Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

NEXTAUTH_SECRET unnecessary when using own encode/decode

See original GitHub issue

Question 💬

Hi @balazsorban44,

in https://github.com/nextauthjs/next-auth/blob/3ec3761634f7953acc52d460e8bb0b2a678d7703/packages/next-auth/src/core/lib/assert.ts#L39-L45 you always will check and warn due to assertConfig if the env NEXTAUTH_SECRET (regarding options.secret) is set.

When running own signing and verification by self-developed encode/decode function this makes no sense.

In addition that makes it necessary to set some DUMMY VALUE just to come above the assert ???

If this assert should still exist in future better check also encode/decode in assertConfig.

  if (!options.secret && !options.encode && !options.decode) {
    if (process.env.NODE_ENV === "production") {
      return new MissingSecret("Please define a `secret` in production.")
    } else {
      return "NO_SECRET"
    }
  }

For my point of view it is also a security vulnerability in case to expose an env value which is not ever used for function.

How to reproduce ☕️

Don’t give a value to NEXTAUTH_SECRET or options.secret in jwt config.

Contributing 🙌🏽

Yes, I am willing to help answer this question in a PR

Issue Analytics

State:
Created 2 years ago
Comments:5 (5 by maintainers)

Top GitHub Comments

1reaction

TomFreudenbergcommented, Feb 23, 2022

PS. Feel free to not tag me for no reason when simply opening a new issue I won’t give more attention to the issue, and I do read all issues anyway. 😊

Sorry for tagging you - got that

0reactions

TomFreudenbergcommented, Mar 3, 2022

Got it - thanks for taking time