From 7a583aa7afdc0315093cf431471ba1714a2ecac1 Mon Sep 17 00:00:00 2001 From: Lucas Smith Date: Tue, 27 Jan 2026 20:25:16 +1100 Subject: [PATCH] fix: preserve prompt parameter in OAuth authorize URL builder (#2421) The prompt option was being discarded for OAuth authorize URLs after adding support for the NEXT_PRIVATE_OIDC_PROMPT env var. This meant select_account (used elsewhere) was not being passed through. Now defaults prompt to the provided option (or 'login'), and only overwrites it when a valid OIDC prompt env var is set. Also adds a type guard to validate the env var value. --- .../server/lib/utils/handle-oauth-authorize-url.ts | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/packages/auth/server/lib/utils/handle-oauth-authorize-url.ts b/packages/auth/server/lib/utils/handle-oauth-authorize-url.ts index f62d27fa9..047543882 100644 --- a/packages/auth/server/lib/utils/handle-oauth-authorize-url.ts +++ b/packages/auth/server/lib/utils/handle-oauth-authorize-url.ts @@ -30,11 +30,17 @@ type HandleOAuthAuthorizeUrlOptions = { prompt?: 'none' | 'login' | 'consent' | 'select_account'; }; +const isOidcPrompt = (value: unknown): value is HandleOAuthAuthorizeUrlOptions['prompt'] => { + return value === 'none' || value === 'login' || value === 'consent' || value === 'select_account'; +}; + const oauthCookieMaxAge = 60 * 10; // 10 minutes. export const handleOAuthAuthorizeUrl = async (options: HandleOAuthAuthorizeUrlOptions) => { const { c, clientOptions, redirectPath } = options; + let prompt = options.prompt ?? 'login'; + if (!clientOptions.clientId || !clientOptions.clientSecret) { throw new AppError(AppErrorCode.NOT_SETUP); } @@ -63,12 +69,12 @@ export const handleOAuthAuthorizeUrl = async (options: HandleOAuthAuthorizeUrlOp ); // Pass the prompt to the authorization endpoint. - if (process.env.NEXT_PRIVATE_OIDC_PROMPT !== '') { - const prompt = process.env.NEXT_PRIVATE_OIDC_PROMPT ?? 'login'; - - url.searchParams.append('prompt', prompt); + if (process.env.NEXT_PRIVATE_OIDC_PROMPT && isOidcPrompt(process.env.NEXT_PRIVATE_OIDC_PROMPT)) { + prompt = process.env.NEXT_PRIVATE_OIDC_PROMPT; } + url.searchParams.set('prompt', prompt); + setCookie(c, `${clientOptions.id}_oauth_state`, state, { ...sessionCookieOptions, sameSite: 'lax',