proxy, google oauth, and connection refusal

[archywillhe]

Your question

How not to run into ECONNREFUSED for google oauth when on a local server on top of proxychain i.e. a proxy conection?

Details

I have tested my set up with Github OAuth and it works wonderfully. But for Google OAuth I keep getting ECONNREFUSED directly from Google server at 216.58.200.45.

https://next-auth.js.org/errors#oauth_get_access_token_error
[next-auth][error][callback_oauth_error] Error: connect ECONNREFUSED 216.58.200.45:443
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1141:16) {
  errno: 'ECONNREFUSED',
  code: 'ECONNREFUSED',
  syscall: 'connect',
  address: '216.58.200.45',
  port: 443
}
https://next-auth.js.org/errors#callback_oauth_error

My VPN is deployed on an AWS EC2 instance. And locally I have set up a http proxy for my proxychains that connect to my VPN's client. I'm inside the GFW at the moment so without proxychains I will get timeout error instead.

I did some googling and this appears to be a known issue with testing google oauth locally behind a proxy. Just wondering if anyone knows any way to solve it. Thanks!

Feedback
Documentation refers to searching through online documentation, code comments and issue history. The example project refers to next-auth-example.

• Found the documentation helpful
• Found documentation but was incomplete
• Could not find relevant documentation
• Found the example project helpful
• Did not find the example project helpful

[archywillhe]

related: jenkinsci/google-oauth-plugin#62 jaredhanson/passport-google-oauth#54

[archywillhe]

also related: googleapis/google-api-nodejs-client#1943, googleapis/google-api-nodejs-client#2345

[archywillhe]

Interesting! Setting this in my proxychains.conf works!

strict_chain

tcp_read_time_out 15000
tcp_connect_time_out 8000

localnet 127.0.0.0/255.0.0.0

[ProxyList]
http {your proxy ip address} {your proxy port}

huge thanks to @neorxna's comment in googleapis/google-api-nodejs-client#998 !!!

[mathewtrivett]

@iaincollins I'm having a similar issue here. My next application is deployed behind a corporate proxy. I learned that node doesn't recognise http_proxy or https_proxy environment variables.

I need a way for requests made to Google by next-auth to go via the proxy.

@archywillhe Could you share how you are starting the next server using proxychains? Are you using a custom server for next? Are you using pm2 or something like proxychains yarn next start?

[mdelapenya]

I'm also interested in this issue. Seeing same behaviours in docker-compose using Bunkerised Nginx as proxy. I simply cloned https://github.com/nextauthjs/next-auth-example and added the following Dockerfile and docker-compose files next to it.

FROM node:alpine

RUN mkdir -p /usr/src
WORKDIR /usr/src

# Copy package.json and package-lock.json before other files
# Utilise Docker cache to save re-installing dependencies if unchanged
COPY ./package*.json ./

# Install dependencies
RUN npm install --production

COPY . /usr/src

RUN npx next telemetry disable
RUN npm run build
EXPOSE 3000
ENTRYPOINT [ "npm", "run", "start" ]

---
version: '3'
services:
  proxy:
    image: bunkerity/bunkerized-nginx:1.2.1
    container_name: proxy
    environment:
      - AUTO_LETS_ENCRYPT=no
      - ALLOWED_METHODS=DELETE|GET|OPTIONS|PATCH|POST|PUT
      - BLOCK_ABUSERS=yes
      - BLOCK_PROXIES=yes
      - BLOCK_TOR_EXIT_NODE=yes
      - BLOCK_USER_AGENT=yes
      - CONTENT_SECURITY_POLICY=default-src http://local.domain.example https://fonts.googleapis.com https://fonts.gstatic.com https://*.googleusercontent.com 'self' 'unsafe-eval' 'unsafe-inline' ; frame-ancestors 'self'; form-action https://accounts.google.com 'self' ; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';
      - NEXTAUTH_URL=http://local.domain.example
      - REDIRECT_HTTP_TO_HTTPS=no
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL_1=/
      - REVERSE_PROXY_HOST_1=http://web:3000
      - REVERSE_PROXY_URL_2=/api/auth
      - REVERSE_PROXY_HOST_2=http://web:3000/api/auth
      - SERVE_FILES=no
      - SERVER_NAME=local.domain.example
      - USE_BROTLI=yes
      - USE_GZIP=yes
      - USE_MODSECURITY=no
      - USE_PROXY_CACHE=yes
    healthcheck:
      test: ["CMD-SHELL", "wget -O /dev/null http://localhost:8080 || exit 1"]
      timeout: 10s
    volumes:
      - ./nginx/letsencrypt:/etc/letsencrypt
    ports:
      - 80:8080
      - 443:8443
    depends_on:
      - web
    networks:
      - nextauth
    restart: always
  web:
    build: "."
    container_name: "web"
    environment:
      - NEXTAUTH_SITE=http://local.domain.example
      - NEXTAUTH_URL=http://local.domain.example
      - GOOGLE_ID=YOUR_ID
      - GOOGLE_SECRET=YOUR_SECRET
    networks:
      - nextauth
    restart: always

networks:
  nextauth:

I also tried with proxychains, but it relies in the IP of the proxy, not the hostname, which is not deterministic in docker networks. Install it with APK:

RUN apk add proxychains-ng

and update NPM scripts:

  "scripts": {
    "dev": "proxychains next",
    "build": "next build",
    "start": "proxychains next start"
  },

Add proxychains.conf file at the root dir of the project, using "expected" IP address of my proxy:

strict_chain

tcp_read_time_out 15000
tcp_connect_time_out 8000

localnet 127.0.0.0/255.0.0.0

[ProxyList]
http 172.23.0.3 8080

The error I see is:

UPDATE: this log error happened while being already logged in in a previous iteration, without proxychains.

proxy    | 172.23.0.1 - - local.domain.example [26/Dec/2020:18:24:22 +0000] "GET /api/auth/session HTTP/1.1" 200 207 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
web      | [next-auth][error][client_fetch_error] [
web      |   'http://local.domain.example/api/auth/session',
web      |   FetchError: request to http://local.domain.example/api/auth/session failed, reason: connect ECONNREFUSED 127.0.0.1:80
web      |       at ClientRequest.<anonymous> (/usr/src/node_modules/next/dist/compiled/node-fetch/index.js:1:66404)
web      |       at ClientRequest.emit (node:events:376:20)
web      |       at Socket.socketErrorListener (node:_http_client:486:9)
web      |       at Socket.emit (node:events:376:20)
web      |       at emitErrorNT (node:internal/streams/destroy:188:8)
web      |       at emitErrorCloseNT (node:internal/streams/destroy:153:3)
web      |       at processTicksAndRejections (node:internal/process/task_queues:80:21) {
web      |     type: 'system',
web      |     errno: 'ECONNREFUSED',
web      |     code: 'ECONNREFUSED'
web      |   }
web      | ] 
web      | https://next-auth.js.org/errors#client_fetch_error

Although the login process can be accomplished, the session event fails. I checked the AI section in the example app and there is no payload for the session event (it did appear running the example without proxy):

[mdelapenya]

BTW it also happens to me with Facebook login and, surprisingly, when restarting/recreating the proxy the next app is able to catch the oauth payload and successfully recognize the user account, logging in the user.

[mdelapenya]

@iaincollins do you see anything wrong with this setup?

[mdelapenya]

@balazsorban44 or any other maintainer: is this discussion stale? I'm currently blocked at this scenario. I'd appreciate some feedback here 🙏

Thanks!

[Californian]

I ran into this running in docker-compose as well, but finally found a solution.

I fixed this by setting the internal port that next runs on to the same as the external port it's mapped to, and using the internal server host:port for my auth service.

In particular, I'm using fusionauth as the auth provider, which is internally running on 9011 (but mapped to a different external port, e.g. 8000). I manually overrode a few options: {authorizationUrl: "auth.example.test", accessTokenUrl: "fusionauth:9011/acces-token/path", profileUrl: "fusionauth:9011/profile/path"}. I'm running behind a reverse proxy (traefik), hence the auth.example.test domain (which traefik sends to the fusionauth container). For next's config, I set my Dockerfile's EXPOSE to, e.g. EXPOSE 3001, and my npm run dev command maps to next dev -p $PORT, where $PORT is defined in my .env.local file.

Hope that helps!

I'll note that, between this frustration and the general lack of sane defaults for a lot of things/generally unfavorable developer experience, we've decided to switch back to Auth0.

[raphaelpc]

I also had problems to use NextAuth behind corporate Proxy.
I created this PR but unfortunately it wasn't accepted:
#2493
I will try to use patch-package to fix the problem locally, as was suggested (which i don't think is the best solution since this is a problem of the current implementation of NextAuth, but it is what it is).

Relates issue: #2509

[balazsorban44]

I mentioned the reason for this in the PR. If you want to do the same against the next branch, I might have a look. Unfortunately, I don't think it's a common issue, and I simply don't have the time to look into it myself at the moment.

[raphaelpc]

Is there a time frame for the release of the next major Version?

[balazsorban44]

Hoping for this summer, but we will see. Don't want to give a hard date.