fix: throw MissingSecret when secret missing #10305

Merged: 4 commits, Mar 25, 2024

@ndom91 ndom91 commented Mar 13, 2024

☕️ Reasoning

  • We had thrown MissingSecret if config.secret wasn't set, but not early enough in the flow, so a missing AUTH_SECRET got through in early signin and threw a mysterious error when passed to hkdf
  • Added another throw of this error if AUTH_SECRET isn't set in our core setEnvDefaults fn, since that's the only core place where one of config.secret or AUTH_SECRET should definitely have been set already. If you know a better place for it I'm all ears though 👍

Previous error msg on missing AUTH_SECRET:

image

New error msg:

image

🧢 Checklist

  • Documentation
  • Tests
  • Ready to be merged

@ndom91 ndom91 requested a review from ThangHuuVu as a code owner March 13, 2024 21:28
@ndom91 ndom91 requested a review from balazsorban44 March 13, 2024 21:28
@github-actions github-actions bot added the core Refers to `@auth/core` label Mar 13, 2024

codecov bot commented Mar 13, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.77%. Comparing base (5ea8b7b) to head (24c5ea3).

Additional details and impacted files
@@             Coverage Diff             @@
##             main   #10305       +/-   ##
===========================================
+ Coverage   39.37%   80.77%   +41.39%     
===========================================
  Files         171       12      -159     
  Lines       27278     2445    -24833     
  Branches     1165      160     -1005     
===========================================
- Hits        10742     1975     -8767     
+ Misses      16536      470    -16066     


@ndom91 ndom91 merged commit aafa6dd into main Mar 25, 2024
14 of 15 checks passed
@ndom91 ndom91 deleted the ndom91/throw-missing-secret branch March 25, 2024 13:28
DonikaV commented Mar 27, 2024

I have AUTH_SECRET in my .yaml file and it works in beta.5 but in beta.16 I am getting
Missing secret, please set AUTH_SECRET or config.secret.

@DuarteMartinho

Bump! I'm also getting "Missing secret, please set AUTH_SECRET or config.secret. Read more at https://errors.authjs.dev#missingsecret"

In my .env I have tried

AUTH_SECRET and NEXTAUTH_SECRET

Also tried setting it to SECRET and using that in auth.js in config and setting config.secret to that...

Also localhost works, but in CI or in Production seems to break

Screenshots from CI
image

Screenshot from production environment (only shows error on client console, there are no logs)
image

@ThangHuuVu @ndom91

ndom91 commented Mar 27, 2024

Hey folks, yeah so setting the secret option on your main config or the AUTH_SECRET env var should be enough to not trigger this. Looking into it..

@DuarteMartinho

Checked my production container for environment variable and AUTH_SECRET is set

image

@ndom91 Let me know what to do as this is kind of urgent, thanks!

@DuarteMartinho

@DonikaV Found a fix for now

Use beta15 instead of beta16

@LoisDuplain

Please revert this merge.

ndom91 commented Mar 30, 2024

I can't reproduce this in dev and prod builds of SvelteKit apps with Auth.js nor in dev / prod Next.js apps 🤔

Can you all provide some more details about your setups?

@adamspotlite

@ndom91 we're building a container with nextjs and then we ship the .env at runtime so the secrets aren't exposed in the container.. what's the suggested workaround here?

DonikaV commented Apr 2, 2024

I am not an ops specialist. I only know that we could containers in GitHub CI and using a Docker file along with the yaml files for each of the environments. And the beta15 version also has errors in the production build. So the last working version is beta.5 😀

@bpo-impact

Having same issue as @adamspotlite we keep our secrets in aws secret manager and they are not available at build step only at runtime. We need to be able to build the code and then at runtime pass the secret.

jdmnk commented Apr 2, 2024

Facing the same issue where secret is not known at build time and this change breaks the build if the secret is only known at runtime.
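
The two concerns in this thread, a missing secret reaching hkdf with an unclear error and a secret that only exists at runtime, can be illustrated together. This is an added example, not Auth.js code or any participant's code: `resolveSecret`, `createAuth`, `deriveKey`, `unguardedErrorName`, the lookup order, and the salt/info strings are assumptions made for the illustration.

```javascript
// Added example (not Auth.js source). All function names here are hypothetical.
const { hkdfSync } = require("node:crypto");

class MissingSecret extends Error {
  constructor() {
    super("Missing secret, please set AUTH_SECRET or config.secret.");
    this.name = "MissingSecret";
  }
}

// First non-blank string wins. Checking config.secret before AUTH_SECRET is an
// assumption of this example; undefined, "" and whitespace all count as missing.
function resolveSecret(config, env) {
  for (const candidate of [config.secret, env.AUTH_SECRET]) {
    if (typeof candidate === "string" && candidate.trim() !== "") return candidate;
  }
  throw new MissingSecret();
}

// Stand-in key derivation using Node's HKDF; salt and info are constructed values.
function deriveKey(secret) {
  return Buffer.from(hkdfSync("sha256", secret, "example-salt", "example-info", 32));
}

// Creating the auth object never reads the secret, so a build without AUTH_SECRET
// succeeds. The secret is resolved on every use, so a value injected at runtime is
// picked up, and a missing one fails closed before any key is derived.
function createAuth(config, env) {
  return { encryptionKey: () => deriveKey(resolveSecret(config, env)) };
}

// What happens with no guard: the undefined secret reaches HKDF and the caller
// sees a generic argument error instead of a named configuration error.
function unguardedErrorName(env) {
  try {
    deriveKey(env.AUTH_SECRET);
    return null;
  } catch (err) {
    return err.name;
  }
}

// Constructed scenario: the environment has no secret at first, then gains one.
const runtimeEnv = {};
const auth = createAuth({}, runtimeEnv);
console.log("unguarded:", unguardedErrorName(runtimeEnv));
try { auth.encryptionKey(); } catch (err) { console.log("guarded:", err.name); }
runtimeEnv.AUTH_SECRET = "constructed-secret-for-demo";
console.log("key bytes:", auth.encryptionKey().length);
```
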

JipSterk pushed a commit to JipSterk/next-auth that referenced this pull request Apr 3, 2024
* feat: throw for missing secret

* fix: env tests for missing secret

---------

Co-authored-by: Thang Vu <[email protected]>
laeo commented Apr 10, 2024

Can't preview or deploy to Cloudflare Pages, when trying preview it reports same ERROR message.

@jacogasp

Hello everyone,

Bump! I'm also getting "Missing secret, please set AUTH_SECRET or config.secret. Read more at

Same behaviour here. I'm receiving the error message even if I set up AUTH_SECRET in .env file.
I tried the following cases:

  1. Simply set AUTH_SECRET as env variable: not working
  2. Set AUTH_SECRET env variable and in auth config I set secret: process.env.AUTH_SECRET: not working
  3. Hardcoding the secret secret: "foo" into the auth config: it works.

What is really weird to me is that if I do a console.log(process.env.AUTH_SECRET) it correctly prints the secret:

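// auth.config.ts
import type { NextAuthConfig } from "next-auth";

console.log("secret:", process.env.AUTH_SECRET);

export const authConfig: NextAuthConfig = {
  providers: [], // provider list elided in the original post
  secret: process.env.AUTH_SECRET,
  // ...remaining options elided in the original post
};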

and the output is

> next dev -p 8080

  ▲ Next.js 14.2.1
  - Local:        http://localhost:8080
  - Environments: .env

 ✓ Starting...
 ✓ Ready in 5.6s
 ○ Compiling /src/middleware ...
 ✓ Compiled /src/middleware in 928ms (220 modules)
secret: foo
 ○ Compiling / ...
 ✓ Compiled / in 3s (1894 modules)
secret: foo
secret: foo
 GET / 200 in 3956ms
 GET / 200 in 3673ms

proving that the secret is valid each time the config is invoked. But still I receive the missing AUTH_SECRET error.

Unhandled Runtime Error

MissingSecret: Missing secret, please set AUTH_SECRET or config.secret. Read more at https://errors.authjs.dev#missingsecret


src/auth.ts (4:61) @ authConfig

  2 | import { authConfig } from "./auth.config";
  3 |
> 4 | export const { auth, handlers, signIn, signOut } = NextAuth(authConfig);
    |                                                             ^

Tried also with NEXTAUTH_SECRET but same result.

Apparently hardcoding the secret in the auth config is the only working method.
I'm currently testing v5 beta 16
