From 467cc2d5222aa3e3feea5a7876d3d3c9565a4fcf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20Orb=C3=A1n?=
Date: Thu, 31 Dec 2020 21:38:37 +0100
Subject: [PATCH 1/3] feat: allow to return string in signIn callback
---
 src/server/routes/callback.js | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/server/routes/callback.js b/src/server/routes/callback.js
index 71ccd76dd3..72bcaf62b4 100644
--- a/src/server/routes/callback.js
+++ b/src/server/routes/callback.js
@@ -71,13 +71,16 @@ export default async (req, res, options, done) => {
 const signInCallbackResponse = await callbacks.signIn(userOrProfile, account, OAuthProfile)
 if (signInCallbackResponse === false) {
 return redirect(`${baseUrl}${basePath}/error?error=AccessDenied`)
+ } else if (typeof signInCallbackResponse === 'string') {
+ return redirect(signInCallbackResponse)
 }
 } catch (error) {
 if (error instanceof Error) {
 return redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
- } else {
- return redirect(error)
 }
+ // TODO: Remove in a future major release
+ logger.warn('SIGNIN_CALLBACK_REJECT_REDIRECT')
+ return redirect(error)
 }
 // Sign user in
@@ -162,13 +165,16 @@ export default async (req, res, options, done) => {
 const signInCallbackResponse = await callbacks.signIn(profile, account, { email })
 if (signInCallbackResponse === false) {
 return redirect(`${baseUrl}${basePath}/error?error=AccessDenied`)
+ } else if (typeof signInCallbackResponse === 'string') {
+ return redirect(signInCallbackResponse)
 }
 } catch (error) {
 if (error instanceof Error) {
 return redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
- } else {
- return redirect(error)
 }
+ // TODO: Remove in a future major release
+ logger.warn('SIGNIN_CALLBACK_REJECT_REDIRECT')
+ return redirect(error)
 }
 // Sign user in
From 7bf93ddefaa3b97562b363b05847b17fce9804c3 Mon Sep 17 00:00:00 2001
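Review bot: The string returned by `callbacks.signIn` reaches `redirect()` behind nothing but the `typeof signInCallbackResponse === 'string'` test in the added `else if`, so an empty string or an absolute URL on another origin is accepted as the target; the second hunk (at -162, the email flow) has the same branch. A callback that builds that URL from provider profile or request data would turn this into an open redirect. If only same-site targets are intended, I would add `new URL(signInCallbackResponse, baseUrl).origin === new URL(baseUrl).origin` to the condition (assuming `baseUrl` is an absolute URL) and fall back to the existing AccessDenied redirect otherwise; if cross-origin targets are intended, the JSDoc should state that the value is used verbatim. The retained `return redirect(error)` in both catch blocks likewise forwards any thrown non-Error value without checking that it is a string. The enclosing handler starts and ends outside both hunks.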
From: =?UTF-8?q?Bal=C3=A1zs=20Orb=C3=A1n?=
Date: Thu, 31 Dec 2020 21:39:06 +0100
Subject: [PATCH 2/3] docs: add deprecation warning for invalid signIn callback
---
 www/docs/warnings.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/www/docs/warnings.md b/www/docs/warnings.md
index dc2912ebcd..557c3eac72 100644
--- a/www/docs/warnings.md
+++ b/www/docs/warnings.md
@@ -48,3 +48,23 @@ You can use [node-jose-tools](https://www.npmjs.com/package/node-jose-tools) to
 #### JWT_AUTO_GENERATED_ENCRYPTION_KEY
+#### SIGNIN_CALLBACK_REJECT_REDIRECT
+
+You returned something in the `signIn` callback, that is being deprecated.
+
+You probably had something similar in the callback:
+```js
+ return Promise.reject("/some/url")
+```
+
+or
+
+```js
+ throw "/some/url"
+```
+
+To remedy this, simply return the url instead:
+
+```js
+ return "/some/url"
+```
\ No newline at end of file
From f5ca0a8f474fc4ff2eb2479266259be4dd862a4b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20Orb=C3=A1n?=
Date: Thu, 31 Dec 2020 21:51:49 +0100
Subject: [PATCH 3/3] docs: update allowed signIn callback return type
---
 src/server/lib/callbacks.js | 3 ++-
 www/docs/configuration/callbacks.md | 8 ++++----
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/server/lib/callbacks.js b/src/server/lib/callbacks.js
index 4c760c20b6..865bf45676 100644
--- a/src/server/lib/callbacks.js
+++ b/src/server/lib/callbacks.js
@@ -12,8 +12,9 @@
 * @param {object} profile User profile (e.g. user id, name, email)
 * @param {object} account Account used to sign in (e.g. OAuth account)
 * @param {object} metadata Provider specific metadata (e.g. OAuth Profile)
- * @return {boolean|object} Return `true` (or a modified JWT) to allow sign in
+ * @return {boolean|string} Return `true` to allow sign in
 * Return `false` to deny access
+ * Return `string` to redirect to (eg.: "/unauthorized")
 */
 const signIn = async (profile, account, metadata) => {
 const isAllowedToSignIn = true
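Review bot: The added JSDoc line in src/server/lib/callbacks.js says a string is a URL "to redirect to" but not that sign in is refused in that case; as far as the callback.js hunks show, the string branch returns before the `// Sign user in` step. I would word it as ` * Return a URL string to deny sign in and redirect there (e.g. "/unauthorized")`. Since `signIn` is declared `async`, `@return {Promise<boolean|string>}` would also describe the value more accurately. The body of `signIn` continues outside the hunk.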
diff --git a/www/docs/configuration/callbacks.md b/www/docs/configuration/callbacks.md
index 2ecc4745e1..956a8e3acc 100644
--- a/www/docs/configuration/callbacks.md
+++ b/www/docs/configuration/callbacks.md
@@ -44,8 +44,9 @@ callbacks: {
 * @param {object} user User object
 * @param {object} account Provider account
 * @param {object} profile Provider profile
- * @return {boolean} Return `true` (or a modified JWT) to allow sign in
+ * @return {boolean|string} Return `true` to allow sign in
 * Return `false` to deny access
+ * Return `string` to redirect to (eg.: "/unauthorized")
 */
 signIn: async (user, account, profile) => {
 const isAllowedToSignIn = true
@@ -54,9 +55,8 @@ callbacks: {
 } else {
 // Return false to display a default error message
 return false
- // You can also Reject this callback with an Error or with a URL:
- // throw new Error('error message') // Redirect to error page
- // return '/path/to/redirect' // Redirect to a URL
+ // Or you can return a URL to redirect to:
+ // return '/unauthorized'
 }
 }
 }