fix: properly handle callback URL fallback (#3402)

* fix: don't default to localhost on `host`

* fall back to `host` for `callbackUrl`

* use parsed host

* remove unnecessary type cast

SECURITY.md

@@ -2,12 +2,6 @@
 
 NextAuth.js practices responsible disclosure.
 
-## Supported Versions
-
-Security updates are only released for the current version.
-
-Old releases are not maintained and do not receive updates.
-
 ## Reporting a Vulnerability
 
 We request that you contact us directly to report serious issues that might impact the security of sites using NextAuth.js.
@@ -19,6 +13,12 @@ If you contact us regarding a serious issue:
 - We will disclose the issue (and credit you, with your consent) once a fix to resolve the issue has been released.
 - If 90 days has elapsed and we still don't have a fix, we will disclose the issue publicly.
 
-Currently, the best way to report an issue is by contacting us via email at me@iaincollins.com or info@balazsorban.com and yo@ndo.dev.
+The best way to report an issue is by contacting us via email at info@balazsorban.com or me@iaincollins.com and yo@ndo.dev, or raise a public issue requesting someone get in touch with you via whatever means you prefer for more details. (Please do not disclose sensitive details publicly at this stage.)
 
-For less serious issues (e.g. RFC compliance for unsupported flows or potential issues that may cause a problem future or default behaviour / options) it is appropriate to submit these these publically as bug reports or feature requests or to raise a question to open a discussion around them.
+> For less serious issues (e.g. RFC compliance for unsupported flows or potential issues that may cause a problem in the future) it is appropriate to submit these these publically as bug reports or feature requests or to raise a question to open a discussion around them.
+
+## Supported Versions
+
+Security updates are only released for the current version.
+
+Old releases are not maintained and do not receive updates.

app/package.json

@@ -21,7 +21,7 @@
     "@prisma/client": "^2.29.1",
     "fake-smtp-server": "^0.8.0",
     "faunadb": "^4.3.0",
-    "next": "^11.1.0",
+    "next": "^12.0.7",
     "nodemailer": "^6.6.3",
     "react": "^17.0.2",
     "react-dom": "^17.0.2"

package.json

@@ -123,7 +123,7 @@
     "jest": "^27.3.0",
     "jest-watch-typeahead": "^1.0.0",
     "msw": "^0.35.0",
-    "next": "v11.1.3-canary.0",
+    "next": "12.0.7",
     "postcss-cli": "^9.0.1",
     "postcss-nested": "^5.0.6",
     "prettier": "^2.4.1",

src/core/index.ts

@@ -12,7 +12,7 @@ import type { ErrorType } from "./pages/error"
 
 export interface IncomingRequest {
   /** @default "http://localhost:3000" */
-  host: string
+  host?: string
   method?: string
   cookies?: Record<string, string>
   headers?: Record<string, any>

src/core/init.ts

@@ -100,7 +100,7 @@ export async function init({
     // Callback functions
     callbacks: { ...defaultCallbacks, ...userOptions.callbacks },
     logger,
-    callbackUrl: process.env.NEXTAUTH_URL ?? "http://localhost:3000",
+    callbackUrl: url.origin,
   }
 
   // Init cookies

src/core/types.ts

@@ -298,7 +298,7 @@ export interface CallbacksOptions<
    * This callback is called whenever a session is checked.
    * (Eg.: invoking the `/api/session` endpoint, using `useSession` or `getSession`)
    *
-   * ⚠ By default, only a subset (email, name, imgage)
+   * ⚠ By default, only a subset (email, name, image)
    * of the token is returned for increased security.
    *
    * If you want to make something available you added to the token through the `jwt` callback,

src/jwt/index.ts

@@ -3,7 +3,7 @@ import hkdf from "@panva/hkdf"
 import { v4 as uuid } from "uuid"
 import { SessionStore } from "../core/lib/cookie"
 import type { NextApiRequest } from "next"
-import type { JWT, JWTDecodeParams, JWTEncodeParams } from "./types"
+import type { JWT, JWTDecodeParams, JWTEncodeParams, JWTOptions } from "./types"
 import type { LoggerInstance } from ".."
 
 export * from "./types"
@@ -56,7 +56,7 @@ export interface GetTokenParams<R extends boolean = false> {
    */
   raw?: R
   secret: string
-  decode?: typeof decode
+  decode?: JWTOptions["decode"]
   logger?: LoggerInstance | Console
 }
 
@@ -70,10 +70,8 @@ export async function getToken<R extends boolean = false>(
 ): Promise<R extends true ? string : JWT | null> {
   const {
     req,
-    secureCookie = !(
-      !process.env.NEXTAUTH_URL ||
-      process.env.NEXTAUTH_URL.startsWith("http://")
-    ),
+    secureCookie = process.env.NEXTAUTH_URL?.startsWith("https://") ??
+      !!process.env.VERCEL_URL,
     cookieName = secureCookie
       ? "__Secure-next-auth.session-token"
       : "next-auth.session-token",

src/jwt/types.ts

@@ -1,4 +1,4 @@
-import { decode, encode } from "."
+import type { Awaitable } from ".."
 
 export interface DefaultJWT extends Record<string, unknown> {
   name?: string | null
@@ -42,9 +42,9 @@ export interface JWTOptions {
    */
   maxAge: number
   /** Override this method to control the NextAuth.js issued JWT encoding. */
-  encode: typeof encode
+  encode: (params: JWTEncodeParams) => Awaitable<string>
   /** Override this method to control the NextAuth.js issued JWT decoding. */
-  decode: typeof decode
+  decode: (params: JWTDecodeParams) => Awaitable<JWT | null>
 }
 
 export type Secret = string | Buffer

src/next/index.ts

@@ -21,7 +21,7 @@ async function NextAuthNextHandler(
   const { nextauth, ...query } = req.query
   const handler = await NextAuthHandler({
     req: {
-      host: (process.env.NEXTAUTH_URL ?? process.env.VERCEL_URL) as string,
+      host: process.env.NEXTAUTH_URL ?? process.env.VERCEL_URL,
       body: req.body,
       query,
       cookies: req.cookies,
@@ -87,7 +87,7 @@ export async function getServerSession(
   const session = await NextAuthHandler<Session | {}>({
     options,
     req: {
-      host: (process.env.NEXTAUTH_URL ?? process.env.VERCEL_URL) as string,
+      host: process.env.NEXTAUTH_URL ?? process.env.VERCEL_URL,
       action: "session",
       method: "GET",
       cookies: context.req.cookies,

src/providers/42-school.ts

@@ -168,7 +168,7 @@ export default function FortyTwo<
     userinfo: "https://api.intra.42.fr/v2/me",
     profile(profile) {
       return {
-        id: profile.id,
+        id: profile.id.toString(),
         name: profile.usual_full_name,
         email: profile.email,
         image: profile.image_url,

src/providers/auth0.ts

@@ -2,7 +2,7 @@ import type { OAuthConfig, OAuthUserConfig } from "."
 
 export interface Auth0Profile {
   sub: string
-  nicname: string
+  nickname: string
   email: string
   picture: string
 }