fix(provider): proper check of protection property (#1694 )

* fix(provider): proper check of protection property * chore: add comment
fix: truly replace .flat() to support Node <11 again (#1691 )
2026-05-01 10:55:20 +00:00 · 2021-04-12 00:15:29 +02:00 · 2021-04-11 23:20:37 +02:00
3 changed files with 15 additions and 13 deletions
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -72,15 +72,15 @@ async function NextAuthHandler (req, res, userOptions) {
    const providers = parseProviders({ providers: userOptions.providers, baseUrl, basePath })
    const provider = providers.find(({ id }) => id === providerId)

-    if (provider &&
-      provider.type === 'oauth' && provider.version?.startsWith('2') &&
-       (!provider.protection && provider.state !== false)
-    ) {
-      provider.protection = 'state' // Default to state, as we did in 3.1 REVIEW: should we use "pkce" or "none" as default?
-    }
-
-    if (typeof provider?.protection === 'string') {
-      provider.protection = [provider.protection]
+    // Protection only works on OAuth 2.x providers
+    if (provider?.type === 'oauth' && provider.version?.startsWith('2')) {
+      // When provider.state is undefined, we still want this to pass
+      if (!provider.protection && provider.state !== false) {
+        // Default to state, as we did in 3.1 REVIEW: should we use "pkce" or "none" as default?
+        provider.protection = ['state']
+      } else if (typeof provider.protection === 'string') {
+        provider.protection = [provider.protection]
+      }
    }

    const maxAge = 30 * 24 * 60 * 60 // Sessions expire after 30 days of being idle
--- a/src/server/lib/oauth/pkce-handler.js
+++ b/src/server/lib/oauth/pkce-handler.js
@@ -16,7 +16,8 @@ const PKCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
 export async function handleCallback (req, res) {
  const { cookies, provider, baseUrl, basePath } = req.options
  try {
-    if (!provider.protection.includes('pkce')) { // Provider does not support PKCE, nothing to do.
+    // Provider does not support PKCE, nothing to do.
+    if (!provider.protection?.includes('pkce')) {
      return
    }

@@ -50,7 +51,7 @@ export async function handleCallback (req, res) {
 export async function handleSignin (req, res) {
  const { cookies, provider, baseUrl, basePath } = req.options
  try {
-    if (!provider.protection.includes('pkce')) { // Provider does not support PKCE, nothing to do.
+    if (!provider.protection?.includes('pkce')) { // Provider does not support PKCE, nothing to do.
      return
    }
    // Started login flow, add generated pkce to req.options and (encrypted) code_verifier to a cookie
--- a/src/server/lib/oauth/state-handler.js
+++ b/src/server/lib/oauth/state-handler.js
@@ -12,7 +12,8 @@ import { OAuthCallbackError } from '../../../lib/errors'
 export async function handleCallback (req, res) {
  const { csrfToken, provider, baseUrl, basePath } = req.options
  try {
-    if (!provider.protection.includes('state')) { // Provider does not support state, nothing to do.
+    // Provider does not support state, nothing to do.
+    if (!provider.protection?.includes('state')) {
      return
    }

@@ -41,7 +42,7 @@ export async function handleCallback (req, res) {
 export async function handleSignin (req, res) {
  const { provider, baseUrl, basePath, csrfToken } = req.options
  try {
-    if (![provider.protection].flat().includes('state')) { // Provider does not support state, nothing to do.
+    if (!provider.protection?.includes('state')) { // Provider does not support state, nothing to do.
      return
    }
Author	SHA1	Message	Date
Balázs Orbán	3dedf6c26c	fix(provider): proper check of protection property (#1694 ) * fix(provider): proper check of protection property * chore: add comment	2021-04-12 00:15:29 +02:00
Amauri Dias	d1dbfe1023	fix: truly replace .flat() to support Node <11 again (#1691 )	2021-04-11 23:20:37 +02:00