New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Error: no matching decryption secret #10633
Comments
I have the same issue, in two different projects.
|
There's definitely an issue with I encountered this error and also other weird things. I've noticed that it could come from the import type { NextAuthConfig } from 'next-auth';
import Discord from 'next-auth/providers/discord';
import { getSession } from '@/auth';
const AUTH_SECRETS_SEP = ';;;;;;';
const secret = process.env.AUTH_SECRETS!.split(AUTH_SECRETS_SEP);
const config = {
providers: [
Discord({
authorization: {
params: {
scope: 'identify+guilds'
}
},
clientSecret: process.env.DISCORD_CLIENT_SECRET ?? '',
clientId: process.env.DISCORD_CLIENT_ID ?? ''
})
],
callbacks: {
async session({ session }) {
const s = await getSession(session);
return s;
}
},
secret
} as const satisfies NextAuthConfig;
console.log(config.secret);
export default config; Here, I get an error intercepted by my IDE: This is super weird. Now, if I just do this: const secret = "hummmmm";
// * ...
callbacks: {
async session({ session }) {
const s = await getSession(session);
return s;
}
},
secret
} as const satisfies NextAuthConfig; Then, everything works properly. oO I'm curious, is this happening in your projects too? https://github.com/Tirraa/dashboard_rtm/blob/next-auth-v5-and-bentocache-exit/src/config/auth.ts Btw, cloning the repo and going on the Once you're on the branch, simply run (Don't forget to remove the hardcoded Running this project is pretty straightforward. (It's intended to become a full-features template...) Furthermore, I think that when I tested WITHOUT the navbar login button on my site, there was no infinite loop. It can be tested easily, just editing this file: And replacing I'm double checking this. Maybe there's an insidious problem with the EDIT: But when I remove the Super weird. Some help would be very appreciated! Also maybe related to: #10478 EDIT (2): Lmao, what's going on? Exporting anything else than the Sounds more and more like an underlying client/server issue in the current implementation. EDIT (3): Okay... const secret = process.env.AUTH_SECRETS?.split(AUTH_SECRETS_SEP) ?? 'NTM';
// * ...
if (config.secret === 'NTM') console.log('Secret is NTM!'); It looks like the current implementation sometimes try to access I think we should have a separated config for server and client purposes, and to ensure that the config on the server is frozen and only initialized once. It also worries me, the |
Hmm so these should be working.. Our example apps with the latest version have variations of all of these that work. @zmzlois in your repro, it looks like your custom import { ReactNode } from "react";
import { auth } from "@/auth";
import { useRouter, redirect } from "next/navigation";
export const SessionProvider = async ({
children,
}: Readonly<{ children: ReactNode }>) => {
const session = await auth();
+ const router = useRouter();
- if (!session) {
+ if (!session && router.pathname !== "/api/auth/signin") {
- return redirect("/");
+ return redirect("/api/auth/signin");
}
if (session) {
return <>{children}</>;
}
};
@gustaveWPM in your latest repro the Generally, you don't have to pass a secret or anything additionally. As long as you have |
|
That's not very helpful, did yuo figure out the config issue? It's still throwing |
This comment was marked as spam.
This comment was marked as spam.
Passing the In v4, it was possible to use EDIT: I think I'll manage my integration, but I'll have to use a lot of counter-intuitive "Tricks"... Doing this: import { useSession, signOut } from 'next-auth/react';
// * ...
const pathname = usePathname();
const whatever = isProtectedRoute(pathname) ? { callbackUrl: ROUTES_ROOTS.WEBSITE, redirect: true } : undefined;
// * ...
<button onClick={() => {
signOut(whatever);
}}
>
// * ... Causes the EDIT (final): finally, I managed to implement exactly what I wanted by sticking to Next Auth v4. |
Just wanted to pop in here and say I'm having the exact same issue on a previously working codebase, I believe it stopped working after an npm update but I'm not 100% on that. Is the original posters repo not slim enough for triage / debugging? If not I can try and make a tiny one if that's helpful, I'm not entirely sure exactly what you need for this. |
The main problem is that so many custom thing's have been done above that its hard to find what might be wrong. v5 is designed primarily to be used with next 14 and server components, so part of the issue seems like you guys are working very hard against next 14 and auth.js v5. Anyway, the example app has both working server components and a client component example page (https://next-auth-example.vercel.app). If youre having a specific issue, a minimal reproduction is immensely helpful for us to nail down any potential issue with auth.js. Not only because through making a minimal reproduction you usually find out if you yourself made an oopsie, but if there is an issue with auth.js we can then easily pinpoint it and fix it 🙏 |
@zmzlois I tried your reproduction but couldn't reproduce the issue. There are two things I have to change in your code before running:
Is there anything missing in your reproduction that could cause the issue? |
So this is becoming a problem for me as I had to delay the go-live of a site because of this bug. What I noticed is that the error does not occur immediately but after either a set time or when the development server is restarted. FYI we use a very standard v14 and server code. What can I do to help you find this bug? |
To clarify, even if the main focus was to treat Server Components/Actions as a first-class citizen, Anyone posting "same issue" here, please add a minimal reproduction. We cannot investigate otherwise. Screenshots of terminal errors or "standard" code is not sufficient. Check out https://github.com/nextauthjs/next-auth-example which is also deployed on https://next-auth-example.vercel.app/ and works correctly. |
Working my way through that example to figure out the root cause of this. I noticed something, The auth routes are exported both under /api/auth and /auth - is that intentional? |
weirdly, I open the repo again and it works now even when I comment out the export const { handlers, signIn, signOut, auth } = NextAuth({
providers: [Twitter],
// secret: "somesupertopsecret",
}) 😳?? |
Yes, I had the same experience last night. This used to be the code most likely causing the above error:
Removing the above and just defining the AUTH_SECRET works. |
Environment
System:
OS: macOS 14.2.1
CPU: (12) arm64 Apple M2 Pro
Memory: 245.33 MB / 16.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 20.11.0 - /usr/local/bin/node
Yarn: 1.22.21 - /usr/local/bin/yarn
npm: 10.2.4 - /usr/local/bin/npm
pnpm: 8.7.6 - /usr/local/bin/pnpm
bun: 1.0.35 - /usr/local/bin/bun
Browsers:
Chrome: 124.0.6367.61
Safari: 17.2.1
npmPackages:
next: 14.2.2 => 14.2.2
next-auth: ^5.0.0-beta.16 => 5.0.0-beta.16
react: ^18 => 18.2.0
Reproduction URL
https://github.com/zmzlois/next-auth-repro
Describe the issue
Under this set up, I constantly have this error
How to reproduce
and set environment varible secrets for
AUTH_SECRET
,AUTH_TWITTER_ID
andAUTH_TWITTER_SECRET
Click on the sign in button on first page
Expected behavior
After sign in, I should be redirected to dashboard if I am in, the auth secret is generated by
npx auth secret
and stored in.env
fileThe text was updated successfully, but these errors were encountered: