UNPKG

@auth/core

Version:

Authentication for the Web.

authjs.dev

nextauthjs/next-auth

141 lines (140 loc) 5.45 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
/** * * :::warning Experimental * `@auth/core` is under active development. * ::: * * This is the main entry point to the Auth.js library. * * Based on the {@link https://developer.mozilla.org/en-US/docs/Web/API/Request Request} * and {@link https://developer.mozilla.org/en-US/docs/Web/API/Response Response} Web standard APIs. * Primarily used to implement [framework](https://authjs.dev/getting-started/integrations)-specific packages, * but it can also be used directly. * * ## Installation * * ```bash npm2yarn * npm install @auth/core * ``` * * ## Usage * * ```ts * import { Auth } from "@auth/core" * * const request = new Request("https://example.com") * const response = await Auth(request, {...}) * * console.log(response instanceof Response) // true * ``` * * ## Resources * * - [Getting started](https://authjs.dev/getting-started) * - [Guides](https://authjs.dev/guides) * * @module @auth/core */ import { assertConfig } from "./lib/utils/assert.js"; import { AuthError, CredentialsSignin, ErrorPageLoop, isClientError, } from "./errors.js"; import { AuthInternal, raw, skipCSRFCheck } from "./lib/index.js"; import { setEnvDefaults, createActionURL } from "./lib/utils/env.js"; import renderPage from "./lib/pages/index.js"; import { logger, setLogger } from "./lib/utils/logger.js"; import { toInternalRequest, toResponse } from "./lib/utils/web.js"; import { isAuthAction } from "./lib/utils/actions.js"; export { skipCSRFCheck, raw, setEnvDefaults, createActionURL, isAuthAction }; /** * Core functionality provided by Auth.js. * * Receives a standard {@link Request} and returns a {@link Response}. * * @example * ```ts * import { Auth } from "@auth/core" * * const request = new Request("https://example.com") * const response = await Auth(request, { * providers: [Google], * secret: "...", * trustHost: true, * }) *``` * @see [Documentation](https://authjs.dev) */ export async function Auth(request, config) { setLogger(config.logger, config.debug); const internalRequest = await toInternalRequest(request, config); // There was an error parsing the request if (!internalRequest) return Response.json(`Bad request.`, { status: 400 }); const warningsOrError = assertConfig(internalRequest, config); if (Array.isArray(warningsOrError)) { warningsOrError.forEach(logger.warn); } else if (warningsOrError) { // If there's an error in the user config, bail out early logger.error(warningsOrError); const htmlPages = new Set([ "signin", "signout", "error", "verify-request", ]); if (!htmlPages.has(internalRequest.action) || internalRequest.method !== "GET") { const message = "There was a problem with the server configuration. Check the server logs for more information."; return Response.json({ message }, { status: 500 }); } const { pages, theme } = config; // If this is true, the config required auth on the error page // which could cause a redirect loop const authOnErrorPage = pages?.error && internalRequest.url.searchParams .get("callbackUrl") ?.startsWith(pages.error); // Either there was no error page configured or the configured one contains infinite redirects if (!pages?.error || authOnErrorPage) { if (authOnErrorPage) { logger.error(new ErrorPageLoop(`The error page ${pages?.error} should not require authentication`)); } const page = renderPage({ theme }).error("Configuration"); return toResponse(page); } return Response.redirect(`${pages.error}?error=Configuration`); } const isRedirect = request.headers?.has("X-Auth-Return-Redirect"); const isRaw = config.raw === raw; try { const internalResponse = await AuthInternal(internalRequest, config); if (isRaw) return internalResponse; const response = toResponse(internalResponse); const url = response.headers.get("Location"); if (!isRedirect || !url) return response; return Response.json({ url }, { headers: response.headers }); } catch (e) { const error = e; logger.error(error); const isAuthError = error instanceof AuthError; if (isAuthError && isRaw && !isRedirect) throw error; // If the CSRF check failed for POST/session, return a 400 status code. // We should not redirect to a page as this is an API route if (request.method === "POST" && internalRequest.action === "session") return Response.json(null, { status: 400 }); const isClientSafeErrorType = isClientError(error); const type = isClientSafeErrorType ? error.type : "Configuration"; const params = new URLSearchParams({ error: type }); if (error instanceof CredentialsSignin) params.set("code", error.code); const pageKind = (isAuthError && error.kind) || "error"; const pagePath = config.pages?.[pageKind] ?? `${config.basePath}/${pageKind.toLowerCase()}`; const url = `${internalRequest.url.origin}${pagePath}?${params}`; if (isRedirect) return Response.json({ url }); return Response.redirect(url); } }