nextauthjs · AlexErrant · Apr 13, 2023 · AlexErrant · Apr 13, 2023 · AlexErrant
@@ -27,7 +27,7 @@ export async function signIn<
   options?: SignInOptions,
   authorizationParams?: SignInAuthorizationParams
 ) {
-  const { callbackUrl = window.location.href, redirect = true } = options ?? {}
+  const { callbackUrl = window.location.href, redirect = true, signinInfo } = options ?? {}
 
   // TODO: Support custom providers
   const isCredentials = providerId === "credentials"
@@ -58,6 +58,7 @@ export async function signIn<
       ...options,
       csrfToken,
       callbackUrl,
+      signinInfo: signinInfo === undefined ? undefined : encodeURIComponent(signinInfo)
     }),
   })
 

@@ -23,6 +23,10 @@ export interface SignInOptions extends Record<string, unknown> {
   callbackUrl?: string
   /** [Documentation](https://next-auth.js.org/getting-started/client#using-the-redirect-false-option) */
   redirect?: boolean
+  /**
+   * Information that will be passed to the `signIn` callback, the `createUser` adapter function, and the `createUser` event.
+   */
+  signinInfo?: string
 }
 export interface SignInResponse {
   error: string | undefined

@@ -140,7 +140,7 @@ The signatures for the callback methods now look like this:
 
 ```diff
 - signIn(user, account, profileOrEmailOrCredentials)
-+ signIn({ user, account, profile, email, credentials })
++ signIn({ user, account, profile, email, credentials, signinInfo })
 ```
 
 ```diff

@@ -12,9 +12,9 @@ If you want to pass data such as an Access Token or User ID to the browser when
 
 You can specify a handler for any of the callbacks below.
 
-```js title="pages/api/auth/[...nextauth].js"s
+```js title="pages/api/auth/[...nextauth].js"
   callbacks: {
-    async signIn({ user, account, profile, email, credentials }) {
+    async signIn({ user, account, profile, email, credentials, signinInfo }) {
       return true
     },
     async redirect({ url, baseUrl }) {
@@ -37,7 +37,7 @@ Use the `signIn()` callback to control if a user is allowed to sign in.
 
 ```js title="pages/api/auth/[...nextauth].js"
 callbacks: {
-  async signIn({ user, account, profile, email, credentials }) {
+  async signIn({ user, account, profile, email, credentials, signinInfo }) {
     const isAllowedToSignIn = true
     if (isAllowedToSignIn) {
       return true

@@ -36,7 +36,7 @@ The message object will contain one of these depending on if you use JWT or data
 
 Sent when the adapter is told to create a new user.
 
-The message object will contain the user.
+The message object will contain the user and `signinInfo`.
 
 ### updateUser
 

@@ -5,3 +5,14 @@ title: Client
 :::warning WIP
 `@auth/nextjs/client` is work in progress. For now, please use [NextAuth.js Client API](https://next-auth.js.org/getting-started/client).
 :::
+
+### Using the `signinInfo` option
+
+A string may be passed to the `signinInfo` parameter of the client's `signIn()` method. That string will be available in the `signIn` callback, the `createUser` adapter function, and the `createUser` event. This may be helpful in determining if a user can login (e.g. users must enter an invitation code or beta key) or in creating a user (e.g. the primary key is a user-supplied "DisplayName" - you'll likely need to write your own adapter).
+
+`signinInfo` must be a string. You are in charge of de/serialization.
+
+Example usage:
+
+- `signIn("google", { signinInfo: "Bill Johnson" })`
+
@@ -10,6 +10,16 @@ signIn()
 signIn("provider") // example: signIn("github")
 ```
 
+### Using the `signinInfo` option
+
+A string may be passed to the `signinInfo` parameter of the client's `signIn()` method. That string will be available in the `signIn` callback, the `createUser` adapter function, and the `createUser` event. This may be helpful in determining if a user can login (e.g. users must enter an invitation code or beta key) or in creating a user (e.g. the primary key is a user-supplied "DisplayName" - you'll likely need to write your own adapter).
+
+`signinInfo` must be a string. You are in charge of de/serialization.
+
+Example usage:
+
+- `signIn("google", { signinInfo: "Bill Johnson" })`
+
 ## Signing out
 
 ```ts

@@ -116,7 +116,7 @@
  */
 
 import { ProviderType } from "./providers/index.js"
-import type { Account, Awaitable, User } from "./types.js"
+import type { Account, Awaitable, SigninInfo, User } from "./types.js"
 // TODO: Discuss if we should expose methods to serialize and deserialize
 // the data? Many adapters share this logic, so it could be useful to
 // have a common implementation.
@@ -216,7 +216,7 @@ export interface VerificationToken {
  * :::
  */
 export interface Adapter {
-  createUser?(user: Omit<AdapterUser, "id">): Awaitable<AdapterUser>
+  createUser?(user: Omit<AdapterUser, "id">, info?: { signinInfo?: SigninInfo }): Awaitable<AdapterUser>
   getUser?(id: string): Awaitable<AdapterUser | null>
   getUserByEmail?(email: string): Awaitable<AdapterUser | null>
   /** Using the provider id and the id of the user for a specific account, get the user. */

@@ -6,7 +6,7 @@ import type {
   AdapterSession,
   AdapterUser,
 } from "../adapters.js"
-import type { Account, InternalOptions, User } from "../types.js"
+import type { Account, SigninInfo, InternalOptions, User } from "../types.js"
 import type { JWT } from "../jwt.js"
 import type { OAuthConfig } from "../providers/index.js"
 import type { SessionToken } from "./cookie.js"
@@ -27,7 +27,8 @@ export async function handleLogin(
   sessionToken: SessionToken,
   _profile: User | AdapterUser | { email: string },
   _account: AdapterAccount | Account | null,
-  options: InternalOptions
+  options: InternalOptions,
+  signinInfo: SigninInfo | undefined
 ) {
   // Input validation
   if (!_account?.providerAccountId || !_account.type)
@@ -107,8 +108,8 @@ export async function handleLogin(
     } else {
       const { id: _, ...newUser } = { ...profile, emailVerified: new Date() }
       // Create user account if there isn't one for the email address already
-      user = await createUser(newUser)
-      await events.createUser?.({ user })
+      user = await createUser(newUser, { signinInfo })
+      await events.createUser?.({ user, signinInfo })
       isNewUser = true
     }
 
@@ -211,9 +212,9 @@ export async function handleLogin(
         // create a new account for the user, link it to the OAuth account and
         // create a new session for them so they are signed in with it.
         const { id: _, ...newUser } = { ...profile, emailVerified: null }
-        user = await createUser(newUser)
+        user = await createUser(newUser, { signinInfo })
       }
-      await events.createUser?.({ user })
+      await events.createUser?.({ user, signinInfo })
 
       await linkAccount({ ...account, userId: user.id })
       await events.linkAccount?.({ user, account, profile })

@@ -103,6 +103,15 @@ export function defaultCookies(useSecureCookies: boolean): CookiesOptions {
         maxAge: 60 * 15, // 15 minutes in seconds
       },
     },
+    signinInfo: {
+      name: `${cookiePrefix}next-auth.signin-info`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure: useSecureCookies,
+      },
+    },
     nonce: {
       name: `${cookiePrefix}next-auth.nonce`,
       options: {

@@ -11,6 +11,8 @@ import type {
   ResponseInternal,
 } from "../types.js"
 
+const SIGNIN_INFO_MAX_AGE = 60 * 15 // 15 minutes in seconds
+
 /** @internal */
 export async function AuthInternal<
   Body extends string | Record<string, any> | any[]
@@ -139,6 +141,18 @@ export async function AuthInternal<
   } else {
     switch (action) {
       case "signin":
+        if (request.body?.signinInfo !== undefined) {
+          const expires = new Date()
+          expires.setTime(expires.getTime() + SIGNIN_INFO_MAX_AGE * 1000)
+          cookies.push({
+            name: options.cookies.signinInfo.name,
+            value: request.body.signinInfo,
+            options: {
+              ...options.cookies.signinInfo.options,
+              expires,
+            },
+          })
+        }
         if ((csrfDisabled || options.csrfTokenVerified) && options.provider) {
           const signin = await routes.signin(
             request.query,

@@ -10,6 +10,7 @@ import type {
   ResponseInternal,
   InternalOptions,
   Account,
+  SigninInfo,
 } from "../../types.js"
 import type { Cookie, SessionStore } from "../cookie.js"
 
@@ -41,6 +42,20 @@ export async function callback(params: {
 
   const useJwtSession = sessionStrategy === "jwt"
 
+  let signinInfo: undefined | SigninInfo = undefined
+  const encodedSigninInfo = params.cookies?.[options.cookies.signinInfo.name]
+  if (encodedSigninInfo !== undefined) {
+    signinInfo = decodeURIComponent(encodedSigninInfo)
+    // clear signinInfo cookie
+    cookies.push({
+      name: options.cookies.signinInfo.name,
+      value: "",
+      options: {
+        ...options.cookies.signinInfo.options,
+        maxAge: 0,
+      },
+    })
+  }
   try {
     if (provider.type === "oauth" || provider.type === "oidc") {
       const authorizationResult = await handleOAuth(
@@ -82,7 +97,7 @@ export async function callback(params: {
       }
 
       const unauthorizedOrError = await handleAuthorized(
-        { user: userOrProfile, account, profile: OAuthProfile },
+        { user: userOrProfile, account, profile: OAuthProfile, signinInfo },
         options
       )
 
@@ -93,7 +108,8 @@ export async function callback(params: {
         sessionStore.value,
         profile,
         account,
-        options
+        options,
+        signinInfo
       )
 
       if (useJwtSession) {
@@ -194,7 +210,7 @@ export async function callback(params: {
 
       // Check if user is allowed to sign in
       const unauthorizedOrError = await handleAuthorized(
-        { user, account },
+        { user, account, signinInfo },
         options
       )
 
@@ -205,7 +221,7 @@ export async function callback(params: {
         user: loggedInUser,
         session,
         isNewUser,
-      } = await handleLogin(sessionStore.value, user, account, options)
+      } = await handleLogin(sessionStore.value, user, account, options, signinInfo)
 
       if (useJwtSession) {
         const defaultToken = {
@@ -288,15 +304,14 @@ export async function callback(params: {
         }
       }
 
-      /** @type {import("src").Account} */
-      const account = {
+      const account: Account = {
         providerAccountId: user.id,
-        type: "credentials",
+        type: "credentials" as const,
         provider: provider.id,
       }
 
       const unauthorizedOrError = await handleAuthorized(
-        { user, account, credentials },
+        { user, account, credentials, signinInfo },
         options
       )
 
@@ -312,7 +327,6 @@ export async function callback(params: {
       const token = await callbacks.jwt({
         token: defaultToken,
         user,
-        // @ts-expect-error
         account,
         isNewUser: false,
       })
@@ -335,7 +349,6 @@ export async function callback(params: {
         cookies.push(...sessionCookies)
       }
 
-      // @ts-expect-error
       await events.signIn?.({ user, account })
 
       return { redirect: callbackUrl, cookies }

@@ -2,7 +2,7 @@ import { AuthorizedCallbackError } from "../../errors.js"
 import { InternalOptions } from "../../types.js"
 
 export async function handleAuthorized(
-  params: any,
+  params: Parameters<InternalOptions["callbacks"]["signIn"]>[0],
   { url, logger, callbacks: { signIn } }: InternalOptions
 ) {
   try {

@@ -41,8 +41,9 @@ export async function signin(
         provider: provider.id,
       }
 
+      const signinInfo = body?.signinInfo === undefined ? undefined : decodeURIComponent(body.signinInfo)
       const unauthorizedOrError = await handleAuthorized(
-        { user, account, email: { verificationRequest: true } },
+        { user, account, email: { verificationRequest: true }, signinInfo },
         options
       )
 

@@ -163,6 +163,8 @@ export interface CallbacksOptions<P = Profile, A = Account> {
     }
     /** If Credentials provider is used, it contains the user credentials */
     credentials?: Record<string, CredentialInput>
+    /** Info from the client's `signIn()` function. */
+    signinInfo?: SigninInfo
   }) => Awaitable<boolean>
   /**
    * This callback is called anytime the user is redirected to a callback URL (e.g. on signin or signout).
@@ -237,9 +239,12 @@ export interface CookiesOptions {
   csrfToken: CookieOption
   pkceCodeVerifier: CookieOption
   state: CookieOption
+  signinInfo: CookieOption
   nonce: CookieOption
 }
 
+export type SigninInfo = string
+
 /**
  *  The various event callbacks you can register for from next-auth
  *
@@ -269,7 +274,7 @@ export interface EventCallbacks {
       | { session: Awaited<ReturnType<Required<Adapter>["deleteSession"]>> }
       | { token: Awaited<ReturnType<JWTOptions["decode"]>> }
   ) => Awaitable<void>
-  createUser: (message: { user: User }) => Awaitable<void>
+  createUser: (message: { user: User, signinInfo?: SigninInfo }) => Awaitable<void>
   updateUser: (message: { user: User }) => Awaitable<void>
   linkAccount: (message: {
     user: User | AdapterUser

@@ -27,7 +27,7 @@ export async function signIn<
   options?: SignInOptions,
   authorizationParams?: SignInAuthorizationParams
 ) {
-  const { callbackUrl = window.location.href, redirect = true } = options ?? {}
+  const { callbackUrl = window.location.href, redirect = true, signinInfo } = options ?? {}
 
   // TODO: Support custom providers
   const isCredentials = providerId === "credentials"
@@ -56,6 +56,7 @@ export async function signIn<
       ...options,
       csrfToken,
       callbackUrl,
+      signinInfo: signinInfo === undefined ? undefined : encodeURIComponent(signinInfo)
     }),
   })
 

@@ -27,7 +27,7 @@ export async function signIn<
   options?: SignInOptions,
   authorizationParams?: SignInAuthorizationParams
 ) {
-  const { callbackUrl = window.location.href, redirect = true } = options ?? {}
+  const { callbackUrl = window.location.href, redirect = true, signinInfo } = options ?? {}
 
   // TODO: Support custom providers
   const isCredentials = providerId === "credentials"
@@ -57,6 +57,7 @@ export async function signIn<
       ...options,
       csrfToken,
       callbackUrl,
+      signinInfo: signinInfo === undefined ? undefined : encodeURIComponent(signinInfo)
     }),
   })