Hi,
I'm trying to handle some POST callbacks from a 3rd party that are not sending a CSRF token. Is there any way to exclude some paths from these security checks? I found this at lusca (https://github.com/krakenjs/lusca/issues/58), but I didn't find any way here to use it.
Thanks for the ticket.
Actually no, this option currently isn't exposed but is easy to do - I'll add it in the next update.
@iaincollins very keen on this as well. Have you made any progress yet?
@iaincollins This has already been implemented, right? And this issue can be closed. You can pass the csrf option:
```js
csrf: {
  whitelist: ....,
  blacklist: ....
}
```
Any documentation?
@saintego next-auth just allows you to pass down options to https://www.npmjs.com/package/lusca so I suggest checking out their documentation.
Added documentation about it on #71. By looking at the example I assumed the csrf type was only boolean, but you can pass an object to it and next-auth will use it to configure lusca, as @jenssogaard said.
Could you please give us an example of how to implement this in next-starter?
Assuming that you have next-auth configured in your project, you need to pass the object in your configuration (usually next-auth.config.js, https://github.com/iaincollins/nextjs-starter/blob/master/next-auth.config.js) like this:
```js
{
  // ... other configs
  csrf: {
    blacklist: ["/graphql"]
  }
}
```
I cannot for the life of me get the blacklist URLs to properly work.
I have csrf: { [blacklist: '/api/upload' ] } added to my next-auth.config.js, however it still gives me 403 errors when I POST to that URL. Is there anything else I need to be doing?
@ndom91 there is a syntax error in your quoted code. That should be csrf: { blacklist: ['/api/upload' ] }.
The solutions marked above worked for me. Remember to reboot your server, and note that blacklist means CSRF is disabled on the listed routes. Good luck.
Closing this issue as this is much simpler in 2.0, which no longer requires a custom server, so the CSRF logic is only applied to auth routes and does not require any configuration (and you don't need to exclude any routes, as it no longer impacts other routes).