Does Brave browser prevent logging in for anyone else (using magic links)?

[usmanity]

I'm using next-auth's email magic links for logging in and today I noticed while testing on Brave browser that magic links don't work as expected.

I didn't want to create an issue b/c I'm not sure if this is a bug with next-auth or with my own setup somehow.

I was wondering if anyone else has run into this?

How to reproduce

1. Create a login request (send an email magic link)
2. Click on the link in Brave
3. You'll see a callback error in the URL and be sent to the login page.

Example email link sent to user

https://www.example.com/api/auth/callback/email?callbackUrl=https%3A%2F%2Fwww.example.com%2Flogin&token=exampleToken123abc&email=example%40gmail.com

Looking at my logs, I see the following error:

ERROR	[next-auth][error][adapter_error_getSessionAndUser] 
https://next-auth.js.org/errors#adapter_error_getsessionanduser 
Invalid `prisma.session.findUnique()` invocation:
Inconsistent query result: Field user is required to return data, got `null` instead. {
  message: '\n' +
    'Invalid `prisma.session.findUnique()` invocation:\n' +
    '\n' +
    '\n' +
    'Inconsistent query result: Field user is required to return data, got `null` instead.',
  stack: 'Error: \n' +
    'Invalid `prisma.session.findUnique()` invocation:\n' +
    '\n' +
    '\n' +
    'Inconsistent query result: Field user is required to return data, got `null` instead.\n' +
    '    at RequestHandler.handleRequestError (/var/task/node_modules/@prisma/client/runtime/index.js:29913:13)\n' +
    '    at RequestHandler.request (/var/task/node_modules/@prisma/client/runtime/index.js:29892:12)\n' +
    '    at async PrismaClient._request (/var/task/node_modules/@prisma/client/runtime/index.js:30864:16)\n' +
    '    at async getSessionAndUser (/var/task/node_modules/@next-auth/prisma-adapter/dist/index.js:22:36)',
  name: 'Error'
}

My schema.prisma setup:

generator client {
  provider        = "prisma-client-js"
  previewFeatures = ["referentialIntegrity", "fullTextSearch", "fullTextIndex"]
}

datasource db {
  provider             = "mysql"
  url                  = env("DATABASE_URL")
  referentialIntegrity = "prisma"
}

model User {
  id             String    @id @default(cuid())
  name           String?
  username       String?   @unique
  email          String?   @unique
  emailVerified  DateTime?
  image          String?
  Session        Session[]
  Account        Account?
}

model Account {
  id                       String  @id @default(cuid())
  userId                   String  @unique
  type                     String
  provider                 String
  providerAccountId        String
  refresh_token            String? @db.Text
  access_token             String? @db.Text
  expires_at               Int?
  token_type               String?
  scope                    String?
  id_token                 String? @db.Text
  session_state            String?
  refresh_token_expires_in Int?
  user                     User?   @relation(fields: [userId], references: [id])

  @@unique([provider, providerAccountId])
  @@index([userId])
}

model Session {
  id           String   @id @default(cuid())
  sessionToken String   @unique
  userId       String
  expires      DateTime
  user         User     @relation(fields: [userId], references: [id])

  @@index([userId])
}

model VerificationToken {
  identifier String
  token      String   @unique
  expires    DateTime

  @@unique([identifier, token])
}

The nextauth set up file below:

export default NextAuth({
  adapter: PrismaAdapter(prisma),
  providers: [
    GithubProvider({
      clientId: process.env.GITHUB_ID,
      clientSecret: process.env.GITHUB_SECRET,
    }),
    EmailProvider({
      server: process.env.EMAIL_SERVER,
      from: process.env.EMAIL_FROM,
    }),
  ],
  session: {
    strategy: "database",
    maxAge: 30 * 24 * 60 * 60, // 30 days
    updateAge: 24 * 60 * 60, // 24 hours
  },
  pages: {
    signIn: "/login",
    newUser: "/welcome",
    verifyRequest: "/emailSent",
  },
  callbacks: {
    session: async ({ session, user }) => {
      session.user = user;
      const username: string = user.username as string;
      session.username = username ? username : "";
      if (user && user.image) {
        session.provider = user.image.includes("github") ? "Github" : "Email";
      }
      const s = await session;
      return s;
    },
  },
});

Any help/input would be appreciated on this. If someone can test this on their own site, I'd appreciate it!

Possible causes

This might be a browser level issue that's hard to diagnose. I tried the same setup on a separate computer using Brave browser and it works fine. For anyone looking for a solution to this, follow Simon's suggestions below.

[simonfarah]

Hello @usmanity. I am using brave with the email provider and it works perfectly. Can you please share your own setup and the callback error you get?

[simonfarah]

You're welcome! I think that the problem comes from the User model. Try changing the Session and Account fields to :

model User {
  ...
  sessions      Session[]
  accounts      Account[]
}

[usmanity]

This change would mean user can have multiple sessions and accounts linked? Interesting...I thought Account could only be a singular relation.

[usmanity]

So I did a bit more digging into this, it's odd but it seems to only happen on one of my computers. I tried it on a different computer (same browser) and it works fine. I am going to wait until I see real users complain about this issue. Thank you for your help Simon!

[simonfarah]

This change would mean user can have multiple sessions and accounts linked? Interesting...I thought Account could only be a singular relation.

Exactly! A user can be signed in on many devices so having multiple sessions for a single user is a must. And in addition, a single user can have multiple accounts, but each account can only have one user. A user could access his account from a GitHub provider, Google provider... but each of those login options can refer to a single user. And be sure to spell the modification I suggested as it is, all lowercase. This is the schema that next-auth works on and any modification to those fields will result in errors. Let me know if it works!

[usmanity]

Thanks again, so I updated as you suggested and everything seems fine but the original Brave browser I am doing this is in still having this issue. I'm gonna stop looking into it at this point b/c it seems like a weird URL cleaning issue in Brave. All other browsers work fine and don't have any login issues.