diff --git a/packages/auth/server/lib/utils/handle-oauth-authorize-url.ts b/packages/auth/server/lib/utils/handle-oauth-authorize-url.ts index f62d27fa9..047543882 100644 --- a/packages/auth/server/lib/utils/handle-oauth-authorize-url.ts +++ b/packages/auth/server/lib/utils/handle-oauth-authorize-url.ts @@ -30,11 +30,17 @@ type HandleOAuthAuthorizeUrlOptions = { prompt?: 'none' | 'login' | 'consent' | 'select_account'; }; +const isOidcPrompt = (value: unknown): value is HandleOAuthAuthorizeUrlOptions['prompt'] => { + return value === 'none' || value === 'login' || value === 'consent' || value === 'select_account'; +}; + const oauthCookieMaxAge = 60 * 10; // 10 minutes. export const handleOAuthAuthorizeUrl = async (options: HandleOAuthAuthorizeUrlOptions) => { const { c, clientOptions, redirectPath } = options; + let prompt = options.prompt ?? 'login'; + if (!clientOptions.clientId || !clientOptions.clientSecret) { throw new AppError(AppErrorCode.NOT_SETUP); } @@ -63,12 +69,12 @@ export const handleOAuthAuthorizeUrl = async (options: HandleOAuthAuthorizeUrlOp ); // Pass the prompt to the authorization endpoint. - if (process.env.NEXT_PRIVATE_OIDC_PROMPT !== '') { - const prompt = process.env.NEXT_PRIVATE_OIDC_PROMPT ?? 'login'; - - url.searchParams.append('prompt', prompt); + if (process.env.NEXT_PRIVATE_OIDC_PROMPT && isOidcPrompt(process.env.NEXT_PRIVATE_OIDC_PROMPT)) { + prompt = process.env.NEXT_PRIVATE_OIDC_PROMPT; } + url.searchParams.set('prompt', prompt); + setCookie(c, `${clientOptions.id}_oauth_state`, state, { ...sessionCookieOptions, sameSite: 'lax',