fix(core): respect NEXTAUTH_SECRET in unstable_getServerSession (#4774)

balazsorban44 · web-flow · commit c194261617d4 · 2022-06-27T17:00:08.000+02:00
* fix(core): respect `NEXTAUTH_SECRET` in `unstable_getServerSession`

* add `secret` tests

* add `@types/jest`

* fix tests
diff --git a/packages/next-auth/package.json b/packages/next-auth/package.json
@@ -103,6 +103,7 @@
     "@testing-library/react": "^13.3.0",
     "@testing-library/react-hooks": "^8.0.0",
     "@testing-library/user-event": "^14.2.0",
+    "@types/jest": "^28.1.3",
     "@types/node": "^17.0.42",
     "@types/nodemailer": "^6.4.4",
     "@types/oauth": "^0.9.1",
diff --git a/packages/next-auth/src/next/index.ts b/packages/next-auth/src/next/index.ts
@@ -96,6 +96,9 @@ export async function unstable_getServerSession(
     )
 
   const [req, res, options] = args;
+  
+  options.secret = options.secret ?? process.env.NEXTAUTH_SECRET
+
   const session = await NextAuthHandler<Session | {}>({
     options,
     req: {
diff --git a/packages/next-auth/tests/assert.test.ts b/packages/next-auth/tests/assert.test.ts
@@ -1,3 +1,4 @@
+import { InvalidCallbackUrl, MissingSecret } from "../src/core/errors"
 import { handler } from "./lib"
 
 it("Show error page if secret is not defined", async () => {
@@ -10,7 +11,7 @@ it("Show error page if secret is not defined", async () => {
   expect(res.html).toMatch(/there is a problem with the server configuration./i)
   expect(res.html).toMatch(/check the server logs for more information./i)
 
-  expect(log.error).toBeCalledWith("NO_SECRET", expect.anything())
+  expect(log.error).toBeCalledWith("NO_SECRET", expect.any(MissingSecret))
 })
 
 it("Should show configuration error page on invalid `callbackUrl`", async () => {
@@ -25,7 +26,7 @@ it("Should show configuration error page on invalid `callbackUrl`", async () =>
 
   expect(log.error).toBeCalledWith(
     "INVALID_CALLBACK_URL_ERROR",
-    expect.anything()
+    expect.any(InvalidCallbackUrl)
   )
 })
 
@@ -38,6 +39,6 @@ it("Allow relative `callbackUrl`", async () => {
   expect(res.status).not.toBe(500)
   expect(log.error).not.toBeCalledWith(
     "INVALID_CALLBACK_URL_ERROR",
-    expect.anything()
+    expect.any(InvalidCallbackUrl)
   )
 })
diff --git a/packages/next-auth/tests/getServerSession.test.ts b/packages/next-auth/tests/getServerSession.test.ts
@@ -0,0 +1,53 @@
+import type { NextApiRequest } from "next"
+import { MissingSecret } from "../src/core/errors"
+import { unstable_getServerSession } from "../src/next"
+import { mockLogger } from "./lib"
+
+let originalWarn = console.warn
+let logger = mockLogger()
+
+beforeEach(() => {
+  process.env.NODE_ENV = "production"
+  process.env.NEXTAUTH_URL = "http://localhost"
+  console.warn = jest.fn()
+})
+
+afterEach(() => {
+  logger = mockLogger()
+  process.env.NODE_ENV = "test"
+  delete process.env.NEXTAUTH_URL
+  console.warn = originalWarn
+})
+
+describe("Treat secret correctly", () => {
+  const req: any = { headers: {} }
+  const res: any = { setHeader: jest.fn(), getHeader: jest.fn() }
+
+  it("Read from NEXTAUTH_SECRET", async () => {
+    process.env.NEXTAUTH_SECRET = "secret"
+    await unstable_getServerSession(req, res, { providers: [], logger })
+
+    expect(logger.error).toBeCalledTimes(0)
+    expect(logger.error).not.toBeCalledWith("NO_SECRET")
+
+    delete process.env.NEXTAUTH_SECRET
+  })
+
+  it("Read from options.secret", async () => {
+    await unstable_getServerSession(req, res, {
+      providers: [],
+      logger,
+      secret: "secret",
+    })
+
+    expect(logger.error).toBeCalledTimes(0)
+    expect(logger.error).not.toBeCalledWith("NO_SECRET")
+  })
+
+  it("Error if missing NEXTAUTH_SECRET and secret", async () => {
+    await unstable_getServerSession(req, res, { providers: [], logger })
+
+    expect(logger.error).toBeCalledTimes(1)
+    expect(logger.error).toBeCalledWith("NO_SECRET", expect.any(MissingSecret))
+  })
+})
diff --git a/packages/next-auth/tests/lib.ts b/packages/next-auth/tests/lib.ts
@@ -1,6 +1,12 @@
 import type { LoggerInstance, NextAuthOptions } from "../src"
 import { NextAuthHandler } from "../src/core"
 
+export const mockLogger: () => LoggerInstance = () => ({
+  error: jest.fn(() => {}),
+  warn: jest.fn(() => {}),
+  debug: jest.fn(() => {}),
+})
+
 export async function handler(
   options: NextAuthOptions,
   {
@@ -16,11 +22,6 @@ export async function handler(
   // @ts-ignore
   if (prod) process.env.NODE_ENV = "production"
 
-  const mockLogger: LoggerInstance = {
-    error: jest.fn(),
-    warn: jest.fn(),
-    debug: jest.fn(),
-  }
   const url = new URL(
     `http://localhost/api/auth/${path ?? "signin"}?${new URLSearchParams(
       params ?? {}
@@ -31,9 +32,10 @@ export async function handler(
       host: "",
     },
   })
+  const logger = mockLogger()
   const response = await NextAuthHandler({
     req,
-    options: { secret: "secret", ...options, logger: mockLogger },
+    options: { secret: "secret", ...options, logger },
   })
   // @ts-ignore
   if (prod) process.env.NODE_ENV = "test"
@@ -44,6 +46,6 @@ export async function handler(
       html:
         response.headers?.[0].value === "text/html" ? response.body : undefined,
     },
-    log: mockLogger,
+    log: logger,
   }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml

Original file line number	Diff line number	Diff line change
`@@ -96,6 +96,9 @@ export async function unstable_getServerSession(`
`96`	`96`	`)`
`97`	`97`
`98`	`98`	`const [req, res, options] = args;`
	`99`	`+`
	`100`	`+ options.secret = options.secret ?? process.env.NEXTAUTH_SECRET`
	`101`	`+`
`99`	`102`	`const session = await NextAuthHandler<Session \| {}>({`
`100`	`103`	`options,`
`101`	`104`	`req: {`