Skip to content

Enable AuthJS debug #619

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
edulelis merged 1 commit into from
Aug 1, 2025
Merged

Enable AuthJS debug #619

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion apps/web/utils/auth.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ const PROVIDER_CONFIG = {
} as const;

export const getAuthOptions: () => NextAuthConfig = () => ({
debug: false,
debug: true,
providers: [
Comment on lines 83 to 85
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Aug 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Verification agent

🧩 Analysis chain

Unconditional debug: true will emit verbose console logs in production – leaks PII and breaches repo lint rules

next-auth prints every request, token, and account object via console.* when debug is enabled.

  1. That contravenes the coding-guideline “Don’t use console.”
  2. Access/refresh tokens and user e-mails may land in server logs, violating the principle of least-privilege and triggering compliance concerns (GDPR/PII).

Gate the flag to non-production environments and/or rely on the scoped logger instead:

-export const getAuthOptions: () => NextAuthConfig = () => ({
-  debug: true,
+export const getAuthOptions: () => NextAuthConfig = () => ({
+  // Enable AuthJS debug logs only during local development
+  debug: env.NODE_ENV !== "production",
   providers: [

(or remove the flag and uncomment the custom logger block).

🏁 Script executed:

#!/bin/bash
# Display the definition of getAuthOptions and any debug flags in auth.ts
rg -n "getAuthOptions" -A5 apps/web/utils/auth.ts || true
rg -n "debug" -A2 apps/web/utils/auth.ts || true

Length of output: 708

🏁 Script executed:

#!/bin/bash
# Check environment variable usage and imports in auth.ts
rg -n "env\." -A2 apps/web/utils/auth.ts || true
rg -n "import.*env" -A1 apps/web/utils/auth.ts || true

# Check for existing logger usage or imports
rg -n "logger" -A5 apps/web/utils/auth.ts || true

# Display the top of the file to inspect imports
head -n 50 apps/web/utils/auth.ts || true

Length of output: 10367

🏁 Script executed:

#!/bin/bash
# Locate the env.ts file
fd env.ts

# Check for NODE_ENV definition and exported variables in env.ts
rg -n "export const env" -A5 apps/web/env.ts || true
rg -n "NODE_ENV" -A2 apps/web/env.ts || true

Length of output: 446

Gate AuthJS debug to non-production

Unconditional debug: true in getAuthOptions will force NextAuth to emit console.* logs (including tokens and user data) in production, violating our “no console” rule and risking PII exposure. Please update as follows in apps/web/utils/auth.ts (around lines 83–85):

 export const getAuthOptions: () => NextAuthConfig = () => ({
-  debug: true,
+  // Enable verbose AuthJS logs only in non-production environments
+  debug: env.NODE_ENV !== "production",
   providers: [

Alternatively, remove the debug flag entirely and enable the custom logger block below (lines 115–125) to route AuthJS logs through our scoped logger.

  • apps/web/utils/auth.ts:83–85 — replace debug: true
  • apps/web/utils/auth.ts:115–125 — uncomment/customize the logger section if you prefer scoped logging
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
export const getAuthOptions: () => NextAuthConfig = () => ({
debug: false,
debug: true,
providers: [
export const getAuthOptions: () => NextAuthConfig = () => ({
// Enable verbose AuthJS logs only in non-production environments
debug: env.NODE_ENV !== "production",
providers: [
🤖 Prompt for AI Agents 
In apps/web/utils/auth.ts around lines 83 to 85, the debug flag is set
unconditionally to true, causing sensitive logs in production. Modify the debug
setting to be true only in non-production environments by checking the NODE_ENV
variable or remove the debug flag entirely. If you remove it, uncomment and
customize the logger block around lines 115 to 125 to route AuthJS logs through
the scoped logger instead of using console logs.

GoogleProvider({
clientId: env.GOOGLE_CLIENT_ID,
Expand Down
Loading