/api/auth/callback/credentials returns a 302, shouldn't it return a 200?

[KLagdani]

Your question
/api/auth/callback/credentials returns a 302, shouldn't it return a 200?

What are you trying to do
When trying to signin with Credentials using the call to /api/auth/callback/credentials with a login/password and a csrfToken, the returned response is a 302, why is that? Shouldn't it return a 200?

The session is created which means that the signin did work, still I get a 302 response.

Also, what should the response actually be if successful?

Feedback
I followed the exact same steps in the documentation on here for using a custom signin page:
https://next-auth.js.org/configuration/pages#credentials-sign-in

• Found the documentation helpful
• Found documentation but was incomplete
• Could not find relevant documentation
• Found the example project helpful
• Did not find the example project helpful

Thank you !

[iaincollins]

This endpoint returns an HTTP 302 because it needs to be able to redirect a client either to the callback URL (if successful) or to an error page (if not successful), which isn't possible with an HTTP 200 response.

It is up to the destination (e.g. the callback URL, or error page) to return an HTTP 200 (or some other status code). Commonly request libraries resolve redirects automatically as their default behaviour which covers cases like this.

Is there a particular reason for asking? (e.g. are you trying to handle success/failed responses better on a custom page?)

[iaincollins]

^ I ask because we have had recently had people asking about this and I think we have scope to maybe provide some more detailed examples and/or enhanced API behaviour.

If you are looking to do a custom sign in page page, note that you can customise both the error page and the sign in page and point both at the same URL (e.g. /signin) this provides a simple way to handle errors callbacks (e.g. /signin?error=ERROR_CODE).

Using a post submission and customising the error URL is the supported way of doing this right now.

If you want to do something a bit fancier, you can also pass json: true to the sign in URL to request a response in JSON rather than a 302. This is an undocumented internal feature a few folks have discovered and leveraged.

const res = await fetch('/api/auth/signin/credentials', {
  method: 'post',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  },
  body: _encodedForm({
    ...args,
    csrfToken: await getCsrfToken(),
    callbackUrl: 'http://localhost:3000/signin',
    json: true
  })
})
const data = await res.json()
const url = data.url

The response just contains a URL object currently, but we are considering adding an error object to it for unsuccessful responses, to make it easier to handle errors within JavaScript. We might make some changes to the client API to facilitate this too.

[KLagdani]

Is there a particular reason for asking? (e.g. are you trying to handle success/failed responses better on a custom page?)

That is exactly what I was trying to do: handle success/failed responses better on a custom page.

Thank you for your response, I think an example project with Custom Credentials and a custom login page would be highly appreciated :)

[alexandrepaiva-dev]

@iaincollins I'm also trying to handle the URL error in a custom page to display a customized error message to the user without a page redirection, I did what you suggested in your last comment but it's always returning the same response, for example:

Response {type: "basic", url: "http://localhost:3000/signin?callbackUrl=http://localhost:3000/signin", redirected: true, status: 200, ok: true, …}

It looks like the fetch request isn't even reaching the credentials provider inside /api/auth/[...nextauth].js

If I use signIn("credentials", { username: "someuser", password: "pw123" }); it works fine, but with the redirection.

Please any idea how to fix it? Thank you

[wkocjan]

@alexandrepaivaa

I experienced the same problem and what helped for me was changing the request's url from /api/auth/signin/credentials to /api/auth/callback/credentials.

[alexandrepaiva-dev]

@wkocjan that's working now, thanks!!

[DragoshDX]

Hello, I am having this exact same issue, which I've re-documented in this discussion:
#995

I did add json: true to my POST request, but it still doesn't seem to return any response that I can handle and redirect the user with my SPA's router.
I switched from /callback/credentials and /signin/credentials and I just get (sometimes a 302 response) "could not load response data".

Sorry to say, but while I salute the intention of having these authentication systems safer, people really do need credentials login. And of course SPA support. I believe a working example of how we can customize the credentials page so it can create true SPA behavior and not refresh the page is key to the credentials provider.

[ishtiaq363]

I am trying to implement next-auth in next-js. when I try to sing in It gives
POST /api/auth/callback/credentials 302 in 1703ms
│
└──── POST http://localhost:3000/api/users 200 in 1607ms (cache: MISS)
user object is fine but there is no value for session. please guide me how to fix it. thaks

[Apoorv3000]

Did you find a solution for this yet?

[waqas-raja]

did you find any solution for this? i am getting the response from the callback and i can check it by console.log but still i am facing the access denied message.

[mendoanjoe]

Add

callbacks: {
    async jwt({ token, user }) {
      if (user) {
        token.id = Number(user.id);
        token.image = user.image;
      }
      return token;
  },
  async session({ session, token }) {
      if (session?.user) {
        session.user.id = String(token.id);
      }
      return session;
  }
},
{ strategy: "jwt" }