Migration to authjs 🚀 #673
Comments
Valid point regarding
It makes perfect sense to wait for a release of
Agreed! I can see that they already have alpha versions of Version 5 released. Have they added support for
I am a bit concerned, see reports below. package.json
Audit Report:
# npm audit report
next >=13.4.0 <14.1.1
Severity: high
Next.js Server-Side Request Forgery in Server Actions - https://github.com/advisories/GHSA-fr5h-rqp8-mj6g
fix available via `npm audit fix`
node_modules/next
next-auth <4.24.5
Severity: moderate
Possible user mocking that bypasses basic authentication - https://github.com/advisories/GHSA-v64w-49xw-qq89
fix available via `npm audit fix --force`
Will install @sidebase/[email protected], which is a breaking change
node_modules/next-auth
@sidebase/nuxt-auth 0.3.0-alpha.1 - 0.4.0-alpha.6 || >=0.7.0-rc.0
Depends on vulnerable versions of next-auth
node_modules/@sidebase/nuxt-auth
3 vulnerabilities (2 moderate, 1 high)
Why next
❯ npm why next
[email protected] peer
node_modules/next
peer next@"^12.2.5 || ^13" from [email protected]
node_modules/next-auth
next-auth@"4.21.1" from the root project
peer next-auth@"^4" from @next-auth/[email protected]
node_modules/@next-auth/prisma-adapter
@next-auth/prisma-adapter@"^1.0.7" from the root project
peer next-auth@"~4.21.1" from @sidebase/[email protected]
node_modules/@sidebase/nuxt-auth
Primarily some missing security features, such as We have already investigated internally what is required for a migration and are slowly preparing our module for this in the future, however, due to the reasons mentioned above, we will not release a stable version of the authjs provider, until they do so as well!
If you delve into the actual report (GHSA-v64w-49xw-qq89), you'll see that the vulnerability only affects the default NextAuth middleware. One of the fixes they also mention is writing your own middleware that adds a check that was missing. See original statement from us here: #514 (comment) However, this middleware is never used inside our module, as we have our own custom Nuxt middleware. Therefore this vulnerability does not affect the module. If you have any additional questions feel free to raise them. 😊
Hello there :) Would it be possible to get some news re. this subject? I just checked, and it seems that the underlying v5 has been released since then.
Hey all, I wanted to +1 this request for an update considering the circumstances of the rewrite. :-)
Hi everyone 👋 Short update regarding our migration timeline: We are finalizing release 0.8.0 (Check out https://github.com/sidebase/nuxt-auth/releases/tag/0.8.0-rc.1). In this release, we primarily focused on housekeeping and improving the internal module code as well as some long-awaited and necessary updates for the Housekeeping:
Refresh and Local Providers:
With the release of
@zoey-kaiser Does NuxtAuth make use of any Next.js server actions? I am asking because I am wondering if using NuxtAuth in our project would open us up to any vulnerabilities surrounding this GitHub advisory: GHSA-fr5h-rqp8-mj6g Thanks!
Hi @johnwilson-wsh 👋 Thanks for raising the advisory. I would also pull in @phoenix-ru for his opinion, but my initial thoughts are that this should not affect the module, as all requests are still made via the Nuxt 3 server. We have an internal "converter" that accepts H3 events and transforms them into requests that NextAuth can handle (See code here). Therefore, I do not think that any SSRF vulnerabilities exclusive to Nextjs server actions that allow you to modify the HOST header would affect this package!
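The defensive point in the reply above is that the origin used for the auth request comes from the Nuxt server's own configuration, not from whatever Host header the client sent. The sketch below is an added illustration (not nuxt-auth's converter, whose real code is linked in the comment); the `authOrigin` parameter and the minimal event shape (`method`, `path`, `headers`, `body`) are assumptions made for this example.

```javascript
// Added example: build a fetch Request from a minimal H3-style event while
// taking the origin from trusted configuration instead of the Host header.
// The event shape and `authOrigin` are assumptions of this illustration.

// Headers a caller could use to influence where the handler thinks it lives.
const UNTRUSTED_HEADERS = new Set(['host', 'x-forwarded-host', 'x-forwarded-proto']);

function eventToRequest(event, authOrigin) {
  // Trusted origin (e.g. from an AUTH_ORIGIN setting), never the request's Host.
  const base = new URL(authOrigin);
  const url = new URL(event.path, base);

  // A path such as "//evil.example/x" resolves to a foreign origin; refuse it
  // rather than letting the auth handler build callbacks for another host.
  if (url.origin !== base.origin) {
    throw new Error(`refusing request for foreign origin ${url.origin}`);
  }

  const method = (event.method || 'GET').toUpperCase();
  const headers = new Headers();
  for (const [name, value] of Object.entries(event.headers || {})) {
    if (!UNTRUSTED_HEADERS.has(name.toLowerCase())) headers.set(name, value);
  }

  const init = { method, headers };
  if (method !== 'GET' && method !== 'HEAD' && event.body !== undefined) {
    init.body = event.body;
  }
  return new Request(url, init);
}

// Constructed sample event: a credentials callback with a forged Host header.
const sampleEvent = {
  method: 'POST',
  path: '/api/auth/callback/credentials',
  headers: { host: 'attacker.example', 'content-type': 'application/x-www-form-urlencoded' },
  body: 'username=alice&password=example',
};

function demo() {
  const req = eventToRequest(sampleEvent, 'https://app.example.com');
  return { host: new URL(req.url).host, method: req.method, forwardedHost: req.headers.get('host') };
}
```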
Hi, I was reading the documentation of the new version. I see that it is still stuck with the old NextAuth version, with the comment "NextAuth has changed their package exports, blocking NuxtAuth users from using the newer versions." What do you think, when will this be solved? Is NextAuth doing this on purpose? If nuxt-auth is stuck to the old version for ever, this will be a dead end. Regards,
Hey Sven! They changed the exports to prepare for their own next version. We had raised this with them and they will not change the exports. This is the reason we are now working on a migration to authjs, to ensure that this module is not stuck on the old version!
Hi everyone 👋 I wanted to give a quick update on the AuthJS Migration! We have now pushed the first working version of NuxtAuth, using AuthJS under the hood 🥳 There is still much work under the hood to ensure all the features are working correctly, but we are confident this migration is going well! We would like to get this update into your hands as quickly as possible so you can help us test the module since testing every form of authentication internally is close to impossible 😮💨 Therefore, we aim to introduce the first alpha version of NuxtAuth 1.0.0 next week, which will already be available for you to download and test. We do not recommend running it in production yet. However, it would be fantastic if you could install it into your projects using NuxtAuth and see if any issues occur with your setup. We will release more information on this in the coming week, as we are still figuring out how we want to deploy a second version of the docs for the migration and keep the Feel free to already peek into #818 and follow along with our progress!
Hello everyone! Thank you for this great project. It's an awesome library that I have as an inspirational reference. I've been trying @sidebase/[email protected] and I'd like to report an issue. I'm using the credentials provider with a custom login page that calls the signIn() of useAuth(). Before, the nuxt-auth/core callback handler had been returning an object with a redirect property: And useAuth/signIn always expected to receive an object: But now, with auth/core, it just throws an error: The error is never handled, producing an internal server error: And useAuth/signIn now receives the HTML of the error page: References:
Hi @guesant 👋 Thank you for being brave enough to try out the alpha! After publishing and playing around with it we ran into a lot of issues ourselves and due to this decided to refrain from making an official announcement! Thank you for posting about your issue, I will take it into our list! As this version is still super early in development, we do not recommend using it in any capacity yet and hope to be able to release a more stable version soon, that can then be fully tested by the community! |
Hi everyone 👋 I wanted to give another short update on the progress with the authjs migration! As mentioned in my comment above, we released an alpha version on our Sadly this upgrade came with a lot of new issues and was not stable enough for a full release. However, as we wanted to continue developing the other provider and patch other bugs, we decided to backport a portion of the migration into This was done in #849, where we switched to the The next step will be to fully replace |
Hello everyone 👋
The time has come: We are slowly moving forward to migrate NuxtAuth from using NextAuth under the hood to running the new authjs package!
This will come with numerous benefits, including:
This issue will track our current progress, issues and goals. We are currently beginning this migration, therefore more information will follow soon.