
Migration to authjs 🚀 #673

Open
zoey-kaiser opened this issue Feb 23, 2024 · 5 comments
Labels
enhancement An improvement that needs to be added p4 Important Issue provider-authjs An issue with the authjs provider

Comments

@zoey-kaiser
Member

Hello everyone 👋

The time has come: We are slowly moving forward to migrate NuxtAuth from using NextAuth under the hood to running the new authjs package!

This will come with numerous benefits, including:

  • Smaller bundle size (as we no longer need to include the default Login Page built for React)
  • Improvements to many bugs that have been blocked by NextAuth
  • Support for future features
    • Serverless deployments
    • etc.

This issue will track our current progress, issues and goals. We are currently beginning this migration, therefore more information will follow soon.

@phoenix-ru
Collaborator

Valid point regarding trustHost: #691 (comment)

@phoenix-ru
Collaborator

It makes perfect sense to wait for a release of next-auth@5 which would also mean a release of a significant @auth/core version (maybe even v1).

Tracking:
https://github.com/nextauthjs/next-auth/releases

guesant added a commit to sisgha/sisgha-app that referenced this issue May 6, 2024
@zoey-kaiser
Member Author

It makes perfect sense to wait for a release of next-auth@5 which would also mean a release of a significant @auth/core version (maybe even v1).

Agreed! I can see that they already have alpha versions of Version 5 released. Have they added support for trustHost there yet? I think we can also still continue internally preparing for the release by outlining which changes we will be making and updating our internal logic in preparation for this. But I do agree that we should wait with the official switch until they release!

@hopkins385

I am a bit concerned, see reports below.
What is missing/required to start with the migration process?

package.json

"@sidebase/nuxt-auth": "^0.7.2",
"next-auth": "4.21.1",

Audit Report:

# npm audit report
next  >=13.4.0 <14.1.1
Severity: high
Next.js Server-Side Request Forgery in Server Actions - https://github.com/advisories/GHSA-fr5h-rqp8-mj6g
fix available via `npm audit fix`
node_modules/next

next-auth  <4.24.5
Severity: moderate
Possible user mocking that bypasses basic authentication - https://github.com/advisories/GHSA-v64w-49xw-qq89
fix available via `npm audit fix --force`
Will install @sidebase/nuxt-auth@0.6.7, which is a breaking change
node_modules/next-auth
  @sidebase/nuxt-auth  0.3.0-alpha.1 - 0.4.0-alpha.6 || >=0.7.0-rc.0
  Depends on vulnerable versions of next-auth
  node_modules/@sidebase/nuxt-auth

3 vulnerabilities (2 moderate, 1 high)

Why next

❯ npm why next
next@13.5.6 peer
node_modules/next
  peer next@"^12.2.5 || ^13" from next-auth@4.21.1
  node_modules/next-auth
    next-auth@"4.21.1" from the root project
    peer next-auth@"^4" from @next-auth/prisma-adapter@1.0.7
    node_modules/@next-auth/prisma-adapter
      @next-auth/prisma-adapter@"^1.0.7" from the root project
    peer next-auth@"~4.21.1" from @sidebase/nuxt-auth@0.7.2
    node_modules/@sidebase/nuxt-auth

@zoey-kaiser
Member Author

zoey-kaiser commented May 15, 2024

Valid point regarding trustHost: #691 (comment)

Primarily some missing security features, such as trustHost. Aside from this, we would definitely wait to deprecate the current version until authjs makes their full official release. We want to avoid solely relying on a package that has not had a proper release yet.

We have already investigated internally what is required for a migration and are slowly preparing our module for this in the future; however, due to the reasons mentioned above, we will not release a stable version of the authjs provider until they do so as well!

I am a bit concerned, see reports below.

If you delve into the actual report (GHSA-v64w-49xw-qq89), you'll see that the vulnerability only affects the default NextAuth middleware. One of the fixes they also mention is writing your own middleware that adds a check that was missing. See original statement from us here: #514 (comment)

However, this middleware is never used inside our module, as we have our own custom Nuxt middleware. Therefore this vulnerability does not affect the module. If you have any additional questions feel free to raise them. 😊
