withMiddlewareAuthRequired returnTo param should not be full URL #1025

Closed
7 tasks done
zcarlson-gmgt opened this issue Jan 23, 2023 · 1 comment · Fixed by #1028
Labels: needs investigation (This needs to be investigated further before proceeding)

zcarlson-gmgt commented Jan 23, 2023

Checklist

  • The issue can be reproduced in the sample app (or N/A).
  • I have looked into the README and have not found a suitable solution or answer.
  • I have looked into the examples and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

I have implemented withMiddlewareAuthRequired to protect our pages. The returnTo param that is added automatically as redirect when navigating to a protected page directly contains the full URL instead of a relative path to the page.

I expect a relative URL to be set as described in the docs:
"/api/auth/login: Your Next.js application redirects users to your identity provider for them to log in (you can optionally pass a returnTo parameter to return to a custom relative URL after login, for example /api/auth/login?returnTo=/profile)."

We host our app as a container and in that environment it still shows localhost as the domain instead of our custom domain. (ex. "/api/auth/login?returnTo=http://localhost:3000/profile")

Also, these docs could use some updates. This import does not work:
import { withMiddlewareAuthRequired } from '@auth0/nextjs-auth0/middleware';
But this does:
import { withMiddlewareAuthRequired } from '@auth0/nextjs-auth0/edge';

Reproduction

  1. Sample repo: auth0-samples/auth0-nextjs-samples@main...zcarlson-gmgt:auth0-nextjs-samples:main

  2. Implement middleware authentication using the following:
    import { withMiddlewareAuthRequired } from '@auth0/nextjs-auth0/edge';
    export default withMiddlewareAuthRequired();

  3. Navigate to a page that should be protected and isn't using page level protection (ex. localhost:3000/profile)

  4. See that the returnTo param is set to localhost:3000/profile instead of /profile

SDK version

2.1.0

Next.js version

13.1

Node.js version

18.12.0

adamjmcgrath (Contributor) commented

Hi @zcarlson-gmgt - thanks for raising this

This is a good point, the ssr and csr withPageAuthRequired helpers both set a relative url for the returnTo parameter. Will investigate.

> Also, these docs could use some updates. This import does not work:

This has been fixed in #1019 - will update on the next release, thanks for pointing that out though

adamjmcgrath added the needs investigation label Jan 24, 2023
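
Added example, not the SDK's code and not the change made in #1028: one way a middleware could build the login redirect with a relative returnTo, and accept a returnTo value only when it is a same-site relative path. The function names and the placeholder base origin are assumptions made for this sketch.

```javascript
// Hypothetical helpers for illustration; not part of @auth0/nextjs-auth0.
const BASE = 'http://placeholder.invalid'; // only used to parse relative input

// Reduce the URL the middleware sees to path + query. The host is dropped on
// purpose: inside a container it can be localhost instead of the public domain.
function toRelativeReturnTo(requestUrl) {
  const { pathname, search } = new URL(requestUrl, BASE);
  return pathname + search;
}

// Accept a returnTo value only if it resolves to a path on the same origin.
function safeReturnTo(value, fallback = '/') {
  if (typeof value !== 'string' || !value.startsWith('/')) return fallback;
  // "//host" and "/\host" are parsed by browsers as pointing at another host.
  if (value.startsWith('//') || value.includes('\\')) return fallback;
  // URL parsers strip tab/CR/LF, which can turn "/<tab>/host" into "//host".
  if (/[\u0000-\u001f\u007f]/.test(value)) return fallback;
  const parsed = new URL(value, BASE);
  if (parsed.origin !== BASE) return fallback;
  return parsed.pathname + parsed.search + parsed.hash;
}

// Build the redirect to the login route with a relative, validated returnTo.
function loginRedirect(requestUrl, loginPath = '/api/auth/login') {
  const returnTo = safeReturnTo(toRelativeReturnTo(requestUrl));
  return `${loginPath}?returnTo=${encodeURIComponent(returnTo)}`;
}

// Constructed sample inputs (not taken from the issue's environment).
const samples = [
  'http://localhost:3000/profile',
  'http://localhost:3000/profile?tab=1',
  'http://localhost:3000//other.example/x',
];
for (const s of samples) console.log(s, '->', loginRedirect(s));
```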