CSRF Token Failure in App Router CredentialsProvider Returns 200 OK Without Calling authorize() or Providing Error #78770
Unanswered
jyotiprakash-55
asked this question in
App Router
Replies: 0 comments
Version Info:
next-auth: v4.24.11
next: 13/14+ (App Router)
Provider: CredentialsProvider
Session Strategy: jwt
Using: signIn("credentials", { redirect: false })
When making a POST request to /api/auth/callback/credentials with an invalid or tampered CSRF token, the following happens:
NextAuth does not call authorize()
The route handler (route.ts) is not invoked
It returns 200 OK with a body like:
{ "url": "/api/auth/signin?csrf=true" }
Why This Is a Problem
From the frontend, we cannot differentiate a CSRF failure from a successful login (both return 200 OK)
No way to display a useful error message
In Postman or API clients, it always returns 200 OK, which makes CSRF debugging and custom UI handling impossible
Behavior is inconsistent compared to CredentialsSignin, which returns usable .error
Can anyone help me with this issue?
Thank you!
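As an added example (not code from the discussion or from next-auth), the following client-side helper tells the three outcomes apart on the frontend. It assumes the v4 client return shape of signIn("credentials", { redirect: false }), i.e. { error, status, ok, url }, and treats a url pointing at /api/auth/signin?csrf=true as the CSRF failure described above.

```javascript
// Added example, not part of next-auth: classify the object returned by
// next-auth v4's signIn("credentials", { redirect: false }), assumed to be
// { error, status, ok, url }, so that a CSRF failure delivered as 200 OK with
// url "/api/auth/signin?csrf=true" is not reported to the user as a login.
function classifySignInResult(result, origin = "http://localhost") {
  if (!result) {
    return { kind: "network_error", message: "No response from signIn()" };
  }
  // An explicit provider error such as "CredentialsSignin" takes precedence.
  if (result.error) {
    return { kind: "credentials_error", message: result.error };
  }
  if (result.url) {
    // Relative URLs need a base to parse; origin is used only for that.
    const url = new URL(result.url, origin);
    if (url.pathname.endsWith("/api/auth/signin") &&
        url.searchParams.get("csrf") === "true") {
      return {
        kind: "csrf_failure",
        message: "CSRF token missing or invalid; fetch a fresh token and retry",
      };
    }
    const err = url.searchParams.get("error");
    if (err) {
      return { kind: "credentials_error", message: err };
    }
  }
  if (result.ok && result.status === 200) {
    return { kind: "success", message: "Signed in" };
  }
  return { kind: "unknown", message: `Unexpected status ${result.status}` };
}

// Constructed sample results mirroring the cases described in the report.
const SAMPLES = {
  csrf: { error: null, status: 200, ok: true, url: "/api/auth/signin?csrf=true" },
  badPassword: { error: "CredentialsSignin", status: 401, ok: false, url: null },
  success: { error: null, status: 200, ok: true, url: "http://localhost:3000/dashboard" },
};

for (const [name, r] of Object.entries(SAMPLES)) {
  console.log(name, classifySignInResult(r));
}
```

Surfacing the csrf_failure case as its own error (and re-fetching the token from /api/auth/csrf before retrying) keeps a stale or tampered token from looking like a successful sign-in in the UI.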