Deceptive website warning
The problem
Typically, this is what it looks like when Google blocks your website:
Chrome and every other browser that uses Google Safe Browsing will show this full-page warning to a user who navigates to your website.
This means that Google has classified your website as dangerous: phishing ("deceptive"), malware, human organs black market, etc.
The next step: YouTube (if you have an account) removes videos that it believes are connected to the website, bans your account, etc.
Potential consequences: your business is just ruined.
The solution
The main problem is that, for some reason, Google treats the standard next-auth sign-in page (/api/auth/signin) as deceptive. So, when its crawler sees that page, it often raises the red flag.
The likely reason (an inference, not something Google documents for next-auth specifically): the default page is a generic, unbranded sign-in form that a visitor lands on after an automatic redirect, which is exactly what a credential-phishing page looks like to Safe Browsing's social-engineering heuristics.
To mitigate this, fix the following two things.
Always use a custom sign-in page
You should always have your own custom sign-in page (e.g. /sign-in). When you initialize next-auth, always point it at your custom sign-in page in the options:
```ts
import type { NextAuthOptions } from "next-auth";
import { PrismaAdapter } from "@next-auth/prisma-adapter";
import { prisma } from "@/lib/prisma"; // your Prisma client instance; the path is project-specific

export const authOptions: NextAuthOptions = {
  adapter: PrismaAdapter(prisma),
  providers: [
    ...
  ],
  pages: {
    // Send unauthenticated users here instead of the default /api/auth/signin page
    signIn: "/sign-in",
  },
};
```
This way, when an unauthenticated user navigates to a protected page, they are redirected to your custom sign-in page instead of next-auth's standard one.
Unauthenticated user redirect workflow
Imagine a typical user flow:
- user navigates to the main page
- on the main page there is a link to the internal dashboard
- the dashboard page checks whether user is authenticated; if not, user is redirected to the sign-in page
And here is the other problem: Google, again for some reason, might raise the red flag saying that the website is "trying to trick users into entering personal data".
The key thing here is to reverse the redirect logic for unauthenticated users. The better user flow is this:
- user navigates to the main page
- on the main page there is a link to the sign-in page
- the sign-in page checks whether user is authenticated; if so, it redirects user to the internal dashboard
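To make the reversed flow concrete, here is an added example (not code from the original post) of the decision a custom /sign-in page makes, written as a pure TypeScript function so it can be tested without a Next.js runtime. It assumes the page takes an optional ?callbackUrl= query parameter, that /dashboard is the default destination, and that the real page obtains the session with next-auth's getServerSession; the helper names are mine. It also adds a check the post does not mention: the callback URL is only honoured if it is a same-origin relative path that is not the sign-in page itself, so the sign-in page can neither be turned into an open redirect to another site nor loop on itself.

```typescript
// Added example, not from the original post. Redirect decision for a custom
// /sign-in page in the "reversed" flow: authenticated users are sent to the
// dashboard, everyone else simply sees the sign-in form. Kept free of next-auth
// imports so it can be unit-tested; in the real page `session` comes from
// getServerSession() and `query` from the request.

// Minimal shape of what getServerSession() returns (null when not signed in).
type Session = { user?: { email?: string | null } } | null;

type SignInDecision =
  | { kind: "render" }
  | { kind: "redirect"; destination: string };

// Assumptions: the custom sign-in page lives at /sign-in and the post-sign-in
// landing page is /dashboard.
const SIGN_IN_PATH = "/sign-in";
const DEFAULT_AFTER_SIGN_IN = "/dashboard";

// Accept a callbackUrl only if it is a same-origin relative path. Absolute URLs,
// protocol-relative "//evil.example", backslash variants and tab/newline
// smuggling all fall back to the default, so the page is not an open redirect.
// A callback pointing back at the sign-in page also falls back, to avoid a loop.
function safeCallbackUrl(
  raw: string | string[] | undefined,
  fallback: string = DEFAULT_AFTER_SIGN_IN,
): string {
  const value = Array.isArray(raw) ? raw[0] : raw;
  if (!value || !value.startsWith("/") || value.startsWith("//") || value.startsWith("/\\")) {
    return fallback;
  }
  try {
    // Resolve against a fixed dummy origin; if the origin changes, the input
    // smuggled a host (the WHATWG parser turns "/\evil" and "/<tab>/evil" into hosts).
    const url = new URL(value, "http://localhost");
    if (url.origin !== "http://localhost") return fallback;
    if (url.pathname === SIGN_IN_PATH) return fallback;
    return url.pathname + url.search + url.hash;
  } catch {
    return fallback;
  }
}

// The sign-in page's server-side decision: signed in -> redirect away, otherwise render.
function decideSignInPage(
  session: Session,
  query: Record<string, string | string[] | undefined>,
): SignInDecision {
  if (session?.user) {
    return { kind: "redirect", destination: safeCallbackUrl(query.callbackUrl) };
  }
  return { kind: "render" };
}

// Adapter to the shape a Next.js Pages Router getServerSideProps must return.
function toGetServerSidePropsResult(decision: SignInDecision) {
  return decision.kind === "redirect"
    ? { redirect: { destination: decision.destination, permanent: false } }
    : { props: {} };
}
```

The dashboard itself does not redirect anywhere in this flow: the only automatic redirect left on the site goes from the sign-in page to the dashboard, and only for users who are already signed in. Note that the default `/api/auth/signin` route still exists even after `pages.signIn` is set; it is the visible redirect into a generic form that this example removes.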
These are the two major reasons why Google raises the "deceptive website" warning bullshit on a normal website that uses next-auth.
After you have fixed these two issues, go to Google Search Console, open the Security issues report and request a review. If everything is fine, the issue should disappear from Search Console, and after a while the warning should also disappear from browsers.
Conclusion
Fuck Google.