fix: hard-fail when GOOGLE_CLIENT_ID set but NEXTAUTH_SECRET is empty

[shrwnsan]

Problem

When a deployer configures Google OAuth by setting GOOGLE_CLIENT_ID but forgets NEXTAUTH_SECRET, NextAuth falls back to an empty string secret (process.env.NEXTAUTH_SECRET ?? ""). This means JWTs are effectively unsigned — anyone who knows the signing algorithm (HS256) can forge session tokens and impersonate any user.

Eval: eval-006 (HIGH)
Upstream status: Partially addressed by PR onecli#173 (removed auto-generated fallback), but the empty string fallback remains.

Current Behavior

// lib/env.ts
export const NEXTAUTH_SECRET = process.env.NEXTAUTH_SECRET ?? "";

// proxy.ts getSetupError()
// Only checks: secret set + no Google → "oauth-misconfigured"
// Does NOT check: Google set + no secret → silent misconfiguration

Proposed Fix

Add an inverse check in getSetupError():

// Google OAuth is configured but NEXTAUTH_SECRET is missing
if (GOOGLE_CLIENT_ID && !NEXTAUTH_SECRET) {
  return "missing-nextauth-secret";
}

Redirect to /setup-error?code=missing-nextauth-secret with instructions to generate a secret via openssl rand -hex 32.

Scope

• apps/web/src/proxy.ts — add new setup error check
• apps/web/src/app/setup-error/page.tsx — add error description

Tests

4 tests covering all env combinations:

• Both set → no redirect (valid OAuth mode)
• Neither set → no redirect (local mode)
• Secret only → oauth-misconfigured
• Google only → missing-nextauth-secret (NEW)

Branch

fix/nextauth-secret — based on integration branch

[shrwnsan]

PR Draft

Summary

Hard-fails setup when GOOGLE_CLIENT_ID is set but NEXTAUTH_SECRET is empty, preventing unsigned JWT forgery.

Changes

• apps/web/src/proxy.ts: Added "missing-nextauth-secret" to SetupErrorCode type and inverse check in getSetupError()
• apps/web/src/app/setup-error/page.tsx: Added error description with openssl rand -hex 32 generation hint

Test Results

• ✅ pnpm check-types — passes
• ✅ pnpm lint — 0 warnings
• ✅ pnpm build — succeeds
• ✅ 4/4 unit tests pass (all env combinations)

Behavior

GOOGLE_CLIENT_ID	NEXTAUTH_SECRET	Result
✗	✗	Local mode (no error)
✓	✓	OAuth mode (no error)
✓	✗	→ setup-error (NEW)
✗	✓	oauth-misconfigured (existing)

Related

• Eval: eval-006
• Upstream partial fix: PR fix: remove NEXTAUTH_SECRET fallback that forced OAuth mode onecli/onecli#173

[shrwnsan]

Upstream Status Update (2026-04-29)

Merged upstream/main (60 commits, v1.9.0 → v1.18.6) and re-evaluated.

What upstream resolved

• Fallback removal (b602f1b, fix: remove NEXTAUTH_SECRET fallback that forced OAuth mode onecli/onecli#173): Removed `"local-mode-fallback-unused" which is falsy, preventing silent OAuth mode activation when secret is unset.

What upstream did NOT resolve

• getSetupError() still missing the reverse check. It checks secret set + no Google → oauth-misconfigured but does NOT check Google set + no secret → missing-nextauth-secret. The gateway's Rust auth will hard-fail at runtime, but the web app shows no helpful setup error page — just a silent failure.

Verdict

Still open. Our fix/nextauth-secret branch's getSetupError() addition remains valuable — it would catch this misconfiguration early and redirect to a helpful setup error page.

[shrwnsan]

Re-implementation Update (2026-04-29)

Re-implemented on fresh dev branch against upstream/main (v1.18.6).

What this commit does (c781717)

Added the missing reverse check in getSetupError() (apps/web/src/proxy.ts):

// GOOGLE_CLIENT_ID is set but NEXTAUTH_SECRET is empty — JWTs would be unsigned
if (GOOGLE_CLIENT_ID && !NEXTAUTH_SECRET) {
  return "missing-nextauth-secret";
}

Added corresponding error page entry in apps/web/src/app/setup-error/page.tsx with:

• Clear explanation of the risk (unsigned JWTs)
• One-liner to generate and append the secret: echo "NEXTAUTH_SECRET=$(openssl rand -hex 32)" >> .env

What changed upstream since original fix

• env.ts still has NEXTAUTH_SECRET = process.env.NEXTAUTH_SECRET ?? "" (falsy fallback, good)
• Gateway Rust auth still hard-fails when NEXTAUTH_SECRET is empty (runtime error, no helpful message)
• setup-error/page.tsx was simplified by upstream (removed unused import), our addition is compatible

Testing

No test framework exists in upstream (vitest.config.ts was deleted). The fix is a simple conditional + UI addition — straightforward to verify manually.