Merge branch 'main' into feature/nonce-check-type

.github/workflows/release.yml

@@ -16,6 +16,8 @@ jobs:
     steps:
       - name: Init
         uses: actions/checkout@v2
+        with:
+          fetch-depth: 2
       - name: Install pnpm
         uses: pnpm/action-setup@v2.2.1
         with:
@@ -101,7 +103,7 @@ jobs:
           echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> .npmrc
           pnpm publish --no-git-checks --access public --tag experimental
         env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN_PKG }}
       - name: Comment version on PR
         uses: NejcZdovc/comment-pr@v1
         with:

.gitignore

@@ -30,7 +30,7 @@ packages/next-auth/providers
 packages/next-auth/src/providers/oauth-types.ts
 packages/next-auth/client
 packages/next-auth/css
-packages/next-auth/lib
+packages/next-auth/utils
 packages/next-auth/core
 packages/next-auth/jwt
 packages/next-auth/react

apps/playground-sveltekit/package.json

@@ -30,7 +30,7 @@
   "type": "module",
   "dependencies": {
     "cookie": "0.4.1",
-    "next-auth": "^4.3.2"
+    "next-auth": "^4.3.3"
   },
   "prettier": {
     "semi": false,

apps/playground-sveltekit/src/lib/next-auth.ts

@@ -65,7 +65,7 @@ async function SKNextAuthHandler(
     query: Object.fromEntries(url.searchParams),
     headers: request.headers,
     method: request.method,
-    cookies: cookie.parse(request.headers.get("cookie")),
+    cookies: cookie.parse(request.headers.get("cookie") ?? ""),
     action: nextauth[0] as NextAuthAction,
     providerId: nextauth[1],
     error: nextauth[1],
@@ -91,7 +91,7 @@ export async function getServerSession(
       host: import.meta.env.VITE_NEXTAUTH_URL,
       action: "session",
       method: "GET",
-      cookies: cookie.parse(request.headers.get("cookie")),
+      cookies: cookie.parse(request.headers.get("cookie") ?? ""),
       headers: request.headers,
     },
     options,

apps/playground-sveltekit/yarn.lock

@@ -1232,10 +1232,10 @@ natural-compare@^1.4.0:
   resolved "https://registry.yarnpkg.com/natural-compare/-/natural-compare-1.4.0.tgz#4abebfeed7541f2c27acfb29bdbbd15c8d5ba4f7"
   integrity sha1-Sr6/7tdUHywnrPspvbvRXI1bpPc=
 
-next-auth@^4.3.2:
-  version "4.3.2"
-  resolved "https://registry.yarnpkg.com/next-auth/-/next-auth-4.3.2.tgz#eb4976511fb19766d0397bd4de45eee87c5c1998"
-  integrity sha512-yj9HN9p81Fg3dkrq4Y0FxjfgupiABac7o+ve47j5GPLjo1qE2FFX1pr7g7mwQ1HDUCoGhLmgBpFBR8+pdWgFfQ==
+next-auth@^4.3.3:
+  version "4.3.3"
+  resolved "https://registry.yarnpkg.com/next-auth/-/next-auth-4.3.3.tgz#5ff892e73648a0f33c2af0e9d7cafda729f63ae7"
+  integrity sha512-bUs+oOOPT18Pq/+4v9q4PA/DGoVoAX6jwY7RTfE/akFXwlny+y/mNS6lPSUwpqcHjljqBaq34PQA3+01SdOOPw==
   dependencies:
     "@babel/runtime" "^7.16.3"
     "@panva/hkdf" "^1.0.1"

docs/docs/configuration/nextjs.md

@@ -16,16 +16,53 @@ You must set the [`NEXTAUTH_SECRET`](/configuration/options#nextauth_secret) env
 
 **We strongly recommend** replacing the `secret` value completely with this `NEXTAUTH_SECRET` environment variable. This environment variable will be picked up by both the [NextAuth config](/configuration/options#options), as well as the middleware config.
 
----
 
+### Basic usage
 ```js
 import withAuth from "next-auth/middleware"
 // or
 import { withAuth } from "next-auth/middleware"
 ```
 
----
+### Custom JWT decode method
+
+If you have custom jwt decode method set in `[...nextauth].ts`, you must also pass the same `decode` method to `withAuth` in order to read the custom-signed JWT correctly. You may want to extract the encode/decode logic to a separate function for consistency.
+
+`[...nextauth].ts`
+```ts
+import jwt from "jsonwebtoken";
+
+export default NextAuth({
+  providers: [...],
+  secret: /* Please use `process.env.NEXTAUTH_SECRET` */,
+  jwt: {
+    encode: async ({ secret, token }) => {
+      return jwt.sign(token as any, secret);
+    },
+    decode: async ({ secret, token }) => {
+      return jwt.verify(token as string, secret) as any;
+    },
+  },
+})
+```
 
+Any `_middleware.ts`
+```ts
+import withAuth from "next-auth/middleware"
+import jwt from "jsonwebtoken";
+
+export default withAuth({
+  jwt: {
+    decode: async ({ secret, token }) => {
+      return jwt.verify(token, secret) as any;
+    },
+  },
+  callbacks: {
+    authorized: ({ token }) => !!token,
+  },
+})
+```
+---
 ### `callbacks`
 
 - **Required:** No

docs/docs/configuration/options.md

@@ -494,6 +494,8 @@ Using a custom cookie policy may introduce security flaws into your application
 
 NextAuth.js uses encrypted JSON Web Tokens ([JWE](https://datatracker.ietf.org/doc/html/rfc7516)) by default. Unless you have a good reason, we recommend keeping this behaviour. Although you can override this using the `encode` and `decode` methods. Both methods must be defined at the same time.
 
+**IMPORTANT: If you use middleware to protect routes, make sure the same method is also set in the [`_middleware.ts` options](/configuration/nextjs#custom-jwt-decode-method)**
+
 ```js
 jwt: {
   async encode(params: {

docs/docs/errors.md

@@ -99,7 +99,7 @@ This is required to store the verification token. Please see the [email provider
 
 The Credentials Provider can only be used if JSON Web Tokens are used for sessions.
 
-JSON Web Tokens are used for Sessions by default if you have not specified a database. However, if you are using a database, then Database Sessions are enabled by default and you need to [explicitly enable JWT Sessions](https://next-auth.js.org/configuration/options#session) to use the Credentials Provider.
+JSON Web Tokens are used for Sessions by default if you have not specified a database. However, if you are using a database, then Database Sessions are enabled by default and you need to [explicitly enable JWT Sessions](/configuration/options#session) to use the Credentials Provider.
 
 If you are using a Credentials Provider, NextAuth.js will not persist users or sessions in a database - user accounts used with the Credentials Provider must be created and managed outside of NextAuth.js.
 
@@ -119,13 +119,17 @@ The default `code_challenge_method` is `"S256"`. This is currently not configura
 > If the client is capable of using "S256", it MUST use "S256", as
   S256" is Mandatory To Implement (MTI) on the server.
 
+#### INVALID_CALLBACK_URL_ERROR
+
+The `callbackUrl` provided was either invalid or not defined. See [specifying a `callbackUrl`](/getting-started/client#specifying-a-callbackurl) for more information.
+
 ---
 
 ### Session Handling
 
 #### JWT_SESSION_ERROR
 
-https://next-auth.js.org/errors#jwt_session_error JWKKeySupport: the key does not support HS512 verify algorithm
+JWKKeySupport: the key does not support HS512 verify algorithm
 
 The algorithm used for generating your key isn't listed as supported. You can generate a HS512 key using
 
@@ -161,7 +165,7 @@ Make sure the file is there and the filename is written correctly.
 
 #### NO_SECRET
 
-In production, we expect you to define a `secret` property in your configuration. In development, this is shown as a warning for convenience. [Read more](https://next-auth.js.org/configuration/options#secret)
+In production, we expect you to define a `secret` property in your configuration. In development, this is shown as a warning for convenience. [Read more](/configuration/options#secret)
 
 #### oauth_callback_error expected 200 OK with body but no body was returned
 

docs/docs/providers/authentik.md

@@ -31,5 +31,5 @@ providers: [
 ```
 
 :::note
-`issuer` should include the slug – e.g. `https://my-authentik-domain.com/application/o/My_Slug/`
+`issuer` should include the slug without a trailing slash – e.g., `https://my-authentik-domain.com/application/o/My_Slug`
 :::

docs/docs/providers/united-effects.md

@@ -0,0 +1,43 @@
+---
+id: united-effects
+title: United Effects
+---
+
+## Documentation
+
+https://docs.unitedeffects.com/integrations/nextauthjs
+
+## Configuration
+
+https://core.unitedeffects.com
+
+## Options
+
+The **United Effects Provider** comes with a set of default options:
+
+- [United Effects Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/united-effects.ts)
+
+You can override any of the options to suit your own use case.
+
+## Example
+
+```js
+import UnitedEffectsProvider from "next-auth/providers/united-effects";
+...
+providers: [
+  UnitedEffectsProvider({
+    clientId: process.env.UNITED_EFFECTS_CLIENT_ID,
+    clientSecret: process.env.UNITED_EFFECTS_CLIENT_SECRET,
+    issuer: process.env.UNITED_EFFECTS_ISSUER
+  })
+]
+...
+```
+
+:::note
+`issuer` should be the fully qualified URL including your Auth Group ID – e.g. `https://auth.unitedeffects.com/YQpbQV5dbW-224dCovz-3`
+:::
+
+:::warning
+The United Effects API does not return the user name or image by design, so this provider will return null for both. United Effects prioritizes user personal information security above all and has built a secured profile access request system separate from the provider API.
+:::

docs/docs/providers/workos.md

@@ -15,7 +15,7 @@ https://dashboard.workos.com
 
 The **WorkOS Provider** comes with a set of default options:
 
-- [WorkOS Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/workos.js)
+- [WorkOS Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/workos.ts)
 
 You can override any of the options to suit your own use case.
 

packages/adapter-sequelize/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@next-auth/sequelize-adapter",
-  "version": "1.0.2",
+  "version": "1.0.4",
   "description": "Sequelize adapter for next-auth.",
   "homepage": "https://next-auth.js.org",
   "repository": "https://github.com/nextauthjs/adapters",

packages/adapter-test/jest/jest-preset.js

@@ -1,7 +1,7 @@
 module.exports = {
   transform: {
-    ".(ts|tsx)$": "ts-jest",
-    ".(js|jsx)$": "babel-jest", // jest's default
+    ".(ts|tsx)$": "@swc/jest",
+    ".(js|jsx)$": "@swc/jest", // jest's default
   },
   transformIgnorePatterns: ["[/\\\\]node_modules[/\\\\].+\\.(js|jsx)$"],
   moduleFileExtensions: ["ts", "tsx", "js", "jsx", "json", "node"],

packages/adapter-test/package.json

@@ -19,7 +19,6 @@
     "@types/nodemailer": "^6.4.4",
     "@typescript-eslint/eslint-plugin": "^4.24.0",
     "@typescript-eslint/parser": "^4.24.0",
-    "babel-jest": "^27.4.2",
     "eslint": "^7.27.0",
     "eslint-config-prettier": "^8.3.0",
     "eslint-config-standard-with-typescript": "^20.0.0",

packages/next-auth/config/babel.config.js

@@ -25,15 +25,15 @@ module.exports = (api) => {
     ignore: [
       "../src/**/__tests__/**",
       "../src/adapters.ts",
-      "../src/lib/types.ts",
+      "../src/core/types.ts",
       "../src/providers/oauth-types.ts",
     ],
     comments: false,
     overrides: [
       {
         test: [
           "../src/react/index.tsx",
-          "../src/lib/logger.ts",
+          "../src/utils/logger.ts",
           "../src/core/errors.ts",
           "../src/client/**",
         ],

packages/next-auth/config/jest.config.js → packages/next-auth/config/jest.client.config.js

@@ -1,10 +1,7 @@
 /** @type {import('@jest/types').Config.InitialOptions} */
 module.exports = {
   transform: {
-    "\\.(js|jsx|ts|tsx)$": [
-      "babel-jest",
-      { configFile: "./config/babel.config.js" },
-    ],
+    "\\.(js|jsx|ts|tsx)$": ["@swc/jest", require("./swc.config")],
   },
   rootDir: "../src",
   setupFilesAfterEnv: ["../config/jest-setup.js"],

packages/next-auth/config/jest.core.config.js

@@ -0,0 +1,13 @@
+/** @type {import('@jest/types').Config.InitialOptions} */
+module.exports = {
+  transform: {
+    "\\.(js|jsx|ts|tsx)$": ["@swc/jest", require("./swc.config")],
+  },
+  rootDir: "..",
+  testMatch: ["**/*.test.ts"],
+  setupFilesAfterEnv: ["./config/jest-setup.js"],
+  watchPlugins: [
+    "jest-watch-typeahead/filename",
+    "jest-watch-typeahead/testname",
+  ],
+}

packages/next-auth/config/swc.config.js

@@ -0,0 +1,17 @@
+module.exports = {
+  jsc: {
+    parser: {
+      syntax: "typescript",
+      tsx: true,
+    },
+    transform: {
+      react: {
+        runtime: "automatic",
+        pragma: "React.createElement",
+        pragmaFrag: "React.Fragment",
+        throwIfNamespace: true,
+        useBuiltins: true,
+      },
+    },
+  },
+}