How to handle a bad login error response with Sign In callback and a custom JWT credential provider #1563
-
|
Hi, I have been trying to deal with this without success. I'm using the credential provider with a custom backend and I'm trying to send an error when a user sends a bad password/email while trying to login. What I have done so far is trying to return an error in the sign In callback if the user.accessToken does not exist but I think it's only allowed to return a false boolean because if I return something else there is no error. What would be the proper way to handle this situation with crendentials? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 8 replies
-
|
You probably want to check out the redirect: false option of the signIn client-side method https://next-auth.js.org/getting-started/client#using-the-redirect-false-option Just for extra info, the signin callback is supposed to return a boolean, or a string (an url to redirect to in case an error occurs for example) which will cancel the login flow if false or a string. |
Beta Was this translation helpful? Give feedback.
-
|
@balazsorban44 I understand the security concern of discriminating between accounts not existing vs bad credentials etc... but what about service level errors? For example if our authentication service is down, users still get the same CredentialsSignIn error (which we message with "invalid username or password") and keep trying different credential pairs that will never work. |
Beta Was this translation helpful? Give feedback.
-
|
I'm implementing authjs v5 right now at my company, and i'm facing a similar issue. As @MattJustMatt pointed out, there is some service level errors that i need to have access in the client side to show to the user. For example, our company has to have a higher security, so, we have a rule that if a user tries and fails to log in a few times, that user gets blocked for some time. The way authjs works now, i cant show to my user that his account is blocked, only "invalid credentials" or something else, so he keeps trying not knowing that his user is actually blocked and that is just one of many use-cases we have here on error handling. Is it possible to think of a possibility to add custom error handling in a near future ? PS: i'm using the credentials provider, the only one allowed in our company. |
Beta Was this translation helpful? Give feedback.
-
|
@balazsorban44 , same issue as @igorbattaglion here |
Beta Was this translation helpful? Give feedback.
-
|
Apparently it's possible now! I asked our friend on Twitter and he replied with this, but haven't tried it yet! https://x.com/balazsorban44/status/1796360633107280311 @BrianRobertoRocha @igorbattaglion |
Beta Was this translation helpful? Give feedback.
-
|
@MattJustMatt Thank you for that, just tried and now it's working, i can show custom server errors to the client now |
Beta Was this translation helpful? Give feedback.
You probably want to check out the redirect: false option of the signIn client-side method https://next-auth.js.org/getting-started/client#using-the-redirect-false-option
Just for extra info, the signin callback is supposed to return a boolean, or a string (an url to redirect to in case an error occurs for example) which will cancel the login flow if false or a string.