From 6fad48f65ad7cbb927fd80de49930a8256110331 Mon Sep 17 00:00:00 2001
From: Meier Lukas <meierschlumpf@gmail.com>
Date: Sat, 1 Mar 2025 17:24:31 +0100
Subject: [PATCH] feat: use fetch with trusted certificates for oidc (#2412)

* feat: use fetch with trusted certificates for oidc

* fix: change custom-fetch symbol from auth-core to next-auth

* test: add mock for next-auth in events test

* refactor: use package import instead of relative import
---
 packages/auth/package.json                    | 1 +
 packages/auth/providers/oidc/oidc-provider.ts | 7 +++++++
 packages/auth/test/events.spec.ts             | 1 +
 pnpm-lock.yaml                                | 3 +++
 4 files changed, 12 insertions(+)

diff --git a/packages/auth/package.json b/packages/auth/package.json
index 1ea47abcb..6a6f2c1a3 100644
--- a/packages/auth/package.json
+++ b/packages/auth/package.json
@@ -25,6 +25,7 @@
   "dependencies": {
     "@auth/core": "^0.38.0",
     "@auth/drizzle-adapter": "^1.8.0",
+    "@homarr/certificates": "workspace:^0.1.0",
     "@homarr/common": "workspace:^0.1.0",
     "@homarr/db": "workspace:^0.1.0",
     "@homarr/definitions": "workspace:^0.1.0",
diff --git a/packages/auth/providers/oidc/oidc-provider.ts b/packages/auth/providers/oidc/oidc-provider.ts
index 82328b3ff..d03d9c736 100644
--- a/packages/auth/providers/oidc/oidc-provider.ts
+++ b/packages/auth/providers/oidc/oidc-provider.ts
@@ -1,6 +1,9 @@
 import type { ReadonlyHeaders } from "next/dist/server/web/spec-extension/adapters/headers";
 import type { OIDCConfig } from "@auth/core/providers";
 import type { Profile } from "@auth/core/types";
+import { customFetch } from "next-auth";
+
+import { fetchWithTrustedCertificatesAsync } from "@homarr/certificates/server";
 
 import { env } from "../../env";
 import { createRedirectUri } from "../../redirect";
@@ -35,6 +38,10 @@ export const OidcProvider = (headers: ReadonlyHeaders | null): OIDCConfig<Profil
       provider: "oidc",
     };
   },
+  // The type for fetch is not identical, but for what we need it it's okay to not be an 1:1 match
+  // See documentation https://authjs.dev/guides/corporate-proxy?framework=next-js
+  // @ts-expect-error `undici` has a `duplex` option
+  [customFetch]: fetchWithTrustedCertificatesAsync,
 });
 
 export const extractProfileName = (profile: Profile) => {
diff --git a/packages/auth/test/events.spec.ts b/packages/auth/test/events.spec.ts
index 0fe01ddf1..ad6178ab2 100644
--- a/packages/auth/test/events.spec.ts
+++ b/packages/auth/test/events.spec.ts
@@ -11,6 +11,7 @@ import { colorSchemeCookieKey, everyoneGroup } from "@homarr/definitions";
 
 import { createSignInEventHandler } from "../events";
 
+vi.mock("next-auth", () => ({}));
 vi.mock("../env", () => {
   return {
     env: {
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 404d5813b..3a47b5745 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -639,6 +639,9 @@ importers:
       '@auth/drizzle-adapter':
         specifier: ^1.8.0
         version: 1.8.0
+      '@homarr/certificates':
+        specifier: workspace:^0.1.0
+        version: link:../certificates
       '@homarr/common':
         specifier: workspace:^0.1.0
         version: link:../common