Delete index.md

Fixes https://github.com/nextauthjs/next-auth/issues/6597

.eslintignore

@@ -23,8 +23,8 @@ pnpm-lock.yaml
 
 .docusaurus
 build
-docs/docs/reference/03-core
-docs/docs/reference/04-sveltekit
+docs/docs/reference/core
+docs/docs/reference/sveltekit
 static
 
 # --------------- Packages ---------------

.github/ISSUE_TEMPLATE/1_bug_framework.yml

@@ -30,7 +30,7 @@ body:
         Run this command in your project's root folder and paste the result:
 
         ```sh
-        npx envinfo --system --binaries --browsers --npmPackages "next,react,next-auth"
+        npx envinfo --system --binaries --browsers --npmPackages "next,react,next-auth,@auth/*"
         ```
         Alternatively, you can manually gather the version information from your package.json for these packages: "next", "react" and "next-auth". Please also mention your OS and Node.js version, as well as the browser you are using.
     validations:

.github/ISSUE_TEMPLATE/2_bug_provider.yml

@@ -58,6 +58,7 @@ body:
         - "Medium"
         - "Naver"
         - "Netlify"
+        - "Notion"
         - "Okta"
         - "OneLogin"
         - "Osso"
@@ -88,7 +89,7 @@ body:
         Run this command in your project's root folder and paste the result:
 
         ```sh
-        npx envinfo --system --binaries --browsers --npmPackages "next,react,next-auth"
+        npx envinfo --system --binaries --browsers --npmPackages "next,react,next-auth,@auth/*"
         ```
         Alternatively, you can manually gather the version information from your package.json for these packages: "next", "react" and "next-auth". Please also mention your OS and Node.js version, as well as the browser you are using.
     validations:

.github/ISSUE_TEMPLATE/3_bug_adapter.yml

@@ -44,7 +44,7 @@ body:
         Run this command in your project's root folder and paste the result:
 
         ```sh
-        npx envinfo --system --binaries --browsers --npmPackages "next,react,next-auth" && npx envinfo --npmPackages "@next-auth/*"
+        npx envinfo --system --binaries --browsers --npmPackages "next,react,next-auth,@auth/*" && npx envinfo --npmPackages "@next-auth/*"
         ```
         Alternatively, if the above command did not work, we need the version of the following packages from your package.json: "next", "react", "next-auth" and your adapter. Please also mention your OS and Node.js version, as well as the browser you are using.
     validations:

.github/workflows/release.yml

@@ -35,23 +35,22 @@ jobs:
           UPSTASH_REDIS_KEY: ${{ secrets.UPSTASH_REDIS_KEY }}
           TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
           TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
-      - name: Run E2E tests
-        if: github.repository == 'nextauthjs/next-auth'
-        run: pnpm e2e
-        timeout-minutes: 15
-        env:
-          AUTH0_USERNAME: ${{ secrets.AUTH0_USERNAME }}
-          AUTH0_PASSWORD: ${{ secrets.AUTH0_PASSWORD }}
-          TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
-          TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
-      - name: Upload E2E artifacts
-        if: github.repository == 'nextauthjs/next-auth'
-        uses: actions/upload-artifact@v3
-        if: always()
-        with:
-          name: playwright-report
-          path: apps/dev/nextjs/playwright-report/
-          retention-days: 30
+      # - name: Run E2E tests
+      #   if: github.repository == 'nextauthjs/next-auth'
+      #   run: pnpm e2e
+      #   timeout-minutes: 15
+      #   env:
+      #     AUTH0_USERNAME: ${{ secrets.AUTH0_USERNAME }}
+      #     AUTH0_PASSWORD: ${{ secrets.AUTH0_PASSWORD }}
+      #     TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
+      #     TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
+      # - name: Upload E2E artifacts
+      #   if: github.repository == 'nextauthjs/next-auth'
+      #   uses: actions/upload-artifact@v3
+      #   with:
+      #     name: playwright-report
+      #     path: apps/dev/nextjs/playwright-report/
+      #     retention-days: 30
       # - name: Coverage
       #   uses: codecov/codecov-action@v1
       #   with:

.gitignore

@@ -34,13 +34,10 @@ packages/next-auth/utils
 packages/next-auth/core
 packages/next-auth/jwt
 packages/next-auth/react
-packages/next-auth/adapters.d.ts
-packages/next-auth/adapters.js
-packages/next-auth/index.d.ts
-packages/next-auth/index.js
 packages/next-auth/next
-packages/next-auth/middleware.d.ts
-packages/next-auth/middleware.js
+packages/*/*.js
+packages/*/*.d.ts
+packages/*/*.d.ts.map
 
 # Development app
 apps/dev/src/css
@@ -84,11 +81,12 @@ docs/providers.json
 packages/core/*.js
 packages/core/*.d.ts
 packages/core/*.d.ts.map
+packages/core/src/providers/oauth-types.ts
 packages/core/lib
 packages/core/providers
 packages/core/src/lib/pages/styles.ts
-docs/docs/reference/03-core
-docs/docs/reference/04-sveltekit
+docs/docs/reference/core
+docs/docs/reference/sveltekit
 
 
 # SvelteKit

.prettierignore

@@ -20,8 +20,8 @@ pnpm-lock.yaml
 
 .docusaurus
 build
-docs/docs/reference/03-core
-docs/docs/reference/04-sveltekit
+docs/docs/reference/core
+docs/docs/reference/sveltekit
 static
 docs/providers.json
 

apps/dev/nextjs/.env.local.example

@@ -21,6 +21,10 @@ KEYCLOAK_ID=
 KEYCLOAK_SECRET=
 KEYCLOAK_ISSUER=
 
+NOTION_ID=
+NOTION_SECRET=
+NOTION_REDIRECT_URI=
+
 IDS4_ID=
 IDS4_SECRET=
 IDS4_ISSUER=

apps/dev/nextjs/pages/api/auth/[...nextauth].ts

@@ -24,6 +24,7 @@ import Instagram from "@auth/core/providers/instagram"
 import Line from "@auth/core/providers/line"
 import LinkedIn from "@auth/core/providers/linkedin"
 import Mailchimp from "@auth/core/providers/mailchimp"
+import Notion from "@auth/core/providers/notion"
 // import Okta from "@auth/core/providers/okta"
 import Osu from "@auth/core/providers/osu"
 import Patreon from "@auth/core/providers/patreon"
@@ -69,7 +70,7 @@ import WorkOS from "@auth/core/providers/workos"
 
 export const authConfig: AuthConfig = {
   // adapter,
-  // debug: process.env.NODE_ENV !== "production",
+  debug: process.env.NODE_ENV !== "production",
   theme: {
     logo: "https://next-auth.js.org/img/logo/logo-sm.png",
     brandColor: "#1786fb",
@@ -107,6 +108,7 @@ export const authConfig: AuthConfig = {
     Line({ clientId: process.env.LINE_ID, clientSecret: process.env.LINE_SECRET }),
     LinkedIn({ clientId: process.env.LINKEDIN_ID, clientSecret: process.env.LINKEDIN_SECRET }),
     Mailchimp({ clientId: process.env.MAILCHIMP_ID, clientSecret: process.env.MAILCHIMP_SECRET }),
+    Notion({ clientId: process.env.NOTION_ID, clientSecret: process.env.NOTION_SECRET, redirectUri: process.env.NOTION_REDIRECT_URI }),
     // Okta({ clientId: process.env.OKTA_ID, clientSecret: process.env.OKTA_SECRET, issuer: process.env.OKTA_ISSUER }),
     Osu({ clientId: process.env.OSU_CLIENT_ID, clientSecret: process.env.OSU_CLIENT_SECRET }),
     Patreon({ clientId: process.env.PATREON_ID, clientSecret: process.env.PATREON_SECRET }),

apps/dev/sveltekit/package.json

@@ -19,8 +19,8 @@
     "vite": "4.0.1"
   },
   "dependencies": {
-    "@auth/core": "0.2.5",
-    "@auth/sveltekit": "0.1.12"
+    "@auth/core": "workspace:*",
+    "@auth/sveltekit": "workspace:*"
   },
   "type": "module"
 }

apps/playgrounds/nuxt/package.json

@@ -2,11 +2,10 @@
   "name": "playground-nuxt",
   "private": true,
   "scripts": {
-    "build": "nuxt build",
-    "dev": "export NODE_OPTIONS='--no-experimental-fetch' && nuxt dev",
+    "build": "nuxt prepare && nuxt build",
+    "dev": "nuxt prepare &&  export NODE_OPTIONS='--no-experimental-fetch' && nuxt dev",
     "generate": "nuxt generate",
-    "preview": "nuxt preview",
-    "postinstall": "nuxt prepare"
+    "preview": "nuxt preview"
   },
   "devDependencies": {
     "@nuxt/eslint-config": "^0.1.1",

docs/docs/guides/03-basics/refresh-token-rotation.md

@@ -22,7 +22,7 @@ Using a JWT to store the `refresh_token` is less secure than saving it in a data
 
 #### JWT strategy
 
-Using the [jwt](../../reference/03-core/interfaces/types.CallbacksOptions.md#jwt) and [session](../../reference/03-core/interfaces/types.CallbacksOptions.md#session) callbacks, we can persist OAuth tokens and refresh them when they expire.
+Using the [jwt](../../reference/core/interfaces/types.CallbacksOptions.md#jwt) and [session](../../reference/core/interfaces/types.CallbacksOptions.md#session) callbacks, we can persist OAuth tokens and refresh them when they expire.
 
 Below is a sample implementation using Google's Identity Provider. Please note that the OAuth 2.0 request in the `refreshAccessToken()` function will vary between different providers, but the core logic should remain similar.
 

docs/docs/reference/04-providers/04-email.md

@@ -16,4 +16,4 @@ sidebar_label: Email options
 See our guides on magic links authentication for further tips on how to customize this provider:
 
 - [Tutorial](/getting-started/email-tutorial)
-- [Guide deep-dive](guides/providers/email)
+- [Guide deep-dive](/guides/providers/email)

docs/docs/reference/06-adapters/prisma.md

@@ -139,9 +139,10 @@ Prisma supports MongoDB, and so does Auth.js. Following the instructions of the
 id  String  @id @default(auto()) @map("_id") @db.ObjectId
 ```
 
-2. The Native database type attribute to `@db.String` from `@db.Text`.
+2. The Native database type attribute to `@db.String` from `@db.Text` and userId to `@db.ObjectId`.
 
 ```prisma
+user_id            String   @db.ObjectId
 refresh_token      String?  @db.String
 access_token       String?  @db.String
 id_token           String?  @db.String

docs/docs/reference/index.md

@@ -1,25 +0,0 @@
----
-title: Overview
-sidebar_label: Overview
-sidebar_position: 0
----
-
-## Core
-
-## Providers
-
-- OAuth/OIDC
-- Email/Passwordless
-- Credentials
-
-## Database Adapters
-
-## Frameworks
-
-- Next.js
-- SvelteKit
-- SolidStart
-- Remix
-- Nuxt
-- Gatsby
-- etc.

docs/docusaurus.config.js

@@ -62,7 +62,7 @@ const docusaurusConfig = {
           position: "left",
         },
         {
-          to: "/reference/core/modules/main",
+          to: "/reference/core",
           // TODO: change to this when the overview page looks better.
           // to: "/reference",
           activeBasePath: "/reference",
@@ -101,7 +101,7 @@ const docusaurusConfig = {
     announcementBar: {
       id: "new-major-announcement",
       content:
-        "<a target='_blank' rel='noopener noreferrer' href='https://next-auth.js.org'>NextAuth.js</a> is becoming Auth.js! 🎉 We're creating Authentication for the Web. Everyone included. Starting with SvelteKit, check out <a href='/reference/sveltekit'>the docs</a>.",
+        "<a target='_blank' rel='noopener noreferrer' href='https://next-auth.js.org'>NextAuth.js</a> is becoming Auth.js! 🎉 We're creating Authentication for the Web. Everyone included. Starting with SvelteKit, check out <a href='/reference/sveltekit'>the docs</a>. Note, this site is under active development.",
       backgroundColor: "#000",
       textColor: "#fff",
     },
@@ -182,10 +182,7 @@ const docusaurusConfig = {
           lastVersion: "current",
           showLastUpdateAuthor: true,
           showLastUpdateTime: true,
-          remarkPlugins: [
-            require("@sapphire/docusaurus-plugin-npm2yarn2pnpm").npm2yarn2pnpm,
-            require("remark-github"),
-          ],
+          remarkPlugins: [require("@sapphire/docusaurus-plugin-npm2yarn2pnpm").npm2yarn2pnpm],
           versions: {
             current: {
               label: "experimental",
@@ -204,20 +201,14 @@ const docusaurusConfig = {
       {
         ...typedocConfig,
         id: "core",
-        plugin: ["./tyepdoc"],
-        entryPoints: [
-          "index.ts",
-          "adapters.ts",
-          "errors.ts",
-          "jwt.ts",
-          "types.ts",
-        ]
-          .map((e) => `${coreSrc}/${e}`)
-          .concat(providers),
-        tsconfig: "../packages/core/tsconfig.json",
-        out: "reference/03-core",
+        plugin: [require.resolve("./typedoc-mdn-links")],
         watch: process.env.TYPEDOC_WATCH,
-        includeExtension: false,
+        entryPoints: ["index.ts", "adapters.ts", "errors.ts", "jwt.ts", "types.ts"].map((e) => `${coreSrc}/${e}`).concat(providers),
+        tsconfig: "../packages/core/tsconfig.json",
+        out: "reference/core",
+        sidebar: {
+          indexLabel: "index",
+        },
       },
     ],
     [
@@ -225,14 +216,14 @@ const docusaurusConfig = {
       {
         ...typedocConfig,
         id: "sveltekit",
-        plugin: ["./tyepdoc"],
-        entryPoints: ["index.ts", "client.ts"].map(
-          (e) => `../packages/frameworks-sveltekit/src/lib/${e}`
-        ),
-        tsconfig: "../packages/frameworks-sveltekit/tsconfig.json",
-        out: "reference/04-sveltekit",
+        plugin: [require.resolve("./typedoc-mdn-links")],
         watch: process.env.TYPEDOC_WATCH,
-        includeExtension: false,
+        entryPoints: ["index.ts", "client.ts"].map((e) => `../packages/frameworks-sveltekit/src/lib/${e}`),
+        tsconfig: "../packages/frameworks-sveltekit/tsconfig.json",
+        out: "reference/sveltekit",
+        sidebar: {
+          indexLabel: "index",
+        },
       },
     ],
   ],

docs/package.json

@@ -3,7 +3,7 @@
   "repository": "https://github.com/nextauthjs/next-auth",
   "name": "docs",
   "scripts": {
-    "start": "TYPEDOC_WATCH=true docusaurus start --no-open --port 8000",
+    "start": "TYPEDOC_WATCH=true docusaurus start --no-open",
     "dev": "pnpm providers && pnpm snippets && pnpm start",
     "build": "pnpm providers && docusaurus build",
     "docusaurus": "docusaurus",
@@ -27,7 +27,6 @@
     "react": "^18.2.0",
     "react-dom": "^18.2.0",
     "react-marquee-slider": "^1.1.5",
-    "remark-github": "10.1.0",
     "styled-components": "5.3.6"
   },
   "devDependencies": {
@@ -37,7 +36,9 @@
     "@docusaurus/preset-classic": "2.2.0",
     "@docusaurus/theme-common": "2.2.0",
     "@docusaurus/types": "2.2.0",
-    "docusaurus-plugin-typedoc": "^0.18.0"
+    "docusaurus-plugin-typedoc": "1.0.0-next.2",
+    "typedoc": "^0.23.24",
+    "typedoc-plugin-markdown": "4.0.0-next.2"
   },
   "browserslist": {
     "production": [

docs/sidebars.js

@@ -14,61 +14,28 @@ module.exports = {
     },
   ],
   referenceSidebar: [
-    "reference/index",
     {
       type: "category",
       label: "@auth/core",
-      link: {
-        type: "doc",
-        id: "reference/core/modules/main",
-      },
-      items: [
-        {
-          type: "autogenerated",
-          dirName: "reference/03-core/modules",
-          // See: https://github.com/facebook/docusaurus/issues/5689
-          // exclude: ["index"],
-        },
-        {
-          type: "category",
-          label: "Reflections",
-          collapsed: true,
-          className: "reflection-category", // See src/index.css
-          items: [{ type: "autogenerated", dirName: "reference/03-core" }],
-        },
-      ],
+      link: { type: "doc", id: "reference/core/index" },
+      items: [{ type: "autogenerated", dirName: "reference/core" }],
     },
     {
       type: "category",
       label: "@auth/sveltekit",
-      link: { type: "doc", id: "reference/sveltekit/modules/main" },
-      items: [
-        { type: "autogenerated", dirName: "reference/04-sveltekit/modules" },
-        {
-          type: "category",
-          label: "Reflections",
-          collapsed: true,
-          className: "reflection-category", // See src/index.css
-          items: [{ type: "autogenerated", dirName: "reference/04-sveltekit" }],
-        },
-      ],
+      link: { type: "doc", id: "reference/sveltekit/index" },
+      items: [{ type: "autogenerated", dirName: "reference/sveltekit" }],
     },
     {
       type: "category",
       label: "@auth/solid-start",
-      link: {
-        type: "doc",
-        id: "reference/solidstart/index",
-      },
-      items: ["reference/solidstart/client", "reference/solidstart/protected"],
+      link: { type: "doc", id: "reference/solidstart/index" },
+      items: [{ type: "autogenerated", dirName: "reference/04-solidstart" }],
     },
     {
       type: "category",
       label: "@auth/nextjs",
-      link: {
-        type: "doc",
-        id: "reference/nextjs/index",
-      },
+      link: { type: "doc", id: "reference/nextjs/index" },
       items: [
         "reference/nextjs/client",
         {

docs/src/css/index.css

@@ -272,27 +272,4 @@ html[data-theme="dark"] #carbonads > span {
 html[data-theme="dark"] #carbonads .carbon-poweredby {
   color: #aaa;
   background: #1e2021;
-}
-
-/* 
-  This is a hack to hide the "Reflection" category and "main" module from the sidebar.
-  This is because:
-  1. opening any page under the "Reflection" category would hide the entire sidebar.
-  2. the "main" module would show up twice.
-  See sidebars.js
-*/
-.reflection-category,
-.theme-doc-sidebar-item-link-level-2 [href="/reference/core/modules/main"],
-.theme-doc-sidebar-item-link-level-2
-  [href="/reference/sveltekit/modules/main"] {
-  display: none;
-}
-
-/*
- HACK: to hide the "Classes" header and duplicate items together with the "typedoc-plugin-markdown" patch.
- See: https://github.com/TypeStrong/typedoc/issues/2006
-*/
-/* h3.anchor + p:has(code, strong), */ /** hack did not work as it hides property types elsewhere */
-#classes {
-  display: none;
-}
+}

docs/static/img/providers/notion.svg

@@ -0,0 +1,5 @@
+<svg width="32" height="32" viewBox="0 0 100 100" fill="none" xmlns="http://www.w3.org/2000/svg">
+  <title>Notion icon</title>
+  <path d="M6.017 4.313l55.333 -4.087c6.797 -0.583 8.543 -0.19 12.817 2.917l17.663 12.443c2.913 2.14 3.883 2.723 3.883 5.053v68.243c0 4.277 -1.553 6.807 -6.99 7.193L24.467 99.967c-4.08 0.193 -6.023 -0.39 -8.16 -3.113L3.3 79.94c-2.333 -3.113 -3.3 -5.443 -3.3 -8.167V11.113c0 -3.497 1.553 -6.413 6.017 -6.8z" fill="#fff"/>
+  <path fill-rule="evenodd" clip-rule="evenodd" d="M61.35 0.227l-55.333 4.087C1.553 4.7 0 7.617 0 11.113v60.66c0 2.723 0.967 5.053 3.3 8.167l13.007 16.913c2.137 2.723 4.08 3.307 8.16 3.113l64.257 -3.89c5.433 -0.387 6.99 -2.917 6.99 -7.193V20.64c0 -2.21 -0.873 -2.847 -3.443 -4.733L74.167 3.143c-4.273 -3.107 -6.02 -3.5 -12.817 -2.917zM25.92 19.523c-5.247 0.353 -6.437 0.433 -9.417 -1.99L8.927 11.507c-0.77 -0.78 -0.383 -1.753 1.557 -1.947l53.193 -3.887c4.467 -0.39 6.793 1.167 8.54 2.527l9.123 6.61c0.39 0.197 1.36 1.36 0.193 1.36l-54.933 3.307 -0.68 0.047zM19.803 88.3V30.367c0 -2.53 0.777 -3.697 3.103 -3.893L86 22.78c2.14 -0.193 3.107 1.167 3.107 3.693v57.547c0 2.53 -0.39 4.67 -3.883 4.863l-60.377 3.5c-3.493 0.193 -5.043 -0.97 -5.043 -4.083zm59.6 -54.827c0.387 1.75 0 3.5 -1.75 3.7l-2.91 0.577v42.773c-2.527 1.36 -4.853 2.137 -6.797 2.137 -3.107 0 -3.883 -0.973 -6.21 -3.887l-19.03 -29.94v28.967l6.02 1.363s0 3.5 -4.857 3.5l-13.39 0.777c-0.39 -0.78 0 -2.723 1.357 -3.11l3.497 -0.97v-38.3L30.48 40.667c-0.39 -1.75 0.58 -4.277 3.3 -4.473l14.367 -0.967 19.8 30.327v-26.83l-5.047 -0.58c-0.39 -2.143 1.163 -3.7 3.103 -3.89l13.4 -0.78z" fill="#000"/>
+</svg>

docs/typedoc.json

@@ -1,23 +1,16 @@
 {
-  "excludeNotDocumented": true,
   "$schema": "https://typedoc.org/schema.json",
-  "allReflectionsHaveOwnDocument": true,
+  "cleanOutputDir": true,
   "disableSources": true,
-  "hideBreadcrumbs": true,
   "excludeExternals": true,
   "excludeInternal": true,
+  "excludeNotDocumented": true,
   "excludePrivate": true,
-  "cleanOutputDir": true,
   "excludeProtected": true,
+  "hideHierarchy": true,
   "gitRevision": "main",
+  "hideBreadcrumbs": true,
   "hideGenerator": true,
-  "intentionallyNotExported": [
-    "ReturnTypes",
-    "CallbackParameters",
-    "JsonValue"
-  ],
-  "readme": "none",
-  "sort": ["kind", "static-first", "required-first", "alphabetical"],
   "kindSortOrder": [
     "Function",
     "TypeAlias",
@@ -41,5 +34,13 @@
     "IndexSignature",
     "GetSignature",
     "SetSignature"
-  ]
-}
+  ],
+  "readme": "none",
+  "sort": [
+    "kind",
+    "static-first",
+    "required-first",
+    "alphabetical"
+  ],
+  "symbolsWithOwnFile": "none"
+}

package.json

@@ -41,8 +41,6 @@
     "prettier": "2.8.1",
     "prettier-plugin-svelte": "^2.8.1",
     "turbo": "1.6.3",
-    "typedoc": "^0.23.22",
-    "typedoc-plugin-markdown": "^3.14.0",
     "typescript": "4.9.4"
   },
   "engines": {
@@ -64,7 +62,6 @@
       "undici": "5.11.0"
     },
     "patchedDependencies": {
-      "typedoc-plugin-markdown@3.14.0": "patches/typedoc-plugin-markdown@3.14.0.patch",
       "@balazsorban/monorepo-release@0.1.8": "patches/@balazsorban__monorepo-release@0.1.8.patch"
     }
   }

packages/adapter-dynamodb/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@next-auth/dynamodb-adapter",
   "repository": "https://github.com/nextauthjs/next-auth",
-  "version": "1.0.6",
+  "version": "1.2.0",
   "description": "AWS DynamoDB adapter for next-auth.",
   "keywords": [
     "next-auth",

packages/adapter-firebase/src/getFirebase.ts

@@ -0,0 +1,11 @@
+import { initializeApp, getApps, FirebaseOptions } from "firebase/app"
+
+export default function getFirebase(firebaseOptions: FirebaseOptions) {
+  const apps = getApps()
+  const app = apps.find((app) => app.name === firebaseOptions.projectId)
+  if (app) {
+    return app
+  } else {
+    return initializeApp(firebaseOptions)
+  }
+}

packages/adapter-firebase/src/index.ts

@@ -25,6 +25,7 @@ import type {
 } from "next-auth/adapters"
 
 import { getConverter } from "./converter"
+import getFirebase from "./getFirebase"
 
 export type IndexableObject = Record<string, unknown>
 
@@ -39,7 +40,7 @@ export function FirestoreAdapter({
   emulator,
   ...firebaseOptions
 }: FirebaseOptions & FirestoreAdapterOptions): Adapter {
-  const firebaseApp = initializeApp(firebaseOptions)
+  const firebaseApp = getFirebase(firebaseOptions)
   const db = getFirestore(firebaseApp)
 
   if (emulator) {

packages/adapter-xata/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@next-auth/xata-adapter",
-  "version": "0.2.0",
+  "version": "0.2.2",
   "description": "Xata adapter for next-auth.",
   "homepage": "https://authjs.dev",
   "repository": "https://github.com/nextauthjs/next-auth",
@@ -43,4 +43,4 @@
   "jest": {
     "preset": "@next-auth/adapter-test/jest"
   }
-}
+}

packages/core/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@auth/core",
-  "version": "0.2.5",
+  "version": "0.3.0",
   "description": "Authentication for the Web.",
   "keywords": [
     "authentication",
@@ -69,7 +69,7 @@
     "preact-render-to-string": "5.2.3"
   },
   "peerDependencies": {
-    "nodemailer": "6.8.0"
+    "nodemailer": "^6.8.0"
   },
   "peerDependenciesMeta": {
     "nodemailer": {
@@ -77,10 +77,11 @@
     }
   },
   "scripts": {
-    "build": "pnpm css && tsc",
+    "build": "pnpm css && pnpm providers && tsc",
     "clean": "rm -rf *.js *.d.ts* lib providers",
     "css": "node scripts/generate-css",
-    "dev": "pnpm css && tsc -w"
+    "dev": "pnpm css && pnpm providers && tsc -w",
+    "providers": "node scripts/generate-providers"
   },
   "devDependencies": {
     "@next-auth/tsconfig": "workspace:*",

packages/core/scripts/generate-providers.js

@@ -0,0 +1,18 @@
+import { join } from "path"
+import { readdirSync, writeFileSync } from "fs"
+
+const providersPath = join(process.cwd(), "src/providers")
+
+const files = readdirSync(providersPath, "utf8")
+
+const providers = files.map((file) => {
+  const strippedProviderName = file.substring(0, file.indexOf("."))
+  return `"${strippedProviderName}"`
+}).filter((provider) => provider !== '"oauth-types"' && provider !== '"index"')
+
+const result = `
+// THIS FILE IS AUTOGENERATED. DO NOT EDIT.
+export type OAuthProviderType = 
+  | ${providers.join("\n  | ")}`
+
+writeFileSync(join(providersPath, "oauth-types.ts"), result)

packages/core/src/index.ts

@@ -27,14 +27,14 @@
  * ## Resources
  *
  * - [Getting started](https://authjs.dev/getting-started/introduction)
- * - [Most common use case guides](https://authjs.dev/guides/overview)
+ * - [Most common use case guides](https://authjs.dev/guides)
  *
- * @module main
+ * @module index
  */
 
 import { assertConfig } from "./lib/assert.js"
 import { ErrorPageLoop } from "./errors.js"
-import { AuthInternal } from "./lib/index.js"
+import { AuthInternal, skipCSRFCheck } from "./lib/index.js"
 import renderPage from "./lib/pages/index.js"
 import { logger, setLogger, type LoggerInstance } from "./lib/utils/logger.js"
 import { toInternalRequest, toResponse } from "./lib/web.js"
@@ -51,6 +51,8 @@ import type {
 import type { Provider } from "./providers/index.js"
 import { JWTOptions } from "./jwt.js"
 
+export { skipCSRFCheck }
+
 /**
  * Core functionality provided by Auth.js.
  *
@@ -298,14 +300,3 @@ export interface AuthConfig {
   trustHost?: boolean
   skipCSRFCheck?: typeof skipCSRFCheck
 }
-
-/**
- * :::danger
- * This option is inteded for framework authors.
- * :::
- *
- * Auth.js comes with built-in {@link https://authjs.dev/concepts/security#csrf CSRF} protection, but
- * if you are implementing a framework that is already protected against CSRF attacks, you can skip this check by
- * passing this value to {@link AuthConfig.skipCSRFCheck}.
- */
-export const skipCSRFCheck = Symbol("skip-csrf-check")

packages/core/src/lib/index.ts

@@ -1,5 +1,4 @@
 import { UnknownAction } from "../errors.js"
-import { skipCSRFCheck } from "../index.js"
 import { SessionStore } from "./cookie.js"
 import { init } from "./init.js"
 import renderPage from "./pages/index.js"
@@ -72,9 +71,9 @@ export async function AuthInternal<
         if (pages.signIn) {
           let signinUrl = `${pages.signIn}${
             pages.signIn.includes("?") ? "&" : "?"
-          }callbackUrl=${encodeURIComponent(options.callbackUrl)}`
+          }${new URLSearchParams({ callbackUrl: options.callbackUrl })}`
           if (error)
-            signinUrl = `${signinUrl}&error=${encodeURIComponent(error)}`
+            signinUrl = `${signinUrl}&${new URLSearchParams({ error })}`
           return { redirect: signinUrl, cookies }
         }
 
@@ -186,3 +185,14 @@ export async function AuthInternal<
   }
   throw new UnknownAction(`Cannot handle action: ${action}`)
 }
+
+/**
+ * :::danger
+ * This option is intended for framework authors.
+ * :::
+ *
+ * Auth.js comes with built-in {@link https://authjs.dev/concepts/security#csrf CSRF} protection, but
+ * if you are implementing a framework that is already protected against CSRF attacks, you can skip this check by
+ * passing this value to {@link AuthConfig.skipCSRFCheck}.
+ */
+export const skipCSRFCheck = Symbol("skip-csrf-check")

packages/core/src/lib/oauth/authorization-url.ts

@@ -1,7 +1,7 @@
+import * as checks from "./checks.js"
 import * as o from "oauth4webapi"
 
 import type {
-  CookiesOptions,
   InternalOptions,
   RequestInternal,
   ResponseInternal,
@@ -58,10 +58,10 @@ export async function getAuthorizationUrl(
 
   const cookies: Cookie[] = []
 
-  if (provider.checks?.includes("state")) {
-    const { value, raw } = await createState(options)
-    authParams.set("state", raw)
-    cookies.push(value)
+  const state = await checks.state.create(options)
+  if (state) {
+    authParams.set("state", state.value)
+    cookies.push(state.cookie)
   }
 
   if (provider.checks?.includes("pkce")) {
@@ -70,17 +70,17 @@ export async function getAuthorizationUrl(
       // a random `nonce` must be used for CSRF protection.
       provider.checks = ["nonce"]
     } else {
-      const { code_challenge, pkce } = await createPKCE(options)
-      authParams.set("code_challenge", code_challenge)
+      const { value, cookie } = await checks.pkce.create(options)
+      authParams.set("code_challenge", value)
       authParams.set("code_challenge_method", "S256")
-      cookies.push(pkce)
+      cookies.push(cookie)
     }
   }
 
-  if (provider.checks?.includes("nonce")) {
-    const nonce = await createNonce(options)
+  const nonce = await checks.nonce.create(options)
+  if (nonce) {
     authParams.set("nonce", nonce.value)
-    cookies.push(nonce)
+    cookies.push(nonce.cookie)
   }
 
   // TODO: This does not work in normalizeOAuth because authorization endpoint can come from discovery
@@ -90,54 +90,5 @@ export async function getAuthorizationUrl(
   }
 
   logger.debug("authorization url is ready", { url, cookies, provider })
-  return { redirect: url, cookies }
-}
-
-/** Returns a signed cookie. */
-export async function signCookie(
-  type: keyof CookiesOptions,
-  value: string,
-  maxAge: number,
-  options: InternalOptions<"oauth">
-): Promise<Cookie> {
-  const { cookies, jwt, logger } = options
-
-  logger.debug(`CREATE_${type.toUpperCase()}`, { value, maxAge })
-
-  const expires = new Date()
-  expires.setTime(expires.getTime() + maxAge * 1000)
-  return {
-    name: cookies[type].name,
-    value: await jwt.encode({ ...jwt, maxAge, token: { value } }),
-    options: { ...cookies[type].options, expires },
-  }
-}
-
-const STATE_MAX_AGE = 60 * 15 // 15 minutes in seconds
-async function createState(options: InternalOptions<"oauth">) {
-  const raw = o.generateRandomState()
-  const maxAge = STATE_MAX_AGE
-  const value = await signCookie("state", raw, maxAge, options)
-  return { value, raw }
-}
-
-const PKCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
-async function createPKCE(options: InternalOptions<"oauth">) {
-  const code_verifier = o.generateRandomCodeVerifier()
-  const code_challenge = await o.calculatePKCECodeChallenge(code_verifier)
-  const maxAge = PKCE_MAX_AGE
-  const pkce = await signCookie(
-    "pkceCodeVerifier",
-    code_verifier,
-    maxAge,
-    options
-  )
-  return { code_challenge, pkce }
-}
-
-const NONCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
-async function createNonce(options: InternalOptions<"oauth">) {
-  const raw = o.generateRandomNonce()
-  const maxAge = NONCE_MAX_AGE
-  return await signCookie("nonce", raw, maxAge, options)
+  return { redirect: url.toString(), cookies }
 }

packages/core/src/lib/oauth/callback.ts

@@ -1,8 +1,6 @@
+import * as checks from "./checks.js"
 import * as o from "oauth4webapi"
 import { OAuthCallbackError, OAuthProfileParseError } from "../../errors.js"
-import { useNonce } from "./nonce-handler.js"
-import { usePKCECodeVerifier } from "./pkce-handler.js"
-import { useState } from "./state-handler.js"
 
 import type {
   InternalOptions,
@@ -73,7 +71,7 @@ export async function handleOAuth(
 
   const resCookies: Cookie[] = []
 
-  const state = await useState(cookies, resCookies, options)
+  const state = await checks.state.use(cookies, resCookies, options)
 
   const parameters = o.validateAuthResponse(
     as,
@@ -91,7 +89,7 @@ export async function handleOAuth(
     throw new OAuthCallbackError(parameters.error)
   }
 
-  const codeVerifier = await usePKCECodeVerifier(
+  const codeVerifier = await checks.pkce.use(
     cookies?.[options.cookies.pkceCodeVerifier.name],
     options
   )
@@ -99,7 +97,10 @@ export async function handleOAuth(
   if (codeVerifier) resCookies.push(codeVerifier.cookie)
 
   // TODO:
-  const nonce = await useNonce(cookies?.[options.cookies.nonce.name], options)
+  const nonce = await checks.nonce.use(
+    cookies?.[options.cookies.nonce.name],
+    options
+  )
   if (nonce && provider.type === "oidc") {
     resCookies.push(nonce.cookie)
   }
@@ -202,7 +203,7 @@ async function getProfile(
     // If we didn't get a response either there was a problem with the provider
     // response *or* the user cancelled the action with the provider.
     //
-    // Unfortuately, we can't tell which - at least not in a way that works for
+    // Unfortunately, we can't tell which - at least not in a way that works for
     // all providers, so we return an empty object; the user should then be
     // redirected back to the sign up page. We log the error to help developers
     // who might be trying to debug this when configuring a new provider.

packages/core/src/lib/oauth/checks.ts

@@ -0,0 +1,155 @@
+import * as o from "oauth4webapi"
+import * as jwt from "../../jwt.js"
+
+import type {
+  InternalOptions,
+  RequestInternal,
+  CookiesOptions,
+} from "../../types.js"
+import type { Cookie } from "../cookie.js"
+
+import { InvalidState } from "../../errors.js"
+
+/** Returns a signed cookie. */
+export async function signCookie(
+  type: keyof CookiesOptions,
+  value: string,
+  maxAge: number,
+  options: InternalOptions<"oauth">
+): Promise<Cookie> {
+  const { cookies, logger } = options
+
+  logger.debug(`CREATE_${type.toUpperCase()}`, { value, maxAge })
+
+  const expires = new Date()
+  expires.setTime(expires.getTime() + maxAge * 1000)
+  return {
+    name: cookies[type].name,
+    value: await jwt.encode({ ...options.jwt, maxAge, token: { value } }),
+    options: { ...cookies[type].options, expires },
+  }
+}
+
+const PKCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
+export const pkce = {
+  async create(options: InternalOptions<"oauth">) {
+    const code_verifier = o.generateRandomCodeVerifier()
+    const value = await o.calculatePKCECodeChallenge(code_verifier)
+    const maxAge = PKCE_MAX_AGE
+    const cookie = await signCookie(
+      "pkceCodeVerifier",
+      code_verifier,
+      maxAge,
+      options
+    )
+    return { cookie, value }
+  },
+
+  /**
+   * Returns code_verifier if provider uses PKCE,
+   * and clears the container cookie afterwards.
+   */
+  async use(
+    codeVerifier: string | undefined,
+    options: InternalOptions<"oauth">
+  ): Promise<{ codeVerifier: string; cookie: Cookie } | undefined> {
+    const { cookies, provider } = options
+
+    if (!provider?.checks?.includes("pkce") || !codeVerifier) {
+      return
+    }
+
+    const pkce = (await jwt.decode({
+      ...options.jwt,
+      token: codeVerifier,
+    })) as any
+
+    return {
+      codeVerifier: pkce?.value ?? undefined,
+      cookie: {
+        name: cookies.pkceCodeVerifier.name,
+        value: "",
+        options: { ...cookies.pkceCodeVerifier.options, maxAge: 0 },
+      },
+    }
+  },
+}
+
+const STATE_MAX_AGE = 60 * 15 // 15 minutes in seconds
+export const state = {
+  async create(options: InternalOptions<"oauth">) {
+    if (!options.provider.checks.includes("state")) return
+    // TODO: support customizing the state
+    const value = o.generateRandomState()
+    const maxAge = STATE_MAX_AGE
+    const cookie = await signCookie("state", value, maxAge, options)
+    return { cookie, value }
+  },
+  /**
+   * Returns state from the saved cookie
+   * if the provider supports states,
+   * and clears the container cookie afterwards.
+   */
+  async use(
+    cookies: RequestInternal["cookies"],
+    resCookies: Cookie[],
+    options: InternalOptions<"oauth">
+  ): Promise<string | undefined> {
+    const { provider, jwt } = options
+    if (!provider.checks.includes("state")) return
+
+    const state = cookies?.[options.cookies.state.name]
+
+    if (!state) throw new InvalidState("State was missing from the cookies.")
+
+    // IDEA: Let the user do something with the returned state
+    const value = (await jwt.decode({ ...options.jwt, token: state })) as any
+
+    if (!value?.value) throw new InvalidState("Could not parse state cookie.")
+
+    // Clear the state cookie after use
+    resCookies.push({
+      name: options.cookies.state.name,
+      value: "",
+      options: { ...options.cookies.state.options, maxAge: 0 },
+    })
+
+    return value.value
+  },
+}
+
+const NONCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
+export const nonce = {
+  async create(options: InternalOptions<"oauth">) {
+    if (!options.provider.checks.includes("nonce")) return
+    const value = o.generateRandomNonce()
+    const maxAge = NONCE_MAX_AGE
+    const cookie = await signCookie("nonce", value, maxAge, options)
+    return { cookie, value }
+  },
+  /**
+   * Returns nonce from if the provider supports nonce,
+   * and clears the container cookie afterwards.
+   */
+  async use(
+    nonce: string | undefined,
+    options: InternalOptions<"oauth">
+  ): Promise<{ value: string; cookie: Cookie } | undefined> {
+    const { cookies, provider } = options
+
+    if (!provider?.checks?.includes("nonce") || !nonce) {
+      return
+    }
+
+    const value = (await jwt.decode({ ...options.jwt, token: nonce })) as any
+
+    return {
+      value: value?.value ?? undefined,
+      cookie: {
+        name: cookies.nonce.name,
+        value: "",
+        options: { ...cookies.nonce.options, maxAge: 0 },
+      },
+    }
+  },
+}

packages/core/src/lib/oauth/nonce-handler.ts

@@ -1,77 +0,0 @@
-import * as o from "oauth4webapi"
-import * as jwt from "../../jwt.js"
-
-import type { InternalOptions } from "../../types.js"
-import type { Cookie } from "../cookie.js"
-
-const NONCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
-
-/**
- * Returns nonce if the provider supports it
- * and saves it in a cookie
- */
-export async function createNonce(options: InternalOptions<"oauth">): Promise<
-  | undefined
-  | {
-      value: string
-      cookie: Cookie
-    }
-> {
-  const { cookies, logger, provider } = options
-  if (!provider.checks?.includes("nonce")) {
-    // Provider does not support nonce, return nothing.
-    return
-  }
-
-  const nonce = o.generateRandomNonce()
-
-  const expires = new Date()
-  expires.setTime(expires.getTime() + NONCE_MAX_AGE * 1000)
-
-  // Encrypt nonce and save it to an encrypted cookie
-  const encryptedNonce = await jwt.encode({
-    ...options.jwt,
-    maxAge: NONCE_MAX_AGE,
-    token: { nonce },
-  })
-
-  logger.debug("CREATE_ENCRYPTED_NONCE", {
-    nonce,
-    maxAge: NONCE_MAX_AGE,
-  })
-
-  return {
-    cookie: {
-      name: cookies.nonce.name,
-      value: encryptedNonce,
-      options: { ...cookies.nonce.options, expires },
-    },
-    value: nonce,
-  }
-}
-
-/**
- * Returns nonce from if the provider supports nonce,
- * and clears the container cookie afterwards.
- */
-export async function useNonce(
-  nonce: string | undefined,
-  options: InternalOptions<"oauth">
-): Promise<{ value: string; cookie: Cookie } | undefined> {
-  const { cookies, provider } = options
-
-  if (!provider?.checks?.includes("nonce") || !nonce) {
-    return
-  }
-
-  const value = (await jwt.decode({ ...options.jwt, token: nonce })) as any
-
-  return {
-    value: value?.value ?? undefined,
-    cookie: {
-      name: cookies.nonce.name,
-      value: "",
-      options: { ...cookies.nonce.options, maxAge: 0 },
-    },
-  }
-}

packages/core/src/lib/oauth/pkce-handler.ts

@@ -1,87 +0,0 @@
-import * as o from "oauth4webapi"
-import * as jwt from "../../jwt.js"
-
-import type { InternalOptions } from "../../types.js"
-import type { Cookie } from "../cookie.js"
-
-const PKCE_CODE_CHALLENGE_METHOD = "S256"
-const PKCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
-
-/**
- * Returns `code_challenge` and `code_challenge_method`
- * and saves them in a cookie.
- */
-export async function createPKCE(options: InternalOptions<"oauth">): Promise<
-  | undefined
-  | {
-      code_challenge: string
-      code_challenge_method: "S256"
-      cookie: Cookie
-    }
-> {
-  const { cookies, logger, provider } = options
-  if (!provider.checks?.includes("pkce")) {
-    // Provider does not support PKCE, return nothing.
-    return
-  }
-  const code_verifier = o.generateRandomCodeVerifier()
-  const code_challenge = await o.calculatePKCECodeChallenge(code_verifier)
-
-  const maxAge = cookies.pkceCodeVerifier.options.maxAge ?? PKCE_MAX_AGE
-
-  const expires = new Date()
-  expires.setTime(expires.getTime() + maxAge * 1000)
-
-  // Encrypt code_verifier and save it to an encrypted cookie
-  const encryptedCodeVerifier = await jwt.encode({
-    ...options.jwt,
-    maxAge,
-    token: { code_verifier },
-  })
-
-  logger.debug("CREATE_PKCE_CHALLENGE_VERIFIER", {
-    code_challenge,
-    code_challenge_method: PKCE_CODE_CHALLENGE_METHOD,
-    code_verifier,
-    maxAge,
-  })
-
-  return {
-    code_challenge,
-    code_challenge_method: PKCE_CODE_CHALLENGE_METHOD,
-    cookie: {
-      name: cookies.pkceCodeVerifier.name,
-      value: encryptedCodeVerifier,
-      options: { ...cookies.pkceCodeVerifier.options, expires },
-    },
-  }
-}
-
-/**
- * Returns code_verifier if provider uses PKCE,
- * and clears the container cookie afterwards.
- */
-export async function usePKCECodeVerifier(
-  codeVerifier: string | undefined,
-  options: InternalOptions<"oauth">
-): Promise<{ codeVerifier: string; cookie: Cookie } | undefined> {
-  const { cookies, provider } = options
-
-  if (!provider?.checks?.includes("pkce") || !codeVerifier) {
-    return
-  }
-
-  const pkce = (await jwt.decode({
-    ...options.jwt,
-    token: codeVerifier,
-  })) as any
-
-  return {
-    codeVerifier: pkce?.value ?? undefined,
-    cookie: {
-      name: cookies.pkceCodeVerifier.name,
-      value: "",
-      options: { ...cookies.pkceCodeVerifier.options, maxAge: 0 },
-    },
-  }
-}

packages/core/src/lib/oauth/state-handler.ts

@@ -1,72 +0,0 @@
-import * as o from "oauth4webapi"
-import type { InternalOptions, RequestInternal } from "../../types.js"
-import type { Cookie } from "../cookie.js"
-import { InvalidState } from "../../errors.js"
-
-const STATE_MAX_AGE = 60 * 15 // 15 minutes in seconds
-
-/** Returns state if the provider supports it */
-export async function createState(
-  options: InternalOptions<"oauth">
-): Promise<{ cookie: Cookie; value: string } | undefined> {
-  const { logger, provider, jwt, cookies } = options
-
-  if (!provider.checks?.includes("state")) {
-    // Provider does not support state, return nothing
-    return
-  }
-
-  const state = o.generateRandomState()
-  const maxAge = cookies.state.options.maxAge ?? STATE_MAX_AGE
-
-  const encodedState = await jwt.encode({
-    ...jwt,
-    maxAge,
-    token: { state },
-  })
-
-  logger.debug("CREATE_STATE", { state, maxAge })
-
-  const expires = new Date()
-  expires.setTime(expires.getTime() + maxAge * 1000)
-  return {
-    value: state,
-    cookie: {
-      name: cookies.state.name,
-      value: encodedState,
-      options: { ...cookies.state.options, expires },
-    },
-  }
-}
-
-/**
- * Returns state from the saved cookie
- * if the provider supports states,
- * and clears the container cookie afterwards.
- */
-export async function useState(
-  cookies: RequestInternal["cookies"],
-  resCookies: Cookie[],
-  options: InternalOptions<"oauth">
-): Promise<string | undefined> {
-  const { provider, jwt } = options
-  if (!provider.checks.includes("state")) return
-
-  const state = cookies?.[options.cookies.state.name]
-
-  if (!state) throw new InvalidState("State was missing from the cookies.")
-
-  // IDEA: Let the user do something with the returned state
-  const value = (await jwt.decode({ ...options.jwt, token: state })) as any
-
-  if (!value?.value) throw new InvalidState("Could not parse state cookie.")
-
-  // Clear the state cookie after use
-  resCookies.push({
-    name: options.cookies.state.name,
-    value: "",
-    options: { ...options.cookies.state.options, maxAge: 0 },
-  })
-
-  return value.value
-}

packages/core/src/lib/routes/callback.ts

@@ -53,7 +53,7 @@ export async function callback(params: {
         cookies.push(...authorizationResult.cookies)
       }
 
-      logger.debug("authroization result", authorizationResult)
+      logger.debug("authorization result", authorizationResult)
 
       const { profile, account, OAuthProfile } = authorizationResult
 
@@ -149,7 +149,7 @@ export async function callback(params: {
         return {
           redirect: `${pages.newUser}${
             pages.newUser.includes("?") ? "&" : "?"
-          }callbackUrl=${encodeURIComponent(callbackUrl)}`,
+          }${new URLSearchParams({ callbackUrl })}`,
           cookies,
         }
       }
@@ -256,7 +256,7 @@ export async function callback(params: {
         return {
           redirect: `${pages.newUser}${
             pages.newUser.includes("?") ? "&" : "?"
-          }callbackUrl=${encodeURIComponent(callbackUrl)}`,
+          }${new URLSearchParams({ callbackUrl })}`,
           cookies,
         }
       }
@@ -350,6 +350,6 @@ export async function callback(params: {
     logger.error(error)
     url.searchParams.set("error", CallbackRouteError.name)
     url.pathname += "/error"
-    return { redirect: url, cookies }
+    return { redirect: url.toString(), cookies }
   }
 }

packages/core/src/lib/routes/shared.ts

@@ -7,19 +7,20 @@ export async function handleAuthorized(
   params: any,
   { url, logger, callbacks: { signIn } }: InternalOptions
 ) {
-  url.pathname += "/error"
   try {
     const authorized = await signIn(params)
     if (!authorized) {
+      url.pathname += "/error"
       logger.debug("User not authorized", params)
       url.searchParams.set("error", "AccessDenied")
-      return { status: 403 as const, redirect: url }
+      return { status: 403 as const, redirect: url.toString() }
     }
   } catch (e) {
+    url.pathname += "/error"
     const error = new AuthorizedCallbackError(e as Error)
     logger.error(error)
     url.searchParams.set("error", "Configuration")
-    return { status: 500 as const, redirect: url }
+    return { status: 500 as const, redirect: url.toString() }
   }
 }
 

packages/core/src/lib/routes/signin.ts

@@ -54,7 +54,7 @@ export async function signin(
     logger.error(error)
     url.searchParams.set("error", error.name)
     url.pathname += "/error"
-    return { redirect: url }
+    return { redirect: url.toString() }
   }
 }
 

packages/core/src/lib/routes/signout.ts

@@ -8,7 +8,7 @@ import type { SessionStore } from "../cookie.js"
  * If the session strategy is database,
  * The session is also deleted from the database.
  * In any case, the session cookie is cleared and
- * an `events.signOut` is emitted.
+ * {@link EventCallbacks.signOut} is emitted.
  */
 export async function signout(
   sessionStore: SessionStore,

packages/core/src/lib/web.ts

@@ -76,27 +76,22 @@ export function toResponse(res: ResponseInternal): Response {
   res.cookies?.forEach((cookie) => {
     const { name, value, options } = cookie
     const cookieHeader = serialize(name, value, options)
-    if (headers.has("Set-Cookie")) {
-      headers.append("Set-Cookie", cookieHeader)
-    } else {
-      headers.set("Set-Cookie", cookieHeader)
-    }
+    if (headers.has("Set-Cookie")) headers.append("Set-Cookie", cookieHeader)
+    else headers.set("Set-Cookie", cookieHeader)
     // headers.set("Set-Cookie", cookieHeader) // TODO: Remove. Seems to be a bug with Headers in the runtime
   })
 
-  const body =
-    headers.get("content-type") === "application/json"
-      ? JSON.stringify(res.body)
-      : res.body
+  let body = res.body
 
-  const response = new Response(body, {
-    headers,
-    status: res.redirect ? 302 : res.status ?? 200,
-  })
+  if (headers.get("content-type") === "application/json")
+    body = JSON.stringify(res.body)
+  else if (headers.get("content-type") === "application/x-www-form-urlencoded")
+    body = new URLSearchParams(res.body).toString()
 
-  if (res.redirect) {
-    response.headers.set("Location", res.redirect.toString())
-  }
+  const status = res.redirect ? 302 : res.status ?? 200
+  const response = new Response(body, { headers, status })
+
+  if (res.redirect) response.headers.set("Location", res.redirect)
 
   return response
 }

packages/core/src/providers/azure-ad.ts

@@ -34,22 +34,21 @@ export default function AzureAD<P extends AzureADProfile>(
       )
 
       // Confirm that profile photo was returned
-      if (response.ok) {
-        const pictureBuffer = await response.arrayBuffer()
-        const pictureBase64 = Buffer.from(pictureBuffer).toString("base64")
-        return {
-          id: profile.sub,
-          name: profile.name,
-          email: profile.email,
-          image: `data:image/jpeg;base64, ${pictureBase64}`,
-        }
-      } else {
-        return {
-          id: profile.sub,
-          name: profile.name,
-          email: profile.email,
-          image: null,
-        }
+      let image
+      // TODO: Do this without Buffer
+      if (response.ok && typeof Buffer !== "undefined") {
+        try {
+          const pictureBuffer = await response.arrayBuffer()
+          const pictureBase64 = Buffer.from(pictureBuffer).toString("base64")
+          image = `data:image/jpeg;base64, ${pictureBase64}`
+        } catch {}
+      }
+
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email,
+        image: image ?? null,
       }
     },
     style: {

packages/core/src/providers/credentials.ts

@@ -49,10 +49,6 @@ export interface CredentialsConfig<
 
 export type CredentialsProviderType = "Credentials"
 
-export type CredentialsConfigInternal<
-  C extends Record<string, CredentialInput> = Record<string, CredentialInput>
-> = CredentialsConfig<C> & { options: CredentialsConfig<C> }
-
 /**
  * The Credentials provider allows you to handle signing in with arbitrary credentials,
  * such as a username and password, domain, or two factor authentication or hardware device (e.g. YubiKey U2F / FIDO).

packages/core/src/providers/discord.ts

@@ -1,21 +1,77 @@
 import type { OAuthConfig, OAuthUserConfig } from "./index.js"
 
+/**
+ * Corresponds to the user structure documented here:
+ * https://discord.com/developers/docs/resources/user#user-object-user-structure
+ */
 export interface DiscordProfile extends Record<string, any> {
-  accent_color: number
-  avatar: string
-  banner: string
-  banner_color: string
-  discriminator: string
-  email: string
-  flags: number
+  /** the user's id (i.e. the numerical snowflake) */
   id: string
-  image_url: string
-  locale: string
-  mfa_enabled: boolean
-  premium_type: number
-  public_flags: number
+  /** the user's username, not unique across the platform */
   username: string
+  /** the user's 4-digit discord-tag */
+  discriminator: string
+  /**
+   * the user's avatar hash:
+   * https://discord.com/developers/docs/reference#image-formatting
+   */
+  avatar: string | null
+  /** whether the user belongs to an OAuth2 application */
+  bot?: boolean
+  /**
+   * whether the user is an Official Discord System user (part of the urgent
+   * message system)
+   */
+  system?: boolean
+  /** whether the user has two factor enabled on their account */
+  mfa_enabled: boolean
+  /**
+   * the user's banner hash:
+   * https://discord.com/developers/docs/reference#image-formatting
+   */
+  banner: string | null
+
+  /** the user's banner color encoded as an integer representation of hexadecimal color code */
+  accent_color: number | null
+
+  /**
+   * the user's chosen language option:
+   * https://discord.com/developers/docs/reference#locales
+   */
+  locale: string
+  /** whether the email on this account has been verified */
   verified: boolean
+  /** the user's email */
+  email: string | null
+  /**
+   * the flags on a user's account:
+   * https://discord.com/developers/docs/resources/user#user-object-user-flags
+   */
+  flags: number
+  /**
+   * the type of Nitro subscription on a user's account:
+   * https://discord.com/developers/docs/resources/user#user-object-premium-types
+   */
+  premium_type: number
+  /**
+   * the public flags on a user's account:
+   * https://discord.com/developers/docs/resources/user#user-object-user-flags
+   */
+  public_flags: number
+  /** undocumented field; corresponds to the user's custom nickname */
+  display_name: string | null
+  /**
+   * undocumented field; corresponds to the Discord feature where you can e.g.
+   * put your avatar inside of an ice cube
+   */
+  avatar_decoration: string | null
+  /**
+   * undocumented field; corresponds to the premium feature where you can
+   * select a custom banner color
+   */
+  banner_color: string | null
+  /** undocumented field; the CDN URL of their profile picture */
+  image_url: string
 }
 
 export default function Discord<P extends DiscordProfile>(

packages/core/src/providers/index.ts

@@ -65,12 +65,16 @@ export type Provider<P extends Profile = Profile> = (
   | EmailConfig
   | CredentialsConfig
 ) & {
+  /**
+   * Used to deep merge user-provided config with the default config
+   * @internal
+   */
   options: Record<string, unknown>
 }
 
 export type BuiltInProviders = Record<
   OAuthProviderType,
-  (options: Partial<OAuthConfig<any>>) => OAuthConfig<any>
+  (config: Partial<OAuthConfig<any>>) => OAuthConfig<any>
 > &
   Record<CredentialsProviderType, typeof CredentialsProvider> &
   Record<EmailProviderType, typeof EmailProvider>

packages/core/src/providers/notion.ts

@@ -0,0 +1,166 @@
+/**
+ * <div style={{backgroundColor: "#000", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
+ * <span>Built-in <b>Notion</b> integration.</span>
+ * <a href="https://notion.so">
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/notion.svg" height="48" width="48"/>
+ * </a>
+ * </div>
+ *
+ * ---
+ * @module providers/notion
+ */
+
+import type { OAuthConfig, OAuthUserConfig } from "."
+
+export interface Person extends Record<string, any> {
+  email: string
+}
+
+// https://developers.notion.com/reference/user
+export interface User extends Record<string, any> {
+  object: "user" | "bot"
+  id: string
+  type: string
+  name: string
+  avatar_url: null | string
+  person: Person
+  owner?: {
+    type: "workspace" | "user"
+    workspace: string
+  }
+  workspace_name?: string | null
+}
+
+export interface Owner {
+  type: string
+  user: User
+}
+
+// Notion responds with an access_token + some additional information, which we define here
+// More info -  https://developers.notion.com/docs/authorization#step-4-notion-responds-with-an-access_token-and-some-additional-information
+export interface NotionProfile extends Record<string, any> {
+  access_token: string
+  bot_id: string
+  duplicated_template_id: string
+  owner?: Owner
+  workspace_icon: string
+  workspace_id: number
+  workspace_name: string
+}
+
+// Any config required that isn't part of the `OAuthUserConfig` spec should belong here
+// For example, we must pass a `redirectUri` to the Notion API when requesting tokens, therefore we add it here
+interface AdditionalConfig {
+  redirectUri: string
+}
+
+const NOTION_HOST = "https://api.notion.com"
+const NOTION_API_VERSION = "2022-06-28"
+
+/**
+ * Add Notion login to your page.
+ *
+ * ## Example
+ *
+ * ```ts
+ * import { Auth } from "@auth/core"
+ * import Notion from "@auth/core/providers/notion"
+ *
+ * const request = new Request("https://example.com")
+ * const response = await Auth(request, {
+ *   providers: [Notion({ clientId: "", clientSecret: "", redirectUri: "" })],
+ * })
+ * ```
+ *
+ * ---
+ *
+ * ## Resources
+ * - [Notion Docs](https://developers.notion.com/docs)
+ * - [Notion Authorization Docs](https://developers.notion.com/docs/authorization)
+ * - [Notion Integrations](https://www.notion.so/my-integrations)
+ *
+ * ---
+ *
+ * ## Notes
+ * You need to select "Public Integration" on the configuration page to get an `oauth_id` and `oauth_secret`. Private integrations do not provide these details. 
+ * You must provide a `clientId` and `clientSecret` to use this provider, as-well as a redirect URI (due to this being required by Notion endpoint to fetch tokens).
+ *
+ * :::tip
+ *
+ * The Notion provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/notion.ts).
+ * To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/providers/custom-provider#override-default-options).
+ *
+ * :::
+ *
+ * :::info **Disclaimer**
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ *
+ * :::
+ */
+export default function NotionProvider<P extends NotionProfile>(
+  options: OAuthUserConfig<P> & AdditionalConfig
+): OAuthConfig<P> {
+  return {
+    id: "notion",
+    name: "Notion",
+    type: "oauth",
+    token: {
+      url: `${NOTION_HOST}/v1/oauth/token`,
+    },
+    userinfo: {
+      url: `${NOTION_HOST}/v1/users`,
+
+      // The result of this method will be the input to the `profile` callback.
+      // We use a custom request handler, since we need to do things such as pass the "Notion-Version" header
+      // More info: https://next-auth.js.org/configuration/providers/oauth
+      async request(context) {
+        const profile = await fetch(`${NOTION_HOST}/v1/users/me`, {
+          headers: {
+            Authorization: `Bearer ${context.tokens.access_token}`,
+            "Notion-Version": NOTION_API_VERSION,
+          },
+        })
+
+        const {
+          bot: {
+            owner: { user },
+          },
+        } = await profile.json()
+
+        return user
+      },
+    },
+    authorization: {
+      params: {
+        client_id: options.clientId,
+        response_type: "code",
+        owner: "user",
+        redirect_uri: options.redirectUri,
+      },
+      url: `${NOTION_HOST}/v1/oauth/authorize`,
+    },
+
+    async profile(profile, tokens) {
+      return {
+        id: profile.id,
+        name: profile.name,
+        email: profile.person.email,
+        image: profile.avatar_url,
+      }
+    },
+    style: {
+      logo: "/notion.svg",
+      logoDark: "/notion.svg",
+      bg: "#fff",
+      text: "#000",
+      bgDark: "#fff",
+      textDark: "#000",
+    },
+    options,
+  }
+}

packages/core/src/providers/oauth-types.ts

@@ -1,69 +0,0 @@
-// THIS FILE IS AUTOGENERATED. DO NOT EDIT.
-export type OAuthProviderType =
-  | "42-school"
-  | "apple"
-  | "atlassian"
-  | "auth0"
-  | "authentik"
-  | "azure-ad-b2c"
-  | "azure-ad"
-  | "battlenet"
-  | "box"
-  | "boxyhq-saml"
-  | "bungie"
-  | "cognito"
-  | "coinbase"
-  | "credentials"
-  | "discord"
-  | "dropbox"
-  | "duende-identity-server6"
-  | "email"
-  | "eveonline"
-  | "facebook"
-  | "faceit"
-  | "foursquare"
-  | "freshbooks"
-  | "fusionauth"
-  | "github"
-  | "gitlab"
-  | "google"
-  | "hubspot"
-  | "identity-server4"
-  | "index"
-  | "instagram"
-  | "kakao"
-  | "keycloak"
-  | "line"
-  | "linkedin"
-  | "mailchimp"
-  | "mailru"
-  | "medium"
-  | "naver"
-  | "netlify"
-  | "oauth-types.js"
-  | "oauth"
-  | "okta"
-  | "onelogin"
-  | "osso"
-  | "osu"
-  | "patreon"
-  | "pinterest"
-  | "pipedrive"
-  | "reddit"
-  | "salesforce"
-  | "slack"
-  | "spotify"
-  | "strava"
-  | "todoist"
-  | "trakt"
-  | "twitch"
-  | "twitter"
-  | "united-effects"
-  | "vk"
-  | "wikimedia"
-  | "wordpress"
-  | "workos"
-  | "yandex"
-  | "zitadel"
-  | "zoho"
-  | "zoom"

packages/core/src/providers/oauth.ts

@@ -66,7 +66,7 @@ export type TokenEndpointHandler = EndpointHandler<
     params: CallbackParamsType
     /**
      * When using this custom flow, make sure to do all the necessary security checks.
-     * Thist object contains parameters you have to match against the request to make sure it is valid.
+     * This object contains parameters you have to match against the request to make sure it is valid.
      */
     checks: OAuthChecks
   },

packages/core/src/types.ts

@@ -203,7 +203,7 @@ export interface CallbacksOptions<P = Profile, A = Account> {
    * Its content is forwarded to the `session` callback,
    * where you can control what should be returned to the client.
    * Anything else will be kept inaccessible from the client.
-   * 
+   *
    * Returning `null` will invalidate the JWT session by clearing
    * the user's cookies. You'll still have to monitor and invalidate
    * unexpired tokens from future requests yourself to prevent
@@ -220,7 +220,7 @@ export interface CallbacksOptions<P = Profile, A = Account> {
     account?: A | null
     profile?: P
     isNewUser?: boolean
-  }) => Awaitable<JWT|null>
+  }) => Awaitable<JWT | null>
 }
 
 /** [Documentation](https://authjs.dev/reference/configuration/auth-config#cookies) */
@@ -452,7 +452,7 @@ export interface ResponseInternal<
   status?: number
   headers?: Headers | HeadersInit
   body?: Body
-  redirect?: URL | string
+  redirect?: string
   cookies?: Cookie[]
 }
 

packages/frameworks-sveltekit/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@auth/sveltekit",
-  "version": "0.1.12",
+  "version": "0.2.0",
   "description": "Authentication for SvelteKit.",
   "keywords": [
     "authentication",
@@ -69,4 +69,4 @@
     },
     "./package.json": "./package.json"
   }
-}
+}

packages/frameworks-sveltekit/scripts/postbuild.js

@@ -1,8 +1,16 @@
 // After build, copy the files in ./package to the root directory, excluding the package.json file.
+
 import fs from "fs/promises"
 import path from "path"
 
-const __dirname = path.dirname(new URL(import.meta.url).pathname)
+let __dirname = path.dirname(new URL(import.meta.url).pathname)
+
+// The above hack to polyfill "__dirname" for ESM does not work on Windows computers,
+// so we might have to manually perform more steps.
+__dirname = __dirname.split(path.sep).join(path.posix.sep)
+if (__dirname.match(/^\/\w:\//)) {
+  __dirname = __dirname.slice(3) // Remove the drive prefix.
+}
 
 const root = path.join(__dirname, "..")
 const pkgDir = path.join(root, "package")

packages/frameworks-sveltekit/src/lib/index.ts

@@ -81,7 +81,7 @@
  *   return {
  *     session: await event.locals.getSession()
  *   };
- * }; 
+ * };
  * ```
  *
  * What you return in the function `LayoutServerLoad` will be available inside the `$page` store, in the `data` property: `$page.data`.
@@ -106,7 +106,7 @@
  *   return {};
  * };
  * ```
- * 
+ *
  * :::danger
  * Make sure to ALWAYS grab the session information from the parent instead of using the store in the case of a `PageLoad`.
  * Not doing so can lead to users being able to incorrectly access protected information in the case the `+layout.server.ts` does not run for that page load.
@@ -130,14 +130,14 @@
  * The handle hook, available in `hooks.server.ts`, is a function that receives ALL requests sent to your SvelteKit webapp.
  * You may intercept them inside the handle hook, add and modify things in the request, block requests, etc.
  * Some readers may notice we are already using this handle hook for SvelteKitAuth which returns a handle itself, so we are going to use SvelteKit's sequence to provide middleware-like functions that set the handle hook.
- * 
+ *
  * ```ts
  * import { SvelteKitAuth } from '@auth/sveltekit';
  * import GitHub from '@auth/core/providers/github';
  * import { GITHUB_ID, GITHUB_SECRET } from '$env/static/private';
  * import { redirect, type Handle } from '@sveltejs/kit';
  * import { sequence } from '@sveltejs/kit/hooks';
- * 
+ *
  * async function authorization({ event, resolve }) {
  * 	// Protect any routes under /authenticated
  * 	if (event.url.pathname.startsWith('/authenticated')) {
@@ -146,14 +146,14 @@
  * 			throw redirect(303, '/auth');
  * 		}
  * 	}
- * 
+ *
  * 	// If the request is still here, just proceed as normally
  * 	const result = await resolve(event, {
  * 		transformPageChunk: ({ html }) => html
  * 	});
  * 	return result;
  * }
- * 
+ *
  * // First handle authentication, then authorization
  * // Each function acts as a middleware, receiving the request handle
  * // And returning a handle which gets passed to the next function
@@ -183,7 +183,7 @@
  * PRs to improve this documentation are welcome! See [this file](https://github.com/nextauthjs/next-auth/blob/main/packages/frameworks-sveltekit/src/lib/index.ts).
  * :::
  *
- * @module main
+ * @module index
  */
 
 /// <reference types="@sveltejs/kit" />

packages/next-auth/package.json

@@ -126,5 +126,8 @@
     "react": "^18",
     "react-dom": "^18",
     "whatwg-fetch": "^3.6.2"
+  },
+  "engines": {
+    "node": "^12.19.0 || ^14.15.0 || ^16.13.0 || ^18.12.0"
   }
 }

patches/typedoc-plugin-markdown@3.14.0.patch

@@ -1,23 +0,0 @@
-diff --git a/dist/theme.js b/dist/theme.js
-index 1483a4b4ec69583aa3086eac83b2b31ae8bb6777..c30e7a4f7785fc230099e8b904040dd4aa57c38e 100644
---- a/dist/theme.js
-+++ b/dist/theme.js
-@@ -221,12 +221,12 @@ class MarkdownTheme extends typedoc_1.Theme {
-                 directory: 'enums',
-                 template: this.getReflectionTemplate(),
-             },
--            {
--                kind: [typedoc_1.ReflectionKind.Class],
--                isLeaf: false,
--                directory: 'classes',
--                template: this.getReflectionTemplate(),
--            },
-+            // {
-+            //     kind: [typedoc_1.ReflectionKind.Class],
-+            //     isLeaf: false,
-+            //     directory: 'classes',
-+            //     template: this.getReflectionTemplate(),
-+            // },
-             {
-                 kind: [typedoc_1.ReflectionKind.Interface],
-                 isLeaf: false,

turbo.json

@@ -25,6 +25,10 @@
       "dependsOn": ["^build"],
       "outputs": ["lib/**", "providers/**", "*.js", "*.d.ts", "*.d.ts.map"]
     },
+    "@auth/sveltekit#build": {
+      "dependsOn": ["^build"],
+      "outputs": ["client.*", "index.*"]
+    },
     "clean": {
       "cache": false
     },
@@ -39,6 +43,10 @@
     },
     "@next-auth/upstash-redis-adapter#test": {
       "env": ["UPSTASH_REDIS_KEY", "UPSTASH_REDIS_URL"]
+    },
+    "docs#dev": {
+      "dependsOn": ["^build"],
+      "cache": false
     }
   }
 }