* update surrealdb.js which fixes rest/http strategy
* uncomment rest test
* add docs
* update package dependencies
* run both strategies
* Apply suggestions from code review
* add fetch to jest globals
---------
Co-authored-by: Thang Vu <hi@thvu.dev>
* feat(adapter): Add Azure Table Storage DB adapter
* add newlines
* remove sessionByUserId together with the session
* include import in the readme file
* add types to response objects
* introduce contracts for the db entities
* Rename the lib in docs
Co-authored-by: Nico Domino <yo@ndo.dev>
* run prettier
* feat: azure tables adapter
---------
Co-authored-by: Nikita Dmitriev <nikitadmitry@gmail.com>
Co-authored-by: Nikita Dmitriev <106996965+nikitaclicks@users.noreply.github.com>
Co-authored-by: Nico Domino <yo@ndo.dev>
Improve performance by avoiding call to parseDataSourceConfig before checking if _dataSource was already initialized.
Co-authored-by: Thang Vu <hi@thvu.dev>
Fix crash in azure-ad-b2c.ts
Not all b2c-setups return a list of emails. This fixes the resulting crash by using defensive access when setting the profile email address field.
Co-authored-by: Thang Vu <hi@thvu.dev>
* Add vanilla Postgres adapter for NextAuth using the pg package.
All tests are passing.
* Fix typo in readme
* Add basic tsconfig
* Replace this.getUser with functio body as this is undef
* Change name from @next-auth/postgres-adapter to @next-auth/pg-adapter
* Fix package folder to be same as name
* Add package to issue template, labeller and PR labeller
* Commit pnpm lock change.
* Set next-auth version to ^4
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Return user id when updating user. Fixes#4897.
* chore: format PR
* chore: format PR
* chore: formatting
* fix: tests
* fix
---------
Co-authored-by: Jake Coppinger <jake@jakecoppinger.com>
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* cleaned everything up
* Added documentation
* fixed up d1 logo in docs
* cleaning out unused file
* changed to esm module
* formatting the PR
* update the deps
* update the deps
* ignore test
* ignore test
* fix deps
* add contributor
---------
Co-authored-by: Nico Domino <yo@ndo.dev>
Co-authored-by: Thang Vu <hi@thvu.dev>
BREAKING CHANGE:
The required minimum version of `mongodb` has been bumped to v6, make sure to upgrade it in your project via `npm i mongodb@latest` or the equivalent
* feat: click up provider created
* docs: ClickUp documentation
* Format
---------
Co-authored-by: Antonio Basile <antoniobasile2@eng.it>
Co-authored-by: Thang Vu <hi@thvu.dev>
Database adapters are not dependent on Next.js features, so it makes sense to republish them under the `@auth/*` scope.
This PR is part of a series to convert adapters, using `@auth/core` for types.
If you are coming from the previous adapter, change your `package.json`:
```diff
- "@next-auth/supabase-adapter": "0.0.0",
+ "@auth/supabase-adapter": "0.0.0",
```
And run `npm install`, `yarn install` or `pnpm install` respectively.
**Note:** This packages is published as ESM-only
Database adapters are not dependent on Next.js features, so it makes sense to republish them under the `@auth/*` scope.
This PR is part of a series to convert adapters, using `@auth/core` for types.
If you are coming from the previous adapter, change your `package.json`:
```diff
- "@next-auth/xata-adapter": "0.0.0",
+ "@auth/xata-adapter": "0.0.0",
```
And run `npm install`, `yarn install` or `pnpm install` respectively.
**Note:** This packages is published as ESM-only
Database adapters are not dependent on Next.js features, so it makes sense to republish them under the `@auth/*` scope.
This PR is part of a series to convert adapters, using `@auth/core` for types.
BREAKING CHANGE:
If you are coming from the previous adapter, change your `package.json`:
```diff
- "@next-auth/sequelize-adapter": "0.0.0",
+ "@auth/sequelize-adapter": "0.0.0",
```
And run `npm install`, `yarn install` or `pnpm install` respectively.
**Note:** This packages is published as ESM-only
Database adapters are not dependent on Next.js features, so it makes sense to republish them under the `@auth/*` scope.
This PR is part of a series to convert adapters, using `@auth/core` for types.
BREAKING CHANGE:
If you are coming from the previous adapter, change your `package.json`:
```diff
- "@next-auth/pouchdb-adapter": "0.0.0",
+ "@auth/pouchdb-adapter": "0.0.0",
```
And run `npm install`, `yarn install` or `pnpm install` respectively.
**Note:** This packages is published as ESM-only
This package assumes that `globalThis.crypto` is available.
In older Node.js versions, you can polyfill by adding:
`globalThis.crypto ??= require("node:crypto").webcrypto`
Database adapters are not dependent on Next.js features, so it makes sense to republish them under the `@auth/*` scope.
This PR is part of a series to convert adapters, using `@auth/core` for types.
BREAKING CHANGE:
If you are coming from the previous adapter, change your `package.json`:
```diff
- "@next-auth/neo4j-adapter": "0.0.0",
+ "@auth/neo4j-adapter": "0.0.0",
```
And run `npm install`, `yarn install` or `pnpm install` respectively.
**Note:** This packages is published as ESM-only
This package assumes that `globalThis.crypto` is available.
In older Node.js versions, you can polyfill by adding:
`globalThis.crypto ??= require("node:crypto").webcrypto`
Database adapters are not dependent on Next.js features, so it makes sense to republish them under the `@auth/*` scope.
This PR is part of a series to convert adapters, using `@auth/core` for types.
BREAKING CHANGE:
If you are coming from the previous adapter, change your `package.json`:
```diff
- "@next-auth/firebase-adapter": "0.0.0",
+ "@auth/firebase-adapter": "0.0.0",
```
And run `npm install`, `yarn install` or `pnpm install` respectively.
**Note:** This packages is published as ESM-only
* feat: introduce `@auth/fauna-adapter`
Database adapters are not dependent on Next.js features, so it makes sense to republish them under the `@auth/*` scope.
This PR is part of a series to convert adapters, using `@auth/core` for types.
BREAKING CHANGE:
If you are coming from the previous adapter, change your `package.json`:
```diff
- "@next-auth/fauna-adapter": "0.0.0",
+ "@auth/fauna-adapter": "0.0.0",
```
And run `npm install`, `yarn install` or `pnpm install` respectively.
**Note:** This packages is published as ESM-only
Database adapters are not dependent on Next.js features, so it makes sense to republish them under the `@auth/*` scope.
This PR is part of a series to convert adapters, using `@auth/core` for types.
BREAKING CHANGE:
If you are coming from the previous adapter, change your `package.json`:
```diff
- "@next-auth/mikro-orm-adapter": "0.0.0",
+ "@auth/mikro-orm-adapter": "0.0.0",
```
And run `npm install`, `yarn install` or `pnpm install` respectively.
**Note:** This packages is published as ESM-only
This package assumes that `globalThis.crypto` is available.
In older Node.js versions, you can polyfill by adding:
`globalThis.crypto ??= require("node:crypto").webcrypto`
Database adapters are not dependent on Next.js features, so it makes sense to republish them under the `@auth/*` scope.
This PR is part of a series to convert adapters, using `@auth/core` for types.
BREAKING CHANGE:
If you are coming from the previous adapter, change your `package.json`:
```diff
- "@next-auth/dynamodb-adapter": "0.0.0",
+ "@auth/dynamodb-adapter": "0.0.0",
```
And run `npm install`, `yarn install` or `pnpm install` respectively.
**Note:** This packages is published as ESM-only
This package assumes that `globalThis.crypto` is available.
In older Node.js versions, you can polyfill by adding:
`globalThis.crypto ??= require("node:crypto").webcrypto`
Database adapters are not dependent on Next.js features, so it makes sense to republish them under the `@auth/*` scope.
This PR is part of a series to convert adapters, using `@auth/core` for types.
BREAKING CHANGE:
If you are coming from the previous adapter, change your `package.json`:
```diff
- "@next-auth/dgraph-adapter": "0.0.0",
+ "@auth/dgraph-adapter": "0.0.0",
```
And run `npm install`, `yarn install` or `pnpm install` respectively.
**Note:** This packages is published as ESM-only
`fetch` is not polyfilled anymore.
In older Node.js versions, you can use the `--experimental-fetch` flag, or install `undici` and add the following line:
`globalThis.fetch ??= require("undici").fetch`
Database adapters are not dependent on Next.js features, so it makes sense to republish them under the `@auth/*` scope.
This PR is part of a series to convert adapters, using `@auth/core` for types.
BREAKING CHANGE:
If you are coming from the previous adapter, change your `package.json`:
```diff
- "@next-auth/upstash-redis-adapter": "0.0.0",
+ "@auth/upstash-redis-adapter": "0.0.0",
```
And run `npm install`, `yarn install` or `pnpm install` respectively.
**Note:** This packages is published as ESM-only
This package assumes that `globalThis.crypto` is available.
In older Node.js versions, you can polyfill by adding:
`globalThis.crypto ??= require("node:crypto").webcrypto`
Database adapters are not dependent on Next.js features, so it makes sense to republish them under the `@auth/*` scope.
This PR is part of a series to convert adapters, using `@auth/core` for types.
BREAKING CHANGE:
If you are coming from the previous adapter, change your `package.json`:
```diff
- "@next-auth/mongodb-adapter": "0.0.0",
+ "@auth/mongodb-adapter": "0.0.0",
```
And run `npm install`, `yarn install` or `pnpm install` respectively.
**Note:** This packages is published as ESM-only
BREAKING CHANGE:
If you are coming from the previous adapter, change your `package.json`:
```diff
- "@next-auth/typeorm-legacy-adapter": "0.0.0",
+ "@auth/typeorm-adapter": "0.0.0",
```
And run `npm install`, `yarn install` or `pnpm install` respectively.
**Note:** This packages is published as ESM-only
BREAKING CHANGE:
If you are coming from the previous adapter, change your `package.json`:
```diff
- "@next-auth/prisma-adapter": "0.0.0",
+ "@auth/prisma-adapter": "0.0.0",
```
And run `npm install`, `yarn install` or `pnpm install` respectively.
**Note:** This packages is published as ESM-only.
* upgrade neo4j-driver
* Correcting depdendency to also allow for ^4.0.0 and pnpm install
---------
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Update size of icons on load && on resize event
Added 'use client' since window object would only be defined on client side ( and using hooks );
Thought it'd be a cool feature to add :)
* Apply suggestions from code review
---------
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* fix#6935: show close button.
* fix(global-css): show close button on annoucement bar
dev and build were generating different results, adding `!important` fixed on build.
BREAKING CHANGE:
Complete rewrite of the package. It is now published as ESM-only and written for `next-auth@4`. `next-auth@3` support is removed.
---------
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* added optional dynamic sveltekit options
* changed dynamicOptions function to async
* converted dynamicOptions to a named type
* updated inline docs to show async capabilities
* Update packages/frameworks-sveltekit/src/lib/index.ts
Co-authored-by: Thang Vu <hi@thvu.dev>
* Update packages/frameworks-sveltekit/src/lib/index.ts
Co-authored-by: Thang Vu <hi@thvu.dev>
* Update packages/frameworks-sveltekit/src/lib/index.ts
Co-authored-by: Thang Vu <hi@thvu.dev>
* Update packages/frameworks-sveltekit/src/lib/index.ts
Co-authored-by: Thang Vu <hi@thvu.dev>
* Update packages/frameworks-sveltekit/src/lib/index.ts
Co-authored-by: Thang Vu <hi@thvu.dev>
* refined to a simpler function signature
* removed redundant return statement
* Apply suggestions from code review
---------
Co-authored-by: Thang Vu <hi@thvu.dev>
* fix(adapters): comply to Node.js native ESM resolver for Firebase adapter
* fix import
* use single file
---------
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Bump @panva/hkdf to v1.0.3
Fixes#6736
* Update to v1.0.4
v.1.0.3 failed to publish it seems
* update lockfile
---------
Co-authored-by: Balázs Orbán <info@balazsorban.com>
Co-authored-by: Balázs Orbán <info@balazsorban.com>
BREAKING CHANGE:
- This package now only ships ESM, as all maintained Node.js versions have native support
- Dropped the `crypto` Node.js import in favor of `uuid`. When `globalThis.crypto` is the default in the future, we can remove `uuid` again
* add notion provider along with logo and styles
"
* adjust notion documentation
* update issue template with Notion provider
* update docs and provider with code from TomYeoman
* feat: move Notion provider to core
* get it working
---------
Co-authored-by: Harrison Broadbent <harrisonbroadbent@gmail.com>
Co-authored-by: Harrison Broadbent <harrisonbroadbent@Harrisons-MacBook-Air.local>
Co-authored-by: Thang Vu <hi@thvu.dev>
* Fix token expiry comparision in database strategy
fixes the condition used for example
in database strategy
* Apply suggestions from code review
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* feat: e2e test init
* run e2e test on CI
* Add credentials to ci
* Update pnpm-lock.yaml
* move test to dev
* add dotenv
* remove in examples
* add e2e command
* revert
* add output cache for turbo e2e
* correct path for upload artifact
* Update release.yml
* feat(pages): Redesigned all default pages according to sketches discussed.
* chore(signin): Remove console.log
* fix(css): Makes cards scale down to 320px and have a fixed width on larger screens
* fix(styling): Adds margins on bottom and top of card.
* chore(docs): Change the documentation according to changes. Uploaded new images that reflect the new pages.
* fix(next-auth/core): Fixes correct styling of provider button across browsers.
* chore(docs): Add doc string to beta docs aswell
* feat: move changes to core
* revert change in next-auth
Co-authored-by: Nico Domino <yo@ndo.dev>
Co-authored-by: Thang Vu <hi@thvu.dev>
revert signin
* chore(docs): Session management sample for Svelte
Added a code sample for managing the session through the $page store.
The sample demonstrates how to retrieve the session data in the root
+page.server.ts file and make it globally accessible through the $page
store, simplifying state management in the application. The previous
examples already used the data available in this store but did not show
how to set it.
* docs: Add authorization section to SvelteKit docs
This authorization section was added to make sure a few caveats with
SvelteKit were well documented to anyone using the library.
The problem is documented here: https://github.com/sveltejs/kit/issues/6315
Essentially, propagation of data between leafs is not guaranteed when
using the +layout.server.ts file as its load function is not guaranteed
to rerun every page change. The current approach to solve this is to do
authorization in each +page.server.ts file and additionally make sure to
grab the session data by awaiting the parent instead of directly
accessing the $page store, to make sure the information there is
current.
* docs: Fix small typesafety mistake in SvelteKit
PageLoad type should actually be PageServerLoad. Not setting this does
not actually generate any problems other than TypeScript complaining
that this type is not actually exported.
* docs: Add handle hook authorization management
Another way to handle authorization is through a path-based method. This
added part of the documentation uses the handle hook to protect certain
routes based on their path. The previous method which is per-component
is still present.
* docs: Simplify component approach for Svelte auth
Using event.locals.getSession() exposed by SvelteKitAuth instead of
relying in the root layout file making that available in the $page
store.
* docs: Complete SvelteKit authorization docs
Finalize the explanation for the URI-based approach and also clarify
interactions with the component-based approach.
* docs: Add formatting to vars in the SvelteKit docs
Format the variables like this: `var` so that it appears clearly as code
when reading the documentation.
Co-authored-by: Thang Vu <hi@thvu.dev>
* added function overload to getToken
* use MissingSecret error instead
* had wrong import
* change in core
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* fix(core): update CallbacksOptions.jwt docstring
Change description to reflect that JWT is encrypted by default
* update in core
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* docs(sveltekit): autogenerate API reference
* feat(sveltekit): update to use latest `@auth/core`
* chore: format
* chore: add auth packages as docs dependency
* chore: format
* chore: more formatting
* chore: don't run build before tests
- Cleans up logging. Logs are now color-coded, added more debug logs, and errors can include some simple metadata (like provider id) to know which provider caused an issue.
- All errors are exposed via `@auth/core/errors`. Each error has a URL like: https://errors.authjs.dev#errorcode in the terminal, which points to the documentation explaining the problem in detail, suggesting a fix.
- Added a bunch of documentation that autogenerates the pages under https://authjs.dev/reference/core/modules/main
- Renames `AuthHandler` to `Auth` and `AuthOptions` to `AuthConfig`
- Throwing an error in `signIn` callback will now be caught as a general error and will redirect to `/error?error=Configuration`. If the callback returns `false`, it will redirect to `/error?error=AccessDenied`.
* Directions to deploy outside Vercel
An additional ENV variable is needed when deploying with another service.
* Updated as suggested, AUTH_TRUST_HOST is a boolean
Add AUTH_TRUST_HOST for deploy outside Vercel
* feat: add signin button styles
* fix: remove unnecessary spans
chore: rm comments
* Update packages/next-auth/src/core/pages/signin.tsx
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* feat: add provider svgs to repo
* fix: adjust SVG sizes
* fix: adjust provider btn to logo links
* feat: apple provider btn style
* fix: add apple-dark svg
* feat: atlassian logo and style
* feat: auth0 logo and style
* feat: azure logo and style
* fix: azure logo size
* feat: battlenet logo and style
* feat: box logo and style
* feat: cognito logo and style
* feat: discord logo and style
* feat: facebook logo and style
* feat: foursquare logo and style
* fix: foursquare logo size
* feat: freshbooks logo and style
* feat: gitlab logo and style
* fix: gitlab logo whitespace
* feat: hubspot logo and style
* feat: instagram logo and style
* feat: keycloak logo and style
* feat: keycloak logo resize
* feat: linkedin logo and style
* feat: mailchimp logo and style
* feat: okta logo and style
* feat: update okta logos
* feat: patreon logo and style
* fix: okta logo viewbox
* feat: slack logo and style
* feat: spotify logo and style
* feat: todoist logo and style
* fix: spotify logo size
* feat: trakt logo and style
* feat: twitch logo and style
* feat: twitter logo and style
* feat: vk logo and style
* feat: wikimedia logo and style
* feat: workos logo and style
* fix: wikimedia-dark logo + twitter (legacy)
* fix: button:active styling
* fix: ignore eslint inline css custom properties warning
* fix: improve darkmode default btn stylign
* fix: swap github btn colors
* fix: swap line btn theme colors
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* feat(next): support Server Components with `unstable_getServerSession`
* chore: remove `.entries`
* docs(next): add documentation for RSC
* update beta docs
* chore(dev): add app dir
* fix text
* only show second warning if using with RSC
* only delete expires for RSC case
* feat(client): add `refetchWhenOffline` option
* docs(client): document `refetchWhenOffline` option
* add TODO comment for next major
* feat: improve refetch hook logic
* fix: add todo back
* chore: small refactoring
Co-authored-by: Thang Vu <hi@thvu.dev>
* Non vercel-specific way to forward host header
* Update packages/next-auth/src/utils/detect-host.ts
Co-authored-by: Balázs Orbán <info@balazsorban.com>
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* fix(middleware): improve handling of custom nextjs basePath
* fix(middleware): improve extraction of nextjs base path from req.nextUrl
* adapt to req.nextUrl.basePath
* Fix indent
* Add middleware test for custom-base and simplified code a little bit
* Fix indent
* Add another test
* Rename basePath and nextJsBasePath
* Fix lint error
* Add user id to `session` and `jwt` callback
* Minor changes
- Notes on why the id is not exposed by default is already documented in the `session` section.
* Apply suggestions from code review
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* docs(adapters): Add prisma client docs for typescript users
Add documentation for connecting prisma client w/ prisma adapter for typescript users.
* docs(adapters): remove prismadb.js for prismadb.ts
remove prismadb.js as it is identical to the prismadb.ts
* Apply suggestions from code review
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Update prisma.md
The referenced official doc page describes how to fix the `warn(prisma-client) There are already 10 instances of Prisma Client actively running.` error in development mode.
* Update prisma.md
Implemented best practice for Prisma Client creation.
* Fixed typo in Prisma db filename.
* fix(middleware): use `includes()` for NextAuth pages
Some users could be setting their `signIn` and `error` pages option to
`/` to disable the automatically generated pages, as suggested in [1].
This commit reverts the behaviour for matching `signIn` and `error`
pages in `handleMiddleware` to pre-v4.10.3.
```
const signInPage = "/"
const errorPage = "/"
const publicPaths = [signInPage, errorPage, "/_next", "/favicon.ico"]
// pathname = "/" will return true
publicPaths.some((p) => pathname.startsWith(p))
```
Fixes: aedabc8d ("fix: avoid redirect on always public paths")
Reference [1]: https://github.com/nextauthjs/next-auth/discussions/2330#discussioncomment-1678298
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
* test(middleware): add tests for public paths
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Co-authored-by: Thang Vu <thvu@hey.com>
* clean up `package.json` files
* chore(ts): make sure `next-auth/next` does not conflict with `next`
* simplify `turbo.json`
* fix: apply suggestion
* simplify doc dev command
* ignore upstash redis again
* ignore mikro orm for now
* chore: dev command
* update lock file
* update css path for dev only
* Update apps/dev/package.json
Co-authored-by: Thang Vu <thvu@hey.com>
* Send client_id and client_secret to linkedin
Linkedin now requires client_id and client_secret to be
sent in the oauth callback. Fixes#5220
* Update linkedin.ts
Co-authored-by: Thang Vu <thvu@hey.com>
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* feat: added providing database name in options
* fix: added database name providing in readme
* Apply suggestions from code review
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* fix: return null in unstable_getServerSession if there's an error
* Remove status check and instead check body is not a string
* Combine similar tests
* Keep error from being logged twice
The same errors have been logged, firstly before throwing
OAuthCallbackError, later in the catch-clause of it.
This commit removes the former and lets the latter survive,
because logging functionality seems better to reside in the
same neighborhood.
* doc: Merge CALLBACK_OAUTH_ERROR to OAUTH_CALLBACK_ERROR
* doc: This particular error from openid-client comes with SIGNIN_OAUTH_ERROR
* Provide logger with `providerId`
Co-authored-by: Thang Vu <thvu@hey.com>
Co-authored-by: Thang Vu <thvu@hey.com>
* fix typo in faq
Added missing “not” in same root different subdomain config section warning text
* Apply suggestions from code review
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* feat: add nonce check type
* Update types import for nonce-handler.ts
* Update packages/next-auth/src/core/lib/oauth/callback.ts
Co-authored-by: Thang Vu <thvu@hey.com>
* Add further info to debug msg as per PR suggestion
* Cast OauthChecks as OpenIDCallbackChecks
* Update order of imports as per PR suggestion
Co-authored-by: Hamid Adelyar <hamid.adelyar@bjss.com>
Co-authored-by: hamidbjss <98807568+hamidbjss@users.noreply.github.com>
Co-authored-by: Thang Vu <thvu@hey.com>
Contains the following squashed commits:
* Added how to install next-auth
* Update docs/docs/getting-started/example.md
* Update docs/docs/getting-started/example.md
* Updated with suggestions in mind
* Update example.md
* type safe babel config
* avoid auth redirect for `_next`
* force render default error page on user miconfig
* add slash to _next path
* use `.some`
* add docs
* change from localhost
* add favicon to public path
Split a FAQ into two parts:
Before:
- Can I use NextAuth.js with a website that does not use Next.js?
After:
- Can I use NextAuth.js with a framework different than Next.js?
- Can session generated by NextAuth.js be used by another website?
Ports and refactors `@next-auth/firebase-adapter` to use the new Adapter API. Ported from this PR: nextauthjs/adapters#183
BREAKING CHANGE:
- Renames `FirebaseAdapter` export to `FirestoreAdpater`
- This adapter now requires firebase v9+
We haven't kept up with the recent TypeORM changes, and since they are still <1, it's likely that users kept upgrading, even if there were breaking changes.
BREAKING CHANGE:
[`typeorm`](https://github.com/typeorm/typeorm) is still in active development and has not yet published a stable release. Because of this, you can expect breaking changes in minor versions. This release of the adapter expects `typeorm@0.3.7` and is not validated against previous or future releases.
Run `npm i typeorm@latest` and make sure to read the [release notes](https://github.com/typeorm/typeorm/releases) for breaking changes in TypeORM
* ✨ provide secret via config
* 🐛 make secret optional
* 📝 docs for middleware and env var
* 📝 recommendation at the end of paragraph
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* chore: update docs regarding new server session API
* fix: add note about unstable_ API prefix
* Apply suggestions from code review
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* merge `main`, fix workspace dependencies
* chore(dev): use `matcher` in Middleware
* fix(middleware): support `cookies` as `Map`
* simplify
* chore(example): use new Middleware API
* chore(example): use `next-auth@latest`
* docs(middleware): document new Middleware API
* docs(ts): update inline example
* fix(ts): make cookies optional
* remove non-null assertion
* fix: signIn infer provider type
The "P" type it's not passed in any props, so the result type doesn't understand and return the false type always, Adding the "P" at provider type props.
* fix: P possibly undefined
Co-authored-by: arthurpedroti@gmail.com <arthurpedroti@LAPTOP-MVAK9RM5.localdomain>
in next Next.js versions, NextRequest.cookies will be an instance of NextCookies which is
some kind of a Map, instead of a plain object.
This commit checks whether there's a `get` function in req.cookies, and acts accordingly,
to make sure we will support newer Next.js versions with Edge Functions/Middleware
* Adding United Effects as a provider
* Update packages/next-auth/src/providers/united-effects.ts
* returning name and image as null in profile response
Co-authored-by: Lluis Agusti <hi@llu.lu>
The "P" type it's not passed in any props, so the result type doesn't understand and return the false type always, Adding the "P" at provider type props.
* feat: Add the support of custom cookieName on the next-auth/middleware
* chore: Only accept used params based on NextAuthConfig
* docs: Remove duplicated docs
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Use relative URL for middleware's signin callbackUrl
* Include params to callbackUrl if any
* For testing purpose, append params to existing link for test instead of create another one
* Update apps/dev/components/header.js
Co-authored-by: CODY Mai <nhan.mai@shiftasia.com>
Co-authored-by: Thang Vu <31528554+ThangHuuVu@users.noreply.github.com>
The Authentik provider already adds a `/` after the `issuer`, so this creates a double slash that causes a NextAuth `SIGNIN_OAUTH_ERROR` ("expected 200 OK, got: 301 Moved Permanently").
* chore(docs): add link to SIWE example app / tutorial
* chore(docs): add link to example signin page and cleanup
* chore: update copy for SIWE credentials provider example
* Add additional type
* do not cast to 'any' anymore
* add missing import
* import NextRequest from next/server
Co-authored-by: Lluis Agusti <hi@llu.lu>
* fix(core\pages\signin.tsx): set type of built-in email sign-in input to email for browse validation
* fix(core\pages\signin.tsx): add required attribute to built-in sign-in email input
Co-authored-by: Lluis Agusti <hi@llu.lu>
* docs: Update JWT docs to reflect JWE changes in v4
This PR https://github.com/nextauthjs/next-auth/pull/3039 changed the defaults for JWT tokens to be encrypted by default (JWE). We have conflicting documentation across the docs site and readme.
Additionatlly this PR https://github.com/nextauthjs/next-auth/pull/3783 made providing a secret required in production via NEXTAUTH_SECRET or an option.
* Missed a reference
* Update docs/docs/faq.md
Co-authored-by: Nico Domino <yo@ndo.dev>
* Update docs/docs/faq.md
Co-authored-by: Nico Domino <yo@ndo.dev>
Co-authored-by: Nico Domino <yo@ndo.dev>
* docs: fix Custom Client Session Handling example
It made reference to a useEffect call that was no longer needed.
* Update docs/docs/getting-started/client.md
Co-authored-by: Lluis Agusti <hi@llu.lu>
Co-authored-by: Lluis Agusti <hi@llu.lu>
* chore(docs): add carbon ads to docs page
* fix: add carbon-wrap element
* fix: script in docusaurus config object
* fix: add _carbonads_js id
* fix: add script directly to sidebar
* fix: carbon ads style
* chore: bump ad container down a bit
BREAKING CHANGE
From now on, you will need a minimum version of `@upstash/redis@v1` installed if you want to use this adapter.
You can upgrade by running `npm i @upstash/redis@latest` or `yarn add @upstash/redis@latest`
Until we migrate to v1 there might be people installing the latest
version of @upstash/redis and then encountering errors.
With this they will at least get a warning.
This is obsolete and should be updated once
https://github.com/nextauthjs/next-auth/issues/4183 is resolved.
Co-authored-by: Balázs Orbán <info@balazsorban.com>
I saw in the documentation that v4 now uses
session: {
strategy: "jwt"
},
instead of
session: {
jwt: true
},
also there was double ;; at the end of the return statement, fixing it
* added saml-jackson provider
* incorporated code review changes
* fixed SAMLJacksonProfile type
* trying to adjust code for monorepo
* cleanup from merge with main
* updated docs link
* added example
* consistent naming
* Incorporated code review changes:
- env var default values moved to env.local.example
- consistent naming and use of id
* email is guaranteed to be present
This field is already nullable in the database, so this should only
affect types.
Because the type is being widened, not narrowed, this should also be
fully backwards-compatible, since pre-existing custom entities of type
`string` will be substitutable for the new default type of `string |
null`.
See #4055 for more specifics on the impact.
* chore: separate build commands for core and app
* Move emitDeclarationOnly to next-auth
* Update release.yml
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* refactor(dev): moved dev app
* chore(dev): fix dev app
* fix(providers): WorkOS to TS, use `client_secret_post`
* chore: decrease test concurrency
* chore: remove org
* chore: run tests sequentially
* feat(providers): use `picture` in WorkOS if available
* fix labeler
* try fixing test runs in GitHub Actions
* pass flags to test command
* test version pr
* move versoin-pr action
* remove --dry-run flag
* re-enable testing, re-add semantic release for now
* add docs
* use `yarn.lock` and different docs port
* simplify dev app config
* fix coverage report
* fix provider source links
* fix more links
* fix(providers): properly warn when using Twitter OAuth 2
* refactor(providers): move Twitter OAuth2 warning to `assert`
* fix: use proper warning code
* refactor: only set boolean
* Fix: Add OpenID to authorization scope
* Fix: Check for valid profile picture response before converting to base64
* Update src/providers/azure-ad.ts
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Confirm that profile photo was returned
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* feat(providers): add support to Twitter OAuth 2.0
* docs: add docs comment
* chore: cleanup
* chore: remove comments
* chore: give warning for OAuth 2 for now
* Added patreon provider - tested and working
* Update src/providers/patreon.js
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Update src/providers/patreon.js
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Update src/providers/patreon.js
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Update src/providers/patreon.js
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Switched to TS, restore .env.local, restore package.json as per comments on the PR
* chore: ran Prettier
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* fix: add eslintIgnore in package.json
* Let eslint runs in app, config + js files
* Add a separate tsconfig.eslint.json file
We want to run the lint command on `app`, `src` and `config`, but at the same time want `tsc` to compile files in `src` only. A separate `tsconfig.eslint.json` is a suitable solution to satisfy both `eslint` and `tsc`: 04d1f3e549/packages/parser/README.md
* Update client.ts
Set custom.setHttpOptionsDefaults before Issuer.discover(.wellKnown). This allow discover the .wellKnown endpoint behind a proxy
* chore: address code review
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Update strava.js
Auth with Strava was throwing errors before, this works.
* Update strava.js
changed according to commenters' suggestions
* chore: run linter
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Ensure that GitHub provider always gives an email
* Update src/providers/github.js
Co-authored-by: Balázs Orbán <info@balazsorban.com>
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* fix(provider): correct authorization for Atlassian
* feat(providers): use wellKnown for better configuration
* fix(atlassian): switch back to raw config
* fix(providers): pass generic to `OAuthUserConfig`
Co-authored-by: Lluis Agusti <hi@llu.lu>
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* refactor EVEOnlineProvider into typescript, fix default scopes
* Update src/providers/eveonline.ts
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* update to new OIDC SSO endpoints
* set idToken: true
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Added support for zoom in beta
* Converted to typescript
* rename
* Now reflects response from Zoom
* chore: Prettier
Co-authored-by: Balázs Orbán <info@balazsorban.com>
If the expected cookie size would exceed the 4096 bytes most browsers allow, we split up the cookie value and put the content into multiple cookies, then assemble it upon reading it back. This eliminates the need for a database or user-land solutions in case the user wants to save more data or is constrained by their IdP for certain fields.
With no scope defined, it sets `openid` by default, which is an invalid 42 scope.
Co-authored-by: Alaa Zorkane <alaazorkane@gmail.com>
Co-authored-by: Alaa Zorkane <alaazorkane@gmail.com>
BREAKING CHANGE:
The `session.jwt: boolean` option has been renamed to `session.strategy: "jwt" | "database"`. The goal is to make the user's options more intuitive:
1. No adapter, `strategy: "jwt"`: This is the default. The session is saved in a cookie and never persisted anywhere.
2. With Adapter, `strategy: "database"`: If an Adapter is defined, this will be the implicit setting. No user config is needed.
3. With Adapter, `strategy: "jwt"`: The user can explicitly instruct `next-auth` to use JWT even if a database is available. This can result in faster lookups in compromise of lowered security. Read more about: https://next-auth.js.org/faq#json-web-tokens
Example:
```diff
session: {
- jwt: true,
+ strategy: "jwt",
}
```
* feat(react): preserve history on client-side navigation
* chore(deps): upgrade jest
* test(client): use absolute URL since `whatwg-*` refusing relative URLs
Updates the `jose` and `openid-client` packages.
BREAKING CHANGE:
The `jwt` option has been simplified and the NextAuth.js issued JWT is now encrypted by default.
If you want to override the defaults, you can still use the `encode` and `decode` functions. These are advanced options and they should only be used if you know what you are doing.
The default secret generation has been removed in this PR, which will be added back in a separate one. Remember, that is only for developer convenience, it is **highly** recommended to always create your own secret for production.
Spreading the object into the input tag allows developers to specify any attribute for the input tag used in the builtin sign-in page, such as 'autocomplete', 'autofocus', etc.
Removed the hardcoded attributes which just set the defaults of the 'input' tag and won't cause any behavior change in case they are absence from the object.
Signed-off-by: Gegham Zakaryan <zakaryan.2004@outlook.com>
* chore(dev): add CognitoProvider to dev app
* feat(log): log `error_description` in OAuth callback
* fix(providers): migrate Cognito to v4
* docs: mention superblog.ai for infra support
* fix: return profile picture for Cognito
* fix(ts): add picture to CognitoProfile
Add some very minimal customization to the built-in pages so people might not immediately need to replace them. This way they can customize some things with their brand color and add their company/project logo. We explicitly **do not** want to go overboard styling this page. This is not an authentication component library or Next.js app template!
Example:
```js
export default NextAuth({
providers: [...],
jwt: {...},
theme: {
colorScheme: 'auto',
brandColor: '#67b246',
logo: 'https://company.com/assets/logo.png'
}
})
```
BREAKING CHANGE:
`staleTime` (previously `clientMaxAge`) has been removed. Check out `refetchInterval` instead. It should cover most of the cases. If not, we can look into adding this back later on.
When using the default settings of the Github provider, with the "user" scope, it grants read/write access to profile info only. By changing to "read:user" and "user:email" it will only request read-only access https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps
BREAKING CHANGE:
By default, the GitHub Provider scope won't ask for full write access to user profiles. If you need that, you will now have to add the `user` scope to your configuration.
MS Docs has a lot of local language translations, so it's best to remove locale information from the URLs so that when someone follows them, they land on the right language version of the content.
BREAKING CHANGE:
`prisma-legacy` is now gone. Use `@next-auth/prisma-adapter`. Any features from the old adapter will be migrated over to the new one eventually. This is done so we can require the same default set of options from all the built-in providers, rather than allowing ambiguity on what an official adapter has to support.
The `TypeORM` adapter will probably be the only one migrated as-is, but in the future, we would like to break it down to lighter-weight adapters that only support single databases.
Adapters no longer have to return a `getAdapter()` method, they can return the actual adapter methods instead. All the values previously being provided through the arguments of `getAdapter` will now be available in a more digestible format directly in the concerning methods. This behavior was created so that connections could be handled more efficiently. Our review has shown that currently, the TypeORM adapter is the only one that does not handle connections out-of-the-box, so we are going to look into how we can create a wrapper/util function to make it work in the new version. For all other adapters, this will be a huge gain, as with this new API, methods are actually overrideable without creating a whole new custom adapter! 🥳
Example:
```js
function MySlightlyCustomAdapter(...args) {
const adapter = AdapterFromSomeoneElse(...args)
adapter.someMethodIWantToModify = (...args) => {
// Much better implementation goes here.
}
return adapter
}
```
**The following method names are changing:**
```diff
- getSession
+ getSessionAndUser
```
This method now requires that you return both the user and the session as `{user, session}`. If any of these could not be retrieved, you will have to return `null` instead. (In other words, this must be a transaction.) This requires one less database call, improving the user session retrieval. Any expiry logic included in the Adapter before is now done in the core as well.
```diff
- createVerificationRequest
+ createVerificationToken
```
Better describes the functionality. This method no longer needs to call `provider.sendVerificationRequest`, we are moving this into the core. This responsibility shouldn't have fallen to the adapter in the first place.
`createVerificationToken` will now receive a `VerificationToken` object, which looks like this:
```ts
interface VerificationToken {
identifier: string
expires: Date
token: string
}
```
The token provided is already hashed, so nothing has to be done, simply write it to your database. (Here we lift up the responsibility from the adapter to hash tokens)
```diff
- getVerificationRequest
+ useVerificationToken
```
Better describes the functionality. It now also has the responsibility to delete the used-up token from the database. Most ORMs should support retrieving the value while deleting it at the same time, so it will reduce the number of database calls.
``` diff
- deleteVerificationRequest
```
This method is gone. See `useVerificationToken`.
Most of the method signatures have been changed, have a look at the [TypeScript interface](ba4ec5faa3/types/adapters.d.ts) to get a better picture.
Adds a new way to import providers for modularity and better tree-shaking.
BREAKING CHANGE:
Providers now have to be imported one-by-one:
Example:
```diff
- import Provider from "next-auth/providers"
- Providers.Auth0({...})
+ import Auth0Provider from "next-auth/providers/auth0"
+ Auth0Provider({...})
```
> This touches on all OAuth providers, so there is a big potential for breaking by default. We have let new providers be added for contributors' specific needs, but from now on, we will require a more strict default on all new providers, so the basic behavior is predictable for everyone.
⚠ Unfortunately, we will not have the capacity to test each and every provider that has been added to the default providers, but we will do our best to test the most popular ones. (@ndom91 has worked on setting up the infrastructure for this). If you wish to make sure that the provider you are using will stay working, please reach out with your concerns and tell us how can you help us test that particular provider in the future. 🙏
That said, I will try my best to not break ANY of the currently built-in providers, or at least make the migration super easy. So hopefully, you won't have to change anything. It will most probably affect you if you defined a custom provider though.
We will monitor the default configuration much more closely, so the behavior will be more consistent across providers by default.
Closes#1846, Closes#1605, Closes#1607
BREAKING CHANGES:
Basecamp provider is removed. See the explanation [here](https://github.com/basecamp/api/blob/master/sections/authentication.md#on-authenticating-users-via-oauth)
**ALL** OAuth providers' `profile` callback is expected to only return these fields by default from now on: `id`, `name`, `email`, and `image` at most. Any of these missing values should be set to `null`.
The following new options are available:
1. `authorization` (replaces `authorizationUrl`, `authorizationParams`, `scope`)
2. `token` replaces (`accessTokenUrl`, `headers`, `params`)
3. `userinfo` (replaces `profileUrl`)
These three options map nicely to the OAuth spec's three endpoints for
1. initiating the login flow
2. retrieve OAuth tokens
3. retrieve user information
They all take the form of `EndpointHandler`:
```ts
type EndpointRequest<C, R> = (
context: C & {
/** `openid-client` Client */
client: Client
/** Provider is passed for convenience, ans also contains the `callbackUrl`. */
provider: OAuthConfig & {
signinUrl: string
callbackUrl: string
}
}
) => Awaitable<R>
/** Gives granular control of the request to the given endpoint */
type AdvancedEndpointHandler<P extends UrlParams, C, R> = {
/** Endpoint URL. Can contain parameters. Optionally, you can use `params`*/
url?: string
/** These will be prepended to the `url` */
params?: P
/**
* Control the corresponding OAuth endpoint request completely.
* Useful if your provider relies on some custom behavior
* or it diverges from the OAuth spec.
*
* - ⚠ **This is an advanced option.**
* You should **try to avoid using advanced options** unless you are very comfortable using them.
*/
request?: EndpointRequest<C, R>
}
/** Either an URL (containing all the parameters) or an object with more granular control. */
type EndpointHandler<P extends UrlParams, C = any, R = any> =
| string
| AdvancedEndpointHandler<P, C, R>
```
In case of `authorization`, the `EndpointHandler` can define the `params` as [`AuthorizationParameters`](51dc47d9ac/types/index.d.ts (L108-L143))
> Note: `authorization` does not implement `request` yet. We will have to see if there is demand for it.
From now on, instead of using the `...` spread operator when adding a new built-in provider, the user is expected to add `options` as a property at the end of the default config. This way, we can deep merge the user config with the default one. This is needed to let the user do something like this:
```js
MyProvider({
clientId: "",
clientSecret: "",
authorization: { params: {scope: ""} }
})
```
So even if the default config defines anything in `authorization`, only the user-defined parts will be overridden.
* chore(deps): add openid-client
* chore: merge in next
* refactor(provider): remove redundant requestUrl param
* feat(provider): make profile callback optional
* refactor: use openid-client for OAuth2/OIDC
* refactor: use openidClient in oauth signin handler
* refactor: use openidClient in oauth callback handler
* docs(warn): add async issuer/old config warnings
* chore(deps): remove jsonwebtoken
* chore: add issuer property for testing locally
* chore(dev): import providers one-by-one
* fix(oauth): handle when no user in body/query
* chore(deps): remove pkce-challenge
* chore(dev): change Auth0 protection
* refactor(oauth): simplify pkce/state
* refactor: split OAuth1 client, reduce openid client
will improve API in another PR
* chore: change comment, dev app
* chore: mention OIDC client config discovery
* fix: add new operator when creating OIDC client
* refactor: delete req.query.nextauth after use
* docs(ts): use `TokenSet` from `openid-client`
* chore: simplify/type signin route
* refactor: rename to client-legacy to indicate intnet of maintenance
* chore(deps): try setting `oauth` as optional peer dep
* chore(deps): add `oauth` back as regular dependency
* chore(deps): add @types/oauth as dev dependency
* chore: remove params kept for backwards compatibility
* chore: don't make breaking changes in this PR
* chore(core): use correct TS declarations
* refactor: move files/add more accurate types internally
* chore: remove TODO comment
* chore: catch all errors in authorization URL generation
Unified API for all of our user-facing methods.
NOTE: `events.error` has been removed. This method has never been called in the core, so it did actually nothing. If you want to log errors to a third-party, check out the [`logger`](https://next-auth.js.org/configuration/options#logger) option instead.
BREAKING CHANGE:
Two event signatures changed to use named params, `signOut` and `updateUser`:
```diff
// [...nextauth].js
...
events: {
- signOut(tokenOrSession),
+ signOut({ token, session }), // token if using JWT, session if DB persisted sessions.
- updateUser(user)
+ updateUser({ user })
}
```
Similar to #2342, this aims to unify the user-facing API and provide an easier way to extend in the future.
In addition, this PR also solves the problem when the `logger.error` method sometimes did not print results, because `Error` instances are not serializable and will be printed as empty objects `"{}"`.
After this PR, we make any `Error` instances serializable as described here: https://iaincollins.medium.com/error-handling-in-javascript-a6172ccdf9afCloses#1602
Achieved by adding a `client: true` flag when logs are coming from the frontend.
BREAKING CHANGE:
The main change is that instead of an unknown number of parameters, the log events have at most two, where the second parameter is usually an object. In the case of the `error` event, it can also be an `Error` instance (that is serializable by `JSON.stringify`). If it is an object, an `Error` instance will be available on `metadata.error`, and `message` will default to `metadata.error.message`. This is done so that an error event always provides some kind of a stack to see where the error happened
```diff
// [...nextauth.js]
import log from "some-logger-service"
...
logger: {
- error(code, ...message) {},
+ error(code, metadata) {},
- warn(code, ...message) {},
+ warn(code) {}
- debug(code, ...message) {}
+ debug(code, metadata) {}
}
```
This change aligns the API with `openid-client`'s `checks` https://github.com/panva/node-openid-client/blob/main/docs/README.md#clientcallbackredirecturi-parameters-checks-extras, a library which we intend to migrate to in the future. Aligning our API early, so people get used to it.
Also, objectively the name `protection` might not have been as clear as I first thought. `checks` better describe the intention.
BREAKING CHANGE:
The `state` option on OAuth providers is now deprecated. Use `checks: ["state"]` instead.
`protections` is renamed to `checks`, here is an example:
```diff
- protection: ["pkce"]
+ checks: ["pkece"]
```
Furthermore, string values are not supported anymore. This is to be able to handle fewer cases internally.
```diff
- checks: "state"
+ checks: ["state"]
```
A living session could be a requirement for specific pages (like dashboards). If it doesn’t exist, the user should be redirected to a page asking them to sign in again.
Sometimes, a user might log out by accident, or by deleting cookies on purpose. If that happens (e.g. on a separate tab), then `useSession({ required: true })` should detect the absence of a session cookie and always return a non-nullable Session object type.
When `required: true` is set, the default behavior will be to redirect the user to the sign-in page. This can be overridden by an `action()` callback:
```js
const session = useSession({
required: true,
action() {
// ....
}
})
if (session.status === "Loading") return "Loading or not authenticated..."
// session.data is always defined here.
```
Co-authored-by: Kristóf Poduszló <kripod@protonmail.com>
Co-authored-by: Lluis Agusti <hi@llu.lu>
BREAKING CHANGE:
The `useSession` hook now returns an object. Here is how to accommodate for this change:
```diff
- const [ session, loading ] = useSession()
+ const { data: session, status } = useSession()
+ const loading = status === "loading"
```
With the new `status` option, you can test states much more clearly.
Some of our user-facing callbacks come with a bunch of parameters, and it is not always the case that a user needs all of them. Picking out certain parameters from the end of the list would require the user to define params that they wouldn't even need.
Therefore this PR changes such callbacks so the user can only pick the necessary parameters.
This comes with the bonus of better TS support on the `session` and `signIn` callbacks, where some parameters historically could have been different types.
In the `session` callback, the second param could have been `token` (when using JWT sessions) or `user` (when using DB persisted sessions). Now they are separate parameters.
In the `signIn` callback, we now separate `profile` (OAuth), `email` (Email) and `credentials` (Credentials) provider params.
BREAKING CHANGE:
The `callbacks` method signatures are changing the following way:
```diff
- signIn(user, account, profileOrEmailOrCredentials)
+ signIn({ user, account, profile, email, credentials })
```
```diff
- redirect(url, baseUrl)
+ redirect({ url, baseUrl })
```
```diff
- session(session, tokenOrUser)
+ session({ session, token, user })
```
```diff
- jwt(token, user, account, OAuthProfile, isNewUser)
+ jwt({ token, user, account, profile, isNewUser })
```
> NOTE: You only need to define the params that you actually need (no more need for `_` params.)
This way, if you only need `token` and `account` in the `jwt` callback, you can write:
```js
jwt({ token, account }) {
if(account) {
token.accessToken = account.access_token
}
return token
}
```
Node 10 has reached end-of-life, Next.js stopped supporting it in Next 11. Since we are a Next.js library, it doesn't make sense for us to support anything lower than that either.
I also upgraded a bunch of dependencies and dropped some that weren't necessary anymore.
BREAKING CHANGE:
The lowest supported Node version is 12. (We still support IE11 in browsers, until that is not dropped by Next.js itself)
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Add useState dependency
I went to execute the signin.js file and received an error that useState was undefined. Was able to reconcile this by adding the dependency.
Co-authored-by: Balázs Orbán <info@balazsorban.com>
Co-authored-by: Sangwon Park <dev.psw@gmail.com>
* fix(docs): scope expects space separated string
Currently the docs list string[] as possible type for scope.
However, It only accepts a string (with space as separator).
Co-authored-by: Balázs Orbán <info@balazsorban.com>
commit 665445818e
Author: Balázs Orbán <info@balazsorban.com>
Date: Sat Jun 12 17:11:53 2021 +0200
docs(config): link to next documentation instead of canary
commit 67cf2a11bb
Author: ndom91 <yo@ndo.dev>
Date: Sat Jun 12 16:42:48 2021 +0200
docs: fix alt client provider example
**What**:
These changes ensure that we work more tightly with React that can also result in unforeseen performance boosts. In case we would decide on expanding to other libraries/frameworks, a new file per framework could be added.
**Why**:
Some performance issues (https://github.com/nextauthjs/next-auth/issues/844) could only be fixed by moving more of the client code into the `Provider`.
**How**:
Refactoring `next-auth/client`
Related: #1461, #1084, #1462
BREAKING CHANGE:
**1.** `next-auth/client` is renamed to `next-auth/react`.
**2.** In the past, we exposed most of the functions with different names for convenience. To simplify our source code, the new React specific client code exports only the following functions, listed with the necessary changes:
- `setOptions`: Not exposed anymore, use `SessionProvider` props
- `options`: Not exposed anymore, use `SessionProvider` props
- `session`: Rename to `getSession`
- `providers`: Rename to `getProviders`
- `csrfToken`: Rename to `getCsrfToken`
- `signin`: Rename to `signIn`
- `signout`: Rename to `signOut`
- `Provider`: Rename to `SessionProvider`
**3.** `Provider` changes.
- `Provider` is renamed to `SessionProvider`
- The `options` prop is now flattened as the props of `SessionProvider`.
- `clientMaxAge` has been renamed to `staleTime`.
- `keepAlive` has been renamed to `refetchInterval`.
An example of the changes:
```diff
- <Provider options={{clientMaxAge: 0, keepAlive: 0}}>{children}</Provider>
+ <SessionProvider staleTime={0} refetchInterval={0}>{children}</SessionProvider>
```
**4.** It is now **required** to wrap the part of your application that uses `useSession` into a `SessionProvider`.
Usually, the best place for this is in your `pages/_app.jsx` file:
```jsx
import { SessionProvider } from "next-auth/react"
export default function App({
Component,
pageProps: { session, ...pageProps }
}) {
return (
// `session` comes from `getServerSideProps` or `getInitialProps`.
// Avoids flickering/session loading on first load.
<SessionProvider session={session}>
<Component {...pageProps} />
</SessionProvider>
)
}
```
* feat(adapter): remove built-in adapters and database
BREAKING CHANGE:
From now on, you will have to import your own adapter
Check out https://github.com/nextauthjs/adapters
The migration is super easy and has HUGE advantages for those not using TypeORM.
```diff
// [...nextauth].js
+ import TypeORMAdapter from "@next-auth/typeorm-legacy-adapter"
import NextAuth from "next-auth"
...
export default NextAuth({
- database: "yourconnectionstring",
+ adapter: TypeORMAdapter("yourconnectionstring")
})
```
Co-authored-by: Lluis Agusti <hi@llu.lu>
Co-authored-by: Giovanni Carnel <479046+g10@users.noreply.github.com>
* feat(build): optionally include TypeORM
If the user doesn't use databases,
it shouldn't be necessary to iclude it in the bundle.
This can more than half the package size!
* feat(build): clean up in dependencies
Remove unused dependencies, move optional ones to be optional
* feat(build): add exports field
* fix: use peerDependenciesMeta instead of non-standard peerOptionalDependecns field
* fix: ts-standard string quotes
* fix: ts-standard string quotes
* refactor: use asnyc/await for sendVerificationRequest
* chore(deps): upgrade mongodb, remove require_optional
Co-authored-by: ndom91 <yo@ndo.dev>
BREAKING CHANGE:
`typeorm`, and `nodemailer` are no longer dependencies added by default.
If you need any of them, you will have to install them yourself in your project directory.
TypeOrm is the default adapter, so if you only provide an `adapter` configuration or a `database`, you will need `typeorm`. You could also check out `@next-auth/typeorm-adapter`. In case you are using the Email provider, you will have to install `nodemailer` (or you can use the choice of your library in the `sendVerificationRequest` callback to send out the e-mail.)
BREAKING CHANGE: adding `state: true` is already redundant
as `protection: "state` is the default value. `state: false`
can be substituted with `protection: "state"`
BREAKING CHANGE: We have supported throwing strings
for redirections, while we were showing a waring.
From now on, it is not possible. The user MUST return a string,
rather than throw it.
2021-02-15 21:47:35 +01:00
1158 changed files with 86162 additions and 79061 deletions
**NOTE:** Issues that are potentially security related should be reported to us by following the [Security guidelines](https://next-auth.js.org/security) rather than on GitHub.
Thanks for taking the time to fill out this issue after reading/searching through the [documentation](https://next-auth.js.org) first!
Is this your first time contributing? Check out this video: https://www.youtube.com/watch?v=cuoNzXFLitc
### Important :exclamation:
_Providing incorrect/insufficient information or skipping steps to reproduce the issue will result in closing the issue and/or converting to a discussion without further explanation._
If you have a generic question specific to your project, it is best asked in Discussions under the [Questions category](https://github.com/nextauthjs/next-auth/discussions/new?category=Questions)
# Let's wait with this until adoption in other frameworks.
# - type: dropdown
# attributes:
# label: Framework
# description: Which framework(s) is this issue related to?
# multiple: true
# options:
# - "Next.js"
# - "Other"
- type:textarea
attributes:
label:Environment
description:|
Run this command in your project's root folder and paste the result:
Alternatively, you can manually gather the version information from your package.json for these packages: "next", "react" and "next-auth". Please also mention your OS and Node.js version, as well as the browser you are using.
validations:
required:true
- type:input
attributes:
label:Reproduction URL
description:A URL to a repository/code that clearly reproduces your issue. You can use our [`next-auth-example`](https://github.com/nextauthjs/next-auth-example) template repository to get started more easily, or link to your project if it's public
validations:
required:true
- type:textarea
attributes:
label:Describe the issue
description:Describe us what the issue is and what have you tried so far to fix it. Add any extra useful information in this section. Feel free to use screenshots (but prefer [code blocks](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks#syntax-highlighting) over a picture of your code) or a video explanation.
validations:
required:true
- type:textarea
attributes:
label:How to reproduce
description:Explain with clear steps how to reproduce the issue
validations:
required:true
- type:textarea
attributes:
label:Expected behavior
description:Explain what should have happened instead of what actually happened
**NOTE:** Issues that are potentially security related should be reported to us by following the [Security guidelines](https://next-auth.js.org/security) rather than on GitHub.
Thanks for taking the time to fill out this [Provider](https://next-auth.js.org/providers/overview) related issue!
Is this your first time contributing? Check out this video: https://www.youtube.com/watch?v=cuoNzXFLitc
### Important :exclamation:
_Providing incorrect/insufficient information or skipping steps to reproduce the issue may result in closing the issue or converting to a discussion without further explanation._
If you have a generic question specific to your project, it is best asked in Discussions under the [Questions category](https://github.com/nextauthjs/next-auth/discussions/new?category=Questions)
- type:dropdown
attributes:
label:Provider type
description:Provider(s) this issue is related to
multiple:true
options:
- "Credentials"
- "Email"
- "Custom provider"
- "42 School"
- "Apple"
- "Asgardeo"
- "Atlassian"
- "Auth0"
- "Authentik"
- "Azure Active Directory"
- "Azure Active Directory B2C"
- "Azure DevOps"
- "Battlenet"
- "Beyond Identity"
- "Box"
- "Bungie"
- "ClickUp"
- "Cognito"
- "Coinbase"
- "Descope"
- "Discord"
- "Dribbble"
- "Dropbox"
- "EVE Online"
- "Facebook"
- "FACEIT"
- "Foursquare"
- "Freshbooks"
- "FusionAuth"
- "GitHub"
- "GitLab"
- "Google"
- "Identity Server 4"
- "Instagram"
- "Kakao"
- "Keycloak"
- "Line"
- "LinkedIn"
- "Mailchimp"
- "Mail.ru"
- "Mastodon"
- "Medium"
- "Naver"
- "Netlify"
- "Notion"
- "Okta"
- "OneLogin"
- "Osso"
- "Osu"
- "Patreon"
- "Pipedrive"
- "Reddit"
- "Salesforce"
- "Slack"
- "Spotify"
- "Strava"
- "Tiktok"
- "Todoist"
- "Trakt"
- "Twitch"
- "Twitter"
- "Vk"
- "Wordpress"
- "WorkOS"
- "Yandex"
- "Zoho"
- "Zoom"
validations:
required:true
- type:textarea
attributes:
label:Environment
description:|
Run this command in your project's root folder and paste the result:
Alternatively, you can manually gather the version information from your package.json for these packages: "next", "react" and "next-auth". Please also mention your OS and Node.js version, as well as the browser you are using.
validations:
required:true
- type:input
attributes:
label:Reproduction URL
description:A URL to a repository/code that clearly reproduces your issue. You can use our [`next-auth-example`](https://github.com/nextauthjs/next-auth-example) template repository to get started more easily, or link to your project if it's public
validations:
required:true
- type:textarea
attributes:
label:Describe the issue
description:Describe us what the issue is and what have you tried so far to fix it. Add any extra useful information in this section. Feel free to use screenshots (but prefer [code blocks](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks#syntax-highlighting) over a picture of your code) or a video explanation.
validations:
required:true
- type:textarea
attributes:
label:How to reproduce
description:Explain with clear steps how to reproduce the issue
validations:
required:true
- type:textarea
attributes:
label:Expected behavior
description:Explain what should have happened instead of what actually happened
**NOTE:** Issues that are potentially security related should be reported to us by following the [Security guidelines](https://next-auth.js.org/security) rather than on GitHub.
Thanks for taking the time to fill out this [Adapter](https://next-auth.js.org/adapters/overview) related issue!
Is this your first time contributing? Check out this video: https://www.youtube.com/watch?v=cuoNzXFLitc
### Important :exclamation:
_Providing incorrect/insufficient information or skipping steps to reproduce the issue may result in closing the issue or converting to a discussion without further explanation._
If you have a generic question specific to your project, it is best asked in Discussions under the [Questions category](https://github.com/nextauthjs/next-auth/discussions/new?category=Questions)
- type:dropdown
attributes:
label:Adapter type
description:Adapter(s) this issue is related to
multiple:true
options:
- "Custom adapter"
- "@auth/azure-tables-adapter"
- "@auth/edgedb-adapter"
- "@auth/d1-adapter"
- "@auth/dgraph-adapter"
- "@auth/drizzle-adapter"
- "@auth/dynamodb-adapter"
- "@auth/fauna-adapter"
- "@auth/firebase-adapter"
- "@auth/hasura-adapter"
- "@auth/kysely-adapter"
- "@auth/mikro-orm-adapter"
- "@auth/mongodb-adapter"
- "@auth/neo4j-adapter"
- "@auth/pg-adapter"
- "@auth/pouchdb-adapter"
- "@auth/prisma-adapter"
- "@auth/sequelize-adapter"
- "@auth/supabase-adapter"
- "@auth/typeorm-adapter"
- "@auth/upstash-redis-adapter"
- "@auth/xata-adapter"
validations:
required:true
- type:textarea
attributes:
label:Environment
description:|
Run this command in your project's root folder and paste the result:
Alternatively, if the above command did not work, we need the version of the following packages from your package.json: "next", "react", "next-auth" and your adapter. Please also mention your OS and Node.js version, as well as the browser you are using.
validations:
required:true
- type:input
attributes:
label:Reproduction URL
description:A URL to a repository/code that clearly reproduces your issue. You can use our [`next-auth-example`](https://github.com/nextauthjs/next-auth-example) template repository to get started more easily, or link to your project if it's public
validations:
required:true
- type:textarea
attributes:
label:Describe the issue
description:Describe us what the issue is and what have you tried so far to fix it. Add any extra useful information in this section. Feel free to use screenshots (but prefer [code blocks](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks#syntax-highlighting) over a picture of your code) or a video explanation.
validations:
required:true
- type:textarea
attributes:
label:How to reproduce
description:Explain with clear steps how to reproduce the issue
validations:
required:true
- type:textarea
attributes:
label:Expected behavior
description:Explain what should have happened instead of what actually happened
Thanks for taking the time to fill out this bug report! Please provide the following information:
- type:textarea
id:description
attributes:
label:Description 🐜
description:Please provide a clear and concise description of the bug in NextAuth.js
validations:
required:true
- type:dropdown
id:ownproject
attributes:
label:Is this a bug in your own project?
description:🚧 – _Do not report bugs with your own project here; ask for help [by raising a question instead](https://github.com/nextauthjs/next-auth/issues/new?assignees=&labels=question&template=question.md) or use the [Discussions tab](https://github.com/nextauthjs/next-auth/discussions) - this helps us reduce the maintenance overhead._
multiple:false
options:
- "Yes"
- "No"
validations:
required:true
- type:textarea
id:reproduction
attributes:
label:How to reproduce ☕️
description:Please provide a link or code snippets to a minimal reproduction of the bug
validations:
required:true
- type:markdown
attributes:
value:|
We encourage you to use one of the templates set up on **CodeSandbox** to reproduce your issue:
Thank you very much for reaching out to us regarding the awesome feature that you believe should be included in the NextAuth.js library. Please provide the following information:
- type:textarea
id:description
attributes:
label:Description 📓
description:Please provide a more in-depth description of the feature proposed.
validations:
required:true
- type:markdown
attributes:
value:|
Make sure you provide plenty of [links]() to external documentation and inline code examples like so:
```js
function myAwesomeNextAuthFeature() {
return 💚
}
```
Take time thinking about what you want to say and help us understand your proposal making sure that this description contains:
- **purpose of the feature**
- **potential problems**
- **potential alternatives**
- type:textarea
id:reproduction
attributes:
label:How to reproduce ☕️
description:If you have a CodeSandbox playground or some code snippets to help us visualize your idea better, please provide it here.
validations:
required:true
- type:markdown
attributes:
value:|
You can use one of the templates set up on **CodeSandbox** to better illustrate your idea:
description:Please provide an in-depth description of the question you have when using NextAuth.js on a Typescript project or when consuming the built-in types for `next-auth`.
validations:
required:true
- type:markdown
attributes:
value:|
Make sure you [link]() to external documentation if necessary and provide inline code examples like so:
```js
function myAwesomeNextAuthFeature() {
return 💚
}
```
**NOTE:** Questions will be converted to Discussions. You can find them [here](https://github.com/nextauthjs/next-auth/discussions)!
- type:textarea
id:codesandbox
attributes:
label:How to reproduce ☕️
description:Please provide a link to a minimal reproduction or code snippets that represents your question
validations:
required:true
- type:markdown
attributes:
value:|
We encourage you to use the template set-up on **CodeSandbox** as a playground to represent your question or doubt:
Thanks for your interest in the project. Bugs filed and PRs submitted are appreciated!
Please make sure that you are familiar with and follow the Code of Conduct for
this project (found in the CODE_OF_CONDUCT.md file).
Also, please make sure you're familiar with and follow the instructions in the
contributing guidelines (found in the CONTRIBUTING.md file).
If you're new to contributing to open source projects, you might find this free
video course helpful: https://kcd.im/pull-request
Please fill out the information below to expedite the review and (hopefully)
merge of your pull request!
-->
<!-- What changes are being made? (What feature/bug is being fixed here?) -->
> _NOTE_:
>
> - It's a good idea to open an issue first to discuss potential changes.
> - Please make sure that you are _NOT_ opening a PR to fix a potential security vulnerability. Instead, please follow the [Security guidelines](https://github.com/nextauthjs/.github/blob/main/SECURITY.md) to disclose the issue to us confidentially.
## Reasoning 💡
## ☕️ Reasoning
<!-- What changes are being made? What feature/bug is being fixed here? -->
## Checklist 🧢
<!-- Feel free cross items ( like this `~[] item~` ) if they're irrelevant to your changes.
To check an item, place an `x` in the box like so: `- [x] Documentation`. -->
## 🧢 Checklist
- [ ] Documentation
- [ ] Tests
- [ ] Ready to be merged
<!-- In your opinion, is this ready to be merged as soon as it's reviewed? -->
## 🎫 Affected issues
## Affected issues 🎟
<!--
Please [scout and link issues](https://github.com/nextauthjs/next-auth/issues) that might be solved by this PR.
If you write `"Fixes"` or `"Closes"` before the issue link like so:
Fixes: INSERT_ISSUE_LINK_HERE
```
Fixes #359
```
## 📌 Resources
the connected issue will be automatically closed once the PR is merged and hence help with maintenance of the library 😊
We could not detect a valid reproduction link. **Make sure to follow the bug report template carefully.**
### Why was this issue closed?
To be able to investigate, we need access to a reproduction to identify what triggered the issue. We need a link to a **public** GitHub repository. Example: ([NextAuth.js example repository](https://github.com/nextauthjs/next-auth-example)).
The bug template that you filled out has a section called "Reproduction URL", which is where you should provide the link to the reproduction.
- If you did not provide a link or the link you provided is not valid, we will close the issue.
- If you provide a link to a private repository, we will close the issue.
- If you provide a link to a repository but not in the correct section, we will close the issue.
### What should I do?
Depending on the reason the issue was closed, you can do the following:
- If you did not provide a link, please open a new issue with a link to a reproduction.
- If you provided a link to a private repository, please open a new issue with a link to a public repository.
- If you provided a link to a repository but not in the correct section, please open a new issue with a link to a reproduction in the correct section.
**In general, assume that we should not go through a lengthy onboarding process at your company code only to be able to verify an issue.**
### My repository is private and cannot make it public
In most cases, a private repo will not be a sufficient **minimal reproduction**, as this codebase might contain a lot of unrelated parts that would make our investigation take longer. Please do **not** make it public. Instead, create a new repository using the templates above, adding the relevant code to reproduce the issue. Common things to look out for:
- Remove any code that is not related to the issue. (pages, API Routes, components, etc.)
- Remove any dependencies that are not related to the issue.
- Remove any third-party service that would require us to sign up for an account to reproduce the issue.
- Remove any environment variables that are not related to the issue.
- Remove private packages that we do not have access to.
- If the issue is not related to a monorepo specifically, try to reproduce the issue without a complex monorepo setup
### I did not open this issue, but it is relevant to me, what can I do to help?
Anyone experiencing the same issue is welcome to provide a minimal reproduction following the above steps by opening a new issue.
### I think my reproduction is good enough, why aren't you looking into it quickly?
We look into every issue and monitor open issues for new comments.
However, sometimes we might miss a few due to the popularity/high traffic of the repository. We apologize, and kindly ask you to refrain from tagging core maintainers, as that will usually not result in increased priority.
Upvoting issues to show your interest will help us prioritize and address them as quickly as possible. That said, every issue is important to us, and if an issue gets closed by accident, we encourage you to open a new one linking to the old issue and we will look into it.
### Useful Resources
- [How to create a Minimal, Complete, and Verifiable example](https://stackoverflow.com/help/mcve)
Contributions and feedback on your experience of using this software are welcome.
This includes bug reports, feature requests, ideas, pull requests, and examples of how you have used this software.
Please see the [Code of Conduct](CODE_OF_CONDUCT.md) and follow any templates configured in GitHub when reporting bugs, requesting enhancements, or contributing code.
Please raise any significant new functionality or breaking change an issue for discussion before raising a Pull Request for it.
## For contributors
Anyone can be a contributor. Either you found a typo, or you have an awesome feature request you could implement, we encourage you to create a Pull Request.
### Pull Requests
- The latest changes are always in `main`, so please make your Pull Request against that branch.
- Pull Requests should be raised for any change
- Pull Requests need approval of a [core contributor](https://next-auth.js.org/contributors#core-team) before merging
- We use ESLint/Prettier for linting/formatting, so please run `npm run lint:fix` before committing to make resolving conflicts easier (VSCode users, check out [this ESLint extension](https://marketplace.visualstudio.com/items?itemName=dbaeumer.vscode-eslint) and [this Prettier extension](https://marketplace.visualstudio.com/items?itemName=esbenp.prettier-vscode) to fix lint and formatting issues in development)
- We encourage you to test your changes, and if you have the opportunity, please make those tests part of the Pull Request
- If you add new functionality, please provide the corresponding documentation as well and make it part of the Pull Request
### Setting up local environment
A quick guide on how to setup _next-auth_ locally to work on it and test out any changes:
The dev application requires you to use `npm@7`.
1. Clone the repo:
```sh
git clone git@github.com:nextauthjs/next-auth.git
cd next-auth
```
2. Install packages, set up the dev application:
```sh
npm run dev:setup
```
3. Populate `.env.local`:
Copy `app/.env.local.example` to `app/.env.local`, and add your env variables for each provider you want to test.
> NOTE: You can add any environment variables to .env.local that you would like to use in your dev app.
> You can find the next-auth config under`app/pages/api/auth/[...nextauth].js`.
1. Start the dev application/server:
```sh
npm run dev
```
Your dev application will be available on `http://localhost:3000`
That's it! 🎉
If you need an example project to link to, you can use [next-auth-example](https://github.com/iaincollins/next-auth-example).
#### Hot reloading
When running `npm run dev`, you start a Next.js dev server on `http://localhost:3000`, which includes hot reloading out of the box. Make changes on any of the files in `src` and see the changes immediately.
> NOTE: When working on CSS, you will have to manually refresh the page after changes. The reason for this is our pages using CSS are server-side rendered. (Improving this through a PR is very welcome!)
> NOTE: The setup is as follows: The development application lives inside the `app` folder, and whenever you make a change to the `src` folder in the root (where next-auth is), it gets copied into `app` every time (gitignored), so Next.js can pick them up and apply hot reloading. This is to avoid some annoying issues with how symlinks are working with different React builds, and also to provide a super-fast feedback loop while developing core features.
#### Providers
If you think your custom provider might be useful to others, we encourage you to open a PR and add it to the built-in list so others can discover it much more easily! You only need to add two changes:
1. Add your config: [`src/providers/{provider}.js`](https://github.com/nextauthjs/next-auth/tree/main/src/providers) (Make sure you use a named default export, like `export default function YourProvider`!)
That's it! 🎉 Others will be able to discover this provider much more easily now!
You can look at the existing built-in providers for inspiration.
#### Databases
If you would like to contribute to an existing database adapter or help create a new one, head over to the [nextauthjs/adapters](https://www.github.com/nextauthjs/adapters) repository and follow the instructions provided there.
#### Testing
Tests can be run with `npm run test`.
Automated tests are currently crude and limited in functionality, but improvements are in development.
## For maintainers
We use [semantic-release](https://github.com/semantic-release/semantic-release) together with [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0) to automate releases. This makes the maintenance process easier and less error-prone to human error. Please study the "Conventional Commits" site to understand how to write a good commit message.
When accepting Pull Requests, make sure the following:
- Use "Squash and merge"
- Make sure you merge contributor PRs into `main`
- Rewrite the commit message to conform to the `Conventional Commits` style. Check the "Recommended Scopes" section for further advice.
- Optionally link issues the PR will resolve (You can add "close" in front of the issue numbers to close the issues automatically, when the PR is merged. `semantic-release` will also comment back to connected issues and PRs, notifying the users that a feature is added/bug fixed, etc.)
### Recommended Scopes
A typical conventional commit looks like this:
```
type(scope): title
body
```
Scope is the part that will help grouping the different commit types in the release notes.
Some recommended scopes are:
- **provider** - Provider related changes. (eg.: "feat(provider): add X provider", "docs(provider): fix typo in X documentation"
- **adapter** - Adapter related changes. (eg.: "feat(adapter): add X provider", "docs(provider): fix typo in X documentation"
- **db** - Database related changes. (eg.: "feat(db): add X database", "docs(db): fix typo in X documentation"
- **deps** - Adding/removing/updating a dependency (eg.: "chore(deps): add X")
> NOTE: If you are not sure which scope to use, you can simply ignore it. (eg.: "feat: add something"). Adding the correct type already helps a lot when analyzing the commit messages.
### Skipping a release
Every commit that contains [skip release] or [release skip] in their message will be excluded from the commit analysis and won't participate in the release type determination. This is useful, if the PR being merged should not trigger a new `npm` release.
Auth.js is a set of open-source packages that are built on Web Standard APIs for authentication in modern applications with any framework on any platform in any JS runtime.
NextAuth.js is a complete open source authentication solution for [Next.js](http://nextjs.org/) applications.
It is designed from the ground up to support Next.js and Serverless.
## Getting Started
```
npm install --save next-auth
```
The easiest way to continue getting started, is to follow the [getting started](https://next-auth.js.org/getting-started/example) section in our docs.
We also have a section of [tutorials](https://next-auth.js.org/tutorials) for those looking for more specific examples.
See [next-auth.js.org](https://next-auth.js.org) for more information and documentation.
See [authjs.dev](https://authjs.dev) for our framework-specific libraries, or check out [next-auth.js.org](https://next-auth.js.org) for `next-auth` (Next.js).
## Features
### Flexible and easy to use
- Designed to work with any OAuth service, it supports OAuth 1.0, 1.0A and 2.0
- Built-in support for [many popular sign-in services](https://next-auth.js.org/configuration/providers)
-Supports email / passwordless authentication
-Supports stateless authentication with any backend (Active Directory, LDAP, etc)
-Supports both JSON Web Tokens and database sessions
- Designed for Serverless but runs anywhere (AWS Lambda, Docker, Heroku, etc…)
- Designed to work with any OAuth service, it supports 2.0+, OIDC
- Built-in support for [many popular sign-in services](https://github.com/nextauthjs/next-auth/tree/main/packages/core/src/providers)
-Email/Passwordless authentication
-Bring Your Database - or none! - stateless authentication with any backend (Active Directory, LDAP, etc.)
NextAuth.js can be used with or without a database.
Auth.js can be used with or without a database.
- An opensource solution that allows you to keep control of your data
-Supports Bring Your Own Database (BYOD) and can be used with any database
- Built-in support for [MySQL, MariaDB, Postgres, Microsoft SQL Server, MongoDB and SQLite](https://next-auth.js.org/configuration/databases)
- An open-source solution that allows you to keep control of your data
-Built-in support for [MySQL, MariaDB, Postgres, Microsoft SQL Server, MongoDB, SQLite, etc.](https://adapters.authjs.dev)
- Works great with databases from popular hosting providers
- Can also be used _without a database_ (e.g. OAuth + JWT)
### Secure by default
- Promotes the use of passwordless signin mechanisms
- Designed to be secure by default and encourage best practice for safeguarding user data
- Uses CrossSite Request Forgery Tokens on POST routes (sign in, sign out)
- Promotes the use of passwordless sign-in mechanisms
- Designed to be secure by default and encourage best practices for safeguarding user data
- Uses Cross-Site Request Forgery (CSRF) Tokens on POST routes (sign in, sign out)
- Default cookie policy aims for the most restrictive policy appropriate for each cookie
- When JSON Web Tokens are enabled, they are signed by default (JWS) with HS512
-Use JWT encryption (JWE) by setting the option `encryption: true` (defaults to A256GCM)
- Auto-generates symmetric signing and encryption keys for developer convenience
- Features tab/window syncing and keepalive messages to support short lived sessions
- Attempts to implement the latest guidance published by [Open Web Application Security Project](https://owasp.org/)
- When JSON Web Tokens are used, they are encrypted by default (JWE) with A256GCM
-Features tab/window syncing and session polling to support short-lived sessions
- Attempts to implement the latest guidance published by [Open Web Application Security Project](https://owasp.org)
Advanced options allow you to define your own routines to handle controlling what accounts are allowed to sign in, for encoding and decoding JSON Web Tokens and to set custom cookie security policies and session properties, so you can control who is able to sign in and how often sessions have to be re-validated.
Advanced configuration allows you to define your routines to handle controlling what accounts are allowed to sign in, for encoding and decoding JSON Web Tokens and to set custom cookie security policies and session properties, so you can control who can sign in and how often sessions have to be re-validated.
### TypeScript
NextAuth.js comes with built-in types. For more information and usage, check out the [TypeScript section](https://next-auth.js.org/getting-started/typescript) in the documentation.
Auth.js libraries are written with type safety in mind. [Check out the docs](https://authjs.dev/getting-started/typescript) for more information.
The package at `@types/next-auth` is now deprecated.
## Security
## Example
If you think you have found a vulnerability (or are not sure) in Auth.js or any of the related packages (i.e. Adapters), we ask you to read our [Security Policy](https://authjs.dev/security) to reach out responsibly. Please do not open Pull Requests/Issues/Discussions before consulting with us.
We're happy to announce we've recently created an [OpenCollective](https://opencollective.org/nextauth) for individuals and companies looking to contribute financially to the project!
@@ -187,7 +154,8 @@ We're happy to announce we've recently created an [OpenCollective](https://openc
## Contributing
We're open to all community contributions! If you'd like to contribute in any way, please first read our [Contributing Guide](https://github.com/nextauthjs/next-auth/blob/canary/CONTRIBUTING.md).
We're open to all community contributions! If you'd like to contribute in any way, please first read
Security updates are only released for the current version.
Old releases are not maintained and do not receive updates.
## Reporting a Vulnerability
We request that you contact us directly to report serious issues that might impact the security of sites using NextAuth.js.
If you contact us regarding a serious issue:
- We will endeavor to get back to you within 72 hours.
- We will aim to publish a fix within 30 days.
- We will disclose the issue (and credit you, with your consent) once a fix to resolve the issue has been released.
- If 90 days has elapsed and we still don't have a fix, we will disclose the issue publicly.
Currently, the best way to report an issue is by contacting us via email at me@iaincollins.com or info@balazsorban.com and yo@ndo.dev.
For less serious issues (e.g. RFC compliance for unsupported flows or potential issues that may cause a problem future or default behaviour / options) it is appropriate to submit these these publically as bug reports or feature requests or to raise a question to open a discussion around them.
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
