chore(release): bump versions [skip release]

chore: remove
feat(web): expose Web API compatible version of next-auth (#5536 )
2026-05-01 10:55:20 +00:00 · 2022-12-13 19:35:05 +01:00 · 2022-12-13 19:28:54 +01:00 · 2022-12-13 18:24:30 +00:00 · 2022-12-13 18:01:45 +01:00 · 2022-12-13 17:40:17 +01:00
305 changed files with 17424 additions and 3342 deletions
--- a/.github/ISSUE_TEMPLATE/3_bug_adapter.yml
+++ b/.github/ISSUE_TEMPLATE/3_bug_adapter.yml
@@ -31,6 +31,7 @@ body:
        - "@next-auth/pouchdb-adapter"
        - "@next-auth/prisma-adapter"
        - "@next-auth/sequelize-adapter"
+        - "@next-auth/supabase-adapter"
        - "@next-auth/typeorm-legacy-adapter"
        - "@next-auth/upstash-redis-adapter"
        - "@next-auth/xata-adapter"
--- a/.github/actions/issue-validator/.gitignore
+++ b/.github/actions/issue-validator/.gitignore
@@ -0,0 +1,2 @@
+!dist
+!package-lock.json
--- a/.github/actions/issue-validator/index.mjs
+++ b/.github/actions/issue-validator/index.mjs
--- a/.github/actions/issue-validator/licenses.txt
+++ b/.github/actions/issue-validator/licenses.txt
@@ -0,0 +1,652 @@
+@actions/core
+MIT
+The MIT License (MIT)
+
+Copyright 2019 GitHub
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+@actions/github
+MIT
+The MIT License (MIT)
+
+Copyright 2019 GitHub
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+@actions/http-client
+MIT
+Actions Http Client for Node.js
+
+Copyright (c) GitHub, Inc.
+
+All rights reserved.
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
+associated documentation files (the "Software"), to deal in the Software without restriction,
+including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
+and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
+@octokit/auth-token
+MIT
+The MIT License
+
+Copyright (c) 2019 Octokit contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+
+@octokit/core
+MIT
+The MIT License
+
+Copyright (c) 2019 Octokit contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+
+@octokit/endpoint
+MIT
+The MIT License
+
+Copyright (c) 2018 Octokit contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+
+@octokit/graphql
+MIT
+The MIT License
+
+Copyright (c) 2018 Octokit contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+
+@octokit/plugin-paginate-rest
+MIT
+MIT License Copyright (c) 2019 Octokit contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice (including the next paragraph) shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
+@octokit/plugin-rest-endpoint-methods
+MIT
+MIT License Copyright (c) 2019 Octokit contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice (including the next paragraph) shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
+@octokit/request
+MIT
+The MIT License
+
+Copyright (c) 2018 Octokit contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+
+@octokit/request-error
+MIT
+The MIT License
+
+Copyright (c) 2019 Octokit contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+
+@vercel/ncc
+MIT
+Copyright 2018 ZEIT, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+before-after-hook
+Apache-2.0
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2018 Gregor Martynus and other contributors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+
+deprecation
+ISC
+The ISC License
+
+Copyright (c) Gregor Martynus and contributors
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+
+is-plain-object
+MIT
+The MIT License (MIT)
+
+Copyright (c) 2014-2017, Jon Schlinkert.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+
+node-fetch
+MIT
+The MIT License (MIT)
+
+Copyright (c) 2016 David Frank
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
+
+once
+ISC
+The ISC License
+
+Copyright (c) Isaac Z. Schlueter and Contributors
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+
+root
+ISC License
+
+Copyright (c) 2018-2021, Iain Collins
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+tr46
+MIT
+
+tunnel
+MIT
+The MIT License (MIT)
+
+Copyright (c) 2012 Koichi Kobayashi
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+
+universal-user-agent
+ISC
+# [ISC License](https://spdx.org/licenses/ISC)
+
+Copyright (c) 2018, Gregor Martynus (https://github.com/gr2m)
+
+Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+
+uuid
+MIT
+The MIT License (MIT)
+
+Copyright (c) 2010-2020 Robert Kieffer and other contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
+webidl-conversions
+BSD-2-Clause
+# The BSD 2-Clause License
+
+Copyright (c) 2014, Domenic Denicola
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+whatwg-url
+MIT
+The MIT License (MIT)
+
+Copyright (c) 2015–2016 Sebastian Mayr
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+
+wrappy
+ISC
+The ISC License
+
+Copyright (c) Isaac Z. Schlueter and Contributors
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--- a/.github/actions/issue-validator/package-lock.json
+++ b/.github/actions/issue-validator/package-lock.json
@@ -0,0 +1,445 @@
+{
+  "name": "issue-validator",
+  "lockfileVersion": 2,
+  "requires": true,
+  "packages": {
+    "": {
+      "dependencies": {
+        "@actions/core": "1.10.0",
+        "@actions/github": "5.1.1"
+      },
+      "devDependencies": {
+        "@vercel/ncc": "0.34.0"
+      }
+    },
+    "node_modules/@actions/core": {
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.0.tgz",
+      "integrity": "sha512-2aZDDa3zrrZbP5ZYg159sNoLRb61nQ7awl5pSvIq5Qpj81vwDzdMRKzkWJGJuwVvWpvZKx7vspJALyvaaIQyug==",
+      "dependencies": {
+        "@actions/http-client": "^2.0.1",
+        "uuid": "^8.3.2"
+      }
+    },
+    "node_modules/@actions/github": {
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/@actions/github/-/github-5.1.1.tgz",
+      "integrity": "sha512-Nk59rMDoJaV+mHCOJPXuvB1zIbomlKS0dmSIqPGxd0enAXBnOfn4VWF+CGtRCwXZG9Epa54tZA7VIRlJDS8A6g==",
+      "dependencies": {
+        "@actions/http-client": "^2.0.1",
+        "@octokit/core": "^3.6.0",
+        "@octokit/plugin-paginate-rest": "^2.17.0",
+        "@octokit/plugin-rest-endpoint-methods": "^5.13.0"
+      }
+    },
+    "node_modules/@actions/http-client": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz",
+      "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==",
+      "dependencies": {
+        "tunnel": "^0.0.6"
+      }
+    },
+    "node_modules/@octokit/auth-token": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-2.5.0.tgz",
+      "integrity": "sha512-r5FVUJCOLl19AxiuZD2VRZ/ORjp/4IN98Of6YJoJOkY75CIBuYfmiNHGrDwXr+aLGG55igl9QrxX3hbiXlLb+g==",
+      "dependencies": {
+        "@octokit/types": "^6.0.3"
+      }
+    },
+    "node_modules/@octokit/core": {
+      "version": "3.6.0",
+      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-3.6.0.tgz",
+      "integrity": "sha512-7RKRKuA4xTjMhY+eG3jthb3hlZCsOwg3rztWh75Xc+ShDWOfDDATWbeZpAHBNRpm4Tv9WgBMOy1zEJYXG6NJ7Q==",
+      "dependencies": {
+        "@octokit/auth-token": "^2.4.4",
+        "@octokit/graphql": "^4.5.8",
+        "@octokit/request": "^5.6.3",
+        "@octokit/request-error": "^2.0.5",
+        "@octokit/types": "^6.0.3",
+        "before-after-hook": "^2.2.0",
+        "universal-user-agent": "^6.0.0"
+      }
+    },
+    "node_modules/@octokit/endpoint": {
+      "version": "6.0.12",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-6.0.12.tgz",
+      "integrity": "sha512-lF3puPwkQWGfkMClXb4k/eUT/nZKQfxinRWJrdZaJO85Dqwo/G0yOC434Jr2ojwafWJMYqFGFa5ms4jJUgujdA==",
+      "dependencies": {
+        "@octokit/types": "^6.0.3",
+        "is-plain-object": "^5.0.0",
+        "universal-user-agent": "^6.0.0"
+      }
+    },
+    "node_modules/@octokit/graphql": {
+      "version": "4.8.0",
+      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-4.8.0.tgz",
+      "integrity": "sha512-0gv+qLSBLKF0z8TKaSKTsS39scVKF9dbMxJpj3U0vC7wjNWFuIpL/z76Qe2fiuCbDRcJSavkXsVtMS6/dtQQsg==",
+      "dependencies": {
+        "@octokit/request": "^5.6.0",
+        "@octokit/types": "^6.0.3",
+        "universal-user-agent": "^6.0.0"
+      }
+    },
+    "node_modules/@octokit/openapi-types": {
+      "version": "12.10.1",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-12.10.1.tgz",
+      "integrity": "sha512-P+SukKanjFY0ZhsK6wSVnQmxTP2eVPPE8OPSNuxaMYtgVzwJZgfGdwlYjf4RlRU4vLEw4ts2fsE2icG4nZ5ddQ=="
+    },
+    "node_modules/@octokit/plugin-paginate-rest": {
+      "version": "2.21.3",
+      "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-2.21.3.tgz",
+      "integrity": "sha512-aCZTEf0y2h3OLbrgKkrfFdjRL6eSOo8komneVQJnYecAxIej7Bafor2xhuDJOIFau4pk0i/P28/XgtbyPF0ZHw==",
+      "dependencies": {
+        "@octokit/types": "^6.40.0"
+      },
+      "peerDependencies": {
+        "@octokit/core": ">=2"
+      }
+    },
+    "node_modules/@octokit/plugin-rest-endpoint-methods": {
+      "version": "5.16.2",
+      "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-5.16.2.tgz",
+      "integrity": "sha512-8QFz29Fg5jDuTPXVtey05BLm7OB+M8fnvE64RNegzX7U+5NUXcOcnpTIK0YfSHBg8gYd0oxIq3IZTe9SfPZiRw==",
+      "dependencies": {
+        "@octokit/types": "^6.39.0",
+        "deprecation": "^2.3.1"
+      },
+      "peerDependencies": {
+        "@octokit/core": ">=3"
+      }
+    },
+    "node_modules/@octokit/request": {
+      "version": "5.6.3",
+      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-5.6.3.tgz",
+      "integrity": "sha512-bFJl0I1KVc9jYTe9tdGGpAMPy32dLBXXo1dS/YwSCTL/2nd9XeHsY616RE3HPXDVk+a+dBuzyz5YdlXwcDTr2A==",
+      "dependencies": {
+        "@octokit/endpoint": "^6.0.1",
+        "@octokit/request-error": "^2.1.0",
+        "@octokit/types": "^6.16.1",
+        "is-plain-object": "^5.0.0",
+        "node-fetch": "^2.6.7",
+        "universal-user-agent": "^6.0.0"
+      }
+    },
+    "node_modules/@octokit/request-error": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-2.1.0.tgz",
+      "integrity": "sha512-1VIvgXxs9WHSjicsRwq8PlR2LR2x6DwsJAaFgzdi0JfJoGSO8mYI/cHJQ+9FbN21aa+DrgNLnwObmyeSC8Rmpg==",
+      "dependencies": {
+        "@octokit/types": "^6.0.3",
+        "deprecation": "^2.0.0",
+        "once": "^1.4.0"
+      }
+    },
+    "node_modules/@octokit/types": {
+      "version": "6.40.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-6.40.0.tgz",
+      "integrity": "sha512-MFZOU5r8SwgJWDMhrLUSvyJPtVsqA6VnbVI3TNbsmw+Jnvrktzvq2fYES/6RiJA/5Ykdwq4mJmtlYUfW7CGjmw==",
+      "dependencies": {
+        "@octokit/openapi-types": "^12.10.0"
+      }
+    },
+    "node_modules/@vercel/ncc": {
+      "version": "0.34.0",
+      "resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.34.0.tgz",
+      "integrity": "sha512-G9h5ZLBJ/V57Ou9vz5hI8pda/YQX5HQszCs3AmIus3XzsmRn/0Ptic5otD3xVST8QLKk7AMk7AqpsyQGN7MZ9A==",
+      "dev": true,
+      "bin": {
+        "ncc": "dist/ncc/cli.js"
+      }
+    },
+    "node_modules/before-after-hook": {
+      "version": "2.2.2",
+      "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.2.tgz",
+      "integrity": "sha512-3pZEU3NT5BFUo/AD5ERPWOgQOCZITni6iavr5AUw5AUwQjMlI0kzu5btnyD39AF0gUEsDPwJT+oY1ORBJijPjQ=="
+    },
+    "node_modules/deprecation": {
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/deprecation/-/deprecation-2.3.1.tgz",
+      "integrity": "sha512-xmHIy4F3scKVwMsQ4WnVaS8bHOx0DmVwRywosKhaILI0ywMDWPtBSku2HNxRvF7jtwDRsoEwYQSfbxj8b7RlJQ=="
+    },
+    "node_modules/is-plain-object": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/is-plain-object/-/is-plain-object-5.0.0.tgz",
+      "integrity": "sha512-VRSzKkbMm5jMDoKLbltAkFQ5Qr7VDiTFGXxYFXXowVj387GeGNOCsOH6Msy00SGZ3Fp84b1Naa1psqgcCIEP5Q==",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/node-fetch": {
+      "version": "2.6.7",
+      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.7.tgz",
+      "integrity": "sha512-ZjMPFEfVx5j+y2yF35Kzx5sF7kDzxuDj6ziH4FFbOp87zKDZNx8yExJIb05OGF4Nlt9IHFIMBkRl41VdvcNdbQ==",
+      "dependencies": {
+        "whatwg-url": "^5.0.0"
+      },
+      "engines": {
+        "node": "4.x || >=6.0.0"
+      },
+      "peerDependencies": {
+        "encoding": "^0.1.0"
+      },
+      "peerDependenciesMeta": {
+        "encoding": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/once": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
+      "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==",
+      "dependencies": {
+        "wrappy": "1"
+      }
+    },
+    "node_modules/tr46": {
+      "version": "0.0.3",
+      "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz",
+      "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw=="
+    },
+    "node_modules/tunnel": {
+      "version": "0.0.6",
+      "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
+      "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==",
+      "engines": {
+        "node": ">=0.6.11 <=0.7.0 || >=0.7.3"
+      }
+    },
+    "node_modules/universal-user-agent": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.0.tgz",
+      "integrity": "sha512-isyNax3wXoKaulPDZWHQqbmIx1k2tb9fb3GGDBRxCscfYV2Ch7WxPArBsFEG8s/safwXTT7H4QGhaIkTp9447w=="
+    },
+    "node_modules/uuid": {
+      "version": "8.3.2",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
+      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
+      "bin": {
+        "uuid": "dist/bin/uuid"
+      }
+    },
+    "node_modules/webidl-conversions": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
+      "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ=="
+    },
+    "node_modules/whatwg-url": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz",
+      "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==",
+      "dependencies": {
+        "tr46": "~0.0.3",
+        "webidl-conversions": "^3.0.0"
+      }
+    },
+    "node_modules/wrappy": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
+      "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="
+    }
+  },
+  "dependencies": {
+    "@actions/core": {
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.0.tgz",
+      "integrity": "sha512-2aZDDa3zrrZbP5ZYg159sNoLRb61nQ7awl5pSvIq5Qpj81vwDzdMRKzkWJGJuwVvWpvZKx7vspJALyvaaIQyug==",
+      "requires": {
+        "@actions/http-client": "^2.0.1",
+        "uuid": "^8.3.2"
+      }
+    },
+    "@actions/github": {
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/@actions/github/-/github-5.1.1.tgz",
+      "integrity": "sha512-Nk59rMDoJaV+mHCOJPXuvB1zIbomlKS0dmSIqPGxd0enAXBnOfn4VWF+CGtRCwXZG9Epa54tZA7VIRlJDS8A6g==",
+      "requires": {
+        "@actions/http-client": "^2.0.1",
+        "@octokit/core": "^3.6.0",
+        "@octokit/plugin-paginate-rest": "^2.17.0",
+        "@octokit/plugin-rest-endpoint-methods": "^5.13.0"
+      }
+    },
+    "@actions/http-client": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz",
+      "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==",
+      "requires": {
+        "tunnel": "^0.0.6"
+      }
+    },
+    "@octokit/auth-token": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-2.5.0.tgz",
+      "integrity": "sha512-r5FVUJCOLl19AxiuZD2VRZ/ORjp/4IN98Of6YJoJOkY75CIBuYfmiNHGrDwXr+aLGG55igl9QrxX3hbiXlLb+g==",
+      "requires": {
+        "@octokit/types": "^6.0.3"
+      }
+    },
+    "@octokit/core": {
+      "version": "3.6.0",
+      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-3.6.0.tgz",
+      "integrity": "sha512-7RKRKuA4xTjMhY+eG3jthb3hlZCsOwg3rztWh75Xc+ShDWOfDDATWbeZpAHBNRpm4Tv9WgBMOy1zEJYXG6NJ7Q==",
+      "requires": {
+        "@octokit/auth-token": "^2.4.4",
+        "@octokit/graphql": "^4.5.8",
+        "@octokit/request": "^5.6.3",
+        "@octokit/request-error": "^2.0.5",
+        "@octokit/types": "^6.0.3",
+        "before-after-hook": "^2.2.0",
+        "universal-user-agent": "^6.0.0"
+      }
+    },
+    "@octokit/endpoint": {
+      "version": "6.0.12",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-6.0.12.tgz",
+      "integrity": "sha512-lF3puPwkQWGfkMClXb4k/eUT/nZKQfxinRWJrdZaJO85Dqwo/G0yOC434Jr2ojwafWJMYqFGFa5ms4jJUgujdA==",
+      "requires": {
+        "@octokit/types": "^6.0.3",
+        "is-plain-object": "^5.0.0",
+        "universal-user-agent": "^6.0.0"
+      }
+    },
+    "@octokit/graphql": {
+      "version": "4.8.0",
+      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-4.8.0.tgz",
+      "integrity": "sha512-0gv+qLSBLKF0z8TKaSKTsS39scVKF9dbMxJpj3U0vC7wjNWFuIpL/z76Qe2fiuCbDRcJSavkXsVtMS6/dtQQsg==",
+      "requires": {
+        "@octokit/request": "^5.6.0",
+        "@octokit/types": "^6.0.3",
+        "universal-user-agent": "^6.0.0"
+      }
+    },
+    "@octokit/openapi-types": {
+      "version": "12.10.1",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-12.10.1.tgz",
+      "integrity": "sha512-P+SukKanjFY0ZhsK6wSVnQmxTP2eVPPE8OPSNuxaMYtgVzwJZgfGdwlYjf4RlRU4vLEw4ts2fsE2icG4nZ5ddQ=="
+    },
+    "@octokit/plugin-paginate-rest": {
+      "version": "2.21.3",
+      "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-2.21.3.tgz",
+      "integrity": "sha512-aCZTEf0y2h3OLbrgKkrfFdjRL6eSOo8komneVQJnYecAxIej7Bafor2xhuDJOIFau4pk0i/P28/XgtbyPF0ZHw==",
+      "requires": {
+        "@octokit/types": "^6.40.0"
+      }
+    },
+    "@octokit/plugin-rest-endpoint-methods": {
+      "version": "5.16.2",
+      "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-5.16.2.tgz",
+      "integrity": "sha512-8QFz29Fg5jDuTPXVtey05BLm7OB+M8fnvE64RNegzX7U+5NUXcOcnpTIK0YfSHBg8gYd0oxIq3IZTe9SfPZiRw==",
+      "requires": {
+        "@octokit/types": "^6.39.0",
+        "deprecation": "^2.3.1"
+      }
+    },
+    "@octokit/request": {
+      "version": "5.6.3",
+      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-5.6.3.tgz",
+      "integrity": "sha512-bFJl0I1KVc9jYTe9tdGGpAMPy32dLBXXo1dS/YwSCTL/2nd9XeHsY616RE3HPXDVk+a+dBuzyz5YdlXwcDTr2A==",
+      "requires": {
+        "@octokit/endpoint": "^6.0.1",
+        "@octokit/request-error": "^2.1.0",
+        "@octokit/types": "^6.16.1",
+        "is-plain-object": "^5.0.0",
+        "node-fetch": "^2.6.7",
+        "universal-user-agent": "^6.0.0"
+      }
+    },
+    "@octokit/request-error": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-2.1.0.tgz",
+      "integrity": "sha512-1VIvgXxs9WHSjicsRwq8PlR2LR2x6DwsJAaFgzdi0JfJoGSO8mYI/cHJQ+9FbN21aa+DrgNLnwObmyeSC8Rmpg==",
+      "requires": {
+        "@octokit/types": "^6.0.3",
+        "deprecation": "^2.0.0",
+        "once": "^1.4.0"
+      }
+    },
+    "@octokit/types": {
+      "version": "6.40.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-6.40.0.tgz",
+      "integrity": "sha512-MFZOU5r8SwgJWDMhrLUSvyJPtVsqA6VnbVI3TNbsmw+Jnvrktzvq2fYES/6RiJA/5Ykdwq4mJmtlYUfW7CGjmw==",
+      "requires": {
+        "@octokit/openapi-types": "^12.10.0"
+      }
+    },
+    "@vercel/ncc": {
+      "version": "0.34.0",
+      "resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.34.0.tgz",
+      "integrity": "sha512-G9h5ZLBJ/V57Ou9vz5hI8pda/YQX5HQszCs3AmIus3XzsmRn/0Ptic5otD3xVST8QLKk7AMk7AqpsyQGN7MZ9A==",
+      "dev": true
+    },
+    "before-after-hook": {
+      "version": "2.2.2",
+      "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.2.tgz",
+      "integrity": "sha512-3pZEU3NT5BFUo/AD5ERPWOgQOCZITni6iavr5AUw5AUwQjMlI0kzu5btnyD39AF0gUEsDPwJT+oY1ORBJijPjQ=="
+    },
+    "deprecation": {
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/deprecation/-/deprecation-2.3.1.tgz",
+      "integrity": "sha512-xmHIy4F3scKVwMsQ4WnVaS8bHOx0DmVwRywosKhaILI0ywMDWPtBSku2HNxRvF7jtwDRsoEwYQSfbxj8b7RlJQ=="
+    },
+    "is-plain-object": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/is-plain-object/-/is-plain-object-5.0.0.tgz",
+      "integrity": "sha512-VRSzKkbMm5jMDoKLbltAkFQ5Qr7VDiTFGXxYFXXowVj387GeGNOCsOH6Msy00SGZ3Fp84b1Naa1psqgcCIEP5Q=="
+    },
+    "node-fetch": {
+      "version": "2.6.7",
+      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.7.tgz",
+      "integrity": "sha512-ZjMPFEfVx5j+y2yF35Kzx5sF7kDzxuDj6ziH4FFbOp87zKDZNx8yExJIb05OGF4Nlt9IHFIMBkRl41VdvcNdbQ==",
+      "requires": {
+        "whatwg-url": "^5.0.0"
+      }
+    },
+    "once": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
+      "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==",
+      "requires": {
+        "wrappy": "1"
+      }
+    },
+    "tr46": {
+      "version": "0.0.3",
+      "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz",
+      "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw=="
+    },
+    "tunnel": {
+      "version": "0.0.6",
+      "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
+      "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg=="
+    },
+    "universal-user-agent": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.0.tgz",
+      "integrity": "sha512-isyNax3wXoKaulPDZWHQqbmIx1k2tb9fb3GGDBRxCscfYV2Ch7WxPArBsFEG8s/safwXTT7H4QGhaIkTp9447w=="
+    },
+    "uuid": {
+      "version": "8.3.2",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
+      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg=="
+    },
+    "webidl-conversions": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
+      "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ=="
+    },
+    "whatwg-url": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz",
+      "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==",
+      "requires": {
+        "tr46": "~0.0.3",
+        "webidl-conversions": "^3.0.0"
+      }
+    },
+    "wrappy": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
+      "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="
+    }
+  }
+}
--- a/.github/actions/issue-validator/package.json
+++ b/.github/actions/issue-validator/package.json
@@ -0,0 +1,14 @@
+{
+  "private": true,
+  "exports": "./index.mjs",
+  "scripts": {
+    "build": "ncc -m -o . build src/index.mjs --license licenses.txt"
+  },
+  "devDependencies": {
+    "@vercel/ncc": "0.34.0"
+  },
+  "dependencies": {
+    "@actions/core": "1.10.0",
+    "@actions/github": "5.1.1"
+  }
+}
--- a/.github/actions/issue-validator/repro.md
+++ b/.github/actions/issue-validator/repro.md
@@ -0,0 +1,38 @@
+We cannot recreate the issue with the provided information. **Please add a reproduction in order for us to be able to investigate.**
+
+### **Why was this issue marked with the `incomplete` label?**
+
+To be able to investigate, we need access to a reproduction to identify what triggered the issue. We prefer a link to a public GitHub repository ([template](https://github.com/nextauthjs/next-auth-example)), but you can also use a tool like [CodeSandbox](https://codesandbox.io/s/github/nextauthjs/next-auth-example/tree/main) or [StackBlitz](https://stackblitz.com/fork/github/nextauthjs/next-auth-example).
+
+To make sure the issue is resolved as quickly as possible, please make sure that the reproduction is as **minimal** as possible. This means that you should **remove unnecessary code, files, and dependencies** that do not contribute to the issue.
+
+Please test your reproduction against the latest version of NextAuth.js (`next-auth@latest`) to make sure your issue has not already been fixed.
+
+### **I added a link, why was it still marked?**
+
+Ensure the link is pointing to a codebase that is accessible (e.g. not a private repository). "[example.com](http://example.com/)", "n/a", "will add later", etc. are not acceptable links -- we need to see a public codebase. See the above section for accepted links.
+
+### **What happens if I don't provide a sufficient minimal reproduction?**
+
+Issues with the `incomplete` label that receives no meaningful activity (e.g. new comments with a reproduction link) are automatically closed and locked after 30 days.
+
+If your issue has _not_ been resolved in that time and it has been closed/locked, please open a new issue with the required reproduction.
+
+### **I did not open this issue, but it is relevant to me, what can I do to help?**
+
+Anyone experiencing the same issue is welcome to provide a minimal reproduction following the above steps. Furthermore, you can upvote the issue using the :+1: reaction on the topmost comment (please **do not** comment "I have the same issue" without repro steps). Then, we can sort issues by votes to prioritize.
+
+### **I think my reproduction is good enough, why aren't you looking into it quicker?**
+
+We look into every NextAuth.js issue and constantly monitor open issues for new comments.
+
+However, sometimes we might miss one or two. We apologize, and kindly ask you to refrain from tagging core maintainers, as that will usually not result in increased priority.
+
+Upvoting issues to show your interest will help us prioritize and address them as quickly as possible. That said, every issue is important to us, and if an issue gets closed by accident, we encourage you to open a new one linking to the old issue and we will look into it.
+
+### **Useful Resources**
+
+- [How to create a Minimal, Complete, and Verifiable example](https://stackoverflow.com/help/mcve)
+- [Reporting a NextAuth.js bug](https://github.com/nextauthjs/next-auth/blob/main/.github/ISSUE_TEMPLATE/1_bug_framework.yml)
+- [How to Contribute to Open Source (Next.js)](https://www.youtube.com/watch?v=cuoNzXFLitc)
+
--- a/.github/actions/issue-validator/src/index.mjs
+++ b/.github/actions/issue-validator/src/index.mjs
@@ -0,0 +1,88 @@
+// @ts-check
+// @ts-expect-error
+import * as github from "@actions/github"
+// @ts-expect-error
+import * as core from "@actions/core"
+import { readFileSync } from "node:fs"
+import { join } from "node:path"
+
+const addReproductionLabel = "incomplete"
+const __dirname =
+  "/home/runner/work/nextauthjs/next-auth/.github/actions/issue-validator"
+
+/**
+ * @typedef {{
+ *  id :number
+ *  node_id :string
+ *  url :string
+ *  name :string
+ *  description :string
+ *  color :string
+ *  default :boolean
+ * }} Label
+ *
+ * @typedef {{
+ *  pull_request: any
+ *  issue?: {body: string, number: number, labels: Label[]}
+ *  label: Label
+ * }} Payload
+ *
+ * @typedef {{
+ *  payload: Payload
+ *  repo: any
+ * }} Context
+ */
+
+async function run() {
+  try {
+    /** @type {Context} */
+    const { payload, repo } = github.context
+    const {
+      issue,
+      pull_request,
+      label: { name: newLabel },
+    } = payload
+
+    if (pull_request || !issue?.body || !process.env.GITHUB_TOKEN) return
+
+    const labels = issue.labels.map((l) => l.name)
+    // const isBugReport =
+    //   labels.includes(bugLabel) || newLabel === bugLabel || !labels.length
+
+    if (
+      // !(isBugReport && issue.number > 43554) &&
+      ![addReproductionLabel].includes(newLabel) &&
+      !labels.includes(addReproductionLabel)
+    ) {
+      return core.info(
+        "Not a bug report or not manually labeled or already labeled."
+      )
+    }
+
+    const client = github.getOctokit(process.env.GITHUB_TOKEN).rest
+    const issueCommon = { ...repo, issue_number: issue.number }
+
+    if (
+      newLabel === addReproductionLabel
+      // || !hasValidRepro
+    ) {
+      await Promise.all([
+        client.issues.addLabels({
+          ...issueCommon,
+          labels: [addReproductionLabel],
+        }),
+        client.issues.createComment({
+          ...issueCommon,
+          body: readFileSync(join(__dirname, "repro.md"), "utf8"),
+        }),
+      ])
+      return core.info(
+        "Commented on issue, because it did not have a sufficient reproduction."
+      )
+    }
+  } catch (error) {
+    core.setFailed(error.message)
+  }
+}
+
+run()
--- a/.github/issue-labeler.yml
+++ b/.github/issue-labeler.yml
@@ -30,6 +30,9 @@ prisma:
 sequelize:
  - "@next-auth/sequelize-adapter"

+supabase:
+  - "@next-auth/supabase-adapter"
+
 typeorm-legacy:
  - "@next-auth/typeorm-legacy-adapter"

--- a/.github/pr-labeler.yml
+++ b/.github/pr-labeler.yml
@@ -42,6 +42,9 @@ prisma:
 sequelize:
  - packages/adapter-sequelize/**

+supabase:
+  - packages/adapter-supabase/**
+
 typeorm-legacy:
  - packages/adapter-typeorm-legacy/**

--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -18,10 +18,10 @@ jobs:
        language: ["javascript"]
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
+        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
+        uses: github/codeql-action/analyze@v2
--- a/.github/workflows/issue-labeler.yml
+++ b/.github/workflows/issue-labeler.yml
@@ -11,7 +11,7 @@ jobs:
    name: Triage
    runs-on: ubuntu-latest
    steps:
-      - uses: github/issue-labeler@v2.4.1
+      - uses: github/issue-labeler@v2.5
        with:
          repo-token: "${{ secrets.GITHUB_TOKEN }}"
          configuration-path: ".github/issue-labeler.yml"
--- a/.github/workflows/issue-validator.yml
+++ b/.github/workflows/issue-validator.yml
@@ -0,0 +1,17 @@
+name: Validate issue
+on:
+  issues:
+    types: [labeled]
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 18
+      - name: 'Run issue validator'
+        run: node ./.github/actions/issue-validator/index.mjs
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/pr-labeler.yml
+++ b/.github/workflows/pr-labeler.yml
@@ -10,7 +10,7 @@ jobs:
    name: Triage
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/labeler@v3
+      - uses: actions/labeler@v4
        with:
          repo-token: "${{ secrets.GITHUB_TOKEN }}"
          configuration-path: ".github/pr-labeler.yml"
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,11 +15,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Init
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          fetch-depth: 2
      - name: Install pnpm
-        uses: pnpm/action-setup@v2.2.1
+        uses: pnpm/action-setup@v2.2.4
        with:
          version: 7.5.1
      - name: Setup Node
@@ -49,11 +49,11 @@ jobs:
    environment: Production
    steps:
      - name: Init
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Install pnpm
-        uses: pnpm/action-setup@v2.2.1
+        uses: pnpm/action-setup@v2.2.4
        with:
          version: 7.5.1
      - name: Setup Node
@@ -81,9 +81,9 @@ jobs:
    environment: Preview
    steps:
      - name: Init
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Install pnpm
-        uses: pnpm/action-setup@v2.2.1
+        uses: pnpm/action-setup@v2.2.4
        with:
          version: 7.5.1
      - name: Setup Node
@@ -106,7 +106,7 @@ jobs:
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN_PKG }}
      - name: Comment version on PR
-        uses: NejcZdovc/comment-pr@v1
+        uses: NejcZdovc/comment-pr@v2
        with:
          message:
            "🎉 Experimental release [published 📦️ on npm](https://npmjs.com/package/next-auth/v/${{ env.VERSION }})!\n \
--- a/.github/workflows/sync-examples.yml
+++ b/.github/workflows/sync-examples.yml
@@ -9,7 +9,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Run GitHub File Sync
        # Can update to v1 when https://github.com/BetaHuhn/repo-file-sync-action/issues/168 is resolved
        uses: BetaHuhn/repo-file-sync-action@v1.16.5
--- a/.gitignore
+++ b/.gitignore
@@ -65,6 +65,7 @@ dev.db*
 packages/adapter-prisma/prisma/dev.db
 packages/adapter-prisma/prisma/migrations
 db.sqlite
+packages/adapter-supabase/supabase/.branches

 # Tests
 coverage
@@ -77,4 +78,11 @@ test.schema.gql

 # docusaurus
 docs/.docusaurus
-docs/providers.json
+docs/providers.json
+
+# Core
+packages/core/adapters.*
+packages/core/index.*
+packages/core/jwt
+packages/core/lib
+packages/core/providers
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +0,0 @@
-# CHANGELOG
-
-The changelog is automatically updated using
-[scripts/release/index.ts](https://github.com/nextauthjs/next-auth/tree/main/scripts/index.ts). You
-can see it on the [releases page](../../releases).
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -1,76 +0,0 @@
-# Contributor Covenant Code of Conduct
-
-## Our Pledge
-
-In the interest of fostering an open and welcoming environment, we as
-contributors and maintainers pledge to making participation in our project and
-our community a harassment-free experience for everyone, regardless of age, body
-size, disability, ethnicity, sex characteristics, gender identity and expression,
-level of experience, education, socio-economic status, nationality, personal
-appearance, race, religion, or sexual identity and orientation.
-
-## Our Standards
-
-Examples of behavior that contributes to creating a positive environment
-include:
-
- Using welcoming and inclusive language
- Being respectful of differing viewpoints and experiences
- Gracefully accepting constructive criticism
- Focusing on what is best for the community
- Showing empathy towards other community members
-
-Examples of unacceptable behavior by participants include:
-
- The use of sexualized language or imagery and unwelcome sexual attention or
-  advances
- Trolling, insulting/derogatory comments, and personal or political attacks
- Public or private harassment
- Publishing others' private information, such as a physical or electronic
-  address, without explicit permission
- Other conduct which could reasonably be considered inappropriate in a
-  professional setting
-
-## Our Responsibilities
-
-Project maintainers are responsible for clarifying the standards of acceptable
-behavior and are expected to take appropriate and fair corrective action in
-response to any instances of unacceptable behavior.
-
-Project maintainers have the right and responsibility to remove, edit, or
-reject comments, commits, code, wiki edits, issues, and other contributions
-that are not aligned to this Code of Conduct, or to ban temporarily or
-permanently any contributor for other behaviors that they deem inappropriate,
-threatening, offensive, or harmful.
-
-## Scope
-
-This Code of Conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community. Examples of
-representing a project or community include using an official project e-mail
-address, posting via an official social media account, or acting as an appointed
-representative at an online or offline event. Representation of a project may be
-further defined and clarified by project maintainers.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting hi@thvu.dev, info@balazsorban.com, yo@ndo.dev and me@iaincollins.com.
-All complaints will be reviewed and investigated and will result in a response
-that is deemed necessary and appropriate to the circumstances. The project team
-is obligated to maintain confidentiality with regard to the reporter of an
-incident. Further details of specific enforcement policies may be posted separately.
-
-Project maintainers who do not follow or enforce the Code of Conduct in good
-faith may face temporary or permanent repercussions as determined by other
-members of the project's leadership.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
-available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
-
-[homepage]: https://www.contributor-covenant.org
-
-For answers to common questions about this code of conduct, see
-https://www.contributor-covenant.org/faq
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,119 +0,0 @@
-# Contributing guide
-
-Contributions and feedback on your experience of using this software are welcome.
-
-This includes bug reports, feature requests, ideas, pull requests, and examples of how you have used this software.
-
-Please see the [Code of Conduct](CODE_OF_CONDUCT.md) and follow any templates configured in GitHub when reporting bugs, requesting enhancements, or contributing code.
-
-Please raise any significant new functionality or breaking change an issue for discussion before raising a Pull Request for it.
-
-## For contributors
-
-Anyone can be a contributor. Either you found a typo, or you have an awesome feature request you could implement, we encourage you to create a Pull Request.
-
-### Pull Requests
-
- The latest changes are always in `main`, so please make your Pull Request against that branch.
- Pull Requests should be raised for any change
- Pull Requests need approval of a [core contributor](https://next-auth.js.org/contributors#core-team) before merging
- We use ESLint/Prettier for linting/formatting, so please run `pnpm lint:fix` before committing to make resolving conflicts easier (VSCode users, check out [this ESLint extension](https://marketplace.visualstudio.com/items?itemName=dbaeumer.vscode-eslint) and [this Prettier extension](https://marketplace.visualstudio.com/items?itemName=esbenp.prettier-vscode) to fix lint and formatting issues in development)
- We encourage you to test your changes, and if you have the opportunity, please make those tests part of the Pull Request
- If you add new functionality, please provide the corresponding documentation as well and make it part of the Pull Request
-
-### Setting up local environment
-
-
-A quick guide on how to setup _next-auth_ locally to work on it and test out any changes:
-
-1. Clone the repo:
-
-```sh
-git clone git@github.com:nextauthjs/next-auth.git
-cd next-auth
-```
-
-2. Set up the correct pnpm version, using [Corepack](https://nodejs.org/api/corepack.html). Run the following in the project'a root:
-
-```sh
-corepack enable pnpm
-```
-
-(Now, if you run `pnpm --version`, it should print the same verion as the `packageManager` property in the [`package.json` file](https://github.com/nextauthjs/next-auth/blob/main/package.json))
-
-3. Install packages. Developing requires Node.js v18:
-
-```sh
-pnpm install
-```
-
-4. Populate `.env.local`:
-
-Copy `apps/dev/.env.local.example` to `apps/dev/.env.local`, and add your env variables for each provider you want to test.
-
-```sh
-cd apps/dev
-cp .env.local.example .env.local
-```
-
-> NOTE: You can add any environment variables to .env.local that you would like to use in your dev app.
-> You can find the next-auth config under`apps/dev/pages/api/auth/[...nextauth].js`.
-
-5. Start the developer application/server:
-
-```sh
-pnpm dev
-```
-
-Your developer application will be available on `http://localhost:3000`
-
-That's it! 🎉
-
-If you need an example project to link to, you can use [next-auth-example](https://github.com/iaincollins/next-auth-example).
-
-#### Hot reloading
-
-When running `pnpm dev`, you start a Next.js developer server on `http://localhost:3000`, which includes hot reloading out-of-the-box. Make changes on any of the files in `src` and see the changes immediately.
-
-> NOTE: When working on CSS, you will have to manually refresh the page after changes. The reason for this is our pages using CSS are server-side rendered (using API routes). (Improving this through a PR is very welcome!)
-
-> NOTE: The setup is as follows: The development application lives inside the `app` folder, and whenever you make a change to the `src` folder in the root (where next-auth is), it gets copied into `app` every time (gitignored), so Next.js can pick them up and apply hot reloading. This is to avoid some annoying issues with how symlinks are working with different React builds, and also to provide a super-fast feedback loop while developing core features.
-
-#### Providers
-
-If you think your custom provider might be useful to others, we encourage you to open a PR and add it to the built-in list so others can discover it much more easily! You only need to add two changes:
-
-1. Add your config: [`src/providers/{provider}.js`](https://github.com/nextauthjs/next-auth/tree/main/packages/next-auth/src/providers) (Make sure you use a named default export, like `export default function YourProvider`!)
-2. Add provider documentation: [`www/docs/providers/{provider}.md`](https://github.com/nextauthjs/next-auth/tree/main/www/docs/providers)
-
-That's it! 🎉 Others will be able to discover this provider much more easily now!
-
-You can look at the existing built-in providers for inspiration.
-
-#### Databases
-
-If you would like to contribute to an existing database adapter or help create a new one, head over to the [nextauthjs/adapters](https://www.github.com/nextauthjs/adapters) repository and follow the instructions provided there.
-
-#### Testing
-
-Tests can be run with `pnpm test`.
-
-Automated tests are currently crude and limited in functionality, but improvements are in development.
-
-## For maintainers
-
-We use [a custom script](https://github.com/nextauthjs/next-auth/blob/main/scripts/release/index.ts) together with [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0) to automate releases. This makes the maintenance process easier and less error-prone. Please study the "Conventional Commits" site to understand how to write a good commit message.
-
-When accepting Pull Requests, make sure the following:
-
- Use "Squash and merge"
- Make sure you merge contributor PRs into `main`
- Rewrite the commit message to conform to the `Conventional Commits` style.
-  - Using `fix` releases a patch (x.x.1)
-  - Using `feat` releases a minor (x.1.x)
-  - Using `feat` when `BREAKING CHANGE` is present in the commit message releases a major (1.x.x)
- Optionally link issues the PR will resolve (You can add "close" in front of the issue numbers to close the issues automatically, when the PR is merged. `semantic-release` will also comment back to connected issues and PRs, notifying the users that a feature is added/bug fixed, etc.)
-
-### Skipping a release
-
-If a commit contains `[skip release]` in their message, it will be excluded from the commit analysis and won't participate in the release type determination. This is useful, if the PR being merged should not trigger a new `npm` release.
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,24 +0,0 @@
-# Security Policy
-
-NextAuth.js practices responsible disclosure.
-
-## Reporting a Vulnerability
-
-We request that you contact us directly to report serious issues that might impact the security of sites using NextAuth.js.
-
-If you contact us regarding a serious issue:
-
- We will endeavor to get back to you within 72 hours.
- We will aim to publish a fix within 30 days.
- We will disclose the issue (and credit you, with your consent) once a fix to resolve the issue has been released.
- If 90 days has elapsed and we still don't have a fix, we will disclose the issue publicly.
-
-The best way to report an issue is by contacting us via email at hi@thvu.dev, info@balazsorban.com, yo@ndo.dev and me@iaincollins.com, or raise a public issue requesting someone get in touch with you via whatever means you prefer for more details. (Please do not disclose sensitive details publicly at this stage.)
-
-> For less serious issues (e.g. RFC compliance for unsupported flows or potential issues that may cause a problem in the future) it is appropriate to submit these publicly as bug reports or feature requests or to raise a question to open a discussion around them.
-
-## Supported Versions
-
-Security updates are only released for the current version.
-
-Old releases are not maintained and do not receive updates.
--- a/apps/dev/.env.local.example
+++ b/apps/dev/.env.local.example
@@ -48,4 +48,11 @@ EMAIL_FROM=user@gmail.com
 DATABASE_URL=

 WIKIMEDIA_ID=
-WIKIMEDIA_SECRET=
+WIKIMEDIA_SECRET=
+
+# Supabase Example Configuration
+# Supabase Example Configuration
+# NEXT_PUBLIC_SUPABASE_URL=http://localhost:54321
+# SUPABASE_SERVICE_ROLE_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6InNlcnZpY2Vfcm9sZSJ9.vI9obAHOGyVVKa3pD--kJlyxp-Z2zV9UUMAhKpNLAcU
+# SUPABASE_JWT_SECRET=super-secret-jwt-token-with-at-least-32-characters-long
+# NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6ImFub24ifQ.625_WdcF3KHqz5amU0x2X5WWHP-OEs_4qj0ssLNHzTs
--- a/apps/dev/components/header.js
+++ b/apps/dev/components/header.js
@@ -90,6 +90,12 @@ export default function Header() {
          <li className={styles.navItem}>
            <Link href="/middleware-protected">Middleware protected</Link>
          </li>
+          <li className={styles.navItem}>
+            <Link href="/supabase-client-rls">Supabase RLS</Link>
+          </li>
+          <li className={styles.navItem}>
+            <Link href="/supabase-ssr">Supabase RLS(SSR)</Link>
+          </li>
        </ul>
      </nav>
    </header>
--- a/apps/dev/package.json
+++ b/apps/dev/package.json
@@ -16,16 +16,20 @@
  "dependencies": {
    "@next-auth/fauna-adapter": "workspace:*",
    "@next-auth/prisma-adapter": "workspace:*",
+    "@next-auth/supabase-adapter": "workspace:*",
    "@next-auth/typeorm-legacy-adapter": "workspace:*",
    "@prisma/client": "^3",
+    "@supabase/supabase-js": "^2.0.5",
    "faunadb": "^4",
-    "next": "13.0.2",
+    "next": "13.0.6",
    "next-auth": "workspace:*",
+    "@auth/core": "workspace:*",
    "nodemailer": "^6",
    "react": "^18",
    "react-dom": "^18"
  },
  "devDependencies": {
+    "@types/jsonwebtoken": "^8.5.5",
    "@types/react": "^18.0.15",
    "@types/react-dom": "^18.0.6",
    "fake-smtp-server": "^0.8.0",
--- a/apps/dev/pages/api/auth/[...nextauth].ts
+++ b/apps/dev/pages/api/auth/[...nextauth].ts
@@ -1,45 +1,39 @@
-import NextAuth from "next-auth"
-import type { NextAuthOptions } from "next-auth"
+import { AuthHandler, type AuthOptions } from "@auth/core"

 // Providers
-import Apple from "next-auth/providers/apple"
-import Auth0 from "next-auth/providers/auth0"
-import AzureAD from "next-auth/providers/azure-ad"
-import AzureB2C from "next-auth/providers/azure-ad-b2c"
-import BoxyHQSAML from "next-auth/providers/boxyhq-saml"
-import Cognito from "next-auth/providers/cognito"
-import Credentials from "next-auth/providers/credentials"
-import Discord from "next-auth/providers/discord"
-import DuendeIDS6 from "next-auth/providers/duende-identity-server6"
-import Email from "next-auth/providers/email"
-import Facebook from "next-auth/providers/facebook"
-import Foursquare from "next-auth/providers/foursquare"
-import Freshbooks from "next-auth/providers/freshbooks"
-import GitHub from "next-auth/providers/github"
-import Gitlab from "next-auth/providers/gitlab"
-import Google from "next-auth/providers/google"
-import Hubspot from "next-auth/providers/hubspot"
-import IDS4 from "next-auth/providers/identity-server4"
-import Instagram from "next-auth/providers/instagram"
-import Keycloak from "next-auth/providers/keycloak"
-import Line from "next-auth/providers/line"
-import LinkedIn from "next-auth/providers/linkedin"
-import Mailchimp from "next-auth/providers/mailchimp"
-import Okta from "next-auth/providers/okta"
-import Osu from "next-auth/providers/osu"
-import Patreon from "next-auth/providers/patreon"
-import Slack from "next-auth/providers/slack"
-import Spotify from "next-auth/providers/spotify"
-import Todoist from "next-auth/providers/todoist"
-import Trakt from "next-auth/providers/trakt"
-import Twitch from "next-auth/providers/twitch"
-import Twitter, { TwitterLegacy } from "next-auth/providers/twitter"
-import Vk from "next-auth/providers/vk"
-import Wikimedia from "next-auth/providers/wikimedia"
-import WorkOS from "next-auth/providers/workos"
-import Zitadel from "next-auth/providers/zitadel"
-
-// Adapters
+import Apple from "@auth/core/providers/apple"
+import Auth0 from "@auth/core/providers/auth0"
+import AzureAD from "@auth/core/providers/azure-ad"
+import AzureB2C from "@auth/core/providers/azure-ad-b2c"
+import BoxyHQSAML from "@auth/core/providers/boxyhq-saml"
+// import Cognito from "@auth/core/providers/cognito"
+import Credentials from "@auth/core/providers/credentials"
+import Discord from "@auth/core/providers/discord"
+import DuendeIDS6 from "@auth/core/providers/duende-identity-server6"
+// import Email from "@auth/core/providers/email"
+import Facebook from "@auth/core/providers/facebook"
+import Foursquare from "@auth/core/providers/foursquare"
+import Freshbooks from "@auth/core/providers/freshbooks"
+import GitHub from "@auth/core/providers/github"
+import Gitlab from "@auth/core/providers/gitlab"
+import Google from "@auth/core/providers/google"
+// import IDS4 from "@auth/core/providers/identity-server4"
+import Instagram from "@auth/core/providers/instagram"
+// import Keycloak from "@auth/core/providers/keycloak"
+import Line from "@auth/core/providers/line"
+import LinkedIn from "@auth/core/providers/linkedin"
+import Mailchimp from "@auth/core/providers/mailchimp"
+// import Okta from "@auth/core/providers/okta"
+import Osu from "@auth/core/providers/osu"
+import Patreon from "@auth/core/providers/patreon"
+import Slack from "@auth/core/providers/slack"
+import Spotify from "@auth/core/providers/spotify"
+import Trakt from "@auth/core/providers/trakt"
+import Twitch from "@auth/core/providers/twitch"
+import Twitter from "@auth/core/providers/twitter"
+import Vk from "@auth/core/providers/vk"
+import Wikimedia from "@auth/core/providers/wikimedia"
+import WorkOS from "@auth/core/providers/workos"

 // // Prisma
 // import { PrismaClient } from "@prisma/client"
@@ -65,9 +59,16 @@ import Zitadel from "next-auth/providers/zitadel"
 //   synchronize: true,
 // })

-export const authOptions: NextAuthOptions = {
+// // Supabase
+// import { SupabaseAdapter } from "@next-auth/supabase-adapter"
+// const adapter = SupabaseAdapter({
+//   url: process.env.NEXT_PUBLIC_SUPABASE_URL,
+//   secret: process.env.SUPABASE_SERVICE_ROLE_KEY,
+// })
+
+export const authOptions: AuthOptions = {
  // adapter,
-  debug: process.env.NODE_ENV !== "production",
+  // debug: process.env.NODE_ENV !== "production",
  theme: {
    logo: "https://next-auth.js.org/img/logo/logo-sm.png",
    brandColor: "#1786fb",
@@ -77,15 +78,19 @@ export const authOptions: NextAuthOptions = {
      credentials: { password: { label: "Password", type: "password" } },
      async authorize(credentials) {
        if (credentials.password !== "pw") return null
-        return { name: "Fill Murray", email: "bill@fillmurray.com", image: "https://www.fillmurray.com/64/64" }
+        return { name: "Fill Murray", email: "bill@fillmurray.com", image: "https://www.fillmurray.com/64/64", id: "1", foo: "" }
      },
    }),
    Apple({ clientId: process.env.APPLE_ID, clientSecret: process.env.APPLE_SECRET }),
    Auth0({ clientId: process.env.AUTH0_ID, clientSecret: process.env.AUTH0_SECRET, issuer: process.env.AUTH0_ISSUER }),
-    AzureAD({ clientId: process.env.AZURE_AD_CLIENT_ID, clientSecret: process.env.AZURE_AD_CLIENT_SECRET, tenantId: process.env.AZURE_AD_TENANT_ID }),
+    AzureAD({
+      clientId: process.env.AZURE_AD_CLIENT_ID,
+      clientSecret: process.env.AZURE_AD_CLIENT_SECRET,
+      tenantId: process.env.AZURE_AD_TENANT_ID,
+    }),
    AzureB2C({ clientId: process.env.AZURE_B2C_ID, clientSecret: process.env.AZURE_B2C_SECRET, issuer: process.env.AZURE_B2C_ISSUER }),
    BoxyHQSAML({ issuer: "https://jackson-demo.boxyhq.com", clientId: "tenant=boxyhq.com&product=saml-demo.boxyhq.com", clientSecret: "dummy" }),
-    Cognito({ clientId: process.env.COGNITO_ID, clientSecret: process.env.COGNITO_SECRET, issuer: process.env.COGNITO_ISSUER }),
+    // Cognito({ clientId: process.env.COGNITO_ID, clientSecret: process.env.COGNITO_SECRET, issuer: process.env.COGNITO_ISSUER }),
    Discord({ clientId: process.env.DISCORD_ID, clientSecret: process.env.DISCORD_SECRET }),
    DuendeIDS6({ clientId: "interactive.confidential", clientSecret: "secret", issuer: "https://demo.duendesoftware.com" }),
    Facebook({ clientId: process.env.FACEBOOK_ID, clientSecret: process.env.FACEBOOK_SECRET }),
@@ -94,36 +99,56 @@ export const authOptions: NextAuthOptions = {
    GitHub({ clientId: process.env.GITHUB_ID, clientSecret: process.env.GITHUB_SECRET }),
    Gitlab({ clientId: process.env.GITLAB_ID, clientSecret: process.env.GITLAB_SECRET }),
    Google({ clientId: process.env.GOOGLE_ID, clientSecret: process.env.GOOGLE_SECRET }),
-    Hubspot({ clientId: process.env.HUBSPOT_ID, clientSecret: process.env.HUBSPOT_SECRET }),
-    IDS4({ clientId: process.env.IDS4_ID, clientSecret: process.env.IDS4_SECRET, issuer: process.env.IDS4_ISSUER }),
+    // IDS4({ clientId: process.env.IDS4_ID, clientSecret: process.env.IDS4_SECRET, issuer: process.env.IDS4_ISSUER }),
    Instagram({ clientId: process.env.INSTAGRAM_ID, clientSecret: process.env.INSTAGRAM_SECRET }),
-    Keycloak({ clientId: process.env.KEYCLOAK_ID, clientSecret: process.env.KEYCLOAK_SECRET, issuer: process.env.KEYCLOAK_ISSUER }),
+    // Keycloak({ clientId: process.env.KEYCLOAK_ID, clientSecret: process.env.KEYCLOAK_SECRET, issuer: process.env.KEYCLOAK_ISSUER }),
    Line({ clientId: process.env.LINE_ID, clientSecret: process.env.LINE_SECRET }),
    LinkedIn({ clientId: process.env.LINKEDIN_ID, clientSecret: process.env.LINKEDIN_SECRET }),
    Mailchimp({ clientId: process.env.MAILCHIMP_ID, clientSecret: process.env.MAILCHIMP_SECRET }),
-    Okta({ clientId: process.env.OKTA_ID, clientSecret: process.env.OKTA_SECRET, issuer: process.env.OKTA_ISSUER }),
+    // Okta({ clientId: process.env.OKTA_ID, clientSecret: process.env.OKTA_SECRET, issuer: process.env.OKTA_ISSUER }),
    Osu({ clientId: process.env.OSU_CLIENT_ID, clientSecret: process.env.OSU_CLIENT_SECRET }),
    Patreon({ clientId: process.env.PATREON_ID, clientSecret: process.env.PATREON_SECRET }),
    Slack({ clientId: process.env.SLACK_ID, clientSecret: process.env.SLACK_SECRET }),
    Spotify({ clientId: process.env.SPOTIFY_ID, clientSecret: process.env.SPOTIFY_SECRET }),
-    Todoist({ clientId: process.env.TODOIST_ID, clientSecret: process.env.TODOIST_SECRET }),
    Trakt({ clientId: process.env.TRAKT_ID, clientSecret: process.env.TRAKT_SECRET }),
    Twitch({ clientId: process.env.TWITCH_ID, clientSecret: process.env.TWITCH_SECRET }),
-    Twitter({ version: "2.0", clientId: process.env.TWITTER_ID, clientSecret: process.env.TWITTER_SECRET }),
-    TwitterLegacy({ clientId: process.env.TWITTER_LEGACY_ID, clientSecret: process.env.TWITTER_LEGACY_SECRET }),
+    Twitter({ clientId: process.env.TWITTER_ID, clientSecret: process.env.TWITTER_SECRET }),
+    // TwitterLegacy({ clientId: process.env.TWITTER_LEGACY_ID, clientSecret: process.env.TWITTER_LEGACY_SECRET }),
    Vk({ clientId: process.env.VK_ID, clientSecret: process.env.VK_SECRET }),
    Wikimedia({ clientId: process.env.WIKIMEDIA_ID, clientSecret: process.env.WIKIMEDIA_SECRET }),
    WorkOS({ clientId: process.env.WORKOS_ID, clientSecret: process.env.WORKOS_SECRET }),
-    Zitadel({ issuer: process.env.ZITADEL_ISSUER, clientId: process.env.ZITADEL_CLIENT_ID, clientSecret: process.env.ZITADEL_CLIENT_SECRET }),
  ],
 }

 if (authOptions.adapter) {
-  authOptions.providers.unshift(
-    // NOTE: You can start a fake e-mail server with `pnpm email`
-    // and then go to `http://localhost:1080` in the browser
-    Email({ server: "smtp://127.0.0.1:1025?tls.rejectUnauthorized=false" })
-  )
+  // TODO:
+  // authOptions.providers.unshift(
+  //   // NOTE: You can start a fake e-mail server with `pnpm email`
+  //   // and then go to `http://localhost:1080` in the browser
+  //   Email({ server: "smtp://127.0.0.1:1025?tls.rejectUnauthorized=false" })
+  // )
 }

-export default NextAuth(authOptions)
+// TODO: move to next-auth/edge
+function Auth(...args: any[]) {
+  const envSecret = process.env.AUTH_SECRET ?? process.env.NEXTAUTH_SECRET
+  const envTrustHost = !!(process.env.NEXTAUTH_URL ?? process.env.AUTH_TRUST_HOST ?? process.env.VERCEL ?? process.env.NODE_ENV !== "production")
+  if (args.length === 1) {
+    return async (req: Request) => {
+      args[0].secret ??= envSecret
+      args[0].trustHost ??= envTrustHost
+      return await AuthHandler(req, args[0])
+    }
+  }
+  args[1].secret ??= envSecret
+  args[1].trustHost ??= envTrustHost
+  return AuthHandler(args[0], args[1])
+}
+
+// export default Auth(authOptions)
+
+export default function handle(request: Request) {
+  return Auth(request, authOptions)
+}
+
+export const config = { runtime: "experimental-edge" }
--- a/apps/dev/pages/api/examples/supabase-rls.js
+++ b/apps/dev/pages/api/examples/supabase-rls.js
@@ -0,0 +1,30 @@
+// This is an example of how to query data from Supabase with RLS.
+// Learn more about Row Levele Security (RLS): https://supabase.com/docs/guides/auth/row-level-security
+import { unstable_getServerSession } from "next-auth/next"
+import { authOptions } from "../auth/[...nextauth]"
+import { createClient } from "@supabase/supabase-js"
+
+export default async (req, res) => {
+  const session = await unstable_getServerSession(req, res, authOptions)
+
+  if (!session)
+    return res.send(JSON.stringify({ error: "No session!" }, null, 2))
+
+  const { supabaseAccessToken } = session
+
+  const supabase = createClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL,
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY,
+    {
+      global: {
+        headers: {
+          Authorization: `Bearer ${supabaseAccessToken}`,
+        },
+      },
+    }
+  )
+  // Now you can query with RLS enabled.
+  const { data, error } = await supabase.from("users").select("*")
+
+  res.send(JSON.stringify({ supabaseAccessToken, data, error }, null, 2))
+}
--- a/apps/dev/pages/supabase-client-rls.js
+++ b/apps/dev/pages/supabase-client-rls.js
@@ -0,0 +1,49 @@
+import Layout from "../components/layout"
+import { useState, useEffect } from "react"
+import { useSession } from "next-auth/react"
+import { createClient } from "@supabase/supabase-js"
+
+export default function Page() {
+  const { data: session } = useSession()
+  const [data, setData] = useState(null)
+
+  useEffect(() => {
+    if (session) {
+      console.log(session)
+      // User is logged in, let's fetch their data.
+      const { supabaseAccessToken } = session
+      const supabase = createClient(
+        process.env.NEXT_PUBLIC_SUPABASE_URL,
+        process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY,
+        {
+          global: {
+            headers: { Authorization: `Bearer ${supabaseAccessToken}` },
+          },
+        }
+      )
+      // Fetch data with RLS enabled.
+      supabase
+        .from("users")
+        .select("*")
+        .then(({ data }) => setData(data))
+    }
+  }, [session])
+
+  return (
+    <Layout>
+      <h1>Fetch Data from Supabase with RLS</h1>
+      <h2>Client-side data fetching with RLS:</h2>
+      <pre>{JSON.stringify(data, null, 2)}</pre>
+      <h2>API Example</h2>
+      <p>
+        You can also use Supabase in API routes. See the code in the
+        `/pages/api/examples/supabase-rls.js` file.
+      </p>
+      <p>
+        <em>You must be signed in to see responses.</em>
+      </p>
+      <p>/api/examples/supabase-rls</p>
+      <iframe src="/api/examples/supabase-rls" />
+    </Layout>
+  )
+}
--- a/apps/dev/pages/supabase-ssr.js
+++ b/apps/dev/pages/supabase-ssr.js
@@ -0,0 +1,68 @@
+// This is an example of how to protect content using server rendering
+// and fetching data from Supabase with RLS enabled.
+import { unstable_getServerSession } from "next-auth/next"
+import { authOptions } from "./api/auth/[...nextauth]"
+import { createClient } from "@supabase/supabase-js"
+import Layout from "../components/layout"
+import AccessDenied from "../components/access-denied"
+
+export default function Page({ data, session }) {
+  // If no session exists, display access denied message
+  if (!session) {
+    return (
+      <Layout>
+        <AccessDenied />
+      </Layout>
+    )
+  }
+
+  // If session exists, display content
+  return (
+    <Layout>
+      <h1>Protected Page</h1>
+      <p>Data fetched during SSR from Supabase with RSL enabled:</p>
+      <pre>{JSON.stringify(data, null, 2)}</pre>
+    </Layout>
+  )
+}
+
+export async function getServerSideProps(context) {
+  const session = await unstable_getServerSession(
+    context.req,
+    context.res,
+    authOptions
+  )
+
+  if (!session)
+    return {
+      props: {
+        session,
+        data: null,
+        error: "No session",
+      },
+    }
+
+  const { supabaseAccessToken } = session
+
+  const supabase = createClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL,
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY,
+    {
+      global: {
+        headers: {
+          Authorization: `Bearer ${supabaseAccessToken}`,
+        },
+      },
+    }
+  )
+  // Now you can query with RLS enabled.
+  const { data, error } = await supabase.from("users").select("*")
+
+  return {
+    props: {
+      session,
+      data,
+      error,
+    },
+  }
+}
--- a/apps/dev/types/nextauth.d.ts
+++ b/apps/dev/types/nextauth.d.ts
@@ -6,6 +6,8 @@ declare module "next-auth" {
   * Returned by `useSession`, `getSession` and received as a prop on the `SessionProvider` React Context
   */
  interface Session {
+    // A JWT which can be used as Authorization header with supabase-js for RLS.
+    supabaseAccessToken?: string
    user: {
      /** The user's postal address. */
      address: string
--- a/docs/CODE_OF_CONDUCT.md
+++ b/docs/CODE_OF_CONDUCT.md
@@ -1,76 +0,0 @@
-# Contributor Covenant Code of Conduct
-
-## Our Pledge
-
-In the interest of fostering an open and welcoming environment, we as
-contributors and maintainers pledge to making participation in our project and
-our community a harassment-free experience for everyone, regardless of age, body
-size, disability, ethnicity, sex characteristics, gender identity and expression,
-level of experience, education, socio-economic status, nationality, personal
-appearance, race, religion, or sexual identity and orientation.
-
-## Our Standards
-
-Examples of behavior that contributes to creating a positive environment
-include:
-
- Using welcoming and inclusive language
- Being respectful of differing viewpoints and experiences
- Gracefully accepting constructive criticism
- Focusing on what is best for the community
- Showing empathy towards other community members
-
-Examples of unacceptable behavior by participants include:
-
- The use of sexualized language or imagery and unwelcome sexual attention or
-  advances
- Trolling, insulting/derogatory comments, and personal or political attacks
- Public or private harassment
- Publishing others' private information, such as a physical or electronic
-  address, without explicit permission
- Other conduct which could reasonably be considered inappropriate in a
-  professional setting
-
-## Our Responsibilities
-
-Project maintainers are responsible for clarifying the standards of acceptable
-behavior and are expected to take appropriate and fair corrective action in
-response to any instances of unacceptable behavior.
-
-Project maintainers have the right and responsibility to remove, edit, or
-reject comments, commits, code, wiki edits, issues, and other contributions
-that are not aligned to this Code of Conduct, or to ban temporarily or
-permanently any contributor for other behaviors that they deem inappropriate,
-threatening, offensive, or harmful.
-
-## Scope
-
-This Code of Conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community. Examples of
-representing a project or community include using an official project e-mail
-address, posting via an official social media account, or acting as an appointed
-representative at an online or offline event. Representation of a project may be
-further defined and clarified by project maintainers.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting me@iaincollins.com. All complaints will be reviewed and
-investigated and will result in a response that is deemed necessary and
-appropriate to the circumstances. The project team is obligated to maintain
-confidentiality with regard to the reporter of an incident. Further details of
-specific enforcement policies may be posted separately.
-
-Project maintainers who do not follow or enforce the Code of Conduct in good
-faith may face temporary or permanent repercussions as determined by other
-members of the project's leadership.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
-available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
-
-[homepage]: https://www.contributor-covenant.org
-
-For answers to common questions about this code of conduct, see
-https://www.contributor-covenant.org/faq
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -1,26 +0,0 @@
-# Contributing guide
-
-Contributions and feedback on your experience of using this software are welcome.
-
-This includes bug reports, feature requests, ideas, pull requests, and examples of how you have used this software.
-
-Please see the [Code of Conduct](CODE_OF_CONDUCT.md) and follow any templates configured in GitHub when reporting bugs, requesting enhancements, or contributing code.
-
-Please raise any significant new functionality or breaking change an issue for discussion before raising a Pull Request for it.
-
-## For contributors
-
-Anyone can be a contributor. Either you found a typo, or you have an awesome feature request you could implement, we encourage you to create a Pull Request.
-
-### Pull Requests
-
- The latest changes are always in `main`, so please make your Pull Request against that branch.
- Pull Requests should be raised for any change
-
-### Setting up local environment
-
-The local environment can be setup by doing the following.
-
-1. Clone the repository `$ git clone https://github.com/nextauthjs/docs.git`
-2. Install dependencies `$ npm install`
-3. Start development server `$ npm start`
--- a/docs/docs/adapters/mongodb.md
+++ b/docs/docs/adapters/mongodb.md
@@ -15,26 +15,23 @@ The MongoDB adapter does not handle connections automatically, so you will have
 npm install next-auth @next-auth/mongodb-adapter mongodb
 ```

-2. Add `lib/mongodb.js`
+2. Add `lib/mongodb.ts`

-```js
+```ts
 // This approach is taken from https://github.com/vercel/next.js/tree/canary/examples/with-mongodb
-import { MongoClient } from "mongodb"
-
-const uri = process.env.MONGODB_URI
-const options = {
-  useUnifiedTopology: true,
-  useNewUrlParser: true,
-}
-
-let client
-let clientPromise
+import { MongoClient } from 'mongodb'

 if (!process.env.MONGODB_URI) {
-  throw new Error("Please add your Mongo URI to .env.local")
+  throw new Error('Invalid/Missing environment variable: "MONGODB_URI"')
 }

-if (process.env.NODE_ENV === "development") {
+const uri = process.env.MONGODB_URI
+const options = {}
+
+let client
+let clientPromise: Promise<MongoClient>
+
+if (process.env.NODE_ENV === 'development') {
  // In development mode, use a global variable so that the value
  // is preserved across module reloads caused by HMR (Hot Module Replacement).
  if (!global._mongoClientPromise) {
--- a/docs/docs/adapters/overview.md
+++ b/docs/docs/adapters/overview.md
@@ -21,6 +21,7 @@ We have a list of official adapters that are distributed as their own packages u
 - [`neo4j`](./neo4j)
 - [`typeorm-legacy`](./typeorm)
 - [`sequelize`](./sequelize)
+- [`supabase`](./supabase)
 - [`dgraph`](./dgraph)
 - [`upstash-redis`](./upstash-redis)

--- a/docs/docs/adapters/supabase.md
+++ b/docs/docs/adapters/supabase.md
@@ -0,0 +1,309 @@
+---
+id: supabase
+title: Supabase
+---
+
+# Supabase
+
+This is the Supabase Adapter for [`next-auth`](https://next-auth.js.org). This package can only be used in conjunction with the primary `next-auth` package. It is not a standalone package.
+
+:::note
+This adapter is developed by the community and not officially maintained or supported by Supabase. It uses the Supabase Database to store user and session data in a separate `next_auth` schema. It is a standalone Auth server that does not interface with Supabase Auth and therefore provides a different feature set.
+
+If you’re looking for an officially maintained Auth server with additional features like [built-in email server](https://supabase.com/docs/guides/auth/auth-email#configure-email-settings?utm_source=next-auth-docs&medium=referral&campaign=next-auth), [phone auth](https://supabase.com/docs/guides/auth/auth-twilio?utm_source=next-auth-docs&medium=referral&campaign=next-auth), and [Multi Factor Authentication (MFA / 2FA)](https://supabase.com/contact/mfa?utm_source=next-auth-docs&medium=referral&campaign=next-auth), please use [Supabase Auth](https://supabase.com/auth) with the [Auth Helpers for Next.js](https://supabase.com/docs/guides/auth/auth-helpers/nextjs?utm_source=next-auth-docs&medium=referral&campaign=next-auth).
+:::
+
+## Getting Started
+
+1. Install `@supabase/supabase-js`, `next-auth` and `@next-auth/supabase-adapter`.
+
+```bash npm2yarn2pnpm
+npm install @supabase/supabase-js next-auth @next-auth/supabase-adapter
+```
+
+2. Add this adapter to your `pages/api/[...nextauth].js` next-auth configuration object.
+
+```js title="pages/api/auth/[...nextauth].js"
+import NextAuth from "next-auth"
+import { SupabaseAdapter } from "@next-auth/supabase-adapter"
+
+// For more information on each option (and a full list of options) go to
+// https://next-auth.js.org/configuration/options
+export default NextAuth({
+  // https://next-auth.js.org/configuration/providers
+  providers: [...],
+  adapter: SupabaseAdapter({
+    url: process.env.NEXT_PUBLIC_SUPABASE_URL,
+    secret: process.env.SUPABASE_SERVICE_ROLE_KEY,
+  }),
+  // ...
+})
+```
+
+## Setup
+
+### Create the `next_auth` schema in Supabase
+
+Setup your database as described in our main [schema](/adapters/models), by copying the SQL schema below in the Supabase [SQL Editor](https://app.supabase.com/project/_/sql).
+
+Alternatively you can select the NextAuth Quickstart card on the [SQL Editor page](https://app.supabase.com/project/_/sql), or [create a migration with the Supabase CLI](https://supabase.com/docs/guides/cli/local-development#database-migrations?utm_source=next-auth-docs&medium=referral&campaign=next-auth).
+
+```sql
+--
+-- Name: next_auth; Type: SCHEMA;
+--
+CREATE SCHEMA next_auth;
+
+GRANT USAGE ON SCHEMA next_auth TO service_role;
+GRANT ALL ON SCHEMA next_auth TO postgres;
+
+--
+-- Create users table
+--
+CREATE TABLE IF NOT EXISTS next_auth.users
+(
+    id uuid NOT NULL DEFAULT uuid_generate_v4(),
+    name text,
+    email text,
+    "emailVerified" timestamp with time zone,
+    image text,
+    CONSTRAINT users_pkey PRIMARY KEY (id),
+    CONSTRAINT email_unique UNIQUE (email)
+);
+
+GRANT ALL ON TABLE next_auth.users TO postgres;
+GRANT ALL ON TABLE next_auth.users TO service_role;
+
+--- uid() function to be used in RLS policies
+CREATE FUNCTION next_auth.uid() RETURNS uuid
+    LANGUAGE sql STABLE
+    AS $$
+  select
+  	coalesce(
+		nullif(current_setting('request.jwt.claim.sub', true), ''),
+		(nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'sub')
+	)::uuid
+$$;
+
+--
+-- Create sessions table
+--
+CREATE TABLE IF NOT EXISTS  next_auth.sessions
+(
+    id uuid NOT NULL DEFAULT uuid_generate_v4(),
+    expires timestamp with time zone NOT NULL,
+    "sessionToken" text NOT NULL,
+    "userId" uuid,
+    CONSTRAINT sessions_pkey PRIMARY KEY (id),
+    CONSTRAINT sessionToken_unique UNIQUE ("sessionToken"),
+    CONSTRAINT "sessions_userId_fkey" FOREIGN KEY ("userId")
+        REFERENCES  next_auth.users (id) MATCH SIMPLE
+        ON UPDATE NO ACTION
+        ON DELETE CASCADE
+);
+
+GRANT ALL ON TABLE next_auth.sessions TO postgres;
+GRANT ALL ON TABLE next_auth.sessions TO service_role;
+
+--
+-- Create accounts table
+--
+CREATE TABLE IF NOT EXISTS  next_auth.accounts
+(
+    id uuid NOT NULL DEFAULT uuid_generate_v4(),
+    type text NOT NULL,
+    provider text NOT NULL,
+    "providerAccountId" text NOT NULL,
+    refresh_token text,
+    access_token text,
+    expires_at bigint,
+    token_type text,
+    scope text,
+    id_token text,
+    session_state text,
+    oauth_token_secret text,
+    oauth_token text,
+    "userId" uuid,
+    CONSTRAINT accounts_pkey PRIMARY KEY (id),
+    CONSTRAINT provider_unique UNIQUE (provider, "providerAccountId"),
+    CONSTRAINT "accounts_userId_fkey" FOREIGN KEY ("userId")
+        REFERENCES  next_auth.users (id) MATCH SIMPLE
+        ON UPDATE NO ACTION
+        ON DELETE CASCADE
+);
+
+GRANT ALL ON TABLE next_auth.accounts TO postgres;
+GRANT ALL ON TABLE next_auth.accounts TO service_role;
+
+--
+-- Create verification_tokens table
+--
+CREATE TABLE IF NOT EXISTS  next_auth.verification_tokens
+(
+    identifier text,
+    token text,
+    expires timestamp with time zone NOT NULL,
+    CONSTRAINT verification_tokens_pkey PRIMARY KEY (token),
+    CONSTRAINT token_unique UNIQUE (token),
+    CONSTRAINT token_identifier_unique UNIQUE (token, identifier)
+);
+
+GRANT ALL ON TABLE next_auth.verification_tokens TO postgres;
+GRANT ALL ON TABLE next_auth.verification_tokens TO service_role;
+```
+
+### Expose the `next_auth` schema in Supabase
+
+Expose the `next_auth` schema via the Serverless API in the [API settings](https://app.supabase.com/project/_/settings/api) by adding `next_auth` to the "Exposed schemas" list.
+
+When developing locally add `next_auth` to the `schemas` array in the `config.toml` file in the `supabase` folder that was generated by the [Supabase CLI](https://supabase.com/docs/guides/cli/local-development#initialize-your-project?utm_source=next-auth-docs&medium=referral&campaign=next-auth).
+
+## Enabling Row Level Security (RLS)
+
+Postgres provides a powerful feature called [Row Level Security (RLS)](https://supabase.com/docs/guides/auth/row-level-security?utm_source=next-auth-docs&medium=referral&campaign=next-auth) to limit access to data.
+
+This works by sending a signed JWT to your [Supabase Serverless API](https://supabase.com/docs/guides/api?utm_source=next-auth-docs&medium=referral&campaign=next-auth). There is two steps to make this work with NextAuth:
+
+### 1. Generate the Supabase `access_token` JWT in the session callback
+
+To sign the JWT use the `jsonwebtoken` package:
+
+```bash npm2yarn2pnpm
+npm install jsonwebtoken
+```
+
+Using the [NexthAuth Session callback](https://next-auth.js.org/configuration/callbacks#session-callback) create the Supabase `access_token` and append it to the `session` object.
+
+To sign the JWT use the Supabase JWT secret which can be found in the [API settings](https://app.supabase.com/project/_/settings/api)
+
+```js title="pages/api/auth/[...nextauth].js"
+import NextAuth from "next-auth"
+import { SupabaseAdapter } from "@next-auth/supabase-adapter"
+import jwt from "jsonwebtoken"
+
+// For more information on each option (and a full list of options) go to
+// https://next-auth.js.org/configuration/options
+export default NextAuth({
+  // https://next-auth.js.org/configuration/providers
+  providers: [...],
+  adapter: SupabaseAdapter({
+    url: process.env.NEXT_PUBLIC_SUPABASE_URL,
+    secret: process.env.SUPABASE_SERVICE_ROLE_KEY,
+  }),
+	callbacks: {
+    async session({ session, user }) {
+      const signingSecret = process.env.SUPABASE_JWT_SECRET
+      if (signingSecret) {
+        const payload = {
+          aud: "authenticated",
+          exp: Math.floor(new Date(session.expires).getTime() / 1000),
+          sub: user.id,
+          email: user.email,
+          role: "authenticated",
+        }
+        session.supabaseAccessToken = jwt.sign(payload, signingSecret)
+      }
+      return session
+    },
+  },
+  // ...
+})
+```
+
+### 2. Inject the Supabase `access_token` JWT into the Supabase Client
+
+For example, given the following public schema:
+
+```sql
+/**
+* USERS
+* Note: This table contains user data. Users should only be able to view and update their own data.
+*/
+create table users (
+  -- UUID from next_auth.users
+  id uuid not null primary key,
+  name text,
+  email text,
+  image text,
+  constraint "users_id_fkey" foreign key ("id")
+        references  next_auth.users (id) match simple
+        on update no action
+        on delete cascade -- if user is deleted in NextAuth they will also be deleted in our public table.
+);
+alter table users enable row level security;
+create policy "Can view own user data." on users for select using (next_auth.uid() = id);
+create policy "Can update own user data." on users for update using (next_auth.uid() = id);
+
+/**
+* This trigger automatically creates a user entry when a new user signs up via NextAuth.
+*/
+create function public.handle_new_user()
+returns trigger as $$
+begin
+  insert into public.users (id, name, email, image)
+  values (new.id, new.name, new.email, new.image);
+  return new;
+end;
+$$ language plpgsql security definer;
+create trigger on_auth_user_created
+  after insert on next_auth.users
+  for each row execute procedure public.handle_new_user();
+```
+
+The `supabaseAccessToken` is now available on the `session` object and can be passed to the supabase-js client. This works in any environment: client-side, server-side (API routes, SSR), as well as in middleware edge functions!
+
+```js
+// ...
+// Use `useSession()` or `unstable_getServerSession()` to get the NextAuth session.
+
+const { supabaseAccessToken } = session
+
+const supabase = createClient(
+  process.env.NEXT_PUBLIC_SUPABASE_URL,
+  process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY,
+  {
+    global: {
+      headers: {
+        Authorization: `Bearer ${supabaseAccessToken}`,
+      },
+    },
+  }
+)
+// Now you can query with RLS enabled.
+const { data, error } = await supabase.from("users").select("*")
+```
+
+## Usage with TypeScript
+
+You can pass types that were [generated with the Supabase CLI](/docs/reference/javascript/typescript-support#generating-types) to the Supabase Client to get enhanced type safety and auto completion.
+
+Creating a new supabase client object:
+
+```tsx
+import { createClient } from "@supabase/supabase-js"
+import { Database } from "../database.types"
+
+const supabase = createClient<Database>()
+```
+
+### Extend the session type with the `supabaseAccessToken`
+
+In order to extend the `session` object with the `supabaseAccessToken` we need to extend the `session` interface in a `types/next-auth.d.ts` file:
+
+```ts title="types/next-auth.d.ts"
+import NextAuth, { DefaultSession } from "next-auth"
+
+declare module "next-auth" {
+  /**
+   * Returned by `useSession`, `getSession` and received as a prop on the `SessionProvider` React Context
+   */
+  interface Session {
+    // A JWT which can be used as Authorization header with supabase-js for RLS.
+    supabaseAccessToken?: string
+    user: {
+      /** The user's postal address. */
+      address: string
+    } & DefaultSession["user"]
+  }
+}
+```
--- a/docs/docs/configuration/nextjs.md
+++ b/docs/docs/configuration/nextjs.md
@@ -75,9 +75,10 @@ You can also use `unstable_getServerSession` in Next.js' server components:

 ```tsx
 import { unstable_getServerSession } from "next-auth/next"
+import { authOptions } from "pages/api/auth/[...nextauth]"

 export default async function Page() {
-  const session = await unstable_getServerSession()
+  const session = await unstable_getServerSession(authOptions)
  return <pre>{JSON.stringify(session, null, 2)}</pre>
 }
 ```
--- a/docs/docs/configuration/options.md
+++ b/docs/docs/configuration/options.md
@@ -472,7 +472,8 @@ cookies: {
      httpOnly: true,
      sameSite: 'lax',
      path: '/',
-      secure: useSecureCookies
+      secure: useSecureCookies,
+      maxAge: 900
    }
  },
  state: {
@@ -482,6 +483,7 @@ cookies: {
      sameSite: "lax",
      path: "/",
      secure: useSecureCookies,
+      maxAge: 900
    },
  },
  nonce: {
--- a/docs/docs/configuration/providers/email.md
+++ b/docs/docs/configuration/providers/email.md
@@ -13,7 +13,7 @@ Adding support for signing in via email in addition to one or more OAuth service
 Configuration is similar to other providers, but the options are different:

 ```js title="pages/api/auth/[...nextauth].js"
-import EmailProvider from `next-auth/providers/email`
+import EmailProvider from "next-auth/providers/email"
 ...
 providers: [
  EmailProvider({
--- a/docs/docs/configuration/providers/oauth.md
+++ b/docs/docs/configuration/providers/oauth.md
@@ -174,6 +174,10 @@ interface OAuthConfig {
  issuer?: string
  client?: Partial<ClientMetadata>
  allowDangerousEmailAccountLinking?: boolean
+  /**
+   * Object containing the settings for the styling of the providers sign-in buttons
+   */
+  style: ProviderStyleType
 }
 ```

@@ -428,7 +432,8 @@ If you think your custom provider might be useful to others, we encourage you to
 You only need to add three changes:

 1. Add your config: [`src/providers/{provider}.ts`](https://github.com/nextauthjs/next-auth/tree/main/packages/next-auth/src/providers)<br />
-   • make sure you use a named default export, like this: `export default function YourProvider`
+    - Make sure you use a named default export, like this: `export default function YourProvider`
+    - Add two SVG's of the provider logo, like `google-dark.svg` (dark mode) and `google.svg` (light mode), to the `/packages/next-auth/provider-logos/` directory as well as the styling config to the provider config object. See existing provider for example
 2. Add provider documentation: [`/docs/providers/{provider}.md`](https://github.com/nextauthjs/next-auth/tree/main/docs/docs/providers)
 3. Add the new provider name to the `Provider type` dropdown options in [`the provider issue template`](<[http](https://github.com/nextauthjs/next-auth/edit/main/.github/ISSUE_TEMPLATE/2_bug_provider.yml)>)

--- a/docs/docs/providers/strava.md
+++ b/docs/docs/providers/strava.md
@@ -11,7 +11,7 @@ http://developers.strava.com/docs/reference/

 The **Strava Provider** comes with a set of default options:

- [Strava Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/strava.js)
+- [Strava Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/strava.ts)

 You can override any of the options to suit your own use case. Ensure the redirect_uri configuration fits your needs accordingly.

--- a/docs/docs/tutorials.md
+++ b/docs/docs/tutorials.md
@@ -46,6 +46,10 @@ title: Tutorials and Explainers
 - Learn how to use Sign-In With Ethereum to authenticate your users with their existing Ethereum wallets - identifiers they personally control.
 - Example application: [spruceid/siwe-next-auth-example](https://github.com/spruceid/siwe-next-auth-example)

+#### [Next.js Authentication with Okta and NextAuth.js 4.0](https://thetombomb.com/posts/nextjs-nextauth-okta) <svg xmlns="http://www.w3.org/2000/svg" style={{ marginLeft: '5px', marginBottom:'-6px'}} height="20" width="20" fill="none" viewBox="0 0 24 24" stroke="currentColor"><title>External</title> <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" /> </svg>
+
+- Learn how to perform authentication with an OIDC Application in Okta and NextAuth.js.
+
 ## Fullstack

 #### [Build a FullStack App with Next.js, NextAuth.js, Supabase & Prisma](https://themodern.dev/courses/build-a-fullstack-app-with-nextjs-supabase-and-prisma-322389284337222224) <svg xmlns="http://www.w3.org/2000/svg" style={{ marginLeft: '5px', marginBottom:'-6px'}} height="20" width="20" fill="none" viewBox="0 0 24 24" stroke="currentColor"><title>External</title> <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" /> </svg>
--- a/docs/docs/tutorials/securing-pages-and-api-routes.md
+++ b/docs/docs/tutorials/securing-pages-and-api-routes.md
@@ -61,7 +61,7 @@ For the time being, the `withAuth` middleware only supports `"jwt"` as [session
 More details can be found [here](https://next-auth.js.org/configuration/nextjs#middleware).

 :::tip
-To inclue all `dashboard` nested routes (sub pages like `/dashboard/settings`, `/dashboard/profile`) you can pass `matcher: "/dashboard/:path*"` to `config`.
+To include all `dashboard` nested routes (sub pages like `/dashboard/settings`, `/dashboard/profile`) you can pass `matcher: "/dashboard/:path*"` to `config`.

 For other patterns check out the [Next.js Middleware documentation](https://nextjs.org/docs/advanced-features/middleware#matcher).
 :::
--- a/docs/sidebars.js
+++ b/docs/sidebars.js
@@ -65,6 +65,7 @@ module.exports = {
        "adapters/neo4j",
        "adapters/typeorm",
        "adapters/sequelize",
+        "adapters/supabase",
        "adapters/mikro-orm",
        "adapters/dgraph",
        "adapters/upstash-redis",
--- a/docs/versioned_docs/version-beta/guides/09-resources.md
+++ b/docs/versioned_docs/version-beta/guides/09-resources.md
@@ -14,6 +14,10 @@ If you did not find a guide or tutorial covering your use case, please [open an
  - How to restrict access to pages and API routes.
 - [Usage with class components](/tutorials/usage-with-class-components)
  - How to use `useSession()` hook with class components.
+- [Next.js Authentication with Okta and NextAuth.js 4.0](https://thetombomb.com/posts/nextjs-nextauth-okta)
+  - Learn how to perform authentication with an OIDC Application in Okta and NextAuth.js.
+
+  

 ### Advanced

--- a/package.json
+++ b/package.json
@@ -18,7 +18,7 @@
  },
  "devDependencies": {
    "@actions/core": "^1.6.0",
-    "@balazsorban/monorepo-release": "0.0.5",
+    "@balazsorban/monorepo-release": "0.1.0",
    "@types/jest": "^28.1.3",
    "@types/node": "^17.0.25",
    "@typescript-eslint/eslint-plugin": "^5.10.2",
@@ -39,6 +39,11 @@
    "turbo": "1.3.1",
    "typescript": "4.8.4"
  },
+  "release": {
+    "packageDirectories": [
+      "packages"
+    ]
+  },
  "engines": {
    "node": "^12.19.0 || ^14.15.0 || ^16.13.0 || ^18.12.0"
  },
--- a/packages/adapter-firebase/package.json
+++ b/packages/adapter-firebase/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@next-auth/firebase-adapter",
-  "version": "1.0.2",
+  "version": "1.0.3",
  "description": "Firebase adapter for next-auth.",
  "homepage": "https://next-auth.js.org",
  "repository": "https://github.com/nextauthjs/next-auth",
@@ -29,7 +29,7 @@
  },
  "scripts": {
    "build": "tsc",
-    "test": "FIRESTORE_EMULATOR_HOST=localhost:8080 firebase emulators:exec --only firestore --project next-auth-test jest"
+    "test": "FIRESTORE_EMULATOR_HOST=localhost:8080 firebase --token '$FIREBASE_TOKEN' emulators:exec --only firestore --project next-auth-test jest"
  },
  "peerDependencies": {
    "firebase": "^9.7.0",
@@ -38,9 +38,9 @@
  "devDependencies": {
    "@next-auth/adapter-test": "workspace:*",
    "@next-auth/tsconfig": "workspace:*",
-    "firebase": "^9.7.0",
-    "firebase-tools": "^10.7.2",
+    "firebase": "^9.14.0",
+    "firebase-tools": "^11.16.1",
    "jest": "^27.4.3",
    "next-auth": "workspace:*"
  }
-}
+}
--- a/packages/adapter-firebase/src/index.ts
+++ b/packages/adapter-firebase/src/index.ts
@@ -86,10 +86,10 @@ export function FirestoreAdapter({
    async getUserByEmail(email) {
      const userQuery = query(Users, where("email", "==", email), limit(1))
      const userSnapshots = await getDocs(userQuery)
-      const userSnpashot = userSnapshots.docs[0]
+      const userSnapshot = userSnapshots.docs[0]

-      if (userSnpashot?.exists() && Users.converter) {
-        return Users.converter.fromFirestore(userSnpashot)
+      if (userSnapshot?.exists() && Users.converter) {
+        return Users.converter.fromFirestore(userSnapshot)
      }

      return null
--- a/packages/adapter-firebase/tsconfig.json
+++ b/packages/adapter-firebase/tsconfig.json
@@ -1,5 +1,5 @@
 {
-  "extends": "@next-auth/tsconfig/tsconfig.base.json",
+  "extends": "@next-auth/tsconfig/tsconfig.adapters.json",
  "compilerOptions": {
    "rootDir": "src",
    "outDir": "dist",
--- a/packages/adapter-pouchdb/package.json
+++ b/packages/adapter-pouchdb/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@next-auth/pouchdb-adapter",
-  "version": "0.1.4",
+  "version": "0.1.5",
  "description": "PouchDB adapter for next-auth.",
  "homepage": "https://next-auth.js.org",
  "repository": "https://github.com/nextauthjs/next-auth",
--- a/packages/adapter-pouchdb/tsconfig.json
+++ b/packages/adapter-pouchdb/tsconfig.json
@@ -1,5 +1,5 @@
 {
-  "extends": "@next-auth/tsconfig/tsconfig.base.json",
+  "extends": "@next-auth/tsconfig/tsconfig.adapters.json",
  "compilerOptions": {
    "rootDir": "src",
    "outDir": "dist",
--- a/packages/adapter-sequelize/package.json
+++ b/packages/adapter-sequelize/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@next-auth/sequelize-adapter",
-  "version": "1.0.6",
+  "version": "1.0.7",
  "description": "Sequelize adapter for next-auth.",
  "homepage": "https://next-auth.js.org",
  "repository": "https://github.com/nextauthjs/next-auth",
@@ -42,4 +42,4 @@
  "jest": {
    "preset": "@next-auth/adapter-test/jest"
  }
-}
+}
--- a/packages/adapter-sequelize/src/models.ts
+++ b/packages/adapter-sequelize/src/models.ts
@@ -14,7 +14,7 @@ export const Account = {
  expires_at: { type: DataTypes.INTEGER },
  token_type: { type: DataTypes.STRING },
  scope: { type: DataTypes.STRING },
-  id_token: { type: DataTypes.STRING },
+  id_token: { type: DataTypes.TEXT },
  session_state: { type: DataTypes.STRING },
  userId: { type: DataTypes.UUID },
 }
--- a/packages/adapter-supabase/.env.example
+++ b/packages/adapter-supabase/.env.example
@@ -0,0 +1,3 @@
+# Run `supabase start` in this directory to get the Supabase API URL and service role key!
+SUPABASE_URL=http://localhost:54321
+SUPABASE_SERVICE_ROLE_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6InNlcnZpY2Vfcm9sZSJ9.vI9obAHOGyVVKa3pD--kJlyxp-Z2zV9UUMAhKpNLAcU
--- a/packages/adapter-supabase/README.md
+++ b/packages/adapter-supabase/README.md
@@ -0,0 +1,57 @@
+<p align="center">
+	 <br/>
+	 <a href="https://next-auth.js.org" target="_blank">
+		<img height="64px" src="https://next-auth.js.org/img/logo/logo-sm.png" /></a><img height="64px" src="./logo.svg" />
+	 <h3 align="center"><b>Supabase Adapter</b> - NextAuth.js</h3>
+	 <p align="center">
+	 Open Source. Full Stack. Own Your Data.
+	 </p>
+	 <p align="center" style="align: center;">
+			<img src="https://github.com/nextauthjs/next-auth/actions/workflows/release.yml/badge.svg?branch=main" alt="Build Test" />
+			<img src="https://img.shields.io/bundlephobia/minzip/@next-auth/supabase-adapter/latest" alt="Bundle Size"/>
+			<img src="https://img.shields.io/npm/v/@next-auth/supabase-adapter" alt="@next-auth/supabase-adapter Version" />
+	 </p>
+</p>
+
+## Overview
+
+This is the Supabase Adapter for [`next-auth`](https://next-auth.js.org). This package can only be used in conjunction with the primary `next-auth` package. It is not a standalone package.
+
+You can find more Supabase information in the docs at [next-auth.js.org/adapters/supabase](https://next-auth.js.org/adapters/supabase).
+
+## Getting Started
+
+1. Install `@supabase/supabase-js`, `next-auth` and `@next-auth/supabase-adapter`.
+
+```js
+npm install @supabase/supabase-js next-auth @next-auth/supabase-adapter
+```
+
+2. Add this adapter to your `pages/api/[...nextauth].js` next-auth configuration object.
+
+```js
+import NextAuth from "next-auth"
+import { SupabaseAdapter } from "@next-auth/supabase-adapter"
+
+// For more information on each option (and a full list of options) go to
+// https://next-auth.js.org/configuration/options
+export default NextAuth({
+  // https://next-auth.js.org/configuration/providers
+  providers: [
+    // ...
+  ],
+  adapter: SupabaseAdapter({
+    url: process.env.NEXT_PUBLIC_SUPABASE_URL,
+    secret: process.env.SUPABASE_SERVICE_ROLE_KEY,
+  }),
+  // ...
+})
+```
+
+## Contributing
+
+We're open to all community contributions! If you'd like to contribute in any way, please read our [Contributing Guide](https://github.com/nextauthjs/next-auth/blob/main/CONTRIBUTING.md).
+
+## License
+
+ISC
--- a/packages/adapter-supabase/logo.svg
+++ b/packages/adapter-supabase/logo.svg
@@ -0,0 +1,15 @@
+<svg width="109" height="113" viewBox="0 0 109 113" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M63.7076 110.284C60.8481 113.885 55.0502 111.912 54.9813 107.314L53.9738 40.0627L99.1935 40.0627C107.384 40.0627 111.952 49.5228 106.859 55.9374L63.7076 110.284Z" fill="url(#paint0_linear)"/>
+<path d="M63.7076 110.284C60.8481 113.885 55.0502 111.912 54.9813 107.314L53.9738 40.0627L99.1935 40.0627C107.384 40.0627 111.952 49.5228 106.859 55.9374L63.7076 110.284Z" fill="url(#paint1_linear)" fill-opacity="0.2"/>
+<path d="M45.317 2.07103C48.1765 -1.53037 53.9745 0.442937 54.0434 5.041L54.4849 72.2922H9.83113C1.64038 72.2922 -2.92775 62.8321 2.1655 56.4175L45.317 2.07103Z" fill="#3ECF8E"/>
+<defs>
+<linearGradient id="paint0_linear" x1="53.9738" y1="54.974" x2="94.1635" y2="71.8295" gradientUnits="userSpaceOnUse">
+<stop stop-color="#249361"/>
+<stop offset="1" stop-color="#3ECF8E"/>
+</linearGradient>
+<linearGradient id="paint1_linear" x1="36.1558" y1="30.578" x2="54.4844" y2="65.0806" gradientUnits="userSpaceOnUse">
+<stop/>
+<stop offset="1" stop-opacity="0"/>
+</linearGradient>
+</defs>
+</svg>
--- a/packages/adapter-supabase/package.json
+++ b/packages/adapter-supabase/package.json
@@ -0,0 +1,40 @@
+{
+  "name": "@next-auth/supabase-adapter",
+  "version": "0.2.0",
+  "description": "Supabase adapter for next-auth.",
+  "homepage": "https://next-auth.js.org",
+  "repository": "https://github.com/nextauthjs/next-auth",
+  "bugs": {
+    "url": "https://github.com/nextauthjs/next-auth/issues"
+  },
+  "author": "Martin Sonnberger <martin.sonnberger@icloud.com>",
+  "main": "dist/index.js",
+  "keywords": [
+    "next-auth",
+    "next.js",
+    "supabase"
+  ],
+  "license": "ISC",
+  "private": false,
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsc",
+    "test": "./tests/test.sh"
+  },
+  "peerDependencies": {
+    "@supabase/supabase-js": "^2.0.5",
+    "next-auth": "workspace:*"
+  },
+  "devDependencies": {
+    "@next-auth/adapter-test": "workspace:^0.0.0",
+    "@next-auth/tsconfig": "workspace:^0.0.0",
+    "@supabase/supabase-js": "^2.0.5",
+    "jest": "^27.4.3",
+    "next-auth": "workspace:*"
+  },
+  "jest": {
+    "preset": "@next-auth/adapter-test/jest"
+  }
+}
--- a/packages/adapter-supabase/src/database.types.ts
+++ b/packages/adapter-supabase/src/database.types.ts
@@ -0,0 +1,140 @@
+export type Json =
+  | string
+  | number
+  | boolean
+  | null
+  | { [key: string]: Json }
+  | Json[]
+
+export interface Database {
+  next_auth: {
+    Tables: {
+      accounts: {
+        Row: {
+          id: string
+          type: string | null
+          provider: string | null
+          providerAccountId: string | null
+          refresh_token: string | null
+          access_token: string | null
+          expires_at: number | null
+          token_type: string | null
+          scope: string | null
+          id_token: string | null
+          session_state: string | null
+          oauth_token_secret: string | null
+          oauth_token: string | null
+          userId: string | null
+        }
+        Insert: {
+          id?: string
+          type?: string | null
+          provider?: string | null
+          providerAccountId?: string | null
+          refresh_token?: string | null
+          access_token?: string | null
+          expires_at?: number | null
+          token_type?: string | null
+          scope?: string | null
+          id_token?: string | null
+          session_state?: string | null
+          oauth_token_secret?: string | null
+          oauth_token?: string | null
+          userId?: string | null
+        }
+        Update: {
+          id?: string
+          type?: string | null
+          provider?: string | null
+          providerAccountId?: string | null
+          refresh_token?: string | null
+          access_token?: string | null
+          expires_at?: number | null
+          token_type?: string | null
+          scope?: string | null
+          id_token?: string | null
+          session_state?: string | null
+          oauth_token_secret?: string | null
+          oauth_token?: string | null
+          userId?: string | null
+        }
+      }
+      sessions: {
+        Row: {
+          expires: string | null
+          sessionToken: string | null
+          userId: string | null
+          id: string
+        }
+        Insert: {
+          expires?: string | null
+          sessionToken?: string | null
+          userId?: string | null
+          id?: string
+        }
+        Update: {
+          expires?: string | null
+          sessionToken?: string | null
+          userId?: string | null
+          id?: string
+        }
+      }
+      users: {
+        Row: {
+          name: string | null
+          email: string | null
+          emailVerified: string | null
+          image: string | null
+          id: string
+        }
+        Insert: {
+          name?: string | null
+          email?: string | null
+          emailVerified?: string | null
+          image?: string | null
+          id?: string
+        }
+        Update: {
+          name?: string | null
+          email?: string | null
+          emailVerified?: string | null
+          image?: string | null
+          id?: string
+        }
+      }
+      verification_tokens: {
+        Row: {
+          id: number
+          identifier: string | null
+          token: string | null
+          expires: string | null
+        }
+        Insert: {
+          id?: number
+          identifier?: string | null
+          token?: string | null
+          expires?: string | null
+        }
+        Update: {
+          id?: number
+          identifier?: string | null
+          token?: string | null
+          expires?: string | null
+        }
+      }
+    }
+    Views: {
+      [_ in never]: never
+    }
+    Functions: {
+      uid: {
+        Args: Record<PropertyKey, never>
+        Returns: string
+      }
+    }
+    Enums: {
+      [_ in never]: never
+    }
+  }
+}
+
--- a/packages/adapter-supabase/src/index.ts
+++ b/packages/adapter-supabase/src/index.ts
@@ -0,0 +1,212 @@
+import { createClient } from "@supabase/supabase-js"
+import { Database } from "./database.types"
+import {
+  Adapter,
+  AdapterSession,
+  AdapterUser,
+  VerificationToken,
+} from "next-auth/adapters"
+
+function isDate(date: any) {
+  return (
+    new Date(date).toString() !== "Invalid Date" && !isNaN(Date.parse(date))
+  )
+}
+
+export function format<T>(obj: Record<string, any>): T {
+  for (const [key, value] of Object.entries(obj)) {
+    if (value === null) {
+      delete obj[key]
+    }
+
+    if (isDate(value)) {
+      obj[key] = new Date(value)
+    }
+  }
+
+  return obj as T
+}
+
+export const SupabaseAdapter = ({
+  url,
+  secret,
+}: {
+  url: string
+  secret: string
+}): Adapter => {
+  const supabase = createClient<Database, "next_auth">(url, secret, {
+    db: { schema: "next_auth" },
+    global: {
+      headers: { "X-Client-Info": "@next-auth/supabase-adapter@0.1.0" },
+    },
+  })
+  return {
+    async createUser(user) {
+      const { data, error } = await supabase
+        .from("users")
+        .insert({
+          ...user,
+          emailVerified: user.emailVerified?.toISOString(),
+        })
+        .select()
+        .single()
+
+      if (error) throw error
+
+      return format<AdapterUser>(data)
+    },
+    async getUser(id) {
+      const { data, error } = await supabase
+        .from("users")
+        .select()
+        .eq("id", id)
+        .maybeSingle()
+
+      if (error) throw error
+      if (!data) return null
+
+      return format<AdapterUser>(data)
+    },
+    async getUserByEmail(email) {
+      const { data, error } = await supabase
+        .from("users")
+        .select()
+        .eq("email", email)
+        .maybeSingle()
+
+      if (error) throw error
+      if (!data) return null
+
+      return format<AdapterUser>(data)
+    },
+    async getUserByAccount({ providerAccountId, provider }) {
+      const { data, error } = await supabase
+        .from("accounts")
+        .select("users (*)")
+        .match({ provider, providerAccountId })
+        .maybeSingle()
+
+      if (error) throw error
+      if (!data || !data.users) return null
+
+      return format<AdapterUser>(data.users)
+    },
+    async updateUser(user) {
+      const { data, error } = await supabase
+        .from("users")
+        .update({
+          ...user,
+          emailVerified: user.emailVerified?.toISOString(),
+        })
+        .eq("id", user.id)
+        .select()
+        .single()
+
+      if (error) throw error
+
+      return format<AdapterUser>(data)
+    },
+    async deleteUser(userId) {
+      const { error } = await supabase.from("users").delete().eq("id", userId)
+
+      if (error) throw error
+    },
+    async linkAccount(account) {
+      const { error } = await supabase.from("accounts").insert(account)
+
+      if (error) throw error
+    },
+    async unlinkAccount({ providerAccountId, provider }) {
+      const { error } = await supabase
+        .from("accounts")
+        .delete()
+        .match({ provider, providerAccountId })
+
+      if (error) throw error
+    },
+    async createSession({ sessionToken, userId, expires }) {
+      const { data, error } = await supabase
+        .from("sessions")
+        .insert({ sessionToken, userId, expires: expires.toISOString() })
+        .select()
+        .single()
+
+      if (error) throw error
+
+      return format<AdapterSession>(data)
+    },
+    async getSessionAndUser(sessionToken) {
+      const { data, error } = await supabase
+        .from("sessions")
+        .select("*, users(*)")
+        .eq("sessionToken", sessionToken)
+        .maybeSingle()
+
+      if (error) throw error
+      if (!data) return null
+
+      const { users: user, ...session } = data
+
+      return {
+        user: format<AdapterUser>(
+          user as Database["next_auth"]["Tables"]["users"]["Row"]
+        ),
+        session: format<AdapterSession>(session),
+      }
+    },
+    async updateSession(session) {
+      const { data, error } = await supabase
+        .from("sessions")
+        .update({
+          ...session,
+          expires: session.expires?.toISOString(),
+        })
+        .eq("sessionToken", session.sessionToken)
+        .select()
+        .single()
+
+      if (error) throw error
+
+      return format<AdapterSession>(data)
+    },
+    async deleteSession(sessionToken) {
+      const { error } = await supabase
+        .from("sessions")
+        .delete()
+        .eq("sessionToken", sessionToken)
+
+      if (error) throw error
+    },
+    async createVerificationToken(token) {
+      const { data, error } = await supabase
+        .from("verification_tokens")
+        .insert({
+          ...token,
+          expires: token.expires.toISOString(),
+        })
+        .select()
+        .single()
+
+      if (error) throw error
+
+      const { id, ...verificationToken } = data
+
+      return format<VerificationToken>(verificationToken)
+    },
+    async useVerificationToken({ identifier, token }) {
+      const { data, error } = await supabase
+        .from("verification_tokens")
+        .delete()
+        .match({ identifier, token })
+        .select()
+        .maybeSingle()
+
+      if (error) throw error
+      if (!data) return null
+
+      const { id, ...verificationToken } = data
+
+      return format<VerificationToken>(verificationToken)
+    },
+  }
+}
--- a/packages/adapter-supabase/supabase/config.toml
+++ b/packages/adapter-supabase/supabase/config.toml
@@ -0,0 +1,44 @@
+# A string used to distinguish different Supabase projects on the same host. Defaults to the working
+# directory name when running `supabase init`.
+project_id = "nextauth"
+
+[api]
+# Port to use for the API URL.
+port = 54321
+# Schemas to expose in your API. Tables, views and stored procedures in this schema will get API
+# endpoints. public and storage are always included.
+schemas = ["next_auth"]
+# Extra schemas to add to the search_path of every request.
+extra_search_path = ["extensions"]
+# The maximum number of rows returns from a view, table, or stored procedure. Limits payload size
+# for accidental or malicious requests.
+max_rows = 1000
+
+[db]
+# Port to use for the local database URL.
+port = 54322
+# The database major version to use. This has to be the same as your remote database's. Run `SHOW
+# server_version;` on the remote database to check.
+major_version = 14
+
+[studio]
+# Port to use for Supabase Studio.
+port = 54323
+
+# Email testing server. Emails sent with the local dev setup are not actually sent - rather, they
+# are monitored, and you can view the emails that would have been sent from the web interface.
+[inbucket]
+# Port to use for the email testing server web interface.
+port = 54324
+
+[auth]
+# The base URL of your website. Used as an allow-list for redirects and for constructing URLs used
+# in emails.
+site_url = "http://localhost:3000"
+# A list of *exact* URLs that auth providers are permitted to redirect to post authentication.
+additional_redirect_urls = ["https://localhost:3000"]
+# How long tokens are valid for, in seconds. Defaults to 3600 (1 hour), maximum 604,800 seconds (one
+# week).
+jwt_expiry = 3600
+# Allow/disallow new user signups to your project.
+enable_signup = true
--- a/packages/adapter-supabase/supabase/migrations/20221108043803_create_next_auth_schema.sql
+++ b/packages/adapter-supabase/supabase/migrations/20221108043803_create_next_auth_schema.sql
@@ -0,0 +1,101 @@
+--
+-- Name: next_auth; Type: SCHEMA;
+--
+CREATE SCHEMA next_auth;
+
+GRANT USAGE ON SCHEMA next_auth TO service_role;
+GRANT ALL ON SCHEMA next_auth TO postgres;
+
+--
+-- Create users table
+--
+CREATE TABLE IF NOT EXISTS next_auth.users
+(
+    id uuid NOT NULL DEFAULT uuid_generate_v4(),
+    name text,
+    email text,
+    "emailVerified" timestamp with time zone,
+    image text,
+    CONSTRAINT users_pkey PRIMARY KEY (id),
+    CONSTRAINT email_unique UNIQUE (email)
+);
+
+GRANT ALL ON TABLE next_auth.users TO postgres;
+GRANT ALL ON TABLE next_auth.users TO service_role;
+
+--- uid() function to be used in RLS policies
+CREATE FUNCTION next_auth.uid() RETURNS uuid
+    LANGUAGE sql STABLE
+    AS $$
+  select 
+  	coalesce(
+		nullif(current_setting('request.jwt.claim.sub', true), ''),
+		(nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'sub')
+	)::uuid
+$$;
+
+--
+-- Create sessions table
+--
+CREATE TABLE IF NOT EXISTS  next_auth.sessions
+(
+    id uuid NOT NULL DEFAULT uuid_generate_v4(),
+    expires timestamp with time zone NOT NULL,
+    "sessionToken" text NOT NULL,
+    "userId" uuid,
+    CONSTRAINT sessions_pkey PRIMARY KEY (id),
+    CONSTRAINT sessionToken_unique UNIQUE ("sessionToken"),
+    CONSTRAINT "sessions_userId_fkey" FOREIGN KEY ("userId")
+        REFERENCES  next_auth.users (id) MATCH SIMPLE
+        ON UPDATE NO ACTION
+        ON DELETE CASCADE
+);
+
+GRANT ALL ON TABLE next_auth.sessions TO postgres;
+GRANT ALL ON TABLE next_auth.sessions TO service_role;
+
+--
+-- Create accounts table
+--
+CREATE TABLE IF NOT EXISTS  next_auth.accounts
+(
+    id uuid NOT NULL DEFAULT uuid_generate_v4(),
+    type text NOT NULL,
+    provider text NOT NULL,
+    "providerAccountId" text NOT NULL,
+    refresh_token text,
+    access_token text,
+    expires_at bigint,
+    token_type text,
+    scope text,
+    id_token text,
+    session_state text,
+    oauth_token_secret text,
+    oauth_token text,
+    "userId" uuid,
+    CONSTRAINT accounts_pkey PRIMARY KEY (id),
+    CONSTRAINT provider_unique UNIQUE (provider, "providerAccountId"),
+    CONSTRAINT "accounts_userId_fkey" FOREIGN KEY ("userId")
+        REFERENCES  next_auth.users (id) MATCH SIMPLE
+        ON UPDATE NO ACTION
+        ON DELETE CASCADE
+);
+
+GRANT ALL ON TABLE next_auth.accounts TO postgres;
+GRANT ALL ON TABLE next_auth.accounts TO service_role;
+
+--
+-- Create verification_tokens table
+--
+CREATE TABLE IF NOT EXISTS  next_auth.verification_tokens
+(
+    identifier text,
+    token text,
+    expires timestamp with time zone NOT NULL,
+    CONSTRAINT verification_tokens_pkey PRIMARY KEY (token),
+    CONSTRAINT token_unique UNIQUE (token),
+    CONSTRAINT token_identifier_unique UNIQUE (token, identifier)
+);
+
+GRANT ALL ON TABLE next_auth.verification_tokens TO postgres;
+GRANT ALL ON TABLE next_auth.verification_tokens TO service_role;
--- a/packages/adapter-supabase/supabase/migrations/20221108044627_create_public_users_table.sql
+++ b/packages/adapter-supabase/supabase/migrations/20221108044627_create_public_users_table.sql
@@ -0,0 +1,33 @@
+/** 
+* USERS
+* Note: This table contains user data. Users should only be able to view and update their own data.
+*/
+create table users (
+  -- UUID from next_auth.users
+  id uuid not null primary key,
+  name text,
+  email text,
+  image text,
+  constraint "users_id_fkey" foreign key ("id")
+        references  next_auth.users (id) match simple
+        on update no action
+        on delete cascade -- if user is deleted in NextAuth they will also be deleted in our public table.
+);
+alter table users enable row level security;
+create policy "Can view own user data." on users for select using (next_auth.uid() = id);
+create policy "Can update own user data." on users for update using (next_auth.uid() = id);
+
+/**
+* This trigger automatically creates a user entry when a new user signs up via NextAuth.
+*/ 
+create function public.handle_new_user() 
+returns trigger as $$
+begin
+  insert into public.users (id, name, email, image)
+  values (new.id, new.name, new.email, new.image);
+  return new;
+end;
+$$ language plpgsql security definer;
+create trigger on_auth_user_created
+  after insert on next_auth.users
+  for each row execute procedure public.handle_new_user();
--- a/packages/adapter-supabase/tests/index.test.ts
+++ b/packages/adapter-supabase/tests/index.test.ts
@@ -0,0 +1,76 @@
+import { runBasicTests } from "@next-auth/adapter-test"
+import { format, SupabaseAdapter } from "../src"
+import { createClient } from "@supabase/supabase-js"
+import type {
+  AdapterSession,
+  AdapterUser,
+  VerificationToken,
+} from "next-auth/adapters"
+import type { Account } from "next-auth"
+
+const supabase = createClient(
+  process.env.SUPABASE_URL ?? "http://localhost:54321",
+  process.env.SUPABASE_SERVICE_ROLE_KEY ??
+    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6InNlcnZpY2Vfcm9sZSJ9.vI9obAHOGyVVKa3pD--kJlyxp-Z2zV9UUMAhKpNLAcU",
+  { db: { schema: "next_auth" } }
+)
+
+runBasicTests({
+  adapter: SupabaseAdapter({
+    url: process.env.SUPABASE_URL ?? "http://localhost:54321",
+    secret:
+      process.env.SUPABASE_SERVICE_ROLE_KEY ??
+      "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6InNlcnZpY2Vfcm9sZSJ9.vI9obAHOGyVVKa3pD--kJlyxp-Z2zV9UUMAhKpNLAcU",
+  }),
+  db: {
+    async session(sessionToken) {
+      const { data, error } = await supabase
+        .from("sessions")
+        .select()
+        .eq("sessionToken", sessionToken)
+        .maybeSingle()
+
+      if (error) throw error
+      if (!data) return null
+
+      return format<AdapterSession>(data)
+    },
+    async user(id) {
+      const { data, error } = await supabase
+        .from("users")
+        .select()
+        .eq("id", id)
+        .maybeSingle()
+
+      if (error) throw error
+      if (!data) return null
+
+      return format<AdapterUser>(data)
+    },
+    async account({ provider, providerAccountId }) {
+      const { data, error } = await supabase
+        .from("accounts")
+        .select()
+        .match({ provider, providerAccountId })
+        .maybeSingle()
+
+      if (error) throw error
+      if (!data) return null
+
+      return format<Account>(data)
+    },
+    async verificationToken({ identifier, token }) {
+      const { data, error } = await supabase
+        .from("verification_tokens")
+        .select()
+        .match({ identifier, token })
+        .single()
+
+      if (error) throw error
+
+      const { id, ...verificationToken } = data
+
+      return format<VerificationToken>(verificationToken)
+    },
+  },
+})
--- a/packages/adapter-supabase/tests/test.sh
+++ b/packages/adapter-supabase/tests/test.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+# install Supabase CLI when run on CI
+if [ "$CI" = true ]; then
+	wget -O supabase.deb https://github.com/supabase/cli/releases/download/v0.29.0/supabase_0.29.0_linux_amd64.deb
+	sudo dpkg -i supabase.deb
+fi
+
+# Start Supabase, grep key and set it as SUPABASE_SERVICE_ROLE_KEY environment variable
+line=$(supabase start | grep 'service_role key')
+IFS=':'; arr=($line); unset IFS;
+export SUPABASE_SERVICE_ROLE_KEY=${arr[1]}
+
+# Always stop Supabase, but exit with 1 when tests are failing
+if npx jest; then
+	supabase stop
+else
+	supabase stop && exit 1
+fi
--- a/packages/adapter-supabase/tsconfig.json
+++ b/packages/adapter-supabase/tsconfig.json
@@ -0,0 +1,8 @@
+{
+  "extends": "@next-auth/tsconfig/tsconfig.adapters.json",
+  "compilerOptions": {
+    "rootDir": "src",
+    "outDir": "dist"
+  },
+  "exclude": ["tests", "dist", "jest.config.js"]
+}
--- a/packages/core/package.json
+++ b/packages/core/package.json
@@ -0,0 +1,75 @@
+{
+  "name": "@auth/core",
+  "version": "0.1.0",
+  "description": "Authentication for the web.",
+  "homepage": "https://next-auth.js.org",
+  "repository": "https://github.com/nextauthjs/next-auth.git",
+  "author": "Balázs Orbán <info@balazsorban.com>",
+  "contributors": [
+    "Balázs Orbán <info@balazsorban.com>",
+    "Nico Domino <yo@ndo.dev>",
+    "Lluis Agusti <hi@llu.lu>",
+    "Thang Huu Vu <thvu@hey.com>",
+    "Iain Collins <me@iaincollins.com"
+  ],
+  "type": "module",
+  "types": "./index.d.ts",
+  "files": [
+    "adapters.*",
+    "index.*",
+    "jwt",
+    "lib",
+    "providers",
+    "src"
+  ],
+  "exports": {
+    ".": {
+      "types": "./index.d.ts",
+      "import": "./index.js"
+    },
+    "./adapters": {
+      "types": "./adapters.d.ts"
+    },
+    "./jwt": {
+      "types": "./jwt/index.d.ts",
+      "import": "./jwt/index.js"
+    },
+    "./providers/*": {
+      "types": "./providers/*.d.ts",
+      "import": "./providers/*.js"
+    }
+  },
+  "license": "ISC",
+  "dependencies": {
+    "@panva/hkdf": "1.0.2",
+    "cookie": "0.5.0",
+    "jose": "4.11.1",
+    "oauth4webapi": "2.0.4",
+    "preact": "10.11.3",
+    "preact-render-to-string": "5.2.3"
+  },
+  "peerDependencies": {
+    "nodemailer": "6.8.0"
+  },
+  "peerDependenciesMeta": {
+    "nodemailer": {
+      "optional": true
+    }
+  },
+  "scripts": {
+    "build": "pnpm clean && tsc && pnpm css",
+    "clean": "rm -rf adapters.* index.* jwt lib providers",
+    "css": "node ./scripts/generate-css.js",
+    "dev": "pnpm css && tsc -w"
+  },
+  "devDependencies": {
+    "@next-auth/tsconfig": "workspace:*",
+    "@types/node": "18.11.10",
+    "@types/nodemailer": "6.4.6",
+    "@types/react": "18.0.26",
+    "autoprefixer": "10.4.13",
+    "cssnano": "5.1.14",
+    "postcss": "8.4.19",
+    "postcss-nested": "6.0.0"
+  }
+}
--- a/packages/core/scripts/generate-css.js
+++ b/packages/core/scripts/generate-css.js
@@ -0,0 +1,22 @@
+import fs from "fs"
+import path from "path"
+import postcss from "postcss"
+
+import autoprefixer from "autoprefixer"
+import postCssNested from "postcss-nested"
+import cssNano from "cssnano"
+
+const from = path.join(process.cwd(), "src/lib/styles/index.css")
+const css = fs.readFileSync(from)
+
+const processedCss = await postcss([
+  autoprefixer,
+  postCssNested,
+  cssNano({ preset: "default" }),
+]).process(css, { from })
+
+fs.writeFileSync(
+  path.join(process.cwd(), "src/lib/styles/index.ts"),
+  `export default \`${processedCss.css}\`
+// Generated by \`pnpm css\``
+)
--- a/packages/core/src/adapters.ts
+++ b/packages/core/src/adapters.ts
@@ -0,0 +1,130 @@
+import type { Account, Awaitable, User } from "."
+
+export interface AdapterUser extends User {
+  id: string
+  email: string
+  emailVerified: Date | null
+}
+
+export interface AdapterAccount extends Account {
+  userId: string
+}
+
+export interface AdapterSession {
+  /** A randomly generated value that is used to get hold of the session. */
+  sessionToken: string
+  /** Used to connect the session to a particular user */
+  userId: string
+  expires: Date
+}
+
+export interface VerificationToken {
+  identifier: string
+  expires: Date
+  token: string
+}
+
+/**
+ * Using a custom adapter you can connect to any database backend or even several different databases.
+ * Custom adapters created and maintained by our community can be found in the adapters repository.
+ * Feel free to add a custom adapter from your project to the repository,
+ * or even become a maintainer of a certain adapter.
+ * Custom adapters can still be created and used in a project without being added to the repository.
+ *
+ * **Required methods**
+ *
+ * _(These methods are required for all sign in flows)_
+ * - `createUser`
+ * - `getUser`
+ * - `getUserByEmail`
+ * - `getUserByAccount`
+ * - `linkAccount`
+ * - `createSession`
+ * - `getSessionAndUser`
+ * - `updateSession`
+ * - `deleteSession`
+ * - `updateUser`
+ *
+ * _(Required to support email / passwordless sign in)_
+ *
+ * - `createVerificationToken`
+ * - `useVerificationToken`
+ *
+ * **Unimplemented methods**
+ *
+ * _(These methods will be required in a future release, but are not yet invoked)_
+ * - `deleteUser`
+ * - `unlinkAccount`
+ *
+ * [Adapters Overview](https://next-auth.js.org/adapters/overview) |
+ * [Create a custom adapter](https://next-auth.js.org/tutorials/creating-a-database-adapter)
+ */
+export type Adapter<WithVerificationToken = boolean> = DefaultAdapter &
+  (WithVerificationToken extends true
+    ? {
+        createVerificationToken: (
+          verificationToken: VerificationToken
+        ) => Awaitable<VerificationToken | null | undefined>
+        /**
+         * Return verification token from the database
+         * and delete it so it cannot be used again.
+         */
+        useVerificationToken: (params: {
+          identifier: string
+          token: string
+        }) => Awaitable<VerificationToken | null>
+      }
+    : {})
+
+export interface DefaultAdapter {
+  createUser: (user: Omit<AdapterUser, "id">) => Awaitable<AdapterUser>
+  getUser: (id: string) => Awaitable<AdapterUser | null>
+  getUserByEmail: (email: string) => Awaitable<AdapterUser | null>
+  /** Using the provider id and the id of the user for a specific account, get the user. */
+  getUserByAccount: (
+    providerAccountId: Pick<AdapterAccount, "provider" | "providerAccountId">
+  ) => Awaitable<AdapterUser | null>
+  updateUser: (user: Partial<AdapterUser>) => Awaitable<AdapterUser>
+  /** @todo Implement */
+  deleteUser?: (
+    userId: string
+  ) => Promise<void> | Awaitable<AdapterUser | null | undefined>
+  linkAccount: (
+    account: AdapterAccount
+  ) => Promise<void> | Awaitable<AdapterAccount | null | undefined>
+  /** @todo Implement */
+  unlinkAccount?: (
+    providerAccountId: Pick<AdapterAccount, "provider" | "providerAccountId">
+  ) => Promise<void> | Awaitable<AdapterAccount | undefined>
+  /** Creates a session for the user and returns it. */
+  createSession: (session: {
+    sessionToken: string
+    userId: string
+    expires: Date
+  }) => Awaitable<AdapterSession>
+  getSessionAndUser: (
+    sessionToken: string
+  ) => Awaitable<{ session: AdapterSession; user: AdapterUser } | null>
+  updateSession: (
+    session: Partial<AdapterSession> & Pick<AdapterSession, "sessionToken">
+  ) => Awaitable<AdapterSession | null | undefined>
+  /**
+   * Deletes a session from the database.
+   * It is preferred that this method also returns the session
+   * that is being deleted for logging purposes.
+   */
+  deleteSession: (
+    sessionToken: string
+  ) => Promise<void> | Awaitable<AdapterSession | null | undefined>
+  createVerificationToken?: (
+    verificationToken: VerificationToken
+  ) => Awaitable<VerificationToken | null | undefined>
+  /**
+   * Return verification token from the database
+   * and delete it so it cannot be used again.
+   */
+  useVerificationToken?: (params: {
+    identifier: string
+    token: string
+  }) => Awaitable<VerificationToken | null>
+}
--- a/packages/core/src/index.ts
+++ b/packages/core/src/index.ts
@@ -0,0 +1,287 @@
+import { init } from "./lib/init"
+import { assertConfig } from "./lib/assert"
+import { SessionStore } from "./lib/cookie"
+import { toInternalRequest, toResponse } from "./lib/web"
+import renderPage from "./lib/pages"
+import * as routes from "./lib/routes"
+import logger, { setLogger } from "./lib/utils/logger"
+
+import type { ErrorType } from "./lib/pages/error"
+import type {
+  AuthOptions,
+  RequestInternal,
+  ResponseInternal,
+} from "./lib/types"
+import { UntrustedHost } from "./lib/errors"
+
+export * from "./lib/types"
+
+const configErrorMessage =
+  "There is a problem with the server configuration. Check the server logs for more information."
+
+async function AuthHandlerInternal<
+  Body extends string | Record<string, any> | any[]
+>(params: {
+  req: RequestInternal
+  options: AuthOptions
+  /** REVIEW: Is this the best way to skip parsing the body in Node.js? */
+  parsedBody?: any
+}): Promise<ResponseInternal<Body>> {
+  const { options: authOptions, req } = params
+
+  const assertionResult = assertConfig({ options: authOptions, req })
+
+  if (Array.isArray(assertionResult)) {
+    assertionResult.forEach(logger.warn)
+  } else if (assertionResult instanceof Error) {
+    // Bail out early if there's an error in the user config
+    logger.error(assertionResult.code, assertionResult)
+
+    const htmlPages = ["signin", "signout", "error", "verify-request"]
+    if (!htmlPages.includes(req.action) || req.method !== "GET") {
+      return {
+        status: 500,
+        headers: { "Content-Type": "application/json" },
+        body: { message: configErrorMessage } as any,
+      }
+    }
+    const { pages, theme } = authOptions
+
+    const authOnErrorPage =
+      pages?.error && req.query?.callbackUrl?.startsWith(pages.error)
+
+    if (!pages?.error || authOnErrorPage) {
+      if (authOnErrorPage) {
+        logger.error(
+          "AUTH_ON_ERROR_PAGE_ERROR",
+          new Error(
+            `The error page ${pages?.error} should not require authentication`
+          )
+        )
+      }
+      const render = renderPage({ theme })
+      return render.error({ error: "configuration" })
+    }
+
+    return {
+      redirect: `${pages.error}?error=Configuration`,
+    }
+  }
+
+  const { action, providerId, error, method } = req
+
+  const { options, cookies } = await init({
+    authOptions,
+    action,
+    providerId,
+    url: req.url,
+    callbackUrl: req.body?.callbackUrl ?? req.query?.callbackUrl,
+    csrfToken: req.body?.csrfToken,
+    cookies: req.cookies,
+    isPost: method === "POST",
+  })
+
+  const sessionStore = new SessionStore(
+    options.cookies.sessionToken,
+    req,
+    options.logger
+  )
+
+  if (method === "GET") {
+    const render = renderPage({ ...options, query: req.query, cookies })
+    const { pages } = options
+    switch (action) {
+      case "providers":
+        return (await routes.providers(options.providers)) as any
+      case "session": {
+        const session = await routes.session({ options, sessionStore })
+        if (session.cookies) cookies.push(...session.cookies)
+        // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-assertion
+        return { ...session, cookies } as any
+      }
+      case "csrf":
+        return {
+          headers: { "Content-Type": "application/json" },
+          body: { csrfToken: options.csrfToken } as any,
+          cookies,
+        }
+      case "signin":
+        if (pages.signIn) {
+          let signinUrl = `${pages.signIn}${
+            pages.signIn.includes("?") ? "&" : "?"
+          }callbackUrl=${encodeURIComponent(options.callbackUrl)}`
+          if (error)
+            signinUrl = `${signinUrl}&error=${encodeURIComponent(error)}`
+          return { redirect: signinUrl, cookies }
+        }
+
+        return render.signin()
+      case "signout":
+        if (pages.signOut) return { redirect: pages.signOut, cookies }
+
+        return render.signout()
+      case "callback":
+        if (options.provider) {
+          const callback = await routes.callback({
+            body: req.body,
+            query: req.query,
+            headers: req.headers,
+            cookies: req.cookies,
+            method,
+            options,
+            sessionStore,
+          })
+          if (callback.cookies) cookies.push(...callback.cookies)
+          return { ...callback, cookies }
+        }
+        break
+      case "verify-request":
+        if (pages.verifyRequest) {
+          return { redirect: pages.verifyRequest, cookies }
+        }
+        return render.verifyRequest()
+      case "error":
+        // These error messages are displayed in line on the sign in page
+        if (
+          [
+            "Signin",
+            "OAuthSignin",
+            "OAuthCallback",
+            "OAuthCreateAccount",
+            "EmailCreateAccount",
+            "Callback",
+            "OAuthAccountNotLinked",
+            "EmailSignin",
+            "CredentialsSignin",
+            "SessionRequired",
+          ].includes(error as string)
+        ) {
+          return { redirect: `${options.url}/signin?error=${error}`, cookies }
+        }
+
+        if (pages.error) {
+          return {
+            redirect: `${pages.error}${
+              pages.error.includes("?") ? "&" : "?"
+            }error=${error}`,
+            cookies,
+          }
+        }
+
+        return render.error({ error: error as ErrorType })
+      default:
+    }
+  } else if (method === "POST") {
+    switch (action) {
+      case "signin":
+        // Verified CSRF Token required for all sign in routes
+        if (options.csrfTokenVerified && options.provider) {
+          const signin = await routes.signin({
+            query: req.query,
+            body: req.body,
+            options,
+          })
+          if (signin.cookies) cookies.push(...signin.cookies)
+          return { ...signin, cookies }
+        }
+
+        return { redirect: `${options.url}/signin?csrf=true`, cookies }
+      case "signout":
+        // Verified CSRF Token required for signout
+        if (options.csrfTokenVerified) {
+          const signout = await routes.signout({ options, sessionStore })
+          if (signout.cookies) cookies.push(...signout.cookies)
+          return { ...signout, cookies }
+        }
+        return { redirect: `${options.url}/signout?csrf=true`, cookies }
+      case "callback":
+        if (options.provider) {
+          // Verified CSRF Token required for credentials providers only
+          if (
+            options.provider.type === "credentials" &&
+            !options.csrfTokenVerified
+          ) {
+            return { redirect: `${options.url}/signin?csrf=true`, cookies }
+          }
+
+          const callback = await routes.callback({
+            body: req.body,
+            query: req.query,
+            headers: req.headers,
+            cookies: req.cookies,
+            method,
+            options,
+            sessionStore,
+          })
+          if (callback.cookies) cookies.push(...callback.cookies)
+          return { ...callback, cookies }
+        }
+        break
+      case "_log":
+        if (authOptions.logger) {
+          try {
+            const { code, level, ...metadata } = req.body ?? {}
+            logger[level](code, metadata)
+          } catch (error) {
+            // If logging itself failed...
+            logger.error("LOGGER_ERROR", error as Error)
+          }
+        }
+        return {}
+      default:
+    }
+  }
+
+  return {
+    status: 400,
+    body: `Error: This action with HTTP ${method} is not supported by NextAuth.js` as any,
+  }
+}
+
+/**
+ * The core functionality of Auth.js.
+ * It receives a standard [`Request`](https://developer.mozilla.org/en-US/docs/Web/API/Request)
+ * and returns a standard [`Response`](https://developer.mozilla.org/en-US/docs/Web/API/Response).
+ */
+export async function AuthHandler(
+  request: Request,
+  options: AuthOptions
+): Promise<Response> {
+  setLogger(options.logger, options.debug)
+
+  if (!options.trustHost) {
+    const error = new UntrustedHost(
+      `Host must be trusted. URL was: ${request.url}`
+    )
+    logger.error(error.code, error)
+
+    return new Response(JSON.stringify({ message: configErrorMessage }), {
+      status: 500,
+      headers: { "Content-Type": "application/json" },
+    })
+  }
+
+  const req = await toInternalRequest(request)
+  if (req instanceof Error) {
+    logger.error((req as any).code, req)
+    return new Response(
+      `Error: This action with HTTP ${request.method} is not supported.`,
+      { status: 400 }
+    )
+  }
+  const internalResponse = await AuthHandlerInternal({ req, options })
+
+  const response = await toResponse(internalResponse)
+
+  // If the request expects a return URL, send it as JSON
+  // instead of doing an actual redirect.
+  const redirect = response.headers.get("Location")
+  if (request.headers.has("X-Auth-Return-Redirect") && redirect) {
+    response.headers.delete("Location")
+    response.headers.set("Content-Type", "application/json")
+    return new Response(JSON.stringify({ url: redirect }), {
+      headers: response.headers,
+    })
+  }
+  return response
+}
--- a/packages/core/src/jwt/index.ts
+++ b/packages/core/src/jwt/index.ts
@@ -0,0 +1,127 @@
+import { EncryptJWT, jwtDecrypt } from "jose"
+import hkdf from "@panva/hkdf"
+import { SessionStore } from "../lib/cookie"
+import type { JWT, JWTDecodeParams, JWTEncodeParams, JWTOptions } from "./types"
+import type { LoggerInstance } from ".."
+
+export * from "./types"
+
+const DEFAULT_MAX_AGE = 30 * 24 * 60 * 60 // 30 days
+
+const now = () => (Date.now() / 1000) | 0
+
+/** Issues a JWT. By default, the JWT is encrypted using "A256GCM". */
+export async function encode(params: JWTEncodeParams) {
+  const { token = {}, secret, maxAge = DEFAULT_MAX_AGE } = params
+  const encryptionSecret = await getDerivedEncryptionKey(secret)
+  return await new EncryptJWT(token)
+    .setProtectedHeader({ alg: "dir", enc: "A256GCM" })
+    .setIssuedAt()
+    .setExpirationTime(now() + maxAge)
+    .setJti(crypto.randomUUID())
+    .encrypt(encryptionSecret)
+}
+
+/** Decodes a NextAuth.js issued JWT. */
+export async function decode(params: JWTDecodeParams): Promise<JWT | null> {
+  const { token, secret } = params
+  if (!token) return null
+  const encryptionSecret = await getDerivedEncryptionKey(secret)
+  const { payload } = await jwtDecrypt(token, encryptionSecret, {
+    clockTolerance: 15,
+  })
+  return payload
+}
+
+export interface GetTokenParams<R extends boolean = false> {
+  /** The request containing the JWT either in the cookies or in the `Authorization` header. */
+  req:
+    | Request
+    | { cookies: Record<string, string>; headers: Record<string, string> }
+  /**
+   * Use secure prefix for cookie name, unless URL in `NEXTAUTH_URL` is http://
+   * or not set (e.g. development or test instance) case use unprefixed name
+   */
+  secureCookie?: boolean
+  /** If the JWT is in the cookie, what name `getToken()` should look for. */
+  cookieName?: string
+  /**
+   * `getToken()` will return the raw JWT if this is set to `true`
+   * @default false
+   */
+  raw?: R
+  /**
+   * The same `secret` used in the `NextAuth` configuration.
+   * Defaults to the `NEXTAUTH_SECRET` environment variable.
+   */
+  secret?: string
+  decode?: JWTOptions["decode"]
+  logger?: LoggerInstance | Console
+}
+
+/**
+ * Takes a NextAuth.js request (`req`) and returns either the NextAuth.js issued JWT's payload,
+ * or the raw JWT string. We look for the JWT in the either the cookies, or the `Authorization` header.
+ * [Documentation](https://next-auth.js.org/tutorials/securing-pages-and-api-routes#using-gettoken)
+ */
+export async function getToken<R extends boolean = false>(
+  params: GetTokenParams<R>
+): Promise<R extends true ? string : JWT | null> {
+  const {
+    req,
+    secureCookie = process.env.NEXTAUTH_URL?.startsWith("https://") ??
+      !!process.env.VERCEL,
+    cookieName = secureCookie
+      ? "__Secure-next-auth.session-token"
+      : "next-auth.session-token",
+    raw,
+    decode: _decode = decode,
+    logger = console,
+    secret = process.env.NEXTAUTH_SECRET,
+  } = params
+
+  if (!req) throw new Error("Must pass `req` to JWT getToken()")
+
+  const sessionStore = new SessionStore(
+    { name: cookieName, options: { secure: secureCookie } },
+    // @ts-expect-error
+    { cookies: req.cookies, headers: req.headers },
+    logger
+  )
+
+  let token = sessionStore.value
+
+  const authorizationHeader =
+    req.headers instanceof Headers
+      ? req.headers.get("authorization")
+      : req.headers.authorization
+
+  if (!token && authorizationHeader?.split(" ")[0] === "Bearer") {
+    const urlEncodedToken = authorizationHeader.split(" ")[1]
+    token = decodeURIComponent(urlEncodedToken)
+  }
+
+  // @ts-expect-error
+  if (!token) return null
+
+  // @ts-expect-error
+  if (raw) return token
+
+  try {
+    // @ts-expect-error
+    return await _decode({ token, secret })
+  } catch {
+    // @ts-expect-error
+    return null
+  }
+}
+
+async function getDerivedEncryptionKey(secret: string | Buffer) {
+  return await hkdf(
+    "sha256",
+    secret,
+    "",
+    "NextAuth.js Generated Encryption Key",
+    32
+  )
+}
--- a/packages/core/src/jwt/types.ts
+++ b/packages/core/src/jwt/types.ts
@@ -0,0 +1,54 @@
+import type { Awaitable } from ".."
+
+export interface DefaultJWT extends Record<string, unknown> {
+  name?: string | null
+  email?: string | null
+  picture?: string | null
+  sub?: string
+}
+
+/**
+ * Returned by the `jwt` callback and `getToken`, when using JWT sessions
+ *
+ * [`jwt` callback](https://next-auth.js.org/configuration/callbacks#jwt-callback) | [`getToken`](https://next-auth.js.org/tutorials/securing-pages-and-api-routes#using-gettoken)
+ */
+export interface JWT extends Record<string, unknown>, DefaultJWT {}
+
+export interface JWTEncodeParams {
+  /** The JWT payload. */
+  token?: JWT
+  /** The secret used to encode the NextAuth.js issued JWT. */
+  secret: string | Buffer
+  /**
+   * The maximum age of the NextAuth.js issued JWT in seconds.
+   * @default 30 * 24 * 30 * 60 // 30 days
+   */
+  maxAge?: number
+}
+
+export interface JWTDecodeParams {
+  /** The NextAuth.js issued JWT to be decoded */
+  token?: string
+  /** The secret used to decode the NextAuth.js issued JWT. */
+  secret: string | Buffer
+}
+
+export interface JWTOptions {
+  /**
+   * The secret used to encode/decode the NextAuth.js issued JWT.
+   * @deprecated  Set the `NEXTAUTH_SECRET` environment vairable or
+   * use the top-level `secret` option instead
+   */
+  secret: string
+  /**
+   * The maximum age of the NextAuth.js issued JWT in seconds.
+   * @default 30 * 24 * 30 * 60 // 30 days
+   */
+  maxAge: number
+  /** Override this method to control the NextAuth.js issued JWT encoding. */
+  encode: (params: JWTEncodeParams) => Awaitable<string>
+  /** Override this method to control the NextAuth.js issued JWT decoding. */
+  decode: (params: JWTDecodeParams) => Awaitable<JWT | null>
+}
+
+export type Secret = string | Buffer
--- a/packages/core/src/lib/assert.ts
+++ b/packages/core/src/lib/assert.ts
@@ -0,0 +1,157 @@
+import {
+  InvalidCallbackUrl,
+  InvalidEndpoints,
+  MissingAdapter,
+  MissingAdapterMethods,
+  MissingAPIRoute,
+  MissingAuthorize,
+  MissingSecret,
+  UnsupportedStrategy,
+} from "./errors"
+import { defaultCookies } from "./cookie"
+
+import type { AuthOptions, RequestInternal } from ".."
+import type { WarningCode } from "./utils/logger"
+
+type ConfigError =
+  | MissingAdapter
+  | MissingAdapterMethods
+  | MissingAPIRoute
+  | MissingAuthorize
+  | MissingSecret
+  | InvalidCallbackUrl
+  | UnsupportedStrategy
+  | InvalidEndpoints
+  | UnsupportedStrategy
+
+let warned = false
+
+function isValidHttpUrl(url: string, baseUrl: string) {
+  try {
+    return /^https?:/.test(
+      new URL(url, url.startsWith("/") ? baseUrl : undefined).protocol
+    )
+  } catch {
+    return false
+  }
+}
+
+/**
+ * Verify that the user configured Auth.js correctly.
+ * Good place to mention deprecations as well.
+ *
+ * REVIEW: Make some of these and corresponding docs less Next.js specific?
+ */
+export function assertConfig(params: {
+  options: AuthOptions
+  req: RequestInternal
+}): ConfigError | WarningCode[] {
+  const { options, req } = params
+  const { url } = req
+  const warnings: WarningCode[] = []
+
+  if (!warned) {
+    if (!url.origin) warnings.push("NEXTAUTH_URL")
+    if (options.debug) warnings.push("DEBUG_ENABLED")
+  }
+
+  if (!options.secret) {
+    return new MissingSecret("Please define a `secret` in production.")
+  }
+
+  // req.query isn't defined when asserting `unstable_getServerSession` for example
+  if (!req.query?.nextauth && !req.action) {
+    return new MissingAPIRoute(
+      "Cannot find [...nextauth].{js,ts} in `/pages/api/auth`. Make sure the filename is written correctly."
+    )
+  }
+
+  const callbackUrlParam = req.query?.callbackUrl as string | undefined
+
+  if (callbackUrlParam && !isValidHttpUrl(callbackUrlParam, url.origin)) {
+    return new InvalidCallbackUrl(
+      `Invalid callback URL. Received: ${callbackUrlParam}`
+    )
+  }
+
+  const { callbackUrl: defaultCallbackUrl } = defaultCookies(
+    options.useSecureCookies ?? url.protocol === "https://"
+  )
+  const callbackUrlCookie =
+    req.cookies?.[options.cookies?.callbackUrl?.name ?? defaultCallbackUrl.name]
+
+  if (callbackUrlCookie && !isValidHttpUrl(callbackUrlCookie, url.origin)) {
+    return new InvalidCallbackUrl(
+      `Invalid callback URL. Received: ${callbackUrlCookie}`
+    )
+  }
+
+  let hasCredentials, hasEmail
+
+  for (const provider of options.providers) {
+    if (
+      (provider.type === "oauth" || provider.type === "oidc") &&
+      !(provider.issuer ?? provider.options?.issuer)
+    ) {
+      const { authorization: a, token: t, userinfo: u } = provider
+
+      let key
+      if (typeof a !== "string" && !a?.url) key = "authorization"
+      else if (typeof t !== "string" && !t?.url) key = "token"
+      else if (typeof u !== "string" && !u?.url) key = "userinfo"
+
+      if (key) {
+        return new InvalidEndpoints(
+          `Provider "${provider.id}" is missing both \`issuer\` and \`${key}\` endpoint config. At least one of them is required.`
+        )
+      }
+    }
+
+    if (provider.type === "credentials") hasCredentials = true
+    else if (provider.type === "email") hasEmail = true
+  }
+
+  if (hasCredentials) {
+    const dbStrategy = options.session?.strategy === "database"
+    const onlyCredentials = !options.providers.some(
+      (p) => p.type !== "credentials"
+    )
+    if (dbStrategy && onlyCredentials) {
+      return new UnsupportedStrategy(
+        "Signin in with credentials only supported if JWT strategy is enabled"
+      )
+    }
+
+    const credentialsNoAuthorize = options.providers.some(
+      (p) => p.type === "credentials" && !p.authorize
+    )
+    if (credentialsNoAuthorize) {
+      return new MissingAuthorize(
+        "Must define an authorize() handler to use credentials authentication provider"
+      )
+    }
+  }
+
+  if (hasEmail) {
+    const { adapter } = options
+    if (!adapter) {
+      return new MissingAdapter("E-mail login requires an adapter.")
+    }
+
+    const missingMethods = [
+      "createVerificationToken",
+      "useVerificationToken",
+      "getUserByEmail",
+    ].filter((method) => !adapter[method])
+
+    if (missingMethods.length) {
+      return new MissingAdapterMethods(
+        `Required adapter methods were missing: ${missingMethods.join(", ")}`
+      )
+    }
+  }
+
+  if (!warned) warned = true
+
+  return warnings
+}
--- a/packages/core/src/lib/callback-handler.ts
+++ b/packages/core/src/lib/callback-handler.ts
@@ -0,0 +1,228 @@
+import { AccountNotLinkedError } from "./errors"
+import { fromDate } from "./utils/date"
+
+import type { Account, InternalOptions, User } from ".."
+import type { AdapterSession, AdapterUser } from "../adapters"
+import type { JWT } from "../jwt"
+import type { OAuthConfig } from "../providers"
+import type { SessionToken } from "./cookie"
+
+/**
+ * This function handles the complex flow of signing users in, and either creating,
+ * linking (or not linking) accounts depending on if the user is currently logged
+ * in, if they have account already and the authentication mechanism they are using.
+ *
+ * It prevents insecure behaviour, such as linking OAuth accounts unless a user is
+ * signed in and authenticated with an existing valid account.
+ *
+ * All verification (e.g. OAuth flows or email address verificaiton flows) are
+ * done prior to this handler being called to avoid additonal complexity in this
+ * handler.
+ */
+export default async function callbackHandler(params: {
+  sessionToken?: SessionToken
+  profile: User | AdapterUser | { email: string }
+  account: Account | null
+  options: InternalOptions
+}) {
+  const { sessionToken, profile: _profile, account, options } = params
+  // Input validation
+  if (!account?.providerAccountId || !account.type)
+    throw new Error("Missing or invalid provider account")
+  if (!["email", "oauth", "oidc"].includes(account.type))
+    throw new Error("Provider not supported")
+
+  const {
+    adapter,
+    jwt,
+    events,
+    session: { strategy: sessionStrategy, generateSessionToken },
+  } = options
+
+  // If no adapter is configured then we don't have a database and cannot
+  // persist data; in this mode we just return a dummy session object.
+  if (!adapter) {
+    return { user: _profile as User, account }
+  }
+
+  const profile = _profile as AdapterUser
+
+  const {
+    createUser,
+    updateUser,
+    getUser,
+    getUserByAccount,
+    getUserByEmail,
+    linkAccount,
+    createSession,
+    getSessionAndUser,
+    deleteSession,
+  } = adapter
+
+  let session: AdapterSession | JWT | null = null
+  let user: AdapterUser | null = null
+  let isNewUser = false
+
+  const useJwtSession = sessionStrategy === "jwt"
+
+  if (sessionToken) {
+    if (useJwtSession) {
+      try {
+        session = await jwt.decode({ ...jwt, token: sessionToken })
+        if (session && "sub" in session && session.sub) {
+          user = await getUser(session.sub)
+        }
+      } catch {
+        // If session can't be verified, treat as no session
+      }
+    } else {
+      const userAndSession = await getSessionAndUser(sessionToken)
+      if (userAndSession) {
+        session = userAndSession.session
+        user = userAndSession.user
+      }
+    }
+  }
+
+  if (account.type === "email") {
+    // If signing in with an email, check if an account with the same email address exists already
+    const userByEmail = await getUserByEmail(profile.email)
+    if (userByEmail) {
+      // If they are not already signed in as the same user, this flow will
+      // sign them out of the current session and sign them in as the new user
+      if (user?.id !== userByEmail.id && !useJwtSession && sessionToken) {
+        // Delete existing session if they are currently signed in as another user.
+        // This will switch user accounts for the session in cases where the user was
+        // already logged in with a different account.
+        await deleteSession(sessionToken)
+      }
+
+      // Update emailVerified property on the user object
+      user = await updateUser({ id: userByEmail.id, emailVerified: new Date() })
+      await events.updateUser?.({ user })
+    } else {
+      const { id: _, ...newUser } = { ...profile, emailVerified: new Date() }
+      // Create user account if there isn't one for the email address already
+      user = await createUser(newUser)
+      await events.createUser?.({ user })
+      isNewUser = true
+    }
+
+    // Create new session
+    session = useJwtSession
+      ? {}
+      : await createSession({
+          sessionToken: generateSessionToken(),
+          userId: user.id,
+          expires: fromDate(options.session.maxAge),
+        })
+
+    return { session, user, isNewUser }
+  } else if (account.type === "oauth") {
+    // If signing in with OAuth account, check to see if the account exists already
+    const userByAccount = await getUserByAccount({
+      providerAccountId: account.providerAccountId,
+      provider: account.provider,
+    })
+    if (userByAccount) {
+      if (user) {
+        // If the user is already signed in with this account, we don't need to do anything
+        if (userByAccount.id === user.id) {
+          return { session, user, isNewUser }
+        }
+        // If the user is currently signed in, but the new account they are signing in
+        // with is already associated with another user, then we cannot link them
+        // and need to return an error.
+        throw new AccountNotLinkedError(
+          "The account is already associated with another user"
+        )
+      }
+      // If there is no active session, but the account being signed in with is already
+      // associated with a valid user then create session to sign the user in.
+      session = useJwtSession
+        ? {}
+        : await createSession({
+            sessionToken: generateSessionToken(),
+            userId: userByAccount.id,
+            expires: fromDate(options.session.maxAge),
+          })
+
+      return { session, user: userByAccount, isNewUser }
+    } else {
+      if (user) {
+        // If the user is already signed in and the OAuth account isn't already associated
+        // with another user account then we can go ahead and link the accounts safely.
+        await linkAccount({ ...account, userId: user.id })
+        await events.linkAccount?.({ user, account, profile })
+
+        // As they are already signed in, we don't need to do anything after linking them
+        return { session, user, isNewUser }
+      }
+
+      // If the user is not signed in and it looks like a new OAuth account then we
+      // check there also isn't an user account already associated with the same
+      // email address as the one in the OAuth profile.
+      //
+      // This step is often overlooked in OAuth implementations, but covers the following cases:
+      //
+      // 1. It makes it harder for someone to accidentally create two accounts.
+      //    e.g. by signin in with email, then again with an oauth account connected to the same email.
+      // 2. It makes it harder to hijack a user account using a 3rd party OAuth account.
+      //    e.g. by creating an oauth account then changing the email address associated with it.
+      //
+      // It's quite common for services to automatically link accounts in this case, but it's
+      // better practice to require the user to sign in *then* link accounts to be sure
+      // someone is not exploiting a problem with a third party OAuth service.
+      //
+      // OAuth providers should require email address verification to prevent this, but in
+      // practice that is not always the case; this helps protect against that.
+      const userByEmail = profile.email
+        ? await getUserByEmail(profile.email)
+        : null
+      if (userByEmail) {
+        const provider = options.provider as OAuthConfig<any>
+        if (provider?.allowDangerousEmailAccountLinking) {
+          // If you trust the oauth provider to correctly verify email addresses, you can opt-in to
+          // account linking even when the user is not signed-in.
+          user = userByEmail
+        } else {
+          // We end up here when we don't have an account with the same [provider].id *BUT*
+          // we do already have an account with the same email address as the one in the
+          // OAuth profile the user has just tried to sign in with.
+          //
+          // We don't want to have two accounts with the same email address, and we don't
+          // want to link them in case it's not safe to do so, so instead we prompt the user
+          // to sign in via email to verify their identity and then link the accounts.
+          throw new AccountNotLinkedError(
+            "Another account already exists with the same e-mail address"
+          )
+        }
+      } else {
+        // If the current user is not logged in and the profile isn't linked to any user
+        // accounts (by email or provider account id)...
+        //
+        // If no account matching the same [provider].id or .email exists, we can
+        // create a new account for the user, link it to the OAuth acccount and
+        // create a new session for them so they are signed in with it.
+        const { id: _, ...newUser } = { ...profile, emailVerified: null }
+        user = await createUser(newUser)
+      }
+      await events.createUser?.({ user })
+
+      await linkAccount({ ...account, userId: user.id })
+      await events.linkAccount?.({ user, account, profile })
+
+      session = useJwtSession
+        ? {}
+        : await createSession({
+            sessionToken: generateSessionToken(),
+            userId: user.id,
+            expires: fromDate(options.session.maxAge),
+          })
+
+      return { session, user, isNewUser: true }
+    }
+  }
+
+  throw new Error("Unsupported account type")
+}
--- a/packages/core/src/lib/callback-url.ts
+++ b/packages/core/src/lib/callback-url.ts
@@ -0,0 +1,42 @@
+import type { InternalOptions } from ".."
+
+interface CreateCallbackUrlParams {
+  options: InternalOptions
+  /** Try reading value from request body (POST) then from query param (GET) */
+  paramValue?: string
+  cookieValue?: string
+}
+
+/**
+ * Get callback URL based on query param / cookie + validation,
+ * and add it to `req.options.callbackUrl`.
+ */
+export async function createCallbackUrl({
+  options,
+  paramValue,
+  cookieValue,
+}: CreateCallbackUrlParams) {
+  const { url, callbacks } = options
+
+  let callbackUrl = url.origin
+
+  if (paramValue) {
+    // If callbackUrl form field or query parameter is passed try to use it if allowed
+    callbackUrl = await callbacks.redirect({
+      url: paramValue,
+      baseUrl: url.origin,
+    })
+  } else if (cookieValue) {
+    // If no callbackUrl specified, try using the value from the cookie if allowed
+    callbackUrl = await callbacks.redirect({
+      url: cookieValue,
+      baseUrl: url.origin,
+    })
+  }
+
+  return {
+    callbackUrl,
+    // Save callback URL in a cookie so that it can be used for subsequent requests in signin/signout/callback flow
+    callbackUrlCookie: callbackUrl !== cookieValue ? callbackUrl : undefined,
+  }
+}
--- a/packages/core/src/lib/cookie.ts
+++ b/packages/core/src/lib/cookie.ts
@@ -0,0 +1,236 @@
+import type {
+  CookieOption,
+  CookiesOptions,
+  LoggerInstance,
+  SessionStrategy,
+} from ".."
+
+// Uncomment to recalculate the estimated size
+// of an empty session cookie
+// import { serialize } from "cookie"
+// console.log(
+//   "Cookie estimated to be ",
+//   serialize(`__Secure.next-auth.session-token.0`, "", {
+//     expires: new Date(),
+//     httpOnly: true,
+//     maxAge: Number.MAX_SAFE_INTEGER,
+//     path: "/",
+//     sameSite: "strict",
+//     secure: true,
+//     domain: "example.com",
+//   }).length,
+//   " bytes"
+// )
+
+const ALLOWED_COOKIE_SIZE = 4096
+// Based on commented out section above
+const ESTIMATED_EMPTY_COOKIE_SIZE = 163
+const CHUNK_SIZE = ALLOWED_COOKIE_SIZE - ESTIMATED_EMPTY_COOKIE_SIZE
+
+// REVIEW: Is there any way to defer two types of strings?
+
+/** Stringified form of `JWT`. Extract the content with `jwt.decode` */
+export type JWTString = string
+
+export type SetCookieOptions = Partial<CookieOption["options"]> & {
+  expires?: Date | string
+  encode?: (val: unknown) => string
+}
+
+/**
+ * If `options.session.strategy` is set to `jwt`, this is a stringified `JWT`.
+ * In case of `strategy: "database"`, this is the `sessionToken` of the session in the database.
+ */
+export type SessionToken<T extends SessionStrategy = "jwt"> = T extends "jwt"
+  ? JWTString
+  : string
+
+/**
+ * Use secure cookies if the site uses HTTPS
+ * This being conditional allows cookies to work non-HTTPS development URLs
+ * Honour secure cookie option, which sets 'secure' and also adds '__Secure-'
+ * prefix, but enable them by default if the site URL is HTTPS; but not for
+ * non-HTTPS URLs like http://localhost which are used in development).
+ * For more on prefixes see https://googlechrome.github.io/samples/cookie-prefixes/
+ *
+ * @TODO Review cookie settings (names, options)
+ */
+export function defaultCookies(useSecureCookies: boolean): CookiesOptions {
+  const cookiePrefix = useSecureCookies ? "__Secure-" : ""
+  return {
+    // default cookie options
+    sessionToken: {
+      name: `${cookiePrefix}next-auth.session-token`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure: useSecureCookies,
+      },
+    },
+    callbackUrl: {
+      name: `${cookiePrefix}next-auth.callback-url`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure: useSecureCookies,
+      },
+    },
+    csrfToken: {
+      // Default to __Host- for CSRF token for additional protection if using useSecureCookies
+      // NB: The `__Host-` prefix is stricter than the `__Secure-` prefix.
+      name: `${useSecureCookies ? "__Host-" : ""}next-auth.csrf-token`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure: useSecureCookies,
+      },
+    },
+    pkceCodeVerifier: {
+      name: `${cookiePrefix}next-auth.pkce.code_verifier`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure: useSecureCookies,
+        maxAge: 60 * 15, // 15 minutes in seconds
+      },
+    },
+    state: {
+      name: `${cookiePrefix}next-auth.state`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure: useSecureCookies,
+        maxAge: 60 * 15, // 15 minutes in seconds
+      },
+    },
+    nonce: {
+      name: `${cookiePrefix}next-auth.nonce`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure: useSecureCookies,
+      },
+    },
+  }
+}
+
+export interface Cookie extends CookieOption {
+  value: string
+}
+
+type Chunks = Record<string, string>
+
+export class SessionStore {
+  #chunks: Chunks = {}
+  #option: CookieOption
+  #logger: LoggerInstance | Console
+
+  constructor(
+    option: CookieOption,
+    req: Partial<{ cookies: any; headers: any }>,
+    logger: LoggerInstance | Console
+  ) {
+    this.#logger = logger
+    this.#option = option
+
+    const { cookies } = req
+    const { name: cookieName } = option
+
+    if (typeof cookies?.getAll === "function") {
+      // Next.js ^v13.0.1 (Edge Env)
+      for (const { name, value } of cookies.getAll()) {
+        if (name.startsWith(cookieName)) {
+          this.#chunks[name] = value
+        }
+      }
+    } else if (cookies instanceof Map) {
+      for (const name of cookies.keys()) {
+        if (name.startsWith(cookieName)) this.#chunks[name] = cookies.get(name)
+      }
+    } else {
+      for (const name in cookies) {
+        if (name.startsWith(cookieName)) this.#chunks[name] = cookies[name]
+      }
+    }
+  }
+
+  get value() {
+    return Object.values(this.#chunks)?.join("")
+  }
+
+  /** Given a cookie, return a list of cookies, chunked to fit the allowed cookie size. */
+  #chunk(cookie: Cookie): Cookie[] {
+    const chunkCount = Math.ceil(cookie.value.length / CHUNK_SIZE)
+
+    if (chunkCount === 1) {
+      this.#chunks[cookie.name] = cookie.value
+      return [cookie]
+    }
+
+    const cookies: Cookie[] = []
+    for (let i = 0; i < chunkCount; i++) {
+      const name = `${cookie.name}.${i}`
+      const value = cookie.value.substr(i * CHUNK_SIZE, CHUNK_SIZE)
+      cookies.push({ ...cookie, name, value })
+      this.#chunks[name] = value
+    }
+
+    this.#logger.debug("CHUNKING_SESSION_COOKIE", {
+      message: `Session cookie exceeds allowed ${ALLOWED_COOKIE_SIZE} bytes.`,
+      emptyCookieSize: ESTIMATED_EMPTY_COOKIE_SIZE,
+      valueSize: cookie.value.length,
+      chunks: cookies.map((c) => c.value.length + ESTIMATED_EMPTY_COOKIE_SIZE),
+    })
+
+    return cookies
+  }
+
+  /** Returns cleaned cookie chunks. */
+  #clean(): Record<string, Cookie> {
+    const cleanedChunks: Record<string, Cookie> = {}
+    for (const name in this.#chunks) {
+      delete this.#chunks?.[name]
+      cleanedChunks[name] = {
+        name,
+        value: "",
+        options: { ...this.#option.options, maxAge: 0 },
+      }
+    }
+    return cleanedChunks
+  }
+
+  /**
+   * Given a cookie value, return new cookies, chunked, to fit the allowed cookie size.
+   * If the cookie has changed from chunked to unchunked or vice versa,
+   * it deletes the old cookies as well.
+   */
+  chunk(value: string, options: Partial<Cookie["options"]>): Cookie[] {
+    // Assume all cookies should be cleaned by default
+    const cookies: Record<string, Cookie> = this.#clean()
+
+    // Calculate new chunks
+    const chunked = this.#chunk({
+      name: this.#option.name,
+      value,
+      options: { ...this.#option.options, ...options },
+    })
+
+    // Update stored chunks / cookies
+    for (const chunk of chunked) {
+      cookies[chunk.name] = chunk
+    }
+
+    return Object.values(cookies)
+  }
+
+  /** Returns a list of cookies that should be cleaned. */
+  clean(): Cookie[] {
+    return Object.values(this.#clean())
+  }
+}
--- a/packages/core/src/lib/csrf-token.ts
+++ b/packages/core/src/lib/csrf-token.ts
@@ -0,0 +1,54 @@
+import { createHash, randomString } from "./web"
+import type { InternalOptions } from "./types"
+
+interface CreateCSRFTokenParams {
+  options: InternalOptions
+  cookieValue?: string
+  isPost: boolean
+  bodyValue?: string
+}
+
+/**
+ * Ensure CSRF Token cookie is set for any subsequent requests.
+ * Used as part of the strategy for mitigation for CSRF tokens.
+ *
+ * Creates a cookie like 'next-auth.csrf-token' with the value 'token|hash',
+ * where 'token' is the CSRF token and 'hash' is a hash made of the token and
+ * the secret, and the two values are joined by a pipe '|'. By storing the
+ * value and the hash of the value (with the secret used as a salt) we can
+ * verify the cookie was set by the server and not by a malicous attacker.
+ *
+ * For more details, see the following OWASP links:
+ * https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie
+ * https://owasp.org/www-chapter-london/assets/slides/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf
+ */
+export async function createCSRFToken({
+  options,
+  cookieValue,
+  isPost,
+  bodyValue,
+}: CreateCSRFTokenParams) {
+  if (cookieValue) {
+    const [csrfToken, csrfTokenHash] = cookieValue.split("|")
+
+    const expectedCsrfTokenHash = await createHash(
+      `${csrfToken}${options.secret}`
+    )
+
+    if (csrfTokenHash === expectedCsrfTokenHash) {
+      // If hash matches then we trust the CSRF token value
+      // If this is a POST request and the CSRF Token in the POST request matches
+      // the cookie we have already verified is the one we have set, then the token is verified!
+      const csrfTokenVerified = isPost && csrfToken === bodyValue
+
+      return { csrfTokenVerified, csrfToken }
+    }
+  }
+
+  // New CSRF token
+  const csrfToken = randomString(32)
+  const csrfTokenHash = await createHash(`${csrfToken}${options.secret}`)
+  const cookie = `${csrfToken}|${csrfTokenHash}`
+
+  return { cookie, csrfToken }
+}
--- a/packages/core/src/lib/default-callbacks.ts
+++ b/packages/core/src/lib/default-callbacks.ts
@@ -0,0 +1,18 @@
+import type { CallbacksOptions } from ".."
+
+export const defaultCallbacks: CallbacksOptions = {
+  signIn() {
+    return true
+  },
+  redirect({ url, baseUrl }) {
+    if (url.startsWith("/")) return `${baseUrl}${url}`
+    else if (new URL(url).origin === baseUrl) return url
+    return baseUrl
+  },
+  session({ session }) {
+    return session
+  },
+  jwt({ token }) {
+    return token
+  },
+}
--- a/packages/core/src/lib/email/getUserFromEmail.ts
+++ b/packages/core/src/lib/email/getUserFromEmail.ts
@@ -0,0 +1,20 @@
+import type { AdapterUser } from "../../adapters"
+import type { InternalOptions } from "../.."
+
+/**
+ * Query the database for a user by email address.
+ * If is an existing user return a user object (otherwise use placeholder).
+ */
+export default async function getAdapterUserFromEmail({
+  email,
+  adapter,
+}: {
+  email: string
+  adapter: InternalOptions<"email">["adapter"]
+}): Promise<AdapterUser> {
+  const { getUserByEmail } = adapter
+  const adapterUser = email ? await getUserByEmail(email) : null
+  if (adapterUser) return adapterUser
+
+  return { id: email, email, emailVerified: null }
+}
--- a/packages/core/src/lib/email/signin.ts
+++ b/packages/core/src/lib/email/signin.ts
@@ -0,0 +1,49 @@
+import { randomString, createHash } from "../web"
+import type { InternalOptions } from "../.."
+
+/**
+ * Starts an e-mail login flow, by generating a token,
+ * and sending it to the user's e-mail (with the help of a DB adapter)
+ */
+export default async function email(
+  identifier: string,
+  options: InternalOptions<"email">
+): Promise<string> {
+  const { url, adapter, provider, callbackUrl, theme } = options
+  // Generate token
+  const token =
+    (await provider.generateVerificationToken?.()) ?? randomString(32)
+
+  const ONE_DAY_IN_SECONDS = 86400
+  const expires = new Date(
+    Date.now() + (provider.maxAge ?? ONE_DAY_IN_SECONDS) * 1000
+  )
+
+  // Generate a link with email, unhashed token and callback url
+  const params = new URLSearchParams({ callbackUrl, token, email: identifier })
+  const _url = `${url}/callback/${provider.id}?${params}`
+
+  const secret = provider.secret ?? options.secret
+  await Promise.all([
+    // Send to user
+    provider.sendVerificationRequest({
+      identifier,
+      token,
+      expires,
+      url: _url,
+      provider,
+      theme,
+    }),
+    // Save in database
+    adapter.createVerificationToken({
+      identifier,
+      token: await createHash(`${token}${secret}`),
+      expires,
+    }),
+  ])
+
+  return `${url}/verify-request?${new URLSearchParams({
+    provider: provider.id,
+    type: provider.type,
+  })}`
+}
--- a/packages/core/src/lib/errors.ts
+++ b/packages/core/src/lib/errors.ts
@@ -0,0 +1,141 @@
+import type { EventCallbacks, LoggerInstance } from "./types"
+
+/**
+ * Same as the default `Error`, but it is JSON serializable.
+ * @source https://iaincollins.medium.com/error-handling-in-javascript-a6172ccdf9af
+ */
+export class UnknownError extends Error {
+  code: string
+  constructor(error: Error | string) {
+    // Support passing error or string
+    super((error as Error)?.message ?? error)
+    this.name = "UnknownError"
+    this.code = (error as any).code
+    if (error instanceof Error) {
+      this.stack = error.stack
+    }
+  }
+
+  toJSON() {
+    return {
+      name: this.name,
+      message: this.message,
+      stack: this.stack,
+    }
+  }
+}
+
+export class OAuthCallbackError extends UnknownError {
+  name = "OAuthCallbackError"
+}
+
+/**
+ * Thrown when an Email address is already associated with an account
+ * but the user is trying an OAuth account that is not linked to it.
+ */
+export class AccountNotLinkedError extends UnknownError {
+  name = "AccountNotLinkedError"
+}
+
+export class MissingAPIRoute extends UnknownError {
+  name = "MissingAPIRouteError"
+  code = "MISSING_NEXTAUTH_API_ROUTE_ERROR"
+}
+
+export class MissingSecret extends UnknownError {
+  name = "MissingSecretError"
+  code = "NO_SECRET"
+}
+
+export class MissingAuthorize extends UnknownError {
+  name = "MissingAuthorizeError"
+  code = "CALLBACK_CREDENTIALS_HANDLER_ERROR"
+}
+
+export class MissingAdapter extends UnknownError {
+  name = "MissingAdapterError"
+  code = "EMAIL_REQUIRES_ADAPTER_ERROR"
+}
+
+export class MissingAdapterMethods extends UnknownError {
+  name = "MissingAdapterMethodsError"
+  code = "MISSING_ADAPTER_METHODS_ERROR"
+}
+
+export class UnsupportedStrategy extends UnknownError {
+  name = "UnsupportedStrategyError"
+  code = "CALLBACK_CREDENTIALS_JWT_ERROR"
+}
+
+export class InvalidCallbackUrl extends UnknownError {
+  name = "InvalidCallbackUrlError"
+  code = "INVALID_CALLBACK_URL_ERROR"
+}
+
+export class InvalidEndpoints extends UnknownError {
+  name = "InvalidEndpoints"
+  code = "INVALID_ENDPOINTS_ERROR"
+}
+export class UnknownAction extends UnknownError {
+  name = "UnknownAction"
+  code = "UNKNOWN_ACTION_ERROR"
+}
+
+export class UntrustedHost extends UnknownError {
+  name = "UntrustedHost"
+  code = "UNTRUST_HOST_ERROR"
+}
+
+type Method = (...args: any[]) => Promise<any>
+
+export function upperSnake(s: string) {
+  return s.replace(/([A-Z])/g, "_$1").toUpperCase()
+}
+
+export function capitalize(s: string) {
+  return `${s[0].toUpperCase()}${s.slice(1)}`
+}
+
+/**
+ * Wraps an object of methods and adds error handling.
+ */
+export function eventsErrorHandler(
+  methods: Partial<EventCallbacks>,
+  logger: LoggerInstance
+): Partial<EventCallbacks> {
+  return Object.keys(methods).reduce<any>((acc, name) => {
+    acc[name] = async (...args: any[]) => {
+      try {
+        const method: Method = methods[name as keyof Method]
+        return await method(...args)
+      } catch (e) {
+        logger.error(`${upperSnake(name)}_EVENT_ERROR`, e as Error)
+      }
+    }
+    return acc
+  }, {})
+}
+
+/** Handles adapter induced errors. */
+export function adapterErrorHandler<TAdapter>(
+  adapter: TAdapter | undefined,
+  logger: LoggerInstance
+): TAdapter | undefined {
+  if (!adapter) return
+
+  return Object.keys(adapter).reduce<any>((acc, name) => {
+    acc[name] = async (...args: any[]) => {
+      try {
+        logger.debug(`adapter_${name}`, { args })
+        const method: Method = adapter[name as keyof Method]
+        return await method(...args)
+      } catch (error) {
+        logger.error(`adapter_error_${name}`, error as Error)
+        const e = new UnknownError(error as Error)
+        e.name = `${capitalize(name)}Error`
+        throw e
+      }
+    }
+    return acc
+  }, {})
+}
--- a/packages/core/src/lib/init.ts
+++ b/packages/core/src/lib/init.ts
@@ -0,0 +1,152 @@
+import { adapterErrorHandler, eventsErrorHandler } from "./errors"
+import * as jwt from "../jwt"
+import { createCallbackUrl } from "./callback-url"
+import * as cookie from "./cookie"
+import { createCSRFToken } from "./csrf-token"
+import { defaultCallbacks } from "./default-callbacks"
+import parseProviders from "./providers"
+import logger from "./utils/logger"
+import parseUrl from "./utils/parse-url"
+
+import type { AuthOptions, InternalOptions, RequestInternal } from ".."
+
+interface InitParams {
+  url: URL
+  authOptions: AuthOptions
+  providerId?: string
+  action: InternalOptions["action"]
+  /** Callback URL value extracted from the incoming request. */
+  callbackUrl?: string
+  /** CSRF token value extracted from the incoming request. From body if POST, from query if GET */
+  csrfToken?: string
+  /** Is the incoming request a POST request? */
+  isPost: boolean
+  cookies: RequestInternal["cookies"]
+}
+
+/** Initialize all internal options and cookies. */
+export async function init({
+  authOptions,
+  providerId,
+  action,
+  url: reqUrl,
+  cookies: reqCookies,
+  callbackUrl: reqCallbackUrl,
+  csrfToken: reqCsrfToken,
+  isPost,
+}: InitParams): Promise<{
+  options: InternalOptions
+  cookies: cookie.Cookie[]
+}> {
+  // TODO: move this to web.ts
+  const parsed = parseUrl(
+    reqUrl.origin +
+      reqUrl.pathname.replace(`/${action}`, "").replace(`/${providerId}`, "")
+  )
+  const url = new URL(parsed.toString())
+
+  const { providers, provider } = parseProviders({
+    providers: authOptions.providers,
+    url,
+    providerId,
+  })
+
+  const maxAge = 30 * 24 * 60 * 60 // Sessions expire after 30 days of being idle by default
+
+  // User provided options are overriden by other options,
+  // except for the options with special handling above
+  const options: InternalOptions = {
+    debug: false,
+    pages: {},
+    theme: {
+      colorScheme: "auto",
+      logo: "",
+      brandColor: "",
+      buttonText: "",
+    },
+    // Custom options override defaults
+    ...authOptions,
+    // These computed settings can have values in userOptions but we override them
+    // and are request-specific.
+    url,
+    action,
+    // @ts-expect-errors
+    provider,
+    cookies: {
+      ...cookie.defaultCookies(
+        authOptions.useSecureCookies ?? url.protocol === "https:"
+      ),
+      // Allow user cookie options to override any cookie settings above
+      ...authOptions.cookies,
+    },
+    providers,
+    // Session options
+    session: {
+      // If no adapter specified, force use of JSON Web Tokens (stateless)
+      strategy: authOptions.adapter ? "database" : "jwt",
+      maxAge,
+      updateAge: 24 * 60 * 60,
+      generateSessionToken: crypto.randomUUID,
+      ...authOptions.session,
+    },
+    // JWT options
+    jwt: {
+      // Asserted in assert.ts
+      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+      secret: authOptions.secret!,
+      maxAge, // same as session maxAge,
+      encode: jwt.encode,
+      decode: jwt.decode,
+      ...authOptions.jwt,
+    },
+    // Event messages
+    events: eventsErrorHandler(authOptions.events ?? {}, logger),
+    adapter: adapterErrorHandler(authOptions.adapter, logger),
+    // Callback functions
+    callbacks: { ...defaultCallbacks, ...authOptions.callbacks },
+    logger,
+    callbackUrl: url.origin,
+  }
+
+  // Init cookies
+
+  const cookies: cookie.Cookie[] = []
+
+  const {
+    csrfToken,
+    cookie: csrfCookie,
+    csrfTokenVerified,
+  } = await createCSRFToken({
+    options,
+    cookieValue: reqCookies?.[options.cookies.csrfToken.name],
+    isPost,
+    bodyValue: reqCsrfToken,
+  })
+
+  options.csrfToken = csrfToken
+  options.csrfTokenVerified = csrfTokenVerified
+
+  if (csrfCookie) {
+    cookies.push({
+      name: options.cookies.csrfToken.name,
+      value: csrfCookie,
+      options: options.cookies.csrfToken.options,
+    })
+  }
+
+  const { callbackUrl, callbackUrlCookie } = await createCallbackUrl({
+    options,
+    cookieValue: reqCookies?.[options.cookies.callbackUrl.name],
+    paramValue: reqCallbackUrl,
+  })
+  options.callbackUrl = callbackUrl
+  if (callbackUrlCookie) {
+    cookies.push({
+      name: options.cookies.callbackUrl.name,
+      value: callbackUrlCookie,
+      options: options.cookies.callbackUrl.options,
+    })
+  }
+
+  return { options, cookies }
+}
--- a/packages/core/src/lib/oauth/authorization-url.ts
+++ b/packages/core/src/lib/oauth/authorization-url.ts
@@ -0,0 +1,147 @@
+import * as o from "oauth4webapi"
+
+import type {
+  CookiesOptions,
+  InternalOptions,
+  RequestInternal,
+  ResponseInternal,
+} from "../.."
+import type { Cookie } from "../cookie"
+
+/**
+ * Generates an authorization/request token URL.
+ *
+ * [OAuth 2](https://www.oauth.com/oauth2-servers/authorization/the-authorization-request/)
+ */
+export async function getAuthorizationUrl({
+  options,
+  query,
+}: {
+  options: InternalOptions<"oauth">
+  query: RequestInternal["query"]
+}): Promise<ResponseInternal> {
+  const { logger, provider } = options
+
+  let url = provider.authorization?.url
+  let as: o.AuthorizationServer | undefined
+
+  if (!url) {
+    // If url is undefined, we assume that issuer is always defined
+    // We check this in assert.ts
+    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+    const issuer = new URL(provider.issuer!)
+    const discoveryResponse = await o.discoveryRequest(issuer)
+    const as = await o.processDiscoveryResponse(issuer, discoveryResponse)
+
+    if (!as.authorization_endpoint) {
+      throw new TypeError(
+        "Authorization server did not provide an authorization endpoint."
+      )
+    }
+
+    url = new URL(as.authorization_endpoint)
+  }
+
+  const authParams = url.searchParams
+  const params = Object.assign(
+    {
+      response_type: "code",
+      // clientId can technically be undefined, should we check this in assert.ts or rely on the Authorization Server to do it?
+      client_id: provider.clientId,
+      redirect_uri: provider.callbackUrl,
+      // @ts-expect-error TODO:
+      ...provider.authorization?.params,
+    }, // Defaults
+    Object.fromEntries(authParams), // From provider config
+    query // From `signIn` call
+  )
+
+  for (const k in params) authParams.set(k, params[k])
+
+  const cookies: Cookie[] = []
+
+  if (provider.checks?.includes("state")) {
+    const { value, raw } = await createState(options)
+    authParams.set("state", raw)
+    cookies.push(value)
+  }
+
+  if (provider.checks?.includes("pkce")) {
+    if (as && !as.code_challenge_methods_supported?.includes("S256")) {
+      // We assume S256 PKCE support, if the server does not advertise that,
+      // a random `nonce` must be used for CSRF protection.
+      provider.checks = ["nonce"]
+    } else {
+      const { code_challenge, pkce } = await createPKCE(options)
+      authParams.set("code_challenge", code_challenge)
+      authParams.set("code_challenge_method", "S256")
+      cookies.push(pkce)
+    }
+  }
+
+  if (provider.checks?.includes("nonce")) {
+    const nonce = await createNonce(options)
+    authParams.set("nonce", nonce.value)
+    cookies.push(nonce)
+  }
+
+  url.searchParams.delete("nextauth")
+
+  // TODO: This does not work in normalizeOAuth because authorization endpoint can come from discovery
+  // Need to make normalizeOAuth async
+  if (provider.type === "oidc" && !url.searchParams.has("scope")) {
+    url.searchParams.set("scope", "openid profile email")
+  }
+
+  logger.debug("GET_AUTHORIZATION_URL", { url, cookies, provider })
+  return { redirect: url, cookies }
+}
+
+/** Returns a signed cookie. */
+export async function signCookie(
+  type: keyof CookiesOptions,
+  value: string,
+  maxAge: number,
+  options: InternalOptions<"oauth">
+): Promise<Cookie> {
+  const { cookies, jwt, logger } = options
+
+  logger.debug(`CREATE_${type.toUpperCase()}`, { value, maxAge })
+
+  const expires = new Date()
+  expires.setTime(expires.getTime() + maxAge * 1000)
+  return {
+    name: cookies[type].name,
+    value: await jwt.encode({ ...jwt, maxAge, token: { value } }),
+    options: { ...cookies[type].options, expires },
+  }
+}
+
+const STATE_MAX_AGE = 60 * 15 // 15 minutes in seconds
+async function createState(options: InternalOptions<"oauth">) {
+  const raw = o.generateRandomState()
+  const maxAge = STATE_MAX_AGE
+  const value = await signCookie("state", raw, maxAge, options)
+  return { value, raw }
+}
+
+const PKCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
+async function createPKCE(options: InternalOptions<"oauth">) {
+  const code_verifier = o.generateRandomCodeVerifier()
+  const code_challenge = await o.calculatePKCECodeChallenge(code_verifier)
+  const maxAge = PKCE_MAX_AGE
+  const pkce = await signCookie(
+    "pkceCodeVerifier",
+    code_verifier,
+    maxAge,
+    options
+  )
+  return { code_challenge, pkce }
+}
+
+const NONCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
+async function createNonce(options: InternalOptions<"oauth">) {
+  const raw = o.generateRandomNonce()
+  const maxAge = NONCE_MAX_AGE
+  return await signCookie("nonce", raw, maxAge, options)
+}
--- a/packages/core/src/lib/oauth/callback.ts
+++ b/packages/core/src/lib/oauth/callback.ts
@@ -0,0 +1,221 @@
+import { OAuthCallbackError } from "../errors"
+import { useNonce } from "./nonce-handler"
+import { usePKCECodeVerifier } from "./pkce-handler"
+import { useState } from "./state-handler"
+import * as o from "oauth4webapi"
+
+import type {
+  InternalOptions,
+  LoggerInstance,
+  Profile,
+  RequestInternal,
+  TokenSet,
+} from "../.."
+import type { OAuthConfigInternal } from "../../providers"
+import type { Cookie } from "../cookie"
+
+export async function handleOAuthCallback(params: {
+  options: InternalOptions<"oauth">
+  query: RequestInternal["query"]
+  body: RequestInternal["body"]
+  cookies: RequestInternal["cookies"]
+}) {
+  const { options, query, body, cookies } = params
+  const { logger, provider } = options
+
+  const errorMessage = body?.error ?? query?.error
+  if (errorMessage) {
+    const error = new Error(errorMessage)
+    logger.error("OAUTH_CALLBACK_HANDLER_ERROR", {
+      error,
+      error_description: query?.error_description,
+      providerId: provider.id,
+    })
+    logger.debug("OAUTH_CALLBACK_HANDLER_ERROR", { body })
+    throw error
+  }
+
+  try {
+    let as: o.AuthorizationServer
+
+    if (!provider.token?.url && !provider.userinfo?.url) {
+      // We assume that issuer is always defined as this has been asserted earlier
+      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+      const issuer = new URL(provider.issuer!)
+      const discoveryResponse = await o.discoveryRequest(issuer)
+      const discoveredAs = await o.processDiscoveryResponse(
+        issuer,
+        discoveryResponse
+      )
+
+      if (!discoveredAs.token_endpoint)
+        throw new TypeError(
+          "TODO: Authorization server did not provide a token endpoint."
+        )
+
+      if (!discoveredAs.userinfo_endpoint)
+        throw new TypeError(
+          "TODO: Authorization server did not provide a userinfo endpoint."
+        )
+
+      as = discoveredAs
+    } else {
+      as = {
+        issuer: provider.issuer ?? "https://a", // TODO: review fallback issuer
+        token_endpoint: provider.token?.url.toString(),
+        userinfo_endpoint: provider.userinfo?.url.toString(),
+      }
+    }
+
+    const client: o.Client = {
+      client_id: provider.clientId,
+      client_secret: provider.clientSecret,
+      ...provider.client,
+    }
+
+    const resCookies: Cookie[] = []
+
+    const state = await useState(cookies?.[options.cookies.state.name], options)
+    if (state) resCookies.push(state.cookie)
+
+    const codeVerifier = await usePKCECodeVerifier(
+      cookies?.[options.cookies.pkceCodeVerifier.name],
+      options
+    )
+    if (codeVerifier) resCookies.push(codeVerifier.cookie)
+
+    // TODO:
+    const nonce = await useNonce(cookies?.[options.cookies.nonce.name], options)
+    if (nonce && provider.type === "oidc") {
+      resCookies.push(nonce.cookie)
+    }
+
+    const parameters = o.validateAuthResponse(
+      as,
+      client,
+      new URLSearchParams(query),
+      provider.checks.includes("state") ? state?.value : o.skipStateCheck
+    )
+
+    if (o.isOAuth2Error(parameters)) {
+      console.log("error", parameters)
+      throw new Error("TODO: Handle OAuth 2.0 redirect error")
+    }
+
+    const codeGrantResponse = await o.authorizationCodeGrantRequest(
+      as,
+      client,
+      parameters,
+      provider.callbackUrl,
+      codeVerifier?.codeVerifier ?? "auth" // TODO: review fallback code verifier
+    )
+
+    let challenges: o.WWWAuthenticateChallenge[] | undefined
+    if ((challenges = o.parseWwwAuthenticateChallenges(codeGrantResponse))) {
+      for (const challenge of challenges) {
+        console.log("challenge", challenge)
+      }
+      throw new Error("TODO: Handle www-authenticate challenges as needed")
+    }
+
+    let profile: Profile = {}
+    let tokens: TokenSet
+
+    if (provider.type === "oidc") {
+      const result = await o.processAuthorizationCodeOpenIDResponse(
+        as,
+        client,
+        codeGrantResponse
+      )
+
+      if (o.isOAuth2Error(result)) {
+        console.log("error", result)
+        throw new Error("TODO: Handle OIDC response body error")
+      }
+
+      profile = o.getValidatedIdTokenClaims(result)
+      tokens = result
+    } else {
+      tokens = await o.processAuthorizationCodeOAuth2Response(
+        as,
+        client,
+        codeGrantResponse
+      )
+      if (o.isOAuth2Error(tokens as any)) {
+        console.log("error", tokens)
+        throw new Error("TODO: Handle OAuth 2.0 response body error")
+      }
+
+      if (provider.userinfo?.request) {
+        profile = await provider.userinfo.request({ tokens, provider })
+      } else if (provider.userinfo?.url) {
+        const userinfoResponse = await o.userInfoRequest(
+          as,
+          client,
+          (tokens as any).access_token
+        )
+        profile = await userinfoResponse.json()
+      }
+    }
+
+    const profileResult = await getProfile({
+      profile,
+      provider,
+      tokens,
+      logger,
+    })
+
+    return { ...profileResult, cookies: resCookies }
+  } catch (error) {
+    throw new OAuthCallbackError(error as Error)
+  }
+}
+
+interface GetProfileParams {
+  profile: Profile
+  tokens: TokenSet
+  provider: OAuthConfigInternal<any>
+  logger: LoggerInstance
+}
+
+/** Returns profile, raw profile and auth provider details */
+async function getProfile({
+  profile: OAuthProfile,
+  tokens,
+  provider,
+  logger,
+}: GetProfileParams) {
+  try {
+    logger.debug("PROFILE_DATA", { OAuthProfile })
+    const profile = await provider.profile(OAuthProfile, tokens)
+    profile.email = profile.email?.toLowerCase()
+    if (!profile.id)
+      throw new TypeError(
+        `Profile id is missing in ${provider.name} OAuth profile response`
+      )
+
+    // Return profile, raw profile and auth provider details
+    return {
+      profile,
+      account: {
+        provider: provider.id,
+        type: provider.type,
+        providerAccountId: profile.id.toString(),
+        ...tokens,
+      },
+      OAuthProfile,
+    }
+  } catch (error) {
+    // If we didn't get a response either there was a problem with the provider
+    // response *or* the user cancelled the action with the provider.
+    //
+    // Unfortuately, we can't tell which - at least not in a way that works for
+    // all providers, so we return an empty object; the user should then be
+    // redirected back to the sign up page. We log the error to help developers
+    // who might be trying to debug this when configuring a new provider.
+    logger.error("OAUTH_PARSE_PROFILE_ERROR", {
+      error: error as Error,
+      OAuthProfile,
+    })
+  }
+}
--- a/packages/core/src/lib/oauth/nonce-handler.ts
+++ b/packages/core/src/lib/oauth/nonce-handler.ts
@@ -0,0 +1,76 @@
+import * as o from "oauth4webapi"
+import * as jwt from "../../jwt"
+
+import type { InternalOptions } from "../.."
+import type { Cookie } from "../cookie"
+
+const NONCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
+
+/**
+ * Returns nonce if the provider supports it
+ * and saves it in a cookie */
+export async function createNonce(options: InternalOptions<"oauth">): Promise<
+  | undefined
+  | {
+      value: string
+      cookie: Cookie
+    }
+> {
+  const { cookies, logger, provider } = options
+  if (!provider.checks?.includes("nonce")) {
+    // Provider does not support nonce, return nothing.
+    return
+  }
+
+  const nonce = o.generateRandomNonce()
+
+  const expires = new Date()
+  expires.setTime(expires.getTime() + NONCE_MAX_AGE * 1000)
+
+  // Encrypt nonce and save it to an encrypted cookie
+  const encryptedNonce = await jwt.encode({
+    ...options.jwt,
+    maxAge: NONCE_MAX_AGE,
+    token: { nonce },
+  })
+
+  logger.debug("CREATE_ENCRYPTED_NONCE", {
+    nonce,
+    maxAge: NONCE_MAX_AGE,
+  })
+
+  return {
+    cookie: {
+      name: cookies.nonce.name,
+      value: encryptedNonce,
+      options: { ...cookies.nonce.options, expires },
+    },
+    value: nonce,
+  }
+}
+
+/**
+ * Returns nonce from if the provider supports nonce,
+ * and clears the container cookie afterwards.
+ */
+export async function useNonce(
+  nonce: string | undefined,
+  options: InternalOptions<"oauth">
+): Promise<{ value: string; cookie: Cookie } | undefined> {
+  const { cookies, provider } = options
+
+  if (!provider?.checks?.includes("nonce") || !nonce) {
+    return
+  }
+
+  const value = (await jwt.decode({ ...options.jwt, token: nonce })) as any
+
+  return {
+    value: value?.value ?? undefined,
+    cookie: {
+      name: cookies.nonce.name,
+      value: "",
+      options: { ...cookies.nonce.options, maxAge: 0 },
+    },
+  }
+}
--- a/packages/core/src/lib/oauth/pkce-handler.ts
+++ b/packages/core/src/lib/oauth/pkce-handler.ts
@@ -0,0 +1,87 @@
+import * as o from "oauth4webapi"
+import * as jwt from "../../jwt"
+
+import type { InternalOptions } from "../.."
+import type { Cookie } from "../cookie"
+
+const PKCE_CODE_CHALLENGE_METHOD = "S256"
+const PKCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
+
+/**
+ * Returns `code_challenge` and `code_challenge_method`
+ * and saves them in a cookie.
+ */
+export async function createPKCE(options: InternalOptions<"oauth">): Promise<
+  | undefined
+  | {
+      code_challenge: string
+      code_challenge_method: "S256"
+      cookie: Cookie
+    }
+> {
+  const { cookies, logger, provider } = options
+  if (!provider.checks?.includes("pkce")) {
+    // Provider does not support PKCE, return nothing.
+    return
+  }
+  const code_verifier = o.generateRandomCodeVerifier()
+  const code_challenge = await o.calculatePKCECodeChallenge(code_verifier)
+
+  const maxAge = cookies.pkceCodeVerifier.options.maxAge ?? PKCE_MAX_AGE
+
+  const expires = new Date()
+  expires.setTime(expires.getTime() + maxAge * 1000)
+
+  // Encrypt code_verifier and save it to an encrypted cookie
+  const encryptedCodeVerifier = await jwt.encode({
+    ...options.jwt,
+    maxAge,
+    token: { code_verifier },
+  })
+
+  logger.debug("CREATE_PKCE_CHALLENGE_VERIFIER", {
+    code_challenge,
+    code_challenge_method: PKCE_CODE_CHALLENGE_METHOD,
+    code_verifier,
+    maxAge,
+  })
+
+  return {
+    code_challenge,
+    code_challenge_method: PKCE_CODE_CHALLENGE_METHOD,
+    cookie: {
+      name: cookies.pkceCodeVerifier.name,
+      value: encryptedCodeVerifier,
+      options: { ...cookies.pkceCodeVerifier.options, expires },
+    },
+  }
+}
+
+/**
+ * Returns code_verifier if provider uses PKCE,
+ * and clears the container cookie afterwards.
+ */
+export async function usePKCECodeVerifier(
+  codeVerifier: string | undefined,
+  options: InternalOptions<"oauth">
+): Promise<{ codeVerifier: string; cookie: Cookie } | undefined> {
+  const { cookies, provider } = options
+
+  if (!provider?.checks?.includes("pkce") || !codeVerifier) {
+    return
+  }
+
+  const pkce = (await jwt.decode({
+    ...options.jwt,
+    token: codeVerifier,
+  })) as any
+
+  return {
+    codeVerifier: pkce?.value ?? undefined,
+    cookie: {
+      name: cookies.pkceCodeVerifier.name,
+      value: "",
+      options: { ...cookies.pkceCodeVerifier.options, maxAge: 0 },
+    },
+  }
+}
--- a/packages/core/src/lib/oauth/state-handler.ts
+++ b/packages/core/src/lib/oauth/state-handler.ts
@@ -0,0 +1,63 @@
+import type { InternalOptions } from "../.."
+import type { Cookie } from "../cookie"
+import * as o from "oauth4webapi"
+
+const STATE_MAX_AGE = 60 * 15 // 15 minutes in seconds
+
+/** Returns state if the provider supports it */
+export async function createState(
+  options: InternalOptions<"oauth">
+): Promise<{ cookie: Cookie; value: string } | undefined> {
+  const { logger, provider, jwt, cookies } = options
+
+  if (!provider.checks?.includes("state")) {
+    // Provider does not support state, return nothing
+    return
+  }
+
+  const state = o.generateRandomState()
+  const maxAge = cookies.state.options.maxAge ?? STATE_MAX_AGE
+
+  const encodedState = await jwt.encode({
+    ...jwt,
+    maxAge,
+    token: { state },
+  })
+
+  logger.debug("CREATE_STATE", { state, maxAge })
+
+  const expires = new Date()
+  expires.setTime(expires.getTime() + maxAge * 1000)
+  return {
+    value: state,
+    cookie: {
+      name: cookies.state.name,
+      value: encodedState,
+      options: { ...cookies.state.options, expires },
+    },
+  }
+}
+
+/**
+ * Returns state from if the provider supports states,
+ * and clears the container cookie afterwards.
+ */
+export async function useState(
+  state: string | undefined,
+  options: InternalOptions<"oauth">
+): Promise<{ value: string; cookie: Cookie } | undefined> {
+  const { cookies, provider, jwt } = options
+
+  if (!provider.checks?.includes("state") || !state) return
+
+  const value = (await jwt.decode({ ...options.jwt, token: state })) as any
+
+  return {
+    value: value?.value ?? undefined,
+    cookie: {
+      name: cookies.state.name,
+      value: "",
+      options: { ...cookies.pkceCodeVerifier.options, maxAge: 0 },
+    },
+  }
+}
--- a/packages/core/src/lib/pages/error.tsx
+++ b/packages/core/src/lib/pages/error.tsx
@@ -0,0 +1,113 @@
+import type { Theme } from "../.."
+
+/**
+ * The following errors are passed as error query parameters to the default or overridden error page.
+ *
+ * [Documentation](https://next-auth.js.org/configuration/pages#error-page) */
+export type ErrorType =
+  | "default"
+  | "configuration"
+  | "accessdenied"
+  | "verification"
+
+export interface ErrorProps {
+  url?: URL
+  theme?: Theme
+  error?: ErrorType
+}
+
+interface ErrorView {
+  status: number
+  heading: string
+  message: JSX.Element
+  signin?: JSX.Element
+}
+
+/** Renders an error page. */
+export default function ErrorPage(props: ErrorProps) {
+  const { url, error = "default", theme } = props
+  const signinPageUrl = `${url}/signin`
+
+  const errors: Record<ErrorType, ErrorView> = {
+    default: {
+      status: 200,
+      heading: "Error",
+      message: (
+        <p>
+          <a className="site" href={url?.origin}>
+            {url?.host}
+          </a>
+        </p>
+      ),
+    },
+    configuration: {
+      status: 500,
+      heading: "Server error",
+      message: (
+        <div>
+          <p>There is a problem with the server configuration.</p>
+          <p>Check the server logs for more information.</p>
+        </div>
+      ),
+    },
+    accessdenied: {
+      status: 403,
+      heading: "Access Denied",
+      message: (
+        <div>
+          <p>You do not have permission to sign in.</p>
+          <p>
+            <a className="button" href={signinPageUrl}>
+              Sign in
+            </a>
+          </p>
+        </div>
+      ),
+    },
+    verification: {
+      status: 403,
+      heading: "Unable to sign in",
+      message: (
+        <div>
+          <p>The sign in link is no longer valid.</p>
+          <p>It may have been used already or it may have expired.</p>
+        </div>
+      ),
+      signin: (
+        <p>
+          <a className="button" href={signinPageUrl}>
+            Sign in
+          </a>
+        </p>
+      ),
+    },
+  }
+
+  const { status, heading, message, signin } =
+    errors[error.toLowerCase()] ?? errors.default
+
+  return {
+    status,
+    html: (
+      <div className="error">
+        {theme?.brandColor && (
+          <style
+            dangerouslySetInnerHTML={{
+              __html: `
+        :root {
+          --brand-color: ${theme?.brandColor}
+        }
+      `,
+            }}
+          />
+        )}
+        {theme?.logo && <img src={theme.logo} alt="Logo" className="logo" />}
+        <div className="card">
+          <h1>{heading}</h1>
+          <div className="message">{message}</div>
+          {signin}
+        </div>
+      </div>
+    ),
+  }
+}
--- a/packages/core/src/lib/pages/index.ts
+++ b/packages/core/src/lib/pages/index.ts
@@ -0,0 +1,87 @@
+import renderToString from "preact-render-to-string"
+import css from "../styles"
+import ErrorPage from "./error"
+import SigninPage from "./signin"
+import SignoutPage from "./signout"
+import VerifyRequestPage from "./verify-request"
+
+import type { InternalOptions, RequestInternal, ResponseInternal } from "../.."
+import type { Cookie } from "../cookie"
+import type { ErrorType } from "./error"
+
+type RenderPageParams = {
+  query?: RequestInternal["query"]
+  cookies?: Cookie[]
+} & Partial<
+  Pick<
+    InternalOptions,
+    "url" | "callbackUrl" | "csrfToken" | "providers" | "theme"
+  >
+>
+
+/**
+ * Unless the user defines their [own pages](https://next-auth.js.org/configuration/pages),
+ * we render a set of default ones, using Preact SSR.
+ */
+export default function renderPage(params: RenderPageParams) {
+  const { url, theme, query, cookies } = params
+
+  function send({ html, title, status }: any): ResponseInternal {
+    return {
+      cookies,
+      status,
+      headers: { "Content-Type": "text/html" },
+      body: `<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1.0"><style>${css}</style><title>${title}</title></head><body class="__next-auth-theme-${
+        theme?.colorScheme ?? "auto"
+      }"><div class="page">${renderToString(html)}</div></body></html>`,
+    }
+  }
+
+  return {
+    signin(props?: any) {
+      return send({
+        html: SigninPage({
+          csrfToken: params.csrfToken,
+          // We only want to render providers
+          providers: params.providers?.filter(
+            (provider) =>
+              // Always render oauth and email type providers
+              ["email", "oauth", "oidc"].includes(provider.type) ||
+              // Only render credentials type provider if credentials are defined
+              (provider.type === "credentials" && provider.credentials) ||
+              // Don't render other provider types
+              false
+          ),
+          callbackUrl: params.callbackUrl,
+          theme,
+          ...query,
+          ...props,
+        }),
+        title: "Sign In",
+      })
+    },
+    signout(props?: any) {
+      return send({
+        html: SignoutPage({
+          csrfToken: params.csrfToken,
+          url,
+          theme,
+          ...props,
+        }),
+        title: "Sign Out",
+      })
+    },
+    verifyRequest(props?: any) {
+      return send({
+        html: VerifyRequestPage({ url, theme, ...props }),
+        title: "Verify Request",
+      })
+    },
+    error(props?: { error?: ErrorType }) {
+      return send({
+        ...ErrorPage({ url, theme, ...props }),
+        title: "Error",
+      })
+    },
+  }
+}
--- a/packages/core/src/lib/pages/signin.tsx
+++ b/packages/core/src/lib/pages/signin.tsx
@@ -0,0 +1,184 @@
+import type { InternalProvider, Theme } from "../.."
+import type { CSSProperties } from "react"
+
+/**
+ * The following errors are passed as error query parameters to the default or overridden sign-in page.
+ *
+ * [Documentation](https://next-auth.js.org/configuration/pages#sign-in-page) */
+export type SignInErrorTypes =
+  | "Signin"
+  | "OAuthSignin"
+  | "OAuthCallback"
+  | "OAuthCreateAccount"
+  | "EmailCreateAccount"
+  | "Callback"
+  | "OAuthAccountNotLinked"
+  | "EmailSignin"
+  | "CredentialsSignin"
+  | "SessionRequired"
+  | "default"
+
+export interface SignInServerPageParams {
+  csrfToken: string
+  providers: InternalProvider[]
+  callbackUrl: string
+  email: string
+  error: SignInErrorTypes
+  theme: Theme
+}
+
+export default function SigninPage(props: SignInServerPageParams) {
+  const {
+    csrfToken,
+    providers = [],
+    callbackUrl,
+    theme,
+    email,
+    error: errorType,
+  } = props
+
+  if (typeof document !== "undefined" && theme.brandColor) {
+    document.documentElement.style.setProperty(
+      "--brand-color",
+      theme.brandColor
+    )
+  }
+
+  const errors: Record<SignInErrorTypes, string> = {
+    Signin: "Try signing in with a different account.",
+    OAuthSignin: "Try signing in with a different account.",
+    OAuthCallback: "Try signing in with a different account.",
+    OAuthCreateAccount: "Try signing in with a different account.",
+    EmailCreateAccount: "Try signing in with a different account.",
+    Callback: "Try signing in with a different account.",
+    OAuthAccountNotLinked:
+      "To confirm your identity, sign in with the same account you used originally.",
+    EmailSignin: "The e-mail could not be sent.",
+    CredentialsSignin:
+      "Sign in failed. Check the details you provided are correct.",
+    SessionRequired: "Please sign in to access this page.",
+    default: "Unable to sign in.",
+  }
+
+  const error = errorType && (errors[errorType] ?? errors.default)
+
+  // TODO: move logos
+  const logos =
+    "https://raw.githubusercontent.com/nextauthjs/next-auth/main/packages/next-auth/provider-logos"
+  return (
+    <div className="signin">
+      {theme.brandColor && (
+        <style
+          dangerouslySetInnerHTML={{
+            __html: `:root {--brand-color: ${theme.brandColor}}`,
+          }}
+        />
+      )}
+      {theme.logo && <img src={theme.logo} alt="Logo" className="logo" />}
+      <div className="card">
+        {error && (
+          <div className="error">
+            <p>{error}</p>
+          </div>
+        )}
+        {providers.map((provider, i) => (
+          <div key={provider.id} className="provider">
+            {provider.type === "oauth" || provider.type === "oidc" ? (
+              <form action={provider.signinUrl} method="POST">
+                <input type="hidden" name="csrfToken" value={csrfToken} />
+                {callbackUrl && (
+                  <input type="hidden" name="callbackUrl" value={callbackUrl} />
+                )}
+                <button
+                  type="submit"
+                  className="button"
+                  style={
+                    // eslint-disable-next-line
+                    {
+                      "--provider-bg": provider.style?.bg ?? "",
+                      "--provider-dark-bg": provider.style?.bgDark ?? "",
+                      "--provider-color": provider.style?.text ?? "",
+                      "--provider-dark-color": provider.style?.textDark ?? "",
+                    } as CSSProperties
+                  }
+                >
+                  {provider.style?.logo && (
+                    <img
+                      id="provider-logo"
+                      src={`${
+                        provider.style.logo.startsWith("/") ? logos : ""
+                      }${provider.style.logo}`}
+                    />
+                  )}
+                  {provider.style?.logoDark && (
+                    <img
+                      id="provider-logo-dark"
+                      src={`${
+                        provider.style.logo.startsWith("/") ? logos : ""
+                      }${provider.style.logoDark}`}
+                    />
+                  )}
+                  <span>Sign in with {provider.name}</span>
+                </button>
+              </form>
+            ) : null}
+            {(provider.type === "email" || provider.type === "credentials") &&
+              i > 0 &&
+              providers[i - 1].type !== "email" &&
+              providers[i - 1].type !== "credentials" && <hr />}
+            {provider.type === "email" && (
+              <form action={provider.signinUrl} method="POST">
+                <input type="hidden" name="csrfToken" value={csrfToken} />
+                <label
+                  className="section-header"
+                  htmlFor={`input-email-for-${provider.id}-provider`}
+                >
+                  Email
+                </label>
+                <input
+                  id={`input-email-for-${provider.id}-provider`}
+                  autoFocus
+                  type="email"
+                  name="email"
+                  value={email}
+                  placeholder="email@example.com"
+                  required
+                />
+                <button type="submit">Sign in with {provider.name}</button>
+              </form>
+            )}
+            {provider.type === "credentials" && (
+              <form action={provider.callbackUrl} method="POST">
+                <input type="hidden" name="csrfToken" value={csrfToken} />
+                {Object.keys(provider.credentials).map((credential) => {
+                  return (
+                    <div key={`input-group-${provider.id}`}>
+                      <label
+                        className="section-header"
+                        htmlFor={`input-${credential}-for-${provider.id}-provider`}
+                      >
+                        {provider.credentials[credential].label ?? credential}
+                      </label>
+                      <input
+                        name={credential}
+                        id={`input-${credential}-for-${provider.id}-provider`}
+                        type={provider.credentials[credential].type ?? "text"}
+                        placeholder={
+                          provider.credentials[credential].placeholder ?? ""
+                        }
+                        {...provider.credentials[credential]}
+                      />
+                    </div>
+                  )
+                })}
+                <button type="submit">Sign in with {provider.name}</button>
+              </form>
+            )}
+            {(provider.type === "email" || provider.type === "credentials") &&
+              i + 1 < providers.length && <hr />}
+          </div>
+        ))}
+      </div>
+    </div>
+  )
+}
--- a/packages/core/src/lib/pages/signout.tsx
+++ b/packages/core/src/lib/pages/signout.tsx
@@ -0,0 +1,36 @@
+import type { Theme } from "../.."
+
+export interface SignoutProps {
+  url: URL
+  csrfToken: string
+  theme: Theme
+}
+
+export default function SignoutPage(props: SignoutProps) {
+  const { url, csrfToken, theme } = props
+
+  return (
+    <div className="signout">
+      {theme.brandColor && (
+        <style
+          dangerouslySetInnerHTML={{
+            __html: `
+        :root {
+          --brand-color: ${theme.brandColor}
+        }
+      `,
+          }}
+        />
+      )}
+      {theme.logo && <img src={theme.logo} alt="Logo" className="logo" />}
+      <div className="card">
+        <h1>Signout</h1>
+        <p>Are you sure you want to sign out?</p>
+        <form action={`${url}/signout`} method="POST">
+          <input type="hidden" name="csrfToken" value={csrfToken} />
+          <button type="submit">Sign out</button>
+        </form>
+      </div>
+    </div>
+  )
+}
--- a/packages/core/src/lib/pages/verify-request.tsx
+++ b/packages/core/src/lib/pages/verify-request.tsx
@@ -0,0 +1,36 @@
+import type { Theme } from "../.."
+
+interface VerifyRequestPageProps {
+  url: URL
+  theme: Theme
+}
+
+export default function VerifyRequestPage(props: VerifyRequestPageProps) {
+  const { url, theme } = props
+
+  return (
+    <div className="verify-request">
+      {theme.brandColor && (
+        <style
+          dangerouslySetInnerHTML={{
+            __html: `
+        :root {
+          --brand-color: ${theme.brandColor}
+        }
+      `,
+          }}
+        />
+      )}
+      {theme.logo && <img src={theme.logo} alt="Logo" className="logo" />}
+      <div className="card">
+        <h1>Check your email</h1>
+        <p>A sign in link has been sent to your email address.</p>
+        <p>
+          <a className="site" href={url.origin}>
+            {url.host}
+          </a>
+        </p>
+      </div>
+    </div>
+  )
+}
--- a/packages/core/src/lib/providers.ts
+++ b/packages/core/src/lib/providers.ts
@@ -0,0 +1,101 @@
+import { merge } from "./utils/merge"
+
+import type { InternalProvider } from ".."
+import type {
+  OAuthConfig,
+  OAuthConfigInternal,
+  OAuthEndpointType,
+  OAuthUserConfig,
+  Provider,
+} from "../providers"
+
+/**
+ * Adds `signinUrl` and `callbackUrl` to each provider
+ * and deep merge user-defined options.
+ */
+export default function parseProviders(params: {
+  providers: Provider[]
+  url: URL
+  providerId?: string
+}): {
+  providers: InternalProvider[]
+  provider?: InternalProvider
+} {
+  const { url, providerId } = params
+
+  const providers = params.providers.map((provider) => {
+    const { options: userOptions, ...defaults } = provider
+
+    const id = (userOptions?.id ?? defaults.id) as string
+    const merged = merge(defaults, userOptions, {
+      signinUrl: `${url}/signin/${id}`,
+      callbackUrl: `${url}/callback/${id}`,
+    })
+
+    if (provider.type === "oauth" || provider.type === "oidc") {
+      return normalizeOAuth(merged)
+    }
+
+    return merged
+  })
+
+  return {
+    providers,
+    provider: providers.find(({ id }) => id === providerId),
+  }
+}
+
+function normalizeOAuth(
+  c?: OAuthConfig<any> | OAuthUserConfig<any>
+): OAuthConfigInternal<any> | {} {
+  if (!c) return {}
+
+  if (c.issuer) c.wellKnown ??= `${c.issuer}/.well-known/openid-configuration`
+
+  const authorization = normalizeEndpoint(c.authorization, c.issuer)
+  if (authorization && !authorization.url?.searchParams.has("scope")) {
+    authorization.url.searchParams.set("scope", "openid profile email")
+  }
+
+  const token = normalizeEndpoint(c.token, c.issuer)
+
+  const userinfo = normalizeEndpoint(c.userinfo, c.issuer)
+
+  return {
+    ...c,
+    authorization,
+    token,
+    checks: c.checks ?? ["pkce"],
+    userinfo,
+    profile: c.profile ?? defaultProfile,
+  }
+}
+
+function defaultProfile(profile: any) {
+  return {
+    id: profile.sub ?? profile.id,
+    name:
+      profile.name ?? profile.nickname ?? profile.preferred_username ?? null,
+    email: profile.email ?? null,
+    image: profile.picture ?? null,
+  }
+}
+function normalizeEndpoint(
+  e?: OAuthConfig<any>[OAuthEndpointType],
+  issuer?: string
+): OAuthConfigInternal<any>[OAuthEndpointType] {
+  if (!e || issuer) return
+  if (typeof e === "string") {
+    return { url: new URL(e) }
+  }
+  // If v.url is undefined, it's because the provider config
+  // assumes that we will use the issuer endpoint.
+  // The existence of either v.url or provider.issuer is checked in
+  // assert.ts
+  // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+  const url = new URL(e.url!)
+  // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-assertion
+  for (const k in e.params) url.searchParams.set(k, e.params[k] as any)
+
+  return { url }
+}
--- a/packages/core/src/lib/routes/callback.ts
+++ b/packages/core/src/lib/routes/callback.ts
@@ -0,0 +1,420 @@
+import callbackHandler from "../callback-handler"
+import getAdapterUserFromEmail from "../email/getUserFromEmail"
+import { handleOAuthCallback } from "../oauth/callback"
+import { createHash } from "../web"
+
+import type { RequestInternal, ResponseInternal, User } from "../.."
+import type { AdapterSession } from "../../adapters"
+import type { Cookie, SessionStore } from "../cookie"
+import type { InternalOptions } from "../types"
+
+/** Handle callbacks from login services */
+export async function callback(params: {
+  options: InternalOptions
+  query: RequestInternal["query"]
+  method: Required<RequestInternal>["method"]
+  body: RequestInternal["body"]
+  headers: RequestInternal["headers"]
+  cookies: RequestInternal["cookies"]
+  sessionStore: SessionStore
+}): Promise<ResponseInternal> {
+  const { options, query, body, method, headers, sessionStore } = params
+  const {
+    provider,
+    adapter,
+    url,
+    callbackUrl,
+    pages,
+    jwt,
+    events,
+    callbacks,
+    session: { strategy: sessionStrategy, maxAge: sessionMaxAge },
+    logger,
+  } = options
+
+  const cookies: Cookie[] = []
+
+  const useJwtSession = sessionStrategy === "jwt"
+
+  if (provider.type === "oauth" || provider.type === "oidc") {
+    try {
+      const {
+        profile,
+        account,
+        OAuthProfile,
+        cookies: oauthCookies,
+      } = await handleOAuthCallback({
+        query,
+        body,
+        options,
+        cookies: params.cookies,
+      })
+
+      if (oauthCookies.length) cookies.push(...oauthCookies)
+
+      try {
+        // Make it easier to debug when adding a new provider
+        logger.debug("OAUTH_CALLBACK_RESPONSE", {
+          profile,
+          account,
+          OAuthProfile,
+        })
+
+        // If we don't have a profile object then either something went wrong
+        // or the user cancelled signing in. We don't know which, so we just
+        // direct the user to the signin page for now. We could do something
+        // else in future.
+        //
+        // Note: In oAuthCallback an error is logged with debug info, so it
+        // should at least be visible to developers what happened if it is an
+        // error with the provider.
+        if (!profile || !account || !OAuthProfile) {
+          return { redirect: `${url}/signin`, cookies }
+        }
+
+        // Check if user is allowed to sign in
+        // Attempt to get Profile from OAuth provider details before invoking
+        // signIn callback - but if no user object is returned, that is fine
+        // (that just means it's a new user signing in for the first time).
+        let userOrProfile = profile
+        if (adapter) {
+          const { getUserByAccount } = adapter
+          const userByAccount = await getUserByAccount({
+            providerAccountId: account.providerAccountId,
+            provider: provider.id,
+          })
+
+          if (userByAccount) userOrProfile = userByAccount
+        }
+
+        try {
+          const isAllowed = await callbacks.signIn({
+            user: userOrProfile,
+            account,
+            profile: OAuthProfile,
+          })
+          if (!isAllowed) {
+            return { redirect: `${url}/error?error=AccessDenied`, cookies }
+          } else if (typeof isAllowed === "string") {
+            return { redirect: isAllowed, cookies }
+          }
+        } catch (error) {
+          return {
+            redirect: `${url}/error?error=${encodeURIComponent(
+              (error as Error).message
+            )}`,
+            cookies,
+          }
+        }
+
+        // Sign user in
+        const { user, session, isNewUser } = await callbackHandler({
+          sessionToken: sessionStore.value,
+          profile,
+          account,
+          options,
+        })
+
+        if (useJwtSession) {
+          const defaultToken = {
+            name: user.name,
+            email: user.email,
+            picture: user.image,
+            sub: user.id?.toString(),
+          }
+          const token = await callbacks.jwt({
+            token: defaultToken,
+            user,
+            account,
+            profile: OAuthProfile,
+            isNewUser,
+          })
+
+          // Encode token
+          const newToken = await jwt.encode({ ...jwt, token })
+
+          // Set cookie expiry date
+          const cookieExpires = new Date()
+          cookieExpires.setTime(cookieExpires.getTime() + sessionMaxAge * 1000)
+
+          const sessionCookies = sessionStore.chunk(newToken, {
+            expires: cookieExpires,
+          })
+          cookies.push(...sessionCookies)
+        } else {
+          // Save Session Token in cookie
+          cookies.push({
+            name: options.cookies.sessionToken.name,
+            value: (session as AdapterSession).sessionToken,
+            options: {
+              ...options.cookies.sessionToken.options,
+              expires: (session as AdapterSession).expires,
+            },
+          })
+        }
+
+        // @ts-expect-error
+        await events.signIn?.({ user, account, profile, isNewUser })
+
+        // Handle first logins on new accounts
+        // e.g. option to send users to a new account landing page on initial login
+        // Note that the callback URL is preserved, so the journey can still be resumed
+        if (isNewUser && pages.newUser) {
+          return {
+            redirect: `${pages.newUser}${
+              pages.newUser.includes("?") ? "&" : "?"
+            }callbackUrl=${encodeURIComponent(callbackUrl)}`,
+            cookies,
+          }
+        }
+
+        // Callback URL is already verified at this point, so safe to use if specified
+        return { redirect: callbackUrl, cookies }
+      } catch (error) {
+        if ((error as Error).name === "AccountNotLinkedError") {
+          // If the email on the account is already linked, but not with this OAuth account
+          return {
+            redirect: `${url}/error?error=OAuthAccountNotLinked`,
+            cookies,
+          }
+        } else if ((error as Error).name === "CreateUserError") {
+          return { redirect: `${url}/error?error=OAuthCreateAccount`, cookies }
+        }
+        logger.error("OAUTH_CALLBACK_HANDLER_ERROR", error as Error)
+        return { redirect: `${url}/error?error=Callback`, cookies }
+      }
+    } catch (error) {
+      if ((error as Error).name === "OAuthCallbackError") {
+        logger.error("OAUTH_CALLBACK_ERROR", {
+          error: error as Error,
+          providerId: provider.id,
+        })
+        return { redirect: `${url}/error?error=OAuthCallback`, cookies }
+      }
+      logger.error("OAUTH_CALLBACK_ERROR", error as Error)
+      return { redirect: `${url}/error?error=Callback`, cookies }
+    }
+  } else if (provider.type === "email") {
+    try {
+      const token = query?.token as string | undefined
+      const identifier = query?.email as string | undefined
+
+      // If these are missing, the sign-in URL was manually opened without these params or the `sendVerificationRequest` method did not send the link correctly in the email.
+      if (!token || !identifier) {
+        return { redirect: `${url}/error?error=configuration`, cookies }
+      }
+
+      const secret = provider.secret ?? options.secret
+      // @ts-expect-error -- Verified in `assertConfig`. adapter: Adapter<true>
+      const invite = await adapter.useVerificationToken({
+        identifier,
+        token: await createHash(`${token}${secret}`),
+      })
+
+      const invalidInvite = !invite || invite.expires.valueOf() < Date.now()
+      if (invalidInvite) {
+        return { redirect: `${url}/error?error=Verification`, cookies }
+      }
+
+      const profile = await getAdapterUserFromEmail({
+        email: identifier,
+        // @ts-expect-error -- Verified in `assertConfig`. adapter: Adapter<true>
+        adapter,
+      })
+
+      const account = {
+        providerAccountId: profile.email,
+        type: "email" as const,
+        provider: provider.id,
+      }
+
+      // Check if user is allowed to sign in
+      try {
+        const signInCallbackResponse = await callbacks.signIn({
+          user: profile,
+          account,
+        })
+        if (!signInCallbackResponse) {
+          return { redirect: `${url}/error?error=AccessDenied`, cookies }
+        } else if (typeof signInCallbackResponse === "string") {
+          return { redirect: signInCallbackResponse, cookies }
+        }
+      } catch (error) {
+        return {
+          redirect: `${url}/error?error=${encodeURIComponent(
+            (error as Error).message
+          )}`,
+          cookies,
+        }
+      }
+
+      // Sign user in
+      const { user, session, isNewUser } = await callbackHandler({
+        sessionToken: sessionStore.value,
+        profile,
+        account,
+        options,
+      })
+
+      if (useJwtSession) {
+        const defaultToken = {
+          name: user.name,
+          email: user.email,
+          picture: user.image,
+          sub: user.id?.toString(),
+        }
+        const token = await callbacks.jwt({
+          token: defaultToken,
+          user,
+          account,
+          isNewUser,
+        })
+
+        // Encode token
+        const newToken = await jwt.encode({ ...jwt, token })
+
+        // Set cookie expiry date
+        const cookieExpires = new Date()
+        cookieExpires.setTime(cookieExpires.getTime() + sessionMaxAge * 1000)
+
+        const sessionCookies = sessionStore.chunk(newToken, {
+          expires: cookieExpires,
+        })
+        cookies.push(...sessionCookies)
+      } else {
+        // Save Session Token in cookie
+        cookies.push({
+          name: options.cookies.sessionToken.name,
+          value: (session as AdapterSession).sessionToken,
+          options: {
+            ...options.cookies.sessionToken.options,
+            expires: (session as AdapterSession).expires,
+          },
+        })
+      }
+
+      await events.signIn?.({ user, account, isNewUser })
+
+      // Handle first logins on new accounts
+      // e.g. option to send users to a new account landing page on initial login
+      // Note that the callback URL is preserved, so the journey can still be resumed
+      if (isNewUser && pages.newUser) {
+        return {
+          redirect: `${pages.newUser}${
+            pages.newUser.includes("?") ? "&" : "?"
+          }callbackUrl=${encodeURIComponent(callbackUrl)}`,
+          cookies,
+        }
+      }
+
+      // Callback URL is already verified at this point, so safe to use if specified
+      return { redirect: callbackUrl, cookies }
+    } catch (error) {
+      if ((error as Error).name === "CreateUserError") {
+        return { redirect: `${url}/error?error=EmailCreateAccount`, cookies }
+      }
+      logger.error("CALLBACK_EMAIL_ERROR", error as Error)
+      return { redirect: `${url}/error?error=Callback`, cookies }
+    }
+  } else if (provider.type === "credentials" && method === "POST") {
+    const credentials = body
+
+    let user: User | null
+    try {
+      user = await provider.authorize(credentials, {
+        query,
+        body,
+        headers,
+        method,
+      })
+      if (!user) {
+        return {
+          status: 401,
+          redirect: `${url}/error?${new URLSearchParams({
+            error: "CredentialsSignin",
+            provider: provider.id,
+          })}`,
+          cookies,
+        }
+      }
+    } catch (error) {
+      return {
+        status: 401,
+        redirect: `${url}/error?error=${encodeURIComponent(
+          (error as Error).message
+        )}`,
+        cookies,
+      }
+    }
+
+    /** @type {import("src").Account} */
+    const account = {
+      providerAccountId: user.id,
+      type: "credentials",
+      provider: provider.id,
+    }
+
+    try {
+      const isAllowed = await callbacks.signIn({
+        user,
+        // @ts-expect-error
+        account,
+        credentials,
+      })
+      if (!isAllowed) {
+        return {
+          status: 403,
+          redirect: `${url}/error?error=AccessDenied`,
+          cookies,
+        }
+      } else if (typeof isAllowed === "string") {
+        return { redirect: isAllowed, cookies }
+      }
+    } catch (error) {
+      return {
+        redirect: `${url}/error?error=${encodeURIComponent(
+          (error as Error).message
+        )}`,
+        cookies,
+      }
+    }
+
+    const defaultToken = {
+      name: user.name,
+      email: user.email,
+      picture: user.image,
+      sub: user.id?.toString(),
+    }
+
+    const token = await callbacks.jwt({
+      token: defaultToken,
+      user,
+      // @ts-expect-error
+      account,
+      isNewUser: false,
+    })
+
+    // Encode token
+    const newToken = await jwt.encode({ ...jwt, token })
+
+    // Set cookie expiry date
+    const cookieExpires = new Date()
+    cookieExpires.setTime(cookieExpires.getTime() + sessionMaxAge * 1000)
+
+    const sessionCookies = sessionStore.chunk(newToken, {
+      expires: cookieExpires,
+    })
+
+    cookies.push(...sessionCookies)
+
+    // @ts-expect-error
+    await events.signIn?.({ user, account })
+
+    return { redirect: callbackUrl, cookies }
+  }
+  return {
+    status: 500,
+    body: `Error: Callback for provider type ${provider.type} not supported`,
+    cookies,
+  }
+}
--- a/packages/core/src/lib/routes/index.ts
+++ b/packages/core/src/lib/routes/index.ts
@@ -0,0 +1,5 @@
+export { callback } from "./callback"
+export { providers } from "./providers"
+export { session } from "./session"
+export { signin } from "./signin"
+export { signout } from "./signout"
--- a/packages/core/src/lib/routes/providers.ts
+++ b/packages/core/src/lib/routes/providers.ts
@@ -0,0 +1,29 @@
+import type { InternalProvider, ResponseInternal } from "../.."
+
+export interface PublicProvider {
+  id: string
+  name: string
+  type: string
+  signinUrl: string
+  callbackUrl: string
+}
+
+/**
+ * Return a JSON object with a list of all OAuth providers currently configured
+ * and their signin and callback URLs. This makes it possible to automatically
+ * generate buttons for all providers when rendering client side.
+ */
+export function providers(
+  providers: InternalProvider[]
+): ResponseInternal<Record<string, PublicProvider>> {
+  return {
+    headers: { "Content-Type": "application/json" },
+    body: providers.reduce<Record<string, PublicProvider>>(
+      (acc, { id, name, type, signinUrl, callbackUrl }) => {
+        acc[id] = { id, name, type, signinUrl, callbackUrl }
+        return acc
+      },
+      {}
+    ),
+  }
+}
--- a/packages/core/src/lib/routes/session.ts
+++ b/packages/core/src/lib/routes/session.ts
@@ -0,0 +1,165 @@
+import { fromDate } from "../utils/date"
+
+import type { InternalOptions, ResponseInternal, Session } from "../.."
+import type { Adapter } from "../../adapters"
+import type { SessionStore } from "../cookie"
+
+interface SessionParams {
+  options: InternalOptions
+  sessionStore: SessionStore
+}
+
+/**
+ * Return a session object (without any private fields)
+ * for Single Page App clients
+ */
+
+export async function session(
+  params: SessionParams
+): Promise<ResponseInternal<Session | {}>> {
+  const { options, sessionStore } = params
+  const {
+    adapter,
+    jwt,
+    events,
+    callbacks,
+    logger,
+    session: { strategy: sessionStrategy, maxAge: sessionMaxAge },
+  } = options
+
+  const response: ResponseInternal<Session | {}> = {
+    body: {},
+    headers: { "Content-Type": "application/json" },
+    cookies: [],
+  }
+
+  const sessionToken = sessionStore.value
+
+  if (!sessionToken) return response
+
+  if (sessionStrategy === "jwt") {
+    try {
+      const decodedToken = await jwt.decode({
+        ...jwt,
+        token: sessionToken,
+      })
+
+      const newExpires = fromDate(sessionMaxAge)
+
+      // By default, only exposes a limited subset of information to the client
+      // as needed for presentation purposes (e.g. "you are logged in as...").
+      const session = {
+        user: {
+          name: decodedToken?.name,
+          email: decodedToken?.email,
+          image: decodedToken?.picture,
+        },
+        expires: newExpires.toISOString(),
+      }
+
+      // @ts-expect-error
+      const token = await callbacks.jwt({ token: decodedToken })
+      // @ts-expect-error
+      const newSession = await callbacks.session({ session, token })
+
+      // Return session payload as response
+      response.body = newSession
+
+      // Refresh JWT expiry by re-signing it, with an updated expiry date
+      const newToken = await jwt.encode({
+        ...jwt,
+        token,
+        maxAge: options.session.maxAge,
+      })
+
+      // Set cookie, to also update expiry date on cookie
+      const sessionCookies = sessionStore.chunk(newToken, {
+        expires: newExpires,
+      })
+
+      response.cookies?.push(...sessionCookies)
+
+      await events.session?.({ session: newSession, token })
+    } catch (error) {
+      // If JWT not verifiable, make sure the cookie for it is removed and return empty object
+      logger.error("JWT_SESSION_ERROR", error as Error)
+
+      response.cookies?.push(...sessionStore.clean())
+    }
+  } else {
+    try {
+      const { getSessionAndUser, deleteSession, updateSession } =
+        adapter as Adapter
+      let userAndSession = await getSessionAndUser(sessionToken)
+
+      // If session has expired, clean up the database
+      if (
+        userAndSession &&
+        userAndSession.session.expires.valueOf() < Date.now()
+      ) {
+        await deleteSession(sessionToken)
+        userAndSession = null
+      }
+
+      if (userAndSession) {
+        const { user, session } = userAndSession
+
+        const sessionUpdateAge = options.session.updateAge
+        // Calculate last updated date to throttle write updates to database
+        // Formula: ({expiry date} - sessionMaxAge) + sessionUpdateAge
+        //     e.g. ({expiry date} - 30 days) + 1 hour
+        const sessionIsDueToBeUpdatedDate =
+          session.expires.valueOf() -
+          sessionMaxAge * 1000 +
+          sessionUpdateAge * 1000
+
+        const newExpires = fromDate(sessionMaxAge)
+        // Trigger update of session expiry date and write to database, only
+        // if the session was last updated more than {sessionUpdateAge} ago
+        if (sessionIsDueToBeUpdatedDate <= Date.now()) {
+          await updateSession({ sessionToken, expires: newExpires })
+        }
+
+        // Pass Session through to the session callback
+        // @ts-expect-error
+        const sessionPayload = await callbacks.session({
+          // By default, only exposes a limited subset of information to the client
+          // as needed for presentation purposes (e.g. "you are logged in as...").
+          session: {
+            user: {
+              name: user.name,
+              email: user.email,
+              image: user.image,
+            },
+            expires: session.expires.toISOString(),
+          },
+          user,
+        })
+
+        // Return session payload as response
+        response.body = sessionPayload
+
+        // Set cookie again to update expiry
+        response.cookies?.push({
+          name: options.cookies.sessionToken.name,
+          value: sessionToken,
+          options: {
+            ...options.cookies.sessionToken.options,
+            expires: newExpires,
+          },
+        })
+
+        // @ts-expect-error
+        await events.session?.({ session: sessionPayload })
+      } else if (sessionToken) {
+        // If `sessionToken` was found set but it's not valid for a session then
+        // remove the sessionToken cookie from browser.
+        response.cookies?.push(...sessionStore.clean())
+      }
+    } catch (error) {
+      logger.error("SESSION_ERROR", error as Error)
+    }
+  }
+
+  return response
+}
--- a/packages/core/src/lib/routes/signin.ts
+++ b/packages/core/src/lib/routes/signin.ts
@@ -0,0 +1,103 @@
+import getAdapterUserFromEmail from "../email/getUserFromEmail"
+import emailSignin from "../email/signin"
+import { getAuthorizationUrl } from "../oauth/authorization-url"
+
+import type {
+  Account,
+  InternalOptions,
+  RequestInternal,
+  ResponseInternal,
+} from "../.."
+
+/** Handle requests to /api/auth/signin */
+export async function signin(params: {
+  options: InternalOptions<"oauth" | "email">
+  query: RequestInternal["query"]
+  body: RequestInternal["body"]
+}): Promise<ResponseInternal> {
+  const { options, query, body } = params
+  const { url, callbacks, logger, provider } = options
+
+  if (!provider.type) {
+    return {
+      status: 500,
+      // @ts-expect-error
+      text: `Error: Type not specified for ${provider.name}`,
+    }
+  }
+
+  if (provider.type === "oauth" || provider.type === "oidc") {
+    try {
+      return await getAuthorizationUrl({ options, query })
+    } catch (error) {
+      logger.error("SIGNIN_OAUTH_ERROR", {
+        error: error as Error,
+        providerId: provider.id,
+      })
+      return { redirect: `${url}/error?error=OAuthSignin` }
+    }
+  } else if (provider.type === "email") {
+    let email: string = body?.email
+    if (!email) return { redirect: `${url}/error?error=EmailSignin` }
+    const normalizer: (identifier: string) => string =
+      provider.normalizeIdentifier ??
+      ((identifier) => {
+        // Get the first two elements only,
+        // separated by `@` from user input.
+        let [local, domain] = identifier.toLowerCase().trim().split("@")
+        // The part before "@" can contain a ","
+        // but we remove it on the domain part
+        domain = domain.split(",")[0]
+        return `${local}@${domain}`
+      })
+
+    try {
+      email = normalizer(body?.email)
+    } catch (error) {
+      logger.error("SIGNIN_EMAIL_ERROR", { error, providerId: provider.id })
+      return { redirect: `${url}/error?error=EmailSignin` }
+    }
+
+    const user = await getAdapterUserFromEmail({
+      email,
+      // @ts-expect-error -- Verified in `assertConfig`. adapter: Adapter<true>
+      adapter: options.adapter,
+    })
+
+    const account: Account = {
+      providerAccountId: email,
+      userId: email,
+      type: "email",
+      provider: provider.id,
+    }
+
+    // Check if user is allowed to sign in
+    try {
+      const signInCallbackResponse = await callbacks.signIn({
+        user,
+        account,
+        email: { verificationRequest: true },
+      })
+      if (!signInCallbackResponse) {
+        return { redirect: `${url}/error?error=AccessDenied` }
+      } else if (typeof signInCallbackResponse === "string") {
+        return { redirect: signInCallbackResponse }
+      }
+    } catch (error) {
+      return {
+        redirect: `${url}/error?${new URLSearchParams({
+          error: error as string,
+        })}`,
+      }
+    }
+
+    try {
+      const redirect = await emailSignin(email, options)
+      return { redirect }
+    } catch (error) {
+      logger.error("SIGNIN_EMAIL_ERROR", { error, providerId: provider.id })
+      return { redirect: `${url}/error?error=EmailSignin` }
+    }
+  }
+  return { redirect: `${url}/signin` }
+}
--- a/packages/core/src/lib/routes/signout.ts
+++ b/packages/core/src/lib/routes/signout.ts
@@ -0,0 +1,44 @@
+import type { InternalOptions, ResponseInternal } from "../.."
+import type { Adapter } from "../../adapters"
+import type { SessionStore } from "../cookie"
+
+/** Handle requests to /api/auth/signout */
+export async function signout(params: {
+  options: InternalOptions
+  sessionStore: SessionStore
+}): Promise<ResponseInternal> {
+  const { options, sessionStore } = params
+  const { adapter, events, jwt, callbackUrl, logger, session } = options
+
+  const sessionToken = sessionStore?.value
+  if (!sessionToken) {
+    return { redirect: callbackUrl }
+  }
+
+  if (session.strategy === "jwt") {
+    // Dispatch signout event
+    try {
+      const decodedJwt = await jwt.decode({ ...jwt, token: sessionToken })
+      // @ts-expect-error
+      await events.signOut?.({ token: decodedJwt })
+    } catch (error) {
+      // Do nothing if decoding the JWT fails
+      logger.error("SIGNOUT_ERROR", error)
+    }
+  } else {
+    try {
+      const session = await (adapter as Adapter).deleteSession(sessionToken)
+      // Dispatch signout event
+      // @ts-expect-error
+      await events.signOut?.({ session })
+    } catch (error) {
+      // If error, log it but continue
+      logger.error("SIGNOUT_ERROR", error as Error)
+    }
+  }
+
+  // Remove Session Token
+  const sessionCookies = sessionStore.clean()
+
+  return { redirect: callbackUrl, cookies: sessionCookies }
+}
--- a/packages/core/src/lib/styles/index.css
+++ b/packages/core/src/lib/styles/index.css
@@ -0,0 +1,290 @@
+:root {
+  --border-width: 1px;
+  --border-radius: 0.5rem;
+  --color-error: #c94b4b;
+  --color-info: #157efb;
+  --color-info-text: #fff;
+}
+
+.__next-auth-theme-auto,
+.__next-auth-theme-light {
+  --color-background: #fff;
+  --color-text: #000;
+  --color-primary: #444;
+  --color-control-border: #bbb;
+  --color-button-active-background: #f9f9f9;
+  --color-button-active-border: #aaa;
+  --color-seperator: #ccc;
+}
+
+.__next-auth-theme-dark {
+  --color-background: #000;
+  --color-text: #fff;
+  --color-primary: #ccc;
+  --color-control-border: #555;
+  --color-button-active-background: #060606;
+  --color-button-active-border: #666;
+  --color-seperator: #444;
+}
+
+@media (prefers-color-scheme: dark) {
+  .__next-auth-theme-auto {
+    --color-background: #000;
+    --color-text: #fff;
+    --color-primary: #ccc;
+    --color-control-border: #555;
+    --color-button-active-background: #060606;
+    --color-button-active-border: #666;
+    --color-seperator: #444;
+  }
+}
+
+body {
+  background-color: var(--color-background);
+  margin: 0;
+  padding: 0;
+  font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont,
+    "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif,
+    "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
+}
+
+h1 {
+  font-weight: 400;
+  margin-bottom: 1.5rem;
+  padding: 0 1rem;
+  color: var(--color-text);
+}
+
+p {
+  color: var(--color-text);
+}
+
+form {
+  margin: 0;
+  padding: 0;
+}
+
+label {
+  font-weight: 500;
+  text-align: left;
+  margin-bottom: 0.25rem;
+  display: block;
+  color: var(--color-text);
+}
+
+input[type] {
+  box-sizing: border-box;
+  display: block;
+  width: 100%;
+  padding: 0.5rem 1rem;
+  border: var(--border-width) solid var(--color-control-border);
+  background: var(--color-background);
+  font-size: 1rem;
+  border-radius: var(--border-radius);
+  box-shadow: inset 0 0.1rem 0.2rem rgba(0, 0, 0, 0.2);
+  color: var(--color-text);
+
+  &:focus {
+    box-shadow: none;
+  }
+}
+
+p {
+  margin: 0 0 1.5rem 0;
+  padding: 0 1rem;
+  font-size: 1.1rem;
+  line-height: 2rem;
+}
+
+a.button {
+  text-decoration: none;
+  line-height: 1rem;
+
+  &:link,
+  &:visited {
+    background-color: var(--color-background);
+    color: var(--color-primary);
+  }
+}
+
+button,
+a.button {
+  margin: 0 0 0.75rem 0;
+  padding: 0.75rem 1rem;
+  color: var(--provider-color, var(--color-primary));
+  background-color: var(--provider-bg, var(--color-background));
+  font-size: 1.1rem;
+  min-height: 62px;
+  border-color: rgba(0, 0, 0, 0.1);
+  border-radius: var(--border-radius);
+  transition: all 0.1s ease-in-out;
+  box-shadow: #000 0px 0px 0px 0px, #000 0px 0px 0px 0px,
+    rgba(0, 0, 0, 0.2) 0px 10px 15px -3px, rgba(0, 0, 0, 0.1) 0px 4px 6px -4px;
+  font-weight: 500;
+  position: relative;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+
+  &:has(img) {
+    justify-content: unset;
+    span {
+      flex-grow: 1;
+    }
+  }
+  &:hover {
+    cursor: pointer;
+  }
+  &:active {
+    box-shadow: 0 0.15rem 0.3rem rgba(0, 0, 0, 0.15),
+      inset 0 0.1rem 0.2rem var(--color-background),
+      inset 0 -0.1rem 0.1rem rgba(0, 0, 0, 0.1);
+    cursor: pointer;
+  }
+  #provider-logo {
+    display: block;
+  }
+  #provider-logo-dark {
+    display: none;
+  }
+}
+
+@media (prefers-color-scheme: dark) {
+  button,
+  a.button {
+    color: var(--provider-dark-color, var(--color-primary));
+    background-color: var(--provider-dark-bg, var(--color-background));
+    border: 1px solid #0d0d0d;
+    box-shadow: #000 0px 0px 0px 0px, #ccc 0px 0px 0px 0px,
+      rgba(255, 255, 255, 0.01) 0px 5px 5px -3px,
+      rgba(255, 255, 255, 0.05) 0px 4px 6px -4px;
+  }
+  #provider-logo {
+    display: none !important;
+  }
+  #provider-logo-dark {
+    display: block !important;
+  }
+}
+
+a.site {
+  color: var(--color-primary);
+  text-decoration: none;
+  font-size: 1rem;
+  line-height: 2rem;
+
+  &:hover {
+    text-decoration: underline;
+  }
+}
+
+.page {
+  position: absolute;
+  width: 100%;
+  height: 100%;
+  display: grid;
+  place-items: center;
+  margin: 0;
+  padding: 0;
+
+  > div {
+    text-align: center;
+    padding: 0.5rem;
+  }
+}
+
+.error {
+  a.button {
+    display: inline-block;
+    padding-left: 2rem;
+    padding-right: 2rem;
+    margin-top: 0.5rem;
+  }
+
+  .message {
+    margin-bottom: 1.5rem;
+  }
+}
+
+.signin {
+  input[type="text"] {
+    margin-left: auto;
+    margin-right: auto;
+    display: block;
+  }
+
+  hr {
+    display: block;
+    border: 0;
+    border-top: 1px solid var(--color-seperator);
+    margin: 1.5em auto 0 auto;
+    overflow: visible;
+
+    &::before {
+      content: "or";
+      background: var(--color-background);
+      color: #888;
+      padding: 0 0.4rem;
+      position: relative;
+      top: -0.6rem;
+    }
+  }
+
+  .error {
+    background: #f5f5f5;
+    font-weight: 500;
+    border-radius: 0.3rem;
+    background: var(--color-info);
+
+    p {
+      text-align: left;
+      padding: 0.5rem 1rem;
+      font-size: 0.9rem;
+      line-height: 1.2rem;
+      color: var(--color-info-text);
+    }
+  }
+
+  > div,
+  form {
+    display: block;
+
+    input[type] {
+      margin-bottom: 0.5rem;
+    }
+
+    button {
+      width: 100%;
+    }
+
+    max-width: 300px;
+  }
+}
+.signout {
+  .message {
+    margin-bottom: 1.5rem;
+  }
+}
+
+.logo {
+  display: inline-block;
+  margin-top: 100px;
+  max-width: 300px;
+  max-height: 150px;
+}
+
+.card {
+  max-width: max-content;
+  border: 1px solid var(--color-control-border);
+  border-radius: 5px;
+  padding: 20px 50px;
+  margin: 50px auto;
+
+  .header {
+    color: var(--color-primary);
+  }
+}
+
+.section-header {
+  color: var(--brand-color, var(--color-text));
+}
--- a/packages/core/src/lib/styles/index.ts
+++ b/packages/core/src/lib/styles/index.ts
@@ -0,0 +1,2 @@
+export default `:root{--border-width:1px;--border-radius:0.5rem;--color-error:#c94b4b;--color-info:#157efb;--color-info-text:#fff}.__next-auth-theme-auto,.__next-auth-theme-light{--color-background:#fff;--color-text:#000;--color-primary:#444;--color-control-border:#bbb;--color-button-active-background:#f9f9f9;--color-button-active-border:#aaa;--color-seperator:#ccc}.__next-auth-theme-dark{--color-background:#000;--color-text:#fff;--color-primary:#ccc;--color-control-border:#555;--color-button-active-background:#060606;--color-button-active-border:#666;--color-seperator:#444}@media (prefers-color-scheme:dark){.__next-auth-theme-auto{--color-background:#000;--color-text:#fff;--color-primary:#ccc;--color-control-border:#555;--color-button-active-background:#060606;--color-button-active-border:#666;--color-seperator:#444}}body{background-color:var(--color-background);font-family:ui-sans-serif,system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetica Neue,Arial,Noto Sans,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji;margin:0;padding:0}h1{font-weight:400;margin-bottom:1.5rem;padding:0 1rem}h1,p{color:var(--color-text)}form{margin:0;padding:0}label{font-weight:500;margin-bottom:.25rem;text-align:left}input[type],label{color:var(--color-text);display:block}input[type]{background:var(--color-background);border:var(--border-width) solid var(--color-control-border);border-radius:var(--border-radius);box-shadow:inset 0 .1rem .2rem rgba(0,0,0,.2);box-sizing:border-box;font-size:1rem;padding:.5rem 1rem;width:100%}input[type]:focus{box-shadow:none}p{font-size:1.1rem;line-height:2rem;margin:0 0 1.5rem;padding:0 1rem}a.button{line-height:1rem;text-decoration:none}a.button:link,a.button:visited{background-color:var(--color-background);color:var(--color-primary)}a.button,button{align-items:center;background-color:var(--provider-bg,var(--color-background));border-color:rgba(0,0,0,.1);border-radius:var(--border-radius);box-shadow:0 0 0 0 #000,0 0 0 0 #000,0 10px 15px -3px rgba(0,0,0,.2),0 4px 6px -4px rgba(0,0,0,.1);color:var(--provider-color,var(--color-primary));display:flex;font-size:1.1rem;font-weight:500;justify-content:center;margin:0 0 .75rem;min-height:62px;padding:.75rem 1rem;position:relative;transition:all .1s ease-in-out}a.button:has(img),button:has(img){justify-content:unset}a.button:has(img) span,button:has(img) span{flex-grow:1}a.button:hover,button:hover{cursor:pointer}a.button:active,button:active{box-shadow:0 .15rem .3rem rgba(0,0,0,.15),inset 0 .1rem .2rem var(--color-background),inset 0 -.1rem .1rem rgba(0,0,0,.1);cursor:pointer}a.button #provider-logo,button #provider-logo{display:block}a.button #provider-logo-dark,button #provider-logo-dark{display:none}@media (prefers-color-scheme:dark){a.button,button{background-color:var(--provider-dark-bg,var(--color-background));border:1px solid #0d0d0d;box-shadow:0 0 0 0 #000,0 0 0 0 #ccc,0 5px 5px -3px hsla(0,0%,100%,.01),0 4px 6px -4px hsla(0,0%,100%,.05);color:var(--provider-dark-color,var(--color-primary))}#provider-logo{display:none!important}#provider-logo-dark{display:block!important}}a.site{color:var(--color-primary);font-size:1rem;line-height:2rem;text-decoration:none}a.site:hover{text-decoration:underline}.page{display:grid;height:100%;margin:0;padding:0;place-items:center;position:absolute;width:100%}.page>div{padding:.5rem;text-align:center}.error a.button{display:inline-block;margin-top:.5rem;padding-left:2rem;padding-right:2rem}.error .message{margin-bottom:1.5rem}.signin input[type=text]{display:block;margin-left:auto;margin-right:auto}.signin hr{border:0;border-top:1px solid var(--color-seperator);display:block;margin:1.5em auto 0;overflow:visible}.signin hr:before{background:var(--color-background);color:#888;content:"or";padding:0 .4rem;position:relative;top:-.6rem}.signin .error{background:#f5f5f5;background:var(--color-info);border-radius:.3rem;font-weight:500}.signin .error p{color:var(--color-info-text);font-size:.9rem;line-height:1.2rem;padding:.5rem 1rem;text-align:left}.signin form,.signin>div{display:block}.signin form input[type],.signin>div input[type]{margin-bottom:.5rem}.signin form button,.signin>div button{width:100%}.signin form,.signin>div{max-width:300px}.signout .message{margin-bottom:1.5rem}.logo{display:inline-block;margin-top:100px;max-height:150px;max-width:300px}.card{border:1px solid var(--color-control-border);border-radius:5px;margin:50px auto;max-width:-moz-max-content;max-width:max-content;padding:20px 50px}.card .header{color:var(--color-primary)}.section-header{color:var(--brand-color,var(--color-text))}`
+// Generated by `pnpm css`
--- a/packages/core/src/lib/types.ts
+++ b/packages/core/src/lib/types.ts
@@ -0,0 +1,578 @@
+import type { CookieSerializeOptions } from "cookie"
+import type { Adapter, AdapterUser } from "../adapters"
+import type {
+  CredentialInput,
+  CredentialsConfig,
+  EmailConfig,
+  OAuthConfigInternal,
+  Provider,
+  ProviderType,
+} from "../providers"
+import type {
+  OAuth2TokenEndpointResponse,
+  OpenIDTokenEndpointResponse,
+} from "oauth4webapi"
+import type { JWT, JWTOptions } from "../jwt"
+import type { Cookie } from "./cookie"
+import type { LoggerInstance } from "./utils/logger"
+
+/** @internal */
+export type Awaitable<T> = T | PromiseLike<T>
+
+export type { LoggerInstance }
+
+/**
+ * Configure your NextAuth instance
+ *
+ * [Documentation](https://next-auth.js.org/configuration/options#options)
+ */
+export interface AuthOptions {
+  /**
+   * An array of authentication providers for signing in
+   * (e.g. Google, Facebook, Twitter, GitHub, Email, etc) in any order.
+   * This can be one of the built-in providers or an object with a custom provider.
+   * * **Default value**: `[]`
+   * * **Required**: *Yes*
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#providers) | [Providers documentation](https://next-auth.js.org/configuration/providers)
+   */
+  providers: Provider[]
+  /**
+   * A random string used to hash tokens, sign cookies and generate cryptographic keys.
+   * If not specified, it falls back to `AUTH_SECRET` or `NEXTAUTH_SECRET` from environment variables.
+   * To generate a random string, you can use the following command:
+   *
+   * On Unix systems: `openssl rand -hex 32`
+   * Or go to https://generate-secret.vercel.app/32
+   *
+   * @default process.env.AUTH_SECRET ?? process.env.NEXTAUTH_SECRET
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#secret)
+   */
+  secret?: string
+  /**
+   * Configure your session like if you want to use JWT or a database,
+   * how long until an idle session expires, or to throttle write operations in case you are using a database.
+   * * **Default value**: See the documentation page
+   * * **Required**: No
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#session)
+   */
+  session?: Partial<SessionOptions>
+  /**
+   * JSON Web Tokens are enabled by default if you have not specified an adapter.
+   * JSON Web Tokens are encrypted (JWE) by default. We recommend you keep this behaviour.
+   * * **Default value**: See the documentation page
+   * * **Required**: *No*
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#jwt)
+   */
+  jwt?: Partial<JWTOptions>
+  /**
+   * Specify URLs to be used if you want to create custom sign in, sign out and error pages.
+   * Pages specified will override the corresponding built-in page.
+   * * **Default value**: `{}`
+   * * **Required**: *No*
+   * @example
+   *
+   * ```js
+   *   pages: {
+   *     signIn: '/auth/signin',
+   *     signOut: '/auth/signout',
+   *     error: '/auth/error',
+   *     verifyRequest: '/auth/verify-request',
+   *     newUser: '/auth/new-user'
+   *   }
+   * ```
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#pages) | [Pages documentation](https://next-auth.js.org/configuration/pages)
+   */
+  pages?: Partial<PagesOptions>
+  /**
+   * Callbacks are asynchronous functions you can use to control what happens when an action is performed.
+   * Callbacks are *extremely powerful*, especially in scenarios involving JSON Web Tokens
+   * as they **allow you to implement access controls without a database** and to **integrate with external databases or APIs**.
+   * * **Default value**: See the Callbacks documentation
+   * * **Required**: *No*
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#callbacks) | [Callbacks documentation](https://next-auth.js.org/configuration/callbacks)
+   */
+  callbacks?: Partial<CallbacksOptions>
+  /**
+   * Events are asynchronous functions that do not return a response, they are useful for audit logging.
+   * You can specify a handler for any of these events below - e.g. for debugging or to create an audit log.
+   * The content of the message object varies depending on the flow
+   * (e.g. OAuth or Email authentication flow, JWT or database sessions, etc),
+   * but typically contains a user object and/or contents of the JSON Web Token
+   * and other information relevant to the event.
+   * * **Default value**: `{}`
+   * * **Required**: *No*
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#events) | [Events documentation](https://next-auth.js.org/configuration/events)
+   */
+  events?: Partial<EventCallbacks>
+  /**
+   * You can use the adapter option to pass in your database adapter.
+   *
+   * * **Required**: *No*
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#adapter) |
+   * [Adapters Overview](https://next-auth.js.org/adapters/overview)
+   */
+  adapter?: Adapter
+  /**
+   * Set debug to true to enable debug messages for authentication and database operations.
+   * * **Default value**: `false`
+   * * **Required**: *No*
+   *
+   * - ⚠ If you added a custom `logger`, this setting is ignored.
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#debug) | [Logger documentation](https://next-auth.js.org/configuration/options#logger)
+   */
+  debug?: boolean
+  /**
+   * Override any of the logger levels (`undefined` levels will use the built-in logger),
+   * and intercept logs in NextAuth. You can use this option to send NextAuth logs to a third-party logging service.
+   * * **Default value**: `console`
+   * * **Required**: *No*
+   *
+   * @example
+   *
+   * ```js
+   * // /pages/api/auth/[...nextauth].js
+   * import log from "logging-service"
+   * export default NextAuth({
+   *   logger: {
+   *     error(code, ...message) {
+   *       log.error(code, message)
+   *     },
+   *     warn(code, ...message) {
+   *       log.warn(code, message)
+   *     },
+   *     debug(code, ...message) {
+   *       log.debug(code, message)
+   *     }
+   *   }
+   * })
+   * ```
+   *
+   * - ⚠ When set, the `debug` option is ignored
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#logger) |
+   * [Debug documentation](https://next-auth.js.org/configuration/options#debug)
+   */
+  logger?: Partial<LoggerInstance>
+  /**
+   * Changes the theme of pages.
+   * Set to `"light"` if you want to force pages to always be light.
+   * Set to `"dark"` if you want to force pages to always be dark.
+   * Set to `"auto"`, (or leave this option out)if you want the pages to follow the preferred system theme.
+   * * **Default value**: `"auto"`
+   * * **Required**: *No*
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#theme) | [Pages documentation]("https://next-auth.js.org/configuration/pages")
+   */
+  theme?: Theme
+  /**
+   * When set to `true` then all cookies set by NextAuth.js will only be accessible from HTTPS URLs.
+   * This option defaults to `false` on URLs that start with `http://` (e.g. http://localhost:3000) for developer convenience.
+   * You can manually set this option to `false` to disable this security feature and allow cookies
+   * to be accessible from non-secured URLs (this is not recommended).
+   * * **Default value**: `true` for HTTPS and `false` for HTTP sites
+   * * **Required**: No
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#usesecurecookies)
+   *
+   * - ⚠ **This is an advanced option.** Advanced options are passed the same way as basic options,
+   * but **may have complex implications** or side effects.
+   * You should **try to avoid using advanced options** unless you are very comfortable using them.
+   */
+  useSecureCookies?: boolean
+  /**
+   * You can override the default cookie names and options for any of the cookies used by NextAuth.js.
+   * You can specify one or more cookies with custom properties,
+   * but if you specify custom options for a cookie you must provide all the options for that cookie.
+   * If you use this feature, you will likely want to create conditional behavior
+   * to support setting different cookies policies in development and production builds,
+   * as you will be opting out of the built-in dynamic policy.
+   * * **Default value**: `{}`
+   * * **Required**: No
+   *
+   * - ⚠ **This is an advanced option.** Advanced options are passed the same way as basic options,
+   * but **may have complex implications** or side effects.
+   * You should **try to avoid using advanced options** unless you are very comfortable using them.
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#cookies) | [Usage example](https://next-auth.js.org/configuration/options#example)
+   */
+  cookies?: Partial<CookiesOptions>
+  /**
+   * If set to `true`, NextAuth.js will use either the `x-forwarded-host` or `host` headers,
+   * instead of `NEXTAUTH_URL`
+   * Make sure that reading `x-forwarded-host` on your hosting platform can be trusted.
+   * - ⚠ **This is an advanced option.** Advanced options are passed the same way as basic options,
+   * but **may have complex implications** or side effects.
+   * You should **try to avoid using advanced options** unless you are very comfortable using them.
+   * @default Boolean(process.env.NEXTAUTH_URL ?? process.env.AUTH_TRUST_HOST ?? process.env.VERCEL)
+   */
+  trustHost?: boolean
+}
+
+/**
+ * Change the theme of the built-in pages.
+ *
+ * [Documentation](https://next-auth.js.org/configuration/options#theme) |
+ * [Pages](https://next-auth.js.org/configuration/pages)
+ */
+export interface Theme {
+  colorScheme?: "auto" | "dark" | "light"
+  logo?: string
+  brandColor?: string
+  buttonText?: string
+}
+
+/**
+ * Different tokens returned by OAuth Providers.
+ * Some of them are available with different casing,
+ * but they refer to the same value.
+ */
+export type TokenSet = Partial<
+  OAuth2TokenEndpointResponse | OpenIDTokenEndpointResponse
+>
+
+/**
+ * Usually contains information about the provider being used
+ * and also extends `TokenSet`, which is different tokens returned by OAuth Providers.
+ */
+export interface Account extends Partial<OpenIDTokenEndpointResponse> {
+  /**
+   * This value depends on the type of the provider being used to create the account.
+   * - oauth: The OAuth account's id, returned from the `profile()` callback.
+   * - email: The user's email address.
+   * - credentials: `id` returned from the `authorize()` callback
+   */
+  providerAccountId: string
+  /** id of the user this account belongs to. */
+  userId?: string
+  /** id of the provider used for this account */
+  provider: string
+  /** Provider's type for this account */
+  type: ProviderType
+}
+
+/** The OAuth profile returned from your provider */
+export interface Profile {
+  sub?: string
+  name?: string
+  email?: string
+  image?: string
+}
+
+/** [Documentation](https://next-auth.js.org/configuration/callbacks) */
+export interface CallbacksOptions<P = Profile, A = Account> {
+  /**
+   * Use this callback to control if a user is allowed to sign in.
+   * Returning true will continue the sign-in flow.
+   * Throwing an error or returning a string will stop the flow, and redirect the user.
+   *
+   * [Documentation](https://next-auth.js.org/configuration/callbacks#sign-in-callback)
+   */
+  signIn: (params: {
+    user: User | AdapterUser
+    account: A | null
+    /**
+     * If OAuth provider is used, it contains the full
+     * OAuth profile returned by your provider.
+     */
+    profile?: P
+    /**
+     * If Email provider is used, on the first call, it contains a
+     * `verificationRequest: true` property to indicate it is being triggered in the verification request flow.
+     * When the callback is invoked after a user has clicked on a sign in link,
+     * this property will not be present. You can check for the `verificationRequest` property
+     * to avoid sending emails to addresses or domains on a blocklist or to only explicitly generate them
+     * for email address in an allow list.
+     */
+    email?: {
+      verificationRequest?: boolean
+    }
+    /** If Credentials provider is used, it contains the user credentials */
+    credentials?: Record<string, CredentialInput>
+  }) => Awaitable<string | boolean>
+  /**
+   * This callback is called anytime the user is redirected to a callback URL (e.g. on signin or signout).
+   * By default only URLs on the same URL as the site are allowed,
+   * you can use this callback to customise that behaviour.
+   *
+   * [Documentation](https://next-auth.js.org/configuration/callbacks#redirect-callback)
+   */
+  redirect: (params: {
+    /** URL provided as callback URL by the client */
+    url: string
+    /** Default base URL of site (can be used as fallback) */
+    baseUrl: string
+  }) => Awaitable<string>
+  /**
+   * This callback is called whenever a session is checked.
+   * (Eg.: invoking the `/api/session` endpoint, using `useSession` or `getSession`)
+   *
+   * ⚠ By default, only a subset (email, name, image)
+   * of the token is returned for increased security.
+   *
+   * If you want to make something available you added to the token through the `jwt` callback,
+   * you have to explicitly forward it here to make it available to the client.
+   *
+   * [Documentation](https://next-auth.js.org/configuration/callbacks#session-callback) |
+   * [`jwt` callback](https://next-auth.js.org/configuration/callbacks#jwt-callback) |
+   * [`useSession`](https://next-auth.js.org/getting-started/client#usesession) |
+   * [`getSession`](https://next-auth.js.org/getting-started/client#getsession) |
+   *
+   */
+  session: (params: {
+    session: Session
+    user: User | AdapterUser
+    token: JWT
+  }) => Awaitable<Session>
+  /**
+   * This callback is called whenever a JSON Web Token is created (i.e. at sign in)
+   * or updated (i.e whenever a session is accessed in the client).
+   * Its content is forwarded to the `session` callback,
+   * where you can control what should be returned to the client.
+   * Anything else will be kept from your front-end.
+   *
+   * ⚠ By default the JWT is signed, but not encrypted.
+   *
+   * [Documentation](https://next-auth.js.org/configuration/callbacks#jwt-callback) |
+   * [`session` callback](https://next-auth.js.org/configuration/callbacks#session-callback)
+   */
+  jwt: (params: {
+    token: JWT
+    user?: User | AdapterUser
+    account?: A | null
+    profile?: P
+    isNewUser?: boolean
+  }) => Awaitable<JWT>
+}
+
+/** [Documentation](https://next-auth.js.org/configuration/options#cookies) */
+export interface CookieOption {
+  name: string
+  options: CookieSerializeOptions
+}
+
+/** [Documentation](https://next-auth.js.org/configuration/options#cookies) */
+export interface CookiesOptions {
+  sessionToken: CookieOption
+  callbackUrl: CookieOption
+  csrfToken: CookieOption
+  pkceCodeVerifier: CookieOption
+  state: CookieOption
+  nonce: CookieOption
+}
+
+/**
+ *  The various event callbacks you can register for from next-auth
+ *
+ * [Documentation](https://next-auth.js.org/configuration/events)
+ */
+export interface EventCallbacks {
+  /**
+   * If using a `credentials` type auth, the user is the raw response from your
+   * credential provider.
+   * For other providers, you'll get the User object from your adapter, the account,
+   * and an indicator if the user was new to your Adapter.
+   */
+  signIn: (message: {
+    user: User
+    account: Account | null
+    profile?: Profile
+    isNewUser?: boolean
+  }) => Awaitable<void>
+  /**
+   * The message object will contain one of these depending on
+   * if you use JWT or database persisted sessions:
+   * - `token`: The JWT token for this session.
+   * - `session`: The session object from your adapter that is being ended.
+   */
+  signOut: (message: { session: Session; token: JWT }) => Awaitable<void>
+  createUser: (message: { user: User }) => Awaitable<void>
+  updateUser: (message: { user: User }) => Awaitable<void>
+  linkAccount: (message: {
+    user: User | AdapterUser
+    account: Account
+    profile: User | AdapterUser
+  }) => Awaitable<void>
+  /**
+   * The message object will contain one of these depending on
+   * if you use JWT or database persisted sessions:
+   * - `token`: The JWT token for this session.
+   * - `session`: The session object from your adapter.
+   */
+  session: (message: { session: Session; token: JWT }) => Awaitable<void>
+}
+
+export type EventType = keyof EventCallbacks
+
+/** [Documentation](https://next-auth.js.org/configuration/pages) */
+export interface PagesOptions {
+  signIn: string
+  signOut: string
+  /** Error code passed in query string as ?error= */
+  error: string
+  verifyRequest: string
+  /** If set, new users will be directed here on first sign in */
+  newUser: string
+}
+
+type ISODateString = string
+
+export interface DefaultSession {
+  user?: {
+    name?: string | null
+    email?: string | null
+    image?: string | null
+  }
+  expires: ISODateString
+}
+
+/**
+ * Returned by `useSession`, `getSession`, returned by the `session` callback
+ * and also the shape received as a prop on the `SessionProvider` React Context
+ *
+ * [`useSession`](https://next-auth.js.org/getting-started/client#usesession) |
+ * [`getSession`](https://next-auth.js.org/getting-started/client#getsession) |
+ * [`SessionProvider`](https://next-auth.js.org/getting-started/client#sessionprovider) |
+ * [`session` callback](https://next-auth.js.org/configuration/callbacks#jwt-callback)
+ */
+export interface Session extends DefaultSession {}
+
+export type SessionStrategy = "jwt" | "database"
+
+/** [Documentation](https://next-auth.js.org/configuration/options#session) */
+export interface SessionOptions {
+  /**
+   * Choose how you want to save the user session.
+   * The default is `"jwt"`, an encrypted JWT (JWE) in the session cookie.
+   *
+   * If you use an `adapter` however, we default it to `"database"` instead.
+   * You can still force a JWT session by explicitly defining `"jwt"`.
+   *
+   * When using `"database"`, the session cookie will only contain a `sessionToken` value,
+   * which is used to look up the session in the database.
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#session) | [Adapter](https://next-auth.js.org/configuration/options#adapter) | [About JSON Web Tokens](https://next-auth.js.org/faq#json-web-tokens)
+   */
+  strategy: SessionStrategy
+  /**
+   * Relative time from now in seconds when to expire the session
+   * @default 2592000 // 30 days
+   */
+  maxAge: number
+  /**
+   * How often the session should be updated in seconds.
+   * If set to `0`, session is updated every time.
+   * @default 86400 // 1 day
+   */
+  updateAge: number
+  /**
+   * Generate a custom session token for database-based sessions.
+   * By default, a random UUID or string is generated depending on the Node.js version.
+   * However, you can specify your own custom string (such as CUID) to be used.
+   * @default `randomUUID` or `randomBytes.toHex` depending on the Node.js version
+   */
+  generateSessionToken: () => string
+}
+
+export interface DefaultUser {
+  id: string
+  name?: string | null
+  email?: string | null
+  image?: string | null
+}
+
+/**
+ * The shape of the returned object in the OAuth providers' `profile` callback,
+ * available in the `jwt` and `session` callbacks,
+ * or the second parameter of the `session` callback, when using a database.
+ *
+ * [`signIn` callback](https://next-auth.js.org/configuration/callbacks#sign-in-callback) |
+ * [`session` callback](https://next-auth.js.org/configuration/callbacks#jwt-callback) |
+ * [`jwt` callback](https://next-auth.js.org/configuration/callbacks#jwt-callback) |
+ * [`profile` OAuth provider callback](https://next-auth.js.org/configuration/providers#using-a-custom-provider)
+ */
+export interface User extends DefaultUser {}
+
+// Below are types that are only supposed be used by next-auth internally
+
+/** @internal */
+export type InternalProvider<T = ProviderType> = (T extends "oauth"
+  ? OAuthConfigInternal<any>
+  : T extends "email"
+  ? EmailConfig
+  : T extends "credentials"
+  ? CredentialsConfig
+  : never) & {
+  signinUrl: string
+  callbackUrl: string
+}
+
+export type AuthAction =
+  | "providers"
+  | "session"
+  | "csrf"
+  | "signin"
+  | "signout"
+  | "callback"
+  | "verify-request"
+  | "error"
+  | "_log"
+
+/** @internal */
+export interface RequestInternal {
+  url: URL
+  method?: string
+  cookies?: Partial<Record<string, string>>
+  headers?: Record<string, any>
+  query?: Record<string, any>
+  body?: Record<string, any>
+  action: AuthAction
+  providerId?: string
+  error?: string
+}
+
+/** @internal */
+export interface ResponseInternal<
+  Body extends string | Record<string, any> | any[] = any
+> {
+  status?: number
+  headers?: Headers | HeadersInit
+  body?: Body
+  redirect?: URL | string
+  cookies?: Cookie[]
+}
+
+/** @internal */
+export interface InternalOptions<
+  TProviderType = ProviderType,
+  WithVerificationToken = TProviderType extends "email" ? true : false
+> {
+  providers: InternalProvider[]
+  url: URL
+  action: AuthAction
+  provider: InternalProvider<TProviderType>
+  csrfToken?: string
+  csrfTokenVerified?: boolean
+  secret: string
+  theme: Theme
+  debug: boolean
+  logger: LoggerInstance
+  session: Required<SessionOptions>
+  pages: Partial<PagesOptions>
+  jwt: JWTOptions
+  events: Partial<EventCallbacks>
+  adapter: WithVerificationToken extends true
+    ? Adapter<WithVerificationToken>
+    : Adapter<WithVerificationToken> | undefined
+  callbacks: CallbacksOptions
+  cookies: CookiesOptions
+  callbackUrl: string
+}
--- a/packages/core/src/lib/utils/date.ts
+++ b/packages/core/src/lib/utils/date.ts
@@ -0,0 +1,8 @@
+/**
+ * Takes a number in seconds and returns the date in the future.
+ * Optionally takes a second date parameter. In that case
+ * the date in the future will be calculated from that date instead of now.
+ */
+export function fromDate(time: number, date = Date.now()) {
+  return new Date(date + time * 1000)
+}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Balázs Orbán	6680860293	chore(release): bump versions [skip release]	2022-12-13 19:35:05 +01:00
Balázs Orbán	c7d93c61e0	chore: remove	2022-12-13 19:28:54 +01:00
Balázs Orbán	a7b6a29773	feat(web): expose Web API compatible version of `next-auth` (#5536 ) * WIP use `Request` and `Response` for core * bump Next.js * rename ts types * refactor * simplify * upgrade Next.js * implement body reader * use `Request`/`Response` in `next-auth/next` * make linter happy * revert * fix tests * remove workaround for middleware return type * return session in protected api route example * don't export internal handler * fall back host to localhost * refactor `getBody` * refactor `next-auth/next` * chore: add `@edge-runtime/jest-environment` * fix tests, using Node 18 as runtime * fix test * remove patch * upgrade/add dependencies * type and default import on one line * don't import all adapters by default in dev * simplify internal endpoint config Instead of passing url and params around as a string and an object, we parse them into a `URL` instance. * assert if both endpoint and issuer config is missing * allow internal redirect to be `URL` * mark clientId as always internally, fix comments * add web-compatible authorization URL handling * fix type * fix neo4j build * remove new-line * reduce file changes in the PR * simplify types * refactor `crypto` usage In Node.js, inject `globalThis.crypto` instead of import * add `next-auth/web` * refactor * send header instead of body to indicate redirect response * fix eslint * fix tests * chore: upgrade dep * fix import * refactor: more renames * wip core * support OIDC * remove `openid-client` * temprarily remove duplicate logos * revert * move redirect logic to core * wip fix css * revert Logo component * output ESM * fix logout * deprecate OAuth 1, simplify internals, improve defaults * refactor providers, test facebook * fix providers * target es2020 * fix CSS * update lock file * make logos optional * sync with `next-auth` * clean up `next-auth/edge` * sync * remove uuid * make secret required in dev * remove todo comments * pass through OAuth client options * generate declaration map * default env secret to AUTH_SECRET * temporary Headers fix * move pages to lib * move errors to lib * move pages/index to lib * move routes to lib * move init to lib * move styles to lib * move types to lib * move utils to lib * fix imports * update ignore/clean patterns * fix imports * update styles ts * update gitignore * update exports field * revert `next-auth` * remove extra tsconfig files * remove `private` from package.json * remove unused file, expose type * move gitignore, reduce exposed types * add back tsconfig files * remove leftover * revert gitignore * remove test script	2022-12-13 18:24:30 +00:00
Balázs Orbán	092ab9c128	chore: update release script	2022-12-13 18:01:45 +01:00
Balázs Orbán	36f44a869a	chore: move files to `nextuahtjs/.github`	2022-12-13 17:40:17 +01:00
Balázs Orbán	2913fbac3b	chore(release): bump package version(s) [skip ci]	2022-12-12 14:53:01 +01:00
Balázs Orbán	2875b49f11	fix(core): preserve incoming set cookies (#6029 ) * fix(core): preserve `set-cookie` by the user * add test * improve req/res mocking * refactor * fix comment typo	2022-12-12 13:47:34 +00:00
Balázs Orbán	5259d247a2	fix(next): correctly bundle next-auth/middleware fixes #6025	2022-12-12 11:59:37 +01:00
Balázs Orbán	d1d93fd75e	chore(release): bump package version(s) [skip ci]	2022-12-11 15:52:57 +01:00
Balázs Orbán	62f672ae30	fix(core): host detection/NEXTAUTH_URL (#6007 ) * rename `host` to `origin` internally * rename `userOptions` to `authOptions` internally * use object for `headers` internally * default `method` to GET * simplify `unstable_getServerSession` * allow optional headers * revert middleware * wip getURL * revert host detection * use old `detectHost` * fix/add some tests wip * move more to core, refactor getURL * better type auth actions * fix custom path support (w/ api/auth) * add `getURL` tests * fix email tests * fix assert tests * custom base without api/auth, with trailing slash * remove parseUrl from assert.ts * return 400 when wrong url * fix tests * refactor * fix protocol in dev * fix tests * fix custom url handling * add todo comments	2022-12-11 14:48:28 +00:00
Balázs Orbán	2c669b32fc	fix(core): correct status code when returning redirects (#6004 ) * fix(core): correctly set status when returning redirect * update tests * forward other headers * update test * remove default 200 status	2022-12-11 12:55:16 +00:00
Cyril Perraud	2dea8919e5	fix(sequelize): increase sequelize `id_token` column length (#5929 ) Co-authored-by: Nico Domino <yo@ndo.dev>	2022-12-10 12:34:45 +01:00
Balázs Orbán	6fdb0da6eb	chore(release): bump package version(s) [skip ci]	2022-12-09 00:34:31 +01:00
Balázs Orbán	5c4a9a697d	fix(core): handle `Request` -> `Response` regressions (#5991 ) * fix(next): don't override `Content-Type` by `unstable_getServerSession` * fix(core): handle `,` while setting `set-cookie`	2022-12-08 23:29:25 +00:00
Thomas Desmond	eddd8fd7f9	chore(docs): add new tutorial (#5604 ) Co-authored-by: Nico Domino <yo@ndo.dev>	2022-12-08 18:24:58 +01:00
Balázs Orbán	b74bfc68e8	chore(release): bump package version(s) [skip ci]	2022-12-08 05:16:10 +01:00
Balázs Orbán	0a140cdf87	test(core): fix test	2022-12-08 05:11:37 +01:00
Balázs Orbán	157269e0fb	fix(core): throw error if no action can be determined	2022-12-08 05:10:26 +01:00
Balázs Orbán	221bc8e99c	fix(core): add protocol if missing	2022-12-08 04:54:42 +01:00
Balázs Orbán	f856363ac8	chore(release): bump package version(s) [skip ci]	2022-12-08 04:38:03 +01:00
Balázs Orbán	f3291025e6	fix(core): properly construct url (#5984 )	2022-12-08 04:33:20 +01:00
Balázs Orbán	bc0912cc71	chore(release): bump package version(s) [skip ci]	2022-12-08 00:08:09 +01:00
Branden Cash	b19b2bcb3f	fix(core): don't mutate authOptions in unstable_getServerSession (#5973 )	2022-12-07 22:04:53 +01:00
Balázs Orbán	63c2a15717	Update nextjs.md	2022-12-07 14:39:57 +01:00
Balázs Orbán	9209b48dbe	chore: add issue validator	2022-12-06 12:21:42 +01:00
Balázs Orbán	0fcc6a0d04	refactor: more renames	2022-12-05 13:38:29 +01:00
Balázs Orbán	cbf8c7a59f	refactor: rename	2022-12-03 15:51:38 +01:00
Balázs Orbán	0e6c51adec	refactor: rename	2022-12-03 15:41:39 +01:00
Balázs Orbán	c4352a7d56	chore(dev): upgrade dev app and deps Conflicts: apps/dev/pages/api/auth/[...nextauth].ts	2022-12-03 15:33:49 +01:00
Balázs Orbán	7e91d7df54	refactor(core): use standard `Request` and `Response` (#4769 ) * WIP use `Request` and `Response` for core * bump Next.js * rename ts types * refactor * simplify * upgrade Next.js * implement body reader * use `Request`/`Response` in `next-auth/next` * make linter happy * revert * fix tests * remove workaround for middleware return type * return session in protected api route example * don't export internal handler * fall back host to localhost * refactor `getBody` * refactor `next-auth/next` * chore: add `@edge-runtime/jest-environment` * fix tests, using Node 18 as runtime * fix test * remove patch * fix neo4j build * remove new-line * reduce file changes in the PR * fix tests * fix tests * refactor * refactor * add host tests * refactor tests * fix body reading * fix tests * use 302 * fix test * fix again * fix tests * handle when body is `Buffer` * move comment	2022-12-03 13:39:08 +00:00
Balázs Orbán	c1424136db	chore(dev): don't load all adapters in dev app	2022-12-03 13:45:06 +01:00
Balázs Orbán	f2a07932b9	chore(release): bump package version(s) [skip ci]	2022-12-03 12:38:32 +01:00
Balázs Orbán	25c7ce1d2b	chore: revert sync-example action	2022-12-03 12:31:22 +01:00
Vedant	227a233bd8	chore(adapters): update firebase sdk version in firebase adapter (#5902 ) * Update firebase SDK version * Update pnpm-lock.yaml * add `--debug` * move flag * add `FIREBASE_TOKEN` * chore: upgrade `firebase-tools` * revert peer dep change * remove --debug flag Co-authored-by: Balázs Orbán <info@balazsorban.com>	2022-12-03 11:29:09 +00:00
Vedant	cf9f133aa3	fix(adapters): tsconfig for firebase and pouchdb (#5945 ) * Update tsconfig.json * Update tsconfig.json	2022-12-03 09:48:55 +01:00
Arnaud Zheng	2301c1be44	chore(types): fix typo in comment (#5815 ) Co-authored-by: Nico Domino <yo@ndo.dev>	2022-12-02 16:39:28 +01:00
jintak0401	6e408e24bf	fix(provider): modify response.name to response.nickname (Naver) (#5915 ) fix(provider): modify response.name to response.nickname (Naver Provider) Co-authored-by: Thang Vu <hi@thvu.dev>	2022-12-01 08:12:16 +07:00
Jason Brady	f277989c69	feat(core): make pkce and state maxAge configurable on the cookies (#4719 ) * feat(cookies): make pkce and state maxAge configurable on the cookies (#4660) * added tests for pkce and state handlers	2022-12-01 08:02:42 +07:00
Nico Domino	6146e93288	chore(docs): add new provider styling notes to CONTRIBUTING.md (#5900 )	2022-11-30 15:44:50 +01:00
Nico Domino	1ff565da6c	chore(docs): update oauth.md styling docs (#5899 ) * chore(docs): update oauth.md styling docs * chore: add note about styling object * chore: typo * chore: filename typos	2022-11-30 15:43:55 +01:00
Nico Domino	41f75cf870	chore(actions): version bump all deps (#5903 )	2022-11-28 11:10:15 +00:00
Justin W Hall	dd591ed8d0	chore(docs): fix path Strava provider file (#5853 ) Co-authored-by: Nico Domino <yo@ndo.dev>	2022-11-27 14:04:17 +01:00
koolskateguy89	297bc2317f	chore(docs): fix spelling in docs (#5867 ) Co-authored-by: Nico Domino <yo@ndo.dev>	2022-11-27 13:44:35 +01:00
Tormod Flesjø	b170138e70	chore: update mongodb.md with typescript filetypes (#5889 )	2022-11-27 13:11:54 +01:00
Balázs Orbán	a307079e0f	fix(ts): improve `unstable_getServerSession` return type (#5792 ) Co-authored-by: Thang Vu <hi@thvu.dev>	2022-11-24 15:13:05 +01:00
Jacob Penny	d52b7a6b7d	chore(adapters): fix typo on Firebase Adapter (#5813 )	2022-11-24 14:31:43 +01:00
Jake Mulley	30b69a07eb	chore: fix import statement for `next-auth/providers/email` (#5860 )	2022-11-21 12:07:09 +01:00
Balázs Orbán	0d1757814f	fix(next): improve dev environment variable handling (#5763 ) * fix(next): HIDE `NEXTAUTH_URL` warning locally * refactor: move out `process.env` from core * fix tests * simplify * swap	2022-11-20 09:08:10 +00:00
Thang Vu	068f9b50b8	chore(release): bump package version(s) [skip ci]	2022-11-19 21:29:28 +07:00
Martin Sonnberger	dac490b7a1	feat(adapters): Add Supabase adapter (#5050 ) * Add Supabase adapter * Add Supabase adapter * Add schema setup to docs * supabase config changes * chore: update to supabase-js v2. * chore: migrate to next_auth schema. * feat: add supabase examples. * chore: update docs. * chore: add telemetry. * fix: resolve issues after merge. * chore: extend session type. * typo * chore: remove unnecessary grants. * fix: schema constraints. Co-authored-by: thorwebdev <thor@supabase.io> Co-authored-by: Thor 雷神 Schaeff <5748289+thorwebdev@users.noreply.github.com> Co-authored-by: Thang Vu <hi@thvu.dev>	2022-11-19 20:56:20 +07:00
Gregor Adams	c0f51669e2	docs: upadte mongodb guide (#5809 ) Co-authored-by: Nico Domino <yo@ndo.dev>	2022-11-16 16:38:55 +01:00
Nico Domino	cbf8ce3510	chore: fix signin btns svg URLs to 'main' (#5826 )	2022-11-15 22:07:30 +01:00
Nico Domino	1c19cc71df	chore: add tour de source link to CONTRIBUTING.md (#5820 )	2022-11-15 16:47:15 +00:00
Nico Domino	9d962a0056	feat: add signin button styles (#5802 ) * feat: add signin button styles * fix: remove unnecessary spans chore: rm comments * Update packages/next-auth/src/core/pages/signin.tsx Co-authored-by: Balázs Orbán <info@balazsorban.com> * feat: add provider svgs to repo * fix: adjust SVG sizes * fix: adjust provider btn to logo links * feat: apple provider btn style * fix: add apple-dark svg * feat: atlassian logo and style * feat: auth0 logo and style * feat: azure logo and style * fix: azure logo size * feat: battlenet logo and style * feat: box logo and style * feat: cognito logo and style * feat: discord logo and style * feat: facebook logo and style * feat: foursquare logo and style * fix: foursquare logo size * feat: freshbooks logo and style * feat: gitlab logo and style * fix: gitlab logo whitespace * feat: hubspot logo and style * feat: instagram logo and style * feat: keycloak logo and style * feat: keycloak logo resize * feat: linkedin logo and style * feat: mailchimp logo and style * feat: okta logo and style * feat: update okta logos * feat: patreon logo and style * fix: okta logo viewbox * feat: slack logo and style * feat: spotify logo and style * feat: todoist logo and style * fix: spotify logo size * feat: trakt logo and style * feat: twitch logo and style * feat: twitter logo and style * feat: vk logo and style * feat: wikimedia logo and style * feat: workos logo and style * fix: wikimedia-dark logo + twitter (legacy) * fix: button:active styling * fix: ignore eslint inline css custom properties warning * fix: improve darkmode default btn stylign * fix: swap github btn colors * fix: swap line btn theme colors Co-authored-by: Balázs Orbán <info@balazsorban.com>	2022-11-15 16:46:42 +00:00
Håkon Collett Bjørgan	8387c78e3f	fix(core): update JSDoc for `jwt` in `NextAuthOptions` (#5804 )	2022-11-13 07:55:35 +01:00