of auth.ts
callbacks: {
    async jwt({ token, user }) {
        // I have to call `/users/me` to get the user data
        if (token.access_token) {
            const res = await fetch(`${process.env.BACKEND_URL}/users/me`, {
                method: "GET",
                headers: {
                    "Content-Type": "application/json",
                    Authorization: `Bearer ${token.access_token}`,
                },
            });

            const {
                person: { dossiers, ...person },
                ...rest
            } = await res.json();

            const res_user = { ...rest, person }
                ;
            return { ...token, user: res_user };
        }

        return { ...token, ...user };
    },
    async session({ session, token }) {
        session.user = token.user;
        session.access_token = token.access_token;
        session.refresh_token = token.refresh_token;
        session.exp = token.exp;
        
        return session;
    },
},
session: {
    strategy: "jwt",
},
sachin
sachin•10mo ago
Hey @cupofcrypto, have you manuallly upgrade the next-auth version in the app, because T3 app comes with v4 version, right?
stanisław
stanisław•10mo ago
And where do you do refreshing tokens? I mean actually using refresh token
cupofcrypto
cupofcryptoOP•10mo ago
I am not using T3 for this project, as I wrote at the beginning I have an external server and I login via REST API
cupofcrypto
cupofcryptoOP•10mo ago
still have to implement it tbh, this GH issue has good info about that and also Auth.js has docs about that my main issue is with UntrustedDomain
GitHub
JWT Token refresh - getting outdated token to JWT callback · nextau...
I have implemented credentials provider (custom backend) with token rotation (based on https://next-auth.js.org/tutorials/refresh-token-rotation). Signin/Signout works nicely. When I call getServer...
Refresh token rotation | Auth.js
Refresh token rotation is the practice of updating an accesstoken on behalf of the user, without requiring interaction (eg.: re-sign in). accesstokens are usually issued for a limited time. After they expire, the service verifying them will ignore the value. Instead of asking the user to sign in again to obtain a new accesstoken, certain provide...
Want results from more Discord servers?
Add your server