TypeError: "pkcs8" must be PKCS#8 formatted string on /api/login in Vercel logs #246

Closed
michael5r opened this issue Aug 28, 2024 · 5 comments

Comments

@michael5r

After doing a preview deployment with Vercel, and then trying to log in on my site, the page just refreshes & I'm getting these errors in the Vercel logs:

```
TypeError: "pkcs8" must be PKCS#8 formatted string
    at (../../node_modules/jose/dist/browser/key/import.js:20:0)
    at (../../node_modules/next-firebase-auth-edge/lib/auth/jwt/sign.js:9:0)
    at (../../node_modules/next-firebase-auth-edge/lib/auth/jwt/crypto-signer.js:16:0)
    at (../../node_modules/next-firebase-auth-edge/lib/auth/token-generator.js:69:0)
    at (../../node_modules/next-firebase-auth-edge/lib/auth/index.js:228:0)
    at (../../node_modules/next-firebase-auth-edge/lib/next/cookies.js:130:0)
    at (../../node_modules/next/dist/esm/server/web/adapter.js:158:0)
[GET] [middleware: "middleware"] /api/login reason=EDGE_FUNCTION_INVOCATION_FAILED, status=500, user_error=true
```

Everything works fine locally.
I've tried using both 1.6.2 and 1.7.0-canary.10 of next-firebase-auth-edge - it didn't make a difference.

Output of npx next info:

```
Operating System:
  Platform: darwin
  Arch: arm64
  Version: Darwin Kernel Version 23.4.0: Wed Feb 21 21:44:43 PST 2024; root:xnu-10063.101.15~2/RELEASE_ARM64_T6000
  Available memory (MB): 32768
  Available CPU cores: 10
Binaries:
  Node: 20.5.0
  npm: 9.8.0
  Yarn: 1.22.22
  pnpm: 8.6.10
Relevant Packages:
  next: 14.2.5 // There is a newer version (14.2.7) available, upgrade recommended!
  eslint-config-next: 14.2.5
  react: 18.3.1
  react-dom: 18.3.1
  typescript: 5.4.5
```

And this is what my middleware looks like:

```ts
import { NextRequest, NextResponse } from 'next/server';
import { authMiddleware } from 'next-firebase-auth-edge';
import { authConfig } from '~lib/firebase/server-config';

const AUTH_PATHS = ['/register', '/login', '/reset-password'];

const redirectToDashboard = (request: NextRequest) => {
    const url = request.nextUrl.clone();
    url.pathname = '/dashboard';

    return NextResponse.redirect(url);
};

export async function middleware(request: NextRequest) {
    return authMiddleware(request, {
        debug: true,
        loginPath: '/api/login',
        logoutPath: '/api/logout',
        refreshTokenPath: '/api/refresh-token',
        apiKey: authConfig.apiKey,
        cookieName: authConfig.cookieName,
        cookieSignatureKeys: authConfig.cookieSignatureKeys,
        cookieSerializeOptions: authConfig.cookieSerializeOptions,
        serviceAccount: authConfig.serviceAccount,
        checkRevoked: true,
        enableMultipleCookies: true,
        handleValidToken: async ({ token, decodedToken }, headers) => { // eslint-disable-line
            // Authenticated user should not be able to access /login, /register and /reset-password routes
            if (AUTH_PATHS.includes(request.nextUrl.pathname)) {
                return redirectToDashboard(request);
            }
            return NextResponse.next({
                request: {
                    headers
                }
            });
        }
    });
}

export const config = {
    matcher: [
        '/',
        '/((?!_next|favicon.ico|api|.*\\.).*)',
        '/api/login',
        '/api/logout',
        '/api/refresh-token'
    ]
};
```
@michael5r
Author

@awinogrodzki Any ideas as to what might be happening? If I bypass your library, I can sign in with Firebase just fine - it's only when it's going through your middleware that I get the errors.

@awinogrodzki
Owner

Hey @michael5r!

Thanks for reporting!

This error usually happens when an incorrect private key is provided. Could you inspect the value you pass as serviceAccount.privateKey? The private key should match the PKCS8 format mentioned here

@michael5r
Author

You're absolutely right - the issue was that in the environment variables on vercel.com, the privateKey included double quotes at the beginning & end of the string:


Once I removed those double-quotes, the error disappeared. Thanks!

@awinogrodzki
Owner

No worries! This is a pretty common case, so I should probably re-throw this error with a more user-friendly message. I will work on this soon :-)
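
The misconfiguration diagnosed in this thread (quotes stored as part of the private key value) can be caught with a descriptive message before the key reaches the signer. The following is an added example, not code from next-firebase-auth-edge or from the posters; `diagnosePrivateKey`, the constructed sample PEM and the literal-`\n` check are assumptions that go beyond what the thread describes.

```javascript
// Added example (not project code): diagnose a PEM private key read from an
// environment variable without ever echoing the key material itself.
const HEADER = '-----BEGIN PRIVATE KEY-----';
const FOOTER = '-----END PRIVATE KEY-----';

function diagnosePrivateKey(raw) {
  const problems = [];
  if (typeof raw !== 'string' || raw.trim() === '') {
    return { ok: false, problems: ['value is empty or not a string'], key: null };
  }
  let key = raw.trim();
  // A dashboard stores the field verbatim, so quotes pasted from a .env
  // file become part of the value (the cause found in this issue).
  const quoted = /^(["'])([\s\S]*)\1$/.exec(key);
  if (quoted) {
    problems.push('value is wrapped in quotes');
    key = quoted[2].trim();
  }
  // Assumption beyond the page: newlines stored as the two characters "\n".
  if (key.includes('\\n')) {
    problems.push('value contains literal \\n sequences instead of newlines');
    key = key.replace(/\\n/g, '\n').trim();
  }
  if (!key.startsWith(HEADER) || !key.endsWith(FOOTER)) {
    problems.push('missing PKCS#8 PEM header or footer');
    return { ok: false, problems, key: null };
  }
  const body = key.slice(HEADER.length, -FOOTER.length).replace(/\s+/g, '');
  let der = '';
  try {
    der = atob(body);
  } catch {
    problems.push('PEM body is not valid base64');
    return { ok: false, problems, key: null };
  }
  // PKCS#8 PrivateKeyInfo is a DER SEQUENCE, so the first byte is 0x30.
  if (der.charCodeAt(0) !== 0x30) {
    problems.push('PEM body does not start with a DER SEQUENCE');
    return { ok: false, problems, key: null };
  }
  // ok means the raw value was usable as-is; key is the repaired form.
  return { ok: problems.length === 0, problems, key };
}

// Constructed placeholder bytes (DER SEQUENCE tag + filler), not a real key.
const SAMPLE_BODY = btoa('\x30\x0a' + 'constructed');
const SAMPLE_PEM = `${HEADER}\n${SAMPLE_BODY}\n${FOOTER}\n`;
```

Run the check once at startup and log only the `problems` array, never the raw value, so a misconfigured deployment does not write key material to its logs.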

github-actions bot pushed a commit that referenced this issue Aug 30, 2024
# [1.7.0-canary.11](v1.7.0-canary.10...v1.7.0-canary.11) (2024-08-30)

### Bug Fixes

* **#246:** re-throw invalid PKCS8 error as AuthError with user-friendly message ([a7d7a22](a7d7a22)), closes [#246](#246)
@awinogrodzki
Owner

More descriptive error message released in v1.7.0-canary.11

github-actions bot pushed a commit that referenced this issue Sep 9, 2024
# [1.7.0](v1.6.2...v1.7.0) (2024-09-09)

### Bug Fixes

* add debug logs for experimental feature ([41ef1df](41ef1df))
* **#242:** use TextEncoder when mapping token to UInt8Array ([23b04dc](23b04dc)), closes [#242](#242)
* **#246:** re-throw invalid PKCS8 error as AuthError with user-friendly message ([a7d7a22](a7d7a22)), closes [#246](#246)
* **#249:** merge error stack trace in token verifier to improve visibility on fetch errors ([6bce756](6bce756)), closes [#249](#249)
* add missing name property to decoded id token type ([39b086d](39b086d))
* pass cookie serialization options to cookie setter ([b28ce7a](b28ce7a))
* recreate canary tags after force push ([c9b7c18](c9b7c18))
* semantic-release rate exceeded error ([676b602](676b602))
* semantic-version git history issue ([d514f57](d514f57))
* update next.js peer dependency to rc ([f2953fd](f2953fd))

### Features

* **middleware:** introduced `redirectToPath` method and RegExp support in `redirectToLogin` method ([21024bb](21024bb))
* added `path` option to `redirectToHome` helper function ([54f07f4](54f07f4))
* allow setAuthCookies to accept custom auth headers or fall back ([b1d169b](b1d169b))
* experimental option to refresh token on expired kid header ([2869531](2869531))
* introduced `refreshCookiesWithIdToken` function to enable login using Server Actions ([#212](#212)) ([6cd0b13](6cd0b13))
* next.js 15 rc support ([a994dd0](a994dd0))
* pass custom auth header from authMiddleware ([71286af](71286af))
* **getTokens:** introduced optional `cookieSerializeOptions` option ([e041542](e041542))
* replaced no matching kid auth error with invalid token error ([9d2d0fc](9d2d0fc))
* support Node.js 22 ([6c7f435](6c7f435))