
next-auth's Introduction


Authentication for the Web.

Open Source. Full Stack. Own Your Data.


Auth.js is a set of open-source packages that are built on Web Standard APIs for authentication in modern applications with any framework on any platform in any JS runtime.

See for our framework-specific libraries, or check out for next-auth (Next.js).


Flexible and easy to use

  • Designed to work with any OAuth service; supports OAuth 2.0+ and OIDC
  • Built-in support for many popular sign-in services
  • Email/Passwordless authentication
  • Bring Your Database - or none! - stateless authentication with any backend (Active Directory, LDAP, etc.)
  • Runtime-agnostic, runs anywhere! (Vercel Edge Functions, Node.js, Serverless, etc.)

Own your data

Auth.js can be used with or without a database.

Secure by default

  • Promotes the use of passwordless sign-in mechanisms
  • Designed to be secure by default and encourage best practices for safeguarding user data
  • Uses Cross-Site Request Forgery (CSRF) Tokens on POST routes (sign in, sign out)
  • Default cookie policy aims for the most restrictive policy appropriate for each cookie
  • When JSON Web Tokens are used, they are encrypted by default (JWE) with A256GCM
  • Features tab/window syncing and session polling to support short-lived sessions
  • Attempts to implement the latest guidance published by Open Web Application Security Project

Advanced configuration lets you define your own routines for controlling which accounts are allowed to sign in, for encoding and decoding JSON Web Tokens, and for setting custom cookie security policies and session properties, so you control who can sign in and how often sessions have to be re-validated.


Auth.js libraries are written with type safety in mind. Check out the docs for more information.


If you think you have found a vulnerability (or are not sure) in Auth.js or any of the related packages (i.e. Adapters), we ask you to read our Security Policy to reach out responsibly. Please do not open Pull Requests/Issues/Discussions before consulting with us.


Auth.js is made possible thanks to all of its contributors.


We have an OpenCollective for individuals and companies looking to contribute financially to the project!

  • Vercel - 🥉 Bronze Financial Sponsor, ☁️ Infrastructure Support
  • Prisma - 🥉 Bronze Financial Sponsor
  • Clerk - 🥉 Bronze Financial Sponsor
  • Lowdefy - 🥉 Bronze Financial Sponsor
  • WorkOS - 🥉 Bronze Financial Sponsor
  • Descope - 🥉 Bronze Financial Sponsor
  • Checkly - ☁️ Infrastructure Support
  • superblog - ☁️ Infrastructure Support


We're open to all community contributions! If you'd like to contribute in any way, please first read our Contributing Guide.



next-auth's People


actions-user, arvindell, azeek21, balazsorban44, benjaminwfox, boredland, csbok, dependabot[bot], francisudeji, fumler, geraldnolan, iaincollins, jeffersonbledsoe, jibingeo, jschlesser, khuezy, kripod, lluia, lorikarikari, lukel97, mahieyin-rahmun, ndom91, orjdev, panva, reconbot, sabarivig, sponte, thanghuuvu, typedashutosh, wobsoriano



next-auth's Issues

why provider returns only static attributes such as id,name,email?


As the title says, it's not obvious why I can't set the attributes that are returned from the "getProfile" function in the "next-auth.providers.js" file.

It's very limiting; what if I want the user's profile pic and extra info?
In my Twitter provider I set the return object to have extra fields I am interested in, but they never get to the "...this.props.session.user" prop.

how can this be resolved?

thank you!

WP Rest API as Provider

Is it possible to add wordpress rest api as provider?

Instead of MongoDB I'd like to use WP. I have a project where I get the user data, but I want to make the auth persistent.

Prevent creation of extra sessions in development mode

In development mode - I think due to the hot reloading code - extra sessions are created in the session database being used, because Next.js makes page request without cookies to URLs under /_next (so Express Session interprets this as a new user, and creates a new session for them).

I think we can fix this by adding something like this before the Express Session is added:

  // Let Next.js serve its own assets before Express Session sees the request
  expressApp.all('/_next/*', (req, res) => {
    let nextRequestHandler = nextApp.getRequestHandler()
    return nextRequestHandler(req, res)
  })

Internet Explorer 11 support?

There has been a report of incompatibility with the NextAuth Client and Microsoft Internet Explorer 11.

Note: There are no reports of issues with Microsoft Edge, this issue relates only to the legacy browser Microsoft Internet Explorer.

This issue is currently unconfirmed and has not been replicated / confirmed. It used to work in Microsoft Internet Explorer but there may have been breaking changes at some point.

Since the original issue was raised, there have been further updates to next-auth and webpack (which has had an update addressing an issue in an upstream package that seems to relate directly to this issue) and also changes to how NextAuth Client is bundled.

The demo at should always run the latest version and be a useful reference to confirm if there is still an issue with next-auth and Internet Explorer 11 or not.

Both feedback and pull requests are welcome.

Note: If it is (as reported) an issue with webpack it may further the case for moving to Rollup instead of webpack - recent versions of webpack are already causing problems for universal libraries like the NextAuth Client.

Not able to set (override) callbackURL from outside

callbackURL is derived like this and not allowing set using StrategyOptions from outside.

serverUrl = null // assigned earlier
strategyOptions.callbackURL = (serverUrl || '') + `${pathPrefix}/oauth/${providerName.toLowerCase()}/callback`

Please check callbackUrl in strategyOptions if it's already set, leave it untouched to allow overriding from outside.

Add extra step for token verification in email authentication

This is more of a feature request than an issue. If we don't mind the possibility of automatic sign-ins, I would like to use a reCAPTCHA to prevent this.
One way could be, instead of checking the token right away after the user clicks the link in the email, to forward to a page where a reCAPTCHA could verify it's not a bot and then perform the token check via AJAX. I assume the reCAPTCHA validation is only needed for the email authentication, not for the identity providers; this way only the email authentication flow gets validated by reCAPTCHA.
This page could also set the token in localStorage, triggering the 'storage' event and letting the other open tab know the user is now logged in and sync.
(Sorry if the last part is unrelated; I think this package is amazing, thanks btw)

Add support for updating AccessTokens

Add a method which auto-updates AccessTokens for APIs which support rotating tokens (like Google) automatically, whenever the current AccessToken expires.

This would be useful for anyone who wants to make API calls as a user once they have signed in with an oAuth service.

I already have handlers to do this, I just need to import them into the project.

Twitter accessTokenSecret

Is it possible to return client Twitter accessTokenSecret with accessToken on authentication? If not are you able to suggest a method to get accessTokenSecret

Remove dependency on cookie-parser

As of Express Session 1.5 the cookie-parser middleware is no longer required.

We can drop it to remove a dependency and make configuration of sessions easier.

Add example to secure some urls

How should one go about securing some URLs? I'm guessing if one requires authentication, it means we want to protect against unauthenticated parties.

Ideally, when rendering server-side, if a url is protected it should be redirected to an auth page /auth, and when calling a protected api from browser, the server should return some error.

I would be happy to submit a PR for docs/code/whatever, just need some pointers.

Unable to login through passport strategy if local account exists.

Assume we have a local account for [email protected] email. All attempts to sign in using external identity providers (through a passport strategy) that have [email protected] as email in profile info are rejected because of this line:

It's probably reasonable (according to the comment before this line), but IMHO instead of just rejecting a successful sign-in in this case, it's better to redirect to another page with a prompt to enter the user's password to confirm the intent.

If it makes sense, I would try to prepare a PR to resolve it this way (or probably the other way you might suggest) since it's a blocker for me.


Is this code licensed the same as the Next.js Starter boilerplate (and how is that licensed—I posted the same question in its GitHub repo)?

Mongoose schema

Hi, instead of the mongodb package, I would like to use mongoose instead. I was wondering what would the mongoose schema be for the user model?

Update README to thank contributors

Reminder to update the README to thank recent PR contributors and to reflect the enhancements they have added to the next release (hopefully out this week).

Provide a generic interface for non-Next.js projects?

While the goal of this project is to make it easier to add authentication to Next.js projects, it could also be used with other React projects that don't use Next.js, as it doesn't use any Next.js-specific hooks under the hood.

Crucially, there would need to be an example of how to consume NextAuth.init() in whatever the equivalent of getInitialProps() is in the Server Side Rendering system being used.

If anyone would like to see this, suggestions and input are welcome.

Provide a simpler interface

While this library does a lot of heavy lifting, it's still complicated to follow as there are several instructions. It would be better if it provided common functionality with as little configuration out of the box as possible.

I might bundle built-in helpers for it, so it's easy to use with common OAuth providers and MongoDB out of the box, just by passing OAuth credentials for the providers and a MongoDB URI, so that no other configuration is required (but can still be specified if desired).

Proposals for NextAuth 2.0

Proposal for NextAuth 2.0

The following proposal is what is planned for NextAuth 2.0. Some of these features have already made it into 1.5. Others are in progress. It is an active work in progress but there is no fixed ETA yet.

Comments and feedback are welcome.

Updated 29 May, 2018.

Simpler Configuration

The core rationale for NextAuth 2.0 is to make it much simpler to use, so that instead of 3 configuration files all you will need to do is something like this:

const next = require('next')
const NextAuth = require('next-auth')

const nextApp = next({
  dir: '.',
  dev: (process.env.NODE_ENV === 'development')
})

// Next.js must be prepared before it can handle requests (this line was
// lost in extraction and is reconstructed here)
nextApp.prepare()
.then(() => {
  return NextAuth.load(nextApp, {
     serverUrl: process.env.SERVER_URL,
     port: process.env.PORT,
     functions: NextAuth.Functions(process.env.CONNECTION_STRING),
     sessions: NextAuth.Sessions(process.env.CONNECTION_STRING),
     email: {
       from: process.env.EMAIL_FROM,
       host: process.env.EMAIL_SERVER,
       port: process.env.EMAIL_PORT,
       username: process.env.EMAIL_USERNAME,
       password: process.env.EMAIL_PASSWORD
     },
     providers: {
       "Facebook": {
         provider: NextAuth.Facebook,
         id: process.env.FACEBOOK_ID,
         secret: process.env.FACEBOOK_SECRET
       },
       "Twitter": {
         provider: NextAuth.Twitter,
         id: process.env.TWITTER_ID,
         secret: process.env.TWITTER_SECRET
       }
     }
  })
})
.then(response => {
  console.log(`Ready on http://localhost:${response.port}`)
})
.catch(err => {
  console.log('An error occurred, unable to start the server', err)
})

It will include built-in support for at least MongoDB and MySQL and use the connection string to detect the database type (e.g. checking if it starts with mongodb:// or mysql://).

It will still be possible to define your own functions to integrate with another database. Having examples for both an SQL and NoSQL database should make it easy to create adapters for other databases.

New Features

Changes to Session Storage and CSRF Tokens

There are some changes to the way session storage will be handled:

  • The implementation of Cross Site Request Forgery tokens will switch to the Double Submit Cookie method, which does not require a server side session.

  • A session in a database will only be created for a user when they log in, to reduce database load; this also helps provide some protection against trivial Denial of Service attacks.

  • CSRF will be an option, and it will be possible to set it to null or to explicitly pass a method which can be used to disable it on white listed routes if required.

NextAuth Pages

  • Built in 'white labeled' pages for displaying a sign in dialog and linking/unlinking accounts.

  • Built in 'white labeled' pages for callbacks, error handling and email token messages.

These will be the defaults, but you will be able to specify your own URLs if you wish:

pages: {
  signin: "/signin",
  callback: "/callback",
  checkEmail: "/check-email",
  error: "/error"
}

NextAuth Components

We will also expose the components used to make these pages (e.g. <NextAuth.SignInButton/>, <NextAuth.SignOutButton/>), to make it easier to add them to a site.

Going further, a basic page will also be exported as NextAuth.React.Component to automatically add session data to every page if used in place of React.Component when declaring a page. It will otherwise work exactly like a React page in Next.js.


import React from 'react'
import { NextAuth } from 'next-auth'

export default class extends NextAuth.React.Component {
  render() {
    if (this.props.session) {
      // the user field names were lost in extraction; name/email are the
      // attributes this page describes the session user as carrying
      return (
        <p>You are logged in as { this.props.session.user.name || this.props.session.user.email }.</p>
      )
    } else {
      return (
        <p>You are not logged in.</p>
      )
    }
  }
}

These components will take options like <NextAuth.SignInButtons className="btn btn-primary"> to allow them to be easily styled. They will be simple HTML elements with perhaps (optional) JavaScript behaviour bound to them.

Built in Database support

  • Bundled strategies for both session and user databases - including as an in-memory DB, Mongo DB and MySQL.

  • It will still be possible to define your own methods for other session and database stores (and this will be easier than it is now - so it shouldn't matter which SQL or NoSQL DB you are using).

  • The session and user database stores will not have to be the same database or even the same type of database.

Internally, the functions might change to make this easier, so that instead of general purpose database methods like update() and insert() they might be named after actions such as createUser(), linkProvider(), unlinkProvider(), generateSigninToken(), etc.

This will mean slightly more functions will need to be defined than in 1.x, but they will be explicit in functionality so that they can be more single purpose and easier to adapt to different databases.

If the database type in the connection string is one of the supported types, it will load the appropriate config, connect (and check the table structure if it is an SQL database, creating tables and columns as required if they don't exist), then return a pre-configured strategy so it "just works" out of the box.

NextAuth will of course need to be updated to only start once the promises returned by NextAuth.Functions() and NextAuth.Sessions() have resolved.

  • Provider configuration will be much simpler for common providers.

We'd only bundle support for a few simple commonly used strategies - such as Facebook, Twitter and Google, but you'd still be able to define your own for any oAuth provider - the same way they are already configured for NextAuth.

Optional parameters for each Provider will include:

  • callback - A URL that can be defined for each provider; this has already been added to 1.x as a requested feature since this was written.
  • serialize - A function to normalize user objects from third party services.

Additionally, it will be easier to add support for password and/or two factor based authentication. Functionality for this has been added to 1.x but the support for this will improve.

Better NextAuth Email

  • Built in email templates.

I'd like to include nice looking HTML email templates for sending emails and bundle nodemailer.

This behaviour should of course still be able to be overridden as it is now.

Bundle NextAuthClient

I'd like to expose NextAuthClient directly in NextAuth (as NextAuth.Client) if this can be done simply and cleanly.

It will provide a simpler way to use NextAuth and ensure both can be updated easily and are always in sync.

NextAuth.Client is now already available in 1.x as it made sense to simplify how it was used and didn't require major changes client side.

The bundler for NextAuth.Client may change at some point, as there are some issues with newer webpack releases that mean it no longer generates isomorphic libraries that also run correctly in service workers (so for now we are not using the latest-and-greatest webpack to build it, as older versions work fine for universal apps), but even if we change it that shouldn't affect how it is used.

Rollup is one option and is much simpler, though it doesn't support Hot Module Replacement (HMR) and that might be a problem.

Internet Explorer is no longer supported [Edit: Fixed: it is now]

UPDATE: v1.11.0

I have wrangled babel and rollup and as of 1.11.0 NextAuth works in Internet Explorer again.

The information below is outdated.

The current release of NextAuth supports the latest browser from all major vendors, including Google, Microsoft, Apple and Mozilla.

The current release of NextAuth does not support Microsoft Internet Explorer, which was superseded by Microsoft Edge in 2015 (Edge being the default browser on Microsoft Windows).

See issue #31 for the history of this issue.

It is still possible to log in with NextAuth in Internet Explorer, thanks to falling back to server side rendering, but there is no client side support - and you will see it fail and generate a syntax error in the console if you are using Internet Explorer.

You can see what this looks like by visiting in Internet Explorer.

Note: If you intend to support Internet Explorer explicitly, you may want to provide a callback page that has specific CSS or HTML for Internet Explorer, as the browser will not be redirected automatically (you should not use a refresh without a browser conditional, or it will negatively impact other users).

It will probably not be resolved, as getting Internet Explorer to work at all with client-side rendering in recent releases of Next.js is somewhat of a hassle at this point (see vercel/next.js#1943), but pull requests to address the issue (e.g. an updated rollup.config.js or .babelrc with suitable config) are very welcome and will be accepted.

Add support for additional databases

The current example next-auth.functions.js works with Mongo and NeDB.

I'd like to add support for other databases, including SQL databases like MySQL/MariaDB and Postgres - as well as other NoSQL databases and alternate drivers such as Mongoose.

Example alternative configs are welcome.

Add Email and Password authentication example

Please add email and password based authentication example.
I am trying to authenticate using API in signIn() method and returning user object but it is not getting stored in local storage.
OAuth is working great.

next.js 7.0.2

I updated Next.js from 5 to 7 and callbacks from Google or email links are not working. Google sends me to the error page while the query is null, even though it is http://localhost:3000/auth/error?action=signin&type=oauth&service=Google. The email link shows just a blank page on http://localhost:3000/auth/callback?action=signin&service=email
Is it working with next 7?

Pass req object to sendSignInEmail function

The package allows for a custom function for sending the sign in email, but to create the email i also need access to the req.locale variable that is being set by a middleware based on the Accept-Language headers sent by the browser and the supported locales of the app.
Is there other way to accomplish this?

Mongoose: user.emailToken stays after sign in

If in next-auth.functions.js I pass a Model instance of Mongoose rather than an Object Collection instance of MongoClient, user.emailToken stays after signing in until the next email sign-in.

//  User.js
const mongoose = require('mongoose')

const UserSchema = new mongoose.Schema({
  _id          : mongoose.Schema.Types.ObjectId,
  pass         : String,
  name         : String,
  email        : String,
  google       : Object,
  admin        : Boolean,
  emailVerified: Boolean,
  emailToken   : String
})

mongoose.model('User', UserSchema)

//  next-auth.functions.js
const mongoose = require('mongoose')
const nodemailer = require('nodemailer')
const ObjectId = mongoose.Types.ObjectId

const User = mongoose.model('User')

// mail transport; the setup was lost in extraction and is reconstructed
// from the EMAIL_* variables used elsewhere on this page
const transporter = nodemailer.createTransport({
  host: process.env.EMAIL_SERVER,
  port: process.env.EMAIL_PORT,
  auth: { user: process.env.EMAIL_USERNAME, pass: process.env.EMAIL_PASSWORD }
})

module.exports = () => {
  return new Promise((resolve, reject) => {
    if (!User) return reject(new Error('\n  connection error'))
    resolve(User)
  }).then((User) => {
    return Promise.resolve({

      find: ({id, email, emailToken, provider} = {}) => {
        let query = {}

        if (id) {
          query = {_id: ObjectId(id)}
        } else if (email) {
          query = {email: email}
        } else if (emailToken) {
          query = {emailToken: emailToken}
        } else if (provider) {
          query = {[`${provider.name}.id`]: provider.id}
        }

        return new Promise((resolve, reject) => {
          User.findOne(query, (err, user) => {
            return err ? reject(err) : resolve(user)
          })
        })
      },

      insert: (user, oAuthProfile) => {
        return new Promise((resolve, reject) => {
          // Mongoose models expose create(), not the MongoClient insert()
          User.create(user, (err, response) => {
            if (err) return reject(err)
            if (!user._id && response._id) user._id = response._id
            return resolve(user)
          })
        })
      },

      update: (user, profile) => {
        return new Promise((resolve, reject) => {
          User.update({_id: ObjectId(user._id)}, user, {}, err => {
            // it passes user.emailToken after sign in
            return err ? reject(err) : resolve(user)
          })
        })
      },

      remove: (id) => {
        return new Promise((resolve, reject) => {
          User.remove({_id: ObjectId(id)}, (err) => {
            if (err) return reject(err)
            return resolve(true)
          })
        })
      },

      serialize: (user) => {
        if (user.id) {
          return Promise.resolve(user.id)
        } else if (user._id) {
          return Promise.resolve(user._id)
        } else {
          return Promise.reject(new Error("Unable to serialise user"))
        }
      },

      deserialize: (id) => {
        return new Promise((resolve, reject) => {
          User.findOne({_id: ObjectId(id)}, (err, user) => {
            if (err) return reject(err)
            if (!user) return resolve(null)

            return resolve({
              id           : user._id,
              name         : user.name,
              email        : user.email,
              emailVerified: user.emailVerified,
              admin        : user.admin || false
            })
          })
        })
      },

      sendSignInEmail: ({
        email = null,
        url = null
      } = {}) => {
        transporter.sendMail({
            to     : email,
            from   : process.env.EMAIL_FROM,
            subject: 'Sign in link',
            text   : `Use the link below to sign in:\n\n${url}\n\n`,
            html   : `<p>Use the link below to sign in:</p><p>${url}</p>`
          }, (err) => {
            if (err) {
              console.error('Error sending email to ' + email, err)
            }
          })
        if (process.env.NODE_ENV === 'development') {
          console.log('------>>>>> Generated sign in link ' + url + ' for ' + email)
        }
      }
    })
  })
}

Or am I wrong somewhere?

Undesirable 92KB Bundle Size Increase at v1.11.0

I'm experiencing a bundle size increase of 92KB after upgrading from v1.10.0 to v1.11.0.

I suspect this is due to the addition of Babel-Polyfill, which adds all of core-js and regenerator-runtime to the bundle.

Before upgrading my main.js bundle was 213KB, and after upgrading it is 305KB, an increase of 43%.

I am of the opinion that opting into polyfills for IE support should be done at the app level, rather than the library level. In my own case, I have next-auth as a dependency, and would rather not include the babel-polyfill code in my code's bundle, and also would rather not take on babel-polyfill, core-js, and regenerator-runtime as transitive dependencies. My app has no intention of supporting IE, and I'm trying to keep the bundle as small as possible, so I personally would rather not include these polyfills. I'm sure others would also take issue with the inclusion of these polyfills.

The change made in v1.11.0 makes it impossible to opt out of including these polyfills.

Would you kindly consider removing babel-polyfill as a dependency of this library, and instead encourage your users who need IE support to add it to their app's codebase instead? Thank you very much.

Allow using custom Passport LocalStrategy for local authentication

This is related to #9 as it is about doing local authentication, but it is about using a custom Passport LocalStrategy I have written. Is it possible to use Passport LocalStrategy with next-auth? I tried creating a provider and passing the strategy in the Strategy property, but that wouldn't work. I wonder if I am doing something wrong. Does it only work with OAuth providers?

module.exports = () => [{
  providerName: 'Local Login',
  providerOptions: {
    scope: ['profile', 'email']
  },
  Strategy: require('./passport/local-login'),
  strategyOptions: {},
  getProfile(profile) {
    // Normalize profile into one with {id, name, email} keys
    return {
      id: profile.id,
      name: profile.displayName,
      email: profile.emails[0].value
    }
  }
}]

Logout of Keycloak not working, session seems to be persisted. And having trouble debugging the logout flow

Hi @iaincollins, Firstly, great library. Thanks for the effort you put into it :)

I'm having a bit of trouble trying to figure out an issue. I know you're not affiliated with the keycloak-passport strategy that I'm using but I'm hoping your experience might be able to point me in the right direction.

My issue is related to the issue @garmeeh was having last week

I'd like to use as authentication on my project and I'm using your nextjs-starter examples to test the flow of login and log out. I'm also leveraging the keycloak-passport to handle the actions.

I've tested logging in and out using Google as an identity provider and it worked flawlessly so I'm doing something wrong with but I'm not sure what.

When I run your examples locally I can successfully log in using the keycloak-passport strategy but when I logout, the client side says I'm logged out and when I try to log in again using keycloak-passport I get the Unable to sign in page.

It seems to be logging out from the client side but the session seems to be persisted on the server side. When I hit my login page directly it redirects me to the account admin section on my keycloak instance so I'm definitely still logged in on the server.

I've tried to debug the logout flow to see if I can determine the problem but none of the console.log statements I placed in the handleSignOutSubmit() and signout() functions are firing.

I also opened an issue on the keycloak-passport library, which can be found here, in the hopes that someone can help me with this issue.

Any help with this issue would be greatly appreciated

Example for generic OAuth2?


After adding a generic passport-oauth2 provider in next-auth.providers.js, I'm running into this error on /auth/oauth/mycoolprovider:

TypeError: strategy.authenticate is not a function
    at attempt (/Users/joshkadis/Repos/themostlaps_v2/node_modules/passport/lib/middleware/authenticate.js:361:16)
    at authenticate (/Users/joshkadis/Repos/themostlaps_v2/node_modules/passport/lib/middleware/authenticate.js:362:7)
    at Layer.handle [as handle_request] (/Users/joshkadis/Repos/themostlaps_v2/node_modules/express/lib/router/layer.js:95:5)
    at next (/Users/joshkadis/Repos/themostlaps_v2/node_modules/express/lib/router/route.js:137:13)
# etc., etc...

It seems like Passport can't find the function registered for the named authentication strategy. Can you provide some documentation for this step from

Add a field to your User model (in 'index.js') with the name of the provider

Thanks for the rad library!

Add emailTokenExpires option to invalidate old tokens

Currently tokens are single use only, and change when a new token is requested, but old tokens do not expire.

They should be updated to expire email sign in links if not used in a reasonable time (e.g. after an hour), and they should be stored hashed with bcrypt.

It's undecided if this will be a feature that makes it into a future 1.x release or if it will wait till 2.0.

Bug: `sessionResave` default value should be `true`

Currently the default value for sessionResave is false. The default for this option should be true.

Having it set to false causes sessions to eventually expire after sessionMaxAge (which has a default of 7 days) instead of rotating (the expiry time being bumped every time the session is active).

Some people will prefer to be able to control this option so it should still be exposed, but the default should be to automatically rotate sessions once active.

A fix will be coming this week. To work around this for now, just specify sessionResave : true in the options in next-auth.config.js.

Password authentication

I'd like to use Next.js Starter to use email & password-based authentication. It seems next-auth takes care of this now as it adds the /email/signin route.
Is it possible to add a way to supply a username and password validation function to next-auth (that I can connect to MongoDB inside of)?

Something else to consider is using bcrypt to generate password hashes. I don't need this now since I will not be doing user registration (only login), but I might need it later on for other projects.

Incorrect cookie options passed to Express Session

The following values should be set on the Express Session cookie option:

cookie: {
  httpOnly: true,
  secure: true
}

Currently it's set incorrectly:

    secret: sessionSecret,
    store: sessionStore,
    resave: false,
    rolling: true,
    saveUninitialized: false,
    httpOnly: true,
    cookie: {
      maxAge: sessionMaxAge
    }

The documentation says that httpOnly is true by default in Express session, which is why it works as intended, even though the httpOnly option is specified in the wrong place.

I'd like to flip cookies to secure (HTTPS only) by default, though the secure option should still default to false for development and I need to figure out the best way to handle it. I might just expose it as an option for anyone that really wants to, but if not specified set it to 'true' if NODE_ENV=production (otherwise, leave it off).
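Added example, not next-auth's own code: an audit of an express-session options object for the misplacement described in this issue, beside a helper that moves `httpOnly` into `cookie` and defaults `secure` to true when `NODE_ENV=production` unless the caller overrides it. The `misconfigured` object is constructed to mirror the snippet above; `auditSessionOptions` and `withHardenedCookie` are hypothetical names, and the secret and store are placeholders.

```javascript
// Constructed to mirror the misconfiguration quoted in the issue:
// httpOnly sits at the top level, where express-session ignores it,
// and cookie.secure is never set.
const sessionSecret = 'example-secret'  // placeholder value
const sessionStore = {}                  // stand-in for a real session store
const sessionMaxAge = 7 * 24 * 60 * 60 * 1000

const misconfigured = {
  secret: sessionSecret,
  store: sessionStore,
  resave: false,
  rolling: true,
  saveUninitialized: false,
  httpOnly: true,
  cookie: {
    maxAge: sessionMaxAge
  }
}

// Report cookie-hardening problems in an express-session options object.
function auditSessionOptions(options) {
  const problems = []
  const cookie = options.cookie || {}
  if ('httpOnly' in options) {
    problems.push('httpOnly is set at the top level; only cookie.httpOnly takes effect')
  }
  if (cookie.httpOnly === false) {
    problems.push('cookie.httpOnly is false, so page scripts can read the session cookie')
  }
  if (cookie.secure !== true) {
    problems.push('cookie.secure is not true, so the cookie may be sent over plain HTTP')
  }
  return problems
}

// Drop any misplaced top-level httpOnly, force cookie.httpOnly on, and
// default cookie.secure to true in production unless explicitly overridden.
function withHardenedCookie(options, { nodeEnv = process.env.NODE_ENV, secure } = {}) {
  const { httpOnly: _ignored, cookie = {}, ...rest } = options
  return {
    ...rest,
    cookie: {
      ...cookie,
      httpOnly: true,
      secure: secure !== undefined ? secure : nodeEnv === 'production'
    }
  }
}
```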

Update example in Using NextAuth with Express and Custom Routes

I tried using the first example from the Using NextAuth with Express and Custom Routes wiki, but I noticed that it wasn't working properly. After taking a look at the source, I realized there was a change that affects how this example should work.

Please see the proposed update below:

diff --git a/ b/
index b94f233..2371b39 100644
--- a/
+++ b/
@@ -29,21 +29,21 @@ nextApp

   return nextAuth(nextApp, nextAuthOptions)
-.then( => {
+.then(nextAuthApp => {

   // Get instance of Express from NextAuth instance
-  const express =
+  const expressApp = nextAuthApp.expressApp

   // Configure additional routes here
-  express.use("/api/v1/users", () => {})
+  expressApp.use("/api/v1/users", () => {})

   // Default catch-all handler to allow Next.js to handle all other routes
-  express.all('*', (req, res) => {
+  expressApp.all('*', (req, res) => {
     let nextRequestHandler = nextApp.getRequestHandler()
     return nextRequestHandler(req, res)

-  express.listen(process.env.PORT, err => {
+  expressApp.listen(process.env.PORT, err => {
     if (err) throw err
     console.log('> Ready on http://localhost:' + process.env.PORT)
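Review bot: the stub route `expressApp.use("/api/v1/users", () => {})` in this hunk registers a handler that neither sends a response nor calls `next()`, so any request to that path will hang rather than fall through to the Next.js catch-all; for a copy-paste example it is safer to show `(req, res) => res.json([])` or `(req, res, next) => next()`. The `.then(nextAuthApp => {` chain also has no `.catch`, so a rejected `nextAuth(...)` promise (e.g. a bad option) goes unreported; adding `.catch(err => { console.error(err); process.exit(1) })` after the `.then` would make startup failures visible.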

CSRF - add list of urls to exclude

I'm trying to handle some post callbacks from a 3rd party that are not sending CSRF. Is there any way to exclude some paths from these security checks? I found this at lusca (krakenjs/lusca#58), but I didn't find any way here how to use it.

Allow returning more explicit error text when sign in fails

We should try and return more detailed error information when sign in fails, perhaps by passing an additional query string parameter to the ./auth/error page with a detailed error.

We should allow the signIn() method to throw an Error object and serialise it in the query string.

The copy on the example oauth error page could probably use another pass as well, to see if it can be shorter. It should probably have an email sign in option on the page.

See #45 for details.

Testing log-in or sign-up with mocha / chai

Hi! I am making some tests using mocha and chai for the app that I am building using next-auth.
I have to make some tests for the API, as anon and as a logged user.
The method we are using is by sending the log-in token.

I would love to know how to get the log-in token so I can test my API as different users.
Are there any examples of how to test it properly?

Module not found: Error: Can't resolve fs after adding next-auth

Getting this error after adding the next-auth module to my Next.js app. I tried setting node fs to empty, but it led to other issues and the app completely stops working.
Enclosed the log below for your reference.

`D:\Code\link-api>npm run build

[email protected] build D:\Code\link-api
next build

Failed to build
{ Error: (client) ./node_modules/next-auth/node_modules/destroy/index.js
Module not found: Error: Can't resolve 'fs' in 'D:\Code\link-api\node_modules\next-auth\node_modules\destroy'
@ ./node_modules/next-auth/node_modules/destroy/index.js 14:17-30
@ ./node_modules/next-auth/node_modules/send/index.js
@ ./node_modules/next-auth/node_modules/express/lib/response.js
@ ./node_modules/next-auth/node_modules/express/lib/express.js
@ ./node_modules/next-auth/node_modules/express/index.js`


Support for server side NextAuth.signin()

Is there a way to perform signin & logout from the server side? NextAuth.signin()/logout() only work client side. Is there any workaround (i.e., intercepting the POST on /auth/signin)?

Typescript Types?

Are there any typescript typings or any plans to make them?

If not I might whip some up.

Trying to use with keycloak-passport

I have been trying to use next-auth with this keycloak-passport Strategy. (I did have to modify the strategy's name to be lowercase to be able to test it out)

I can log in no problem and it creates a session. Only problem is, getProfile() doesn't seem to fire at all so the session just contains the csrfSecret but no user. Keycloak recognises I'm already logged in when trying to log in.

Have been trying to debug through what could be happening but couldn't get to the bottom of it. Any direction on what might be the issue would be great. If I get it working would be happy to submit some documentation on it.

Add method for deleting an account

To promote the practice of providing an easy way for users to delete their accounts, which all sites should provide, NextAuth should provide a POST endpoint to allow users to delete their account.

Note: The example project currently includes a remove(id) method, but next-auth does not currently add a route that can be called to invoke it (e.g. /auth/delete).

Can't npm install example site

I tried an npm install on the example folder here and received a no such file or directory, rename on .staging\next-auth.... error
