fix(ts): allow scope as string array type (#2511)

* chore(docs): email contact update

* chore(docs): add me@iaincollins.com back

CODE_OF_CONDUCT.md

@@ -14,22 +14,22 @@ appearance, race, religion, or sexual identity and orientation.
 Examples of behavior that contributes to creating a positive environment
 include:
 
-* Using welcoming and inclusive language
-* Being respectful of differing viewpoints and experiences
-* Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints and experiences
+- Gracefully accepting constructive criticism
+- Focusing on what is best for the community
+- Showing empathy towards other community members
 
 Examples of unacceptable behavior by participants include:
 
-* The use of sexualized language or imagery and unwelcome sexual attention or
-advances
-* Trolling, insulting/derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or electronic
-address, without explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-professional setting
+- The use of sexualized language or imagery and unwelcome sexual attention or
+  advances
+- Trolling, insulting/derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+- Other conduct which could reasonably be considered inappropriate in a
+  professional setting
 
 ## Our Responsibilities
 
@@ -55,11 +55,11 @@ further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting me@iaincollins.com. All complaints will be reviewed and
-investigated and will result in a response that is deemed necessary and
-appropriate to the circumstances. The project team is obligated to maintain
-confidentiality with regard to the reporter of an incident. Further details of
-specific enforcement policies may be posted separately.
+reported by contacting me@iaincollins.com or info@balazsorban.com and yo@ndo.dev.
+All complaints will be reviewed and investigated and will result in a response
+that is deemed necessary and appropriate to the circumstances. The project team
+is obligated to maintain confidentiality with regard to the reporter of an
+incident. Further details of specific enforcement policies may be posted separately.
 
 Project maintainers who do not follow or enforce the Code of Conduct in good
 faith may face temporary or permanent repercussions as determined by other

README.md

@@ -38,7 +38,7 @@ It is designed from the ground up to support Next.js and Serverless.
 npm install --save next-auth
 ```
 
-The easiest way to continue getting started, is to follow the [getting started](https://next-auth.js.org/getting-started/example) section in our docs. 
+The easiest way to continue getting started, is to follow the [getting started](https://next-auth.js.org/getting-started/example) section in our docs.
 
 We also have a section of [tutorials](https://next-auth.js.org/tutorials) for those looking for more specific examples.
 
@@ -48,36 +48,36 @@ See [next-auth.js.org](https://next-auth.js.org) for more information and docume
 
 ### Flexible and easy to use
 
-* Designed to work with any OAuth service, it supports OAuth 1.0, 1.0A and 2.0
-* Built-in support for [many popular sign-in services](https://next-auth.js.org/configuration/providers)
-* Supports email / passwordless authentication
-* Supports stateless authentication with any backend (Active Directory, LDAP, etc)
-* Supports both JSON Web Tokens and database sessions
-* Designed for Serverless but runs anywhere (AWS Lambda, Docker, Heroku, etc…)
+- Designed to work with any OAuth service, it supports OAuth 1.0, 1.0A and 2.0
+- Built-in support for [many popular sign-in services](https://next-auth.js.org/configuration/providers)
+- Supports email / passwordless authentication
+- Supports stateless authentication with any backend (Active Directory, LDAP, etc)
+- Supports both JSON Web Tokens and database sessions
+- Designed for Serverless but runs anywhere (AWS Lambda, Docker, Heroku, etc…)
 
 ### Own your own data
 
 NextAuth.js can be used with or without a database.
 
-* An open source solution that allows you to keep control of your data
-* Supports Bring Your Own Database (BYOD) and can be used with any database
-* Built-in support for [MySQL, MariaDB, Postgres, Microsoft SQL Server, MongoDB and SQLite](https://next-auth.js.org/configuration/databases)
-* Works great with databases from popular hosting providers
-* Can also be used *without a database* (e.g. OAuth + JWT)
+- An open source solution that allows you to keep control of your data
+- Supports Bring Your Own Database (BYOD) and can be used with any database
+- Built-in support for [MySQL, MariaDB, Postgres, Microsoft SQL Server, MongoDB and SQLite](https://next-auth.js.org/configuration/databases)
+- Works great with databases from popular hosting providers
+- Can also be used _without a database_ (e.g. OAuth + JWT)
 
 ### Secure by default
 
-* Promotes the use of passwordless sign in mechanisms
-* Designed to be secure by default and encourage best practice for safeguarding user data
-* Uses Cross Site Request Forgery Tokens on POST routes (sign in, sign out)
-* Default cookie policy aims for the most restrictive policy appropriate for each cookie
-* When JSON Web Tokens are enabled, they are signed by default (JWS) with HS512
-* Use JWT encryption (JWE) by setting the option `encryption: true` (defaults to A256GCM)
-* Auto-generates symmetric signing and encryption keys for developer convenience
-* Features tab/window syncing and keepalive messages to support short lived sessions
-* Attempts to implement the latest guidance published by [Open Web Application Security Project](https://owasp.org/)
+- Promotes the use of passwordless sign in mechanisms
+- Designed to be secure by default and encourage best practice for safeguarding user data
+- Uses Cross Site Request Forgery Tokens on POST routes (sign in, sign out)
+- Default cookie policy aims for the most restrictive policy appropriate for each cookie
+- When JSON Web Tokens are enabled, they are signed by default (JWS) with HS512
+- Use JWT encryption (JWE) by setting the option `encryption: true` (defaults to A256GCM)
+- Auto-generates symmetric signing and encryption keys for developer convenience
+- Features tab/window syncing and keepalive messages to support short lived sessions
+- Attempts to implement the latest guidance published by [Open Web Application Security Project](https://owasp.org/)
 
-Advanced options allow you to define your own routines to handle controlling what accounts are allowed to sign in, for encoding and decoding JSON Web Tokens and to set custom cookie security policies and session properties, so you can control who is able to sign in and how often sessions have to be re-validated. 
+Advanced options allow you to define your own routines to handle controlling what accounts are allowed to sign in, for encoding and decoding JSON Web Tokens and to set custom cookie security policies and session properties, so you can control who is able to sign in and how often sessions have to be re-validated.
 
 ### TypeScript
 
@@ -90,50 +90,52 @@ The package at `@types/next-auth` is now deprecated.
 ### Add API Route
 
 ```javascript
-import NextAuth from 'next-auth'
-import Providers from 'next-auth/providers'
+import NextAuth from "next-auth"
+import Providers from "next-auth/providers"
 
 export default NextAuth({
   providers: [
     // OAuth authentication providers
     Providers.Apple({
       clientId: process.env.APPLE_ID,
-      clientSecret: process.env.APPLE_SECRET
+      clientSecret: process.env.APPLE_SECRET,
     }),
     Providers.Google({
       clientId: process.env.GOOGLE_ID,
-      clientSecret: process.env.GOOGLE_SECRET
+      clientSecret: process.env.GOOGLE_SECRET,
     }),
     // Sign in with passwordless email link
     Providers.Email({
       server: process.env.MAIL_SERVER,
-      from: '<no-reply@example.com>'
+      from: "<no-reply@example.com>",
     }),
   ],
   // SQL or MongoDB database (or leave empty)
-  database: process.env.DATABASE_URL
+  database: process.env.DATABASE_URL,
 })
 ```
 
 ### Add React Component
 
 ```javascript
-import {
-  useSession, signIn, signOut
-} from 'next-auth/client'
+import { useSession, signIn, signOut } from "next-auth/client"
 
 export default function Component() {
-  const [ session, loading ] = useSession()
-  if(session) {
-    return <>
-      Signed in as {session.user.email} <br/>
-      <button onClick={() => signOut()}>Sign out</button>
-    </>
+  const [session, loading] = useSession()
+  if (session) {
+    return (
+      <>
+        Signed in as {session.user.email} <br />
+        <button onClick={() => signOut()}>Sign out</button>
+      </>
+    )
   }
-  return <>
-    Not signed in <br/>
-    <button onClick={() => signIn()}>Sign in</button>
-  </>
+  return (
+    <>
+      Not signed in <br />
+      <button onClick={() => signIn()}>Sign in</button>
+    </>
+  )
 }
 ```
 
@@ -145,14 +147,44 @@ export default function Component() {
   <img width="500px" src="https://contrib.rocks/image?repo=nextauthjs/next-auth" />
 </a>
 <div>
-<a href="https://vercel.com?utm_source=nextauthjs&utm_campaign=oss">
-<img width="170px" src="https://raw.githubusercontent.com/nextauthjs/next-auth/canary/www/static/img/powered-by-vercel.svg" alt="Powered By Vercel" />
-</a>
-</div>
-<div>
-<p align="left">Thanks to Vercel sponsoring this project by allowing it to be deployed for free for the entire NextAuth.js Team</p>
+<a href="https://vercel.com?utm_source=nextauthjs&utm_campaign=oss"></a>
 </div>
 
+### Support
+
+We're happy to announce we've recently created an [OpenCollective](https://opencollective.org/nextauth) for individuals and companies looking to contribute financially to the project!
+
+<!--sponsors start-->
+<table>
+  <tbody>
+    <tr>
+      <td align="center" valign="top">
+        <a href="https://vercel.com" target="_blank">
+          <img width="128px" src="https://avatars.githubusercontent.com/u/14985020?v=4" alt="Vercel Logo" />
+        </a><br />
+        <div>Vercel</div><br />
+        <sub>🥉 Bronze Financial Sponsor <br /> ☁️ Infrastructure Support</sub>
+      </td>
+      <td align="center" valign="top">
+        <a href="https://prisma.io" target="_blank">
+          <img width="128px" src="https://avatars.githubusercontent.com/u/17219288?v=4" alt="Prisma Logo" />
+        </a><br />
+        <div>Prisma</div><br />
+        <sub>🥉 Bronze Financial Sponsor</sub>
+      </td>
+      <td align="center" valign="top">
+        <a href="https://checklyhq.com" target="_blank">
+          <img width="128px" src="https://avatars.githubusercontent.com/u/25982255?v=4" alt="Checkly Logo" />
+        </a><br />
+        <div>Checkly</div><br />
+        <sub>☁️ Infrastructure Support</sub>
+      </td>
+    </tr><tr></tr>
+  </tbody>
+</table>
+<br />
+<!--sponsors end-->
+
 ## Contributing
 
 We're open to all community contributions! If you'd like to contribute in any way, please first read our [Contributing Guide](https://github.com/nextauthjs/next-auth/blob/canary/CONTRIBUTING.md).

SECURITY.md

@@ -14,11 +14,11 @@ We request that you contact us directly to report serious issues that might impa
 
 If you contact us regarding a serious issue:
 
-* We will endeavor to get back to you within 72 hours.
-* We will aim to publish a fix within 30 days.
-* We will disclose the issue (and credit you, with your consent) once a fix to resolve the issue has been released.
-* If 90 days has elapsed and we still don't have a fix, we will disclose the issue publicly.
+- We will endeavor to get back to you within 72 hours.
+- We will aim to publish a fix within 30 days.
+- We will disclose the issue (and credit you, with your consent) once a fix to resolve the issue has been released.
+- If 90 days has elapsed and we still don't have a fix, we will disclose the issue publicly.
 
-Currently, the best way to report an issue is by emailing me@iaincollins.com
+Currently, the best way to report an issue is by contacting us via email at me@iaincollins.com or info@balazsorban.com and yo@ndo.dev.
 
 For less serious issues (e.g. RFC compliance for unsupported flows or potential issues that may cause a problem future or default behaviour / options) it is appropriate to submit these these publically as bug reports or feature requests or to raise a question to open a discussion around them.

src/providers/freshbooks.js

@@ -0,0 +1,20 @@
+export default function Freshbooks(options) {
+  return {
+  id: 'freshbooks',
+  name: 'Freshbooks',
+  type: 'oauth',
+  version: '2.0',
+  params: { grant_type: 'authorization_code' },
+  accessTokenUrl: 'https://api.freshbooks.com/auth/oauth/token',
+  authorizationUrl: 'https://auth.freshbooks.com/service/auth/oauth/authorize?response_type=code',
+  profileUrl: 'https://api.freshbooks.com/auth/api/v1/users/me',
+  async profile(profile) {
+    return {
+      id: profile.response.id,
+      name: `${profile.response.first_name} ${profile.response.last_name}`,
+      email: profile.response.email,
+    };
+  },
+  ...options
+  };
+}

src/providers/onelogin.js

@@ -0,0 +1,19 @@
+export default function OneLogin(options) {
+  return {
+    id: "onelogin",
+    name: "OneLogin",
+    type: "oauth",
+    version: "2.0",
+    scope: "openid profile name email",
+    params: { grant_type: "authorization_code" },
+    // These will be different depending on the Org.
+    accessTokenUrl: `https://${options.domain}/oidc/2/token`,
+    requestTokenUrl: `https://${options.domain}/oidc/2/auth`,
+    authorizationUrl: `https://${options.domain}/oidc/2/auth?response_type=code`,
+    profileUrl: `https://${options.domain}/oidc/2/me`,
+    profile(profile) {
+      return { ...profile, id: profile.sub }
+    },
+    ...options,
+  }
+}

src/server/lib/csrf-token-handler.js

@@ -3,7 +3,7 @@ import * as cookie from './cookie'
 
 /**
  * Ensure CSRF Token cookie is set for any subsequent requests.
- * Used as part of the strateigy for mitigation for CSRF tokens.
+ * Used as part of the strategy for mitigation for CSRF tokens.
  *
  * Creates a cookie like 'next-auth.csrf-token' with the value 'token|hash',
  * where 'token' is the CSRF token and 'hash' is a hash made of the token and

src/server/lib/oauth/pkce-handler.js

@@ -36,7 +36,11 @@ export async function handleCallback (req, res) {
       pkceLength: PKCE_LENGTH,
       method: PKCE_CODE_CHALLENGE_METHOD
     })
-    cookie.set(res, cookies.pkceCodeVerifier.name, null, { maxAge: 0 }) // remove PKCE after it has been used
+    // remove PKCE after it has been used
+    cookie.set(res, cookies.pkceCodeVerifier.name, "", { 
+      ...cookies.pkceCodeVerifier.options,
+      maxAge: 0 
+    })
   } catch (error) {
     logger.error('CALLBACK_OAUTH_ERROR', error)
     return res.redirect(`${baseUrl}${basePath}/error?error=OAuthCallback`)

types/providers.d.ts

@@ -27,7 +27,7 @@ export interface OAuthConfig<P extends Record<string, unknown> = Profile>
   headers?: Record<string, any>
   type: "oauth"
   version: string
-  scope: string
+  scope: string | string[]
   params: { grant_type: string }
   accessTokenUrl: string
   requestTokenUrl?: string
@@ -72,6 +72,7 @@ export type OAuthProviderType =
   | "FACEIT"
   | "FortyTwo"
   | "Foursquare"
+  | "Freshbooks"
   | "FusionAuth"
   | "GitHub"
   | "GitLab"
@@ -87,6 +88,7 @@ export type OAuthProviderType =
   | "Naver"
   | "Netlify"
   | "Okta"
+  | "OneLogin"
   | "Osso"
   | "Reddit"
   | "Salesforce"

types/tests/providers.test.ts

@@ -33,7 +33,7 @@ Providers.Credentials({
       type: "password",
     },
   },
-  authorize: async ({username, password}) => {
+  authorize: async ({ username, password }) => {
     const user = {
       /* fetched user */
     }
@@ -152,6 +152,13 @@ Providers.Okta({
   domain: "https://foo.auth0.com",
 })
 
+// $ExpectType OAuthConfig<Profile>
+Providers.OneLogin({
+  clientId: "foo123",
+  clientSecret: "bar123",
+  domain: "foo.onelogin.com",
+})
+
 // $ExpectType OAuthConfig<Profile>
 Providers.BattleNet({
   clientId: "foo123",
@@ -257,3 +264,9 @@ Providers.Zoho({
   clientId: "foo123",
   clientSecret: "bar123",
 })
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Freshbooks({
+  clientId: "foo123",
+  clientSecret: "bar123",
+})

www/docs/adapters/fauna.md

@@ -49,6 +49,8 @@ export default NextAuth({
 
 ## Schema
 
+Run the following commands inside of the `Shell` tab in the Fauna dashboard to setup the appropriate collections and indexes.
+
 ```javascript
 CreateCollection({ name: "accounts" })
 CreateCollection({ name: "sessions" })
@@ -76,7 +78,7 @@ CreateIndex({
   terms: [{ field: ["data", "email"] }],
 })
 CreateIndex({
-  name: "verification_request_by_token",
+  name: "verification_request_by_token_and_identifier",
   source: Collection("verification_requests"),
   unique: true,
   terms: [{ field: ["data", "token"] }, { field: ["data", "identifier"] }],

www/docs/adapters/firebase.md

@@ -15,7 +15,7 @@ This is the Firebase Adapter for [`next-auth`](https://next-auth.js.org). This p
 npm install next-auth @next-auth/firebase-adapter
 ```
 
-2. Add this adapter to your `pages/api/[...nextauth].js` next-auth configuration object.
+2. Add this adapter to your `pages/api/auth/[...nextauth].js` next-auth configuration object.
 
 ```javascript title="pages/api/auth/[...nextauth].js"
 import NextAuth from "next-auth"

www/docs/configuration/callbacks.md

@@ -70,7 +70,7 @@ callbacks: {
   
   You can check for the `verificationRequest` property to avoid sending emails to addresses or domains on a blocklist (or to only explicitly generate them for email address in an allow list).
 
-* When using the **Credentials Provider** the `user` object is the response returned from the `authorization` callback and the `profile` object is the raw body of the `HTTP POST` submission.
+* When using the **Credentials Provider** the `user` object is the response returned from the `authorize` callback and the `profile` object is the raw body of the `HTTP POST` submission.
 
 :::note
 When using NextAuth.js with a database, the User object will be either a user object from the database (including the User ID) if the user has signed in before or a simpler prototype user object (i.e. name, email, image) for users who have not signed in before.

www/docs/configuration/options.md

@@ -123,27 +123,32 @@ jwt: {
   // Defaults to NextAuth.js secret if not explicitly specified.
   // This is used to generate the actual signingKey and produces a warning
   // message if not defined explicitly.
-  // secret: 'INp8IvdIyeMcoGAgFGoA61DdBglwwSqnXJZkgz8PSnw',
+  secret: 'INp8IvdIyeMcoGAgFGoA61DdBglwwSqnXJZkgz8PSnw',
   // You can generate a signing key using `jose newkey -s 512 -t oct -a HS512`
   // This gives you direct knowledge of the key used to sign the token so you can use it
   // to authenticate indirectly (eg. to a database driver)
-  // signingKey: {"kty":"oct","kid":"Dl893BEV-iVE-x9EC52TDmlJUgGm9oZ99_ZL025Hc5Q","alg":"HS512","k":"K7QqRmJOKRK2qcCKV_pi9PSBv3XP0fpTu30TP8xn4w01xR3ZMZM38yL2DnTVPVw6e4yhdh0jtoah-i4c_pZagA"},
+  signingKey: {
+     kty: "oct",
+     kid: "Dl893BEV-iVE-x9EC52TDmlJUgGm9oZ99_ZL025Hc5Q",
+     alg: "HS512",
+     k: "K7QqRmJOKRK2qcCKV_pi9PSBv3XP0fpTu30TP8xn4w01xR3ZMZM38yL2DnTVPVw6e4yhdh0jtoah-i4c_pZagA"
+  },
   // If you chose something other than the default algorithm for the signingKey (HS512)
   // you also need to configure the algorithm
-  // verificationOptions: {
-  //    algorithms: ['HS256']
-  // },
+  verificationOptions: {
+     algorithms: ['HS256']
+  },
   // Set to true to use encryption. Defaults to false (signing only).
-  // encryption: true,
-  // encryptionKey: "",
-  // decryptionKey = encryptionKey,
-  // decryptionOptions = {
-  //    algorithms: ['A256GCM']
-  // },
+  encryption: true,
+  encryptionKey: "",
+  // decryptionKey: encryptionKey,
+  decryptionOptions: {
+     algorithms: ['A256GCM']
+  },
   // You can define your own encode/decode functions for signing and encryption
   // if you want to override the default behaviour.
-  // async encode({ secret, token, maxAge }) {},
-  // async decode({ secret, token, maxAge }) {},
+  async encode({ secret, token, maxAge }) {},
+  async decode({ secret, token, maxAge }) {},
 }
 ```
 

www/docs/configuration/providers.md

@@ -187,7 +187,7 @@ You only need to add two changes:
 2. Add provider documentation: [`www/docs/providers/{provider}.md`](https://github.com/nextauthjs/next-auth/tree/main/www/docs/providers)
 3. Add it to our [provider types](https://github.com/nextauthjs/next-auth/blob/main/types/providers.d.ts) (for TS projects)<br />
    • you just need to add your new provider name to [this list](https://github.com/nextauthjs/next-auth/blob/main/types/providers.d.ts#L56-L97)<br />
-   • in case you new provider accepts some custom options, you can [add them here](https://github.com/nextauthjs/next-auth/blob/main/types/providers.d.ts#L48-L53)
+   • in case your new provider accepts some custom options, you can [add them here](https://github.com/nextauthjs/next-auth/blob/main/types/providers.d.ts#L48-L53)
 
 That's it! 🎉 Others will be able to discover this provider much more easily now!
 

www/docs/faq.md

@@ -23,13 +23,11 @@ You can use also NextAuth.js with any database using a custom database adapter,
 
 ### What authentication services does NextAuth.js support?
 
-
 <p>NextAuth.js includes built-in support for signing in with&nbsp;
 {Object.values(require("../providers.json")).sort().join(", ")}.
 (See also: <a href="/configuration/providers">Providers</a>)
 </p>
 
-
 NextAuth.js also supports email for passwordless sign in, which is useful for account recovery or for people who are not able to use an account with the configured OAuth services (e.g. due to service outage, account suspension or otherwise becoming locked out of an account).
 
 You can also use a custom based provider to support signing in with a username and password stored in an external database and/or using two factor authentication.
@@ -58,7 +56,6 @@ NextAuth.js is designed as a secure, confidential client and implements a server
 
 It is not intended to be used in native applications on desktop or mobile applications, which typically implement public clients (e.g. with client / secrets embedded in the application).
 
-
 ### Is NextAuth.js supporting TypeScript?
 
 Yes! Check out the [TypeScript docs](/getting-started/typescript)
@@ -83,9 +80,9 @@ If you are using a database with NextAuth.js, you can still explicitly enable JS
 
 ### Should I use a database?
 
-* Using NextAuth.js without a database works well for internal tools - where you need to control who is able to sign in, but when you do not need to create user accounts for them in your application.
+- Using NextAuth.js without a database works well for internal tools - where you need to control who is able to sign in, but when you do not need to create user accounts for them in your application.
 
-* Using NextAuth.js with a database is usually a better approach for a consumer facing application where you need to persist accounts (e.g. for billing, to contact customers, etc).
+- Using NextAuth.js with a database is usually a better approach for a consumer facing application where you need to persist accounts (e.g. for billing, to contact customers, etc).
 
 ### What database should I use?
 
@@ -93,16 +90,15 @@ Managed database solutions for MySQL, Postgres and MongoDB (and compatible datab
 
 If you are deploying directly to a particular cloud platform you may also want to consider serverless database offerings they have (e.g. [Amazon Aurora Serverless on AWS](https://aws.amazon.com/rds/aurora/serverless/)).
 
-
 ---
 
-## Security 
+## Security
 
 ### I think I've found a security problem, what should I do?
 
 Less serious or edge case issues (e.g. queries about compatibility with optional RFC specifications) can be raised as public issues on GitHub.
 
-If you discover what you think may be a potentially serious security problem, please contact a core team member via a private channel (e.g. via email to me@iaincollins.com) or raise a public issue requesting someone get in touch with you via whatever means you prefer for more details.
+If you discover what you think may be a potentially serious security problem, please contact a core team member via a private channel (e.g. via email to me@iaincollins.com or info@balazsorban.com and yo@ndo.dev) or raise a public issue requesting someone get in touch with you via whatever means you prefer for more details.
 
 ### What is the disclosure policy for NextAuth.js?
 
@@ -165,14 +161,14 @@ Ultimately if your request is not accepted or is not actively in development, yo
 
 ---
 
-## JSON Web Tokens 
+## JSON Web Tokens
 
 ### Does NextAuth.js use JSON Web Tokens?
 
 NextAuth.js supports both database session tokens and JWT session tokens.
 
-* If a database is specified, database session tokens will be used by default.
-* If no database is specified, JWT session tokens will be used by default.
+- If a database is specified, database session tokens will be used by default.
+- If no database is specified, JWT session tokens will be used by default.
 
 You can also choose to use JSON Web Tokens as session tokens with using a database, by explicitly setting the `session: { jwt: true }` option.
 
@@ -180,33 +176,33 @@ You can also choose to use JSON Web Tokens as session tokens with using a databa
 
 JSON Web Tokens can be used for session tokens, but are also used for lots of other things, such as sending signed objects between services in authentication flows.
 
-* Advantages of using a JWT as a session token include that they do not require a database to store sessions, this can be faster and cheaper to run and easier to scale.
+- Advantages of using a JWT as a session token include that they do not require a database to store sessions, this can be faster and cheaper to run and easier to scale.
 
-* JSON Web Tokens in NextAuth.js are secured using cryptographic signing (JWS) by default and it is easy for services and API endpoints to verify tokens without having to contact a database to verify them.
+- JSON Web Tokens in NextAuth.js are secured using cryptographic signing (JWS) by default and it is easy for services and API endpoints to verify tokens without having to contact a database to verify them.
 
-* You can enable encryption (JWE) to store include information directly in a JWT session token that you wish to keep secret and use the token to pass information between services / APIs on the same domain.
+- You can enable encryption (JWE) to store include information directly in a JWT session token that you wish to keep secret and use the token to pass information between services / APIs on the same domain.
 
-* You can use JWT to securely store information you do not mind the client knowing even without encryption, as the JWT is stored in a server-readable-only-token so data in the JWT is not accessible to third party JavaScript running on your site.
+- You can use JWT to securely store information you do not mind the client knowing even without encryption, as the JWT is stored in a server-readable-only-token so data in the JWT is not accessible to third party JavaScript running on your site.
 
 ### What are the disadvantages of JSON Web Tokens?
 
-* You cannot as easily expire a JSON Web Token - doing so requires maintaining a server side blocklist of invalid tokens (at least until they expire) and checking every token against the list every time a token is presented.
+- You cannot as easily expire a JSON Web Token - doing so requires maintaining a server side blocklist of invalid tokens (at least until they expire) and checking every token against the list every time a token is presented.
 
   Shorter session expiry times are used when using JSON Web Tokens as session tokens to allow sessions to be invalidated sooner and simplify this problem.
 
   NextAuth.js client includes advanced features to mitigate the downsides of using shorter session expiry times on the user experience, including automatic session token rotation, optionally sending keep alive messages to prevent short lived sessions from expiring if there is an window or tab open, background re-validation, and automatic tab/window syncing that keeps sessions in sync across windows any time session state changes or a window or tab gains or loses focus.
 
-* As with database session tokens, JSON Web Tokens are limited in the amount of data you can store in them. There is typically a limit of around 4096 bytes per cookie, though the exact limit varies between browsers, proxies and hosting services. If you want to support most browsers, then do not exceed 4096 bytes per cookie. If you want to save more data, you will need to persist your sessions in a database (Source: [browsercookielimits.iain.guru](http://browsercookielimits.iain.guru/))
+- As with database session tokens, JSON Web Tokens are limited in the amount of data you can store in them. There is typically a limit of around 4096 bytes per cookie, though the exact limit varies between browsers, proxies and hosting services. If you want to support most browsers, then do not exceed 4096 bytes per cookie. If you want to save more data, you will need to persist your sessions in a database (Source: [browsercookielimits.iain.guru](http://browsercookielimits.iain.guru/))
 
   The more data you try to store in a token and the more other cookies you set, the closer you will come to this limit. If you wish to store more than ~4 KB of data you're probably at the point where you need to store a unique ID in the token and persist the data elsewhere (e.g. in a server-side key/value store).
 
-* Data stored in an encrypted JSON Web Token (JWE) may be compromised at some point.
+- Data stored in an encrypted JSON Web Token (JWE) may be compromised at some point.
 
   Even if appropriately configured, information stored in an encrypted JWT should not be assumed to be impossible to decrypt at some point - e.g. due to the discovery of a defect or advances in technology.
 
   Avoid storing any data in a token that might be problematic if it were to be decrypted in the future.
 
-* If you do not explicitly specify a secret for for NextAuth.js, existing sessions will be invalidated any time your NextAuth.js configuration changes, as NextAuth.js will default to an auto-generated secret.
+- If you do not explicitly specify a secret for NextAuth.js, existing sessions will be invalidated any time your NextAuth.js configuration changes, as NextAuth.js will default to an auto-generated secret.
 
   If using JSON Web Token you should at least specify a secret and ideally configure public/private keys.
 
@@ -214,11 +210,11 @@ JSON Web Tokens can be used for session tokens, but are also used for lots of ot
 
 By default tokens are signed (JWS) but not encrypted (JWE), as encryption adds additional overhead and reduces the amount of space available to store data (total cookie size for a domain is limited to 4KB).
 
-* JSON Web Tokens in NextAuth.js use JWS and are signed using HS512 with an auto-generated key.
+- JSON Web Tokens in NextAuth.js use JWS and are signed using HS512 with an auto-generated key.
 
-* If encryption is enabled by setting `jwt: { encryption: true }` option then the JWT will _also_ use JWE to encrypt the token, using A256GCM with an auto-generated key.
+- If encryption is enabled by setting `jwt: { encryption: true }` option then the JWT will _also_ use JWE to encrypt the token, using A256GCM with an auto-generated key.
 
-You can specify other valid algorithms - [as specified in RFC 7518](https://tools.ietf.org/html/rfc7517) - with either a  secret (for symmetric encryption) or a public/private key pair (for a symmetric encryption).
+You can specify other valid algorithms - [as specified in RFC 7518](https://tools.ietf.org/html/rfc7517) - with either a secret (for symmetric encryption) or a public/private key pair (for a symmetric encryption).
 
 NextAuth.js will generate keys for you, but this will generate a warning at start up.
 
@@ -228,14 +224,14 @@ Using explicit public/private keys for signing is strongly recommended.
 
 NextAuth.js includes a largely complete implementation of JSON Object Signing and Encryption (JOSE):
 
-* [RFC 7515 - JSON Web Signature (JWS)](https://tools.ietf.org/html/rfc7515)
-* [RFC 7516 - JSON Web Encryption (JWE)](https://tools.ietf.org/html/rfc7516)
-* [RFC 7517 - JSON Web Key (JWK)](https://tools.ietf.org/html/rfc7517)
-* [RFC 7518 - JSON Web Algorithms (JWA)](https://tools.ietf.org/html/rfc7518)
-* [RFC 7519 - JSON Web Token (JWT)](https://tools.ietf.org/html/rfc7519)
+- [RFC 7515 - JSON Web Signature (JWS)](https://tools.ietf.org/html/rfc7515)
+- [RFC 7516 - JSON Web Encryption (JWE)](https://tools.ietf.org/html/rfc7516)
+- [RFC 7517 - JSON Web Key (JWK)](https://tools.ietf.org/html/rfc7517)
+- [RFC 7518 - JSON Web Algorithms (JWA)](https://tools.ietf.org/html/rfc7518)
+- [RFC 7519 - JSON Web Token (JWT)](https://tools.ietf.org/html/rfc7519)
 
 This incorporates support for:
 
-* [RFC 7638 - JSON Web Key Thumbprint](https://tools.ietf.org/html/rfc7638)
-* [RFC 7787 - JSON JWS Unencoded Payload Option](https://tools.ietf.org/html/rfc7797)
-* [RFC 8037 - CFRG Elliptic Curve ECDH and Signatures](https://tools.ietf.org/html/rfc8037)
+- [RFC 7638 - JSON Web Key Thumbprint](https://tools.ietf.org/html/rfc7638)
+- [RFC 7787 - JSON JWS Unencoded Payload Option](https://tools.ietf.org/html/rfc7797)
+- [RFC 8037 - CFRG Elliptic Curve ECDH and Signatures](https://tools.ietf.org/html/rfc8037)

www/docs/getting-started/client.md

@@ -274,7 +274,7 @@ The following parameters are always overridden server-side: `redirect_uri`, `sta
 - Client Side: **Yes**
 - Server Side: No
 
-Using the `signOut()` method ensures the user ends back on the page they started on after completing the sign out flow. It also handles CSRF tokens for you automatically.
+In order to logout, use the `signOut()` method to ensure the user ends back on the page they started on after completing the sign out flow. It also handles CSRF tokens for you automatically.
 
 It reloads the page in the browser when complete.
 
@@ -346,21 +346,22 @@ If every one of your pages needs to be protected, you can do this in `_app`, oth
 
 The session state is automatically synchronized across all open tabs/windows and they are all updated whenever they gain or lose focus or the state changes in any of them (e.g. a user signs in or out).
 
-If you have session expiry times of 30 days (the default) or more then you probably don't need to change any of the default options in the Provider. If you need to, you can can trigger an update of the session object across all tabs/windows by calling `getSession()` from a client side function.
+If you have session expiry times of 30 days (the default) or more then you probably don't need to change any of the default options in the Provider. If you need to, you can trigger an update of the session object across all tabs/windows by calling `getSession()` from a client side function.
 
 However, if you need to customise the session behaviour and/or are using short session expiry times, you can pass options to the provider to customise the behaviour of the `useSession()` hook.
 
 ```jsx title="pages/_app.js"
-import { Provider } from 'next-auth/client'
+import { Provider } from "next-auth/client"
 
-export default function App ({ Component, pageProps }) {
+export default function App({ Component, pageProps }) {
   return (
-    <Provider session={pageProps.session}
+    <Provider
+      session={pageProps.session}
       options={{
-        clientMaxAge: 60,     // Re-fetch session if cache is older than 60 seconds
-        keepAlive:    5 * 60 // Send keepAlive message every 5 minutes
+        clientMaxAge: 60, // Re-fetch session if cache is older than 60 seconds
+        keepAlive: 5 * 60, // Send keepAlive message every 5 minutes
       }}
-      >
+    >
       <Component {...pageProps} />
     </Provider>
   )

www/docs/providers/freshbooks.md

@@ -0,0 +1,33 @@
+---
+id: freshbooks
+title: Freshbooks
+---
+
+## Documentation
+
+https://www.freshbooks.com/api/authenticating-with-oauth-2-0-on-the-new-freshbooks-api
+
+## Configuration
+
+https://my.freshbooks.com/#/developer
+
+## Options
+
+The Freshbooks Provider comes with a set of default options:
+
+https://www.freshbooks.com/api/start
+
+You can override any of the options to suit your own use case.
+## Example
+
+```js
+import Providers from `next-auth/providers`
+...
+providers: [
+  Providers.Freshbooks({
+    clientId: process.env.FRESHBOOKS_CLIENT_ID,
+    clientSecret: process.env.FRESHBOOKS_CLIENT_SECRET,
+  })
+]
+...
+```

www/docs/providers/linkedin.md

@@ -19,7 +19,7 @@ From the Auth tab get the client ID and client secret. On the same tab, add redi
 
 The **LinkedIn Provider** comes with a set of default options:
 
-- [LinkedIn Provider options](https://github.com/nextauthjs/next-auth/blob/main/src/providers/linked-in.js)
+- [LinkedIn Provider options](https://github.com/nextauthjs/next-auth/blob/main/src/providers/linkedin.js)
 
 You can override any of the options to suit your own use case.
 

www/docs/providers/onelogin.md

@@ -0,0 +1,31 @@
+---
+id: onelogin
+title: OneLogin
+---
+
+## Documentation
+
+https://developers.onelogin.com/openid-connect
+
+## Options
+
+The **OneLogin Provider** comes with a set of default options:
+
+- [OneLogin Provider options](https://github.com/nextauthjs/next-auth/blob/main/src/providers/onelogin.js)
+
+You can override any of the options to suit your own use case.
+
+## Example
+
+```js
+import Providers from `next-auth/providers`
+...
+providers: [
+  Providers.OneLogin({
+    clientId: process.env.ONELOGIN_CLIENT_ID,
+    clientSecret: process.env.ONELOGIN_CLIENT_SECRET,
+    domain: process.env.ONELOGIN_DOMAIN
+  })
+]
+...
+```

www/docs/tutorials.md

@@ -94,3 +94,7 @@ This tutorial walks step by step on how to get Sign In with Apple working (both
 ### [How to Authenticate Next.js Apps with Twitter & NextAuth.js](https://spacejelly.dev/posts/how-to-authenticate-next-js-apps-with-twitter-nextauth-js/)
 
 Learn how to add Twitter authentication and login to a Next.js app both clientside and serverside with NextAuth.js.
+
+### [Using NextAuth.js with Magic links](https://dev.to/narciero/using-nextauth-js-with-magic-links-df4)
+
+Learn how to use [Magic](https://magic.link) link authentication with [NextAuth.js](https://next-auth.js.org) to enable passwordless authentication without a database.

www/docusaurus.config.js

@@ -68,10 +68,6 @@ module.exports = {
               label: "Introduction",
               to: "/getting-started/introduction",
             },
-            {
-              label: "Contributors",
-              to: "/contributors",
-            },
             {
               label: "Next documentation",
               to: "https://next-auth-git-next.nextauthjs.vercel.app",
@@ -95,8 +91,12 @@ module.exports = {
           title: "Acknowledgements",
           items: [
             {
-              label: "Docusaurus",
-              to: "https://v2.docusaurus.io/",
+              label: "Contributors",
+              to: "/contributors",
+            },
+            {
+              label: "Sponsors",
+              to: "https://opencollective.com/nextauth",
             },
             {
               label: "Images by unDraw",