Merge branch 'main' into feature/nonce-check-type

.github/workflows/release.yml

@@ -69,7 +69,7 @@ jobs:
           git config --global user.name "Balázs Orbán"
           pnpm release
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
           NPM_TOKEN_PKG: ${{ secrets.NPM_TOKEN_PKG }}
           NPM_TOKEN_ORG: ${{ secrets.NPM_TOKEN_ORG }}
   release-pr:

apps/dev/pages/middleware-protected/_middleware.js → apps/dev/middleware.ts

@@ -1,5 +1,7 @@
 export { default } from "next-auth/middleware"
 
+export const config = { matcher: ["/middleware-protected"] }
+
 // Other ways to use this middleware
 
 // import withAuth from "next-auth/middleware"

apps/dev/package.json

@@ -16,21 +16,21 @@
   },
   "license": "ISC",
   "dependencies": {
-    "@next-auth/fauna-adapter": "^1.0.1",
-    "@next-auth/prisma-adapter": "^1.0.1",
-    "@prisma/client": "^3.10.0",
-    "cpx": "^1.5.0",
-    "fake-smtp-server": "^0.8.0",
-    "faunadb": "^4.4.1",
-    "next": "^12.1.0",
-    "nodemailer": "^6.7.2",
-    "react": "^17.0.2",
-    "react-dom": "^17.0.2"
+    "@next-auth/fauna-adapter": "^1",
+    "@next-auth/prisma-adapter": "^1",
+    "@prisma/client": "^3",
+    "faunadb": "^4",
+    "next": "12.1.7-canary.51",
+    "nodemailer": "^6",
+    "react": "^18",
+    "react-dom": "^18"
   },
   "devDependencies": {
-    "@types/react": "^17.0.37",
-    "@types/react-dom": "^17.0.11",
-    "concurrently": "^7.1.0",
-    "prisma": "^3.10.0"
+    "@types/react": "^18",
+    "@types/react-dom": "^18",
+    "concurrently": "^7",
+    "cpx": "^1.5.0",
+    "fake-smtp-server": "^0.8.0",
+    "prisma": "^3"
   }
 }

apps/dev/pages/api/examples/protected.js

@@ -1,8 +1,8 @@
 // This is an example of to protect an API route
-import { getSession } from "next-auth/react"
+import { unstable_getServerSession } from "next-auth/next"
 
 export default async (req, res) => {
-  const session = await getSession({ req })
+  const session = await unstable_getServerSession(req, res, options)
 
   if (session) {
     res.send({

apps/dev/pages/api/examples/session.js

@@ -1,7 +1,7 @@
 // This is an example of how to access a session from an API route
-import { getSession } from "next-auth/react"
+import { unstable_getServerSession } from "next-auth/next"
 
 export default async (req, res) => {
-  const session = await getSession({ req })
+  const session = await unstable_getServerSession(req, res, authOptions)
   res.send(JSON.stringify(session, null, 2))
 }

apps/dev/pages/protected-ssr.js

@@ -1,5 +1,5 @@
 // This is an example of how to protect content using server rendering
-import { getServerSession } from "next-auth/next"
+import { unstable_getServerSession } from "next-auth/next"
 import { authOptions } from "./api/auth/[...nextauth]"
 import Layout from "../components/layout"
 import AccessDenied from "../components/access-denied"
@@ -26,7 +26,11 @@ export default function Page({ content, session }) {
 }
 
 export async function getServerSideProps(context) {
-  const session = await getServerSession(context, authOptions)
+  const session = await unstable_getServerSession(
+    context.req,
+    context.res,
+    authOptions
+  )
   let content = null
 
   if (session) {

apps/dev/pages/server.js

@@ -1,4 +1,4 @@
-import { getSession } from "next-auth/react"
+import { unstable_getServerSession } from "next-auth/next"
 import Layout from "../components/layout"
 
 export default function Page() {
@@ -11,13 +11,17 @@ export default function Page() {
     <Layout>
       <h1>Server Side Rendering</h1>
       <p>
-        This page uses the universal <strong>getSession()</strong> method in{" "}
-        <strong>getServerSideProps()</strong>.
+        This page uses the <strong>unstable_getServerSession()</strong> method
+        in <strong>getServerSideProps()</strong>.
       </p>
       <p>
-        Using <strong>getSession()</strong> in{" "}
-        <strong>getServerSideProps()</strong> is the recommended approach if you
-        need to support Server Side Rendering with authentication.
+        Using <strong>unstable_getServerSession()</strong> in{" "}
+        <strong>getServerSideProps()</strong> is currently the recommended
+        approach, although the API may still change, if you need to support
+        Server Side Rendering with authentication.
+      </p>
+      <p>
+        Using <strong>getSession()</strong> is still recommended on the client.
       </p>
       <p>
         The advantage of Server Side Rendering is this page does not require
@@ -35,7 +39,11 @@ export default function Page() {
 export async function getServerSideProps(context) {
   return {
     props: {
-      session: await getSession(context),
+      session: await unstable_getServerSession(
+        contex.req,
+        contex.res,
+        authOptions
+      ),
     },
   }
 }

apps/example-gatsby/README.md

@@ -65,7 +65,6 @@ You **can** skip configuring a database and come back to it later if you want.
 For more information about setting up a database, please check out the following links:
 
 * Docs: [next-auth.js.org/adapters/overview](https://next-auth.js.org/adapters/overview)
-* Adapters Repo: [nextauthjs/adapters](https://github.com/nextauthjs/adapters)
 
 ### 3. Configure Authentication Providers
 

apps/example-gatsby/package.json

@@ -12,9 +12,9 @@
   "dependencies": {
     "dotenv": "^16.0.0",
     "gatsby": "next",
-    "next-auth": "^4.2.1",
-    "react": "^17.0.2",
-    "react-dom": "^17.0.2"
+    "next-auth": "latest",
+    "react": "^18",
+    "react-dom": "^18"
   },
   "devDependencies": {
     "vercel": "^23.1.2"

apps/example-nextjs/README.md

@@ -68,7 +68,6 @@ You **can** skip configuring a database and come back to it later if you want.
 For more information about setting up a database, please check out the following links:
 
 * Docs: [next-auth.js.org/adapters/overview](https://next-auth.js.org/adapters/overview)
-* Adapters Repo: [nextauthjs/adapters](https://github.com/nextauthjs/adapters)
 
 ### 3. Configure Authentication Providers
 

apps/example-nextjs/middleware.ts

@@ -0,0 +1,12 @@
+import { withAuth } from "next-auth/middleware"
+
+// More on how NextAuth.js middleware works: https://next-auth.js.org/configuration/nextjs#middleware
+export default withAuth({
+  callbacks: {
+    authorized: ({ req, token }) =>
+      // /admin requires admin role, but /me only requires the user to be logged in.
+      req.nextUrl.pathname !== "/admin" || token?.userRole === "admin",
+  },
+})
+
+export const config = { matcher: ["/admin", "/me"] }

apps/example-nextjs/package.json

@@ -23,16 +23,16 @@
   ],
   "license": "ISC",
   "dependencies": {
-    "next": "^12.0.11-canary.4",
+    "next": "12.1.7-canary.51",
     "next-auth": "latest",
-    "nodemailer": "^6.6.3",
-    "react": "^17.0.2",
-    "react-dom": "^17.0.2"
+    "nodemailer": "^6",
+    "react": "^18",
+    "react-dom": "^18"
   },
   "devDependencies": {
-    "@types/node": "^17.0.14",
-    "@types/react": "^17.0.39",
-    "typescript": "^4.5.5"
+    "@types/node": "^17",
+    "@types/react": "^18",
+    "typescript": "^4"
   },
   "prettier": {
     "semi": false

apps/example-nextjs/pages/admin/index.tsx → apps/example-nextjs/pages/admin.tsx

@@ -1,4 +1,4 @@
-import Layout from "../../components/layout"
+import Layout from "../components/layout"
 
 export default function Page() {
   return (

apps/example-nextjs/pages/api/auth/[...nextauth].ts

@@ -1,4 +1,4 @@
-import NextAuth from "next-auth"
+import NextAuth, { NextAuthOptions } from "next-auth"
 import GoogleProvider from "next-auth/providers/google"
 import FacebookProvider from "next-auth/providers/facebook"
 import GithubProvider from "next-auth/providers/github"
@@ -9,7 +9,7 @@ import Auth0Provider from "next-auth/providers/auth0"
 
 // For more information on each option (and a full list of options) go to
 // https://next-auth.js.org/configuration/options
-export default NextAuth({
+export const authOptions: NextAuthOptions = {
   // https://next-auth.js.org/configuration/providers/oauth
   providers: [
     /* EmailProvider({
@@ -18,7 +18,7 @@ export default NextAuth({
        }),
     // Temporarily removing the Apple provider from the demo site as the
     // callback URL for it needs updating due to Vercel changing domains
-      
+
     Providers.Apple({
       clientId: process.env.APPLE_ID,
       clientSecret: {
@@ -60,4 +60,6 @@ export default NextAuth({
       return token
     },
   },
-})
+}
+
+export default NextAuth(authOptions)

apps/example-nextjs/pages/api/examples/protected.ts

@@ -1,9 +1,9 @@
 // This is an example of to protect an API route
-import { getSession } from "next-auth/react"
+import { unstable_getServerSession } from "next-auth/next"
 import type { NextApiRequest, NextApiResponse } from "next"
 
 export default async (req: NextApiRequest, res: NextApiResponse) => {
-  const session = await getSession({ req })
+  const session = await unstable_getServerSession(req, res, authOptions)
 
   if (session) {
     res.send({
@@ -12,7 +12,8 @@ export default async (req: NextApiRequest, res: NextApiResponse) => {
     })
   } else {
     res.send({
-      error: "You must be signed in to view the protected content on this page.",
+      error:
+        "You must be signed in to view the protected content on this page.",
     })
   }
 }

apps/example-nextjs/pages/me/index.tsx → apps/example-nextjs/pages/me.tsx

@@ -1,5 +1,5 @@
 import { useSession } from "next-auth/react"
-import Layout from "../../components/layout"
+import Layout from "../components/layout"
 
 export default function MePage() {
   const { data } = useSession()

apps/example-nextjs/pages/server.tsx

@@ -1,26 +1,24 @@
-import { useSession, getSession } from "next-auth/react"
+import { unstable_getServerSession } from "next-auth/next"
+import { authOptions } from "./api/auth/[...nextauth]"
 import Layout from "../components/layout"
 import type { NextPageContext } from "next"
 
-export default function ServerSidePage() {
+export default function ServerSidePage({ session }) {
   // As this page uses Server Side Rendering, the `session` will be already
   // populated on render without needing to go through a loading stage.
-  // This is possible because of the shared context configured in `_app.js` that
-  // is used by `useSession()`.
-  const { data: session, status } = useSession()
-  const loading = status === "loading"
 
   return (
     <Layout>
       <h1>Server Side Rendering</h1>
       <p>
-        This page uses the universal <strong>getSession()</strong> method in{" "}
-        <strong>getServerSideProps()</strong>.
+        This page uses the <strong>unstable_getServerSession()</strong> method
+        in <strong>unstable_getServerSideProps()</strong>.
       </p>
       <p>
-        Using <strong>getSession()</strong> in{" "}
-        <strong>getServerSideProps()</strong> is the recommended approach if you
-        need to support Server Side Rendering with authentication.
+        Using <strong>unstable_getServerSession()</strong> in{" "}
+        <strong>unstable_getServerSideProps()</strong> is the recommended
+        approach if you need to support Server Side Rendering with
+        authentication.
       </p>
       <p>
         The advantage of Server Side Rendering is this page does not require
@@ -38,7 +36,7 @@ export default function ServerSidePage() {
 export async function getServerSideProps(context: NextPageContext) {
   return {
     props: {
-      session: await getSession(context),
+      session: await unstable_getServerSession(context.req, context.res, authOptions),
     },
   }
 }

apps/playground-sveltekit/package.json

@@ -30,7 +30,7 @@
   "type": "module",
   "dependencies": {
     "cookie": "0.4.1",
-    "next-auth": "^4.3.3"
+    "next-auth": "workspace:*"
   },
   "prettier": {
     "semi": false,

apps/playground-sveltekit/yarn.lock

@@ -1232,10 +1232,10 @@ natural-compare@^1.4.0:
   resolved "https://registry.yarnpkg.com/natural-compare/-/natural-compare-1.4.0.tgz#4abebfeed7541f2c27acfb29bdbbd15c8d5ba4f7"
   integrity sha1-Sr6/7tdUHywnrPspvbvRXI1bpPc=
 
-next-auth@^4.3.3:
-  version "4.3.3"
-  resolved "https://registry.yarnpkg.com/next-auth/-/next-auth-4.3.3.tgz#5ff892e73648a0f33c2af0e9d7cafda729f63ae7"
-  integrity sha512-bUs+oOOPT18Pq/+4v9q4PA/DGoVoAX6jwY7RTfE/akFXwlny+y/mNS6lPSUwpqcHjljqBaq34PQA3+01SdOOPw==
+next-auth@^4.5.0:
+  version "4.5.0"
+  resolved "https://registry.yarnpkg.com/next-auth/-/next-auth-4.5.0.tgz#2df57287fddc705b8971c88c60bad44a89ac6dd1"
+  integrity sha512-B6gYRIbqtj8nlDsx3y2Ruwp/mvZnItPs7VUULY43QYw+M9xtDPIM9EBZ3ryd/wNYA3MDteBJlzGm/ivseXcmJA==
   dependencies:
     "@babel/runtime" "^7.16.3"
     "@panva/hkdf" "^1.0.1"

docs/docs/adapters/dgraph.md

@@ -236,7 +236,7 @@ export default NextAuth({
     encode: async ({ secret, token }) => {
       return jwt.sign({...token, userId: token.id}, secret, {
         algorithm: "HS256",
-        expiresIn: 30 * 24 * 60 * 60; // 30 days
+        expiresIn: 30 * 24 * 60 * 60, // 30 days
       });
     },
     decode: async ({ secret, token }) => {

docs/docs/configuration/callbacks.md

@@ -107,7 +107,7 @@ The redirect callback may be invoked more than once in the same flow.
 This callback is called whenever a JSON Web Token is created (i.e. at sign
 in) or updated (i.e whenever a session is accessed in the client). The returned value will be [encrypted](/configuration/options#jwt), and it is stored in a cookie.
 
-Requests to `/api/auth/signin`, `/api/auth/session` and calls to `getSession()`, `useSession()` will invoke this function, but only if you are using a [JWT session](/configuration/options#session). This method is not invoked when you persist sessions in a database.
+Requests to `/api/auth/signin`, `/api/auth/session` and calls to `getSession()`, `unstable_getServerSession()`, `useSession()` will invoke this function, but only if you are using a [JWT session](/configuration/options#session). This method is not invoked when you persist sessions in a database.
 
 - As with database persisted session expiry times, token expiry time is extended whenever a session is active.
 - The arguments _user_, _account_, _profile_ and _isNewUser_ are only passed the first time this callback is called on a new session, after the user signs in. In subsequent calls, only `token` will be available.

docs/docs/configuration/events.md

@@ -53,6 +53,7 @@ The message object will contain:
 
 - `user`: The user object from your adapter.
 - `account`: The object returned from the provider.
+- `profile`: The object returned from the `profile` callback of the OAuth provider.
 
 ### session