srizan/archived-next-auth
1
0
Fork 0
mirror of https://github.com/SrIzan10/next-auth.git synced 2026-05-01 10:55:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into firebase-admin-adapter

Browse Source
This commit is contained in:
Balázs Orbán
2023-02-04 15:47:58 +01:00
parent 63099497ec e9d8805609
commit 1cd5cbb02a
54 changed files with 1839 additions and 1128 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.eslintignore
View File

@@ -24,7 +24,7 @@ pnpm-lock.yaml
.docusaurus
build
docs/docs/reference/core
docs/docs/reference/04-sveltekit
docs/docs/reference/sveltekit
static
# --------------- Packages ---------------

2
.github/ISSUE_TEMPLATE/1_bug_framework.yml vendored
View File

@@ -30,7 +30,7 @@ body:
Run this command in your project's root folder and paste the result:
```sh
npx envinfo --system --binaries --browsers --npmPackages "next,react,next-auth"
npx envinfo --system --binaries --browsers --npmPackages "next,react,next-auth,@auth/*"
```
Alternatively, you can manually gather the version information from your package.json for these packages: "next", "react" and "next-auth". Please also mention your OS and Node.js version, as well as the browser you are using.
validations:

4
.github/ISSUE_TEMPLATE/2_bug_provider.yml vendored
View File

@@ -25,6 +25,7 @@ body:
- "Custom provider"
- "42 School"
- "Apple"
- "Asgardeo"
- "Atlassian"
- "Auth0"
- "Authentik"
@@ -57,6 +58,7 @@ body:
- "Medium"
- "Naver"
- "Netlify"
- "Notion"
- "Okta"
- "OneLogin"
- "Osso"
@@ -87,7 +89,7 @@ body:
Run this command in your project's root folder and paste the result:
```sh
npx envinfo --system --binaries --browsers --npmPackages "next,react,next-auth"
npx envinfo --system --binaries --browsers --npmPackages "next,react,next-auth,@auth/*"
```
Alternatively, you can manually gather the version information from your package.json for these packages: "next", "react" and "next-auth". Please also mention your OS and Node.js version, as well as the browser you are using.
validations:

2
.github/ISSUE_TEMPLATE/3_bug_adapter.yml vendored
View File

@@ -44,7 +44,7 @@ body:
Run this command in your project's root folder and paste the result:
```sh
npx envinfo --system --binaries --browsers --npmPackages "next,react,next-auth" && npx envinfo --npmPackages "@next-auth/*"
npx envinfo --system --binaries --browsers --npmPackages "next,react,next-auth,@auth/*" && npx envinfo --npmPackages "@next-auth/*"
```
Alternatively, if the above command did not work, we need the version of the following packages from your package.json: "next", "react", "next-auth" and your adapter. Please also mention your OS and Node.js version, as well as the browser you are using.
validations:

31
.github/workflows/release.yml vendored
View File

@@ -35,21 +35,22 @@ jobs:
UPSTASH_REDIS_KEY: ${{ secrets.UPSTASH_REDIS_KEY }}
TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
- name: Run E2E tests
run: pnpm e2e
timeout-minutes: 15
env:
AUTH0_USERNAME: ${{ secrets.AUTH0_USERNAME }}
AUTH0_PASSWORD: ${{ secrets.AUTH0_PASSWORD }}
TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
- name: Upload E2E artifacts
uses: actions/upload-artifact@v3
if: always()
with:
name: playwright-report
path: apps/dev/nextjs/playwright-report/
retention-days: 30
# - name: Run E2E tests
# if: github.repository == 'nextauthjs/next-auth'
# run: pnpm e2e
# timeout-minutes: 15
# env:
# AUTH0_USERNAME: ${{ secrets.AUTH0_USERNAME }}
# AUTH0_PASSWORD: ${{ secrets.AUTH0_PASSWORD }}
# TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
# TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
# - name: Upload E2E artifacts
# if: github.repository == 'nextauthjs/next-auth'
# uses: actions/upload-artifact@v3
# with:
# name: playwright-report
# path: apps/dev/nextjs/playwright-report/
# retention-days: 30
# - name: Coverage
# uses: codecov/codecov-action@v1
# with:

4
.gitignore vendored
View File

@@ -40,7 +40,6 @@ packages/*/*.js
packages/*/*.d.ts
packages/*/*.d.ts.map
# Development app
apps/dev/src/css
apps/dev/prisma/migrations
@@ -80,11 +79,12 @@ docs/.docusaurus
docs/providers.json
# Core
packages/core/src/providers/oauth-types.ts
packages/core/lib
packages/core/providers
packages/core/src/lib/pages/styles.ts
docs/docs/reference/core
docs/docs/reference/04-sveltekit
docs/docs/reference/sveltekit
# SvelteKit

2
.prettierignore
View File

@@ -21,7 +21,7 @@ pnpm-lock.yaml
.docusaurus
build
docs/docs/reference/core
docs/docs/reference/04-sveltekit
docs/docs/reference/sveltekit
static
docs/providers.json

8
apps/dev/nextjs/.env.local.example
View File

@@ -9,6 +9,10 @@ NEXTAUTH_URL=http://localhost:3000
# and/or verification tokens.
NEXTAUTH_SECRET=secret
ASGARDEO_CLIENT_ID=
ASGARDEO_CLIENT_SECRET=
ASGARDEO_ISSUER=
AUTH0_ID=
AUTH0_SECRET=
AUTH0_ISSUER=
@@ -17,6 +21,10 @@ KEYCLOAK_ID=
KEYCLOAK_SECRET=
KEYCLOAK_ISSUER=
NOTION_ID=
NOTION_SECRET=
NOTION_REDIRECT_URI=
IDS4_ID=
IDS4_SECRET=
IDS4_ISSUER=

6
apps/dev/nextjs/pages/api/auth/[...nextauth].ts
View File

@@ -2,6 +2,7 @@ import { Auth, type AuthConfig } from "@auth/core"
// Providers
import Apple from "@auth/core/providers/apple"
import Asgardeo from "@auth/core/providers/asgardeo"
import Auth0 from "@auth/core/providers/auth0"
import AzureAD from "@auth/core/providers/azure-ad"
import AzureB2C from "@auth/core/providers/azure-ad-b2c"
@@ -23,6 +24,7 @@ import Instagram from "@auth/core/providers/instagram"
import Line from "@auth/core/providers/line"
import LinkedIn from "@auth/core/providers/linkedin"
import Mailchimp from "@auth/core/providers/mailchimp"
import Notion from "@auth/core/providers/notion"
// import Okta from "@auth/core/providers/okta"
import Osu from "@auth/core/providers/osu"
import Patreon from "@auth/core/providers/patreon"
@@ -68,7 +70,7 @@ import WorkOS from "@auth/core/providers/workos"
export const authConfig: AuthConfig = {
// adapter,
// debug: process.env.NODE_ENV !== "production",
debug: process.env.NODE_ENV !== "production",
theme: {
logo: "https://next-auth.js.org/img/logo/logo-sm.png",
brandColor: "#1786fb",
@@ -82,6 +84,7 @@ export const authConfig: AuthConfig = {
},
}),
Apple({ clientId: process.env.APPLE_ID, clientSecret: process.env.APPLE_SECRET }),
Asgardeo({ clientId: process.env.ASGARDEO_CLIENT_ID, clientSecret: process.env.ASGARDEO_CLIENT_SECRET, issuer: process.env.ASGARDEO_ISSUER }),
Auth0({ clientId: process.env.AUTH0_ID, clientSecret: process.env.AUTH0_SECRET, issuer: process.env.AUTH0_ISSUER }),
AzureAD({
clientId: process.env.AZURE_AD_CLIENT_ID,
@@ -105,6 +108,7 @@ export const authConfig: AuthConfig = {
Line({ clientId: process.env.LINE_ID, clientSecret: process.env.LINE_SECRET }),
LinkedIn({ clientId: process.env.LINKEDIN_ID, clientSecret: process.env.LINKEDIN_SECRET }),
Mailchimp({ clientId: process.env.MAILCHIMP_ID, clientSecret: process.env.MAILCHIMP_SECRET }),
Notion({ clientId: process.env.NOTION_ID, clientSecret: process.env.NOTION_SECRET, redirectUri: process.env.NOTION_REDIRECT_URI }),
// Okta({ clientId: process.env.OKTA_ID, clientSecret: process.env.OKTA_SECRET, issuer: process.env.OKTA_ISSUER }),
Osu({ clientId: process.env.OSU_CLIENT_ID, clientSecret: process.env.OSU_CLIENT_SECRET }),
Patreon({ clientId: process.env.PATREON_ID, clientSecret: process.env.PATREON_SECRET }),

4
apps/dev/sveltekit/package.json
View File

@@ -19,8 +19,8 @@
"vite": "4.0.1"
},
"dependencies": {
"@auth/core": "0.2.5",
"@auth/sveltekit": "0.1.12"
"@auth/core": "workspace:*",
"@auth/sveltekit": "workspace:*"
},
"type": "module"
}

7
apps/playgrounds/nuxt/package.json
View File

@@ -2,11 +2,10 @@
"name": "playground-nuxt",
"private": true,
"scripts": {
"build": "nuxt build",
"dev": "export NODE_OPTIONS='--no-experimental-fetch' && nuxt dev",
"build": "nuxt prepare && nuxt build",
"dev": "nuxt prepare && export NODE_OPTIONS='--no-experimental-fetch' && nuxt dev",
"generate": "nuxt generate",
"preview": "nuxt preview",
"postinstall": "nuxt prepare"
"preview": "nuxt preview"
},
"devDependencies": {
"@nuxt/eslint-config": "^0.1.1",

2
docs/docs/getting-started/05-typescript.md
View File

@@ -5,7 +5,7 @@ title: TypeScript
Auth.js has its own type definitions to use in your TypeScript projects safely. Even if you don't use TypeScript, IDEs like VSCode will pick this up to provide you with a better developer experience. While you are typing, you will get suggestions about what certain objects/functions look like, and sometimes links to documentation, examples, and other valuable resources.
Check out the example repository showcasing how to use `next-auth` on a Next.js application with TypeScript:
https://github.com/nextauthjs/next-auth-typescript-example
https://github.com/nextauthjs/next-auth-example
---

153
docs/docs/guides/03-basics/role-based-authentication.md Normal file
View File

@@ -0,0 +1,153 @@
---
title: Role-based authentication
---
There are two ways to add role-based authentication (RBAC) to your application, based on the [session strategy](/concepts/session-strategies) you choose. Let's see an example for each of these.
## Getting the role
We are going to start by adding a `profile()` callback to the providers' config to determine the user role:
```ts title="/pages/api/auth/[...nextauth].ts"
import NextAuth from "next-auth"
import Google from "next-auth/providers/google"
export default NextAuth({
providers: [
Google({
profile(profile) {
return { role: profile.role ?? "user", ... }
},
...
})
],
})
```
:::tip
To determine the user's role, you can either add your logic or if your provider assigns roles already, use that instead.
:::
## Persisting the role
### With JWT
When you don't have a database configured, the role will be persisted in a cookie, by using the `jwt()` callback. On sign-in, the `role` property is exposed from the `profile` callback on the `user` object. Persist the `user.role` value by assigning it to `token.role`. That's it!
If you also want to use the role on the client, you can expose it via the `session` callback.
```ts title="/pages/api/auth/[...nextauth].ts"
import NextAuth from "next-auth"
import Google from "next-auth/providers/google"
export default NextAuth({
providers: [
Google({
profile(profile) {
return { role: profile.role ?? "user", ... }
},
...
})
],
// highlight-start
callbacks: {
jwt({ token, user }) {
if(user) token.role = user.role
return token
},
session({ session, token }) {
session.user.role = token.role
return session
}
}
// highlight-end
})
```
:::info
With this strategy, if you want to update the role, the user needs to be forced to sign in again.
:::
### With Database
When you have a database, you can save the user role on the [User model](/reference/adapters/models#user). The below example is showing you how to do this with Prisma, but the idea is the same for all adapters.
First, add a `role` column to the User model.
```ts title="/prisma/schema.prisma"
model User {
id String @id @default(cuid())
name String?
email String? @unique
emailVerified DateTime?
image String?
role String? // New column
accounts Account[]
sessions Session[]
}
```
The `profile()` callback's return value is used to create users in the database. That's it! Your newly created users will now have an assigned role.
If you also want to use the role on the client, you can expose it via the `session` callback.
```ts title="/pages/api/auth/[...nextauth].ts"
import NextAuth from "next-auth"
import Google from "next-auth/providers/google"
// highlight-next-line
import prisma from "lib/prisma"
export default NextAuth({
// highlight-next-line
adapter: PrismaAdapter(prisma),
providers: [
Google({
profile(profile) {
return { role: profile.role ?? "user", ... }
}
...
})
],
// highlight-start
callbacks: {
session({ session, user }) {
session.user.role = user.role
return session
}
}
// highlight-end
})
```
:::info
It is up to you how you want to manage to update the roles, either through direct database access or building your role update API.
:::
## Using the role
If you want to use the role in the client, for both cases above, when using the `useSession` hook, `session.user.role` will have the required role if you exposed it via the `session` callback. You can use this to render a different UI for different users.
```ts title="/pages/admin.tsx"
import { useSession } from "next-auth/react"
export default function Page() {
const session = await useSession()
if (session?.user.role === "admin") {
return <p>You are an admin, welcome!</p>
}
return <p>You are not authorized to view this page!</p>
}
```
:::tip
When using Next.js and JWT, you can alternatively also use [Middleware](https://next-auth.js.org/configuration/nextjs#wrap-middleware) to redirect the user based on their role, even before rendering the page.
:::
## Resources
- [Concepts: Session strategies](/concepts/session-strategies)
- [Next.js: Middleware](https://next-auth.js.org/configuration/nextjs#wrap-middleware)
- [Adapters: User model](/reference/adapters/models#user)
- [Adapters: Prisma adapter](/reference/adapters/prisma)
- [TypeScript](/getting-started/typescript)

64
docs/docs/guides/03-basics/role-based-login-strategy.md
View File

@@ -1,64 +0,0 @@
---
title: Role based logins
---
To add role based authentication to your application, you must do three things.
1. Update your database schema
2. Add the `role` to the session object
3. Check for `role` in your pages/components
First modify the `user` table and add a `role` column with the type of `String?`.
Below is an example Prisma schema file.
```javascript title="/prisma/schema.prisma"
model User {
id String @id @default(cuid())
name String?
email String? @unique
emailVerified DateTime?
image String?
role String? // New Column
accounts Account[]
sessions Session[]
}
```
Next, implement a custom session callback in the `[...nextauth].js` file, as shown below.
```javascript title="/pages/api/auth/[...nextauth].js"
callbacks: {
async session({ session, token, user }) {
session.user.role = user.role; // Add role value to user object so it is passed along with session
return session;
},
```
Going forward, when using the `getSession` hook, check that `session.user.role` matches the required role. The example below assumes the role `'admin'` is required.
```javascript title="/pages/admin.js"
import { getSession } from "next-auth/react"
export default function Page() {
const session = await getSession({ req })
if (session && session.user.role === "admin") {
return (
<div>
<h1>Admin</h1>
<p>Welcome to the Admin Portal!</p>
</div>
)
} else {
return (
<div>
<h1>You are not authorized to view this page!</h1>
</div>
)
}
}
```
Then it is up to you how you manage your roles, either through direct database access or building your own role update API.

2
docs/docs/reference/04-providers/04-email.md
View File

@@ -16,4 +16,4 @@ sidebar_label: Email options
See our guides on magic links authentication for further tips on how to customize this provider:
- [Tutorial](/getting-started/email-tutorial)
- [Guide deep-dive](guides/providers/email)
- [Guide deep-dive](/guides/providers/email)

3
docs/docs/reference/06-adapters/prisma.md
View File

@@ -139,9 +139,10 @@ Prisma supports MongoDB, and so does Auth.js. Following the instructions of the
id String @id @default(auto()) @map("_id") @db.ObjectId
```
2. The Native database type attribute to `@db.String` from `@db.Text`.
2. The Native database type attribute to `@db.String` from `@db.Text` and userId to `@db.ObjectId`.
```prisma
user_id String @db.ObjectId
refresh_token String? @db.String
access_token String? @db.String
id_token String? @db.String

25
docs/docs/reference/index.md
View File

@@ -1,25 +0,0 @@
---
title: Overview
sidebar_label: Overview
sidebar_position: 0
---
## Core
## Providers
- OAuth/OIDC
- Email/Passwordless
- Credentials
## Database Adapters
## Frameworks
- Next.js
- SvelteKit
- SolidStart
- Remix
- Nuxt
- Gatsby
- etc.

2
docs/docusaurus.config.js
View File

@@ -220,7 +220,7 @@ const docusaurusConfig = {
watch: process.env.TYPEDOC_WATCH,
entryPoints: ["index.ts", "client.ts"].map((e) => `../packages/frameworks-sveltekit/src/lib/${e}`),
tsconfig: "../packages/frameworks-sveltekit/tsconfig.json",
out: "reference/04-sveltekit",
out: "reference/sveltekit",
sidebar: {
indexLabel: "index",
},

3
docs/sidebars.js
View File

@@ -14,7 +14,6 @@ module.exports = {
},
],
referenceSidebar: [
"reference/index",
{
type: "category",
label: "@auth/core",
@@ -25,7 +24,7 @@ module.exports = {
type: "category",
label: "@auth/sveltekit",
link: { type: "doc", id: "reference/sveltekit/index" },
items: [{ type: "autogenerated", dirName: "reference/04-sveltekit" }],
items: [{ type: "autogenerated", dirName: "reference/sveltekit" }],
},
{
type: "category",

25
docs/src/css/index.css
View File

@@ -272,27 +272,4 @@ html[data-theme="dark"] #carbonads > span {
html[data-theme="dark"] #carbonads .carbon-poweredby {
color: #aaa;
background: #1e2021;
}
/*
This is a hack to hide the "Reflection" category and "main" module from the sidebar.
This is because:
1. opening any page under the "Reflection" category would hide the entire sidebar.
2. the "main" module would show up twice.
See sidebars.js
*/
.reflection-category,
.theme-doc-sidebar-item-link-level-2 [href="/reference/core/modules/main"],
.theme-doc-sidebar-item-link-level-2
[href="/reference/sveltekit/modules/main"] {
display: none;
}
/*
HACK: to hide the "Classes" header and duplicate items together with the "typedoc-plugin-markdown" patch.
See: https://github.com/TypeStrong/typedoc/issues/2006
*/
/* h3.anchor + p:has(code, strong), */ /** hack did not work as it hides property types elsewhere */
#classes {
display: none;
}
}

7
docs/static/img/providers/asgardeo-dark.svg vendored Normal file
View File

@@ -0,0 +1,7 @@
<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" viewBox="0 0 99.881 86.449">
<g id="asgardeo-trifactor-logo-dark-16x40" transform="translate(-553.024 -388.98)">
<path id="Path_264" data-name="Path 264" d="M743.533,388.98l9.161,15.892-10.153,17.6h20.306l9.209,15.892H714.97Z" transform="translate(-119.151 0)" fill="#ff7300"/>
<path id="Path_265" data-name="Path 265" d="M705.95,438.364l9.209-15.892h20.306l-10.153-17.6,9.162-15.892,28.6,49.393Z" transform="translate(-152.926 0.009)" fill="#ff7300"/>
<path id="Path_266" data-name="Path 266" d="M749.175,446.183l-10.153-17.6-10.2,17.6H710.46l28.6-49.393,28.515,49.393Z" transform="translate(-136.043 29.246)"/>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 711 B

7
docs/static/img/providers/asgardeo.svg vendored Normal file
View File

@@ -0,0 +1,7 @@
<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" viewBox="0 0 99.881 86.449">
<g id="asgardeo-trifactor-logo-light-16x40" transform="translate(-553.024 -388.98)">
<path id="Path_264" data-name="Path 264" d="M743.533,388.98l9.161,15.892-10.153,17.6h20.306l9.209,15.892H714.97Z" transform="translate(-119.151)" fill="#ff7300"/>
<path id="Path_265" data-name="Path 265" d="M705.95,438.364l9.209-15.892h20.306l-10.153-17.6,9.162-15.892,28.6,49.393Z" transform="translate(-152.926 0.009)" fill="#ff7300"/>
<path id="Path_266" data-name="Path 266" d="M749.175,446.183l-10.153-17.6-10.2,17.6H710.46l28.6-49.393,28.515,49.393Z" transform="translate(-136.043 29.246)" fill="#fff"/>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 722 B

5
docs/static/img/providers/notion.svg vendored Normal file
View File

@@ -0,0 +1,5 @@
<svg width="32" height="32" viewBox="0 0 100 100" fill="none" xmlns="http://www.w3.org/2000/svg">
<title>Notion icon</title>
<path d="M6.017 4.313l55.333 -4.087c6.797 -0.583 8.543 -0.19 12.817 2.917l17.663 12.443c2.913 2.14 3.883 2.723 3.883 5.053v68.243c0 4.277 -1.553 6.807 -6.99 7.193L24.467 99.967c-4.08 0.193 -6.023 -0.39 -8.16 -3.113L3.3 79.94c-2.333 -3.113 -3.3 -5.443 -3.3 -8.167V11.113c0 -3.497 1.553 -6.413 6.017 -6.8z" fill="#fff"/>
<path fill-rule="evenodd" clip-rule="evenodd" d="M61.35 0.227l-55.333 4.087C1.553 4.7 0 7.617 0 11.113v60.66c0 2.723 0.967 5.053 3.3 8.167l13.007 16.913c2.137 2.723 4.08 3.307 8.16 3.113l64.257 -3.89c5.433 -0.387 6.99 -2.917 6.99 -7.193V20.64c0 -2.21 -0.873 -2.847 -3.443 -4.733L74.167 3.143c-4.273 -3.107 -6.02 -3.5 -12.817 -2.917zM25.92 19.523c-5.247 0.353 -6.437 0.433 -9.417 -1.99L8.927 11.507c-0.77 -0.78 -0.383 -1.753 1.557 -1.947l53.193 -3.887c4.467 -0.39 6.793 1.167 8.54 2.527l9.123 6.61c0.39 0.197 1.36 1.36 0.193 1.36l-54.933 3.307 -0.68 0.047zM19.803 88.3V30.367c0 -2.53 0.777 -3.697 3.103 -3.893L86 22.78c2.14 -0.193 3.107 1.167 3.107 3.693v57.547c0 2.53 -0.39 4.67 -3.883 4.863l-60.377 3.5c-3.493 0.193 -5.043 -0.97 -5.043 -4.083zm59.6 -54.827c0.387 1.75 0 3.5 -1.75 3.7l-2.91 0.577v42.773c-2.527 1.36 -4.853 2.137 -6.797 2.137 -3.107 0 -3.883 -0.973 -6.21 -3.887l-19.03 -29.94v28.967l6.02 1.363s0 3.5 -4.857 3.5l-13.39 0.777c-0.39 -0.78 0 -2.723 1.357 -3.11l3.497 -0.97v-38.3L30.48 40.667c-0.39 -1.75 0.58 -4.277 3.3 -4.473l14.367 -0.967 19.8 30.327v-26.83l-5.047 -0.58c-0.39 -2.143 1.163 -3.7 3.103 -3.89l13.4 -0.78z" fill="#000"/>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.6 KiB

2
packages/adapter-dynamodb/package.json
View File

@@ -1,7 +1,7 @@
{
"name": "@next-auth/dynamodb-adapter",
"repository": "https://github.com/nextauthjs/next-auth",
"version": "1.0.6",
"version": "1.2.0",
"description": "AWS DynamoDB adapter for next-auth.",
"keywords": [
"next-auth",

11
packages/adapter-firebase/src/getFirebase.ts Normal file
View File

@@ -0,0 +1,11 @@
import { initializeApp, getApps, FirebaseOptions } from "firebase/app"
export default function getFirebase(firebaseOptions: FirebaseOptions) {
const apps = getApps()
const app = apps.find((app) => app.name === firebaseOptions.projectId)
if (app) {
return app
} else {
return initializeApp(firebaseOptions)
}
}

4
packages/adapter-xata/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@next-auth/xata-adapter",
"version": "0.2.0",
"version": "0.2.2",
"description": "Xata adapter for next-auth.",
"homepage": "https://authjs.dev",
"repository": "https://github.com/nextauthjs/next-auth",
@@ -43,4 +43,4 @@
"jest": {
"preset": "@next-auth/adapter-test/jest"
}
}
}

9
packages/core/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@auth/core",
"version": "0.2.5",
"version": "0.3.0",
"description": "Authentication for the Web.",
"keywords": [
"authentication",
@@ -69,7 +69,7 @@
"preact-render-to-string": "5.2.3"
},
"peerDependencies": {
"nodemailer": "6.8.0"
"nodemailer": "^6.8.0"
},
"peerDependenciesMeta": {
"nodemailer": {
@@ -77,10 +77,11 @@
}
},
"scripts": {
"build": "pnpm css && tsc",
"build": "pnpm css && pnpm providers && tsc",
"clean": "rm -rf *.js *.d.ts* lib providers",
"css": "node scripts/generate-css",
"dev": "pnpm css && tsc -w"
"dev": "pnpm css && pnpm providers && tsc -w",
"providers": "node scripts/generate-providers"
},
"devDependencies": {
"@next-auth/tsconfig": "workspace:*",

18
packages/core/scripts/generate-providers.js Normal file
View File

@@ -0,0 +1,18 @@
import { join } from "path"
import { readdirSync, writeFileSync } from "fs"
const providersPath = join(process.cwd(), "src/providers")
const files = readdirSync(providersPath, "utf8")
const providers = files.map((file) => {
const strippedProviderName = file.substring(0, file.indexOf("."))
return `"${strippedProviderName}"`
}).filter((provider) => provider !== '"oauth-types"' && provider !== '"index"')
const result = `
// THIS FILE IS AUTOGENERATED. DO NOT EDIT.
export type OAuthProviderType =
| ${providers.join("\n | ")}`
writeFileSync(join(providersPath, "oauth-types.ts"), result)

17
packages/core/src/index.ts
View File

@@ -31,14 +31,14 @@
* ## Resources
*
* - [Getting started](https://authjs.dev/getting-started/introduction)
* - [Most common use case guides](https://authjs.dev/guides/overview)
* - [Most common use case guides](https://authjs.dev/guides)
*
* @module index
*/
import { assertConfig } from "./lib/assert.js"
import { ErrorPageLoop } from "./errors.js"
import { AuthInternal } from "./lib/index.js"
import { AuthInternal, skipCSRFCheck } from "./lib/index.js"
import renderPage from "./lib/pages/index.js"
import { logger, setLogger, type LoggerInstance } from "./lib/utils/logger.js"
import { toInternalRequest, toResponse } from "./lib/web.js"
@@ -55,6 +55,8 @@ import type {
import type { Provider } from "./providers/index.js"
import { JWTOptions } from "./jwt.js"
export { skipCSRFCheck }
/**
* Core functionality provided by Auth.js.
*
@@ -302,14 +304,3 @@ export interface AuthConfig {
trustHost?: boolean
skipCSRFCheck?: typeof skipCSRFCheck
}
/**
* :::danger
* This option is inteded for framework authors.
* :::
*
* Auth.js comes with built-in {@link https://authjs.dev/concepts/security#csrf CSRF} protection, but
* if you are implementing a framework that is already protected against CSRF attacks, you can skip this check by
* passing this value to {@link AuthConfig.skipCSRFCheck}.
*/
export const skipCSRFCheck = Symbol("skip-csrf-check")

16
packages/core/src/lib/index.ts
View File

@@ -1,5 +1,4 @@
import { UnknownAction } from "../errors.js"
import { skipCSRFCheck } from "../index.js"
import { SessionStore } from "./cookie.js"
import { init } from "./init.js"
import renderPage from "./pages/index.js"
@@ -72,9 +71,9 @@ export async function AuthInternal<
if (pages.signIn) {
let signinUrl = `${pages.signIn}${
pages.signIn.includes("?") ? "&" : "?"
}callbackUrl=${encodeURIComponent(options.callbackUrl)}`
}${new URLSearchParams({ callbackUrl: options.callbackUrl })}`
if (error)
signinUrl = `${signinUrl}&error=${encodeURIComponent(error)}`
signinUrl = `${signinUrl}&${new URLSearchParams({ error })}`
return { redirect: signinUrl, cookies }
}
@@ -186,3 +185,14 @@ export async function AuthInternal<
}
throw new UnknownAction(`Cannot handle action: ${action}`)
}
/**
* :::danger
* This option is intended for framework authors.
* :::
*
* Auth.js comes with built-in {@link https://authjs.dev/concepts/security#csrf CSRF} protection, but
* if you are implementing a framework that is already protected against CSRF attacks, you can skip this check by
* passing this value to {@link AuthConfig.skipCSRFCheck}.
*/
export const skipCSRFCheck = Symbol("skip-csrf-check")

73
packages/core/src/lib/oauth/authorization-url.ts
View File

@@ -1,7 +1,7 @@
import * as checks from "./checks.js"
import * as o from "oauth4webapi"
import type {
CookiesOptions,
InternalOptions,
RequestInternal,
ResponseInternal,
@@ -58,10 +58,10 @@ export async function getAuthorizationUrl(
const cookies: Cookie[] = []
if (provider.checks?.includes("state")) {
const { value, raw } = await createState(options)
authParams.set("state", raw)
cookies.push(value)
const state = await checks.state.create(options)
if (state) {
authParams.set("state", state.value)
cookies.push(state.cookie)
}
if (provider.checks?.includes("pkce")) {
@@ -70,17 +70,17 @@ export async function getAuthorizationUrl(
// a random `nonce` must be used for CSRF protection.
provider.checks = ["nonce"]
} else {
const { code_challenge, pkce } = await createPKCE(options)
authParams.set("code_challenge", code_challenge)
const { value, cookie } = await checks.pkce.create(options)
authParams.set("code_challenge", value)
authParams.set("code_challenge_method", "S256")
cookies.push(pkce)
cookies.push(cookie)
}
}
if (provider.checks?.includes("nonce")) {
const nonce = await createNonce(options)
const nonce = await checks.nonce.create(options)
if (nonce) {
authParams.set("nonce", nonce.value)
cookies.push(nonce)
cookies.push(nonce.cookie)
}
// TODO: This does not work in normalizeOAuth because authorization endpoint can come from discovery
@@ -90,54 +90,5 @@ export async function getAuthorizationUrl(
}
logger.debug("authorization url is ready", { url, cookies, provider })
return { redirect: url, cookies }
}
/** Returns a signed cookie. */
export async function signCookie(
type: keyof CookiesOptions,
value: string,
maxAge: number,
options: InternalOptions<"oauth">
): Promise<Cookie> {
const { cookies, jwt, logger } = options
logger.debug(`CREATE_${type.toUpperCase()}`, { value, maxAge })
const expires = new Date()
expires.setTime(expires.getTime() + maxAge * 1000)
return {
name: cookies[type].name,
value: await jwt.encode({ ...jwt, maxAge, token: { value } }),
options: { ...cookies[type].options, expires },
}
}
const STATE_MAX_AGE = 60 * 15 // 15 minutes in seconds
async function createState(options: InternalOptions<"oauth">) {
const raw = o.generateRandomState()
const maxAge = STATE_MAX_AGE
const value = await signCookie("state", raw, maxAge, options)
return { value, raw }
}
const PKCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
async function createPKCE(options: InternalOptions<"oauth">) {
const code_verifier = o.generateRandomCodeVerifier()
const code_challenge = await o.calculatePKCECodeChallenge(code_verifier)
const maxAge = PKCE_MAX_AGE
const pkce = await signCookie(
"pkceCodeVerifier",
code_verifier,
maxAge,
options
)
return { code_challenge, pkce }
}
const NONCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
async function createNonce(options: InternalOptions<"oauth">) {
const raw = o.generateRandomNonce()
const maxAge = NONCE_MAX_AGE
return await signCookie("nonce", raw, maxAge, options)
return { redirect: url.toString(), cookies }
}

15
packages/core/src/lib/oauth/callback.ts
View File

@@ -1,8 +1,6 @@
import * as checks from "./checks.js"
import * as o from "oauth4webapi"
import { OAuthCallbackError, OAuthProfileParseError } from "../../errors.js"
import { useNonce } from "./nonce-handler.js"
import { usePKCECodeVerifier } from "./pkce-handler.js"
import { useState } from "./state-handler.js"
import type {
InternalOptions,
@@ -73,7 +71,7 @@ export async function handleOAuth(
const resCookies: Cookie[] = []
const state = await useState(cookies, resCookies, options)
const state = await checks.state.use(cookies, resCookies, options)
const parameters = o.validateAuthResponse(
as,
@@ -91,7 +89,7 @@ export async function handleOAuth(
throw new OAuthCallbackError(parameters.error)
}
const codeVerifier = await usePKCECodeVerifier(
const codeVerifier = await checks.pkce.use(
cookies?.[options.cookies.pkceCodeVerifier.name],
options
)
@@ -99,7 +97,10 @@ export async function handleOAuth(
if (codeVerifier) resCookies.push(codeVerifier.cookie)
// TODO:
const nonce = await useNonce(cookies?.[options.cookies.nonce.name], options)
const nonce = await checks.nonce.use(
cookies?.[options.cookies.nonce.name],
options
)
if (nonce && provider.type === "oidc") {
resCookies.push(nonce.cookie)
}
@@ -202,7 +203,7 @@ async function getProfile(
// If we didn't get a response either there was a problem with the provider
// response *or* the user cancelled the action with the provider.
//
// Unfortuately, we can't tell which - at least not in a way that works for
// Unfortunately, we can't tell which - at least not in a way that works for
// all providers, so we return an empty object; the user should then be
// redirected back to the sign up page. We log the error to help developers
// who might be trying to debug this when configuring a new provider.

155
packages/core/src/lib/oauth/checks.ts Normal file
View File

@@ -0,0 +1,155 @@
import * as o from "oauth4webapi"
import * as jwt from "../../jwt.js"
import type {
InternalOptions,
RequestInternal,
CookiesOptions,
} from "../../types.js"
import type { Cookie } from "../cookie.js"
import { InvalidState } from "../../errors.js"
/** Returns a signed cookie. */
export async function signCookie(
type: keyof CookiesOptions,
value: string,
maxAge: number,
options: InternalOptions<"oauth">
): Promise<Cookie> {
const { cookies, logger } = options
logger.debug(`CREATE_${type.toUpperCase()}`, { value, maxAge })
const expires = new Date()
expires.setTime(expires.getTime() + maxAge * 1000)
return {
name: cookies[type].name,
value: await jwt.encode({ ...options.jwt, maxAge, token: { value } }),
options: { ...cookies[type].options, expires },
}
}
const PKCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
export const pkce = {
async create(options: InternalOptions<"oauth">) {
const code_verifier = o.generateRandomCodeVerifier()
const value = await o.calculatePKCECodeChallenge(code_verifier)
const maxAge = PKCE_MAX_AGE
const cookie = await signCookie(
"pkceCodeVerifier",
code_verifier,
maxAge,
options
)
return { cookie, value }
},
/**
* Returns code_verifier if provider uses PKCE,
* and clears the container cookie afterwards.
*/
async use(
codeVerifier: string | undefined,
options: InternalOptions<"oauth">
): Promise<{ codeVerifier: string; cookie: Cookie } | undefined> {
const { cookies, provider } = options
if (!provider?.checks?.includes("pkce") || !codeVerifier) {
return
}
const pkce = (await jwt.decode({
...options.jwt,
token: codeVerifier,
})) as any
return {
codeVerifier: pkce?.value ?? undefined,
cookie: {
name: cookies.pkceCodeVerifier.name,
value: "",
options: { ...cookies.pkceCodeVerifier.options, maxAge: 0 },
},
}
},
}
const STATE_MAX_AGE = 60 * 15 // 15 minutes in seconds
export const state = {
async create(options: InternalOptions<"oauth">) {
if (!options.provider.checks.includes("state")) return
// TODO: support customizing the state
const value = o.generateRandomState()
const maxAge = STATE_MAX_AGE
const cookie = await signCookie("state", value, maxAge, options)
return { cookie, value }
},
/**
* Returns state from the saved cookie
* if the provider supports states,
* and clears the container cookie afterwards.
*/
async use(
cookies: RequestInternal["cookies"],
resCookies: Cookie[],
options: InternalOptions<"oauth">
): Promise<string | undefined> {
const { provider, jwt } = options
if (!provider.checks.includes("state")) return
const state = cookies?.[options.cookies.state.name]
if (!state) throw new InvalidState("State was missing from the cookies.")
// IDEA: Let the user do something with the returned state
const value = (await jwt.decode({ ...options.jwt, token: state })) as any
if (!value?.value) throw new InvalidState("Could not parse state cookie.")
// Clear the state cookie after use
resCookies.push({
name: options.cookies.state.name,
value: "",
options: { ...options.cookies.state.options, maxAge: 0 },
})
return value.value
},
}
const NONCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
export const nonce = {
async create(options: InternalOptions<"oauth">) {
if (!options.provider.checks.includes("nonce")) return
const value = o.generateRandomNonce()
const maxAge = NONCE_MAX_AGE
const cookie = await signCookie("nonce", value, maxAge, options)
return { cookie, value }
},
/**
* Returns nonce from if the provider supports nonce,
* and clears the container cookie afterwards.
*/
async use(
nonce: string | undefined,
options: InternalOptions<"oauth">
): Promise<{ value: string; cookie: Cookie } | undefined> {
const { cookies, provider } = options
if (!provider?.checks?.includes("nonce") || !nonce) {
return
}
const value = (await jwt.decode({ ...options.jwt, token: nonce })) as any
return {
value: value?.value ?? undefined,
cookie: {
name: cookies.nonce.name,
value: "",
options: { ...cookies.nonce.options, maxAge: 0 },
},
}
},
}

77
packages/core/src/lib/oauth/nonce-handler.ts
View File

@@ -1,77 +0,0 @@
import * as o from "oauth4webapi"
import * as jwt from "../../jwt.js"
import type { InternalOptions } from "../../types.js"
import type { Cookie } from "../cookie.js"
const NONCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
/**
* Returns nonce if the provider supports it
* and saves it in a cookie
*/
export async function createNonce(options: InternalOptions<"oauth">): Promise<
| undefined
| {
value: string
cookie: Cookie
}
> {
const { cookies, logger, provider } = options
if (!provider.checks?.includes("nonce")) {
// Provider does not support nonce, return nothing.
return
}
const nonce = o.generateRandomNonce()
const expires = new Date()
expires.setTime(expires.getTime() + NONCE_MAX_AGE * 1000)
// Encrypt nonce and save it to an encrypted cookie
const encryptedNonce = await jwt.encode({
...options.jwt,
maxAge: NONCE_MAX_AGE,
token: { nonce },
})
logger.debug("CREATE_ENCRYPTED_NONCE", {
nonce,
maxAge: NONCE_MAX_AGE,
})
return {
cookie: {
name: cookies.nonce.name,
value: encryptedNonce,
options: { ...cookies.nonce.options, expires },
},
value: nonce,
}
}
/**
* Returns nonce from if the provider supports nonce,
* and clears the container cookie afterwards.
*/
export async function useNonce(
nonce: string | undefined,
options: InternalOptions<"oauth">
): Promise<{ value: string; cookie: Cookie } | undefined> {
const { cookies, provider } = options
if (!provider?.checks?.includes("nonce") || !nonce) {
return
}
const value = (await jwt.decode({ ...options.jwt, token: nonce })) as any
return {
value: value?.value ?? undefined,
cookie: {
name: cookies.nonce.name,
value: "",
options: { ...cookies.nonce.options, maxAge: 0 },
},
}
}

87
packages/core/src/lib/oauth/pkce-handler.ts
View File

@@ -1,87 +0,0 @@
import * as o from "oauth4webapi"
import * as jwt from "../../jwt.js"
import type { InternalOptions } from "../../types.js"
import type { Cookie } from "../cookie.js"
const PKCE_CODE_CHALLENGE_METHOD = "S256"
const PKCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
/**
* Returns `code_challenge` and `code_challenge_method`
* and saves them in a cookie.
*/
export async function createPKCE(options: InternalOptions<"oauth">): Promise<
| undefined
| {
code_challenge: string
code_challenge_method: "S256"
cookie: Cookie
}
> {
const { cookies, logger, provider } = options
if (!provider.checks?.includes("pkce")) {
// Provider does not support PKCE, return nothing.
return
}
const code_verifier = o.generateRandomCodeVerifier()
const code_challenge = await o.calculatePKCECodeChallenge(code_verifier)
const maxAge = cookies.pkceCodeVerifier.options.maxAge ?? PKCE_MAX_AGE
const expires = new Date()
expires.setTime(expires.getTime() + maxAge * 1000)
// Encrypt code_verifier and save it to an encrypted cookie
const encryptedCodeVerifier = await jwt.encode({
...options.jwt,
maxAge,
token: { code_verifier },
})
logger.debug("CREATE_PKCE_CHALLENGE_VERIFIER", {
code_challenge,
code_challenge_method: PKCE_CODE_CHALLENGE_METHOD,
code_verifier,
maxAge,
})
return {
code_challenge,
code_challenge_method: PKCE_CODE_CHALLENGE_METHOD,
cookie: {
name: cookies.pkceCodeVerifier.name,
value: encryptedCodeVerifier,
options: { ...cookies.pkceCodeVerifier.options, expires },
},
}
}
/**
* Returns code_verifier if provider uses PKCE,
* and clears the container cookie afterwards.
*/
export async function usePKCECodeVerifier(
codeVerifier: string | undefined,
options: InternalOptions<"oauth">
): Promise<{ codeVerifier: string; cookie: Cookie } | undefined> {
const { cookies, provider } = options
if (!provider?.checks?.includes("pkce") || !codeVerifier) {
return
}
const pkce = (await jwt.decode({
...options.jwt,
token: codeVerifier,
})) as any
return {
codeVerifier: pkce?.value ?? undefined,
cookie: {
name: cookies.pkceCodeVerifier.name,
value: "",
options: { ...cookies.pkceCodeVerifier.options, maxAge: 0 },
},
}
}

72
packages/core/src/lib/oauth/state-handler.ts
View File

@@ -1,72 +0,0 @@
import * as o from "oauth4webapi"
import type { InternalOptions, RequestInternal } from "../../types.js"
import type { Cookie } from "../cookie.js"
import { InvalidState } from "../../errors.js"
const STATE_MAX_AGE = 60 * 15 // 15 minutes in seconds
/** Returns state if the provider supports it */
export async function createState(
options: InternalOptions<"oauth">
): Promise<{ cookie: Cookie; value: string } | undefined> {
const { logger, provider, jwt, cookies } = options
if (!provider.checks?.includes("state")) {
// Provider does not support state, return nothing
return
}
const state = o.generateRandomState()
const maxAge = cookies.state.options.maxAge ?? STATE_MAX_AGE
const encodedState = await jwt.encode({
...jwt,
maxAge,
token: { state },
})
logger.debug("CREATE_STATE", { state, maxAge })
const expires = new Date()
expires.setTime(expires.getTime() + maxAge * 1000)
return {
value: state,
cookie: {
name: cookies.state.name,
value: encodedState,
options: { ...cookies.state.options, expires },
},
}
}
/**
* Returns state from the saved cookie
* if the provider supports states,
* and clears the container cookie afterwards.
*/
export async function useState(
cookies: RequestInternal["cookies"],
resCookies: Cookie[],
options: InternalOptions<"oauth">
): Promise<string | undefined> {
const { provider, jwt } = options
if (!provider.checks.includes("state")) return
const state = cookies?.[options.cookies.state.name]
if (!state) throw new InvalidState("State was missing from the cookies.")
// IDEA: Let the user do something with the returned state
const value = (await jwt.decode({ ...options.jwt, token: state })) as any
if (!value?.value) throw new InvalidState("Could not parse state cookie.")
// Clear the state cookie after use
resCookies.push({
name: options.cookies.state.name,
value: "",
options: { ...options.cookies.state.options, maxAge: 0 },
})
return value.value
}

8
packages/core/src/lib/routes/callback.ts
View File

@@ -53,7 +53,7 @@ export async function callback(params: {
cookies.push(...authorizationResult.cookies)
}
logger.debug("authroization result", authorizationResult)
logger.debug("authorization result", authorizationResult)
const { profile, account, OAuthProfile } = authorizationResult
@@ -149,7 +149,7 @@ export async function callback(params: {
return {
redirect: `${pages.newUser}${
pages.newUser.includes("?") ? "&" : "?"
}callbackUrl=${encodeURIComponent(callbackUrl)}`,
}${new URLSearchParams({ callbackUrl })}`,
cookies,
}
}
@@ -256,7 +256,7 @@ export async function callback(params: {
return {
redirect: `${pages.newUser}${
pages.newUser.includes("?") ? "&" : "?"
}callbackUrl=${encodeURIComponent(callbackUrl)}`,
}${new URLSearchParams({ callbackUrl })}`,
cookies,
}
}
@@ -350,6 +350,6 @@ export async function callback(params: {
logger.error(error)
url.searchParams.set("error", CallbackRouteError.name)
url.pathname += "/error"
return { redirect: url, cookies }
return { redirect: url.toString(), cookies }
}
}

7
packages/core/src/lib/routes/shared.ts
View File

@@ -7,19 +7,20 @@ export async function handleAuthorized(
params: any,
{ url, logger, callbacks: { signIn } }: InternalOptions
) {
url.pathname += "/error"
try {
const authorized = await signIn(params)
if (!authorized) {
url.pathname += "/error"
logger.debug("User not authorized", params)
url.searchParams.set("error", "AccessDenied")
return { status: 403 as const, redirect: url }
return { status: 403 as const, redirect: url.toString() }
}
} catch (e) {
url.pathname += "/error"
const error = new AuthorizedCallbackError(e as Error)
logger.error(error)
url.searchParams.set("error", "Configuration")
return { status: 500 as const, redirect: url }
return { status: 500 as const, redirect: url.toString() }
}
}

2
packages/core/src/lib/routes/signin.ts
View File

@@ -54,7 +54,7 @@ export async function signin(
logger.error(error)
url.searchParams.set("error", error.name)
url.pathname += "/error"
return { redirect: url }
return { redirect: url.toString() }
}
}

2
packages/core/src/lib/routes/signout.ts
View File

@@ -8,7 +8,7 @@ import type { SessionStore } from "../cookie.js"
* If the session strategy is database,
* The session is also deleted from the database.
* In any case, the session cookie is cleared and
* an `events.signOut` is emitted.
* {@link EventCallbacks.signOut} is emitted.
*/
export async function signout(
sessionStore: SessionStore,

27
packages/core/src/lib/web.ts
View File

@@ -76,27 +76,22 @@ export function toResponse(res: ResponseInternal): Response {
res.cookies?.forEach((cookie) => {
const { name, value, options } = cookie
const cookieHeader = serialize(name, value, options)
if (headers.has("Set-Cookie")) {
headers.append("Set-Cookie", cookieHeader)
} else {
headers.set("Set-Cookie", cookieHeader)
}
if (headers.has("Set-Cookie")) headers.append("Set-Cookie", cookieHeader)
else headers.set("Set-Cookie", cookieHeader)
// headers.set("Set-Cookie", cookieHeader) // TODO: Remove. Seems to be a bug with Headers in the runtime
})
const body =
headers.get("content-type") === "application/json"
? JSON.stringify(res.body)
: res.body
let body = res.body
const response = new Response(body, {
headers,
status: res.redirect ? 302 : res.status ?? 200,
})
if (headers.get("content-type") === "application/json")
body = JSON.stringify(res.body)
else if (headers.get("content-type") === "application/x-www-form-urlencoded")
body = new URLSearchParams(res.body).toString()
if (res.redirect) {
response.headers.set("Location", res.redirect.toString())
}
const status = res.redirect ? 302 : res.status ?? 200
const response = new Response(body, { headers, status })
if (res.redirect) response.headers.set("Location", res.redirect)
return response
}

112
packages/core/src/providers/asgardeo.ts Normal file
View File

@@ -0,0 +1,112 @@
/**
* <div style={{backgroundColor: "#24292f", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
* <span>Built-in <b>Asgardeo</b> integration.</span>
* <a href="https://wso2.com/asgardeo/">
* <img style={{display: "block"}} src="https://authjs.dev/img/providers/asgardeo-dark.svg" height="48" width="48"/>
* </a>
* </div>
*
* ---
* @module providers/asgardeo
*/
import type { OIDCConfig, OIDCUserConfig } from "./index.js"
export interface AsgardeoProfile {
sub: string
given_name: string
email: string
picture: string
}
/**
* Add Asgardeo login to your page.
* ## Documentation
*
* https://wso2.com/asgardeo/docs/guides/authentication
*
*
* ## Instructions
*
* - Log into https://console.asgardeo.io.
* - Next, go to "Application" tab (More info: https://wso2.com/asgardeo/docs/guides/applications/register-oidc-web-app/).
* - Register standard based - Open id connect, application.
* - Add callback URL: http://localhost:3000/api/auth/callback/asgardeo and https://your-domain.com/api/auth/callback/asgardeo
* - After registering the application, go to protocol tab.
* - Check `code` grant type.
* - Add Authorized redirect URLs & Allowed origins fields.
* - Make Email, First Name, Photo URL user attributes mandatory from the console.
*
* Create a `.env` file in the project root add the following entries:
*
* These values can be collected from the application created.
*
* ```
* ASGARDEO_CLIENT_ID=<Copy client ID from protocol tab here>
* ASGARDEO_CLIENT_SECRET=<Copy client from protocol tab here>
* ASGARDEO_ISSUER=<Copy the issuer url from the info tab here>
* ```
*
* In `pages/api/auth/[...nextauth].js` find or add the `Asgardeo` entries:
*
* ```js
* import Asgardeo from "next-auth/providers/asgardeo";
* ...
* providers: [
* Asgardeo({
* clientId: process.env.ASGARDEO_CLIENT_ID,
* clientSecret: process.env.ASGARDEO_CLIENT_SECRET,
* issuer: process.env.ASGARDEO_ISSUER
* }),
* ],
*
* ...
* ```
*
* ## Resources
*
* @see [Asgardeo - Authentication Guide](https://wso2.com/asgardeo/docs/guides/authentication)
* @see [Learn more about OAuth](https://authjs.dev/concepts/oauth)
* @see [Source code](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/asgardeo.ts)
*
* ## Notes
*
* By default, Auth.js assumes that the Asgardeo provider is
* based on the [OAuth 2](https://www.rfc-editor.org/rfc/rfc6749.html) specification.
*
* :::tip
*
* The Asgardeo provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/asgardeo.ts).
* To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/providers/custom-provider#override-default-options).
*
* :::
*
* :::info **Disclaimer**
*
* If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
*
* Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
* the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
* we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
*
* :::
*/
export default function Asgardeo(
config: OIDCUserConfig<AsgardeoProfile>
): OIDCConfig<AsgardeoProfile> {
return {
id: "asgardeo",
name: "Asgardeo",
type: "oidc",
wellKnown: `${config?.issuer}/oauth2/token/.well-known/openid-configuration`,
style: {
logo: "/asgardeo.svg",
logoDark: "/asgardeo-dark.svg",
bg: "#fff",
text: "#000",
bgDark: "#000",
textDark: "#fff",
},
options: config,
}
}

31
packages/core/src/providers/azure-ad.ts
View File

@@ -34,22 +34,21 @@ export default function AzureAD<P extends AzureADProfile>(
)
// Confirm that profile photo was returned
if (response.ok) {
const pictureBuffer = await response.arrayBuffer()
const pictureBase64 = Buffer.from(pictureBuffer).toString("base64")
return {
id: profile.sub,
name: profile.name,
email: profile.email,
image: `data:image/jpeg;base64, ${pictureBase64}`,
}
} else {
return {
id: profile.sub,
name: profile.name,
email: profile.email,
image: null,
}
let image
// TODO: Do this without Buffer
if (response.ok && typeof Buffer !== "undefined") {
try {
const pictureBuffer = await response.arrayBuffer()
const pictureBase64 = Buffer.from(pictureBuffer).toString("base64")
image = `data:image/jpeg;base64, ${pictureBase64}`
} catch {}
}
return {
id: profile.sub,
name: profile.name,
email: profile.email,
image: image ?? null,
}
},
style: {

4
packages/core/src/providers/credentials.ts
View File

@@ -49,10 +49,6 @@ export interface CredentialsConfig<
export type CredentialsProviderType = "Credentials"
export type CredentialsConfigInternal<
C extends Record<string, CredentialInput> = Record<string, CredentialInput>
> = CredentialsConfig<C> & { options: CredentialsConfig<C> }
/**
* The Credentials provider allows you to handle signing in with arbitrary credentials,
* such as a username and password, domain, or two factor authentication or hardware device (e.g. YubiKey U2F / FIDO).

80
packages/core/src/providers/discord.ts
View File

@@ -1,21 +1,77 @@
import type { OAuthConfig, OAuthUserConfig } from "./index.js"
/**
* Corresponds to the user structure documented here:
* https://discord.com/developers/docs/resources/user#user-object-user-structure
*/
export interface DiscordProfile extends Record<string, any> {
accent_color: number
avatar: string
banner: string
banner_color: string
discriminator: string
email: string
flags: number
/** the user's id (i.e. the numerical snowflake) */
id: string
image_url: string
locale: string
mfa_enabled: boolean
premium_type: number
public_flags: number
/** the user's username, not unique across the platform */
username: string
/** the user's 4-digit discord-tag */
discriminator: string
/**
* the user's avatar hash:
* https://discord.com/developers/docs/reference#image-formatting
*/
avatar: string | null
/** whether the user belongs to an OAuth2 application */
bot?: boolean
/**
* whether the user is an Official Discord System user (part of the urgent
* message system)
*/
system?: boolean
/** whether the user has two factor enabled on their account */
mfa_enabled: boolean
/**
* the user's banner hash:
* https://discord.com/developers/docs/reference#image-formatting
*/
banner: string | null
/** the user's banner color encoded as an integer representation of hexadecimal color code */
accent_color: number | null
/**
* the user's chosen language option:
* https://discord.com/developers/docs/reference#locales
*/
locale: string
/** whether the email on this account has been verified */
verified: boolean
/** the user's email */
email: string | null
/**
* the flags on a user's account:
* https://discord.com/developers/docs/resources/user#user-object-user-flags
*/
flags: number
/**
* the type of Nitro subscription on a user's account:
* https://discord.com/developers/docs/resources/user#user-object-premium-types
*/
premium_type: number
/**
* the public flags on a user's account:
* https://discord.com/developers/docs/resources/user#user-object-user-flags
*/
public_flags: number
/** undocumented field; corresponds to the user's custom nickname */
display_name: string | null
/**
* undocumented field; corresponds to the Discord feature where you can e.g.
* put your avatar inside of an ice cube
*/
avatar_decoration: string | null
/**
* undocumented field; corresponds to the premium feature where you can
* select a custom banner color
*/
banner_color: string | null
/** undocumented field; the CDN URL of their profile picture */
image_url: string
}
export default function Discord<P extends DiscordProfile>(

6
packages/core/src/providers/index.ts
View File

@@ -65,12 +65,16 @@ export type Provider<P extends Profile = Profile> = (
| EmailConfig
| CredentialsConfig
) & {
/**
* Used to deep merge user-provided config with the default config
* @internal
*/
options: Record<string, unknown>
}
export type BuiltInProviders = Record<
OAuthProviderType,
(options: Partial<OAuthConfig<any>>) => OAuthConfig<any>
(config: Partial<OAuthConfig<any>>) => OAuthConfig<any>
> &
Record<CredentialsProviderType, typeof CredentialsProvider> &
Record<EmailProviderType, typeof EmailProvider>

166
packages/core/src/providers/notion.ts Normal file
View File

@@ -0,0 +1,166 @@
/**
* <div style={{backgroundColor: "#000", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
* <span>Built-in <b>Notion</b> integration.</span>
* <a href="https://notion.so">
* <img style={{display: "block"}} src="https://authjs.dev/img/providers/notion.svg" height="48" width="48"/>
* </a>
* </div>
*
* ---
* @module providers/notion
*/
import type { OAuthConfig, OAuthUserConfig } from "."
export interface Person extends Record<string, any> {
email: string
}
// https://developers.notion.com/reference/user
export interface User extends Record<string, any> {
object: "user" | "bot"
id: string
type: string
name: string
avatar_url: null | string
person: Person
owner?: {
type: "workspace" | "user"
workspace: string
}
workspace_name?: string | null
}
export interface Owner {
type: string
user: User
}
// Notion responds with an access_token + some additional information, which we define here
// More info - https://developers.notion.com/docs/authorization#step-4-notion-responds-with-an-access_token-and-some-additional-information
export interface NotionProfile extends Record<string, any> {
access_token: string
bot_id: string
duplicated_template_id: string
owner?: Owner
workspace_icon: string
workspace_id: number
workspace_name: string
}
// Any config required that isn't part of the `OAuthUserConfig` spec should belong here
// For example, we must pass a `redirectUri` to the Notion API when requesting tokens, therefore we add it here
interface AdditionalConfig {
redirectUri: string
}
const NOTION_HOST = "https://api.notion.com"
const NOTION_API_VERSION = "2022-06-28"
/**
* Add Notion login to your page.
*
* ## Example
*
* ```ts
* import { Auth } from "@auth/core"
* import Notion from "@auth/core/providers/notion"
*
* const request = new Request("https://example.com")
* const response = await Auth(request, {
* providers: [Notion({ clientId: "", clientSecret: "", redirectUri: "" })],
* })
* ```
*
* ---
*
* ## Resources
* - [Notion Docs](https://developers.notion.com/docs)
* - [Notion Authorization Docs](https://developers.notion.com/docs/authorization)
* - [Notion Integrations](https://www.notion.so/my-integrations)
*
* ---
*
* ## Notes
* You need to select "Public Integration" on the configuration page to get an `oauth_id` and `oauth_secret`. Private integrations do not provide these details.
* You must provide a `clientId` and `clientSecret` to use this provider, as-well as a redirect URI (due to this being required by Notion endpoint to fetch tokens).
*
* :::tip
*
* The Notion provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/notion.ts).
* To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/providers/custom-provider#override-default-options).
*
* :::
*
* :::info **Disclaimer**
*
* If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
*
* Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
* the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
* we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
*
* :::
*/
export default function NotionProvider<P extends NotionProfile>(
options: OAuthUserConfig<P> & AdditionalConfig
): OAuthConfig<P> {
return {
id: "notion",
name: "Notion",
type: "oauth",
token: {
url: `${NOTION_HOST}/v1/oauth/token`,
},
userinfo: {
url: `${NOTION_HOST}/v1/users`,
// The result of this method will be the input to the `profile` callback.
// We use a custom request handler, since we need to do things such as pass the "Notion-Version" header
// More info: https://next-auth.js.org/configuration/providers/oauth
async request(context) {
const profile = await fetch(`${NOTION_HOST}/v1/users/me`, {
headers: {
Authorization: `Bearer ${context.tokens.access_token}`,
"Notion-Version": NOTION_API_VERSION,
},
})
const {
bot: {
owner: { user },
},
} = await profile.json()
return user
},
},
authorization: {
params: {
client_id: options.clientId,
response_type: "code",
owner: "user",
redirect_uri: options.redirectUri,
},
url: `${NOTION_HOST}/v1/oauth/authorize`,
},
async profile(profile, tokens) {
return {
id: profile.id,
name: profile.name,
email: profile.person.email,
image: profile.avatar_url,
}
},
style: {
logo: "/notion.svg",
logoDark: "/notion.svg",
bg: "#fff",
text: "#000",
bgDark: "#fff",
textDark: "#000",
},
options,
}
}

69
packages/core/src/providers/oauth-types.ts
View File

@@ -1,69 +0,0 @@
// THIS FILE IS AUTOGENERATED. DO NOT EDIT.
export type OAuthProviderType =
| "42-school"
| "apple"
| "atlassian"
| "auth0"
| "authentik"
| "azure-ad-b2c"
| "azure-ad"
| "battlenet"
| "box"
| "boxyhq-saml"
| "bungie"
| "cognito"
| "coinbase"
| "credentials"
| "discord"
| "dropbox"
| "duende-identity-server6"
| "email"
| "eveonline"
| "facebook"
| "faceit"
| "foursquare"
| "freshbooks"
| "fusionauth"
| "github"
| "gitlab"
| "google"
| "hubspot"
| "identity-server4"
| "index"
| "instagram"
| "kakao"
| "keycloak"
| "line"
| "linkedin"
| "mailchimp"
| "mailru"
| "medium"
| "naver"
| "netlify"
| "oauth-types.js"
| "oauth"
| "okta"
| "onelogin"
| "osso"
| "osu"
| "patreon"
| "pinterest"
| "pipedrive"
| "reddit"
| "salesforce"
| "slack"
| "spotify"
| "strava"
| "todoist"
| "trakt"
| "twitch"
| "twitter"
| "united-effects"
| "vk"
| "wikimedia"
| "wordpress"
| "workos"
| "yandex"
| "zitadel"
| "zoho"
| "zoom"

2
packages/core/src/providers/oauth.ts
View File

@@ -66,7 +66,7 @@ export type TokenEndpointHandler = EndpointHandler<
params: CallbackParamsType
/**
* When using this custom flow, make sure to do all the necessary security checks.
* Thist object contains parameters you have to match against the request to make sure it is valid.
* This object contains parameters you have to match against the request to make sure it is valid.
*/
checks: OAuthChecks
},

6
packages/core/src/types.ts
View File

@@ -203,7 +203,7 @@ export interface CallbacksOptions<P = Profile, A = Account> {
* Its content is forwarded to the `session` callback,
* where you can control what should be returned to the client.
* Anything else will be kept inaccessible from the client.
*
*
* Returning `null` will invalidate the JWT session by clearing
* the user's cookies. You'll still have to monitor and invalidate
* unexpired tokens from future requests yourself to prevent
@@ -220,7 +220,7 @@ export interface CallbacksOptions<P = Profile, A = Account> {
account?: A | null
profile?: P
isNewUser?: boolean
}) => Awaitable<JWT|null>
}) => Awaitable<JWT | null>
}
/** [Documentation](https://authjs.dev/reference/configuration/auth-config#cookies) */
@@ -452,7 +452,7 @@ export interface ResponseInternal<
status?: number
headers?: Headers | HeadersInit
body?: Body
redirect?: URL | string
redirect?: string
cookies?: Cookie[]
}

4
packages/frameworks-sveltekit/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@auth/sveltekit",
"version": "0.1.12",
"version": "0.2.0",
"description": "Authentication for SvelteKit.",
"keywords": [
"authentication",
@@ -69,4 +69,4 @@
},
"./package.json": "./package.json"
}
}
}

10
packages/frameworks-sveltekit/scripts/postbuild.js
View File

@@ -1,8 +1,16 @@
// After build, copy the files in ./package to the root directory, excluding the package.json file.
import fs from "fs/promises"
import path from "path"
const __dirname = path.dirname(new URL(import.meta.url).pathname)
let __dirname = path.dirname(new URL(import.meta.url).pathname)
// The above hack to polyfill "__dirname" for ESM does not work on Windows computers,
// so we might have to manually perform more steps.
__dirname = __dirname.split(path.sep).join(path.posix.sep)
if (__dirname.match(/^\/\w:\//)) {
__dirname = __dirname.slice(3) // Remove the drive prefix.
}
const root = path.join(__dirname, "..")
const pkgDir = path.join(root, "package")

1501
pnpm-lock.yaml generated
View File

File diff suppressed because it is too large Load Diff

4
turbo.json
View File

@@ -25,6 +25,10 @@
"dependsOn": ["^build"],
"outputs": ["lib/**", "providers/**", "*.js", "*.d.ts", "*.d.ts.map"]
},
"@auth/sveltekit#build": {
"dependsOn": ["^build"],
"outputs": ["client.*", "index.*"]
},
"clean": {
"cache": false
},