* Add user id to `session` and `jwt` callback
* Minor changes
- Notes on why the id is not exposed by default is already documented in the `session` section.
* Apply suggestions from code review
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* docs(adapters): Add prisma client docs for typescript users
Add documentation for connecting prisma client w/ prisma adapter for typescript users.
* docs(adapters): remove prismadb.js for prismadb.ts
remove prismadb.js as it is identical to the prismadb.ts
* Apply suggestions from code review
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Update prisma.md
The referenced official doc page describes how to fix the `warn(prisma-client) There are already 10 instances of Prisma Client actively running.` error in development mode.
* Update prisma.md
Implemented best practice for Prisma Client creation.
* Fixed typo in Prisma db filename.
* fix(middleware): use `includes()` for NextAuth pages
Some users could be setting their `signIn` and `error` pages option to
`/` to disable the automatically generated pages, as suggested in [1].
This commit reverts the behaviour for matching `signIn` and `error`
pages in `handleMiddleware` to pre-v4.10.3.
```
const signInPage = "/"
const errorPage = "/"
const publicPaths = [signInPage, errorPage, "/_next", "/favicon.ico"]
// pathname = "/" will return true
publicPaths.some((p) => pathname.startsWith(p))
```
Fixes: aedabc8d ("fix: avoid redirect on always public paths")
Reference [1]: https://github.com/nextauthjs/next-auth/discussions/2330#discussioncomment-1678298
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
* test(middleware): add tests for public paths
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Co-authored-by: Thang Vu <thvu@hey.com>
* clean up `package.json` files
* chore(ts): make sure `next-auth/next` does not conflict with `next`
* simplify `turbo.json`
* fix: apply suggestion
* simplify doc dev command
* ignore upstash redis again
* ignore mikro orm for now
* chore: dev command
* update lock file
* update css path for dev only
* Update apps/dev/package.json
Co-authored-by: Thang Vu <thvu@hey.com>
* Send client_id and client_secret to linkedin
Linkedin now requires client_id and client_secret to be
sent in the oauth callback. Fixes#5220
* Update linkedin.ts
Co-authored-by: Thang Vu <thvu@hey.com>
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* feat: added providing database name in options
* fix: added database name providing in readme
* Apply suggestions from code review
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* fix: return null in unstable_getServerSession if there's an error
* Remove status check and instead check body is not a string
* Combine similar tests
* Keep error from being logged twice
The same errors have been logged, firstly before throwing
OAuthCallbackError, later in the catch-clause of it.
This commit removes the former and lets the latter survive,
because logging functionality seems better to reside in the
same neighborhood.
* doc: Merge CALLBACK_OAUTH_ERROR to OAUTH_CALLBACK_ERROR
* doc: This particular error from openid-client comes with SIGNIN_OAUTH_ERROR
* Provide logger with `providerId`
Co-authored-by: Thang Vu <thvu@hey.com>
Co-authored-by: Thang Vu <thvu@hey.com>
* fix typo in faq
Added missing “not” in same root different subdomain config section warning text
* Apply suggestions from code review
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* feat: add nonce check type
* Update types import for nonce-handler.ts
* Update packages/next-auth/src/core/lib/oauth/callback.ts
Co-authored-by: Thang Vu <thvu@hey.com>
* Add further info to debug msg as per PR suggestion
* Cast OauthChecks as OpenIDCallbackChecks
* Update order of imports as per PR suggestion
Co-authored-by: Hamid Adelyar <hamid.adelyar@bjss.com>
Co-authored-by: hamidbjss <98807568+hamidbjss@users.noreply.github.com>
Co-authored-by: Thang Vu <thvu@hey.com>
Contains the following squashed commits:
* Added how to install next-auth
* Update docs/docs/getting-started/example.md
* Update docs/docs/getting-started/example.md
* Updated with suggestions in mind
* Update example.md
* type safe babel config
* avoid auth redirect for `_next`
* force render default error page on user miconfig
* add slash to _next path
* use `.some`
* add docs
* change from localhost
* add favicon to public path
Split a FAQ into two parts:
Before:
- Can I use NextAuth.js with a website that does not use Next.js?
After:
- Can I use NextAuth.js with a framework different than Next.js?
- Can session generated by NextAuth.js be used by another website?
Ports and refactors `@next-auth/firebase-adapter` to use the new Adapter API. Ported from this PR: nextauthjs/adapters#183
BREAKING CHANGE:
- Renames `FirebaseAdapter` export to `FirestoreAdpater`
- This adapter now requires firebase v9+
We haven't kept up with the recent TypeORM changes, and since they are still <1, it's likely that users kept upgrading, even if there were breaking changes.
BREAKING CHANGE:
[`typeorm`](https://github.com/typeorm/typeorm) is still in active development and has not yet published a stable release. Because of this, you can expect breaking changes in minor versions. This release of the adapter expects `typeorm@0.3.7` and is not validated against previous or future releases.
Run `npm i typeorm@latest` and make sure to read the [release notes](https://github.com/typeorm/typeorm/releases) for breaking changes in TypeORM
* ✨ provide secret via config
* 🐛 make secret optional
* 📝 docs for middleware and env var
* 📝 recommendation at the end of paragraph
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* chore: update docs regarding new server session API
* fix: add note about unstable_ API prefix
* Apply suggestions from code review
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* merge `main`, fix workspace dependencies
* chore(dev): use `matcher` in Middleware
* fix(middleware): support `cookies` as `Map`
* simplify
* chore(example): use new Middleware API
* chore(example): use `next-auth@latest`
* docs(middleware): document new Middleware API
* docs(ts): update inline example
* fix(ts): make cookies optional
* remove non-null assertion
* fix: signIn infer provider type
The "P" type it's not passed in any props, so the result type doesn't understand and return the false type always, Adding the "P" at provider type props.
* fix: P possibly undefined
Co-authored-by: arthurpedroti@gmail.com <arthurpedroti@LAPTOP-MVAK9RM5.localdomain>
in next Next.js versions, NextRequest.cookies will be an instance of NextCookies which is
some kind of a Map, instead of a plain object.
This commit checks whether there's a `get` function in req.cookies, and acts accordingly,
to make sure we will support newer Next.js versions with Edge Functions/Middleware
* Adding United Effects as a provider
* Update packages/next-auth/src/providers/united-effects.ts
* returning name and image as null in profile response
Co-authored-by: Lluis Agusti <hi@llu.lu>
The "P" type it's not passed in any props, so the result type doesn't understand and return the false type always, Adding the "P" at provider type props.
* feat: Add the support of custom cookieName on the next-auth/middleware
* chore: Only accept used params based on NextAuthConfig
* docs: Remove duplicated docs
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Use relative URL for middleware's signin callbackUrl
* Include params to callbackUrl if any
* For testing purpose, append params to existing link for test instead of create another one
* Update apps/dev/components/header.js
Co-authored-by: CODY Mai <nhan.mai@shiftasia.com>
Co-authored-by: Thang Vu <31528554+ThangHuuVu@users.noreply.github.com>
The Authentik provider already adds a `/` after the `issuer`, so this creates a double slash that causes a NextAuth `SIGNIN_OAUTH_ERROR` ("expected 200 OK, got: 301 Moved Permanently").
* chore(docs): add link to SIWE example app / tutorial
* chore(docs): add link to example signin page and cleanup
* chore: update copy for SIWE credentials provider example
* Add additional type
* do not cast to 'any' anymore
* add missing import
* import NextRequest from next/server
Co-authored-by: Lluis Agusti <hi@llu.lu>
* fix(core\pages\signin.tsx): set type of built-in email sign-in input to email for browse validation
* fix(core\pages\signin.tsx): add required attribute to built-in sign-in email input
Co-authored-by: Lluis Agusti <hi@llu.lu>
* docs: Update JWT docs to reflect JWE changes in v4
This PR https://github.com/nextauthjs/next-auth/pull/3039 changed the defaults for JWT tokens to be encrypted by default (JWE). We have conflicting documentation across the docs site and readme.
Additionatlly this PR https://github.com/nextauthjs/next-auth/pull/3783 made providing a secret required in production via NEXTAUTH_SECRET or an option.
* Missed a reference
* Update docs/docs/faq.md
Co-authored-by: Nico Domino <yo@ndo.dev>
* Update docs/docs/faq.md
Co-authored-by: Nico Domino <yo@ndo.dev>
Co-authored-by: Nico Domino <yo@ndo.dev>
* docs: fix Custom Client Session Handling example
It made reference to a useEffect call that was no longer needed.
* Update docs/docs/getting-started/client.md
Co-authored-by: Lluis Agusti <hi@llu.lu>
Co-authored-by: Lluis Agusti <hi@llu.lu>
* chore(docs): add carbon ads to docs page
* fix: add carbon-wrap element
* fix: script in docusaurus config object
* fix: add _carbonads_js id
* fix: add script directly to sidebar
* fix: carbon ads style
* chore: bump ad container down a bit
BREAKING CHANGE
From now on, you will need a minimum version of `@upstash/redis@v1` installed if you want to use this adapter.
You can upgrade by running `npm i @upstash/redis@latest` or `yarn add @upstash/redis@latest`
Until we migrate to v1 there might be people installing the latest
version of @upstash/redis and then encountering errors.
With this they will at least get a warning.
This is obsolete and should be updated once
https://github.com/nextauthjs/next-auth/issues/4183 is resolved.
Co-authored-by: Balázs Orbán <info@balazsorban.com>
I saw in the documentation that v4 now uses
session: {
strategy: "jwt"
},
instead of
session: {
jwt: true
},
also there was double ;; at the end of the return statement, fixing it
* added saml-jackson provider
* incorporated code review changes
* fixed SAMLJacksonProfile type
* trying to adjust code for monorepo
* cleanup from merge with main
* updated docs link
* added example
* consistent naming
* Incorporated code review changes:
- env var default values moved to env.local.example
- consistent naming and use of id
* email is guaranteed to be present
This field is already nullable in the database, so this should only
affect types.
Because the type is being widened, not narrowed, this should also be
fully backwards-compatible, since pre-existing custom entities of type
`string` will be substitutable for the new default type of `string |
null`.
See #4055 for more specifics on the impact.
* chore: separate build commands for core and app
* Move emitDeclarationOnly to next-auth
* Update release.yml
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* refactor(dev): moved dev app
* chore(dev): fix dev app
* fix(providers): WorkOS to TS, use `client_secret_post`
* chore: decrease test concurrency
* chore: remove org
* chore: run tests sequentially
* feat(providers): use `picture` in WorkOS if available
* fix labeler
* try fixing test runs in GitHub Actions
* pass flags to test command
* test version pr
* move versoin-pr action
* remove --dry-run flag
* re-enable testing, re-add semantic release for now
* add docs
* use `yarn.lock` and different docs port
* simplify dev app config
* fix coverage report
* fix provider source links
* fix more links
* fix(providers): properly warn when using Twitter OAuth 2
* refactor(providers): move Twitter OAuth2 warning to `assert`
* fix: use proper warning code
* refactor: only set boolean
* Fix: Add OpenID to authorization scope
* Fix: Check for valid profile picture response before converting to base64
* Update src/providers/azure-ad.ts
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Confirm that profile photo was returned
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* feat(providers): add support to Twitter OAuth 2.0
* docs: add docs comment
* chore: cleanup
* chore: remove comments
* chore: give warning for OAuth 2 for now
* Added patreon provider - tested and working
* Update src/providers/patreon.js
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Update src/providers/patreon.js
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Update src/providers/patreon.js
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Update src/providers/patreon.js
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Switched to TS, restore .env.local, restore package.json as per comments on the PR
* chore: ran Prettier
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* fix: add eslintIgnore in package.json
* Let eslint runs in app, config + js files
* Add a separate tsconfig.eslint.json file
We want to run the lint command on `app`, `src` and `config`, but at the same time want `tsc` to compile files in `src` only. A separate `tsconfig.eslint.json` is a suitable solution to satisfy both `eslint` and `tsc`: 04d1f3e549/packages/parser/README.md
* Update client.ts
Set custom.setHttpOptionsDefaults before Issuer.discover(.wellKnown). This allow discover the .wellKnown endpoint behind a proxy
* chore: address code review
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Update strava.js
Auth with Strava was throwing errors before, this works.
* Update strava.js
changed according to commenters' suggestions
* chore: run linter
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Ensure that GitHub provider always gives an email
* Update src/providers/github.js
Co-authored-by: Balázs Orbán <info@balazsorban.com>
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* fix(provider): correct authorization for Atlassian
* feat(providers): use wellKnown for better configuration
* fix(atlassian): switch back to raw config
* fix(providers): pass generic to `OAuthUserConfig`
Co-authored-by: Lluis Agusti <hi@llu.lu>
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* refactor EVEOnlineProvider into typescript, fix default scopes
* Update src/providers/eveonline.ts
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* update to new OIDC SSO endpoints
* set idToken: true
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* Added support for zoom in beta
* Converted to typescript
* rename
* Now reflects response from Zoom
* chore: Prettier
Co-authored-by: Balázs Orbán <info@balazsorban.com>
If the expected cookie size would exceed the 4096 bytes most browsers allow, we split up the cookie value and put the content into multiple cookies, then assemble it upon reading it back. This eliminates the need for a database or user-land solutions in case the user wants to save more data or is constrained by their IdP for certain fields.
With no scope defined, it sets `openid` by default, which is an invalid 42 scope.
Co-authored-by: Alaa Zorkane <alaazorkane@gmail.com>
Co-authored-by: Alaa Zorkane <alaazorkane@gmail.com>
BREAKING CHANGE:
The `session.jwt: boolean` option has been renamed to `session.strategy: "jwt" | "database"`. The goal is to make the user's options more intuitive:
1. No adapter, `strategy: "jwt"`: This is the default. The session is saved in a cookie and never persisted anywhere.
2. With Adapter, `strategy: "database"`: If an Adapter is defined, this will be the implicit setting. No user config is needed.
3. With Adapter, `strategy: "jwt"`: The user can explicitly instruct `next-auth` to use JWT even if a database is available. This can result in faster lookups in compromise of lowered security. Read more about: https://next-auth.js.org/faq#json-web-tokens
Example:
```diff
session: {
- jwt: true,
+ strategy: "jwt",
}
```
* feat(react): preserve history on client-side navigation
* chore(deps): upgrade jest
* test(client): use absolute URL since `whatwg-*` refusing relative URLs
MS Docs has a lot of local language translations, so it's best to remove locale information from the URLs so that when someone follows them, they land on the right language version of the content.
* docs(readme): add opencollective details to readme
* docs(www): add sponsors to docs footer
* docs(readme): move support under ack
* docs(www): dropped docusaurus link in footer
* Update Fauna Adapter
- added one-liner to explain how to use the setup scripts inside of the Fauna dashboard
- updated the `verification_request_by_token` index name to match what is expected inside of the SDK which is `verification_request_by_token_and_identifier`
* Update Typo
Co-authored-by: Balázs Orbán <info@balazsorban.com>
Co-authored-by: Balázs Orbán <info@balazsorban.com>
* (docs) initial issue template forms as per #2271
* (typo) fix grammar and typo
* (forms) make the requested changes
* (chore) delete the old .md files
* (forms) fix type key
**NOTE:** Issues that are potentially security related should be reported to us by following the [Security guidelines](https://next-auth.js.org/security) rather than on GitHub.
Thanks for taking the time to fill out this issue after reading/searching through the [documentation](https://next-auth.js.org) first!
Is this your first time contributing? Check out this video: https://www.youtube.com/watch?v=cuoNzXFLitc
### Important :exclamation:
_Providing incorrect/insufficient information or skipping steps to reproduce the issue may result in closing the issue or converting to a discussion without further explanation._
If you have a generic question specific to your project, it is best asked in Discussions under the [Questions category](https://github.com/nextauthjs/next-auth/discussions/new?category=Questions)
# Let's wait with this until adoption in other frameworks.
# - type: dropdown
# attributes:
# label: Framework
# description: Which framework(s) is this issue related to?
# multiple: true
# options:
# - "Next.js"
# - "Other"
- type:textarea
attributes:
label:Environment
description:|
Run this command in your project's root folder and paste the result:
Alternatively, you can manually gather the version information from your package.json for these packages: "next", "react" and "next-auth". Please also mention your OS and Node.js version, as well as the browser you are using.
validations:
required:true
- type:input
attributes:
label:Reproduction URL
description:A URL to a repository/code that clearly reproduces your issue. You can use our [`next-auth-example`](https://github.com/nextauthjs/next-auth-example) template repository to get started more easily, or link to your project if it's public
validations:
required:true
- type:textarea
attributes:
label:Describe the issue
description:Describe us what the issue is and what have you tried so far to fix it. Add any extra useful information in this section. Feel free to use screenshots (but prefer [code blocks](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks#syntax-highlighting) over a picture of your code) or a video explanation.
validations:
required:true
- type:textarea
attributes:
label:How to reproduce
description:Explain with clear steps how to reproduce the issue
validations:
required:true
- type:textarea
attributes:
label:Expected behavior
description:Explain what should have happened instead of what actually happened
**NOTE:** Issues that are potentially security related should be reported to us by following the [Security guidelines](https://next-auth.js.org/security) rather than on GitHub.
Thanks for taking the time to fill out this [Provider](https://next-auth.js.org/providers/overview) related issue!
Is this your first time contributing? Check out this video: https://www.youtube.com/watch?v=cuoNzXFLitc
### Important :exclamation:
_Providing incorrect/insufficient information or skipping steps to reproduce the issue may result in closing the issue or converting to a discussion without further explanation._
If you have a generic question specific to your project, it is best asked in Discussions under the [Questions category](https://github.com/nextauthjs/next-auth/discussions/new?category=Questions)
- type:dropdown
attributes:
label:Provider type
description:Provider(s) this issue is related to
multiple:true
options:
- "Credentials"
- "Email"
- "Custom provider"
- "42 School"
- "Apple"
- "Atlassian"
- "Auth0"
- "Authentik"
- "Azure Active Directory"
- "Azure Active Directory B2C"
- "Battlenet"
- "Box"
- "Bungie"
- "Cognito"
- "Coinbase"
- "Discord"
- "Dropbox"
- "EVE Online"
- "Facebook"
- "FACEIT"
- "Foursquare"
- "Freshbooks"
- "FusionAuth"
- "GitHub"
- "GitLab"
- "Google"
- "Identity Server 4"
- "Instagram"
- "Kakao"
- "Keycloak"
- "Line"
- "LinkedIn"
- "Mailchimp"
- "Mail.ru"
- "Medium"
- "Naver"
- "Netlify"
- "Okta"
- "OneLogin"
- "Osso"
- "Osu"
- "Patreon"
- "Pipedrive"
- "Reddit"
- "Salesforce"
- "Slack"
- "Spotify"
- "Strava"
- "Trakt"
- "Twitch"
- "Twitter"
- "Vk"
- "Wordpress"
- "WorkOS"
- "Yandex"
- "Zoho"
- "Zoom"
validations:
required:true
- type:textarea
attributes:
label:Environment
description:|
Run this command in your project's root folder and paste the result:
Alternatively, you can manually gather the version information from your package.json for these packages: "next", "react" and "next-auth". Please also mention your OS and Node.js version, as well as the browser you are using.
validations:
required:true
- type:input
attributes:
label:Reproduction URL
description:A URL to a repository/code that clearly reproduces your issue. You can use our [`next-auth-example`](https://github.com/nextauthjs/next-auth-example) template repository to get started more easily, or link to your project if it's public
validations:
required:true
- type:textarea
attributes:
label:Describe the issue
description:Describe us what the issue is and what have you tried so far to fix it. Add any extra useful information in this section. Feel free to use screenshots (but prefer [code blocks](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks#syntax-highlighting) over a picture of your code) or a video explanation.
validations:
required:true
- type:textarea
attributes:
label:How to reproduce
description:Explain with clear steps how to reproduce the issue
validations:
required:true
- type:textarea
attributes:
label:Expected behavior
description:Explain what should have happened instead of what actually happened
**NOTE:** Issues that are potentially security related should be reported to us by following the [Security guidelines](https://next-auth.js.org/security) rather than on GitHub.
Thanks for taking the time to fill out this [Adapter](https://next-auth.js.org/adapters/overview) related issue!
Is this your first time contributing? Check out this video: https://www.youtube.com/watch?v=cuoNzXFLitc
### Important :exclamation:
_Providing incorrect/insufficient information or skipping steps to reproduce the issue may result in closing the issue or converting to a discussion without further explanation._
If you have a generic question specific to your project, it is best asked in Discussions under the [Questions category](https://github.com/nextauthjs/next-auth/discussions/new?category=Questions)
- type:dropdown
attributes:
label:Adapter type
description:Adapter(s) this issue is related to
multiple:true
options:
- "Custom adapter"
- "@next-auth/dgraph-adapter"
- "@next-auth/dynamodb-adapter"
- "@next-auth/fauna-adapter"
- "@next-auth/firebase-adapter"
- "@next-auth/mikro-orm-adapter"
- "@next-auth/mongodb-adapter"
- "@next-auth/neo4j-adapter"
- "@next-auth/pouchdb-adapter"
- "@next-auth/prisma-adapter"
- "@next-auth/sequelize-adapter"
- "@next-auth/typeorm-legacy-adapter"
- "@next-auth/upstash-redis-adapter"
validations:
required:true
- type:textarea
attributes:
label:Environment
description:|
Run this command in your project's root folder and paste the result:
Alternatively, if the above command did not work, we need the version of the following packages from your package.json: "next", "react", "next-auth" and your adapter. Please also mention your OS and Node.js version, as well as the browser you are using.
validations:
required:true
- type:input
attributes:
label:Reproduction URL
description:A URL to a repository/code that clearly reproduces your issue. You can use our [`next-auth-example`](https://github.com/nextauthjs/next-auth-example) template repository to get started more easily, or link to your project if it's public
validations:
required:true
- type:textarea
attributes:
label:Describe the issue
description:Describe us what the issue is and what have you tried so far to fix it. Add any extra useful information in this section. Feel free to use screenshots (but prefer [code blocks](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks#syntax-highlighting) over a picture of your code) or a video explanation.
validations:
required:true
- type:textarea
attributes:
label:How to reproduce
description:Explain with clear steps how to reproduce the issue
validations:
required:true
- type:textarea
attributes:
label:Expected behavior
description:Explain what should have happened instead of what actually happened
Thank you very much for reaching out to us regarding the awesome feature that you believe should be included in the NextAuth.js library. Please provide the following information:
value:|
**NOTE:**Issues that are potentially security related should be reported to us by following the [Security guidelines](https://next-auth.js.org/security) rather than on GitHub.
Thank you very much for reaching out to us regarding the awesome feature that you believe should be included in the NextAuth.js library.
_NOTE:Feature requests are converted to [discussions (Ideas 💡)](https://github.com/nextauthjs/next-auth/discussions/categories/ideas). Make sure your idea hasn't been asked yet, and upvote the existing one before opening a new instead._
### Important :exclamation:
Please proceed by providing the following information:
- type:textarea
id:description
attributes:
@@ -39,7 +45,7 @@ body:
- type:textarea
id:reproduction
attributes:
label:How to reproduce ☕️
label:How to reproduce ☕️
description:If you have a CodeSandbox playground or some code snippets to help us visualize your idea better, please provide it here.
validations:
required:true
@@ -49,7 +55,6 @@ body:
You can use one of the templates set up on **CodeSandbox** to better illustrate your idea:
**NOTE:**Issues that are potentially security related should be reported to us by following the [Security guidelines](https://next-auth.js.org/security) rather than on GitHub.
Make sure you [link]() to external documentation if necessary and provide inline code examples like so:
```js
@@ -25,21 +26,20 @@ body:
}
```
**NOTE:**Questions will be converted to Discussions. You can find them [here](https://github.com/nextauthjs/next-auth/discussions)!
**NOTE:**Questions will be converted to Discussions. You can find them [here](https://github.com/nextauthjs/next-auth/discussions)!
- type:textarea
id:codesandbox
attributes:
label:How to reproduce ☕️
attributes:
label:How to reproduce ☕️
description:Please provide a link to a minimal reproduction or code snippets that represents your question
validations:
required:true
required:true
- type:markdown
attributes:
value:|
We encourage you to use the template set-up on **CodeSandbox** as a playground to represent your question or doubt:
**NOTE:**Issues that are potentially security related should be reported to us by following the [Security guidelines](https://next-auth.js.org/security) rather than on GitHub.
We are glad that you have a question about this library. Please provide the following information:
- type:textarea
@@ -21,7 +21,7 @@ body:
required:true
- type:markdown
attributes:
value:|
value:|
Make sure you [link]() to external documentation if necessary and provide inline code examples like so:
```js
@@ -30,21 +30,21 @@ body:
}
```
**NOTE:**Questions will be converted to Discussions. You can find them [here](https://github.com/nextauthjs/next-auth/discussions)!
**NOTE:**Questions will be converted to Discussions. You can find them [here](https://github.com/nextauthjs/next-auth/discussions)!
- type:textarea
id:reproduction
attributes:
label:How to reproduce ☕️
attributes:
label:How to reproduce ☕️
description:Please provide a link to a minimal reproduction or code snippets that represents your question
validations:
required:true
required:true
- type:markdown
attributes:
value:|
We encourage you to use the template set-up on **CodeSandbox** as a playground to represent your question or doubt:
Thanks for taking the time to fill out this bug report! Please provide the following information:
- type:textarea
id:description
attributes:
label:Description 🐜
description:Please provide a clear and concise description of the bug in NextAuth.js
validations:
required:true
- type:dropdown
id:ownproject
attributes:
label:Is this a bug in your own project?
description:🚧 – _Do not report bugs with your own project here; ask for help [by raising a question instead](https://github.com/nextauthjs/next-auth/issues/new?assignees=&labels=question&template=question.md) or use the [Discussions tab](https://github.com/nextauthjs/next-auth/discussions) - this helps us reduce the maintenance overhead._
multiple:false
options:
- "Yes"
- "No"
validations:
required:true
- type:textarea
id:reproduction
attributes:
label:How to reproduce ☕️
description:Please provide a link or code snippets to a minimal reproduction of the bug
validations:
required:true
- type:markdown
attributes:
value:|
We encourage you to use one of the templates set up on **CodeSandbox** to reproduce your issue:
Thanks for your interest in the project. Bugs filed and PRs submitted are appreciated!
Please make sure that you are familiar with and follow the Code of Conduct for
this project (found in the CODE_OF_CONDUCT.md file).
Also, please make sure you're familiar with and follow the instructions in the
contributing guidelines (found in the CONTRIBUTING.md file).
If you're new to contributing to open source projects, you might find this free
video course helpful: https://kcd.im/pull-request
Please fill out the information below to expedite the review and (hopefully)
merge of your pull request!
-->
<!-- What changes are being made? (What feature/bug is being fixed here?) -->
> _NOTE_:
>
> - It's a good idea to open an issue first to discuss potential changes.
> - Please make sure that you are _NOT_ opening a PR to fix a potential security vulnerability. Instead, please follow the [Security guidelines](../Security.md) to disclose the issue to us confidentially.
## Reasoning 💡
## ☕️ Reasoning
<!-- What changes are being made? What feature/bug is being fixed here? -->
## Checklist 🧢
<!-- Feel free cross items ( like this `~[] item~` ) if they're irrelevant to your changes.
To check an item, place an `x` in the box like so: `- [x] Documentation`. -->
## 🧢 Checklist
- [ ] Documentation
- [ ] Tests
- [ ] Ready to be merged
<!-- In your opinion, is this ready to be merged as soon as it's reviewed? -->
## 🎫 Affected issues
## Affected issues 🎟
<!--
Please [scout and link issues](https://github.com/nextauthjs/next-auth/issues) that might be solved by this PR.
If you write `"Fixes"` or `"Closes"` before the issue link like so:
Fixes: INSERT_ISSUE_LINK_HERE
```
Fixes #359
```
## 📌 Resources
the connected issue will be automatically closed once the PR is merged and hence help with maintenance of the library 😊
-->
- [Security guidelines](../Security.md)
- [Contributing guidelines](../CONTRIBUTING.md)
- [Code of conduct](../CODE_OF_CONDUCT.md)
- [Contributing to Open Source](https://kcd.im/pull-request)
@@ -17,15 +17,15 @@ Anyone can be a contributor. Either you found a typo, or you have an awesome fea
- The latest changes are always in `main`, so please make your Pull Request against that branch.
- Pull Requests should be raised for any change
- Pull Requests need approval of a [core contributor](https://next-auth.js.org/contributors#core-team) before merging
- We use ESLint/Prettier for linting/formatting, so please run `npm run lint:fix` before committing to make resolving conflicts easier (VSCode users, check out [this ESLint extension](https://marketplace.visualstudio.com/items?itemName=dbaeumer.vscode-eslint) and [this Prettier extension](https://marketplace.visualstudio.com/items?itemName=esbenp.prettier-vscode) to fix lint and formatting issues in development)
- We use ESLint/Prettier for linting/formatting, so please run `pnpm lint:fix` before committing to make resolving conflicts easier (VSCode users, check out [this ESLint extension](https://marketplace.visualstudio.com/items?itemName=dbaeumer.vscode-eslint) and [this Prettier extension](https://marketplace.visualstudio.com/items?itemName=esbenp.prettier-vscode) to fix lint and formatting issues in development)
- We encourage you to test your changes, and if you have the opportunity, please make those tests part of the Pull Request
- If you add new functionality, please provide the corresponding documentation as well and make it part of the Pull Request
### Setting up local environment
A quick guide on how to setup _next-auth_ locally to work on it and test out any changes:
The developer application requires you to use `npm@7`.
Copy `app/.env.local.example` to `app/.env.local`, and add your env variables for each provider you want to test.
> NOTE: You can add any environment variables to .env.local that you would like to use in your dev app.
> You can find the next-auth config under`app/pages/api/auth/[...nextauth].js`.
1. Start the developer application/server:
Copy `apps/dev/.env.local.example` to `apps/dev/.env.local`, and add your env variables for each provider you want to test.
```sh
npm run dev
cd apps/dev
cp .env.local.example .env.local
```
> NOTE: You can add any environment variables to .env.local that you would like to use in your dev app.
> You can find the next-auth config under`apps/dev/pages/api/auth/[...nextauth].js`.
4. Start the developer application/server:
```sh
pnpm dev
```
Your developer application will be available on `http://localhost:3000`
That's it! 🎉
@@ -61,7 +65,7 @@ If you need an example project to link to, you can use [next-auth-example](https
#### Hot reloading
When running `npm run dev`, you start a Next.js developer server on `http://localhost:3000`, which includes hot reloading outofthebox. Make changes on any of the files in `src` and see the changes immediately.
When running `pnpm dev`, you start a Next.js developer server on `http://localhost:3000`, which includes hot reloading out-of-the-box. Make changes on any of the files in `src` and see the changes immediately.
> NOTE: When working on CSS, you will have to manually refresh the page after changes. The reason for this is our pages using CSS are server-side rendered (using API routes). (Improving this through a PR is very welcome!)
@@ -71,7 +75,7 @@ When running `npm run dev`, you start a Next.js developer server on `http://loca
If you think your custom provider might be useful to others, we encourage you to open a PR and add it to the built-in list so others can discover it much more easily! You only need to add two changes:
1. Add your config: [`src/providers/{provider}.js`](https://github.com/nextauthjs/next-auth/tree/main/src/providers) (Make sure you use a named default export, like `export default function YourProvider`!)
1. Add your config: [`src/providers/{provider}.js`](https://github.com/nextauthjs/next-auth/tree/main/packages/next-auth/src/providers) (Make sure you use a named default export, like `export default function YourProvider`!)
That's it! 🎉 Others will be able to discover this provider much more easily now!
@@ -81,43 +85,27 @@ You can look at the existing built-in providers for inspiration.
#### Databases
If you would like to contribute to an existing database adapter or help create a new one, head over to the [nextauthjs/adapters](https://www.github.com/nextauthjs/adapters) repository and follow the instructions provided there.
#### Testing
Tests can be run with `npm run test`.
Tests can be run with `pnpm test`.
Automated tests are currently crude and limited in functionality, but improvements are in development.
## For maintainers
We use [semantic-release](https://github.com/semantic-release/semantic-release) together with [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0) to automate releases. This makes the maintenance process easier and less error-prone to human error. Please study the "Conventional Commits" site to understand how to write a good commit message.
We use [a custom script](https://github.com/nextauthjs/next-auth/blob/main/scripts/release/index.ts) together with [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0) to automate releases. This makes the maintenance process easier and less error-prone. Please study the "Conventional Commits" site to understand how to write a good commit message.
When accepting Pull Requests, make sure the following:
- Use "Squash and merge"
- Make sure you merge contributor PRs into `main`
- Rewrite the commit message to conform to the `Conventional Commits` style. Check the "Recommended Scopes" section for further advice.
- Rewrite the commit message to conform to the `Conventional Commits` style.
- Using `fix` releases a patch (x.x.1)
- Using `feat` releases a minor (x.1.x)
- Using `feat` when `BREAKING CHANGE` is present in the commit message releases a major (1.x.x)
- Optionally link issues the PR will resolve (You can add "close" in front of the issue numbers to close the issues automatically, when the PR is merged. `semantic-release` will also comment back to connected issues and PRs, notifying the users that a feature is added/bug fixed, etc.)
### Recommended Scopes
A typical conventional commit looks like this:
```
type(scope): title
body
```
Scope is the part that will help grouping the different commit types in the release notes.
Some recommended scopes are:
- **provider** - Provider related changes. (eg.: "feat(provider): add X provider", "docs(provider): fix typo in X documentation"
- **adapter** - Adapter related changes. (eg.: "feat(adapter): add X provider", "docs(provider): fix typo in X documentation"
- **db** - Database related changes. (eg.: "feat(db): add X database", "docs(db): fix typo in X documentation"
- **deps** - Adding/removing/updating a dependency (eg.: "chore(deps): add X")
> NOTE: If you are not sure which scope to use, you can simply ignore it. (eg.: "feat: add something"). Adding the correct type already helps a lot when analyzing the commit messages.
### Skipping a release
Every commit that contains [skip release] or [release skip] in their message will be excluded from the commit analysis and won't participate in the release type determination. This is useful, if the PR being merged should not trigger a new `npm` release.
If a commit contains `[skip release]` in their message, it will be excluded from the commit analysis and won't participate in the release type determination. This is useful, if the PR being merged should not trigger a new `npm` release.
NextAuth.js is a complete open source authentication solution for [Next.js](http://nextjs.org/) applications.
It is designed from the ground up to support Next.js and Serverless.
## Getting Started
```
npm install --save next-auth
```
The easiest way to continue getting started, is to follow the [getting started](https://next-auth.js.org/getting-started/example) section in our docs.
We also have a section of [tutorials](https://next-auth.js.org/tutorials) for those looking for more specific examples.
See [next-auth.js.org](https://next-auth.js.org) for more information and documentation.
## Features
### Flexible and easy to use
- Designed to work with any OAuth service, it supports OAuth 1.0, 1.0A and 2.0
- Built-in support for [many popular sign-in services](https://next-auth.js.org/configuration/providers)
- Supports email / passwordless authentication
- Supports stateless authentication with any backend (Active Directory, LDAP, etc)
- Supports both JSON Web Tokens and database sessions
- Designed for Serverless but runs anywhere (AWS Lambda, Docker, Heroku, etc…)
### Own your own data
NextAuth.js can be used with or without a database.
- An open source solution that allows you to keep control of your data
- Supports Bring Your Own Database (BYOD) and can be used with any database
- Built-in support for [MySQL, MariaDB, Postgres, Microsoft SQL Server, MongoDB and SQLite](https://next-auth.js.org/configuration/databases)
- Works great with databases from popular hosting providers
- Can also be used _without a database_ (e.g. OAuth + JWT)
### Secure by default
- Promotes the use of passwordless sign-in mechanisms
- Designed to be secure by default and encourage best practices for safeguarding user data
- Uses Cross-Site Request Forgery (CSRF) Tokens on POST routes (sign in, sign out)
- Default cookie policy aims for the most restrictive policy appropriate for each cookie
- When JSON Web Tokens are enabled, they are signed by default (JWS) with HS512
- Use JWT encryption (JWE) by setting the option `encryption: true` (defaults to A256GCM)
- Auto-generates symmetric signing and encryption keys for developer convenience
- Features tab/window syncing and session polling to support short lived sessions
- Attempts to implement the latest guidance published by [Open Web Application Security Project](https://owasp.org)
Advanced options allow you to define your own routines to handle controlling what accounts are allowed to sign in, for encoding and decoding JSON Web Tokens and to set custom cookie security policies and session properties, so you can control who is able to sign in and how often sessions have to be re-validated.
### TypeScript
NextAuth.js comes with built-in types. For more information and usage, check out the [TypeScript section](https://next-auth.js.org/getting-started/typescript) in the documentation.
## Example
### Add API Route
```javascript
// pages/api/auth/[...nextauth].js
importNextAuthfrom"next-auth"
importProvidersfrom"next-auth/providers"
exportdefaultNextAuth({
providers:[
// OAuth authentication providers
Providers.Apple({
clientId:process.env.APPLE_ID,
clientSecret:process.env.APPLE_SECRET,
}),
Providers.Google({
clientId:process.env.GOOGLE_ID,
clientSecret:process.env.GOOGLE_SECRET,
}),
// Sign in with passwordless email link
Providers.Email({
server:process.env.MAIL_SERVER,
from:"<no-reply@example.com>",
}),
],
})
```
### Add React Hook
The `useSession()` React Hook in the NextAuth.js client is the easiest way to check if someone is signed in.
Use the `<SessionProvider>` to allows instances of `useSession()` to share the session object across components. It also takes care of keeping the session updated and synced between tabs/windows.
```jsx title="pages/_app.js"
import { SessionProvider } from "next-auth/react"
export default function App({
Component,
pageProps: { session, ...pageProps }
}) {
return (
<SessionProvider session={session}>
<Component {...pageProps} />
</SessionProvider>
)
}
```
## Acknowledgments
[NextAuth.js is made possible thanks to all of its contributors.](https://next-auth.js.org/contributors)
We're happy to announce we've recently created an [OpenCollective](https://opencollective.org/nextauth) for individuals and companies looking to contribute financially to the project!
We're open to all community contributions! If you'd like to contribute in any way, please first read our [Contributing Guide](https://github.com/nextauthjs/next-auth/blob/canary/CONTRIBUTING.md).
Security updates are only released for the current version.
Old releases are not maintained and do not receive updates.
## Reporting a Vulnerability
We request that you contact us directly to report serious issues that might impact the security of sites using NextAuth.js.
@@ -19,6 +13,12 @@ If you contact us regarding a serious issue:
- We will disclose the issue (and credit you, with your consent) once a fix to resolve the issue has been released.
- If 90 days has elapsed and we still don't have a fix, we will disclose the issue publicly.
Currently, the best way to report an issue is by contacting us via email at me@iaincollins.com or info@balazsorban.com and yo@ndo.dev.
The best way to report an issue is by contacting us via email at hi@thvu.dev, info@balazsorban.com, yo@ndo.dev and me@iaincollins.com, or raise a public issue requesting someone get in touch with you via whatever means you prefer for more details. (Please do not disclose sensitive details publicly at this stage.)
For less serious issues (e.g. RFC compliance for unsupported flows or potential issues that may cause a problem future or default behaviour / options) it is appropriate to submit these these publically as bug reports or feature requests or to raise a question to open a discussion around them.
> For less serious issues (e.g. RFC compliance for unsupported flows or potential issues that may cause a problem in the future) it is appropriate to submit these publicly as bug reports or feature requests or to raise a question to open a discussion around them.
## Supported Versions
Security updates are only released for the current version.
Old releases are not maintained and do not receive updates.
> The example repository is maintained from a [monorepo](https://github.com/nextauthjs/next-auth/tree/main/apps/example-gatsby). Pull Requests should be opened against [`nextauthjs/next-auth`](https://github.com/nextauthjs/next-auth).
NextAuth.js is a complete open source authentication solution.
This is an example application that shows how `next-auth` is applied to a basic Gatsby app. We are showing how to configure the backend both as a [Vercel Function](https://vercel.com/docs/concepts/functions/introduction) for deployment to Vercel, and also for [Gatsby Functions](https://www.gatsbyjs.com/docs/reference/functions) for other platforms.
The deployed version can be found at [`next-auth-gatsby-example.vercel.app`](https://next-auth-gatsby-example.vercel.app)
### About NextAuth.js
NextAuth.js is an easy to implement, full-stack (client/server) open source authentication library originally designed for [Next.js](https://nextjs.org) and [Serverless](https://vercel.com), but this example shows how to use it in a Gatsby project. Our goal is to [support even more frameworks](https://github.com/nextauthjs/next-auth/issues/2294) in the future.
Go to [next-auth.js.org](https://next-auth.js.org) for more information and documentation.
> *NextAuth.js is not officially associated with Vercel or Next.js.*
## Getting Started
### 1. Clone the repository and install dependencies
Copy the .env.local.example file in this directory to .env.local (which will be ignored by Git):
```
cp .env.local.example .env.local
```
Add details for one or more providers (e.g. Google, Twitter, GitHub, Email, etc).
#### Database
A database is needed to persist user accounts and to support email sign in. However, you can still use NextAuth.js for authentication without a database by using OAuth for authentication. If you do not specify a database, [JSON Web Tokens](https://jwt.io/introduction) will be enabled by default.
You **can** skip configuring a database and come back to it later if you want.
For more information about setting up a database, please check out the following links:
1. Review and update options in `nextauth.config.js` as needed.
2. When setting up OAuth, in the developer admin page for each of your OAuth services, you should configure the callback URL to use a callback path of `{server}/api/auth/callback/{provider}`.
e.g. For Google OAuth you would use: `http://localhost:3000/api/auth/callback/google`
A list of configured providers and their callback URLs is available from the endpoint `/api/auth/providers`. You can find more information at https://next-auth.js.org/configuration/providers/oauth
3. You can also choose to specify an SMTP server for passwordless sign in via email.
### 4. Start the application
To run your site locally, use:
```
npm run dev
```
To run it in production mode, use:
```
npm run build
npm run start
```
### 5. Preparing for Production
Follow the [Deployment documentation](https://next-auth.js.org/deployment)
> The example repository is maintained from a [monorepo](https://github.com/nextauthjs/next-auth/tree/main/apps/example-nextjs). Pull Requests should be opened against [`nextauthjs/next-auth`](https://github.com/nextauthjs/next-auth).
NextAuth.js is a complete open source authentication solution.
This is an example application that shows how `next-auth` is applied to a basic Next.js app.
The deployed version can be found at [`next-auth-example.vercel.app`](https://next-auth-example.vercel.app)
### About NextAuth.js
NextAuth.js is an easy to implement, full-stack (client/server) open source authentication library originally designed for [Next.js](https://nextjs.org) and [Serverless](https://vercel.com). Our goal is to [support even more frameworks](https://github.com/nextauthjs/next-auth/issues/2294) in the future.
Go to [next-auth.js.org](https://next-auth.js.org) for more information and documentation.
> *NextAuth.js is not officially associated with Vercel or Next.js.*
## Getting Started
### 1. Clone the repository and install dependencies
Copy the .env.local.example file in this directory to .env.local (which will be ignored by Git):
```
cp .env.local.example .env.local
```
Add details for one or more providers (e.g. Google, Twitter, GitHub, Email, etc).
#### Database
A database is needed to persist user accounts and to support email sign in. However, you can still use NextAuth.js for authentication without a database by using OAuth for authentication. If you do not specify a database, [JSON Web Tokens](https://jwt.io/introduction) will be enabled by default.
You **can** skip configuring a database and come back to it later if you want.
For more information about setting up a database, please check out the following links:
1. Review and update options in `pages/api/auth/[...nextauth].js` as needed.
2. When setting up OAuth, in the developer admin page for each of your OAuth services, you should configure the callback URL to use a callback path of `{server}/api/auth/callback/{provider}`.
e.g. For Google OAuth you would use: `http://localhost:3000/api/auth/callback/google`
A list of configured providers and their callback URLs is available from the endpoint `/api/auth/providers`. You can find more information at https://next-auth.js.org/configuration/providers/oauth
3. You can also choose to specify an SMTP server for passwordless sign in via email.
### 4. Start the application
To run your site locally, use:
```
npm run dev
```
To run it in production mode, use:
```
npm run build
npm run start
```
### 5. Preparing for Production
Follow the [Deployment documentation](https://next-auth.js.org/deployment)
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
