github nextauthjs/next-auth v3.0.0

3 years ago

Summary

The focus of this release has been to improve security and configuration.

Version 3.0 addresses issues in version 2.0 that were only possible to resolve by making breaking changes in some cases.

The refactoring required to upgrade from 2.0 should be relatively minor and should be eased by the new documentation.

Server

Added

  • The OAuth 2.0 state parameter is now verified where the provider supports it (RFC 6749).
    Verification can be disabled for a provider with the state: false provider option if that provider does not support it.
  • Added Prisma Adapter as an alternative to the TypeORM Adapter.
  • Added MySQL and Postgres SQL schemas to documentation and fixtures.
  • Added support for JWE/JWA/JWK.

Changed

  • Replaced site and baseUrl configuration options with the NEXTAUTH_URL environment variable.
    Allows for application wide site and base URL configuration in a single option.
  • All sign in flows now use HTTP POST with CSRF tokens throughout.
  • Pages option now uses camelCase for all options.
  • Events option now uses camelCase for all options.
  • Callbacks option now uses camelCase for all options.
  • New options are now passed to the Sign In, Session and JWT callbacks to allow for more flexibility.
  • Sign In and Credentials Authorize callbacks can now return Promise.reject() with an Error object or a URL.
  • All timestamp columns in MySQL now use TIMESTAMP(6) consistently.
  • JSON Web Tokens are signed by default but not encrypted by default (improving interoperability and reducing overhead, leaving more space available for use). Encryption can still be enabled by setting encryption: true.
  • JSON Web Tokens now use claims, with a smaller default payload.
  • Removed the getJwt() helper and replaced it with the more capable getToken() helper.
  • No longer relies on dynamic import, which should resolve compatibility problems with some configurations.
  • Some sign-in error messages are now displayed inline on the sign-in page.

Client

Added

  • Added keepAlive option to keep sessions alive when idle.
  • Session state is updated when a window loses or gains focus.
  • Open tabs/windows now sync session state when it changes.

Changed

  • Refactored clientMaxAge behaviour to be more efficient.
  • Reduced network load and improved memory footprint.
  • Client methods now use camelCase.
  • Misc. bug fixes and enhancements to client methods.

Credits

Thanks to everyone who has contributed to this release, with fixes, bug reports, new providers, tutorials and other changes.

@ndom91 @Fumler @tsaiDavid @tmayr @tylangesmith @timomeh @drborges @BenjaminWFox @nyedidikeke

  • Thanks to Mark Lawlor for raising the issue with CSRF token and OAuth State support.
  • Thanks to @Fumler for creating the Prisma adapter.

Apologies to anyone I have missed!
