The CSRF token is not being passed in the body of the request to the Auth method from Auth.js #939

Open
gkettani opened this issue Jan 18, 2025 · 1 comment

gkettani commented Jan 18, 2025

Which middleware has the bug?

@hono/auth-js

What version of the middleware?

1.0.15

What version of Hono are you using?

4.6.11

What runtime/platform is your app running on? (with version if possible)

Bun

What steps can reproduce the bug?

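  1. Create a sample React app using vite

```tsx
import { StrictMode } from "react";
import { createRoot } from "react-dom/client";
import { SessionProvider, signIn } from "@hono/auth-js/react";

// Button is the reporter's own UI component; its import is not shown in the issue.
function App() {
  return (
    <>
      {/* Clicking the button starts the Google sign-in flow */}
      <Button onClick={() => signIn("google")}>Sign In now</Button>
    </>
  );
}

createRoot(document.getElementById('root')!).render(
  <StrictMode>
    <SessionProvider>
      <App />
    </SessionProvider>
  </StrictMode>
);
```
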
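  2. Then in the backend, use hono + bun

```ts
import { Hono } from 'hono';
import { authHandler, initAuthConfig, verifyAuth } from '@hono/auth-js';
import GoogleProvider from '@auth/core/providers/google';

const app = new Hono();

// Build the Auth.js config from the environment for each request
app.use(
  '*',
  initAuthConfig((c) => ({
    secret: c.env.AUTH_SECRET,
    providers: [
      GoogleProvider({
        clientId: c.env.GOOGLE_CLIENT_ID,
        clientSecret: c.env.GOOGLE_CLIENT_SECRET,
      }),
    ],
    basePath: '/api/auth',
  }))
);

// Auth.js routes are served under /api/auth
app.use('/api/auth/*', authHandler());

// Require an authenticated session on /api/* routes
app.use('/api/*', verifyAuth());
```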

What is the expected behavior?

The user should be able to sign in, by clicking the sign in button.

What do you see instead?

The operation fails, returning a CSRF token missing error.

Additional information

Upon investigation, the CSRF token is not passed in the body to the Auth method from Auth.js:

```ts
const res = await Auth(reqWithEnvUrl(c.req.raw, ctxEnv.AUTH_URL), config)
```

Auth.js expects to receive the csrfToken as part of the body on POST requests.
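
The check the issue describes, where the POST body must repeat the CSRF token, sketched as an added example (not code from the issue, the middleware or Auth.js). The `token|HMAC` cookie layout, the function names and the sample secret and URLs are assumptions for illustration.

```javascript
// Added example: simplified double-submit CSRF check (not Auth.js source code).
const { createHmac, randomBytes, timingSafeEqual } = require("node:crypto");

// Constructed value; stands in for the AUTH_SECRET used in the issue's config.
const SECRET = "constructed-demo-secret";

const sign = (token) => createHmac("sha256", SECRET).update(token).digest("hex");

// Constant-time string comparison that tolerates different lengths.
function safeEqual(a, b) {
  const x = Buffer.from(a);
  const y = Buffer.from(b);
  return x.length === y.length && timingSafeEqual(x, y);
}

// Server: issue a token; the cookie carries "token|signature" (assumed layout).
function issueCsrf() {
  const token = randomBytes(32).toString("hex");
  return { token, cookie: `${token}|${sign(token)}` };
}

// Server: a POST passes only if the cookie is authentic AND the
// urlencoded body repeats the same token in its csrfToken field.
function verifyCsrfPost(cookieValue, rawBody) {
  const [token = "", sig = ""] = (cookieValue ?? "").split("|");
  if (!token || !safeEqual(sig, sign(token))) return "invalid-cookie";
  const bodyToken = new URLSearchParams(rawBody).get("csrfToken");
  if (bodyToken === null) return "missing-csrf"; // the failure reported in this issue
  return safeEqual(bodyToken, token) ? "ok" : "csrf-mismatch";
}

// Client: the sign-in POST body has to include the token next to its other fields.
function buildSignInBody(csrfToken, callbackUrl) {
  return new URLSearchParams({ csrfToken, callbackUrl }).toString();
}

// Constructed requests: one body with the token, one without it.
function demo() {
  const { token, cookie } = issueCsrf();
  const withToken = buildSignInBody(token, "http://localhost:5173/");
  const withoutToken = new URLSearchParams({ callbackUrl: "http://localhost:5173/" }).toString();
  return [verifyCsrfPost(cookie, withToken), verifyCsrfPost(cookie, withoutToken)];
}

console.log(demo()); // [ 'ok', 'missing-csrf' ]
```

A cross-site page can cause the cookie to be sent but cannot read it, so it cannot put a matching token in the body; that is why a body without the field is rejected even when the cookie is valid.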

gkettani reopened this Jan 19, 2025

yusukebe (Member) commented

@gkettani Thank you for the issue.

Hi @divyam234, can you take a look?
