feat: make missing secret an error #3143
Codecov Report
@@ Coverage Diff @@
## beta #3143 +/- ##
==========================================
- Coverage 13.86% 13.60% -0.26%
==========================================
Files 87 88 +1
Lines 1363 1389 +26
Branches 354 362 +8
==========================================
Hits 189 189
- Misses 1163 1189 +26
Partials 11 11
Continue to review full report at Codecov.
Looks good 👏🏽 ✅
I moved the user config assertion to the core, and refactored the code so that in case of a configuration error, we either render the default error page or redirect to the user's custom one. The error is still logged through
🎉 Experimental release published on npm! npm i [email protected] yarn add [email protected]
Pair review, looking great 💪🏽
BREAKING CHANGE: It is now required to set a `secret` in production.
If no `secret` is specified in `NextAuthOptions`, `next-auth` generates one based on the user configuration. If the user does not use an OAuth provider, the generated secret will not contain enough entropy. Someone could guess the user's config, thus gaining access to the JWT encryption method. We already make this clear in the docs by saying:

This PR makes this an error in production.
The corresponding documentation is also made more clear, see nextauthjs/docs#103
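
The behaviour described in this PR, sketched as an added example (not next-auth's code and not part of the PR): a config-derived secret is identical for any two deployments with the same options, and a missing `secret` in production becomes an error that is rendered or redirected. The function names, the `NO_SECRET` code, the hashing scheme and the `?error=Configuration` parameter are assumptions for illustration.

```javascript
// Added example, not next-auth's source. All function names are hypothetical.
const { createHash, randomBytes } = require("node:crypto");

// Assumed shape of a config-derived fallback: hash the serialized options.
// The output is 256 bits long, but its entropy is only that of the input.
function deriveSecretFromConfig(options) {
  return createHash("sha256").update(JSON.stringify(options)).digest("hex");
}

class MissingSecretError extends Error {
  constructor() {
    super("Please define a `secret` in production.");
    this.name = "MissingSecretError";
    this.code = "NO_SECRET"; // hypothetical error code
  }
}

// Returns an error to surface in production; in development it only warns.
function assertSecret(options, nodeEnv, warn = console.warn) {
  if (options.secret) return null;
  if (nodeEnv === "production") return new MissingSecretError();
  warn("NO_SECRET: falling back to a config-derived secret (development only)");
  return null;
}

// Decide what a request gets: normal handling, the default error page,
// or a redirect to the user's custom error page when one is configured.
function resolveRequest(options, nodeEnv) {
  const error = assertSecret(options, nodeEnv, () => {});
  if (!error) {
    return { status: 200, secret: options.secret ?? deriveSecretFromConfig(options) };
  }
  const custom = options.pages && options.pages.error;
  return custom
    ? { status: 302, redirect: `${custom}?error=Configuration` }
    : { status: 500, body: "Configuration error: see server logs" };
}

// Constructed sample configs: no OAuth provider, so nothing secret in them.
const siteA = { providers: [{ id: "credentials" }], session: { jwt: true } };
const siteB = { providers: [{ id: "credentials" }], session: { jwt: true } };
const generated = randomBytes(32).toString("hex"); // what `secret` should hold
```
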