Merge branch 'main' into next

2026-05-01 10:55:20 +00:00 · 2021-03-01 21:42:29 +01:00 · 2021-02-16 10:21:44 +01:00 · 2021-02-15 21:52:37 +01:00 · 2021-02-15 21:47:47 +01:00 · 2021-02-15 21:47:35 +01:00
4 changed files with 20 additions and 63 deletions
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -72,11 +72,13 @@ async function NextAuthHandler (req, res, userOptions) {
    const providers = parseProviders({ providers: userOptions.providers, baseUrl, basePath })
    const provider = providers.find(({ id }) => id === providerId)

-    if (provider &&
-      provider.type === 'oauth' && provider.version?.startsWith('2') &&
-       (!provider.protection && provider.state !== false)
+    if (
+      provider?.type === 'oauth' &&
+      provider?.version?.startsWith('2') &&
+      !provider?.protection
    ) {
-      provider.protection = 'state' // Default to state, as we did in 3.1 REVIEW: should we use "pkce" or "none" as default?
+      // Default to state, as we did in 3.1 REVIEW: should we use "pkce" or "none" as default?
+      provider.protection = 'state'
    }

    const maxAge = 30 * 24 * 60 * 60 // Sessions expire after 30 days of being idle
--- a/src/server/routes/callback.js
+++ b/src/server/routes/callback.js
@@ -65,18 +65,13 @@ export default async function callback (req, res) {

        try {
          const signInCallbackResponse = await callbacks.signIn(userOrProfile, account, OAuthProfile)
-          if (signInCallbackResponse === false) {
+          if (!signInCallbackResponse) {
            return res.redirect(`${baseUrl}${basePath}/error?error=AccessDenied`)
          } else if (typeof signInCallbackResponse === 'string') {
            return res.redirect(signInCallbackResponse)
          }
        } catch (error) {
-          if (error instanceof Error) {
-            return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
-          }
-          // TODO: Remove in a future major release
-          logger.warn('SIGNIN_CALLBACK_REJECT_REDIRECT')
-          return res.redirect(error)
+          return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
        }

        // Sign user in
@@ -161,18 +156,13 @@ export default async function callback (req, res) {
      // Check if user is allowed to sign in
      try {
        const signInCallbackResponse = await callbacks.signIn(profile, account, { email })
-        if (signInCallbackResponse === false) {
+        if (!signInCallbackResponse) {
          return res.redirect(`${baseUrl}${basePath}/error?error=AccessDenied`)
        } else if (typeof signInCallbackResponse === 'string') {
          return res.redirect(signInCallbackResponse)
        }
      } catch (error) {
-        if (error instanceof Error) {
-          return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
-        }
-        // TODO: Remove in a future major release
-        logger.warn('SIGNIN_CALLBACK_REJECT_REDIRECT')
-        return res.redirect(error)
+        return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
      }

      // Sign user in
@@ -236,12 +226,11 @@ export default async function callback (req, res) {
      userObjectReturnedFromAuthorizeHandler = await provider.authorize(credentials)
      if (!userObjectReturnedFromAuthorizeHandler) {
        return res.status(401).redirect(`${baseUrl}${basePath}/error?error=CredentialsSignin&provider=${encodeURIComponent(provider.id)}`)
+      } else if (typeof userObjectReturnedFromAuthorizeHandler === 'string') {
+        return res.redirect(userObjectReturnedFromAuthorizeHandler)
      }
    } catch (error) {
-      if (error instanceof Error) {
-        return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
-      }
-      return res.redirect(error)
+      return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
    }

    const user = userObjectReturnedFromAuthorizeHandler
@@ -249,14 +238,13 @@ export default async function callback (req, res) {

    try {
      const signInCallbackResponse = await callbacks.signIn(user, account, credentials)
-      if (signInCallbackResponse === false) {
+      if (!signInCallbackResponse) {
        return res.status(403).redirect(`${baseUrl}${basePath}/error?error=AccessDenied`)
+      } else if (typeof signInCallbackResponse === 'string') {
+        return res.redirect(signInCallbackResponse)
      }
    } catch (error) {
-      if (error instanceof Error) {
-        return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
-      }
-      return res.redirect(error)
+      return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
    }

    const defaultJwtPayload = {
--- a/src/server/routes/signin.js
+++ b/src/server/routes/signin.js
@@ -45,18 +45,13 @@ export default async function signin (req, res) {
    // Check if user is allowed to sign in
    try {
      const signInCallbackResponse = await callbacks.signIn(profile, account, { email, verificationRequest: true })
-      if (signInCallbackResponse === false) {
+      if (!signInCallbackResponse) {
        return res.redirect(`${baseUrl}${basePath}/error?error=AccessDenied`)
      } else if (typeof signInCallbackResponse === 'string') {
        return res.redirect(signInCallbackResponse)
      }
    } catch (error) {
-      if (error instanceof Error) {
-        return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
-      }
-      // TODO: Remove in a future major release
-      logger.warn('SIGNIN_CALLBACK_REJECT_REDIRECT')
-      return res.redirect(error)
+      return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
    }

    try {
--- a/www/docs/warnings.md
+++ b/www/docs/warnings.md
@@ -46,32 +46,4 @@ You can use [node-jose-tools](https://www.npmjs.com/package/node-jose-tools) to

 **Option 2**: Specify custom encode/decode functions on the jwt object. This gives you complete control over signing / verification / etc.

-#### JWT_AUTO_GENERATED_ENCRYPTION_KEY
-
-#### SIGNIN_CALLBACK_REJECT_REDIRECT
-
-You returned something in the `signIn` callback, that is being deprecated.
-
-You probably had something similar in the callback:
-```js
-  return Promise.reject("/some/url")
-```
-
-or
-
-```js
-  throw "/some/url"
-```
-
-To remedy this, simply return the url instead:
-
-```js
-  return "/some/url"
-```
-
-
-#### STATE_OPTION_DEPRECATION
-You provided `state: true` or `state: false` as a provider option. This is being deprecated in a later release in favour of `protection: "state"` and `protection: "none"` respectively. To remedy this warning:
-
- If you use `state: true`, just simply remove it. The default is `protection: "state"` already..
- If you use `state: false`, set `protection: "none"`.
+#### JWT_AUTO_GENERATED_ENCRYPTION_KEY
Author	SHA1	Message	Date
Balázs Orbán	10f3848940	Merge branch 'main' into next	2021-03-01 21:42:29 +01:00
Balázs Orbán	4a1a830eec	Merge branch 'main' into next	2021-02-16 10:21:44 +01:00
Balázs Orbán	29b67b6647	Merge branch 'main' into next	2021-02-15 21:52:37 +01:00
Balázs Orbán	111e7aabdf	feat(provider): remove state property BREAKING CHANGE: adding `state: true` is already redundant as `protection: "state` is the default value. `state: false` can be substituted with `protection: "state"`	2021-02-15 21:47:47 +01:00
Balázs Orbán	a113ef6fab	feat: encourage returning strings instead of throwing BREAKING CHANGE: We have supported throwing strings for redirections, while we were showing a waring. From now on, it is not possible. The user MUST return a string, rather than throw it.	2021-02-15 21:47:35 +01:00