[@hono/auth-js] don't use request body

[bordeo]

auth-js don't need request body.
accessing request body prevent future usage by other hono handlers

[changeset-bot]

🦋 Changeset detected

Latest commit: 3d02cab

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@hono/auth-js	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[yusukebe]

Hi @bordeo Thank you for the PR.

@divyam234 Can you review this?

[divyam234]

@bordeo request body is always used in login action

middleware/packages/auth-js/src/react.tsx

Line 319 in 2d1a89d

body: new URLSearchParams({ ...opts, csrfToken, callbackUrl }),

see here. @yusukebe this pr should not be merged

[yusukebe]

@divyam234 Thanks! I'll close this PR now.

[bordeo]

I understand your point @divyam234, I'm gonna create a new PR with different approach because if we use verifyAuth and we try to read the request body we have the error.

[divyam234]

Are you using bun?

[bordeo]

yes. the problem isn't the runtime but the fact that request body can be used only once

[divyam234]

@bordeo This was added as a workaround for bun as req cloning was not working prior to 1.26 but now this can be replaced by simple request cloning like other runtimes.You can raise pr for that.

[divyam234]

import { test, expect } from "bun:test";

test("should clone request with a readable stream body correctly", async () => {
  const originalUrl = "https://example.com";
  const clonedUrl = "https://example1.com";
  const bodyContent = "test";

  const readableStream = new ReadableStream({
    start(controller) {
      controller.enqueue(new TextEncoder().encode(bodyContent));
      controller.close();
    }
  });

  const req = new Request(originalUrl, {
    method: "POST",
    body: readableStream,
    headers: {
      test: "test"
    }
  });

  const cloneRequest = new Request(clonedUrl, req);

  expect(cloneRequest.url).toBe(clonedUrl);

  expect(cloneRequest.method).toBe(req.method);

  expect(cloneRequest.headers.get("test")).toBe(req.headers.get("test"));

  const clonedBody = await cloneRequest.text();
  expect(clonedBody).toBe(bodyContent);
});

I had this test in one of my repo which was faling in earlier versions for bun but its passing now on latest version.Took them one year to fix this simple issue

[bordeo]

yes your code is going to work because you are reading the body once with .text.
verifyAuth calls getAuthUser, which calls reqWithEnvUrl, which calls cloneRequest. However, cloneRequest is not using the proper method .clone but is instead creating a new Request object with the body read from the original request using request.blob.
Once you read from the original request, you can't read it again.
The original request can be used in the handler after verifyAuth to read body JSON params, for example, but attempting to read it throws an error because cloneRequest has already read it

[divyam234]

#790 this pr will fix this issue