Merge branch 'feat/nextjs-auth' into feat/nextjs-auth-example-app

* JWT Token -> JWT

* document some errors

* improve errors, docs

.gitignore

@@ -26,15 +26,7 @@ dist
 # Generated files
 .docusaurus
 .cache-loader
-packages/next-auth/providers
-packages/next-auth/src/providers/oauth-types.ts
-packages/next-auth/client
-packages/next-auth/css
-packages/next-auth/utils
-packages/next-auth/core
-packages/next-auth/jwt
-packages/next-auth/react
-packages/next-auth/next
+
 packages/*/*.js
 packages/*/*.d.ts
 packages/*/*.d.ts.map
@@ -85,7 +77,10 @@ packages/core/providers
 packages/core/src/lib/pages/styles.ts
 docs/docs/reference/core
 docs/docs/reference/sveltekit
+docs/docs/reference/next-auth
 
+# Next.js
+packages/next-auth/lib
 
 # SvelteKit
 packages/frameworks-sveltekit/index.*

.prettierignore

@@ -40,10 +40,6 @@ packages/core/src/lib/pages/styles.ts
 packages/frameworks-sveltekit/package
 packages/frameworks-sveltekit/vite.config.{js,ts}.timestamp-*
 
-# next-auth
-packages/next-auth/src/providers/oauth-types.ts
-packages/next-auth/css/index.css
-
 
 # Adapters
 .branches

.vscode/settings.json

@@ -1,8 +1,8 @@
 {
   "files.exclude": {
-    "packages/core/{lib,providers,*.js,*.d.ts,*.d.ts.map}": true,
-    "packages/next-auth/{client,core,css,jwt,next,providers,react,utils,*.js,*.d.ts}": true
+    "packages/core/{lib,providers,*.js,*.d.ts*}": true,
+    "packages/next-auth/{lib,*.js,*.d.ts*}": true,
   },
   "typescript.tsdk": "node_modules/typescript/lib",
   "openInGitHub.remote.branch": "main"
-}
+}

apps/dev/nextjs/app/api/auth/[...nextauth]/route.ts

@@ -0,0 +1,3 @@
+import { handlers } from "auth"
+export const { GET, POST } = handlers
+export const runtime = "edge"

apps/dev/nextjs/app/api/protected/route.ts

@@ -0,0 +1,10 @@
+import { auth } from "auth"
+import { NextResponse } from "next/server"
+
+export const GET = auth(function GET(req) {
+  if (req.auth) {
+    return NextResponse.json(req.auth)
+  }
+
+  return NextResponse.json({ message: "Not authenticated" }, { status: 401 })
+})

apps/dev/nextjs/app/server-component/page.tsx

@@ -1,6 +1,37 @@
-import { unstable_getServerSession } from "next-auth/next"
+import { auth } from "auth"
+import { cookies, headers } from "next/headers"
+
+function SignIn({ id, children }: any) {
+  const $cookies = cookies()
+  const csrfToken = $cookies.get("next-auth.csrf-token")?.value.split("|")[0]
+  return (
+    <form action={`/api/auth/signin/${id}`} method="post">
+      <button type="submit">{children}</button>
+      <input type="hidden" name="csrfToken" value={csrfToken} />
+    </form>
+  )
+}
+
+function SignOut({ children }: any) {
+  const $cookies = cookies()
+  const csrfToken = $cookies.get("next-auth.csrf-token")?.value.split("|")[0]
+  return (
+    <form action="/api/auth/signout" method="post">
+      <button type="submit">{children}</button>
+      <input type="hidden" name="csrfToken" value={csrfToken} />
+    </form>
+  )
+}
 
 export default async function Page() {
-  const session = await unstable_getServerSession()
-  return <pre>{JSON.stringify(session, null, 2)}</pre>
+  const session = await auth(headers())
+  if (session) {
+    return (
+      <>
+        <pre>{JSON.stringify(session, null, 2)}</pre>
+        <SignOut>Sign out</SignOut>
+      </>
+    )
+  }
+  return <SignIn id="github">Sign in with github</SignIn>
 }

apps/dev/nextjs/auth.ts

@@ -0,0 +1,21 @@
+import { NextAuth } from "next-auth"
+import GitHub from "@auth/core/providers/github"
+
+export const { handlers, auth } = NextAuth({
+  providers: [GitHub],
+  callbacks: {
+    async authorized({ request, auth }) {
+      // if (request.method === "POST") {
+      // const [, token] = request.headers.get("Authorization")?.split(" ")
+      // const valid = validateToken(token)
+      // // If the request has a valid auth token, it is authorized
+      // if (valid) return true
+      // return NextResponse.json("Invalid auth token", { status: 401 })
+      // }
+
+      // Logged in users are authorized, otherwise, will redirect to login
+      // You could also return a custom redirect instead of the sign-in page
+      return !!auth
+    },
+  },
+})

apps/dev/nextjs/components/footer.js

@@ -1,6 +1,6 @@
 import Link from "next/link"
 import styles from "./footer.module.css"
-import packageJSON from "package.json"
+import packageJSON from "next-auth/package.json"
 
 export default function Footer() {
   return (

apps/dev/nextjs/components/header.js

@@ -76,12 +76,6 @@ export default function Header() {
           <li className={styles.navItem}>
             <Link href="/middleware-protected">Middleware protected</Link>
           </li>
-          <li className={styles.navItem}>
-            <Link href="/supabase-client-rls">Supabase RLS</Link>
-          </li>
-          <li className={styles.navItem}>
-            <Link href="/supabase-ssr">Supabase RLS(SSR)</Link>
-          </li>
         </ul>
       </nav>
     </header>

apps/dev/nextjs/middleware.ts

@@ -1,45 +1,10 @@
-export { default } from "next-auth/middleware"
+// export { auth as default } from "auth"
+import { auth } from "auth"
+import { NextResponse } from "next/server"
+
+export default auth((req) => {
+  if (req.auth) return NextResponse.json(req.auth)
+  return NextResponse.json("Not authorized", { status: 401 })
+})
 
 export const config = { matcher: ["/middleware-protected"] }
-
-// Other ways to use this middleware
-
-// import withAuth from "next-auth/middleware"
-// import { withAuth } from "next-auth/middleware"
-
-// export function middleware(req, ev) {
-//   return withAuth(req)
-// }
-
-// export function middleware(req, ev) {
-//   return withAuth(req, ev)
-// }
-
-// export function middleware(req, ev) {
-//   return withAuth(req, {
-//     callbacks: {
-//       authorized: ({ token }) => !!token,
-//     },
-//   })
-// }
-
-// export default withAuth(function middleware(req, ev) {
-//   console.log(req.nextauth.token)
-// })
-
-// export default withAuth(
-//   function middleware(req, ev) {
-//     console.log(req, ev)
-//   },
-//   {
-//     callbacks: {
-//       authorized: ({ token }) => token.name === "Balázs Orbán",
-//     },
-//   }
-// )
-
-// export default withAuth({
-//   callbacks: {
-//     authorized: ({ token }) => !!token,
-//   },
-// })

apps/dev/nextjs/package.json

@@ -15,6 +15,7 @@
   "license": "ISC",
   "dependencies": {
     "@auth/core": "workspace:*",
+    "next-auth": "workspace:*",
     "@next-auth/fauna-adapter": "workspace:*",
     "@next-auth/prisma-adapter": "workspace:*",
     "@next-auth/supabase-adapter": "workspace:*",
@@ -22,7 +23,7 @@
     "@prisma/client": "^3",
     "@supabase/supabase-js": "^2.0.5",
     "faunadb": "^4",
-    "next": "13.3.0",
+    "next": "13.3.2-canary.12",
     "next-auth": "workspace:*",
     "nodemailer": "^6",
     "react": "^18",

apps/dev/nextjs/pages/api/auth-old/[...nextauth].ts

@@ -94,7 +94,11 @@ export const authConfig: AuthConfig = {
       tenantId: process.env.AZURE_AD_TENANT_ID,
     }),
     AzureB2C({ clientId: process.env.AZURE_B2C_ID, clientSecret: process.env.AZURE_B2C_SECRET, issuer: process.env.AZURE_B2C_ISSUER }),
-    BeyondIdentity({ clientId: process.env.BEYOND_IDENTITY_CLIENT_ID, clientSecret: process.env.BEYOND_IDENTITY_CLIENT_SECRET, issuer: process.env.BEYOND_IDENTITY_ISSUER }),
+    BeyondIdentity({
+      clientId: process.env.BEYOND_IDENTITY_CLIENT_ID,
+      clientSecret: process.env.BEYOND_IDENTITY_CLIENT_SECRET,
+      issuer: process.env.BEYOND_IDENTITY_ISSUER,
+    }),
     BoxyHQSAML({ issuer: "https://jackson-demo.boxyhq.com", clientId: "tenant=boxyhq.com&product=saml-demo.boxyhq.com", clientSecret: "dummy" }),
     // Cognito({ clientId: process.env.COGNITO_ID, clientSecret: process.env.COGNITO_SECRET, issuer: process.env.COGNITO_ISSUER }),
     Discord({ clientId: process.env.DISCORD_ID, clientSecret: process.env.DISCORD_SECRET }),
@@ -156,4 +160,4 @@ function AuthHandler(...args: any[]) {
 
 export default AuthHandler(authConfig)
 
-export const config = { runtime: "experimental-edge" }
+export const config = { runtime: "edge" }

apps/dev/nextjs/pages/api/examples/protected.ts

@@ -1,9 +1,9 @@
 // This is an example of to protect an API route
-import { unstable_getServerSession } from "next-auth/next"
-import { authOptions } from "../auth/[...nextauth]"
+import { authConfig } from "../auth-old/[...nextauth]"
+import { getServerSession } from "next-auth/next"
 
 export default async (req, res) => {
-  const session = await unstable_getServerSession(req, res, authOptions)
+  const session = await getServerSession(req, res, authConfig as any)
 
   if (session) {
     res.send({

apps/dev/nextjs/pages/api/examples/session.js

@@ -1,8 +0,0 @@
-// This is an example of how to access a session from an API route
-import { unstable_getServerSession } from "next-auth/next"
-import { authOptions } from "../auth/[...nextauth]"
-
-export default async (req, res) => {
-  const session = await unstable_getServerSession(req, res, authOptions)
-  res.json(session)
-}

apps/dev/nextjs/pages/api/examples/session.ts

@@ -0,0 +1,8 @@
+import { authConfig } from "../auth-old/[...nextauth]"
+// This is an example of how to access a session from an API route
+import { getServerSession } from "next-auth/next"
+
+export default async (req, res) => {
+  const session = await getServerSession(req, res, authConfig as any)
+  res.json(session)
+}

apps/dev/nextjs/pages/api/examples/supabase-rls.js

@@ -1,30 +0,0 @@
-// This is an example of how to query data from Supabase with RLS.
-// Learn more about Row Levele Security (RLS): https://supabase.com/docs/guides/auth/row-level-security
-import { unstable_getServerSession } from "next-auth/next"
-import { authOptions } from "../auth/[...nextauth]"
-import { createClient } from "@supabase/supabase-js"
-
-export default async (req, res) => {
-  const session = await unstable_getServerSession(req, res, authOptions)
-
-  if (!session)
-    return res.send(JSON.stringify({ error: "No session!" }, null, 2))
-
-  const { supabaseAccessToken } = session
-
-  const supabase = createClient(
-    process.env.NEXT_PUBLIC_SUPABASE_URL,
-    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY,
-    {
-      global: {
-        headers: {
-          Authorization: `Bearer ${supabaseAccessToken}`,
-        },
-      },
-    }
-  )
-  // Now you can query with RLS enabled.
-  const { data, error } = await supabase.from("users").select("*")
-
-  res.send(JSON.stringify({ supabaseAccessToken, data, error }, null, 2))
-}

apps/dev/nextjs/pages/protected-ssr.js

@@ -1,6 +1,6 @@
 // This is an example of how to protect content using server rendering
-import { unstable_getServerSession } from "next-auth/next"
-import { authOptions } from "./api/auth/[...nextauth]"
+import { getServerSession } from "next-auth/next"
+import { authConfig } from "./api/auth-old/[...nextauth]"
 import Layout from "../components/layout"
 import AccessDenied from "../components/access-denied"
 
@@ -26,11 +26,7 @@ export default function Page({ content, session }) {
 }
 
 export async function getServerSideProps(context) {
-  const session = await unstable_getServerSession(
-    context.req,
-    context.res,
-    authOptions
-  )
+  const session = await getServerSession(context.req, context.res, authConfig)
   let content = null
 
   if (session) {

apps/dev/nextjs/pages/server.js

@@ -1,6 +1,6 @@
-import { unstable_getServerSession } from "next-auth/next"
+import { getServerSession } from "next-auth/next"
 import Layout from "../components/layout"
-import { authOptions } from "./api/auth/[...nextauth]"
+import { authConfig } from "./api/auth-old/[...nextauth]"
 
 export default function Page() {
   // As this page uses Server Side Rendering, the `session` will be already
@@ -12,11 +12,11 @@ export default function Page() {
     <Layout>
       <h1>Server Side Rendering</h1>
       <p>
-        This page uses the <strong>unstable_getServerSession()</strong> method
-        in <strong>getServerSideProps()</strong>.
+        This page uses the <strong>getServerSession()</strong> method in{" "}
+        <strong>getServerSideProps()</strong>.
       </p>
       <p>
-        Using <strong>unstable_getServerSession()</strong> in{" "}
+        Using <strong>getServerSession()</strong> in{" "}
         <strong>getServerSideProps()</strong> is currently the recommended
         approach, although the API may still change, if you need to support
         Server Side Rendering with authentication.
@@ -40,11 +40,7 @@ export default function Page() {
 export async function getServerSideProps(context) {
   return {
     props: {
-      session: await unstable_getServerSession(
-        context.req,
-        context.res,
-        authOptions
-      ),
+      session: await getServerSession(context.req, context.res, authConfig),
     },
   }
 }

apps/dev/nextjs/pages/supabase-client-rls.js

@@ -1,48 +0,0 @@
-import Layout from "../components/layout"
-import { useState, useEffect } from "react"
-import { useSession } from "next-auth/react"
-import { createClient } from "@supabase/supabase-js"
-
-export default function Page() {
-  const { data: session } = useSession()
-  const [data, setData] = useState(null)
-
-  useEffect(() => {
-    if (session) {
-      // User is logged in, let's fetch their data.
-      const { supabaseAccessToken } = session
-      const supabase = createClient(
-        process.env.NEXT_PUBLIC_SUPABASE_URL,
-        process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY,
-        {
-          global: {
-            headers: { Authorization: `Bearer ${supabaseAccessToken}` },
-          },
-        }
-      )
-      // Fetch data with RLS enabled.
-      supabase
-        .from("users")
-        .select("*")
-        .then(({ data }) => setData(data))
-    }
-  }, [session])
-
-  return (
-    <Layout>
-      <h1>Fetch Data from Supabase with RLS</h1>
-      <h2>Client-side data fetching with RLS:</h2>
-      <pre>{JSON.stringify(data, null, 2)}</pre>
-      <h2>API Example</h2>
-      <p>
-        You can also use Supabase in API routes. See the code in the
-        `/pages/api/examples/supabase-rls.js` file.
-      </p>
-      <p>
-        <em>You must be signed in to see responses.</em>
-      </p>
-      <p>/api/examples/supabase-rls</p>
-      <iframe src="/api/examples/supabase-rls" />
-    </Layout>
-  )
-}

apps/dev/nextjs/pages/supabase-ssr.js

@@ -1,68 +0,0 @@
-// This is an example of how to protect content using server rendering
-// and fetching data from Supabase with RLS enabled.
-import { unstable_getServerSession } from "next-auth/next"
-import { authOptions } from "./api/auth/[...nextauth]"
-import { createClient } from "@supabase/supabase-js"
-import Layout from "../components/layout"
-import AccessDenied from "../components/access-denied"
-
-export default function Page({ data, session }) {
-  // If no session exists, display access denied message
-  if (!session) {
-    return (
-      <Layout>
-        <AccessDenied />
-      </Layout>
-    )
-  }
-
-  // If session exists, display content
-  return (
-    <Layout>
-      <h1>Protected Page</h1>
-      <p>Data fetched during SSR from Supabase with RSL enabled:</p>
-      <pre>{JSON.stringify(data, null, 2)}</pre>
-    </Layout>
-  )
-}
-
-export async function getServerSideProps(context) {
-  const session = await unstable_getServerSession(
-    context.req,
-    context.res,
-    authOptions
-  )
-
-  if (!session)
-    return {
-      props: {
-        session,
-        data: null,
-        error: "No session",
-      },
-    }
-
-  const { supabaseAccessToken } = session
-
-  const supabase = createClient(
-    process.env.NEXT_PUBLIC_SUPABASE_URL,
-    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY,
-    {
-      global: {
-        headers: {
-          Authorization: `Bearer ${supabaseAccessToken}`,
-        },
-      },
-    }
-  )
-  // Now you can query with RLS enabled.
-  const { data, error } = await supabase.from("users").select("*")
-
-  return {
-    props: {
-      session,
-      data,
-      error,
-    },
-  }
-}

apps/dev/nextjs/types/nextauth.d.ts

@@ -18,3 +18,12 @@ declare module "next-auth" {
     foo: string
   }
 }
+
+
+declare global {
+  namespace NodeJS {
+    interface ProcessEnv {
+      [key: string]: string;
+    }
+  }
+}

apps/examples/nextjs/.env.local.example

@@ -1,5 +1,5 @@
 NEXTAUTH_URL=http://localhost:3000
-NEXTAUTH_SECRET= # Linux: `openssl rand -hex 32` or go to https://generate-secret.now.sh/32
+NEXTAUTH_SECRET= # Linux: `openssl rand -hex 32` or go to https://generate-secret.vercel.app/32
 
 
 AUTH0_ID=

apps/examples/nextjs/README.md

@@ -8,7 +8,7 @@
    <a href="https://nextjs.org" target="_blank">
    <img height="64" src="https://nextjs.org/static/favicon/android-chrome-192x192.png" />
    </a>
-   <h3 align="center"><b>NextAuth.js</b> - Example App</h3>
+   <h3 align="center"><b>next-auth</b> - Example App</h3>
    <p align="center">
    Open Source. Full Stack. Own Your Data.
    </p>
@@ -36,7 +36,7 @@ This is an example application that shows how `next-auth` is applied to a basic
 
 The deployed version can be found at [`next-auth-example.vercel.app`](https://next-auth-example.vercel.app)
 
-Go to [next-auth.js.org](https://next-auth.js.org) for more information and documentation.
+Go to [authjs.dev](https://authjs.dev) for more information and documentation.
 
 ## Getting Started
 
@@ -66,7 +66,7 @@ You **can** skip configuring a database and come back to it later if you want.
 
 For more information about setting up a database, please check out the following links:
 
-- Docs: [next-auth.js.org/adapters/overview](https://next-auth.js.org/adapters/overview)
+- Docs: [authjs.dev/reference/adapters](https://authjs.dev/reference/adapters)
 
 ### 3. Configure Authentication Providers
 
@@ -76,7 +76,7 @@ For more information about setting up a database, please check out the following
 
 e.g. For Google OAuth you would use: `http://localhost:3000/api/auth/callback/google`
 
-A list of configured providers and their callback URLs is available from the endpoint `/api/auth/providers`. You can find more information at https://next-auth.js.org/configuration/providers/oauth
+A list of configured providers and their callback URLs is available from the endpoint `/api/auth/providers`. You can find more information at [authjs.dev/getting-started/oauth-tutorial](https://authjs.dev/getting-started/oauth-tutorial)
 
 3. You can also choose to specify an SMTP server for passwordless sign in via email.
 
@@ -106,4 +106,4 @@ Follow the [Deployment documentation](https://authjs.dev/guides/basics/deploymen
 <a href="https://vercel.com?utm_source=nextauthjs&utm_campaign=oss">
 <img width="170px" src="https://raw.githubusercontent.com/nextauthjs/next-auth/main/docs/static/img/powered-by-vercel.svg" alt="Powered By Vercel" />
 </a>
-<p align="left">Thanks to Vercel sponsoring this project by allowing it to be deployed for free for the entire Auth.js Team</p>
+<p align="left">Thanks to Vercel sponsoring this project by allowing it to be deployed for free for the entire Auth.js Team</p>

apps/examples/nextjs/app/api/auth/[...nextauth]/route.ts

@@ -0,0 +1,3 @@
+import { handlers } from "auth"
+export const { GET, POST } = handlers
+export const runtime = "edge"

apps/examples/nextjs/app/api/protected/route.ts

@@ -0,0 +1,10 @@
+import { auth } from "auth"
+import { NextResponse } from "next/server"
+
+export const GET = auth(function GET(req) {
+  if (req.auth) {
+    return NextResponse.json(req.auth)
+  }
+
+  return NextResponse.json({ message: "Not authenticated" }, { status: 401 })
+})

apps/examples/nextjs/app/client/page.tsx

@@ -1,15 +1,13 @@
-import Layout from "../components/layout"
-
-export default function ClientPage() {
+export default function Page() {
   return (
-    <Layout>
+    <>
       <h1>Client Side Rendering</h1>
       <p>
         This page uses the <strong>useSession()</strong> React Hook in the{" "}
-        <strong>&lt;Header/&gt;</strong> component.
+        <strong>&lt;/Header&gt;</strong> component.
       </p>
       <p>
-        The <strong>useSession()</strong> React Hook is easy to use and allows
+        The <strong>useSession()</strong> React Hook easy to use and allows
         pages to render very quickly.
       </p>
       <p>
@@ -22,6 +20,6 @@ export default function ClientPage() {
         The disadvantage of <strong>useSession()</strong> is that it requires
         client side JavaScript.
       </p>
-    </Layout>
+    </>
   )
 }

apps/examples/nextjs/app/layout.tsx

@@ -0,0 +1,24 @@
+import Header from "components/header"
+import Footer from "components/footer"
+import './styles.css'
+
+export default function RootLayout({
+  children,
+}: {
+  children: React.ReactNode
+}) {
+  return (
+    <html>
+      <head></head>
+      <body>
+        <Header />
+        <main>
+          {children}
+        </main>
+        <Footer />
+      </body>
+    </html>
+  )
+}
+
+export const runtime = "experimental-edge"

apps/examples/nextjs/app/page.tsx

@@ -0,0 +1,13 @@
+export default function Page() {
+  return (
+    <>
+      <h1>NextAuth.js Example</h1>
+      <p>
+        This is an example site to demonstrate how to use{" "}
+        <a href="https://authjs.dev">NextAuth.js</a> for authentication.
+      </p>
+    </>
+  )
+}
+
+export const runtime = "experimental-edge"

apps/examples/nextjs/app/server-component/page.tsx

@@ -0,0 +1,39 @@
+import { auth } from "auth"
+import { cookies, headers } from "next/headers"
+
+function SignIn({ id, children, className }: any) {
+  const $cookies = cookies()
+  const csrfToken = $cookies.get("next-auth.csrf-token")?.value.split("|")[0]
+  return (
+    <form action={`/api/auth/signin/${id}`} method="post">
+      <button className={className} type="submit">{children}</button>
+      <input type="hidden" name="csrfToken" value={csrfToken} />
+    </form>
+  )
+}
+
+function SignOut({ children }: any) {
+  const $cookies = cookies()
+  const csrfToken = $cookies.get("next-auth.csrf-token")?.value.split("|")[0]
+  return (
+    <form action="/api/auth/signout" method="post">
+      <button type="submit">{children}</button>
+      <input type="hidden" name="csrfToken" value={csrfToken} />
+    </form>
+  )
+}
+
+export default async function Page() {
+  const session = await auth(headers())
+  if (session) {
+    return (
+      <>
+        <pre>{JSON.stringify(session, null, 2)}</pre>
+        <SignOut>Sign out</SignOut>
+      </>
+    )
+  }
+  return <SignIn id="github">Sign in with github</SignIn>
+}
+
+export const runtime = "experimental-edge"

apps/examples/nextjs/app/styles.css

@@ -1,4 +1,5 @@
 body {
+  color: red;
   font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont,
     "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif,
     "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
@@ -6,7 +7,7 @@ body {
   max-width: 680px;
   margin: 0 auto;
   background: #fff;
-  color: #333;
+  color: var(--color-text);
 }
 
 li,

apps/examples/nextjs/auth.ts

@@ -0,0 +1,21 @@
+import NextAuth from "next-auth"
+import GitHub from "@auth/core/providers/github"
+
+export const { handlers, auth } = NextAuth({
+  providers: [GitHub],
+  callbacks: {
+    async authorized({ request, auth }) {
+      // if (request.method === "POST") {
+      // const [, token] = request.headers.get("Authorization")?.split(" ")
+      // const valid = validateToken(token)
+      // // If the request has a valid auth token, it is authorized
+      // if (valid) return true
+      // return NextResponse.json("Invalid auth token", { status: 401 })
+      // }
+
+      // Logged in users are authorized, otherwise, will redirect to login
+      // You could also return a custom redirect instead of the sign-in page
+      return !!auth
+    },
+  },
+})

apps/examples/nextjs/components/footer.tsx

@@ -1,6 +1,6 @@
 import Link from "next/link"
 import styles from "./footer.module.css"
-import packageJSON from "../package.json"
+import packageJSON from "next-auth/package.json"
 
 export default function Footer() {
   return (
@@ -8,10 +8,10 @@ export default function Footer() {
       <hr />
       <ul className={styles.navItems}>
         <li className={styles.navItem}>
-          <a href="https://next-auth.js.org">Documentation</a>
+          <a href="https://authjs.dev">Documentation</a>
         </li>
         <li className={styles.navItem}>
-          <a href="https://www.npmjs.com/package/next-auth">NPM</a>
+          <a href="https://www.npmjs.com/package/@auth/core">NPM</a>
         </li>
         <li className={styles.navItem}>
           <a href="https://github.com/nextauthjs/next-auth-example">GitHub</a>
@@ -20,7 +20,7 @@ export default function Footer() {
           <Link href="/policy">Policy</Link>
         </li>
         <li className={styles.navItem}>
-          <em>next-auth@{packageJSON.dependencies["next-auth"]}</em>
+          <em>{packageJSON.version}</em>
         </li>
       </ul>
     </footer>

apps/examples/nextjs/components/header.module.css

@@ -1,5 +1,6 @@
 /* Set min-height to avoid page reflow while session loading */
 .signedInStatus {
+  position: relative;
   display: block;
   min-height: 4rem;
   width: 100%;

apps/examples/nextjs/components/header.tsx

@@ -1,65 +1,63 @@
 import Link from "next/link"
-import { signIn, signOut, useSession } from "next-auth/react"
+import { auth } from "auth"
+import { cookies, headers } from "next/headers"
 import styles from "./header.module.css"
 
-// The approach used in this component shows how to build a sign in and sign out
+function SignIn({ id, children, className }: any) {
+  const $cookies = cookies()
+  const csrfToken = $cookies.get("next-auth.csrf-token")?.value.split("|")[0]
+  return (
+    <form action={`/api/auth/signin/${id}`} method="post">
+      <button className={className} type="submit">{children}</button>
+      <input type="hidden" name="csrfToken" value={csrfToken} />
+    </form>
+  )
+}
+
+function SignOut({ children, className }: any) {
+  const $cookies = cookies()
+  const csrfToken = $cookies.get("next-auth.csrf-token")?.value.split("|")[0]
+  return (
+    <form action="/api/auth/signout" method="post">
+      <button className={className} type="submit">{children}</button>
+      <input type="hidden" name="csrfToken" value={csrfToken} />
+    </form>
+  )
+}
+
+// The approach used in this component shows how to built a sign in and sign out
 // component that works on pages which support both client and server side
 // rendering, and avoids any flash incorrect content on initial page load.
-export default function Header() {
-  const { data: session, status } = useSession()
-  const loading = status === "loading"
+export default async function Header() {
+  const session = await auth(headers())
 
   return (
     <header>
       <noscript>
-        <style>{`.nojs-show { opacity: 1; top: 0; }`}</style>
+        <style>{".nojs-show { opacity: 1; top: 0; }"}</style>
       </noscript>
       <div className={styles.signedInStatus}>
-        <p
-          className={`nojs-show ${
-            !session && loading ? styles.loading : styles.loaded
-          }`}
-        >
+        <p className={`nojs-show ${styles.loaded}`}>
           {!session && (
             <>
               <span className={styles.notSignedInText}>
                 You are not signed in
               </span>
-              <a
-                href={`/api/auth/signin`}
-                className={styles.buttonPrimary}
-                onClick={(e) => {
-                  e.preventDefault()
-                  signIn()
-                }}
-              >
-                Sign in
-              </a>
+              <SignIn className={styles.buttonPrimary}>Sign In</SignIn>
             </>
           )}
-          {session?.user && (
+          {session && (
             <>
               {session.user.image && (
-                <span
-                  style={{ backgroundImage: `url('${session.user.image}')` }}
-                  className={styles.avatar}
-                />
+                <img src={session.user.image} className={styles.avatar} />
               )}
               <span className={styles.signedInText}>
                 <small>Signed in as</small>
                 <br />
-                <strong>{session.user.email ?? session.user.name}</strong>
+                <strong>{session.user.email} </strong>
+                {session.user.name ? `(${session.user.name})` : null}
               </span>
-              <a
-                href={`/api/auth/signout`}
-                className={styles.button}
-                onClick={(e) => {
-                  e.preventDefault()
-                  signOut()
-                }}
-              >
-                Sign out
-              </a>
+              <SignOut className={styles.button}>Sign Out</SignOut>
             </>
           )}
         </p>
@@ -73,7 +71,7 @@ export default function Header() {
             <Link href="/client">Client</Link>
           </li>
           <li className={styles.navItem}>
-            <Link href="/server">Server</Link>
+            <Link href="/server-component">Server</Link>
           </li>
           <li className={styles.navItem}>
             <Link href="/protected">Protected</Link>
@@ -82,13 +80,12 @@ export default function Header() {
             <Link href="/api-example">API</Link>
           </li>
           <li className={styles.navItem}>
-            <Link href="/admin">Admin</Link>
-          </li>
-          <li className={styles.navItem}>
-            <Link href="/me">Me</Link>
+            <Link href="/middleware-protected">Middleware protected</Link>
           </li>
         </ul>
       </nav>
     </header>
   )
 }
+
+export const runtime = "experimental-edge"

apps/examples/nextjs/components/layout.tsx

@@ -1,13 +0,0 @@
-import Header from "./header"
-import Footer from "./footer"
-import type { ReactNode } from "react"
-
-export default function Layout({ children }: { children: ReactNode }) {
-  return (
-    <>
-      <Header />
-      <main>{children}</main>
-      <Footer />
-    </>
-  )
-}

apps/examples/nextjs/middleware.ts

@@ -1,17 +1,10 @@
-import { withAuth } from "next-auth/middleware"
+// export { auth as default } from "auth"
+import { auth } from "auth"
+import { NextResponse } from "next/server"
 
-// More on how NextAuth.js middleware works: https://next-auth.js.org/configuration/nextjs#middleware
-export default withAuth({
-  callbacks: {
-    authorized({ req, token }) {
-      // `/admin` requires admin role
-      if (req.nextUrl.pathname === "/admin") {
-        return token?.userRole === "admin"
-      }
-      // `/me` only requires the user to be logged in
-      return !!token
-    },
-  },
+export default auth((req) => {
+  if (req.auth) return NextResponse.json(req.auth)
+  return NextResponse.json("Not authorized", { status: 401 })
 })
 
-export const config = { matcher: ["/admin", "/me"] }
+export const config = { matcher: ["/middleware-protected"] }

apps/examples/nextjs/next-auth.d.ts

@@ -1,10 +0,0 @@
-import "next-auth/jwt"
-
-// Read more at: https://next-auth.js.org/getting-started/typescript#module-augmentation
-
-declare module "next-auth/jwt" {
-  interface JWT {
-    /** The user's role. */
-    userRole?: "admin"
-  }
-}

apps/examples/nextjs/next.config.js

@@ -0,0 +1,9 @@
+/** @type {import("next").NextConfig} */
+module.exports = {
+  webpack(config) {
+    config.experiments = { ...config.experiments, topLevelAwait: true }
+    return config
+  },
+  experimental: { appDir: true },
+  typescript: { ignoreBuildErrors: true },
+}

apps/examples/nextjs/package.json

@@ -1,5 +1,6 @@
 {
   "private": true,
+  "name": "nextjs-example-app",
   "description": "An example project for NextAuth.js with Next.js",
   "repository": "https://github.com/nextauthjs/next-auth-example.git",
   "bugs": {
@@ -18,8 +19,9 @@
     "Lluis Agusti <hi@llu.lu>"
   ],
   "dependencies": {
+    "@auth/core": "workspace:*",
     "next": "latest",
-    "next-auth": "latest",
+    "next-auth": "workspace:*",
     "react": "^18.2.0",
     "react-dom": "^18.2.0"
   },

apps/examples/nextjs/pages/_app.tsx

@@ -1,18 +0,0 @@
-import { SessionProvider } from "next-auth/react"
-import "./styles.css"
-
-import type { AppProps } from "next/app"
-import type { Session } from "next-auth"
-
-// Use of the <SessionProvider> is mandatory to allow components that call
-// `useSession()` anywhere in your application to access the `session` object.
-export default function App({
-  Component,
-  pageProps: { session, ...pageProps },
-}: AppProps<{ session: Session }>) {
-  return (
-    <SessionProvider session={session}>
-      <Component {...pageProps} />
-    </SessionProvider>
-  )
-}

apps/examples/nextjs/pages/admin.tsx

@@ -1,17 +0,0 @@
-import Layout from "../components/layout"
-
-export default function Page() {
-  return (
-    <Layout>
-      <h1>This page is protected by Middleware</h1>
-      <p>Only admin users can see this page.</p>
-      <p>
-        To learn more about the NextAuth middleware see&nbsp;
-        <a href="https://docs-git-misc-docs-nextauthjs.vercel.app/configuration/nextjs#middleware">
-          the docs
-        </a>
-        .
-      </p>
-    </Layout>
-  )
-}

apps/examples/nextjs/pages/api-example.tsx

@@ -1,19 +0,0 @@
-import Layout from "../components/layout"
-
-export default function ApiExamplePage() {
-  return (
-    <Layout>
-      <h1>API Example</h1>
-      <p>The examples below show responses from the example API endpoints.</p>
-      <p>
-        <em>You must be signed in to see responses.</em>
-      </p>
-      <h2>Session</h2>
-      <p>/api/examples/session</p>
-      <iframe src="/api/examples/session" />
-      <h2>JSON Web Token</h2>
-      <p>/api/examples/jwt</p>
-      <iframe src="/api/examples/jwt" />
-    </Layout>
-  )
-}

apps/examples/nextjs/pages/api/auth/[...nextauth].ts

@@ -1,44 +0,0 @@
-import NextAuth, { NextAuthOptions } from "next-auth"
-import GoogleProvider from "next-auth/providers/google"
-import FacebookProvider from "next-auth/providers/facebook"
-import GithubProvider from "next-auth/providers/github"
-import TwitterProvider from "next-auth/providers/twitter"
-import Auth0Provider from "next-auth/providers/auth0"
-
-// For more information on each option (and a full list of options) go to
-// https://next-auth.js.org/configuration/options
-export const authOptions: NextAuthOptions = {
-  // https://next-auth.js.org/configuration/providers/oauth
-  providers: [
-    Auth0Provider({
-      clientId: process.env.AUTH0_ID,
-      clientSecret: process.env.AUTH0_SECRET,
-      issuer: process.env.AUTH0_ISSUER,
-    }),
-    FacebookProvider({
-      clientId: process.env.FACEBOOK_ID,
-      clientSecret: process.env.FACEBOOK_SECRET,
-    }),
-    GithubProvider({
-      clientId: process.env.GITHUB_ID,
-      clientSecret: process.env.GITHUB_SECRET,
-    }),
-    GoogleProvider({
-      clientId: process.env.GOOGLE_ID,
-      clientSecret: process.env.GOOGLE_SECRET,
-    }),
-    TwitterProvider({
-      clientId: process.env.TWITTER_ID,
-      clientSecret: process.env.TWITTER_SECRET,
-      version: "2.0",
-    }),
-  ],
-  callbacks: {
-    async jwt({ token }) {
-      token.userRole = "admin"
-      return token
-    },
-  },
-}
-
-export default NextAuth(authOptions)

apps/examples/nextjs/pages/api/examples/jwt.ts

@@ -1,14 +0,0 @@
-// This is an example of how to read a JSON Web Token from an API route
-import { getToken } from "next-auth/jwt"
-
-import type { NextApiRequest, NextApiResponse } from "next"
-
-export default async function handler(
-  req: NextApiRequest,
-  res: NextApiResponse
-) {
-  // If you don't have the NEXTAUTH_SECRET environment variable set,
-  // you will have to pass your secret as `secret` to `getToken`
-  const token = await getToken({ req })
-  res.send(JSON.stringify(token, null, 2))
-}

apps/examples/nextjs/pages/api/examples/protected.ts

@@ -1,23 +0,0 @@
-// This is an example of to protect an API route
-import { getServerSession } from "next-auth/next"
-import { authOptions } from "../auth/[...nextauth]"
-
-import type { NextApiRequest, NextApiResponse } from "next"
-
-export default async function handler(
-  req: NextApiRequest,
-  res: NextApiResponse
-) {
-  const session = await getServerSession(req, res, authOptions)
-
-  if (session) {
-    return res.send({
-      content:
-        "This is protected content. You can access this content because you are signed in.",
-    })
-  }
-
-  res.send({
-    error: "You must be signed in to view the protected content on this page.",
-  })
-}

apps/examples/nextjs/pages/api/examples/session.ts

@@ -1,13 +0,0 @@
-// This is an example of how to access a session from an API route
-import { getServerSession } from "next-auth"
-import { authOptions } from "../auth/[...nextauth]"
-
-import type { NextApiRequest, NextApiResponse } from "next"
-
-export default async function handler(
-  req: NextApiRequest,
-  res: NextApiResponse
-) {
-  const session = await getServerSession(req, res, authOptions)
-  res.send(JSON.stringify(session, null, 2))
-}

apps/examples/nextjs/pages/index.tsx

@@ -1,13 +0,0 @@
-import Layout from "../components/layout"
-
-export default function IndexPage() {
-  return (
-    <Layout>
-      <h1>NextAuth.js Example</h1>
-      <p>
-        This is an example site to demonstrate how to use{" "}
-        <a href="https://next-auth.js.org">NextAuth.js</a> for authentication.
-      </p>
-    </Layout>
-  )
-}

apps/examples/nextjs/pages/me.tsx

@@ -1,12 +0,0 @@
-import { useSession } from "next-auth/react"
-import Layout from "../components/layout"
-
-export default function MePage() {
-  const { data } = useSession()
-
-  return (
-    <Layout>
-      <pre>{JSON.stringify(data, null, 2)}</pre>
-    </Layout>
-  )
-}

apps/examples/nextjs/pages/policy.tsx

@@ -1,32 +0,0 @@
-import Layout from "../components/layout"
-
-export default function PolicyPage() {
-  return (
-    <Layout>
-      <p>
-        This is an example site to demonstrate how to use{" "}
-        <a href="https://next-auth.js.org">NextAuth.js</a> for authentication.
-      </p>
-      <h2>Terms of Service</h2>
-      <p>
-        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
-        OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-        MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
-        IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
-        CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
-        TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
-        SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-      </p>
-      <h2>Privacy Policy</h2>
-      <p>
-        This site uses JSON Web Tokens and an in-memory database which resets
-        every ~2 hours.
-      </p>
-      <p>
-        Data provided to this site is exclusively used to support signing in and
-        is not passed to any third party services, other than via SMTP or OAuth
-        for the purposes of authentication.
-      </p>
-    </Layout>
-  )
-}

apps/examples/nextjs/pages/protected.tsx

@@ -1,40 +0,0 @@
-import { useState, useEffect } from "react"
-import { useSession } from "next-auth/react"
-import Layout from "../components/layout"
-import AccessDenied from "../components/access-denied"
-
-export default function ProtectedPage() {
-  const { data: session } = useSession()
-  const [content, setContent] = useState()
-
-  // Fetch content from protected route
-  useEffect(() => {
-    const fetchData = async () => {
-      const res = await fetch("/api/examples/protected")
-      const json = await res.json()
-      if (json.content) {
-        setContent(json.content)
-      }
-    }
-    fetchData()
-  }, [session])
-
-  // If no session exists, display access denied message
-  if (!session) {
-    return (
-      <Layout>
-        <AccessDenied />
-      </Layout>
-    )
-  }
-
-  // If session exists, display content
-  return (
-    <Layout>
-      <h1>Protected Page</h1>
-      <p>
-        <strong>{content ?? "\u00a0"}</strong>
-      </p>
-    </Layout>
-  )
-}

apps/examples/nextjs/pages/server.tsx

@@ -1,44 +0,0 @@
-import { getServerSession } from "next-auth/next"
-import { authOptions } from "./api/auth/[...nextauth]"
-import Layout from "../components/layout"
-
-import type { GetServerSidePropsContext } from "next"
-import { useSession } from "next-auth/react"
-
-export default function ServerSidePage() {
-  const { data: session } = useSession()
-  // As this page uses Server Side Rendering, the `session` will be already
-  // populated on render without needing to go through a loading stage.
-  return (
-    <Layout>
-      <h1>Server Side Rendering</h1>
-      <p>
-        This page uses the <strong>getServerSession()</strong> method in{" "}
-        <strong>getServerSideProps()</strong>.
-      </p>
-      <p>
-        Using <strong>getServerSession()</strong> in{" "}
-        <strong>getServerSideProps()</strong> is the recommended approach if you
-        need to support Server Side Rendering with authentication.
-      </p>
-      <p>
-        The advantage of Server Side Rendering is this page does not require
-        client side JavaScript.
-      </p>
-      <p>
-        The disadvantage of Server Side Rendering is that this page is slower to
-        render.
-      </p>
-      <pre>{JSON.stringify(session, null, 2)}</pre>
-    </Layout>
-  )
-}
-
-// Export the `session` prop to use sessions with Server Side Rendering
-export async function getServerSideProps(context: GetServerSidePropsContext) {
-  return {
-    props: {
-      session: await getServerSession(context.req, context.res, authOptions),
-    },
-  }
-}

apps/examples/nextjs/tsconfig.json

@@ -1,10 +1,14 @@
 {
   "compilerOptions": {
-    "target": "es5",
-    "lib": ["dom", "dom.iterable", "esnext"],
+    "target": "esnext",
+    "lib": [
+      "dom",
+      "dom.iterable",
+      "esnext"
+    ],
     "allowJs": true,
     "skipLibCheck": true,
-    "strict": true,
+    "strict": false,
     "forceConsistentCasingInFileNames": true,
     "noEmit": true,
     "esModuleInterop": true,
@@ -12,15 +16,24 @@
     "moduleResolution": "node",
     "resolveJsonModule": true,
     "isolatedModules": true,
+    "incremental": true,
     "jsx": "preserve",
-    "incremental": true
+    "baseUrl": ".",
+    "plugins": [
+      {
+        "name": "next"
+      }
+    ],
+    "strictNullChecks": true
   },
   "include": [
-    "process.d.ts",
     "next-env.d.ts",
-    "next-auth.d.ts",
     "**/*.ts",
-    "**/*.tsx"
+    "**/*.tsx",
+    ".next/types/**/*.ts"
   ],
-  "exclude": ["node_modules"]
+  "exclude": [
+    "node_modules",
+    "jest.config.js"
+  ]
 }

docs/docs/concepts/faq.md

@@ -269,7 +269,7 @@ Ultimately if your request is not accepted or is not actively in development, yo
 </summary>
 <p>
 
-Auth.js by default uses JSON Web Tokens for saving the user's session. However, if you use a [database adapter](/guides/adapters/using-a-database-adapter), the database will be used to persist the user's session. You can force the usage of JWT when using a database [through the configuration options](/reference/configuration/auth-config#session). Since v4 all our JWT tokens are now encrypted by default with A256GCM.
+Auth.js by default uses JSON Web Tokens for saving the user's session. However, if you use a [database adapter](/guides/adapters/using-a-database-adapter), the database will be used to persist the user's session. You can force the usage of JWT when using a database [through the configuration options](/reference/configuration/auth-config#session). Since v4 all our JWTs are now encrypted by default with A256GCM.
 
 </p>
 </details>

docs/docs/getting-started/oauth-tutorial.mdx

@@ -36,10 +36,6 @@ This tutorial assumes you have a Next.js application set up. If you don't, you c
 npm install next-auth
 ```
 
-:::info
-We are working on a new `@auth/nextjs` package that will make it easier to set up Auth.js with Next.js. Stay tuned! For now, you can use the `next-auth` package.
-:::
-
 ### Creating the server config
 
 Create the following [API route](https://nextjs.org/docs/api-routes/dynamic-api-routes#catch-all-api-routes) file. This route contains the necessary configuration for NextAuth.js, as well as the dynamic route handler:
@@ -270,7 +266,7 @@ Note that, for each provider, the configuration process will be similar to what
 2. Create create your OAuth application within it
 3. Set the callback URL
 4. Get the Client ID and Generate a Client Secret
-:::
+   :::
 
 ## 3. Wiring all together
 

docs/docs/guides/basics/events.md

@@ -29,7 +29,7 @@ Sent when the user signs out.
 
 The message object will contain one of these depending on if you use JWT or database persisted sessions:
 
-- `token`: The JWT token for this session.
+- `token`: The JWT for this session.
 - `session`: The session object from your adapter that is being ended
 
 ### createUser
@@ -60,5 +60,5 @@ Sent at the end of a request for the current session.
 
 The message object will contain one of these depending on if you use JWT or database persisted sessions:
 
-- `token`: The JWT token for this session.
+- `token`: The JWT for this session.
 - `session`: The session object from your adapter.

docs/docs/reference/adapters/index.md

@@ -2,7 +2,7 @@
 title: Overview
 ---
 
-Using a Auth.js / NextAuth.js adapter you can connect to any database service or even several different services at the same time. The following listed official adapters are created and maintained by the community:
+Using an Auth.js / NextAuth.js adapter you can connect to any database service or even several different services at the same time. The following listed official adapters are created and maintained by the community:
 
 <div class="adapter-card-list">
   <a href="/reference/adapter/dgraph" class="adapter-card">
@@ -71,7 +71,7 @@ If you don't find an adapter for the database or service you use, you can always
 ## Models
 
 
-Auth.js can be used with any database. Models tell you what structures Auth.js expects from your database. Models will vary slightly depending on which adapter you use, but in general, will look something like this. Each adapter's model/schema will be slightly adapted for its needs, but will look very much like this schema below:
+Auth.js can be used with any database. Models tell you what structures Auth.js expects from your database. Models will vary slightly depending on which adapter you use, but in general, will look something like this:
 
 ```mermaid
 erDiagram
@@ -96,15 +96,8 @@ erDiagram
       string type
       string provider
       string providerAccountId
-      string refresh_token
       string access_token
-      int expires_at
-      string token_type
-      string scope
       string id_token
-      string session_state
-      string oauth_token_secret
-      string oauth_token
     }
     VerificationToken {
       string identifier
@@ -113,10 +106,10 @@ erDiagram
     }
 ```
 
-More information about each Model / Table can be found below.
+More information about each Model/Table can be found below.
 
 :::note
-You can [create your own adapter](/guides/adapters/creating-a-database-adapter) if you want to use Auth.js with a database that is not supported out of the box, or you have to change fields on any of the models.
+You can [create your adapter](/guides/adapters/creating-a-database-adapter) if you want to use Auth.js with a database that is not supported out of the box, or you have to change fields on any of the models.
 :::
 
 ---
@@ -125,30 +118,31 @@ You can [create your own adapter](/guides/adapters/creating-a-database-adapter)
 
 The User model is for information such as the user's name and email address.
 
-Email address is optional, but if one is specified for a User then it must be unique.
+Email address is optional, but if one is specified for a User, then it must be unique.
 
 :::note
-If a user first signs in with OAuth then their email address is automatically populated using the one from their OAuth profile, if the OAuth provider returns one.
+If a user first signs in with an OAuth provider, then their email address is automatically populated using the one from their OAuth profile if the OAuth provider returns one.
 
-This provides a way to contact users and for users to maintain access to their account and sign in using email in the event they are unable to sign in with the OAuth provider in future (if the [Email Provider](/getting-started/email-tutorial) is configured).
+This provides a way to contact users and for users to maintain access to their account and sign in using email in the event they are unable to sign in with the OAuth provider in the future (if the [Email Provider](/reference/core/providers_email) is configured).
 :::
 
-User creation in the database is automatic, and happens when the user is logging in for the first time with a provider. The default data saved is `id`, `name`, `email` and `image`. You can add more profile data by returning extra fields in your [OAuth provider](/guides/providers/custom-provider)'s [`profile()`](/reference/core/providers#profile) callback.
+User creation in the database is automatic and happens when the user is logging in for the first time with a provider. 
+If the first sign-in is via the [OAuth Provider](/reference/core/providers_oauth), the default data saved is `id`, `name`, `email` and `image`. You can add more profile data by returning extra fields in your [OAuth provider](/guides/providers/custom-provider)'s [`profile()`](/reference/core/providers#profile) callback.
+
+If the first sign-in is via the [Email Provider](/reference/core/providers_email), then the saved user will have `id`, `email`, `emailVerified`, where `emailVerified` is the timestamp of when the user was created.
 
 ### Account
 
-The Account model is for information about OAuth accounts associated with a User. It will usually contain `access_token`, `id_token` and other OAuth specific data. [`TokenSet`](https://github.com/panva/node-openid-client/blob/main/docs/README.md#new-tokensetinput) from `openid-client` might give you an idea of all the fields.
-
-:::note
-In case of an OAuth 1.0 provider (like Twitter), you will have to look for `oauth_token` and `oauth_token_secret` string fields. GitHub also has an extra `refresh_token_expires_in` integer field. You have to make sure that your database schema includes these fields.
-:::
+The Account model is for information about OAuth accounts associated with a User
 
 A single User can have multiple Accounts, but each Account can only have one User.
 
-Linking Accounts to Users happen automatically, only when they have the same e-mail address, and the user is currently signed in. Check the [FAQ](/concepts/faq#security) for more information why this is a requirement.
+Account creation in the database is automatic and happens when the user is logging in for the first time with a provider, or the [`Adapter.linkAccount`](/reference/core/adapters#linkaccount) method is invoked. The default data saved is `access_token`, `refresh_token`, `id_token` and `expires_at`. You can save other fields by returning them in the [OAuth provider](/guides/providers/custom-provider)'s [`account()`](/reference/core/providers#account) callback.
+
+Linking Accounts to Users happen automatically, only when they have the same e-mail address, and the user is currently signed in. Check the [FAQ](/concepts/faq#security) for more information on why this is a requirement.
 
 :::tip
-You can manually unlink accounts, if your adapter implements the `unlinkAccount` method. Make sure to take all the necessary security steps to avoid data loss.
+You can manually unlink accounts if your adapter implements the `unlinkAccount` method. Make sure to take all the necessary security steps to avoid data loss.
 :::
 
 :::note
@@ -162,7 +156,7 @@ The Session model is used for database sessions. It is not used if JSON Web Toke
 A single User can have multiple Sessions, each Session can only have one User.
 
 :::tip
-When a Session is read, we check if it's `expires` field indicates an invalid session, and delete it from the database. You can also do this clean-up periodically in the background to avoid our extra delete call to the database during an active session retrieval. This might result in a slight performance increase in a few cases.
+When a Session is read, we check if its `expires` field indicates an invalid session, and delete it from the database. You can also do this clean-up periodically in the background to avoid our extra delete call to the database during an active session retrieval. This might result in a slight performance increase in a few cases.
 :::
 
 ### Verification Token
@@ -171,7 +165,7 @@ The Verification Token model is used to store tokens for passwordless sign in.
 
 A single User can have multiple open Verification Tokens (e.g. to sign in to different devices).
 
-It has been designed to be extendable for other verification purposes in the future (e.g. 2FA / short codes).
+It has been designed to be extendable for other verification purposes in the future (e.g. 2FA / magic codes, etc.).
 
 :::note
 Auth.js makes sure that every token is usable only once, and by default has a short (1 day, can be configured by [`maxAge`](/guides/providers/email)) lifetime. If your user did not manage to finish the sign-in flow in time, they will have to start the sign-in process again.
@@ -183,8 +177,7 @@ Due to users forgetting or failing at the sign-in flow, you might end up with un
 
 ## RDBMS Naming Convention
 
-Auth.js / NextAuth.js uses `camelCase` for its own database rows, while respecting the conventional `snake_case` formatting for OAuth related values. If mixed casing is an issue for you, most adapters have a dedicated section on how to use a single naming convention.
-
+Auth.js / NextAuth.js uses `camelCase` for its database rows while respecting the conventional `snake_case` formatting for OAuth-related values. If the mixed casing is an issue for you, most adapters have a dedicated documentation section on how to force a casing convention.
 
 ## TypeScript
 

docs/docs/reference/nextjs/client.md

@@ -1,7 +0,0 @@
----
-title: Client
----
-
-:::warning WIP
-`@auth/nextjs/client` is work in progress. For now, please use [NextAuth.js Client API](https://next-auth.js.org/getting-started/client).
-:::

docs/docs/reference/nextjs/index.md

@@ -1,7 +0,0 @@
----
-title: Next.js Auth
----
-
-:::warning WIP
-`@auth/nextjs` is work in progress. For now, please use [NextAuth.js](https://next-auth.js.org).
-:::

docs/docusaurus.config.js

@@ -7,7 +7,7 @@ const path = require("path")
 const coreSrc = "../packages/core/src"
 const providers = fs
   .readdirSync(path.join(__dirname, coreSrc, "/providers"))
-  .filter((file) => file.endsWith(".ts") && !file.startsWith("oauth"))
+  .filter((file) => file.endsWith(".ts"))
   .map((p) => `${coreSrc}/providers/${p}`)
 
 const typedocConfig = require("./typedoc.json")
@@ -38,6 +38,22 @@ function typedocAdapter(name) {
   ]
 }
 
+function typedocFramework(id, entrypoints) {
+  return [
+    "docusaurus-plugin-typedoc",
+    {
+      ...typedocConfig,
+      id: id.replace("frameworks-", ""),
+      plugin: [require.resolve("./typedoc-mdn-links")],
+      watch: process.env.TYPEDOC_WATCH,
+      entryPoints: entrypoints.map((e) => `../packages/${id}/src/${e}`),
+      tsconfig: `../packages/${id}/tsconfig.json`,
+      out: `reference/${id.replace("frameworks-", "")}`,
+      sidebar: { indexLabel: "index" },
+    },
+  ]
+}
+
 /** @type {import("@docusaurus/types").Config} */
 const docusaurusConfig = {
   markdown: {
@@ -231,36 +247,9 @@ const docusaurusConfig = {
     ],
   ],
   plugins: [
-    [
-      "docusaurus-plugin-typedoc",
-      {
-        ...typedocConfig,
-        id: "core",
-        plugin: [require.resolve("./typedoc-mdn-links")],
-        watch: process.env.TYPEDOC_WATCH,
-        entryPoints: ["index.ts", "adapters.ts", "errors.ts", "jwt.ts", "types.ts"].map((e) => `${coreSrc}/${e}`).concat(providers),
-        tsconfig: "../packages/core/tsconfig.json",
-        out: "reference/core",
-        sidebar: {
-          indexLabel: "index",
-        },
-      },
-    ],
-    [
-      "docusaurus-plugin-typedoc",
-      {
-        ...typedocConfig,
-        id: "sveltekit",
-        plugin: [require.resolve("./typedoc-mdn-links")],
-        watch: process.env.TYPEDOC_WATCH,
-        entryPoints: ["index.ts", "client.ts"].map((e) => `../packages/frameworks-sveltekit/src/lib/${e}`),
-        tsconfig: "../packages/frameworks-sveltekit/tsconfig.json",
-        out: "reference/sveltekit",
-        sidebar: {
-          indexLabel: "index",
-        },
-      },
-    ],
+    typedocFramework("core", ["index.ts", "adapters.ts", "errors.ts", "jwt.ts", "types.ts"]),
+    typedocFramework("frameworks-sveltekit", ["lib/index.ts", "lib/client.ts"]),
+    typedocFramework("next-auth", ["index.ts", "react.tsx", "jwt.ts", "adapters.ts", "next.ts", "types.ts", "middleware.ts"]),
     ...(process.env.TYPEDOC_SKIP_ADAPTERS
       ? []
       : [

docs/sidebars.js

@@ -35,16 +35,9 @@ module.exports = {
     },
     {
       type: "category",
-      label: "@auth/nextjs",
-      link: { type: "doc", id: "reference/nextjs/index" },
-      items: [
-        "reference/nextjs/client",
-        {
-          type: "link",
-          label: "NextAuth.js (next-auth)",
-          href: "https://next-auth.js.org",
-        },
-      ],
+      label: "next-auth",
+      link: { type: "doc", id: "reference/next-auth/index" },
+      items: [{ type: "autogenerated", dirName: "reference/next-auth" }],
     },
     ...(process.env.TYPEDOC_SKIP_ADAPTERS
       ? []

package.json

@@ -9,6 +9,7 @@
     "build": "turbo run build --filter=next-auth --filter=@next-auth/* --filter=@auth/* --no-deps",
     "test": "turbo run test --concurrency=1 --filter=[HEAD^1] --filter=./packages/* --filter=!@*upstash* --filter=!*dynamodb-*",
     "clean": "turbo run clean --no-cache",
+    "dev:example": "turbo run dev --parallel --continue --filter=nextjs-example-app... --filter=!./packages/adapter-*",
     "dev:db": "turbo run dev --parallel --continue --filter=next-auth-app...",
     "dev": "turbo run dev --parallel --continue --filter=next-auth-app... --filter=!./packages/adapter-*",
     "dev-v4:db": "turbo run dev --parallel --continue --filter=next-auth-app-v4...",
@@ -28,7 +29,7 @@
     "@actions/core": "^1.10.0",
     "@balazsorban/monorepo-release": "0.1.8",
     "@types/jest": "^28.1.3",
-    "@types/node": "^17.0.25",
+    "@types/node": "^18.15.11",
     "@typescript-eslint/eslint-plugin": "5.47.0",
     "@typescript-eslint/parser": "5.47.0",
     "eslint": "8.30.0",
@@ -96,8 +97,6 @@
     "packages/core/src/lib/pages/styles.ts",
     "packages/frameworks-sveltekit/package",
     "packages/frameworks-sveltekit/vite.config.{js,ts}.timestamp-*",
-    "packages/next-auth/src/providers/oauth-types.ts",
-    "packages/next-auth/css/index.css",
     ".branches",
     "db.sqlite",
     "dev.db",
@@ -248,8 +247,10 @@
     "overrides": [
       {
         "files": [
-          "apps/dev/nextjs/pages/api/auth/[...nextauth].ts",
-          "docs/{sidebars,docusaurus.config}.js"
+          "apps/dev/nextjs/pages/api/auth-old/[...nextauth].ts",
+          "apps/dev/nextjs/app/api/auth/[...nextauth]/route.ts",
+          "docs/{sidebars,docusaurus.config}.js",
+          "packages/next-auth/src/lib/env.ts"
         ],
         "options": {
           "printWidth": 150

packages/core/src/adapters.ts

@@ -228,6 +228,10 @@ export interface Adapter {
   deleteUser?(
     userId: string
   ): Promise<void> | Awaitable<AdapterUser | null | undefined>
+  /**
+   * This method is invoked internally (but optionally can be used for manual linking).
+   * It creates an [Account](https://authjs.dev/reference/adapters#models) in the database.
+   */
   linkAccount?(
     account: AdapterAccount
   ): Promise<void> | Awaitable<AdapterAccount | null | undefined>

packages/core/src/errors.ts

@@ -20,13 +20,6 @@ export class AuthError extends Error {
   }
 }
 
-/**
- * @todo
- * Thrown when an Email address is already associated with an account
- * but the user is trying an OAuth account that is not linked to it.
- */
-export class AccountNotLinked extends AuthError {}
-
 /**
  * @todo
  * One of the database `Adapter` methods failed.
@@ -37,8 +30,8 @@ export class AdapterError extends AuthError {}
 export class AuthorizedCallbackError extends AuthError {}
 
 /**
- * There was an error while trying to finish up authenticating the user.
- * Depending on the type of provider, this could be for multiple reasons.
+ * This error occurs when the user cannot finish the sign-in process.
+ * Depending on the provider type, this could have happened for multiple reasons.
  *
  * :::tip
  * Check out `[auth][details]` in the error message to know which provider failed.
@@ -48,7 +41,7 @@ export class AuthorizedCallbackError extends AuthError {}
  * ```
  * :::
  *
- * For an **OAuth provider**, possible causes are:
+ * For an [OAuth provider](https://authjs.dev/reference/core/providers_oauth), possible causes are:
  * - The user denied access to the application
  * - There was an error parsing the OAuth Profile:
  *   Check out the provider's `profile` or `userinfo.request` method to make sure
@@ -56,7 +49,7 @@ export class AuthorizedCallbackError extends AuthError {}
  * - The `signIn` or `jwt` callback methods threw an uncaught error:
  *   Check the callback method implementations.
  *
- * For an **Email provider**, possible causes are:
+ * For an [Email provider](https://authjs.dev/reference/core/providers_email), possible causes are:
  * - The provided email/token combination was invalid/missing:
  *   Check if the provider's `sendVerificationRequest` method correctly sends the email.
  * - The provided email/token combination has expired:
@@ -64,7 +57,7 @@ export class AuthorizedCallbackError extends AuthError {}
  * - There was an error with the database:
  *   Check the database logs.
  *
- * For a **Credentials provider**, possible causes are:
+ * For a [Credentials provider](https://authjs.dev/reference/core/providers_credentials), possible causes are:
  * - The `authorize` method threw an uncaught error:
  *   Check the provider's `authorize` method.
  * - The `signIn` or `jwt` callback methods threw an uncaught error:
@@ -107,11 +100,30 @@ export class MissingAPIRoute extends AuthError {}
 /** @todo */
 export class MissingAuthorize extends AuthError {}
 
-/** @todo */
+/**
+ * Auth.js requires a secret to be set, but none was not found. This is used to encrypt cookies, JWTs and other sensitive data.
+ *
+ * :::note
+ * If you are using a framework like Next.js, we try to automatically infer the secret from the `AUTH_SECRET` environment variable.
+ * Alternatively, you can also explicitly set the [`AuthConfig.secret`](https://authjs.dev/reference/core#secret).
+ * :::
+ *
+ *
+ * :::tip
+ * You can generate a good secret value:
+ *  - On Unix systems: type `openssl rand -hex 32` in the terminal
+ *  - Or generate one [online](https://generate-secret.vercel.app/32)
+ *
+ * :::
+ */
 export class MissingSecret extends AuthError {}
 
-/** @todo */
-export class OAuthSignInError extends AuthError {}
+/**
+ * @todo
+ * Thrown when an Email address is already associated with an account
+ * but the user is trying an OAuth account that is not linked to it.
+ */
+export class OAuthAccountNotLinked extends AuthError {}
 
 /** @todo */
 export class OAuthCallbackError extends AuthError {}
@@ -119,19 +131,51 @@ export class OAuthCallbackError extends AuthError {}
 /** @todo */
 export class OAuthCreateUserError extends AuthError {}
 
-/** @todo */
+/**
+ * This error occurs during an OAuth sign in attempt when the provdier's
+ * response could not be parsed. This could for example happen if the provider's API
+ * changed, or the [`OAuth2Config.profile`](https://authjs.dev/reference/core/providers_oauth#profile) method is not implemented correctly.
+ */
 export class OAuthProfileParseError extends AuthError {}
 
 /** @todo */
 export class SessionTokenError extends AuthError {}
 
-/** @todo */
+/**
+ * This error occurs when the user cannot initiate the sign-in process.
+ * Depending on the provider type, this could have happened for multiple reasons.
+ *
+ * :::tip
+ * Check out `[auth][details]` in the error message to know which provider failed.
+ * @example
+ * ```sh
+ * [auth][details]: { "provider": "github" }
+ * ```
+ * :::
+ *
+ * For an [OAuth provider](https://authjs.dev/reference/core/providers_oauth), possible causes are:
+ * - The Authorization Server is not compliant with the [OAuth 2.0 specifcation](https://www.ietf.org/rfc/rfc6749.html)
+ *   Check the details in the error message.
+ * - A runtime error occurred in Auth.js. This should be reported as a bug.
+ *
+ * For an [Email provider](https://authjs.dev/reference/core/providers_email), possible causes are:
+ * - The email sent from the client is invalid, could not be normalized by [`EmailConfig.normalizeIdentifier`](https://authjs.dev/reference/core/providers_email#normalizeidentifier)
+ * - The provided email/token combination has expired:
+ *   Ask the user to log in again.
+ * - There was an error with the database:
+ *   Check the database logs.
+ *
+ */
 export class SignInError extends AuthError {}
 
 /** @todo */
 export class SignOutError extends AuthError {}
 
-/** @todo */
+/**
+ * Auth.js was requested to handle an operation that it does not support.
+ *
+ * See [`AuthAction`](https://authjs.dev/reference/core/types#authaction) for the supported actions.
+ */
 export class UnknownAction extends AuthError {}
 
 /** @todo */

packages/core/src/jwt.ts

@@ -190,7 +190,7 @@ export interface JWTEncodeParams<Payload = JWT> {
   /**
    * The maximum age of the Auth.js issued JWT in seconds.
    *
-   * @default 30 * 24 * 30 * 60 // 30 days
+   * @default 30 * 24 * 60 * 60 // 30 days
    */
   maxAge?: number
 }
@@ -213,7 +213,7 @@ export interface JWTOptions {
   /**
    * The maximum age of the Auth.js issued JWT in seconds.
    *
-   * @default 30 * 24 * 30 * 60 // 30 days
+   * @default 30 * 24 * 60 * 60 // 30 days
    */
   maxAge: number
   /** Override this method to control the Auth.js issued JWT encoding. */

packages/core/src/lib/callback-handler.ts

@@ -1,4 +1,4 @@
-import { AccountNotLinked } from "../errors.js"
+import { OAuthAccountNotLinked } from "../errors.js"
 import { fromDate } from "./utils/date.js"
 
 import type {
@@ -49,7 +49,7 @@ export async function handleLogin(
   }
 
   const profile = _profile as AdapterUser
-  const account = _account as AdapterAccount
+  let account = _account as AdapterAccount
 
   const {
     createUser,
@@ -122,113 +122,116 @@ export async function handleLogin(
         })
 
     return { session, user, isNewUser }
-  } else if (account.type === "oauth" || account.type === "oidc") {
-    // If signing in with OAuth account, check to see if the account exists already
-    const userByAccount = await getUserByAccount({
-      providerAccountId: account.providerAccountId,
-      provider: account.provider,
-    })
-    if (userByAccount) {
-      if (user) {
-        // If the user is already signed in with this account, we don't need to do anything
-        if (userByAccount.id === user.id) {
-          return { session, user, isNewUser }
-        }
-        // If the user is currently signed in, but the new account they are signing in
-        // with is already associated with another user, then we cannot link them
-        // and need to return an error.
-        throw new AccountNotLinked(
-          "The account is already associated with another user",
-          { provider: account.provider }
-        )
-      }
-      // If there is no active session, but the account being signed in with is already
-      // associated with a valid user then create session to sign the user in.
-      session = useJwtSession
-        ? {}
-        : await createSession({
-            sessionToken: generateSessionToken(),
-            userId: userByAccount.id,
-            expires: fromDate(options.session.maxAge),
-          })
+  }
 
-      return { session, user: userByAccount, isNewUser }
-    } else {
-      if (user) {
-        // If the user is already signed in and the OAuth account isn't already associated
-        // with another user account then we can go ahead and link the accounts safely.
-        await linkAccount({ ...account, userId: user.id })
-        await events.linkAccount?.({ user, account, profile })
-
-        // As they are already signed in, we don't need to do anything after linking them
+  // If signing in with OAuth account, check to see if the account exists already
+  const userByAccount = await getUserByAccount({
+    providerAccountId: account.providerAccountId,
+    provider: account.provider,
+  })
+  if (userByAccount) {
+    if (user) {
+      // If the user is already signed in with this account, we don't need to do anything
+      if (userByAccount.id === user.id) {
         return { session, user, isNewUser }
       }
+      // If the user is currently signed in, but the new account they are signing in
+      // with is already associated with another user, then we cannot link them
+      // and need to return an error.
+      throw new OAuthAccountNotLinked(
+        "The account is already associated with another user",
+        { provider: account.provider }
+      )
+    }
+    // If there is no active session, but the account being signed in with is already
+    // associated with a valid user then create session to sign the user in.
+    session = useJwtSession
+      ? {}
+      : await createSession({
+          sessionToken: generateSessionToken(),
+          userId: userByAccount.id,
+          expires: fromDate(options.session.maxAge),
+        })
 
-      // If the user is not signed in and it looks like a new OAuth account then we
-      // check there also isn't an user account already associated with the same
-      // email address as the one in the OAuth profile.
-      //
-      // This step is often overlooked in OAuth implementations, but covers the following cases:
-      //
-      // 1. It makes it harder for someone to accidentally create two accounts.
-      //    e.g. by signin in with email, then again with an oauth account connected to the same email.
-      // 2. It makes it harder to hijack a user account using a 3rd party OAuth account.
-      //    e.g. by creating an oauth account then changing the email address associated with it.
-      //
-      // It's quite common for services to automatically link accounts in this case, but it's
-      // better practice to require the user to sign in *then* link accounts to be sure
-      // someone is not exploiting a problem with a third party OAuth service.
-      //
-      // OAuth providers should require email address verification to prevent this, but in
-      // practice that is not always the case; this helps protect against that.
-      const userByEmail = profile.email
-        ? await getUserByEmail(profile.email)
-        : null
-      if (userByEmail) {
-        const provider = options.provider as OAuthConfig<any>
-        if (provider?.allowDangerousEmailAccountLinking) {
-          // If you trust the oauth provider to correctly verify email addresses, you can opt-in to
-          // account linking even when the user is not signed-in.
-          user = userByEmail
-        } else {
-          // We end up here when we don't have an account with the same [provider].id *BUT*
-          // we do already have an account with the same email address as the one in the
-          // OAuth profile the user has just tried to sign in with.
-          //
-          // We don't want to have two accounts with the same email address, and we don't
-          // want to link them in case it's not safe to do so, so instead we prompt the user
-          // to sign in via email to verify their identity and then link the accounts.
-          throw new AccountNotLinked(
-            "Another account already exists with the same e-mail address",
-            { provider: account.provider }
-          )
-        }
-      } else {
-        // If the current user is not logged in and the profile isn't linked to any user
-        // accounts (by email or provider account id)...
-        //
-        // If no account matching the same [provider].id or .email exists, we can
-        // create a new account for the user, link it to the OAuth account and
-        // create a new session for them so they are signed in with it.
-        const { id: _, ...newUser } = { ...profile, emailVerified: null }
-        user = await createUser(newUser)
-      }
-      await events.createUser?.({ user })
+    return { session, user: userByAccount, isNewUser }
+  } else {
+    const { provider: p } = options as InternalOptions<"oauth" | "oidc">
+    const { type, provider, providerAccountId, userId, ...tokenSet } = account
+    const defaults = { providerAccountId, provider, type, userId }
+    account = Object.assign(p.account(tokenSet), defaults)
 
+    if (user) {
+      // If the user is already signed in and the OAuth account isn't already associated
+      // with another user account then we can go ahead and link the accounts safely.
       await linkAccount({ ...account, userId: user.id })
       await events.linkAccount?.({ user, account, profile })
 
-      session = useJwtSession
-        ? {}
-        : await createSession({
-            sessionToken: generateSessionToken(),
-            userId: user.id,
-            expires: fromDate(options.session.maxAge),
-          })
-
-      return { session, user, isNewUser: true }
+      // As they are already signed in, we don't need to do anything after linking them
+      return { session, user, isNewUser }
     }
-  }
 
-  throw new Error("Unsupported account type")
+    // If the user is not signed in and it looks like a new OAuth account then we
+    // check there also isn't an user account already associated with the same
+    // email address as the one in the OAuth profile.
+    //
+    // This step is often overlooked in OAuth implementations, but covers the following cases:
+    //
+    // 1. It makes it harder for someone to accidentally create two accounts.
+    //    e.g. by signin in with email, then again with an oauth account connected to the same email.
+    // 2. It makes it harder to hijack a user account using a 3rd party OAuth account.
+    //    e.g. by creating an oauth account then changing the email address associated with it.
+    //
+    // It's quite common for services to automatically link accounts in this case, but it's
+    // better practice to require the user to sign in *then* link accounts to be sure
+    // someone is not exploiting a problem with a third party OAuth service.
+    //
+    // OAuth providers should require email address verification to prevent this, but in
+    // practice that is not always the case; this helps protect against that.
+    const userByEmail = profile.email
+      ? await getUserByEmail(profile.email)
+      : null
+    if (userByEmail) {
+      const provider = options.provider as OAuthConfig<any>
+      if (provider?.allowDangerousEmailAccountLinking) {
+        // If you trust the oauth provider to correctly verify email addresses, you can opt-in to
+        // account linking even when the user is not signed-in.
+        user = userByEmail
+      } else {
+        // We end up here when we don't have an account with the same [provider].id *BUT*
+        // we do already have an account with the same email address as the one in the
+        // OAuth profile the user has just tried to sign in with.
+        //
+        // We don't want to have two accounts with the same email address, and we don't
+        // want to link them in case it's not safe to do so, so instead we prompt the user
+        // to sign in via email to verify their identity and then link the accounts.
+        throw new OAuthAccountNotLinked(
+          "Another account already exists with the same e-mail address",
+          { provider: account.provider }
+        )
+      }
+    } else {
+      // If the current user is not logged in and the profile isn't linked to any user
+      // accounts (by email or provider account id)...
+      //
+      // If no account matching the same [provider].id or .email exists, we can
+      // create a new account for the user, link it to the OAuth account and
+      // create a new session for them so they are signed in with it.
+      const { id: _, ...newUser } = { ...profile, emailVerified: null }
+      user = await createUser(newUser)
+    }
+    await events.createUser?.({ user })
+
+    await linkAccount({ ...account, userId: user.id })
+    await events.linkAccount?.({ user, account, profile })
+
+    session = useJwtSession
+      ? {}
+      : await createSession({
+          sessionToken: generateSessionToken(),
+          userId: user.id,
+          expires: fromDate(options.session.maxAge),
+        })
+
+    return { session, user, isNewUser: true }
+  }
 }

packages/core/src/lib/index.ts

@@ -110,14 +110,11 @@ export async function AuthInternal<
         if (
           [
             "Signin",
-            "OAuthSignin",
             "OAuthCallback",
             "OAuthCreateAccount",
             "EmailCreateAccount",
             "Callback",
             "OAuthAccountNotLinked",
-            "EmailSignin",
-            "CredentialsSignin",
             "SessionRequired",
           ].includes(error as string)
         ) {

packages/core/src/lib/oauth/callback.ts

@@ -3,6 +3,7 @@ import * as o from "oauth4webapi"
 import { OAuthCallbackError, OAuthProfileParseError } from "../../errors.js"
 
 import type {
+  Account,
   InternalOptions,
   LoggerInstance,
   Profile,
@@ -123,8 +124,8 @@ export async function handleOAuth(
     throw new Error("TODO: Handle www-authenticate challenges as needed")
   }
 
-  let profile: Profile = {}
-  let tokens: TokenSet
+  let profile: Profile
+  let tokens: TokenSet & Pick<Account, "expires_at">
 
   if (provider.type === "oidc") {
     const nonce = await checks.nonce.use(cookies, resCookies, options)
@@ -162,37 +163,49 @@ export async function handleOAuth(
         (tokens as any).access_token
       )
       profile = await userinfoResponse.json()
+    } else {
+      throw new TypeError("No userinfo endpoint configured")
     }
   }
 
-  const profileResult = await getProfile(profile, provider, tokens, logger)
+  if (tokens.expires_in) {
+    tokens.expires_at =
+      Math.floor(Date.now() / 1000) + Number(tokens.expires_in)
+  }
+
+  const profileResult = await getUserAndProfile(
+    profile,
+    provider,
+    tokens,
+    logger
+  )
 
   return { ...profileResult, cookies: resCookies }
 }
 
 /** Returns profile, raw profile and auth provider details */
-async function getProfile(
+async function getUserAndProfile(
   OAuthProfile: Profile,
   provider: OAuthConfigInternal<any>,
   tokens: TokenSet,
   logger: LoggerInstance
 ) {
   try {
-    const profile = await provider.profile(OAuthProfile, tokens)
-    profile.email = profile.email?.toLowerCase()
+    const user = await provider.profile(OAuthProfile, tokens)
+    user.email = user.email?.toLowerCase()
 
-    if (!profile.id) {
+    if (!user.id) {
       throw new TypeError(
-        `Profile id is missing in ${provider.name} OAuth profile response`
+        `User id is missing in ${provider.name} OAuth profile response`
       )
     }
 
     return {
-      profile,
+      user,
       account: {
         provider: provider.id,
         type: provider.type,
-        providerAccountId: profile.id.toString(),
+        providerAccountId: user.id.toString(),
         ...tokens,
       },
       OAuthProfile,
@@ -206,6 +219,8 @@ async function getProfile(
     // redirected back to the sign up page. We log the error to help developers
     // who might be trying to debug this when configuring a new provider.
     logger.debug("getProfile error details", OAuthProfile)
-    logger.error(new OAuthProfileParseError(e as Error))
+    logger.error(
+      new OAuthProfileParseError(e as Error, { provider: provider.id })
+    )
   }
 }

packages/core/src/lib/providers.ts

@@ -1,13 +1,15 @@
 import { merge } from "./utils/merge.js"
 
 import type {
+  AccountCallback,
   OAuthConfig,
   OAuthConfigInternal,
   OAuthEndpointType,
   OAuthUserConfig,
+  ProfileCallback,
   Provider,
 } from "../providers/index.js"
-import type { AuthConfig, InternalProvider } from "../types.js"
+import type { AuthConfig, InternalProvider, Profile } from "../types.js"
 
 /**
  * Adds `signinUrl` and `callbackUrl` to each provider
@@ -77,18 +79,47 @@ function normalizeOAuth(
     checks,
     userinfo,
     profile: c.profile ?? defaultProfile,
+    account: c.account ?? defaultAccount,
   }
 }
 
-function defaultProfile(profile: any) {
-  return {
+/**
+ * Returns basic user profile from the userinfo response/`id_token` claims.
+ * @see https://authjs.dev/reference/adapters#user
+ * @see https://openid.net/specs/openid-connect-core-1_0.html#IDToken
+ * @see https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
+ */
+const defaultProfile: ProfileCallback<Profile> = (profile) => {
+  return stripUndefined({
     id: profile.sub ?? profile.id,
-    name:
-      profile.name ?? profile.nickname ?? profile.preferred_username ?? null,
-    email: profile.email ?? null,
-    image: profile.picture ?? null,
-  }
+    name: profile.name ?? profile.nickname ?? profile.preferred_username,
+    email: profile.email,
+    image: profile.picture,
+  })
 }
+
+/**
+ * Returns basic OAuth/OIDC values from the token response.
+ * @see https://www.ietf.org/rfc/rfc6749.html#section-5.1
+ * @see https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
+ * @see https://authjs.dev/reference/adapters#account
+ *
+ * @todo Return `refresh_token` and `expires_at` as well when built-in
+ * refresh token support is added. (Can make it opt-in first with a flag).
+ */
+const defaultAccount: AccountCallback = (account) => {
+  return stripUndefined({
+    access_token: account.access_token,
+    id_token: account.id_token,
+  })
+}
+
+function stripUndefined<T extends object>(o: T): T {
+  const result = {} as any
+  for (let [k, v] of Object.entries(o)) v !== undefined && (result[k] = v)
+  return result as T
+}
+
 function normalizeEndpoint(
   e?: OAuthConfig<any>[OAuthEndpointType],
   issuer?: string

packages/core/src/lib/routes/callback.ts

@@ -68,14 +68,18 @@ export async function callback(params: {
 
       logger.debug("authorization result", authorizationResult)
 
-      const { profile, account, OAuthProfile } = authorizationResult
+      const {
+        user: userFromProvider,
+        account,
+        OAuthProfile,
+      } = authorizationResult
 
       // If we don't have a profile object then either something went wrong
       // or the user cancelled signing in. We don't know which, so we just
       // direct the user to the signin page for now. We could do something
       // else in future.
       // TODO: Handle user cancelling signin
-      if (!profile || !account || !OAuthProfile) {
+      if (!userFromProvider || !account || !OAuthProfile) {
         return { redirect: `${url}/signin`, cookies }
       }
 
@@ -83,7 +87,7 @@ export async function callback(params: {
       // Attempt to get Profile from OAuth provider details before invoking
       // signIn callback - but if no user object is returned, that is fine
       // (that just means it's a new user signing in for the first time).
-      let userOrProfile = profile
+      let userByAccountOrFromProvider
       if (adapter) {
         const { getUserByAccount } = adapter
         const userByAccount = await getUserByAccount({
@@ -91,11 +95,15 @@ export async function callback(params: {
           provider: provider.id,
         })
 
-        if (userByAccount) userOrProfile = userByAccount
+        if (userByAccount) userByAccountOrFromProvider = userByAccount
       }
 
       const unauthorizedOrError = await handleAuthorized(
-        { user: userOrProfile, account, profile: OAuthProfile },
+        {
+          user: userByAccountOrFromProvider,
+          account,
+          profile: OAuthProfile,
+        },
         options
       )
 
@@ -104,7 +112,7 @@ export async function callback(params: {
       // Sign user in
       const { user, session, isNewUser } = await handleLogin(
         sessionStore.value,
-        profile,
+        userFromProvider,
         account,
         options
       )
@@ -152,7 +160,7 @@ export async function callback(params: {
         })
       }
 
-      await events.signIn?.({ user, account, profile, isNewUser })
+      await events.signIn?.({ user, account, profile: OAuthProfile, isNewUser })
 
       // Handle first logins on new accounts
       // e.g. option to send users to a new account landing page on initial login
@@ -362,6 +370,7 @@ export async function callback(params: {
   } catch (e) {
     const error = new CallbackRouteError(e as Error, { provider: provider.id })
 
+    logger.debug("callback route error details", { method, query, body })
     logger.error(error)
     url.searchParams.set("error", CallbackRouteError.name)
     url.pathname += "/error"

packages/core/src/lib/routes/signin.ts

@@ -55,8 +55,9 @@ export async function signin(
   } catch (e) {
     const error = new SignInError(e as Error, { provider: provider.id })
     logger.error(error)
-    url.searchParams.set("error", error.name)
-    url.pathname += "/error"
+    const code = provider.type === "email" ? "EmailSignin" : "OAuthSignin"
+    url.searchParams.set("error", code)
+    url.pathname += "/signin"
     return { redirect: url.toString() }
   }
 }

packages/core/src/lib/web.ts

@@ -33,6 +33,8 @@ export async function toInternalRequest(
     // TODO: url.toString() should not include action and providerId
     // see init.ts
     const url = new URL(req.url.replace(/\/$/, ""))
+    // FIXME: Upstream issue in Next.js, pathname segments get included as part of the query string
+    url.searchParams.delete("nextauth")
     const { pathname } = url
 
     const action = actions.find((a) => pathname.includes(a))

packages/core/src/providers/email.ts

@@ -29,7 +29,7 @@ export interface SendVerificationRequestParams {
 export interface EmailConfig extends CommonProviderOptions {
   type: "email"
   // TODO: Make use of https://www.typescriptlang.org/docs/handbook/2/template-literal-types.html
-  server: string | SMTPTransportOptions
+  server?: string | SMTPTransportOptions
   /** @default `"Auth.js <no-reply@authjs.dev>"` */
   from?: string
   /**
@@ -72,7 +72,7 @@ export interface EmailConfig extends CommonProviderOptions {
    * By default, we treat email addresses as all lower case,
    * but you can override this function to change this behavior.
    *
-   * [Documentation](https://authjs.dev/guides/providers/email#normalizing-the-e-mail-address) | [RFC 2821](https://tools.ietf.org/html/rfc2821) | [Email syntax](https://en.wikipedia.org/wiki/Email_address#Syntax)
+   * [Normalizing the email address](https://authjs.dev/reference/core/providers_email#normalizing-the-email-address) | [RFC 2821](https://tools.ietf.org/html/rfc2821) | [Email syntax](https://en.wikipedia.org/wiki/Email_address#Syntax)
    */
   normalizeIdentifier?: (identifier: string) => string
 }
@@ -287,7 +287,7 @@ export type EmailProviderType = "email"
  * 
  * ## Normalizing the email address
  * 
- * By default, NextAuth.js will normalize the email address. It treats values as case-insensitive (which is technically not compliant to the [RFC 2821 spec](https://datatracker.ietf.org/doc/html/rfc2821), but in practice this causes more problems than it solves, eg. when looking up users by e-mail from databases.) and also removes any secondary email address that was passed in as a comma-separated list. You can apply your own normalization via the `normalizeIdentifier` method on the `EmailProvider`. The following example shows the default behavior:
+ * By default, Auth.js will normalize the email address. It treats values as case-insensitive (which is technically not compliant to the [RFC 2821 spec](https://datatracker.ietf.org/doc/html/rfc2821), but in practice this causes more problems than it solves, eg. when looking up users by e-mail from databases.) and also removes any secondary email address that was passed in as a comma-separated list. You can apply your own normalization via the `normalizeIdentifier` method on the `EmailProvider`. The following example shows the default behavior:
  * ```ts
  *   EmailProvider({
  *     // ...
@@ -301,7 +301,7 @@ export type EmailProviderType = "email"
  *       return `${local}@${domain}`
  * 
  *       // You can also throw an error, which will redirect the user
- *       // to the error page with error=EmailSignin in the URL
+ *       // to the sign-in page with error=EmailSignin in the URL
  *       // if (identifier.split("@").length > 2) {
  *       //   throw new Error("Only one email allowed")
  *       // }

packages/core/src/providers/eveonline.ts

@@ -52,7 +52,7 @@ export interface EVEOnlineProfile extends Record<string, any> {
  * :::
  *
  * :::tip
- * If using JWT for the session, you can add the `CharacterID` to the JWT token and session. Example:
+ * If using JWT for the session, you can add the `CharacterID` to the JWT and session. Example:
  * ```js
  * options: {
  *   jwt: {

packages/core/src/providers/oauth.ts

@@ -52,7 +52,10 @@ interface AdvancedEndpointHandler<P extends UrlParams, C, R> {
   conform?: (response: Response) => Awaitable<Response | undefined>
 }
 
-/** Either an URL (containing all the parameters) or an object with more granular control. */
+/**
+ * Either an URL (containing all the parameters) or an object with more granular control.
+ * @internal
+ */
 export type EndpointHandler<
   P extends UrlParams,
   C = any,
@@ -92,6 +95,8 @@ export type ProfileCallback<Profile> = (
   tokens: TokenSet
 ) => Awaitable<User>
 
+export type AccountCallback = (account: TokenSet) => TokenSet
+
 export interface OAuthProviderButtonStyles {
   logo: string
   logoDark: string
@@ -138,13 +143,25 @@ export interface OAuth2Config<Profile>
   userinfo?: string | UserinfoEndpointHandler
   type: "oauth"
   /**
-   * Receives the profile object returned by the OAuth provider, and returns the user object.
-   * This will be used to create the user in the database.
+   * Receives the full {@link Profile} returned by the OAuth provider, and returns a subset.
+   * It is used to create the user in the database.
+   *
    * Defaults to: `id`, `email`, `name`, `image`
    *
-   * [Documentation](https://authjs.dev/reference/adapters/models#user)
+   * @see [Database Adapter: User model](https://authjs.dev/reference/adapters#user)
    */
   profile?: ProfileCallback<Profile>
+  /**
+   * Receives the full {@link TokenSet} returned by the OAuth provider, and returns a subset.
+   * It is used to create the account associated with a user in the database.
+   *
+   * Defaults to: `access_token` and `id_token`
+   *
+   * @see [Database Adapter: Account model](https://authjs.dev/reference/adapters#account)
+   * @see https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
+   * @see https://www.ietf.org/rfc/rfc6749.html#section-5.1
+   */
+  account?: AccountCallback
   /**
    * The CSRF protection performed on the callback endpoint.
    * @default ["pkce"]
@@ -190,7 +207,11 @@ export interface OAuth2Config<Profile>
   options?: OAuthUserConfig<Profile>
 }
 
-/** TODO: Document */
+/**
+ * Extension of the {@link OAuth2Config}.
+ *
+ * @see https://openid.net/specs/openid-connect-core-1_0.html
+ */
 export interface OIDCConfig<Profile>
   extends Omit<OAuth2Config<Profile>, "type" | "checks"> {
   type: "oidc"
@@ -204,6 +225,7 @@ export type OAuthEndpointType = "authorization" | "token" | "userinfo"
 /**
  * We parsed `authorization`, `token` and `userinfo`
  * to always contain a valid `URL`, with the params
+ * @internal
  */
 export type OAuthConfigInternal<Profile> = Omit<
   OAuthConfig<Profile>,
@@ -229,7 +251,10 @@ export type OAuthConfigInternal<Profile> = Omit<
    *
    */
   redirectProxyUrl?: OAuth2Config<Profile>["redirectProxyUrl"]
-} & Pick<Required<OAuthConfig<Profile>>, "clientId" | "checks" | "profile">
+} & Pick<
+    Required<OAuthConfig<Profile>>,
+    "clientId" | "checks" | "profile" | "account"
+  >
 
 export type OIDCConfigInternal<Profile> = OAuthConfigInternal<Profile> & {
   checks: OIDCConfig<Profile>["checks"]

packages/core/src/types.ts

@@ -116,16 +116,58 @@ export interface Account extends Partial<OpenIDTokenEndpointResponse> {
   providerAccountId: string
   /** Provider's type for this account */
   type: ProviderType
-  /** id of the user this account belongs to */
+  /**
+   * id of the user this account belongs to
+   *
+   * @see https://authjs.dev/reference/adapters#user
+   */
   userId?: string
+  /**
+   * Calculated value based on {@link OAuth2TokenEndpointResponse.expires_in}.
+   *
+   * It is the absolute timestamp (in seconds) when the {@link OAuth2TokenEndpointResponse.access_token} expires.
+   *
+   * This value can be used for implementing token rotation together with {@link OAuth2TokenEndpointResponse.refresh_token}.
+   *
+   * @see https://authjs.dev/guides/basics/refresh-token-rotation#database-strategy
+   * @see https://www.rfc-editor.org/rfc/rfc6749#section-5.1
+   */
+  expires_at?: number
 }
 
-/** The OAuth profile returned from your provider */
+/**
+ * The user info returned from your OAuth provider.
+ *
+ * @see https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
+ */
 export interface Profile {
-  sub?: string | null
-  name?: string | null
-  email?: string | null
-  image?: string | null
+  sub: string
+  name?: string
+  given_name?: string
+  family_name?: string
+  middle_name?: string
+  nickname?: string
+  preferred_username?: string
+  profile?: string
+  picture?: string
+  website?: string
+  email?: string
+  email_verified?: boolean
+  gender?: string
+  birthdate?: string
+  zoneinfo?: string
+  locale?: string
+  phone_number?: string
+  updated_at?: number
+  address?: {
+    formatted?: string
+    street_address?: string
+    locality?: string
+    region?: string
+    postal_code?: string
+    country?: string
+  }
+  [claim: string]: unknown
 }
 
 /** [Documentation](https://authjs.dev/guides/basics/callbacks) */
@@ -262,7 +304,7 @@ export interface EventCallbacks {
   /**
    * The message object will contain one of these depending on
    * if you use JWT or database persisted sessions:
-   * - `token`: The JWT token for this session.
+   * - `token`: The JWT for this session.
    * - `session`: The session object from your adapter that is being ended.
    */
   signOut: (
@@ -280,7 +322,7 @@ export interface EventCallbacks {
   /**
    * The message object will contain one of these depending on
    * if you use JWT or database persisted sessions:
-   * - `token`: The JWT token for this session.
+   * - `token`: The JWT for this session.
    * - `session`: The session object from your adapter.
    */
   session: (message: { session: Session; token: JWT }) => Awaitable<void>
@@ -385,15 +427,40 @@ export type InternalProvider<T = ProviderType> = (T extends "oauth"
   callbackUrl: string
 }
 
+/**
+ * Supported actions by Auth.js. Each action map to a REST API endpoint.
+ * Some actions have a `GET` and `POST` variant, depending on if the action
+ * changes the state of the server.
+ *
+ * - **`"callback"`**:
+ *   - **`GET`**: Handles the callback from an [OAuth provider](https://authjs.dev/reference/core/providers_oauth).
+ *   - **`POST`**: Handles the callback from a [Credentials provider](https://authjs.dev/reference/core/providers_credentials).
+ * - **`"csrf"`**: Returns the raw CSRF token, which is saved in a cookie (encrypted).
+ * It is used for CSRF protection, implementing the [double submit cookie](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie) technique.
+ * :::note
+ * Some frameworks have built-in CSRF protection and can therefore disable this action. In this case, the corresponding endpoint will return a 404 response. Read more at [`skipCSRFCheck`](https://authjs.dev/reference/core#skipcsrfcheck).
+ * _⚠ We don't recommend manually disabling CSRF protection, unless you know what you're doing._
+ * :::
+ * - **`"error"`**: Renders the built-in error page.
+ * - **`"providers"`**: Returns a client-safe list of all configured providers.
+ * - **`"session"`**: Returns the user's session if it exists, otherwise `null`.
+ * - **`"signin"`**:
+ *   - **`GET`**: Renders the built-in sign-in page.
+ *   - **`POST`**: Initiates the sign-in flow.
+ * - **`"signout"`**:
+ *   - **`GET`**: Renders the built-in sign-out page.
+ *   - **`POST`**: Initiates the sign-out flow. This will invalidate the user's session (deleting the cookie, and if there is a session in the database, it will be deleted as well).
+ * - **`"verify-request"`**: Renders the built-in verification request page.
+ */
 export type AuthAction =
+  | "callback"
+  | "csrf"
+  | "error"
   | "providers"
   | "session"
-  | "csrf"
   | "signin"
   | "signout"
-  | "callback"
   | "verify-request"
-  | "error"
 
 /** @internal */
 export interface RequestInternal {

packages/next-auth/.npmrc

@@ -1 +0,0 @@
-//registry.npmjs.org/:_authToken=${NPM_TOKEN}

packages/next-auth/README.md

@@ -1,254 +0,0 @@
-<p align="center">
-   <br/>
-   <a href="https://next-auth.js.org" target="_blank"><img width="150px" src="https://next-auth.js.org/img/logo/logo-sm.png" /></a>
-   <h3 align="center">NextAuth.js</h3>
-   <p align="center">Authentication for Next.js</p>
-   <p align="center">
-   Open Source. Full Stack. Own Your Data.
-   </p>
-   <p align="center" style="align: center;">
-      <a href="https://github.com/nextauthjs/next-auth/actions/workflows/release.yml?query=workflow%3ARelease">
-        <img src="https://github.com/nextauthjs/next-auth/actions/workflows/release.yml/badge.svg" alt="Release" />
-      </a>
-      <a href="https://packagephobia.com/result?p=next-auth">
-        <img src="https://packagephobia.com/badge?p=next-auth" alt="Bundle Size"/>
-      </a>
-      <a href="https://www.npmtrends.com/next-auth">
-        <img src="https://img.shields.io/npm/dm/next-auth" alt="Downloads" />
-      </a>
-      <a href="https://github.com/nextauthjs/next-auth/stargazers">
-        <img src="https://img.shields.io/github/stars/nextauthjs/next-auth" alt="Github Stars" />
-      </a>
-      <a href="https://www.npmjs.com/package/next-auth">
-        <img src="https://img.shields.io/github/v/release/nextauthjs/next-auth?label=latest" alt="Github Stable Release" />
-      </a>
-   </p>
-</p>
-
-## Overview
-
-NextAuth.js is a complete open source authentication solution for [Next.js](http://nextjs.org/) applications.
-
-It is designed from the ground up to support Next.js and Serverless.
-
-This is a monorepo containing the following packages / projects:
-
-1. The primary `next-auth` package
-2. A development test application
-3. All `@next-auth/*-adapter` packages
-4. The documentation site
-
-## Getting Started
-
-```
-npm install next-auth
-```
-
-The easiest way to continue getting started, is to follow the [getting started](https://next-auth.js.org/getting-started/example) section in our docs.
-
-We also have a section of [tutorials](https://next-auth.js.org/tutorials) for those looking for more specific examples.
-
-See [next-auth.js.org](https://next-auth.js.org) for more information and documentation.
-
-## Features
-
-### Flexible and easy to use
-
-- Designed to work with any OAuth service, it supports OAuth 1.0, 1.0A and 2.0
-- Built-in support for [many popular sign-in services](https://next-auth.js.org/providers)
-- Supports email / passwordless authentication
-- Supports stateless authentication with any backend (Active Directory, LDAP, etc)
-- Supports both JSON Web Tokens and database sessions
-- Designed for Serverless but runs anywhere (AWS Lambda, Docker, Heroku, etc…)
-
-### Own your own data
-
-NextAuth.js can be used with or without a database.
-
-- An open source solution that allows you to keep control of your data
-- Supports Bring Your Own Database (BYOD) and can be used with any database
-- Built-in support for [MySQL, MariaDB, Postgres, Microsoft SQL Server, MongoDB and SQLite](https://next-auth.js.org/configuration/databases)
-- Works great with databases from popular hosting providers
-- Can also be used _without a database_ (e.g. OAuth + JWT)
-
-### Secure by default
-
-- Promotes the use of passwordless sign-in mechanisms
-- Designed to be secure by default and encourage best practices for safeguarding user data
-- Uses Cross-Site Request Forgery (CSRF) Tokens on POST routes (sign in, sign out)
-- Default cookie policy aims for the most restrictive policy appropriate for each cookie
-- When JSON Web Tokens are enabled, they are encrypted by default (JWE) with A256GCM
-- Auto-generates symmetric signing and encryption keys for developer convenience
-- Features tab/window syncing and session polling to support short lived sessions
-- Attempts to implement the latest guidance published by [Open Web Application Security Project](https://owasp.org)
-
-Advanced options allow you to define your own routines to handle controlling what accounts are allowed to sign in, for encoding and decoding JSON Web Tokens and to set custom cookie security policies and session properties, so you can control who is able to sign in and how often sessions have to be re-validated.
-
-### TypeScript
-
-NextAuth.js comes with built-in types. For more information and usage, check out
-the [TypeScript section](https://next-auth.js.org/getting-started/typescript) in the documentation.
-
-## Example
-
-### Add API Route
-
-```javascript
-// pages/api/auth/[...nextauth].js
-import NextAuth from "next-auth"
-import AppleProvider from "next-auth/providers/apple"
-import GoogleProvider from "next-auth/providers/google"
-import EmailProvider from "next-auth/providers/email"
-
-export default NextAuth({
-  secret: process.env.SECRET,
-  providers: [
-    // OAuth authentication providers
-    AppleProvider({
-      clientId: process.env.APPLE_ID,
-      clientSecret: process.env.APPLE_SECRET,
-    }),
-    GoogleProvider({
-      clientId: process.env.GOOGLE_ID,
-      clientSecret: process.env.GOOGLE_SECRET,
-    }),
-    // Sign in with passwordless email link
-    EmailProvider({
-      server: process.env.MAIL_SERVER,
-      from: "<no-reply@example.com>",
-    }),
-  ],
-})
-```
-
-### Add React Hook
-
-The `useSession()` React Hook in the NextAuth.js client is the easiest way to check if someone is signed in.
-
-```javascript
-import { useSession, signIn, signOut } from "next-auth/react"
-
-export default function Component() {
-  const { data: session } = useSession()
-  if (session) {
-    return (
-      <>
-        Signed in as {session.user.email} <br />
-        <button onClick={() => signOut()}>Sign out</button>
-      </>
-    )
-  }
-  return (
-    <>
-      Not signed in <br />
-      <button onClick={() => signIn()}>Sign in</button>
-    </>
-  )
-}
-```
-
-### Share/configure session state
-
-Use the `<SessionProvider>` to allow instances of `useSession()` to share the session object across components. It also takes care of keeping the session updated and synced between tabs/windows.
-
-```jsx title="pages/_app.js"
-import { SessionProvider } from "next-auth/react"
-
-export default function App({
-  Component,
-  pageProps: { session, ...pageProps },
-}) {
-  return (
-    <SessionProvider session={session}>
-      <Component {...pageProps} />
-    </SessionProvider>
-  )
-}
-```
-
-## Security
-
-If you think you have found a vulnerability (or not sure) in NextAuth.js or any of the related packages (i.e. Adapters), we ask you to have a read of our [Security Policy](https://github.com/nextauthjs/next-auth/blob/main/SECURITY.md) to reach out responsibly. Please do not open Pull Requests/Issues/Discussions before consulting with us.
-
-## Acknowledgments
-
-[NextAuth.js is made possible thanks to all of its contributors.](https://next-auth.js.org/contributors)
-
-<a href="https://github.com/nextauthjs/next-auth/graphs/contributors">
-  <img width="500px" src="https://contrib.rocks/image?repo=nextauthjs/next-auth" />
-</a>
-<div>
-<a href="https://vercel.com?utm_source=nextauthjs&utm_campaign=oss"></a>
-</div>
-
-### Support
-
-We're happy to announce we've recently created an [OpenCollective](https://opencollective.com/nextauth) for individuals and companies looking to contribute financially to the project!
-
-<!--sponsors start-->
-<table>
-  <tbody>
-    <tr>
-      <td align="center" valign="top">
-        <a href="https://vercel.com" target="_blank">
-          <img width="128px" src="https://avatars.githubusercontent.com/u/14985020?v=4" alt="Vercel Logo" />
-        </a><br />
-        <div>Vercel</div><br />
-        <sub>🥉 Bronze Financial Sponsor <br /> ☁️ Infrastructure Support</sub>
-      </td>
-      <td align="center" valign="top">
-        <a href="https://prisma.io" target="_blank">
-          <img width="128px" src="https://avatars.githubusercontent.com/u/17219288?v=4" alt="Prisma Logo" />
-        </a><br />
-        <div>Prisma</div><br />
-        <sub>🥉 Bronze Financial Sponsor</sub>
-      </td>
-      <td align="center" valign="top">
-        <a href="https://clerk.com" target="_blank">
-          <img width="128px" src="https://avatars.githubusercontent.com/u/49538330?s=200&v=4" alt="Clerk Logo" />
-        </a><br />
-        <div>Clerk</div><br />
-        <sub>🥉 Bronze Financial Sponsor</sub>
-      </td>
-      <td align="center" valign="top">
-        <a href="https://lowdefy.com" target="_blank">
-          <img width="128px" src="https://avatars.githubusercontent.com/u/47087496?s=200&v=4" alt="Lowdefy Logo" />
-        </a><br />
-        <div>Lowdefy</div><br />
-        <sub>🥉 Bronze Financial Sponsor</sub>
-      </td>
-      <td align="center" valign="top">
-        <a href="https://workos.com" target="_blank">
-          <img width="128px" src="https://avatars.githubusercontent.com/u/47638084?s=200&v=4" alt="WorkOS Logo" />
-        </a><br />
-        <div>WorkOS</div><br />
-        <sub>🥉 Bronze Financial Sponsor</sub>
-      </td>
-      <td align="center" valign="top">
-        <a href="https://checklyhq.com" target="_blank">
-          <img width="128px" src="https://avatars.githubusercontent.com/u/25982255?v=4" alt="Checkly Logo" />
-        </a><br />
-        <div>Checkly</div><br />
-        <sub>☁️ Infrastructure Support</sub>
-      </td>
-      <td align="center" valign="top">
-        <a href="https://superblog.ai/" target="_blank">
-          <img width="128px" src="https://d33wubrfki0l68.cloudfront.net/cdc4a3833bd878933fcc131655878dbf226ac1c5/10cd6/images/logo_bolt_small.png" alt="superblog Logo" />
-        </a><br />
-        <div>superblog</div><br />
-        <sub>☁️ Infrastructure Support</sub>
-      </td>
-    </tr><tr></tr>
-  </tbody>
-</table>
-<br />
-<!--sponsors end-->
-
-## Contributing
-
-We're open to all community contributions! If you'd like to contribute in any way, please first read
-our [Contributing Guide](https://github.com/nextauthjs/.github/blob/main/CONTRIBUTING.md).
-
-## License
-
-ISC

packages/next-auth/config/babel.config.js

@@ -1,62 +0,0 @@
-// @ts-check
-// We aim to have the same support as Next.js
-// https://nextjs.org/docs/getting-started#system-requirements
-// https://nextjs.org/docs/basic-features/supported-browsers-features
-
-/** @type {import("@babel/core").ConfigFunction} */
-module.exports = (api) => {
-  const isTest = api.env("test")
-  if (isTest) {
-    return {
-      presets: [
-        "@babel/preset-env",
-        ["@babel/preset-react", { runtime: "automatic" }],
-        ["@babel/preset-typescript", { isTSX: true, allExtensions: true }],
-      ],
-    }
-  }
-  return {
-    presets: [
-      ["@babel/preset-env", { targets: { node: 12 } }],
-      "@babel/preset-typescript",
-    ],
-    plugins: [
-      "@babel/plugin-proposal-optional-catch-binding",
-      "@babel/plugin-transform-runtime",
-    ],
-    ignore: [
-      "../src/**/__tests__/**",
-      "../src/adapters.ts",
-      "../src/providers/oauth-types.ts",
-    ],
-    comments: false,
-    overrides: [
-      {
-        test: [
-          "../src/react/index.tsx",
-          "../src/utils/logger.ts",
-          "../src/core/errors.ts",
-          "../src/client/**",
-        ],
-        presets: [
-          ["@babel/preset-env", { targets: { ie: 11 } }],
-          ["@babel/preset-react", { runtime: "automatic" }],
-        ],
-      },
-      {
-        test: ["../src/core/pages/*.tsx"],
-        presets: ["preact"],
-        plugins: [
-          [
-            "jsx-pragmatic",
-            {
-              module: "preact",
-              export: "h",
-              import: "h",
-            },
-          ],
-        ],
-      },
-    ],
-  }
-}

packages/next-auth/config/generate-providers.js

@@ -1,18 +0,0 @@
-const path = require("path")
-const fs = require("fs")
-
-const providersPath = path.join(process.cwd(), "src/providers")
-
-const files = fs.readdirSync(providersPath, "utf8")
-
-const providers = files.map((file) => {
-  const strippedProviderName = file.substring(0, file.indexOf("."))
-  return `"${strippedProviderName}"`
-})
-
-const result = `
-// THIS FILE IS AUTOGENERATED. DO NOT EDIT.
-export type OAuthProviderType = 
-  | ${providers.join("\n  | ")}`
-
-fs.writeFileSync(path.join(providersPath, "oauth-types.ts"), result)

packages/next-auth/config/jest-setup.js

@@ -1,3 +0,0 @@
-import "regenerator-runtime/runtime"
-import "@testing-library/jest-dom"
-import "whatwg-fetch"

packages/next-auth/config/jest.config.js

@@ -1,43 +0,0 @@
-const swcConfig = require("./swc.config")
-
-/** @type {import('jest').Config} */
-module.exports = {
-  projects: [
-    {
-      displayName: "core",
-      testMatch: ["<rootDir>/tests/**/*.test.ts"],
-      rootDir: ".",
-      transform: {
-        "\\.(js|jsx|ts|tsx)$": ["@swc/jest", swcConfig],
-      },
-      coveragePathIgnorePatterns: ["tests"],
-      testEnvironment: "@edge-runtime/jest-environment",
-      transformIgnorePatterns: ["node_modules/(?!uuid)/"],
-      /** @type {import("@edge-runtime/vm").EdgeVMOptions} */
-      testEnvironmentOptions: {
-        codeGeneration: {
-          strings: true,
-        },
-      },
-    },
-    {
-      displayName: "client",
-      testMatch: ["<rootDir>/src/client/**/*.test.js"],
-      setupFilesAfterEnv: ["./config/jest-setup.js"],
-      rootDir: ".",
-      transform: {
-        "\\.(js|jsx|ts|tsx)$": ["@swc/jest", swcConfig],
-      },
-      testEnvironment: "jsdom",
-      coveragePathIgnorePatterns: ["__tests__"],
-    },
-  ],
-  watchPlugins: [
-    "jest-watch-typeahead/filename",
-    "jest-watch-typeahead/testname",
-  ],
-  collectCoverage: true,
-  coverageDirectory: "../coverage",
-  coverageReporters: ["html", "text-summary"],
-  collectCoverageFrom: ["src/**/*.(js|jsx|ts|tsx)"],
-}

packages/next-auth/config/postcss.config.js

@@ -1,7 +0,0 @@
-module.exports = {
-  plugins: [
-    require('autoprefixer'),
-    require('postcss-nested'),
-    require('cssnano')({ preset: 'default' })
-  ]
-}

packages/next-auth/config/swc.config.js

@@ -1,18 +0,0 @@
-/** @type {import("@swc/core").Config} */
-module.exports = {
-  jsc: {
-    parser: {
-      syntax: "typescript",
-      tsx: true,
-    },
-    transform: {
-      react: {
-        runtime: "automatic",
-        pragma: "React.createElement",
-        pragmaFrag: "React.Fragment",
-        throwIfNamespace: true,
-        useBuiltins: true,
-      },
-    },
-  },
-}

packages/next-auth/config/wrap-css.js

@@ -1,17 +0,0 @@
-// Serverless target in Next.js does not work if you try to read in files at runtime
-// that are not JavaScript or JSON (e.g. CSS files).
-// https://github.com/nextauthjs/next-auth/issues/281
-//
-// To work around this issue, this script is a manual step that wraps CSS in a
-// JavaScript file that has the compiled CSS embedded in it, and exports only
-// a function that returns the CSS as a string.
-const fs = require("fs")
-const path = require("path")
-
-const pathToCss = path.join(__dirname, "../css/index.css")
-const css = fs.readFileSync(pathToCss, "utf8")
-const cssWithEscapedQuotes = css.replace(/"/gm, '\\"')
-
-const js = `module.exports = function() { return "${cssWithEscapedQuotes}" }`
-const pathToCssJs = path.join(__dirname, "../css/index.js")
-fs.writeFileSync(pathToCssJs, js)

packages/next-auth/package.json

@@ -2,7 +2,7 @@
   "name": "next-auth",
   "version": "4.22.1",
   "description": "Authentication for Next.js",
-  "homepage": "https://next-auth.js.org",
+  "homepage": "https://nextjs.authjs.dev",
   "repository": "https://github.com/nextauthjs/next-auth.git",
   "author": "Iain Collins <me@iaincollins.com>",
   "contributors": [
@@ -11,9 +11,6 @@
     "Lluis Agusti <hi@llu.lu>",
     "Thang Huu Vu <thvu@hey.com>"
   ],
-  "main": "index.js",
-  "module": "index.js",
-  "types": "index.d.ts",
   "keywords": [
     "react",
     "nodejs",
@@ -26,104 +23,59 @@
     "oidc",
     "nextauth"
   ],
+  "type": "module",
+  "types": "./index.d.ts",
   "exports": {
-    ".": "./index.js",
-    "./jwt": "./jwt/index.js",
-    "./react": "./react/index.js",
-    "./core": "./core/index.js",
-    "./next": "./next/index.js",
-    "./middleware": "./middleware.js",
-    "./client/_utils": "./client/_utils.js",
-    "./providers/*": "./providers/*.js"
+    ".": {
+      "types": "./index.d.ts",
+      "import": "./index.js"
+    },
+    "./adapters": {
+      "types": "./adapters.d.ts"
+    },
+    "./jwt": {
+      "types": "./jwt.d.ts",
+      "import": "./jwt.js"
+    },
+    "./middleware": {
+      "types": "./middleware.d.ts",
+      "import": "./middleware.js"
+    },
+    "./next": {
+      "types": "./next.d.ts",
+      "import": "./next.js"
+    },
+    "./providers": {
+      "types": "./providers.d.ts"
+    },
+    "./react": {
+      "types": "./react.d.ts",
+      "import": "./react.js"
+    },
+    "./package.json": "./package.json"
   },
   "scripts": {
-    "build": "pnpm clean && pnpm build:js && pnpm build:css",
-    "build:js": "pnpm clean && pnpm generate-providers && pnpm tsc --project tsconfig.json && babel --config-file ./config/babel.config.js src --out-dir . --extensions \".tsx,.ts,.js,.jsx\"",
-    "clean": "rm -rf coverage client css utils providers core jwt react next index.d.ts index.js adapters.d.ts middleware.d.ts middleware.js",
-    "build:css": "postcss --config config/postcss.config.js src/**/*.css --base src --dir . && node config/wrap-css.js",
-    "dev": "pnpm clean && pnpm generate-providers && concurrently \"pnpm watch:css\" \"pnpm watch:ts\"",
-    "watch:ts": "pnpm tsc --project tsconfig.dev.json",
-    "watch:css": "postcss --config config/postcss.config.js --watch src/**/*.css --base src --dir .",
-    "test": "jest --config ./config/jest.config.js",
-    "prepublishOnly": "pnpm build",
-    "generate-providers": "node ./config/generate-providers.js",
-    "lint": "eslint src config tests"
+    "dev": "tsc -w",
+    "clean": "rm -rf *.js *.d.ts lib",
+    "build": "pnpm clean && tsc"
   },
   "files": [
-    "client",
-    "core",
-    "css",
-    "jwt",
+    "*.js",
+    "*.d.ts",
     "lib",
-    "next",
-    "providers",
-    "react",
-    "src",
-    "utils",
-    "*.d.ts*",
-    "*.js"
+    "src"
   ],
+  "devDependencies": {
+    "@types/react": "18.0.37",
+    "typescript": "^4",
+    "next": "13.3.3"
+  },
   "license": "ISC",
   "dependencies": {
-    "@babel/runtime": "^7.20.13",
-    "@panva/hkdf": "^1.0.2",
-    "cookie": "^0.5.0",
-    "jose": "^4.11.4",
-    "oauth": "^0.9.15",
-    "openid-client": "^5.4.0",
-    "preact": "^10.6.3",
-    "preact-render-to-string": "^5.1.19",
-    "uuid": "^8.3.2"
+    "@auth/core": "workspace:*"
   },
   "peerDependencies": {
-    "next": "^12.2.5 || ^13",
-    "nodemailer": "^6.6.5",
-    "react": "^17.0.2 || ^18",
-    "react-dom": "^17.0.2 || ^18"
-  },
-  "peerDependenciesMeta": {
-    "nodemailer": {
-      "optional": true
-    }
-  },
-  "devDependencies": {
-    "@babel/cli": "^7.17.10",
-    "@babel/core": "^7.18.2",
-    "@babel/plugin-proposal-optional-catch-binding": "^7.16.7",
-    "@babel/plugin-transform-runtime": "^7.18.2",
-    "@babel/preset-env": "^7.18.2",
-    "@babel/preset-react": "^7.17.12",
-    "@babel/preset-typescript": "^7.17.12",
-    "@edge-runtime/jest-environment": "1.1.0-beta.35",
-    "@next-auth/tsconfig": "workspace:*",
-    "@swc/core": "^1.2.198",
-    "@swc/jest": "^0.2.21",
-    "@testing-library/dom": "^8.13.0",
-    "@testing-library/jest-dom": "^5.16.4",
-    "@testing-library/react": "^13.3.0",
-    "@testing-library/react-hooks": "^8.0.0",
-    "@testing-library/user-event": "^14.2.0",
-    "@types/jest": "^28.1.3",
-    "@types/node": "^17.0.42",
-    "@types/nodemailer": "^6.4.4",
-    "@types/oauth": "^0.9.1",
-    "@types/react": "18.0.37",
-    "@types/react-dom": "^18.0.6",
-    "autoprefixer": "^10.4.7",
-    "babel-plugin-jsx-pragmatic": "^1.0.2",
-    "babel-preset-preact": "^2.0.0",
-    "concurrently": "^7",
-    "cssnano": "^5.1.11",
-    "jest": "^28.1.1",
-    "jest-environment-jsdom": "^28.1.1",
-    "jest-watch-typeahead": "^1.1.0",
-    "msw": "^0.42.3",
-    "next": "13.3.0",
-    "postcss": "^8.4.14",
-    "postcss-cli": "^9.1.0",
-    "postcss-nested": "^5.0.6",
-    "react": "^18",
-    "react-dom": "^18",
-    "whatwg-fetch": "^3.6.2"
+    "next": "^13.3.3",
+    "react": "^18.2.0"
   }
 }

packages/next-auth/provider-logos/apple-dark.svg

@@ -1,4 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="4 32 376.4 449.4" width="32" height="32">
-  <title>Apple icon</title>
-  <path fill="#fff" d="M318.7 268.7c-.2-36.7 16.4-64.4 50-84.8-18.8-26.9-47.2-41.7-84.7-44.6-35.5-2.8-74.3 20.7-88.5 20.7-15 0-49.4-19.7-76.4-19.7C63.3 141.2 4 184.8 4 273.5q0 39.3 14.4 81.2c12.8 36.7 59 126.7 107.2 125.2 25.2-.6 43-17.9 75.8-17.9 31.8 0 48.3 17.9 76.4 17.9 48.6-.7 90.4-82.5 102.6-119.3-65.2-30.7-61.7-90-61.7-91.9zm-56.6-164.2c27.3-32.4 24.8-61.9 24-72.5-24.1 1.4-52 16.4-67.9 34.9-17.5 19.8-27.8 44.3-25.6 71.9 26.1 2 49.9-11.4 69.5-34.3z"/>
-</svg>

packages/next-auth/provider-logos/apple.svg

@@ -1,4 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="4 32 376.4 449.4" width="32" height="32">
-  <title>Apple icon</title>
-  <path d="M318.7 268.7c-.2-36.7 16.4-64.4 50-84.8-18.8-26.9-47.2-41.7-84.7-44.6-35.5-2.8-74.3 20.7-88.5 20.7-15 0-49.4-19.7-76.4-19.7C63.3 141.2 4 184.8 4 273.5q0 39.3 14.4 81.2c12.8 36.7 59 126.7 107.2 125.2 25.2-.6 43-17.9 75.8-17.9 31.8 0 48.3 17.9 76.4 17.9 48.6-.7 90.4-82.5 102.6-119.3-65.2-30.7-61.7-90-61.7-91.9zm-56.6-164.2c27.3-32.4 24.8-61.9 24-72.5-24.1 1.4-52 16.4-67.9 34.9-17.5 19.8-27.8 44.3-25.6 71.9 26.1 2 49.9-11.4 69.5-34.3z"/>
-</svg>

packages/next-auth/provider-logos/atlassian-dark.svg

@@ -1,8 +0,0 @@
-<svg viewBox="0.29136862699701993 -41.138268758326056 145.22149045698177 186.73799623391153" xmlns="http://www.w3.org/2000/svg" width="32" height="32">
-  <linearGradient id="a" gradientTransform="matrix(1 0 0 -1 0 228)" gradientUnits="userSpaceOnUse" x1="62.57" x2="25.03" y1="150.13" y2="85.11">
-    <stop offset="0" stop-color="#0052cc"/>
-    <stop offset=".92" stop-color="#2684ff"/>
-  </linearGradient>
-  <path d="M43 67a4.14 4.14 0 0 0-5.79-.78A4.29 4.29 0 0 0 36 67.73L.45 138.85a4.25 4.25 0 0 0 1.9 5.7 4.18 4.18 0 0 0 1.9.45h49.53a4.08 4.08 0 0 0 3.8-2.35C68.27 120.57 61.79 87 43 67z" fill="url(#a)"/>
-  <path d="M69.13 2.28a93.82 93.82 0 0 0-5.48 92.61l23.88 47.76a4.25 4.25 0 0 0 3.8 2.35h49.52a4.24 4.24 0 0 0 4.25-4.25 4.31 4.31 0 0 0-.44-1.9L76.36 2.26a4 4 0 0 0-7.23 0z" fill="#2684ff"/>
-</svg>

packages/next-auth/provider-logos/atlassian.svg

@@ -1,4 +0,0 @@
-<svg viewBox="0.29136862699701993 -41.138268758326056 145.22149045698177 186.73799623391153" xmlns="http://www.w3.org/2000/svg" width="32" height="32">
-  <path d="M43 67a4.14 4.14 0 0 0-5.79-.78A4.29 4.29 0 0 0 36 67.73L.45 138.85a4.25 4.25 0 0 0 1.9 5.7 4.18 4.18 0 0 0 1.9.45h49.53a4.08 4.08 0 0 0 3.8-2.35C68.27 120.57 61.79 87 43 67z" fill="#fff"/>
-  <path d="M69.13 2.28a93.82 93.82 0 0 0-5.48 92.61l23.88 47.76a4.25 4.25 0 0 0 3.8 2.35h49.52a4.24 4.24 0 0 0 4.25-4.25 4.31 4.31 0 0 0-.44-1.9L76.36 2.26a4 4 0 0 0-7.23 0z" fill="#fff"/>
-</svg>

packages/next-auth/provider-logos/auth0-dark.svg

@@ -1,12 +0,0 @@
-<svg width="32" height="32" viewBox="0 0 41 45" fill="none" xmlns="http://www.w3.org/2000/svg">
-  <g clip-path="url(#clip0)">
-    <path d="M35.3018 0H20.5L25.0737 14.076H39.8755L27.9009 22.4701L32.4746 36.6253C40.1827 31.081 42.7027 22.6883 39.8755 14.076L35.3018 0Z" fill="white"/>
-    <path d="M1.12504 14.076H15.9268L20.5005 0H5.69875L1.12504 14.076C-1.70213 22.6898 0.8178 31.081 8.52592 36.6253L13.0996 22.4701L1.12504 14.076Z" fill="white"/>
-    <path d="M8.52539 36.6251L20.5 44.9998L32.4746 36.6251L20.5 28.1084L8.52539 36.6251Z" fill="white"/>
-  </g>
-  <defs>
-    <clipPath id="clip0">
-      <rect width="41" height="45" fill="none"/>
-    </clipPath>
-  </defs>
-</svg>

packages/next-auth/provider-logos/auth0.svg

@@ -1,3 +0,0 @@
-<svg width="32" height="32" viewBox="0 0 256 287" xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMinYMin meet">
-  <path d="M203.24 231.531l-28.73-88.434 75.208-54.64h-92.966L128.019.025l-.009-.024h92.98l28.74 88.446.002-.002.024-.013c16.69 51.31-.5 109.67-46.516 143.098zm-150.45 0l-.023.017 75.228 54.655 75.245-54.67-75.221-54.656-75.228 54.654zM6.295 88.434c-17.57 54.088 2.825 111.4 46.481 143.108l.007-.028 28.735-88.429-75.192-54.63h92.944L128.004.024 128.01 0H35.025L6.294 88.434z" fill="#EB5424"/>
-</svg>

packages/next-auth/provider-logos/azure-dark.svg

@@ -1,3 +0,0 @@
-<svg viewBox="0 0 59.242 47.271" width="32" height="32" xmlns="http://www.w3.org/2000/svg">
-  <path d="m32.368 0-17.468 15.145-14.9 26.75h13.437zm2.323 3.543-7.454 21.008 14.291 17.956-27.728 4.764h45.442z" fill="#fff"/>
-</svg>

packages/next-auth/provider-logos/azure.svg

@@ -1,3 +0,0 @@
-<svg viewBox="0 0 59.242 47.271" width="32" height="32" xmlns="http://www.w3.org/2000/svg">
-  <path d="m32.368 0-17.468 15.145-14.9 26.75h13.437zm2.323 3.543-7.454 21.008 14.291 17.956-27.728 4.764h45.442z" fill="#0072c6"/>
-</svg>

packages/next-auth/provider-logos/battlenet-dark.svg

@@ -1,3 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 600 580.44" width="32" height="32">
-  <path d="M473.49,197.63c-75.94-35.11-185.08-57.42-287.78-49.11,5.15-34,17.85-57.69,38.7-62.68,28.69-6.88,60,12,89.84,46.35,19.55,2.53,42.73,7,58.86,10.71C318.7,40.56,245.72-16.8,190.21,4.36,148,20.47,126.39,78.59,129,156.69c-55,11.7-97.87,32.49-125.31,62.39-1.39,1.61-4.53,5.67-3.41,7.61.85,1.47,3.65-.18,4.85-1,31.83-22.26,72.58-34.31,125.66-41.89,7.56,83.32,42.81,189,101.36,273.78-32,12.56-58.89,13.39-73.64-2.17-20.29-21.41-19.61-57.95-4.77-101-7.58-18.2-15.31-40.51-20.15-56.34C72.12,396.41,58.93,488.29,105,525.78c35.07,28.52,96.18,18.15,162.54-23.12,37.64,41.79,77.07,68.51,116.69,77.33,2.09.39,7.17,1.09,8.29-.85.85-1.47-2-3.08-3.28-3.71-35.19-16.44-66-45.71-99.1-87.88C358.53,439.34,432.42,356,476.57,262.88c26.9,21.47,41,44.3,34.94,64.85-8.4,28.29-40.38,46-85.06,54.63C414.48,398,399,415.86,387.74,428c115.84,4,202-30.47,211.43-89.12,7.17-44.64-32.37-92.38-101.3-129.21,17.38-53.49,20.8-101,8.63-139.72-.71-2-2.64-6.76-4.88-6.76-1.7,0-1.68,3.26-1.58,4.7C503.41,106.55,493.47,147.88,473.49,197.63ZM260.21,444.33c-49-78.61-77.24-171.21-77.06-264.84h0C275.71,176.39,370,198.2,451,245.17h0c-43.59,81.71-109.64,152.49-190.82,199.15Z" fill="#fff"/>
-</svg>

packages/next-auth/provider-logos/battlenet.svg

@@ -1,3 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 600 580.44" width="32" height="32">
-  <path d="M473.49,197.63c-75.94-35.11-185.08-57.42-287.78-49.11,5.15-34,17.85-57.69,38.7-62.68,28.69-6.88,60,12,89.84,46.35,19.55,2.53,42.73,7,58.86,10.71C318.7,40.56,245.72-16.8,190.21,4.36,148,20.47,126.39,78.59,129,156.69c-55,11.7-97.87,32.49-125.31,62.39-1.39,1.61-4.53,5.67-3.41,7.61.85,1.47,3.65-.18,4.85-1,31.83-22.26,72.58-34.31,125.66-41.89,7.56,83.32,42.81,189,101.36,273.78-32,12.56-58.89,13.39-73.64-2.17-20.29-21.41-19.61-57.95-4.77-101-7.58-18.2-15.31-40.51-20.15-56.34C72.12,396.41,58.93,488.29,105,525.78c35.07,28.52,96.18,18.15,162.54-23.12,37.64,41.79,77.07,68.51,116.69,77.33,2.09.39,7.17,1.09,8.29-.85.85-1.47-2-3.08-3.28-3.71-35.19-16.44-66-45.71-99.1-87.88C358.53,439.34,432.42,356,476.57,262.88c26.9,21.47,41,44.3,34.94,64.85-8.4,28.29-40.38,46-85.06,54.63C414.48,398,399,415.86,387.74,428c115.84,4,202-30.47,211.43-89.12,7.17-44.64-32.37-92.38-101.3-129.21,17.38-53.49,20.8-101,8.63-139.72-.71-2-2.64-6.76-4.88-6.76-1.7,0-1.68,3.26-1.58,4.7C503.41,106.55,493.47,147.88,473.49,197.63ZM260.21,444.33c-49-78.61-77.24-171.21-77.06-264.84h0C275.71,176.39,370,198.2,451,245.17h0c-43.59,81.71-109.64,152.49-190.82,199.15Z" fill="#148eff"/>
-</svg>

packages/next-auth/provider-logos/box-dark.svg

@@ -1,6 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" viewBox="0 0 444.893 245.414">
-  <g fill="#fff">
-    <path d="M239.038 72.43c-33.081 0-61.806 18.6-76.322 45.904-14.516-27.305-43.24-45.902-76.32-45.902-19.443 0-37.385 6.424-51.821 17.266V16.925h-.008C34.365 7.547 26.713 0 17.286 0 7.858 0 .208 7.547.008 16.925H0v143.333h.036c.768 47.051 39.125 84.967 86.359 84.967 33.08 0 61.805-18.603 76.32-45.908 14.517 27.307 43.241 45.906 76.321 45.906 47.715 0 86.396-38.684 86.396-86.396.001-47.718-38.682-86.397-86.394-86.397zM86.395 210.648c-28.621 0-51.821-23.201-51.821-51.82 0-28.623 23.201-51.823 51.821-51.823 28.621 0 51.822 23.2 51.822 51.823 0 28.619-23.201 51.82-51.822 51.82zm152.643 0c-28.622 0-51.821-23.201-51.821-51.822 0-28.623 23.2-51.821 51.821-51.821 28.619 0 51.822 23.198 51.822 51.821-.001 28.621-23.203 51.822-51.822 51.822z"/>
-    <path d="M441.651 218.033l-44.246-59.143 44.246-59.144-.008-.007c5.473-7.62 3.887-18.249-3.652-23.913-7.537-5.658-18.187-4.221-23.98 3.157l-.004-.002-38.188 51.047-38.188-51.047-.006.009c-5.793-7.385-16.441-8.822-23.981-3.16-7.539 5.664-9.125 16.293-3.649 23.911l-.008.005 44.245 59.144-44.245 59.143.008.005c-5.477 7.62-3.89 18.247 3.649 23.909 7.54 5.664 18.188 4.225 23.981-3.155l.006.007 38.188-51.049 38.188 51.049.004-.002c5.794 7.377 16.443 8.814 23.98 3.154 7.539-5.662 9.125-16.291 3.652-23.91l.008-.008z"/>
-  </g>
-</svg>

packages/next-auth/provider-logos/box.svg

@@ -1,6 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" viewBox="0 0 444.893 245.414">
-  <g fill="#0075C9">
-    <path d="M239.038 72.43c-33.081 0-61.806 18.6-76.322 45.904-14.516-27.305-43.24-45.902-76.32-45.902-19.443 0-37.385 6.424-51.821 17.266V16.925h-.008C34.365 7.547 26.713 0 17.286 0 7.858 0 .208 7.547.008 16.925H0v143.333h.036c.768 47.051 39.125 84.967 86.359 84.967 33.08 0 61.805-18.603 76.32-45.908 14.517 27.307 43.241 45.906 76.321 45.906 47.715 0 86.396-38.684 86.396-86.396.001-47.718-38.682-86.397-86.394-86.397zM86.395 210.648c-28.621 0-51.821-23.201-51.821-51.82 0-28.623 23.201-51.823 51.821-51.823 28.621 0 51.822 23.2 51.822 51.823 0 28.619-23.201 51.82-51.822 51.82zm152.643 0c-28.622 0-51.821-23.201-51.821-51.822 0-28.623 23.2-51.821 51.821-51.821 28.619 0 51.822 23.198 51.822 51.821-.001 28.621-23.203 51.822-51.822 51.822z"/>
-    <path d="M441.651 218.033l-44.246-59.143 44.246-59.144-.008-.007c5.473-7.62 3.887-18.249-3.652-23.913-7.537-5.658-18.187-4.221-23.98 3.157l-.004-.002-38.188 51.047-38.188-51.047-.006.009c-5.793-7.385-16.441-8.822-23.981-3.16-7.539 5.664-9.125 16.293-3.649 23.911l-.008.005 44.245 59.144-44.245 59.143.008.005c-5.477 7.62-3.89 18.247 3.649 23.909 7.54 5.664 18.188 4.225 23.981-3.155l.006.007 38.188-51.049 38.188 51.049.004-.002c5.794 7.377 16.443 8.814 23.98 3.154 7.539-5.662 9.125-16.291 3.652-23.91l.008-.008z"/>
-  </g>
-</svg>

packages/next-auth/provider-logos/cognito.svg

@@ -1,10 +0,0 @@
-<svg width="32" height="32" viewBox="0 0 256 299" xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMidYMid">
-  <path d="M208.752 58.061l25.771-6.636.192.283.651 155.607-.843.846-5.31.227-20.159-3.138-.302-.794V58.061M59.705 218.971l.095.007 68.027 19.767.173.133.296.236-.096 59.232-.2.252-68.295-33.178v-46.449" fill="#7A3E65"/>
-  <path d="M208.752 204.456l-80.64 19.312-40.488-9.773-27.919 4.976L128 238.878l105.405-28.537 1.118-2.18-25.771-3.705" fill="#CFB2C1"/>
-  <path d="M196.295 79.626l-.657-.749-66.904-19.44-.734.283-.672-.343L22.052 89.734l-.575.703.845.463 24.075 3.53.851-.289 80.64-19.311 40.488 9.773 27.919-4.977" fill="#512843"/>
-  <path d="M47.248 240.537l-25.771 6.221-.045-.149-1.015-155.026 1.06-1.146 25.771 3.704v146.396" fill="#C17B9E"/>
-  <path d="M82.04 180.403l45.96 5.391.345-.515.187-71.887-.532-.589-45.96 5.392v62.208" fill="#7A3E65"/>
-  <path d="M173.96 180.403L128 185.794v-72.991l45.96 5.392v62.208M196.295 79.626L128 59.72V0l68.295 33.177v46.449" fill="#C17B9E"/>
-  <path d="M128 0L0 61.793v175.011l21.477 9.954V90.437L128 59.72V0" fill="#7A3E65"/>
-  <path d="M234.523 51.425v156.736L128 238.878v59.72l128-61.794V61.793l-21.477-10.368" fill="#C17B9E"/>
-</svg>

packages/next-auth/provider-logos/discord-dark.svg

@@ -1,3 +0,0 @@
-<svg width="32" height="32" viewBox="0 0 256 293" xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMidYMid">
-  <path d="M226.011 0H29.99C13.459 0 0 13.458 0 30.135v197.778c0 16.677 13.458 30.135 29.989 30.135h165.888l-7.754-27.063 18.725 17.408 17.7 16.384L256 292.571V30.135C256 13.458 242.542 0 226.011 0zm-56.466 191.05s-5.266-6.291-9.655-11.85c19.164-5.413 26.478-17.408 26.478-17.408-5.998 3.95-11.703 6.73-16.823 8.63-7.314 3.073-14.336 5.12-21.211 6.291-14.044 2.633-26.917 1.902-37.888-.146-8.339-1.61-15.507-3.95-21.504-6.29-3.365-1.317-7.022-2.926-10.68-4.974-.438-.293-.877-.439-1.316-.732-.292-.146-.439-.292-.585-.438-2.633-1.463-4.096-2.487-4.096-2.487s7.022 11.703 25.6 17.261c-4.388 5.56-9.801 12.142-9.801 12.142-32.33-1.024-44.617-22.235-44.617-22.235 0-47.104 21.065-85.285 21.065-85.285 21.065-15.799 41.106-15.36 41.106-15.36l1.463 1.756C80.75 77.53 68.608 89.088 68.608 89.088s3.218-1.755 8.63-4.242c15.653-6.876 28.088-8.777 33.208-9.216.877-.147 1.609-.293 2.487-.293a123.776 123.776 0 0 1 29.55-.292c13.896 1.609 28.818 5.705 44.031 14.043 0 0-11.556-10.971-36.425-18.578l2.048-2.34s20.041-.44 41.106 15.36c0 0 21.066 38.18 21.066 85.284 0 0-12.435 21.211-44.764 22.235zm-68.023-68.316c-8.338 0-14.92 7.314-14.92 16.237 0 8.924 6.728 16.238 14.92 16.238 8.339 0 14.921-7.314 14.921-16.238.147-8.923-6.582-16.237-14.92-16.237m53.394 0c-8.339 0-14.922 7.314-14.922 16.237 0 8.924 6.73 16.238 14.922 16.238 8.338 0 14.92-7.314 14.92-16.238 0-8.923-6.582-16.237-14.92-16.237" fill="#fff"/>
-</svg>

packages/next-auth/provider-logos/discord.svg

@@ -1,3 +0,0 @@
-<svg width="32" height="32" viewBox="0 0 256 293" xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMidYMid">
-  <path d="M226.011 0H29.99C13.459 0 0 13.458 0 30.135v197.778c0 16.677 13.458 30.135 29.989 30.135h165.888l-7.754-27.063 18.725 17.408 17.7 16.384L256 292.571V30.135C256 13.458 242.542 0 226.011 0zm-56.466 191.05s-5.266-6.291-9.655-11.85c19.164-5.413 26.478-17.408 26.478-17.408-5.998 3.95-11.703 6.73-16.823 8.63-7.314 3.073-14.336 5.12-21.211 6.291-14.044 2.633-26.917 1.902-37.888-.146-8.339-1.61-15.507-3.95-21.504-6.29-3.365-1.317-7.022-2.926-10.68-4.974-.438-.293-.877-.439-1.316-.732-.292-.146-.439-.292-.585-.438-2.633-1.463-4.096-2.487-4.096-2.487s7.022 11.703 25.6 17.261c-4.388 5.56-9.801 12.142-9.801 12.142-32.33-1.024-44.617-22.235-44.617-22.235 0-47.104 21.065-85.285 21.065-85.285 21.065-15.799 41.106-15.36 41.106-15.36l1.463 1.756C80.75 77.53 68.608 89.088 68.608 89.088s3.218-1.755 8.63-4.242c15.653-6.876 28.088-8.777 33.208-9.216.877-.147 1.609-.293 2.487-.293a123.776 123.776 0 0 1 29.55-.292c13.896 1.609 28.818 5.705 44.031 14.043 0 0-11.556-10.971-36.425-18.578l2.048-2.34s20.041-.44 41.106 15.36c0 0 21.066 38.18 21.066 85.284 0 0-12.435 21.211-44.764 22.235zm-68.023-68.316c-8.338 0-14.92 7.314-14.92 16.237 0 8.924 6.728 16.238 14.92 16.238 8.339 0 14.921-7.314 14.921-16.238.147-8.923-6.582-16.237-14.92-16.237m53.394 0c-8.339 0-14.922 7.314-14.922 16.237 0 8.924 6.73 16.238 14.922 16.238 8.338 0 14.92-7.314 14.92-16.238 0-8.923-6.582-16.237-14.92-16.237" fill="#7289DA"/>
-</svg>