NextAuth.js: JWT 秘密破解应用
NextAuth.js: JWT secret breaks application
[我正在使用 Next.js (11.1.2) + NextAuth (4.0.0-beta.7) 登录 Strapi API,仅使用凭据提供程序 (JWT)。 ]
整个身份验证流程都在“处理”这个 [...nextauth].js:
import NextAuth from "next-auth"
import CredentialsProvider from 'next-auth/providers/credentials'
export default NextAuth({
providers: [
CredentialsProvider({
name: 'AppName',
credentials: {
email: {label: "Email", type: "text", placeholder: "daveglow@foomail.com"},
password: { label: "Password", type: "password" },
},
async authorize(credentials, req) {
const res = await fetch(process.env.CREDENTIALS_AUTH_URL, {
method: 'POST',
body: JSON.stringify(credentials),
headers: { "Content-Type": "application/json" }
})
const user = await res.json()
if (res.ok && user) {
return user
}
return null
}
})
],
session: {
strategy: "jwt",
maxAge: 30 * 24 * 60 * 60 // 30 days
},
pages: {
signIn: '/signin',
signOut: '/signin',
error: '/signin'
},
})
但是在用户登录几秒钟后,终端显示此消息并终止会话:
[next-auth][warn][NO_SECRET] https://next-auth.js.org/warnings#no_secret
[next-auth][error][JWT_SESSION_ERROR] https://next-auth.js.org/errors#jwt_session_error decryption operation failed {
message: 'decryption operation failed',
stack: 'JWEDecryptionFailed: decryption operation failed\n'
所以,我尝试添加:
secret: process.env.SECRET, //I've created using $ openssl rand -base64 32
然后我收到两条不同的消息
浏览器控制台:
[next-auth][error][CLIENT_FETCH_ERROR]
https://next-auth.js.org/errors#client_fetch_error
VS 代码终端:
[next-auth][error][CALLBACK_CREDENTIALS_JWT_ERROR]
https://next-auth.js.org/errors#callback_credentials_jwt_error Signin in with credentials only supported if JWT strategy is enabled UnsupportedStrategy [UnsupportedStrategyError]: Signin in with credentials only supported if JWT strategy is enabled
我尝试了几个不同的选项,但一直很混乱。
而现在,我不知道该怎么办。 :(
你能帮帮我吗?
中讨论的 beta 7 版 next-auth 中引入的错误
我升级到4.0.1版了。修复了问题。
我不是专家。但我认为这是库 NEXT auth 4.0.0
当前存在的问题
我可以使用版本“next-auth”解决问题:“^3.25.0”。
然后跟着这个 tutorial
[我正在使用 Next.js (11.1.2) + NextAuth (4.0.0-beta.7) 登录 Strapi API,仅使用凭据提供程序 (JWT)。 ]
整个身份验证流程都在“处理”这个 [...nextauth].js:
import NextAuth from "next-auth"
import CredentialsProvider from 'next-auth/providers/credentials'
export default NextAuth({
providers: [
CredentialsProvider({
name: 'AppName',
credentials: {
email: {label: "Email", type: "text", placeholder: "daveglow@foomail.com"},
password: { label: "Password", type: "password" },
},
async authorize(credentials, req) {
const res = await fetch(process.env.CREDENTIALS_AUTH_URL, {
method: 'POST',
body: JSON.stringify(credentials),
headers: { "Content-Type": "application/json" }
})
const user = await res.json()
if (res.ok && user) {
return user
}
return null
}
})
],
session: {
strategy: "jwt",
maxAge: 30 * 24 * 60 * 60 // 30 days
},
pages: {
signIn: '/signin',
signOut: '/signin',
error: '/signin'
},
})
但是在用户登录几秒钟后,终端显示此消息并终止会话:
[next-auth][warn][NO_SECRET] https://next-auth.js.org/warnings#no_secret
[next-auth][error][JWT_SESSION_ERROR] https://next-auth.js.org/errors#jwt_session_error decryption operation failed {
message: 'decryption operation failed',
stack: 'JWEDecryptionFailed: decryption operation failed\n'
所以,我尝试添加:
secret: process.env.SECRET, //I've created using $ openssl rand -base64 32
然后我收到两条不同的消息
浏览器控制台:
[next-auth][error][CLIENT_FETCH_ERROR]
https://next-auth.js.org/errors#client_fetch_error
VS 代码终端:
[next-auth][error][CALLBACK_CREDENTIALS_JWT_ERROR]
https://next-auth.js.org/errors#callback_credentials_jwt_error Signin in with credentials only supported if JWT strategy is enabled UnsupportedStrategy [UnsupportedStrategyError]: Signin in with credentials only supported if JWT strategy is enabled
我尝试了几个不同的选项,但一直很混乱。 而现在,我不知道该怎么办。 :( 你能帮帮我吗?
我升级到4.0.1版了。修复了问题。
我不是专家。但我认为这是库 NEXT auth 4.0.0
当前存在的问题我可以使用版本“next-auth”解决问题:“^3.25.0”。 然后跟着这个 tutorial