Fix: 13142 - Replace only the pathname from signin to callback instead of the whole url #13162

Open
rachirib wants to merge 3 commits into nextauthjs:main from rachirib:fix/13142

@rachirib rachirib commented Aug 5, 2025
☕️ Reasoning

There is an edge case where the word signin might be in the hostname;
the current code on the main branch will override the hostname and break the callback call.

This PR intends to solve that by creating a URL object out of the string, then replacing the pathname as required,
then returning the transformed string back to the url variable.

Additionally the following changes were added:

  • Sample page on apps/dev/nextjs on the app router that uses auth module to signin the user
  • Fix dependencies on the apps/dev/nextjs for react and react-dom; the current setup triggers a useState(null) on Page router pages.

🧢 Checklist

  • Documentation
  • Tests
  • Ready to be merged

🎫 Affected issues

Fixes: #13142

📌 Resources

rachirib added 3 commits August 4, 2025 15:55
Pages are not compatible with 19.x; this makes sure only one version of react is along the libraries.
Users might use the `auth` module and create custom login forms.
This allows us to test these workflows.
Instead of replacing any word in the URL, replace only the pathname.
 13142
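The edge case described in this PR, as an added example that is not code from the pull request or from the Auth.js project: a whole-URL string replace next to a pathname-only rewrite, with an origin check a regression test could use. Function names and the example.com URLs are constructed, the naive form is an assumption about what whole-URL replacement looks like, and the rewrite goes slightly beyond the PR by matching only a path segment that is exactly `signin`.

```javascript
// Added example (not Auth.js source). Names and URLs are constructed.

// Assumed shape of the bug: a string pattern in String.prototype.replace
// rewrites the first occurrence anywhere in the URL. When the hostname
// contains "signin", that first occurrence is in the hostname.
function naiveSigninToCallback(url) {
  return url.replace("signin", "callback");
}

// Pathname-only rewrite: parse the URL, change only the first path segment
// that is exactly "signin", and serialize. Host, query and fragment are kept.
function pathnameSigninToCallback(url) {
  const parsed = new URL(url);
  const segments = parsed.pathname.split("/");
  const idx = segments.indexOf("signin");
  if (idx === -1) return parsed.toString(); // no signin segment: unchanged
  segments[idx] = "callback";
  parsed.pathname = segments.join("/");
  return parsed.toString();
}

// Regression check: a rewrite must never move the request to another origin.
function sameOrigin(before, after) {
  return new URL(before).origin === new URL(after).origin;
}

// Constructed sample URLs covering the hostname, query and near-miss cases.
const samples = [
  "https://signin.example.com/api/auth/signin/credentials",
  "https://app.example.com/api/auth/signin/credentials?callbackUrl=%2Fsignin",
  "https://app.example.com/api/auth/signin-help",
];

function compare(urls) {
  return urls.map((url) => {
    const naive = naiveSigninToCallback(url);
    const fixed = pathnameSigninToCallback(url);
    return { url, naive, fixed, naiveOk: sameOrigin(url, naive), fixedOk: sameOrigin(url, fixed) };
  });
}

console.table(compare(samples));
```
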

vercel bot commented Aug 5, 2025

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name | Status | Preview | Comments | Updated (UTC)
auth-docs | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | Aug 5, 2025 11:43pm

1 Skipped Deployment

Name | Status | Preview | Comments | Updated (UTC)
next-auth-docs | ⬜️ Ignored (Inspect) | Visit Preview | | Aug 5, 2025 11:43pm


vercel bot commented Aug 5, 2025

@rachirib is attempting to deploy a commit to the authjs Team on Vercel.

A member of the Team first needs to authorize it.


Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert (click "▶" to expand/collapse)
Warn Critical
esbuild-plugin-polyfill-node@0.2.0 is a Possible typosquat attack.

Did you mean: @esbuild-plugins/node-globals-polyfill

From: apps/examples/qwik/pnpm-lock.yaml → npm/esbuild-plugin-polyfill-node@0.2.0

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Use care when consuming similarly named packages and ensure that you did not intend to consume a different package. Malicious packages often publish using similar names as existing popular packages.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild-plugin-polyfill-node@0.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
form-data@3.0.3 has a Critical CVE.

CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL)

Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4

Patched version: 3.0.4

From: apps/examples/qwik/pnpm-lock.yaml → npm/form-data@3.0.3

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/form-data@3.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Reviewers

  • ThangHuuVu: awaiting requested review (code owner)
  • ndom91: awaiting requested review (code owner)
  • balazsorban44: awaiting requested review (code owner)

At least 1 approving review is required to merge this pull request.

Development

Successfully merging this pull request may close these issues.

Credential provider with custom sign in page and a hostname with signin word gets replaced by callback