fix(core): return JSON for non-HTML server route errors (#5442)

balazsorban44 · web-flow · commit 6deccf610fa1 · 2022-09-28T17:01:39.000+01:00
* fix(core): return JSON for non-HTML server route errors

* refactor: throw in `unstable_getServerSession`

* test: expect `unstable_getServerSession` to throw

* refactor: destructure

* fix unrelated test formatting

* catch error page
diff --git a/packages/next-auth/src/core/index.ts b/packages/next-auth/src/core/index.ts
@@ -94,13 +94,21 @@ export async function NextAuthHandler<
     assertionResult.forEach(logger.warn)
   } else if (assertionResult instanceof Error) {
     // Bail out early if there's an error in the user config
-    const { pages, theme } = userOptions
     logger.error(assertionResult.code, assertionResult)
 
+    const htmlPages = ["signin", "signout", "error", "verify-request"]
+    if (!htmlPages.includes(req.action) || req.method !== "GET") {
+      const message = `There is a problem with the server configuration. Check the server logs for more information.`
+      return {
+        status: 500,
+        headers: [{ key: "Content-Type", value: "application/json" }],
+        body: { message } as any,
+      }
+    }
+    const { pages, theme } = userOptions
+
     const authOnErrorPage =
-      pages?.error &&
-      req.action === "signin" &&
-      req.query?.callbackUrl.startsWith(pages.error)
+      pages?.error && req.query?.callbackUrl?.startsWith(pages.error)
 
     if (!pages?.error || authOnErrorPage) {
       if (authOnErrorPage) {
diff --git a/packages/next-auth/src/next/index.ts b/packages/next-auth/src/next/index.ts
@@ -118,12 +118,14 @@ export async function unstable_getServerSession(
     },
   })
 
-  const { body, cookies } = session
+  const { body, cookies, status = 200 } = session
 
   cookies?.forEach((cookie) => setCookie(res, cookie))
 
-  if (body && typeof body !== "string" && Object.keys(body).length)
-    return body as Session
+  if (body && typeof body !== "string" && Object.keys(body).length) {
+    if (status === 200) return body as Session
+    throw new Error((body as any).message)
+  }
 
   return null
 }
diff --git a/packages/next-auth/tests/getServerSession.test.ts b/packages/next-auth/tests/getServerSession.test.ts
@@ -47,17 +47,19 @@ describe("Treat secret correctly", () => {
   })
 
   it("Error if missing NEXTAUTH_SECRET and secret", async () => {
-    const session = await unstable_getServerSession(req, res, {
-      providers: [],
-      logger,
-    })
+    const configError = new Error(
+      "There is a problem with the server configuration. Check the server logs for more information."
+    )
+    await expect(
+      unstable_getServerSession(req, res, { providers: [], logger })
+    ).rejects.toThrowError(configError)
 
-    expect(session).toEqual(null)
     expect(logger.error).toBeCalledTimes(1)
     expect(logger.error).toBeCalledWith("NO_SECRET", expect.any(MissingSecret))
   })
 
   it("Only logs warning once and in development", async () => {
+    process.env.NEXTAUTH_SECRET = "secret"
     // Expect console.warn to NOT be called due to NODE_ENV=production
     await unstable_getServerSession(req, res, { providers: [], logger })
     expect(console.warn).toBeCalledTimes(0)
@@ -71,6 +73,7 @@ describe("Treat secret correctly", () => {
     // Expect console.warn to be still only be called ONCE
     await unstable_getServerSession(req, res, { providers: [], logger })
     expect(console.warn).toBeCalledTimes(1)
+    delete process.env.NEXTAUTH_SECRET
   })
 })
 
diff --git a/packages/next-auth/tests/middleware.test.ts b/packages/next-auth/tests/middleware.test.ts
@@ -1,40 +1,40 @@
 import { NextMiddleware } from "next/server"
-import { NextAuthMiddlewareOptions, withAuth } from "../next/middleware"
+import { NextAuthMiddlewareOptions, withAuth } from "../src/next/middleware"
 
 it("should not match pages as public paths", async () => {
   const options: NextAuthMiddlewareOptions = {
     pages: {
       signIn: "/",
-      error: "/"
+      error: "/",
     },
-    secret: "secret"
+    secret: "secret",
   }
 
   const nextUrl: any = {
     pathname: "/protected/pathA",
     search: "",
-    origin: "http://127.0.0.1"
+    origin: "http://127.0.0.1",
   }
   const req: any = { nextUrl, headers: { authorization: "" } }
 
   const handleMiddleware = withAuth(options) as NextMiddleware
-  const res = await handleMiddleware(req, null)
+  const res = await handleMiddleware(req, null as any)
   expect(res).toBeDefined()
-  expect(res.status).toBe(307)
+  expect(res?.status).toBe(307)
 })
 
 it("should not redirect on public paths", async () => {
   const options: NextAuthMiddlewareOptions = {
-    secret: "secret"
+    secret: "secret",
   }
   const nextUrl: any = {
     pathname: "/_next/foo",
     search: "",
-    origin: "http://127.0.0.1"
+    origin: "http://127.0.0.1",
   }
   const req: any = { nextUrl, headers: { authorization: "" } }
 
   const handleMiddleware = withAuth(options) as NextMiddleware
-  const res = await handleMiddleware(req, null)
+  const res = await handleMiddleware(req, null as any)
   expect(res).toBeUndefined()
 })
