Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: update next-auth with newest version #2012

Merged
merged 3 commits into from
Nov 5, 2024
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
76 changes: 76 additions & 0 deletions www/src/components/docs/tabs.astro
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
---
const { tabName, slotOne, slotTwo } = Astro.props;
---

<style>
.tab-list {
display: flex;
cursor: pointer;
}

.tab {
padding: 0.5rem 1rem;
margin-right: 1rem;
font-weight: bold;
border: none;
background: none;
cursor: pointer;
outline: none;
transition: border-bottom 0.3s;
}

.tab.active {
border-bottom: 1px solid #4a3eeb;
color: #4a3eeb;
}
JayaDeHart marked this conversation as resolved.
Show resolved Hide resolved

.tab-panel.hidden {
display: none;
}

.tab-panel {
padding: 1rem 0;
}
</style>

<div>
<div class="tab-list">
<button class={`tab active ${tabName}`} data-target={slotOne}
>{slotOne}</button
>
<button class={`tab ${tabName}`} data-target={slotTwo}>{slotTwo}</button>
</div>
<div class="tab-panels">
<div id={slotOne} class={`tab-panel ${tabName}-panel`}>
<slot name="1" />
</div>
<div id={slotTwo} class={`tab-panel hidden ${tabName}-panel`}>
<slot name="2" />
</div>
</div>
</div>

<script define:vars={{ tabName }}>
document.addEventListener("DOMContentLoaded", () => {
const tabs = document.querySelectorAll(`.${tabName}`);
const panels = document.querySelectorAll(`.${tabName}-panel`);

tabs.forEach((tab) => {
tab.addEventListener("click", () => {
tabs.forEach((t) => t.classList.remove("active"));

panels.forEach((panel) => panel.classList.add("hidden"));

tab.classList.add("active");

const target = tab.getAttribute("data-target");
if (target) {
const targetPanel = document.getElementById(target);
if (targetPanel) {
targetPanel.classList.remove("hidden");
}
}
});
});
});
</script>
206 changes: 206 additions & 0 deletions www/src/pages/en/usage/next-auth-app-router.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,206 @@
import Callout from "../../../components/docs/callout.tsx";
import Tabs from "../../../components/docs/tabs.astro";

<Callout type="warning">
The newest version of NextAuth has migrated to [Auth.js](https://authjs.dev/)
</Callout>

## Retrieving session server side

Sometimes you might want to request the session on the server. To do so, use the `auth` helper function that `create-t3-app` provides.

```tsx:app/page.tsx
import { auth } from "~/server/auth";

export default async function Home() {
const session = await auth();
...
}
```

## Inclusion of `user.id` on the Session

Create T3 App is configured to utilise the [session callback](https://authjs.dev/guides/extending-the-session) in the NextAuth.js config to include the user's ID within the `session` object.

```ts:server/auth/config.ts
callbacks: {
session: ({ session, user }) => ({
...session,
user: {
...session.user,
id: user.id,
},
}),
},
```

This is coupled with a type declaration file to make sure the `user.id` is typed when accessed on the `session` object. Read more about [`Module Augmentation`](https://authjs.dev/getting-started/typescript#resources*module-augmentation) on NextAuth.js's docs.

```ts:server/auth/config.ts
import { DefaultSession } from "next-auth";

declare module "next-auth" {
interface Session extends DefaultSession {
user: {
id: string;
} & DefaultSession["user"];
}
```

The same pattern can be used to add any other data to the `session` object, such as a `role` field, but **should not be misused to store sensitive data** on the client.

## Usage with tRPC

When using NextAuth.js with tRPC, you can create reusable, protected procedures using [middleware](https://trpc.io/docs/v10/middlewares). This allows you to create procedures that can only be accessed by authenticated users. `create-t3-app` sets all of this up for you, allowing you to easily access the session object within authenticated procedures.

This is done in a two step process:

1. Pass the authentication session into the tRPC context:

```ts:server/api/trpc.ts
import { auth } from "~/server/auth";
import { db } from "~/server/db";

export const createTRPCContext = async (opts: { headers: Headers }) => {
const session = await auth();

return {
db,
session,
...opts,
};
};
```

2. Create a tRPC middleware that checks if the user is authenticated. We then use the middleware in a `protectedProcedure`. Any caller to these procedures must be authenticated, or else an error will be thrown which can be appropriately handled by the client.

```ts:server/api/trpc.ts
export const protectedProcedure = t.procedure
.use(({ ctx, next }) => {
if (!ctx.session || !ctx.session.user) {
throw new TRPCError({ code: "UNAUTHORIZED" });
}
return next({
ctx: {
session: { ...ctx.session, user: ctx.session.user },
},
});
});
```

The session object is a light, minimal representation of the user and only contains a few fields. When using the `protectedProcedures`, you have access to the user's id which can be used to fetch more data from the database.

```ts:server/api/routers/user.ts
const userRouter = router({
me: protectedProcedure.query(async ({ ctx }) => {
const user = await prisma.user.findUnique({
where: {
id: ctx.session.user.id,
},
});
return user;
}),
});
```

## Usage with a database provider

<Tabs slotOne="Prisma" slotTwo="Drizzle" tabName="db-provider">
<div slot="1">
Getting NextAuth.js to work with Prisma requires a lot of [initial
setup](https://authjs.dev/reference/adapter/prisma/). `create-t3-app`
handles all of this for you, and if you select both Prisma and NextAuth.js,
you'll get a fully working authentication system with all the required
models preconfigured. We ship your scaffolded app with a preconfigured
Discord OAuth provider, which we chose because it is one of the easiest to
get started with - just provide your tokens in the `.env` and you're good to
go. However, you can easily add more providers by following the [Auth.js
docs](https://authjs.dev/getting-started/authentication/oauth). Note that
certain providers require extra fields to be added to certain models. We
recommend you read the documentation for the provider you would like to use
to make sure you have all the required fields.
</div>
<div slot="2">
Getting NextAuth.js to work with Drizzle requires a lot of [initial
setup](https://authjs.dev/getting-started/adapters/drizzle). `create-t3-app`
handles all of this for you, and if you select both Drizzle and NextAuth.js,
you'll get a fully working authentication system with all the required
models preconfigured. We ship your scaffolded app with a preconfigured
Discord OAuth provider, which we chose because it is one of the easiest to
get started with - just provide your tokens in the `.env` and you're good to
go. However, you can easily add more providers by following the [Auth.js
docs](https://authjs.dev/getting-started/authentication/oauth). Note that
certain providers require extra fields to be added to certain models. We
recommend you read the documentation for the provider you would like to use
to make sure you have all the required fields.
</div>
</Tabs>

### Adding new fields to your models

When adding new fields to any of the `User`, `Account`, `Session`, or `VerificationToken` models (most likely you'd only need to modify the `User` model), you need to keep in mind that the [Prisma adapter](https://authjs.dev/reference/adapter/prisma/) automatically creates fields on these models when new users sign up and log in. Therefore, when adding new fields to these models, you must provide default values for them, since the adapter is not aware of these fields.

If for example, you'd like to add a `role` to the `User` model, you would need to provide a default value to the `role` field. This is done by adding a `@default` value to the `role` field in the `User` model:

```diff:prisma/schema.prisma
+ enum Role {
+ USER
+ ADMIN
+ }

model User {
...
+ role Role @default(USER)
}
```

## Usage with Next.js middleware

With Next.js 12+, the easiest way to protect a set of pages is using the [middleware file](https://authjs.dev/getting-started/session-management/protecting?framework=express#nextjs-middleware). You can create a middleware.ts file in your root pages directory with the following contents.

```middleware.ts
export { auth as middleware } from "@/auth"
```

Then define authorized callback in your auth.ts file. For more details check out the [reference docs.](https://authjs.dev/reference/nextjs#authorized)

```app/auth.ts
async authorized({ request, auth }) {
const url = request.nextUrl

if(request.method === "POST") {
const { authToken } = (await request.json()) ?? {}
// If the request has a valid auth token, it is authorized
const valid = await validateAuthToken(authToken)
if(valid) return true
return NextResponse.json("Invalid auth token", { status: 401 })
}

// Logged in users are authenticated, otherwise redirect to login page
return !!auth.user
}
```

<Callout type="warning">
You should not rely on middleware exclusively for authorization. Always ensure
that the session is verified as close to your data fetching as possible.
</Callout>

## Setting up the default DiscordProvider

1. Head to [the Applications section in the Discord Developer Portal](https://discord.com/developers/applications), and click on "New Application"
2. In the settings menu, go to "OAuth2 => General"

- Copy the Client ID and paste it in `DISCORD_CLIENT_ID` in `.env`.
- Under Client Secret, click "Reset Secret" and copy that string to `DISCORD_CLIENT_SECRET` in `.env`. Be careful as you won't be able to see this secret again, and resetting it will cause the existing one to expire.
- Click "Add Redirect" and paste in `<app url>/api/auth/callback/discord` (example for local development: <code class="break-all">http://localhost:3000/api/auth/callback/discord</code>)
- Save your changes
- It is possible, but not recommended, to use the same Discord Application for both development and production. You could also consider [Mocking the Provider](https://github.com/trpc/trpc/blob/main/examples/next-prisma-websockets-starter/src/pages/api/auth/%5B...nextauth%5D.ts) during development.

## Useful Resources

| Resource | Link |
| --------------------------------- | --------------------------------------- |
| NextAuth.js Docs | https://authjs.dev/ |
| NextAuth.js GitHub | https://github.com/nextauthjs/next-auth |
| tRPC Kitchen Sink - with NextAuth | https://kitchen-sink.trpc.io/next-auth |
Loading