You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
While authenticating with the email provider, the current flow is as follows:
Send the user's email to email.ts.
The route creates a temporary JWT which is then sent it in an email to the user.
Store the temp JWT in the database.
Redirect the user to the "verify-request" page.
Upon clicking the link on the email:
The callback API generates a JWT.
The JWT is returned and stored in a cookie.
The main issue arises from the fact that the JWT token gets stored in the browser that clicks on the link, rather than the browser that initiated the authentication flow.
For example, if a user starts the authentication flow on their desktop but receives a notification on their phone to verify the email and completes the verification on the phone, the desktop browser does not receive the authentication cookie, while the mobile browser does. A similar situation occurs when using an email client on the desktop that opens links in the default browser, such as Apple's email client defaulting to Safari. This can create discrepancies when the authentication flow was initiated in a different browser like Chrome or Firefox.
How to reproduce
Ensure you have a nextjs project with next-auth and an email provider. then, use a different device or browser to verify the request.
Expected behavior
For the email provider, api/callback should not return the JWT directly, instead when the browser initiates an authentication flow, it should receive a JWT with a flag indicating that it's waiting for email verification. Once the email is verified, the flag should be updated.
providerstriageUnseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.
1 participant
Converted from issue
This discussion was converted from issue #8303 on August 12, 2023 10:55.
Heading
Bold
Italic
Quote
Code
Link
Numbered list
Unordered list
Task list
Attach files
Mention
Reference
Menu
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Provider type
Email
Environment
"next": "13.4.13"
"next-auth": "^4.23.0"
"react": "18.2.0"
"nodemailer": "^6.9.4"
Node v20.4.0
OSX 13.4.1
Reproduction URL
.
Describe the issue
While authenticating with the email provider, the current flow is as follows:
Upon clicking the link on the email:
The main issue arises from the fact that the JWT token gets stored in the browser that clicks on the link, rather than the browser that initiated the authentication flow.
For example, if a user starts the authentication flow on their desktop but receives a notification on their phone to verify the email and completes the verification on the phone, the desktop browser does not receive the authentication cookie, while the mobile browser does. A similar situation occurs when using an email client on the desktop that opens links in the default browser, such as Apple's email client defaulting to Safari. This can create discrepancies when the authentication flow was initiated in a different browser like Chrome or Firefox.
How to reproduce
Ensure you have a nextjs project with next-auth and an email provider. then, use a different device or browser to verify the request.
Expected behavior
For the email provider, api/callback should not return the JWT directly, instead when the browser initiates an authentication flow, it should receive a JWT with a flag indicating that it's waiting for email verification. Once the email is verified, the flag should be updated.
Beta Was this translation helpful? Give feedback.
All reactions