diff --git a/apps/web/src/server/auth.ts b/apps/web/src/server/auth.ts
index 1f53f4c5..ccd9d388 100644
--- a/apps/web/src/server/auth.ts
+++ b/apps/web/src/server/auth.ts
@@ -14,6 +14,8 @@ import { sendSignUpEmail } from "~/server/mailer";
 import { env } from "~/env";
 import { db } from "~/server/db";
 
+const GITHUB_OAUTH_ISSUER = "https://github.com/login/oauth";
+
 /**
 * Module augmentation for `next-auth` types. Allows us to add custom properties to the `session`
 * object and keep type safety.
@@ -54,6 +56,8 @@ function getProviders() {
 GitHubProvider({
 clientId: env.GITHUB_ID,
 clientSecret: env.GITHUB_SECRET,
+ // GitHub now includes `iss` on OAuth callbacks, so NextAuth needs the expected issuer.
+ issuer: GITHUB_OAUTH_ISSUER,
 allowDangerousEmailAccountLinking: true,
 authorization: {
 params: {
diff --git a/apps/web/src/server/auth.unit.test.ts b/apps/web/src/server/auth.unit.test.ts
new file mode 100644
index 00000000..50682cb1
--- /dev/null
+++ b/apps/web/src/server/auth.unit.test.ts
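Review bot: The comment on the new `issuer` line in the second hunk explains why the option was added, but not that the value is matched against the `iss` parameter GitHub returns, so a later edit (a trailing slash, a different host) would presumably fail every GitHub sign-in with no hint at this line. I would extend it to something like `// Must equal the iss value GitHub returns on the OAuth callback (RFC 9207 issuer identification); keep in sync with GITHUB_OAUTH_ISSUER.` Keeping the issuer a fixed constant rather than a configurable value is the right call here, because the unchanged `allowDangerousEmailAccountLinking: true` just below means this provider's responses are trusted for linking accounts by email. The body of `getProviders` continues outside the hunk, so how the other providers are configured is not visible.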
@@ -0,0 +1,52 @@
+import { describe, expect, it, vi } from "vitest";
+
+vi.mock("next-auth", () => ({
+ getServerSession: vi.fn(),
+}));
+
+vi.mock("@auth/prisma-adapter", () => ({
+ PrismaAdapter: vi.fn(() => ({})),
+}));
+
+vi.mock("next-auth/providers/google", () => ({
+ default: vi.fn(),
+}));
+
+vi.mock("next-auth/providers/email", () => ({
+ default: vi.fn(),
+}));
+
+vi.mock("~/server/db", () => ({
+ db: {},
+}));
+
+vi.mock("~/server/mailer", () => ({
+ sendSignUpEmail: vi.fn(),
+}));
+
+vi.mock("~/env", () => ({
+ env: {
+ GITHUB_ID: "github-client-id",
+ GITHUB_SECRET: "github-client-secret",
+ NEXT_PUBLIC_IS_CLOUD: true,
+ },
+}));
+
+import { authOptions } from "~/server/auth";
+
+describe("authOptions", () => {
+ it("configures the GitHub provider with an explicit issuer", () => {
+ const githubProvider = authOptions.providers.find(
+ (provider) => provider.id === "github",
+ );
+
+ expect(githubProvider).toMatchObject({
+ id: "github",
+ options: {
+ clientId: "github-client-id",
+ clientSecret: "github-client-secret",
+ issuer: "https://github.com/login/oauth",
+ },
+ });
+ });
+});
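Review bot: The Google and Email provider mocks are `default: vi.fn()`, which returns `undefined` when called, while the lookup `(provider) => provider.id === "github"` dereferences every entry that precedes GitHub in the array. Whether `getProviders` calls those factories under this mocked env is not visible here, but if it does, the test would fail with a TypeError in `find` instead of a clear assertion failure on the issuer. Returning a stub, e.g. `default: vi.fn(() => ({ id: "google" }))` and `default: vi.fn(() => ({ id: "email" }))`, keeps the test independent of provider order. A one-line comment above the `it` such as `// Regression guard: GitHub sends iss on the OAuth callback, so the provider must declare the matching issuer.` would also tell a future maintainer why this configuration is pinned.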