[pull] main from nextauthjs:main #309

Merged
merged 233 commits into from
May 22, 2022

@pull pull bot commented Jan 17, 2022

See Commits and Changes for more details.


Created by pull[bot]

Can you help keep this open source service alive? 💖 Please sponsor : )

balazsorban44 and others added 3 commits January 17, 2022 00:37
* fix(core): detect Vercel without `NEXTAUTH_URL`

* chore(ts): use `any`

* chore: use `process.env.VERCEL` to detect Vercel

codecov bot commented Jan 17, 2022

Codecov Report

Merging #309 (c844296) into main (75ca097) will increase coverage by 3.18%.
The diff coverage is 14.42%.

❗ Current head c844296 differs from pull request most recent head dda4e0a. Consider uploading reports for the commit dda4e0a to get more accurate results

@@            Coverage Diff            @@
##            main     #309      +/-   ##
=========================================
+ Coverage   9.90%   13.08%   +3.18%     
=========================================
  Files         84       91       +7     
  Lines       1403     1444      +41     
  Branches     395      384      -11     
=========================================
+ Hits         139      189      +50     
- Misses      1038     1241     +203     
+ Partials     226       14     -212     
Impacted Files Coverage Δ
src/core/errors.ts 0.00% <0.00%> (ø)
src/core/index.ts 0.00% <0.00%> (ø)
src/core/init.ts 0.00% <0.00%> (ø)
src/core/lib/assert.ts 0.00% <0.00%> (ø)
src/core/lib/callback-handler.ts 0.00% <0.00%> (ø)
src/core/lib/callback-url.ts 0.00% <0.00%> (ø)
src/core/lib/cookie.ts 0.00% <0.00%> (ø)
src/core/lib/csrf-token.ts 0.00% <0.00%> (ø)
src/core/lib/default-callbacks.ts 0.00% <0.00%> (ø)
src/core/lib/email/signin.ts 0.00% <0.00%> (ø)
... and 83 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a04af2b...dda4e0a. Read the comment docs.

davidchalifoux and others added 20 commits January 17, 2022 04:28
* Added authentik provider

* Removed idToken
…rting to base64 (#3656)

* Fix: Add OpenID to authorization scope

* Fix: Check for valid profile picture response before converting to base64

* Update src/providers/azure-ad.ts

Co-authored-by: Balázs Orbán <info@balazsorban.com>

* Confirm that profile photo was returned

Co-authored-by: Balázs Orbán <info@balazsorban.com>
Avoid peer dependency warning when using React 18
Bumps [next](https://github.com/vercel/next.js) from 12.0.7 to 12.0.9.
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v12.0.7...v12.0.9)

---
updated-dependencies:
- dependency-name: next
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [node-fetch](https://github.com/node-fetch/node-fetch) from 2.6.6 to 2.6.7.
- [Release notes](https://github.com/node-fetch/node-fetch/releases)
- [Commits](node-fetch/node-fetch@v2.6.6...v2.6.7)

---
updated-dependencies:
- dependency-name: node-fetch
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* feat: added types for sign in errors

* feat: adding type to error prop

* chore: added documentation links to types
* feat(core): detect `NEXTAUTH_SECRET` env variable

* chore(dev): use detected `NEXTAUTH_SECRET` in dev app
* fix(providers): properly warn when using Twitter OAuth 2

* refactor(providers): move Twitter OAuth2 warning to `assert`

* fix: use proper warning code

* refactor: only set boolean
* added trakt provider

* fixed incorrect auth url

* Update src/providers/trakt.ts

Co-authored-by: Balázs Orbán <info@balazsorban.com>

* Update src/providers/trakt.ts

Co-authored-by: Balázs Orbán <info@balazsorban.com>

* Update trakt.ts

Co-authored-by: caidenwilson <caidenwilson@protonmail.com>
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* feat(middleware): introduce Middleware API to Next.js

* chore(app): upgrade Next.js in dev app

* chore(dev): add Middleware protected page to dev app

* chore(middleware): add `next/middleware` to `exports`

* fix(middleware): bail out redirect on custom pages

* fix(middleware): allow one-line export

* chore(middleware): simplify code

* fix(middleware): redirect back to page after successful login

* feat(middleware): re-export `withAuth` as `default`

* chore: export middleware from `next-auth/middleware`

* chore: add `middleware` files to npm

* feat(middleware): handle chaining, fix some bugs

* chore(dev): showcase different middlewares

* chore(middleware): remove `@ts-expect-error` comments

* chore: update build clean script

* fix: bail out when NextAuth.js paths

* refactor: be more explicit about `initConfig` result

* refactor: simplify

* refactor: use `callbacks` similarly to `NextAuthOptions`

* refactor: use `nextauth` namespace when setting `token` on `req`

* refactor: don't allow passing `secret`

* addressing review
* fix(middleware): handle no argument case

* use absolute URLs

* use origin instead of host
* chore: convert to monorepo

* Remove eslint, typescript, semantic-release

* Add yarn.lock

* Add turbo

* Run test command

* Move to src

* Add a separate tsconfig file

* Update .gitignore

* Update commands to yarn

* Replace semantic-release with changesets

* Update changesets usage

* Fix commands: dev, setup, clean

* Add back changes from main

* Fixed HMR

* Update .gitignore
* fix labeler

* try fixing test runs in GitHub Actions

* pass flags to test command

* test version pr

* move version-pr action

* remove --dry-run flag

* re-enable testing, re-add semantic release for now

* add docs

* use `yarn.lock` and different docs port

* simplify dev app config

* fix coverage report

* fix provider source links

* fix more links
dependabot bot and others added 20 commits April 28, 2022 11:42
Bumps [next-auth](https://github.com/nextauthjs/next-auth) from 4.2.1 to 4.3.2.
- [Release notes](https://github.com/nextauthjs/next-auth/releases)
- [Changelog](https://github.com/nextauthjs/next-auth/blob/main/CHANGELOG.md)
- [Commits](https://github.com/nextauthjs/next-auth/compare/v4.2.1...next-auth@v4.3.2)

---
updated-dependencies:
- dependency-name: next-auth
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Lluis Agusti <hi@llu.lu>
The build plugin now sets the NEXTAUTH_URL environment variable automatically
when it detects that 'next-auth' is installed in the project.
* feat: pnpm

* Update publish script

* gitignore the pnpm debug log

* Fix workspace

* Fix dev commands

* feat: pnpm

* Update publish script

* gitignore the pnpm debug log

* Fix workspace

* Fix dev commands

* chore: fix pnpm install in GitHub Action

* fix: update tsconfig path

* pnpm run -> pnpm

* chore: remove cache-node and add back setup-node

* fix: tsconfig dependencies

* chore: fix tsconfig path

* fix: adapter-test dependencies

* fix: setup-node for release-pr

* fix: import adapter-test

* chore: update workspace dependency for next-auth

* fix: test failure

* fix: add jest for adapters

* fix: jest again

* fix: mongo in prisma

* fix: `--no-git-checks` for `release-pr`

Co-authored-by: Balázs Orbán <info@balazsorban.com>
…4449)

Co-authored-by: Lluis Agusti <hi@llu.lu>
Co-authored-by: ndom91 <yo@ndo.dev>
Co-authored-by: Thang Vu <31528554+ThangHuuVu@users.noreply.github.com>
'this environment variable must be set', instead of 'this environment variables must be set'.
Co-authored-by: Lluis Agusti <hi@llu.lu>
<Motion
key={`marquee-example-company-${icon}`}
initDeg={randomIntFromInterval(0, 360)}
direction={Math.random() > 0.5 ? "clockwise" : "counterclockwise"}

opt.semgrep.node_insecure_random_generator: crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.


const errorUrl = new URL(errorPage, req.nextUrl.origin)
errorUrl.searchParams.append("error", "Configuration")

return NextResponse.redirect(errorUrl)
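
Review bot: `new URL(errorPage, req.nextUrl.origin)` on the first line only pins the redirect to the request origin when `errorPage` is a relative path; if `errorPage` is an absolute URL, the base argument is ignored and the redirect goes wherever that value points. The visible lines do not show where `errorPage` is set, so confirm it comes from server-side configuration only, or check `errorUrl.origin === req.nextUrl.origin` before `NextResponse.redirect(errorUrl)`.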

opt.semgrep.express_open_redirect: Untrusted user input in redirect() can result in Open Redirect vulnerability.


// the user is not logged in, redirect to the sign-in page
const signInUrl = new URL(signInPage, req.nextUrl.origin)
signInUrl.searchParams.append("callbackUrl", req.url)
return NextResponse.redirect(signInUrl)
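
Review bot: `signInUrl.searchParams.append("callbackUrl", req.url)` copies the full request URL into a query parameter, so whatever consumes `callbackUrl` after sign-in has to validate it against the site origin before redirecting; nothing in this hunk does that. The redirect target itself is `signInPage`, not request input, so the risk sits with the consumer. Consider passing only the path and query string instead of the absolute `req.url`, or add a comment pointing to where `callbackUrl` is validated.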

opt.semgrep.express_open_redirect: Untrusted user input in redirect() can result in Open Redirect vulnerability.


),
Delete(Ref(Users, userId))
)
)

opt.semgrep.node_sqli_injection: Untrusted input concatenated with raw SQL query can result in SQL Injection.


@@ -0,0 +1,46 @@
#!/usr/bin/env bash

SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"

SC2034: SCRIPT_DIR appears unused. Verify use (or export if used externally).


if (!account) return null
const user = await (
await db
).U.findOne({ _id: new ObjectId(account.userId) })
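
Review bot: the `if (!account) return null` guard does not cover a malformed or missing `account.userId` in `findOne({ _id: new ObjectId(account.userId) })`. Wrapping the value in `new ObjectId(...)` means the filter always receives an ObjectId rather than a query-operator object, but the constructor throws on a malformed string and generates a fresh id when given `undefined`. Consider checking the value with `ObjectId.isValid` first, or catching the error, so the lookup returns null instead of rejecting.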

opt.semgrep.node_nosqli_injection: Untrusted user input in findOne() function can result in NoSQL Injection.


if (!session) return null
const user = await (
await db
).U.findOne({ _id: new ObjectId(session.userId) })

opt.semgrep.node_nosqli_injection: Untrusted user input in findOne() function can result in NoSQL Injection.


Palanikannan1437 and others added 2 commits May 19, 2022 22:28
…o `expires_at` (#4540)

Co-authored-by: Lluis Agusti <hi@llu.lu>
Authentication Patterns for Next.js is moved to the official next.js docs https://nextjs.org/docs/authentication#authentication-patterns
@devkadirselcuk devkadirselcuk merged commit a5d65c4 into turkdevops:main May 22, 2022