fix(auth): default signInPath to /api/auth/signin (NextAuth v5)

Provider-specific paths like /api/auth/signin/keycloak are POST only
in NextAuth v5 — they're the form-submit endpoint with CSRF. A GET
redirect there bounces to /api/auth/error?error=Configuration with
"UnknownAction".

/api/auth/signin (no provider segment) is the GET-accessible page
that lists configured providers. Apps that want one-click Keycloak
should set signInPath to a custom page that calls signIn('keycloak').

Repros against next-auth 5.0.0-beta.31 on Next 16.1.1. Pre-existing
bug in createAuth + createAuthMiddleware + signInRedirect; surfaced
when first user-driven login was attempted against the live CRM.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Claude
2026-05-11 08:48:50 +02:00
parent b0e2c21d0a
commit 360b611ae6
3 changed files with 13 additions and 3 deletions


@@ -63,7 +63,13 @@ export interface AuthBundle {
* });
*/
export function createAuth(opts: CreateAuthOptions): AuthBundle {
const signInPath = opts.signInPath ?? "/api/auth/signin/keycloak";
// NextAuth v5: provider-specific paths like /api/auth/signin/keycloak
// are POST-only (CSRF-protected form submit). A GET redirect there
// bounces to /api/auth/error?error=Configuration ("UnknownAction").
// /api/auth/signin (no provider) is the GET-accessible page that
// lists configured providers. Apps wanting one-click Keycloak can
// override signInPath with a custom page that calls signIn('keycloak').
const signInPath = opts.signInPath ?? "/api/auth/signin";
const defaultTenantId =
opts.defaultTenantId ?? "00000000-0000-0000-0000-000000000000";
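Review bot: the change of the fallback from "/api/auth/signin/keycloak" to "/api/auth/signin" on the `const signInPath = opts.signInPath ?? ...` line is a behaviour change for every caller that did not set `signInPath`, so the option's own JSDoc in `CreateAuthOptions` and the usage example in the comment block just above `createAuth` (the `* });` / `*/` lines visible at the top of the hunk) should state the new default and say that one-click Keycloak now requires a custom page calling `signIn('keycloak')`; otherwise that guidance lives only in an inline comment inside the function body where consumers of the package will not see it. The six-line comment explaining why the provider-specific path fails (POST-only, CSRF-protected, "UnknownAction") is useful but would be better shortened here and moved, in full, to the option's doc comment so the reason and the default are documented in one place.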