docs: fix OpenCollective link in README.md (#3494)

* fix #3449: removed default placeholder for credentials provider

* fix: formatting

README.md

@@ -149,7 +149,7 @@ export default function Component() {
 
 ### Share/configure session state
 
-Use the `<SessionProvider>` to allows instances of `useSession()` to share the session object across components. It also takes care of keeping the session updated and synced between tabs/windows.
+Use the `<SessionProvider>` to allow instances of `useSession()` to share the session object across components. It also takes care of keeping the session updated and synced between tabs/windows.
 
 ```jsx title="pages/_app.js"
 import { SessionProvider } from "next-auth/react"
@@ -179,7 +179,7 @@ export default function App({
 
 ### Support
 
-We're happy to announce we've recently created an [OpenCollective](https://opencollective.org/nextauth) for individuals and companies looking to contribute financially to the project!
+We're happy to announce we've recently created an [OpenCollective](https://opencollective.com/nextauth) for individuals and companies looking to contribute financially to the project!
 
 <!--sponsors start-->
 <table>

SECURITY.md

@@ -2,12 +2,6 @@
 
 NextAuth.js practices responsible disclosure.
 
-## Supported Versions
-
-Security updates are only released for the current version.
-
-Old releases are not maintained and do not receive updates.
-
 ## Reporting a Vulnerability
 
 We request that you contact us directly to report serious issues that might impact the security of sites using NextAuth.js.
@@ -19,6 +13,12 @@ If you contact us regarding a serious issue:
 - We will disclose the issue (and credit you, with your consent) once a fix to resolve the issue has been released.
 - If 90 days has elapsed and we still don't have a fix, we will disclose the issue publicly.
 
-Currently, the best way to report an issue is by contacting us via email at me@iaincollins.com or info@balazsorban.com and yo@ndo.dev.
+The best way to report an issue is by contacting us via email at info@balazsorban.com or me@iaincollins.com and yo@ndo.dev, or raise a public issue requesting someone get in touch with you via whatever means you prefer for more details. (Please do not disclose sensitive details publicly at this stage.)
 
-For less serious issues (e.g. RFC compliance for unsupported flows or potential issues that may cause a problem future or default behaviour / options) it is appropriate to submit these these publically as bug reports or feature requests or to raise a question to open a discussion around them.
+> For less serious issues (e.g. RFC compliance for unsupported flows or potential issues that may cause a problem in the future) it is appropriate to submit these these publically as bug reports or feature requests or to raise a question to open a discussion around them.
+
+## Supported Versions
+
+Security updates are only released for the current version.
+
+Old releases are not maintained and do not receive updates.

app/next-env.d.ts

@@ -1,5 +1,4 @@
 /// <reference types="next" />
-/// <reference types="next/types/global" />
 /// <reference types="next/image-types/global" />
 
 // NOTE: This file should not be edited

app/next.config.js

@@ -3,6 +3,7 @@ const path = require("path")
 module.exports = {
   webpack(config) {
     config.experiments = {
+      ...config.experiments,
       topLevelAwait: true,
     }
     config.resolve = {

app/package.json

@@ -21,7 +21,7 @@
     "@prisma/client": "^2.29.1",
     "fake-smtp-server": "^0.8.0",
     "faunadb": "^4.3.0",
-    "next": "^11.1.0",
+    "next": "^12.0.7",
     "nodemailer": "^6.6.3",
     "react": "^17.0.2",
     "react-dom": "^17.0.2"

app/tsconfig.json

@@ -16,6 +16,7 @@
     "moduleResolution": "node",
     "resolveJsonModule": true,
     "isolatedModules": true,
+    "incremental": true,
     "jsx": "preserve",
     "baseUrl": ".",
     "paths": {

package.json

@@ -65,13 +65,13 @@
   ],
   "license": "ISC",
   "dependencies": {
-    "@babel/runtime": "^7.15.4",
-    "@panva/hkdf": "^1.0.0",
+    "@babel/runtime": "^7.16.3",
+    "@panva/hkdf": "^1.0.1",
     "cookie": "^0.4.1",
-    "jose": "^4.1.2",
+    "jose": "^4.3.7",
     "oauth": "^0.9.15",
-    "openid-client": "^5.0.2",
-    "preact": "^10.5.14",
+    "openid-client": "^5.1.0",
+    "preact": "^10.6.3",
     "preact-render-to-string": "^5.1.19",
     "uuid": "^8.3.2"
   },
@@ -87,50 +87,47 @@
   },
   "devDependencies": {
     "@actions/core": "^1.6.0",
-    "@babel/cli": "^7.15.7",
-    "@babel/core": "^7.15.5",
-    "@babel/plugin-proposal-optional-catch-binding": "^7.14.5",
-    "@babel/plugin-transform-runtime": "^7.15.0",
-    "@babel/preset-env": "^7.15.6",
-    "@babel/preset-react": "^7.14.5",
-    "@babel/preset-typescript": "^7.15.0",
-    "@testing-library/jest-dom": "^5.14.1",
+    "@babel/cli": "^7.16.0",
+    "@babel/core": "^7.16.0",
+    "@babel/plugin-proposal-optional-catch-binding": "^7.16.0",
+    "@babel/plugin-transform-runtime": "^7.16.4",
+    "@babel/preset-env": "^7.16.4",
+    "@babel/preset-react": "^7.16.0",
+    "@babel/preset-typescript": "^7.16.0",
+    "@testing-library/jest-dom": "^5.16.1",
     "@testing-library/react": "^12.1.2",
     "@testing-library/react-hooks": "^7.0.2",
-    "@testing-library/user-event": "^13.2.1",
-    "@types/node": "^16.11.6",
+    "@testing-library/user-event": "^13.5.0",
+    "@types/node": "^16.11.12",
     "@types/nodemailer": "^6.4.4",
     "@types/oauth": "^0.9.1",
-    "@types/react": "^17.0.27",
-    "@types/react-dom": "^17.0.9",
-    "@typescript-eslint/eslint-plugin": "^4.33.0",
+    "@types/react": "^17.0.37",
+    "@types/react-dom": "^17.0.11",
     "@typescript-eslint/parser": "^4.33.0",
-    "autoprefixer": "^10.3.7",
-    "babel-jest": "^27.3.0",
+    "autoprefixer": "^10.4.0",
+    "babel-jest": "^27.4.2",
     "babel-plugin-jsx-pragmatic": "^1.0.2",
     "babel-preset-preact": "^2.0.0",
     "conventional-changelog-conventionalcommits": "4.6.1",
-    "cssnano": "^5.0.8",
+    "cssnano": "^5.0.12",
     "eslint": "^7.32.0",
     "eslint-config-prettier": "^8.3.0",
     "eslint-config-standard-with-typescript": "^21.0.1",
-    "eslint-plugin-import": "^2.24.2",
-    "eslint-plugin-jest": "^25.2.2",
+    "eslint-plugin-jest": "^25.3.0",
     "eslint-plugin-node": "^11.1.0",
-    "eslint-plugin-promise": "^5.1.0",
     "fs-extra": "^10.0.0",
-    "husky": "^7.0.2",
-    "jest": "^27.3.0",
+    "husky": "^7.0.4",
+    "jest": "^27.4.3",
     "jest-watch-typeahead": "^1.0.0",
-    "msw": "^0.35.0",
-    "next": "v11.1.3-canary.0",
-    "postcss-cli": "^9.0.1",
+    "msw": "^0.36.3",
+    "next": "12.0.7",
+    "postcss-cli": "^9.0.2",
     "postcss-nested": "^5.0.6",
-    "prettier": "^2.4.1",
-    "pretty-quick": "^3.1.1",
+    "prettier": "2.4.1",
+    "pretty-quick": "^3.1.2",
     "react": "^17.0.2",
     "react-dom": "^17.0.2",
-    "typescript": "^4.4.3",
+    "typescript": "^4.5.2",
     "whatwg-fetch": "^3.6.2"
   },
   "engines": {

src/core/index.ts

@@ -12,7 +12,7 @@ import type { ErrorType } from "./pages/error"
 
 export interface IncomingRequest {
   /** @default "http://localhost:3000" */
-  host: string
+  host?: string
   method?: string
   cookies?: Record<string, string>
   headers?: Record<string, any>

src/core/init.ts

@@ -100,7 +100,7 @@ export async function init({
     // Callback functions
     callbacks: { ...defaultCallbacks, ...userOptions.callbacks },
     logger,
-    callbackUrl: process.env.NEXTAUTH_URL ?? "http://localhost:3000",
+    callbackUrl: url.origin,
   }
 
   // Init cookies

src/core/pages/signin.tsx

@@ -130,8 +130,7 @@ export default function SigninPage(props: SignInServerPageParams) {
                         id={`input-${credential}-for-${provider.id}-provider`}
                         type={provider.credentials[credential].type ?? "text"}
                         placeholder={
-                          provider.credentials[credential].placeholder ??
-                          "Password"
+                          provider.credentials[credential].placeholder ?? ""
                         }
                         {...provider.credentials[credential]}
                       />

src/core/types.ts

@@ -298,7 +298,7 @@ export interface CallbacksOptions<
    * This callback is called whenever a session is checked.
    * (Eg.: invoking the `/api/session` endpoint, using `useSession` or `getSession`)
    *
-   * ⚠ By default, only a subset (email, name, imgage)
+   * ⚠ By default, only a subset (email, name, image)
    * of the token is returned for increased security.
    *
    * If you want to make something available you added to the token through the `jwt` callback,

src/jwt/index.ts

@@ -3,7 +3,7 @@ import hkdf from "@panva/hkdf"
 import { v4 as uuid } from "uuid"
 import { SessionStore } from "../core/lib/cookie"
 import type { NextApiRequest } from "next"
-import type { JWT, JWTDecodeParams, JWTEncodeParams } from "./types"
+import type { JWT, JWTDecodeParams, JWTEncodeParams, JWTOptions } from "./types"
 import type { LoggerInstance } from ".."
 
 export * from "./types"
@@ -56,7 +56,7 @@ export interface GetTokenParams<R extends boolean = false> {
    */
   raw?: R
   secret: string
-  decode?: typeof decode
+  decode?: JWTOptions["decode"]
   logger?: LoggerInstance | Console
 }
 
@@ -70,10 +70,8 @@ export async function getToken<R extends boolean = false>(
 ): Promise<R extends true ? string : JWT | null> {
   const {
     req,
-    secureCookie = !(
-      !process.env.NEXTAUTH_URL ||
-      process.env.NEXTAUTH_URL.startsWith("http://")
-    ),
+    secureCookie = process.env.NEXTAUTH_URL?.startsWith("https://") ??
+      !!process.env.VERCEL_URL,
     cookieName = secureCookie
       ? "__Secure-next-auth.session-token"
       : "next-auth.session-token",
@@ -90,7 +88,13 @@ export async function getToken<R extends boolean = false>(
     logger
   )
 
-  const token = sessionStore.value
+  let token = sessionStore.value
+
+  if (!token && req.headers.authorization?.split(" ")[0] === "Bearer") {
+    const urlEncodedToken = req.headers.authorization.split(" ")[1]
+    token = decodeURIComponent(urlEncodedToken)
+  }
+
   // @ts-expect-error
   if (!token) return null
 

src/jwt/types.ts

@@ -1,4 +1,4 @@
-import { decode, encode } from "."
+import type { Awaitable } from ".."
 
 export interface DefaultJWT extends Record<string, unknown> {
   name?: string | null
@@ -42,9 +42,9 @@ export interface JWTOptions {
    */
   maxAge: number
   /** Override this method to control the NextAuth.js issued JWT encoding. */
-  encode: typeof encode
+  encode: (params: JWTEncodeParams) => Awaitable<string>
   /** Override this method to control the NextAuth.js issued JWT decoding. */
-  decode: typeof decode
+  decode: (params: JWTDecodeParams) => Awaitable<JWT | null>
 }
 
 export type Secret = string | Buffer

src/next/index.ts

@@ -21,7 +21,7 @@ async function NextAuthNextHandler(
   const { nextauth, ...query } = req.query
   const handler = await NextAuthHandler({
     req: {
-      host: (process.env.NEXTAUTH_URL ?? process.env.VERCEL_URL) as string,
+      host: process.env.NEXTAUTH_URL ?? process.env.VERCEL_URL,
       body: req.body,
       query,
       cookies: req.cookies,
@@ -87,7 +87,7 @@ export async function getServerSession(
   const session = await NextAuthHandler<Session | {}>({
     options,
     req: {
-      host: (process.env.NEXTAUTH_URL ?? process.env.VERCEL_URL) as string,
+      host: process.env.NEXTAUTH_URL ?? process.env.VERCEL_URL,
       action: "session",
       method: "GET",
       cookies: context.req.cookies,

src/providers/42-school.ts

@@ -168,7 +168,7 @@ export default function FortyTwo<
     userinfo: "https://api.intra.42.fr/v2/me",
     profile(profile) {
       return {
-        id: profile.id,
+        id: profile.id.toString(),
         name: profile.usual_full_name,
         email: profile.email,
         image: profile.image_url,

src/providers/auth0.ts

@@ -2,7 +2,7 @@ import type { OAuthConfig, OAuthUserConfig } from "."
 
 export interface Auth0Profile {
   sub: string
-  nicname: string
+  nickname: string
   email: string
   picture: string
 }

src/providers/cognito.ts

@@ -15,6 +15,7 @@ export default function Cognito<P extends Record<string, any> = CognitoProfile>(
     name: "Cognito",
     type: "oauth",
     wellKnown: `${options.issuer}/.well-known/openid-configuration`,
+    idToken: true,
     profile(profile) {
       return {
         id: profile.sub,

src/providers/fusionauth.js

@@ -1,20 +0,0 @@
-/** @type {import(".").OAuthProvider} */
-export default function FusionAuth(options) {
-  return {
-    id: "fusionauth",
-    name: "FusionAuth",
-    type: "oauth",
-    authorization: `${options.issuer}oauth2/authorize`,
-    token: `${options.issuer}oauth2/token`,
-    userinfo: `${options.issuer}oauth2/userinfo`,
-    profile(profile) {
-      return {
-        id: profile.sub,
-        name: profile.name,
-        email: profile.email,
-        image: profile.picture,
-      }
-    },
-    options,
-  }
-}

src/providers/fusionauth.ts

@@ -0,0 +1,52 @@
+import { OAuthConfig, OAuthUserConfig } from "./oauth"
+
+/** This is the default openid signature returned from FusionAuth
+ * it can be customized using [lambda functions](https://fusionauth.io/docs/v1/tech/lambdas)
+ */
+export interface FusionAuthProfile {
+  aud: string
+  exp: number
+  iat: number
+  iss: string
+  sub: string
+  jti: string
+  authenticationType: string
+  email: string
+  email_verified: boolean
+  preferred_username: string
+  at_hash: string
+  c_hash: string
+  scope: string
+  sid: string
+}
+
+export default function FusionAuth<
+  P extends Record<string, any> = FusionAuthProfile
+>(
+  // tenantId only needed if there is more than one tenant configured on the server
+  options: OAuthUserConfig<P> & { tenantId?: string }
+): OAuthConfig<P> {
+  return {
+    id: "fusionauth",
+    name: "FusionAuth",
+    type: "oauth",
+    wellKnown: options?.tenantId
+      ? `${options.issuer}/.well-known/openid-configuration?tenantId=${options.tenantId}`
+      : `${options.issuer}/.well-known/openid-configuration`,
+    authorization: {
+      params: {
+        scope: "openid offline_access",
+        ...(options?.tenantId && { tenantId: options.tenantId }),
+      },
+    },
+    checks: ["pkce", "state"],
+    profile(profile) {
+      return {
+        id: profile.sub,
+        email: profile.email,
+        name: profile?.preferred_username,
+      }
+    },
+    options,
+  }
+}

src/providers/okta.ts

@@ -43,6 +43,7 @@ export default function Okta<P extends Record<string, any> = OktaProfile>(
     type: "oauth",
     wellKnown: `${options.issuer}/.well-known/openid-configuration`,
     authorization: { params: { scope: "openid email profile" } },
+    idToken: true,
     profile(profile) {
       return {
         id: profile.sub,