
fix(auth): disable NextAuth debug mode in production#1748

Open

MinitJain wants to merge 3 commits into CapSoftware:main from MinitJain:fix/nextauth-debug-mode-production


Conversation

@MinitJain MinitJain commented Apr 22, 2026

Contributor

Summary

  • `debug: true` was hardcoded unconditionally in `authOptions()`, causing NextAuth to log full JWT contents, session data, and user objects in production
  • Changed to `process.env.NODE_ENV !== "production"` so debug logging only activates in development
  • Removed three production-path `console.log` statements in `sendVerificationRequest` that logged raw OTP tokens and recipient emails to stdout on every auth request

Changes

1. NextAuth debug flag

```diff
- debug: true,
+ debug: process.env.NODE_ENV !== "production",
```
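Review bot: `NODE_ENV !== "production"` still enables debug logging when `NODE_ENV` is `test`, `staging` or unset, so a staging deployment feeding the same log aggregation would still receive JWT and session contents; gating on `NODE_ENV === "development"` restricts it to local development, which is what the follow-up commit on this branch does.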

2. OTP logging in production email path

Removed from the `RESEND_API_KEY` (production) branch of `sendVerificationRequest`:

  • `console.log("sendVerificationRequest")` — unconditional, fires in all environments
  • `console.log({ identifier, token })` — logged raw OTP code + recipient email
  • `console.log({ email })` — logged rendered OTP email JSX

The dev fallback path (`!RESEND_API_KEY`) is unchanged — OTP codes still print to console in development.

Security Impact

NextAuth debug mode exposes session tokens and OAuth token data in stdout logs. In any hosted deployment, these logs are retained in log aggregation systems (Vercel, Datadog, CloudWatch, etc.), making every session token readable to anyone with log access.

The `console.log({ identifier, token })` statement had the same exposure profile: raw OTP code + user email written to prod stdout on every magic-link auth attempt.

Test plan

  • Dev environment: verify OTP codes still appear in console (debug active, dev fallback path intact)
  • Production build (`NODE_ENV=production`): verify no JWT/session data in logs
  • Production build: verify no OTP tokens or emails in logs from `sendVerificationRequest`
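An added example, not code from this PR or the Cap repository, that contrasts the two `NODE_ENV` gates discussed on this PR and runs a small detector for the leak classes named under Security Impact (JWTs, OTP codes, recipient emails) over constructed stdout lines; the sample lines, regex heuristics and function names are assumptions.

```javascript
// Added example, not part of the PR. Contrasts the two NODE_ENV gates the PR
// discusses and scans constructed log lines for the leak classes it describes.

// Gate used in the PR description: debug on everywhere except production.
function debugNotProd(nodeEnv) {
  return nodeEnv !== "production";
}

// Stricter gate from the follow-up commit: debug on only in local development.
function debugDevOnly(nodeEnv) {
  return nodeEnv === "development";
}

// Lists the environments in which a given gate leaves debug logging enabled.
function enabledEnvironments(gate) {
  const envs = ["development", "test", "staging", "production", undefined];
  return envs.filter(gate).map(String);
}

// Heuristics (assumed) for data the PR says must never reach stdout.
const JWT_RE = /\b[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/;
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;
const OTP_RE = /\btoken:\s*'?\d{6}'?/;

// Returns one finding per offending line: { line, kinds }, 1-based line numbers.
function findSensitiveLogLines(lines) {
  const findings = [];
  lines.forEach((text, i) => {
    const kinds = [];
    if (JWT_RE.test(text)) kinds.push("jwt");
    if (OTP_RE.test(text)) kinds.push("otp");
    if (EMAIL_RE.test(text)) kinds.push("email");
    if (kinds.length) findings.push({ line: i + 1, kinds });
  });
  return findings;
}

// Constructed stdout sample shaped like the statements the PR removes
// (placeholder values, not real tokens or users).
const SAMPLE_LOG = [
  "sendVerificationRequest",
  "{ identifier: 'alice@example.com', token: '482913' }",
  "[next-auth][debug][JWT_DECODE] eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlX3BsYWNlaG9sZGVy",
  "GET /api/auth/session 200",
];

console.log(enabledEnvironments(debugNotProd)); // ['development','test','staging','undefined']
console.log(enabledEnvironments(debugDevOnly)); // ['development']
console.log(findSensitiveLogLines(SAMPLE_LOG)); // lines 2 (otp, email) and 3 (jwt)
```

Running the detector over a production log export after the change should return no findings for the `sendVerificationRequest` path; a hit there means a logging statement survived.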

superagent-security (bot) added the labels contributor:verified (Contributor passed trust analysis) and pr:verified (PR passed security analysis) on May 13, 2026
@richiemcilroy

Member

hey @greptileai please review

@superagent-security


Superagent didn't find any vulnerabilities or security issues in this PR.

superagent-security (bot) removed the labels pr:verified (PR passed security analysis) and contributor:verified (Contributor passed trust analysis) on Jun 20, 2026
Comment thread packages/database/auth/auth-options.ts Outdated
MinitJain and others added 3 commits June 20, 2026 21:45
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…uest

console.log({ identifier, token }) and console.log({ email }) ran
unconditionally in the RESEND_API_KEY (production) path, writing raw
OTP codes and recipient emails to stdout on every auth request.
console.log("sendVerificationRequest") fired unconditionally.

All three are debug-only artifacts with no functional role. Dev fallback
path (!RESEND_API_KEY) is unchanged.
NODE_ENV !== "production" enables debug logging in test/staging/unset
environments. === "development" restricts it strictly to local dev,
preventing JWT/session data from appearing in staging logs.

Addresses review suggestion from tembo.
MinitJain force-pushed the fix/nextauth-debug-mode-production branch from 2db8115 to d995455 on June 20, 2026 16:15
@MinitJain

Contributor Author

@richiemcilroy Typecheck CI is failing but these errors are pre-existing on main and unrelated to this PR.

Verified: the same 4 errors appear in the last CI run on main (run 27854095056, 2026-06-20T00:08):

  • apps/desktop/src/routes/editor/context.ts(229): CaptionsData | null not assignable to EditorCaptionsData | null
  • apps/desktop/src/store/captions.ts(242): CaptionAnimation type mismatch
  • apps/web/__tests__/unit/caption-tracks.test.ts(101): dispatch doesn't exist on HTMLVideoElement
  • apps/web/app/(site)/Footer.tsx(4): missing @fortawesome/fontawesome-svg-core

This PR only modifies packages/database/auth/auth-options.ts. Happy to rebase again once main is green, but the typecheck failure is not caused by these changes.
