fix: configure GitHub OAuth issuer #388

Open
joaomnuno wants to merge 3 commits into usesend:main from joaomnuno:fix/github-oauth-issuer

@joaomnuno joaomnuno commented Apr 10, 2026

Problem

GitHub OAuth sign-in fails during the callback stage with:

[next-auth][error][OAUTH_CALLBACK_ERROR]
issuer must be configured on the issuer

GitHub now includes an iss parameter in OAuth callback responses as part of RFC 9207. In NextAuth v4-style flows, the callback path validates that issuer when it is present. If the GitHub provider is configured without an explicit issuer, the callback throws before login can complete.

Root Cause

UseSend relies on the built-in GitHub provider defaults in next-auth@4.24.11. That appears to have been sufficient before GitHub started returning iss in callback requests. Once iss is present, the callback path expects the provider config to declare the matching issuer metadata.

This is the same failure mode reported in Langfuse issue #13091.

Fix

  • Set the GitHub provider issuer explicitly to https://github.com/login/oauth
  • Add a unit test that verifies the GitHub provider is configured with that explicit issuer

Testing

  • Added a targeted unit test for the provider configuration
  • Not run locally

References


Summary by cubic

Fixes GitHub OAuth sign-in failures by setting the GitHub provider issuer to https://github.com/login/oauth in next-auth. Restores successful callbacks now that GitHub includes iss.

  • Bug Fixes
    • Configure issuer on the GitHub provider to satisfy iss validation during OAuth callbacks.
    • Add and stabilize a unit test that verifies the provider issuer; mock NEXT_PUBLIC_IS_CLOUD so the provider initializes.

Written for commit c014f7f. Summary will update on new commits.

Summary by CodeRabbit

  • Bug Fixes

    • Improved GitHub OAuth configuration by explicitly setting the expected issuer to make authentication callbacks more reliable.
  • Tests

    • Added unit tests to verify the authentication provider configuration, ensuring client credentials and the explicit issuer are correctly applied.
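
The issuer check this pull request describes, as an added TypeScript example that is not code from the PR, next-auth or UseSend. `ProviderConfig` and `checkCallbackIssuer` are hypothetical names, the callback URLs are constructed, and the rejection messages other than the one quoted in the PR are made up.

```typescript
// Added illustration of the RFC 9207 issuer check on an OAuth callback.
// Not next-auth or UseSend code; ProviderConfig and checkCallbackIssuer are hypothetical names.

interface ProviderConfig {
  issuer?: string; // expected issuer identifier for this provider
  issParameterSupported?: boolean; // AS metadata: authorization_response_iss_parameter_supported
}

interface IssuerCheck {
  ok: boolean;
  reason?: string;
}

function checkCallbackIssuer(callbackUrl: string, provider: ProviderConfig): IssuerCheck {
  // searchParams.get() returns the form-decoded value, or null when the parameter is absent.
  const iss = new URL(callbackUrl).searchParams.get("iss");

  if (iss === null) {
    // A server known to send iss must always send it; otherwise absence is acceptable.
    return provider.issParameterSupported
      ? { ok: false, reason: "iss missing from the response" }
      : { ok: true };
  }
  if (!provider.issuer) {
    // The failure described in this PR: iss arrived, but no expected value is configured.
    return { ok: false, reason: "issuer must be configured on the issuer" };
  }
  if (iss !== provider.issuer) {
    // Simple string comparison, no normalisation: a different issuer means the
    // response did not come from the server the request was sent to.
    return { ok: false, reason: `iss mismatch, expected ${provider.issuer}, got: ${iss}` };
  }
  return { ok: true };
}

// Constructed sample callbacks (host, code and state are made up).
const BASE = "https://app.example.test/api/auth/callback/github?code=c0de&state=st4te";
const WITH_GITHUB_ISS = BASE + "&iss=" + encodeURIComponent("https://github.com/login/oauth");
const WITH_OTHER_ISS = BASE + "&iss=" + encodeURIComponent("https://as.example.test");

const beforeFix: ProviderConfig = {};
const afterFix: ProviderConfig = { issuer: "https://github.com/login/oauth" };

console.log(checkCallbackIssuer(WITH_GITHUB_ISS, beforeFix)); // rejected: no issuer configured
console.log(checkCallbackIssuer(WITH_GITHUB_ISS, afterFix)); // accepted
console.log(checkCallbackIssuer(WITH_OTHER_ISS, afterFix)); // rejected: mismatch
```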

vercel bot commented Apr 10, 2026

@joaomnuno is attempting to deploy a commit to the kmkoushik's projects Team on Vercel.

A member of the Team first needs to authorize it.

coderabbitai bot commented Apr 10, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ac9ad9ec-5807-44e5-8ec6-cb87ee8e9ccb

📥 Commits

Reviewing files that changed from the base of the PR and between bb91cf9 and c014f7f.

📒 Files selected for processing (1)
  • apps/web/src/server/auth.unit.test.ts

Walkthrough

The pull request adds an explicit GitHub OAuth issuer constant (GITHUB_OAUTH_ISSUER = https://github.com/login/oauth) and passes it as the issuer option to the GitHubProvider in the server auth configuration. It also adds a unit test that mocks authentication-related modules and asserts the GitHub provider in authOptions.providers includes clientId, clientSecret, and the explicit issuer value.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the main change: adding GitHub OAuth issuer configuration to fix OAuth callback failures. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/web/src/server/auth.unit.test.ts`:
- Around line 39-44: The mocked env in the vi.mock call currently sets GITHUB_ID
and GITHUB_SECRET but misses the cloud-mode flag; update the mocked env object
inside vi.mock("~/env", ...) to include NEXT_PUBLIC_IS_CLOUD: true so tests run
with cloud-mode semantics (modify the env object literal used in the test file's
vi.mock).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3efc3fcf-c0c4-48d5-9741-954744114b79

📥 Commits

Reviewing files that changed from the base of the PR and between b20f3b5 and 109aaa5.

📒 Files selected for processing (2)
  • apps/web/src/server/auth.ts
  • apps/web/src/server/auth.unit.test.ts
