feat: Expo Auth without setting AUTH_URL. #1054

Merged

@Wundero Wundero commented May 28, 2024

This PR implements logic into the Expo <-> NextAuth linking which enables the IP that Expo uses (e.g. 192.168.x.y) to work without having to set the AUTH_URL to be that IP.

See #720 for details and discussion related to this issue.

Comment on lines +22 to +25
const host = req.headers.get("host");
const newURL = new URL(req.url);
newURL.host = host ?? req.nextUrl.host;
return new NextRequest(newURL, req);
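
Review bot: The Host header read at +22 is client-controlled and is assigned to newURL.host at +24 with no validation and no environment check in these lines, so the URL handed to NextAuth, and the callback URLs derived from it, follow whatever Host value a client sends. Restrict the rewrite to development (for example behind a NODE_ENV check) and accept only expected hosts, falling back to req.nextUrl.host otherwise; a short comment explaining why the host is rewritten would also help the next reader.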
Member

Why do we need to rewrite if we disable csrf in dev?

Contributor Author

@Wundero Wundero Jun 2, 2024

Because the generated callback URLs point to localhost:3000 no matter what. Next.js sets the nextUrl to the deployment URL, which is always localhost on development, but we need it to be the IP of the machine, i.e. 192.168.x.y, so that it can properly route the request to the OAuth provider and back. This function rewrites the URL to be the machine's IP, so that we can force NextAuth to use that instead of the preset localhost.

Contributor Author

@Wundero Wundero Jun 2, 2024

Having looked through Auth.js's source code, the callback URL is generated by const baseUrl = env.AUTH_URL ?? request.url (pseudocode), so because we don't set AUTH_URL, we need to ensure request.url is set to the proper value.

EDIT: Reference code:

The code above uses the request URL's origin (and the request URL origin gets overwritten with AUTH_URL if it is set) to generate the callback URL, so it must be set to the desired return IP for expo to work.
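
An added example (not code from this PR or from Auth.js) of the origin selection described in the comment above, following the `env.AUTH_URL ?? request.url` pseudocode, with the Host header honoured only in development and only for loopback or private IPv4 hosts. `resolveAuthOrigin`, `parseHostHeader`, `isLocalDevHost` and the sample URLs in the comments are hypothetical names and constructed values.

```javascript
// Hypothetical helpers for illustration; not part of the PR or of Auth.js.

// True for "localhost", 127.0.0.0/8 and the RFC 1918 private IPv4 ranges.
function isLocalDevHost(hostname) {
  if (hostname === "localhost") return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 127 || a === 10 || (a === 192 && b === 168) ||
    (a === 172 && b >= 16 && b <= 31);
}

// A Host header must be "hostname[:port]" and nothing else. Parsing it as a
// URL exposes smuggled userinfo, paths or queries so they can be rejected.
function parseHostHeader(value) {
  let u;
  try {
    u = new URL(`http://${value}`);
  } catch {
    return null;
  }
  const bare = u.username === "" && u.password === "" &&
    u.pathname === "/" && u.search === "" && u.hash === "";
  return bare ? u : null;
}

// Origin used to build callback URLs: AUTH_URL wins when set; otherwise the
// request URL, with its host replaced by the Host header only in development
// and only when that header names a local or private-network machine.
function resolveAuthOrigin({ requestUrl, hostHeader, authUrl, nodeEnv }) {
  if (authUrl) return new URL(authUrl).origin;
  const url = new URL(requestUrl);
  if (nodeEnv !== "development" || !hostHeader) return url.origin;
  const parsed = parseHostHeader(hostHeader);
  if (!parsed || !isLocalDevHost(parsed.hostname)) return url.origin;
  url.host = parsed.host; // normalised host[:port] from the parser
  return url.origin;
}

// Constructed sample: a dev request that Next.js reports as localhost.
console.log(resolveAuthOrigin({
  requestUrl: "http://localhost:3000/api/auth/signin",
  hostHeader: "192.168.1.20:3000",
  nodeEnv: "development",
}));
```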

Member

So this means we have to set the IP at the OAuth provider? Hmm...

Contributor Author

Just modifying the request URL seems to be sufficient. In my local testing, this has worked great both with and without the auth proxy server.

Member

Aight I'll try and test it out asap

@juliusmarminge juliusmarminge merged commit a8deb69 into t3-oss:11-02-feat_expo_auth Jun 9, 2024
0 of 2 checks passed
juliusmarminge added a commit that referenced this pull request Jun 9, 2024
* feat: expo auth

* rm

* fix format

* fix lock

* feat: use expo-linking to construct urls for expo auth (#832)

* expo install --fix

* nit

* fix cookie

* use sync session store api

* add custom handler back

* fix exports

* Use .find() instead of always first cookie (#1043)

* feat: Expo Auth without setting AUTH_URL. (#1054)

* feat: expo-auth without auth_url env var

* Fix session cookie matching

* feat: Restore old CSRF checks in non-dev environments

* chore: Documenting some decisions with comments

* Use node env instead of vercel-specific env var

* Update readme to describe oauth changes

* Fix redirectTo being missing and enforce home nav since it was showing a weird page

* Disallow backwards navigation upon auth change

* some light refactoring

* dont' mutate args

* helper

* cmt

* fmt

---------

Co-authored-by: Jay McMullen <j@1f.io>
Co-authored-by: Gabriel Bianchi <gdbianchii@gmail.com>
Co-authored-by: Sam Riddle <Wundero@users.noreply.github.com>