From 4623743c8f1050246e5a967934ea9f0baad3b617 Mon Sep 17 00:00:00 2001
From: ekzyis
Date: Tue, 31 Dec 2024 20:05:20 +0100
Subject: [PATCH] fix cookie pointer override during account switching (#1783)
---
 pages/api/auth/[...nextauth].js | 22 ++++++----------------
 1 file changed, 6 insertions(+), 16 deletions(-)
diff --git a/pages/api/auth/[...nextauth].js b/pages/api/auth/[...nextauth].js
index 2d1160ab..f2dcfde3 100644
--- a/pages/api/auth/[...nextauth].js
+++ b/pages/api/auth/[...nextauth].js
@@ -91,15 +91,14 @@ function getCallbacks (req, res) {
 token.sub = Number(token.id)
 }
- // response is only defined during signup/login
+ // this only runs during a signup/login because response is only defined during signup/login
+ // and will add the multi_auth cookies for the user we just logged in as
 if (req && res) {
 req = new NodeNextRequest(req)
 res = new NodeNextResponse(res)
 const secret = process.env.NEXTAUTH_SECRET
 const jwt = await encodeJWT({ token, secret })
 const me = await prisma.user.findUnique({ where: { id: token.id } })
- // we set multi_auth cookies on login/signup with only one user so the rest of the code doesn't
- // have to consider the case where they aren't set yet because account switching wasn't used yet
 setMultiAuthCookies(req, res, { ...me, jwt })
 }
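Review bot: The rewritten comment loses the rationale the two removed lines carried — that the multi_auth cookies are set even on a plain single-account login so later account-switching code never has to handle their absence — and that is the non-obvious part of `setMultiAuthCookies(req, res, { ...me, jwt })`, not the fact that `req && res` only holds during signup/login. Suggest folding it back in as `// always set the multi_auth cookies here, even for a single account, so the switching code can assume they exist`. Separately, `{ ...me, jwt }` hands the entire prisma user row to setMultiAuthCookies; if that helper persists more than the id/name fields it needs into cookies, narrowing the spread would shrink what ends up client-side — the helper is not visible here, so confirm before changing. The enclosing jwt callback starts and ends outside the hunk.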
@@ -165,13 +164,15 @@ async function pubkeyAuth (credentials, req, res, pubkeyColumnName) {
 // does the pubkey already exist in our db?
 let user = await prisma.user.findUnique({ where: { [pubkeyColumnName]: pubkey } })
- // get token if it exists
+ // make following code aware of cookie pointer for account switching
 req = multiAuthMiddleware(req)
+ // token will be undefined if we're not logged in at all or if we switched to anon
 const token = await getToken({ req })
 if (!user) {
 // we have not seen this pubkey before
- // only update our pubkey if we're not currently trying to add a new account
+ // only update our pubkey if we're logged in (token exists)
+ // and we're not currently trying to add a new account
 if (token?.id && !multiAuth) {
 user = await prisma.user.update({ where: { id: token.id }, data: { [pubkeyColumnName]: pubkey } })
 } else {
@@ -180,17 +181,6 @@ async function pubkeyAuth (credentials, req, res, pubkeyColumnName) {
 }
 }
- if (token && token?.id !== user.id && multiAuth) {
- // we're logged in as a different user than the one we're authenticating as
- // and we want to add a new account. this means we want to add this account
- // to our list of accounts for switching between so we issue a new JWT and
- // update the cookies for multi-authentication.
- const secret = process.env.NEXTAUTH_SECRET
- const userJWT = await encodeJWT({ token: { id: user.id, name: user.name, email: user.email }, secret })
- setMultiAuthCookies(req, res, { ...user, jwt: userJWT })
- return token
- }
-
 return user
 }
 } catch (error) {
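Review bot: After `req = multiAuthMiddleware(req)`, the write in `prisma.user.update({ where: { id: token.id }, ... })` links the new pubkey to whichever account the client's cookie pointer currently selects, so the correctness of this account-linking step rests on the middleware only honoring a pointer that resolves to a JWT `getToken` can verify; neither helper is visible in the hunk, so this is inferred, but the new comment should say so rather than just "make following code aware of cookie pointer". Suggest `// multiAuthMiddleware resolves the client-supplied pointer to the matching multi_auth JWT so getToken below sees the selected account; an unverifiable pointer must yield no token`. As a style point, reassigning the `req` parameter hides that the caller's object is replaced; a local such as `const pointedReq = multiAuthMiddleware(req)` would make the handoff to `getToken({ req: pointedReq })` explicit. pubkeyAuth starts and ends outside the hunk.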