Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add PKCE support #941

Merged
merged 12 commits into from
Jan 20, 2021
Merged

feat: add PKCE support #941

merged 12 commits into from
Jan 20, 2021

Conversation

balazsorban44
Copy link
Member

@balazsorban44 balazsorban44 commented Dec 9, 2020

What:

Adding support for Proof Key for Code Exchange by OAuth Public Clients

Why:

Many popular Identity Providers require us to support this flow: https://auth0.com/docs/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce

How:

A new option to providers:

  protection: "pkce"

If this value is found, next-auth will create a code_challenge - code_verifier pair, which then will respectively be passed to the OAuth2 /authorize and /token endpoints. The code_verifier is saved in a cookie before redirecting to /authorize, and then read and removed before calling the /token endpoint.

Checklist:

  • Documentation
  • Tests
  • Ready to be merged

NOTE: This is highly experimental, and not sure yet if creating a single challenge-verifier pair for the entire app is good/secure enough. I just wanted to have this some place, so I can start experimenting.

Closes #685, closes #502 (potentially others as well, please link to this issue, if you stumble upon other open, related issues.)

Useful sources:
YouTube: https://www.youtube.com/watch?v=Gtbm5Fut-j8
Spec: https://tools.ietf.org/html/rfc7636
Auth0 article: https://auth0.com/docs/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce

Maybe needed, if we need to create the code in the browser(?):
https://developer.mozilla.org/en-US/docs/Web/API/Crypto/subtle

@balazsorban44 balazsorban44 added the enhancement New feature or request label Dec 9, 2020
@vercel
Copy link

vercel bot commented Dec 9, 2020

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://vercel.com/nextauthjs/next-auth/rhd2arnzn
✅ Preview: https://next-auth-git-feature-pkce.nextauthjs.vercel.app

@balazsorban44 balazsorban44 changed the title feat: PKCE support feat: add PKCE support Dec 9, 2020
@balazsorban44 balazsorban44 self-assigned this Dec 9, 2020
@@ -217,6 +218,8 @@ async function NextAuth (req, res, userSuppliedOptions) {
redirect
}

const pkce = options.providers[provider]?.pkce ? pkceChallenge(64) : undefined
Copy link
Member Author

@balazsorban44 balazsorban44 Dec 9, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Length of 64 was arbitrarily chosen here. The requirement by the spec is 43-128 characters.

Also, this is created for the entire app, meaning this will be the same for all the users. This makes the whole feature much less complicated, but I am not sure if this brings any security issues. If I remember our chat earlier @iaincollins, you said that in theory, we wouldn't even need to care about PKCE. Am I right, or we should find a way to create this per user?

The problem is that in that case, the values must be saved somewhere, so the challenge and verifier can be passed to both /authorize and /token respectively

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In terms of saving the challenge and verifier, it could be saved in local storage (maybe session) to be cleaned up after a successful log in.

Copy link
Member Author

@balazsorban44 balazsorban44 Dec 15, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure we would like to store anything sensitive this way, cause it is perceptible with potentially malicious code on the client. If I understand it correctly, sessionStorage would be a better option in this cause, although I am still not sure it is good enough. Going to discuss it with @iaincollins hopefully this weekend, I hope he has some insights as well.

Maybe the way you describe it IS the way we have to go, we will see. Thanks for weighing in!

Copy link

@mikecabana mikecabana Dec 15, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No problem! I inspired myself from oidc-client-js which I'm currently using in a production spa. They use localStorage for the code_verifier and sessionStorage for the tokens.

Via the spec every new authorization flow should use a new code_verifier so this could be why they've opted to go this route. I'm not really sure either what kind of security concerns this method raises.

In any case I've set up a simple sample to generate the code_verifier and code_challenge in the browser. I don't think it's perfect but it can help to get you started. https://gist.github.com/mikecabana/9cae8b447afd2a36da5d38b94bfc2565

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In theory we wouldn't actually need PKCE to be secure I think, since our secrets are all server-side and never accessed by the client. So this is why I went with my implementation. Although there might be something important I leave out. We will have a talk about this soon.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@balazsorban44 FWIW for the record this is exactly my current understanding as well.

@vercel vercel bot temporarily deployed to Preview December 9, 2020 19:33 Inactive
@@ -50,11 +50,12 @@
"jwt-decode": "^2.2.0",
"nodemailer": "^6.4.16",
"oauth": "^0.9.15",
"pkce-challenge": "^2.1.0",
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can probably be removed and we can create our own, added to be able to get started a bit faster

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

openid-client has this built-in, we can utilize it when/if we finish #1105

package.json Outdated Show resolved Hide resolved
@balazsorban44
Copy link
Member Author

balazsorban44 commented Jan 5, 2021

https://stackoverflow.com/a/56873098/5364135 it might just be OK to consider our server app as one single client, and we don't need to generate separate challenges for each user.

(or I am misunderstanding something).

@vercel vercel bot temporarily deployed to Preview January 19, 2021 16:57 Inactive
@balazsorban44
Copy link
Member Author

balazsorban44 commented Jan 19, 2021

Added some changes. The code_verifier is now saved in a cookie, to be able to create a verifier/challenge pair per user.

Also, the previous method wouldn't have worked anyway, because each invocation would have created a new verifier/challenge pair, and the signin flow would have failed.

This still needs some re-thinking, just sharing my implementation in hope that someone may come with a good solution.

The way I see it, we have 4 alternatives:

  1. generate a deterministic code_challenge/code_verifier at the start from the secret provided by the user, and save it in req.options
  2. generate a code_challenge/code_verifier from the secret provided by the user at signin and save it in a cookie (encrypted)
  3. generate a code_challenge/code_verifier from the secret provided by the user at signin and save it in state (encrypted)
  4. generate a code_challenge/code_verifier client-side, store the code_verifier in a cookie, and provide it to /api/auth/callback when needed

@balazsorban44 balazsorban44 added the hacktoberfest-help-needed The maintainer needs help due to time constraint/missing knowledge label Jan 19, 2021
@thulstrup
Copy link

@balazsorban44 The beta version of nextjs-auth0 supports PKCE. Maybe you can use that to validate your implementation?
https://github.com/auth0/nextjs-auth0/tree/beta

@balazsorban44
Copy link
Member Author

balazsorban44 commented Jan 19, 2021

Thanks! I'll definitely check!

I also checked the docs of openid-client which we might turn to later on (#1105)

and there they say this:

store the code_verifier in your framework's session mechanism, if it is a cookie based solution // it should be httpOnly (not readable by javascript) and encrypted.

So option 2 might be the best alternative.

@vercel vercel bot temporarily deployed to Preview January 19, 2021 21:58 Inactive
@github-actions github-actions bot added hacktoberfest-docs Relates to documentation providers labels Jan 19, 2021
@balazsorban44
Copy link
Member Author

balazsorban44 commented Jan 19, 2021

@thulstrup thanks again, your info was very useful! I went with option 2 (generate a code_challenge/code_verifier from the secret provided by the user at signin and save it in a cookie (encrypted)), as someone at nextjs-auth0 confirmed they also saved the code_verifier in an encrypted cookie.

What I am starting to settle on, that we should introduce a new Provider option called protection (maybe a better name?), that can take either pkce or state as a value. Current providers that support PKCE can use the features added in this PR, while providers only supporting state can use the already present features. If a Provider does not support either pkce or state, then no extra checks will be added in the login flow. (As far as I know, currently only the Apple provider is opted-out of thestate check)

I added Auth0 as an example to the dev application (start with npm run dev after adding the right env variables in .env.local), please test it out!

@vercel vercel bot temporarily deployed to Preview January 19, 2021 22:11 Inactive
@vercel vercel bot temporarily deployed to Preview January 19, 2021 22:12 Inactive
@vercel vercel bot temporarily deployed to Preview January 19, 2021 22:17 Inactive
@balazsorban44 balazsorban44 marked this pull request as ready for review January 20, 2021 08:44
@balazsorban44 balazsorban44 merged commit 536f0ad into canary Jan 20, 2021
@balazsorban44 balazsorban44 deleted the feature/pkce branch January 20, 2021 14:06
@github-actions
Copy link

🎉 This PR is included in version 3.2.0-canary.29 🎉

The release is available on:

Your semantic-release bot 📦🚀

@thulstrup
Copy link

@balazsorban44 That is awesome! I will test later today.

@thulstrup
Copy link

@balazsorban44 I had to fix one tiny error to get it working:
import logger from 'src/lib/logger' should be import logger from '../../lib/logger'

After that change I was able to log in using PKCE 🎉

@balazsorban44
Copy link
Member Author

balazsorban44 commented Jan 20, 2021

I see! Will fix immediately. Fixed, should be OK in the canary 30 release. Thanks!

balazsorban44 added a commit that referenced this pull request Feb 1, 2021
* chore(deps): upgrade dependencies

* chore(deps): add pkce-challenge

* feat(pkce): initial implementation of PCKE support

* chore: remove URLSearchParams

* chore(deps): upgrade lockfile

* refactor: store code_verifier in a cookie

* refactor: add pkce handlers

* docs: add PKCE documentation

* chore: remove unused param

* chore: revert unnecessary code change

* fix: correct variable names
@github-actions
Copy link

github-actions bot commented Feb 1, 2021

🎉 This PR is included in version 3.3.0-canary.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

balazsorban44 added a commit that referenced this pull request Feb 9, 2021
* feat: simplify NextAuth instantiation (#911)

* feat: allow react 17 as a peer dependency (#819)

Co-authored-by: Balázs Orbán <[email protected]>

* docs: update for Now to Vercel (#847)

Vercel archived their now packages a while back, so you can use vercel env pull to pull in the .env

* docs: fix discord example code (#850)

* docs: fix typo in callbacks.md (#815)

This is a simple typographical error changed accesed to accessed

* fix: update nodemailer version in response to CVE. (#860)

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7769 reports a high-severity issue with the current version of nodemailer. This should be merged and released right away if possible.

* fix: ensure Images are produced for discord (#734)

* fix: update Okta routes (#763)

the current routing for the Okta provider does not follow the standard
set by Okta, and as such doesn't allow for custom subdomains. this
update amends the routes to allow for customer subdomains, and also
aligns next-auth with Okta's documentation.

* fix(provider): handle no profile image for Spotify (#914)

* chore(deps): upgrade "standard"

* style(lint): run lint fix

* fix(provider): optional chain Spotify provider profile img

* Merge main into canary (#917)

* chore: use stale label, instead of wontfix

* chore: add link to issue explaining stalebot

* chore: fix typo in stalebot comment

* chore: run build GitHub Action on canary also

* chore: run build GitHub Actions on canary as well

* chore: add reproduction section to questions

* docs: Update default ports for support Databases (#839)

https://next-auth.js.org/configuration/databases

* Fix for Reddit Authentication (#866)

* Fixed Reddit Authentication

* updated fix for build test

* updated buffer to avoid deprecation message

* Updated for passing tests

* WIP: Update Docusaurus + Site dependencies (#802)

* update: deps

* fix: broken link

* fix: search upgrade change

* Include callbackUrl in newUser page (#790)

* Include callbackUrl in newUser page

* Update src/server/routes/callback.js

Co-authored-by: Iain Collins <[email protected]>

* Update src/server/routes/callback.js

Co-authored-by: Iain Collins <[email protected]>

Co-authored-by: Iain Collins <[email protected]>
Co-authored-by: Nico Domino <[email protected]>

* add(db): Add support for Fauna DB (#708)

* Add support for Fauna DB

* Add integration tests

Co-authored-by: Nico Domino <[email protected]>

* feat(provider): add netlify (#555)

Co-authored-by: styxlab <[email protected]>
Co-authored-by: Balázs Orbán <[email protected]>

* Bump next from 9.5.3 to 9.5.4 in /test/docker/app (#759)

Bumps [next](https://github.com/vercel/next.js) from 9.5.3 to 9.5.4.
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v9.5.3...v9.5.4)

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Nico Domino <[email protected]>

* feat(provider): Add Bungie (#589)

* Add Bungie provider

* Use absolute URL for images

* Correct image URL and use consistent formatting

Co-authored-by: Nico Domino <[email protected]>

* feat: add foursquare (#584)

* feat(provider): Add Azure Active Directory B2C (#921)

* add provider: Microsoft

* documentation

* support no tenant setup

* fix code style

* chore: rename Microsoft provider to AzureADB2C

* chore: alphabetical order in providers/index

* doc: add provider to FAQ

* update(provider): Update Slack provider to use V2 OAuth endpoints (#895)

* Update Slack to v2 authorize urls, option for additional authorize params
* acessTokenGetter + documentation

* refactor(db): update Prisma calls to support 2.12+ (#881)

Co-authored-by: Balázs Orbán <[email protected]>
Co-authored-by: Nico Domino <[email protected]>

* chore(dep): Bump highlight.js from 9.18.1 to 9.18.5 (#880)

Bumps [highlight.js](https://github.com/highlightjs/highlight.js) from 9.18.1 to 9.18.5.
- [Release notes](https://github.com/highlightjs/highlight.js/releases)
- [Changelog](https://github.com/highlightjs/highlight.js/blob/9.18.5/CHANGES.md)
- [Commits](highlightjs/highlight.js@9.18.1...9.18.5)

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Balázs Orbán <[email protected]>
Co-authored-by: Nico Domino <[email protected]>

* chore: disallow issues without template

* chore: add note about conveting questions to discussions

* chore: create PULL_REQUEST_TEMPLATE.md

* chore: reword PR template

* feat: Store user ID in sub claim of default JWT (#784)

This allows us to check if the user is signed in when using JWTs

Part of #625

* docs: fix incorrect references in cypress docs (#932)

* chore: use stale label, instead of wontfix

* chore: add link to issue explaining stalebot

* chore: fix typo in stalebot comment

* chore: run build GitHub Action on canary also

* chore: run build GitHub Actions on canary as well

* chore: add reproduction section to questions

* feat(provider): Add Azure Active Directory B2C (#809)

* add provider: Microsoft

* documentation

* support no tenant setup

* fix code style

* chore: rename Microsoft provider to AzureADB2C

* chore: alphabetical order in providers/index

* Revert "feat(provider): Add Azure Active Directory B2C (#809)" (#919)

This reverts commit 6e6a24a.

* chore: add myself to the contributors list 🙈

* docs: fix incorrect references in cypress docs

* chore: add additional docs clarification

Co-authored-by: Balázs Orbán <[email protected]>
Co-authored-by: Vladimir Evdokimov <[email protected]>

* feat: Display error if no [...nextauth].js found (#678)

* Display error if no [...nextauth].js found

fixes #647

* Log the error and describe it inside errors.md

Co-authored-by: Balázs Orbán <[email protected]>

* chore(deps): Bump ini from 1.3.5 to 1.3.8 in /www (#953)

Bumps [ini](https://github.com/isaacs/ini) from 1.3.5 to 1.3.8.
- [Release notes](https://github.com/isaacs/ini/releases)
- [Commits](npm/ini@v1.3.5...v1.3.8)

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs: fix typo Adapater -> Adapter (#960)

Co-authored-by: Balázs Orbán <[email protected]>
Co-authored-by: Vladimir Evdokimov <[email protected]>

* docs: We have twice the word "side" (#964)

* chore: use stale label, instead of wontfix

* chore: add link to issue explaining stalebot

* chore: fix typo in stalebot comment

* chore: run build GitHub Action on canary also

* chore: run build GitHub Actions on canary as well

* chore: add reproduction section to questions

* feat(provider): Add Azure Active Directory B2C (#809)

* add provider: Microsoft

* documentation

* support no tenant setup

* fix code style

* chore: rename Microsoft provider to AzureADB2C

* chore: alphabetical order in providers/index

* Revert "feat(provider): Add Azure Active Directory B2C (#809)" (#919)

This reverts commit 6e6a24a.

* chore: add myself to the contributors list 🙈

* We have twice the word "side"

Co-authored-by: Balázs Orbán <[email protected]>
Co-authored-by: Vladimir Evdokimov <[email protected]>

* docs: Correcting a typo. "available" Line 70 (#965)

* chore: use stale label, instead of wontfix

* chore: add link to issue explaining stalebot

* chore: fix typo in stalebot comment

* chore: run build GitHub Action on canary also

* chore: run build GitHub Actions on canary as well

* chore: add reproduction section to questions

* feat(provider): Add Azure Active Directory B2C (#809)

* add provider: Microsoft

* documentation

* support no tenant setup

* fix code style

* chore: rename Microsoft provider to AzureADB2C

* chore: alphabetical order in providers/index

* Revert "feat(provider): Add Azure Active Directory B2C (#809)" (#919)

This reverts commit 6e6a24a.

* chore: add myself to the contributors list 🙈

* Correcting a typo. "available" Line 70

Co-authored-by: Balázs Orbán <[email protected]>
Co-authored-by: Vladimir Evdokimov <[email protected]>

* chore: hide comments from pull request template

* Update README.md

Updated the readme to include the projects logo, fixed some typos, and added license info and contributor image.

* feat: add strava provider (#986)

* Add Strava as a provider

* Add documentation for Strava provider

* Fix lint errors

Co-authored-by: Paul Kenneth Kent <[email protected]>

* Update README.md

* Update README.md

* feat: add semantic-release (#920)

* chore(release): change semantic-release/git to semantic-release/github

* docs(database): add mssql indexes in docs, fix typos (#925)

* added mssql indexes in docs, fixed typo

* docs: fix typo in www/docs/schemas/mssql.md

Co-authored-by: Balázs Orbán <[email protected]>

* chore(release): delete old workflow

* chore(release): trigger release on docs type

* fix: treat user.id as optional param (#1010)

* fix(adapter): use findOne for typeorm (#1014)

* Change image to text from varchar (#777)

Co-authored-by: Nico Domino <[email protected]>

* feat(db): make Fauna DB collections & indexes configurable (#968)

* Add collections & indexes overrides for Fauna DB

* Fix the name of the verification token index

Co-authored-by: Florian Michaut <[email protected]>

* docs: Remove unnecessary promises (#915)

* feat: allow to return string in signIn callback (#1019)

* docs: small update to sign in/out examples (#1016)

* Update examples in client.md

* Update more examples

Co-authored-by: Balázs Orbán <[email protected]>

* docs: update contributing information [skip release] (#1011)

* docs: update CONTRIBUTING.md

* docs:  use db instead of database for more space

* docs: update CONTRIBUTING.md

* docs: update PR template

* docs: add note about skipping a release

* docs: fix typos in CONTRIBUTING.md [skip release]

* refactor: code base improvements (#959)

* chore: fix casing of OAuth

* refacotr: simplify default callbacks lib file

* refactor: use native URL instead of string concats

* refactor: move redirect to res.redirect, done to res.end

* refactor: move options to req

* refactor: improve IntelliSense, name all functions

* fix(lint): fix lint errors

* refactor: remove jwt-decode dependency

* refactor: refactor some callbacks to Promises

* revert: "refactor: use native URL instead of string concats"

Refs: 690c55b

* chore: misc changes

Co-authored-by: Balazs Orban <[email protected]>

* feat(provider): Add Mail.ru OAuth Service Provider and Callback snippet (#522)

* Update callback.js

- Fix Mail.ru bug (missing request parameter: access_token)

Note: setGetAccessTokenProfileUrl should be added to Mail.ru provider to enable support.

* Add Mail.ru OAuth Service Provider

* Update callbacks.md

- Fix broken callbacks snippet.

* Update callback.js

- Bug fix #522 (comment)
- Minor refactoring.

* Fix: Code linting.

* Update callback.js

Improve approach for building of URL based review recommendation.

* Feat: Reduce API surface expansion

Make use of provider.id === "mailru" as suggested in review discussion in place of setGetAccessTokenProfileUrl.

* Fix: Code linting

* feat: forward id_token to jwt and signIn callbacks (#1024)

* chore: add auto labeling to PRs [skip release] (#1025)

* chore: add auto labeling to PRs [skip release]

* chore: allow any file type for test label to be added

* chore: rename labeler.yaml to labeler.yml [skip release]

* fix: miscellaneous bugfixes (#1030)

* fix: use named params to fix order

* fix: avoid recursive redirects

* fix: revert to use parsed baseUrl

* fix: avoid recursive res.end calls

* fix: use named params in renderPage

* fix: promisify lib/oauth/callback result

* fix: don't chain on res.end on non-chainable res methods (#1031)

* docs: add powered by vercel logo [skip release]

* chore: run tests on canary [skip release]

* docs: misc improvements [skip release] (#1043)

* refactor: code base improvements 2 (#1045)

* fix: trigger release

* fix: use authorizationUrl correctly

* feat(provider): reduce user facing API (#1023)

Co-authored-by: Balazs Orban <[email protected]>

* fix: remove async from NextAuth default handler

This function should not return a Promise

* feat(provider): add vk.com provider (#1060)

* feat(provider): add vk.com provider

* refactor(provider): reduce vk.com provider api

* refactor: code base improvements 3 (#1072)

* refactor: extend res.{end,send,json}, redirect

* refactor: chain res methods, remove unnecessary ones

* refactor: simplify oauth callback signature

* refactor: code simplifications

* refactor: re-export everything from routes in one

* refactor: split up main index.js to multiple files

* refactor: simplify passing of provider(s) around

* refactor: extend req with callbackUrl inline

* refactor: simplify page rendering

* refactor: move error page redirects to main file, simplify renderer

* refactor: inline req.options definition

* refactor: simplify error fallbacks

* refactor: remove else branches and unnecessary try..catch

* refactor: add docs, and simplify jwt functions

* refactor: prefer errors object over switch..case in signin page

* feat: log all params sent to logger instead of only first

* refactor: fewer lines input validation

* refactor: remove even more unnecessary else branches

* feat: improve package development experience (#1064)

* chore(deps): add next and react to dev dependencies

* chore: move build configs to avoid crash with next dev

* chore: add next js dev app

* chore: remove .txt extension from LICENSE file

* chore: update CONTRIBUTING.md

* chore: watch css under development

* style(lint): run linter on index.css

* chore: fix some imports for dev server

* refactor: simplify client code

* chore: mention VSCode extension for linting

* docs: reword CONTRIBUTING.md

* chore: ignore linting pages and components

* fix: pass csrfToken to signin renderer

* feat: replace blur/focus event to visibility API for getSession (#1081)

* docs: clarify .env usage in CONTRIBUTING.md [skip release] (#1085)

* docs: improve FAQ docs [skip release]

* chore: update caiuse-lite db

* docs: update  some urls in the docs [skip release]

* feat(pages): add dark theme support (#1088)

* feat(pages): add dark theme support

* docs: document theme option

* chore: remove ts-check from dev app

* style(pages): fix some text colors in dark mode

* feat(provider): add LINE provider (#1091)

* refactor: be explicit about path in jsonconfig [skip release]

* refactor: show signin page in dev app [skip release]

* fix: export getSession [skip release]

somehow the default export does not work in the dev app

* style: make p system theme aware [skip release]

* feat(provider): finish Reddit provider and add documentation (#1094)

* Create reddit.md

* uncommented profile callback

* Update reddit.md

* fix lint issues

* added reddit provider

* added reddit provider

* Add Reddit Provider

For some reason a bunch of providers got deleted in the last commit

* Add Reddit Provider

* Add Reddit Provider

* chore: define providers in single file for docs [skip release]

* chore: Comply to Vercel Open Source sponsorship [skip release] (#1087)

* added banner

* Changed banner image allignment

* changed location of banner again

* added to acknowledgement

* added to acknowledgement 1

* changed image size

* k

* l

* s

* s

* .

* added link to the banner in readme.md

* fixed image redirect

* fixed image allignment

* made changes in readme and index.js

* Changed the source of the banner image

* added banner to the footer of the site

* chore: fix lint issues [skip release]

* feat: add native hkdf (#1124)

* feat: add native hkdf

* feat: import only needed to do hkdf

* feat: tweak digest and arguments

* chore(deps): upgrade typeorm to v0.2.30 (#1145)

* docs: remove v1 documentation (#1142)

* chore(adapters): remove fauna (#1148)

* feat: forward signIn auth params to /authorize (#1149)

* refactor: authorisation -> authorization

* feat: forward authorizationParams from signIn function

* refactor: take auth params as third argument

* docs: document signIn authorizationParams

* fix(adapter): fix ISO Datetime type error in Prisma updateSession (#640)

Co-authored-by: Nico Domino <[email protected]>
Co-authored-by: Balázs Orbán <[email protected]>

* feat(provider): add option to generate email verification token (#541)

* Add option to generate email verification token

* chore: remove unused import

* refactor: define default generateVerificationToken in-place

* refactor: define default generateVerificationToken in-place

Co-authored-by: Nico Domino <[email protected]>
Co-authored-by: Balázs Orbán <[email protected]>

* docs: update info about TypeScript [skip release]

* feat: add PKCE support (#941)

* chore(deps): upgrade dependencies

* chore(deps): add pkce-challenge

* feat(pkce): initial implementation of PCKE support

* chore: remove URLSearchParams

* chore(deps): upgrade lockfile

* refactor: store code_verifier in a cookie

* refactor: add pkce handlers

* docs: add PKCE documentation

* chore: remove unused param

* chore: revert unnecessary code change

* fix: correct variable names

* fix: correct logger import

* feat(provider): add Salesforce provider (#1027)

* docs(provider): add Salesforce provider

* fix(provider): use authed_user on slack instead of spotify (#1174)

* fix: use startsWith for protocol matching in parseUrl

closes #842

* fix: fix lint issues

* docs: clear things up around using access_token [skip release]

#1078

* docs: fix typo in callbacks.md [skip release]

* chore(provider): remove Mixer (#1178)

"Thank you to our amazing community and Partners.
As of July 22, the Mixer service has closed."

* feat(provider): re-add state, expand protection provider options  (#1184)

* refactor: move OAuthCallbackError to errors file

* refactor: improve pkce handling

* feat(provider): re-introduce state to provider options

* docs(provider): mention protection options "state" and "none"

* docs(provider): document state property deprecation

* fix: only add code_verifier param if protection is pkce

* docs: explain state deprecation better

* chore: unify string

* fix: send /authorize params through url

* fix: Add a null check to the window 'storage' event listener (#1198)

* Add a null check to the window 'storage' event listener

While testing in Cypress it's possible to receive a null value on Storage Events when 'clear' is called and will cause errors as seen in #1125.

* Update index.js

typo

* Update src/client/index.js

Co-authored-by: Balázs Orbán <[email protected]>

* formatting

Co-authored-by: Balázs Orbán <[email protected]>

* docs(provider): fix typos in providers code snippets [skip release] (#1204)

* docs(adapter): add adapter repo to documentation [skip release] (#1173)

* docs(adapter): add adapter repo to documentation

* docs(adapter): elaborate on custom repo

* fix: forward second argument to fetch body in signIn

fixes #1206

* docs: Fix grammar in "Feature Requests" section of FAQs [skip release] (#1212)

* refactor: provide raw idToken through account object (#1211)

* refactor: provide raw idToken through account object

* docs: clear up accessToken naming

* refactor: provide raw token response to account

* chore: fix grammar in comments

* feat: send all params to logger function (#1214)

* feat(provider): Add Medium (#1213)

* fix: leave accessTokenExpires as null

Forwarding expires_in as is to accessTokenExpires has shown to cause issues with Prisma, and maybe with other flows as well. Setting it back to `null` for now. We still forward `expires_in`, so users can use it if they want to.

Fixes #1216

* docs: more emphasis on req methods [skip release]

* docs: remove announcement bar [skip release]

* fix: make OAuth 1 work after refactoring (#1218)

* chore: add twitter provider to dev app

* feat: bind client instance to overriden methods

* fix: don't add extra params to getOAuthRequestToken

* chore: add twitter to env example, add secret gen instructions

* docs: Update Providers.Credential Example Block [skip release] (#1225)

Closing curly bracket where it should have been a square bracket.

* feat(provider): option to disable client-side redirects (credentials) (#1219)

* chore: add credentials provider to dev app

* feat: add redirect option to signIn, signOut

* feat: set correct status codes for credentials errors

* chore: add credentials page to dev app

* fix: support any provider name for credentials

* feat(ts): preliminary TypeScript support (#1223)

* chore: replace standard with ts-standard

* feat(ts): add some initial types

* feat(ts): import and use types

* chore: allow global fetch through package.json

* chore: upgrade lint scripts to use ts-standard

* chore: run linter on dev app

* chore(ts): satisfy dev Next.js server for TS

* fix: add eslint as dev dependency

* fix(lint): ignore next-env.d.ts from linting

* feat(ts): improve cookies options types

* fix: run linter with fix

* feat(provider): add EVE Online provider (#1227)

* Adding EVEOnline provider

* Adding EVEOnline provider

* Adding EVEOnline provider

* Adding EVEOnline provider

* Adding EVEOnline provider

* Adding EVEOnline provider

* Adding EVEOnline provider

* Adding EVEOnline provider

Co-authored-by: Gerald McNicholl <[email protected]>

* docs: clarify custom pages usage [skip release] (#1239)

* docs(provider): Update Atlassian docs (#1255)

* docs: Update Atlassian docs [skip release]

* Update atlassian.md

* fix(provider): okta client authentication (#1257)

* fix: okta client authentication

* chore: run lint fix

* Update pages/api/auth/[...nextauth].js

Co-authored-by: Balázs Orbán <[email protected]>

Co-authored-by: mgraser <[email protected]>
Co-authored-by: Balázs Orbán <[email protected]>

* chore: don't sync labels with labeler [skip release]

manually added PR labels were constantly removed on new commits/builds, this hopefully fixes that

* fix(provider): add verificationRequest flag to email signIn callback (#1258)

* fix(ui): use color text var for input color (#1260)

Co-authored-by: Archit Khode <[email protected]>

* docs: Minor text error fixed [skip release] (#1263)

* feat(provider): update session when signIn/signOut successful (#1267)

* feat(provider): update session when login/logout successful

* chore: remove manual page reload from dev app

* docs(client): document redirect: false

* fix(page): fix typo in error page

* Merge pull request from GHSA-pg53-56cg-4m8q

* fix(adapter): Verify identifier as well as token in Prisma adapter

* feat(adapter): Improve typeorm adapter

Improve conditional check in TypeORM adapter.

This should have no impact in practice but sets  a good example.

* docs(adapter): Update Prisma docs [skip release] (#1279) (#1283)

Co-authored-by: Iain Collins <[email protected]>

* docs(provider): Update azure-ad-b2c.md [skip release] (#1280)

* docs(adapter): Update Prisma docs (#1279)

* Update azure-ad-b2c.md

add hint for redirection URL, otherwise difficult to find out

* Update azure-ad-b2c.md

changed .env ro .env.local as per recommendation

* Update azure-ad-b2c.md

* Update azure-ad-b2c.md

* Update azure-ad-b2c.md

* update conf in .env.local 

follow the .env guidelines

* Update azure-ad-b2c.md

* Create azure-ad-b2c.md

* Create azure-ad-b2c.md

* Update azure-ad-b2c.md

Co-authored-by: Iain Collins <[email protected]>

* docs: Change "docs" to "documentation"

* fix(provider): Fixes for email sign in (#1285)

* fix(adapter): Fix Prisma delete

Must use Prsima deleteMany() instead of delete() with multiple clauses.

* feat: Update example project

Update example project to make it easier to test with database adapters.

* fix(ui): Fix message text in light / auto theme

Info message text is always on the same background (blue) on both themes so should always be white.

* docs: Update example .env [skip release]

* feat: Update Prisma peerOptionalDependencies

* docs: trigger release

Co-authored-by: Luke Lau <[email protected]>
Co-authored-by: James Perkins <[email protected]>
Co-authored-by: Joshua K. Martinez <[email protected]>
Co-authored-by: Pauldic <[email protected]>
Co-authored-by: Josh Padnick <[email protected]>
Co-authored-by: Daggy1234 <[email protected]>
Co-authored-by: Alan Ray <[email protected]>
Co-authored-by: Manish Chiniwalar <[email protected]>
Co-authored-by: Aymeric <[email protected]>
Co-authored-by: Nico Domino <[email protected]>
Co-authored-by: Fabrizio Ruggeri <[email protected]>
Co-authored-by: Iain Collins <[email protected]>
Co-authored-by: Joseph Vaughan <[email protected]>
Co-authored-by: Joost Jansky <[email protected]>
Co-authored-by: styxlab <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: RobertCraigie <[email protected]>
Co-authored-by: Joe Bell <[email protected]>
Co-authored-by: Vladimir Evdokimov <[email protected]>
Co-authored-by: Cathy Chen <[email protected]>
Co-authored-by: Kristóf Poduszló <[email protected]>
Co-authored-by: Haldun Anil <[email protected]>
Co-authored-by: Jakub Naskręski <[email protected]>
Co-authored-by: imgregduh <[email protected]>
Co-authored-by: pkabore <[email protected]>
Co-authored-by: Paul Kenneth Kent <[email protected]>
Co-authored-by: Paul Kenneth Kent <[email protected]>
Co-authored-by: Balazs Orban <[email protected]>
Co-authored-by: Junior Vidotti <[email protected]>
Co-authored-by: Yuma Matsune <[email protected]>
Co-authored-by: Ben West <[email protected]>
Co-authored-by: Florian Michaut <[email protected]>
Co-authored-by: Florian Michaut <[email protected]>
Co-authored-by: Melanie Seltzer <[email protected]>
Co-authored-by: Didi Keke <[email protected]>
Co-authored-by: Evgeniy Boreyko <[email protected]>
Co-authored-by: Alex B <[email protected]>
Co-authored-by: Ben <[email protected]>
Co-authored-by: suraj10k <[email protected]>
Co-authored-by: t.kuriyama <[email protected]>
Co-authored-by: Yuri Gor <[email protected]>
Co-authored-by: Radhika <[email protected]>
Co-authored-by: Henrik Wenz <[email protected]>
Co-authored-by: Zhao Lei <[email protected]>
Co-authored-by: Mohamed El Mahallawy <[email protected]>
Co-authored-by: Dillon Mulroy <[email protected]>
Co-authored-by: Carmelo Scandaliato <[email protected]>
Co-authored-by: Aishah <[email protected]>
Co-authored-by: Samson Zhang <[email protected]>
Co-authored-by: Vova <[email protected]>
Co-authored-by: Cody Ogden <[email protected]>
Co-authored-by: geraldm74 <[email protected]>
Co-authored-by: Gerald McNicholl <[email protected]>
Co-authored-by: Jeremy Caine <[email protected]>
Co-authored-by: Matthew Graser <[email protected]>
Co-authored-by: mgraser <[email protected]>
Co-authored-by: Kristofor Carle <[email protected]>
Co-authored-by: Archit Khode <[email protected]>
Co-authored-by: Archit Khode <[email protected]>
Co-authored-by: Daniel Gadd <[email protected]>
Co-authored-by: Robert Hufsky <[email protected]>
@kierancrown
Copy link

I might be a little dumb here. But where do I add this within the config? I can't see anything in the type files.

@aakash14goplani
Copy link

Can I use code-verifier from cookie as is or it needs some decryption?

mnphpexpert added a commit to mnphpexpert/next-auth that referenced this pull request Sep 2, 2024
* chore(deps): upgrade dependencies

* chore(deps): add pkce-challenge

* feat(pkce): initial implementation of PCKE support

* chore: remove URLSearchParams

* chore(deps): upgrade lockfile

* refactor: store code_verifier in a cookie

* refactor: add pkce handlers

* docs: add PKCE documentation

* chore: remove unused param

* chore: revert unnecessary code change

* fix: correct variable names
mnphpexpert added a commit to mnphpexpert/next-auth that referenced this pull request Sep 2, 2024
* feat: simplify NextAuth instantiation (nextauthjs#911)

* feat: allow react 17 as a peer dependency (nextauthjs#819)

Co-authored-by: Balázs Orbán <[email protected]>

* docs: update for Now to Vercel (nextauthjs#847)

Vercel archived their now packages a while back, so you can use vercel env pull to pull in the .env

* docs: fix discord example code (nextauthjs#850)

* docs: fix typo in callbacks.md (nextauthjs#815)

This is a simple typographical error changed accesed to accessed

* fix: update nodemailer version in response to CVE. (nextauthjs#860)

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7769 reports a high-severity issue with the current version of nodemailer. This should be merged and released right away if possible.

* fix: ensure Images are produced for discord (nextauthjs#734)

* fix: update Okta routes (nextauthjs#763)

the current routing for the Okta provider does not follow the standard
set by Okta, and as such doesn't allow for custom subdomains. this
update amends the routes to allow for customer subdomains, and also
aligns next-auth with Okta's documentation.

* fix(provider): handle no profile image for Spotify (nextauthjs#914)

* chore(deps): upgrade "standard"

* style(lint): run lint fix

* fix(provider): optional chain Spotify provider profile img

* Merge main into canary (nextauthjs#917)

* chore: use stale label, instead of wontfix

* chore: add link to issue explaining stalebot

* chore: fix typo in stalebot comment

* chore: run build GitHub Action on canary also

* chore: run build GitHub Actions on canary as well

* chore: add reproduction section to questions

* docs: Update default ports for support Databases (nextauthjs#839)

https://next-auth.js.org/configuration/databases

* Fix for Reddit Authentication (nextauthjs#866)

* Fixed Reddit Authentication

* updated fix for build test

* updated buffer to avoid deprecation message

* Updated for passing tests

* WIP: Update Docusaurus + Site dependencies (nextauthjs#802)

* update: deps

* fix: broken link

* fix: search upgrade change

* Include callbackUrl in newUser page (nextauthjs#790)

* Include callbackUrl in newUser page

* Update src/server/routes/callback.js

Co-authored-by: Iain Collins <[email protected]>

* Update src/server/routes/callback.js

Co-authored-by: Iain Collins <[email protected]>

Co-authored-by: Iain Collins <[email protected]>
Co-authored-by: Nico Domino <[email protected]>

* add(db): Add support for Fauna DB (nextauthjs#708)

* Add support for Fauna DB

* Add integration tests

Co-authored-by: Nico Domino <[email protected]>

* feat(provider): add netlify (nextauthjs#555)

Co-authored-by: styxlab <[email protected]>
Co-authored-by: Balázs Orbán <[email protected]>

* Bump next from 9.5.3 to 9.5.4 in /test/docker/app (nextauthjs#759)

Bumps [next](https://github.com/vercel/next.js) from 9.5.3 to 9.5.4.
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v9.5.3...v9.5.4)

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Nico Domino <[email protected]>

* feat(provider): Add Bungie (nextauthjs#589)

* Add Bungie provider

* Use absolute URL for images

* Correct image URL and use consistent formatting

Co-authored-by: Nico Domino <[email protected]>

* feat: add foursquare (nextauthjs#584)

* feat(provider): Add Azure Active Directory B2C (nextauthjs#921)

* add provider: Microsoft

* documentation

* support no tenant setup

* fix code style

* chore: rename Microsoft provider to AzureADB2C

* chore: alphabetical order in providers/index

* doc: add provider to FAQ

* update(provider): Update Slack provider to use V2 OAuth endpoints (nextauthjs#895)

* Update Slack to v2 authorize urls, option for additional authorize params
* acessTokenGetter + documentation

* refactor(db): update Prisma calls to support 2.12+ (nextauthjs#881)

Co-authored-by: Balázs Orbán <[email protected]>
Co-authored-by: Nico Domino <[email protected]>

* chore(dep): Bump highlight.js from 9.18.1 to 9.18.5 (nextauthjs#880)

Bumps [highlight.js](https://github.com/highlightjs/highlight.js) from 9.18.1 to 9.18.5.
- [Release notes](https://github.com/highlightjs/highlight.js/releases)
- [Changelog](https://github.com/highlightjs/highlight.js/blob/9.18.5/CHANGES.md)
- [Commits](highlightjs/highlight.js@9.18.1...9.18.5)

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Balázs Orbán <[email protected]>
Co-authored-by: Nico Domino <[email protected]>

* chore: disallow issues without template

* chore: add note about conveting questions to discussions

* chore: create PULL_REQUEST_TEMPLATE.md

* chore: reword PR template

* feat: Store user ID in sub claim of default JWT (nextauthjs#784)

This allows us to check if the user is signed in when using JWTs

Part of nextauthjs#625

* docs: fix incorrect references in cypress docs (nextauthjs#932)

* chore: use stale label, instead of wontfix

* chore: add link to issue explaining stalebot

* chore: fix typo in stalebot comment

* chore: run build GitHub Action on canary also

* chore: run build GitHub Actions on canary as well

* chore: add reproduction section to questions

* feat(provider): Add Azure Active Directory B2C (nextauthjs#809)

* add provider: Microsoft

* documentation

* support no tenant setup

* fix code style

* chore: rename Microsoft provider to AzureADB2C

* chore: alphabetical order in providers/index

* Revert "feat(provider): Add Azure Active Directory B2C (nextauthjs#809)" (nextauthjs#919)

This reverts commit 6e6a24a.

* chore: add myself to the contributors list 🙈

* docs: fix incorrect references in cypress docs

* chore: add additional docs clarification

Co-authored-by: Balázs Orbán <[email protected]>
Co-authored-by: Vladimir Evdokimov <[email protected]>

* feat: Display error if no [...nextauth].js found (nextauthjs#678)

* Display error if no [...nextauth].js found

fixes nextauthjs#647

* Log the error and describe it inside errors.md

Co-authored-by: Balázs Orbán <[email protected]>

* chore(deps): Bump ini from 1.3.5 to 1.3.8 in /www (nextauthjs#953)

Bumps [ini](https://github.com/isaacs/ini) from 1.3.5 to 1.3.8.
- [Release notes](https://github.com/isaacs/ini/releases)
- [Commits](npm/ini@v1.3.5...v1.3.8)

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs: fix typo Adapater -> Adapter (nextauthjs#960)

Co-authored-by: Balázs Orbán <[email protected]>
Co-authored-by: Vladimir Evdokimov <[email protected]>

* docs: We have twice the word "side" (nextauthjs#964)

* chore: use stale label, instead of wontfix

* chore: add link to issue explaining stalebot

* chore: fix typo in stalebot comment

* chore: run build GitHub Action on canary also

* chore: run build GitHub Actions on canary as well

* chore: add reproduction section to questions

* feat(provider): Add Azure Active Directory B2C (nextauthjs#809)

* add provider: Microsoft

* documentation

* support no tenant setup

* fix code style

* chore: rename Microsoft provider to AzureADB2C

* chore: alphabetical order in providers/index

* Revert "feat(provider): Add Azure Active Directory B2C (nextauthjs#809)" (nextauthjs#919)

This reverts commit 6e6a24a.

* chore: add myself to the contributors list 🙈

* We have twice the word "side"

Co-authored-by: Balázs Orbán <[email protected]>
Co-authored-by: Vladimir Evdokimov <[email protected]>

* docs: Correcting a typo. "available" Line 70 (nextauthjs#965)

* chore: use stale label, instead of wontfix

* chore: add link to issue explaining stalebot

* chore: fix typo in stalebot comment

* chore: run build GitHub Action on canary also

* chore: run build GitHub Actions on canary as well

* chore: add reproduction section to questions

* feat(provider): Add Azure Active Directory B2C (nextauthjs#809)

* add provider: Microsoft

* documentation

* support no tenant setup

* fix code style

* chore: rename Microsoft provider to AzureADB2C

* chore: alphabetical order in providers/index

* Revert "feat(provider): Add Azure Active Directory B2C (nextauthjs#809)" (nextauthjs#919)

This reverts commit 6e6a24a.

* chore: add myself to the contributors list 🙈

* Correcting a typo. "available" Line 70

Co-authored-by: Balázs Orbán <[email protected]>
Co-authored-by: Vladimir Evdokimov <[email protected]>

* chore: hide comments from pull request template

* Update README.md

Updated the readme to include the projects logo, fixed some typos, and added license info and contributor image.

* feat: add strava provider (nextauthjs#986)

* Add Strava as a provider

* Add documentation for Strava provider

* Fix lint errors

Co-authored-by: Paul Kenneth Kent <[email protected]>

* Update README.md

* Update README.md

* feat: add semantic-release (nextauthjs#920)

* chore(release): change semantic-release/git to semantic-release/github

* docs(database): add mssql indexes in docs, fix typos (nextauthjs#925)

* added mssql indexes in docs, fixed typo

* docs: fix typo in www/docs/schemas/mssql.md

Co-authored-by: Balázs Orbán <[email protected]>

* chore(release): delete old workflow

* chore(release): trigger release on docs type

* fix: treat user.id as optional param (nextauthjs#1010)

* fix(adapter): use findOne for typeorm (nextauthjs#1014)

* Change image to text from varchar (nextauthjs#777)

Co-authored-by: Nico Domino <[email protected]>

* feat(db): make Fauna DB collections & indexes configurable (nextauthjs#968)

* Add collections & indexes overrides for Fauna DB

* Fix the name of the verification token index

Co-authored-by: Florian Michaut <[email protected]>

* docs: Remove unnecessary promises (nextauthjs#915)

* feat: allow to return string in signIn callback (nextauthjs#1019)

* docs: small update to sign in/out examples (nextauthjs#1016)

* Update examples in client.md

* Update more examples

Co-authored-by: Balázs Orbán <[email protected]>

* docs: update contributing information [skip release] (nextauthjs#1011)

* docs: update CONTRIBUTING.md

* docs:  use db instead of database for more space

* docs: update CONTRIBUTING.md

* docs: update PR template

* docs: add note about skipping a release

* docs: fix typos in CONTRIBUTING.md [skip release]

* refactor: code base improvements (nextauthjs#959)

* chore: fix casing of OAuth

* refacotr: simplify default callbacks lib file

* refactor: use native URL instead of string concats

* refactor: move redirect to res.redirect, done to res.end

* refactor: move options to req

* refactor: improve IntelliSense, name all functions

* fix(lint): fix lint errors

* refactor: remove jwt-decode dependency

* refactor: refactor some callbacks to Promises

* revert: "refactor: use native URL instead of string concats"

Refs: 690c55b

* chore: misc changes

Co-authored-by: Balazs Orban <[email protected]>

* feat(provider): Add Mail.ru OAuth Service Provider and Callback snippet (nextauthjs#522)

* Update callback.js

- Fix Mail.ru bug (missing request parameter: access_token)

Note: setGetAccessTokenProfileUrl should be added to Mail.ru provider to enable support.

* Add Mail.ru OAuth Service Provider

* Update callbacks.md

- Fix broken callbacks snippet.

* Update callback.js

- Bug fix nextauthjs#522 (comment)
- Minor refactoring.

* Fix: Code linting.

* Update callback.js

Improve approach for building of URL based review recommendation.

* Feat: Reduce API surface expansion

Make use of provider.id === "mailru" as suggested in review discussion in place of setGetAccessTokenProfileUrl.

* Fix: Code linting

* feat: forward id_token to jwt and signIn callbacks (nextauthjs#1024)

* chore: add auto labeling to PRs [skip release] (nextauthjs#1025)

* chore: add auto labeling to PRs [skip release]

* chore: allow any file type for test label to be added

* chore: rename labeler.yaml to labeler.yml [skip release]

* fix: miscellaneous bugfixes (nextauthjs#1030)

* fix: use named params to fix order

* fix: avoid recursive redirects

* fix: revert to use parsed baseUrl

* fix: avoid recursive res.end calls

* fix: use named params in renderPage

* fix: promisify lib/oauth/callback result

* fix: don't chain on res.end on non-chainable res methods (nextauthjs#1031)

* docs: add powered by vercel logo [skip release]

* chore: run tests on canary [skip release]

* docs: misc improvements [skip release] (nextauthjs#1043)

* refactor: code base improvements 2 (nextauthjs#1045)

* fix: trigger release

* fix: use authorizationUrl correctly

* feat(provider): reduce user facing API (nextauthjs#1023)

Co-authored-by: Balazs Orban <[email protected]>

* fix: remove async from NextAuth default handler

This function should not return a Promise

* feat(provider): add vk.com provider (nextauthjs#1060)

* feat(provider): add vk.com provider

* refactor(provider): reduce vk.com provider api

* refactor: code base improvements 3 (nextauthjs#1072)

* refactor: extend res.{end,send,json}, redirect

* refactor: chain res methods, remove unnecessary ones

* refactor: simplify oauth callback signature

* refactor: code simplifications

* refactor: re-export everything from routes in one

* refactor: split up main index.js to multiple files

* refactor: simplify passing of provider(s) around

* refactor: extend req with callbackUrl inline

* refactor: simplify page rendering

* refactor: move error page redirects to main file, simplify renderer

* refactor: inline req.options definition

* refactor: simplify error fallbacks

* refactor: remove else branches and unnecessary try..catch

* refactor: add docs, and simplify jwt functions

* refactor: prefer errors object over switch..case in signin page

* feat: log all params sent to logger instead of only first

* refactor: fewer lines input validation

* refactor: remove even more unnecessary else branches

* feat: improve package development experience (nextauthjs#1064)

* chore(deps): add next and react to dev dependencies

* chore: move build configs to avoid crash with next dev

* chore: add next js dev app

* chore: remove .txt extension from LICENSE file

* chore: update CONTRIBUTING.md

* chore: watch css under development

* style(lint): run linter on index.css

* chore: fix some imports for dev server

* refactor: simplify client code

* chore: mention VSCode extension for linting

* docs: reword CONTRIBUTING.md

* chore: ignore linting pages and components

* fix: pass csrfToken to signin renderer

* feat: replace blur/focus event to visibility API for getSession (nextauthjs#1081)

* docs: clarify .env usage in CONTRIBUTING.md [skip release] (nextauthjs#1085)

* docs: improve FAQ docs [skip release]

* chore: update caiuse-lite db

* docs: update  some urls in the docs [skip release]

* feat(pages): add dark theme support (nextauthjs#1088)

* feat(pages): add dark theme support

* docs: document theme option

* chore: remove ts-check from dev app

* style(pages): fix some text colors in dark mode

* feat(provider): add LINE provider (nextauthjs#1091)

* refactor: be explicit about path in jsonconfig [skip release]

* refactor: show signin page in dev app [skip release]

* fix: export getSession [skip release]

somehow the default export does not work in the dev app

* style: make p system theme aware [skip release]

* feat(provider): finish Reddit provider and add documentation (nextauthjs#1094)

* Create reddit.md

* uncommented profile callback

* Update reddit.md

* fix lint issues

* added reddit provider

* added reddit provider

* Add Reddit Provider

For some reason a bunch of providers got deleted in the last commit

* Add Reddit Provider

* Add Reddit Provider

* chore: define providers in single file for docs [skip release]

* chore: Comply to Vercel Open Source sponsorship [skip release] (nextauthjs#1087)

* added banner

* Changed banner image allignment

* changed location of banner again

* added to acknowledgement

* added to acknowledgement 1

* changed image size

* k

* l

* s

* s

* .

* added link to the banner in readme.md

* fixed image redirect

* fixed image allignment

* made changes in readme and index.js

* Changed the source of the banner image

* added banner to the footer of the site

* chore: fix lint issues [skip release]

* feat: add native hkdf (nextauthjs#1124)

* feat: add native hkdf

* feat: import only needed to do hkdf

* feat: tweak digest and arguments

* chore(deps): upgrade typeorm to v0.2.30 (nextauthjs#1145)

* docs: remove v1 documentation (nextauthjs#1142)

* chore(adapters): remove fauna (nextauthjs#1148)

* feat: forward signIn auth params to /authorize (nextauthjs#1149)

* refactor: authorisation -> authorization

* feat: forward authorizationParams from signIn function

* refactor: take auth params as third argument

* docs: document signIn authorizationParams

* fix(adapter): fix ISO Datetime type error in Prisma updateSession (nextauthjs#640)

Co-authored-by: Nico Domino <[email protected]>
Co-authored-by: Balázs Orbán <[email protected]>

* feat(provider): add option to generate email verification token (nextauthjs#541)

* Add option to generate email verification token

* chore: remove unused import

* refactor: define default generateVerificationToken in-place

* refactor: define default generateVerificationToken in-place

Co-authored-by: Nico Domino <[email protected]>
Co-authored-by: Balázs Orbán <[email protected]>

* docs: update info about TypeScript [skip release]

* feat: add PKCE support (nextauthjs#941)

* chore(deps): upgrade dependencies

* chore(deps): add pkce-challenge

* feat(pkce): initial implementation of PCKE support

* chore: remove URLSearchParams

* chore(deps): upgrade lockfile

* refactor: store code_verifier in a cookie

* refactor: add pkce handlers

* docs: add PKCE documentation

* chore: remove unused param

* chore: revert unnecessary code change

* fix: correct variable names

* fix: correct logger import

* feat(provider): add Salesforce provider (nextauthjs#1027)

* docs(provider): add Salesforce provider

* fix(provider): use authed_user on slack instead of spotify (nextauthjs#1174)

* fix: use startsWith for protocol matching in parseUrl

closes nextauthjs#842

* fix: fix lint issues

* docs: clear things up around using access_token [skip release]

nextauthjs#1078

* docs: fix typo in callbacks.md [skip release]

* chore(provider): remove Mixer (nextauthjs#1178)

"Thank you to our amazing community and Partners.
As of July 22, the Mixer service has closed."

* feat(provider): re-add state, expand protection provider options  (nextauthjs#1184)

* refactor: move OAuthCallbackError to errors file

* refactor: improve pkce handling

* feat(provider): re-introduce state to provider options

* docs(provider): mention protection options "state" and "none"

* docs(provider): document state property deprecation

* fix: only add code_verifier param if protection is pkce

* docs: explain state deprecation better

* chore: unify string

* fix: send /authorize params through url

* fix: Add a null check to the window 'storage' event listener (nextauthjs#1198)

* Add a null check to the window 'storage' event listener

While testing in Cypress it's possible to receive a null value on Storage Events when 'clear' is called and will cause errors as seen in nextauthjs#1125.

* Update index.js

typo

* Update src/client/index.js

Co-authored-by: Balázs Orbán <[email protected]>

* formatting

Co-authored-by: Balázs Orbán <[email protected]>

* docs(provider): fix typos in providers code snippets [skip release] (nextauthjs#1204)

* docs(adapter): add adapter repo to documentation [skip release] (nextauthjs#1173)

* docs(adapter): add adapter repo to documentation

* docs(adapter): elaborate on custom repo

* fix: forward second argument to fetch body in signIn

fixes nextauthjs#1206

* docs: Fix grammar in "Feature Requests" section of FAQs [skip release] (nextauthjs#1212)

* refactor: provide raw idToken through account object (nextauthjs#1211)

* refactor: provide raw idToken through account object

* docs: clear up accessToken naming

* refactor: provide raw token response to account

* chore: fix grammar in comments

* feat: send all params to logger function (nextauthjs#1214)

* feat(provider): Add Medium (nextauthjs#1213)

* fix: leave accessTokenExpires as null

Forwarding expires_in as is to accessTokenExpires has shown to cause issues with Prisma, and maybe with other flows as well. Setting it back to `null` for now. We still forward `expires_in`, so users can use it if they want to.

Fixes nextauthjs#1216

* docs: more emphasis on req methods [skip release]

* docs: remove announcement bar [skip release]

* fix: make OAuth 1 work after refactoring (nextauthjs#1218)

* chore: add twitter provider to dev app

* feat: bind client instance to overriden methods

* fix: don't add extra params to getOAuthRequestToken

* chore: add twitter to env example, add secret gen instructions

* docs: Update Providers.Credential Example Block [skip release] (nextauthjs#1225)

Closing curly bracket where it should have been a square bracket.

* feat(provider): option to disable client-side redirects (credentials) (nextauthjs#1219)

* chore: add credentials provider to dev app

* feat: add redirect option to signIn, signOut

* feat: set correct status codes for credentials errors

* chore: add credentials page to dev app

* fix: support any provider name for credentials

* feat(ts): preliminary TypeScript support (nextauthjs#1223)

* chore: replace standard with ts-standard

* feat(ts): add some initial types

* feat(ts): import and use types

* chore: allow global fetch through package.json

* chore: upgrade lint scripts to use ts-standard

* chore: run linter on dev app

* chore(ts): satisfy dev Next.js server for TS

* fix: add eslint as dev dependency

* fix(lint): ignore next-env.d.ts from linting

* feat(ts): improve cookies options types

* fix: run linter with fix

* feat(provider): add EVE Online provider (nextauthjs#1227)

* Adding EVEOnline provider

* Adding EVEOnline provider

* Adding EVEOnline provider

* Adding EVEOnline provider

* Adding EVEOnline provider

* Adding EVEOnline provider

* Adding EVEOnline provider

* Adding EVEOnline provider

Co-authored-by: Gerald McNicholl <[email protected]>

* docs: clarify custom pages usage [skip release] (nextauthjs#1239)

* docs(provider): Update Atlassian docs (nextauthjs#1255)

* docs: Update Atlassian docs [skip release]

* Update atlassian.md

* fix(provider): okta client authentication (nextauthjs#1257)

* fix: okta client authentication

* chore: run lint fix

* Update pages/api/auth/[...nextauth].js

Co-authored-by: Balázs Orbán <[email protected]>

Co-authored-by: mgraser <[email protected]>
Co-authored-by: Balázs Orbán <[email protected]>

* chore: don't sync labels with labeler [skip release]

manually added PR labels were constantly removed on new commits/builds, this hopefully fixes that

* fix(provider): add verificationRequest flag to email signIn callback (nextauthjs#1258)

* fix(ui): use color text var for input color (nextauthjs#1260)

Co-authored-by: Archit Khode <[email protected]>

* docs: Minor text error fixed [skip release] (nextauthjs#1263)

* feat(provider): update session when signIn/signOut successful (nextauthjs#1267)

* feat(provider): update session when login/logout successful

* chore: remove manual page reload from dev app

* docs(client): document redirect: false

* fix(page): fix typo in error page

* Merge pull request from GHSA-pg53-56cg-4m8q

* fix(adapter): Verify identifier as well as token in Prisma adapter

* feat(adapter): Improve typeorm adapter

Improve conditional check in TypeORM adapter.

This should have no impact in practice but sets  a good example.

* docs(adapter): Update Prisma docs [skip release] (nextauthjs#1279) (nextauthjs#1283)

Co-authored-by: Iain Collins <[email protected]>

* docs(provider): Update azure-ad-b2c.md [skip release] (nextauthjs#1280)

* docs(adapter): Update Prisma docs (nextauthjs#1279)

* Update azure-ad-b2c.md

add hint for redirection URL, otherwise difficult to find out

* Update azure-ad-b2c.md

changed .env ro .env.local as per recommendation

* Update azure-ad-b2c.md

* Update azure-ad-b2c.md

* Update azure-ad-b2c.md

* update conf in .env.local 

follow the .env guidelines

* Update azure-ad-b2c.md

* Create azure-ad-b2c.md

* Create azure-ad-b2c.md

* Update azure-ad-b2c.md

Co-authored-by: Iain Collins <[email protected]>

* docs: Change "docs" to "documentation"

* fix(provider): Fixes for email sign in (nextauthjs#1285)

* fix(adapter): Fix Prisma delete

Must use Prsima deleteMany() instead of delete() with multiple clauses.

* feat: Update example project

Update example project to make it easier to test with database adapters.

* fix(ui): Fix message text in light / auto theme

Info message text is always on the same background (blue) on both themes so should always be white.

* docs: Update example .env [skip release]

* feat: Update Prisma peerOptionalDependencies

* docs: trigger release

Co-authored-by: Luke Lau <[email protected]>
Co-authored-by: James Perkins <[email protected]>
Co-authored-by: Joshua K. Martinez <[email protected]>
Co-authored-by: Pauldic <[email protected]>
Co-authored-by: Josh Padnick <[email protected]>
Co-authored-by: Daggy1234 <[email protected]>
Co-authored-by: Alan Ray <[email protected]>
Co-authored-by: Manish Chiniwalar <[email protected]>
Co-authored-by: Aymeric <[email protected]>
Co-authored-by: Nico Domino <[email protected]>
Co-authored-by: Fabrizio Ruggeri <[email protected]>
Co-authored-by: Iain Collins <[email protected]>
Co-authored-by: Joseph Vaughan <[email protected]>
Co-authored-by: Joost Jansky <[email protected]>
Co-authored-by: styxlab <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: RobertCraigie <[email protected]>
Co-authored-by: Joe Bell <[email protected]>
Co-authored-by: Vladimir Evdokimov <[email protected]>
Co-authored-by: Cathy Chen <[email protected]>
Co-authored-by: Kristóf Poduszló <[email protected]>
Co-authored-by: Haldun Anil <[email protected]>
Co-authored-by: Jakub Naskręski <[email protected]>
Co-authored-by: imgregduh <[email protected]>
Co-authored-by: pkabore <[email protected]>
Co-authored-by: Paul Kenneth Kent <[email protected]>
Co-authored-by: Paul Kenneth Kent <[email protected]>
Co-authored-by: Balazs Orban <[email protected]>
Co-authored-by: Junior Vidotti <[email protected]>
Co-authored-by: Yuma Matsune <[email protected]>
Co-authored-by: Ben West <[email protected]>
Co-authored-by: Florian Michaut <[email protected]>
Co-authored-by: Florian Michaut <[email protected]>
Co-authored-by: Melanie Seltzer <[email protected]>
Co-authored-by: Didi Keke <[email protected]>
Co-authored-by: Evgeniy Boreyko <[email protected]>
Co-authored-by: Alex B <[email protected]>
Co-authored-by: Ben <[email protected]>
Co-authored-by: suraj10k <[email protected]>
Co-authored-by: t.kuriyama <[email protected]>
Co-authored-by: Yuri Gor <[email protected]>
Co-authored-by: Radhika <[email protected]>
Co-authored-by: Henrik Wenz <[email protected]>
Co-authored-by: Zhao Lei <[email protected]>
Co-authored-by: Mohamed El Mahallawy <[email protected]>
Co-authored-by: Dillon Mulroy <[email protected]>
Co-authored-by: Carmelo Scandaliato <[email protected]>
Co-authored-by: Aishah <[email protected]>
Co-authored-by: Samson Zhang <[email protected]>
Co-authored-by: Vova <[email protected]>
Co-authored-by: Cody Ogden <[email protected]>
Co-authored-by: geraldm74 <[email protected]>
Co-authored-by: Gerald McNicholl <[email protected]>
Co-authored-by: Jeremy Caine <[email protected]>
Co-authored-by: Matthew Graser <[email protected]>
Co-authored-by: mgraser <[email protected]>
Co-authored-by: Kristofor Carle <[email protected]>
Co-authored-by: Archit Khode <[email protected]>
Co-authored-by: Archit Khode <[email protected]>
Co-authored-by: Daniel Gadd <[email protected]>
Co-authored-by: Robert Hufsky <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request hacktoberfest-docs Relates to documentation hacktoberfest-help-needed The maintainer needs help due to time constraint/missing knowledge providers
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Is "Authorization Code + PKCE" Supported? invalid_grant when using IdentityServer4
6 participants