correction

* chore(docs): Session management sample for Svelte

Added a code sample for managing the session through the $page store.
The sample demonstrates how to retrieve the session data in the root
+page.server.ts file and make it globally accessible through the $page
store, simplifying state management in the application. The previous
examples already used the data available in this store but did not show
how to set it.

* docs: Add authorization section to SvelteKit docs

This authorization section was added to make sure a few caveats with
SvelteKit were well documented to anyone using the library.

The problem is documented here: https://github.com/sveltejs/kit/issues/6315

Essentially, propagation of data between leafs is not guaranteed when
using the +layout.server.ts file as its load function is not guaranteed
to rerun every page change. The current approach to solve this is to do
authorization in each +page.server.ts file and additionally make sure to
grab the session data by awaiting the parent instead of directly
accessing the $page store, to make sure the information there is
current.

* docs: Fix small typesafety mistake in SvelteKit

PageLoad type should actually be PageServerLoad. Not setting this does
not actually generate any problems other than TypeScript complaining
that this type is not actually exported.

* docs: Add handle hook authorization management

Another way to handle authorization is through a path-based method. This
added part of the documentation uses the handle hook to protect certain
routes based on their path. The previous method which is per-component
is still present.

* docs: Simplify component approach for Svelte auth

Using event.locals.getSession() exposed by SvelteKitAuth instead of
relying in the root layout file making that available in the $page
store.

* docs: Complete SvelteKit authorization docs

Finalize the explanation for the URI-based approach and also clarify
interactions with the component-based approach.

* docs: Add formatting to vars in the SvelteKit docs

Format the variables like this: `var` so that it appears clearly as code
when reading the documentation.

Co-authored-by: Thang Vu <hi@thvu.dev>

.github/actions/issue-validator/src/index.mjs

@@ -41,13 +41,7 @@ async function run() {
       label: { name: newLabel },
     } = payload
 
-    if (
-      pull_request ||
-      !issue?.body ||
-      !process.env.GITHUB_TOKEN ||
-      !process.env.GITHUB_ACTION_PATH
-    )
-      return
+    if (pull_request || !issue?.body || !process.env.GITHUB_TOKEN) return
 
     const labels = issue.labels.map((l) => l.name)
     // const isBugReport =
@@ -78,7 +72,9 @@ async function run() {
         client.issues.createComment({
           ...issueCommon,
           body: readFileSync(
-            join(process.env.GITHUB_ACTION_PATH, "repro.md"),
+            join(
+              "/home/runner/work/next-auth/next-auth/.github/actions/issue-validator/repro.md"
+            ),
             "utf8"
           ),
         }),

apps/dev/nextjs/components/header.js

@@ -1,5 +1,5 @@
 import Link from "next/link"
-import { signIn, signOut, useSession } from "next-auth/react"
+import { useSession } from "next-auth/react"
 import styles from "./header.module.css"
 
 // The approach used in this component shows how to built a sign in and sign out
@@ -24,14 +24,7 @@ export default function Header() {
               <span className={styles.notSignedInText}>
                 You are not signed in
               </span>
-              <a
-                href="/api/auth/signin"
-                className={styles.buttonPrimary}
-                onClick={(e) => {
-                  e.preventDefault()
-                  signIn()
-                }}
-              >
+              <a href="/api/auth/signin" className={styles.buttonPrimary}>
                 Sign in
               </a>
             </>
@@ -47,14 +40,7 @@ export default function Header() {
                 <strong>{session.user.email} </strong>
                 {session.user.name ? `(${session.user.name})` : null}
               </span>
-              <a
-                href="/api/auth/signout"
-                className={styles.button}
-                onClick={(e) => {
-                  e.preventDefault()
-                  signOut()
-                }}
-              >
+              <a href="/api/auth/signout" className={styles.button}>
                 Sign out
               </a>
             </>

apps/examples/nextjs/README.md

@@ -1,9 +1,14 @@
-> The example repository is maintained from a [monorepo](https://github.com/nextauthjs/next-auth/tree/main/apps/example-nextjs). Pull Requests should be opened against [`nextauthjs/next-auth`](https://github.com/nextauthjs/next-auth).
+> The example repository is maintained from a [monorepo](https://github.com/nextauthjs/next-auth/tree/main/apps/examples/nextjs). Pull Requests should be opened against [`nextauthjs/next-auth`](https://github.com/nextauthjs/next-auth).
 
 <p align="center">
    <br/>
-   <a href="https://next-auth.js.org" target="_blank"><img width="150px" src="https://next-auth.js.org/img/logo/logo-sm.png" /></a>
-   <h3 align="center">NextAuth.js Example App</h3>
+   <a href="https://authjs.dev" target="_blank">
+   <img height="64" src="https://authjs.dev/img/logo/logo-sm.png" />
+   </a>
+   <a href="https://nextjs.org" target="_blank">
+   <img height="64" src="https://nextjs.org/static/favicon/android-chrome-192x192.png" />
+   </a>
+   <h3 align="center"><b>NextAuth.js</b> - Example App</h3>
    <p align="center">
    Open Source. Full Stack. Own Your Data.
    </p>
@@ -25,20 +30,14 @@
 
 ## Overview
 
-NextAuth.js is a complete open source authentication solution.
+NextAuth.js is a complete open-source authentication solution.
 
 This is an example application that shows how `next-auth` is applied to a basic Next.js app.
 
 The deployed version can be found at [`next-auth-example.vercel.app`](https://next-auth-example.vercel.app)
 
-### About NextAuth.js
-
-NextAuth.js is an easy to implement, full-stack (client/server) open source authentication library originally designed for [Next.js](https://nextjs.org) and [Serverless](https://vercel.com). Our goal is to [support even more frameworks](https://github.com/nextauthjs/next-auth/issues/2294) in the future.
-
 Go to [next-auth.js.org](https://next-auth.js.org) for more information and documentation.
 
-> _NextAuth.js is not officially associated with Vercel or Next.js._
-
 ## Getting Started
 
 ### 1. Clone the repository and install dependencies
@@ -98,15 +97,13 @@ npm run start
 
 ### 5. Preparing for Production
 
-Follow the [Deployment documentation](https://next-auth.js.org/deployment)
+Follow the [Deployment documentation](https://authjs.dev/guides/basics/deployment) or deploy the example instantly using [Vercel](https://vercel.com?utm_source=github&utm_medium=readme&utm_campaign=next-auth-example)
+
+[![Deploy with Vercel](https://vercel.com/button)](https://vercel.com/new/git/external?repository-url=https://github.com/nextauthjs/next-auth-example&project-name=next-auth-example&repository-name=next-auth-example)
 
 ## Acknowledgements
 
 <a href="https://vercel.com?utm_source=nextauthjs&utm_campaign=oss">
-<img width="170px" src="https://raw.githubusercontent.com/nextauthjs/next-auth/canary/www/static/img/powered-by-vercel.svg" alt="Powered By Vercel" />
+<img width="170px" src="https://raw.githubusercontent.com/nextauthjs/next-auth/main/docs/static/img/powered-by-vercel.svg" alt="Powered By Vercel" />
 </a>
-<p align="left">Thanks to Vercel sponsoring this project by allowing it to be deployed for free for the entire NextAuth.js Team</p>
-
-## License
-
-ISC
+<p align="left">Thanks to Vercel sponsoring this project by allowing it to be deployed for free for the entire Auth.js Team</p>

apps/examples/nextjs/pages/server.tsx

@@ -3,9 +3,10 @@ import { authOptions } from "./api/auth/[...nextauth]"
 import Layout from "../components/layout"
 
 import type { GetServerSidePropsContext } from "next"
-import type { Session } from "next-auth"
+import { useSession } from "next-auth/react"
 
-export default function ServerSidePage({ session }: { session: Session }) {
+export default function ServerSidePage() {
+  const { data: session } = useSession()
   // As this page uses Server Side Rendering, the `session` will be already
   // populated on render without needing to go through a loading stage.
   return (

apps/examples/solid-start/README.MD

@@ -1,16 +1,57 @@
-# Create JD App
+> The example repository is maintained from a [monorepo](https://github.com/nextauthjs/next-auth/tree/main/apps/examples/solid-start). Pull Requests should be opened against [`nextauthjs/next-auth`](https://github.com/nextauthjs/next-auth).
 
-This project was created using [Create JD App](https://github.com/OrJDev/create-jd-app)
+<p align="center">
+   <br/>
+   <a href="https://authjs.dev" target="_blank">
+   <img height="64" src="https://authjs.dev/img/logo/logo-sm.png" />
+   </a>
+   <a href="https://start.solidjs.com" target="_blank">
+   <img height="64" src="https://www.solidjs.com/assets/logo-123b04bc.svg" />
+   </a>
+   <h3 align="center"><b>SolidStart Auth</b> - Example App</h3>
+   <p align="center">
+   Open Source. Full Stack. Own Your Data.
+   </p>
+   <p align="center" style="align: center;">
+      <a href="https://npm.im/@auth/solid-start">
+        <img alt="npm" src="https://img.shields.io/npm/v/@auth/solid-start?color=green&label=@auth/solid-start&style=flat-square">
+      </a>
+      <a href="https://bundlephobia.com/result?p=@auth/solid-start">
+        <img src="https://img.shields.io/bundlephobia/minzip/@auth/solid-start?label=size&style=flat-square" alt="Bundle Size"/>
+      </a>
+      <a href="https://www.npmtrends.com/@auth/solid-start">
+        <img src="https://img.shields.io/npm/dm/@auth/solid-start?label=downloads&style=flat-square" alt="Downloads" />
+      </a>
+      <a href="https://npm.im/@auth/solid-start">
+        <img src="https://img.shields.io/badge/TypeScript-blue?style=flat-square" alt="TypeScript" />
+      </a>
+   </p>
+</p>
 
-## Deploying To Vercel
+## Overview
+
+This is the official SolidStart Auth example for [Auth.js](https://authjs.dev).
+
+
+## Getting started
+
+You can follow the guide below, or click the following button to deploy this example to [Vercel](https://vercel.com?utm_source=github&utm_medium=readme&utm_campaign=solid-start-auth-example).
+
+[![Deploy with Vercel](https://vercel.com/button)](https://vercel.com/new/git/external?repository-url=https://github.com/nextauthjs/solid-start-auth-example&project-name=solid-start-auth-example&repository-name=solid-start-auth-example)
 
 ### Installing
 
-```bash
-npm install solid-start-vercel@latest -D
+```sh
+pnpm add -D solid-start-vercel
+```
+```sh
+npm i -D solid-start-vercel
+```
+```sh
+yarn add -D solid-start-vercel
 ```
 
-### Adding to vite config
+### Adding to Vite config
 
 ```ts
 import solid from "solid-start/vite";
@@ -32,6 +73,13 @@ export default defineConfig(() => {
 
 - `ENABLE_VC_BUILD`=`1` .
 
-### You Are Done
+### Finishing up
 
-Create a github repo and push your code to it, then deploy it to vercel (:
+Create a GitHub repo and push the code to it, then deploy it to Vercel.
+
+## Acknowledgements
+
+<a href="https://vercel.com?utm_source=nextauthjs&utm_campaign=oss">
+<img width="170px" src="https://raw.githubusercontent.com/nextauthjs/next-auth/main/docs/static/img/powered-by-vercel.svg" alt="Powered By Vercel" />
+</a>
+<p align="left">Thanks to Vercel sponsoring this project by allowing it to be deployed for free for the entire Auth.js Team</p>

apps/examples/solid-start/src/routes/index.tsx

@@ -29,7 +29,7 @@ const Home: ParentComponent = () => {
           </A>{" "}
           with{" "}
           <A
-            href="https://authjs.dev/reference/solid-start/modules/main"
+            href="https://authjs.dev/reference/solidstart"
             class="text-blue-500 underline font-bold"
           >
             SolidStart Auth

apps/examples/sveltekit/README.md

@@ -1,9 +1,14 @@
-> The example repository is maintained from a [monorepo](https://github.com/nextauthjs/next-auth/tree/main/apps/example-sveltekit). Pull Requests should be opened against [`nextauthjs/next-auth`](https://github.com/nextauthjs/next-auth).
+> The example repository is maintained from a [monorepo](https://github.com/nextauthjs/next-auth/tree/main/apps/examples/sveltekit). Pull Requests should be opened against [`nextauthjs/next-auth`](https://github.com/nextauthjs/next-auth).
 
 <p align="center">
    <br/>
-   <a href="https://authjs.dev" target="_blank"><img width="150px" src="https://authjs.dev/img/logo/logo-sm.png" /></a>
-   <h3 align="center">Auth.js Example App with <a href="https://kit.svelte.dev">SvelteKit</a></h3>
+   <a href="https://authjs.dev" target="_blank">
+   <img height="64" src="https://authjs.dev/img/logo/logo-sm.png" />
+   </a>
+   <a href="https://kit.svelte.dev" target="_blank">
+   <img height="64" src="https://upload.wikimedia.org/wikipedia/commons/1/1b/Svelte_Logo.svg" />
+   </a>
+   <h3 align="center"><b>SvelteKit Auth</b> - Example App</h3>
    <p align="center">
    Open Source. Full Stack. Own Your Data.
    </p>
@@ -11,18 +16,25 @@
       <a href="https://npm.im/@auth/sveltekit">
         <img alt="npm" src="https://img.shields.io/npm/v/@auth/sveltekit?color=green&label=@auth/sveltekit&style=flat-square">
       </a>
-      <a href="https://bundlephobia.com/result?p=sveltekit-auth-example">
+      <a href="https://bundlephobia.com/result?p=@auth/sveltekit">
         <img src="https://img.shields.io/bundlephobia/minzip/@auth/sveltekit?label=size&style=flat-square" alt="Bundle Size"/>
       </a>
       <a href="https://www.npmtrends.com/@auth/sveltekit">
-        <img src="https://img.shields.io/npm/dm/@auth/sveltekit?label=%20downloads&style=flat-square" alt="Downloads" />
+        <img src="https://img.shields.io/npm/dm/@auth/sveltekit?label=downloads&style=flat-square" alt="Downloads" />
       </a>
-      <a href="https://npm.im/next-auth">
+      <a href="https://npm.im/@auth/sveltekit">
         <img src="https://img.shields.io/badge/TypeScript-blue?style=flat-square" alt="TypeScript" />
       </a>
    </p>
 </p>
 
-# Documentation
+## Overview
 
-- [sveltekit.authjs.dev](https://sveltekit.authjs.dev)
+This is the official SvelteKit Auth example for [Auth.js](https://sveltekit.authjs.dev).
+
+
+## Getting started
+
+You can instantly deploy this example to [Vercel](https://vercel.com?utm_source=github&utm_medium=readme&utm_campaign=sveltekit-auth-example) by clicking the following button.
+
+[![Deploy with Vercel](https://vercel.com/button)](https://vercel.com/new/git/external?repository-url=https://github.com/nextauthjs/sveltekit-auth-example&project-name=sveltekit-auth-example&repository-name=sveltekit-auth-example)

docs/docs/guides/03-basics/refresh-token-rotation.md

@@ -2,119 +2,203 @@
 title: Refresh token rotation
 ---
 
-While Auth.js doesn't automatically handle access token rotation for [OAuth providers](/reference/providers/oauth-builtin) yet, this functionality can be implemented using [callbacks](/guides/basics/callbacks).
+Refresh token rotation is the practice of updating an `access_token` on behalf of the user, without requiring interaction (eg.: re-sign in). `access_token`s are usually issued for a limited time. After they expire, the service verifying them will ignore the value. Instead of asking the user to sign in again to obtain a new `access_token`, certain providers support exchanging a `refresh_token` for a new `access_token`, renewing the expiry time. Let's see how this can be achieved.
 
-## Source Code
-
-A working example can be accessed [here](https://github.com/nextauthjs/next-auth-refresh-token-example).
+:::note
+Our goal is to add zero-config support for built-in providers eventually. Let us know if you would like to help.
+:::
 
 ## Implementation
 
+First, make sure that the provider you want to use supports `refresh_token`'s. Check out [The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-6) spec for more details.
+
 ### Server Side
 
-Using a [JWT callback](https://authjs.dev/guides/basics/callbacks#jwt-callback) and a [session callback](https://authjs.dev/guides/basics/callbacks#session-callback), we can persist OAuth tokens and refresh them when they expire.
+Depending on the session strategy, `refresh_token` can be persisted either in a database, or in a cookie, in an encrypted JWT.
+
+:::info
+Using a JWT to store the `refresh_token` is less secure than saving it in a database, and you need to evaluate based on your requirements which strategy you choose.
+:::
+
+#### JWT strategy
+
+Using the [jwt](../../reference/03-core/interfaces/types.CallbacksOptions.md#jwt) and [session](../../reference/03-core/interfaces/types.CallbacksOptions.md#session) callbacks, we can persist OAuth tokens and refresh them when they expire.
 
 Below is a sample implementation using Google's Identity Provider. Please note that the OAuth 2.0 request in the `refreshAccessToken()` function will vary between different providers, but the core logic should remain similar.
 
-```js title="pages/api/auth/[...nextauth].js"
-import NextAuth from "next-auth"
-import GoogleProvider from "next-auth/providers/google"
+```ts
+import { Auth } from "@auth/core"
+import { type TokenSet } from "@auth/core/types"
+import Google from "@auth/core/providers/google"
 
-const GOOGLE_AUTHORIZATION_URL =
-  "https://accounts.google.com/o/oauth2/v2/auth?" +
-  new URLSearchParams({
-    prompt: "consent",
-    access_type: "offline",
-    response_type: "code",
-  })
-
-/**
- * Takes a token, and returns a new token with updated
- * `accessToken` and `accessTokenExpires`. If an error occurs,
- * returns the old token and an error property
- */
-async function refreshAccessToken(token) {
-  try {
-    const url =
-      "https://oauth2.googleapis.com/token?" +
-      new URLSearchParams({
-        client_id: process.env.GOOGLE_CLIENT_ID,
-        client_secret: process.env.GOOGLE_CLIENT_SECRET,
-        grant_type: "refresh_token",
-        refresh_token: token.refreshToken,
-      })
-
-    const response = await fetch(url, {
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-      },
-      method: "POST",
-    })
-
-    const refreshedTokens = await response.json()
-
-    if (!response.ok) {
-      throw refreshedTokens
-    }
-
-    return {
-      ...token,
-      accessToken: refreshedTokens.access_token,
-      accessTokenExpires: Date.now() + refreshedTokens.expires_at * 1000,
-      refreshToken: refreshedTokens.refresh_token ?? token.refreshToken, // Fall back to old refresh token
-    }
-  } catch (error) {
-    console.log(error)
-
-    return {
-      ...token,
-      error: "RefreshAccessTokenError",
-    }
-  }
-}
-
-export default NextAuth({
+export default Auth(new Request("https://example.com"), {
   providers: [
-    GoogleProvider({
-      clientId: process.env.GOOGLE_CLIENT_ID,
-      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
-      authorization: GOOGLE_AUTHORIZATION_URL,
+    Google({
+      clientId: process.env.GOOGLE_ID,
+      clientSecret: process.env.GOOGLE_SECRET,
+      authorization: { params: { access_type: "offline", prompt: "consent" } },
     }),
   ],
   callbacks: {
-    async jwt({ token, user, account }) {
-      // Initial sign in
-      if (account && user) {
+    async jwt({ token, account }) {
+      if (account) {
+        // Save the access token and refresh token in the JWT on the initial login
         return {
-          accessToken: account.access_token,
-          accessTokenExpires: Date.now() + account.expires_at * 1000,
-          refreshToken: account.refresh_token,
-          user,
+          access_token: account.access_token,
+          expires_at: Date.now() + account.expires_in * 1000,
+          refresh_token: account.refresh_token,
+        }
+      } else if (Date.now() < token.expires_at) {
+        // If the access token has not expired yet, return it
+        return token
+      } else {
+        // If the access token has expired, try to refresh it
+        try {
+          // https://accounts.google.com/.well-known/openid-configuration
+          // We need the `token_endpoint`.
+          const response = await fetch("https://oauth2.googleapis.com/token", {
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: new URLSearchParams({
+              client_id: process.env.GOOGLE_ID,
+              client_secret: process.env.GOOGLE_SECRET,
+              grant_type: "refresh_token",
+              refresh_token: token.refresh_token,
+            }),
+            method: "POST",
+          })
+
+          const tokens: TokenSet = await response.json()
+
+          if (!response.ok) throw tokens
+
+          return {
+            ...token, // Keep the previous token properties
+            access_token: tokens.access_token,
+            expires_at: Date.now() + tokens.expires_in * 1000,
+            // Fall back to old refresh token, but note that
+            // many providers may only allow using a refresh token once.
+            refresh_token: tokens.refresh_token ?? token.refresh_token,
+          }
+        } catch (error) {
+          console.error("Error refreshing access token", error)
+          // The error property will be used client-side to handle the refresh token error
+          return { ...token, error: "RefreshAccessTokenError" as const }
         }
       }
-
-      // Return previous token if the access token has not expired yet
-      if (Date.now() < token.accessTokenExpires) {
-        return token
-      }
-
-      // Access token has expired, try to update it
-      return refreshAccessToken(token)
     },
     async session({ session, token }) {
-      session.user = token.user
-      session.accessToken = token.accessToken
       session.error = token.error
-
       return session
     },
   },
 })
+
+declare module "@auth/core/types" {
+  interface Session {
+    error?: "RefreshAccessTokenError"
+  }
+}
+
+declare module "@auth/core/jwt" {
+  interface JWT {
+    access_token: string
+    expires_at: number
+    refresh_token: string
+    error?: "RefreshAccessTokenError"
+  }
+}
+```
+
+#### Database strategy
+
+Using the database strategy is very similar, but instead of preserving the `access_token` and `refresh_token`, we save it, well, in the database.
+
+```ts
+import { Auth } from "@auth/core"
+import { type TokenSet } from "@auth/core/types"
+import Google from "@auth/core/providers/google"
+import { PrismaAdapter } from "@next-auth/prisma-adapter"
+import { PrismaClient } from "@prisma/client"
+
+const prisma = new PrismaClient()
+
+export default Auth(new Request("https://example.com"), {
+  adapter: PrismaAdapter(prisma),
+  providers: [
+    Google({
+      clientId: process.env.GOOGLE_ID,
+      clientSecret: process.env.GOOGLE_SECRET,
+      authorization: { params: { access_type: "offline", prompt: "consent" } },
+    }),
+  ],
+  callbacks: {
+    async session({ session, user }) {
+      const [google] = await prisma.account.findMany({
+        where: { userId: user.id, provider: "google" },
+      })
+      if (google.expires_at >= Date.now()) {
+        // If the access token has expired, try to refresh it
+        try {
+          // https://accounts.google.com/.well-known/openid-configuration
+          // We need the `token_endpoint`.
+          const response = await fetch("https://oauth2.googleapis.com/token", {
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: new URLSearchParams({
+              client_id: process.env.GOOGLE_ID,
+              client_secret: process.env.GOOGLE_SECRET,
+              grant_type: "refresh_token",
+              refresh_token: google.refresh_token,
+            }),
+            method: "POST",
+          })
+
+          const tokens: TokenSet = await response.json()
+
+          if (!response.ok) throw tokens
+
+          await prisma.account.update({
+            data: {
+              access_token: tokens.access_token,
+              expires_at: Date.now() + tokens.expires_in * 1000,
+              refresh_token: tokens.refresh_token ?? google.refresh_token,
+            },
+            where: {
+              provider_providerAccountId: {
+                provider: "google",
+                providerAccountId: google.providerAccountId,
+              },
+            },
+          })
+        } catch (error) {
+          console.error("Error refreshing access token", error)
+          // The error property will be used client-side to handle the refresh token error
+          session.error = "RefreshAccessTokenError"
+        }
+      }
+      return session
+    },
+  },
+})
+
+declare module "@auth/core/types" {
+  interface Session {
+    error?: "RefreshAccessTokenError"
+  }
+}
+
+declare module "@auth/core/jwt" {
+  interface JWT {
+    access_token: string
+    expires_at: number
+    refresh_token: string
+    error?: "RefreshAccessTokenError"
+  }
+}
 ```
 
 ### Client Side
 
-The `RefreshAccessTokenError` error that is caught in the `refreshAccessToken()` method is passed all the way to the client. This means that you can direct the user to the sign in flow if we cannot refresh their token.
+The `RefreshAccessTokenError` error that is caught in the `refreshAccessToken()` method is passed to the client. This means that you can direct the user to the sign-in flow if we cannot refresh their token.
 
 We can handle this functionality as a side effect:
 
@@ -134,3 +218,8 @@ const HomePage() {
 return (...)
 }
 ```
+
+## Source Code
+
+A working example can be accessed [here](https://github.com/nextauthjs/next-auth-refresh-token-example).
+

docs/docs/reference/04-providers/02-oauth-builtin.mdx

@@ -1,14 +1,14 @@
 ---
 title: Available OAuth providers
-sidebar_label: Oauth providers
+sidebar_label: OAuth providers
 ---
 
-Authentication Providers in **Auth.js** are services that can be used to sign in a user.
+Authentication Providers in **Auth.js** are services that can be used to sign a user in.
 
 Auth.js comes with a set of built-in providers. You can find them [here](https://github.com/nextauthjs/next-auth/tree/main/packages/core/src/providers). Each built-in provider has its own documentation page:
 
 :::note
-Auth.js is designed to work with any OAuth service, it supports **OAuth 1.0**, **1.0A**, **2.0** and **OpenID Connect (OIDC)** and has built-in support for most popular sign-in services.
+Auth.js supports any **2.x** and **OpenID Connect (OIDC)** compliant providers and has built-in support for the most popular services.
 :::
 
 <ul>

docs/docs/reference/04-solidstart/protected.md

@@ -70,7 +70,7 @@ export default Page;
 
 ## When Using CSR
 
-When using CSR, the `Protected` component will not work as expected and will cause the screen to flash, so I had to come up with a tricky solution, we will use a Solid-Start middleare:
+When using CSR, the `Protected` component will not work as expected and will cause the screen to flash, so I had to come up with a tricky solution, we will use a Solid-Start middleware:
 
 ```tsx
 // entry-server.tsx
@@ -116,4 +116,4 @@ export default () => {
 };
 ```
 
-**Note: the CSR method should also work when using SSR, the SSR method shouldn't work when using CSR**
+**Note: the CSR method should also work when using SSR, the SSR method shouldn't work when using CSR**

docs/docs/reference/05-oauth-providers/mattermost.md

@@ -0,0 +1,36 @@
+---
+id: mattermost
+title: Mattermost
+---
+
+## Documentation
+
+https://developers.mattermost.com/integrate/apps/authentication/oauth2
+
+## Configuration
+
+http://my-cool-server.cloud.mattermost.com/mycoolteam/integrations/oauth2-apps
+
+## Options
+
+The **Mattermost provider** comes with a set of default options:
+
+- [Mattermost Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/mattermost.ts)
+
+You can override any of the options to suit your own use case.
+
+## Example
+
+```ts
+import Mattermost from "@auth/core/providers/mattermost";
+...
+providers: [
+  Mattermost({
+    // The base url of your Mattermost instance. e.g https://my-cool-server.cloud.mattermost.com
+    clientId: env.MATTERMOST_ID,
+    clientSecret: env.MATTERMOST_SECRET,
+    issuer: env.MATTERMOST_ISSUER,
+  })
+]
+...
+```

docs/docs/reference/05-oauth-providers/strava.md

@@ -11,7 +11,7 @@ http://developers.strava.com/docs/reference/
 
 The **Strava Provider** comes with a set of default options:
 
-- [Strava Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/strava.js)
+- [Strava Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/strava.ts)
 
 You can override any of the options to suit your own use case.
 

docs/docs/reference/06-adapters/dynamodb.md

@@ -3,7 +3,7 @@ id: dynamodb
 title: DynamoDB
 ---
 
-This is the AWS DynamoDB Adapter for next-auth. This package can only be used in conjunction with the primary next-auth package. It is not a standalone package.
+This is the AWS DynamoDB Adapter for `next-auth`. This package can only be used in conjunction with the primary `next-auth` package. It is not a standalone package.
 
 By default, the adapter expects a table with a partition key `pk` and a sort key `sk`, as well as a global secondary index named `GSI1` with `GSI1PK` as partition key and `GSI1SK` as sorting key. To automatically delete sessions and verification requests after they expire using [dynamodb TTL](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/TTL.html) you should [enable the TTL](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/time-to-live-ttl-how-to.html) with attribute name 'expires'. You can set whatever you want as the table name and the billing method.
 
@@ -11,10 +11,10 @@ You can find the full schema in the table structure section below.
 
 ## Getting Started
 
-1. Install `next-auth` and `@next-auth/dynamodb-adapter`
+1. Install `next-auth`, `@next-auth/dynamodb-adapter`, `@aws-sdk/client-dynamodb` and `@aws-sdk/lib-dynamodb`
 
-```bash npm2yarn
-npm install next-auth @next-auth/dynamodb-adapter
+```bash npm2yarn2pnpm
+npm install next-auth @next-auth/dynamodb-adapter @aws-sdk/client-dynamodb @aws-sdk/lib-dynamodb
 ```
 
 2. Add this adapter to your `pages/api/auth/[...nextauth].js` next-auth configuration object.
@@ -23,7 +23,7 @@ You need to pass `DynamoDBDocument` client from the modular [`aws-sdk`](https://
 The default table name is `next-auth`, but you can customise that by passing `{ tableName: 'your-table-name' }` as the second parameter in the adapter.
 
 ```javascript title="pages/api/auth/[...nextauth].js"
-import { DynamoDB } from "@aws-sdk/client-dynamodb"
+import { DynamoDB, DynamoDBClientConfig } from "@aws-sdk/client-dynamodb"
 import { DynamoDBDocument } from "@aws-sdk/lib-dynamodb"
 import NextAuth from "next-auth";
 import Providers from "next-auth/providers";
@@ -73,7 +73,7 @@ The table respects the single table design pattern. This has many advantages:
 
 - Only one table to manage, monitor and provision.
 - Querying relations is faster than with multi-table schemas (for eg. retrieving all sessions for a user).
-- Only one table needs to be replicated, if you want to go multi-region.
+- Only one table needs to be replicated if you want to go multi-region.
 
 > This schema is adapted for use in DynamoDB and based upon our main [schema](/reference/adapters/models)
 
@@ -94,7 +94,7 @@ new dynamodb.Table(this, `NextAuthTable`, {
 })
 ```
 
-Alternatively you can use this cloudformation template:
+Alternatively, you can use this cloudformation template:
 
 ```yaml title=cloudformation.yaml
 NextAuthTable:

docs/docusaurus.config.js

@@ -46,7 +46,7 @@ const docusaurusConfig = {
       title: "Auth.js",
       logo: {
         alt: "Auth.js Logo",
-        src: "img/logo/logo-xs.png",
+        src: "img/logo/logo-xs.webp",
       },
       items: [
         {
@@ -101,7 +101,7 @@ const docusaurusConfig = {
     announcementBar: {
       id: "new-major-announcement",
       content:
-        "<a target='_blank' rel='noopener noreferrer' href='https://next-auth.js.org'>NextAuth.js</a> is becoming Auth.js! 🎉 We're creating Authentication for the Web. Everyone included. Starting with SvelteKit, check out the docs <a  href='/reference/sveltekit'>here</a>.",
+        "<a target='_blank' rel='noopener noreferrer' href='https://next-auth.js.org'>NextAuth.js</a> is becoming Auth.js! 🎉 We're creating Authentication for the Web. Everyone included. Starting with SvelteKit, check out <a href='/reference/sveltekit'>the docs</a>.",
       backgroundColor: "#000",
       textColor: "#fff",
     },
@@ -121,6 +121,7 @@ const docusaurusConfig = {
                 alt="Powered by Vercel"
                 style="margin-top: 8px"
                 height="32"
+                width="167"
                 src="https://raw.githubusercontent.com/nextauthjs/next-auth/main/docs/static/img/powered-by-vercel.svg"
               />
             </a>`,
@@ -181,7 +182,10 @@ const docusaurusConfig = {
           lastVersion: "current",
           showLastUpdateAuthor: true,
           showLastUpdateTime: true,
-          remarkPlugins: [require("@sapphire/docusaurus-plugin-npm2yarn2pnpm").npm2yarn2pnpm, require("remark-github")],
+          remarkPlugins: [
+            require("@sapphire/docusaurus-plugin-npm2yarn2pnpm").npm2yarn2pnpm,
+            require("remark-github"),
+          ],
           versions: {
             current: {
               label: "experimental",
@@ -201,7 +205,15 @@ const docusaurusConfig = {
         ...typedocConfig,
         id: "core",
         plugin: ["./tyepdoc"],
-        entryPoints: ["index.ts", "adapters.ts", "errors.ts", "jwt.ts", "types.ts"].map((e) => `${coreSrc}/${e}`).concat(providers),
+        entryPoints: [
+          "index.ts",
+          "adapters.ts",
+          "errors.ts",
+          "jwt.ts",
+          "types.ts",
+        ]
+          .map((e) => `${coreSrc}/${e}`)
+          .concat(providers),
         tsconfig: "../packages/core/tsconfig.json",
         out: "reference/03-core",
         watch: process.env.TYPEDOC_WATCH,
@@ -214,7 +226,9 @@ const docusaurusConfig = {
         ...typedocConfig,
         id: "sveltekit",
         plugin: ["./tyepdoc"],
-        entryPoints: ["index.ts", "client.ts"].map((e) => `../packages/frameworks-sveltekit/src/lib/${e}`),
+        entryPoints: ["index.ts", "client.ts"].map(
+          (e) => `../packages/frameworks-sveltekit/src/lib/${e}`
+        ),
         tsconfig: "../packages/frameworks-sveltekit/tsconfig.json",
         out: "reference/04-sveltekit",
         watch: process.env.TYPEDOC_WATCH,

docs/package.json

@@ -22,6 +22,7 @@
     "classnames": "^2.3.2",
     "mdx-mermaid": "1.2.2",
     "mermaid": "9.0.1",
+    "next-auth": "workspace:*",
     "prism-react-renderer": "1.3.5",
     "react": "^18.2.0",
     "react-dom": "^18.2.0",

docs/sidebars.js

@@ -58,9 +58,9 @@ module.exports = {
       label: "@auth/solid-start",
       link: {
         type: "doc",
-        id: "reference/solid-start/index",
+        id: "reference/solidstart/index",
       },
-      items: ["reference/solid-start/client", "reference/solid-start/protected"],
+      items: ["reference/solidstart/client", "reference/solidstart/protected"],
     },
     {
       type: "category",

docs/src/css/index.css

@@ -140,19 +140,19 @@ html[data-theme="dark"] hr {
   border-radius: 10rem;
   overflow: visible;
   box-shadow: 0 0 2rem rgba(0, 0, 0, 0.1);
-  background-image: url("/img/mesh-1.jpg");
+  background-image: url("/img/mesh-1.webp");
   background-size: cover;
   background-origin: center;
 }
 
 .home-main .section-features .row .col:nth-child(2) .feature-image-wrapper {
-  background-image: url("/img/mesh-2.jpg");
+  background-image: url("/img/mesh-2.webp");
   background-size: cover;
   background-origin: center;
 }
 
 .home-main .section-features .row .col:nth-child(3) .feature-image-wrapper {
-  background-image: url("/img/mesh-3.jpg");
+  background-image: url("/img/mesh-3.webp");
   background-size: cover;
   background-origin: center;
 }

docs/src/css/navbar.css

@@ -6,6 +6,11 @@
   margin-right: 1rem !important;
 }
 
+.navbar__logo {
+  width: 29px;
+  height: 32px;
+}
+
 .navbar__title {
   font-size: 1.2rem;
   margin-left: 0.2rem;

docs/src/pages/index.js

@@ -117,9 +117,11 @@ export default function Home() {
           <div className="container">
             <div className="hero-inner">
               <img
-                src="/img/logo/logo-sm.png"
+                src="/img/logo/logo-sm.webp"
                 alt="Shield with key icon"
                 className={styles.heroLogo}
+                height="142"
+                width="128"
               />
               <div className={styles.heroText}>
                 <h1 className="hero__title">{siteConfig.title}</h1>
@@ -214,9 +216,9 @@ export default function Home() {
               <div className="row">
                 <div className="col col--6">
                   <div className="code">
-                    <h4 className="code-heading">
+                    <div className="code-heading">
                       Next.js <span>/pages/api/auth/[...nextauth].ts</span>
-                    </h4>
+                    </div>
                     <CodeBlock className="prism-code language-js">
                       {nextJsCode}
                     </CodeBlock>
@@ -224,9 +226,9 @@ export default function Home() {
                 </div>
                 <div className="col col--6">
                   <div className="code">
-                    <h4 className="code-heading">
+                    <div className="code-heading">
                       SvelteKit <span>/hooks.server.ts</span>
-                    </h4>
+                    </div>
                     <CodeBlock className="prism-code language-js">
                       {svelteKitCode}
                     </CodeBlock>
@@ -234,9 +236,9 @@ export default function Home() {
                 </div>
                 <div className="col col--6">
                   <div className="code">
-                    <h4 className="code-heading">
+                    <div className="code-heading">
                       SolidStart <span>/routes/api/auth/[...solidauth].ts</span>
-                    </h4>
+                    </div>
                     <CodeBlock className="prism-code language-js">
                       {solidStartCode}
                     </CodeBlock>

docs/vercel.json

@@ -60,6 +60,11 @@
       "destination": "https://github.com/nextauthjs/next-auth/discussions/categories/questions",
       "permanent": true
     },
+    {
+      "source": "/reference/solid-start/:path*",
+      "destination": "/reference/solidstart/:path*",
+      "permanent": true
+    },
     {
       "source": "/",
       "has": [

package.json

@@ -5,6 +5,7 @@
   "repository": "https://github.com/nextauthjs/next-auth.git",
   "scripts": {
     "build:app": "turbo run build --filter=next-auth-app",
+    "build:docs": "turbo run build --filter=docs",
     "build": "turbo run build --filter=next-auth --filter=@next-auth/* --filter=@auth/* --no-deps",
     "test": "turbo run test --concurrency=1 --filter=[HEAD^1] --filter=./packages/* --filter=!*pouchdb-* --filter=!@*upstash* --filter=!*dynamodb-*",
     "clean": "turbo run clean --no-cache",
@@ -12,7 +13,7 @@
     "dev": "turbo run dev --parallel --continue --filter=next-auth-app... --filter=!./packages/adapter-*",
     "dev:kit": "turbo run dev --parallel --continue --filter=sveltekit-auth-app...",
     "dev:docs": "turbo run dev --filter=docs",
-    "email": "cd apps/dev && pnpm email",
+    "email": "cd apps/dev/nextjs && pnpm email",
     "eslint": "eslint --cache .",
     "lint": "prettier --check .",
     "format": "prettier --write .",

packages/adapter-dynamodb/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@next-auth/dynamodb-adapter",
   "repository": "https://github.com/nextauthjs/next-auth",
-  "version": "1.0.5",
+  "version": "1.0.6",
   "description": "AWS DynamoDB adapter for next-auth.",
   "keywords": [
     "next-auth",
@@ -31,6 +31,7 @@
   "author": "Pol Marnette",
   "license": "ISC",
   "peerDependencies": {
+    "@aws-sdk/client-dynamodb": "^3.36.1",
     "@aws-sdk/lib-dynamodb": "^3.36.1",
     "next-auth": "^4"
   },
@@ -43,4 +44,4 @@
     "jest": "^27.4.3",
     "next-auth": "workspace:*"
   }
-}
+}

packages/core/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@auth/core",
-  "version": "0.2.4",
+  "version": "0.2.5",
   "description": "Authentication for the Web.",
   "keywords": [
     "authentication",
@@ -20,7 +20,7 @@
     "Balázs Orbán <info@balazsorban.com>",
     "Nico Domino <yo@ndo.dev>",
     "Lluis Agusti <hi@llu.lu>",
-    "Thang Huu Vu <thvu@hey.com>",
+    "Thang Huu Vu <hi@thvu.dev>",
     "Iain Collins <me@iaincollins.com"
   ],
   "type": "module",

packages/core/src/lib/oauth/authorization-url.ts

@@ -22,7 +22,8 @@ export async function getAuthorizationUrl(
   let url = provider.authorization?.url
   let as: o.AuthorizationServer | undefined
 
-  if (!url) {
+  // Falls back to authjs.dev if the user only passed params
+  if (!url || url.host === "authjs.dev") {
     // If url is undefined, we assume that issuer is always defined
     // We check this in assert.ts
     // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
@@ -48,9 +49,9 @@ export async function getAuthorizationUrl(
       redirect_uri: provider.callbackUrl,
       // @ts-expect-error TODO:
       ...provider.authorization?.params,
-    }, // Defaults
-    Object.fromEntries(authParams), // From provider config
-    query // From `signIn` call
+    },
+    Object.fromEntries(provider.authorization?.url.searchParams ?? []),
+    query
   )
 
   for (const k in params) authParams.set(k, params[k])

packages/core/src/lib/oauth/callback.ts

@@ -31,7 +31,12 @@ export async function handleOAuth(
   const { logger, provider } = options
   let as: o.AuthorizationServer
 
-  if (!provider.token?.url && !provider.userinfo?.url) {
+  const { token, userinfo } = provider
+  // Falls back to authjs.dev if the user only passed params
+  if (
+    (!token?.url || token.url.host === "authjs.dev") &&
+    (!userinfo?.url || userinfo.url.host === "authjs.dev")
+  ) {
     // We assume that issuer is always defined as this has been asserted earlier
     // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
     const issuer = new URL(provider.issuer!)
@@ -54,9 +59,9 @@ export async function handleOAuth(
     as = discoveredAs
   } else {
     as = {
-      issuer: provider.issuer ?? "https://a", // TODO: review fallback issuer
-      token_endpoint: provider.token?.url.toString(),
-      userinfo_endpoint: provider.userinfo?.url.toString(),
+      issuer: provider.issuer ?? "https://authjs.dev", // TODO: review fallback issuer
+      token_endpoint: token?.url.toString(),
+      userinfo_endpoint: userinfo?.url.toString(),
     }
   }
 
@@ -143,9 +148,9 @@ export async function handleOAuth(
       throw new Error("TODO: Handle OAuth 2.0 response body error")
     }
 
-    if (provider.userinfo?.request) {
-      profile = await provider.userinfo.request({ tokens, provider })
-    } else if (provider.userinfo?.url) {
+    if (userinfo?.request) {
+      profile = await userinfo.request({ tokens, provider })
+    } else if (userinfo?.url) {
       const userinfoResponse = await o.userInfoRequest(
         as,
         client,

packages/core/src/lib/pages/signin.tsx

@@ -87,10 +87,14 @@ export default function SigninPage(props: {
                     "--provider-dark-bg": provider.style?.bgDark ?? "",
                     "--provider-color": provider.style?.text ?? "",
                     "--provider-dark-color": provider.style?.textDark ?? "",
+                    gap: 8,
                   }}
                 >
                   {provider.style?.logo && (
                     <img
+                      loading="lazy"
+                      height={24}
+                      width={24}
                       id="provider-logo"
                       src={`${
                         provider.style.logo.startsWith("/") ? logos : ""
@@ -99,6 +103,9 @@ export default function SigninPage(props: {
                   )}
                   {provider.style?.logoDark && (
                     <img
+                      loading="lazy"
+                      height={24}
+                      width={24}
                       id="provider-logo-dark"
                       src={`${
                         provider.style.logo.startsWith("/") ? logos : ""

packages/core/src/lib/providers.ts

@@ -45,11 +45,11 @@ export default function parseProviders(params: {
   }
 }
 
+// TODO: Also add discovery here, if some endpoints/config are missing.
+// We should return both a client and authorization server config.
 function normalizeOAuth(
-  c?: OAuthConfig<any> | OAuthUserConfig<any>
+  c: OAuthConfig<any> | OAuthUserConfig<any>
 ): OAuthConfigInternal<any> | {} {
-  if (!c) return {}
-
   if (c.issuer) c.wellKnown ??= `${c.issuer}/.well-known/openid-configuration`
 
   const authorization = normalizeEndpoint(c.authorization, c.issuer)
@@ -84,18 +84,18 @@ function normalizeEndpoint(
   e?: OAuthConfig<any>[OAuthEndpointType],
   issuer?: string
 ): OAuthConfigInternal<any>[OAuthEndpointType] {
-  if (!e || issuer) return
+  if (!e && issuer) return
   if (typeof e === "string") {
     return { url: new URL(e) }
   }
-  // If v.url is undefined, it's because the provider config
+  // If e.url is undefined, it's because the provider config
   // assumes that we will use the issuer endpoint.
-  // The existence of either v.url or provider.issuer is checked in
-  // assert.ts
-  // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-  const url = new URL(e.url!)
-  // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-assertion
-  for (const k in e.params) url.searchParams.set(k, e.params[k] as any)
-
-  return { ...e, url }
+  // The existence of either e.url or provider.issuer is checked in
+  // assert.ts. We fallback to "https://authjs.dev" to be able to pass around
+  // a valid URL even if the user only provided params.
+  // NOTE: This need to be checked when constructing the URL
+  // for the authorization, token and userinfo endpoints.
+  const url = new URL(e?.url ?? "https://authjs.dev")
+  for (const k in e?.params) url.searchParams.set(k, e?.params[k])
+  return { url, request: e?.request }
 }

packages/core/src/lib/routes/callback.ts

@@ -2,7 +2,7 @@ import { handleLogin } from "../callback-handler.js"
 import { CallbackRouteError } from "../../errors.js"
 import { handleOAuth } from "../oauth/callback.js"
 import { createHash } from "../web.js"
-import { handleAuthorized } from "./shared.js"
+import { getAdapterUserFromEmail, handleAuthorized } from "./shared.js"
 
 import type { AdapterSession } from "../../adapters.js"
 import type {
@@ -10,6 +10,7 @@ import type {
   ResponseInternal,
   User,
   InternalOptions,
+  Account,
 } from "../../types.js"
 import type { Cookie, SessionStore } from "../cookie.js"
 
@@ -172,40 +173,40 @@ export async function callback(params: {
       }
 
       // @ts-expect-error -- Verified in `assertConfig`.
-      const profile = await getAdapterUserFromEmail(identifier, adapter)
+      const user = await getAdapterUserFromEmail(identifier, adapter)
 
-      const account = {
-        providerAccountId: profile.email,
+      const account: Account = {
+        providerAccountId: user.email,
+        userId: user.id,
         type: "email" as const,
         provider: provider.id,
       }
 
       // Check if user is allowed to sign in
       const unauthorizedOrError = await handleAuthorized(
-        { user: profile, account },
+        { user, account },
         options
       )
 
       if (unauthorizedOrError) return { ...unauthorizedOrError, cookies }
 
       // Sign user in
-      const { user, session, isNewUser } = await handleLogin(
-        sessionStore.value,
-        profile,
-        account,
-        options
-      )
+      const {
+        user: loggedInUser,
+        session,
+        isNewUser,
+      } = await handleLogin(sessionStore.value, user, account, options)
 
       if (useJwtSession) {
         const defaultToken = {
-          name: user.name,
-          email: user.email,
-          picture: user.image,
-          sub: user.id?.toString(),
+          name: loggedInUser.name,
+          email: loggedInUser.email,
+          picture: loggedInUser.image,
+          sub: loggedInUser.id?.toString(),
         }
         const token = await callbacks.jwt({
           token: defaultToken,
-          user,
+          user: loggedInUser,
           account,
           isNewUser,
         })
@@ -233,7 +234,7 @@ export async function callback(params: {
         })
       }
 
-      await events.signIn?.({ user, account, isNewUser })
+      await events.signIn?.({ user: loggedInUser, account, isNewUser })
 
       // Handle first logins on new accounts
       // e.g. option to send users to a new account landing page on initial login

packages/core/src/lib/routes/signin.ts

@@ -33,7 +33,7 @@ export async function signin(
 
       const account: Account = {
         providerAccountId: email,
-        userId: email,
+        userId: user.id,
         type: "email",
         provider: provider.id,
       }

packages/core/src/providers/mattermost.ts

@@ -0,0 +1,91 @@
+import type { OAuthConfig, OAuthUserConfig } from "./oauth"
+
+/** @see [Get a user](https://api.mattermost.com/#tag/users/operation/GetUser) */
+export interface MattermostProfile {
+  id: string
+  /** The time in milliseconds a user was created */
+  create_at: number
+  /** The time in milliseconds a user was last updated */
+  update_at: number
+  /** The time in milliseconds a user was deleted */
+  delete_at: number
+  username: string
+  auth_data: string
+  auth_service: string
+  email: string
+  email_verified: boolean
+  nickname: string
+  first_name: string
+  last_name: string
+  position: string
+  roles: string
+  notify_props: {
+    /** Set to "true" to enable channel-wide notifications (@channel, @all, etc.), "false" to disable. Defaults to "true". */
+    channel: string
+    comments: string
+    /** Set to "all" to receive desktop notifications for all activity, "mention" for mentions and direct messages only, and "none" to disable. Defaults to "all". */
+    desktop: string
+    /** Set to "true" to enable sound on desktop notifications, "false" to disable. Defaults to "true". */
+    desktop_sound: string
+    desktop_threads: string
+    /** Set to "true" to enable email notifications, "false" to disable. Defaults to "true". */
+    email: string
+    email_threads: string
+    /** Set to "true" to enable mentions for first name. Defaults to "true" if a first name is set, "false" otherwise. */
+    first_name: string
+    /** A comma-separated list of words to count as mentions. Defaults to username and @username. */
+    mention_keys: string
+    /** Set to "all" to receive push notifications for all activity, "mention" for mentions and direct messages only, and "none" to disable. Defaults to "mention". */
+    push: string
+    push_status: string
+    push_threads: string
+  }
+  last_password_update: number
+  locale: string
+  timezone: {
+    /** This value is set automatically when the "useAutomaticTimezone" is set to "true". */
+    automaticTimezone: string
+    /** Value when setting manually the timezone, i.e. "Europe/Berlin". */
+    manualTimezone: string
+    /** Set to "true" to use the browser/system timezone, "false" to set manually. Defaults to "true". */
+    useAutomaticTimezone: string
+  }
+  disable_welcome_email: boolean
+  /** ID of accepted terms of service, if any. This field is not present if empty. */
+  terms_of_service_id?: string
+  /** The time in milliseconds the user accepted the terms of service */
+  terms_of_service_create_at?: number
+}
+
+export default function Mattermost<P extends MattermostProfile>(
+  config: OAuthUserConfig<P> & { issuer: string }
+): OAuthConfig<P> {
+  const { issuer, ...rest } = config
+
+  return {
+    id: "mattermost",
+    name: "Mattermost",
+    type: "oauth",
+    client: { token_endpoint_auth_method: "client_secret_post" },
+    token: `${issuer}/oauth/access_token`,
+    authorization: `${issuer}/oauth/authorize`,
+    userinfo: `${issuer}/api/v4/users/me`,
+    profile(profile) {
+      return {
+        id: profile.id,
+        name: profile.username ?? `${profile.first_name} ${profile.last_name}`,
+        email: profile.email,
+        image: null,
+      }
+    },
+    style: {
+      logo: "/mattermost.svg",
+      logoDark: "/mattermost-dark.svg",
+      bg: "#fff",
+      text: "#000",
+      bgDark: "#000",
+      textDark: "#fff",
+    },
+    options: rest,
+  }
+}

packages/frameworks-sveltekit/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@auth/sveltekit",
-  "version": "0.1.11",
+  "version": "0.1.12",
   "description": "Authentication for SvelteKit.",
   "keywords": [
     "authentication",

packages/frameworks-sveltekit/src/lib/index.ts

@@ -18,7 +18,7 @@
  * ## Usage
  *
  * ```ts title="src/hooks.server.ts"
- * import SvelteKitAuth from "@auth/sveltekit"
+ * import { SvelteKitAuth } from "@auth/sveltekit"
  * import GitHub from "@auth/core/providers/github"
  * import { GITHUB_ID, GITHUB_SECRET } from "$env/static/private"
  *
@@ -38,6 +38,9 @@
  *
  * ## Signing in and signing out
  *
+ * The data for the current session in this example was made available through the `$page` store which can be set through you root `+page.server.ts` file.
+ * It is not necessary to store the data there, however, this makes it globally accessible throughout your application simplifying state management.
+ *
  * ```ts
  * <script>
  *   import { signIn, signOut } from "@auth/sveltekit/client"
@@ -65,6 +68,111 @@
  * </p>
  * ```
  *
+ * ## Managing the session
+ *
+ * The above example checks for a session available in `$page.data.session`, however that needs to be set by us somewhere.
+ * If you want this data to be available to all your routes you can add this to your root `+page.server.ts` file.
+ * The following code sets the session data in the `$page` store to be available to all routes.
+ *
+ * ```ts
+ * import type { LayoutServerLoad } from './$types';
+ *
+ * export const load: LayoutServerLoad = async (event) => {
+ *   return {
+ *     session: await event.locals.getSession()
+ *   };
+ * }; 
+ * ```
+ *
+ * What you return in the function `LayoutServerLoad` will be available inside the `$page` store, in the `data` property: `$page.data`.
+ * In this case we return an object with the 'session' property which is what we are accessing in the other code paths.
+ *
+ * ## Handling authorization
+ *
+ * In SvelteKit there are a few ways you could protect routes from unauthenticated users.
+ *
+ * ### Per component
+ *
+ * The simplest case is protecting a single page, in which case you should put the logic in the `+page.server.ts` file.
+ * Notice in this case that you could also await event.parent and grab the session from there, however this implementation works even if you haven't done the above in your root `+layout.server.ts`
+ *
+ * ```ts
+ * import { redirect } from '@sveltejs/kit';
+ * import type { PageServerLoad } from './$types';
+ *
+ * export const load: PageServerLoad = async (event) => {
+ *   const session = await event.locals.getSession();
+ *   if (!session?.user) throw redirect(303, '/auth');
+ *   return {};
+ * };
+ * ```
+ * 
+ * :::danger
+ * Make sure to ALWAYS grab the session information from the parent instead of using the store in the case of a `PageLoad`.
+ * Not doing so can lead to users being able to incorrectly access protected information in the case the `+layout.server.ts` does not run for that page load.
+ * This code sample already implements the correct method by using `const { session } = await parent();`
+ * :::
+ *
+ * You should NOT put authorization logic in a `+layout.server.ts` as the logic is not guaranteed to propragate to leafs in the tree.
+ * Prefer to manually protect each route through the `+page.server.ts` file to avoid mistakes.
+ * It is possible to force the layout file to run the load function on all routes, however that relies certain behaviours that can change and are not easily checked.
+ * For more information about these caveats make sure to read this issue in the SvelteKit repository: https://github.com/sveltejs/kit/issues/6315
+ *
+ * ### Per path
+ *
+ * Another method that's possible for handling authorization is by restricting certain URIs from being available.
+ * For many projects this is better because:
+ * - This automatically protects actions and api routes in those URIs
+ * - No code duplication between components
+ * - Very easy to modify
+ *
+ * The way to handle authorization through the URI is to override your handle hook.
+ * The handle hook, available in `hooks.server.ts`, is a function that receives ALL requests sent to your SvelteKit webapp.
+ * You may intercept them inside the handle hook, add and modify things in the request, block requests, etc.
+ * Some readers may notice we are already using this handle hook for SvelteKitAuth which returns a handle itself, so we are going to use SvelteKit's sequence to provide middleware-like functions that set the handle hook.
+ * 
+ * ```ts
+ * import { SvelteKitAuth } from '@auth/sveltekit';
+ * import GitHub from '@auth/core/providers/github';
+ * import { GITHUB_ID, GITHUB_SECRET } from '$env/static/private';
+ * import { redirect, type Handle } from '@sveltejs/kit';
+ * import { sequence } from '@sveltejs/kit/hooks';
+ * 
+ * async function authorization({ event, resolve }) {
+ * 	// Protect any routes under /authenticated
+ * 	if (event.url.pathname.startsWith('/authenticated')) {
+ *    const session = await event.locals.getSession();
+ * 		if (!session) {
+ * 			throw redirect(303, '/auth');
+ * 		}
+ * 	}
+ * 
+ * 	// If the request is still here, just proceed as normally
+ * 	const result = await resolve(event, {
+ * 		transformPageChunk: ({ html }) => html
+ * 	});
+ * 	return result;
+ * }
+ * 
+ * // First handle authentication, then authorization
+ * // Each function acts as a middleware, receiving the request handle
+ * // And returning a handle which gets passed to the next function
+ * export const handle: Handle = sequence(
+ * 	SvelteKitAuth({
+ * 		providers: [GitHub({ clientId: GITHUB_ID, clientSecret: GITHUB_SECRET })]
+ * 	}),
+ * 	authorization
+ * );
+ * ```
+ *
+ * :::info
+ * Learn more about SvelteKit's handle hooks and sequence [here](https://kit.svelte.dev/docs/modules#sveltejs-kit-hooks-sequence).
+ * :::
+ *
+ * Now any routes under `/authenticated` will be transparently protected by the handle hook.
+ * You may add more middleware-like functions to the sequence and also implement more complex authorization business logic inside this file.
+ * This can also be used along with the component-based approach in case you need a specific page to be protected and doing it by URI could be faulty.
+ *
  * ## Notes
  *
  * :::info

packages/next-auth/package.json

@@ -9,7 +9,7 @@
     "Balázs Orbán <info@balazsorban.com>",
     "Nico Domino <yo@ndo.dev>",
     "Lluis Agusti <hi@llu.lu>",
-    "Thang Huu Vu <thvu@hey.com>"
+    "Thang Huu Vu <hi@thvu.dev>"
   ],
   "main": "index.js",
   "module": "index.js",

packages/next-auth/provider-logos/mattermost-dark.svg

@@ -0,0 +1,4 @@
+<svg width="700" height="700" viewBox="0 0 700 700" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path fill-rule="evenodd" clip-rule="evenodd" d="M496.909 147.716L499.54 200.779C542.559 248.303 559.539 315.609 538.125 378.865C506.159 473.292 400.753 522.93 302.694 489.735C204.635 456.54 151.057 353.081 183.023 258.653C204.508 195.186 259.171 151.953 322.48 140.505L356.685 100.091C249.969 97.2018 149.288 163.442 113.265 269.853C69.0048 400.598 139.114 542.468 269.859 586.729C400.604 630.99 542.474 560.88 586.735 430.135C622.7 323.895 583.148 210.308 496.909 147.716Z" fill="#dddddd"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M435.623 304.289L433.812 230.109L432.359 187.424L431.376 150.444C431.376 150.444 431.581 132.612 430.959 128.422C430.828 127.54 430.551 126.822 430.221 126.196C430.18 126.108 430.141 126.02 430.096 125.934C430.049 125.854 430.003 125.78 429.954 125.705C429.27 124.528 428.195 123.572 426.804 123.101C425.381 122.619 423.909 122.738 422.631 123.29C422.604 123.3 422.579 123.309 422.552 123.32C422.4 123.388 422.255 123.465 422.109 123.546C421.503 123.841 420.887 124.223 420.284 124.808C417.244 127.758 406.575 142.048 406.575 142.048L383.331 170.826L356.248 203.851L309.749 261.677C309.749 261.677 288.411 288.308 293.126 321.088C297.841 353.868 322.211 369.837 341.117 376.238C360.023 382.638 389.082 384.756 412.74 361.581C436.396 338.405 435.623 304.289 435.623 304.289Z" fill="#dddddd"/>
+</svg>

packages/next-auth/provider-logos/mattermost.svg

@@ -0,0 +1,4 @@
+<svg width="700" height="700" viewBox="0 0 700 700" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path fill-rule="evenodd" clip-rule="evenodd" d="M496.909 147.716L499.54 200.779C542.559 248.303 559.539 315.609 538.125 378.865C506.159 473.292 400.753 522.93 302.694 489.735C204.635 456.54 151.057 353.081 183.023 258.653C204.508 195.186 259.171 151.953 322.48 140.505L356.685 100.091C249.969 97.2018 149.288 163.442 113.265 269.853C69.0048 400.598 139.114 542.468 269.859 586.729C400.604 630.99 542.474 560.88 586.735 430.135C622.7 323.895 583.148 210.308 496.909 147.716Z" fill="#222222"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M435.623 304.289L433.812 230.109L432.359 187.424L431.376 150.444C431.376 150.444 431.581 132.612 430.959 128.422C430.828 127.54 430.551 126.822 430.221 126.196C430.18 126.108 430.141 126.02 430.096 125.934C430.049 125.854 430.003 125.78 429.954 125.705C429.27 124.528 428.195 123.572 426.804 123.101C425.381 122.619 423.909 122.738 422.631 123.29C422.604 123.3 422.579 123.309 422.552 123.32C422.4 123.388 422.255 123.465 422.109 123.546C421.503 123.841 420.887 124.223 420.284 124.808C417.244 127.758 406.575 142.048 406.575 142.048L383.331 170.826L356.248 203.851L309.749 261.677C309.749 261.677 288.411 288.308 293.126 321.088C297.841 353.868 322.211 369.837 341.117 376.238C360.023 382.638 389.082 384.756 412.74 361.581C436.396 338.405 435.623 304.289 435.623 304.289Z" fill="#222222"/>
+</svg>

pnpm-lock.yaml

@@ -258,6 +258,7 @@ importers:
       docusaurus-plugin-typedoc: ^0.18.0
       mdx-mermaid: 1.2.2
       mermaid: 9.0.1
+      next-auth: workspace:*
       prism-react-renderer: 1.3.5
       react: ^18.2.0
       react-dom: ^18.2.0
@@ -272,6 +273,7 @@ importers:
       classnames: 2.3.2
       mdx-mermaid: 1.2.2_mermaid@9.0.1+react@18.2.0
       mermaid: 9.0.1
+      next-auth: link:../packages/next-auth
       prism-react-renderer: 1.3.5_react@18.2.0
       react: 18.2.0
       react-dom: 18.2.0_react@18.2.0
@@ -13604,7 +13606,7 @@ packages:
   /axios/0.21.4_debug@3.2.7:
     resolution: {integrity: sha512-ut5vewkiu8jjGBdqpM44XxjuCjq9LAKeHVmoVfHVzy8eHgxxq8SbAVQNovDA8mVi05kP0Ea/n/UzcSHcTJQfNg==}
     dependencies:
-      follow-redirects: 1.15.1
+      follow-redirects: 1.15.1_debug@3.2.7
     transitivePeerDependencies:
       - debug
     dev: false
@@ -19295,6 +19297,18 @@ packages:
       debug:
         optional: true
 
+  /follow-redirects/1.15.1_debug@3.2.7:
+    resolution: {integrity: sha512-yLAMQs+k0b2m7cVxpS1VKJVvoz7SS9Td1zss3XRwXj+ZDH00RJgnuLx7E44wx02kQLrdM3aOOy+FpzS7+8OizA==}
+    engines: {node: '>=4.0'}
+    peerDependencies:
+      debug: '*'
+    peerDependenciesMeta:
+      debug:
+        optional: true
+    dependencies:
+      debug: 3.2.7
+    dev: false
+
   /follow-redirects/1.15.1_debug@4.3.4:
     resolution: {integrity: sha512-yLAMQs+k0b2m7cVxpS1VKJVvoz7SS9Td1zss3XRwXj+ZDH00RJgnuLx7E44wx02kQLrdM3aOOy+FpzS7+8OizA==}
     engines: {node: '>=4.0'}

turbo.json

@@ -1,19 +1,29 @@
 {
   "$schema": "https://turborepo.org/schema.json",
   "pipeline": {
-    "docs#build": {
-      "dependsOn": [
-        "^build",
-        "next-auth#build",
-        "@auth/core#build",
-        "@auth/sveltekit#build"
-      ]
-    },
     "build": {
       "dependsOn": ["^build"]
     },
     "next-auth#build": {
-      "dependsOn": ["^build"]
+      "dependsOn": ["^build"],
+      "outputs": [
+        "client/**",
+        "core/**",
+        "css/**",
+        "jwt/**",
+        "next/**",
+        "providers/**",
+        "react/**",
+        "index.d.ts",
+        "index.js",
+        "adapters.d.ts",
+        "middleware.d.ts",
+        "middleware.js"
+      ]
+    },
+    "@auth/core#build": {
+      "dependsOn": ["^build"],
+      "outputs": ["lib/**", "providers/**", "*.js", "*.d.ts", "*.d.ts.map"]
     },
     "clean": {
       "cache": false