GoSec_Cloud/gsc-web-kit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(auth): default signInPath to /api/auth/signin (NextAuth v5)

Browse Source 
Provider-specific paths like /api/auth/signin/keycloak are POST only
in NextAuth v5 — they're the form-submit endpoint with CSRF. A GET
redirect there bounces to /api/auth/error?error=Configuration with
"UnknownAction".

/api/auth/signin (no provider segment) is the GET-accessible page
that lists configured providers. Apps that want one-click Keycloak
should set signInPath to a custom page that calls signIn('keycloak').

Repros against next-auth 5.0.0-beta.31 on Next 16.1.1. Pre-existing
bug in createAuth + createAuthMiddleware + signInRedirect; surfaced
when first user-driven login was attempted against the live CRM.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Claude
2026-05-11 08:48:50 +02:00
parent b0e2c21d0a
commit 360b611ae6
3 changed files with 13 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/auth/index.ts
View File

@@ -17,7 +17,9 @@ export type { SessionUser } from "./types";
*/
export function signInRedirect(callbackUrl?: string): void {
if (typeof window === "undefined") return;
const target = "/api/auth/signin/keycloak";
// Match the server-side default. /api/auth/signin/<provider> is POST
// only in NextAuth v5 — a GET navigation there returns UnknownAction.
const target = "/api/auth/signin";
const url = new URL(target, window.location.origin);
url.searchParams.set("callbackUrl", callbackUrl ?? window.location.pathname);
window.location.href = url.toString();