nextauthjs · balazsorban44 · Dec 11, 2022 · Dec 9, 2022 · Dec 9, 2022 · Dec 9, 2022
@@ -72,6 +72,16 @@ export class InvalidCallbackUrl extends UnknownError {
   code = "INVALID_CALLBACK_URL_ERROR"
 }
 
+export class UnknownAction extends UnknownError {
+  name = "UnknownAction"
+  code = "UNKNOWN_ACTION_ERROR"
+}
+
+export class UntrustedHost extends UnknownError {
+  name = "UntrustedHost"
+  code = "UNTRUST_HOST_ERROR"
+}
+
 type Method = (...args: any[]) => Promise<any>
 
 export function upperSnake(s: string) {

@@ -1,19 +1,21 @@
 import logger, { setLogger } from "../utils/logger"
 import { toInternalRequest, toResponse } from "../utils/web"
-import * as routes from "./routes"
-import renderPage from "./pages"
 import { init } from "./init"
 import { assertConfig } from "./lib/assert"
 import { SessionStore } from "./lib/cookie"
+import renderPage from "./pages"
+import * as routes from "./routes"
 
-import type { AuthAction, AuthOptions } from "./types"
+import { UntrustedHost } from "./errors"
 import type { Cookie } from "./lib/cookie"
 import type { ErrorType } from "./pages/error"
+import type { AuthAction, AuthOptions } from "./types"
 
+/** @internal */
 export interface RequestInternal {
-  /** @default "http://localhost:3000" */
-  host?: string
-  method?: string
+  url: URL
+  /** @default "GET" */
+  method: string
   cookies?: Partial<Record<string, string>>
   headers?: Record<string, any>
   query?: Record<string, any>
@@ -23,22 +25,20 @@ export interface RequestInternal {
   error?: string
 }
 
-export interface NextAuthHeader {
-  key: string
-  value: string
-}
-
-// TODO: Rename to `ResponseInternal`
+/** @internal */
 export interface ResponseInternal<
   Body extends string | Record<string, any> | any[] = any
 > {
   status?: number
-  headers?: NextAuthHeader[]
+  headers?: Record<string, string>
   body?: Body
   redirect?: string
   cookies?: Cookie[]
 }
 
+const configErrorMessage =
+  "There is a problem with the server configuration. Check the server logs for more information."
+
 async function AuthHandlerInternal<
   Body extends string | Record<string, any> | any[]
 >(params: {
@@ -47,10 +47,9 @@ async function AuthHandlerInternal<
   /** REVIEW: Is this the best way to skip parsing the body in Node.js? */
   parsedBody?: any
 }): Promise<ResponseInternal<Body>> {
-  const { options: userOptions, req } = params
-  setLogger(userOptions.logger, userOptions.debug)
+  const { options: authOptions, req } = params
 
-  const assertionResult = assertConfig({ options: userOptions, req })
+  const assertionResult = assertConfig({ options: authOptions, req })
 
   if (Array.isArray(assertionResult)) {
     assertionResult.forEach(logger.warn)
@@ -60,14 +59,13 @@ async function AuthHandlerInternal<
 
     const htmlPages = ["signin", "signout", "error", "verify-request"]
     if (!htmlPages.includes(req.action) || req.method !== "GET") {
-      const message = `There is a problem with the server configuration. Check the server logs for more information.`
       return {
         status: 500,
-        headers: [{ key: "Content-Type", value: "application/json" }],
-        body: { message } as any,
+        headers: { "Content-Type": "application/json" },
+        body: { message: configErrorMessage } as any,
       }
     }
-    const { pages, theme } = userOptions
+    const { pages, theme } = authOptions
 
     const authOnErrorPage =
       pages?.error && req.query?.callbackUrl?.startsWith(pages.error)
@@ -90,13 +88,13 @@ async function AuthHandlerInternal<
     }
   }
 
-  const { action, providerId, error, method = "GET" } = req
+  const { action, providerId, error, method } = req
 
   const { options, cookies } = await init({
-    userOptions,
+    authOptions,
     action,
     providerId,
-    host: req.host,
+    origin: req.url.origin,
     callbackUrl: req.body?.callbackUrl ?? req.query?.callbackUrl,
     csrfToken: req.body?.csrfToken,
     cookies: req.cookies,
@@ -123,7 +121,7 @@ async function AuthHandlerInternal<
       }
       case "csrf":
         return {
-          headers: [{ key: "Content-Type", value: "application/json" }],
+          headers: { "Content-Type": "application/json" },
           body: { csrfToken: options.csrfToken } as any,
           cookies,
         }
@@ -240,7 +238,7 @@ async function AuthHandlerInternal<
         }
         break
       case "_log":
-        if (userOptions.logger) {
+        if (authOptions.logger) {
           try {
             const { code, level, ...metadata } = req.body ?? {}
             logger[level](code, metadata)
@@ -269,7 +267,28 @@ export async function AuthHandler(
   request: Request,
   options: AuthOptions
 ): Promise<Response> {
+  setLogger(options.logger, options.debug)
+
+  if (!options.trustHost) {
+    const error = new UntrustedHost(
+      `Host must be trusted. URL was: ${request.url}`
+    )
+    logger.error(error.code, error)
+
+    return new Response(JSON.stringify({ message: configErrorMessage }), {
+      status: 500,
+      headers: { "Content-Type": "application/json" },
+    })
+  }
+
   const req = await toInternalRequest(request)
+  if (req instanceof Error) {
+    logger.error((req as any).code, req)
+    return new Response(
+      `Error: This action with HTTP ${request.method} is not supported.`,
+      { status: 400 }
+    )
+  }
   const internalResponse = await AuthHandlerInternal({ req, options })
 
   const response = await toResponse(internalResponse)

@@ -15,8 +15,8 @@ import { RequestInternal } from "."
 import type { InternalOptions } from "./types"
 
 interface InitParams {
-  host?: string
-  userOptions: AuthOptions
+  origin?: string
+  authOptions: AuthOptions
   providerId?: string
   action: InternalOptions["action"]
   /** Callback URL value extracted from the incoming request. */
@@ -30,10 +30,10 @@ interface InitParams {
 
 /** Initialize all internal options and cookies. */
 export async function init({
-  userOptions,
+  authOptions,
   providerId,
   action,
-  host,
+  origin,
   cookies: reqCookies,
   callbackUrl: reqCallbackUrl,
   csrfToken: reqCsrfToken,
@@ -42,12 +42,12 @@ export async function init({
   options: InternalOptions
   cookies: cookie.Cookie[]
 }> {
-  const url = parseUrl(host)
+  const url = parseUrl(origin)
 
-  const secret = createSecret({ userOptions, url })
+  const secret = createSecret({ authOptions, url })
 
   const { providers, provider } = parseProviders({
-    providers: userOptions.providers,
+    providers: authOptions.providers,
     url,
     providerId,
   })
@@ -66,7 +66,7 @@ export async function init({
       buttonText: "",
     },
     // Custom options override defaults
-    ...userOptions,
+    ...authOptions,
     // These computed settings can have values in userOptions but we override them
     // and are request-specific.
     url,
@@ -75,38 +75,38 @@ export async function init({
     provider,
     cookies: {
       ...cookie.defaultCookies(
-        userOptions.useSecureCookies ?? url.base.startsWith("https://")
+        authOptions.useSecureCookies ?? url.base.startsWith("https://")
       ),
       // Allow user cookie options to override any cookie settings above
-      ...userOptions.cookies,
+      ...authOptions.cookies,
     },
     secret,
     providers,
     // Session options
     session: {
       // If no adapter specified, force use of JSON Web Tokens (stateless)
-      strategy: userOptions.adapter ? "database" : "jwt",
+      strategy: authOptions.adapter ? "database" : "jwt",
       maxAge,
       updateAge: 24 * 60 * 60,
       generateSessionToken: () => {
         // Use `randomUUID` if available. (Node 15.6+)
         return randomUUID?.() ?? randomBytes(32).toString("hex")
       },
-      ...userOptions.session,
+      ...authOptions.session,
     },
     // JWT options
     jwt: {
       secret, // Use application secret if no keys specified
       maxAge, // same as session maxAge,
       encode: jwt.encode,
       decode: jwt.decode,
-      ...userOptions.jwt,
+      ...authOptions.jwt,
     },
     // Event messages
-    events: eventsErrorHandler(userOptions.events ?? {}, logger),
-    adapter: adapterErrorHandler(userOptions.adapter, logger),
+    events: eventsErrorHandler(authOptions.events ?? {}, logger),
+    adapter: adapterErrorHandler(authOptions.adapter, logger),
     // Callback functions
-    callbacks: { ...defaultCallbacks, ...userOptions.callbacks },
+    callbacks: { ...defaultCallbacks, ...authOptions.callbacks },
     logger,
     callbackUrl: url.origin,
   }

@@ -7,7 +7,6 @@ import {
   InvalidCallbackUrl,
   MissingAdapterMethods,
 } from "../errors"
-import parseUrl from "../../utils/parse-url"
 import { defaultCookies } from "./cookie"
 
 import type { RequestInternal } from ".."
@@ -44,11 +43,11 @@ export function assertConfig(params: {
   req: RequestInternal
 }): ConfigError | WarningCode[] {
   const { options, req } = params
-
+  const { url } = req
   const warnings: WarningCode[] = []
 
   if (!warned) {
-    if (!req.host) warnings.push("NEXTAUTH_URL")
+    if (!url.origin) warnings.push("NEXTAUTH_URL")
 
     // TODO: Make this throw an error in next major. This will also get rid of `NODE_ENV`
     if (!options.secret && process.env.NODE_ENV !== "production")
@@ -70,21 +69,19 @@ export function assertConfig(params: {
 
   const callbackUrlParam = req.query?.callbackUrl as string | undefined
 
-  const url = parseUrl(req.host)
-
-  if (callbackUrlParam && !isValidHttpUrl(callbackUrlParam, url.base)) {
+  if (callbackUrlParam && !isValidHttpUrl(callbackUrlParam, url.origin)) {
     return new InvalidCallbackUrl(
       `Invalid callback URL. Received: ${callbackUrlParam}`
     )
   }
 
   const { callbackUrl: defaultCallbackUrl } = defaultCookies(
-    options.useSecureCookies ?? url.base.startsWith("https://")
+    options.useSecureCookies ?? url.protocol === "https://"
   )
   const callbackUrlCookie =
     req.cookies?.[options.cookies?.callbackUrl?.name ?? defaultCallbackUrl.name]
 
-  if (callbackUrlCookie && !isValidHttpUrl(callbackUrlCookie, url.base)) {
+  if (callbackUrlCookie && !isValidHttpUrl(callbackUrlCookie, url.origin)) {
     return new InvalidCallbackUrl(
       `Invalid callback URL. Received: ${callbackUrlCookie}`
     )

@@ -29,16 +29,16 @@ export function hashToken(token: string, options: InternalOptions<"email">) {
  * based on options passed here. If options contains unique data, such as
  * OAuth provider secrets and database credentials it should be sufficent. If no secret provided in production, we throw an error. */
 export function createSecret(params: {
-  userOptions: AuthOptions
+  authOptions: AuthOptions
   url: InternalUrl
 }) {
-  const { userOptions, url } = params
+  const { authOptions, url } = params
 
   return (
-    userOptions.secret ??
+    authOptions.secret ??
     // TODO: Remove falling back to default secret, and error in dev if one isn't provided
     createHash("sha256")
-      .update(JSON.stringify({ ...url, ...userOptions }))
+      .update(JSON.stringify({ ...url, ...authOptions }))
       .digest("hex")
   )
 }
@@ -31,7 +31,7 @@ export default function renderPage(params: RenderPageParams) {
     return {
       cookies,
       status,
-      headers: [{ key: "Content-Type", value: "text/html" }],
+      headers: { "Content-Type": "text/html" },
       body: `<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1.0"><style>${css()}</style><title>${title}</title></head><body class="__next-auth-theme-${
         theme?.colorScheme ?? "auto"
       }"><div class="page">${renderToString(html)}</div></body></html>`,

@@ -18,7 +18,7 @@ export default function providers(
   providers: InternalProvider[]
 ): ResponseInternal<Record<string, PublicProvider>> {
   return {
-    headers: [{ key: "Content-Type", value: "application/json" }],
+    headers: { "Content-Type": "application/json" },
     body: providers.reduce<Record<string, PublicProvider>>(
       (acc, { id, name, type, signinUrl, callbackUrl }) => {
         acc[id] = { id, name, type, signinUrl, callbackUrl }

@@ -31,7 +31,7 @@ export default async function session(
 
   const response: ResponseInternal<Session | {}> = {
     body: {},
-    headers: [{ key: "Content-Type", value: "application/json" }],
+    headers: { "Content-Type": "application/json" },
     cookies: [],
   }
 

@@ -210,7 +210,7 @@ export interface AuthOptions {
    * - ⚠ **This is an advanced option.** Advanced options are passed the same way as basic options,
    * but **may have complex implications** or side effects.
    * You should **try to avoid using advanced options** unless you are very comfortable using them.
-   * @default Boolean(process.env.AUTH_TRUST_HOST ?? process.env.VERCEL)
+   * @default Boolean(process.env.NEXTAUTH_URL ?? process.env.AUTH_TRUST_HOST ?? process.env.VERCEL)
    */
   trustHost?: boolean
 }

@@ -94,7 +94,7 @@ export async function getToken<R extends boolean = false>(
   const authorizationHeader =
     req.headers instanceof Headers
       ? req.headers.get("authorization")
-      : req.headers.authorization
+      : req.headers?.authorization
 
   if (!token && authorizationHeader?.split(" ")[0] === "Bearer") {
     const urlEncodedToken = authorizationHeader.split(" ")[1]