chore(core/oauth): remove support for userinfo.request

closes #6696

.github/ISSUE_TEMPLATE/2_bug_provider.yml

@@ -74,6 +74,7 @@ body:
         - "Trakt"
         - "Twitch"
         - "Twitter"
+        - "Vipps"
         - "Vk"
         - "Wordpress"
         - "WorkOS"

apps/examples/solid-start/src/routes/protected.tsx

@@ -3,7 +3,7 @@ import { Protected } from "~/components";
 export const { routeData, Page } = Protected((session) => {
   return (
     <main class="flex flex-col gap-2 items-center">
-      <h1>This is a proteced route</h1>
+      <h1>This is a protected route</h1>
     </main>
   );
 });

docs/docs/getting-started/02-oauth-tutorial.mdx

@@ -9,7 +9,7 @@ import startAppAndSignInImg from "./img/getting-started-app-start.png"
 import githubAuthCredentials from "./img/getting-started-github-auth.png"
 import nextAuthUserLoggedIn from "./img/getting-started-nextauth-success.png"
 
-We know, authentication is hard. Is a rabbit hole and it's easy to get lost on it. The goal of making Auth.js is that you can add authentication easily to your project with just a few lines of code.
+We know, authentication is hard. It's a rabbit hole and it's easy to get lost on it. The goal of making Auth.js is that you can add authentication easily to your project with just a few lines of code.
 
 The easiest way is to setup Auth.js with an [OAuth](https://en.wikipedia.org/wiki/OAuth) provider. In this tutorial we'll be setting Auth.js in a **Next.js app** to be able to login with **Github**.
 
@@ -214,7 +214,7 @@ Note that, for each provider, the configuration process will be similar to what
 2. Create create your OAuth application within it
 3. Set the callback URL
 4. Get the Client ID and Generate a Client Secret
-   :::
+:::
 
 ## 3. Wiring all together
 
@@ -253,11 +253,13 @@ Once inserted and correct, Github will redirect the user to our app and Auth.js
 <img src={nextAuthUserLoggedIn} />
 
 Great! We have completed the whole E2E authentication flow setup so that users can login in our application through Github!
+:::
 
 :::info
-You can create your own Sign In page instead of using the default one from Auth.js. You can learn how to do so in our dedicated guide for it.
+You can create your own Sign In page instead of using the default one from Auth.js. You can learn how to do so in our [dedicated guide for it](/guides/basics/pages).
 :::
 
+
 ## 4. Deploying to production
 
 ### Configuring different environments

docs/docs/getting-started/03-email-tutorial.mdx

@@ -72,11 +72,11 @@ export default NextAuth({
   providers: [
     Email({
       server: {
-        host: process.env.EMAIL_SERVER_HOST,
-        port: Number(process.env.EMAIL_SERVER_PORT),
+        host: process.env.SMTP_HOST,
+        port: Number(process.env.SMTP_PORT),
         auth: {
-          user: process.env.EMAIL_SERVER_USER,
-          pass: process.env.EMAIL_SERVER_PASSWORD,
+          user: process.env.SMTP_USER,
+          pass: process.env.SMTP_PASSWORD,
         },
       },
       from: process.env.EMAIL_FROM,
@@ -147,8 +147,8 @@ import EmailProvider from "next-auth/providers/email"
 
 export default NextAuth({
   secret: process.env.NEXTAUTH_SECRET,
++ adapter: MongoDBAdapter(clientPromise),
   providers: [
-+   adapter: MongoDBAdapter(clientPromise),
     EmailProvider({
       server: {
         host: process.env.EMAIL_SERVER_HOST,
@@ -188,7 +188,7 @@ Let's now check our email, and look for one sent from NextAuth (check your spam
 
 <img src={mailboxImg} alt="Screenshot of mailbox" />
 
-Nice! We got one, coming from the sender specified in the `EMAIL_FROM` environment variable from our configuration above and that's is the sender we verified in Sengrid.
+Nice! We got one, coming from the sender specified in the `EMAIL_FROM` environment variable from our configuration above and that's is the sender we verified in Sendgrid.
 
 Click on "Sign in" and a new browser tab will open, you should then land on your application as authenticated!
 

docs/docs/guides/03-basics/refresh-token-rotation.md

@@ -45,10 +45,10 @@ export default Auth(new Request("https://example.com"), {
         // Save the access token and refresh token in the JWT on the initial login
         return {
           access_token: account.access_token,
-          expires_at: Date.now() + account.expires_in * 1000,
+          expires_at: Math.floor(Date.now() / 1000 + account.expires_in),
           refresh_token: account.refresh_token,
         }
-      } else if (Date.now() < token.expires_at) {
+      } else if (Date.now() < token.expires_at * 1000) {
         // If the access token has not expired yet, return it
         return token
       } else {
@@ -74,7 +74,7 @@ export default Auth(new Request("https://example.com"), {
           return {
             ...token, // Keep the previous token properties
             access_token: tokens.access_token,
-            expires_at: Date.now() + tokens.expires_in * 1000,
+            expires_at: Math.floor(Date.now() / 1000 + tokens.expires_in),
             // Fall back to old refresh token, but note that
             // many providers may only allow using a refresh token once.
             refresh_token: tokens.refresh_token ?? token.refresh_token,
@@ -136,7 +136,7 @@ export default Auth(new Request("https://example.com"), {
       const [google] = await prisma.account.findMany({
         where: { userId: user.id, provider: "google" },
       })
-      if (google.expires_at < Date.now()) {
+      if (google.expires_at * 1000 < Date.now()) {
         // If the access token has expired, try to refresh it
         try {
           // https://accounts.google.com/.well-known/openid-configuration
@@ -159,7 +159,7 @@ export default Auth(new Request("https://example.com"), {
           await prisma.account.update({
             data: {
               access_token: tokens.access_token,
-              expires_at: Date.now() + tokens.expires_in * 1000,
+              expires_at: Math.floor(Date.now() / 1000 + tokens.expires_in),
               refresh_token: tokens.refresh_token ?? google.refresh_token,
             },
             where: {

docs/docs/guides/07-corporate-proxies/corporate-proxy.md

@@ -2,7 +2,7 @@
 title: Corporate proxy
 ---
 
-Using Auth.js behind a corporate proxy is not supported out of the box. This is due to the fact that the underlying library we use, [`openid-client`](https://npm.im/openid-client) which uses the built-in Node.js `http` / `https` libraries, and those do not support proxys by default:
+Using Auth.js behind a corporate proxy is not supported out of the box. This is due to the fact that the underlying library we use, [`openid-client`](https://npm.im/openid-client) which uses the built-in Node.js `http` / `https` libraries, and those do not support proxies by default:
 
 - [`http` docs](https://nodejs.org/dist/latest-v18.x/docs/api/http.html)
 - [`https` docs](https://nodejs.org/dist/latest-v18.x/docs/api/https.html)

docs/docs/guides/08-other/ldap-auth.md

@@ -26,7 +26,7 @@ export default NextAuth({
         password: { label: "Password", type: "password" },
       },
       async authorize(credentials, req) {
-        // You might want to pull this call out so we're not making a new LDAP client on every login attemp
+        // You might want to pull this call out so we're not making a new LDAP client on every login attempt
         const client = ldap.createClient({
           url: process.env.LDAP_URI,
         })

docs/docs/reference/04-solidstart/index.md

@@ -23,8 +23,8 @@ AUTH_SECRET=your_auth_secret
 in this example we are using github so make sure to set the following environment variables:
 
 ```
-GITHUB_ID=your_github_oatuh_id
-GITHUB_SECRET=your_github_oatuh_secret
+GITHUB_ID=your_github_oauth_id
+GITHUB_SECRET=your_github_oauth_secret
 ```
 
 ```ts

docs/docs/reference/04-solidstart/protected.md

@@ -11,7 +11,7 @@ When using SSR, I recommend creating a `Protected` component that will trigger s
 
 ```tsx
 // components/Protected.tsx
-import { type Session } from "@auth/core";
+import { type Session } from "@auth/core/types";
 import { getSession } from "@auth/solid-start";
 import { Component, Show } from "solid-js";
 import { useRouteData } from "solid-start";
@@ -60,7 +60,7 @@ import Protected from "~/components/Protected";
 export const { routeData, Page } = Protected((session) => {
   return (
     <main class="flex flex-col gap-2 items-center">
-      <h1>This is a proteced route</h1>
+      <h1>This is a protected route</h1>
     </main>
   );
 });
@@ -110,7 +110,7 @@ And now you can easily create a protected route:
 export default () => {
   return (
     <main class="flex flex-col gap-2 items-center">
-      <h1>This is a proteced route</h1>
+      <h1>This is a protected route</h1>
     </main>
   );
 };

docs/docs/reference/05-oauth-providers/trakt.md

@@ -33,7 +33,7 @@ providers: [
 ```
 
 :::warning
-Trakt does not allow hotlinking images. Even the authenticated user's profie picture.
+Trakt does not allow hotlinking images. Even the authenticated user's profile picture.
 :::
 
 :::warning

docs/docs/reference/06-adapters/dgraph.md

@@ -91,7 +91,7 @@ type VerificationToken {
 ## Securing your database
 
 For production deployments you will want to restrict the access to the types used
-by next-auth. The main form of access control used in Dgraph is via `@auth` directive alongide types in the schema.
+by next-auth. The main form of access control used in Dgraph is via `@auth` directive alongside types in the schema.
 
 #### Secure schema
 

docs/scripts/generate-snippets.mjs

@@ -18,7 +18,7 @@ for (const file of files) {
   body.push(" */")
   const name = file.replace(/\.md$/, "")
   result[name] = {
-    description: `Snippet genereated from ${file} by pnpm \`generate-snippet\``,
+    description: `Snippet generated from ${file} by pnpm \`generate-snippet\``,
     scope: "typescript",
     prefix: name,
     body,

docs/snippets/oauth-docs.md

@@ -7,7 +7,7 @@ import { Auth } from "@auth/core"
 import $1 from "@auth/core/providers/$2"
 
 const request = new Request("https://example.com")
-const resposne = await AuthHandler(request, {
+const response = await AuthHandler(request, {
   providers: [$1({ clientId: "", clientSecret: "" })],
 })
 ```

docs/snippets/oauth-provider.md

@@ -9,7 +9,7 @@ import Auth from "@auth/core"
 import { $1 } from "@auth/core/providers/$2"
 
 const request = new Request("https://example.com")
-const resposne = await AuthHandler(request, {
+const response = await AuthHandler(request, {
   providers: [$1({ clientId: "", clientSecret: "" })],
 })
 ```

docs/static/img/providers/vipps-dark.svg

@@ -0,0 +1,3 @@
+<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path fill-rule="evenodd" clip-rule="evenodd" d="M15.2103 9.19238C16.3543 9.19238 17.3348 8.33691 17.3348 7.10693C17.3348 5.87646 16.3543 5.021 15.2103 5.021C14.0667 5.021 13.0867 5.87646 13.0867 7.10693C13.0867 8.33691 14.0667 9.19238 15.2103 9.19238ZM17.9881 12.5625C16.5716 14.3804 15.074 15.6377 12.4324 15.6377C9.7376 15.6377 7.63994 14.0332 6.00615 11.6797C5.35235 10.7168 4.34502 10.5029 3.60967 11.0112C2.92901 11.4927 2.76592 12.5088 3.3919 13.3916C5.65166 16.7881 8.7835 18.7666 12.4324 18.7666C15.782 18.7666 18.3968 17.1621 20.4388 14.4878C21.201 13.4985 21.1736 12.4824 20.4388 11.9204C19.7576 11.3853 18.7503 11.5732 17.9881 12.5625Z" fill="white"/>
+</svg>

docs/static/img/providers/vipps.svg

@@ -0,0 +1,3 @@
+<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path fill-rule="evenodd" clip-rule="evenodd" d="M15.2103 9.19238C16.3543 9.19238 17.3348 8.33691 17.3348 7.10693C17.3348 5.87646 16.3543 5.021 15.2103 5.021C14.0667 5.021 13.0867 5.87646 13.0867 7.10693C13.0867 8.33691 14.0667 9.19238 15.2103 9.19238ZM17.9881 12.5625C16.5716 14.3804 15.074 15.6377 12.4324 15.6377C9.7376 15.6377 7.63994 14.0332 6.00615 11.6797C5.35235 10.7168 4.34502 10.5029 3.60967 11.0112C2.92901 11.4927 2.76592 12.5088 3.3919 13.3916C5.65166 16.7881 8.7835 18.7666 12.4324 18.7666C15.782 18.7666 18.3968 17.1621 20.4388 14.4878C21.201 13.4985 21.1736 12.4824 20.4388 11.9204C19.7576 11.3853 18.7503 11.5732 17.9881 12.5625Z" fill="white"/>
+</svg>

docs/vercel.json

@@ -73,7 +73,7 @@
           "value": "sveltekit.authjs.dev"
         }
       ],
-      "destination": "https://authjs.dev/reference/sveltekit/modules/main"
+      "destination": "https://authjs.dev/reference/sveltekit"
     },
     {
       "source": "/",
@@ -93,7 +93,7 @@
           "value": "errors.authjs.dev"
         }
       ],
-      "destination": "https://authjs.dev/reference/core/modules/errors/:path*"
+      "destination": "https://authjs.dev/reference/core/errors/:path*"
     },
     {
       "source": "/:path(.*)",
@@ -123,7 +123,7 @@
           "value": "providers.authjs.dev"
         }
       ],
-      "destination": "https://authjs.dev/reference/core/functions/providers_:path.default"
+      "destination": "https://authjs.dev/reference/core/providers_:path.default"
     }
   ]
 }

packages/adapter-dgraph/README.md

@@ -60,7 +60,7 @@ The simplest way to use Dgraph is by copy pasting the unsecure schema into your
 
 ## Securing your database
 
-Fore sake of security and mostly if your client directly communicate with the graphql server you obviously want to restrict the access to the types used by next-auth. That's why you see a lot of @auth directive alongide this types in the schema.
+Fore sake of security and mostly if your client directly communicate with the graphql server you obviously want to restrict the access to the types used by next-auth. That's why you see a lot of @auth directive alongside this types in the schema.
 
 ### Dgraph.Authorization
 

packages/adapter-dynamodb/README.md

@@ -85,7 +85,7 @@ export default NextAuth({
 The table respects the single table design pattern. This has many advantages:
 
 - Only one table to manage, monitor and provision.
-- Querying relations is faster than with multi-table schemas (for eg. retreiving all sessions for a user).
+- Querying relations is faster than with multi-table schemas (for eg. retrieving all sessions for a user).
 - Only one table needs to be replicated, if you want to go multi-region.
 
 Here is a schema of the table :

packages/adapter-dynamodb/src/index.ts

@@ -375,14 +375,14 @@ function generateUpdateExpression(object: Record<string, any>): {
   ExpressionAttributeNames: Record<string, string>
   ExpressionAttributeValues: Record<string, unknown>
 } {
-  const formatedSession = format.to(object)
+  const formattedSession = format.to(object)
   let UpdateExpression = "set"
   const ExpressionAttributeNames: Record<string, string> = {}
   const ExpressionAttributeValues: Record<string, unknown> = {}
-  for (const property in formatedSession) {
+  for (const property in formattedSession) {
     UpdateExpression += ` #${property} = :${property},`
     ExpressionAttributeNames["#" + property] = property
-    ExpressionAttributeValues[":" + property] = formatedSession[property]
+    ExpressionAttributeValues[":" + property] = formattedSession[property]
   }
   UpdateExpression = UpdateExpression.slice(0, -1)
   return {

packages/adapter-firebase/src/utils.ts

@@ -67,7 +67,7 @@ export function getConverter<Document extends Record<string, any>>(options: {
     fromFirestore(
       snapshot: FirebaseFirestore.QueryDocumentSnapshot<Document>
     ): Document {
-      const document = snapshot.data()! // we can guarentee it exists
+      const document = snapshot.data()! // we can guarantee it exists
 
       const object: Record<string, unknown> = {}
 

packages/adapter-pouchdb/README.md

@@ -22,7 +22,7 @@ Depending on your architecture you can use PouchDB's http adapter to reach any d
 
 1. Install `next-auth` and `@next-auth/pouchdb-adapter`, as well as `pouchdb`.
 
-> **Prerequesite**: Your PouchDB instance MUST provide the `pouchdb-find` plugin since it is used internally by the adapter to build and manage indexes
+> **Prerequisite**: Your PouchDB instance MUST provide the `pouchdb-find` plugin since it is used internally by the adapter to build and manage indexes
 
 ```js
 npm install next-auth @next-auth/pouchdb-adapter pouchdb

packages/adapter-pouchdb/src/index.ts

@@ -41,7 +41,7 @@ export const PouchDBAdapter: Adapter<
 > = (pouchdb) => {
   return {
     async getAdapter({ session, secret, ...appOptions }) {
-      // create PoucDB indexes if they don't exist
+      // create PouchDB indexes if they don't exist
       const res = await pouchdb.getIndexes()
       const indexes = res.indexes.map((index) => index.name, [])
       if (!indexes.includes("nextAuthUserByEmail")) {

packages/adapter-upstash-redis/README.md

@@ -24,7 +24,7 @@ This is the Upstash Redis adapter for [`next-auth`](https://authjs.dev). This pa
 npm install next-auth @next-auth/upstash-redis-adapter @upstash/redis
 ```
 
-2. Add the follwing code to your `pages/api/[...nextauth].js` next-auth configuration object.
+2. Add the following code to your `pages/api/[...nextauth].js` next-auth configuration object.
 
 ```js
 import NextAuth from "next-auth"

packages/core/src/adapters.ts

@@ -5,7 +5,7 @@
  * A database adapter provides a common interface for Auth.js so that it can work with
  * _any_ database/ORM adapter without concerning itself with the implementation details of the database/ORM.
  *
- * Auth.js supports 2 session strtategies to persist the login state of a user.
+ * Auth.js supports 2 session strategies to persist the login state of a user.
  * The default is to use a cookie + {@link https://authjs.dev/concepts/session-strategies#jwt JWT}
  * based session store (`strategy: "jwt"`),
  * but you can also use a database adapter to store the session in a database.
@@ -26,7 +26,7 @@
  *
  * ## Usage
  *
- * {@link https://authjs.dev/reference/adapters/overview Built-in adapters} already implement this interfac, so you likely won't need to
+ * {@link https://authjs.dev/reference/adapters/overview Built-in adapters} already implement this interface, so you likely won't need to
  * implement it yourself. If you do, you can use the following example as a
  * starting point.
  *

packages/core/src/index.ts

@@ -22,7 +22,7 @@
  * ```ts
  * import { Auth } from "@auth/core"
  *
- * const request = new Request("https://example.com"
+ * const request = new Request("https://example.com")
  * const response = await Auth(request, {...})
  *
  * console.log(response instanceof Response) // true
@@ -166,7 +166,7 @@ export async function Auth(
  * const response = await AuthHandler(request, authConfig)
  * ```
  *
- * @see [Initiailzation](https://authjs.dev/reference/configuration/auth-options)
+ * @see [Initialization](https://authjs.dev/reference/configuration/auth-options)
  */
 export interface AuthConfig {
   /**

packages/core/src/jwt.ts

@@ -6,7 +6,7 @@
  * issued and used by Auth.js.
  *
  * The JWT issued by Auth.js is _encrypted by default_, using the _A256GCM_ algorithm ({@link https://www.rfc-editor.org/rfc/rfc7516 JWE}).
- * It uses the `AUTH_SECRET` environment variable to dervice a sufficient encryption key.
+ * It uses the `AUTH_SECRET` environment variable to derive a sufficient encryption key.
  *
  * :::info Note
  * Auth.js JWTs are meant to be used by the same app that issued them.
@@ -203,7 +203,7 @@ export interface JWTOptions {
   /**
    * The secret used to encode/decode the Auth.js issued JWT.
    *
-   * @deprecated  Set the `AUTH_SECRET` environment vairable or
+   * @deprecated  Set the `AUTH_SECRET` environment variable or
    * use the top-level `secret` option instead
    */
   secret: string

packages/core/src/lib/callback-handler.ts

@@ -15,8 +15,8 @@ import type { SessionToken } from "./cookie.js"
  * It prevents insecure behaviour, such as linking OAuth accounts unless a user is
  * signed in and authenticated with an existing valid account.
  *
- * All verification (e.g. OAuth flows or email address verificaiton flows) are
- * done prior to this handler being called to avoid additonal complexity in this
+ * All verification (e.g. OAuth flows or email address verification flows) are
+ * done prior to this handler being called to avoid additional complexity in this
  * handler.
  */
 export async function handleLogin(
@@ -203,7 +203,7 @@ export async function handleLogin(
         // accounts (by email or provider account id)...
         //
         // If no account matching the same [provider].id or .email exists, we can
-        // create a new account for the user, link it to the OAuth acccount and
+        // create a new account for the user, link it to the OAuth account and
         // create a new session for them so they are signed in with it.
         const { id: _, ...newUser } = { ...profile, emailVerified: null }
         user = await createUser(newUser)

packages/core/src/lib/csrf-token.ts

@@ -16,7 +16,7 @@ interface CreateCSRFTokenParams {
  * where 'token' is the CSRF token and 'hash' is a hash made of the token and
  * the secret, and the two values are joined by a pipe '|'. By storing the
  * value and the hash of the value (with the secret used as a salt) we can
- * verify the cookie was set by the server and not by a malicous attacker.
+ * verify the cookie was set by the server and not by a malicious attacker.
  *
  * For more details, see the following OWASP links:
  * https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie

packages/core/src/lib/init.ts

@@ -60,7 +60,7 @@ export async function init({
 
   const maxAge = 30 * 24 * 60 * 60 // Sessions expire after 30 days of being idle by default
 
-  // User provided options are overriden by other options,
+  // User provided options are overridden by other options,
   // except for the options with special handling above
   const options: InternalOptions = {
     debug: false,

packages/core/src/lib/pages/styles.css

@@ -15,7 +15,7 @@
   --color-control-border: #bbb;
   --color-button-active-background: #f9f9f9;
   --color-button-active-border: #aaa;
-  --color-seperator: #ccc;
+  --color-separator: #ccc;
 }
 
 .__next-auth-theme-dark {
@@ -26,7 +26,7 @@
   --color-control-border: #555;
   --color-button-active-background: #060606;
   --color-button-active-border: #666;
-  --color-seperator: #444;
+  --color-separator: #444;
 }
 
 @media (prefers-color-scheme: dark) {
@@ -38,7 +38,7 @@
     --color-control-border: #555;
     --color-button-active-background: #060606;
     --color-button-active-border: #666;
-    --color-seperator: #444;
+    --color-separator: #444;
   }
 }
 
@@ -218,7 +218,7 @@ a.site {
   hr {
     display: block;
     border: 0;
-    border-top: 1px solid var(--color-seperator);
+    border-top: 1px solid var(--color-separator);
     margin: 2rem auto 1rem auto;
     overflow: visible;
 

packages/core/src/lib/routes/callback.ts

@@ -264,7 +264,7 @@ export async function callback(params: {
       // Callback URL is already verified at this point, so safe to use if specified
       return { redirect: callbackUrl, cookies }
     } else if (provider.type === "credentials" && method === "POST") {
-      const credentials = body
+      const credentials = body ?? {}
 
       // TODO: Forward the original request as is, instead of reconstructing it
       Object.entries(query ?? {}).forEach(([k, v]) =>

packages/core/src/providers/auth0.ts

@@ -84,7 +84,7 @@ export interface Auth0Profile {
  * import Auth0 from "@auth/core/providers/auth0"
  *
  * const request = new Request("https://example.com")
- * const resposne = await Auth(request, {
+ * const response = await Auth(request, {
  *   providers: [Auth0({ clientId: "", clientSecret: "", issuer: "" })],
  * })
  * ```

packages/core/src/providers/credentials.ts

@@ -3,7 +3,7 @@ import type { Awaitable, User } from "../types.js"
 import type { JSXInternal } from "preact/src/jsx.js"
 
 /**
- * Besieds providing type safety inside {@link CredentialsConfig.authorize}
+ * Besides providing type safety inside {@link CredentialsConfig.authorize}
  * it also determines how the credentials input fields will be rendered
  * on the default sign in page.
  */
@@ -40,8 +40,16 @@ export interface CredentialsConfig<
    * //...
    */
   authorize: (
-    /** See {@link CredentialInput} */
-    credentials: Record<keyof CredentialsInputs, string> | undefined,
+    /**
+     * The available keys are determined by {@link CredentialInput}.
+     *
+     * @note The existence/correctness of a field cannot be guaranteed at compile time,
+     * so you should always validate the input before using it.
+     *
+     * You can add basic validation depending on your use case,
+     * or you can use a popular library like [Zod](https://zod.dev) for example.
+     */
+    credentials: Partial<Record<keyof CredentialsInputs, unknown>>,
     /** The original request is forward for convenience */
     request: Request
   ) => Awaitable<User | null>
@@ -71,10 +79,10 @@ export type CredentialsProviderType = "Credentials"
  * @example
  * ```js
  * import Auth from "@auth/core"
- * import { Credentials } from "@auth/core/providers/credentials"
+ * import Credentials from "@auth/core/providers/credentials"
  *
  * const request = new Request("https://example.com")
- * const resposne = await AuthHandler(request, {
+ * const response = await AuthHandler(request, {
  *   providers: [
  *     Credentials({
  *       credentials: {

packages/core/src/providers/email.ts

@@ -82,7 +82,7 @@ export interface EmailConfig extends CommonProviderOptions {
 export type EmailProviderType = "email"
 
 /** TODO: */
-export function Email(config: EmailConfig): EmailConfig {
+export default function Email(config: EmailConfig): EmailConfig {
   return {
     id: "email",
     type: "email",

packages/core/src/providers/foursquare.js

@@ -1,6 +1,6 @@
 /** @type {import(".").OAuthProvider} */
 export default function Foursquare(options) {
-  const { apiVersion = "20210801" } = options
+  const { apiVersion = "20230131" } = options
   return {
     id: "foursquare",
     name: "Foursquare",
@@ -15,7 +15,7 @@ export default function Foursquare(options) {
         return fetch(url).then((res) => res.json())
       },
     },
-    profile({ response: { profile } }) {
+    profile({ response: { user: profile } }) {
       return {
         id: profile.id,
         name: `${profile.firstName} ${profile.lastName}`,

packages/core/src/providers/github.ts

@@ -78,7 +78,7 @@ export interface GitHubProfile {
  * import GitHub from "@auth/core/providers/github"
  *
  * const request = new Request("https://example.com")
- * const resposne = await Auth(request, {
+ * const response = await Auth(request, {
  *   providers: [GitHub({ clientId: "", clientSecret: "" })],
  * })
  * ```

packages/core/src/providers/gitlab.ts

@@ -54,10 +54,10 @@ export interface GitLabProfile extends Record<string, any> {
  *
  * ```js
  * import Auth from "@auth/core"
- * import { GitLab } from "@auth/core/providers/gitlab"
+ * import GitLab from "@auth/core/providers/gitlab"
  *
  * const request = new Request("https://example.com")
- * const resposne = await AuthHandler(request, {
+ * const response = await AuthHandler(request, {
  *   providers: [
  *     GitLab({clientId: "", clientSecret: ""})
  *   ]

packages/core/src/providers/index.ts

@@ -4,11 +4,8 @@ import type {
   CredentialsConfig,
   CredentialsProviderType,
 } from "./credentials.js"
-import type {
-  Email as EmailProvider,
-  EmailConfig,
-  EmailProviderType,
-} from "./email.js"
+import type EmailProvider from "./email.js"
+import type { EmailConfig, EmailProviderType } from "./email.js"
 import type {
   OAuth2Config,
   OAuthConfig,

packages/core/src/providers/spotify.ts

@@ -20,10 +20,10 @@ export interface SpotifyProfile extends Record<string, any> {
  *
  * ```ts
  * import Auth from "@auth/core"
- * import { Spotify } from "@auth/core/providers/spotify"
+ * import Spotify from "@auth/core/providers/spotify"
  *
  * const request = new Request("https://example.com")
- * const resposne = await AuthHandler(request, {
+ * const response = await AuthHandler(request, {
  *   providers: [
  *     Spotify({clientId: "", clientSecret: ""})
  *   ]

packages/core/src/providers/vipps.ts

@@ -0,0 +1,90 @@
+import type { OIDCConfig, OIDCUserConfig } from "./index.js"
+
+/** @see [User Profile Structure](https://vippsas.github.io/vipps-developer-docs/docs/APIs/login-api/vipps-login-api#userinfo) */
+export interface VippsProfile extends Record<string, any> {
+  sid: string
+  birthdate: string
+  email: string
+  email_verified: boolean
+  family_name: string
+  given_name: string
+  name: string
+  phone_number: string
+  sub: string
+}
+
+interface AdditonalConfig {
+  redirectUri?: string
+}
+
+/**
+ * @see [Vipps Login API](https://vippsas.github.io/vipps-developer-docs/docs/APIs/login-api/vipps-login-api)
+ *
+ * ## Example
+ *
+ * ```ts
+ * import Vipps from "@auth/core/providers/vipps"
+ * ...
+ * providers: [
+ *  Vipps({
+ *    clientId: process.env.VIPPS_CLIENT_ID,
+ *    clientSecret: process.env.VIPPS_CLIENT_SECRET,
+ *  })
+ * ]
+ * ...
+ * ```
+ * ::: note
+ * If you're testing, make sure to override the issuer option with apitest.vipps.no
+ * :::
+ */
+
+export default function Vipps<P extends VippsProfile>(
+  options: OIDCUserConfig<P> & AdditonalConfig
+): OIDCConfig<P> {
+  options.issuer ??= "https://api.vipps.no/access-management-1.0/access"
+  return {
+    id: "vipps",
+    name: "Vipps",
+    type: "oidc",
+    client: {
+      token_endpoint_auth_method: "client_secret_post",
+    },
+    authorization: {
+      params: {
+        scope: "openid name email",
+        client_id: options.clientId,
+        response_type: "code",
+      },
+    },
+    userinfo: {
+      async request({ tokens }) {
+        const response = await fetch(
+          "https://apitest.vipps.no/vipps-userinfo-api/userinfo",
+          {
+            headers: {
+              Authorization: `Bearer ${tokens.access_token}`,
+            },
+          }
+        )
+
+        return await response.json()
+      },
+    },
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email,
+      }
+    },
+    style: {
+      bgDark: "#f05c18",
+      bg: "#f05c18",
+      text: "#fff",
+      textDark: "#fff",
+      logo: "/vipps.svg",
+      logoDark: "/vipps-dark.svg",
+    },
+    options,
+  }
+}

packages/frameworks-solid-start/README.MD

@@ -27,8 +27,8 @@ AUTH_TRUST_HOST=true
 in this example we are using github so make sure to set the following environment variables:
 
 ```
-GITHUB_ID=your_github_oatuh_id
-GITHUB_SECRET=your_github_oatuh_secret
+GITHUB_ID=your_github_oauth_id
+GITHUB_SECRET=your_github_oauth_secret
 ```
 
 ```ts

packages/frameworks-sveltekit/package.json

@@ -20,7 +20,7 @@
     "Balázs Orbán <info@balazsorban.com>",
     "Nico Domino <yo@ndo.dev>",
     "Lluis Agusti <hi@llu.lu>",
-    "Iain Collins <me@iaincollins.com"
+    "Iain Collins <me@iaincollins.com>"
   ],
   "scripts": {
     "dev": "svelte-package -w",
@@ -69,4 +69,4 @@
     },
     "./package.json": "./package.json"
   }
-}
+}

packages/frameworks-sveltekit/src/lib/index.ts

@@ -113,7 +113,7 @@
  * This code sample already implements the correct method by using `const { session } = await parent();`
  * :::
  *
- * You should NOT put authorization logic in a `+layout.server.ts` as the logic is not guaranteed to propragate to leafs in the tree.
+ * You should NOT put authorization logic in a `+layout.server.ts` as the logic is not guaranteed to propagate to leafs in the tree.
  * Prefer to manually protect each route through the `+page.server.ts` file to avoid mistakes.
  * It is possible to force the layout file to run the load function on all routes, however that relies certain behaviours that can change and are not easily checked.
  * For more information about these caveats make sure to read this issue in the SvelteKit repository: https://github.com/sveltejs/kit/issues/6315

turbo.json

@@ -47,6 +47,15 @@
     "docs#dev": {
       "dependsOn": ["^build"],
       "cache": false
+    },
+    "docs#build": {
+      "dependsOn": ["^build"],
+      "outputs": [
+        "build",
+        "docs/reference/core",
+        "docs/reference/sveltekit",
+        "docs/reference/adapter/**"
+      ]
     }
   }
 }