bug: handleSignIn used wrong URL for callback url check #968

Closed as not planned
@leric

Describe the bug

https://github.com/logto-io/js/blob/master/packages/next/server-actions/index.ts#L60

In this function handleSignIn, if the passed-in param searchParamsOrUrl is not an instance of URL, it will construct a bad URL for client.handleSignInCallback to handle.

In the Next.js (App Router) tutorial, the sample code does pass a URLSearchParams as searchParamsOrUrl, so if your redirect URL is not /callback, it will throw the error callback_uri_verification.redirect_uri_mismatched

Expected behavior

Use the sample code given by Next.js (App Router) tutorial:

```ts
import { handleSignIn } from '@logto/next/server-actions';
import { redirect } from 'next/navigation';
import { NextRequest } from 'next/server';
import { logtoConfig } from '../logto';

export async function GET(request: NextRequest) {
  const searchParams = request.nextUrl.searchParams;
  await handleSignIn(logtoConfig, searchParams);

  redirect('/');
}
```

Should handle login callback correctly.

How to reproduce?

Set the redirect URI to any URL other than http://hostname/callback, e.g. http://localhost:3000/api/auth/callback
handleSignIn will check the actual redirect URL against http://hostname/callback, resulting in a 'callback_uri_verification.redirect_uri_mismatched' error

Environment

Logto Cloud

Screenshots

No response
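
A simplified model of the mismatch reported above, added here as an example and not taken from the Logto SDK. The function names, the sample request URL and the exact comparison (origin plus path) are assumptions made for illustration; only the `/callback` fallback and the `/api/auth/callback` redirect URI come from the report.

```typescript
// Hypothetical model of the reported behaviour; not Logto's implementation.
// Assumed names: buildCallbackUrl, matchesRedirectUri, baseUrl, registeredRedirectUri.

const baseUrl = 'http://localhost:3000';
const registeredRedirectUri = 'http://localhost:3000/api/auth/callback';

// Constructed sample of the request the browser makes after sign-in.
const incomingRequestUrl =
  'http://localhost:3000/api/auth/callback?code=sample-code&state=sample-state';

// Mirrors the report: a URL instance is used as-is, while bare search params
// carry no path, so they end up attached to an assumed "/callback" path.
function buildCallbackUrl(base: string, searchParamsOrUrl: URLSearchParams | URL): URL {
  if (searchParamsOrUrl instanceof URL) {
    return searchParamsOrUrl;
  }
  return new URL(`${base}/callback?${searchParamsOrUrl.toString()}`);
}

// Redirect URI verification in this model: origin and path must match exactly;
// the query string (code, state) is not part of the comparison.
function matchesRedirectUri(callbackUrl: URL, redirectUri: string): boolean {
  const expected = new URL(redirectUri);
  return callbackUrl.origin === expected.origin && callbackUrl.pathname === expected.pathname;
}

// Route handler passes only the search params: the real path is lost.
function checkWithSearchParams(): boolean {
  const params = new URL(incomingRequestUrl).searchParams;
  return matchesRedirectUri(buildCallbackUrl(baseUrl, params), registeredRedirectUri);
}

// Route handler passes the full request URL: the real path is preserved.
function checkWithFullUrl(): boolean {
  const url = new URL(incomingRequestUrl);
  return matchesRedirectUri(buildCallbackUrl(baseUrl, url), registeredRedirectUri);
}

console.log('searchParams only passes verification:', checkWithSearchParams());
console.log('full request URL passes verification:', checkWithFullUrl());
```

The strict comparison is the part worth keeping: exact redirect URI matching is what stops an authorization code from being accepted at an unregistered endpoint, so the defect in this model is the reconstructed path, not the check.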
