Email requires adapter, which makes session strategy default to database. Middleware then doesn't work. #4891

Closed
ardeaf opened this issue Jul 10, 2022 · 3 comments
Labels: documentation (Relates to documentation), triage (Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.)

ardeaf commented Jul 10, 2022

What is the improvement or update you wish to see?

Hello, I couldn't figure out for the life of me why the middleware kept sending me to the sign in page. What I ended up doing was:

  1. Viewing the docs on how to set up an Email provider
  2. This led to me setting up the adapter and provider in my [...nextauth.js] file
  3. I further read documentation and saw that I can use the middleware.ts file in root to protect everything. Awesome!
  4. Everything seemed great, but after a lot of troubleshooting, I eventually stumbled upon the session configuration option which let me know that if adapter is specified it defaults to database.

Once I changed the session strategy back to jwt, everything worked great again

I would like to suggest a few fixes:

  1. Highlight somewhere in the Email Provider docs that because the email provider requires the use of an adapter in the configuration, then the session: { strategy: '...' } will automatically be switched to database and you need to explicitly specify jwt in the session strategy if you are also wanting to make use of middleware.ts
  2. Send a warning that if middleware.ts is being used and the session strategy is database then middleware will not work as expected
  3. If an adapter is configured but there is no explicit session strategy specified, and the user has a middleware.ts file in the root, then the console should send a warning/info notice (maybe suppressible) stating that the default session strategy has been set to database

I know it's a new feature but the combination of factors caused this to go undetected for quite a while and it was pure luck I stumbled upon the correct combination of docs.

Is there any context that might help us understand?

I just started using next-auth.js within the last few days.

Here are the relevant docs:
https://next-auth.js.org/providers/email
Lets us know that we need to set up an adapter, but doesn't note how this impacts middleware usage.

https://next-auth.js.org/tutorials/securing-pages-and-api-routes
Lets us know how to use the new middleware feature, noting that jwt must be used.

https://next-auth.js.org/configuration/options#session
Lets us know that session strategy defaults to database if you use an adapter and don't set it explicitly, but doesn't note that this may produce unexpected results if you then go on to use middleware.

Does the docs page already exist? Please link to it.

No response

ardeaf added the documentation and triage labels Jul 10, 2022
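
The default described in the issue above, together with the warnings it asks for, as an added example that is not code from next-auth or from the issue author. The function names, warning codes and the stand-in adapter and provider objects are hypothetical.

```javascript
// Added example: hypothetical helpers, not part of next-auth.

// Mirrors the documented default: an explicit session.strategy wins;
// otherwise the presence of an adapter switches the default to "database".
function effectiveSessionStrategy(options) {
  const explicit = options.session && options.session.strategy;
  if (explicit) return explicit;
  return options.adapter ? "database" : "jwt";
}

// Returns the warnings suggested in the issue for a given configuration.
function middlewareWarnings(options, usesMiddleware) {
  const warnings = [];
  if (!usesMiddleware) return warnings;
  const explicit = Boolean(options.session && options.session.strategy);
  if (effectiveSessionStrategy(options) === "database") {
    // Suggestion 2: middleware together with database sessions.
    warnings.push("MIDDLEWARE_NEEDS_JWT");
    // Suggestion 3: the strategy was never chosen, it was defaulted.
    if (options.adapter && !explicit) {
      warnings.push("STRATEGY_DEFAULTED_TO_DATABASE");
    }
  }
  return warnings;
}

// Constructed stand-ins for the adapter and the Email provider.
const adapter = { name: "constructed-adapter" };
const providers = [{ id: "email", type: "email" }];

// Configuration as described in the issue: adapter set, no session option.
const implicitConfig = { adapter, providers };
// Configuration after the fix: adapter kept, jwt sessions set explicitly.
const fixedConfig = { adapter, providers, session: { strategy: "jwt" } };

console.log(effectiveSessionStrategy(implicitConfig),
  middlewareWarnings(implicitConfig, true));
console.log(effectiveSessionStrategy(fixedConfig),
  middlewareWarnings(fixedConfig, true));
```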
Member

balazsorban44 commented Jul 11, 2022

This is documented under https://next-auth.js.org/configuration/nextjs#caveats. We are aware. Until a good Edge-first database solution comes and #4299 and #4769 aren't merged, we don't have a good path supporting the E-mail provider together with Middleware.

Author

ardeaf commented Jul 11, 2022

I'm aware it's documented and that there is no support for Edge-first database solutions. I made the issue to point out that more clarity in documentation under either the email provider or middleware set up documentation would help a lot with usability.

Specifically, noting in either of those sections that having an adapter specified automatically switches the session strategy to database.

As it is right now, by going through the email provider set up and the middleware set up, the developer does not encounter anything that lets them know the session strategy gets changed by default to an unusable method. I feel like if there are examples or tutorials in the docs, they should be able to produce a working app, and some clarity as mentioned above would help with that.

ilijaNL commented Jul 30, 2022

I think an additional option should be added to next-auth, where there is the possibility to create a stateless verification email which does not require any datastore. This can be done by creating a jwt as token, validating the token (jwt) and comparing the email which is stored inside the token.
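
A sketch of the stateless token proposed in the comment above, as an added example that is not next-auth code or an existing next-auth option. The function names, the HS256 choice and the lowercase email normalization are assumptions of this example.

```javascript
// Added example: hypothetical helpers, not a next-auth API.
const crypto = require("node:crypto");

const b64url = (value) => Buffer.from(value).toString("base64url");
const hmac = (data, secret) =>
  crypto.createHmac("sha256", secret).update(data).digest();

// Issues a compact HS256 JWT that carries the email and an expiry.
function signEmailToken(email, secret, ttlSeconds, nowMs = Date.now()) {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({
    email: String(email).trim().toLowerCase(), // assumption: normalized form
    exp: Math.floor(nowMs / 1000) + ttlSeconds,
  }));
  const sig = hmac(`${header}.${payload}`, secret).toString("base64url");
  return `${header}.${payload}.${sig}`;
}

// Validates signature, algorithm and expiry, then compares the email.
function verifyEmailToken(token, email, secret, nowMs = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return false;
  const [header, payload, sig] = parts;
  const expected = hmac(`${header}.${payload}`, secret);
  const given = Buffer.from(sig, "base64url");
  // Constant-time comparison; lengths must match before timingSafeEqual.
  if (given.length !== expected.length) return false;
  if (!crypto.timingSafeEqual(given, expected)) return false;
  let claims;
  try {
    const head = JSON.parse(Buffer.from(header, "base64url").toString());
    if (head.alg !== "HS256") return false; // pin the algorithm
    claims = JSON.parse(Buffer.from(payload, "base64url").toString());
  } catch {
    return false;
  }
  if (typeof claims.exp !== "number") return false;
  if (claims.exp <= Math.floor(nowMs / 1000)) return false;
  return claims.email === String(email).trim().toLowerCase();
}
```

With no datastore there is nothing to mark a token as used, so a token like this stays valid until `exp`; a short lifetime is the only limit on reuse.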
