diff --git a/src/server/index.js b/src/server/index.js
index 9bae971aca..8f7975d302 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -72,15 +72,15 @@ async function NextAuthHandler (req, res, userOptions) {
   const providers = parseProviders({ providers: userOptions.providers, baseUrl, basePath })
   const provider = providers.find(({ id }) => id === providerId)
 
-  if (provider &&
-    provider.type === 'oauth' && provider.version?.startsWith('2') &&
-    (!provider.protection && provider.state !== false)
-  ) {
-    provider.protection = 'state' // Default to state, as we did in 3.1 REVIEW: should we use "pkce" or "none" as default?
-  }
-
-  if (typeof provider?.protection === 'string') {
-    provider.protection = [provider.protection]
+  // Protection only works on OAuth 2.x providers
+  if (provider?.type === 'oauth' && provider.version?.startsWith('2')) {
+    // When provider.state is undefined, we still want this to pass
+    if (!provider.protection && provider.state !== false) {
+      // Default to state, as we did in 3.1 REVIEW: should we use "pkce" or "none" as default?
+      provider.protection = ['state']
+    } else if (typeof provider.protection === 'string') {
+      provider.protection = [provider.protection]
+    }
   }
 
   const maxAge = 30 * 24 * 60 * 60 // Sessions expire after 30 days of being idle
diff --git a/src/server/lib/oauth/pkce-handler.js b/src/server/lib/oauth/pkce-handler.js
index 72063b0f1b..d5613392da 100644
--- a/src/server/lib/oauth/pkce-handler.js
+++ b/src/server/lib/oauth/pkce-handler.js
@@ -16,7 +16,8 @@ const PKCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
 export async function handleCallback (req, res) {
   const { cookies, provider, baseUrl, basePath } = req.options
   try {
-    if (!provider.protection.includes('pkce')) { // Provider does not support PKCE, nothing to do.
+    // Provider does not support PKCE, nothing to do.
+    if (!provider.protection?.includes('pkce')) {
       return
     }
 
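Review bot: The normalization in the new OAuth 2.x branch accepts any string or array for `provider.protection` without checking the values, so a misspelled entry such as `'State'` becomes an array that the handlers' `includes('state')` / `includes('pkce')` never match, and the callback silently runs with neither state nor PKCE verification for that provider. Because the handlers now use `protection?.includes(...)`, nothing downstream reports the gap either. The page names `state`, `pkce` and `none` as the intended values, so the normalized array can be checked against that set and a misconfiguration rejected loudly; NextAuthHandler continues outside the hunk, so where a throw is caught is not visible here and a logger call may fit the file's conventions better. Proposed addition at the end of the OAuth 2.x branch:
```javascript
  // Protection only works on OAuth 2.x providers
  if (provider?.type === 'oauth' && provider.version?.startsWith('2')) {
    // … unchanged: default to ['state'] / wrap a string value in an array …
    // A misspelled value would silently disable the state/PKCE checks in the
    // callback handlers, so reject anything outside the known set.
    const knownProtections = ['state', 'pkce', 'none']
    const unknown = (provider.protection ?? []).filter((p) => !knownProtections.includes(p))
    if (unknown.length > 0) {
      throw new Error(`Unknown protection "${unknown.join('", "')}" for provider "${provider.id}"`)
    }
  }
```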
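Review bot: The optional chaining in the new `if (!provider.protection?.includes('pkce'))` line makes an unset `protection` indistinguishable from an explicit opt-out, and since index.js now only wraps string values for OAuth 2.x providers, a string can still reach this check, where `String.prototype.includes` does a substring match rather than a list lookup. The same pattern appears in handleSignin in this file and in both state-handler hunks; a single guard that states the expected shape would be `if (!Array.isArray(provider.protection) || !provider.protection.includes('pkce')) {` with the comment `// protection is normalized to an array in index.js; anything else means "no PKCE"`. handleCallback's body continues outside the hunk, so whether the surrounding try/catch reports a skipped check is not visible here.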
@@ -50,7 +51,7 @@ export async function handleCallback (req, res) {
 export async function handleSignin (req, res) {
   const { cookies, provider, baseUrl, basePath } = req.options
   try {
-    if (!provider.protection.includes('pkce')) { // Provider does not support PKCE, nothing to do.
+    if (!provider.protection?.includes('pkce')) { // Provider does not support PKCE, nothing to do.
       return
     }
     // Started login flow, add generated pkce to req.options and (encrypted) code_verifier to a cookie
diff --git a/src/server/lib/oauth/state-handler.js b/src/server/lib/oauth/state-handler.js
index 01815045d9..8c866f62fb 100644
--- a/src/server/lib/oauth/state-handler.js
+++ b/src/server/lib/oauth/state-handler.js
@@ -12,7 +12,8 @@ import { OAuthCallbackError } from '../../../lib/errors'
 export async function handleCallback (req, res) {
   const { csrfToken, provider, baseUrl, basePath } = req.options
   try {
-    if (!provider.protection.includes('state')) { // Provider does not support state, nothing to do.
+    // Provider does not support state, nothing to do.
+    if (!provider.protection?.includes('state')) {
       return
     }
 
@@ -41,7 +42,7 @@ export async function handleCallback (req, res) {
 export async function handleSignin (req, res) {
   const { provider, baseUrl, basePath, csrfToken } = req.options
   try {
-    if (!provider.protection.includes('state')) { // Provider does not support state, nothing to do.
+    if (!provider.protection?.includes('state')) { // Provider does not support state, nothing to do.
       return
     }
 