chore(release): bump package version(s) [skip ci]

* Update prisma.md

The referenced official doc page describes how to fix the `warn(prisma-client) There are already 10 instances of Prisma Client actively running.` error in development mode.

* Update prisma.md

Implemented best practice for Prisma Client creation.

* Fixed typo in Prisma db filename.

apps/example-nextjs/pages/_app.tsx

@@ -2,12 +2,16 @@ import { SessionProvider } from "next-auth/react"
 import "./styles.css"
 
 import type { AppProps } from "next/app"
+import type { Session } from "next-auth"
 
 // Use of the <SessionProvider> is mandatory to allow components that call
 // `useSession()` anywhere in your application to access the `session` object.
-export default function App({ Component, pageProps }: AppProps) {
+export default function App({
+  Component,
+  pageProps: { session, ...pageProps },
+}: AppProps<{ session: Session }>) {
   return (
-    <SessionProvider session={pageProps.session} refetchInterval={0}>
+    <SessionProvider session={session}>
       <Component {...pageProps} />
     </SessionProvider>
   )

apps/example-nextjs/pages/protected.tsx

@@ -4,8 +4,7 @@ import Layout from "../components/layout"
 import AccessDenied from "../components/access-denied"
 
 export default function ProtectedPage() {
-  const { data: session, status } = useSession()
-  const loading = status === "loading"
+  const { data: session } = useSession()
   const [content, setContent] = useState()
 
   // Fetch content from protected route
@@ -19,9 +18,7 @@ export default function ProtectedPage() {
     }
     fetchData()
   }, [session])
-
-  // When rendering client side don't display anything until loading is complete
-  if (typeof window !== "undefined" && loading) return null
+ 
 
   // If no session exists, display access denied message
   if (!session) {

docs/docs/adapters/prisma.md

@@ -12,15 +12,24 @@ npm install next-auth @prisma/client @next-auth/prisma-adapter
 npm install prisma --save-dev
 ```
 
+Create a file with your Prisma Client:
+
+```javascript title="lib/prismadb.js"
+import { PrismaClient } from "@prisma/client"
+
+const client = globalThis.prisma || new PrismaClient()
+if (process.env.NODE_ENV !== "production") globalThis.prisma = client
+
+export default client
+```
+
 Configure your NextAuth.js to use the Prisma Adapter:
 
 ```javascript title="pages/api/auth/[...nextauth].js"
 import NextAuth from "next-auth"
 import GoogleProvider from "next-auth/providers/google"
 import { PrismaAdapter } from "@next-auth/prisma-adapter"
-import { PrismaClient } from "@prisma/client"
-
-const prisma = new PrismaClient()
+import prisma from "../../../lib/prismadb"
 
 export default NextAuth({
   adapter: PrismaAdapter(prisma),

docs/docs/configuration/options.md

@@ -114,6 +114,12 @@ session: {
   // Use it to limit write operations. Set to 0 to always update the database.
   // Note: This option is ignored if using JSON Web Tokens
   updateAge: 24 * 60 * 60, // 24 hours
+  
+  // The session token is usually either a random UUID or string, however if you
+  // need a more customized session token string, you can define your own generate function.
+  generateSessionToken: () => {
+    return randomUUID?.() ?? randomBytes(32).toString("hex")
+  }
 }
 ```
 

docs/docs/tutorials/securing-pages-and-api-routes.md

@@ -42,7 +42,7 @@ export default function Page() {
 
 ### Next.js (Middleware)
 
-With NextAuth.js 4.2.0 and Next.js 12, you can now protect your pages via the middleware pattern more easily. If you would like to protect all pages, you can create a `_middleware.js` file in your root `pages` directory which looks like this:
+With NextAuth.js 4.2.0 and Next.js 12, you can now protect your pages via the middleware pattern more easily. If you would like to protect all pages, you can create a `middleware.js` file in your root `pages` directory which looks like this:
 
 ```js title="/middleware.js"
 export { default } from "next-auth/middleware"
@@ -60,6 +60,12 @@ For the time being, the `withAuth` middleware only supports `"jwt"` as [session
 
 More details can be found [here](https://next-auth.js.org/configuration/nextjs#middleware).
 
+:::tip
+To inclue all `dashboard` nested routes (sub pages like `/dashboard/settings`, `/dashboard/profile`) you can pass `matcher: "/dashboard/:path*"` to `config`.
+
+For other patterns check out the [Next.js Middleware documentation](https://nextjs.org/docs/advanced-features/middleware#matcher).
+:::
+
 ### Server Side
 
 You can protect server side rendered pages using the `unstable_getServerSession` method. This is different from the old `getSession()` method, in that it does not do an extra fetch out over the internet to confirm data from itself, increasing performance significantly.

packages/adapter-upstash-redis/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@next-auth/upstash-redis-adapter",
-  "version": "3.0.1",
+  "version": "3.0.2",
   "description": "Upstash adapter for next-auth. It uses Upstash's connectionless (HTTP based) Redis client.",
   "homepage": "https://next-auth.js.org",
   "repository": "https://github.com/nextauthjs/next-auth",

packages/adapter-upstash-redis/src/index.ts

@@ -165,13 +165,20 @@ export function UpstashRedisAdapter(
     },
     async createVerificationToken(verificationToken) {
       await setObjectAsJson(
-        verificationTokenKeyPrefix + verificationToken.identifier,
+        verificationTokenKeyPrefix +
+          verificationToken.identifier +
+          ":" +
+          verificationToken.token,
         verificationToken
       )
       return verificationToken
     },
     async useVerificationToken(verificationToken) {
-      const tokenKey = verificationTokenKeyPrefix + verificationToken.identifier
+      const tokenKey =
+        verificationTokenKeyPrefix +
+        verificationToken.identifier +
+        ":" +
+        verificationToken.token
 
       const token = await client.get<VerificationToken>(tokenKey)
       if (!token) return null

packages/next-auth/package.json

@@ -1,6 +1,6 @@
 {
   "name": "next-auth",
-  "version": "4.11.0",
+  "version": "4.12.1",
   "description": "Authentication for Next.js",
   "homepage": "https://next-auth.js.org",
   "repository": "https://github.com/nextauthjs/next-auth.git",
@@ -70,7 +70,7 @@
     "@babel/runtime": "^7.16.3",
     "@panva/hkdf": "^1.0.1",
     "cookie": "^0.5.0",
-    "jose": "^4.3.7",
+    "jose": "^4.9.3",
     "oauth": "^0.9.15",
     "openid-client": "^5.1.0",
     "preact": "^10.6.3",
@@ -78,7 +78,7 @@
     "uuid": "^8.3.2"
   },
   "peerDependencies": {
-    "next": "12.2.5",
+    "next": "^12.2.5",
     "nodemailer": "^6.6.5",
     "react": "^17.0.2 || ^18",
     "react-dom": "^17.0.2 || ^18"

packages/next-auth/src/core/init.ts

@@ -1,3 +1,4 @@
+import { randomBytes, randomUUID } from "crypto"
 import { NextAuthOptions } from ".."
 import logger from "../utils/logger"
 import parseUrl from "../utils/parse-url"
@@ -86,6 +87,10 @@ export async function init({
       strategy: userOptions.adapter ? "database" : "jwt",
       maxAge,
       updateAge: 24 * 60 * 60,
+      generateSessionToken: () => {
+        // Use `randomUUID` if available. (Node 15.6+)
+        return randomUUID?.() ?? randomBytes(32).toString("hex")
+      },
       ...userOptions.session,
     },
     // JWT options

packages/next-auth/src/core/lib/callback-handler.ts

@@ -1,4 +1,3 @@
-import { randomBytes, randomUUID } from "crypto"
 import { AccountNotLinkedError } from "../errors"
 import { fromDate } from "./utils"
 
@@ -37,7 +36,7 @@ export default async function callbackHandler(params: {
     adapter,
     jwt,
     events,
-    session: { strategy: sessionStrategy },
+    session: { strategy: sessionStrategy, generateSessionToken },
   } = options
 
   // If no adapter is configured then we don't have a database and cannot
@@ -219,8 +218,3 @@ export default async function callbackHandler(params: {
     }
   }
 }
-
-function generateSessionToken() {
-  // Use `randomUUID` if available. (Node 15.6++)
-  return randomUUID?.() ?? randomBytes(32).toString("hex")
-}

packages/next-auth/src/core/types.ts

@@ -468,6 +468,13 @@ export interface SessionOptions {
    * @default 86400 // 1 day
    */
   updateAge: number
+  /**
+   * Generate a custom session token for database-based sessions.
+   * By default, a random UUID or string is generated depending on the Node.js version.
+   * However, you can specify your own custom string (such as CUID) to be used.
+   * @default `randomUUID` or `randomBytes.toHex` depending on the Node.js version
+   */
+  generateSessionToken: () => string
 }
 
 export interface DefaultUser {

pnpm-lock.yaml

@@ -433,7 +433,7 @@ importers:
       jest: ^28.1.1
       jest-environment-jsdom: ^28.1.1
       jest-watch-typeahead: ^1.1.0
-      jose: ^4.3.7
+      jose: ^4.9.3
       msw: ^0.42.3
       next: 12.2.5
       oauth: ^0.9.15
@@ -451,7 +451,7 @@ importers:
       '@babel/runtime': 7.18.3
       '@panva/hkdf': 1.0.2
       cookie: 0.5.0
-      jose: 4.8.1
+      jose: 4.9.3
       oauth: 0.9.15
       openid-client: 5.1.6
       preact: 10.8.2
@@ -15426,8 +15426,8 @@ packages:
       valid-url: 1.0.9
     dev: true
 
-  /jose/4.8.1:
-    resolution: {integrity: sha512-+/hpTbRcCw9YC0TOfN1W47pej4a9lRmltdOVdRLz5FP5UvUq3CenhXjQK7u/8NdMIIShMXYAh9VLPhc7TjhvFw==}
+  /jose/4.9.3:
+    resolution: {integrity: sha512-f8E/z+T3Q0kA9txzH2DKvH/ds2uggcw0m3vVPSB9HrSkrQ7mojjifvS7aR8cw+lQl2Fcmx9npwaHpM/M3GD8UQ==}
     dev: false
 
   /js-beautify/1.14.4:
@@ -17339,7 +17339,7 @@ packages:
     resolution: {integrity: sha512-HTFaXWdUHvLFw4GaEMgC0jXYBgpjgzQQNHW1pZsSqJorSgrXzxJ+4u/LWCGaClDEse5HLjXRV+zU5Bn3OefiZw==}
     engines: {node: ^12.19.0 || ^14.15.0 || ^16.13.0}
     dependencies:
-      jose: 4.8.1
+      jose: 4.9.3
       lru-cache: 6.0.0
       object-hash: 2.2.0
       oidc-token-hash: 5.0.1