signIn API returns 200 and skips credentials validation when invalid csrfToken is passed #13051
Unanswered
waseemViwell asked this question in Help
Replies: 0 comments
Summary
When making a POST request to /api/auth/callback/credentials with an invalid csrfToken, the request returns a 200 OK response without running the authorize() function at all. This results in misleading behavior — the API returns success, but no credential validation is actually performed.
Steps to Reproduce
Set up NextAuth with CredentialsProvider.
Use a proxy tool (e.g., Postman, Fiddler, etc.) to modify the request:
Change or nullify the csrfToken field in the body.
Submit a POST request to:
/api/auth/callback/credentials
Observe that:
The authorize() function is not called.
The response returns 200 OK, not an error like 403.
Expected Behavior
If the csrfToken is missing or invalid, the API should:
Respond with a 403 Forbidden, or
Return a clear error response indicating CSRF failure.
Not silently return 200, which may confuse clients and developers.
Actual Behavior
The API returns 200 OK.
The credentials are not validated (authorize is not executed).
No error is thrown or returned — behavior is silent.