This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
NextAuth not working behind corporate proxy #2509
Comments
|
To resolve this issue locally, i'm now using patch-package. I'm applying this patch: diff --git a/node_modules/next-auth/dist/server/lib/oauth/client.js b/node_modules/next-auth/dist/server/lib/oauth/client.js
index e35acd0..5b666ec 100644
--- a/node_modules/next-auth/dist/server/lib/oauth/client.js
+++ b/node_modules/next-auth/dist/server/lib/oauth/client.js
@@ -9,6 +9,10 @@ exports.default = oAuthClient;
var _oauth = require("oauth");
+var UrlLib = require("url");
+
+var HttpsProxyAgent = require("https-proxy-agent");
+
var _querystring = _interopRequireDefault(require("querystring"));
var _logger = _interopRequireDefault(require("../../../lib/logger"));
@@ -150,6 +154,12 @@ async function getOAuth2AccessToken(code, provider, codeVerifier) {
const postData = _querystring.default.stringify(params);
return new Promise((resolve, reject) => {
+ let parsedUrl = UrlLib.parse(url, true);
+ if (parsedUrl.protocol == "https:" && process.env.http_proxy) {
+ let agent = new HttpsProxyAgent(process.env.http_proxy);
+ this.setAgent(agent);
+ }
+
this._request('POST', url, headers, postData, null, (error, data, response) => {
if (error) {
_logger.default.error('OAUTH_GET_ACCESS_TOKEN_ERROR', error, data, response);
@@ -228,6 +238,12 @@ async function getOAuth2(provider, accessToken, results) {
}
return new Promise((resolve, reject) => {
+ let parsedUrl = UrlLib.parse(url, true);
+ if (parsedUrl.protocol == "https:" && process.env.http_proxy) {
+ let agent = new HttpsProxyAgent(process.env.http_proxy);
+ this.setAgent(agent);
+ }
+
this._request(httpMethod, url, headers, null, accessToken, (error, profileData) => {
if (error) {
return reject(error);It would be great if this issue could be resolved in future versions! Thanks in advance. |
|
@raphaelpc we released a beta for the new NextAuth v4 version today which uses the newer They use Notes:
Thinking out loud here based off the info in the above links.. but maybe here (https://github.com/nextauthjs/next-auth/blob/beta/src/server/lib/oauth/client.js), adding something along these lines? const { custom } = require('openid-client');
const { HttpsProxyAgent } = require('hpagent');
custom.setHttpOptionsDefaults({
agent: {
https: new HttpsProxyAgent({
keepAlive: true,
keepAliveMsecs: 1000,
maxSockets: 256,
maxFreeSockets: 256,
scheduling: 'lifo',
proxy: 'https://localhost:8080'
})
}
}); |
|
I've had this same issue I think. I have a site (wecodeni.com) that uses next-auth.js. Every now and then I'll have a customer get in touch saying they can't sign up when using the email login. I can never work out exactly what is causing it, but it's always from larger corporate customers. I can see from my database that a user is created in these cases, but the user is presented with the I'm pretty sure what's happening is their email server is scanning links in emails, and by requesting the link in the signin email, they are claiming it, and so the user can't then signin. |
|
@ThePaulMcBride looks like this might be a result of the invites being expired. See: next-auth/packages/next-auth/src/core/routes/callback.ts Lines 213 to 216 in a72f1b6 EDIT: Sorry just reread your email. We had an issue like this before with Office365, for example, like you suggested - it'll "check" the link to make sure its not a phishing site or whatever, thereby "using" up the invitation link. Let me see if I can find the issue / discussion again. There was a way to disable it in office365 and some other discussion. EDIT 2: Yeah here it is! #1840 |
|
Behind corporate proxy Next Auth unfortunately won't work with our
adjustments.
I've been trying to update NextAuth to the latest release on my
application, but I did not yet discover what patch should I create in order
for it to work, like I did in the older version. Did anyone find a solution?
Thanks.
Em qua., 9 de fev. de 2022 às 18:21, Nico Domino ***@***.***>
escreveu:
… @ThePaulMcBride <https://github.com/ThePaulMcBride> looks like this might
be a result of the invites being expires.
See:
https://github.com/nextauthjs/next-auth/blob/a72f1b6d21da89b4223542006c865862635c027b/packages/next-auth/src/core/routes/callback.ts#L213-L216
—
Reply to this email directly, view it on GitHub
<#2509 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AHGXJF2PMLRIWSQTXHMCJHDU2LLD5ANCNFSM5B2N23GQ>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
As mentioned in @balazsorban44's final reply in that issue, you could modify the This should satisfy most URL checking / SafeLink behavior, and not allow the email invitation tokens to be used up. Something like: import type { NextApiRequest, NextApiResponse } from "next"
import NextAuth from "next-auth"
export default async function auth(req: NextApiRequest, res: NextApiResponse) {
if(req.method === "HEAD") {
return res.status(200)
}
...
}See NextAuth.js - Advanced Initialization for more details, as well as the issue #1840 as previously mentioned. |
|
Hello Nico!
Thanks for the answer! But I did not understand how this could be applied
to this situation, since the problem is that the methods used internally by
NextAuth don't work behind a corporate proxy. That is why a had to create a
patch-package for v3 in the first place. The thing is that I did not yet
discover what patch I should apply on v4 since all the internal methods
used for making requests changed from v3 to v4, like you mentioned in your
first reply to this thread. I checked all references you posted but was not
able to identify exactly what would need to be done for the methods to
start checking on proxy environment info when making the requests to
external services (for example, to the Google or Facebook auth endpoints).
If that could be resolved only using advanced inicialialization that would
be great, but I really did not identify how that could be used in this case.
Em qua., 9 de fev. de 2022 às 18:29, Nico Domino ***@***.***>
escreveu:
… As mentioned in @balazsorban44 <https://github.com/balazsorban44>'s final
reply in that issue, you could modify the [...nextauth].js config file
(which is a "normal" catch-all API route at the end of the day), to just
return a 200 immediately upon receiving a HEAD request.
This should satisfy most URL checking / SafeLink behavior, and not allow
the email invitation tokens to be used up.
Something like:
import type { NextApiRequest, NextApiResponse } from "next"import NextAuth from "next-auth"
export default async function auth(req: NextApiRequest, res: NextApiResponse) {
if(req.method === "HEAD") {
return res.status(200)
}
...}
See NextAuth.js - Advanced Initialization
<https://next-auth.js.org/configuration/initialization#advanced-initialization>
for more details, as well as the issue #1840
<#1840> as previously
mentioned.
—
Reply to this email directly, view it on GitHub
<#2509 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AHGXJF5J36AISKLNAHIE3I3U2LME5ANCNFSM5B2N23GQ>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
Important to clarify that Paul's error isn't necessarily the same as mine,
but the situation that I described on this thread is related to corporate
proxy, I don't even use the mail functionalities from NextAuth.
Em qui., 10 de fev. de 2022 às 09:09, Raphael Cavalcanti ***@***.***>
escreveu:
… Hello Nico!
Thanks for the answer! But I did not understand how this could be applied
to this situation, since the problem is that the methods used internally by
NextAuth don't work behind a corporate proxy. That is why a had to create a
patch-package for v3 in the first place. The thing is that I did not yet
discover what patch I should apply on v4 since all the internal methods
used for making requests changed from v3 to v4, like you mentioned in your
first reply to this thread. I checked all references you posted but was not
able to identify exactly what would need to be done for the methods to
start checking on proxy environment info when making the requests to
external services (for example, to the Google or Facebook auth endpoints).
If that could be resolved only using advanced inicialialization that would
be great, but I really did not identify how that could be used in this case.
Em qua., 9 de fev. de 2022 às 18:29, Nico Domino ***@***.***>
escreveu:
> As mentioned in @balazsorban44 <https://github.com/balazsorban44>'s
> final reply in that issue, you could modify the [...nextauth].js config
> file (which is a "normal" catch-all API route at the end of the day), to
> just return a 200 immediately upon receiving a HEAD request.
>
> This should satisfy most URL checking / SafeLink behavior, and not allow
> the email invitation tokens to be used up.
>
> Something like:
>
> import type { NextApiRequest, NextApiResponse } from "next"import NextAuth from "next-auth"
> export default async function auth(req: NextApiRequest, res: NextApiResponse) {
>
> if(req.method === "HEAD") {
> return res.status(200)
> }
>
> ...}
>
> See NextAuth.js - Advanced Initialization
> <https://next-auth.js.org/configuration/initialization#advanced-initialization>
> for more details, as well as the issue #1840
> <#1840> as previously
> mentioned.
>
> —
> Reply to this email directly, view it on GitHub
> <#2509 (comment)>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AHGXJF5J36AISKLNAHIE3I3U2LME5ANCNFSM5B2N23GQ>
> .
> Triage notifications on the go with GitHub Mobile for iOS
> <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
> or Android
> <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
>
> You are receiving this because you were mentioned.Message ID:
> ***@***.***>
>
|
|
Sorry for jumping on your thread Rapheal, I initially had thought we were seeing the same thing! |
|
@raphaelpc ah right, okay my bad. The suggestion I made/wrote a tutorial for in the docs was strictly for the issue of corporate email clients / email services sending In terms of corporate proxy in general, we're now using Therefore, you'll have to either fork and modify With |
|
Regarding fixing with a patch, We let all |
Thanks for the tip. I have now been able to patch NextAuth v4 to be able to use it behind corporate proxy. This is what i did:
To do so, i first updated my Provider at [...nextauth].ts: Doing like that it unfortunately didn't work. I got this error: Probably because the way the "agent" is being received by the openidClient function makes it stop being a Agent-like Object.
I'm applying this patch: diff --git a/node_modules/next-auth/core/lib/oauth/client.js b/node_modules/next-auth/core/lib/oauth/client.js
index 77161bd..1082fba 100644
--- a/node_modules/next-auth/core/lib/oauth/client.js
+++ b/node_modules/next-auth/core/lib/oauth/client.js
@@ -7,11 +7,19 @@ exports.openidClient = openidClient;
var _openidClient = require("openid-client");
+var HttpsProxyAgent = require("https-proxy-agent");
+
async function openidClient(options) {
const provider = options.provider;
- if (provider.httpOptions) _openidClient.custom.setHttpOptionsDefaults(provider.httpOptions);
- let issuer;
+ let httpOptions = {};
+ if (provider.httpOptions) httpOptions = { ...provider.httpOptions };
+ if (process.env.http_proxy) {
+ let agent = new HttpsProxyAgent(process.env.http_proxy);
+ httpOptions.agent = agent;
+ }
+ _openidClient.custom.setHttpOptionsDefaults(httpOptions);
+ let issuer;
if (provider.wellKnown) {
issuer = await _openidClient.Issuer.discover(provider.wellKnown);
} else {
It would be great if this issue could be resolved in future versions! Anyway, in case anyone else has the same problem as i, i hope the patch can help! :) Thanks! |
balazsorban44
added
enhancement
|
Yeah. Unfortunately, this is not a priority right now as the use case seems to be uncommon enough, but I'm happy to keep this issue open as long as it doesn't get stale. |
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Description 🐜
NextAuth is not working behind corporate proxy.
I studied the current NextAuth implementation and found that this error happens because NextAuth makes use of the "node-auth" library (npm package "oauth") in it's "oAuthClient" (src/server/lib/oauth/client.js), which requires manually setting up an agent to be used by the "https" library.
I created a PR with the solution of the problem:
#2493
Related discussion: #676
Related StackOverflow: https://stackoverflow.com/questions/32130471/node-js-https-not-working-behind-corporate-proxy
If the PR is not going to be accepted, i believe it is important do register the issue here for other people facing the same problems that i'm facing right now (which are quite time consuming to debug).
Is this a bug in your own project?
No
How to reproduce ☕️
Just run any application with NextAuth behind a corporate proxy and try to log in with a Provider (like Google or GitHub).
Screenshots / Logs 📽
Environment 🖥
System:
OS: Windows 10 10.0.19042
CPU: (12) x64 Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz
Memory: 6.80 GB / 15.78 GB
Binaries:
Node: 14.16.1 - C:\Program Files\nodejs\node.EXE
Yarn: 1.22.5 - C:\Program Files (x86)\Yarn\bin\yarn.CMD
npm: 6.14.12 - C:\Program Files\nodejs\npm.CMD
Browsers:
Edge: 44.19041.423.0
Internet Explorer: 11.0.19041.1
npmPackages:
react: ^17.0.2 => 17.0.2
Contributing 🙌🏽
Yes, I am willing to help solve this bug in a PR
The text was updated successfully, but these errors were encountered: