types
This module contains public types and interfaces of the core package.
Installationβ
- npm
- Yarn
- pnpm
npm install @auth/core
yarn add @auth/core
pnpm add @auth/core
You can then import this submodule from @auth/core/types
.
Usageβ
Even if you don't use TypeScript, IDEs like VSCode will pick up types to provide you with a better developer experience. While you are typing, you will get suggestions about what certain objects/functions look like, and sometimes links to documentation, examples, and other valuable resources.
Generally, you will not need to import types from this module.
Mostly when using the Auth
function and optionally the AuthConfig
interface,
everything inside there will already be typed.
Inside the Auth
function, you won't need to use a single type from this module.
Exampleβ
import { Auth } from "@auth/core"
const request = new Request("https://example.com")
const response = await Auth(request, {
callbacks: {
jwt(): JWT { // <-- This is unnecessary!
return { foo: "bar" }
},
session(
{ session, token }: { session: Session; token: JWT } // <-- This is unnecessary!
) {
return session
},
}
})
We are advocates of TypeScript, as it will help you catch errors at build-time, before your users do. π
Resourcesβ
AuthActionβ
type AuthAction:
| "callback"
| "csrf"
| "error"
| "providers"
| "session"
| "signin"
| "signout"
| "verify-request"
| "webauthn-options";
Supported actions by Auth.js. Each action map to a REST API endpoint.
Some actions have a GET
and POST
variant, depending on if the action
changes the state of the server.
"callback"
:GET
: Handles the callback from an OAuth provider.POST
: Handles the callback from a Credentials provider.
"csrf"
: Returns the raw CSRF token, which is saved in a cookie (encrypted). It is used for CSRF protection, implementing the double submit cookie technique.
Some frameworks have built-in CSRF protection and can therefore disable this action. In this case, the corresponding endpoint will return a 404 response. Read more at skipCSRFCheck
.
β We don't recommend manually disabling CSRF protection, unless you know what you're doing.
"error"
: Renders the built-in error page."providers"
: Returns a client-safe list of all configured providers."session"
:- **
GET**
: Returns the user's session if it exists, otherwisenull
. - **
POST**
: Updates the user's session and returns the updated session.
- **
"signin"
:GET
: Renders the built-in sign-in page.POST
: Initiates the sign-in flow.
"signout"
:GET
: Renders the built-in sign-out page.POST
: Initiates the sign-out flow. This will invalidate the user's session (deleting the cookie, and if there is a session in the database, it will be deleted as well).
"verify-request"
: Renders the built-in verification request page."webauthn-options"
:GET
: Returns the options for the WebAuthn authentication and registration flows.
ErrorPageParamβ
type ErrorPageParam: "Configuration" | "AccessDenied" | "Verification";
TODO: Check if all these are used/correct
SignInPageErrorParamβ
type SignInPageErrorParam:
| "Signin"
| "OAuthSignin"
| "OAuthCallbackError"
| "OAuthCreateAccount"
| "EmailCreateAccount"
| "Callback"
| "OAuthAccountNotLinked"
| "EmailSignin"
| "CredentialsSignin"
| "SessionRequired";
TODO: Check if all these are used/correct
TokenSetβ
type TokenSet: Partial< OAuth2TokenEndpointResponse | OpenIDTokenEndpointResponse > & {
expires_at: number;
};
Different tokens returned by OAuth Providers. Some of them are available with different casing, but they refer to the same value.
Type declarationβ
expires_atβ
expires_at?: number;
Date of when the access_token
expires in seconds.
This value is calculated from the expires_in
value.
Seeβ
https://www.ietf.org/rfc/rfc6749.html#section-4.2.2
Accountβ
Usually contains information about the provider being used
and also extends TokenSet
, which is different tokens returned by OAuth Providers.
Extendsβ
Partial
<OpenIDTokenEndpointResponse
>
Propertiesβ
providerβ
provider: string;
Provider's id for this account. Eg.: "google"
providerAccountIdβ
providerAccountId: string;
This value depends on the type of the provider being used to create the account.
- oauth/oidc: The OAuth account's id, returned from the
profile()
callback. - email: The user's email address.
- credentials:
id
returned from theauthorize()
callback
typeβ
type: ProviderType;
Provider's type for this account
expires_atβ
expires_at?: number;
Calculated value based on [OAuth2TokenEndpointResponse.expires_in]([object Object]).
It is the absolute timestamp (in seconds) when the [OAuth2TokenEndpointResponse.access_token]([object Object]) expires.
This value can be used for implementing token rotation together with [OAuth2TokenEndpointResponse.refresh_token]([object Object]).
Seeβ
- https://authjs.dev/guides/basics/refresh-token-rotation#database-strategy
- https://www.rfc-editor.org/rfc/rfc6749#section-5.1
userIdβ
userId?: string;
id of the user this account belongs to
Seeβ
https://authjs.dev/reference/core/adapters#user
Authenticatorβ
A webauthn authenticator. Represents an entity capable of authenticating the account it references, and contains the auhtenticator's credentials and related information.
Seeβ
https://www.w3.org/TR/webauthn/#authenticator
Extended Byβ
Propertiesβ
counterβ
counter: number;
Number of times the authenticator has been used.
credentialBackedUpβ
credentialBackedUp: boolean;
Whether the client authenticator backed up the credential.
credentialDeviceTypeβ
credentialDeviceType: string;
Device type of the authenticator.
credentialIDβ
credentialID: string;
Base64 encoded credential ID.
credentialPublicKeyβ
credentialPublicKey: string;
Base64 encoded credential public key.
providerAccountIdβ
providerAccountId: string;
The provider account ID connected to the authenticator.
transportsβ
transports?: string;
Concatenated transport flags.
userIdβ
userId?: string;
ID of the user this authenticator belongs to.
CallbacksOptions<P, A>β
Override the default session creation flow of Auth.js
Type parametersβ
βͺ P = Profile
βͺ A = Account
Propertiesβ
jwtβ
jwt: (params) => Awaitable< null | JWT >;
This callback is called whenever a JSON Web Token is created (i.e. at sign in)
or updated (i.e whenever a session is accessed in the client).
Its content is forwarded to the session
callback,
where you can control what should be returned to the client.
Anything else will be kept from your front-end.
The JWT is encrypted by default.
Documentation |
session
callback
Parametersβ
βͺ params: {
account
: null
| A
;
token
: JWT
;
user
: AdapterUser
| User
;
isNewUser
: boolean
;
profile
: P
;
session
: any
;
trigger
: "signIn"
| "update"
| "signUp"
;
}
βͺ params.account: null
| A
Contains information about the provider that was used to sign in. Also includes TokenSet
Note
available when trigger
is "signIn"
or "signUp"
βͺ params.token: JWT
When trigger
is "signIn"
or "signUp"
, it will be a subset of JWT,
name
, email
and image
will be included.
Otherwise, it will be the full JWT for subsequent calls.
βͺ params.user: AdapterUser
| User
Either the result of the OAuthConfig.profile or the CredentialsConfig.authorize callback.
Note
available when trigger
is "signIn"
or "signUp"
.
Resources:
βͺ params.isNewUser?: boolean
Deprecated
use trigger === "signUp"
instead
βͺ params.profile?: P
The OAuth profile returned from your provider. (In case of OIDC it will be the decoded ID Token or /userinfo response)
Note
available when trigger
is "signIn"
.
βͺ params.session?: any
When using AuthConfig.session strategy: "jwt"
, this is the data
sent from the client via the useSession().update
method.
β Note, you should validate this data before using it.
βͺ params.trigger?: "signIn"
| "update"
| "signUp"
Check why was the jwt callback invoked. Possible reasons are:
- user sign-in: First time the callback is invoked,
user
,profile
andaccount
will be present. - user sign-up: a user is created for the first time in the database (when AuthConfig.session.strategy is set to
"database"
) - update event: Triggered by the
useSession().update
method. In case of the latter,trigger
will beundefined
.
Returnsβ
Awaitable
< null
| JWT
>
redirectβ
redirect: (params) => Awaitable< string >;
This callback is called anytime the user is redirected to a callback URL (e.g. on signin or signout). By default only URLs on the same URL as the site are allowed, you can use this callback to customise that behaviour.
Parametersβ
βͺ params: {
baseUrl
: string
;
url
: string
;
}
βͺ params.baseUrl: string
Default base URL of site (can be used as fallback)
βͺ params.url: string
URL provided as callback URL by the client
Returnsβ
Awaitable
< string
>
sessionβ
session: (params) => Awaitable< Session | DefaultSession >;
This callback is called whenever a session is checked.
(Eg.: invoking the /api/session
endpoint, using useSession
or getSession
)
β By default, only a subset (email, name, image) of the token is returned for increased security.
If you want to make something available you added to the token through the jwt
callback,
you have to explicitly forward it here to make it available to the client.
Parametersβ
βͺ params: {
session
: {
user
: AdapterUser
;
} & AdapterSession
;
user
: AdapterUser
;
} & {
session
: Session
;
token
: JWT
;
} & {
newSession
: any
;
trigger
: "update"
;
}
Returnsβ
Awaitable
< Session
| DefaultSession
>
Seeβ
signInβ
signIn: (params) => Awaitable< string | boolean >;
Controls whether a user is allowed to sign in or not.
Returning true
continues the sign-in flow.
Returning false
or throwing an error will stop the sign-in flow and redirect the user to the error page.
Returning a string will redirect the user to the specified URL.
Unhandled errors will throw an AccessDenied
with the message set to the original error.
Parametersβ
βͺ params: {
account
: null
| A
;
user
: AdapterUser
| User
;
credentials
: Record
< string
, CredentialInput
>;
email
: {
verificationRequest
: boolean
;
};
profile
: P
;
}
βͺ params.account: null
| A
βͺ params.user: AdapterUser
| User
βͺ params.credentials?: Record
< string
, CredentialInput
>
If Credentials provider is used, it contains the user credentials
βͺ params.email?: {
verificationRequest
: boolean
;
}
If Email provider is used, on the first call, it contains a
verificationRequest: true
property to indicate it is being triggered in the verification request flow.
When the callback is invoked after a user has clicked on a sign in link,
this property will not be present. You can check for the verificationRequest
property
to avoid sending emails to addresses or domains on a blocklist or to only explicitly generate them
for email address in an allow list.
βͺ params.email.verificationRequest?: boolean
βͺ params.profile?: P
If OAuth provider is used, it contains the full OAuth profile returned by your provider.
Returnsβ
Awaitable
< string
| boolean
>
Seeβ
Exampleβ
callbacks: {
async signIn({ profile }) {
// Only allow sign in for users with email addresses ending with "yourdomain.com"
return profile?.email?.endsWith("@yourdomain.com")
}
CookieOptionβ
CookiesOptionsβ
EventCallbacksβ
The various event callbacks you can register for from next-auth
Propertiesβ
sessionβ
session: (message) => Awaitable< void >;
The message object will contain one of these depending on if you use JWT or database persisted sessions:
token
: The JWT for this session.session
: The session object from your adapter.
Parametersβ
βͺ message: {
session
: Session
;
token
: JWT
;
}
βͺ message.session: Session
βͺ message.token: JWT
Returnsβ
Awaitable
< void
>
signInβ
signIn: (message) => Awaitable< void >;
If using a credentials
type auth, the user is the raw response from your
credential provider.
For other providers, you'll get the User object from your adapter, the account,
and an indicator if the user was new to your Adapter.
Parametersβ
βͺ message: {
account
: null
| Account
;
user
: User
;
isNewUser
: boolean
;
profile
: Profile
;
}
βͺ message.account: null
| Account
βͺ message.user: User
βͺ message.isNewUser?: boolean
βͺ message.profile?: Profile
Returnsβ
Awaitable
< void
>
signOutβ
signOut: (message) => Awaitable< void >;
The message object will contain one of these depending on if you use JWT or database persisted sessions:
token
: The JWT for this session.session
: The session object from your adapter that is being ended.
Parametersβ
βͺ message: {
session
: void
| Awaitable
< undefined
| null
| AdapterSession
>;
} | {
token
: Awaitable
< null
| JWT
>;
}
Returnsβ
Awaitable
< void
>
LoggerInstanceβ
Override any of the methods, and the rest will use the default logger.
Extendsβ
Record
<string
,Function
>
Profileβ
The user info returned from your OAuth provider.
Seeβ
https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
Sessionβ
The active session of the logged in user.
Extendsβ
DefaultSession
Themeβ
Change the theme of the built-in pages.
Userβ
The shape of the returned object in the OAuth providers' profile
callback,
available in the jwt
and session
callbacks,
or the second parameter of the session
callback, when using a database.