next-auth: Cancelling OAuth flow crashes the server

Description

The OAuth flow works fine except when it's cancelled while running a production build. Although it logs the same error on development (ERR_HTTP_HEADERS_SENT), the server itself is not terminated there.

Is this a bug in your own project?

Yes

How to reproduce

Part of the config. I don't think the other configuration options are relevant.

export default NextAuth({
  ...,
  providers: [
    {
      id: 'esri',
      name: 'Esri',
      type: 'oauth',
      version: '2.0',
      authorizationUrl: `${process.env.ESRI_PORTAL}/oauth2/authorize?response_type=code`,
      accessTokenUrl: `${process.env.ESRI_PORTAL}/oauth2/token?grant_type=authorization_code&client_id=${process.env.ARCGIS_CLIENT_ID}`,
      profileUrl: `${process.env.ESRI_PORTAL}/oauth2/token?grant_type=authorization_code&client_id=${process.env.ARCGIS_CLIENT_ID}`,
      clientId: process.env.ARCGIS_CLIENT_ID,
      clientSecret: process.env.ARCGIS_CLIENT_SECRET,
      profile: async (_profile, tokens) => {
        ...
      },
    },
  ],
  pages: {
    signIn: '/auth/login',
  },
  callbacks: {
    redirect: async (url, baseUrl) => {
      return url.startsWith(baseUrl) ? url : `${baseUrl}${url}`;
    },
  },
});

Screenshots / Logs

[next-auth][error][state_error] 
https://next-auth.js.org/errors#state_error OAuthCallbackError: Invalid state returned from OAuth provider
    at Object.handleCallback (./node_modules/next-auth/dist/server/lib/oauth/state-handler.js:42:13)
    at ./node_modules/next-auth/dist/server/index.js:186:29
    at processTicksAndRejections (node:internal/process/task_queues:94:5)
[next-auth][error][oauth_get_access_token_error] 
https://next-auth.js.org/errors#oauth_get_access_token_error {
  statusCode: 401,
  data: ''
} esri undefined
[next-auth][error][oauth_callback_error] 
https://next-auth.js.org/errors#oauth_callback_error {
  statusCode: 401,
  data: ''
}
node:internal/process/promises:245
          triggerUncaughtException(err, true /* fromPromise */);
          ^

Error [ERR_HTTP_HEADERS_SENT]: Cannot set headers after they are sent to the client
    at new NodeError (node:internal/errors:329:5)
    at ServerResponse.setHeader (node:_http_outgoing:579:11)
    at ServerResponse.res.redirect (./node_modules/next-auth/dist/server/lib/extend-res.js:39:21)
    at Object.callback (./node_modules/next-auth/dist/server/routes/callback.js:156:18)
    at processTicksAndRejections (node:internal/process/task_queues:94:5) {
  code: 'ERR_HTTP_HEADERS_SENT'
}
error Command failed with exit code 1.

Environment

  System:
    OS: Linux 5.10 Ubuntu 20.04.2 LTS (Focal Fossa)
    CPU: (12) x64 AMD Ryzen 5 5600X 6-Core Processor
    Memory: 15.01 GB / 25.02 GB
    Container: Yes
    Shell: 3.2.2 - /usr/bin/fish
  Binaries:
    Node: 15.14.0 - /usr/bin/node
    Yarn: 1.22.10 - /usr/bin/yarn
    npm: 7.23.0 - /usr/bin/npm
  npmPackages:
    next: 11.1.2 => 11.1.2 
    next-auth: ^3.28.0 => 3.28.0 
    react: 17.0.2 => 17.0.2

Contributing

Yes, I am willing to help solve this bug in a PR

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 15 (8 by maintainers)

Most upvoted comments

Thanks, I'll have a look!

I created an app with similar setup and it gives 2 different results based on the OAuth server.

  1. With the real ArcGIS OAuth, the failure callback includes the state param and the server doesn't crash.
  2. Using the custom ArcGIS OAuth provided by our client, the failure callback doesn't include the state param and it crashes the server.
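The failure sequence in the log above (state error, failed token exchange, then a redirect on an already-sent response), modelled as an added example that is not next-auth's code: a toy response object with Node's headersSent semantics, the handler shape that reproduces the crash, and the guarded shape beside it. The names makeRes, stateIsValid, exchangeCode, callbackUnguarded and callbackGuarded are constructed for illustration; the /auth/login redirect target is taken from the config in the report.

```javascript
'use strict';
// Constructed stand-in for Node's ServerResponse (not next-auth code): once the
// response is flushed, setHeader() throws ERR_HTTP_HEADERS_SENT, as in the log above.
function makeRes() {
  const res = { headersSent: false, statusCode: 200, headers: {}, writes: 0 };
  res.setHeader = (name, value) => {
    if (res.headersSent) {
      const err = new Error('Cannot set headers after they are sent to the client');
      err.code = 'ERR_HTTP_HEADERS_SENT';
      throw err;
    }
    res.headers[name] = value;
  };
  res.end = () => { res.headersSent = true; res.writes += 1; };
  res.redirect = (url) => { res.statusCode = 302; res.setHeader('Location', url); res.end(); };
  return res;
}

// State check: the provider must echo back the value bound to this browser session.
// A cancelled flow (and any callback not started by this session) carries no match.
function stateIsValid(query, sessionState) {
  return typeof query.state === 'string' && query.state === sessionState;
}

// Token exchange stub: for the cancelled flow the provider answers 401 (see log).
async function exchangeCode() {
  throw Object.assign(new Error('token endpoint returned 401'), { statusCode: 401 });
}

// Shape that reproduces the crash: the state error is answered with a redirect but
// the handler keeps going; the failed token exchange then redirects a second time,
// which sets headers on an already-sent response and rejects the promise.
async function callbackUnguarded(query, sessionState, res) {
  if (!stateIsValid(query, sessionState)) res.redirect('/auth/login?error=OAuthCallback');
  try { await exchangeCode(query.code); }
  catch (e) { res.redirect('/auth/login?error=OAuthCallback'); } // throws here
  return res.writes;
}

// Hardened shape: return after the first response, never write once headers are sent,
// and catch every error path so no rejection escapes (Node 15+ makes those fatal).
async function callbackGuarded(query, sessionState, res) {
  const fail = () => {
    if (!res.headersSent) res.redirect('/auth/login?error=OAuthCallback');
    return res.writes;
  };
  if (!stateIsValid(query, sessionState)) return fail();
  try { await exchangeCode(query.code); } catch (e) { return fail(); }
  return res.writes;
}
```

Any request to the callback URL without a matching state takes the same path as a cancelled login, so the unguarded shape turns a routine state error into a process exit; returning after the first response and checking headersSent before the error redirect keeps it at a logged error.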