Merge branch 'main' into next

feat(provider): remove state property
BREAKING CHANGE: adding `state: true` is already redundant as `protection: "state` is the default value. `state: false` can be substituted with `protection: "state"`
2026-05-01 10:55:20 +00:00 · 2021-02-15 21:52:37 +01:00 · 2021-02-15 21:47:47 +01:00 · 2021-02-15 21:47:35 +01:00
11 changed files with 43 additions and 104 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,7 +2,7 @@ name: Release
 on:
  push:
    branches:
-      - 'main'
+      - 'master'
      - 'next'
      - '3.x'
  pull_request:
@@ -23,4 +23,4 @@ jobs:
      - run: npx semantic-release@17
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
-          NPM_TOKEN: ${{secrets.NPM_TOKEN}}
+          NPM_TOKEN: ${{secrets.NPM_TOKEN}}
--- a/FUNDING.yml
+++ b/FUNDING.yml
@@ -1,3 +0,0 @@
-# https://docs.github.com/en/github/administering-a-repository/displaying-a-sponsor-button-in-your-repository
-
-github: [balazsorban44]
--- a/README.md
+++ b/README.md
@@ -7,25 +7,12 @@
   Open Source. Full Stack. Own Your Data.
   </p>
   <p align="center" style="align: center;">
-      <a href="https://github.com/nextauthjs/next-auth/actions?query=workflow%3ARelease">
-        <img src="https://github.com/nextauthjs/next-auth/workflows/Release/badge.svg" alt="Release" />
-      </a>
-      <a href="https://github.com/nextauthjs/next-auth/actions?query=workflow%3A%22Integration+Test%22">
-        <img src="https://github.com/nextauthjs/next-auth/workflows/Integration%20Test/badge.svg" alt="Integration Test" />
-      </a>
-      <a href="https://bundlephobia.com/result?p=next-auth">
-        <img src="https://img.shields.io/bundlephobia/minzip/next-auth" alt="Bundle Size"/>
-      </a>
-      <a href="https://www.npmtrends.com/next-auth">
-        <img src="https://img.shields.io/npm/dm/next-auth" alt="Downloads" />
-      </a>
-      <a href="https://github.com/nextauthjs/next-auth/stargazers">
-        <img src="https://img.shields.io/github/stars/nextauthjs/next-auth" alt="Github Stars" />
-      </a>
-      <a href="https://www.npmjs.com/package/next-auth">
-        <img src="https://img.shields.io/github/v/release/nextauthjs/next-auth" alt="Github Stable Release" />
-      </a>
-      <img src="https://img.shields.io/github/v/release/nextauthjs/next-auth?include_prereleases" alt="Github Prelease" />
+      <img src="https://github.com/nextauthjs/next-auth/workflows/Build%20Test/badge.svg" alt="Build Test" />
+      <img src="https://github.com/nextauthjs/next-auth/workflows/Integration%20Test/badge.svg" alt="Integration Test" />
+      <img src="https://img.shields.io/bundlephobia/minzip/next-auth" alt="Bundle Size"/>
+      <img src="https://img.shields.io/npm/dm/next-auth" alt="Downloads" />
+      <img src="https://img.shields.io/github/stars/nextauthjs/next-auth" alt="Github Stars" />
+      <img src="https://img.shields.io/github/v/release/nextauthjs/next-auth?include_prereleases" alt="Github Release" />
   </p>
 </p>

@@ -167,3 +154,4 @@ We're open to all community contributions! If you'd like to contribute in any wa
 ## License

 ISC
+
--- a/package.json
+++ b/package.json
@@ -108,11 +108,5 @@
    "globals": [
      "fetch"
    ]
-  },
-  "funding": [
-    {
-      "type" : "github",
-      "url" : "https://github.com/sponsors/balazsorban44"
-    }
-  ]
+  }
 }
--- a/release.config.js
+++ b/release.config.js
@@ -2,6 +2,9 @@ module.exports = {
  branches: [
    '+([0-9])?(.{+([0-9]),x}).x',
    'main',
-    { name: 'next', prerelease: true }
+    'next',
+    'next-major',
+    { name: 'beta', prerelease: true },
+    { name: 'alpha', prerelease: true }
  ]
 }
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -72,11 +72,13 @@ async function NextAuthHandler (req, res, userOptions) {
    const providers = parseProviders({ providers: userOptions.providers, baseUrl, basePath })
    const provider = providers.find(({ id }) => id === providerId)

-    if (provider &&
-      provider.type === 'oauth' && provider.version?.startsWith('2') &&
-       (!provider.protection && provider.state !== false)
+    if (
+      provider?.type === 'oauth' &&
+      provider?.version?.startsWith('2') &&
+      !provider?.protection
    ) {
-      provider.protection = 'state' // Default to state, as we did in 3.1 REVIEW: should we use "pkce" or "none" as default?
+      // Default to state, as we did in 3.1 REVIEW: should we use "pkce" or "none" as default?
+      provider.protection = 'state'
    }

    const maxAge = 30 * 24 * 60 * 60 // Sessions expire after 30 days of being idle
--- a/src/server/routes/callback.js
+++ b/src/server/routes/callback.js
@@ -65,18 +65,13 @@ export default async function callback (req, res) {

        try {
          const signInCallbackResponse = await callbacks.signIn(userOrProfile, account, OAuthProfile)
-          if (signInCallbackResponse === false) {
+          if (!signInCallbackResponse) {
            return res.redirect(`${baseUrl}${basePath}/error?error=AccessDenied`)
          } else if (typeof signInCallbackResponse === 'string') {
            return res.redirect(signInCallbackResponse)
          }
        } catch (error) {
-          if (error instanceof Error) {
-            return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
-          }
-          // TODO: Remove in a future major release
-          logger.warn('SIGNIN_CALLBACK_REJECT_REDIRECT')
-          return res.redirect(error)
+          return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
        }

        // Sign user in
@@ -161,18 +156,13 @@ export default async function callback (req, res) {
      // Check if user is allowed to sign in
      try {
        const signInCallbackResponse = await callbacks.signIn(profile, account, { email })
-        if (signInCallbackResponse === false) {
+        if (!signInCallbackResponse) {
          return res.redirect(`${baseUrl}${basePath}/error?error=AccessDenied`)
        } else if (typeof signInCallbackResponse === 'string') {
          return res.redirect(signInCallbackResponse)
        }
      } catch (error) {
-        if (error instanceof Error) {
-          return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
-        }
-        // TODO: Remove in a future major release
-        logger.warn('SIGNIN_CALLBACK_REJECT_REDIRECT')
-        return res.redirect(error)
+        return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
      }

      // Sign user in
@@ -236,12 +226,11 @@ export default async function callback (req, res) {
      userObjectReturnedFromAuthorizeHandler = await provider.authorize(credentials)
      if (!userObjectReturnedFromAuthorizeHandler) {
        return res.status(401).redirect(`${baseUrl}${basePath}/error?error=CredentialsSignin&provider=${encodeURIComponent(provider.id)}`)
+      } else if (typeof userObjectReturnedFromAuthorizeHandler === 'string') {
+        return res.redirect(userObjectReturnedFromAuthorizeHandler)
      }
    } catch (error) {
-      if (error instanceof Error) {
-        return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
-      }
-      return res.redirect(error)
+      return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
    }

    const user = userObjectReturnedFromAuthorizeHandler
@@ -249,14 +238,13 @@ export default async function callback (req, res) {

    try {
      const signInCallbackResponse = await callbacks.signIn(user, account, credentials)
-      if (signInCallbackResponse === false) {
+      if (!signInCallbackResponse) {
        return res.status(403).redirect(`${baseUrl}${basePath}/error?error=AccessDenied`)
+      } else if (typeof signInCallbackResponse === 'string') {
+        return res.redirect(signInCallbackResponse)
      }
    } catch (error) {
-      if (error instanceof Error) {
-        return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
-      }
-      return res.redirect(error)
+      return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
    }

    const defaultJwtPayload = {
--- a/src/server/routes/signin.js
+++ b/src/server/routes/signin.js
@@ -45,18 +45,13 @@ export default async function signin (req, res) {
    // Check if user is allowed to sign in
    try {
      const signInCallbackResponse = await callbacks.signIn(profile, account, { email, verificationRequest: true })
-      if (signInCallbackResponse === false) {
+      if (!signInCallbackResponse) {
        return res.redirect(`${baseUrl}${basePath}/error?error=AccessDenied`)
      } else if (typeof signInCallbackResponse === 'string') {
        return res.redirect(signInCallbackResponse)
      }
    } catch (error) {
-      if (error instanceof Error) {
-        return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
-      }
-      // TODO: Remove in a future major release
-      logger.warn('SIGNIN_CALLBACK_REJECT_REDIRECT')
-      return res.redirect(error)
+      return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
    }

    try {
--- a/www/docs/contributors.md
+++ b/www/docs/contributors.md
@@ -5,14 +5,14 @@ title: Contributors

 ## Core Team

-* [Iain Collins](https://github.com/iaincollins)
-* [Lori Karikari](https://github.com/LoriKarikari)
-* [Nico Domino](https://github.com/ndom91)
-* [Fredrik Pettersen](https://github.com/Fumler)
-* [Gerald Nolan](https://github.com/geraldnolan)
-* [Lluis Agusti](https://github.com/lluia)
-* [Jefferson Bledsoe](https://github.com/JeffersonBledsoe)
-* [Balázs Orbán](https://github.com/sponsors/balazsorban44)
+* <a href="https://github.com/iaincollins">Iain Collins</a>
+* <a href="https://github.com/LoriKarikari">Lori Karikari</a>
+* <a href="https://github.com/ndom91">Nico Domino</a>
+* <a href="https://github.com/Fumler">Fredrik Pettersen</a>
+* <a href="https://github.com/geraldnolan">Gerald Nolan</a>
+* <a href="https://github.com/lluia">Lluis Agusti</a>
+* <a href="https://github.com/JeffersonBledsoe">Jefferson Bledsoe</a>
+* <a href="https://github.com/balazsorban44">Balázs Orbán</a>

 _Special thanks to Lori Karikari for creating most of the providers, to Nico Domino for creating this site, to Fredrik Pettersen for creating the Prisma adapter, to Gerald Nolan for adding support for Sign in with Apple, to Lluis Agusti for work to add TypeScript definitions and to Jefferson Bledsoe for working on automating testing._

--- a/www/docs/warnings.md
+++ b/www/docs/warnings.md
@@ -46,32 +46,4 @@ You can use [node-jose-tools](https://www.npmjs.com/package/node-jose-tools) to

 **Option 2**: Specify custom encode/decode functions on the jwt object. This gives you complete control over signing / verification / etc.

-#### JWT_AUTO_GENERATED_ENCRYPTION_KEY
-
-#### SIGNIN_CALLBACK_REJECT_REDIRECT
-
-You returned something in the `signIn` callback, that is being deprecated.
-
-You probably had something similar in the callback:
-```js
-  return Promise.reject("/some/url")
-```
-
-or
-
-```js
-  throw "/some/url"
-```
-
-To remedy this, simply return the url instead:
-
-```js
-  return "/some/url"
-```
-
-
-#### STATE_OPTION_DEPRECATION
-You provided `state: true` or `state: false` as a provider option. This is being deprecated in a later release in favour of `protection: "state"` and `protection: "none"` respectively. To remedy this warning:
-
- If you use `state: true`, just simply remove it. The default is `protection: "state"` already..
- If you use `state: false`, set `protection: "none"`.
+#### JWT_AUTO_GENERATED_ENCRYPTION_KEY
--- a/www/package.json
+++ b/www/package.json
@@ -2,7 +2,7 @@
  "name": "next-auth-docs",
  "version": "0.1.1",
  "scripts": {
-    "start": "npm run generate-providers && docusaurus start",
+    "start": "docusaurus start",
    "build": "npm run generate-providers && docusaurus build",
    "swizzle": "docusaurus swizzle",
    "deploy": "docusaurus deploy",