
Comments (12)

hu-qi commented on May 21, 2024 3

The same, but in version 5.0.0-beta.15, it works.

from next-auth.

balazsorban44 commented on May 21, 2024 3

Fix is incoming #10592

from next-auth.

matthawk60 commented on May 21, 2024 3

The fix isn't in 5.0.0-beta.15. You will either have to wait for the next beta or do a patch. I'm using pnpm to apply the patch; you can also use patch-package. #10592 is what fixed it for me.

from next-auth.

balazsorban44 commented on May 21, 2024 2

NEXT_PUBLIC_AUTH_SECRET is a horrible idea, please don't even suggest that. Those replies are marked as spam.

from next-auth.

matthawk60 commented on May 21, 2024 1

> @matthawk60 it was probably marked as spam not because you seem like a spammer, but because the suggestion is dangerous. My (limited) understanding is that the whole point of having a server-side secret like that is that it lets you be more lenient with what you store in client browsers, since it can be encrypted with said secret. If you hand out the secret to the client (which becomes possible when following your suggestion), encrypted cookies suddenly become decryptable.
>
> See https://next-auth.js.org/configuration/options#secret

Obviously I was not suggesting NEXT_PUBLIC_AUTH_SECRET should be used in production. Perhaps I should have added that disclaimer. But by that thinking, no one should be using a beta release of software in the first place. However, if you want to use the app router and next-auth that is currently our only option.
My testing indicated that Next.js was removing the secret because it was being exposed to the client, which would be a major problem. My comment was meant to help find the problem. While this issue has only been open for a few days, there are others which have been around since beta-16 was released.
My intention was not to help users, I was commenting on an issue hoping to help debug the problem and fix the underlying issue with the software.

from next-auth.

nphmuller commented on May 21, 2024

Sorry that it took a while to get a minimal repro going...

I know of the workaround by setting the value during the build to a fake value, but is that the official solution? It might be a bit confusing, since there's quite a bit of discussion due to this change in beta 16 (see #10305 but also in the other issues linked).

from next-auth.

pranavmappoli commented on May 21, 2024

Is any fix available for this? I have AUTH_SECRET in my env, still facing the issue.

from next-auth.

robliou commented on May 21, 2024

> Is any fix available for this? I have AUTH_SECRET in my env, still facing the issue.

Same issue with me as well. After cloning the next-auth repository, and completing the .env file with my secrets, I get the same error even though AUTH-SECRET has been entered.

I tried downgrading to 5.0.0-beta.15 and that error goes away, but a different one emerges.

from next-auth.

itzjacki commented on May 21, 2024

@matthawk60 it was probably marked as spam not because you seem like a spammer, but because the suggestion is dangerous. My (limited) understanding is that the whole point of having a server-side secret like that is that it lets you be more lenient with what you store in client browsers, since it can be encrypted with said secret. If you hand out the secret to the client (which becomes possible when following your suggestion), encrypted cookies suddenly become decryptable.

See https://next-auth.js.org/configuration/options#secret

from next-auth.

itzjacki commented on May 21, 2024

@matthawk60

Okay, then I see where you're coming from. In the future I would still be careful about phrasing it in the way you did, because I would be willing to bet my savings that if the comment didn't get marked as spam (and therefore hidden by default) it would be tried by at least one confused developer trying to fix the error they're getting without taking the time to read up on the context around it (or what the NEXT_PUBLIC_ prefix means). It's perfectly plausible to me that it would end up as production code in that scenario.

> Obviously I was not suggesting NEXT_PUBLIC_AUTH_SECRET should be used in production.

To someone new to next.js and nextauth I don't necessarily think it's obvious that you're not suggesting to use NEXT_PUBLIC_ as a production fix.

from next-auth.
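
The risk discussed in the comments above, as an added example that is not part of the thread or of next-auth's own code: a small Node.js check that flags secrets exposed through the NEXT_PUBLIC_ prefix, which Next.js inlines into the browser bundle. The name pattern, the list of server-only variables and the sample .env content are assumptions constructed for illustration.

```javascript
// Added example: lint .env content for secrets exposed through NEXT_PUBLIC_.
// Next.js inlines every NEXT_PUBLIC_* variable into the browser bundle,
// so a secret stored under that prefix is readable by every visitor.

// Name fragments treated as "secret-like" (an assumption; tune per project).
const SECRET_NAME = /(SECRET|TOKEN|PASSWORD|PRIVATE|API_?KEY)/i;
// Server-only variables whose values must never reappear under NEXT_PUBLIC_.
const SERVER_ONLY = ["AUTH_SECRET", "NEXTAUTH_SECRET"];

// Minimal .env parser: KEY=value lines, optional quotes, '#' comment lines.
function parseEnv(text) {
  const vars = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    vars.set(m[1], m[2].replace(/^(['"])(.*)\1$/, "$2"));
  }
  return vars;
}

// Returns one finding per NEXT_PUBLIC_ variable that leaks a secret.
function findExposedSecrets(envText) {
  const vars = parseEnv(envText);
  const serverValues = SERVER_ONLY.filter((k) => vars.get(k)).map((k) => [k, vars.get(k)]);
  const findings = [];
  for (const [name, value] of vars) {
    if (!name.startsWith("NEXT_PUBLIC_")) continue;
    const dup = serverValues.find(([, v]) => v === value);
    if (SECRET_NAME.test(name)) {
      findings.push({ name, reason: "secret-like name under NEXT_PUBLIC_" });
    } else if (dup) {
      findings.push({ name, reason: `same value as ${dup[0]}` });
    }
  }
  return findings;
}

// Constructed sample input, not taken from any real project.
const SAMPLE_ENV = `
AUTH_SECRET="constructed-sample-value"
NEXT_PUBLIC_AUTH_SECRET=constructed-sample-value
NEXT_PUBLIC_SESSION_SEED=constructed-sample-value
NEXT_PUBLIC_SITE_NAME=demo
`;
console.log(findExposedSecrets(SAMPLE_ENV));
```

Run against the project's real .env files in CI and fail the build when the returned list is non-empty; the value comparison catches a secret copied under an innocuous public name.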

peppescg commented on May 21, 2024

Hi folks I am continuing to have the same issue. Tried to use 5.0.0-beta.15 but I got a different error on session.
Could someone help me please 🙏 ?

Uncaught MissingSecret: Missing secret, please set AUTH_SECRET or config.secret.

with this provider configuration

const providers = [
  KeycloakProvider({
    id: 'keycloak',
    clientId: process.env.AUTH_KEYCLOAK_ID,
    issuer: process.env.AUTH_KEYCLOAK_URL,
    clientSecret: process.env.AUTH_SECRET,
  }),
]

from next-auth.

peppescg commented on May 21, 2024

> The fix isn't in 5.0.0-beta.15. You will either have to wait for the next beta or do a patch. I'm using pnpm to apply the patch; you can also use patch-package. #10592 is what fixed it for me.

Hi @matthawk60 👋
Did you find that calling the signout fn in a server action raised the error "Cookies can only be modified in a Server Action or Route Handler."? This happens only after upgrading to the latest 5.0.0-beta.17.
How are you using the signout? My use case is that I want to match the 401 and in this case sign out.

from next-auth.
