fix(provider): add sub to defaultJwtPayload for credentials provider. (#1725 )

Co-authored-by: Joseph Chen <jchen@dogomedia.com>
chore(deps): bump jose from 1.27.2 to 1.28.1 (#1772 )
2026-05-01 10:55:20 +00:00 · 2021-04-20 12:59:48 +02:00 · 2021-04-20 12:56:07 +02:00 · 2021-04-20 12:20:43 +02:00 · 2021-04-17 12:40:50 +02:00 · 2021-04-14 21:26:15 +02:00
98 changed files with 10363 additions and 5844 deletions
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -9,7 +9,7 @@ assignees: ''
 A clear and concise description of the feature being proposed.

 **Purpose of proposed feature**
-A clear and concise description description of why this feature is necessary and what problems it solves.
+A clear and concise description of why this feature is necessary and what problems it solves.

 **Detail about proposed feature**
 A detailed description of how the proposal might work (if you have one).
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -1,5 +1,6 @@
 test:
  - test/**/*
+  - types/tests/**/*

 documentation:
  - www/**/*
@@ -32,4 +33,7 @@ client:

 pages:
  - src/server/pages/**/*
-  - www/docs/configuration/pages.md
+  - www/docs/configuration/pages.md
+
+TypeScript:
+  - types/**/*
--- a/.github/stale.yml
+++ b/.github/stale.yml
@@ -7,6 +7,7 @@ exemptLabels:
  - pinned
  - security
  - priority
+  - bug
 # Label to use when marking an issue as stale
 staleLabel: stale
 # Comment to post when marking an issue as stale. Set to `false` to disable
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,10 +6,12 @@ on:
  push:
    branches: 
     - main
+     - beta
     - next
  pull_request:
    branches:
     - main
+     - beta
     - next

 jobs:
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -13,7 +13,7 @@ name: "CodeQL"

 on:
  push:
-    branches: [ main, next ]
+    branches: [ main, beta, next ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ main ]
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -2,9 +2,10 @@ name: Integration Test

 on:
  push:
-    branches: 
-     - main
-     - next
+    branches:
+      - main
+      - beta
+      - next
  pull_request:

 jobs:
@@ -17,7 +18,7 @@ jobs:
    if: github.event.pull_request.head.repo.full_name == github.repository

    # We use self-hosted runners as cloud based runnners (e.g. AWS, GPC)
-    # fail due to IP Address checks done by providers, which enforce 
+    # fail due to IP Address checks done by providers, which enforce
    # CAPTCHA checks on login request from cloud compute IP addresses to
    # prevent abuse.
    runs-on: self-hosted
@@ -45,7 +46,7 @@ jobs:
      - run: npm test
        # TODO Tests should exit out if env vars not set (currently hangs)
        env:
-          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}} 
+          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
          NEXTAUTH_TWITTER_ID: ${{secrets.NEXTAUTH_TWITTER_ID}}
          NEXTAUTH_TWITTER_SECRET: ${{secrets.NEXTAUTH_TWITTER_SECRET}}
          NEXTAUTH_TWITTER_USERNAME: ${{secrets.NEXTAUTH_TWITTER_USERNAME}}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,6 +3,7 @@ on:
  push:
    branches:
      - 'main'
+      - 'beta'
      - 'next'
      - '3.x'
  pull_request:
--- a/.github/workflows/types.yml
+++ b/.github/workflows/types.yml
@@ -0,0 +1,25 @@
+name: Types
+
+on:
+  push:
+    branches:
+      - main
+      - beta
+      - next
+  pull_request:
+    branches:
+      - main
+      - beta
+      - next
+
+jobs:
+  lint-and-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Use Node.js
+        uses: actions/setup-node@v1
+      - name: Install dependencies
+        uses: bahmutov/npm-install@v1
+      - name: Check types
+        run: npm run test:types
--- a/.gitignore
+++ b/.gitignore
@@ -11,6 +11,8 @@ npm-debug.log*
 yarn-debug.log*
 yarn-error.log*

+yarn.lock
+
 # Dependencies
 node_modules

@@ -37,4 +39,4 @@ www/providers.json
 /_work

 # Prisma migrations
-/prisma/migrations
+/prisma/migrations
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -16,7 +16,7 @@ Anyone can be a contributor. Either you found a typo, or you have an awesome fea
 * The latest changes are always in `main`, so please make your Pull Request against that branch.
 * Pull Requests should be raised for any change
 * Pull Requests need approval of a [core contributor](https://next-auth.js.org/contributors#core-team) before merging
-* Run `npm run lint:fix` before committing to make resolving conflicts easier (VSCode users, check out [this extension](https://marketplace.visualstudio.com/items?itemName=chenxsan.vscode-standardjs) to fix lint issues in development)
+* We use ESLint/Prettier for linting/formatting, so please run `npm run lint:fix` before committing to make resolving conflicts easier (VSCode users, check out [this ESLint extension](https://marketplace.visualstudio.com/items?itemName=dbaeumer.vscode-eslint) and [this Prettier extension](https://marketplace.visualstudio.com/items?itemName=esbenp.prettier-vscode) to fix lint and formatting issues in development)
 * We encourage you to test your changes, and if you have the opportunity, please make those tests part of the Pull Request
 * If you add new functionality, please provide the corresponding documentation as well and make it part of the Pull Request

@@ -42,7 +42,7 @@ npm i
 > NOTE: You can add any environment variables to .env.local that you would like to use in your dev app.
 > You can find the next-auth config under`pages/api/auth/[...nextauth].js`.

-1. Start the dev application/server and CSS watching:
+1. Start the dev application/server:
 ```sh
 npm run dev
 ```
--- a/README.md
+++ b/README.md
@@ -84,13 +84,9 @@ Advanced options allow you to define your own routines to handle controlling wha

 ### TypeScript

-You can install the appropriate types via the following command:
+NextAuth.js comes with built-in types. For more information and usage, check out the [TypeScript section](https://next-auth.js.org/getting-started/typescript) in the documentaion.

-```
-npm install --save-dev @types/next-auth
-```
-
-As of now, TypeScript is a community effort. If you encounter any problems with the types package, please create an issue at [DefinitelyTyped](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/next-auth). Alternatively, you can open a pull request directly with your fixes there. We welcome anyone to start a discussion on migrating this package to TypeScript, or how to improve the TypeScript experience in general.
+The package at `@types/next-auth` is now deprecated.

 ## Example

--- a/adapters.js
+++ b/adapters.js
@@ -1 +0,0 @@
-module.exports = require('./dist/adapters').default
--- a/client.js
+++ b/client.js
@@ -1 +0,0 @@
-module.exports = require('./dist/client').default
--- a/components/header.js
+++ b/components/header.js
@@ -100,6 +100,11 @@ export default function Header () {
              <a>Credentials</a>
            </Link>
          </li>
+          <li className={styles.navItem}>
+            <Link href='/email'>
+              <a>Email</a>
+            </Link>
+          </li>
        </ul>
      </nav>
    </header>
--- a/config/build.js
+++ b/config/build.js
@@ -0,0 +1,45 @@
+const fs = require("fs-extra")
+const path = require("path")
+
+const MODULE_ENTRIES = {
+  SERVER: "index",
+  CLIENT: "client",
+  PROVIDERS: "providers",
+  ADAPTERS: "adapters",
+  JWT: "jwt",
+}
+
+const BUILD_TARGETS = {
+  [`${MODULE_ENTRIES.SERVER}.js`]: "module.exports = require('./dist/server').default\n",
+  [`${MODULE_ENTRIES.CLIENT}.js`]: "module.exports = require('./dist/client').default\n",
+  [`${MODULE_ENTRIES.ADAPTERS}.js`]: "module.exports = require('./dist/adapters').default\n",
+  [`${MODULE_ENTRIES.PROVIDERS}.js`]: "module.exports = require('./dist/providers').default\n",
+  [`${MODULE_ENTRIES.JWT}.js`]: "module.exports = require('./dist/lib/jwt').default\n",
+}
+
+Object.entries(BUILD_TARGETS).forEach(([target, content]) => {
+  fs.writeFile(path.join(process.cwd(), target), content, (err) => {
+    if (err) throw err
+    console.log(`[build] created "${target}" in root folder`)
+  })
+})
+
+const TYPES_TARGETS = [
+  `${MODULE_ENTRIES.SERVER}.d.ts`,
+  `${MODULE_ENTRIES.CLIENT}.d.ts`,
+  `${MODULE_ENTRIES.ADAPTERS}.d.ts`,
+  `${MODULE_ENTRIES.PROVIDERS}.d.ts`,
+  `${MODULE_ENTRIES.JWT}.d.ts`,
+  "internals",
+]
+
+TYPES_TARGETS.forEach((target) => {
+  fs.copy(
+    path.resolve("types", target),
+    path.join(process.cwd(), target),
+    (err) => {
+      if (err) throw err
+      console.log(`[build-types] copying "${target}" to root folder`)
+    }
+  )
+})
--- a/index.js
+++ b/index.js
@@ -1 +0,0 @@
-module.exports = require('./dist/server')
--- a/jwt.js
+++ b/jwt.js
@@ -1 +0,0 @@
-module.exports = require('./dist/lib/jwt').default
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -8,37 +8,45 @@
  "main": "index.js",
  "scripts": {
    "build": "npm run build:js && npm run build:css",
-    "build:js": "babel --config-file ./config/babel.config.json src --out-dir dist",
+    "build:js": "babel --config-file ./config/babel.config.json src --out-dir dist && node ./config/build.js",
    "build:css": "postcss --config config/postcss.config.js src/**/*.css --base src --dir dist && node config/wrap-css.js",
-    "dev": "next | npm run watch:css",
+    "dev:with-css": "next | npm run watch:css",
+    "dev": "next",
    "watch": "npm run watch:js | npm run watch:css",
    "watch:js": "babel --config-file ./config/babel.config.json --watch src --out-dir dist",
    "watch:css": "postcss --config config/postcss.config.js --watch src/**/*.css --base src --dir dist",
    "test:app:start": "docker-compose -f test/docker/app.yml up -d",
    "test:app:rebuild": "npm run build && docker-compose -f test/docker/app.yml up -d --build",
    "test:app:stop": "docker-compose -f test/docker/app.yml down",
-    "test": "npm run test:app:rebuild && npm run test:integration && npm run test:app:stop",
+    "test": "npm run test:app:rebuild && npm run test:integration && npm run test:app:stop && npm run test:types",
    "test:db": "npm run test:db:mysql && npm run test:db:postgres && npm run test:db:mongodb && npm run test:db:mssql",
    "test:db:mysql": "node test/mysql.js",
    "test:db:postgres": "node test/postgres.js",
    "test:db:mongodb": "node test/mongodb.js",
    "test:db:mssql": "node test/mssql.js",
    "test:integration": "mocha test/integration",
+    "test:types": "dtslint types",
    "db:start": "docker-compose -f test/docker/databases.yml up -d",
    "db:stop": "docker-compose -f test/docker/databases.yml down",
    "prepublishOnly": "npm run build",
    "publish:beta": "npm publish --tag beta",
    "publish:canary": "npm publish --tag canary",
-    "lint": "ts-standard",
-    "lint:fix": "ts-standard --fix"
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix"
  },
  "files": [
    "dist",
    "index.js",
+    "index.d.ts",
    "providers.js",
+    "providers.d.ts",
    "adapters.js",
+    "adapters.d.ts",
    "client.js",
-    "jwt.js"
+    "client.d.ts",
+    "jwt.js",
+    "jwt.d.ts",
+    "internals"
  ],
  "license": "ISC",
  "dependencies": {
@@ -50,14 +58,14 @@
    "oauth": "^0.9.15",
    "pkce-challenge": "^2.1.0",
    "preact": "^10.4.1",
-    "preact-render-to-string": "^5.1.7",
+    "preact-render-to-string": "^5.1.14",
    "querystring": "^0.2.0",
    "require_optional": "^1.0.1",
    "typeorm": "^0.2.30"
  },
  "peerDependencies": {
    "react": "^16.13.1 || ^17",
-    "react-dom": "^16.13.1 || ^17"
+    "react-dom": "16.13.1 || ^17"
  },
  "peerOptionalDependencies": {
    "mongodb": "^3.5.9",
@@ -76,12 +84,21 @@
    "@semantic-release/npm": "7.0.8",
    "@semantic-release/release-notes-generator": "^9.0.1",
    "@types/react": "^17.0.0",
+    "@typescript-eslint/eslint-plugin": "^4.22.0",
+    "@typescript-eslint/parser": "^4.22.0",
    "autoprefixer": "^9.7.6",
    "babel-preset-preact": "^2.0.0",
    "conventional-changelog-conventionalcommits": "4.4.0",
    "cssnano": "^4.1.10",
    "dotenv": "^8.2.0",
+    "dtslint": "^4.0.8",
    "eslint": "^7.19.0",
+    "eslint-config-prettier": "^8.2.0",
+    "eslint-config-standard-with-typescript": "^19.0.1",
+    "eslint-plugin-import": "^2.22.1",
+    "eslint-plugin-node": "^11.1.0",
+    "eslint-plugin-promise": "^4.3.1",
+    "eslint-plugin-standard": "^5.0.0",
    "mocha": "^8.1.3",
    "mongodb": "^3.5.9",
    "mssql": "^6.2.1",
@@ -90,29 +107,46 @@
    "pg": "^8.2.1",
    "postcss-cli": "^7.1.1",
    "postcss-nested": "^4.2.1",
+    "prettier": "^2.2.1",
    "prisma": "^2.16.1",
    "puppeteer": "^5.2.1",
    "puppeteer-extra": "^3.1.15",
    "puppeteer-extra-plugin-stealth": "^2.6.1",
    "react": "^17.0.1",
    "react-dom": "^17.0.1",
-    "ts-standard": "^10.0.0",
    "typescript": "^4.1.3"
  },
-  "ts-standard": {
-    "project": "./tsconfig.json",
-    "ignore": [
-      "test/",
-      "next-env.d.ts"
+  "prettier": {
+    "semi": false
+  },
+  "eslintConfig": {
+    "parser": "@typescript-eslint/parser",
+    "parserOptions": {
+      "project": "./tsconfig.json"
+    },
+    "extends": [
+      "standard-with-typescript",
+      "prettier"
    ],
-    "globals": [
-      "fetch"
-    ]
+    "ignorePatterns": [
+      "node_modules",
+      "test",
+      "next-env.d.ts",
+      "types",
+      "www",
+      ".next",
+      "dist"
+    ],
+    "globals": {
+      "localStorage": "readonly",
+      "location": "readonly",
+      "fetch": "readonly"
+    }
  },
  "funding": [
    {
-      "type" : "github",
-      "url" : "https://github.com/sponsors/balazsorban44"
+      "type": "github",
+      "url": "https://github.com/sponsors/balazsorban44"
    }
  ]
 }
--- a/pages/api/auth/[...nextauth].js
+++ b/pages/api/auth/[...nextauth].js
@@ -6,6 +6,27 @@ import Providers from 'next-auth/providers'
 // const prisma = new PrismaClient()

 export default NextAuth({
+  // Used to debug https://github.com/nextauthjs/next-auth/issues/1664
+  // cookies: {
+  //   csrfToken: {
+  //     name: 'next-auth.csrf-token',
+  //     options: {
+  //       httpOnly: true,
+  //       sameSite: 'none',
+  //       path: '/',
+  //       secure: true
+  //     }
+  //   },
+  //   pkceCodeVerifier: {
+  //     name: 'next-auth.pkce.code_verifier',
+  //     options: {
+  //       httpOnly: true,
+  //       sameSite: 'none',
+  //       path: '/',
+  //       secure: true
+  //     }
+  //   }
+  // },
  providers: [
    Providers.Email({
      server: process.env.EMAIL_SERVER,
@@ -19,6 +40,11 @@ export default NextAuth({
      clientId: process.env.AUTH0_ID,
      clientSecret: process.env.AUTH0_SECRET,
      domain: process.env.AUTH0_DOMAIN,
+      // Used to debug https://github.com/nextauthjs/next-auth/issues/1664
+      // protection: ["pkce", "state"],
+      // authorizationParams: {
+      //   response_mode: 'form_post'
+      // }
      protection: 'pkce'
    }),
    Providers.Twitter({
--- a/pages/credentials.js
+++ b/pages/credentials.js
@@ -1,3 +1,4 @@
+// eslint-disable-next-line no-use-before-define
 import * as React from 'react'
 import { signIn, signOut, useSession } from 'next-auth/client'
 import Layout from 'components/layout'
--- a/pages/email.js
+++ b/pages/email.js
@@ -0,0 +1,67 @@
+// eslint-disable-next-line no-use-before-define
+import * as React from 'react'
+import { signIn, signOut, useSession } from 'next-auth/client'
+import Layout from 'components/layout'
+
+export default function Page () {
+  const [response, setResponse] = React.useState(null)
+  const [email, setEmail] = React.useState('')
+
+  const handleChange = (event) => {
+    setEmail(event.target.value)
+  }
+
+  const handleLogin = (options) => async (event) => {
+    event.preventDefault()
+
+    if (options.redirect) {
+      return signIn('email', options)
+    }
+    const response = await signIn('email', options)
+    setResponse(response)
+  }
+
+  const handleLogout = (options) => async (event) => {
+    if (options.redirect) {
+      return signOut(options)
+    }
+    const response = await signOut(options)
+    setResponse(response)
+  }
+
+  const [session] = useSession()
+
+  if (session) {
+    return (
+      <Layout>
+        <h1>Test different flows for Email logout</h1>
+        <span className='spacing'>Default:</span>
+        <button onClick={handleLogout({ redirect: true })}>Logout</button><br />
+        <span className='spacing'>No redirect:</span>
+        <button onClick={handleLogout({ redirect: false })}>Logout</button><br />
+        <p>Response:</p>
+        <pre style={{ background: '#eee', padding: 16 }}>{JSON.stringify(response, null, 2)}</pre>
+      </Layout>
+    )
+  }
+
+  return (
+    <Layout>
+      <h1>Test different flows for Email login</h1>
+      <label className='spacing'>
+        Email address:{' '}
+        <input type='text' id='email' name='email' value={email} onChange={handleChange} />
+      </label><br />
+      <form onSubmit={handleLogin({ redirect: true, email })}>
+        <span className='spacing'>Default:</span>
+        <button type='submit'>Sign in with Email</button>
+      </form>
+      <form onSubmit={handleLogin({ redirect: false, email })}>
+        <span className='spacing'>No redirect:</span>
+        <button type='submit'>Sign in with Email</button>
+      </form>
+      <p>Response:</p>
+      <pre style={{ background: '#eee', padding: 16 }}>{JSON.stringify(response, null, 2)}</pre>
+    </Layout>
+  )
+}
--- a/providers.js
+++ b/providers.js
@@ -1 +0,0 @@
-module.exports = require('./dist/providers').default
--- a/release.config.js
+++ b/release.config.js
@@ -2,6 +2,7 @@ module.exports = {
  branches: [
    '+([0-9])?(.{+([0-9]),x}).x',
    'main',
+    { name: 'beta', prerelease: true },
    { name: 'next', prerelease: true }
  ]
 }
--- a/src/client/index.js
+++ b/src/client/index.js
@@ -1,5 +1,3 @@
-/// Note: fetch() is built in to Next.js 9.4
-//
 // Note about signIn() and signOut() methods:
 //
 // On signIn() and signOut() we pass 'json: true' to request a response in JSON
@@ -20,167 +18,75 @@ import parseUrl from '../lib/parse-url'
 //    relative URLs are valid in that context and so defaults to empty.
 // 2. When invoked server side the value is picked up from an environment
 //    variable and defaults to 'http://localhost:3000'.
+/** @type {import("types/internals/client").NextAuthConfig} */
 const __NEXTAUTH = {
  baseUrl: parseUrl(process.env.NEXTAUTH_URL || process.env.VERCEL_URL).baseUrl,
  basePath: parseUrl(process.env.NEXTAUTH_URL).basePath,
-  keepAlive: 0, // 0 == disabled (don't send); 60 == send every 60 seconds
-  clientMaxAge: 0, // 0 == disabled (only use cache); 60 == sync if last checked > 60 seconds ago
+  baseUrlServer: parseUrl(process.env.NEXTAUTH_URL_INTERNAL || process.env.NEXTAUTH_URL || process.env.VERCEL_URL).baseUrl,
+  basePathServer: parseUrl(process.env.NEXTAUTH_URL_INTERNAL || process.env.NEXTAUTH_URL).basePath,
+  keepAlive: 0,
+  clientMaxAge: 0,
  // Properties starting with _ are used for tracking internal app state
-  _clientLastSync: 0, // used for timestamp since last sycned (in seconds)
-  _clientSyncTimer: null, // stores timer for poll interval
-  _eventListenersAdded: false, // tracks if event listeners have been added,
-  _clientSession: undefined, // stores last session response from hook,
-  // Generate a unique ID to make it possible to identify when a message
-  // was sent from this tab/window so it can be ignored to avoid event loops.
-  _clientId: Math.random().toString(36).substring(2) + Date.now().toString(36),
-  // Used to store to function export by getSession() hook
+  _clientLastSync: 0,
+  _clientSyncTimer: null,
+  _eventListenersAdded: false,
+  _clientSession: undefined,
  _getSession: () => {}
 }

 const logger = proxyLogger(_logger, __NEXTAUTH.basePath)

+const broadcast = BroadcastChannel()
+
 // Add event listners on load
-if (typeof window !== 'undefined') {
-  if (__NEXTAUTH._eventListenersAdded === false) {
-    __NEXTAUTH._eventListenersAdded = true
+if (typeof window !== 'undefined' && !__NEXTAUTH._eventListenersAdded) {
+  __NEXTAUTH._eventListenersAdded = true
+  // Listen for storage events and update session if event fired from
+  // another window (but suppress firing another event to avoid a loop)
+  // Fetch new session data but tell it to not to fire another event to
+  // avoid an infinite loop.
+  // Note: We could pass session data through and do something like
+  // `setData(message.data)` but that can cause problems depending
+  // on how the session object is being used in the client; it is
+  // more robust to have each window/tab fetch it's own copy of the
+  // session object rather than share it across instances.
+  broadcast.receive(() => __NEXTAUTH._getSession({ event: 'storage' }))

-    // Listen for storage events and update session if event fired from
-    // another window (but suppress firing another event to avoid a loop)
-    window.addEventListener('storage', async (event) => {
-      if (event.key === 'nextauth.message') {
-        const message = JSON.parse(event.newValue)
-        if (message?.event === 'session' && message.data) {
-          // Ignore storage events fired from the same window that created them
-          if (__NEXTAUTH._clientId === message.clientId) {
-            return
-          }
-
-          // Fetch new session data but pass 'true' to it not to fire an event to
-          // avoid an infinite loop.
-          //
-          // Note: We could pass session data through and do something like
-          // `setData(message.data)` but that can cause problems depending
-          // on how the session object is being used in the client; it is
-          // more robust to have each window/tab fetch it's own copy of the
-          // session object rather than share it across instances.
-          await __NEXTAUTH._getSession({ event: 'storage' })
-        }
-      }
-    })
-
-    // Listen for document visibilitychange events
-    let hidden, visibilityChange
-    if (typeof document.hidden !== 'undefined') { // Opera 12.10 and Firefox 18 and later support
-      hidden = 'hidden'
-      visibilityChange = 'visibilitychange'
-    } else if (typeof document.msHidden !== 'undefined') {
-      hidden = 'msHidden'
-      visibilityChange = 'msvisibilitychange'
-    } else if (typeof document.webkitHidden !== 'undefined') {
-      hidden = 'webkitHidden'
-      visibilityChange = 'webkitvisibilitychange'
-    }
-    const handleVisibilityChange = () => !document[hidden] && __NEXTAUTH._getSession({ event: visibilityChange })
-    document.addEventListener('visibilitychange', handleVisibilityChange, false)
-  }
-}
-
-// Method to set options. The documented way is to use the provider, but this
-// method is being left in as an alternative, that will be helpful if/when we
-// expose a vanilla JavaScript version that doesn't depend on React.
-const setOptions = ({
-  baseUrl,
-  basePath,
-  clientMaxAge,
-  keepAlive
-} = {}) => {
-  if (baseUrl) { __NEXTAUTH.baseUrl = baseUrl }
-  if (basePath) { __NEXTAUTH.basePath = basePath }
-  if (clientMaxAge) { __NEXTAUTH.clientMaxAge = clientMaxAge }
-  if (keepAlive) {
-    __NEXTAUTH.keepAlive = keepAlive
-
-    if (typeof window !== 'undefined' && keepAlive > 0) {
-      // Clear existing timer (if there is one)
-      if (__NEXTAUTH._clientSyncTimer !== null) { clearTimeout(__NEXTAUTH._clientSyncTimer) }
-
-      // Set next timer to trigger in number of seconds
-      __NEXTAUTH._clientSyncTimer = setTimeout(async () => {
-        // Only invoke keepalive when a session exists
-        if (__NEXTAUTH._clientSession) {
-          await __NEXTAUTH._getSession({ event: 'timer' })
-        }
-      }, keepAlive * 1000)
-    }
-  }
-}
-
-// Universal method (client + server)
-// If passed 'appContext' via getInitialProps() in _app.js then get the req
-// object from ctx and use that for the req value to allow getSession() to
-// work seemlessly in getInitialProps() on server side pages *and* in _app.js.
-export async function getSession ({ ctx, req = ctx?.req, triggerEvent = true } = {}) {
-  const baseUrl = _apiBaseUrl()
-  const fetchOptions = req ? { headers: { cookie: req.headers.cookie } } : {}
-  const session = await _fetchData(`${baseUrl}/session`, fetchOptions)
-  if (triggerEvent) {
-    _sendMessage({ event: 'session', data: { trigger: 'getSession' } })
-  }
-  return session
-}
-
-// Universal method (client + server)
-// If passed 'appContext' via getInitialProps() in _app.js then get the req
-// object from ctx and use that for the req value to allow getCsrfToken() to
-// work seemlessly in getInitialProps() on server side pages *and* in _app.js.
-async function getCsrfToken ({ ctx, req = ctx?.req } = {}) {
-  const baseUrl = _apiBaseUrl()
-  const fetchOptions = req ? { headers: { cookie: req.headers.cookie } } : {}
-  const data = await _fetchData(`${baseUrl}/csrf`, fetchOptions)
-  return data && data.csrfToken ? data.csrfToken : null
-}
-
-// Universal method (client + server); does not require request headers
-const getProviders = async () => {
-  const baseUrl = _apiBaseUrl()
-  return _fetchData(`${baseUrl}/providers`)
+  // Listen for document visibility change events and
+  // if visibility of the document changes, re-fetch the session.
+  document.addEventListener('visibilitychange', () => {
+    !document.hidden && __NEXTAUTH._getSession({ event: 'visibilitychange' })
+  }, false)
 }

 // Context to store session data globally
+/** @type {import("types/internals/client").SessionContext} */
 const SessionContext = createContext()

-// Client side method
-export const useSession = (session) => {
-  // Try to use context if we can
-  const value = useContext(SessionContext)
-
-  // If we have no Provider in the tree, call the actual hook
-  if (value === undefined) {
-    return _useSessionHook(session)
-  }
-
-  return value
+export function useSession (session) {
+  const context = useContext(SessionContext)
+  if (context) return context
+  return _useSessionHook(session)
 }

-// Internal hook for getting session from the api.
-const _useSessionHook = (session) => {
+function _useSessionHook (session) {
  const [data, setData] = useState(session)
-  const [loading, setLoading] = useState(true)
+  const [loading, setLoading] = useState(!data)

  useEffect(() => {
-    const _getSession = async ({ event = null } = {}) => {
+    __NEXTAUTH._getSession = async ({ event = null } = {}) => {
      try {
-        const triggredByEvent = (event !== null)
-        const triggeredByStorageEvent = !!((event && event === 'storage'))
+        const triggredByEvent = event !== null
+        const triggeredByStorageEvent = event === 'storage'

        const clientMaxAge = __NEXTAUTH.clientMaxAge
        const clientLastSync = parseInt(__NEXTAUTH._clientLastSync)
-        const currentTime = Math.floor(new Date().getTime() / 1000)
+        const currentTime = _now()
        const clientSession = __NEXTAUTH._clientSession

        // Updates triggered by a storage event *always* trigger an update and we
        // always update if we don't have any value for the current session state.
-        if (triggeredByStorageEvent === false && clientSession !== undefined) {
+        if (!triggeredByStorageEvent && clientSession !== undefined) {
          if (clientMaxAge === 0 && triggredByEvent !== true) {
            // If there is no time defined for when a session should be considered
            // stale, then it's okay to use the value we have until an event is
@@ -204,13 +110,14 @@ const _useSessionHook = (session) => {
        // Update clientLastSync before making response to avoid repeated
        // invokations that would otherwise be triggered while we are still
        // waiting for a response.
-        __NEXTAUTH._clientLastSync = Math.floor(new Date().getTime() / 1000)
+        __NEXTAUTH._clientLastSync = _now()

        // If this call was invoked via a storage event (i.e. another window) then
        // tell getSession not to trigger an event when it calls to avoid an
        // infinate loop.
-        const triggerEvent = (triggeredByStorageEvent === false)
-        const newClientSessionData = await getSession({ triggerEvent })
+        const newClientSessionData = await getSession({
+          triggerEvent: !triggeredByStorageEvent
+        })

        // Save session state internally, just so we can track that we've checked
        // if a session exists at least once.
@@ -220,28 +127,32 @@ const _useSessionHook = (session) => {
        setLoading(false)
      } catch (error) {
        logger.error('CLIENT_USE_SESSION_ERROR', error)
+        setLoading(false)
      }
    }

-    __NEXTAUTH._getSession = _getSession
-
-    _getSession()
+    __NEXTAUTH._getSession()
  })
+
  return [data, loading]
 }

-/**
- * Client-side method to initiate a signin flow
- * or send the user to the signin page listing all possible providers.
- * (Automatically adds the CSRF token to the request)
- * @see https://next-auth.js.org/getting-started/client#signin
- * @param {string} [provider]
- * @param {SignInOptions} [options]
- * @param {object} [authorizationParams]
- * @return {Promise<SignInResponse | undefined>}
- * @typedef {{callbackUrl?: string; redirect?: boolean}} SignInOptions
- * @typedef {{error: string | null; status: number; ok: boolean}} SignInResponse
- */
+export async function getSession (ctx) {
+  const session = await _fetchData('session', ctx)
+  if (ctx?.triggerEvent ?? true) {
+    broadcast.post({ event: 'session', data: { trigger: 'getSession' } })
+  }
+  return session
+}
+
+async function getCsrfToken (ctx) {
+  return (await _fetchData('csrf', ctx))?.csrfToken
+}
+
+export async function getProviders () {
+  return _fetchData('providers')
+}
+
 export async function signIn (provider, options = {}, authorizationParams = {}) {
  const {
    callbackUrl = window.location,
@@ -258,6 +169,9 @@ export async function signIn (provider, options = {}, authorizationParams = {})
    return
  }
  const isCredentials = providers[provider].type === 'credentials'
+  const isEmail = providers[provider].type === 'email'
+  const canRedirectBeDisabled = isCredentials || isEmail
+
  const signInUrl = isCredentials
    ? `${baseUrl}/callback/${provider}`
    : `${baseUrl}/signin/${provider}`
@@ -279,7 +193,7 @@ export async function signIn (provider, options = {}, authorizationParams = {})
  const _signInUrl = `${signInUrl}?${new URLSearchParams(authorizationParams)}`
  const res = await fetch(_signInUrl, fetchOptions)
  const data = await res.json()
-  if (redirect || !isCredentials) {
+  if (redirect || !canRedirectBeDisabled) {
    const url = data.url ?? callbackUrl
    window.location = url
    // If url contains a hash, the browser does not reload the page. We reload manually
@@ -302,13 +216,6 @@ export async function signIn (provider, options = {}, authorizationParams = {})
  }
 }

-/**
- * Signs the user out, by removing the session cookie.
- * (Automatically adds the CSRF token to the request)
- * @param {SignOutOptions} [options]
- * @returns {Promise<{url?: string} | undefined>}
- * @typedef {{callbackUrl?: string; redirect?: boolean;}} SignOutOptions
- */
 export async function signOut (options = {}) {
  const {
    callbackUrl = window.location,
@@ -328,7 +235,7 @@ export async function signOut (options = {}) {
  }
  const res = await fetch(`${baseUrl}/signout`, fetchOptions)
  const data = await res.json()
-  _sendMessage({ event: 'session', data: { trigger: 'signout' } })
+  broadcast.post({ event: 'session', data: { trigger: 'signout' } })
  if (redirect) {
    const url = data.url ?? callbackUrl
    window.location = url
@@ -342,40 +249,109 @@ export async function signOut (options = {}) {
  return data
 }

-// Provider to wrap the app in to make session data available globally
-export const Provider = ({ children, session, options }) => {
-  setOptions(options)
-  return createElement(SessionContext.Provider, { value: useSession(session) }, children)
-}
+// Method to set options. The documented way is to use the provider, but this
+// method is being left in as an alternative, that will be helpful if/when we
+// expose a vanilla JavaScript version that doesn't depend on React.
+export function setOptions ({ baseUrl, basePath, clientMaxAge, keepAlive } = {}) {
+  if (baseUrl) __NEXTAUTH.baseUrl = baseUrl
+  if (basePath) __NEXTAUTH.basePath = basePath
+  if (clientMaxAge) __NEXTAUTH.clientMaxAge = clientMaxAge
+  if (keepAlive) {
+    __NEXTAUTH.keepAlive = keepAlive
+    if (typeof window === 'undefined') return

-const _fetchData = async (url, options = {}) => {
-  try {
-    const res = await fetch(url, options)
-    const data = await res.json()
-    return Promise.resolve(Object.keys(data).length > 0 ? data : null) // Return null if data empty
-  } catch (error) {
-    logger.error('CLIENT_FETCH_ERROR', url, error)
-    return Promise.resolve(null)
+    // Clear existing timer (if there is one)
+    if (__NEXTAUTH._clientSyncTimer !== null) {
+      clearTimeout(__NEXTAUTH._clientSyncTimer)
+    }
+
+    // Set next timer to trigger in number of seconds
+    __NEXTAUTH._clientSyncTimer = setTimeout(async () => {
+      // Only invoke keepalive when a session exists
+      if (!__NEXTAUTH._clientSession) return
+      await __NEXTAUTH._getSession({ event: 'timer' })
+    }, keepAlive * 1000)
  }
 }

-const _apiBaseUrl = () => {
+export function Provider ({ children, session, options }) {
+  setOptions(options)
+  return createElement(
+    SessionContext.Provider,
+    { value: useSession(session) },
+    children
+  )
+}
+
+/**
+ * If passed 'appContext' via getInitialProps() in _app.js
+ * then get the req object from ctx and use that for the
+ * req value to allow _fetchData to
+ * work seemlessly in getInitialProps() on server side
+ * pages *and* in _app.js.
+ */
+async function _fetchData (path, { ctx, req = ctx?.req } = {}) {
+  try {
+    const baseUrl = await _apiBaseUrl()
+    const options = req ? { headers: { cookie: req.headers.cookie } } : {}
+    const res = await fetch(`${baseUrl}/${path}`, options)
+    const data = await res.json()
+    return Object.keys(data).length > 0 ? data : null // Return null if data empty
+  } catch (error) {
+    logger.error('CLIENT_FETCH_ERROR', path, error)
+    return null
+  }
+}
+
+function _apiBaseUrl () {
  if (typeof window === 'undefined') {
    // NEXTAUTH_URL should always be set explicitly to support server side calls - log warning if not set
-    if (!process.env.NEXTAUTH_URL) { logger.warn('NEXTAUTH_URL', 'NEXTAUTH_URL environment variable not set') }
+    if (!process.env.NEXTAUTH_URL) {
+      logger.warn('NEXTAUTH_URL', 'NEXTAUTH_URL environment variable not set')
+    }

    // Return absolute path when called server side
-    return `${__NEXTAUTH.baseUrl}${__NEXTAUTH.basePath}`
-  } else {
-    // Return relative path when called client side
-    return __NEXTAUTH.basePath
+    return `${__NEXTAUTH.baseUrlServer}${__NEXTAUTH.basePathServer}`
  }
+  // Return relative path when called client side
+  return __NEXTAUTH.basePath
 }

-const _sendMessage = (message) => {
-  if (typeof localStorage !== 'undefined') {
-    const timestamp = Math.floor(new Date().getTime() / 1000)
-    localStorage.setItem('nextauth.message', JSON.stringify({ ...message, clientId: __NEXTAUTH._clientId, timestamp })) // eslint-disable-line
+/** Returns the number of seconds elapsed since January 1, 1970 00:00:00 UTC. */
+function _now () {
+  return Math.floor(Date.now() / 1000)
+}
+
+/**
+ * Inspired by [Broadcast Channel API](https://developer.mozilla.org/en-US/docs/Web/API/Broadcast_Channel_API)
+ * Only not using it directly, because Safari does not support it.
+ *
+ * https://caniuse.com/?search=broadcastchannel
+ */
+function BroadcastChannel (name = 'nextauth.message') {
+  return {
+    /**
+     * Get notified by other tabs/windows.
+     * @param {(message: import("types/internals/client").BroadcastMessage) => void} onReceive
+     */
+    receive (onReceive) {
+      if (typeof window === 'undefined') return
+      window.addEventListener('storage', async (event) => {
+        if (event.key !== name) return
+        /** @type {import("types/internals/client").BroadcastMessage} */
+        const message = JSON.parse(event.newValue)
+        if (message?.event !== 'session' || !message?.data) return
+
+        onReceive(message)
+      })
+    },
+    /** Notify other tabs/windows. */
+    post (message) {
+      if (typeof localStorage === 'undefined') return
+      localStorage.setItem(name,
+        JSON.stringify({ ...message, timestamp: _now() })
+      )
+    }
  }
 }

--- a/src/lib/jwt.js
+++ b/src/lib/jwt.js
@@ -106,7 +106,8 @@ async function getToken (params) {
    // or not set (e.g. development or test instance) case use unprefixed name
    secureCookie = !(!process.env.NEXTAUTH_URL || process.env.NEXTAUTH_URL.startsWith('http://')),
    cookieName = (secureCookie) ? '__Secure-next-auth.session-token' : 'next-auth.session-token',
-    raw = false
+    raw = false,
+    decode: _decode = decode
  } = params
  if (!req) throw new Error('Must pass `req` to JWT getToken()')

@@ -126,7 +127,7 @@ async function getToken (params) {
  }

  try {
-    return decode({ token, ...params })
+    return _decode({ token, ...params })
  } catch {
    return null
  }
--- a/src/lib/logger.d.ts
+++ b/src/lib/logger.d.ts
@@ -1,5 +0,0 @@
-export interface LoggerInstance {
-  warn: (code?: string, ...message: unknown[]) => void
-  error: (code?: string, ...message: unknown[]) => void
-  debug: (code?: string, ...message: unknown[]) => void
-}
--- a/src/lib/logger.js
+++ b/src/lib/logger.js
@@ -1,4 +1,4 @@
-/** @type {import("./logger").LoggerInstance} */
+/** @type {import("types").LoggerInstance} */
 const _logger = {
  error (code, ...message) {
    console.error(
@@ -26,7 +26,7 @@ const _logger = {
 /**
 * Override the built-in logger.
 * Any `undefined` level will use the default logger.
- * @param {Partial<import("./logger").LoggerInstance>} newLogger
+ * @param {Partial<import("types").LoggerInstance>} newLogger
 */
 export function setLogger (newLogger = {}) {
  if (newLogger.error) _logger.error = newLogger.error
@@ -38,9 +38,9 @@ export default _logger

 /**
 * Serializes client-side log messages and sends them to the server
- * @param {import("./logger").LoggerInstance} logger
+ * @param {import("types").LoggerInstance} logger
 * @param {string} basePath
- * @return {import("./logger").LoggerInstance}
+ * @return {import("types").LoggerInstance}
 */
 export function proxyLogger (logger = _logger, basePath) {
  try {
@@ -48,7 +48,7 @@ export function proxyLogger (logger = _logger, basePath) {
      return logger
    }

-    const clientLogger = {}
+    const clientLogger = console
    for (const level in logger) {
      clientLogger[level] = (code, ...message) => {
        _logger[level](code, ...message) // Log on client as usual
--- a/src/providers/discord.js
+++ b/src/providers/discord.js
@@ -14,7 +14,7 @@ export default (options) => {
        const defaultAvatarNumber = parseInt(profile.discriminator) % 5
        profile.image_url = `https://cdn.discordapp.com/embed/avatars/${defaultAvatarNumber}.png`
      } else {
-        const format = profile.premium_type === 1 || profile.premium_type === 2 ? 'gif' : 'png'
+        const format = profile.avatar.startsWith('a_') ? 'gif' : 'png'
        profile.image_url = `https://cdn.discordapp.com/avatars/${profile.id}/${profile.avatar}.${format}`
      }
      return {
--- a/src/providers/faceit.js
+++ b/src/providers/faceit.js
@@ -0,0 +1,25 @@
+export default (options) => {
+  return {
+    id: 'faceit',
+    name: 'FACEIT',
+    type: 'oauth',
+    version: '2.0',
+    params: { grant_type: 'authorization_code' },
+    headers: {
+      Authorization: `Basic ${Buffer.from(`${options.clientId}:${options.clientSecret}`).toString('base64')}`
+    },
+    accessTokenUrl: 'https://api.faceit.com/auth/v1/oauth/token',
+    authorizationUrl: 'https://accounts.faceit.com/accounts?redirect_popup=true&response_type=code',
+    profileUrl: 'https://api.faceit.com/auth/v1/resources/userinfo',
+    profile (profile) {
+      const { guid: id, nickname: name, email, picture: image } = profile
+      return {
+        id,
+        name,
+        email,
+        image
+      }
+    },
+    ...options
+  }
+}
--- a/src/providers/index.js
+++ b/src/providers/index.js
@@ -12,18 +12,22 @@ import Discord from './discord'
 import Email from './email'
 import EVEOnline from './eveonline'
 import Facebook from './facebook'
+import FACEIT from './faceit'
 import Foursquare from './foursquare'
 import FusionAuth from './fusionauth'
 import GitHub from './github'
 import GitLab from './gitlab'
 import Google from './google'
 import IdentityServer4 from './identity-server4'
+import Instagram from './instagram'
+import Kakao from './kakao'
 import LINE from './line'
 import LinkedIn from './linkedin'
 import MailRu from './mailru'
 import Medium from './medium'
 import Netlify from './netlify'
 import Okta from './okta'
+import Osso from './osso'
 import Reddit from './reddit'
 import Salesforce from './salesforce'
 import Slack from './slack'
@@ -33,6 +37,7 @@ import Twitch from './twitch'
 import Twitter from './twitter'
 import VK from './vk'
 import Yandex from './yandex'
+import Zoho from './zoho'

 export default {
  Apple,
@@ -49,18 +54,22 @@ export default {
  Email,
  EVEOnline,
  Facebook,
+  FACEIT,
  Foursquare,
  FusionAuth,
  GitHub,
  GitLab,
  Google,
  IdentityServer4,
+  Instagram,
+  Kakao,
  LINE,
  LinkedIn,
  MailRu,
  Medium,
  Netlify,
  Okta,
+  Osso,
  Reddit,
  Salesforce,
  Slack,
@@ -69,5 +78,6 @@ export default {
  Twitch,
  Twitter,
  VK,
-  Yandex
+  Yandex,
+  Zoho
 }
--- a/src/providers/instagram.js
+++ b/src/providers/instagram.js
@@ -0,0 +1,50 @@
+/**
+ * @type {import("types/providers").OAuthProvider} options
+ * @example
+ *
+ * ```js
+ * // pages/api/auth/[...nextauth].js
+ * import Providers from `next-auth/providers`
+ * ...
+ * providers: [
+ *   Providers.Instagram({
+ *     clientId: process.env.INSTAGRAM_CLIENT_ID,
+ *     clientSecret: process.env.INSTAGRAM_CLIENT_SECRET
+ *   })
+ * ]
+ * ...
+ *
+ * // pages/index
+ * import { signIn } from "next-auth/client"
+ * ...
+ * <button onClick={() => signIn("instagram")}>
+ *   Sign in
+ * </button>
+ * ...
+ * ```
+ * [NextAuth.js Documentation](https://next-auth.js.org/providers/instagram) | [Instagram Documentation](https://developers.facebook.com/docs/instagram-basic-display-api/getting-started) | [Configuration](https://developers.facebook.com/apps)
+ */
+export default function Instagram(options) {
+  return {
+    id: "instagram",
+    name: "Instagram",
+    type: "oauth",
+    version: "2.0",
+    scope: "user_profile",
+    params: { grant_type: "authorization_code" },
+    accessTokenUrl: "https://api.instagram.com/oauth/access_token",
+    authorizationUrl:
+      "https://api.instagram.com/oauth/authorize?response_type=code",
+    profileUrl:
+      "https://graph.instagram.com/me?fields=id,username,account_type,name",
+    async profile(profile) {
+      return {
+        id: profile.id,
+        name: profile.username,
+        email: null,
+        image: null,
+      }
+    },
+    ...options,
+  }
+}
--- a/src/providers/kakao.js
+++ b/src/providers/kakao.js
@@ -0,0 +1,21 @@
+export default (options) => {
+  return {
+    id: 'kakao',
+    name: 'Kakao',
+    type: 'oauth',
+    version: '2.0',
+    params: { grant_type: 'authorization_code' },
+    accessTokenUrl: 'https://kauth.kakao.com/oauth/token',
+    authorizationUrl: 'https://kauth.kakao.com/oauth/authorize?response_type=code',
+    profileUrl: 'https://kapi.kakao.com/v2/user/me',
+    profile: (profile) => {
+      return {
+        id: profile.id,
+        name: profile.kakao_account?.profile.nickname,
+        email: profile.kakao_account?.email,
+        image: profile.kakao_account?.profile.profile_image_url
+      }
+    },
+    ...options
+  }
+}
--- a/src/providers/osso.js
+++ b/src/providers/osso.js
@@ -0,0 +1,20 @@
+export default (options) => {
+  return {
+    id: 'osso',
+    name: 'SAML SSO',
+    type: 'oauth',
+    version: '2.0',
+    params: { grant_type: 'authorization_code' },
+    accessTokenUrl: `https://${options.domain}/oauth/token`,
+    authorizationUrl: `https://${options.domain}/oauth/authorize?response_type=code`,
+    profileUrl: `https://${options.domain}/oauth/me`,
+    profile: (profile) => {
+      return {
+        id: profile.id,
+        name: profile.name || profile.email,
+        email: profile.email
+      }
+    },
+    ...options
+  }
+}
--- a/src/providers/zoho.js
+++ b/src/providers/zoho.js
@@ -0,0 +1,22 @@
+export default (options) => {
+  return {
+    id: 'zoho',
+    name: 'Zoho',
+    type: 'oauth',
+    version: '2.0',
+    scope: 'AaaServer.profile.Read',
+    params: { grant_type: 'authorization_code' },
+    accessTokenUrl: 'https://accounts.zoho.com/oauth/v2/token',
+    authorizationUrl: 'https://accounts.zoho.com/oauth/v2/auth?response_type=code',
+    profileUrl: 'https://accounts.zoho.com/oauth/user/info',
+    profile: (profile) => {
+      return {
+        id: profile.ZUID,
+        name: `${profile.First_Name} ${profile.Last_Name}`,
+        email: profile.Email,
+        image: null
+      }
+    },
+    ...options
+  }
+}
--- a/src/server/index.d.ts
+++ b/src/server/index.d.ts
@@ -82,6 +82,7 @@ export interface NextAuthInternalOptions extends Pick<NextAuthOptions, NextAuthS
  basePath?: string
  action?: string
  csrfToken?: string
+  csrfTokenVerified?: boolean
 }

 export interface NextAuthRequest extends NextApiRequest {
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -6,12 +6,12 @@ import * as cookie from './lib/cookie'
 import * as defaultEvents from './lib/default-events'
 import * as defaultCallbacks from './lib/default-callbacks'
 import parseProviders from './lib/providers'
-import callbackUrlHandler from './lib/callback-url-handler'
-import extendRes from './lib/extend-req'
 import * as routes from './routes'
 import renderPage from './pages'
-import csrfTokenHandler from './lib/csrf-token-handler'
 import createSecret from './lib/create-secret'
+import callbackUrlHandler from './lib/callback-url-handler'
+import extendRes from './lib/extend-res'
+import csrfTokenHandler from './lib/csrf-token-handler'
 import * as pkce from './lib/oauth/pkce-handler'
 import * as state from './lib/oauth/state-handler'

@@ -24,7 +24,7 @@ if (!process.env.NEXTAUTH_URL) {
 /**
 * @param {import("next").NextApiRequest} req
 * @param {import("next").NextApiResponse} res
- * @param {import(".").NextAuthOptions} userOptions
+ * @param {import("types").NextAuthOptions} userOptions
 */
 async function NextAuthHandler (req, res, userOptions) {
  if (userOptions.logger) {
@@ -67,16 +67,18 @@ async function NextAuthHandler (req, res, userOptions) {

    const secret = createSecret({ userOptions, basePath, baseUrl })

-    const { csrfToken, csrfTokenVerified } = csrfTokenHandler(req, res, cookies, secret)
-
    const providers = parseProviders({ providers: userOptions.providers, baseUrl, basePath })
    const provider = providers.find(({ id }) => id === providerId)

-    if (provider &&
-      provider.type === 'oauth' && provider.version?.startsWith('2') &&
-       (!provider.protection && provider.state !== false)
-    ) {
-      provider.protection = 'state' // Default to state, as we did in 3.1 REVIEW: should we use "pkce" or "none" as default?
+    // Protection only works on OAuth 2.x providers
+    if (provider?.type === 'oauth' && provider.version?.startsWith('2')) {
+      // When provider.state is undefined, we still want this to pass
+      if (!provider.protection && provider.state !== false) {
+        // Default to state, as we did in 3.1 REVIEW: should we use "pkce" or "none" as default?
+        provider.protection = ['state']
+      } else if (typeof provider.protection === 'string') {
+        provider.protection = [provider.protection]
+      }
    }

    const maxAge = 30 * 24 * 60 * 60 // Sessions expire after 30 days of being idle
@@ -103,7 +105,6 @@ async function NextAuthHandler (req, res, userOptions) {
      provider,
      cookies,
      secret,
-      csrfToken,
      providers,
      // Session options
      session: {
@@ -134,6 +135,7 @@ async function NextAuthHandler (req, res, userOptions) {
      logger
    }

+    csrfTokenHandler(req, res)
    await callbackUrlHandler(req, res)

    const render = renderPage(req, res)
@@ -146,7 +148,7 @@ async function NextAuthHandler (req, res, userOptions) {
        case 'session':
          return routes.session(req, res)
        case 'csrf':
-          return res.json({ csrfToken })
+          return res.json({ csrfToken: req.options.csrfToken })
        case 'signin':
          if (pages.signIn) {
            let signinUrl = `${pages.signIn}${pages.signIn.includes('?') ? '&' : '?'}callbackUrl=${req.options.callbackUrl}`
@@ -199,7 +201,7 @@ async function NextAuthHandler (req, res, userOptions) {
      switch (action) {
        case 'signin':
          // Verified CSRF Token required for all sign in routes
-          if (csrfTokenVerified && provider) {
+          if (req.options.csrfTokenVerified && provider) {
            if (await pkce.handleSignin(req, res)) return
            if (await state.handleSignin(req, res)) return
            return routes.signin(req, res)
@@ -208,14 +210,14 @@ async function NextAuthHandler (req, res, userOptions) {
          return res.redirect(`${baseUrl}${basePath}/signin?csrf=true`)
        case 'signout':
          // Verified CSRF Token required for signout
-          if (csrfTokenVerified) {
+          if (req.options.csrfTokenVerified) {
            return routes.signout(req, res)
          }
          return res.redirect(`${baseUrl}${basePath}/signout?csrf=true`)
        case 'callback':
          if (provider) {
            // Verified CSRF Token required for credentials providers only
-            if (provider.type === 'credentials' && !csrfTokenVerified) {
+            if (provider.type === 'credentials' && !req.options.csrfTokenVerified) {
              return res.redirect(`${baseUrl}${basePath}/signin?csrf=true`)
            }

@@ -225,18 +227,19 @@ async function NextAuthHandler (req, res, userOptions) {
          }
          break
        case '_log':
-          try {
-            if (!userOptions.logger) return
-            const {
-              code = 'CLIENT_ERROR',
-              level = 'error',
-              message = '[]'
-            } = req.body
+          if (userOptions.logger) {
+            try {
+              const {
+                code = 'CLIENT_ERROR',
+                level = 'error',
+                message = '[]'
+              } = req.body

-            logger[level](code, ...JSON.parse(message))
-          } catch (error) {
-            // If logging itself failed...
-            logger.error('LOGGER_ERROR', error)
+              logger[level](code, ...JSON.parse(message))
+            } catch (error) {
+              // If logging itself failed...
+              logger.error('LOGGER_ERROR', error)
+            }
          }
          return res.end()
        default:
--- a/src/server/lib/callbacks.d.ts
+++ b/src/server/lib/callbacks.d.ts
@@ -1,7 +0,0 @@
-
-export interface CallbacksOptions {
-  signIn?: (user: any, account: any, profile: any) => Promise<never | string>
-  jwt?: (token: any, user: any, account: any, profile: any, isNewUser?: boolean) => Promise<any>
-  session?: (session: any, userOrToken: any) => Promise<any>
-  redirect?: (url: string, baseUrl: string) => Promise<string>
-}
--- a/src/server/lib/cookie.d.ts
+++ b/src/server/lib/cookie.d.ts
@@ -1,16 +0,0 @@
-export interface CookieOption {
-  name: string
-  options: {
-    httpOnly: boolean
-    sameSite: string
-    path?: string
-    secure: boolean
-  }
-}
-
-export interface CookiesOptions {
-  sessionToken: CookieOption
-  callbackUrl: CookieOption
-  csrfToken: CookieOption
-  pkceCodeVerifier: CookieOption
-}
--- a/src/server/lib/cookie.js
+++ b/src/server/lib/cookie.js
@@ -9,7 +9,8 @@
 * (with fixes for specific issues) to keep dependancy size down.
 */
 export function set (res, name, value, options = {}) {
-  const stringValue = typeof value === 'object' ? 'j:' + JSON.stringify(value) : String(value)
+  const stringValue =
+    typeof value === 'object' ? 'j:' + JSON.stringify(value) : String(value)

  if ('maxAge' in options) {
    options.expires = new Date(Date.now() + options.maxAge)
@@ -19,7 +20,9 @@ export function set (res, name, value, options = {}) {
  // Preserve any existing cookies that have already been set in the same session
  let setCookieHeader = res.getHeader('Set-Cookie') || []
  // If not an array (i.e. a string with a single cookie) convert it into an array
-  if (!Array.isArray(setCookieHeader)) { setCookieHeader = [setCookieHeader] }
+  if (!Array.isArray(setCookieHeader)) {
+    setCookieHeader = [setCookieHeader]
+  }
  setCookieHeader.push(_serialize(name, String(stringValue), options))
  res.setHeader('Set-Cookie', setCookieHeader)
 }
@@ -30,32 +33,44 @@ function _serialize (name, val, options) {
  const opt = options || {}
  const enc = opt.encode || encodeURIComponent

-  if (typeof enc !== 'function') { throw new TypeError('option encode is invalid') }
+  if (typeof enc !== 'function') {
+    throw new TypeError('option encode is invalid')
+  }

-  if (!fieldContentRegExp.test(name)) { throw new TypeError('argument name is invalid') }
+  if (!fieldContentRegExp.test(name)) {
+    throw new TypeError('argument name is invalid')
+  }

  const value = enc(val)

-  if (value && !fieldContentRegExp.test(value)) { throw new TypeError('argument val is invalid') }
+  if (value && !fieldContentRegExp.test(value)) {
+    throw new TypeError('argument val is invalid')
+  }

  let str = name + '=' + value

  if (opt.maxAge != null) {
    const maxAge = opt.maxAge - 0

-    if (isNaN(maxAge) || !isFinite(maxAge)) { throw new TypeError('option maxAge is invalid') }
+    if (isNaN(maxAge) || !isFinite(maxAge)) {
+      throw new TypeError('option maxAge is invalid')
+    }

    str += '; Max-Age=' + Math.floor(maxAge)
  }

  if (opt.domain) {
-    if (!fieldContentRegExp.test(opt.domain)) { throw new TypeError('option domain is invalid') }
+    if (!fieldContentRegExp.test(opt.domain)) {
+      throw new TypeError('option domain is invalid')
+    }

    str += '; Domain=' + opt.domain
  }

  if (opt.path) {
-    if (!fieldContentRegExp.test(opt.path)) { throw new TypeError('option path is invalid') }
+    if (!fieldContentRegExp.test(opt.path)) {
+      throw new TypeError('option path is invalid')
+    }

    str += '; Path=' + opt.path
  } else {
@@ -73,12 +88,19 @@ function _serialize (name, val, options) {
    str += '; Expires=' + expires
  }

-  if (opt.httpOnly) { str += '; HttpOnly' }
+  if (opt.httpOnly) {
+    str += '; HttpOnly'
+  }

-  if (opt.secure) { str += '; Secure' }
+  if (opt.secure) {
+    str += '; Secure'
+  }

  if (opt.sameSite) {
-    const sameSite = typeof opt.sameSite === 'string' ? opt.sameSite.toLowerCase() : opt.sameSite
+    const sameSite =
+      typeof opt.sameSite === 'string'
+        ? opt.sameSite.toLowerCase()
+        : opt.sameSite

    switch (sameSite) {
      case true:
@@ -110,7 +132,7 @@ function _serialize (name, val, options) {
 * For more on prefixes see https://googlechrome.github.io/samples/cookie-prefixes/
 *
 * @TODO Review cookie settings (names, options)
- * @return {import("./cookie").CookiesOptions}
+ * @return {import("types").CookiesOptions}
 */
 export function defaultCookies (useSecureCookies) {
  const cookiePrefix = useSecureCookies ? '__Secure-' : ''
--- a/src/server/lib/csrf-token-handler.js
+++ b/src/server/lib/csrf-token-handler.js
@@ -14,29 +14,30 @@ import * as cookie from './cookie'
 * For more details, see the following OWASP links:
 * https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie
 * https://owasp.org/www-chapter-london/assets/slides/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf
+ * @param {import("..").NextAuthRequest} req
+ * @param {import("..").NextAuthResponse} res
 */
-export default function csrfTokenHandler (req, res, cookies, secret) {
-  const { csrfToken: csrfTokenFromRequest } = req.body
-
-  let csrfTokenFromCookie
-  let csrfTokenVerified = false
-  if (req.cookies[cookies.csrfToken.name]) {
-    const [csrfTokenValue, csrfTokenHash] = req.cookies[cookies.csrfToken.name].split('|')
-    if (csrfTokenHash === createHash('sha256').update(`${csrfTokenValue}${secret}`).digest('hex')) {
+export default function csrfTokenHandler (req, res) {
+  const { cookies, secret } = req.options
+  if (cookies.csrfToken.name in req.cookies) {
+    const [csrfToken, csrfTokenHash] = req.cookies[cookies.csrfToken.name].split('|')
+    const expectedCsrfTokenHash = createHash('sha256').update(`${csrfToken}${secret}`).digest('hex')
+    if (csrfTokenHash === expectedCsrfTokenHash) {
      // If hash matches then we trust the CSRF token value
-      csrfTokenFromCookie = csrfTokenValue
-
-      // If this is a POST request and the CSRF Token in the Post request matches
-      // the cookie we have already verified is one we have set, then token is verified!
-      if (req.method === 'POST' && csrfTokenFromCookie === csrfTokenFromRequest) { csrfTokenVerified = true }
+      // If this is a POST request and the CSRF Token in the POST request matches
+      // the cookie we have already verified is the one we have set, then the token is verified!
+      const csrfTokenVerified = req.method === 'POST' && csrfToken === req.body.csrfToken
+      req.options.csrfToken = csrfToken
+      req.options.csrfTokenVerified = csrfTokenVerified
+      return
    }
  }
-  if (!csrfTokenFromCookie) {
-    // If no csrfToken - because it's not been set yet, or because the hash doesn't match
-    // (e.g. because it's been modifed or because the secret has changed) create a new token.
-    csrfTokenFromCookie = randomBytes(32).toString('hex')
-    const newCsrfTokenCookie = `${csrfTokenFromCookie}|${createHash('sha256').update(`${csrfTokenFromCookie}${secret}`).digest('hex')}`
-    cookie.set(res, cookies.csrfToken.name, newCsrfTokenCookie, cookies.csrfToken.options)
-  }
-  return { csrfToken: csrfTokenFromCookie, csrfTokenVerified }
+  // If no csrfToken from cookie - because it's not been set yet,
+  // or because the hash doesn't match (e.g. because it's been modifed or because the secret has changed)
+  // create a new token.
+  const csrfToken = randomBytes(32).toString('hex')
+  const csrfTokenHash = createHash('sha256').update(`${csrfToken}${secret}`).digest('hex')
+  const csrfTokenCookie = `${csrfToken}|${csrfTokenHash}`
+  cookie.set(res, cookies.csrfToken.name, csrfTokenCookie, cookies.csrfToken.options)
+  req.options.csrfToken = csrfToken
 }
--- a/src/server/lib/events.d.ts
+++ b/src/server/lib/events.d.ts
@@ -1,12 +0,0 @@
-export type EventType=
-  | 'signIn'
-  | 'signOut'
-  | 'createUser'
-  | 'updateUser'
-  | 'linkAccount'
-  | 'session'
-  | 'error'
-
-export type EventCallback = (message: any) => Promise<void>
-
-export type EventsOptions = Partial<Record<EventType, EventCallback>>
--- a/src/server/lib/extend-res.js
+++ b/src/server/lib/extend-res.js
--- a/src/server/lib/oauth/callback.js
+++ b/src/server/lib/oauth/callback.js
@@ -1,19 +1,19 @@
-import { decode as jwtDecode } from 'jsonwebtoken'
-import oAuthClient from './client'
-import logger from '../../../lib/logger'
-import { OAuthCallbackError } from '../../../lib/errors'
+import { decode as jwtDecode } from "jsonwebtoken"
+import oAuthClient from "./client"
+import logger from "../../../lib/logger"
+import { OAuthCallbackError } from "../../../lib/errors"

-/** @param {import("../..").NextAuthRequest} req */
-export default async function oAuthCallback (req) {
+/** @param {import("types/internals").NextAuthRequest} req */
+export default async function oAuthCallback(req) {
  const { provider, pkce } = req.options
  const client = oAuthClient(provider)

-  if (provider.version?.startsWith('2.')) {
+  if (provider.version?.startsWith("2.")) {
    // The "user" object is specific to the Apple provider and is provided on first sign in
    // e.g. {"name":{"firstName":"Johnny","lastName":"Appleseed"},"email":"johnny.appleseed@nextauth.com"}
    let { code, user } = req.query // eslint-disable-line camelcase

-    if (req.method === 'POST') {
+    if (req.method === "POST") {
      try {
        const body = JSON.parse(JSON.stringify(req.body))
        if (body.error) {
@@ -23,25 +23,35 @@ export default async function oAuthCallback (req) {
        code = body.code
        user = body.user != null ? JSON.parse(body.user) : null
      } catch (error) {
-        logger.error('OAUTH_CALLBACK_HANDLER_ERROR', error, req.body, provider.id, code)
+        logger.error(
+          "OAUTH_CALLBACK_HANDLER_ERROR",
+          error,
+          req.body,
+          provider.id,
+          code
+        )
        throw error
      }
    }

    // REVIEW: Is this used by any of the providers?
    // Pass authToken in header by default (unless 'useAuthTokenHeader: false' is set)
-    if (Object.prototype.hasOwnProperty.call(provider, 'useAuthTokenHeader')) {
+    if (Object.prototype.hasOwnProperty.call(provider, "useAuthTokenHeader")) {
      client.useAuthorizationHeaderforGET(provider.useAuthTokenHeader)
    } else {
      client.useAuthorizationHeaderforGET(true)
    }

    try {
-      const tokens = await client.getOAuthAccessToken(code, provider, pkce.code_verifier)
+      const tokens = await client.getOAuthAccessToken(
+        code,
+        provider,
+        pkce.code_verifier
+      )
      let profileData
      if (provider.idToken) {
        if (!tokens?.id_token) {
-          throw new OAuthCallbackError('Missing JWT ID Token')
+          throw new OAuthCallbackError("Missing JWT ID Token")
        }

        // Support services that use OpenID ID Tokens to encode profile data
@@ -52,26 +62,28 @@ export default async function oAuthCallback (req) {

      return getProfile({ profileData, provider, tokens, user })
    } catch (error) {
-      logger.error('OAUTH_GET_ACCESS_TOKEN_ERROR', error, provider.id, code)
+      logger.error("OAUTH_GET_ACCESS_TOKEN_ERROR", error, provider.id, code)
      throw error
    }
  }

  try {
    // Handle OAuth v1.x
-    const {
-      oauth_token: oauthToken, oauth_verifier: oauthVerifier
-    } = req.query
-    const tokens = await client.getOAuthAccessToken(oauthToken, null, oauthVerifier)
+    // eslint-disable-next-line camelcase
+    const { oauth_token, oauth_verifier } = req.query
+
+    // eslint-disable-next-line camelcase
+    const { token_secret } = await client.getOAuthRequestToken(provider.params)
+    const tokens = await client.getOAuthAccessToken(oauth_token, token_secret, oauth_verifier)
    const profileData = await client.get(
      provider.profileUrl,
-      tokens.accessToken,
-      tokens.refreshToken
+      tokens.oauth_token,
+      tokens.oauth_token_secret
    )

    return getProfile({ profileData, tokens, provider })
  } catch (error) {
-    logger.error('OAUTH_V1_GET_ACCESS_TOKEN_ERROR', error)
+    logger.error("OAUTH_V1_GET_ACCESS_TOKEN_ERROR", error)
    throw error
  }
 }
@@ -89,15 +101,19 @@ export default async function oAuthCallback (req) {
 *     expires_in?: string | Date | null
 *     refresh_token?: string
 *     id_token?: string
+ *     token?: string
+ *     token_secret?: string
+ *     tokenSecret?: string
+ *     params?: any
 *   }
 *   provider: import("../..").Provider
 *   user?: object
 * }} profileParams
 */
-async function getProfile ({ profileData, tokens, provider, user }) {
+async function getProfile({ profileData, tokens, provider, user }) {
  try {
    // Convert profileData into an object if it's a string
-    if (typeof profileData === 'string' || profileData instanceof String) {
+    if (typeof profileData === "string" || profileData instanceof String) {
      profileData = JSON.parse(profileData)
    }

@@ -106,22 +122,22 @@ async function getProfile ({ profileData, tokens, provider, user }) {
      profileData.user = user
    }

-    logger.debug('PROFILE_DATA', profileData)
+    logger.debug("PROFILE_DATA", profileData)

    const profile = await provider.profile(profileData, tokens)
    // Return profile, raw profile and auth provider details
    return {
      profile: {
        ...profile,
-        email: profile.email?.toLowerCase() ?? null
+        email: profile.email?.toLowerCase() ?? null,
      },
      account: {
        provider: provider.id,
        type: provider.type,
        id: profile.id,
-        ...tokens
+        ...tokens,
      },
-      OAuthProfile: profileData
+      OAuthProfile: profileData,
    }
  } catch (exception) {
    // If we didn't get a response either there was a problem with the provider
@@ -131,11 +147,11 @@ async function getProfile ({ profileData, tokens, provider, user }) {
    // all providers, so we return an empty object; the user should then be
    // redirected back to the sign up page. We log the error to help developers
    // who might be trying to debug this when configuring a new provider.
-    logger.error('OAUTH_PARSE_PROFILE_ERROR', exception, profileData)
+    logger.error("OAUTH_PARSE_PROFILE_ERROR", exception, profileData)
    return {
      profile: null,
      account: null,
-      OAuthProfile: profileData
+      OAuthProfile: profileData,
    }
  }
 }
--- a/src/server/lib/oauth/client.js
+++ b/src/server/lib/oauth/client.js
@@ -7,7 +7,7 @@ import { sign as jwtSign } from 'jsonwebtoken'
 * @TODO Refactor to remove dependancy on 'oauth' package
 * It is already quite monkey patched, we don't use all the features and and it
 * would be easier to maintain if all the code was native to next-auth.
- * @param {import("../..").Provider} provider
+ * @param {import("types/providers").OAuthConfig} provider
 */
 export default function oAuthClient (provider) {
  if (provider.version?.startsWith('2.')) {
@@ -54,23 +54,36 @@ export default function oAuthClient (provider) {
  const originalGetOAuth1AccessToken = oauth1Client.getOAuthAccessToken.bind(oauth1Client)
  oauth1Client.getOAuthAccessToken = (...args) => {
    return new Promise((resolve, reject) => {
-      originalGetOAuth1AccessToken(...args, (error, accessToken, refreshToken, results) => {
+      // eslint-disable-next-line camelcase
+      originalGetOAuth1AccessToken(...args, (error, oauth_token, oauth_token_secret, params) => {
        if (error) {
          return reject(error)
        }
-        resolve({ accessToken, refreshToken, results })
+
+        resolve({
+          // TODO: Remove, this is only kept for backward compativility
+          // These are not in the OAuth 1.x spec
+          accessToken: oauth_token,
+          refreshToken: oauth_token_secret,
+          results: params,
+
+          oauth_token,
+          oauth_token_secret,
+          params
+        })
      })
    })
  }

  const originalGetOAuthRequestToken = oauth1Client.getOAuthRequestToken.bind(oauth1Client)
-  oauth1Client.getOAuthRequestToken = (...args) => {
+  oauth1Client.getOAuthRequestToken = (params = {}) => {
    return new Promise((resolve, reject) => {
-      originalGetOAuthRequestToken(...args, (error, oauthToken) => {
+      // eslint-disable-next-line camelcase
+      originalGetOAuthRequestToken(params, (error, oauth_token, oauth_token_secret, params) => {
        if (error) {
          return reject(error)
        }
-        resolve(oauthToken)
+        resolve({ oauth_token, oauth_token_secret, params })
      })
    })
  }
@@ -88,7 +101,7 @@ export default function oAuthClient (provider) {
 /**
 * Ported from https://github.com/ciaranj/node-oauth/blob/a7f8a1e21c362eb4ed2039431fb9ac2ae749f26a/lib/oauth2.js
 * @param {string} code
- * @param {import("../..").Provider} provider
+ * @param {import("types/providers").OAuthConfig} provider
 * @param {string | undefined} codeVerifier
 */
 async function getOAuth2AccessToken (code, provider, codeVerifier) {
@@ -136,7 +149,7 @@ async function getOAuth2AccessToken (code, provider, codeVerifier) {
    headers.Authorization = `Bearer ${code}`
  }

-  if (provider.protection === 'pkce') {
+  if (provider.protection.includes('pkce')) {
    params.code_verifier = codeVerifier
  }

@@ -167,9 +180,17 @@ async function getOAuth2AccessToken (code, provider, codeVerifier) {
          raw = querystring.parse(data)
        }

-        const accessToken = provider.id === 'slack'
-          ? raw.authed_user.access_token
-          : raw.access_token
+        let accessToken
+        if (provider.id === 'slack') {
+          const { ok, error } = raw
+          if (!ok) {
+            return reject(error)
+          }
+
+          accessToken = raw.authed_user.access_token
+        } else {
+          accessToken = raw.access_token
+        }

        resolve({
          accessToken,
@@ -188,7 +209,7 @@ async function getOAuth2AccessToken (code, provider, codeVerifier) {
 *
 * 18/08/2020 @robertcraigie added results parameter to pass data to an optional request preparer.
 * e.g. see providers/bungie
- * @param {import("../..").Provider} provider
+ * @param {import("types/providers").OAuthConfig} provider
 * @param {string} accessToken
 * @param {any} results
 */
--- a/src/server/lib/oauth/pkce-handler.js
+++ b/src/server/lib/oauth/pkce-handler.js
@@ -10,13 +10,14 @@ const PKCE_MAX_AGE = 60 * 15 // 15 minutes in seconds

 /**
 * Adds `code_verifier` to `req.options.pkce`, and removes the corresponding cookie
- * @param {import("../..").NextAuthRequest} req
- * @param {import("../..").NextAuthResponse} res
+ * @param {import("types/internals").NextAuthRequest} req
+ * @param {import("types/internals").NextAuthResponse} res
 */
 export async function handleCallback (req, res) {
  const { cookies, provider, baseUrl, basePath } = req.options
  try {
-    if (provider.protection !== 'pkce') { // Provider does not support PKCE, nothing to do.
+    // Provider does not support PKCE, nothing to do.
+    if (!provider.protection?.includes('pkce')) {
      return
    }

@@ -44,13 +45,13 @@ export async function handleCallback (req, res) {

 /**
 * Adds `code_challenge` and `code_challenge_method` to `req.options.pkce`.
- * @param {import("../..").NextAuthRequest} req
- * @param {import("../..").NextAuthResponse} res
+ * @param {import("types/internals").NextAuthRequest} req
+ * @param {import("types/internals").NextAuthResponse} res
 */
 export async function handleSignin (req, res) {
  const { cookies, provider, baseUrl, basePath } = req.options
  try {
-    if (provider.protection !== 'pkce') { // Provider does not support PKCE, nothing to do.
+    if (!provider.protection?.includes('pkce')) { // Provider does not support PKCE, nothing to do.
      return
    }
    // Started login flow, add generated pkce to req.options and (encrypted) code_verifier to a cookie
--- a/src/server/lib/oauth/state-handler.js
+++ b/src/server/lib/oauth/state-handler.js
@@ -6,17 +6,18 @@ import { OAuthCallbackError } from '../../../lib/errors'
 * For OAuth 2.0 flows, if the provider supports state,
 * check if state matches the one sent on signin
 * (a hash of the NextAuth.js CSRF token).
- * @param {import("../..").NextAuthRequest} req
- * @param {import("../..").NextAuthResponse} res
+ * @param {import("types/internals").NextAuthRequest} req
+ * @param {import("types/internals").NextAuthResponse} res
 */
 export async function handleCallback (req, res) {
  const { csrfToken, provider, baseUrl, basePath } = req.options
  try {
-    if (provider.protection !== 'state') { // Provider does not support state, nothing to do.
+    // Provider does not support state, nothing to do.
+    if (!provider.protection?.includes('state')) {
      return
    }

-    const { state } = req.query
+    const state = req.query.state || req.body.state
    const expectedState = createHash('sha256').update(csrfToken).digest('hex')

    logger.debug(
@@ -35,13 +36,13 @@ export async function handleCallback (req, res) {

 /**
 * Adds CSRF token to the authorizationParams.
- * @param {import("../..").NextAuthRequest} req
- * @param {import("../..").NextAuthResponse} res
+ * @param {import("types/internals").NextAuthRequest} req
+ * @param {import("types/internals").NextAuthResponse} res
 */
 export async function handleSignin (req, res) {
  const { provider, baseUrl, basePath, csrfToken } = req.options
  try {
-    if (provider.protection !== 'state') { // Provider does not support state, nothing to do.
+    if (!provider.protection?.includes('state')) { // Provider does not support state, nothing to do.
      return
    }

--- a/src/server/lib/signin/email.js
+++ b/src/server/lib/signin/email.js
@@ -10,7 +10,7 @@ export default async function email (email, provider, options) {
    const secret = provider.secret || options.secret

    // Generate token
-    const token = provider.generateVerificationToken?.() ?? randomBytes(32).toString('hex')
+    const token = await provider.generateVerificationToken?.() ?? randomBytes(32).toString('hex')

    // Send email with link containing token (the unhashed version)
    const url = `${baseUrl}${basePath}/callback/${encodeURIComponent(provider.id)}?email=${encodeURIComponent(email)}&token=${encodeURIComponent(token)}`
--- a/src/server/lib/signin/oauth.js
+++ b/src/server/lib/signin/oauth.js
@@ -1,17 +1,21 @@
 import oAuthClient from '../oauth/client'
 import logger from '../../../lib/logger'

-/** @param {import("../..").NextAuthRequest} req */
+/** @param {import("types/internals").NextAuthRequest} req */
 export default async function getAuthorizationUrl (req) {
  const { provider } = req.options

+  delete req.query?.nextauth
+  const params = {
+    ...provider.authorizationParams,
+    ...req.query
+  }
+
  const client = oAuthClient(provider)
  if (provider.version?.startsWith('2.')) {
-    delete req.query?.nextauth
    // Handle OAuth v2.x
    let url = client.getAuthorizeUrl({
-      ...provider.authorizationParams,
-      ...req.query,
+      ...params,
      redirect_uri: provider.callbackUrl,
      scope: provider.scope
    })
@@ -34,8 +38,12 @@ export default async function getAuthorizationUrl (req) {
  }

  try {
-    const oAuthToken = await client.getOAuthRequestToken()
-    const url = `${provider.authorizationUrl}?oauth_token=${oAuthToken}`
+    const tokens = await client.getOAuthRequestToken(params)
+    const url = `${provider.authorizationUrl}?${new URLSearchParams({
+      oauth_token: tokens.oauth_token,
+      oauth_token_secret: tokens.oauth_token_secret,
+      ...tokens.params
+    })}`
    logger.debug('GET_AUTHORIZATION_URL', url)
    return url
  } catch (error) {
--- a/src/server/pages/error.js
+++ b/src/server/pages/error.js
@@ -1,6 +1,5 @@
 // @ts-check
 import { h } from 'preact' // eslint-disable-line no-unused-vars
-import render from 'preact-render-to-string'

 /**
 * Renders an error page.
@@ -8,7 +7,7 @@ import render from 'preact-render-to-string'
 *   baseUrl: string
 *   basePath: string
 *   error?: string
- *   res: import("..").NextAuthResponse
+ *   res: import("types/internals").NextAuthResponse
 * }} params
 */
 export default function error ({ baseUrl, basePath, error = 'default', res }) {
@@ -53,11 +52,11 @@ export default function error ({ baseUrl, basePath, error = 'default', res }) {
    }
  }

-  const { statusCode, heading, message, signin } = errors[error.toLowerCase()]
+  const { statusCode, heading, message, signin } = errors[error.toLowerCase()] ?? errors.default

  res.status(statusCode)

-  return render(
+  return (
    <div className='error'>
      <h1>{heading}</h1>
      <div className='message'>{message}</div>
--- a/src/server/pages/index.js
+++ b/src/server/pages/index.js
@@ -1,3 +1,4 @@
+import renderToString from 'preact-render-to-string'
 import signin from './signin'
 import signout from './signout'
 import verifyRequest from './verify-request'
@@ -9,14 +10,34 @@ export default function renderPage (req, res) {
  const { baseUrl, basePath, callbackUrl, csrfToken, providers, theme } = req.options

  res.setHeader('Content-Type', 'text/html')
-  function send (html) {
-    res.send(`<!DOCTYPE html><head><style type="text/css">${css()}</style><meta name="viewport" content="width=device-width, initial-scale=1"></head><body class="__next-auth-theme-${theme}"><div class="page">${html}</div></body></html>`)
+  function send ({ html, title }) {
+    res.send(`<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1.0"><style>${css()}</style><title>${title}</title></head><body class="__next-auth-theme-${theme}"><div class="page">${renderToString(html)}</div></body></html>`)
  }

  return {
-    signin (props) { send(signin({ csrfToken, providers, callbackUrl, ...req.query, ...props })) },
-    signout (props) { send(signout({ csrfToken, baseUrl, basePath, ...props })) },
-    verifyRequest (props) { send(verifyRequest({ baseUrl, ...props })) },
-    error (props) { send(error({ basePath, baseUrl, res, ...props })) }
+    signin (props) {
+      send({
+        html: signin({ csrfToken, providers, callbackUrl, ...req.query, ...props }),
+        title: 'Sign In'
+      })
+    },
+    signout (props) {
+      send({
+        html: signout({ csrfToken, baseUrl, basePath, ...props }),
+        title: 'Sign Out'
+      })
+    },
+    verifyRequest (props) {
+      send({
+        html: verifyRequest({ baseUrl, ...props }),
+        title: 'Verify Request'
+      })
+    },
+    error (props) {
+      send({
+        html: error({ basePath, baseUrl, res, ...props }),
+        title: 'Error'
+      })
+    }
  }
 }
--- a/src/server/pages/signin.js
+++ b/src/server/pages/signin.js
@@ -1,5 +1,4 @@
 import { h } from 'preact' // eslint-disable-line no-unused-vars
-import render from 'preact-render-to-string'

 export default function signin ({ csrfToken, providers, callbackUrl, email, error: errorType }) {
  // We only want to render providers
@@ -30,7 +29,7 @@ export default function signin ({ csrfToken, providers, callbackUrl, email, erro

  const error = errorType && (errors[errorType] ?? errors.default)

-  return render(
+  return (
    <div className='signin'>
      {error &&
        <div className='error'>
--- a/src/server/pages/signout.js
+++ b/src/server/pages/signout.js
@@ -1,8 +1,7 @@
 import { h } from 'preact' // eslint-disable-line no-unused-vars
-import render from 'preact-render-to-string'

 export default function signout ({ baseUrl, basePath, csrfToken }) {
-  return render(
+  return (
    <div className='signout'>
      <h1>Are you sure you want to sign out?</h1>
      <form action={`${baseUrl}${basePath}/signout`} method='POST'>
--- a/src/server/pages/verify-request.js
+++ b/src/server/pages/verify-request.js
@@ -1,8 +1,7 @@
 import { h } from 'preact' // eslint-disable-line no-unused-vars
-import render from 'preact-render-to-string'

 export default function verifyRequest ({ baseUrl }) {
-  return render(
+  return (
    <div className='verify-request'>
      <h1>Check your email</h1>
      <p>A sign in link has been sent to your email address.</p>
--- a/src/server/routes/callback.js
+++ b/src/server/routes/callback.js
@@ -6,8 +6,8 @@ import dispatchEvent from '../lib/dispatch-event'

 /**
 * Handle callbacks from login services
- * @param {import("..").NextAuthRequest} req
- * @param {import("..").NextAuthResponse} res
+ * @param {import("types/internals").NextAuthRequest} req
+ * @param {import("types/internals").NextAuthResponse} res
 */
 export default async function callback (req, res) {
  const {
@@ -72,7 +72,7 @@ export default async function callback (req, res) {
          }
        } catch (error) {
          if (error instanceof Error) {
-            return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
+            return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error.message)}`)
          }
          // TODO: Remove in a future major release
          logger.warn('SIGNIN_CALLBACK_REJECT_REDIRECT')
@@ -168,7 +168,7 @@ export default async function callback (req, res) {
        }
      } catch (error) {
        if (error instanceof Error) {
-          return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
+          return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error.message)}`)
        }
        // TODO: Remove in a future major release
        logger.warn('SIGNIN_CALLBACK_REJECT_REDIRECT')
@@ -239,7 +239,7 @@ export default async function callback (req, res) {
      }
    } catch (error) {
      if (error instanceof Error) {
-        return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
+        return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error.message)}`)
      }
      return res.redirect(error)
    }
@@ -254,7 +254,7 @@ export default async function callback (req, res) {
      }
    } catch (error) {
      if (error instanceof Error) {
-        return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
+        return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error.message)}`)
      }
      return res.redirect(error)
    }
@@ -262,7 +262,8 @@ export default async function callback (req, res) {
    const defaultJwtPayload = {
      name: user.name,
      email: user.email,
-      picture: user.image
+      picture: user.image,
+      sub: user.id?.toString()
    }
    const jwtPayload = await callbacks.jwt(defaultJwtPayload, user, account, userObjectReturnedFromAuthorizeHandler, false)

--- a/src/server/routes/providers.js
+++ b/src/server/routes/providers.js
@@ -2,8 +2,8 @@
 * Return a JSON object with a list of all OAuth providers currently configured
 * and their signin and callback URLs. This makes it possible to automatically
 * generate buttons for all providers when rendering client side.
- * @param {import("..").NextAuthRequest} req
- * @param {import("..").NextAuthResponse} res
+ * @param {import("types/internals").NextAuthRequest} req
+ * @param {import("types/internals").NextAuthResponse} res
 */
 export default function providers (req, res) {
  const { providers } = req.options
--- a/tsconfig.json
+++ b/tsconfig.json
@@ -3,6 +3,9 @@
    "strictNullChecks": true,
    "baseUrl": ".",
    "paths": {
+      "types": [
+        "./types"
+      ],
      "next-auth": [
        "./src/server"
      ],
@@ -40,7 +43,8 @@
  "include": [
    "next-env.d.ts",
    "**/*.ts",
-    "**/*.tsx"
+    "**/*.tsx",
+    "**/*.js"
  ],
  "exclude": [
    "node_modules"
--- a/types/adapters.d.ts
+++ b/types/adapters.d.ts
@@ -0,0 +1,244 @@
+import { AppOptions } from "./internals"
+import { ConnectionOptions, EntitySchema } from "typeorm"
+import { User } from "."
+import { AppProvider } from "./internals/providers"
+
+export interface Profile {
+  id: string
+  name: string
+  email: string | null
+  image?: string | null
+}
+
+export interface Session {
+  userId: string | number | object
+  expires: Date
+  sessionToken: string
+  accessToken: string
+}
+
+export interface VerificationRequest {
+  identifier: string
+  token: string
+  expires: Date
+}
+
+export interface SendVerificationRequestParams {
+  identifier: string
+  url: string
+  token: string
+  baseUrl: string
+  provider: AppProvider
+}
+
+export type EmailAppProvider = AppProvider & {
+  sendVerificationRequest: (
+    params: SendVerificationRequestParams
+  ) => Promise<void>
+  maxAge: number | undefined
+}
+
+export interface AdapterInstance<
+  TUser,
+  TProfile,
+  TSession,
+  TVerificationRequest
+> {
+  createUser: (profile: TProfile) => Promise<TUser>
+  getUser: (id: string) => Promise<TUser | null>
+  getUserByEmail: (email: string) => Promise<TUser | null>
+  getUserByProviderAccountId: (
+    providerId: string,
+    providerAccountId: string
+  ) => Promise<TUser | null>
+  updateUser: (user: TUser) => Promise<TUser>
+  linkAccount: (
+    userId: string,
+    providerId: string,
+    providerType: string,
+    providerAccountId: string,
+    refreshToken: string,
+    accessToken: string,
+    accessTokenExpires: number
+  ) => Promise<void>
+  createSession: (user: TUser) => Promise<TSession>
+  getSession: (sessionToken: string) => Promise<TSession | null>
+  updateSession: (session: TSession, force?: boolean) => Promise<TSession>
+  deleteSession: (sessionToken: string) => Promise<void>
+  createVerificationRequest?: (
+    email: string,
+    url: string,
+    token: string,
+    secret: string,
+    provider: EmailAppProvider,
+    options: AppOptions
+  ) => Promise<TVerificationRequest>
+  getVerificationRequest?: (
+    email: string,
+    verificationToken: string,
+    secret: string,
+    provider: AppProvider
+  ) => Promise<TVerificationRequest | null>
+  deleteVerificationRequest?: (
+    email: string,
+    verificationToken: string,
+    secret: string,
+    provider: AppProvider
+  ) => Promise<void>
+}
+
+interface Adapter<
+  TUser extends User = any,
+  TProfile extends Profile = any,
+  TSession extends Session = any,
+  TVerificationRequest extends VerificationRequest = any
+> {
+  getAdapter: (
+    appOptions: AppOptions
+  ) => Promise<AdapterInstance<TUser, TProfile, TSession, TVerificationRequest>>
+}
+
+type Schema<T = any> = EntitySchema<T>["options"]
+
+interface BuiltInAdapters {
+  Default: TypeORMAdapter["Adapter"]
+  TypeORM: TypeORMAdapter
+  Prisma: PrismaAdapter
+}
+
+/**
+ * TODO: fix auto-type schema
+ */
+
+interface TypeORMAdapter<
+  A extends TypeORMAccountModel = any,
+  U extends TypeORMUserModel = any,
+  S extends TypeORMSessionModel = any,
+  VR extends TypeORMVerificationRequestModel = any
+> {
+  Adapter: (
+    typeOrmConfig: ConnectionOptions,
+    options?: {
+      models?: {
+        Account?: {
+          model: A
+          schema: Schema<A>
+        }
+        User?: {
+          model: U
+          schema: Schema<U>
+        }
+        Session?: {
+          model: S
+          schema: Schema<S>
+        }
+        VerificationRequest?: {
+          model: VR
+          schema: Schema<VR>
+        }
+      }
+    }
+  ) => Adapter<U, Profile, S, VR>
+  Models: {
+    Account: {
+      model: TypeORMAccountModel
+      schema: Schema<TypeORMAccountModel>
+    }
+    User: {
+      model: TypeORMUserModel
+      schema: Schema<TypeORMUserModel>
+    }
+    Session: {
+      model: TypeORMSessionModel
+      schema: Schema<TypeORMSessionModel>
+    }
+    VerificationRequest: {
+      model: TypeORMVerificationRequestModel
+      schema: Schema<TypeORMVerificationRequestModel>
+    }
+  }
+}
+
+interface PrismaAdapter {
+  Adapter: (config: {
+    prisma: any
+    modelMapping?: {
+      User: string
+      Account: string
+      Session: string
+      VerificationRequest: string
+    }
+  }) => Adapter
+}
+
+declare class TypeORMAccountModel {
+  compoundId: string
+  userId: number
+  providerType: string
+  providerId: string
+  providerAccountId: string
+  refreshToken?: string
+  accessToken?: string
+  accessTokenExpires?: Date
+
+  constructor(
+    userId: number,
+    providerId: string,
+    providerType: string,
+    providerAccountId: string,
+    refreshToken?: string,
+    accessToken?: string,
+    accessTokenExpires?: Date
+  )
+}
+
+declare class TypeORMUserModel implements User {
+  name?: string
+  email?: string
+  image?: string
+  emailVerified?: Date
+
+  constructor(
+    name?: string,
+    email?: string,
+    image?: string,
+    emailVerified?: Date
+  )
+}
+
+declare class TypeORMSessionModel implements Session {
+  userId: number
+  expires: Date
+  sessionToken: string
+  accessToken: string
+
+  constructor(
+    userId: number,
+    expires: Date,
+    sessionToken?: string,
+    accessToken?: string
+  )
+}
+
+declare class TypeORMVerificationRequestModel implements VerificationRequest {
+  identifier: string
+  token: string
+  expires: Date
+
+  constructor(identifier: string, token: string, expires: Date)
+}
+
+declare const Adapters: BuiltInAdapters
+
+export default Adapters
+
+export {
+  Adapter,
+  BuiltInAdapters as Adapters,
+  TypeORMAdapter,
+  TypeORMAccountModel,
+  TypeORMUserModel,
+  TypeORMSessionModel,
+  TypeORMVerificationRequestModel,
+  PrismaAdapter,
+}
--- a/types/client.d.ts
+++ b/types/client.d.ts
@@ -0,0 +1,218 @@
+import * as React from "react"
+import { IncomingMessage } from "http"
+import { Session } from "."
+import { ProviderType } from "./providers"
+
+export interface CtxOrReq {
+  req?: IncomingMessage
+  ctx?: { req: IncomingMessage }
+}
+
+/***************
+ * Session types
+ **************/
+
+export type GetSessionOptions = CtxOrReq & {
+  event?: "storage" | "timer" | "hidden" | string
+  triggerEvent?: boolean
+}
+
+/**
+ * React Hook that gives you access
+ * to the logged in user's session data.
+ *
+ * [Documentation](https://next-auth.js.org/getting-started/client#usesession)
+ */
+export function useSession(): [Session | null, boolean]
+
+/**
+ * Can be called client or server side to return a session asynchronously.
+ * It calls `/api/auth/session` and returns a promise with a session object,
+ * or null if no session exists.
+ *
+ * [Documentation](https://next-auth.js.org/getting-started/client#getsession)
+ */
+export function getSession(options: GetSessionOptions): Promise<Session | null>
+
+/**
+ * Alias for `getSession`
+ * @docs https://next-auth.js.org/getting-started/client#getsession
+ */
+export const session: typeof getSession
+
+/*******************
+ * CSRF Token types
+ ******************/
+
+/**
+ * Returns the current Cross Site Request Forgery Token (CSRF Token)
+ * required to make POST requests (e.g. for signing in and signing out).
+ * You likely only need to use this if you are not using the built-in
+ * `signIn()` and `signOut()` methods.
+ *
+ * [Documentation](https://next-auth.js.org/getting-started/client#getcsrftoken)
+ */
+export function getCsrfToken(ctxOrReq: CtxOrReq): Promise<string | null>
+
+/**
+ * Alias for `getCsrfToken`
+ * @docs https://next-auth.js.org/getting-started/client#getcsrftoken
+ */
+export const csrfToken: typeof getCsrfToken
+
+/******************
+ * Providers types
+ *****************/
+
+export interface ClientSafeProvider {
+  id: string
+  name: string
+  type: ProviderType
+  signinUrl: string
+  callbackUrl: string
+}
+
+/**
+ * It calls `/api/auth/providers` and returns
+ * a list of the currently configured authentication providers.
+ * It can be useful if you are creating a dynamic custom sign in page.
+ *
+ * [Documentation](https://next-auth.js.org/getting-started/client#getproviders)
+ */
+export function getProviders(): Promise<Record<
+  string,
+  ClientSafeProvider
+> | null>
+
+/**
+ * Alias for `getProviders`
+ * @docs https://next-auth.js.org/getting-started/client#getproviders
+ */
+export const providers: typeof getProviders
+
+/****************
+ * Sign in types
+ ***************/
+
+export type RedirectableProvider = "email" | "credentials"
+
+export type SignInProvider = RedirectableProvider | string | undefined
+
+export interface SignInOptions extends Record<string, unknown> {
+  /**
+   * Defaults to the current URL.
+   * @docs https://next-auth.js.org/getting-started/client#specifying-a-callbackurl
+   */
+  callbackUrl?: string
+  /** @docs https://next-auth.js.org/getting-started/client#using-the-redirect-false-option */
+  redirect?: boolean
+}
+
+export interface SignInResponse {
+  error: string | undefined
+  status: number
+  ok: boolean
+  url: string | null
+}
+
+/** Match `inputType` of `new URLSearchParams(inputType)` */
+export type SignInAuthorisationParams =
+  | string
+  | string[][]
+  | Record<string, string>
+  | URLSearchParams
+
+/**
+ * Client-side method to initiate a signin flow
+ * or send the user to the signin page listing all possible providers.
+ * Automatically adds the CSRF token to the request.
+ *
+ * [Documentation](https://next-auth.js.org/getting-started/client#signin)
+ */
+export function signIn<P extends SignInProvider = undefined>(
+  provider?: P,
+  options?: SignInOptions,
+  authorizationParams?: SignInAuthorisationParams
+): Promise<
+  P extends RedirectableProvider ? SignInResponse | undefined : undefined
+>
+
+/**
+ * Alias for `signIn`
+ * @docs https://next-auth.js.org/getting-started/client#signin
+ */
+export const signin: typeof signIn
+
+/****************
+ * Sign out types
+ ****************/
+
+/** @docs https://next-auth.js.org/getting-started/client#using-the-redirect-false-option-1 */
+export interface SignOutResponse {
+  url: string
+}
+
+export interface SignOutParams<R extends boolean = true> {
+  /** @docs https://next-auth.js.org/getting-started/client#specifying-a-callbackurl-1 */
+  callbackUrl?: string
+  /** @docs https://next-auth.js.org/getting-started/client#using-the-redirect-false-option-1 */
+  redirect?: R
+}
+
+/**
+ * Signs the user out, by removing the session cookie.
+ * Automatically adds the CSRF token to the request.
+ *
+ * [Documentation](https://next-auth.js.org/getting-started/client#signout)
+ */
+export function signOut<R extends boolean = true>(
+  params?: SignOutParams<R>
+): Promise<R extends true ? undefined : SignOutResponse>
+
+/**
+ * @docs https://next-auth.js.org/getting-started/client#signout
+ * Alias for `signOut`
+ */
+export const signout: typeof signOut
+/************************
+ * SessionProvider types
+ ***********************/
+
+/** @docs: https://next-auth.js.org/getting-started/client#options */
+export interface SessionProviderOptions {
+  baseUrl?: string
+  basePath?: string
+  clientMaxAge?: number
+  keepAlive?: number
+}
+
+/**
+ * Provider to wrap the app in to make session data available globally.
+ * Can also be used to throttle the number of requests to the endpoint
+ * `/api/auth/session`.
+ *
+ * [Documentation](https://next-auth.js.org/getting-started/client#provider)
+ */
+export type SessionProvider = React.FC<{
+  children: React.ReactNode
+  session?: Session
+  options?: SessionProviderOptions
+}>
+
+/**
+ * Provider to wrap the app in to make session data available globally.
+ * Can also be used to throttle the number of requests to the endpoint
+ * `/api/auth/session`.
+ *
+ * [Documentation](https://next-auth.js.org/getting-started/client#provider)
+ */
+export const Provider: SessionProvider
+
+/** @docs: https://next-auth.js.org/getting-started/client#options */
+export function setOptions(options: SessionProviderOptions): void
+
+/**
+ * Alias for `setOptions`
+ * @docs: https://next-auth.js.org/getting-started/client#options
+ */
+export const options: typeof setOptions
--- a/types/index.d.ts
+++ b/types/index.d.ts
@@ -0,0 +1,413 @@
+// Minimum TypeScript Version: 3.5
+
+/// <reference types="node" />
+
+import { ConnectionOptions } from "typeorm"
+import { Adapter } from "./adapters"
+import { JWTOptions, JWT } from "./jwt"
+import { AppProviders } from "./providers"
+import {
+  Awaitable,
+  NextApiRequest,
+  NextApiResponse,
+  NextApiHandler,
+} from "./internals/utils"
+
+/**
+ * Configure your NextAuth instance
+ *
+ * [Documentation](https://next-auth.js.org/configuration/options#options)
+ */
+export interface NextAuthOptions {
+  /**
+   * An array of authentication providers for signing in
+   * (e.g. Google, Facebook, Twitter, GitHub, Email, etc) in any order.
+   * This can be one of the built-in providers or an object with a custom provider.
+   * * **Default value**: `[]`
+   * * **Required**: *Yes*
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#providers) | [Providers documentation](https://next-auth.js.org/configuration/providers)
+   */
+  providers: AppProviders
+  /**
+   * A database connection string or configuration object.
+   * * **Default value**: `null`
+   * * **Required**: *No (unless using email provider)*
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#database) | [Databases](https://next-auth.js.org/configuration/databases)
+   */
+  database?: string | Record<string, any> | ConnectionOptions
+  /**
+   * A random string used to hash tokens, sign cookies and generate cryptographic keys.
+   * If not specified is uses a hash of all configuration options, including Client ID / Secrets for entropy.
+   * The default behavior is volatile, and **it is strongly recommended** you explicitly specify a value
+   * to avoid invalidating end user sessions when configuration changes are deployed.
+   * * **Default value**: `string` (SHA hash of the "options" object)
+   * * **Required**: No - **but strongly recommended**!
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#secret)
+   */
+  secret?: string
+  /**
+   * Configure your session like if you want to use JWT or a database,
+   * how long until an idle session expires, or to throttle write operations in case you are using a database.
+   * * **Default value**: See the documentation page
+   * * **Required**: No
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#session)
+   */
+  session?: SessionOptions
+  /**
+   * JSON Web Tokens can be used for session tokens if enabled with the `session: { jwt: true }` option.
+   * JSON Web Tokens are enabled by default if you have not specified a database.
+   * By default JSON Web Tokens are signed (JWS) but not encrypted (JWE),
+   * as JWT encryption adds additional overhead and comes with some caveats.
+   * You can enable encryption by setting `encryption: true`.
+   * * **Default value**: See the documentation page
+   * * **Required**: *No*
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#jwt)
+   */
+  jwt?: JWTOptions
+  /**
+   * Specify URLs to be used if you want to create custom sign in, sign out and error pages.
+   * Pages specified will override the corresponding built-in page.
+   * * **Default value**: `{}`
+   * * **Required**: *No*
+   * @example
+   *
+   * ```js
+   *   pages: {
+   *     signIn: '/auth/signin',
+   *     signOut: '/auth/signout',
+   *     error: '/auth/error',
+   *     verifyRequest: '/auth/verify-request',
+   *     newUser: null
+   *   }
+   * ```
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#pages) | [Pages documentation](https://next-auth.js.org/configuration/pages)
+   */
+  pages?: PagesOptions
+  /**
+   * Callbacks are asynchronous functions you can use to control what happens when an action is performed.
+   * Callbacks are *extremely powerful*, especially in scenarios involving JSON Web Tokens
+   * as they **allow you to implement access controls without a database** and to **integrate with external databases or APIs**.
+   * * **Default value**: See the Callbacks documentation
+   * * **Required**: *No*
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#callbacks) | [Callbacks documentation](https://next-auth.js.org/configuration/callbacks)
+   */
+  callbacks?: CallbacksOptions
+  /**
+   * Events are asynchronous functions that do not return a response, they are useful for audit logging.
+   * You can specify a handler for any of these events below - e.g. for debugging or to create an audit log.
+   * The content of the message object varies depending on the flow
+   * (e.g. OAuth or Email authentication flow, JWT or database sessions, etc),
+   * but typically contains a user object and/or contents of the JSON Web Token
+   * and other information relevant to the event.
+   * * **Default value**: `{}`
+   * * **Required**: *No*
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#events) | [Events documentation](https://next-auth.js.org/configuration/events)
+   */
+  events?: EventsOptions
+  /**
+   * By default NextAuth.js uses a database adapter that uses TypeORM and supports MySQL, MariaDB, Postgres and MongoDB and SQLite databases.
+   * An alternative adapter that uses Prisma, which currently supports MySQL, MariaDB and Postgres, is also included.
+   * You can use the adapter option to use the Prisma adapter - or pass in your own adapter
+   * if you want to use a database that is not supported by one of the built-in adapters.
+   * * **Default value**: TypeORM adapter
+   * * **Required**: *No*
+   *
+   * - ⚠ If the `adapter` option is specified it overrides the `database` option, only specify one or the other.
+   * - ⚠ Adapters are being migrated to their own home in a Community maintained repository.
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#adapter) |
+   * [Default adapter](https://next-auth.js.org/schemas/adapters#typeorm-adapter) |
+   * [Community adapters](https://github.com/nextauthjs/adapters)
+   */
+  adapter?: Adapter
+  /**
+   * Set debug to true to enable debug messages for authentication and database operations.
+   * * **Default value**: `false`
+   * * **Required**: *No*
+   *
+   * - ⚠ If you added a custom `logger`, this setting is ignored.
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#debug) | [Logger documentation](https://next-auth.js.org/configuration/options#logger)
+   */
+  debug?: boolean
+  /**
+   * Override any of the logger levels (`undefined` levels will use the built-in logger),
+   * and intercept logs in NextAuth. You can use this option to send NextAuth logs to a third-party logging service.
+   * * **Default value**: `console`
+   * * **Required**: *No*
+   *
+   * @example
+   *
+   * ```js
+   * // /pages/api/auth/[...nextauth].js
+   * import log from "logging-service"
+   * export default NextAuth({
+   *   logger: {
+   *     error(code, ...message) {
+   *       log.error(code, message)
+   *     },
+   *     warn(code, ...message) {
+   *       log.warn(code, message)
+   *     },
+   *     debug(code, ...message) {
+   *       log.debug(code, message)
+   *     }
+   *   }
+   * })
+   * ```
+   *
+   * - ⚠ When set, the `debug` option is ignored
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#logger) |
+   * [Debug documentation](https://next-auth.js.org/configuration/options#debug)
+   */
+  logger?: LoggerInstance
+  /**
+   * Changes the theme of pages.
+   * Set to `"light"` if you want to force pages to always be light.
+   * Set to `"dark"` if you want to force pages to always be dark.
+   * Set to `"auto"`, (or leave this option out)if you want the pages to follow the preferred system theme.
+   * * **Default value**: `"auto"`
+   * * **Required**: *No*
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#theme) | [Pages documentation]("https://next-auth.js.org/configuration/pages")
+   */
+  theme?: "auto" | "dark" | "light"
+  /**
+   * When set to `true` then all cookies set by NextAuth.js will only be accessible from HTTPS URLs.
+   * This option defaults to `false` on URLs that start with `http://` (e.g. http://localhost:3000) for developer convenience.
+   * You can manually set this option to `false` to disable this security feature and allow cookies
+   * to be accessible from non-secured URLs (this is not recommended).
+   * * **Default value**: `true` for HTTPS and `false` for HTTP sites
+   * * **Required**: No
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#usesecurecookies)
+   *
+   * - ⚠ **This is an advanced option.** Advanced options are passed the same way as basic options,
+   * but **may have complex implications** or side effects.
+   * You should **try to avoid using advanced options** unless you are very comfortable using them.
+   */
+  useSecureCookies?: boolean
+  /**
+   * You can override the default cookie names and options for any of the cookies used by NextAuth.js.
+   * You can specify one or more cookies with custom properties,
+   * but if you specify custom options for a cookie you must provide all the options for that cookie.
+   * If you use this feature, you will likely want to create conditional behavior
+   * to support setting different cookies policies in development and production builds,
+   * as you will be opting out of the built-in dynamic policy.
+   * * **Default value**: `{}`
+   * * **Required**: No
+   *
+   * - ⚠ **This is an advanced option.** Advanced options are passed the same way as basic options,
+   * but **may have complex implications** or side effects.
+   * You should **try to avoid using advanced options** unless you are very comfortable using them.
+   *
+   * [Documentation](https://next-auth.js.org/configuration/options#cookies) | [Usage example](https://next-auth.js.org/configuration/options#example)
+   */
+  cookies?: CookiesOptions
+}
+
+/**
+ * Override any of the methods, and the rest will use the default logger.
+ *
+ * [Documentation](https://next-auth.js.org/configuration/options#logger)
+ */
+export interface LoggerInstance {
+  warn(code: string, ...message: unknown[]): void
+  error(code: string, ...message: unknown[]): void
+  debug(code: string, ...message: unknown[]): void
+}
+
+/**
+ * Different tokens returned by OAuth Providers.
+ * Some of them are available with different casing,
+ * but they refer to the same value.
+ */
+export interface TokenSet {
+  accessToken: string
+  idToken?: string
+  refreshToken?: string
+  access_token: string
+  expires_in?: number | null
+  refresh_token?: string
+  id_token?: string
+}
+
+/**
+ * Usually contains information about the provider being used
+ * and also extends `TokenSet`, which is different tokens returned by OAuth Providers.
+ */
+export interface Account extends TokenSet, Record<string, unknown> {
+  id: string
+  provider: string
+  type: string
+}
+
+/** The OAuth profile returned from your provider */
+export interface Profile extends Record<string, unknown> {
+  sub?: string
+  name?: string
+  email?: string
+  image?: string
+}
+
+/** [Documentation](https://next-auth.js.org/configuration/callbacks) */
+export interface CallbacksOptions<
+  P extends Record<string, unknown> = Profile,
+  A extends Record<string, unknown> = Account
+> {
+  /**
+   * Use this callback to control if a user is allowed to sign in.
+   * Returning true will continue the sign-in flow.
+   * Throwing an error or returning a string will stop the flow, and redirect the user.
+   *
+   * [Documentation](https://next-auth.js.org/configuration/callbacks#sign-in-callback)
+   */
+  signIn?(user: User, account: A, profile: P): Awaitable<string | boolean>
+  /**
+   * This callback is called anytime the user is redirected to a callback URL (e.g. on signin or signout).
+   * By default only URLs on the same URL as the site are allowed,
+   * you can use this callback to customise that behaviour.
+   *
+   * [Documentation](https://next-auth.js.org/configuration/callbacks#redirect-callback)
+   */
+  redirect?(url: string, baseUrl: string): Awaitable<string>
+  /**
+   * This callback is called whenever a session is checked.
+   * (Eg.: invoking the `/api/session` endpoint, using `useSession` or `getSession`)
+   *
+   * - ⚠ By default, only a subset of the token is returned for increased security.
+   * If you want to make something available you added to the token through the `jwt` callback,
+   * you have to explicitely forward it here to make it available to the client.
+   *
+   * [Documentation](https://next-auth.js.org/configuration/callbacks#session-callback) |
+   * [`jwt` callback](https://next-auth.js.org/configuration/callbacks#jwt-callback) |
+   * [`useSession`](https://next-auth.js.org/getting-started/client#usesession) |
+   * [`getSession`](https://next-auth.js.org/getting-started/client#getsession) |
+   *
+   */
+  session?(session: Session, userOrToken: JWT | User): Awaitable<Session>
+  /**
+   * This callback is called whenever a JSON Web Token is created (i.e. at sign in)
+   * or updated (i.e whenever a session is accessed in the client).
+   * Its content is forwarded to the `session` callback,
+   * where you can control what should be returned to the client.
+   * Anything else will be kept from your front-end.
+   *
+   * - ⚠ By default the JWT is signed, but not encrypted.
+   *
+   * [Documentation](https://next-auth.js.org/configuration/callbacks#jwt-callback) |
+   * [`session` callback](https://next-auth.js.org/configuration/callbacks#session-callback)
+   */
+  jwt?(
+    token: JWT,
+    user?: User,
+    account?: A,
+    profile?: P,
+    isNewUser?: boolean
+  ): Awaitable<JWT>
+}
+
+/** [Documentation](https://next-auth.js.org/configuration/options#cookies) */
+export interface CookieOption {
+  name: string
+  options: {
+    httpOnly: boolean
+    sameSite: true | "strict" | "lax" | "none"
+    path?: string
+    secure: boolean
+    maxAge?: number
+    domain?: string
+  }
+}
+
+/** [Documentation](https://next-auth.js.org/configuration/options#cookies) */
+export interface CookiesOptions {
+  sessionToken?: CookieOption
+  callbackUrl?: CookieOption
+  csrfToken?: CookieOption
+  pkceCodeVerifier?: CookieOption
+}
+
+/** [Documentation](https://next-auth.js.org/configuration/events) */
+export type EventType =
+  | "signIn"
+  | "signOut"
+  | "createUser"
+  | "updateUser"
+  | "linkAccount"
+  | "session"
+  | "error"
+
+/** [Documentation](https://next-auth.js.org/configuration/events) */
+export type EventCallback = (message: any) => Promise<void>
+
+/** [Documentation](https://next-auth.js.org/configuration/events) */
+export type EventsOptions = Partial<Record<EventType, EventCallback>>
+
+/** [Documentation](https://next-auth.js.org/configuration/pages) */
+export interface PagesOptions {
+  signIn?: string
+  signOut?: string
+  /** Error code passed in query string as ?error= */
+  error?: string
+  verifyRequest?: string
+  /** If set, new users will be directed here on first sign in */
+  newUser?: string
+}
+
+/**
+ * Returned by `useSession`, `getSession`, returned by the `session` callback
+ * and also the shape received as a prop on the `Provider` React Context
+ *
+ * [`useSession`](https://next-auth.js.org/getting-started/client#usesession) |
+ * [`getSession`](https://next-auth.js.org/getting-started/client#getsession) |
+ * [`Provider`](https://next-auth.js.org/getting-started/client#provider) |
+ * [`session` callback](https://next-auth.js.org/configuration/callbacks#jwt-callback)
+ */
+export interface Session extends Record<string, unknown> {
+  user?: User
+  accessToken?: string
+  expires: string
+}
+
+/** [Documentation](https://next-auth.js.org/configuration/options#session) */
+export interface SessionOptions {
+  jwt?: boolean
+  maxAge?: number
+  updateAge?: number
+}
+
+/**
+ * The shape of the returned object in the OAuth providers' `profile` callback,
+ * available in the `jwt` and `session` callbacks,
+ * or the second parameter of the `session` callback, when using a database.
+ *
+ * [`signIn` callback](https://next-auth.js.org/configuration/callbacks#sign-in-callback) |
+ * [`session` callback](https://next-auth.js.org/configuration/callbacks#jwt-callback) |
+ * [`jwt` callback](https://next-auth.js.org/configuration/callbacks#jwt-callback) |
+ * [`profile` OAuth provider callback](https://next-auth.js.org/configuration/providers#using-a-custom-provider)
+ */
+export interface User {
+  name?: string | null
+  email?: string | null
+  image?: string | null
+}
+
+declare function NextAuth(
+  req: NextApiRequest,
+  res: NextApiResponse,
+  options: NextAuthOptions
+): ReturnType<NextApiHandler>
+
+declare function NextAuth(options: NextAuthOptions): ReturnType<NextApiHandler>
+
+export default NextAuth
--- a/types/internals/client.d.ts
+++ b/types/internals/client.d.ts
@@ -0,0 +1,34 @@
+import * as React from "react"
+import { Session } from ".."
+
+export interface BroadcastMessage {
+  event?: "session"
+  data?: {
+    trigger?: "signout" | "getSession"
+  }
+  clientId: string
+  timestamp: number
+}
+
+export interface NextAuthConfig {
+  baseUrl: string
+  basePath: string
+  baseUrlServer: string
+  basePathServer: string
+  /** 0 means disabled (don't send); 60 means send every 60 seconds */
+  keepAlive: number
+  /** 0 means disabled (only use cache); 60 means sync if last checked > 60 seconds ago */
+  clientMaxAge: number
+  /** Used for timestamp since last sycned (in seconds) */
+  _clientLastSync: number
+  /** Stores timer for poll interval */
+  _clientSyncTimer: ReturnType<typeof setTimeout>
+  /** Tracks if event listeners have been added */
+  _eventListenersAdded: boolean
+  /** Stores last session response from hook */
+  _clientSession: Session | null | undefined
+  /** Used to store to function export by getSession() hook */
+  _getSession: any
+}
+
+export type SessionContext = React.Context<Session>
--- a/types/internals/index.d.ts
+++ b/types/internals/index.d.ts
@@ -0,0 +1,50 @@
+import { NextApiRequest, NextApiResponse } from "./utils"
+import { NextAuthOptions } from ".."
+import { AppProvider } from "./providers"
+
+/** Options that are the same both in internal and user provided options. */
+export type NextAuthSharedOptions =
+  | "pages"
+  | "jwt"
+  | "events"
+  | "callbacks"
+  | "cookies"
+  | "secret"
+  | "adapter"
+  | "theme"
+  | "debug"
+  | "logger"
+
+export interface AppOptions
+  extends Pick<NextAuthOptions, NextAuthSharedOptions> {
+  pkce?: {
+    code_verifier?: string
+    /**
+     * Could be `"plain"`, but not recommended.
+     * We ignore it for now.
+     * @spec https://tools.ietf.org/html/rfc7636#section-4.2.
+     */
+    code_challenge_method?: "S256"
+  }
+  provider?: AppProvider
+  providers: AppProvider[]
+  baseUrl?: string
+  basePath?: string
+  action?:
+    | "providers"
+    | "session"
+    | "csrf"
+    | "signin"
+    | "signout"
+    | "callback"
+    | "verify-request"
+    | "error"
+  csrfToken?: string
+  csrfTokenVerified?: boolean
+}
+
+export interface NextAuthRequest extends NextApiRequest {
+  options: AppOptions
+}
+
+export type NextAuthResponse = NextApiResponse
--- a/types/internals/next.d.ts
+++ b/types/internals/next.d.ts
@@ -0,0 +1,40 @@
+import { IncomingMessage, ServerResponse } from "http"
+
+// ------------------------------------------------------
+// Types from next@10,
+// see: https://github.com/microsoft/dtslint/issues/297
+// ------------------------------------------------------
+export interface NextApiRequest extends IncomingMessage {
+  query: {
+    [key: string]: string | string[]
+  }
+  cookies: {
+    [key: string]: string
+  }
+  body: any
+  env: any
+  preview?: boolean
+  previewData?: any
+}
+
+export type Send<T> = (body: T) => void
+
+export type NextApiResponse<T = any> = ServerResponse & {
+  send: Send<T>
+  json: Send<T>
+  status: (statusCode: number) => NextApiResponse<T>
+  redirect: ((url: string) => NextApiResponse<T>) &
+    ((status: number, url: string) => NextApiResponse<T>)
+  setPreviewData: (
+    data: object | string,
+    options?: {
+      maxAge?: number
+    }
+  ) => NextApiResponse<T>
+  clearPreviewData: () => NextApiResponse<T>
+}
+
+export type NextApiHandler<T = any> = (
+  req: NextApiRequest,
+  res: NextApiResponse<T>
+) => void | Promise<void>
--- a/types/internals/providers.d.ts
+++ b/types/internals/providers.d.ts
@@ -0,0 +1,6 @@
+import { CommonProviderOptions } from "../providers"
+
+export interface AppProvider extends CommonProviderOptions {
+  signinUrl: string
+  callbackUrl: string
+}
--- a/types/internals/utils.d.ts
+++ b/types/internals/utils.d.ts
@@ -0,0 +1,42 @@
+import { IncomingMessage, ServerResponse } from "http"
+
+export type Awaitable<T> = T | PromiseLike<T>
+
+// ------------------------------------------------------
+// Types from next@10,
+// see: https://github.com/microsoft/dtslint/issues/297
+// ------------------------------------------------------
+export interface NextApiRequest extends IncomingMessage {
+  query: {
+    [key: string]: string | string[]
+  }
+  cookies: {
+    [key: string]: string
+  }
+  body: any
+  env: any
+  preview?: boolean
+  previewData?: any
+}
+
+export type Send<T> = (body: T) => void
+
+export type NextApiResponse<T = any> = ServerResponse & {
+  send: Send<T>
+  json: Send<T>
+  status: (statusCode: number) => NextApiResponse<T>
+  redirect: ((url: string) => NextApiResponse<T>) &
+    ((status: number, url: string) => NextApiResponse<T>)
+  setPreviewData: (
+    data: object | string,
+    options?: {
+      maxAge?: number
+    }
+  ) => NextApiResponse<T>
+  clearPreviewData: () => NextApiResponse<T>
+}
+
+export type NextApiHandler<T = any> = (
+  req: NextApiRequest,
+  res: NextApiResponse<T>
+) => void | Promise<void>
--- a/types/jwt.d.ts
+++ b/types/jwt.d.ts
@@ -0,0 +1,66 @@
+import { JWT as JoseJWT, JWE } from "jose"
+import { NextApiRequest } from "./internals/utils"
+
+/**
+ * Returned by the `jwt` callback and `getToken`, when using JWT sessions
+ *
+ * [`jwt` callback](https://next-auth.js.org/configuration/callbacks#jwt-callback) | [`getToken`](https://next-auth.js.org/tutorials/securing-pages-and-api-routes#using-gettoken)
+ */
+export interface JWT extends Record<string, unknown> {
+  name?: string | null
+  email?: string | null
+  picture?: string | null
+}
+
+export interface JWTEncodeParams {
+  token?: JWT
+  maxAge?: number
+  secret: string | Buffer
+  signingKey?: string
+  signingOptions?: JoseJWT.SignOptions
+  encryptionKey?: string
+  encryptionOptions?: object
+  encryption?: boolean
+}
+
+export function encode(params?: JWTEncodeParams): Promise<string>
+
+export interface JWTDecodeParams {
+  token?: string
+  maxAge?: number
+  secret: string | Buffer
+  signingKey?: string
+  verificationKey?: string
+  verificationOptions?: JoseJWT.VerifyOptions<false>
+  encryptionKey?: string
+  decryptionKey?: string
+  decryptionOptions?: JWE.DecryptOptions<false>
+  encryption?: boolean
+}
+
+export function decode(params?: JWTDecodeParams): Promise<JWT>
+
+export type GetTokenParams<R extends boolean = false> = {
+  req: NextApiRequest
+  secureCookie?: boolean
+  cookieName?: string
+  raw?: R
+  decode?: typeof decode
+  secret?: string
+} & Omit<JWTDecodeParams, "secret">
+
+/** [Documentation](https://next-auth.js.org/tutorials/securing-pages-and-api-routes#using-gettoken) */
+export function getToken<R extends boolean = false>(
+  params?: GetTokenParams<R>
+): Promise<R extends true ? string : JWT | null>
+
+export interface JWTOptions {
+  secret?: string
+  maxAge?: number
+  encryption?: boolean
+  signingKey?: string
+  encryptionKey?: string
+  encode?: typeof encode
+  decode?: typeof decode
+  verificationOptions?: JoseJWT.VerifyOptions<false>
+}
--- a/types/providers.d.ts
+++ b/types/providers.d.ts
@@ -0,0 +1,166 @@
+import { Profile, TokenSet, User } from "."
+import { Awaitable } from "./internals/utils"
+
+export type ProviderType = "oauth" | "email" | "credentials"
+
+export interface CommonProviderOptions {
+  id: string
+  name: string
+  type: ProviderType
+}
+
+/**
+ * OAuth Provider
+ */
+
+type ProtectionType = "pkce" | "state" | "both" | "none"
+
+/**
+ * OAuth provider options
+ *
+ * [Documentation](https://next-auth.js.org/configuration/providers#oauth-provider-options)
+ */
+export interface OAuthConfig<P extends Record<string, unknown> = Profile>
+  extends CommonProviderOptions {
+  authorizationParams?: Record<string, string>
+  headers?: Record<string, any>
+  type: "oauth"
+  version: string
+  scope: string
+  params: { grant_type: string }
+  accessTokenUrl: string
+  requestTokenUrl: string
+  authorizationUrl: string
+  profileUrl: string
+  profile(profile: P, tokens: TokenSet): Awaitable<User & { id: string }>
+  protection?: ProtectionType | ProtectionType[]
+  clientId: string
+  clientSecret:
+    | string
+    // TODO: only allow for Apple
+    | Record<"appleId" | "teamId" | "privateKey" | "keyId", string>
+  idToken?: boolean
+  /**
+   * @deprecated Will be removed in an upcoming major release. Use `protection: ["state"]` instead.
+   */
+  state?: boolean
+
+  // TODO: only allow for BattleNet
+  region?: string
+  // TODO: only allow for some
+  domain?: string
+  // TODO: only allow for Azure Active Directory B2C and FusionAuth
+  tenantId?: string
+}
+
+export type OAuthProviderType =
+  | "Apple"
+  | "Atlassian"
+  | "Auth0"
+  | "AzureADB2C"
+  | "Basecamp"
+  | "BattleNet"
+  | "Box"
+  | "Bungie"
+  | "Cognito"
+  | "Discord"
+  | "EVEOnline"
+  | "Facebook"
+  | "FACEIT"
+  | "Foursquare"
+  | "FusionAuth"
+  | "GitHub"
+  | "GitLab"
+  | "Google"
+  | "IdentityServer4"
+  | "Instagram"
+  | "Kakao"
+  | "LINE"
+  | "LinkedIn"
+  | "MailRu"
+  | "Medium"
+  | "Netlify"
+  | "Okta"
+  | "Osso"
+  | "Reddit"
+  | "Salesforce"
+  | "Slack"
+  | "Spotify"
+  | "Strava"
+  | "Twitch"
+  | "Twitter"
+  | "VK"
+  | "Yandex"
+  | "Zoho"
+
+export type OAuthProvider = (options: Partial<OAuthConfig>) => OAuthConfig
+
+/**
+ * Credentials Provider
+ */
+
+interface CredentialInput {
+  label?: string
+  type?: string
+  value?: string
+  placeholder?: string
+}
+
+interface CredentialsConfig<C extends Record<string, CredentialInput> = {}>
+  extends CommonProviderOptions {
+  type: "credentials"
+  credentials: C
+  authorize(credentials: Record<keyof C, string>): Awaitable<User | null>
+}
+
+export type CredentialsProvider = (
+  options: Partial<CredentialsConfig>
+) => CredentialsConfig
+
+export type CredentialsProviderType = "Credentials"
+
+/** Email Provider */
+
+export interface EmailConfigServerOptions {
+  host: string
+  port: number
+  auth: {
+    user: string
+    pass: string
+  }
+}
+
+export interface EmailConfig extends CommonProviderOptions {
+  type: "email"
+  // TODO: Make use of https://www.typescriptlang.org/docs/handbook/2/template-literal-types.html
+  server: string | EmailConfigServerOptions
+  from?: string
+  maxAge?: number
+  sendVerificationRequest(params: {
+    identifier: string
+    url: string
+    baseUrl: string
+    token: string
+    provider: EmailConfig
+  }): Awaitable<void>
+}
+
+export type EmailProvider = (options: Partial<EmailConfig>) => EmailConfig
+
+// TODO: Rename to Token provider
+// when started working on https://github.com/nextauthjs/next-auth/discussions/1465
+export type EmailProviderType = "Email"
+
+export type Provider = OAuthConfig | EmailConfig | CredentialsConfig
+
+export type BuiltInProviders = Record<OAuthProviderType, OAuthProvider> &
+  Record<CredentialsProviderType, CredentialsProvider> &
+  Record<EmailProviderType, EmailProvider>
+
+export type AppProviders = Array<
+  Provider | ReturnType<BuiltInProviders[keyof BuiltInProviders]>
+>
+
+declare const Providers: BuiltInProviders
+
+export default Providers
--- a/types/tests/adapters.test.ts
+++ b/types/tests/adapters.test.ts
@@ -0,0 +1,26 @@
+import Adapters from "next-auth/adapters"
+
+// ExpectType TypeORMAdapter["Adapter"]
+Adapters.Default({
+  type: "sqlite",
+  database: ":memory:",
+  synchronize: true,
+})
+
+// ExpectType TypeORMAdapter
+Adapters.TypeORM.Adapter({
+  type: "sqlite",
+  database: ":memory:",
+  synchronize: true,
+})
+
+// ExpectType PrismaAdapter
+Adapters.Prisma.Adapter({
+  prisma: {},
+  modelMapping: {
+    User: "foo",
+    Account: "bar",
+    Session: "session",
+    VerificationRequest: "foo",
+  },
+})
--- a/types/tests/client.test.ts
+++ b/types/tests/client.test.ts
@@ -0,0 +1,97 @@
+import * as client from "next-auth/client"
+import { nextReq } from "./test-helpers"
+
+const clientSession = {
+  user: {
+    name: "Bruce",
+    email: "bruce@lee.com",
+    image: "path/to/img",
+  },
+  accessToken: "123z",
+  expires: "1234",
+}
+
+// $ExpectType [Session | null, boolean]
+client.useSession()
+
+// $ExpectType Promise<Session | null>
+client.getSession({ req: nextReq })
+
+// $ExpectType Promise<Session | null>
+client.session({ req: nextReq })
+
+// $ExpectType Promise<Record<string, ClientSafeProvider> | null>
+client.getProviders()
+
+// $ExpectType Promise<Record<string, ClientSafeProvider> | null>
+client.providers()
+
+// $ExpectType Promise<string | null>
+client.getCsrfToken({ req: nextReq })
+
+// $ExpectType Promise<string | null>
+client.csrfToken({ req: nextReq })
+
+// $ExpectType Promise<string | null>
+client.csrfToken({ ctx: { req: nextReq } })
+
+// $ExpectType Promise<undefined>
+client.signin("github", { callbackUrl: "foo" }, { login: "username" })
+
+// $ExpectType Promise<SignInResponse | undefined>
+client.signin("credentials", { callbackUrl: "foo", redirect: true })
+
+// $ExpectType Promise<SignInResponse | undefined>
+client.signin("credentials", { redirect: false })
+
+// $ExpectType Promise<SignInResponse | undefined>
+client.signin("email", { callbackUrl: "foo", redirect: false })
+
+// $ExpectType Promise<SignInResponse | undefined>
+client.signin("email", { callbackUrl: "foo", redirect: true })
+
+// $ExpectType Promise<undefined>
+client.signout()
+
+// $ExpectType Promise<undefined>
+client.signout({ callbackUrl: "https://foo.com/callback", redirect: true })
+
+// $ExpectType Promise<SignOutResponse>
+client.signOut({ callbackUrl: "https://foo.com/callback", redirect: false })
+
+// $ExpectType ReactElement<any, any> | null
+client.Provider({
+  children: null,
+  session: clientSession,
+  options: {
+    baseUrl: "https://foo.com",
+    basePath: "/",
+    clientMaxAge: 1234,
+  },
+})
+
+// $ExpectType ReactElement<any, any> | null
+client.Provider({
+  children: null,
+  session: clientSession,
+})
+
+// $ExpectType ReactElement<any, any> | null
+client.Provider({
+  children: null,
+  options: {},
+})
+
+// $ExpectType ReactElement<any, any> | null
+client.Provider({
+  children: null,
+  session: {
+    expires: "",
+  },
+  options: {
+    baseUrl: "https://foo.com",
+    basePath: "/",
+    clientMaxAge: 1234,
+    keepAlive: 4321,
+  },
+})
--- a/types/tests/jwt.test.ts
+++ b/types/tests/jwt.test.ts
@@ -0,0 +1,26 @@
+import * as JWTType from "next-auth/jwt"
+import { nextReq } from "./test-helpers"
+
+// $ExpectType Promise<string>
+JWTType.encode({
+  token: { key: "value" },
+  secret: "secret",
+})
+
+// $ExpectType Promise<JWT>
+JWTType.decode({
+  token: "token",
+  secret: "secret",
+})
+
+// $ExpectType Promise<string>
+JWTType.getToken({
+  req: nextReq,
+  raw: true,
+})
+
+// $ExpectType Promise<JWT | null>
+JWTType.getToken({
+  req: nextReq,
+  secret: "secret",
+})
--- a/types/tests/providers.test.ts
+++ b/types/tests/providers.test.ts
@@ -0,0 +1,259 @@
+import Providers from "next-auth/providers"
+
+// $ExpectType EmailConfig
+Providers.Email({
+  server: "path/to/server",
+  from: "path/from",
+})
+
+// $ExpectType EmailConfig
+Providers.Email({
+  server: {
+    host: "host",
+    port: 123,
+    auth: {
+      user: "foo",
+      pass: "123",
+    },
+  },
+  from: "path/from",
+})
+
+// $ExpectType CredentialsConfig<{}>
+Providers.Credentials({
+  id: "login",
+  name: "account",
+  credentials: {
+    user: {
+      label: "Password",
+      type: "password",
+    },
+    password: {
+      label: "Password",
+      type: "password",
+    },
+  },
+  authorize: async (credentials) => {
+    const user = {
+      /* fetched user */
+    }
+    return user
+  },
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Apple({
+  clientId: "foo123",
+  clientSecret: {
+    appleId: "foo@icloud.com",
+    teamId: "foo",
+    privateKey: "123xyz",
+    keyId: "1234",
+  },
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Twitter({
+  clientId: "foo123",
+  clientSecret: "bar123",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Facebook({
+  clientId: "foo123",
+  clientSecret: "bar123",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.GitHub({
+  clientId: "foo123",
+  clientSecret: "bar123",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.GitHub({
+  clientId: "foo123",
+  clientSecret: "bar123",
+  scope: "change:thing read:that",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.GitLab({
+  clientId: "foo123",
+  clientSecret: "bar123",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Slack({
+  clientId: "foo123",
+  clientSecret: "bar123",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Google({
+  clientId: "foo123",
+  clientSecret: "bar123",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Google({
+  clientId: "foo123",
+  clientSecret: "bar123",
+  authorizationUrl: "https://foo.google.com",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Auth0({
+  clientId: "foo123",
+  clientSecret: "bar123",
+  domain: "https://foo.auth0.com",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Auth0({
+  clientId: "foo123",
+  clientSecret: "bar123",
+  domain: "https://foo.auth0.com",
+  profile: () => ({
+    id: "foo123",
+    name: "foo",
+    email: "foo@bar.io",
+    image: "https://foo.auth0.com/image/1.png",
+  }),
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.IdentityServer4({
+  id: "identity-server4",
+  name: "IdentityServer4",
+  scope: "change:thing read:that",
+  domain: "https://foo.is4.com",
+  clientId: "foo123",
+  clientSecret: "bar123",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Discord({
+  clientId: "foo123",
+  clientSecret: "bar123",
+  scope: "identify",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Twitch({
+  clientId: "foo123",
+  clientSecret: "bar123",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Okta({
+  clientId: "foo123",
+  clientSecret: "bar123",
+  domain: "https://foo.auth0.com",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.BattleNet({
+  clientId: "foo123",
+  clientSecret: "bar123",
+  region: "europe",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Box({
+  clientId: "foo123",
+  clientSecret: "bar123",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Cognito({
+  clientId: "foo123",
+  clientSecret: "bar123",
+  domain: "https://foo.auth0.com",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Yandex({
+  clientId: "foo123",
+  clientSecret: "bar123",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.LinkedIn({
+  clientId: "foo123",
+  clientSecret: "bar123",
+  scope: "r_emailaddress r_liteprofile",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Spotify({
+  clientId: "foo123",
+  clientSecret: "bar123",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Spotify({
+  clientId: "foo123",
+  clientSecret: "bar123",
+  scope: "user-read-email",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Basecamp({
+  clientId: "foo123",
+  clientSecret: "bar123",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Reddit({
+  clientId: "foo123",
+  clientSecret: "bar123",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.AzureADB2C({
+  clientId: "foo123",
+  clientSecret: "bar123",
+  scope: "offline_access User.Read",
+  tenantId: "tenantId",
+  idToken: true,
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.FusionAuth({
+  name: "FusionAuth",
+  domain: "domain",
+  clientId: "clientId",
+  clientSecret: "clientSecret",
+  tenantId: "tenantId",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.FACEIT({
+  clientId: "foo123",
+  clientSecret: "bar123",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Instagram({
+  clientId: "foo123",
+  clientSecret: "bar123",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Kakao({
+  clientId: "foo123",
+  clientSecret: "bar123",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Osso({
+  clientId: "foo123",
+  clientSecret: "bar123",
+})
+
+// $ExpectType OAuthConfig<Profile>
+Providers.Zoho({
+  clientId: "foo123",
+  clientSecret: "bar123",
+})
--- a/types/tests/server.test.ts
+++ b/types/tests/server.test.ts
@@ -0,0 +1,260 @@
+import Providers, { OAuthConfig } from "next-auth/providers"
+import {
+  Adapter,
+  EmailAppProvider,
+  Profile,
+  Session,
+  VerificationRequest,
+} from "next-auth/adapters"
+import NextAuth, * as NextAuthTypes from "next-auth"
+import { IncomingMessage, ServerResponse } from "http"
+import * as JWTType from "next-auth/jwt"
+import { Socket } from "net"
+import { NextApiRequest, NextApiResponse } from "internals/utils"
+import { AppOptions } from "internals"
+import { AppProvider } from "internals/providers"
+
+const req: NextApiRequest = Object.assign(new IncomingMessage(new Socket()), {
+  query: {},
+  cookies: {},
+  body: {},
+  env: {},
+})
+
+const res: NextApiResponse = Object.assign(new ServerResponse(req), {
+  send: (body: string) => undefined,
+  json: (body: string) => undefined,
+  status: (code: number) => res,
+  redirect: (statusOrUrl: number | string, url?: string) => res as any,
+  setPreviewData: (data: object | string) => res,
+  clearPreviewData: () => res,
+})
+
+const pageOptions = {
+  signin: "path/to/signin",
+  signout: "path/to/signout",
+  error: "path/to/error",
+  verifyRequest: "path/to/verify",
+  newUsers: "path/to/signup",
+}
+
+const simpleConfig = {
+  providers: [
+    Providers.GitHub({
+      clientId: "123",
+      clientSecret: "123",
+      scope:
+        "user public_repo repo repo_deployment repo:status read:repo_hook read:org read:public_key read:gpg_key",
+    }),
+  ],
+}
+
+const exampleUser: NextAuthTypes.User = {
+  name: "",
+  image: "",
+  email: "",
+}
+
+const exampleSession: Session = {
+  userId: "",
+  accessToken: "",
+  sessionToken: "",
+  expires: new Date(),
+}
+
+const exampleVerificatoinRequest: VerificationRequest = {
+  identifier: "",
+  token: "",
+  expires: new Date(),
+}
+
+const adapter: Adapter<
+  NextAuthTypes.User,
+  Profile,
+  Session,
+  VerificationRequest
+> = {
+  async getAdapter(appOptions: AppOptions) {
+    return {
+      createUser: async (profile: Profile) => exampleUser,
+      getUser: async (id: string) => exampleUser,
+      getUserByEmail: async (email: string) => exampleUser,
+      getUserByProviderAccountId: async (
+        providerId: string,
+        providerAccountId: string
+      ) => exampleUser,
+      updateUser: async (user: NextAuthTypes.User) => exampleUser,
+      linkAccount: async (
+        userId: string,
+        providerId: string,
+        providerType: string,
+        providerAccountId: string,
+        refreshToken: string,
+        accessToken: string,
+        accessTokenExpires: number
+      ) => undefined,
+      createSession: async (user: NextAuthTypes.User) => exampleSession,
+      getSession: async (sessionToken: string) => exampleSession,
+      updateSession: async (session: Session, force?: boolean) =>
+        exampleSession,
+      deleteSession: async (sessionToken: string) => undefined,
+      createVerificationRequest: async (
+        email: string,
+        url: string,
+        token: string,
+        secret: string,
+        provider: EmailAppProvider,
+        options: AppOptions
+      ) => exampleVerificatoinRequest,
+      getVerificationRequest: async (
+        email: string,
+        verificationToken: string,
+        secret: string,
+        provider: AppProvider
+      ) => exampleVerificatoinRequest,
+      deleteVerificationRequest: async (
+        email: string,
+        verificationToken: string,
+        secret: string,
+        provider: AppProvider
+      ) => undefined,
+    }
+  },
+}
+
+const allConfig = {
+  providers: [
+    Providers.Twitter({
+      clientId: "123",
+      clientSecret: "123",
+    }),
+  ],
+  database: "path/to/db",
+  debug: true,
+  secret: "my secret",
+  session: {
+    jwt: true,
+    maxAge: 365,
+    updateAge: 60,
+  },
+  jwt: {
+    secret: "secret-thing",
+    maxAge: 365,
+    encryption: true,
+    signingKey: "some-key",
+    encryptionKey: "some-key",
+    encode: async () => "foo",
+    decode: async () => ({}),
+  },
+  pages: pageOptions,
+  callbacks: {
+    async signIn(
+      user: NextAuthTypes.User,
+      account: Record<string, unknown>,
+      profile: Record<string, unknown>
+    ) {
+      return true
+    },
+    async redirect(url: string, baseUrl: string) {
+      return "path/to/foo"
+    },
+    async session(
+      session: NextAuthTypes.Session,
+      userOrToken: NextAuthTypes.User
+    ) {
+      return { ...session }
+    },
+    async jwt(
+      token: JWTType.JWT,
+      user?: NextAuthTypes.User,
+      account?: Record<string, unknown>,
+      profile?: Record<string, unknown>,
+      isNewUser?: boolean
+    ) {
+      return token
+    },
+  },
+  events: {
+    async signIn(message: string) {
+      return undefined
+    },
+    async signOut(message: string) {
+      return undefined
+    },
+    async createUser(message: string) {
+      return undefined
+    },
+    async linkAccount(message: string) {
+      return undefined
+    },
+    async session(message: string) {
+      return undefined
+    },
+    async error(message: string) {
+      return undefined
+    },
+  },
+  adapter,
+  useSecureCookies: true,
+  cookies: {
+    sessionToken: {
+      name: "__Secure-next-auth.session-token",
+      options: {
+        httpOnly: true,
+        sameSite: true as true,
+        path: "/",
+        secure: true,
+        domain: "foo.com",
+      },
+    },
+  },
+}
+
+const customProvider: OAuthConfig<{
+  id: string
+  name: string
+  email: string
+  picture: string
+}> = {
+  id: "google",
+  name: "Google",
+  type: "oauth",
+  version: "2.0",
+  scope:
+    "https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
+  params: { grant_type: "authorization_code" },
+  accessTokenUrl: "https://accounts.google.com/o/oauth2/token",
+  requestTokenUrl: "https://accounts.google.com/o/oauth2/auth",
+  authorizationUrl:
+    "https://accounts.google.com/o/oauth2/auth?response_type=code",
+  profileUrl: "https://www.googleapis.com/oauth2/v1/userinfo?alt=json",
+  async profile(profile, tokens) {
+    return {
+      id: profile.id,
+      name: profile.name,
+      email: profile.email,
+      image: profile.picture,
+    }
+  },
+  clientId: "",
+  clientSecret: "",
+}
+
+const customProviderConfig = {
+  providers: [customProvider],
+}
+
+// $ExpectType void | Promise<void>
+NextAuth(simpleConfig)
+
+// $ExpectType void | Promise<void>
+NextAuth(allConfig)
+
+// $ExpectType void | Promise<void>
+NextAuth(customProviderConfig)
+
+// $ExpectType void | Promise<void>
+NextAuth(req, res, simpleConfig)
+
+// $ExpectType void | Promise<void>
+NextAuth(req, res, allConfig)
--- a/types/tests/test-helpers.ts
+++ b/types/tests/test-helpers.ts
@@ -0,0 +1,13 @@
+import { IncomingMessage } from "http"
+import { Socket } from "net"
+import { NextApiRequest } from "internals/utils"
+
+export const nextReq: NextApiRequest = Object.assign(
+  new IncomingMessage(new Socket()),
+  {
+    query: {},
+    cookies: {},
+    body: {},
+    env: {},
+  }
+)
--- a/types/tsconfig.json
+++ b/types/tsconfig.json
@@ -0,0 +1,22 @@
+{
+  "compilerOptions": {
+    "module": "commonjs",
+    "lib": ["es6", "dom"],
+    "jsx": "react",
+    "noImplicitAny": true,
+    "noImplicitThis": true,
+    "strictFunctionTypes": true,
+    "strictNullChecks": true,
+    "esModuleInterop": true,
+    "noEmit": true,
+    "forceConsistentCasingInFileNames": true,
+    "baseUrl": ".",
+    "paths": {
+      "next-auth": ["."],
+      "next-auth/providers": ["./providers"],
+      "next-auth/adapters": ["./adapters"],
+      "next-auth/client": ["./client"],
+      "next-auth/jwt": ["./jwt"]
+    }
+  }
+}
--- a/types/tslint.json
+++ b/types/tslint.json
@@ -0,0 +1,7 @@
+{
+  "extends": "dtslint/dtslint.json",
+  "rules": {
+    "semicolon": false,
+    "no-redundant-jsdoc": false
+  }
+}
--- a/www/docs/configuration/callbacks.md
+++ b/www/docs/configuration/callbacks.md
@@ -79,7 +79,7 @@ When using NextAuth.js without a database, the user object it will always be a p
 :::

 :::tip
-If you only want to allow users who already have accounts in the database to sign in, you can check for the existance of a `user.id` property and reject any sign in attempts from accounts that do not have one.
+If you only want to allow users who already have accounts in the database to sign in, you can check for the existence of a `user.id` property and reject any sign in attempts from accounts that do not have one.

 If you are using NextAuth.js without database and want to control who can sign in, you can check their email address or profile against a hard coded list in the `signIn()` callback.
 :::
@@ -112,52 +112,6 @@ callbacks: {
 The redirect callback may be invoked more than once in the same flow.
 :::

-## Session callback
-
-The session callback is called whenever a session is checked.
-
-e.g. `getSession()`, `useSession()`, `/api/auth/session`
-
-* When using database sessions, the User object is passed as an argument.
-* When using JSON Web Tokens for sessions, the JWT payload is provided instead.
-
-```js title="pages/api/auth/[...nextauth].js"
-...
-callbacks: {
-  /**
-   * @param  {object} session      Session object
-   * @param  {object} token        User object    (if using database sessions)
-   *                               JSON Web Token (if not using database sessions)
-   * @return {object}              Session that will be returned to the client 
-   */
-  async session(session, token) {
-    if(token?.accessToken) {
-      // Add property to session, like an access_token from a provider
-      session.accessToken = token.accessToken
-    }
-    return session
-  }
-}
-...
-```
-
-:::tip
-When using JSON Web Tokens the `jwt()` callback is invoked before the `session()` callback, so anything you add to the
-JSON Web Token will be immediately available in the session callback, like for example an `access_token` from a provider.
-:::
-
-:::tip
-To better represent its value, when using a JWT session, the second parameter should be called `token` (This is the same thing you return from the `jwt` callback). If you use a database, call it `user`.
-:::
-
-:::warning
-The session object is not persisted server side, even when using database sessions - only data such as the session token, the user, and the expiry time is stored in the session table.
-
-If you need to persist session data server side, you can use the `accessToken` returned for the session as a key - and connect to the database in the `session()` callback to access it. Session `accessToken` values do not rotate and are valid as long as the session is valid.
-
-If using JSON Web Tokens instead of database sessions, you should use the User ID or a unique key stored in the token (you will need to generate a key for this yourself on sign in, as access tokens for sessions are not generated when using JSON Web Tokens).
-:::
-
 ## JWT callback

 This JSON Web Token callback is called whenever a JSON Web Token is created (i.e. at sign 
@@ -206,3 +160,47 @@ NextAuth.js does not limit how much data you can store in a JSON Web Token, howe

 If you need to persist a large amount of data, you will need to persist it elsewhere (e.g. in a database). You can store a key that can be used to look up that data in the `session()` callback.
 :::
+
+## Session callback
+
+The session callback is called whenever a session is checked. By default, only a subset of the token is returned for increased security. If you want to make something available you added to the token through the `jwt()` callback, you have to explicitely forward it here to make it available to the client.
+
+e.g. `getSession()`, `useSession()`, `/api/auth/session`
+
+* When using database sessions, the User object is passed as an argument.
+* When using JSON Web Tokens for sessions, the JWT payload is provided instead.
+
+```js title="pages/api/auth/[...nextauth].js"
+...
+callbacks: {
+  /**
+   * @param  {object} session      Session object
+   * @param  {object} token        User object    (if using database sessions)
+   *                               JSON Web Token (if not using database sessions)
+   * @return {object}              Session that will be returned to the client 
+   */
+  async session(session, token) {
+    // Add property to session, like an access_token from a provider.
+    session.accessToken = token.accessToken
+    return session
+  }
+}
+...
+```
+
+:::tip
+When using JSON Web Tokens the `jwt()` callback is invoked before the `session()` callback, so anything you add to the
+JSON Web Token will be immediately available in the session callback, like for example an `access_token` from a provider.
+:::
+
+:::tip
+To better represent its value, when using a JWT session, the second parameter should be called `token` (This is the same thing you return from the `jwt()` callback). If you use a database, call it `user`.
+:::
+
+:::warning
+The session object is not persisted server side, even when using database sessions - only data such as the session token, the user, and the expiry time is stored in the session table.
+
+If you need to persist session data server side, you can use the `accessToken` returned for the session as a key - and connect to the database in the `session()` callback to access it. Session `accessToken` values do not rotate and are valid as long as the session is valid.
+
+If using JSON Web Tokens instead of database sessions, you should use the User ID or a unique key stored in the token (you will need to generate a key for this yourself on sign in, as access tokens for sessions are not generated when using JSON Web Tokens).
+:::
--- a/www/docs/configuration/databases.md
+++ b/www/docs/configuration/databases.md
@@ -136,17 +136,44 @@ Install module:
 database: 'mariadb://username:password@127.0.0.1:3306/database_name'
 ```

-### Postgres
+### Postgres / CockroachDB

 Install module:
 `npm i pg`

 #### Example

+PostgresDB
 ```js
 database: 'postgres://username:password@127.0.0.1:5432/database_name'
 ```

+CockroachDB
+```js
+database: 'postgres://username:password@127.0.0.1:26257/database_name'
+```
+
+If the node is using Self-signed cert
+
+```js
+database: {
+    type: "cockroachdb",
+    host: process.env.DATABASE_HOST,
+    port: 26257,
+    username: process.env.DATABASE_USER,
+    password: process.env.DATABASE_PASSWORD,
+    database: process.env.DATABASE_NAME,
+    ssl: {
+      rejectUnauthorized: false,
+      ca: fs.readFileSync('/path/to/server-certificates/root.crt').toString()
+    },
+  },
+```
+
+Read more: [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)
+
+---
+
 ### Microsoft SQL Server

 Install module:
@@ -166,7 +193,7 @@ Install module:
 #### Example

 ```js
-database: 'mongodb://username:password@127.0.0.1:27017/database_name'
+database: 'mongodb://username:password@127.0.0.1:3306/database_name'
 ```

 ### SQLite
@@ -182,9 +209,6 @@ Install module:
 database: 'sqlite://localhost/:memory:'
 ```

-
---
-
 ## Other databases

 See the [documentation for adapters](/schemas/adapters) for more information on advanced configuration, including how to use NextAuth.js with other databases using a [custom adapter](/tutorials/creating-a-database-adapter).
--- a/www/docs/configuration/options.md
+++ b/www/docs/configuration/options.md
@@ -18,9 +18,17 @@ If your Next.js application uses a custom base path, specify the route to the AP
 _e.g. `NEXTAUTH_URL=https://example.com/custom-route/api/auth`_

 :::tip
-To set environment variables on Vercel, you can use the [dashboard](https://vercel.com/dashboard) or the `now env` command.
+To set environment variables on Vercel, you can use the [dashboard](https://vercel.com/dashboard) or the `vercel env` command.
 :::

+### NEXTAUTH_URL_INTERNAL
+
+If provided, server-side calls will use this instead of `NEXTAUTH_URL`. Useful in environments when the server doesn't have access to the canonical URL of your site. Defaults to `NEXTAUTH_URL`.
+
+```
+NEXTAUTH_URL_INTERNAL=http://10.240.8.16
+```
+
 ---

 ## Options
@@ -113,11 +121,29 @@ By default JSON Web Tokens are signed (JWS) but not encrypted (JWE), as JWT encr
 jwt: {
  // A secret to use for key generation - you should set this explicitly
  // Defaults to NextAuth.js secret if not explicitly specified.
+  // This is used to generate the actual signingKey and produces a warning
+  // message if not defined explicitly.
  // secret: 'INp8IvdIyeMcoGAgFGoA61DdBglwwSqnXJZkgz8PSnw',
  
+  // You can generate a signing key using `jose newkey -s 512 -t oct -a HS512`
+  // This gives you direct knowledge of the key used to sign the token so you can use it
+  // to authenticate indirectly (eg. to a database driver)
+  // signingKey: {"kty":"oct","kid":"Dl893BEV-iVE-x9EC52TDmlJUgGm9oZ99_ZL025Hc5Q","alg":"HS512","k":"K7QqRmJOKRK2qcCKV_pi9PSBv3XP0fpTu30TP8xn4w01xR3ZMZM38yL2DnTVPVw6e4yhdh0jtoah-i4c_pZagA"},
+  
+  // If you chose something other than the default algorithm for the signingKey (HS512)
+  // you also need to configure the algorithm
+  // verificationOptions: {
+  //    algorithms: ['HS256']
+  // },
+  
  // Set to true to use encryption. Defaults to false (signing only).
  // encryption: true,
-
+  // encryptionKey: "",
+  // decryptionKey = encryptionKey,
+  // decryptionOptions = {
+  //    algorithms: ['A256GCM']
+  // },
+  
  // You can define your own encode/decode functions for signing and encryption
  // if you want to override the default behaviour.
  // async encode({ secret, token, maxAge }) {},
@@ -328,7 +354,7 @@ export default NextAuth({
    },
    warn(code, ...message) {
      log.warn(code, message)
-    }
+    },
    debug(code, ...message) {
      log.debug(code, message)
    }
--- a/www/docs/configuration/pages.md
+++ b/www/docs/configuration/pages.md
@@ -7,7 +7,7 @@ NextAuth.js automatically creates simple, unbranded authentication pages for han

 The options displayed on the sign up page are automatically generated based on the providers specified in the options passed to NextAuth.js.

-To add a custom login page, for example. You can use the `pages` option:
+To add a custom login page, you can use the `pages` option:

 ```javascript title="pages/api/auth/[...nextauth].js"
 ...
@@ -21,6 +21,38 @@ To add a custom login page, for example. You can use the `pages` option:
 ...
 ```

+## Error codes
+We purposefully restrict the returned error codes for increased security.
+
+### Error page
+The following errors are passed as error query parameters to the default or overriden error page:
+
+- **Configuration**: There is a problem with the server configuration. Check if your [options](/configuration/options#options) is correct.
+- **AccessDenied**: Usually occurs, when you restriected access through the [`signIn` callback](/configuration/callbacks#sign-in-callback), or [`redirect` callback](/configuration/callbacks#redirect-callback)
+- **Verification**: Related to the Email provider. The token has expired or has already been used
+- **Default**: Catch all, will apply, if none of the above matched
+
+Example: `/auth/error?error=Configuration`
+
+### Sign-in page
+The following errors are passed as error query parameters to the default or overriden sign-in page:
+
+- **OAuthSignin**: Error in constructing an authorization URL ([1](https://github.com/nextauthjs/next-auth/blob/457952bb5abf08b09861b0e5da403080cd5525be/src/server/lib/signin/oauth.js), [2](https://github.com/nextauthjs/next-auth/blob/main/src/server/lib/oauth/pkce-handler.js), [3](https://github.com/nextauthjs/next-auth/blob/main/src/server/lib/oauth/state-handler.js)),
+- **OAuthCallback**: Error in handling the response ([1](https://github.com/nextauthjs/next-auth/blob/main/src/server/lib/oauth/callback.js), [2](https://github.com/nextauthjs/next-auth/blob/main/src/server/lib/oauth/pkce-handler.js), [3](https://github.com/nextauthjs/next-auth/blob/main/src/server/lib/oauth/state-handler.js)) from an OAuth provider.
+- **OAuthCreateAccount**: Could not create OAuth provider user in the database.
+- **EmailCreateAccount**: Could not create email provider user in the database.
+- **Callback**: Error in the [OAuth callback handler route](https://github.com/nextauthjs/next-auth/blob/main/src/server/routes/callback.js)
+- **OAuthAccountNotLinked**: If the email on the account is already linked, but not with this OAuth account
+- **EmailSignin**: Sending the e-mail with the verification token failed
+- **CredentialsSignin**: The `authorize` callback returned `null` in the [Credentials provider](/providers/credentials). We don't recommend providing information about which part of the credentials were wrong, as it might be abused by malicious hackers.
+- **Default**: Catch all, will apply, if none of the above matched
+  
+Example: `/auth/error?error=Default`
+
+## Theming
+
+By default, the built-in pages will follow the system theme, utilizing the [`prefer-color-scheme`](https://developer.mozilla.org/en-US/docs/Web/CSS/@media/prefers-color-scheme) Media Query. You can override this to always use a dark or light theme, through the [`theme` option](/configuration/options#theme).
+
 ## Examples

 ### OAuth Sign in
@@ -42,11 +74,22 @@ export default function SignIn({ providers }) {
  )
 }

-SignIn.getInitialProps = async (context) => {
+// This is the recommended way for Next.js 9.3 or newer
+export async function getServerSideProps(context){
+  const providers = await providers()
  return {
-    providers: await providers(context)
+    props: { providers }
  }
 }
+
+/*
+// If older than Next.js 9.3
+SignIn.getInitialProps = async () => {
+  return {
+    providers: await providers()
+  }
+}
+*/
 ```

 ### Email Sign in
@@ -54,7 +97,7 @@ SignIn.getInitialProps = async (context) => {
 If you create a custom sign in form for email sign in, you will need to submit both fields for the **email** address and **csrfToken** from **/api/auth/csrf** in a POST request to **/api/auth/signin/email**.

 ```jsx title="pages/auth/email-signin.js"
-import { csrfToken } from 'next-auth/client'
+import { getCsrfToken } from 'next-auth/client'

 export default function SignIn({ csrfToken }) {
  return (
@@ -62,18 +105,29 @@ export default function SignIn({ csrfToken }) {
      <input name='csrfToken' type='hidden' defaultValue={csrfToken}/>
      <label>
        Email address
-        <input type='text' id='email' name='email'/>
+        <input type='email' id='email' name='email'/>
      </label>
      <button type='submit'>Sign in with Email</button>
    </form>
  )
 }

-SignIn.getInitialProps = async (context) => {
+// This is the recommended way for Next.js 9.3 or newer
+export async function getServerSideProps(context){
+  const csrfToken = await getCsrfToken(context)
  return {
-    csrfToken: await csrfToken(context)
+    props: { csrfToken }
  }
 }
+
+/*
+// If older than Next.js 9.3
+SignIn.getInitialProps = async (context) => {
+  return {
+    csrfToken: await getCsrfToken(context)
+  }
+}
+*/
 ```

 You can also use the `signIn()` function which will handle obtaining the CSRF token for you:
@@ -87,7 +141,7 @@ signIn('email', { email: 'jsmith@example.com' })
 If you create a sign in form for credentials based authentication, you will need to pass a **csrfToken** from **/api/auth/csrf** in a POST request to **/api/auth/callback/credentials**.

 ```jsx title="pages/auth/credentials-signin.js"
-import { csrfToken } from 'next-auth/client'
+import { getCsrfToken } from 'next-auth/client'

 export default function SignIn({ csrfToken }) {
  return (
@@ -99,18 +153,30 @@ export default function SignIn({ csrfToken }) {
      </label>
      <label>
        Password
-        <input name='password' type='text'/>
+        <input name='password' type='password'/>
      </label>
      <button type='submit'>Sign in</button>
    </form>
  )
 }

-SignIn.getInitialProps = async (context) => {
+// This is the recommended way for Next.js 9.3 or newer
+export async function getServerSideProps(context) {
  return {
-    csrfToken: await csrfToken(context)
+    props: {
+      csrfToken: await getCsrfToken(context)
+    }
  }
 }
+
+/*
+// If older than Next.js 9.3
+SignIn.getInitialProps = async (context) => {
+  return {
+    csrfToken: await getCsrfToken(context)
+  }
+}
+*/
 ```

 You can also use the `signIn()` function which will handle obtaining the CSRF token for you:
@@ -121,4 +187,4 @@ signIn('credentials', { username: 'jsmith', password: '1234' })

 :::tip
 Remember to put any custom pages in a folder outside **/pages/api** which is reserved for API code. As per the examples above, a location convention suggestion is `pages/auth/...`. 
-:::
+:::
--- a/www/docs/configuration/providers.md
+++ b/www/docs/configuration/providers.md
@@ -56,15 +56,11 @@ NextAuth.js is designed to work with any OAuth service, it supports OAuth 1.0, 1

 <Image src="/img/signin.png" alt="Signin Screenshot" />

-:::tip
-If you want to create a custom sign in link you can link to **/api/auth/signin/[provider]** which will sign in the user in directly with that provider.
-:::
-
 ### Using a custom provider

 You can use an OAuth provider that isn't built-in by using a custom object.

-As an example of what this looks like, this is the the provider object returned for the Google provider:
+As an example of what this looks like, this is the provider object returned for the Google provider:

 ```js
 {
@@ -145,7 +141,7 @@ You can look at the existing built-in providers for inspiration.
 |       profile       |       An callback returning an object with the user's info       |            `object`             |    No    |
 |       idToken       |   Set to `true` for services that use ID Tokens (e.g. OpenID)    |            `boolean`            |    No    |
 |       headers       |      Any headers that should be sent to the OAuth provider       |            `object`             |    No    |
-|     protection      | Additional security for OAuth login flows (defaults to `state`)  |     `pkce`, `state`, `none`     |    No    |
+|     protection      | Additional security for OAuth login flows (defaults to `state`)  |`[pkce]`,`[state]`,`[pkce,state]`|    No    |
 |        state        | Same as `protection: "state"`. Being deprecated, use protection. |            `boolean`            |    No    |

 ## Sign in with Email
--- a/www/docs/errors.md
+++ b/www/docs/errors.md
@@ -83,6 +83,25 @@ Check if `cookies.pkceCodeVerifier` is configured correctly. The default `code_c

 #### JWT_SESSION_ERROR

+https://next-auth.js.org/errors#jwt_session_error JWKKeySupport: the key does not support HS512 verify algorithm
+
+The algorithm used for generating your key isn't listed as supported. You can generate a HS512 key using
+
+````
+  jose newkey -s 512 -t oct -a HS512
+````
+
+If you are unable to use an HS512 key (for example to interoperate with other services) you can define what is supported using
+
+````
+  jwt: {
+    signingKey: {"kty":"oct","kid":"--","alg":"HS256","k":"--"}
+    verificationOptions: {
+      algorithms: ["HS256"]
+    }
+  }
+````
+
 #### SESSION_ERROR

 ---
@@ -139,4 +158,4 @@ Check your mail server configuration.

 This error happens when `[...nextauth].js` file is not found inside `pages/api/auth`.

-Make sure the file is there and the filename is written correctly.
+Make sure the file is there and the filename is written correctly.
--- a/www/docs/faq.md
+++ b/www/docs/faq.md
@@ -54,10 +54,15 @@ NextAuth.js does not currently support automatically signing into sites on diffe

 ### Can I use NextAuth.js with React Native?

-NextAuth.js is designed as a secure, confidental client and implements a server side authentication flow.
+NextAuth.js is designed as a secure, confidential client and implements a server side authentication flow.

 It is not intended to be used in native applications on desktop or mobile applications, which typically implement public clients (e.g. with client / secrets embedded in the application).

+
+### Is NextAuth.js supporting TypeScript?
+
+Yes! Check out the [TypeScript docs](/getting-started/typescript)
+
 ---

 ## Databases
@@ -70,7 +75,7 @@ It also provides an Adapter API which allows you to connect it to any database.

 ### What does NextAuth.js use databases for?

-Databases in NextAuth.js are used for persisting users, oauth accounts, email sign in tokens and sessions.
+Databases in NextAuth.js are used for persisting users, OAuth accounts, email sign in tokens and sessions.

 Specifying a database is optional if you don't need to persist user data or support email sign in. If you don't specify a database then JSON Web Tokens will be enabled for session storage and used to store session data.

@@ -116,7 +121,7 @@ NextAuth.js records Refresh Tokens and Access Tokens on sign in (if supplied by

 You can then look them up from the database or persist them to the JSON Web Token.

-Note: NextAuth.js does not currently handle Access Token rotation for OAuth providers for you, if this is something you need, currently you will need to write the logic to handle that yourself. 
+Note: NextAuth.js does not currently handle Access Token rotation for OAuth providers for you, however you can check out [this tutorial](/tutorials/refresh-token-rotation) if you want to implement it.

 ### When I sign in with another account with the same email address, why are accounts not linked automatically?

@@ -126,7 +131,7 @@ When an email address is associated with an OAuth account it does not necessaril

 With automatic account linking on sign in, this can be exploited by bad actors to hijack accounts by creating an OAuth account associated with the email address of another user.

-For this reason it is not secure to automatically link accounts between abitrary providers on sign in, which is why this feature is generally not provided by authentication service and is not provided by NextAuth.js.
+For this reason it is not secure to automatically link accounts between arbitrary providers on sign in, which is why this feature is generally not provided by authentication service and is not provided by NextAuth.js.

 Automatic account linking is seen on some sites, sometimes insecurely. It can be technically possible to do automatic account linking securely if you trust all the providers involved to ensure they have securely verified the email address associated with the account, but requires placing trust (and transferring the risk) to those providers to handle the process securely.

@@ -169,7 +174,7 @@ NextAuth.js supports both database session tokens and JWT session tokens.
 * If a database is specified, database session tokens will be used by default.
 * If no database is specified, JWT session tokens will be used by default.

-You can also choose to use JSON Web Tokens as session tokens with using a database, by explictly setting the `session: { jwt: true }` option.
+You can also choose to use JSON Web Tokens as session tokens with using a database, by explicitly setting the `session: { jwt: true }` option.

 ### What are the advantages of JSON Web Tokens?

@@ -201,13 +206,13 @@ JSON Web Tokens can be used for session tokens, but are also used for lots of ot

  Avoid storing any data in a token that might be problematic if it were to be decrypted in the future.

-* If you do not explictly specify a secret for for NextAuth.js, existing sessions will be invalidated any time your NextAuth.js configuration changes, as NextAuth.js will default to an auto-generated secret.
+* If you do not explicitly specify a secret for for NextAuth.js, existing sessions will be invalidated any time your NextAuth.js configuration changes, as NextAuth.js will default to an auto-generated secret.

  If using JSON Web Token you should at least specify a secret and ideally configure public/private keys.

 ### Are JSON Web Tokens secure?

-By default tokens are signed (JWS) but not encrypted (JWE), as encryption adds additional overhead and reduces the amount of space avalible to store data (total cookie size for a domain is limited to 4KB).
+By default tokens are signed (JWS) but not encrypted (JWE), as encryption adds additional overhead and reduces the amount of space available to store data (total cookie size for a domain is limited to 4KB).

 * JSON Web Tokens in NextAuth.js use JWS and are signed using HS512 with an auto-generated key.

@@ -217,7 +222,7 @@ You can specify other valid algorithms - [as specified in RFC 7518](https://tool

 NextAuth.js will generate keys for you, but this will generate a warning at start up.

-Using explict public/private keys for signing is strongly recommended.
+Using explicit public/private keys for signing is strongly recommended.

 ### What signing and encryption standards does NextAuth.js support?

--- a/www/docs/getting-started/client.md
+++ b/www/docs/getting-started/client.md
@@ -212,7 +212,18 @@ The URL must be considered valid by the [redirect callback handler](/configurati

 #### Using the redirect: false option

-When you use the `credentials` provider, you might not want the user to redirect to an error page if an error occurs, so you can handle any errors (like wrong credentials given by the user) on the same page. For that, you can pass `redirect: false` in the second parameter object. `signIn` then will return a Promise, that resolves to the following:
+:::note
+The redirect option is only available for `credentials` and `email` providers.
+:::
+
+In some cases, you might want to deal with the sign in response on the same page and disable the default redirection. For example, if an error occurs (like wrong credentials given by the user), you might want to handle the error on the same page. For that, you can pass `redirect: false` in the second parameter object.
+
+e.g.
+
+- `signIn('credentials', { redirect: false, password: 'password' })`
+- `signIn('email', { redirect: false, email: 'bill@fillmurray.com' })`
+
+`signIn` will then return a Promise, that resolves to the following:

 ```ts
 {
@@ -345,7 +356,7 @@ export default function App ({ Component, pageProps }) {
 :::note
 **These options have no effect on clients that are not signed in.**

-Every tab/window maintains it's own copy of the local session state; the session it is not stored in shared storage like localStorage or sessionStorage. Any update in one tab/window triggers a message to other tabs/windows to update their own session state.
+Every tab/window maintains its own copy of the local session state; the session is not stored in shared storage like localStorage or sessionStorage. Any update in one tab/window triggers a message to other tabs/windows to update their own session state.

 Using low values for `clientMaxAge` or `keepAlive` will increase network traffic and load on  authenticated clients and may impact hosting costs and performance.
 :::
--- a/www/docs/getting-started/rest-api.md
+++ b/www/docs/getting-started/rest-api.md
@@ -35,7 +35,7 @@ The `POST` submission requires CSRF token from `/api/auth/csrf`.

 Returns client-safe session object - or an empty object if there is no session.

-The contents of the session object that is returned is configurable with the session callback.
+The contents of the session object that is returned are configurable with the session callback.

 #### `GET` /api/auth/csrf

@@ -52,7 +52,7 @@ It can be used to dynamically generate custom sign up pages and to check what ca
 ---

 :::note
-The default base path is `/api/auth` but it is configurable by specyfing a custom path in `NEXTAUTH_URL`
+The default base path is `/api/auth` but it is configurable by specifying a custom path in `NEXTAUTH_URL`

 e.g. 

--- a/www/docs/getting-started/typescript.md
+++ b/www/docs/getting-started/typescript.md
@@ -1,22 +1,105 @@
 ---
 id: typescript
-title: TypeScript Support
+title: TypeScript
 ---

-Currently, NextAuth.js relies on the community to provide TypeScript types. You can download it from [DefinitelyTyped](https://www.npmjs.com/package/@types/next-auth).
+NextAuth.js comes with its own type definitions, so you can safely use it in your TypeScript projects. Even if you don't use TypeScript, IDEs like VSCode will pick this up, to provide you with a better developer experience. While you are typing, you will get suggestions about how certain objects/functions look like, and sometimes also links to documentation, examples and other useful resources.

-Add it to your project with:
+:::warning
+ The types at [DefinitelyTyped](https://github.com/DefinitelyTyped/DefinitelyTyped) under the name of `@types/next-auth` are now deprecated, and not maintained anymore.
+:::

-```sh
-npm i -D @types/next-auth
+***
+## Module Augmentation
+
+`next-auth` comes with certain types/interfaces, that are shared across submodules. Good examples are `Session` and `JWT`. Ideally, you should only need to create these types at a single place, and TS should pick them up in every location where they are referenced. Luckily, this is exactly what Module Augmentation can do for us. Define your shared interfaces in a single location, and get type-safety across your application, when you use `next-auth` (or one of its submodules).
+
+### Main module
+Let's look at `Session`:
+
+```ts title="pages/api/[...nextauth].ts"
+import NextAuth from "next-auth"
+
+export default NextAuth({
+  callbacks: {
+    session(session, token) {
+      return session // The type here should match the one returned in `useSession()`
+    }
+  }
+})
 ```

-or
+```ts title="pages/index.ts"
+import { useSession } from "next-auth/client"

-```sh
-yarn add -D @types/next-auth
+export default function IndexPage() {
+  // `session` should match `callbacks.session()` in `NextAuth()`
+  const [session] = useSession() 
+
+  return (
+    // Your component
+  )
+}
 ```

-You can find an initial Pull Request at [next-auth#516](https://github.com/nextauthjs/next-auth/pull/516) adding TypeScript. At the time of this writing, it looks like we would like to go from a complete migration to a more relaxed, incremental rewrite.
+To extend/augment this type, create a `types/next-auth.d.ts` file in your project:

-Feel free to open a Pull Request, if you would like to contribute!
+```ts title="types/next-auth.d.ts"
+import NextAuth from "next-auth"
+
+declare module "next-auth" {
+  /**
+   * Returned by `useSession`, `getSession` and received as a prop on the `Provider` React Context
+   */
+  interface Session {
+    user: {
+      /** The user's postal address. */
+      address: string
+    }
+  }
+}
+```
+#### Popular interfaces to augment
+
+Although you can augment almost anything, here are some of the more common interfaces that you might want to override in the `next-auth` module:
+```ts
+  /**
+   * The shape of the user object returned in the OAuth providers' `profile` callback,
+   * or the second parameter of the `session` callback, when using a database.
+   */
+  interface User {} 
+  /**
+   * Usually contains information about the provider being used
+   * and also extends `TokenSet`, which is different tokens returned by OAuth Providers.
+   */
+  interface Account {}
+  /** The OAuth profile returned from your provider */
+  interface Profile {}
+```
+
+Make sure that the `types` folder is added to [`typeRoots`](https://www.typescriptlang.org/tsconfig/#typeRoots) in your project's `tsconfig.json` file.
+
+### Submodules
+The `JWT` interface can be found in the `next-auth/jwt` submodule:
+
+```ts title="types/next-auth.d.ts"
+declare module "next-auth/jwt" {
+  /** Returned by the `jwt` callback and `getToken`, when using JWT sessions */
+  interface JWT { 
+    /** OpenID ID Token */
+    idToken?: string
+  }
+}
+```
+
+### Useful links
+1. [TypeScript documentation: Module Augmentation](https://www.typescriptlang.org/docs/handbook/declaration-merging.html#module-augmentation)
+2. [Digital Ocean: Module Augmentation in TypeScript](https://www.digitalocean.com/community/tutorials/typescript-module-augmentation)
+
+## Contributing
+
+Contributions of any kind are always welcome, especially for TypeScript. Please keep in mind that we are a small team working on this project in our free time. We will try our best to give support, but if you think you have a solution for a problem, please open a PR!
+
+:::note
+When contributing to TypeScript, if the actual JavaScript user API does not change in a breaking manner, we reserve the right to push any TypeScript change in a minor release. This is to ensure that we can keep us on a faster release cycle.
+:::
--- a/www/docs/providers/email.md
+++ b/www/docs/providers/email.md
@@ -91,7 +91,7 @@ providers: [
  Providers.Email({
    server: process.env.EMAIL_SERVER, 
    from: process.env.EMAIL_FROM,
-    sendVerificationRequest: ({ identifier: email, url, token, site, provider }) => { /* your function */ }
+    sendVerificationRequest: ({ identifier: email, url, token, baseUrl, provider }) => { /* your function */ }
  })
 ]
 ```
@@ -184,3 +184,17 @@ const text = ({ url, site }) => `Sign in to ${site}\n${url}\n\n`
 :::tip
 If you want to generate great looking email client compatible HTML with React, check out https://mjml.io
 :::
+
+
+## Customising the Verification Token
+
+By default, we are generating a random verification token. You can define a `generateVerificationToken` method in your provider options if you want to override it:
+
+```js title="pages/api/auth/[...nextauth].js"
+providers: [
+  Providers.Email({
+    async generateVerificationToken() {
+      return "ABC123"
+    }
+  })
+],
--- a/www/docs/providers/faceit.md
+++ b/www/docs/providers/faceit.md
@@ -0,0 +1,30 @@
+---
+id: faceit
+title: FACEIT
+---
+
+## Documentation
+
+https://cdn.faceit.com/third_party/docs/FACEIT_Connect_3.0.pdf
+
+## Configuration
+
+https://developers.faceit.com/apps
+
+Grant type: `Authorization Code`
+
+Scopes to have basic infos (email, nickname, guid and avatar) : `openid`, `email`, `profile`
+
+## Example
+
+```js
+import Providers from `next-auth/providers`
+...
+providers: [
+  Providers.FACEIT({
+    clientId: process.env.FACEIT_CLIENT_ID,
+    clientSecret: process.env.FACEIT_CLIENT_SECRET
+  })
+]
+...
+```
--- a/www/docs/providers/instagram.md
+++ b/www/docs/providers/instagram.md
@@ -0,0 +1,42 @@
+---
+id: instagram
+title: Instagram
+---
+
+## Documentation
+
+https://developers.facebook.com/docs/instagram-basic-display-api/getting-started
+
+## Configuration
+
+https://developers.facebook.com/apps/
+
+## Example
+
+```jsx
+// pages/api/auth/[...nextauth].js
+import Providers from `next-auth/providers`
+...
+providers: [
+  Providers.Instagram({
+    clientId: process.env.INSTAGRAM_CLIENT_ID,
+    clientSecret: process.env.INSTAGRAM_CLIENT_SECRET
+  })
+]
+...
+// pages/index.jsx
+import { signIn } from "next-auth/client"
+...
+<button onClick={() => signIn("instagram")}>
+  Sign in
+</button>
+...
+```
+
+:::warning
+Email address is not returned by the Instagram API.
+:::
+
+:::tip
+Instagram display app required callback URL to be configured in your Facebook app and Facebook required you to use **https** even for localhost! In order to do that, you either need to [add an SSL to your localhost](https://www.freecodecamp.org/news/how-to-get-https-working-on-your-local-development-environment-in-5-minutes-7af615770eec/) or use a proxy such as [ngrock](https://ngrok.com/docs).
+:::
--- a/www/docs/providers/kakao.md
+++ b/www/docs/providers/kakao.md
@@ -0,0 +1,32 @@
+---
+id: kakao
+title: Kakao
+---
+
+## Documentation
+
+https://developers.kakao.com/product/kakaoLogin
+
+## Configuration
+
+https://developers.kakao.com/docs/latest/en/kakaologin/common
+
+## Example
+
+```js
+import Providers from `next-auth/providers`
+...
+providers: [
+  Providers.Kakao({
+    clientId: process.env.KAKAO_CLIENT_ID,
+    clientSecret: process.env.KAKAO_CLIENT_SECRET
+  })
+]
+...
+```
+
+## Instructions
+
+### Configuration
+
+Create a provider and a Kakao application at `https://developers.kakao.com/console/app`. In the settings of the app under Kakao Login, activate web app, change consent items and configure callback URL.
--- a/www/docs/providers/linkedin.md
+++ b/www/docs/providers/linkedin.md
@@ -11,6 +11,10 @@ https://docs.microsoft.com/en-us/linkedin/shared/authentication/authorization-co

 https://www.linkedin.com/developers/apps/

+From the Auth tab get the client ID and client secret. On the same tab, add redirect URLs such as http://localhost:3000/api/auth/callback/linkedin so LinkedIn can correctly redirect back to your application. Finally, head over to the Products tab and enable the "Sign In with LinkedIn" product. The LinkedIn team will review and approve your request before you can test it out.
+
+![image](https://user-images.githubusercontent.com/330396/114429603-68195600-9b72-11eb-8311-62e58383c42b.png)
+
 ## Example

 ```js
--- a/www/docs/providers/osso.md
+++ b/www/docs/providers/osso.md
@@ -0,0 +1,39 @@
+---
+id: osso
+title: Osso
+---
+
+## Documentation
+
+Osso is an open source service that handles SAML authentication against Identity Providers, normalizes profiles, and makes those profiles available to you in an OAuth 2.0 code grant flow.
+
+If you don't yet have an Osso instance, you can use [Osso's Demo App](https://demo.ossoapp.com) for your testing purposes. For documentation on deploying an Osso instance, see https://ossoapp.com/docs/deploy/overview/
+
+## Configuration
+
+You can configure your OAuth Clients on your Osso Admin UI, i.e. https://demo.ossoapp.com/admin/config - you'll need to get a Client ID and Secret and allow-list your redirect URIs.
+
+[SAML SSO differs a bit from OAuth](https://ossoapp.com/blog/saml-vs-oauth) - for every tenant who wants to sign in to your application using SAML, you and your customer need to perform a multi-step configuration in Osso's Admin UI and the admin dashboard of the tenant's Identity Provider. Osso provides documentation for providers like Okta and OneLogin, cloud-based IDPs who also offer a developer account that's useful for testing. Osso also provides a [Mock IDP](https://idp.ossoapp.com) that you can use for testing without needing to sign up for an Identity Provider service.
+
+See Osso's complete configuration and testing documentation at https://ossoapp.com/docs/configure/overview
+
+## Example
+
+A full example application is available at https://github.com/enterprise-oss/osso-next-auth-example and https://nextjs-demo.ossoapp.com
+
+```js
+import Providers from `next-auth/providers`
+...
+providers: [
+  Providers.Osso({
+    clientId: process.env.OSSO_CLIENT_ID,
+    clientSecret: process.env.OSSO_CLIENT_SECRET,
+    domain: process.env.OSSO_DOMAIN
+  })
+}
+...
+```
+
+:::note
+`domain` should be the fully qualified domain – e.g. `demo.ossoapp.com`
+:::
--- a/www/docs/providers/twitch.md
+++ b/www/docs/providers/twitch.md
@@ -11,6 +11,8 @@ https://dev.twitch.tv/docs/authentication

 https://dev.twitch.tv/console/apps

+Add the following redirect URL into the console `http://<your-next-app-url>/api/auth/callback/twitch`
+
 ## Example

 ```js
@@ -23,4 +25,4 @@ providers: [
  })
 ]
 ...
-```
+```
--- a/www/docs/providers/zoho.md
+++ b/www/docs/providers/zoho.md
@@ -0,0 +1,26 @@
+---
+id: zoho
+title: Zoho
+---
+
+## Documentation
+
+https://www.zoho.com/accounts/protocol/oauth/web-server-applications.html
+
+## Configuration
+
+https://api-console.zoho.com/
+
+## Example
+
+```js
+import Providers from `next-auth/providers`
+...
+providers: [
+  Providers.Zoho({
+    clientId: process.env.ZOHO_CLIENT_ID,
+    clientSecret: process.env.ZOHO_CLIENT_SECRET
+  })
+]
+...
+```
--- a/www/docs/schemas/adapters.md
+++ b/www/docs/schemas/adapters.md
@@ -185,7 +185,7 @@ Once you have saved your schema, use the Prisma CLI to generate the Prisma Clien
 npx prisma generate
 ```

-To configure you database to use the new schema (i.e. create tables and columns) use the `primsa migrate` command:
+To configure you database to use the new schema (i.e. create tables and columns) use the `prisma migrate` command:

 ```
 npx prisma migrate dev --preview-feature
--- a/www/docs/tutorials.md
+++ b/www/docs/tutorials.md
@@ -9,6 +9,18 @@ _These tutorials are contributed by the community and hosted on this site._

 _New submissions and edits are welcome!_

+### [NextJS Authentication Crash Course with NextAuth.js](https://youtu.be/o_wZIVmWteQ)
+
+This tutorial dives in to the ins and outs of NextAuth including email, GitHub, Twitter and integrating with Auth0 in under hour.
+
+### [Create your own NextAuth.js Login Pages](https://youtu.be/kB6YNYZ63fw)
+
+This tutorial shows you how to jump in and create your own custom login pages versus using the ones provided by NextAuth.js
+
+### [Refresh Token Rotation](tutorials/refresh-token-rotation)
+
+How to implement refresh token rotation.
+
 ### [Securing pages and API routes](tutorials/securing-pages-and-api-routes)

 How to restrict access to pages and API routes.
@@ -65,8 +77,7 @@ This example shows how to implement a fullstack app in TypeScript with Next.js u

 ### [Adding Authentication to an existing Next.js Application in no time!](https://dev.to/ndom91/adding-authentication-to-an-existing-serverless-next-js-app-in-no-time-with-nextauth-js-192h)

-This `dev.to` tutorial walks one through adding NextAuth.js to an existing project. Including setting up the OAuth client id and secret, adding the API routes for authentication, protecting pages and api routes behind that authentication, etc.
-
+This `dev.to` tutorial walks one through adding NextAuth.js to an existing project. Including setting up the OAuth client id and secret, adding the API routes for authentication, protecting pages and API routes behind that authentication, etc.

 ### [Adding Sign in With Apple Next JS](https://thesiddd.com/blog/apple-auth)

--- a/www/docs/tutorials/refresh-token-rotation.md
+++ b/www/docs/tutorials/refresh-token-rotation.md
@@ -0,0 +1,139 @@
+---
+id: refresh-token-rotation
+title: Refresh Token Rotation
+---
+
+While NextAuth.js doesn't automatically handle access token rotation for OAuth providers yet, this functionality can be implemented using [callbacks](https://next-auth.js.org/configuration/callbacks).
+
+## Source Code
+
+_A working example can be accessed [here](https://github.com/lawrencecchen/next-auth-refresh-tokens)._
+
+## Implementation
+
+### Server Side
+
+Using a [JWT callback](https://next-auth.js.org/configuration/callbacks#jwt-callback) and a [session callback](https://next-auth.js.org/configuration/callbacks#session-callback), we can persist OAuth tokens and refresh them when they expire.
+
+Below is a sample implementation using Google's Identity Provider. Please note that the OAuth 2.0 request in the `refreshAccessToken()` function will vary between different providers, but the core logic should remain similar.
+
+```js title="pages/auth/[...nextauth.js]"
+import NextAuth from "next-auth";
+import Providers from "next-auth/providers";
+
+const GOOGLE_AUTHORIZATION_URL =
+  "https://accounts.google.com/o/oauth2/v2/auth?" +
+  new URLSearchParams({
+    prompt: "consent",
+    access_type: "offline",
+    response_type: "code",
+  });
+
+/**
+ * Takes a token, and returns a new token with updated
+ * `accessToken` and `accessTokenExpires`. If an error occurs,
+ * returns the old token and an error property
+ */
+async function refreshAccessToken(token) {
+  try {
+    const url =
+      "https://oauth2.googleapis.com/token?" +
+      new URLSearchParams({
+        client_id: process.env.GOOGLE_CLIENT_ID,
+        client_secret: process.env.GOOGLE_CLIENT_SECRET,
+        grant_type: "refresh_token",
+        refresh_token: token.refreshToken,
+      });
+
+    const response = await fetch(url, {
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+      },
+      method: "POST",
+    });
+
+    const refreshedTokens = await response.json();
+
+    if (!response.ok) {
+      throw refreshedTokens;
+    }
+
+    return {
+      ...token,
+      accessToken: refreshedTokens.access_token,
+      accessTokenExpires: Date.now() + refreshedTokens.expires_in * 1000,
+      refreshToken: refreshedTokens.refresh_token ?? token.refreshToken, // Fall back to old refresh token
+    };
+  } catch (error) {
+    console.log(error);
+
+    return {
+      ...token,
+      error: "RefreshAccessTokenError",
+    };
+  }
+}
+
+export default NextAuth({
+  providers: [
+    Providers.Google({
+      clientId: process.env.GOOGLE_CLIENT_ID,
+      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+      authorizationUrl: GOOGLE_AUTHORIZATION_URL,
+    }),
+  ],
+  callbacks: {
+    async jwt(token, user, account) {
+      // Initial sign in
+      if (account && user) {
+        return {
+          accessToken: account.accessToken,
+          accessTokenExpires: Date.now() + account.expires_in * 1000,
+          refreshToken: account.refresh_token,
+          user,
+        };
+      }
+
+      // Return previous token if the access token has not expired yet
+      if (Date.now() < token.accessTokenExpires) {
+        return token;
+      }
+
+      // Access token has expired, try to update it
+      return refreshAccessToken(token);
+    },
+    async session(session, token) {
+      if (token) {
+        session.user = token.user;
+        session.accessToken = token.accessToken;
+        session.error = token.error;
+      }
+
+      return session;
+    },
+  },
+});
+```
+
+### Client Side
+
+The `RefreshAccessTokenError` error that is caught in the `refreshAccessToken()` method is passed all the way to the client. This means that you can direct the user to the sign in flow if we cannot refresh their token.
+
+We can handle this functionality as a side effect:
+
+```js title="pages/auth/[...nextauth.js]"
+import { signIn, useSession } from "next-auth/client";
+import { useEffect } from "react";
+
+const HomePage() {
+  const [session] = useSession();
+
+  useEffect(() => {
+    if (session?.error === "RefreshAccessTokenError") {
+      signIn(); // Force sign in to hopefully resolve error
+    }
+  }, [session]);
+
+return (...)
+}
+```
--- a/www/package-lock.json
+++ b/www/package-lock.json
--- a/www/package.json
+++ b/www/package.json
@@ -11,16 +11,16 @@
    "generate-providers": "node ./scripts/generate-providers.js"
  },
  "dependencies": {
-    "@docusaurus/core": "^2.0.0-alpha.66",
-    "@docusaurus/preset-classic": "^2.0.0-alpha.66",
+    "@docusaurus/core": "^2.0.0-alpha.70",
+    "@docusaurus/preset-classic": "^2.0.0-alpha.70",
    "classnames": "^2.2.6",
-    "docusaurus-lunr-search": "^2.1.7",
+    "docusaurus-lunr-search": "^2.1.10",
    "jose": "^2.0.2",
    "lodash.times": "^4.3.2",
    "react": "^17.0.1",
    "react-dom": "^17.0.1",
    "react-marquee-slider": "^1.1.2",
-    "styled-components": "^5.2.0"
+    "styled-components": "^5.2.1"
  },
  "browserslist": {
    "production": [
@@ -35,6 +35,6 @@
    ]
  },
  "devDependencies": {
-    "standard": "^15.0.0"
+    "standard": "^16.0.3"
  }
 }
Author	SHA1	Message	Date
dogomedia-github	ae26df091d	fix(provider): add sub to defaultJwtPayload for credentials provider. (#1725 ) Co-authored-by: Joseph Chen <jchen@dogomedia.com>	2021-04-20 12:59:48 +02:00
dependabot[bot]	1cbf73b2f6	chore(deps): bump jose from 1.27.2 to 1.28.1 (#1772 ) Bumps [jose](https://github.com/panva/jose) from 1.27.2 to 1.28.1. - [Release notes](https://github.com/panva/jose/releases) - [Changelog](https://github.com/panva/jose/blob/v1.28.1/CHANGELOG.md) - [Commits](https://github.com/panva/jose/compare/v1.27.2...v1.28.1) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2021-04-20 12:56:07 +02:00
Balázs Orbán	46b62d723c	feat(ts): expose types from main package (#1773 ) * chore: add beta to release flow/GH actions * feat(ts): expose types from the package (#1665) * chore(types): move existing types to the repo * feat(ts): expose types from the main package * chore(deps): bring back `react-dom` version range * chore(ts): cleanup deps and comments * chore(ci): run types tests on a separate workflow * chore(ci): fix typo on types workflow * fix(ts): correctly export sub-module types (#1677) * chore(types): build types script Adds a script that moves the declaration files we have in `./types` to `./dist` relative to the files they intend to type. This is the first step, we still need to change what we declare in `package.json`, add the script to the CI pipeline if we're happy with it and figure out how to type `next-auth/jwt`. * refactor(lint): fix build-types script * fix(ts): add .d.ts sub-module files to package.json #1677 seemed to miss this * fix(built): typo in package.json * fix(build): fix release * feat(ts): support module augmentation (#1681) * chore(ts): remove unused imports * refactor(ts): clean up CallbackOptions * docs(ts): explain Module Augmentation * docs(ts): don't use @ in folder name "types" * test(ts): make jwt params optional * docs(ts): fix typo (TypeScript -> NextAuth.js) * style: replace ts-standard with eslint/prettier (#1724) * style: move from ts-standard to eslint/prettier * fix: install remaining eslint-config-standard peer deps * fix: add remaining missing dependencies/config Co-authored-by: Balázs Orbán <info@balazsorban.com> * docs(lint): update contributing.md (#1760) Regarding ESLint / Prettier use and link to their VSCode extensions * refactor(ts): de-duplicate types (#1690) * refactor(ts): deduplicate internal types * refactor(ts): ease up providers typings * test(ts): fix failing TS tests * test(ts): rename TS property to fix test * docs(ts): mention TS docs in README.md * feat(ts): move/update client types * refactor(TS): rename some types * test(ts): fix client tests * docs(ts): move function descriptions to .d.ts * chore: fix lint error * refactor(ts): separate internal types * chore: simplify build-types script * chore: update type import paths in src * chore(build): create root files at build * chore: remove unnecessary .npmignore * chore: run prettier on types * fix(ts): clean up jwt types * fix(ts): make getToken return type depend on raw param * docs(page): explain page errors, add theming note * docs(ts): add JSDoc to NextAuthOptions props * chore(ts): remove unused import * docs(ts): change JSDOC docs notation * refactor(build): extract module entries into enum * chore(ts): move ClientSafeProvider * chore(ts): simplify GetTokenParams generic * style(lint): fix linting errors * chore: re-add generic extension to GetTokenParams * fix(ts): extract EmailConfigServerOptions to interface * fix(ts): use relative imports * Merge branch 'main' into beta * Merge main into beta * fix(ts): fix typos, add more links to documentation * test(ts): update JWT getToken test * fix(build): fix tsconfig.json formatting * test(ts): use absolute imports in test files * fix(ts): add missing callbacks JSDoc * docs: mention TS in FAQ, fix typos * docs: fix some typos in the docs Co-authored-by: Lluis Agusti <hi@llu.lu> Co-authored-by: Nico Domino <yo@ndo.dev>	2021-04-20 12:20:43 +02:00
Balázs Orbán	457952bb5a	fix(jwt): make decode overrideable in getToken (#1751 )	2021-04-17 12:40:50 +02:00
Balázs Orbán	17b789822d	fix: make oauth_token_secret and oauth_token available (#1322 ) * fix: add oauth_token_secret to requests * chore: remove console.log * refactor: follow casing from response	2021-04-14 21:26:15 +02:00
Ovidiu Dan	fd12194c0c	docs(provider): Explain how to get access to LinkedIn authentication (#1706 )	2021-04-12 18:46:20 +02:00
Balázs Orbán	1c662e9ddc	fix(page): fall back to default error page (#1700 )	2021-04-12 03:56:47 +02:00
Balázs Orbán	968903d227	fix(oauth): support `response_mode=form_post` (#1669 ) * chore: alias dev script to next * feat(core): fallback to body when reading state * refactor: set csrfToken on req.options implicitly Ensures we do this similarly than in other handlers like pkce, state, extendRes, callbackUrlHandler etc. * chore: add code comment for debugging	2021-04-12 00:24:05 +02:00
Balázs Orbán	3dedf6c26c	fix(provider): proper check of protection property (#1694 ) * fix(provider): proper check of protection property * chore: add comment	2021-04-12 00:15:29 +02:00
Amauri Dias	d1dbfe1023	fix: truly replace .flat() to support Node <11 again (#1691 )	2021-04-11 23:20:37 +02:00
David Colón	63171a0271	fix: validate provider existence before looking for protection property (#1687 ) * Fix validation of provider existence before looking for protection property * Use optional chaining	2021-04-11 15:20:01 +02:00
Amauri Dias	872e180339	fix: replace .flat() to support Node <11 again (#1684 )	2021-04-11 10:57:25 +02:00
ifly7charlie	a7709df796	docs: Document the additional parameters in JWT (#1550 ) Co-authored-by: Balázs Orbán <info@balazsorban.com>	2021-04-08 14:00:19 +02:00
Balázs Orbán	dbe283f0fa	refactor: rename extend-res to extend-req	2021-04-07 22:26:54 +02:00
Balázs Orbán	727426bbec	chore(ts): auto-label TypeScript related changes	2021-04-07 20:16:10 +02:00
Vinicius CR	5a3ee47337	feat(provider): accept array for protection to support multiple mechanisms (#1565 ) * fix: add protection both option * feat: update docs with new protection value * fix: lint files * refactor: change protection from string to array * chore: reverting unespected change * chore: lint files Co-authored-by: Balázs Orbán <info@balazsorban.com>	2021-04-06 19:20:56 +02:00
bhaveshmishra-code	8dd8f7c48a	docs: fix typo in callbacks.md (#1657 ) Fixed the spelling mistake. existance -> existence	2021-04-05 19:35:26 +02:00
Jaime Martínez Rincón	072c59d85a	docs: fix typo `primsa` (#1652 )	2021-04-05 00:25:46 +02:00
dependabot[bot]	d0e8147a48	chore(deps): bump y18n from 4.0.0 to 4.0.1 (#1631 ) Bumps [y18n](https://github.com/yargs/y18n) from 4.0.0 to 4.0.1. - [Release notes](https://github.com/yargs/y18n/releases) - [Changelog](https://github.com/yargs/y18n/blob/master/CHANGELOG.md) - [Commits](https://github.com/yargs/y18n/commits) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2021-04-05 00:24:39 +02:00
Jasper Moelker	5bc8f8b986	docs(page): correct getCsrfToken and input types (#1651 ) This fixes the a mismatch between the import (`csrfToken`) and the method (`getCsrfToken`) used in `getInitialProps`/`getServerSideProps`. In addition the form input fields now have their correct type: `email` for email input (for better autocomplete, virtual keyboard support and native validation) and `password` for the password input (to hide password while typing).	2021-04-04 22:01:53 +02:00
hoangbits	136361e1f4	docs: rename command to vercel cli, now cli is deprecated (#1647 )	2021-04-04 11:02:38 +02:00
hoangbits	cc9869592c	docs: fix typo in providers.md (#1641 )	2021-04-02 17:18:40 +02:00
Jay Liew	073da60c3d	docs: Update pages.md (#1592 ) * Update pages.md Updated Credentials Sign-In code example to indicate how to use `getServerSideProps` but still also showing the older `getInitialProps` example * Update www/docs/configuration/pages.md Co-authored-by: Balázs Orbán <info@balazsorban.com> * update documentation to show example using getServerSideProps() Co-authored-by: Balázs Orbán <info@balazsorban.com> Co-authored-by: Jay Liew <jay@haute.tech>	2021-03-31 00:31:31 +02:00
ifly7charlie	aacc34bbfd	docs(error): Add missing error message and technique to resolve (#1549 ) * Add missing error message and technique to resolve * Update errors.md Correct with correct error message and more complete suggestions on resolving it	2021-03-26 23:09:21 +01:00
jgollhardt	074688d10e	docs(provider): fix wrong param name in sendVerificationRequest example (#1595 )	2021-03-26 23:01:25 +01:00
Macarse, Christian Ryan R	b3ffe50c03	docs(provider): removed misleading provider signin link (#1588 )	2021-03-25 22:30:46 +01:00
Shubham Shukla	e6d063825d	fix(provider): added options in instagram provider (#1570 )	2021-03-23 22:28:54 +01:00
Balázs Orbán	985f7b3431	fix(logger): properly end request every time (#1557 ) * fix(logger): properly end request every time * chore: fix linting	2021-03-20 10:08:12 +01:00
Max	237b016378	fix(provider): reject access token if slack login flow was canceled (#1544 ) * fix: reject access token if slack login flow was canceled * style: fix lint errors in oauth client	2021-03-18 14:59:24 +01:00
Joshua Williams	776b9480da	feat(provider): add Zoho provider (#1516 ) * feat(provider): add zoho * fix: use LF instead of CRLF * fix: crlf to lf line endings Co-authored-by: Balázs Orbán <info@balazsorban.com>	2021-03-16 19:27:11 +01:00
Honman Yau	07a3f76cb3	docs: fix typos in REST API guide (#1528 )	2021-03-16 19:25:24 +01:00
tclaude94	3726d68c49	feat(provider): add FACEIT provider (#1469 )	2021-03-16 00:00:35 +01:00
dependabot[bot]	e31db1726a	chore(deps): bump xmldom from 0.3.0 to 0.5.0 (#1510 ) Bumps [xmldom](https://github.com/xmldom/xmldom) from 0.3.0 to 0.5.0. - [Release notes](https://github.com/xmldom/xmldom/releases) - [Changelog](https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md) - [Commits](https://github.com/xmldom/xmldom/compare/0.3.0...0.5.0) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2021-03-13 14:19:22 +01:00
James Perkins	a241199c11	docs(tutorials): Adding two more tutorials to the list. [skip release]	2021-03-13 03:42:00 +00:00
dependabot[bot]	5385ec20a9	chore(deps): bump elliptic from 6.5.3 to 6.5.4 in /www (#1493 ) Bumps [elliptic](https://github.com/indutny/elliptic) from 6.5.3 to 6.5.4. - [Release notes](https://github.com/indutny/elliptic/releases) - [Commits](https://github.com/indutny/elliptic/compare/v6.5.3...v6.5.4) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2021-03-10 22:59:10 +01:00
Balázs Orbán	810d02e671	fix(deps): upgrade to latest preact-render-to-string (#1475 )	2021-03-08 10:39:13 +01:00
Valentin Hervieu	e5535734f8	fix(client): set useSession loading state correctly (#1468 ) This is fixing #1467. The issue was due to doing the `setLoading(false)` in the finally: as we can do an early return [here](`a7e08e2a32/src/client/index.js (L100-L100)`), we would still go to the finally and mark the session as being loaded. I simply removed the `finally` block to only set the `loading` state to false when: - the data is ready - an error occures	2021-03-07 19:11:32 +01:00
Taehwan Noh	ba7aed1057	feat(provider): add Kakao provider (#1459 )	2021-03-06 21:52:39 +01:00
Balázs Orbán	a7e08e2a32	fix: make sure useSession populates session correctly (#1462 )	2021-03-06 20:02:43 +01:00
mcha	0d13040264	docs(client): fix client.md typos (#1453 )	2021-03-06 10:50:29 +01:00
Balázs Orbán	582520f8ef	chore: fix typo in feature request template	2021-03-06 00:35:09 +01:00
Sam Bauch	95942519a5	feat(provider): add Osso SAML provider (#1448 ) Co-authored-by: @sbauch	2021-03-06 00:21:38 +01:00
Balázs Orbán	f3e64f04cc	feat(client): introduce NEXTAUTH_URL_INTERNAL (#1449 ) Co-authored-by: @gergelyke	2021-03-06 00:10:36 +01:00
Balázs Orbán	ed5cc4aa65	feat(provider): add Instagram provider (#1447 ) Co-authored-by: @PolMrt pol@hey.com	2021-03-05 23:39:50 +01:00
Balázs Orbán	0e20b60229	docs(database): mention CockroachDB Co-authored-by: @jukbot <jukbot@yellotalk.co>	2021-03-05 22:52:48 +01:00
Balázs Orbán	3aee24b5dc	refactor: client improvements (#1428 ) * docs(client): add TS definitions to client * docs(client): add documentation links to public methods * refactor(client): simplify window sync, simplify logic * refactor(client): extract repeating logic to _fetchData * refactor(client): remove clientId * refactor(client): use session in Provider if passed	2021-03-05 22:47:32 +01:00
Baterka	960ca85907	fix: send only the error message in callback redirects (#1424 ) Changed `encodeURIComponent(error)` to `encodeURIComponent(error.message)` to remove prefix (such as `Error: ` and possible stack trace). Seems like better way of doing it and also safer if server throws some error with sensitive data.	2021-03-05 18:34:11 +01:00
Balázs Orbán	f960cc0f6f	chore(docs): upgrade docs dependencies	2021-03-03 20:13:46 +01:00
Balázs Orbán	0f64f3eea7	chore: don't mark bugs as stale Had a good laugh today 😄: "This is not stale. Bread goes stale. Bugs don't. They don't just magically go away because time has passed" - Unknown https://twitter.com/ericclemmons/status/1367000259046604803	2021-03-03 19:54:13 +01:00
yannicktian	71c78e8e24	feat(provider): allow disabling redirection on sign in with email (#1416 ) * feat: allow to disable client-side redirect for email provider * docs(client): mention that redirect can also be disabled for email provider * feat: only display one email input in email page	2021-03-02 22:38:02 +01:00
dependabot[bot]	d86609a2dc	chore(deps): bump prismjs from 1.22.0 to 1.23.0 in /www (#1409 ) Bumps [prismjs](https://github.com/PrismJS/prism) from 1.22.0 to 1.23.0. - [Release notes](https://github.com/PrismJS/prism/releases) - [Changelog](https://github.com/PrismJS/prism/blob/master/CHANGELOG.md) - [Commits](https://github.com/PrismJS/prism/compare/v1.22.0...v1.23.0) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2021-03-01 22:52:46 +01:00
Joost van Wollingen	d0c3400d30	docs(page): Remove unnecessary context param (#1406 ) ...when calling providers in the docs	2021-03-01 21:39:03 +01:00
Praneeth	172e79cb04	fix(page): add character encoding and page titles (#1380 ) * added character encoding fix * changed multi-line to inline and added title param to send fn in src/server/pages/index.js * modified the return object of renderPage in src/server/pages/index.js	2021-03-01 21:17:51 +01:00
Balázs Orbán	46d5c76605	docs: reword callbacks.md Explain the `jwt()` callback before the `session()` callback, as it comes first in the flow.	2021-02-28 18:05:10 +01:00
Zach White	438efd8a9b	docs: reword pages.md (#1386 ) language edits	2021-02-27 23:43:45 +01:00
Balázs Orbán	d8d497cc91	feat(provider): call generateVerificationToken async (#1378 )	2021-02-27 23:33:26 +01:00
Pop Stefan	6152c8afbb	docs: added refresh token tutorial link in faq page (#1385 )	2021-02-27 20:24:09 +01:00
Balázs Orbán	5ae6f6118c	docs: add missing comma Thx @followbl 😺	2021-02-25 23:29:33 +01:00
sid	96ff048b59	fix(provider): use correct file type for Discord profile img (#1365 )	2021-02-23 21:39:27 +01:00
Ariel Weingarten	e80f6e936d	docs(provider): Update twitch.md (#1353 ) State what redirect URL to add to the Twitch console.	2021-02-22 20:04:38 +01:00
Lawrence Chen	6b5a215fb2	docs(tutorials): refresh token rotation (#1310 ) * docs(tutorials): refresh token rotation * use simple initialization * be optimistic Co-authored-by: Balázs Orbán <info@balazsorban.com> * add yarn.lock to .gitignore Co-authored-by: Balázs Orbán <info@balazsorban.com>	2021-02-21 22:30:01 +01:00
				`@@ -1 +0,0 @@`
				`module.exports = require('./dist/adapters').default`
				`@@ -1 +0,0 @@`
				`module.exports = require('./dist/client').default`
				`@@ -1 +0,0 @@`
				`module.exports = require('./dist/lib/jwt').default`
				`@@ -1 +0,0 @@`
				`module.exports = require('./dist/providers').default`