4.0.0-beta.7 (2021-11-15)
Bug Fixes
- providers: set 42 default scope (#3189) (38cefdd)
- allow configuring http timeout (#3188) (b871b47)
- bump openid-client (#3063) (da991de), closes #3052
- correctly transpile all client-side submodules (#3100) (1597369)
- normalize URL before parsing (#3077) (b66afcc)
- respect `host` in `getServerSession` (#3179) (e9ac11b)
- use `error` query param if set (#3141) (0d7d8da)
- oauth: allow 10 sec clock tolerance (#3071) (4181988)
Features
- allow relative redirects (#3140) (6502b63)
- Clerk to README supporters (533ed94)
- introduce chunking when session cookie becomes too big (#3101) (f9e0ef8)
- make missing secret an error (#3143) (76bf524)
- rename session strategy (#3144) (ba39efb)
BREAKING CHANGES
- It is now required to set a `secret` in production.
- The `session.jwt: boolean` option has been renamed to `session.strategy: "jwt" | "database"`. The goal is to make the user's options more intuitive:
  - No adapter, `strategy: "jwt"`: This is the default. The session is saved in a cookie and never persisted anywhere.
  - With Adapter, `strategy: "database"`: If an Adapter is defined, this will be the implicit setting. No user config is needed.
  - With Adapter, `strategy: "jwt"`: The user can explicitly instruct `next-auth` to use JWT even if a database is available. This can result in faster lookups at the cost of lowered security. Read more: https://next-auth.js.org/faq#json-web-tokens
Example:
session: {
- jwt: true,
+ strategy: "jwt",
}
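An upgrade check for the two breaking changes above, as an added example rather than next-auth's own code: `resolveStrategy` and `auditOptions` are hypothetical helpers, and detecting production through a `NODE_ENV`-style value passed in by the caller is an assumption.

```javascript
// Added example: upgrade check for the two breaking changes in this release.
// resolveStrategy/auditOptions are hypothetical helpers, not next-auth API.
function resolveStrategy(options) {
  // An explicit strategy wins; otherwise an adapter implies "database",
  // and no adapter means the default "jwt" (session kept only in a cookie).
  // Assumption: a leftover legacy `session.jwt` key is ignored here.
  const explicit = options.session && options.session.strategy;
  if (explicit) return explicit;
  return options.adapter ? "database" : "jwt";
}

function auditOptions(options, nodeEnv) {
  const findings = [];
  const session = options.session || {};

  // Breaking change 1: a secret is required in production.
  // Assumption: the caller passes process.env.NODE_ENV as nodeEnv.
  if (nodeEnv === "production" && !options.secret) {
    findings.push("error: `secret` must be set in production");
  }

  // Breaking change 2: session.jwt (boolean) was renamed to session.strategy.
  if (Object.prototype.hasOwnProperty.call(session, "jwt")) {
    const hint = session.jwt === true
      ? 'replace `jwt: true` with `strategy: "jwt"`'
      : "remove `jwt` and set `strategy` explicitly if the default is not wanted";
    findings.push("error: legacy `session.jwt` option; " + hint);
  }

  // The release notes list only these two values for session.strategy.
  if (session.strategy && !["jwt", "database"].includes(session.strategy)) {
    findings.push("error: unknown session.strategy " + JSON.stringify(session.strategy));
  }

  const strategy = resolveStrategy(options);
  // JWT with an adapter is allowed, but it is the trade-off the notes call out.
  if (options.adapter && strategy === "jwt") {
    findings.push("note: adapter present but sessions are JWT; confirm the trade-off is intended");
  }
  return { strategy, findings };
}

// Constructed sample configs (the adapter is a stand-in object).
const legacy = { adapter: {}, session: { jwt: true } };
const migrated = { adapter: {}, secret: "placeholder-secret", session: { strategy: "jwt" } };
console.log(auditOptions(legacy, "production"));
console.log(auditOptions(migrated, "production"));
```

For the legacy config the resolved strategy is `"database"`, not JWT: under the rules above, an adapter with no explicit `strategy` selects database sessions, which is why the stale key is reported as an error rather than silently skipped.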