Is it possible to deactivate the error message in the query string?

[FrankDaze]

If I get an login error, I redirect the user back to the login page. But then next-auth adds the error as query string to the URL.
In my opinion this is not good for security reasons. For debugging it would be ok, but not in production environment.

My question, is it possible to deactivate that? Or to modify the message to something like "login not allowed".

thanks in advance
Frank

[balazsorban44]

Here are the possible error types: https://next-auth.js.org/configuration/pages#sign-in-page

Which one of these do you feel is a security risk?

We provide that information, so you can give the user a meaningful (but minimal) feedback on what action they should do, like checking their credentials.

Here is a snippet from the above link:

We don't recommend providing information about which part of the credentials were wrong, as it might be abused by malicious hackers.

So I agree on you partially, but I think with the above error types, we don't expose anything sensitive.

[FrankDaze]

In my case I get something like ?error=error reading JSON in 0 ....

[balazsorban44]

That should not be the case, do you have some code to show?

[FrankDaze]

in [...nextauth].js I check for the moment is there an entry with the given email address and is this account active (password validation will be added in the next step):

  providers: [
    Providers.Credentials({
      id: "Credentials",
      name: "Credentials",
      async authorize(credentials) {
        // Add logic here to look up the user from the credentials supplied
        let user = {};
        const query =
          "SELECT uuid, email,firstname, lastname, isAdmin FROM users WHERE email=? AND isActive=1";
        const results = await sql_query(query, [credentials.email]);
        if (results) {
          const DBUser = JSON.parse(JSON.stringify(results[0]));
          user = {
            name: DBUser.firstname + " " + DBUser.lastname,
            email: DBUser.email,
            image: null,
            uuid: DBUser.uuid,
            isAdmin: DBUser.isAdmin,
          };
        }

        if (user) {
          // Any object returned will be saved in `user` property of the JWT
          return user;
        } else {
          return null;
        }
      },
    }),
  ],

And my pages setup looks like this:

  pages: {
   signIn: "/login",
   signOut: "/logout",
   error: "/login",
 },

If the account is active, all is fine. If the account is not active I get redirected to this URL:

http://localhost:3000/login?error=Unexpected%20token%20u%20in%20JSON%20at%20position%200

[FrankDaze]

ok my fault, I found the problem. I sent always the user object, even if it was empty.

I fixed it now:

 providers: [
    Providers.Credentials({
      id: "Credentials",
      name: "Credentials",
      async authorize(credentials) {
        // Add logic here to look up the user from the credentials supplied

        const query =
          "SELECT uuid, email,firstname, lastname, isAdmin FROM users WHERE email=? AND isActive=1";
        const results = await sql_query(query, [credentials.email]);
        if (results && results.length !== 0) {
          const DBUser = JSON.parse(JSON.stringify(results[0]));

          user = {
            name: DBUser.firstname + " " + DBUser.lastname,
            email: DBUser.email,
            image: null,
            uuid: DBUser.uuid,
            isAdmin: DBUser.isAdmin,
          };
          return Promise.resolve(user);
        } else {
          return Promise.resolve(null);
        }
      },
    }),
  ],