
next-auth


next-auth - npm Package Compare versions

Comparing version 4.17.0 to 4.18.0

6

core/index.js

@@ -36,3 +36,3 @@ "use strict";

async function toInternalRequest(req) {
async function toInternalRequest(req, trustHost = false) {
if (req instanceof Request) {

@@ -54,3 +54,3 @@ var _req$headers$get, _url$searchParams$get, _headers$xForwarded;

error: (_url$searchParams$get = url.searchParams.get("error")) !== null && _url$searchParams$get !== void 0 ? _url$searchParams$get : nextauth[1],
host: (0, _detectHost.detectHost)((_headers$xForwarded = headers["x-forwarded-host"]) !== null && _headers$xForwarded !== void 0 ? _headers$xForwarded : headers.host),
host: (0, _detectHost.detectHost)(trustHost, (_headers$xForwarded = headers["x-forwarded-host"]) !== null && _headers$xForwarded !== void 0 ? _headers$xForwarded : headers.host, "http://localhost:3000"),
query

@@ -70,3 +70,3 @@ };

} = params;
const req = await toInternalRequest(incomingRequest);
const req = await toInternalRequest(incomingRequest, userOptions.trustHost);
(0, _logger.setLogger)(userOptions.logger, userOptions.debug);

@@ -73,0 +73,0 @@ const assertionResult = (0, _assert.assertConfig)({
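Review bot: In `toInternalRequest`, the default passed to `detectHost` is the literal `"http://localhost:3000"`, so with `trustHost` false the request host resolves to localhost in every environment, whereas the Next.js handler in this same diff falls back to `process.env.NEXTAUTH_URL` and only uses localhost outside production. Passing `process.env.NEXTAUTH_URL ?? (process.env.NODE_ENV !== "production" && "http://localhost:3000")` here would make the two entry points agree. With `trustHost` true the value is `x-forwarded-host ?? host`, both read from the incoming request, so a comment stating that the option is only safe behind a proxy that overwrites those headers would help the next reader. The function body continues outside the hunk.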

@@ -63,3 +63,4 @@ "use strict";

path: "/",
secure: useSecureCookies
secure: useSecureCookies,
maxAge: 60 * 15
}

@@ -73,3 +74,4 @@ },

path: "/",
secure: useSecureCookies
secure: useSecureCookies,
maxAge: 60 * 15
}

@@ -76,0 +78,0 @@ },

@@ -21,3 +21,3 @@ "use strict";

async function createPKCE(options) {
var _provider$checks;
var _provider$checks, _cookies$pkceCodeVeri;

@@ -38,6 +38,7 @@ const {

const maxAge = (_cookies$pkceCodeVeri = cookies.pkceCodeVerifier.options.maxAge) !== null && _cookies$pkceCodeVeri !== void 0 ? _cookies$pkceCodeVeri : PKCE_MAX_AGE;
const expires = new Date();
expires.setTime(expires.getTime() + PKCE_MAX_AGE * 1000);
expires.setTime(expires.getTime() + maxAge * 1000);
const encryptedCodeVerifier = await jwt.encode({ ...options.jwt,
maxAge: PKCE_MAX_AGE,
maxAge,
token: {

@@ -51,3 +52,3 @@ code_verifier

code_verifier,
PKCE_MAX_AGE
maxAge
});

@@ -54,0 +55,0 @@ return {
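Review bot: `maxAge` in `createPKCE` is now read from `cookies.pkceCodeVerifier.options.maxAge` with no type or range check, and it sets both the lifetime of the encrypted code verifier and the cookie expiry. A non-numeric value turns `expires` into an invalid date, and a very large value keeps the verifier valid far longer than the `PKCE_MAX_AGE` fallback. A guard such as `if (!Number.isFinite(maxAge) || maxAge <= 0) throw new TypeError("pkceCodeVerifier maxAge must be a positive number of seconds");` would surface a misconfiguration early. The same applies to `createState` and `cookies.state.options.maxAge`; both function bodies extend beyond the hunks shown.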

@@ -14,3 +14,3 @@ "use strict";

async function createState(options) {
var _provider$checks;
var _provider$checks, _cookies$state$option;

@@ -30,4 +30,5 @@ const {

const maxAge = (_cookies$state$option = cookies.state.options.maxAge) !== null && _cookies$state$option !== void 0 ? _cookies$state$option : STATE_MAX_AGE;
const encodedState = await jwt.encode({ ...jwt,
maxAge: STATE_MAX_AGE,
maxAge,
token: {

@@ -39,6 +40,6 @@ state

state,
maxAge: STATE_MAX_AGE
maxAge
});
const expires = new Date();
expires.setTime(expires.getTime() + STATE_MAX_AGE * 1000);
expires.setTime(expires.getTime() + maxAge * 1000);
return {

@@ -45,0 +46,0 @@ value: state,

@@ -27,6 +27,6 @@ import type { Adapter, AdapterUser } from "../adapters";

* A random string used to hash tokens, sign cookies and generate cryptographic keys.
* If not specified, it falls back to `jwt.secret` or `NEXTAUTH_SECRET` from environment vairables.
* Otherwise it will use a hash of all configuration options, including Client ID / Secrets for entropy.
* If not specified, it falls back to `jwt.secret` or `NEXTAUTH_SECRET` from environment variables.
* Otherwise, it will use a hash of all configuration options, including Client ID / Secrets for entropy.
*
* NOTE: The last behavior is extrmely volatile, and will throw an error in production.
* NOTE: The last behavior is extremely volatile, and will throw an error in production.
* * **Default value**: `string` (SHA hash of the "options" object)

@@ -193,2 +193,12 @@ * * **Required**: No - **but strongly recommended**!

cookies?: Partial<CookiesOptions>;
/**
* If set to `true`, NextAuth.js will use either the `x-forwarded-host` or `host` headers,
* instead of `NEXTAUTH_URL`
* Make sure that reading `x-forwarded-host` on your hosting platform can be trusted.
* - ⚠ **This is an advanced option.** Advanced options are passed the same way as basic options,
* but **may have complex implications** or side effects.
* You should **try to avoid using advanced options** unless you are very comfortable using them.
* @default Boolean(process.env.AUTH_TRUST_HOST ?? process.env.VERCEL)
*/
trustHost?: boolean;
}

@@ -195,0 +205,0 @@ /**
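Review bot: The `trustHost` doc comment gives `@default Boolean(process.env.AUTH_TRUST_HOST ?? process.env.VERCEL)` but does not say that any non-empty string enables it, so `AUTH_TRUST_HOST=false` or `AUTH_TRUST_HOST=0` turns header trust on. I would add a line such as `* Any non-empty value of AUTH_TRUST_HOST (including "false" or "0") enables this option.`, or parse the variable explicitly where it is read. The middleware options in this diff document the same default with the two variables in the opposite order, and since `??` is order-sensitive the two comments should be made to agree with each other and with the code.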

import type { GetServerSidePropsContext, NextApiRequest, NextApiResponse } from "next";
import type { NextAuthOptions, Session } from "..";
import type { CallbacksOptions } from "../core/types";
declare function NextAuth(options: NextAuthOptions): any;
declare function NextAuth(req: NextApiRequest, res: NextApiResponse, options: NextAuthOptions): any;
export default NextAuth;
export declare function unstable_getServerSession(...args: [
GetServerSidePropsContext["req"],
GetServerSidePropsContext["res"],
NextAuthOptions
] | [NextApiRequest, NextApiResponse, NextAuthOptions] | [NextAuthOptions] | []): Promise<Session | null>;
declare type GetServerSessionOptions = Partial<Omit<NextAuthOptions, "callbacks">> & {
callbacks?: Omit<NextAuthOptions['callbacks'], "session"> & {
session?: (...args: Parameters<CallbacksOptions["session"]>) => any;
};
};
export declare function unstable_getServerSession<O extends GetServerSessionOptions, R = O["callbacks"] extends {
session: (...args: any[]) => infer U;
} ? U : Session>(...args: [GetServerSidePropsContext["req"], GetServerSidePropsContext["res"], O] | [NextApiRequest, NextApiResponse, O] | [O] | []): Promise<R | null>;
declare global {

@@ -12,0 +16,0 @@ namespace NodeJS {

@@ -16,3 +16,3 @@ "use strict";

async function NextAuthNextHandler(req, res, options) {
var _ref, _options$secret, _options$jwt, _ref2, _handler$status, _handler$cookies, _handler$headers;
var _options$secret, _options$jwt$secret, _options$jwt, _options$trustHost, _process$env$AUTH_TRU, _process$env$NEXTAUTH, _ref, _handler$status, _handler$cookies, _handler$headers;

@@ -23,6 +23,7 @@ const {

} = req.query;
options.secret = (_ref = (_options$secret = options.secret) !== null && _options$secret !== void 0 ? _options$secret : (_options$jwt = options.jwt) === null || _options$jwt === void 0 ? void 0 : _options$jwt.secret) !== null && _ref !== void 0 ? _ref : process.env.NEXTAUTH_SECRET;
(_options$secret = options.secret) !== null && _options$secret !== void 0 ? _options$secret : options.secret = (_options$jwt$secret = (_options$jwt = options.jwt) === null || _options$jwt === void 0 ? void 0 : _options$jwt.secret) !== null && _options$jwt$secret !== void 0 ? _options$jwt$secret : process.env.NEXTAUTH_SECRET;
(_options$trustHost = options.trustHost) !== null && _options$trustHost !== void 0 ? _options$trustHost : options.trustHost = !!((_process$env$AUTH_TRU = process.env.AUTH_TRUST_HOST) !== null && _process$env$AUTH_TRU !== void 0 ? _process$env$AUTH_TRU : process.env.VERCEL);
const handler = await (0, _core.NextAuthHandler)({
req: {
host: (0, _detectHost.detectHost)(req.headers["x-forwarded-host"]),
host: (0, _detectHost.detectHost)(options.trustHost, req.headers["x-forwarded-host"], (_process$env$NEXTAUTH = process.env.NEXTAUTH_URL) !== null && _process$env$NEXTAUTH !== void 0 ? _process$env$NEXTAUTH : process.env.NODE_ENV !== "production" && "http://localhost:3000"),
body: req.body,

@@ -35,3 +36,3 @@ query,

providerId: nextauth === null || nextauth === void 0 ? void 0 : nextauth[1],
error: (_ref2 = req.query.error) !== null && _ref2 !== void 0 ? _ref2 : nextauth === null || nextauth === void 0 ? void 0 : nextauth[1]
error: (_ref = req.query.error) !== null && _ref !== void 0 ? _ref : nextauth === null || nextauth === void 0 ? void 0 : nextauth[1]
},

@@ -74,3 +75,3 @@ options

async function unstable_getServerSession(...args) {
var _options$secret2;
var _options, _options$secret2, _options2, _options2$trustHost, _process$env$AUTH_TRU2, _process$env$NEXTAUTH2;

@@ -92,7 +93,5 @@ if (!experimentalWarningShown && process.env.NODE_ENV !== "production") {

if (isRSC) {
var _args$;
options = (_args$ = args[0]) !== null && _args$ !== void 0 ? _args$ : {
options = Object.assign({}, args[0], {
providers: []
};
});

@@ -119,10 +118,13 @@ const {

res = args[1];
options = args[2];
options = Object.assign(args[2], {
providers: []
});
}
options.secret = (_options$secret2 = options.secret) !== null && _options$secret2 !== void 0 ? _options$secret2 : process.env.NEXTAUTH_SECRET;
(_options$secret2 = (_options = options).secret) !== null && _options$secret2 !== void 0 ? _options$secret2 : _options.secret = process.env.NEXTAUTH_SECRET;
(_options2$trustHost = (_options2 = options).trustHost) !== null && _options2$trustHost !== void 0 ? _options2$trustHost : _options2.trustHost = !!((_process$env$AUTH_TRU2 = process.env.AUTH_TRUST_HOST) !== null && _process$env$AUTH_TRU2 !== void 0 ? _process$env$AUTH_TRU2 : process.env.VERCEL);
const session = await (0, _core.NextAuthHandler)({
options,
req: {
host: (0, _detectHost.detectHost)(req.headers["x-forwarded-host"]),
host: (0, _detectHost.detectHost)(options.trustHost, req.headers["x-forwarded-host"], (_process$env$NEXTAUTH2 = process.env.NEXTAUTH_URL) !== null && _process$env$NEXTAUTH2 !== void 0 ? _process$env$NEXTAUTH2 : process.env.NODE_ENV !== "production" && "http://localhost:3000"),
action: "session",

@@ -129,0 +131,0 @@ method: "GET",
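Review bot: In `unstable_getServerSession`, the non-RSC branch now does `options = Object.assign(args[2], { providers: [] })`, which writes into the caller's options object, whereas the RSC branch copies into a fresh object first. If the caller passes the same object it gives to `NextAuth(...)`, which looks like the usual pattern, that object's `providers` is replaced with `[]` after the first call. Copying as the other branch does avoids this: `options = Object.assign({}, args[2], { providers: [] });`. The `_options.secret = ...` and `_options2.trustHost = ...` defaults that follow would then also land on the copy rather than on shared configuration.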

@@ -77,3 +77,13 @@ import type { NextMiddleware, NextFetchEvent } from "next/server";

*/
secret?: string;
secret?: NextAuthOptions["secret"];
/**
* If set to `true`, NextAuth.js will use either the `x-forwarded-host` or `host` headers,
* instead of `NEXTAUTH_URL`
* Make sure that reading `x-forwarded-host` on your hosting platform can be trusted.
* - ⚠ **This is an advanced option.** Advanced options are passed the same way as basic options,
* but **may have complex implications** or side effects.
* You should **try to avoid using advanced options** unless you are very comfortable using them.
* @default Boolean(process.env.VERCEL ?? process.env.AUTH_TRUST_HOST)
*/
trustHost?: NextAuthOptions["trustHost"];
}

@@ -80,0 +90,0 @@ declare type NextMiddlewareResult = ReturnType<NextMiddleware> | void;

@@ -17,5 +17,7 @@ "use strict";

async function handleMiddleware(req, options, onSuccess) {
var _options$pages$signIn, _options$pages, _options$pages$error, _options$pages2, _options$secret, _options$jwt, _options$cookies, _options$cookies$sess, _await$options$callba, _options$callbacks, _options$callbacks$au;
var _detectHost = require("../utils/detect-host");
async function handleMiddleware(req, options = {}, onSuccess) {
var _options$pages$signIn, _options$pages, _options$pages$error, _options$pages2, _ref, _options$trustHost, _process$env$NEXTAUTH, _options$secret, _options$jwt, _options$cookies, _options$cookies$sess, _await$options$callba, _options$callbacks, _options$callbacks$au;
const {

@@ -29,3 +31,5 @@ pathname,

const errorPage = (_options$pages$error = options === null || options === void 0 ? void 0 : (_options$pages2 = options.pages) === null || _options$pages2 === void 0 ? void 0 : _options$pages2.error) !== null && _options$pages$error !== void 0 ? _options$pages$error : "/api/auth/error";
const authPath = (0, _parseUrl.default)(process.env.NEXTAUTH_URL).path;
options.trustHost = Boolean((_ref = (_options$trustHost = options.trustHost) !== null && _options$trustHost !== void 0 ? _options$trustHost : process.env.VERCEL) !== null && _ref !== void 0 ? _ref : process.env.AUTH_TRUST_HOST);
const host = (0, _detectHost.detectHost)(options.trustHost, req.headers.get("x-forwarded-host"), (_process$env$NEXTAUTH = process.env.NEXTAUTH_URL) !== null && _process$env$NEXTAUTH !== void 0 ? _process$env$NEXTAUTH : process.env.NODE_ENV !== "production" && "http://localhost:3000");
const authPath = (0, _parseUrl.default)(host).path;
const publicPaths = ["/_next", "/favicon.ico"];

@@ -32,0 +36,0 @@
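Review bot: `handleMiddleware` resolves `trustHost` as `options.trustHost ?? process.env.VERCEL ?? process.env.AUTH_TRUST_HOST`, while the API handler in this diff uses `AUTH_TRUST_HOST ?? VERCEL`; because `??` only skips null and undefined, an empty `AUTH_TRUST_HOST` on a platform that sets `VERCEL` disables trust in the handler but not here, so the two layers can disagree about which host is authoritative. `authPath` is then taken from `parseUrl(host).path`, so with trust enabled a request header feeds the path used further down (outside this hunk, presumably to recognise auth routes); taking the path from `NEXTAUTH_URL` and only the host from the header would keep that decision out of the request's control. The assignment `options.trustHost = ...` also mutates the caller's options object, and a local `const trustHost = ...` would do the same job. The function continues past the hunk.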

{
"name": "next-auth",
"version": "4.17.0",
"version": "4.18.0",
"description": "Authentication for Next.js",

@@ -5,0 +5,0 @@ "homepage": "https://next-auth.js.org",

@@ -20,3 +20,3 @@ "use strict";

id: profile.response.id,
name: profile.response.name,
name: profile.response.nickname,
email: profile.response.email,

@@ -23,0 +23,0 @@ image: profile.response.profile_image

/** Extract the host from the environment */
export declare function detectHost(forwardedHost: any): any;
export declare function detectHost(trusted: boolean, forwardedValue: string | string[] | undefined | null, defaultValue: string | false): string | undefined;

@@ -8,7 +8,8 @@ "use strict";

function detectHost(forwardedHost) {
var _process$env$VERCEL;
function detectHost(trusted, forwardedValue, defaultValue) {
if (trusted && forwardedValue) {
return Array.isArray(forwardedValue) ? forwardedValue[0] : forwardedValue;
}
if ((_process$env$VERCEL = process.env.VERCEL) !== null && _process$env$VERCEL !== void 0 ? _process$env$VERCEL : process.env.AUTH_TRUST_HOST) return forwardedHost;
return process.env.NEXTAUTH_URL;
return defaultValue || undefined;
}
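Review bot: `detectHost` returns the forwarded value as received when `trusted` is set, with no check that it is a single well-formed host, so a header carrying a comma-separated proxy chain or arbitrary text is handed straight to the callers, which appear to build URLs from it. Consider taking the first comma-separated entry and rejecting values that do not parse as a host, returning `defaultValue || undefined` in that case. The declaration's comment still reads `Extract the host from the environment` although the function no longer reads `process.env`; something like `/** Return the forwarded host when trusted, otherwise the supplied default */` would match the new behaviour.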