fix: default to VERCEL_URL for callbackUrl

fix: use VERCEL_URL by default for secureCookie (#3399 )
chore: fix typo in comment (#3388 )
2026-05-01 10:55:20 +00:00 · 2021-12-08 17:43:49 +01:00 · 2021-12-08 17:22:57 +01:00 · 2021-12-08 03:07:26 +01:00 · 2021-12-06 21:05:41 +01:00 · 2021-12-04 02:09:48 +01:00
10 changed files with 28 additions and 23 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -2,12 +2,6 @@

 NextAuth.js practices responsible disclosure.

-## Supported Versions
-
-Security updates are only released for the current version.
-
-Old releases are not maintained and do not receive updates.
-
 ## Reporting a Vulnerability

 We request that you contact us directly to report serious issues that might impact the security of sites using NextAuth.js.
@@ -19,6 +13,12 @@ If you contact us regarding a serious issue:
 - We will disclose the issue (and credit you, with your consent) once a fix to resolve the issue has been released.
 - If 90 days has elapsed and we still don't have a fix, we will disclose the issue publicly.

-Currently, the best way to report an issue is by contacting us via email at me@iaincollins.com or info@balazsorban.com and yo@ndo.dev.
+The best way to report an issue is by contacting us via email at info@balazsorban.com or me@iaincollins.com and yo@ndo.dev, or raise a public issue requesting someone get in touch with you via whatever means you prefer for more details. (Please do not disclose sensitive details publicly at this stage.)

-For less serious issues (e.g. RFC compliance for unsupported flows or potential issues that may cause a problem future or default behaviour / options) it is appropriate to submit these these publically as bug reports or feature requests or to raise a question to open a discussion around them.
+> For less serious issues (e.g. RFC compliance for unsupported flows or potential issues that may cause a problem in the future) it is appropriate to submit these these publically as bug reports or feature requests or to raise a question to open a discussion around them.
+
+## Supported Versions
+
+Security updates are only released for the current version.
+
+Old releases are not maintained and do not receive updates.
--- a/package-lock.json
+++ b/package-lock.json
@@ -11,6 +11,10 @@
        {
          "type": "github",
          "url": "https://github.com/sponsors/balazsorban44"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/nextauth"
        }
      ],
      "license": "ISC",
--- a/src/core/index.ts
+++ b/src/core/index.ts
@@ -74,7 +74,7 @@ export async function NextAuthHandler<
    action,
    providerId,
    host: req.host,
-    callbackUrl: req.body?.callbackUrl ?? req.query?.callbackUrl,
+    callbackUrl: req.body?.callbackUrl ?? req.query?.callbackUrl ?? req.host,
    csrfToken: req.body?.csrfToken,
    cookies: req.cookies,
    isPost: method === "POST",
--- a/src/core/init.ts
+++ b/src/core/init.ts
@@ -100,7 +100,7 @@ export async function init({
    // Callback functions
    callbacks: { ...defaultCallbacks, ...userOptions.callbacks },
    logger,
-    callbackUrl: process.env.NEXTAUTH_URL ?? "http://localhost:3000",
+    callbackUrl: "http://localhost:3000",
  }

  // Init cookies
--- a/src/core/types.ts
+++ b/src/core/types.ts
@@ -298,7 +298,7 @@ export interface CallbacksOptions<
   * This callback is called whenever a session is checked.
   * (Eg.: invoking the `/api/session` endpoint, using `useSession` or `getSession`)
   *
-   * ⚠ By default, only a subset (email, name, imgage)
+   * ⚠ By default, only a subset (email, name, image)
   * of the token is returned for increased security.
   *
   * If you want to make something available you added to the token through the `jwt` callback,
--- a/src/jwt/index.ts
+++ b/src/jwt/index.ts
@@ -3,7 +3,7 @@ import hkdf from "@panva/hkdf"
 import { v4 as uuid } from "uuid"
 import { SessionStore } from "../core/lib/cookie"
 import type { NextApiRequest } from "next"
-import type { JWT, JWTDecodeParams, JWTEncodeParams } from "./types"
+import type { JWT, JWTDecodeParams, JWTEncodeParams, JWTOptions } from "./types"
 import type { LoggerInstance } from ".."

 export * from "./types"
@@ -56,7 +56,7 @@ export interface GetTokenParams<R extends boolean = false> {
   */
  raw?: R
  secret: string
-  decode?: typeof decode
+  decode?: JWTOptions["decode"]
  logger?: LoggerInstance | Console
 }

@@ -70,10 +70,8 @@ export async function getToken<R extends boolean = false>(
 ): Promise<R extends true ? string : JWT | null> {
  const {
    req,
-    secureCookie = !(
-      !process.env.NEXTAUTH_URL ||
-      process.env.NEXTAUTH_URL.startsWith("http://")
-    ),
+    secureCookie = process.env.NEXTAUTH_URL?.startsWith("https://") ??
+      !!process.env.VERCEL_URL,
    cookieName = secureCookie
      ? "__Secure-next-auth.session-token"
      : "next-auth.session-token",
--- a/src/jwt/types.ts
+++ b/src/jwt/types.ts
@@ -1,4 +1,4 @@
-import { decode, encode } from "."
+import type { Awaitable } from ".."

 export interface DefaultJWT extends Record<string, unknown> {
  name?: string | null
@@ -42,9 +42,9 @@ export interface JWTOptions {
   */
  maxAge: number
  /** Override this method to control the NextAuth.js issued JWT encoding. */
-  encode: typeof encode
+  encode: (params: JWTEncodeParams) => Awaitable<string>
  /** Override this method to control the NextAuth.js issued JWT decoding. */
-  decode: typeof decode
+  decode: (params: JWTDecodeParams) => Awaitable<JWT | null>
 }

 export type Secret = string | Buffer
--- a/src/next/index.ts
+++ b/src/next/index.ts
@@ -21,7 +21,10 @@ async function NextAuthNextHandler(
  const { nextauth, ...query } = req.query
  const handler = await NextAuthHandler({
    req: {
-      host: (process.env.NEXTAUTH_URL ?? process.env.VERCEL_URL) as string,
+      host:
+        process.env.NEXTAUTH_URL ??
+        process.env.VERCEL_URL ??
+        "http://localhost:3000",
      body: req.body,
      query,
      cookies: req.cookies,
--- a/src/providers/42-school.ts
+++ b/src/providers/42-school.ts
@@ -168,7 +168,7 @@ export default function FortyTwo<
    userinfo: "https://api.intra.42.fr/v2/me",
    profile(profile) {
      return {
-        id: profile.id,
+        id: profile.id.toString(),
        name: profile.usual_full_name,
        email: profile.email,
        image: profile.image_url,
--- a/src/providers/auth0.ts
+++ b/src/providers/auth0.ts
@@ -2,7 +2,7 @@ import type { OAuthConfig, OAuthUserConfig } from "."

 export interface Auth0Profile {
  sub: string
-  nicname: string
+  nickname: string
  email: string
  picture: string
 }
Author	SHA1	Message	Date
Balázs Orbán	1c7fe57edb	fix: default to `VERCEL_URL` for `callbackUrl`	2021-12-08 17:43:49 +01:00
Balázs Orbán	59797bbdef	fix: use `VERCEL_URL` by default for `secureCookie` (#3399 )	2021-12-08 17:22:57 +01:00
Paul Büchner	9eb78a9de9	chore: fix typo in comment (#3388 )	2021-12-08 03:07:26 +01:00
Balázs Orbán	2670bbb28f	docs: match docs page wording for `SECURITY.md`	2021-12-06 21:05:41 +01:00
DmitryScaletta	0431c2a334	fix(ts): improve types for `encode`/`decode` functions (#3346 ) * fix: improve types for encode/decode functions * fix: use Awaitable type for encode/decode functions	2021-12-04 02:09:48 +01:00
Rraji Abdelbari	5ac688cc18	fix(providers): convert 42 School profile `id` to string (#3351 )	2021-12-04 02:08:48 +01:00
Anthony Ringoet	8ea75f0c1c	fix(ts): typo in `Auth0Profile` interface (#3347 )	2021-12-04 02:06:23 +01:00