chore(release): bump version [skip ci]

`sudo echo > /etc/hosts` attempts to write to /etc/hosts as a non-priv user, which will fail. `echo | sudo tee /etc/hosts` works.

docs/docs/configuration/nextjs.md

@@ -6,7 +6,7 @@ This method was renamed to `getServerSession`. See the documentation below.
 
 ## `getServerSession`
 
-When calling from server-side i.e. in API routes or in `getServerSideProps`, we recommend using this function instead of `getSession` to retrieve the `session` object. This method is especially useful when you are using NextAuth.js with a database. This method can _drastically_ reduce response time when used over `getSession` server-side, due to avoiding an extra `fetch` to an API Route (this is generally [not recommended in Next.js](https://nextjs.org/docs/basic-features/data-fetching/get-server-side-props#getserversideprops-or-api-routes)). In addition, `getServerSession` will correctly update the cookie expiry time and update the session content if `callbacks.jwt` or `callbacks.session` changed something.
+When calling from server-side i.e. in API routes or in `getServerSideProps`, we recommend using this function instead of `getSession` to retrieve the `session` object. This method is especially useful when you are using NextAuth.js with a database. This method can _drastically_ reduce response time when used over `getSession` on server-side, due to avoiding an extra `fetch` to an API Route (this is generally [not recommended in Next.js](https://nextjs.org/docs/basic-features/data-fetching/get-server-side-props#getserversideprops-or-api-routes)). In addition, `getServerSession` will correctly update the cookie expiry time and update the session content if `callbacks.jwt` or `callbacks.session` changed something.
 
 Otherwise, if you only want to get the session token, see [`getToken`](/tutorials/securing-pages-and-api-routes#using-gettoken).
 
@@ -84,7 +84,7 @@ export default async function Page() {
 ```
 
 :::warning
-Currently, the underlying Next.js `cookies()` method does [only provides read access](https://beta.nextjs.org/docs/api-reference/cookies) to the request cookies. This means that the `expires` value is stripped away from `session` in Server Components. Furthermore, there is a hard expiry on sessions, after which the user will be required to sign in again. (The default expiry is 30 days).
+Currently, the underlying Next.js `cookies()` method [only provides read access](https://beta.nextjs.org/docs/api-reference/cookies) to the request cookies. This means that the `expires` value is stripped away from `session` in Server Components. Furthermore, there is a hard expiry on sessions, after which the user will be required to sign in again. (The default expiry is 30 days).
 :::
 
 ## Middleware

docs/docs/configuration/pages.md

@@ -107,10 +107,10 @@ export async function getServerSideProps(context: GetServerSidePropsContext) {
     return { redirect: { destination: "/" } };
   }
 
-  const providers = await getProviders(context);
+  const providers = await getProviders();
   
   return {
-    props: { providers: Object.values(providers) ?? [] },
+    props: { providers: providers ?? [] },
   }
 }
 ```

docs/docs/configuration/providers/oauth.md

@@ -40,7 +40,7 @@ sequenceDiagram
     Note left of Browser: User inserts their<br/>credentials in Github
     Browser->>Auth Server (Github): Github validates the inserted credentials
     Auth Server (Github)->>Auth Server (Github): Generates one time access code<br/>and calls callback<br>URL defined in<br/>App settings
-    Auth Server (Github)->>App Server: GET<br/>"api/auth/github/callback?code=123"
+    Auth Server (Github)->>App Server: GET<br/>"api/auth/callback/github?code=123"
     App Server->>App Server: Grabs code<br/>to exchange it for<br/>access token
     App Server->>Auth Server (Github): POST<br/>"github.com/login/oauth/access_token"<br/>{code: 123}
     Auth Server (Github)->>Auth Server (Github): Verifies code is<br/>valid and generates<br/>access token
@@ -424,17 +424,3 @@ GoogleProvider({
   allowDangerousEmailAccountLinking: true,
 })
 ```
-
-### Adding a new built-in provider
-
-If you think your custom provider might be useful to others, we encourage you to open a PR and add it to the built-in list so others can discover it much more easily!
-
-You only need to add three changes:
-
-1. Add your config: [`src/providers/{provider}.ts`](https://github.com/nextauthjs/next-auth/tree/main/packages/next-auth/src/providers)<br />
-    - Make sure you use a named default export, like this: `export default function YourProvider`
-    - Add two SVG's of the provider logo, like `google-dark.svg` (dark mode) and `google.svg` (light mode), to the `/packages/next-auth/provider-logos/` directory as well as the styling config to the provider config object. See existing provider for example
-2. Add provider documentation: [`/docs/providers/{provider}.md`](https://github.com/nextauthjs/next-auth/tree/main/docs/docs/providers)
-3. Add the new provider name to the `Provider type` dropdown options in [`the provider issue template`](https://github.com/nextauthjs/next-auth/edit/main/.github/ISSUE_TEMPLATE/2_bug_provider.yml)
-
-That's it! 🎉 Others will be able to discover and use this provider much more easily now!

docs/docs/deployment.md

@@ -79,7 +79,7 @@ export default NextAuth({
 
 #### Using the branch based preview URL
 
-Preview deployments at Vercel are often available via multiple URLs. For example, PR's merged to `master` or `main`, will be available the commit and PR specific preview URLs, but also the branch specific preview URLs. This branch specific URL will obviously not change as long as you work with that same branch. Therefore, you could add to your OAuth provider your `{project}-git-main-{user}.vercel.app` preview URL. As this will stay constant for that branch, you can reuse that preview deployment / URL for testing any authentication related deployments.
+Preview deployments at Vercel are often available via multiple URLs. For example, PR's merged to `master` or `main`, will be available via commit and PR specific preview URLs, but also the branch specific preview URLs. This branch specific URL will obviously not change as long as you work with that same branch. Therefore, you could add to your OAuth provider your `{project}-git-main-{user}.vercel.app` preview URL. As this will stay constant for that branch, you can reuse that preview deployment / URL for testing any authentication related deployments.
 
 ## Netlify
 

docs/docs/faq.md

@@ -67,7 +67,7 @@ _If you use a custom credentials provider user accounts will not be persisted in
 </summary>
 <p>
 
-NextAuth.js was originally designed for use with Next.js and Serverless. However, today you could use the NextAuth.js core with any other framework. Checkout the examples for <a href="https://github.com/nextauthjs/next-auth/tree/main/apps/playground-gatsby" target="_blank">Gatsby</a> and <a href="https://sveltekit.authjs.dev/" target="_blank">SvelteKit</a>. If you would add another integration with other frameworks, feel free to work on it and send a pull request. Make sure to check if there's any on-going work before open a new issue.
+NextAuth.js was originally designed for use with Next.js and Serverless. However, today you could use the NextAuth.js core with any other framework. Checkout the examples for <a href="https://github.com/nextauthjs/next-auth/tree/main/apps/playground-gatsby" target="_blank">Gatsby</a> and <a href="https://sveltekit.authjs.dev/" target="_blank">SvelteKit</a>. If you would add another integration with other frameworks, feel free to work on it and send a pull request. Make sure to check if there's any on-going work before opening a new issue.
 
 </p>
 </details>

docs/docs/providers/apple.md

@@ -64,7 +64,7 @@ Edit your host file and point your site to `127.0.0.1`.
 _Linux/macOS_
 
 ```
-sudo echo '127.0.0.1 dev.example.com' >> /etc/hosts
+echo '127.0.0.1 dev.example.com' | sudo tee -a /etc/hosts
 ```
 
 _Windows_ (run PowerShell as administrator)

docs/docs/providers/duende-identity-server6.md

@@ -0,0 +1,53 @@
+---
+id: duende-identityserver6
+title: DuendeIdentityServer6
+---
+
+## Documentation
+
+https://docs.duendesoftware.com/identityserver/v6
+
+## Options
+
+The **DuendeIdentityServer6 Provider** comes with a set of default options:
+
+- [DuendeIdentityServer6 Provider options](https://github.com/nextauthjs/next-auth/blob/v4/packages/next-auth/src/providers/duende-identity-server6.ts)
+
+You can override any of the options to suit your own use case.
+
+## Example
+
+```js
+import DuendeIDS6Provider from "next-auth/providers/duende-identity-server6"
+
+...
+providers: [
+  DuendeIDS6Provider({
+    clientId: process.env.DUENDE_IDS6_ID,
+    clientSecret: process.env.DUENDE_IDS6_SECRET,
+    issuer: process.env.DUENDE_IDS6_ISSUER,
+  })
+]
+...
+```
+
+## Demo IdentityServer
+
+The configuration below is for the demo server at https://demo.duendesoftware.com/
+
+If you want to try it out, you can copy and paste the configuration below.
+
+You can sign in to the demo service with either <b>bob/bob</b> or <b>alice/alice</b>.
+
+```js
+import DuendeIDS6Provider from "next-auth/providers/duende-identity-server6"
+...
+providers: [
+  DuendeIDS6Provider({
+    clientId: "interactive.confidential",
+    clientSecret: "secret",
+    issuer: "https://demo.duendesoftware.com",
+  })
+]
+...
+```

docs/vercel.json

@@ -68,6 +68,11 @@
       "source": "/adapters/firebase",
       "destination": "https://authjs.dev/reference/adapter/firebase",
       "permanent": true
+    },
+    {
+      "source": "/tutorials/refresh-token-rotation",
+      "destination": "https://authjs.dev/guides/basics/refresh-token-rotation",
+      "permanent": true
     }
   ]
 }

packages/next-auth/package.json

@@ -1,6 +1,6 @@
 {
   "name": "next-auth",
-  "version": "4.19.2",
+  "version": "4.20.0",
   "description": "Authentication for Next.js",
   "homepage": "https://next-auth.js.org",
   "repository": "https://github.com/nextauthjs/next-auth.git",

packages/next-auth/src/core/lib/oauth/state-handler.ts

@@ -49,7 +49,9 @@ export async function useState(
 ): Promise<{ value: string; cookie: Cookie } | undefined> {
   const { cookies, provider, jwt } = options
 
-  if (!provider.checks?.includes("state") || !state) return
+  if (!provider.checks?.includes("state")) return
+
+  if (!state) throw new Error("No state provided")
 
   const value = (await jwt.decode({ ...options.jwt, token: state })) as any
 

packages/next-auth/src/core/pages/signin.tsx

@@ -107,6 +107,7 @@ export default function SigninPage(props: SignInServerPageParams) {
         />
       )}
       <div className="card">
+        {theme.logo && <img src={theme.logo} alt="Logo" className="logo" />}
         {error && (
           <div className="error">
             <p>{error}</p>

packages/next-auth/src/utils/detect-host.ts

@@ -1,5 +1,10 @@
 /** Extract the host from the environment */
 export function detectHost(forwardedHost: any) {
+  // if `NEXTAUTH_URL_INTERNAL` is set, it means NextAuth.js is deployed 
+  // behind a proxy - we prioritize it over `forwardedHost`.
+  if (process.env.NEXTAUTH_URL_INTERNAL) {
+    return process.env.NEXTAUTH_URL_INTERNAL
+  }
   // If we detect a Vercel environment, we can trust the host
   if (process.env.VERCEL ?? process.env.AUTH_TRUST_HOST)
     return forwardedHost