CSRF Mismatch Not Passed Back to custom login page using credentials

[davecarlson]

Description 🐜

If there is a CSRF mismatch when you are using a custom Login Page, then the ?csrf=true is lost from the response from the callback in the redirect chain.

Provider: Credentials:

config:

session: {
    strategy: 'jwt',
    maxAge: 90 * 24 * 60 * 60
 },
pages: {
    signIn: '/login',
    error: '/login?reason=invalid'
},

Is this a bug in your own project?

No

How to reproduce ☕️

Create a dummy project with a simple custom login form
On first load of the page, the CSRF is invalid
Enter valid credentials
you are redirected back to the login page with ?callBackUrl= in the url, but no csrf=true, or error=

Screenshots / Logs 📽

No response

Environment 🖥

vercel
nextjs 12
nextjs-auth 4.1.2

Contributing 🙌🏽

No, I am afraid I cannot help regarding this

[balazsorban44]

Please add a reproduction

[xorander00]

I'm seeing the same thing with [email protected] and [email protected]. As far as an reproducible example goes, I'll see what I can do, though I'm not sure if there's anything beyond just bootstrapping an empty Next.js project and adding some custom pages.

I tried using signIn("credentials", { username, password, redirect: false }) but that was always redirecting no matter what I tried. I then tried to manually make a fetch request and noticed that getCsrfToken was returning undefined.