Redirect to custom credential sign in page using ServersideProps requires submitting twice to login #2426
Comments
Not a security vulnerability, since it's using a post method. You should make sure the page is using https in production yourself.
Okay thanks for the clarification, how about the issue that I am reporting? Is this something you are able to comment on...?
Will do when I have the time! 😊
@sabi-wabi I was unable to reproduce! Here's what I did:
I was able to login with just one press of the submit button. There didn't appear to be any reload first, nor did I need to click the button twice to get logged in. I was then able to see the hardcoded user logged-in, and was able to log out successfully. I suggest you might play around with your
I am also seeing this issue using the v4 beta, the email provider and a custom sign in page. It doesn't happen every time, but often enough that it's annoying. I will try to see if I can get to the bottom of what's going on.
I have the same problem with the next-auth ^4.0.5 version. The only thing I caught is that the first time I'm redirected to the login page I have a link like this EDIT:
I'm running into the same issue with the EmailProvider (password less sign in). The sign in page redirects to
Seems like this issue only happens when calling Sample:
I was experiencing this both in production and development. The silent failure on first attempt was caused by the csrfToken in my login form mismatching the one in my browser's cookie. In development, I can see that calls to On Vercel, the TLDR; for me, the fix was simple: don't provide csrfToken as a prop with

```jsx
// Imports added for completeness; the original snippet omitted them.
// Assumed import paths are those of next-auth v4 (v3 exported these from 'next-auth/client').
import { useEffect, useState } from 'react';
import { getCsrfToken, useSession } from 'next-auth/react';

const Login = () => {
  const session = useSession();
  const [csrfToken, setCsrfToken] = useState('');

  useEffect(() => {
    async function fetchCsrfToken() {
      const result = await getCsrfToken();
      if (!result) {
        throw new Error('Can not sign in without a CSRF token');
      }
      setCsrfToken(result);
    }
    /*
      Wait until session is fetched before obtaining csrfToken
      to prevent synchronization issues caused by both
      /api/auth/session and /api/auth/csrf setting the cookie.
      Only happens in dev environment.
    */
    if (session.status !== 'loading') {
      fetchCsrfToken();
    }
  }, [session.status]);

  return (
    <form>
      {/* Hiding the rest for brevity */}
    </form>
  );
};

export default Login;
```
@magnusdr Thank you!!
Sorry for the late revisiting - in the issue description, I see that OP was using
Description 🐜
There is already a discussion opened for this issue, but it seems to be stagnant.
auth/signin
getServerSideProps
if no user found in session
When submitting the form for the first time, the page will reload and nothing happens.
Is this a bug in your own project?
No
How to reproduce ☕️
Here is the repository to reproduce the issue
http://localhost:3000/
http://localhost:3000/auth/signin?callbackUrl=http://localhost:3000
On an unrelated note, I noticed that it is possible to see the submitted form inputs in the Network tab, is this not a security vulnerability?
Screenshots / Logs 📽
No response
Environment 🖥
System:
OS: macOS 11.4
CPU: (16) x64 Intel(R) Core(TM) i9-9880H CPU @ 2.30GHz
Memory: 60.74 MB / 16.00 GB
Shell: 5.8 - /bin/zsh
Binaries:
Node: 14.16.1 - /usr/local/bin/node
Yarn: 1.22.10 - /usr/local/bin/yarn
npm: 6.14.12 - /usr/local/bin/npm
Browsers:
Brave Browser: 91.1.26.77
Edge: 92.0.902.55
Safari: 14.1.1
npmPackages:
next: ^11.0.0 => 11.0.1
next-auth: latest => 3.27.3
react: ^17.0.2 => 17.0.2
Contributing 🙌🏽
No, I am afraid I cannot help regarding this