Although previous config worked locally, it turns out it isn't compatible with now.sh.
It turns out when deploying from a subdir (like 'www') on now.sh the contents of the parent directory aren't available.
* Now has 'www' directory at root level for the website (was 'docs').
* The 'docs' directory now only contains Markdown docs.
* Docusaurus config looks in '../docs' for the docs.
This is deployed with now.sh to https://next-auth-docs.now.sh
* Better error handling, more specific messages.
* Async email option has been removed as was problematic on serverless.
* Refactored email sign in so that sending emails is now handled by the email provider.
* How email configuration works is now more customizable - and cleanly separated from database logic.
* Now possible to define logic for async email (e.g. pass messages to a queue) or use any email provider or API.
* Email providers can now set the option 'async' to 'true' to send emails AFTER displaying confirmation page, or to 'false' to send emails BEFORE returning to the user. Defaults to false.
Setting it to true is faster for the user, but is hard to debug as it's not easy to know if it worked or not.
* Fixed bug with unsubscribe option.
* Moved oAuth and Email signin handlers together in `lib` dir.
* Added email verification adapter methods
* Added support on sign in page for email providers
* Added check email page
* Added SMTP transport to send email messages
Includes refactoring of model and handlers for the email verification flow.
Brings them into line with other methods.
Not refactoring other getUser* methods at this time as may be helpful for them to be explicit about what will be passed.
* Renamed 'Session ID' to 'Session Token'.
* Applies to model, functions and default cookie name.
* This avoids confusion by separating it from 'id' property in session model.
* Updated documentation
* `lint` and `lint:fix` now separate scripts
* Fixed simple linting issues
Still some linter errors as the email sign up flow is a work in progress.
Twitch recently made breaking changes to their oAuth API.
It no longer works like other oAuth 2 providers. The documentation for it is extensive, but poor quality.
This update still has intermittent problems, but as far as I can make out the problem is the API; they have completed their roll out to 100% but it's still failing sometimes.
* Run `npm run lint` to find (and where possible, fix) linting issues.
* Includes some minor refactoring, including directory structure for adapters and models, so that code for an adapter and the models for it sit together.
Background:
I've added eslint to try and ensure a consistent style and to uncover hidden bugs.
I don't actually care much about what the rules are, it's just helpful to have a baseline.
If it's hard to get code to be compliant, I would rather we just disable a rule in that block of code until we can figure it out and am totally fine with that.
I'd much prefer that than the chore of maintaining a custom set of rules, which is why I just picked Standard JS.
Unfortunately, there is quite a lot that doesn't match the Standard JS format at this point, so this is going to be a big PR.
The file size has gone down in quite a few places, which is nice. I think it may have uncovered potential bugs.
I've run through the flow and everything seems to work as before, though it took some debugging after refactoring.
I have not yet added eslint to a commit hook and am in two minds about that.
This is an open source project and I'd like to make it easy to maintain, but also to have as low a barrier to entry as possible for contributors.
I'm happy to go with encouraging folks to run the linter and try to fix errors they find and to take on the work of wrangling any issues myself.
This error page will be used to handle displaying all errors to the client.
There will be an option to provide a custom error page URL.
Update includes some tweaks to CSS.
* Should database compatibility issues with the model.
* Session expiry dates are still not enforced in client.
* All cookies are still session cookies and expire when the browser is closed.
* AccessToken expiry has been removed for now.
These are all known issues and intended behaviour for now, and will be addressed before release.
* Logic now centralized to avoid duplication across multiple routes.
* Improved validation of query params.
* Also checks and cookie values as mitigation against cookie hijacking.
* CSRF token is verified first.
* If token doesn't match, redirect client to signout URL to prompt for confirmation.
* `deleteSessionById()` not yet implemented in default adapter, so does not work.
* Identified area for refactoring around callbackUrl behaviour.