BREAKING CHANGE:
`prisma-legacy` is now gone. Use `@next-auth/prisma-adapter`. Any features from the old adapter will be migrated over to the new one eventually. This is done so we can require the same default set of options from all the built-in providers, rather than allowing ambiguity on what an official adapter has to support.
The `TypeORM` adapter will probably be the only one migrated as-is, but in the future, we would like to break it down to lighter-weight adapters that only support single databases.
Adapters no longer have to return a `getAdapter()` method, they can return the actual adapter methods instead. All the values previously being provided through the arguments of `getAdapter` will now be available in a more digestible format directly in the concerning methods. This behavior was created so that connections could be handled more efficiently. Our review has shown that currently, the TypeORM adapter is the only one that does not handle connections out-of-the-box, so we are going to look into how we can create a wrapper/util function to make it work in the new version. For all other adapters, this will be a huge gain, as with this new API, methods are actually overrideable without creating a whole new custom adapter! 🥳
Example:
```js
function MySlightlyCustomAdapter(...args) {
const adapter = AdapterFromSomeoneElse(...args)
adapter.someMethodIWantToModify = (...args) => {
// Much better implementation goes here.
}
return adapter
}
```
**The following method names are changing:**
```diff
- getSession
+ getSessionAndUser
```
This method now requires that you return both the user and the session as `{user, session}`. If any of these could not be retrieved, you will have to return `null` instead. (In other words, this must be a transaction.) This requires one less database call, improving the user session retrieval. Any expiry logic included in the Adapter before is now done in the core as well.
```diff
- createVerificationRequest
+ createVerificationToken
```
Better describes the functionality. This method no longer needs to call `provider.sendVerificationRequest`, we are moving this into the core. This responsibility shouldn't have fallen to the adapter in the first place.
`createVerificationToken` will now receive a `VerificationToken` object, which looks like this:
```ts
interface VerificationToken {
identifier: string
expires: Date
token: string
}
```
The token provided is already hashed, so nothing has to be done, simply write it to your database. (Here we lift up the responsibility from the adapter to hash tokens)
```diff
- getVerificationRequest
+ useVerificationToken
```
Better describes the functionality. It now also has the responsibility to delete the used-up token from the database. Most ORMs should support retrieving the value while deleting it at the same time, so it will reduce the number of database calls.
``` diff
- deleteVerificationRequest
```
This method is gone. See `useVerificationToken`.
Most of the method signatures have been changed, have a look at the [TypeScript interface](ba4ec5faa3/types/adapters.d.ts) to get a better picture.
Adds a new way to import providers for modularity and better tree-shaking.
BREAKING CHANGE:
Providers now have to be imported one-by-one:
Example:
```diff
- import Provider from "next-auth/providers"
- Providers.Auth0({...})
+ import Auth0Provider from "next-auth/providers/auth0"
+ Auth0Provider({...})
```
* chore(deps): add openid-client
* chore: merge in next
* refactor(provider): remove redundant requestUrl param
* feat(provider): make profile callback optional
* refactor: use openid-client for OAuth2/OIDC
* refactor: use openidClient in oauth signin handler
* refactor: use openidClient in oauth callback handler
* docs(warn): add async issuer/old config warnings
* chore(deps): remove jsonwebtoken
* chore: add issuer property for testing locally
* chore(dev): import providers one-by-one
* fix(oauth): handle when no user in body/query
* chore(deps): remove pkce-challenge
* chore(dev): change Auth0 protection
* refactor(oauth): simplify pkce/state
* refactor: split OAuth1 client, reduce openid client
will improve API in another PR
* chore: change comment, dev app
* chore: mention OIDC client config discovery
* fix: add new operator when creating OIDC client
* refactor: delete req.query.nextauth after use
* docs(ts): use `TokenSet` from `openid-client`
* chore: simplify/type signin route
* refactor: rename to client-legacy to indicate intnet of maintenance
* chore(deps): try setting `oauth` as optional peer dep
* chore(deps): add `oauth` back as regular dependency
* chore(deps): add @types/oauth as dev dependency
* chore: remove params kept for backwards compatibility
* chore: don't make breaking changes in this PR
* chore(core): use correct TS declarations
* refactor: move files/add more accurate types internally
* chore: remove TODO comment
* chore: catch all errors in authorization URL generation
A living session could be a requirement for specific pages (like dashboards). If it doesn’t exist, the user should be redirected to a page asking them to sign in again.
Sometimes, a user might log out by accident, or by deleting cookies on purpose. If that happens (e.g. on a separate tab), then `useSession({ required: true })` should detect the absence of a session cookie and always return a non-nullable Session object type.
When `required: true` is set, the default behavior will be to redirect the user to the sign-in page. This can be overridden by an `action()` callback:
```js
const session = useSession({
required: true,
action() {
// ....
}
})
if (session.status === "Loading") return "Loading or not authenticated..."
// session.data is always defined here.
```
Co-authored-by: Kristóf Poduszló <kripod@protonmail.com>
Co-authored-by: Lluis Agusti <hi@llu.lu>
BREAKING CHANGE:
The `useSession` hook now returns an object. Here is how to accommodate for this change:
```diff
- const [ session, loading ] = useSession()
+ const { data: session, status } = useSession()
+ const loading = status === "loading"
```
With the new `status` option, you can test states much more clearly.
Node 10 has reached end-of-life, Next.js stopped supporting it in Next 11. Since we are a Next.js library, it doesn't make sense for us to support anything lower than that either.
I also upgraded a bunch of dependencies and dropped some that weren't necessary anymore.
BREAKING CHANGE:
The lowest supported Node version is 12. (We still support IE11 in browsers, until that is not dropped by Next.js itself)
**What**:
These changes ensure that we work more tightly with React that can also result in unforeseen performance boosts. In case we would decide on expanding to other libraries/frameworks, a new file per framework could be added.
**Why**:
Some performance issues (https://github.com/nextauthjs/next-auth/issues/844) could only be fixed by moving more of the client code into the `Provider`.
**How**:
Refactoring `next-auth/client`
Related: #1461, #1084, #1462
BREAKING CHANGE:
**1.** `next-auth/client` is renamed to `next-auth/react`.
**2.** In the past, we exposed most of the functions with different names for convenience. To simplify our source code, the new React specific client code exports only the following functions, listed with the necessary changes:
- `setOptions`: Not exposed anymore, use `SessionProvider` props
- `options`: Not exposed anymore, use `SessionProvider` props
- `session`: Rename to `getSession`
- `providers`: Rename to `getProviders`
- `csrfToken`: Rename to `getCsrfToken`
- `signin`: Rename to `signIn`
- `signout`: Rename to `signOut`
- `Provider`: Rename to `SessionProvider`
**3.** `Provider` changes.
- `Provider` is renamed to `SessionProvider`
- The `options` prop is now flattened as the props of `SessionProvider`.
- `clientMaxAge` has been renamed to `staleTime`.
- `keepAlive` has been renamed to `refetchInterval`.
An example of the changes:
```diff
- <Provider options={{clientMaxAge: 0, keepAlive: 0}}>{children}</Provider>
+ <SessionProvider staleTime={0} refetchInterval={0}>{children}</SessionProvider>
```
**4.** It is now **required** to wrap the part of your application that uses `useSession` into a `SessionProvider`.
Usually, the best place for this is in your `pages/_app.jsx` file:
```jsx
import { SessionProvider } from "next-auth/react"
export default function App({
Component,
pageProps: { session, ...pageProps }
}) {
return (
// `session` comes from `getServerSideProps` or `getInitialProps`.
// Avoids flickering/session loading on first load.
<SessionProvider session={session}>
<Component {...pageProps} />
</SessionProvider>
)
}
```
* feat(adapter): remove built-in adapters and database
BREAKING CHANGE:
From now on, you will have to import your own adapter
Check out https://github.com/nextauthjs/adapters
The migration is super easy and has HUGE advantages for those not using TypeORM.
```diff
// [...nextauth].js
+ import TypeORMAdapter from "@next-auth/typeorm-legacy-adapter"
import NextAuth from "next-auth"
...
export default NextAuth({
- database: "yourconnectionstring",
+ adapter: TypeORMAdapter("yourconnectionstring")
})
```
Co-authored-by: Lluis Agusti <hi@llu.lu>
Co-authored-by: Giovanni Carnel <479046+g10@users.noreply.github.com>
Contains the following squashed commits:
* chore(lint): run prettier on pre-commit
* chore(lint): format files on pre-commit
* chore(npm): update lock file
* chore: move dev app to its own folder
* docs: update CONTRIBUTING.md
* docs: fix typos in CONTRIBUTING
* chore: gitignore dev app lock files
* chore: move release config into package.json
* chore: add beta to release flow/GH actions
* feat(ts): expose types from the package (#1665)
* chore(types): move existing types to the repo
* feat(ts): expose types from the main package
* chore(deps): bring back `react-dom` version range
* chore(ts): cleanup deps and comments
* chore(ci): run types tests on a separate workflow
* chore(ci): fix typo on types workflow
* fix(ts): correctly export sub-module types (#1677)
* chore(types): build types script
Adds a script that moves the declaration files we have in `./types` to `./dist` relative to the files they intend to type.
This is the first step, we still need to change what we declare in `package.json`, add the script to the CI pipeline if we're happy with it and figure out how to type `next-auth/jwt`.
* refactor(lint): fix build-types script
* fix(ts): add .d.ts sub-module files to package.json
#1677 seemed to miss this
* fix(built): typo in package.json
* fix(build): fix release
* feat(ts): support module augmentation (#1681)
* chore(ts): remove unused imports
* refactor(ts): clean up CallbackOptions
* docs(ts): explain Module Augmentation
* docs(ts): don't use @ in folder name "types"
* test(ts): make jwt params optional
* docs(ts): fix typo (TypeScript -> NextAuth.js)
* style: replace ts-standard with eslint/prettier (#1724)
* style: move from ts-standard to eslint/prettier
* fix: install remaining eslint-config-standard peer deps
* fix: add remaining missing dependencies/config
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* docs(lint): update contributing.md (#1760)
Regarding ESLint / Prettier use and link to their VSCode extensions
* refactor(ts): de-duplicate types (#1690)
* refactor(ts): deduplicate internal types
* refactor(ts): ease up providers typings
* test(ts): fix failing TS tests
* test(ts): rename TS property to fix test
* docs(ts): mention TS docs in README.md
* feat(ts): move/update client types
* refactor(TS): rename some types
* test(ts): fix client tests
* docs(ts): move function descriptions to .d.ts
* chore: fix lint error
* refactor(ts): separate internal types
* chore: simplify build-types script
* chore: update type import paths in src
* chore(build): create root files at build
* chore: remove unnecessary .npmignore
* chore: run prettier on types
* fix(ts): clean up jwt types
* fix(ts): make getToken return type depend on raw param
* docs(page): explain page errors, add theming note
* docs(ts): add JSDoc to NextAuthOptions props
* chore(ts): remove unused import
* docs(ts): change JSDOC docs notation
* refactor(build): extract module entries into enum
* chore(ts): move ClientSafeProvider
* chore(ts): simplify GetTokenParams generic
* style(lint): fix linting errors
* chore: re-add generic extension to GetTokenParams
* fix(ts): extract EmailConfigServerOptions to interface
* fix(ts): use relative imports
* Merge branch 'main' into beta
* Merge main into beta
* fix(ts): fix typos, add more links to documentation
* test(ts): update JWT getToken test
* fix(build): fix tsconfig.json formatting
* test(ts): use absolute imports in test files
* fix(ts): add missing callbacks JSDoc
* docs: mention TS in FAQ, fix typos
* docs: fix some typos in the docs
Co-authored-by: Lluis Agusti <hi@llu.lu>
Co-authored-by: Nico Domino <yo@ndo.dev>
* feat(build): optionally include TypeORM
If the user doesn't use databases,
it shouldn't be necessary to iclude it in the bundle.
This can more than half the package size!
* feat(build): clean up in dependencies
Remove unused dependencies, move optional ones to be optional
* feat(build): add exports field
* fix: use peerDependenciesMeta instead of non-standard peerOptionalDependecns field
* fix: ts-standard string quotes
* fix: ts-standard string quotes
* refactor: use asnyc/await for sendVerificationRequest
* chore(deps): upgrade mongodb, remove require_optional
Co-authored-by: ndom91 <yo@ndo.dev>
BREAKING CHANGE:
`typeorm`, and `nodemailer` are no longer dependencies added by default.
If you need any of them, you will have to install them yourself in your project directory.
TypeOrm is the default adapter, so if you only provide an `adapter` configuration or a `database`, you will need `typeorm`. You could also check out `@next-auth/typeorm-adapter`. In case you are using the Email provider, you will have to install `nodemailer` (or you can use the choice of your library in the `sendVerificationRequest` callback to send out the e-mail.)
* chore: alias dev script to next
* feat(core): fallback to body when reading state
* refactor: set csrfToken on req.options implicitly
Ensures we do this similarly than
in other handlers like pkce, state, extendRes, callbackUrlHandler etc.
* chore: add code comment for debugging
