chore(release): bump package version(s) [skip ci]

* rewrite github provider in typescript

* rename md js endings

* Update packages/next-auth/src/providers/github.ts

Co-authored-by: Balázs Orbán <info@balazsorban.com>

* add eslint disable next line

Co-authored-by: Balázs Orbán <info@balazsorban.com>

.github/workflows/release.yml

@@ -21,7 +21,7 @@ jobs:
       - name: Install pnpm
         uses: pnpm/action-setup@v2.2.1
         with:
-          version: 6.32.8
+          version: 7.5.1
       - name: Setup Node
         uses: actions/setup-node@v3
         with:
@@ -55,7 +55,7 @@ jobs:
       - name: Install pnpm
         uses: pnpm/action-setup@v2.2.1
         with:
-          version: 6.32.8
+          version: 7.5.1
       - name: Setup Node
         uses: actions/setup-node@v3
         with:
@@ -70,6 +70,7 @@ jobs:
           pnpm release
         env:
           RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
           NPM_TOKEN_PKG: ${{ secrets.NPM_TOKEN_PKG }}
           NPM_TOKEN_ORG: ${{ secrets.NPM_TOKEN_ORG }}
   release-pr:
@@ -84,7 +85,7 @@ jobs:
       - name: Install pnpm
         uses: pnpm/action-setup@v2.2.1
         with:
-          version: 6.32.8
+          version: 7.5.1
       - name: Setup Node
         uses: actions/setup-node@v3
         with:

.gitignore

@@ -44,6 +44,7 @@ packages/next-auth/middleware.js
 # Development app
 apps/dev/src/css
 apps/dev/prisma/migrations
+apps/dev/typeorm
 
 # VS
 /.vs/slnx.sqlite-journal

CONTRIBUTING.md

@@ -17,7 +17,7 @@ Anyone can be a contributor. Either you found a typo, or you have an awesome fea
 - The latest changes are always in `main`, so please make your Pull Request against that branch.
 - Pull Requests should be raised for any change
 - Pull Requests need approval of a [core contributor](https://next-auth.js.org/contributors#core-team) before merging
-- We use ESLint/Prettier for linting/formatting, so please run `yarn lint:fix` before committing to make resolving conflicts easier (VSCode users, check out [this ESLint extension](https://marketplace.visualstudio.com/items?itemName=dbaeumer.vscode-eslint) and [this Prettier extension](https://marketplace.visualstudio.com/items?itemName=esbenp.prettier-vscode) to fix lint and formatting issues in development)
+- We use ESLint/Prettier for linting/formatting, so please run `pnpm lint:fix` before committing to make resolving conflicts easier (VSCode users, check out [this ESLint extension](https://marketplace.visualstudio.com/items?itemName=dbaeumer.vscode-eslint) and [this Prettier extension](https://marketplace.visualstudio.com/items?itemName=esbenp.prettier-vscode) to fix lint and formatting issues in development)
 - We encourage you to test your changes, and if you have the opportunity, please make those tests part of the Pull Request
 - If you add new functionality, please provide the corresponding documentation as well and make it part of the Pull Request
 
@@ -37,7 +37,7 @@ cd next-auth
 1. Install packages. Developing requires Node.js v16:
 
 ```sh
-yarn
+pnpm install
 ```
 
 3. Populate `.env.local`:
@@ -55,7 +55,7 @@ cp .env.local.example .env.local
 4. Start the developer application/server:
 
 ```sh
-yarn dev:app
+pnpm dev
 ```
 Your developer application will be available on `http://localhost:3000`
 
@@ -65,7 +65,7 @@ If you need an example project to link to, you can use [next-auth-example](https
 
 #### Hot reloading
 
-When running `yarn dev:app`, you start a Next.js developer server on `http://localhost:3000`, which includes hot reloading out of the box. Make changes on any of the files in `src` and see the changes immediately.
+When running `pnpm dev`, you start a Next.js developer server on `http://localhost:3000`, which includes hot reloading out-of-the-box. Make changes on any of the files in `src` and see the changes immediately.
 
 > NOTE: When working on CSS, you will have to manually refresh the page after changes. The reason for this is our pages using CSS are server-side rendered (using API routes). (Improving this through a PR is very welcome!)
 
@@ -75,7 +75,7 @@ When running `yarn dev:app`, you start a Next.js developer server on `http://loc
 
 If you think your custom provider might be useful to others, we encourage you to open a PR and add it to the built-in list so others can discover it much more easily! You only need to add two changes:
 
-1. Add your config: [`src/providers/{provider}.js`](https://github.com/nextauthjs/next-auth/tree/main/src/providers) (Make sure you use a named default export, like `export default function YourProvider`!)
+1. Add your config: [`src/providers/{provider}.js`](https://github.com/nextauthjs/next-auth/tree/main/packages/next-auth/src/providers) (Make sure you use a named default export, like `export default function YourProvider`!)
 2. Add provider documentation: [`www/docs/providers/{provider}.md`](https://github.com/nextauthjs/next-auth/tree/main/www/docs/providers)
 
 That's it! 🎉 Others will be able to discover this provider much more easily now!
@@ -88,13 +88,13 @@ If you would like to contribute to an existing database adapter or help create a
 
 #### Testing
 
-Tests can be run with `yarn test`.
+Tests can be run with `pnpm test`.
 
 Automated tests are currently crude and limited in functionality, but improvements are in development.
 
 ## For maintainers
 
-We use [a custom script](https://github.com/nextauthjs/next-auth/tree/main/scripts/index.ts) together with [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0) to automate releases. This makes the maintenance process easier and less error-prone. Please study the "Conventional Commits" site to understand how to write a good commit message.
+We use [a custom script](https://github.com/nextauthjs/next-auth/blob/main/scripts/release/index.ts) together with [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0) to automate releases. This makes the maintenance process easier and less error-prone. Please study the "Conventional Commits" site to understand how to write a good commit message.
 
 When accepting Pull Requests, make sure the following:
 
@@ -103,9 +103,9 @@ When accepting Pull Requests, make sure the following:
 - Rewrite the commit message to conform to the `Conventional Commits` style.
   - Using `fix` releases a patch (x.x.1)
   - Using `feat` releases a minor (x.1.x)
-  - Using `feat` when `BREAKING CHANGE` is present in the commit messgae releases a major (1.x.x)
+  - Using `feat` when `BREAKING CHANGE` is present in the commit message releases a major (1.x.x)
 - Optionally link issues the PR will resolve (You can add "close" in front of the issue numbers to close the issues automatically, when the PR is merged. `semantic-release` will also comment back to connected issues and PRs, notifying the users that a feature is added/bug fixed, etc.)
 
 ### Skipping a release
 
-If a commit contains `[skip release]` in their message will be excluded from the commit analysis and won't participate in the release type determination. This is useful, if the PR being merged should not trigger a new `npm` release.
+If a commit contains `[skip release]` in their message, it will be excluded from the commit analysis and won't participate in the release type determination. This is useful, if the PR being merged should not trigger a new `npm` release.

apps/dev/.env.local.example

@@ -50,3 +50,6 @@ DATABASE_URL=
 BOXYHQSAML_ISSUER="https://jackson-demo.boxyhq.com"
 BOXYHQSAML_ID="tenant=boxyhq.com&product=saml-demo.boxyhq.com"
 BOXYHQSAML_SECRET="dummy"
+
+WIKIMEDIA_ID=
+WIKIMEDIA_SECRET=

apps/dev/package.json

@@ -16,21 +16,25 @@
   },
   "license": "ISC",
   "dependencies": {
-    "@next-auth/fauna-adapter": "^1",
-    "@next-auth/prisma-adapter": "^1",
+    "@next-auth/fauna-adapter": "workspace:*",
+    "@next-auth/prisma-adapter": "workspace:*",
+    "@next-auth/typeorm-legacy-adapter": "workspace:*",
     "@prisma/client": "^3",
     "faunadb": "^4",
-    "next": "12.1.7-canary.51",
+    "next": "12.2.0",
     "nodemailer": "^6",
     "react": "^18",
     "react-dom": "^18"
   },
   "devDependencies": {
-    "@types/react": "^18",
-    "@types/react-dom": "^18",
+    "@types/react": "^18.0.15",
+    "@types/react-dom": "^18.0.6",
     "concurrently": "^7",
     "cpx": "^1.5.0",
     "fake-smtp-server": "^0.8.0",
-    "prisma": "^3"
+    "pg": "^8.7.3",
+    "prisma": "^3",
+    "sqlite3": "^5.0.8",
+    "typeorm": "0.3.7"
   }
 }

apps/dev/pages/api/auth/[...nextauth].ts

@@ -4,10 +4,11 @@ import GitHubProvider from "next-auth/providers/github"
 import Auth0Provider from "next-auth/providers/auth0"
 import KeycloakProvider from "next-auth/providers/keycloak"
 import TwitterProvider, {
-  TwitterLegacy as TwitterLegacyProvider,
+  // TwitterLegacy as TwitterLegacyProvider,
 } from "next-auth/providers/twitter"
 import CredentialsProvider from "next-auth/providers/credentials"
 import IDS4Provider from "next-auth/providers/identity-server4"
+import DuendeIDS6Provider from "next-auth/providers/duende-identity-server6"
 import Twitch from "next-auth/providers/twitch"
 import GoogleProvider from "next-auth/providers/google"
 import FacebookProvider from "next-auth/providers/facebook"
@@ -31,20 +32,39 @@ import PatreonProvider from "next-auth/providers/patreon"
 import TraktProvider from "next-auth/providers/trakt"
 import WorkOSProvider from "next-auth/providers/workos"
 import BoxyHQSAMLProvider from "next-auth/providers/boxyhq-saml"
+import WikimediaProvider from "next-auth/providers/wikimedia"
+import VkProvider from "next-auth/providers/vk"
 
+// TypeORM
+// import { TypeORMLegacyAdapter } from "@next-auth/typeorm-legacy-adapter"
+// const adapter = TypeORMLegacyAdapter({
+//   type: "sqlite",
+//   name: "next-auth-test-memory",
+//   database: "./typeorm/dev.db",
+//   synchronize: true,
+// })
+
+// // Prisma
 // import { PrismaAdapter } from "@next-auth/prisma-adapter"
 // import { PrismaClient } from "@prisma/client"
 // const prisma = new PrismaClient()
 // const adapter = PrismaAdapter(prisma)
 
+// // Fauna
 // import { Client as FaunaClient } from "faunadb"
 // import { FaunaAdapter } from "@next-auth/fauna-adapter"
-
 // const client = new FaunaClient({
 //   secret: process.env.FAUNA_SECRET,
 //   domain: process.env.FAUNA_DOMAIN,
 // })
 // const adapter = FaunaAdapter(client)
+
+// // Dummy
+// const adapter: any = {
+//   getUserByEmail: (email) => ({ id: "1", email, emailVerified: null }),
+//   createVerificationToken: (token) => token,
+// }
+
 export const authOptions: NextAuthOptions = {
   // adapter,
   providers: [
@@ -147,6 +167,11 @@ export const authOptions: NextAuthOptions = {
       clientSecret: process.env.IDS4_SECRET,
       issuer: process.env.IDS4_ISSUER,
     }),
+    DuendeIDS6Provider({
+      clientId: "interactive.confidential",
+      clientSecret: "secret",
+      issuer: "https://demo.duendesoftware.com",
+    }),
     DiscordProvider({
       clientId: process.env.DISCORD_ID,
       clientSecret: process.env.DISCORD_SECRET,
@@ -202,10 +227,18 @@ export const authOptions: NextAuthOptions = {
       clientSecret: process.env.WORKOS_SECRET,
     }),
     BoxyHQSAMLProvider({
-      issuer: process.env.BOXYHQSAML_ISSUER,
+      issuer: process.env.BOXYHQSAML_ISSUER ?? "https://example.com",
       clientId: process.env.BOXYHQSAML_ID,
       clientSecret: process.env.BOXYHQSAML_SECRET,
     }),
+    WikimediaProvider({
+      clientId: process.env.WIKIMEDIA_ID,
+      clientSecret: process.env.WIKIMEDIA_SECRET,
+    }),
+    VkProvider({
+      clientId: process.env.VK_ID,
+      clientSecret: process.env.VK_SECRET
+    }),
   ],
   debug: true,
   theme: {

apps/example-nextjs/package.json

@@ -1,19 +1,15 @@
 {
-  "name": "next-auth-example",
-  "version": "0.0.0",
   "private": true,
-  "description": "An example project for NextAuth.js",
+  "description": "An example project for NextAuth.js with Next.js",
   "repository": "https://github.com/nextauthjs/next-auth-example.git",
   "bugs": {
     "url": "https://github.com/nextauthjs/next-auth/issues"
   },
   "homepage": "https://next-auth-example.vercel.app",
-  "main": "",
   "scripts": {
     "dev": "next",
     "build": "next build",
-    "start": "next start",
-    "types": "tsc --noEmit"
+    "start": "next start"
   },
   "author": "Iain Collins <me@iaincollins.com>",
   "contributors": [
@@ -21,20 +17,16 @@
     "Nico Domino <yo@ndo.dev>",
     "Lluis Agusti <hi@llu.lu>"
   ],
-  "license": "ISC",
   "dependencies": {
-    "next": "12.1.7-canary.51",
+    "next": "latest",
     "next-auth": "latest",
     "nodemailer": "^6",
-    "react": "^18",
-    "react-dom": "^18"
+    "react": "^18.2.0",
+    "react-dom": "^18.2.0"
   },
   "devDependencies": {
     "@types/node": "^17",
-    "@types/react": "^18",
+    "@types/react": "^18.0.15",
     "typescript": "^4"
-  },
-  "prettier": {
-    "semi": false
   }
 }

apps/example-nextjs/pages/_app.tsx

@@ -1,7 +1,8 @@
 import { SessionProvider } from "next-auth/react"
-import type { AppProps } from "next/app"
 import "./styles.css"
 
+import type { AppProps } from "next/app"
+
 // Use of the <SessionProvider> is mandatory to allow components that call
 // `useSession()` anywhere in your application to access the `session` object.
 export default function App({ Component, pageProps }: AppProps) {

apps/example-nextjs/pages/api/examples/jwt.ts

@@ -1,10 +1,14 @@
 // This is an example of how to read a JSON Web Token from an API route
 import { getToken } from "next-auth/jwt"
+
 import type { NextApiRequest, NextApiResponse } from "next"
 
 const secret = process.env.NEXTAUTH_SECRET
 
-export default async (req: NextApiRequest, res: NextApiResponse) => {
+export default async function handler(
+  req: NextApiRequest,
+  res: NextApiResponse
+) {
   const token = await getToken({ req, secret })
   res.send(JSON.stringify(token, null, 2))
 }

apps/example-nextjs/pages/api/examples/protected.ts

@@ -1,19 +1,23 @@
 // This is an example of to protect an API route
 import { unstable_getServerSession } from "next-auth/next"
+import { authOptions } from "../auth/[...nextauth]"
+
 import type { NextApiRequest, NextApiResponse } from "next"
 
-export default async (req: NextApiRequest, res: NextApiResponse) => {
+export default async function handler(
+  req: NextApiRequest,
+  res: NextApiResponse
+) {
   const session = await unstable_getServerSession(req, res, authOptions)
 
   if (session) {
-    res.send({
+    return res.send({
       content:
         "This is protected content. You can access this content because you are signed in.",
     })
-  } else {
-    res.send({
-      error:
-        "You must be signed in to view the protected content on this page.",
-    })
   }
+
+  res.send({
+    error: "You must be signed in to view the protected content on this page.",
+  })
 }

apps/example-nextjs/pages/api/examples/session.ts

@@ -1,8 +1,13 @@
 // This is an example of how to access a session from an API route
-import { getSession } from "next-auth/react"
+import { unstable_getServerSession } from "next-auth"
+import { authOptions } from "../auth/[...nextauth]"
+
 import type { NextApiRequest, NextApiResponse } from "next"
 
-export default async (req: NextApiRequest, res: NextApiResponse) => {
-  const session = await getSession({ req })
+export default async function handler(
+  req: NextApiRequest,
+  res: NextApiResponse
+) {
+  const session = await unstable_getServerSession(req, res, authOptions)
   res.send(JSON.stringify(session, null, 2))
 }

apps/example-nextjs/pages/server.tsx

@@ -1,12 +1,13 @@
 import { unstable_getServerSession } from "next-auth/next"
 import { authOptions } from "./api/auth/[...nextauth]"
 import Layout from "../components/layout"
-import type { NextPageContext } from "next"
 
-export default function ServerSidePage({ session }) {
+import type { GetServerSidePropsContext } from "next"
+import type { Session } from "next-auth"
+
+export default function ServerSidePage({ session }: { session: Session }) {
   // As this page uses Server Side Rendering, the `session` will be already
   // populated on render without needing to go through a loading stage.
-
   return (
     <Layout>
       <h1>Server Side Rendering</h1>
@@ -28,15 +29,20 @@ export default function ServerSidePage({ session }) {
         The disadvantage of Server Side Rendering is that this page is slower to
         render.
       </p>
+      <pre>{JSON.stringify(session, null, 2)}</pre>
     </Layout>
   )
 }
 
 // Export the `session` prop to use sessions with Server Side Rendering
-export async function getServerSideProps(context: NextPageContext) {
+export async function getServerSideProps(context: GetServerSidePropsContext) {
   return {
     props: {
-      session: await unstable_getServerSession(context.req, context.res, authOptions),
+      session: await unstable_getServerSession(
+        context.req,
+        context.res,
+        authOptions
+      ),
     },
   }
 }

apps/playground-sveltekit/yarn.lock

@@ -1232,10 +1232,10 @@ natural-compare@^1.4.0:
   resolved "https://registry.yarnpkg.com/natural-compare/-/natural-compare-1.4.0.tgz#4abebfeed7541f2c27acfb29bdbbd15c8d5ba4f7"
   integrity sha1-Sr6/7tdUHywnrPspvbvRXI1bpPc=
 
-next-auth@^4.5.0:
-  version "4.5.0"
-  resolved "https://registry.yarnpkg.com/next-auth/-/next-auth-4.5.0.tgz#2df57287fddc705b8971c88c60bad44a89ac6dd1"
-  integrity sha512-B6gYRIbqtj8nlDsx3y2Ruwp/mvZnItPs7VUULY43QYw+M9xtDPIM9EBZ3ryd/wNYA3MDteBJlzGm/ivseXcmJA==
+"next-auth@workspace:*":
+  version "4.9.0"
+  resolved "https://registry.yarnpkg.com/next-auth/-/next-auth-4.9.0.tgz#0d8cabcb22a976744131a2e68d5f08756f322593"
+  integrity sha512-/4S5dFeyNg2nXlD7g/Sh5A4WZWnUMDpEf8x/x+gzmAf5cAY2SjDM6sLk9u4XRmsndsxQpIMWDw03sUTAD+Yzog==
   dependencies:
     "@babel/runtime" "^7.16.3"
     "@panva/hkdf" "^1.0.1"

docs/docs/adapters/dgraph.md

@@ -11,7 +11,7 @@ This is the Dgraph Adapter for [`next-auth`](https://next-auth.js.org).
 
 1. Install the necessary packages
 
-```bash npm2yarn
+```bash npm2yarn2pnpm
 npm install next-auth @next-auth/dgraph-adapter
 ```
 
@@ -226,22 +226,22 @@ database you must customize next-auth `encode` and `decode` functions, as the de
 further customize the jwt with roles if you want to implement [`RBAC logic`](https://dgraph.io/docs/graphql/authorization/directive/#role-based-access-control).
 
 ```js
-import * as jwt from "jsonwebtoken";
+import * as jwt from "jsonwebtoken"
 export default NextAuth({
   session: {
-    strategy: "jwt"
+    strategy: "jwt",
   },
   jwt: {
     secret: process.env.SECRET,
     encode: async ({ secret, token }) => {
-      return jwt.sign({...token, userId: token.id}, secret, {
+      return jwt.sign({ ...token, userId: token.id }, secret, {
         algorithm: "HS256",
         expiresIn: 30 * 24 * 60 * 60, // 30 days
-      });
+      })
     },
     decode: async ({ secret, token }) => {
-      return jwt.verify(token, secret, { algorithms: ["HS256"] });
-    }
+      return jwt.verify(token, secret, { algorithms: ["HS256"] })
+    },
   },
 })
 ```

docs/docs/adapters/dynamodb.md

@@ -15,7 +15,7 @@ You can find the full schema in the table structure section below.
 
 1. Install `next-auth` and `@next-auth/dynamodb-adapter`
 
-```bash npm2yarn
+```bash npm2yarn2pnpm
 npm install next-auth @next-auth/dynamodb-adapter
 ```
 

docs/docs/adapters/fauna.md

@@ -13,7 +13,7 @@ You can find the Fauna schema and seed information in the docs at [next-auth.js.
 
 1. Install the necessary packages
 
-```bash npm2yarn
+```bash npm2yarn2pnpm
 npm install next-auth @next-auth/fauna-adapter faunadb
 ```
 

docs/docs/adapters/firebase.md

@@ -5,18 +5,14 @@ title: Firebase
 
 # Firebase
 
-:::warning
-This adapter is still experimental and does not work with NextAuth.js 4 or newer. If you would like to help out upgrading it, please visit [this PR](https://github.com/nextauthjs/next-auth/pull/3873)
-:::
-
-This is the Firebase Adapter for [`next-auth`](https://next-auth.js.org). This package can only be used in conjunction with the primary `next-auth` package. It is not a standalone package.
+This is the Firebase (Firestore) Adapter for [`next-auth`](https://next-auth.js.org). This package can only be used in conjunction with the primary `next-auth` package. It is not a standalone package.
 
 ## Getting Started
 
 1. Install the necessary packages
 
-```bash npm2yarn
-npm install next-auth @next-auth/firebase-adapter@experimental
+```bash npm2yarn2pnpm
+npm install next-auth @next-auth/firebase-adapter
 ```
 
 2. Add this adapter to your `pages/api/auth/[...nextauth].js` next-auth configuration object.
@@ -24,14 +20,7 @@ npm install next-auth @next-auth/firebase-adapter@experimental
 ```javascript title="pages/api/auth/[...nextauth].js"
 import NextAuth from "next-auth"
 import GoogleProvider from "next-auth/providers/google"
-import { FirebaseAdapter } from "@next-auth/firebase-adapter"
-
-import firebase from "firebase/app"
-import "firebase/firestore"
-
-const firestore = (
-  firebase.apps[0] ?? firebase.initializeApp(/* your config */)
-).firestore()
+import { FirestoreAdapter } from "@next-auth/firebase-adapter"
 
 // For more information on each option (and a full list of options) go to
 // https://next-auth.js.org/configuration/options
@@ -43,9 +32,19 @@ export default NextAuth({
       clientSecret: process.env.GOOGLE_SECRET,
     }),
   ],
-  adapter: FirebaseAdapter(firestore),
-  ...
-})
+  adapter: FirestoreAdapter({
+    apiKey: process.env.FIREBASE_API_KEY,
+    appId: process.env.FIREBASE_APP_ID,
+    authDomain: process.env.FIREBASE_AUTH_DOMAIN,
+    databaseURL: process.env.FIREBASE_DATABASE_URL,
+    projectId: process.env.FIREBASE_PROJECT_ID,
+    storageBucket: process.env.FIREBASE_STORAGE_BUCKET,
+    messagingSenderId: process.env.FIREBASE_MESSAGING_SENDER_ID,
+    // Optional emulator config (see below for options)
+    emulator: {},
+  }),
+  // ...
+});
 ```
 
 ## Options
@@ -69,6 +68,21 @@ const firebaseConfig = {
 
 See [firebase.google.com/docs/web/setup](https://firebase.google.com/docs/web/setup) for more details.
 
+You can optionally pass in emulator options to automatically connect to your local Firebase emulator.
+
+```js
+FirestoreAdapter({
+  // ...
+  // Passing in an enable object will enable the emulator
+  emulator: {
+    // Optional host, defaults to `localhost`
+    host: 'localhost',
+  // Optional port, defaults to `3001`
+    port: 3001,
+  },
+}),
+```
+
 :::tip **From Firebase**
 
 **Caution**: We do not recommend manually modifying an app's Firebase config file or object. If you initialize an app with invalid or missing values for any of these required "Firebase options", then your end users may experience serious issues.

docs/docs/adapters/mikro-orm.md

@@ -5,7 +5,7 @@ title: MikroORM
 
 To use this Adapter, you need to install Mikro ORM, the driver that suits your database, and the separate `@next-auth/mikro-orm-adapter` package:
 
-```bash npm2yarn
+```bash npm2yarn2pnpm
 npm install next-auth @next-auth/mikro-orm-adapter @mikro-orm/core @mikro-orm/[YOUR DRIVER]
 ```
 

docs/docs/adapters/mongodb.md

@@ -11,7 +11,7 @@ The MongoDB adapter does not handle connections automatically, so you will have
 
 1. Install the necessary packages
 
-```bash npm2yarn
+```bash npm2yarn2pnpm
 npm install next-auth @next-auth/mongodb-adapter mongodb
 ```
 

docs/docs/adapters/neo4j.md

@@ -11,7 +11,7 @@ This is the Neo4j Adapter for [`next-auth`](https://next-auth.js.org). This pack
 
 1. Install the necessary packages
 
-```bash npm2yarn
+```bash npm2yarn2pnpm
 npm install next-auth @next-auth/neo4j-adapter neo4j-driver
 ```
 

docs/docs/adapters/pouchdb.md

@@ -19,7 +19,7 @@ Depending on your architecture you can use PouchDB's http adapter to reach any d
 
 1. Install `next-auth` and `@next-auth/pouchdb-adapter`
 
-```bash npm2yarn
+```bash npm2yarn2pnpm
 npm install next-auth @next-auth/pouchdb-adapter
 ```
 

docs/docs/adapters/prisma.md

@@ -7,7 +7,7 @@ title: Prisma
 
 To use this Adapter, you need to install Prisma Client, Prisma CLI, and the separate `@next-auth/prisma-adapter` package:
 
-```bash npm2yarn
+```bash npm2yarn2pnpm
 npm install next-auth @prisma/client @next-auth/prisma-adapter
 npm install prisma --save-dev
 ```

docs/docs/adapters/sequelize.md

@@ -11,7 +11,7 @@ This is the Sequelize Adapter for [`next-auth`](https://next-auth.js.org).
 
 1. Install the necessary packages
 
-```bash npm2yarn
+```bash npm2yarn2pnpm
 npm install next-auth @next-auth/sequelize-adapter sequelize
 ```
 

docs/docs/adapters/typeorm.md

@@ -5,21 +5,25 @@ title: TypeORM
 
 # TypeORM
 
-This Adapter is used to support SQL-flavored databases (like SQLite, MySQL, MSSQL, MariaDB, CockroachDB, etc.) through [TypeORM](https://typeorm.io), and mostly kept around for legacy reasons. (See the warning below.)
+This Adapter is used to support SQL-flavored databases (like SQLite, MySQL, MSSQL, MariaDB, CockroachDB, etc.) through [TypeORM](https://typeorm.io).
 
 :::note
 If you previously used this Adapter with MongoDB, check out the [MongoDB Adapter](/adapters/mongodb) instead.
 :::
 
-:::warning
+:::note
 In the future, we might split up this adapter to support single flavors of SQL for easier maintenance and reduced bundle size.
 :::
 
 ## Usage
 
+:::warning
+[`typeorm`](https://github.com/typeorm/typeorm) is still in active development and has not yet published a stable release. Because of this, you can expect breaking changes in minor versions. This adapter expects `typeorm@0.3.7` and is not validated against previous or future releases.
+:::
+
 To use this Adapter, you need to install the following packages:
 
-```bash npm2yarn
+```bash npm2yarn2pnpm
 npm install next-auth @next-auth/typeorm-legacy-adapter typeorm
 ```
 
@@ -36,7 +40,7 @@ export default NextAuth({
 })
 ```
 
-`TypeORMLegacyAdapter` takes either a connection string, or a [`ConnectionOptions`](https://github.com/typeorm/typeorm/blob/master/docs/connection-options.md) object as its first parameter.
+`TypeORMLegacyAdapter` takes either a connection string, or a [`DataSourceOptions`](https://github.com/typeorm/typeorm/blob/master/docs/data-source-options.md) object as its first parameter.
 
 ## Custom models
 
@@ -217,9 +221,9 @@ For example, you can add the naming convention option to the connection object i
 import NextAuth from "next-auth"
 import { TypeORMLegacyAdapter } from "@next-auth/typeorm-legacy-adapter"
 import { SnakeNamingStrategy } from 'typeorm-naming-strategies'
-import { ConnectionOptions } from "typeorm"
 
-const connection: ConnectionOptions = {
+export default NextAuth({
+  adapter: TypeORMLegacyAdapter({
     type: "mysql",
     host: "localhost",
     port: 3306,
@@ -227,10 +231,7 @@ const connection: ConnectionOptions = {
     password: "test",
     database: "test",
     namingStrategy: new SnakeNamingStrategy()
-}
-
-export default NextAuth({
-  adapter: TypeORMLegacyAdapter(connection),
+  }),
   ...
 })
 ```

docs/docs/adapters/upstash-redis.md

@@ -7,7 +7,7 @@ title: Upstash Redis
 
 To use this Adapter, you need to install `@upstash/redis` and `@next-auth/upstash-redis-adapter` package:
 
-```bash npm2yarn
+```bash npm2yarn2pnpm
 npm install @upstash/redis @next-auth/upstash-redis-adapter
 ```
 

docs/docs/configuration/nextjs.md

@@ -8,7 +8,7 @@ This feature is experimental and may be removed or changed in the future.
 
 When calling from server-side i.e. in API routes or in `getServerSideProps`, we recommend using this function instead of `getSession` to retrieve the `session` object. This method is especially useful when you are using NextAuth.js with a database. This method can _drastically_ reduce response time when used over `getSession` server-side, due to avoiding an extra `fetch` to an API Route (this is generally [not recommended in Next.js](https://nextjs.org/docs/basic-features/data-fetching/get-server-side-props#getserversideprops-or-api-routes)). In addition, `unstable_getServerSession` will correctly update the cookie expiry time and update the session content if `callbacks.jwt` or `callbacks.session` changed something.
 
-Otherwise, if you only want to get the session token, see [`getToken`](tutorials/securing-pages-and-api-routes#using-gettoken).
+Otherwise, if you only want to get the session token, see [`getToken`](/tutorials/securing-pages-and-api-routes#using-gettoken).
 
 `unstable_getServerSession` requires passing the same object you would pass to `NextAuth` when initializing NextAuth.js. To do so, you can export your NextAuth.js options in the following way:
 
@@ -80,10 +80,11 @@ You can get the `withAuth` middleware function from `next-auth/middleware` eithe
 
 ### Prerequisites
 
-You must set the [`NEXTAUTH_SECRET`](/configuration/options#nextauth_secret) environment variable when using this middleware. If you are using the [`secret` option](/configuration/options#secret) this value must match.
+You must set the same secret in the middleware that you use in NextAuth. The easiest way is to set the [`NEXTAUTH_SECRET`](/configuration/options#nextauth_secret) environment variable. It will be picked up by both the [NextAuth config](/configuration/options#options), as well as the middleware config.
 
-**We strongly recommend** replacing the `secret` value completely with this `NEXTAUTH_SECRET` environment variable. This environment variable will be picked up by both the [NextAuth config](/configuration/options#options), as well as the middleware config.
+Alternatively, you can provide the secret using the [`secret`](#secret) option in the middleware config.
 
+**We strongly recommend** replacing the `secret` value completely with this `NEXTAUTH_SECRET` environment variable.
 
 ### Basic usage
 
@@ -93,7 +94,7 @@ The most simple usage is when you want to require authentication for your entire
 export { default } from "next-auth/middleware"
 ```
 
-That's it! Your application is not secured. 🎉
+That's it! Your application is now secured. 🎉
 
 If you only want to secure certain pages, export a `config` object with a `matcher`:
 
@@ -149,6 +150,22 @@ See the documentation for the [pages option](/configuration/pages) for more info
 
 ---
 
+### `secret`
+
+- **Required**: _No_
+
+#### Description
+
+The same `secret` used in the [NextAuth config](/configuration/options#options).
+
+#### Example (default value)
+
+```js
+secret: process.env.NEXTAUTH_SECRET
+```
+
+---
+
 ### Advanced usage
 
 NextAuth.js Middleware is very flexible, there are multiple ways to use it.

docs/docs/configuration/options.md

@@ -13,19 +13,22 @@ When deploying to production, set the `NEXTAUTH_URL` environment variable to the
 NEXTAUTH_URL=https://example.com
 ```
 
-If your Next.js application uses a custom base path, specify the route to the API endpoint in full.
+If your Next.js application uses a custom base path, specify the route to the API endpoint in full. More informations about the usage of custom base path [here](/getting-started/client#custom-base-path).
 
 _e.g. `NEXTAUTH_URL=https://example.com/custom-route/api/auth`_
 
+:::tip
+When you're using a custom base path, you will need to pass the `basePath` page prop to the `<SessionProvider>`. More informations [here](/getting-started/client#custom-base-path).
+:::
+
 :::note
 Using [System Environment Variables](https://vercel.com/docs/concepts/projects/environment-variables#system-environment-variables) we automatically detect when you deploy to [Vercel](https://vercel.com) so you don't have to define this variable. Make sure **Automatically expose System Environment Variables** is checked in your Project Settings.
 :::
 
 ### NEXTAUTH_SECRET
 
-Used to encrypt the NextAuth.js JWT, and to hash [email verification tokens](/adapters/models#verification-token). This is the default value for the [`secret`](/configuration/options#secret) option. The `secret` option might be removed in the future in favor of this.
+Used to encrypt the NextAuth.js JWT, and to hash [email verification tokens](/adapters/models#verification-token). This is the default value for the `secret` option in [NextAuth](/configuration/options#secret) and [Middleware](/configuration/nextjs#secret).
 
-If you are using [Middleware](/configuration/nextjs#prerequisites) this environment variable must be set.
 
 ### NEXTAUTH_URL_INTERNAL
 
@@ -366,11 +369,14 @@ Changes the color scheme theme of [pages](/configuration/pages) as well as allow
 
 In addition, you can define a logo URL in `theme.logo` which will be rendered above the main card in the default signin/signout/error/verify-request pages, as well as a `theme.brandColor` which will affect the accent color of these pages.
 
+The sign-in button's background color will match the `brandColor` and defaults to `"#346df1"`. The text color is `#fff` by default, but if your brand color gives a weak contrast, correct it with the `buttonText` color option.
+
 ```js
 theme: {
   colorScheme: "auto", // "auto" | "dark" | "light"
   brandColor: "", // Hex color code
-  logo: "" // Absolute URL to image
+  logo: "", // Absolute URL to image
+  buttonText: "" // Hex color code
 }
 ```
 

docs/docs/configuration/providers/oauth.md

@@ -350,7 +350,7 @@ providers: [
 
 ## Built-in providers
 
-NextAuth.js comes with a set of built-in providers. You can find them [here](https://github.com/nextauthjs/next-auth/tree/main/src/providers). Each built-in provider has its own documentation page:
+NextAuth.js comes with a set of built-in providers. You can find them [here](https://github.com/nextauthjs/next-auth/tree/main/packages/next-auth/src/providers). Each built-in provider has its own documentation page:
 
 <div className="provider-name-list">
 {Object.entries(require("../../../providers.json"))

docs/docs/getting-started/client.md

@@ -165,6 +165,12 @@ See repository [`README`](https://github.com/nextauthjs/react-query) for more de
 
 NextAuth.js provides a `getSession()` helper which should be called **client side only** to return the current active session.
 
+On the server side, **this is still available to use**, however, we recommend using `unstable_getServerSession` going forward. The idea behind this is to avoid an additional unnecessary `fetch` call on the server side. For more information, please check out [this issue](https://github.com/nextauthjs/next-auth/issues/1535).
+
+:::note
+The `unstable_getServerSession` only has the prefix `unstable_` at the moment, because the API may change in the future. There are no known bugs at the moment and it is safe to use. If you discover any issues, please do report them as a [GitHub Issue](https://github.com/nextauthjs/next-auth/issues) and we will patch them as soon as possible.
+:::
+
 This helper is helpful in case you want to read the session outside of the context of React.
 
 When called, `getSession()` will send a request to `/api/auth/session` and returns a promise with a [session object](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/core/types.ts#L407-L425), or `null` if no session exists.
@@ -421,13 +427,14 @@ This only works on pages where you provide the correct `pageProps`, however. Thi
 
 ```js title="pages/index.js"
 import { unstable_getServerSession } from "next-auth/next"
+import { authOptions } from './api/auth/[...nextauth]'
 
 ...
 
-export async function getServerSideProps(ctx) {
+export async function getServerSideProps({ req, res }) {
   return {
     props: {
-      session: await unstable_getServerSession(ctx)
+      session: await unstable_getServerSession(req, res, authOptions)
     }
   }
 }
@@ -499,3 +506,29 @@ However, if it was set to `false`, it stops re-fetching the session and the comp
 :::note
 See [**the Next.js documentation**](https://nextjs.org/docs/advanced-features/custom-app) for more information on **\_app.js** in Next.js applications.
 :::
+
+### Custom base path
+When your Next.js application uses a custom base path, set the `NEXTAUTH_URL` environment variable to the route to the API endpoint in full - as in the example below and as explained [here](/configuration/options#nextauth_url).
+
+Also, make sure to pass the `basePath` page prop to the `<SessionProvider>` – as in the example below – so your custom base path is fully configured and used by NextAuth.js.
+
+#### Example
+In this example, the custom base path used is `/custom-route`.
+
+```
+NEXTAUTH_URL=https://example.com/custom-route/api/auth
+```
+
+```jsx title="pages/_app.js"
+import { SessionProvider } from "next-auth/react"
+export default function App({
+  Component,
+  pageProps: { session, ...pageProps },
+}) {
+  return (
+    <SessionProvider session={session} basePath="/custom-route/api/auth">
+      <Component {...pageProps} />
+    </SessionProvider>
+  )
+}
+```

docs/docs/getting-started/example.md

@@ -97,6 +97,7 @@ To protect an API Route, you can use the [`unstable_getServerSession()`](/config
 
 ```javascript title="pages/api/restricted.js" showLineNumbers
 import { unstable_getServerSession } from "next-auth/next"
+import { authOptions } from "./api/auth/[...nextauth]"
 
 export default async (req, res) => {
   const session = await unstable_getServerSession(req, res, authOptions)

docs/docs/getting-started/upgrade-to-v4.md

@@ -13,7 +13,7 @@ We encourage users to try it out and report any and all issues they come across.
 
 You can upgrade to the new version by running:
 
-```bash npm2yarn
+```bash npm2yarn2pnpm
 npm install next-auth
 ```
 

docs/docs/providers/email.md

@@ -124,67 +124,74 @@ providers: [
 The following code shows the complete source for the built-in `sendVerificationRequest()` method:
 
 ```js
-import nodemailer from "nodemailer"
+import { createTransport } from "nodemailer"
 
-async function sendVerificationRequest({
-  identifier: email,
-  url,
-  provider: { server, from },
-}) {
+async function sendVerificationRequest(params) {
+  const { identifier, url, provider, theme } = params
   const { host } = new URL(url)
-  const transport = nodemailer.createTransport(server)
-  await transport.sendMail({
-    to: email,
-    from,
+  // NOTE: You are not required to use `nodemailer`, use whatever you want.
+  const transport = createTransport(provider.server)
+  const result = await transport.sendMail({
+    to: identifier,
+    from: provider.from,
     subject: `Sign in to ${host}`,
     text: text({ url, host }),
-    html: html({ url, host, email }),
+    html: html({ url, host, theme }),
   })
+  const failed = result.rejected.concat(result.pending).filter(Boolean)
+  if (failed.length) {
+    throw new Error(`Email(s) (${failed.join(", ")}) could not be sent`)
+  }
 }
 
-// Email HTML body
-function html({ url, host, email }: Record<"url" | "host" | "email", string>) {
-  // Insert invisible space into domains and email address to prevent both the
-  // email address and the domain from being turned into a hyperlink by email
-  // clients like Outlook and Apple mail, as this is confusing because it seems
-  // like they are supposed to click on their email address to sign in.
-  const escapedEmail = `${email.replace(/\./g, "&#8203;.")}`
-  const escapedHost = `${host.replace(/\./g, "&#8203;.")}`
+/**
+ * Email HTML body
+ * Insert invisible space into domains from being turned into a hyperlink by email
+ * clients like Outlook and Apple mail, as this is confusing because it seems
+ * like they are supposed to click on it to sign in.
+ *
+ * @note We don't add the email address to avoid needing to escape it, if you do, remember to sanitize it!
+ */
+function html(params: { url: string; host: string; theme: Theme }) {
+  const { url, host, theme } = params
 
-  // Some simple styling options
-  const backgroundColor = "#f9f9f9"
-  const textColor = "#444444"
-  const mainBackgroundColor = "#ffffff"
-  const buttonBackgroundColor = "#346df1"
-  const buttonBorderColor = "#346df1"
-  const buttonTextColor = "#ffffff"
+  const escapedHost = host.replace(/\./g, "&#8203;.")
+
+  const brandColor = theme.brandColor || "#346df1"
+  const color = {
+    background: "#f9f9f9",
+    text: "#444",
+    mainBackground: "#fff",
+    buttonBackground: brandColor,
+    buttonBorder: brandColor,
+    buttonText: theme.buttonText || "#fff",
+  }
 
   return `
-<body style="background: ${backgroundColor};">
-  <table width="100%" border="0" cellspacing="0" cellpadding="0">
+<body style="background: ${color.background};">
+  <table width="100%" border="0" cellspacing="20" cellpadding="0"
+    style="background: ${color.mainBackground}; max-width: 600px; margin: auto; border-radius: 10px;">
     <tr>
-      <td align="center" style="padding: 10px 0px 20px 0px; font-size: 22px; font-family: Helvetica, Arial, sans-serif; color: ${textColor};">
-        <strong>${escapedHost}</strong>
-      </td>
-    </tr>
-  </table>
-  <table width="100%" border="0" cellspacing="20" cellpadding="0" style="background: ${mainBackgroundColor}; max-width: 600px; margin: auto; border-radius: 10px;">
-    <tr>
-      <td align="center" style="padding: 10px 0px 0px 0px; font-size: 18px; font-family: Helvetica, Arial, sans-serif; color: ${textColor};">
-        Sign in as <strong>${escapedEmail}</strong>
+      <td align="center"
+        style="padding: 10px 0px; font-size: 22px; font-family: Helvetica, Arial, sans-serif; color: ${color.text};">
+        Sign in to <strong>${escapedHost}</strong>
       </td>
     </tr>
     <tr>
       <td align="center" style="padding: 20px 0;">
         <table border="0" cellspacing="0" cellpadding="0">
           <tr>
-            <td align="center" style="border-radius: 5px;" bgcolor="${buttonBackgroundColor}"><a href="${url}" target="_blank" style="font-size: 18px; font-family: Helvetica, Arial, sans-serif; color: ${buttonTextColor}; text-decoration: none; border-radius: 5px; padding: 10px 20px; border: 1px solid ${buttonBorderColor}; display: inline-block; font-weight: bold;">Sign in</a></td>
+            <td align="center" style="border-radius: 5px;" bgcolor="${color.buttonBackground}"><a href="${url}"
+                target="_blank"
+                style="font-size: 18px; font-family: Helvetica, Arial, sans-serif; color: ${color.buttonText}; text-decoration: none; border-radius: 5px; padding: 10px 20px; border: 1px solid ${color.buttonBorder}; display: inline-block; font-weight: bold;">Sign
+                in</a></td>
           </tr>
         </table>
       </td>
     </tr>
     <tr>
-      <td align="center" style="padding: 0px 0px 10px 0px; font-size: 16px; line-height: 22px; font-family: Helvetica, Arial, sans-serif; color: ${textColor};">
+      <td align="center"
+        style="padding: 0px 0px 10px 0px; font-size: 16px; line-height: 22px; font-family: Helvetica, Arial, sans-serif; color: ${color.text};">
         If you did not request this email you can safely ignore it.
       </td>
     </tr>
@@ -193,8 +200,8 @@ function html({ url, host, email }: Record<"url" | "host" | "email", string>) {
 `
 }
 
-// Email Text body (fallback for email clients that don't render HTML, e.g. feature phones)
-function text({ url, host }: Record<"url" | "host", string>) {
+/** Email Text body (fallback for email clients that don't render HTML, e.g. feature phones) */
+function text({ url, host }: { url: string; host: string }) {
   return `Sign in to ${host}\n${url}\n\n`
 }
 ```

docs/docs/providers/github.md

@@ -19,7 +19,7 @@ https://github.com/settings/apps
 
 The **GitHub Provider** comes with a set of default options:
 
-- [GitHub Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/github.js)
+- [GitHub Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/github.ts)
 
 You can override any of the options to suit your own use case.
 

docs/docs/providers/index.md

@@ -5,7 +5,7 @@ title: Overview
 
 Authentication Providers in **NextAuth.js** are services that can be used to sign in a user.
 
-There's four ways a user can be signed in:
+There are four ways a user can be signed in:
 
 - [Using a built-in OAuth Provider](/configuration/providers/oauth) (e.g Github, Twitter, Google, etc...)
 - [Using a custom OAuth Provider](/configuration/providers/oauth#using-a-custom-provider)

docs/docs/providers/wikimedia.md

@@ -0,0 +1,50 @@
+---
+id: wikimedia
+title: Wikimedia
+---
+
+## Documentation
+
+https://www.mediawiki.org/wiki/Extension:OAuth
+
+This provider also supports all Wikimedia projects:
+
+- Wikipedia
+- Wikidata
+- Wikibooks
+- Wiktionary
+- etc..
+
+Please be aware that Wikimedia accounts do not have to have an associated email address. So you may want to add check if the user has an email address before allowing them to login.
+
+## Configuration
+
+1. Go to and accept the Consumer Registration doc: https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration
+2. Request a new OAuth 2.0 consumer to get the `clientId` and `clientSecret`: https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration/propose/oauth2
+  2a. Add the following redirect URL into the console `http://<your-next-app-url>/api/auth/callback/wikimedia`
+  2b. Do not check the box next to `This consumer is only for [your username]`
+  2c. Unless you explicitly need a larger scope, feel free to select the radio button labelled `User identity verification only - no ability to read pages or act on the users behalf.`
+
+After registration, you can initally test your application only with your own Wikimedia account. You may have to wait several days for the application to be approved for it to be used by everyone.
+
+## Options
+
+The **Wikimedia Provider** comes with a set of default options:
+
+- [Wikimedia Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/wikimedia.ts)
+
+You can override any of the options to suit your own use case.
+
+## Example
+
+```js
+import WikimediaProvider from "next-auth/providers/wikimedia";
+...
+providers: [
+  WikimediaProvider({
+    clientId: process.env.WIKIMEDIA_CLIENT_ID,
+    clientSecret: process.env.WIKIMEDIA_CLIENT_SECRET
+  })
+]
+...
+```

docs/docs/tutorials/ldap-auth.md

@@ -7,7 +7,7 @@ NextAuth.js provides the ability to setup a [custom Credential provider](/config
 
 You will need an additional dependency, `ldapjs`, which you can install by running
 
-```bash npm2yarn
+```bash npm2yarn2pnpm
 npm install ldapjs
 ```
 

docs/docs/tutorials/securing-pages-and-api-routes.md

@@ -44,7 +44,7 @@ export default function Page() {
 
 With NextAuth.js 4.2.0 and Next.js 12, you can now protect your pages via the middleware pattern more easily. If you would like to protect all pages, you can create a `_middleware.js` file in your root `pages` directory which looks like this.
 
-```js title="/pages/_middleware.js"
+```js title="/middleware.js"
 export { default } from "next-auth/middleware"
 ```
 
@@ -58,10 +58,11 @@ More details can be found [here](https://next-auth.js.org/configuration/nextjs#m
 
 You can protect server side rendered pages using the `unstable_getServerSession` method. This is different from the old `getSession()` method, in that it does not do an extra fetch out over the internet to confirm data from itself, increasing performance significantly.
 
-You need to add this to every server rendered page you want to protect.
+You need to add this to every server rendered page you want to protect. Be aware, `unstable_getServerSession` takes slightly different arguments than the method it is replacing, `getSession`.
 
 ```js title="pages/server-side-example.js"
 import { useSession, unstable_getServerSession } from "next-auth/next"
+import { authOptions } from "./api/auth/[...nextauth]"
 
 export default function Page() {
   const { data: session } = useSession()
@@ -82,7 +83,11 @@ export default function Page() {
 export async function getServerSideProps(context) {
   return {
     props: {
-      session: await unstable_getServerSession(context.req, context.res, authOptions),
+      session: await unstable_getServerSession(
+        context.req,
+        context.res,
+        authOptions
+      ),
     },
   }
 }
@@ -116,6 +121,7 @@ You can protect API routes using the `unstable_getServerSession()` method.
 
 ```js title="pages/api/get-session-example.js"
 import { unstable_getServerSession } from "next-auth/next"
+import { authOptions } from "./api/auth/[...nextauth]"
 
 export default async (req, res) => {
   const session = await unstable_getServerSession(req, res, authOptions)

docs/docs/tutorials/testing-with-cypress.md

@@ -9,7 +9,7 @@ To test an implementation of NextAuth.js, we encourage you to use [Cypress](http
 
 To get started, install the dependencies:
 
-```bash npm2yarn
+```bash npm2yarn2pnpm
 npm install --save-dev cypress cypress-social-logins @testing-library/cypress
 ```
 

docs/docusaurus.config.js

@@ -155,9 +155,9 @@ module.exports = {
           showLastUpdateAuthor: true,
           showLastUpdateTime: true,
           remarkPlugins: [
+            require("@sapphire/docusaurus-plugin-npm2yarn2pnpm").npm2yarn2pnpm,
             require("remark-github"),
             require("mdx-mermaid"),
-            [require("@docusaurus/remark-plugin-npm2yarn"), { sync: true }],
           ],
           versions: {
             current: {

docs/package.json

@@ -21,9 +21,9 @@
   "dependencies": {
     "@docusaurus/core": "^2.0.0-beta.21",
     "@docusaurus/preset-classic": "^2.0.0-beta.21",
-    "@docusaurus/remark-plugin-npm2yarn": "^2.0.0-beta.21",
     "@docusaurus/theme-common": "2.0.0-beta.21",
     "@mdx-js/react": "1.6.22",
+    "@sapphire/docusaurus-plugin-npm2yarn2pnpm": "1.1.3",
     "classnames": "^2.3.1",
     "mdx-mermaid": "^1.2.2",
     "mermaid": "^9.0.1",

docs/versioned_docs/version-v3/configuration/providers.md

@@ -181,7 +181,7 @@ If you think your custom provider might be useful to others, we encourage you to
 
 You only need to add two changes:
 
-1. Add your config: [`src/providers/{provider}.js`](https://github.com/nextauthjs/next-auth/tree/main/src/providers)<br />
+1. Add your config: [`src/providers/{provider}.js`](https://github.com/nextauthjs/next-auth/tree/main/packages/next-auth/src/providers)<br />
    • make sure you use a named default export, like this: `export default function YourProvider`
 2. Add provider documentation: [`www/docs/providers/{provider}.md`](https://github.com/nextauthjs/next-auth/tree/ead715219a5d7a6e882a6ba27fa56b03954d062d/www/docs/providers)
 3. Add it to our [provider types](https://github.com/nextauthjs/next-auth/blob/ead715219a5d7a6e882a6ba27fa56b03954d062d/types/providers.d.ts) (for TS projects)<br />

docs/versioned_docs/version-v3/providers/duende-identity-server6.md

@@ -0,0 +1,53 @@
+---
+id: duende-identityserver6
+title: DuendeIdentityServer6
+---
+
+## Documentation
+
+https://docs.duendesoftware.com/identityserver/v6
+
+## Options
+
+The **DuendeIdentityServer6 Provider** comes with a set of default options:
+
+- [DuendeIdentityServer6 Provider options](https://github.com/nextauthjs/next-auth/tree/main/packages/next-auth/src/providers/duende-identity-server6.ts)
+
+You can override any of the options to suit your own use case.
+
+## Example
+
+```js
+import DuendeIDS6Provider from "next-auth/providers/duende-identity-server6"
+
+...
+providers: [
+  DuendeIDS6Provider({
+    clientId: process.env.DUENDE_IDS6_ID,
+    clientSecret: process.env.DUENDE_IDS6_SECRET,
+    issuer: process.env.DUENDE_IDS6_ISSUER,
+  })
+]
+...
+```
+
+## Demo IdentityServer
+
+The configuration below is for the demo server at https://demo.duendesoftware.com/
+
+If you want to try it out, you can copy and paste the configuration below.
+
+You can sign in to the demo service with either <b>bob/bob</b> or <b>alice/alice</b>.
+
+```js
+import DuendeIDS6Provider from "next-auth/providers/duende-identity-server6"
+...
+providers: [
+  DuendeIDS6Provider({
+    clientId: "interactive.confidential",
+    clientSecret: "secret",
+    issuer: "https://demo.duendesoftware.com",
+  })
+]
+...
+```

docs/versioned_docs/version-v3/providers/github.md

@@ -15,7 +15,7 @@ https://github.com/settings/apps
 
 The **Github Provider** comes with a set of default options:
 
-- [Github Provider options](https://github.com/nextauthjs/next-auth/blob/main/src/providers/github.js)
+- [Github Provider options](https://github.com/nextauthjs/next-auth/blob/main/src/providers/github.ts)
 
 You can override any of the options to suit your own use case.
 

docs/versioned_docs/version-v3/providers/identity-server4.md

@@ -54,6 +54,6 @@ providers: [
     clientSecret: "secret",
     protection: "pkce"
   })
-}
+]
 ...
 ```

package.json

@@ -36,8 +36,9 @@
     "pretty-quick": "^3.1.2",
     "semver": "7.3.5",
     "stream-to-array": "2.3.0",
-    "ts-node": "10.5.0",
-    "turbo": "^1.2.5",
+    "ts-node": "10.8.2",
+    "turbo": "1.3.1",
+    "type-fest": "2.16.0",
     "typescript": "^4.5.2"
   },
   "engines": {
@@ -97,7 +98,7 @@
     "**/tests",
     "**/__tests__"
   ],
-  "packageManager": "pnpm@6.32.8",
+  "packageManager": "pnpm@7.5.1",
   "funding": [
     {
       "type": "github",

packages/adapter-firebase/README.md

@@ -32,14 +32,13 @@ npm install next-auth @next-auth/firebase-adapter
 ```js
 import NextAuth from "next-auth"
 import Providers from "next-auth/providers"
-import { FirebaseAdapter } from "@next-auth/firebase-adapter"
+import { FirestoreAdapter } from "@next-auth/firebase-adapter"
 
-import firebase from "firebase/app"
-import "firebase/firestore"
+import { initializeApp } from "firebase/app";
+import { getFirestore } from "firebase/firestore"
 
-const firestore = (
-  firebase.apps[0] ?? firebase.initializeApp(/* your config */)
-).firestore()
+const app = initializeApp({ projectId: "next-auth-test" });
+const firestore = getFirestore(app);
 
 // For more information on each option (and a full list of options) go to
 // https://next-auth.js.org/configuration/options
@@ -51,7 +50,7 @@ export default NextAuth({
       clientSecret: process.env.GOOGLE_SECRET,
     }),
   ],
-  adapter: FirebaseAdapter(firestore),
+  adapter: FirestoreAdapter(firestore),
   ...
 })
 ```

packages/adapter-firebase/jest.config.js

@@ -1 +1 @@
-module.exports = require("@next-auth/adapter-test/jest.config")
+module.exports = require("@next-auth/adapter-test/jest/jest-preset")

packages/adapter-firebase/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@next-auth/firebase-adapter",
-  "version": "0.1.3",
+  "version": "1.0.0",
   "description": "Firebase adapter for next-auth.",
   "homepage": "https://next-auth.js.org",
   "repository": "https://github.com/nextauthjs/next-auth",
@@ -28,18 +28,18 @@
     "access": "public"
   },
   "scripts": {
-    "build:wip": "tsc",
-    "test:wip": "FIRESTORE_EMULATOR_HOST=localhost:8080 firebase emulators:exec --only firestore --project next-auth-test jest"
+    "build": "tsc",
+    "test": "FIRESTORE_EMULATOR_HOST=localhost:8080 firebase emulators:exec --only firestore --project next-auth-test jest"
   },
   "peerDependencies": {
-    "firebase": "^8.6.2",
+    "firebase": "^9.7.0",
     "next-auth": "workspace:*"
   },
   "devDependencies": {
     "@next-auth/adapter-test": "workspace:^0.0.0",
     "@next-auth/tsconfig": "workspace:^0.0.0",
-    "firebase": "^8.6.2",
-    "firebase-tools": "^9.11.0",
+    "firebase": "^9.7.0",
+    "firebase-tools": "^10.7.2",
     "jest": "^27.4.3",
     "next-auth": "workspace:*"
   }

packages/adapter-firebase/src/converter.ts

@@ -0,0 +1,58 @@
+import { Timestamp } from "firebase/firestore"
+import type {
+  FirestoreDataConverter,
+  QueryDocumentSnapshot,
+  WithFieldValue,
+} from "firebase/firestore"
+
+const isTimestamp = (value: unknown): value is Timestamp =>
+  typeof value === "object" && value !== null && value instanceof Timestamp
+
+interface GetConverterOptions {
+  excludeId?: boolean
+}
+
+export const getConverter = <Document extends Record<string, unknown>>(
+  options?: GetConverterOptions
+): FirestoreDataConverter<Document> => ({
+  // `PartialWithFieldValue` implicitly types `object` as `any`, so we want to explicitly type it
+  toFirestore(object: WithFieldValue<Document>) {
+    const document: Record<string, unknown> = {}
+
+    Object.keys(object).forEach((key) => {
+      if (object[key] !== undefined) {
+        document[key] = object[key]
+      }
+    })
+
+    return document
+  },
+  // We need to explicitly type `snapshot` since it uses `DocumentData` for generic type
+  fromFirestore(snapshot: QueryDocumentSnapshot<Document>) {
+    if (!snapshot.exists()) {
+      return snapshot
+    }
+
+    let document: Document = snapshot.data()
+
+    if (!options?.excludeId) {
+      document = {
+        ...document,
+        id: snapshot.id,
+      }
+    }
+
+    for (const key in document) {
+      const value = document[key]
+
+      if (isTimestamp(value)) {
+        document = {
+          ...document,
+          [key]: value.toDate(),
+        }
+      }
+    }
+
+    return document
+  },
+})

packages/adapter-firebase/src/index.ts

@@ -1,283 +1,289 @@
-import type firebase from "firebase"
-import { createHash, randomBytes } from "crypto"
-import { Adapter } from "next-auth/adapters"
+import { initializeApp } from "firebase/app"
+import type { FirebaseOptions } from "firebase/app"
 import {
-  querySnapshotToObject,
-  docSnapshotToObject,
-  stripUndefined,
-} from "./utils"
-import { Profile, Session, User } from "next-auth"
+  addDoc,
+  collection,
+  deleteDoc,
+  doc,
+  getDoc,
+  getDocs,
+  getFirestore,
+  limit,
+  query,
+  runTransaction,
+  setDoc,
+  where,
+  connectFirestoreEmulator,
+} from "firebase/firestore"
+import type { Account } from "next-auth"
+import type {
+  Adapter,
+  AdapterSession,
+  AdapterUser,
+  VerificationToken,
+} from "next-auth/adapters"
 
-interface FirebaseVerificationRequest {
-  id: string
-  identifier: string
-  token: string
-  expires: Date
+import { getConverter } from "./converter"
+
+type IndexableObject = Record<string, unknown>
+
+export interface FirestoreAdapterOptions {
+  emulator?: {
+    host?: string
+    port?: number
+  }
 }
 
-export type FirebaseSession = Session & {
-  id: string
-  expires: Date
-}
+export function FirestoreAdapter({
+  emulator,
+  ...firebaseOptions
+}: FirebaseOptions & FirestoreAdapterOptions): Adapter {
+  const firebaseApp = initializeApp(firebaseOptions)
+  const db = getFirestore(firebaseApp)
+
+  if (emulator) {
+    connectFirestoreEmulator(
+      db,
+      emulator?.host ?? "localhost",
+      emulator?.port ?? 3001
+    )
+  }
+
+  const Users = collection(db, "users").withConverter(
+    getConverter<AdapterUser>()
+  )
+  const Sessions = collection(db, "sessions").withConverter(
+    getConverter<AdapterSession & IndexableObject>()
+  )
+  const Accounts = collection(db, "accounts").withConverter(
+    getConverter<Account>()
+  )
+  const VerificationTokens = collection(db, "verificationTokens").withConverter(
+    getConverter<VerificationToken & IndexableObject>({ excludeId: true })
+  )
 
-// @ts-expect-error
-export const FirebaseAdapter: Adapter<
-  firebase.firestore.Firestore,
-  never,
-  User & { id: string },
-  Profile,
-  FirebaseSession
-> = (client) => {
   return {
-    async getAdapter({ session, secret, ...appOptions }) {
-      const sessionMaxAge = session.maxAge * 1000 // default is 30 days
-      const sessionUpdateAge = session.updateAge * 1000 // default is 1 day
-      /**
-       * @todo Move this to core package
-       * @todo Use bcrypt or a more secure method
-       */
-      const hashToken = (token: string) =>
-        createHash("sha256").update(`${token}${secret}`).digest("hex")
+    async createUser(newUser) {
+      const userRef = await addDoc(Users, newUser)
+      const userSnapshot = await getDoc(userRef)
 
-      return {
-        displayName: "FIREBASE",
-        async createUser(profile) {
-          const userRef = await client.collection("users").add(
-            stripUndefined({
-              name: profile.name,
-              email: profile.email,
-              image: profile.image,
-              emailVerified: profile.emailVerified ?? null,
-            })
-          )
-          const snapshot = await userRef.get()
-          const user = docSnapshotToObject(snapshot)
-          return user
-        },
-
-        async getUser(id) {
-          const snapshot = await client.collection("users").doc(id).get()
-          const user = docSnapshotToObject(snapshot)
-          return user
-        },
-
-        async getUserByEmail(email) {
-          if (!email) return null
-
-          const snapshot = await client
-            .collection("users")
-            .where("email", "==", email)
-            .limit(1)
-            .get()
-
-          const user = querySnapshotToObject(snapshot)
-          return user
-        },
-
-        async getUserByProviderAccountId(providerId, providerAccountId) {
-          const accountSnapshot = await client
-            .collection("accounts")
-            .where("providerId", "==", providerId)
-            .where("providerAccountId", "==", providerAccountId)
-            .limit(1)
-            .get()
-
-          if (accountSnapshot.empty) return null
-
-          const userId = accountSnapshot.docs[0].data().userId
-
-          const userSnapshot = await client
-            .collection("users")
-            .doc(userId)
-            .get()
-
-          // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-assertion
-          return { ...userSnapshot.data(), id: userSnapshot.id } as any
-        },
-
-        async updateUser(user) {
-          await client
-            .collection("users")
-            .doc(user.id)
-            .update(stripUndefined(user))
-
-          return user
-        },
-
-        async deleteUser(userId) {
-          await client.collection("users").doc(userId).delete()
-        },
-
-        async linkAccount(
-          userId,
-          providerId,
-          providerType,
-          providerAccountId,
-          refreshToken,
-          accessToken,
-          accessTokenExpires
-        ) {
-          const accountRef = await client.collection("accounts").add(
-            stripUndefined({
-              userId,
-              providerId,
-              providerType,
-              providerAccountId,
-              refreshToken,
-              accessToken,
-              accessTokenExpires,
-            })
-          )
-
-          const accountSnapshot = await accountRef.get()
-          const account = docSnapshotToObject(accountSnapshot)
-          return account
-        },
-
-        async unlinkAccount(userId, providerId, providerAccountId) {
-          const snapshot = await client
-            .collection("accounts")
-            .where("userId", "==", userId)
-            .where("providerId", "==", providerId)
-            .where("providerAccountId", "==", providerAccountId)
-            .limit(1)
-            .get()
-
-          const accountId = snapshot.docs[0].id
-
-          await client.collection("accounts").doc(accountId).delete()
-        },
-
-        async createSession(user) {
-          const sessionRef = await client.collection("sessions").add({
-            userId: user.id,
-            expires: new Date(Date.now() + sessionMaxAge),
-            sessionToken: randomBytes(32).toString("hex"),
-            accessToken: randomBytes(32).toString("hex"),
-          })
-          const snapshot = await sessionRef.get()
-          const session = docSnapshotToObject(snapshot)
-          return session
-        },
-
-        async getSession(sessionToken) {
-          const snapshot = await client
-            .collection("sessions")
-            .where("sessionToken", "==", sessionToken)
-            .limit(1)
-            .get()
-
-          const session = querySnapshotToObject<FirebaseSession>(snapshot)
-          if (!session) return null
-
-          // if the session has expired
-          if (session.expires < new Date()) {
-            // delete the session
-            await client.collection("sessions").doc(session.id).delete()
-            return null
-          }
-          // return already existing session
-          return session
-        },
-
-        async updateSession(session, force) {
-          if (
-            !force &&
-            Number(session.expires) - sessionMaxAge + sessionUpdateAge >
-              Date.now()
-          ) {
-            return null
-          }
-
-          // Update the item in the database
-          await client
-            .collection("sessions")
-            .doc(session.id)
-            .update({
-              expires: new Date(Date.now() + sessionMaxAge),
-            })
-
-          return session
-        },
-
-        async deleteSession(sessionToken) {
-          const snapshot = await client
-            .collection("sessions")
-            .where("sessionToken", "==", sessionToken)
-            .limit(1)
-            .get()
-
-          const session = querySnapshotToObject<FirebaseSession>(snapshot)
-          if (!session) return
-
-          await client.collection("sessions").doc(session.id).delete()
-        },
-
-        async createVerificationRequest(identifier, url, token, _, provider) {
-          const verificationRequestRef = await client
-            .collection("verificationRequests")
-            .add({
-              identifier,
-              token: hashToken(token),
-              expires: new Date(Date.now() + provider.maxAge * 1000),
-            })
-
-          // With the verificationCallback on a provider, you can send an email, or queue
-          // an email to be sent, or perform some other action (e.g. send a text message)
-          await provider.sendVerificationRequest({
-            identifier,
-            url,
-            token,
-            baseUrl: appOptions.baseUrl,
-            provider,
-          })
-
-          const snapshot = await verificationRequestRef.get()
-          return docSnapshotToObject<FirebaseVerificationRequest>(snapshot)
-        },
-
-        async getVerificationRequest(identifier, token) {
-          const snapshot = await client
-            .collection("verificationRequests")
-            .where("token", "==", hashToken(token))
-            .where("identifier", "==", identifier)
-            .limit(1)
-            .get()
-
-          const verificationRequest =
-            querySnapshotToObject<FirebaseVerificationRequest>(snapshot)
-          if (!verificationRequest) return null
-
-          if (verificationRequest.expires < new Date()) {
-            // Delete verification entry so it cannot be used again
-            await client
-              .collection("verificationRequests")
-              .doc(verificationRequest.id)
-              .delete()
-            return null
-          }
-          return verificationRequest
-        },
-
-        async deleteVerificationRequest(identifier, token) {
-          const snapshot = await client
-            .collection("verificationRequests")
-            .where("token", "==", hashToken(token))
-            .where("identifier", "==", identifier)
-            .limit(1)
-            .get()
-
-          const verificationRequest =
-            querySnapshotToObject<FirebaseVerificationRequest>(snapshot)
-
-          if (!verificationRequest) return null
-
-          await client
-            .collection("verificationRequests")
-            .doc(verificationRequest.id)
-            .delete()
-        },
+      if (userSnapshot.exists() && Users.converter) {
+        return Users.converter.fromFirestore(userSnapshot)
       }
+
+      throw new Error("[createUser] Failed to create user")
+    },
+    async getUser(id) {
+      const userSnapshot = await getDoc(doc(Users, id))
+
+      if (userSnapshot.exists() && Users.converter) {
+        return Users.converter.fromFirestore(userSnapshot)
+      }
+
+      return null
+    },
+    async getUserByEmail(email) {
+      const userQuery = query(Users, where("email", "==", email), limit(1))
+      const userSnapshots = await getDocs(userQuery)
+      const userSnpashot = userSnapshots.docs[0]
+
+      if (userSnpashot?.exists() && Users.converter) {
+        return Users.converter.fromFirestore(userSnpashot)
+      }
+
+      return null
+    },
+    async getUserByAccount({ provider, providerAccountId }) {
+      const accountQuery = query(
+        Accounts,
+        where("provider", "==", provider),
+        where("providerAccountId", "==", providerAccountId),
+        limit(1)
+      )
+      const accountSnapshots = await getDocs(accountQuery)
+      const accountSnapshot = accountSnapshots.docs[0]
+
+      if (accountSnapshot?.exists()) {
+        const { userId } = accountSnapshot.data()
+        const userDoc = await getDoc(doc(Users, userId))
+
+        if (userDoc.exists() && Users.converter) {
+          return Users.converter.fromFirestore(userDoc)
+        }
+      }
+
+      return null
+    },
+
+    async updateUser(partialUser) {
+      const userRef = doc(Users, partialUser.id)
+
+      await setDoc(userRef, partialUser, { merge: true })
+
+      const userSnapshot = await getDoc(userRef)
+
+      if (userSnapshot.exists() && Users.converter) {
+        return Users.converter.fromFirestore(userSnapshot)
+      }
+
+      throw new Error("[updateUser] Failed to update user")
+    },
+
+    async deleteUser(userId) {
+      const userRef = doc(Users, userId)
+      const accountsQuery = query(Accounts, where("userId", "==", userId))
+      const sessionsQuery = query(Sessions, where("userId", "==", userId))
+
+      // TODO: May be better to use events instead of transactions?
+      await runTransaction(db, async (transaction) => {
+        const accounts = await getDocs(accountsQuery)
+        const sessions = await getDocs(sessionsQuery)
+
+        transaction.delete(userRef)
+        accounts.forEach((account) => transaction.delete(account.ref))
+        sessions.forEach((session) => transaction.delete(session.ref))
+      })
+    },
+
+    async linkAccount(account) {
+      const accountRef = await addDoc(Accounts, account)
+      const accountSnapshot = await getDoc(accountRef)
+
+      if (accountSnapshot.exists() && Accounts.converter) {
+        return Accounts.converter.fromFirestore(accountSnapshot)
+      }
+    },
+
+    async unlinkAccount({ provider, providerAccountId }) {
+      const accountQuery = query(
+        Accounts,
+        where("provider", "==", provider),
+        where("providerAccountId", "==", providerAccountId),
+        limit(1)
+      )
+      const accountSnapshots = await getDocs(accountQuery)
+      const accountSnapshot = accountSnapshots.docs[0]
+
+      if (accountSnapshot?.exists()) {
+        await deleteDoc(accountSnapshot.ref)
+      }
+    },
+
+    async createSession(session) {
+      const sessionRef = await addDoc(Sessions, session)
+      const sessionSnapshot = await getDoc(sessionRef)
+
+      if (sessionSnapshot.exists() && Sessions.converter) {
+        return Sessions.converter.fromFirestore(sessionSnapshot)
+      }
+
+      throw new Error("[createSession] Failed to create session")
+    },
+
+    async getSessionAndUser(sessionToken) {
+      const sessionQuery = query(
+        Sessions,
+        where("sessionToken", "==", sessionToken),
+        limit(1)
+      )
+      const sessionSnapshots = await getDocs(sessionQuery)
+      const sessionSnapshot = sessionSnapshots.docs[0]
+
+      if (sessionSnapshot?.exists() && Sessions.converter) {
+        const session = Sessions.converter.fromFirestore(sessionSnapshot)
+        const userDoc = await getDoc(doc(Users, session.userId))
+
+        if (userDoc.exists() && Users.converter) {
+          const user = Users.converter.fromFirestore(userDoc)
+
+          return { session, user }
+        }
+      }
+
+      return null
+    },
+
+    async updateSession(partialSession) {
+      const sessionQuery = query(
+        Sessions,
+        where("sessionToken", "==", partialSession.sessionToken),
+        limit(1)
+      )
+      const sessionSnapshots = await getDocs(sessionQuery)
+      const sessionSnapshot = sessionSnapshots.docs[0]
+
+      if (sessionSnapshot?.exists()) {
+        await setDoc(sessionSnapshot.ref, partialSession, { merge: true })
+
+        const sessionDoc = await getDoc(sessionSnapshot.ref)
+
+        if (sessionDoc?.exists() && Sessions.converter) {
+          const session = Sessions.converter.fromFirestore(sessionDoc)
+
+          return session
+        }
+      }
+
+      return null
+    },
+
+    async deleteSession(sessionToken) {
+      const sessionQuery = query(
+        Sessions,
+        where("sessionToken", "==", sessionToken),
+        limit(1)
+      )
+      const sessionSnapshots = await getDocs(sessionQuery)
+      const sessionSnapshot = sessionSnapshots.docs[0]
+
+      if (sessionSnapshot?.exists()) {
+        await deleteDoc(sessionSnapshot.ref)
+      }
+    },
+
+    async createVerificationToken(verificationToken) {
+      const verificationTokenRef = await addDoc(
+        VerificationTokens,
+        verificationToken
+      )
+      const verificationTokenSnapshot = await getDoc(verificationTokenRef)
+
+      if (verificationTokenSnapshot.exists() && VerificationTokens.converter) {
+        const {
+          id,
+          ...verificationToken
+        } = VerificationTokens.converter.fromFirestore(
+          verificationTokenSnapshot
+        )
+
+        return verificationToken
+      }
+    },
+
+    async useVerificationToken({ identifier, token }) {
+      const verificationTokensQuery = query(
+        VerificationTokens,
+        where("identifier", "==", identifier),
+        where("token", "==", token),
+        limit(1)
+      )
+      const verificationTokenSnapshots = await getDocs(verificationTokensQuery)
+      const verificationTokenSnapshot = verificationTokenSnapshots.docs[0]
+
+      if (verificationTokenSnapshot?.exists() && VerificationTokens.converter) {
+        await deleteDoc(verificationTokenSnapshot.ref)
+
+        const {
+          id,
+          ...verificationToken
+        } = VerificationTokens.converter.fromFirestore(
+          verificationTokenSnapshot
+        )
+
+        return verificationToken
+      }
+
+      return null
     },
   }
 }

packages/adapter-firebase/src/utils.ts

@@ -1,40 +0,0 @@
-import type firebase from "firebase"
-
-/**
- * Takes in a snapshot and returns all of its `data()`,
- * as well as `id` and `createdAt` and `updatedAt` `Date`
- */
-export function docSnapshotToObject<T>(
-  snapshot: firebase.firestore.DocumentSnapshot<firebase.firestore.DocumentData>
-): T | null {
-  if (!snapshot.exists) {
-    return null
-  }
-  const data: any = snapshot.data()
-  if (data.expires) {
-    data.expires = data.expires.toDate()
-  }
-  return { id: snapshot.id, ...data }
-}
-
-export function querySnapshotToObject<T>(
-  snapshot: firebase.firestore.QuerySnapshot<firebase.firestore.DocumentData>
-): T | null {
-  if (snapshot.empty) {
-    return null
-  }
-  const doc = snapshot.docs[0]
-
-  const data: any = doc.data()
-  if (data.expires) {
-    data.expires = data.expires.toDate()
-  }
-  return { id: doc.id, ...data }
-}
-
-/** Firebase does not like `undefined` values */
-export function stripUndefined(obj: any) {
-  return Object.fromEntries(
-    Object.entries(obj).filter(([, value]) => typeof value !== "undefined")
-  )
-}

packages/adapter-firebase/tests/index.test.ts

@@ -1,67 +1,77 @@
 import { runBasicTests } from "@next-auth/adapter-test"
-import { FirebaseAdapter } from "../src"
-import { docSnapshotToObject, querySnapshotToObject } from "../src/utils"
+import { FirestoreAdapter } from "../src"
 
-import firebase from "firebase/app"
-import "firebase/firestore"
+import { getFirestore, connectFirestoreEmulator, terminate, collection, query, where, limit, getDocs, getDoc, doc } from "firebase/firestore"
+import { initializeApp } from "firebase/app";
+import { getConverter } from "../src/converter";
+import type { AdapterSession, AdapterUser, VerificationToken } from "next-auth/adapters";
+import type { Account } from "next-auth";
 
-const firestore = (
-  firebase.apps[0] ?? firebase.initializeApp({ projectId: "next-auth-test" })
-).firestore()
-firestore.useEmulator("localhost", 8080)
+const app = initializeApp({ projectId: "next-auth-test" });
+const firestore = getFirestore(app);
+
+connectFirestoreEmulator(firestore, 'localhost', 8080);
+
+type IndexableObject = Record<string, unknown>;
+
+const Users = collection(firestore, 'users').withConverter(getConverter<AdapterUser>());
+const Sessions = collection(firestore, 'sessions').withConverter(getConverter<AdapterSession & IndexableObject>());
+const Accounts = collection(firestore, 'accounts').withConverter(getConverter<Account>());
+const VerificationTokens = collection(firestore, 'verificationTokens').withConverter(getConverter<VerificationToken & IndexableObject>({ excludeId: true }));
 
 runBasicTests({
-  adapter: FirebaseAdapter(firestore),
+  adapter: FirestoreAdapter({ projectId: "next-auth-test" }),
   db: {
     async disconnect() {
-      await firestore.terminate()
+      await terminate(firestore);
     },
     async session(sessionToken) {
-      const snapshot = await firestore
-        .collection("sessions")
-        .where("sessionToken", "==", sessionToken)
-        .limit(1)
-        .get()
-      return querySnapshotToObject(snapshot)
-    },
-    async expireSession(sessionToken, expires) {
-      const snapshot = await firestore
-        .collection("sessions")
-        .where("sessionToken", "==", sessionToken)
-        .limit(1)
-        .get()
+      const snapshotQuery = query(Sessions, where("sessionToken", "==", sessionToken), limit(1));
+      const snapshots = await getDocs(snapshotQuery);
+      const snapshot = snapshots.docs[0];
 
-      if (snapshot.empty) {
-        console.error(sessionToken, expires)
-        throw new Error("Could not expire session")
+      if (snapshot?.exists() && Sessions.converter) {
+        const session = Sessions.converter.fromFirestore(snapshot);
+
+        return session;
       }
 
-      return await firestore
-        .collection("sessions")
-        .doc(snapshot.docs[0].id)
-        .update({ expires })
+      return null;
     },
     async user(id) {
-      const snapshot = await firestore.collection("users").doc(id).get()
-      return docSnapshotToObject(snapshot)
+      const snapshot = await getDoc(doc(Users, id));
+
+      if (snapshot?.exists() && Users.converter) {
+        const user = Users.converter.fromFirestore(snapshot);
+
+        return user;
+      }
+
+      return null;
     },
-    async account(providerId, providerAccountId) {
-      const snapshot = await firestore
-        .collection("accounts")
-        .where("providerId", "==", providerId)
-        .where("providerAccountId", "==", providerAccountId)
-        .limit(1)
-        .get()
-      return querySnapshotToObject(snapshot)
+    async account({ provider, providerAccountId }) {
+      const snapshotQuery = query(Accounts, where("provider", "==", provider), where("providerAccountId", "==", providerAccountId), limit(1));
+      const snapshots = await getDocs(snapshotQuery);
+      const snapshot = snapshots.docs[0];
+
+      if (snapshot?.exists() && Accounts.converter) {
+        const account = Accounts.converter.fromFirestore(snapshot);
+
+        return account;
+      }
+
+      return null;
     },
-    async verificationRequest(identifier, token) {
-      const snapshot = await firestore
-        .collection("verificationRequests")
-        .where("identifier", "==", identifier)
-        .where("token", "==", token)
-        .limit(1)
-        .get()
-      return querySnapshotToObject(snapshot)
+    async verificationToken({ identifier, token }) {
+      const snapshotQuery = query(VerificationTokens, where("identifier", "==", identifier), where("token", "==", token), limit(1));
+      const snapshots = await getDocs(snapshotQuery);
+      const snapshot = snapshots.docs[0];
+
+      if (snapshot?.exists() && VerificationTokens.converter) {
+        const verificationToken = VerificationTokens.converter.fromFirestore(snapshot);
+
+        return verificationToken;
+      }
     },
   },
 })

packages/adapter-firebase/tsconfig.json

@@ -1,8 +1,10 @@
 {
-  "extends": "@next-auth/tsconfig/base.json",
+  "extends": "@next-auth/tsconfig/adapters.json",
   "compilerOptions": {
     "rootDir": "src",
-    "outDir": "dist"
+    "outDir": "dist",
+    "strict": true,
+    "noUncheckedIndexedAccess": true
   },
   "exclude": ["tests", "dist", "jest.config.js"]
 }

packages/adapter-mikro-orm/package.json

@@ -33,17 +33,21 @@
   ],
   "peerDependencies": {
     "@mikro-orm/core": "^5.0.2",
-    "next-auth": "workspace:*"
+    "next-auth": "^4"
   },
   "devDependencies": {
     "@mikro-orm/core": "^5.0.2",
     "@mikro-orm/sqlite": "^5.0.2",
     "@next-auth/adapter-test": "workspace:^0.0.0",
     "@next-auth/tsconfig": "workspace:^0.0.0",
+    "@types/uuid": "^8.3.3",
     "jest": "^27.4.3",
     "next-auth": "workspace:*"
   },
   "jest": {
     "preset": "@next-auth/adapter-test/jest"
+  },
+  "dependencies": {
+    "uuid": "^8.3.2"
   }
 }

packages/adapter-sequelize/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@next-auth/sequelize-adapter",
-  "version": "1.0.4",
+  "version": "1.0.5",
   "description": "Sequelize adapter for next-auth.",
   "homepage": "https://next-auth.js.org",
   "repository": "https://github.com/nextauthjs/next-auth",
@@ -29,7 +29,7 @@
     "dist"
   ],
   "peerDependencies": {
-    "next-auth": "workspace:*",
+    "next-auth": "^4",
     "sequelize": "^6.6.5"
   },
   "devDependencies": {

packages/adapter-test/jest/jest-preset.js

@@ -1,7 +1,13 @@
+const swcConfig = {
+  jsc: {
+    parser: { syntax: "typescript", decorators: true },
+    transform: { legacyDecorator: true, decoratorMetadata: true },
+  },
+}
 module.exports = {
   transform: {
-    ".(ts|tsx)$": "@swc/jest",
-    ".(js|jsx)$": "@swc/jest", // jest's default
+    ".(ts|tsx)$": ["@swc/jest", swcConfig],
+    ".(js|jsx)$": ["@swc/jest", swcConfig],
   },
   transformIgnorePatterns: ["[/\\\\]node_modules[/\\\\].+\\.(js|jsx)$"],
   moduleFileExtensions: ["ts", "tsx", "js", "jsx", "json", "node"],

packages/adapter-typeorm-legacy/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@next-auth/typeorm-legacy-adapter",
-  "version": "1.0.3",
+  "version": "2.0.0",
   "description": "TypeORM (legacy) adapter for next-auth.",
   "homepage": "https://next-auth.js.org",
   "repository": "https://github.com/nextauthjs/next-auth",
@@ -37,24 +37,25 @@
     "sqlite": "tests/sqlite/test.sh"
   },
   "devDependencies": {
-    "@next-auth/adapter-test": "workspace:^0.0.0",
-    "@next-auth/tsconfig": "workspace:^0.0.0",
+    "@next-auth/adapter-test": "workspace:*",
+    "@next-auth/tsconfig": "workspace:*",
     "jest": "^27.4.3",
     "mssql": "^7.2.1",
     "mysql": "^2.18.1",
     "next-auth": "workspace:*",
-    "pg": "^8.7.1",
-    "sqlite3": "^5.0.2",
-    "typeorm": "^0.2.37",
-    "typeorm-naming-strategies": "^2.0.0"
+    "pg": "^8.7.3",
+    "sqlite3": "^5.0.8",
+    "typeorm": "0.3.7",
+    "typeorm-naming-strategies": "^4.1.0",
+    "typescript": "^4.7.4"
   },
   "peerDependencies": {
     "mssql": "^6.2.1 || 7",
     "mysql": "^2.18.1",
-    "next-auth": "workspace:*",
+    "next-auth": "^4",
     "pg": "^8.2.1",
     "sqlite3": "^5.0.2",
-    "typeorm": "^0.2.31"
+    "typeorm": "0.3.7"
   },
   "peerDependenciesMeta": {
     "mysql": {

packages/adapter-typeorm-legacy/src/index.ts

@@ -1,13 +1,8 @@
-import { Adapter, AdapterSession, AdapterUser } from "next-auth/adapters"
-import {
-  Connection,
-  ConnectionOptions,
-  EntityManager,
-  getConnectionManager,
-} from "typeorm"
-import { Account } from "next-auth"
+import type { Adapter, AdapterSession, AdapterUser } from "next-auth/adapters"
+import { DataSourceOptions, DataSource, EntityManager } from "typeorm"
+import type { Account } from "next-auth"
 import * as defaultEntities from "./entities"
-import { parseConnectionConfig, updateConnectionEntities } from "./utils"
+import { parseDataSourceConfig, updateConnectionEntities } from "./utils"
 
 export const entities = defaultEntities
 
@@ -17,43 +12,40 @@ export interface TypeORMLegacyAdapterOptions {
   entities?: Entities
 }
 
-let _connection: Connection
+let _dataSource: DataSource | undefined
 
 export async function getManager(options: {
-  connection: string | ConnectionOptions
+  dataSource: string | DataSourceOptions
   entities: Entities
 }): Promise<EntityManager> {
-  const { connection, entities } = options
+  const { dataSource, entities } = options
 
   const config = {
-    ...parseConnectionConfig(connection),
+    ...parseDataSourceConfig(dataSource),
     entities: Object.values(entities),
   }
 
-  const connectionManager = getConnectionManager()
+  if (!_dataSource) _dataSource = new DataSource(config)
 
-  if (connectionManager.has(config.name ?? "default")) {
-    _connection = connectionManager.get(config.name ?? "default")
+  const manager = _dataSource?.manager
 
-    if (_connection.isConnected) return _connection.manager
-
-    if (process.env.NODE_ENV !== "production") {
-      await updateConnectionEntities(_connection, config.entities)
-    }
-  } else {
-    _connection = await connectionManager.create(config).connect()
+  if (!manager.connection.isInitialized) {
+    await manager.connection.initialize()
   }
 
-  return _connection.manager
+  if (process.env.NODE_ENV !== "production") {
+    await updateConnectionEntities(_dataSource, config.entities)
+  }
+  return manager
 }
 
 export function TypeORMLegacyAdapter(
-  connection: string | ConnectionOptions,
+  dataSource: string | DataSourceOptions,
   options?: TypeORMLegacyAdapterOptions
 ): Adapter {
   const entities = options?.entities
   const c = {
-    connection,
+    dataSource,
     entities: {
       UserEntity: entities?.UserEntity ?? defaultEntities.UserEntity,
       SessionEntity: entities?.SessionEntity ?? defaultEntities.SessionEntity,
@@ -82,14 +74,14 @@ export function TypeORMLegacyAdapter(
     // @ts-expect-error
     async getUser(id) {
       const m = await getManager(c)
-      const user = await m.findOne("UserEntity", { id })
+      const user = await m.findOne("UserEntity", { where: { id } })
       if (!user) return null
       return { ...user }
     },
     // @ts-expect-error
     async getUserByEmail(email) {
       const m = await getManager(c)
-      const user = await m.findOne("UserEntity", { email })
+      const user = await m.findOne("UserEntity", { where: { email } })
       if (!user) return null
       return { ...user }
     },
@@ -97,8 +89,7 @@ export function TypeORMLegacyAdapter(
       const m = await getManager(c)
       const account = await m.findOne<Account & { user: AdapterUser }>(
         "AccountEntity",
-        provider_providerAccountId,
-        { relations: ["user"] }
+        { where: provider_providerAccountId, relations: ["user"] }
       )
       if (!account) return null
       return account.user ?? null
@@ -136,7 +127,7 @@ export function TypeORMLegacyAdapter(
       const m = await getManager(c)
       const sessionAndUser = await m.findOne<
         AdapterSession & { user: AdapterUser }
-      >("SessionEntity", { sessionToken }, { relations: ["user"] })
+      >("SessionEntity", { where: { sessionToken }, relations: ["user"] })
 
       if (!sessionAndUser) return null
       const { user, ...session } = sessionAndUser
@@ -162,10 +153,9 @@ export function TypeORMLegacyAdapter(
     // @ts-expect-error
     async useVerificationToken(identifier_token) {
       const m = await getManager(c)
-      const verificationToken = await m.findOne(
-        "VerificationTokenEntity",
-        identifier_token
-      )
+      const verificationToken = await m.findOne("VerificationTokenEntity", {
+        where: identifier_token,
+      })
       if (!verificationToken) {
         return null
       }

packages/adapter-typeorm-legacy/src/utils.ts

@@ -1,10 +1,10 @@
-import { Connection, ConnectionOptions } from "typeorm"
+import type { DataSource, DataSourceOptions } from "typeorm"
 import * as defaultEntities from "./entities"
 
 /** Ensure configOrString is normalized to an object. */
-export function parseConnectionConfig(
-  configOrString: string | ConnectionOptions
-): ConnectionOptions {
+export function parseDataSourceConfig(
+  configOrString: string | DataSourceOptions
+): DataSourceOptions {
   if (typeof configOrString !== "string") {
     return {
       ...configOrString,
@@ -89,22 +89,22 @@ function entitiesChanged(
 }
 
 export async function updateConnectionEntities(
-  connection: Connection,
+  dataSource: DataSource,
   entities: any[]
 ) {
-  if (!entitiesChanged(connection.options.entities, entities)) return
+  if (!entitiesChanged(dataSource.entityMetadatas, entities)) return
 
   // @ts-expect-error
-  connection.options.entities = entities
+  dataSource.entityMetadatas = entities
 
   // @ts-expect-error
-  connection.buildMetadatas()
+  dataSource.buildMetadatas()
 
-  if (connection.options.synchronize !== false) {
+  if (dataSource.options.synchronize !== false) {
     console.warn(
       "[next-auth][warn][adapter_typeorm_updating_entities]",
       "\nhttps://next-auth.js.org/warnings#adapter_typeorm_updating_entities"
     )
-    await connection.synchronize()
+    await dataSource.synchronize()
   }
 }

packages/adapter-typeorm-legacy/tests/helpers.ts

@@ -1,46 +1,49 @@
-import { ConnectionManager, ConnectionOptions } from "typeorm"
-import { TestOptions } from "@next-auth/adapter-test"
+import { DataSource } from "typeorm"
+import type { DataSourceOptions } from "typeorm"
+import type { TestOptions } from "@next-auth/adapter-test"
 import * as defaultEntities from "../src/entities"
-import { parseConnectionConfig } from "../src/utils"
+import { parseDataSourceConfig } from "../src/utils"
 
 export { defaultEntities }
 
+console.warn = jest.fn()
+
 /** Set up Test Database */
 export function db(
-  config: string | ConnectionOptions,
+  config: string | DataSourceOptions,
   entities: typeof defaultEntities = defaultEntities
 ): TestOptions["db"] {
-  const connection = new ConnectionManager().create({
-    ...parseConnectionConfig(config),
+  const connection = new DataSource({
+    ...parseDataSourceConfig(config),
     entities: Object.values(entities),
-  })
+  }).manager.connection
 
   const m = connection.manager
   return {
-    connect: async () => await connection.connect(),
-    disconnect: async () => await connection.close(),
+    connect: async () => await connection.initialize(),
+    disconnect: async () => await connection.destroy(),
     async user(id) {
-      const user = await m.findOne(entities.UserEntity, id)
+      const user = await m.findOne(entities.UserEntity, { where: { id } })
       return user ?? null
     },
     async account(provider_providerAccountId) {
-      const account = await m.findOne(
-        entities.AccountEntity,
-        provider_providerAccountId
-      )
+      const account = await m.findOne(entities.AccountEntity, {
+        where: provider_providerAccountId,
+      })
       return account ?? null
     },
     async session(sessionToken) {
-      const session = await m.findOne(entities.SessionEntity, { sessionToken })
+      const session = await m.findOne(entities.SessionEntity, {
+        where: { sessionToken },
+      })
       return session ?? null
     },
     async verificationToken(token_identifier) {
       const verificationToken = await m.findOne(
         entities.VerificationTokenEntity,
-        token_identifier
+        { where: token_identifier }
       )
       if (!verificationToken) return null
-      // @ts-expect-error
       const { id: _, ...rest } = verificationToken
       return rest
     },

packages/adapter-typeorm-legacy/tests/index.test.ts

@@ -1,11 +1,9 @@
-// eslint-disable-next-line @typescript-eslint/prefer-ts-expect-error
-// @ts-ignore
-import { parseConnectionString } from "../src/lib/config"
+import { parseDataSourceConfig } from "../src/utils"
 
 const connectionString = "mysql://root:password@localhost:3306/next-auth"
 
 test("could parse connection string", () => {
-  expect(parseConnectionString(connectionString)).toEqual(
+  expect(parseDataSourceConfig(connectionString)).toEqual(
     expect.objectContaining({
       type: "mysql",
       host: "localhost",

packages/adapter-typeorm-legacy/tests/sqlite/index.test.ts

@@ -3,9 +3,9 @@ import { TypeORMLegacyAdapter } from "../../src"
 import { db } from "../helpers"
 import { SnakeNamingStrategy } from "typeorm-naming-strategies"
 
-import type { ConnectionOptions } from "typeorm"
+import type { DataSourceOptions } from "typeorm"
 
-const sqliteConfig: ConnectionOptions = {
+const sqliteConfig: DataSourceOptions = {
   type: "sqlite" as const,
   name: "next-auth-test-memory",
   database: "./tests/sqlite/dev.db",

packages/next-auth/README.md

@@ -166,6 +166,10 @@ export default function App({
 }
 ```
 
+## Security
+
+If you think you have found a vulnerability (or not sure) in NextAuth.js or any of the related packages (i.e. Adapters), we ask you to have a read of our [Security Policy](https://github.com/nextauthjs/next-auth/blob/main/SECURITY.md) to reach out responsibly. Please do not open Pull Requests/Issues/Discussions before consulting with us.
+
 ## Acknowledgments
 
 [NextAuth.js is made possible thanks to all of its contributors.](https://next-auth.js.org/contributors)

packages/next-auth/package.json

@@ -1,6 +1,6 @@
 {
   "name": "next-auth",
-  "version": "4.6.1",
+  "version": "4.10.0",
   "description": "Authentication for Next.js",
   "homepage": "https://next-auth.js.org",
   "repository": "https://github.com/nextauthjs/next-auth.git",
@@ -107,8 +107,8 @@
     "@types/node": "^17.0.42",
     "@types/nodemailer": "^6.4.4",
     "@types/oauth": "^0.9.1",
-    "@types/react": "^18.0.2",
-    "@types/react-dom": "^18.0.5",
+    "@types/react": "^18.0.15",
+    "@types/react-dom": "^18.0.6",
     "autoprefixer": "^10.4.7",
     "babel-plugin-jsx-pragmatic": "^1.0.2",
     "babel-preset-preact": "^2.0.0",
@@ -117,7 +117,7 @@
     "jest-environment-jsdom": "^28.1.1",
     "jest-watch-typeahead": "^1.1.0",
     "msw": "^0.42.3",
-    "next": "12.1.7-canary.51",
+    "next": "12.2.0",
     "postcss": "^8.4.14",
     "postcss-cli": "^9.1.0",
     "postcss-nested": "^5.0.6",

packages/next-auth/src/core/index.ts

@@ -9,6 +9,7 @@ import { SessionStore } from "./lib/cookie"
 import type { NextAuthAction, NextAuthOptions } from "./types"
 import type { Cookie } from "./lib/cookie"
 import type { ErrorType } from "./pages/error"
+import { parse as parseCookie } from "cookie"
 
 export interface RequestInternal {
   /** @default "http://localhost:3000" */
@@ -68,7 +69,7 @@ async function toInternalRequest(
       method: req.method,
       headers,
       body: await getBody(req),
-      cookies: {},
+      cookies: parseCookie(req.headers.get("cookie") ?? ""),
       providerId: nextauth[1],
       error: url.searchParams.get("error") ?? nextauth[1],
       host: detectHost(headers["x-forwarded-host"] ?? headers.host),

packages/next-auth/src/core/init.ts

@@ -62,6 +62,7 @@ export async function init({
       colorScheme: "auto",
       logo: "",
       brandColor: "",
+      buttonText: "",
     },
     // Custom options override defaults
     ...userOptions,

packages/next-auth/src/core/lib/email/signin.ts

@@ -10,7 +10,7 @@ export default async function email(
   identifier: string,
   options: InternalOptions<"email">
 ) {
-  const { url, adapter, provider, logger, callbackUrl } = options
+  const { url, adapter, provider, logger, callbackUrl, theme } = options
 
   // Generate token
   const token =
@@ -42,6 +42,7 @@ export default async function email(
       expires,
       url: _url,
       provider,
+      theme,
     })
   } catch (error) {
     logger.error("SEND_VERIFICATION_EMAIL_ERROR", {

packages/next-auth/src/core/routes/signin.ts

@@ -30,12 +30,16 @@ export default async function signin(params: {
       return { redirect: `${url}/error?error=OAuthSignin` }
     }
   } else if (provider.type === "email") {
-    // Note: Technically the part of the email address local mailbox element
-    // (everything before the @ symbol) should be treated as 'case sensitive'
-    // according to RFC 2821, but in practice this causes more problems than
-    // it solves. We treat email addresses as all lower case. If anyone
-    // complains about this we can make strict RFC 2821 compliance an option.
-    const email = body?.email?.toLowerCase() ?? null
+    /**
+     * @note Technically the part of the email address local mailbox element
+     * (everything before the @ symbol) should be treated as 'case sensitive'
+     * according to RFC 2821, but in practice this causes more problems than
+     * it solves. We treat email addresses as all lower case. If anyone
+     * complains about this we can make strict RFC 2821 compliance an option.
+     */
+    const email = body?.email?.toLowerCase()
+
+    if (!email) return { redirect: `${url}/error?error=EmailSignin` }
 
     // Verified in `assertConfig`
     // eslint-disable-next-line @typescript-eslint/no-non-null-assertion

packages/next-auth/src/core/types.ts

@@ -214,9 +214,10 @@ export interface NextAuthOptions {
  * [Pages](https://next-auth.js.org/configuration/pages)
  */
 export interface Theme {
-  colorScheme: "auto" | "dark" | "light"
+  colorScheme?: "auto" | "dark" | "light"
   logo?: string
   brandColor?: string
+  buttonText?: string
 }
 
 /**

packages/next-auth/src/next/index.ts

@@ -83,20 +83,28 @@ function NextAuth(
 
 export default NextAuth
 
+let experimentalWarningShown = false
 export async function unstable_getServerSession(
   ...args:
-    | [GetServerSidePropsContext['req'], GetServerSidePropsContext['res'], NextAuthOptions]
+    | [
+        GetServerSidePropsContext["req"],
+        GetServerSidePropsContext["res"],
+        NextAuthOptions
+      ]
     | [NextApiRequest, NextApiResponse, NextAuthOptions]
 ): Promise<Session | null> {
-  console.warn(
-    "[next-auth][warn][EXPERIMENTAL_API]",
-    "\n`unstable_getServerSession` is experimental and may be removed or changed in the future, as the name suggested.",
-    `\nhttps://next-auth.js.org/configuration/nextjs#unstable_getServerSession}`,
-    `\nhttps://next-auth.js.org/warnings#EXPERIMENTAL_API`
+  if (!experimentalWarningShown && process.env.NODE_ENV !== "production") {
+    console.warn(
+      "[next-auth][warn][EXPERIMENTAL_API]",
+      "\n`unstable_getServerSession` is experimental and may be removed or changed in the future, as the name suggested.",
+      `\nhttps://next-auth.js.org/configuration/nextjs#unstable_getServerSession}`,
+      `\nhttps://next-auth.js.org/warnings#EXPERIMENTAL_API`
     )
+    experimentalWarningShown = true
+  }
+
+  const [req, res, options] = args
 
-  const [req, res, options] = args;
-  
   options.secret = options.secret ?? process.env.NEXTAUTH_SECRET
 
   const session = await NextAuthHandler<Session | {}>({

packages/next-auth/src/next/middleware.ts

@@ -84,6 +84,12 @@ export interface NextAuthMiddlewareOptions {
      */
     authorized?: AuthorizedCallback
   }
+
+  /**
+   * The same `secret` used in the `NextAuth` configuration.
+   * Defaults to the `NEXTAUTH_SECRET` environment variable.
+   */
+  secret?: string
 }
 
 async function handleMiddleware(
@@ -102,7 +108,8 @@ async function handleMiddleware(
     return
   }
 
-  if (!process.env.NEXTAUTH_SECRET) {
+  const secret = options?.secret ?? process.env.NEXTAUTH_SECRET
+  if (!secret) {
     console.error(
       `[next-auth][error][NO_SECRET]`,
       `\nhttps://next-auth.js.org/errors#no_secret`
@@ -118,6 +125,7 @@ async function handleMiddleware(
     req,
     decode: options?.jwt?.decode,
     cookieName: options?.cookies?.sessionToken?.name,
+    secret,
   })
 
   const isAuthorized =

packages/next-auth/src/providers/azure-ad.ts

@@ -2,7 +2,7 @@ import type { OAuthConfig, OAuthUserConfig } from "."
 
 export interface AzureADProfile extends Record<string, any> {
   sub: string
-  nicname: string
+  nickname: string
   email: string
   picture: string
 }

packages/next-auth/src/providers/duende-identity-server6.ts

@@ -0,0 +1,31 @@
+import type { OAuthConfig, OAuthUserConfig } from "./oauth"
+
+export interface DuendeISUser extends Record<string, any> {
+  email: string
+  id: string
+  name: string
+  verified: boolean
+}
+
+export default function DuendeIdentityServer6<P extends DuendeISUser>(
+  options: OAuthUserConfig<P>
+): OAuthConfig<P> {
+  return {
+    id: "duende-identityserver6",
+    name: "DuendeIdentityServer6",
+    type: "oauth",
+    wellKnown: `${options.issuer}/.well-known/openid-configuration`,
+    authorization: { params: { scope: "openid profile email" } },
+    checks: ["pkce", "state"],
+    idToken: true,
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email,
+        image: null,
+      }
+    },
+    options,
+  }
+}

packages/next-auth/src/providers/email.ts

@@ -1,13 +1,23 @@
 import { createTransport } from "nodemailer"
 
 import type { CommonProviderOptions } from "."
-import type { Options as SMTPConnectionOptions } from "nodemailer/lib/smtp-connection"
+import type { Options as SMTPTransportOptions } from "nodemailer/lib/smtp-transport"
 import type { Awaitable } from ".."
+import type { Theme } from "../core/types"
+
+export interface SendVerificationRequestParams {
+  identifier: string
+  url: string
+  expires: Date
+  provider: EmailConfig
+  token: string
+  theme: Theme
+}
 
 export interface EmailConfig extends CommonProviderOptions {
   type: "email"
   // TODO: Make use of https://www.typescriptlang.org/docs/handbook/2/template-literal-types.html
-  server: string | SMTPConnectionOptions
+  server: string | SMTPTransportOptions
   /** @default "NextAuth <no-reply@example.com>" */
   from?: string
   /**
@@ -16,13 +26,10 @@ export interface EmailConfig extends CommonProviderOptions {
    * @default 86400
    */
   maxAge?: number
-  sendVerificationRequest: (params: {
-    identifier: string
-    url: string
-    expires: Date
-    provider: EmailConfig
-    token: string
-  }) => Awaitable<void>
+  /** [Documentation](https://next-auth.js.org/providers/email#customizing-emails) */
+  sendVerificationRequest: (
+    params: SendVerificationRequestParams
+  ) => Awaitable<void>
   /**
    * By default, we are generating a random verification token.
    * You can make it predictable or modify it as you like with this method.
@@ -56,78 +63,81 @@ export default function Email(options: EmailUserConfig): EmailConfig {
     type: "email",
     name: "Email",
     // Server can be an SMTP connection string or a nodemailer config object
-    server: {
-      host: "localhost",
-      port: 25,
-      auth: {
-        user: "",
-        pass: "",
-      },
-    },
+    server: { host: "localhost", port: 25, auth: { user: "", pass: "" } },
     from: "NextAuth <no-reply@example.com>",
     maxAge: 24 * 60 * 60,
-    async sendVerificationRequest({
-      identifier: email,
-      url,
-      provider: { server, from },
-    }) {
+    async sendVerificationRequest(params) {
+      const { identifier, url, provider, theme } = params
       const { host } = new URL(url)
-      const transport = createTransport(server)
-      await transport.sendMail({
-        to: email,
-        from,
+      const transport = createTransport(provider.server)
+      const result = await transport.sendMail({
+        to: identifier,
+        from: provider.from,
         subject: `Sign in to ${host}`,
         text: text({ url, host }),
-        html: html({ url, host, email }),
+        html: html({ url, host, theme }),
       })
+      const failed = result.rejected.concat(result.pending).filter(Boolean)
+      if (failed.length) {
+        throw new Error(`Email(s) (${failed.join(", ")}) could not be sent`)
+      }
     },
     options,
   }
 }
 
-// Email HTML body
-function html({ url, host, email }: Record<"url" | "host" | "email", string>) {
-  // Insert invisible space into domains and email address to prevent both the
-  // email address and the domain from being turned into a hyperlink by email
-  // clients like Outlook and Apple mail, as this is confusing because it seems
-  // like they are supposed to click on their email address to sign in.
-  const escapedEmail = `${email.replace(/\./g, "&#8203;.")}`
-  const escapedHost = `${host.replace(/\./g, "&#8203;.")}`
+/**
+ * Email HTML body
+ * Insert invisible space into domains from being turned into a hyperlink by email
+ * clients like Outlook and Apple mail, as this is confusing because it seems
+ * like they are supposed to click on it to sign in.
+ *
+ * @note We don't add the email address to avoid needing to escape it, if you do, remember to sanitize it!
+ */
+function html(params: { url: string; host: string; theme: Theme }) {
+  const { url, host, theme } = params
 
-  // Some simple styling options
-  const backgroundColor = "#f9f9f9"
-  const textColor = "#444444"
-  const mainBackgroundColor = "#ffffff"
-  const buttonBackgroundColor = "#346df1"
-  const buttonBorderColor = "#346df1"
-  const buttonTextColor = "#ffffff"
+  const escapedHost = host.replace(/\./g, "&#8203;.")
+
+  // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing
+  const brandColor = theme.brandColor || "#346df1"
+  // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing
+  const buttonText = theme.buttonText || "#fff"
+
+  const color = {
+    background: "#f9f9f9",
+    text: "#444",
+    mainBackground: "#fff",
+    buttonBackground: brandColor,
+    buttonBorder: brandColor,
+    buttonText,
+  }
 
   return `
-<body style="background: ${backgroundColor};">
-  <table width="100%" border="0" cellspacing="0" cellpadding="0">
+<body style="background: ${color.background};">
+  <table width="100%" border="0" cellspacing="20" cellpadding="0"
+    style="background: ${color.mainBackground}; max-width: 600px; margin: auto; border-radius: 10px;">
     <tr>
-      <td align="center" style="padding: 10px 0px 20px 0px; font-size: 22px; font-family: Helvetica, Arial, sans-serif; color: ${textColor};">
-        <strong>${escapedHost}</strong>
-      </td>
-    </tr>
-  </table>
-  <table width="100%" border="0" cellspacing="20" cellpadding="0" style="background: ${mainBackgroundColor}; max-width: 600px; margin: auto; border-radius: 10px;">
-    <tr>
-      <td align="center" style="padding: 10px 0px 0px 0px; font-size: 18px; font-family: Helvetica, Arial, sans-serif; color: ${textColor};">
-        Sign in as <strong>${escapedEmail}</strong>
+      <td align="center"
+        style="padding: 10px 0px; font-size: 22px; font-family: Helvetica, Arial, sans-serif; color: ${color.text};">
+        Sign in to <strong>${escapedHost}</strong>
       </td>
     </tr>
     <tr>
       <td align="center" style="padding: 20px 0;">
         <table border="0" cellspacing="0" cellpadding="0">
           <tr>
-            <td align="center" style="border-radius: 5px;" bgcolor="${buttonBackgroundColor}"><a href="${url}" target="_blank" style="font-size: 18px; font-family: Helvetica, Arial, sans-serif; color: ${buttonTextColor}; text-decoration: none; border-radius: 5px; padding: 10px 20px; border: 1px solid ${buttonBorderColor}; display: inline-block; font-weight: bold;">Sign in</a></td>
+            <td align="center" style="border-radius: 5px;" bgcolor="${color.buttonBackground}"><a href="${url}"
+                target="_blank"
+                style="font-size: 18px; font-family: Helvetica, Arial, sans-serif; color: ${color.buttonText}; text-decoration: none; border-radius: 5px; padding: 10px 20px; border: 1px solid ${color.buttonBorder}; display: inline-block; font-weight: bold;">Sign
+                in</a></td>
           </tr>
         </table>
       </td>
     </tr>
     <tr>
-      <td align="center" style="padding: 0px 0px 10px 0px; font-size: 16px; line-height: 22px; font-family: Helvetica, Arial, sans-serif; color: ${textColor};">
+      <td align="center"
+        style="padding: 0px 0px 10px 0px; font-size: 16px; line-height: 22px; font-family: Helvetica, Arial, sans-serif; color: ${color.text};">
         If you did not request this email you can safely ignore it.
       </td>
     </tr>
@@ -136,7 +146,7 @@ function html({ url, host, email }: Record<"url" | "host" | "email", string>) {
 `
 }
 
-// Email Text body (fallback for email clients that don't render HTML, e.g. feature phones)
-function text({ url, host }: Record<"url" | "host", string>) {
+/** Email Text body (fallback for email clients that don't render HTML, e.g. feature phones) */
+function text({ url, host }: { url: string; host: string }) {
   return `Sign in to ${host}\n${url}\n\n`
 }

packages/next-auth/src/providers/github.js

@@ -1,44 +0,0 @@
-/** @type {import(".").OAuthProvider} */
-export default function GitHub(options) {
-  return {
-    id: "github",
-    name: "GitHub",
-    type: "oauth",
-    authorization: "https://github.com/login/oauth/authorize?scope=read:user+user:email",
-    token: "https://github.com/login/oauth/access_token",
-    userinfo: {
-      url: "https://api.github.com/user",
-      async request({ client, tokens }) {
-        // Get base profile
-        const profile = await client.userinfo(tokens)
-
-        // If user has email hidden, get their primary email from the GitHub API
-        if (!profile.email) {
-          const emails = await (
-            await fetch("https://api.github.com/user/emails", {
-              headers: { Authorization: `token ${tokens.access_token}` },
-            })
-          ).json()
-
-          if (emails?.length > 0) {
-            // Get primary email
-            profile.email = emails.find(email => email.primary)?.email;
-            // And if for some reason it doesn't exist, just use the first
-            if (!profile.email) profile.email = emails[0].email;
-          }
-        }
-
-        return profile
-      },
-    },
-    profile(profile) {
-      return {
-        id: profile.id.toString(),
-        name: profile.name || profile.login,
-        email: profile.email,
-        image: profile.avatar_url,
-      }
-    },
-    options,
-  }
-}

packages/next-auth/src/providers/github.ts

@@ -0,0 +1,109 @@
+import type { OAuthConfig, OAuthUserConfig } from "."
+
+/**
+ * Source https://docs.github.com/en/rest/users/users#get-the-authenticated-user
+ */
+export interface GithubProfile extends Record<string, any> {
+  login: string
+  id: number
+  node_id: string
+  avatar_url: string
+  gravatar_id: string | null
+  url: string
+  html_url: string
+  followers_url: string
+  following_url: string
+  gists_url: string
+  starred_url: string
+  subscriptions_url: string
+  organizations_url: string
+  repos_url: string
+  events_url: string
+  received_events_url: string
+  type: string
+  site_admin: boolean
+  name: string | null
+  company: string | null
+  blog: string | null
+  location: string | null
+  email: string | null
+  hireable: boolean | null
+  bio: string | null
+  twitter_username?: string | null
+  public_repos: number
+  public_gists: number
+  followers: number
+  following: number
+  created_at: string
+  updated_at: string
+  private_gists?: number
+  total_private_repos?: number
+  owned_private_repos?: number
+  disk_usage?: number
+  suspended_at?: string | null
+  collaborators?: number
+  two_factor_authentication: boolean
+  plan?: {
+    collaborators: number
+    name: string
+    space: number
+    private_repos: number
+  }
+}
+
+export interface GithubEmail extends Record<string, any> {
+  email: string
+  primary: boolean
+  verified: boolean
+  visibility: string | null
+}
+
+export default function Github<P extends GithubProfile>(
+  options: OAuthUserConfig<P>
+): OAuthConfig<P> {
+  return {
+    id: "github",
+    name: "GitHub",
+    type: "oauth",
+    authorization: {
+      url: "https://github.com/login/oauth/authorize",
+      params: { scope: "read:user+user:email" },
+    },
+    token: "https://github.com/login/oauth/access_token",
+    userinfo: {
+      url: "https://api.github.com/user",
+      async request({ client, tokens }) {
+        // Get base profile
+        // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+        const profile = await client.userinfo(tokens.access_token!)
+
+        // If user has email hidden, get their primary email from the GitHub API
+        if (!profile.email) {
+          const emails: GithubEmail[] = await (
+            await fetch("https://api.github.com/user/emails", {
+              headers: { Authorization: `token ${tokens.access_token}` },
+            })
+          ).json()
+
+          if (emails?.length > 0) {
+            // Get primary email
+            profile.email = emails.find((email) => email.primary)?.email
+            // And if for some reason it doesn't exist, just use the first
+            if (!profile.email) profile.email = emails[0].email
+          }
+        }
+
+        return profile
+      },
+    },
+    profile(profile) {
+      return {
+        id: profile.id.toString(),
+        name: profile.name ?? profile.login,
+        email: profile.email,
+        image: profile.avatar_url,
+      }
+    },
+    options,
+  }
+}

packages/next-auth/src/providers/vk.js

@@ -1,23 +0,0 @@
-/** @type {import(".").OAuthProvider} */
-export default function VK(options) {
-  const apiVersion = "5.126" // https://vk.com/dev/versions
-
-  return {
-    id: "vk",
-    name: "VK",
-    type: "oauth",
-    authorization: `https://oauth.vk.com/authorize?scope=email&v=${apiVersion}`,
-    token: `https://oauth.vk.com/access_token?v=${apiVersion}`,
-    userinfo: `https://api.vk.com/method/users.get?fields=photo_100&v=${apiVersion}`,
-    profile(result) {
-      const profile = result.response?.[0] ?? {}
-      return {
-        id: profile.id,
-        name: [profile.first_name, profile.last_name].filter(Boolean).join(" "),
-        email: profile.email,
-        image: profile.photo_100,
-      }
-    },
-    options,
-  }
-}

packages/next-auth/src/providers/vk.ts

@@ -0,0 +1,285 @@
+import type { OAuthConfig, OAuthUserConfig } from "."
+
+export interface VkProfile {
+  // https://dev.vk.com/reference/objects/user
+  response: Array<{
+    id: number
+    first_name: string
+    last_name: string
+    photo_100: string
+    can_access_closed: boolean
+    is_closed: boolean
+    deactivated?: string
+    sex?: 0 | 1 | 2
+    screen_name?: string
+    photo_50?: string
+    online?: 0 | 1
+    online_mobile?: 0 | 1
+    online_app?: number
+    verified?: 0 | 1
+    trending?: 0 | 1
+    friend_status?: 0 | 1 | 2 | 3
+    first_name_nom?: string
+    first_name_gen?: string
+    first_name_dat?: string
+    first_name_acc?: string
+    first_name_ins?: string
+    first_name_abl?: string
+    last_name_nom?: string
+    last_name_gen?: string
+    last_name_dat?: string
+    last_name_acc?: string
+    last_name_ins?: string
+    last_name_abl?: string
+    nickname?: string
+    maiden_name?: string
+    domain?: string
+    bdate?: string
+    city?: {
+      id: number
+      title: string
+    }
+    country?: {
+      id: number
+      title: string
+    }
+    timezone?: number
+    photo_200?: string
+    photo_max?: string
+    photo_200_orig?: string
+    photo_400_orig?: string
+    photo_max_orig?: string
+    photo_id?: string
+    has_photo?: 0 | 1
+    has_mobile?: 0 | 1
+    is_friend?: 0 | 1
+    can_post?: 0 | 1
+    can_see_all_posts?: 0 | 1
+    can_see_audio?: 0 | 1
+    connections?: {
+      facebook?: string
+      skype?: string
+      twitter?: string
+      livejournal?: string
+      instagram?: string
+    }
+    photo_400?: string
+    wall_default?: 'owner' | 'all'
+    interests?: string
+    books?: string
+    tv?: string
+    quotes?: string
+    about?: string
+    games?: string
+    movies?: string
+    activities?: string
+    music?: string
+    can_write_private_message?: 0 | 1
+    can_send_friend_request?: 0 | 1
+    contacts?: {
+      mobile_phone?: string
+      home_phone?: string
+    }
+    site?: string
+    status_audio?: {
+      access_key?: string
+      artist: string
+      id: number
+      owner_id: number
+      title: string
+      url?: string
+      duration: number
+      date?: number
+      album_id?: number
+      genre_id?: number
+      performer?: string
+    }
+    status?: string
+    last_seen?: {
+      platform?: 1 | 2 | 3 | 4 | 5 | 6 | 7
+      time?: number
+    }
+    exports?: {
+      facebook?: number
+      livejournal?: number
+      twitter?: number
+      instagram?: number
+    }
+    crop_photo?: {
+      photo: {
+        access_key?: string
+        album_id: number
+        date: number
+        height?: number
+        id: number
+        images?: Array<{
+          height?: number
+          type?: 's' | 'm' | 'x' | 'l' | 'o' | 'p' | 'q' | 'r' | 'y' | 'z' | 'w'
+          url?: string
+          width?: number
+        }>
+        lat?: number
+        long?: number
+        owner_id: number
+        photo_256?: string
+        can_comment?: 0 | 1
+        place?: string
+        post_id?: number
+        sizes?: Array<{
+          height: number
+          url: string
+          src?: string
+          type: 's' | 'm' | 'x' | 'o' | 'p' | 'q' | 'r' | 'k' | 'l' | 'y' | 'z' | 'c' | 'w' | 'a' | 'b' | 'e' | 'i' | 'd' | 'j' | 'temp' | 'h' | 'g' | 'n' | 'f' | 'max'
+          width: number
+        }>
+        text?: string
+        user_id?: number
+        width?: number
+        has_tags: boolean
+      }
+      crop: {
+        x: number
+        y: number
+        x2: number
+        y2: number
+      }
+      rect: {
+        x: number
+        y: number
+        x2: number
+        y2: number
+      }
+    }
+    followers_count?: number
+    blacklisted?: 0 | 1
+    blacklisted_by_me?: 0 | 1
+    is_favorite?: 0 | 1
+    is_hidden_from_feed?: 0 | 1
+    common_count?: number
+    occupation?: {
+      id?: number
+      name?: string
+      type?: 'work' | 'school' | 'university'
+    }
+    career?: {
+      group_id?: number
+      company?: string
+      country_id?: number
+      city_id?: number
+      city_name?: string
+      from?: number
+      until?: number
+      position?: string
+    }
+    military?: {
+      country_id: number
+      from?: number
+      unit: string
+      unit_id: number
+      until?: number
+    }
+    education?: {
+      university?: number
+      university_name?: string
+      faculty?: number
+      faculty_name?: string
+      graduation?: number
+    }
+    home_town?: string
+    relation?: 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8
+    relation_partner?: {
+      deactivated?: string
+      first_name: string
+      hidden?: number
+      id: number
+      last_name: string
+      can_access_closed?: boolean
+      is_closed?: boolean
+    }
+    personal?: {
+      alcohol?: 1 | 2 | 3 | 4 | 5
+      inspired_by?: string
+      langs?: string[]
+      life_main?: 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8
+      people_main?: 1 | 2 | 3 | 4 | 5 | 6
+      political?: 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9
+      religion?: string
+      smoking?: 1 | 2 | 3 | 4 | 5
+    }
+    universities?: Array<{
+      chair?: number
+      chair_name?: string
+      city?: number
+      country?: number
+      education_form?: string
+      education_status?: string
+      faculty?: number
+      faculty_name?: string
+      graduation?: number
+      id?: number
+      name?: string
+      university_group_id?: number
+    }>
+    schools?: Array<{
+      city?: number
+      class?: string
+      country?: number
+      id?: string
+      name?: string
+      type?: number
+      type_str?: string
+      year_from?: number
+      year_graduated?: number
+      year_to?: number
+      speciality?: string
+    }>
+    relatives?: Array<{
+      id?: number
+      name?: string
+      type: 'parent' | 'child' | 'grandparent' | 'grandchild' | 'sibling'
+    }>
+    counters?: {
+      albums?: number
+      videos?: number
+      audios?: number
+      photos?: number
+      notes?: number
+      friends?: number
+      groups?: number
+      online_friends?: number
+      mutual_friends?: number
+      user_videos?: number
+      followers?: number
+      pages?: number
+    }
+    is_no_index?: 0 | 1
+  }>
+}
+
+export default function VK<
+  P extends Record<string, any> = VkProfile
+>(options: OAuthUserConfig<P>): OAuthConfig<P> {
+  const apiVersion = "5.131" // https://vk.com/dev/versions
+
+  return {
+    id: "vk",
+    name: "VK",
+    type: "oauth",
+    authorization: `https://oauth.vk.com/authorize?scope=email&v=${apiVersion}`,
+    client: {
+      token_endpoint_auth_method: "client_secret_post",
+    },
+    token: `https://oauth.vk.com/access_token?v=${apiVersion}`,
+    userinfo: `https://api.vk.com/method/users.get?fields=photo_100&v=${apiVersion}`,
+    profile(result: P) {
+      const profile = result.response?.[0] ?? {}
+      return {
+        id: profile.id,
+        name: [profile.first_name, profile.last_name].filter(Boolean).join(" "),
+        email: null,
+        image: profile.photo_100,
+      }
+    },
+    options,
+  }
+}

packages/next-auth/src/providers/wikimedia.ts

@@ -0,0 +1,185 @@
+import type { OAuthConfig, OAuthUserConfig } from "."
+
+export type WikimediaGroup =
+  | "*"
+  | "user"
+  | "autoconfirmed"
+  | "extendedconfirmed"
+  | "bot"
+  | "sysop"
+  | "bureaucrat"
+  | "steward"
+  | "accountcreator"
+  | "import"
+  | "transwiki"
+  | "ipblock-exempt"
+  | "oversight"
+  | "rollbacker"
+  | "propertycreator"
+  | "wikidata-staff"
+  | "flood"
+  | "translationadmin"
+  | "confirmed"
+  | "flow-bot"
+  | "checkuser"
+
+export type WikimediaGrant =
+  | "basic"
+  | "blockusers"
+  | "checkuser"
+  | "createaccount"
+  | "delete"
+  | "editinterface"
+  | "editmycssjs"
+  | "editmyoptions"
+  | "editmywatchlist"
+  | "editpage"
+  | "editprotected"
+  | "editsiteconfig"
+  | "globalblock"
+  | "highvolume"
+  | "import"
+  | "mergehistory"
+  | "oath"
+  | "oversight"
+  | "patrol"
+  | "privateinfo"
+  | "protect"
+  | "rollback"
+  | "sendemail"
+  | "shortenurls"
+  | "uploadfile"
+  | "viewdeleted"
+  | "viewmywatchlist"
+
+export type WikimediaRight =
+  | "abusefilter-log"
+  | "apihighlimits"
+  | "applychangetags"
+  | "autoconfirmed"
+  | "autopatrol"
+  | "autoreview"
+  | "bigdelete"
+  | "block"
+  | "blockemail"
+  | "bot"
+  | "browsearchive"
+  | "changetags"
+  | "checkuser"
+  | "checkuser-log"
+  | "createaccount"
+  | "createpage"
+  | "createpagemainns"
+  | "createtalk"
+  | "delete"
+  | "delete-redirect"
+  | "deletedhistory"
+  | "deletedtext"
+  | "deletelogentry"
+  | "deleterevision"
+  | "edit"
+  | "edit-legal"
+  | "editinterface"
+  | "editmyoptions"
+  | "editmyusercss"
+  | "editmyuserjs"
+  | "editmyuserjson"
+  | "editmywatchlist"
+  | "editprotected"
+  | "editsemiprotected"
+  | "editsitecss"
+  | "editsitejs"
+  | "editsitejson"
+  | "editusercss"
+  | "edituserjs"
+  | "edituserjson"
+  | "globalblock"
+  | "import"
+  | "importupload"
+  | "ipblock-exempt"
+  | "item-merge"
+  | "item-redirect"
+  | "item-term"
+  | "markbotedits"
+  | "massmessage"
+  | "mergehistory"
+  | "minoredit"
+  | "move"
+  | "move-subpages"
+  | "movefile"
+  | "movestable"
+  | "mwoauth-authonlyprivate"
+  | "nominornewtalk"
+  | "noratelimit"
+  | "nuke"
+  | "patrol"
+  | "patrolmarks"
+  | "property-create"
+  | "property-term"
+  | "protect"
+  | "purge"
+  | "read"
+  | "reupload"
+  | "reupload-own"
+  | "reupload-shared"
+  | "rollback"
+  | "sendemail"
+  | "skipcaptcha"
+  | "suppressionlog"
+  | "tboverride"
+  | "templateeditor"
+  | "torunblocked"
+  | "transcode-reset"
+  | "translate"
+  | "undelete"
+  | "unwatchedpages"
+  | "upload"
+  | "upload_by_url"
+  | "viewmywatchlist"
+  | "viewsuppressed"
+  | "writeapi"
+
+export interface WikimediaProfile extends Record<string, any> {
+  sub: string
+  username: string
+  editcount: number
+  confirmed_email: boolean
+  blocked: boolean
+  registered: string
+  groups: WikimediaGroup[]
+  rights: WikimediaRight[]
+  grants: WikimediaGrant[]
+  realname: string
+  email: string
+}
+
+/**
+ * Wikimedia OAuth2 provider.
+ * All Wikimedia wikis are supported. Wikipedia, Wikidata, etc...
+ *
+ * (Register)[https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration]
+ * (Documentation)[https://www.mediawiki.org/wiki/Extension:OAuth]
+ */
+export default function Wikimedia<P extends WikimediaProfile>(
+  options: OAuthUserConfig<P>
+): OAuthConfig<P> {
+  return {
+    id: "wikimedia",
+    name: "Wikimedia",
+    type: "oauth",
+    token: "https://meta.wikimedia.org/w/rest.php/oauth2/access_token",
+    userinfo: "https://meta.wikimedia.org/w/rest.php/oauth2/resource/profile",
+    authorization: {
+      url: "https://meta.wikimedia.org/w/rest.php/oauth2/authorize",
+      params: { scope: "" },
+    },
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.username,
+        email: profile.email,
+      }
+    },
+    options,
+  }
+}

packages/next-auth/tests/getServerSession.test.ts

@@ -50,4 +50,19 @@ describe("Treat secret correctly", () => {
     expect(logger.error).toBeCalledTimes(1)
     expect(logger.error).toBeCalledWith("NO_SECRET", expect.any(MissingSecret))
   })
+
+  it("Only logs warning once and in development", async () => {
+    // Expect console.warn to NOT be called due to NODE_ENV=production
+    await unstable_getServerSession(req, res, { providers: [], logger })
+    expect(console.warn).toBeCalledTimes(0)
+
+    // Expect console.warn to be called ONCE due to NODE_ENV=development
+    process.env.NODE_ENV = "development"
+    await unstable_getServerSession(req, res, { providers: [], logger })
+    expect(console.warn).toBeCalledTimes(1)
+
+    // Expect console.warn to be still only be called ONCE
+    await unstable_getServerSession(req, res, { providers: [], logger })
+    expect(console.warn).toBeCalledTimes(1)
+  })
 })

packages/next-auth/tests/lib.ts

@@ -1,3 +1,4 @@
+import { createHash } from "crypto"
 import type { LoggerInstance, NextAuthOptions } from "../src"
 import { NextAuthHandler } from "../src/core"
 
@@ -7,17 +8,16 @@ export const mockLogger: () => LoggerInstance = () => ({
   debug: jest.fn(() => {}),
 })
 
+interface HandlerOptions {
+  prod?: boolean
+  path?: string
+  params?: URLSearchParams | Record<string, string>
+  requestInit?: RequestInit
+}
+
 export async function handler(
   options: NextAuthOptions,
-  {
-    prod,
-    path,
-    params,
-  }: {
-    prod?: boolean
-    path?: string
-    params?: URLSearchParams | Record<string, string>
-  }
+  { prod, path, params, requestInit }: HandlerOptions
 ) {
   // @ts-ignore
   if (prod) process.env.NODE_ENV = "production"
@@ -27,11 +27,7 @@ export async function handler(
       params ?? {}
     )}`
   )
-  const req = new Request(url, {
-    headers: {
-      host: "",
-    },
-  })
+  const req = new Request(url, { headers: { host: "" }, ...requestInit })
   const logger = mockLogger()
   const response = await NextAuthHandler({
     req,
@@ -49,3 +45,14 @@ export async function handler(
     log: logger,
   }
 }
+
+export function createCSRF() {
+  const secret = "secret"
+  const value = "csrf"
+  const token = createHash("sha256").update(`${value}${secret}`).digest("hex")
+
+  return {
+    secret,
+    csrf: { value, token, cookie: `next-auth.csrf-token=${value}|${token}` },
+  }
+}

scripts/release/analyze.ts

@@ -1,11 +1,13 @@
-import type { Commit, GroupedCommits, PackageToRelease } from "./types"
+import type {
+  Commit,
+  GroupedCommits as GrouppedCommits,
+  PackageToRelease,
+} from "./types"
 
 import { debug, pkgJson, execSync } from "./utils"
 import semver from "semver"
 import parseCommit from "@commitlint/parse"
-// @ts-ignore
 import gitLog from "git-log-parser"
-// @ts-ignore
 import streamToArray from "stream-to-array"
 
 export async function analyze(options: {
@@ -14,14 +16,12 @@ export async function analyze(options: {
   BREAKING_COMMIT_MSG: string
   RELEASE_COMMIT_MSG: string
   RELEASE_COMMIT_TYPES: string[]
-  SKIP_RELEASE_MSG: string
 }): Promise<PackageToRelease[]> {
   const {
     packages,
     BREAKING_COMMIT_MSG,
     RELEASE_COMMIT_MSG,
     RELEASE_COMMIT_TYPES,
-    SKIP_RELEASE_MSG,
   } = options
 
   const packageFolders = Object.values(options.packages)
@@ -65,12 +65,7 @@ export async function analyze(options: {
   )
 
   const lastCommit = commitsSinceLatestTag[0]
-  if (lastCommit?.parsed.raw.includes(SKIP_RELEASE_MSG)) {
-    console.log(
-      `Last commit contained ${SKIP_RELEASE_MSG}, skipping release...`
-    )
-    return []
-  }
+
   if (lastCommit?.parsed.raw === RELEASE_COMMIT_MSG) {
     debug("Already released...")
     return []
@@ -132,7 +127,7 @@ export async function analyze(options: {
       }
     }
     return acc
-  }, {} as Record<string, GroupedCommits>)
+  }, {} as Record<string, GrouppedCommits>)
 
   if (packagesNeedRelease.length) {
     console.log(

scripts/release/config.ts

@@ -17,9 +17,12 @@ export const config = {
     "@next-auth/typeorm-legacy-adapter": "packages/adapter-typeorm-legacy",
   },
   rootDir: process.cwd(),
-  RELEASE_COMMIT_MSG: "chore(release): bump version",
-  BREAKING_COMMIT_MSG: "BREAKING CHANGE",
-  SKIP_RELEASE_MSG: "[skip release]",
+  BREAKING_COMMIT_MSG: "BREAKING CHANGE:",
+  RELEASE_COMMIT_MSG: "chore(release): bump package version(s) [skip ci]",
   RELEASE_COMMIT_TYPES: ["feat", "fix"],
-  dryRun: !process.env.CI || !!process.env.DRY_RUN,
+  dryRun:
+    !process.env.CI ||
+    !!process.env.DRY_RUN ||
+    process.argv.includes("--dry-run"),
+  verbose: !!process.env.VERBOSE || process.argv.includes("--verbose"),
 }

scripts/release/index.ts

@@ -31,7 +31,7 @@ async function run() {
         JSON.stringify(
           {
             ...p,
-            commits: `${p.commits.features.length} feature(s), ${p.commits.bugfixes.length} bugfixe(s), ${p.commits.other.length} othe(r) and ${p.commits.breaking.length} breaking change(s)`,
+            commits: `${p.commits.features.length} feature(s), ${p.commits.bugfixes.length} bugfixe(s), ${p.commits.other.length} other(s) and ${p.commits.breaking.length} breaking change(s)`,
           },
           null,
           2

scripts/release/publish.ts

@@ -1,4 +1,3 @@
-import { createHash } from "crypto"
 import type { Commit, PackageToRelease } from "./types"
 
 import { debug, pkgJson, execSync } from "./utils"
@@ -15,11 +14,11 @@ export async function publish(options: {
   for await (const pkg of packages) {
     if (dryRun) {
       console.log(
-        `Dry run, npm publish for package ${pkg.name} will show the wrong version (${pkg.oldVersion}). In normal run, it would be ${pkg.newVersion}`
+        `Dry run, \`npm publish\` would have released package \`${pkg.name}\` with version "${pkg.newVersion}".`
       )
     } else {
       console.log(
-        `Writing version ${pkg.newVersion} to package.json for package ${pkg.name}`
+        `Writing version "${pkg.newVersion}" to package.json for package \`${pkg.name}\``
       )
       await pkgJson.update(pkg.path, { version: pkg.newVersion })
       console.log("package.json file has been written, publishing...")
@@ -35,8 +34,10 @@ export async function publish(options: {
     }
 
     if (dryRun) {
-      console.log(`Dry run, skip npm publish for package ${pkg.name}...`)
-      npmPublish += " --dry-run"
+      console.log(
+        `Dry run, skip \`npm publish\` for package \`${pkg.name}\`...\n`
+      )
+      npmPublish += " --dry-run --silent"
     } else {
       execSync(
         "echo '//registry.npmjs.org/:_authToken=${NPM_TOKEN}' > .npmrc",
@@ -58,13 +59,15 @@ export async function publish(options: {
     const { name, oldVersion, newVersion } = pkg
     const gitTag = `${name}@v${newVersion}`
 
-    console.log(`${name} ${oldVersion} -> ${newVersion}`)
+    console.log(
+      `\n\n-------------------------------\n${name} ${oldVersion} -> ${newVersion}`
+    )
 
     const changelog = createChangelog(pkg)
-    debug(`Generated changelog for package ${name}`, changelog)
+    debug("Changelog generated", changelog)
 
     if (dryRun) {
-      console.log(`Dry run, skip git tag/release notes for package ${name}`)
+      console.log(`Dry run, skip git tag/release notes for package \`${name}\``)
     } else {
       console.log(`Creating git tag...`)
       execSync(`git tag ${gitTag}`)
@@ -83,7 +86,7 @@ function createChangelog(pkg: PackageToRelease) {
   const {
     commits: { features, breaking, bugfixes, other },
   } = pkg
-  console.log(`Creating changelog for package ${pkg.name}...`)
+  console.log(`Creating changelog for package \`${pkg.name}\`...`)
 
   let changelog = ``
   changelog += listGroup("Features", features)

scripts/release/tsconfig.json

@@ -1,21 +1,12 @@
 {
   "compilerOptions": {
-    "target": "ES2018",
-    "module": "commonjs",
+    "target": "ESNext",
+    "module": "NodeNext",
     "esModuleInterop": true,
-    "forceConsistentCasingInFileNames": true,
-    "strict": true,
-    "noImplicitAny": true,
     "skipLibCheck": true,
-    "checkJs": true,
-    "resolveJsonModule": true
+    "skipDefaultLibCheck": true
   },
   "ts-node": {
-    "transpileOnly": true,
-    "files": true,
-    "compilerOptions": {
-      "sourceMap": true,
-      "inlineSources": true
-    }
+    "swc": true
   }
 }

scripts/release/utils.ts

@@ -3,6 +3,7 @@ import type { PackageJson } from "type-fest"
 import fs from "node:fs/promises"
 import path from "node:path"
 import { execSync as nodeExecSync } from "node:child_process"
+import { config } from "./config"
 
 async function read(directory: string): Promise<PackageJson> {
   const content = await fs.readFile(
@@ -28,7 +29,7 @@ async function update(
 export const pkgJson = { read, update }
 
 export function debug(...args: any[]): void {
-  if (!process.env.DEBUG) return
+  if (!config.verbose) return
   const [first, ...rest] = args
   console.log(`\n[debug] ${first}\n`, ...rest, "\n")
 }