Contributions and feedback on your experience of using this software are welcome. This includes bug reports, feature requests, ideas, pull requests, and examples of how you have used this software.
Please see the Code of Conduct and follow any templates configured in GitHub when reporting bugs, requesting enhancements, or contributing code.
If you found a security vulnerability, please do not open an issue nor raise a Pull Request for it. Kindly follow our Security Disclosure Guide.
Please raise any significant new functionality or breaking change an issue for discussion before raising a Pull Request for it.
Anyone can be a contributor. Either you found a typo, or you have an awesome feature request you could implement, we encourage you to create a Pull Request.
Before contributing, we recommend you read the Tour de Source: NextAuth.js post to become more familiar with the libraries inner workings.
- We are maintaining two major branches:
- The
main
is for the latest changes regarding thecore
package, the adapters packages, and framework packages. - The
v4
branch is fornext-auth@v4
related changes. - Please make your Pull Request against the according branch.
- The
- Pull Requests need approval of a core contributor before merging.
- We use TypeScript for source.
- We use ESLint/Prettier for linting/formatting, so please run
pnpm lint
andpnpm format
before committing to make resolving conflicts easier (VSCode users, check out this ESLint extension and this Prettier extension to fix lint and formatting issues in development). - We encourage you to test your changes, and if you have the opportunity, please make those tests part of the Pull Request.
- If you add new functionality, please provide the corresponding documentation as well and make it part of the Pull Request. We use JSDoc, which means most of the time, the documentation is in the same file as the source code.
NOTE: We only support new providers in the
@auth/core
package going forward.
If you think your custom provider might be useful to others, we encourage you to open a PR and add it to the built-in list so others can discover it much more easily! You will have to make the following changes:
- Add your config:
packages/core/src/providers/{provider}.ts
(Make sure you use a named default export, likeexport default function YourProvider
). - Add the provider documentation in the same file using JSDoc.
- Add the provider logo to the
docs/public/img/providers
directory. - Add the provider in the drop-down list in
.github/ISSUE_TEMPLATE/2_bug_provider.yml
That's it! 🎉 Others will be able to discover this provider much more easily now!
You can look at the existing built-in providers for inspiration.
- If you are adding a new OIDC provider, take a look at auth0.ts.
- If you are adding a new OAuth 2.0 provider, take a look at facebook.ts.
If you would like to contribute to an existing database adapter or help create a new one, please follow this guide.
NOTE: For core team reviewer, make sure to check all database queries to avoid introduce any vulnerabilities.
We use Turborepo and pnpm for managing our packages.
next-auth/
├─ apps/
│ ├─ dev/ <-- contains our dev app for nextjs, sveltekit, etc.
│ ├─ examples/ <-- contains our examples. These will be synced to the example template repos.
│ ├─ playgrounds/ <-- experimental stuff
├─ packages/
│ ├─ adapter-*/ <-- adapter packges.
│ ├─ core/ <-- the core package. Most of the logic is here.
│ ├─ framework-*/ <-- framework packages
│ ├─ next-auth/ <-- next-auth@v5
├─ docs/
Here is a quick guide on how to setup next-auth locally to work on it and test out any changes:
- Clone the repo:
git clone git@github.com:nextauthjs/next-auth.git
cd next-auth
- Set up the correct pnpm version, using Corepack. Run the following in the project'a root:
corepack enable pnpm
(Now, if you run pnpm --version
, it should print the same verion as the packageManager
property in the package.json
file)
- Install packages. Developing requires Node.js v18:
pnpm install
- Populate
.env.local
:
Copy apps/dev/nextjs/.env.local.example
to apps/dev/nextjs/.env.local
, and add your env variables for each provider you want to test.
cd apps/dev/nextjs
cp .env.local.example .env.local
NOTE: You can add any environment variables to .env.local that you would like to use in your dev app. You can find the next-auth config under
apps/dev/nextjs/auth.config.ts
.
- Start the developer application/server:
pnpm dev
Your developer application will be available on http://localhost:3000
That's it! 🎉
If you need an example project to link to, you can use next-auth-example.
When running pnpm dev
, you start a Next.js developer server on http://localhost:3000
, which includes hot reloading out-of-the-box. Make changes on any of the files in src
and see the changes immediately.
NOTE: When working on CSS, you will have to manually refresh the page after changes. The reason for this is our pages using CSS are server-side rendered (using API routes). (Improving this through a PR is very welcome!)
NOTE: The setup is as follows: The development application lives inside the
app
folder, and whenever you make a change to thesrc
folder in the root (where next-auth is), it gets copied intoapp
every time (gitignored), so Next.js can pick them up and apply hot reloading. This is to avoid some annoying issues with how symlinks are working with different React builds, and also to provide a super-fast feedback loop while developing core features.
Tests can be run with pnpm test
.
Automated tests are currently crude and limited in functionality, but improvements are in development.
We use a custom script together with Conventional Commits to automate releases. This makes the maintenance process easier and less error-prone. Please study the "Conventional Commits" site to understand how to write a good commit message.
When accepting Pull Requests, make sure the following:
- Use "Squash and merge"
- Make sure you merge contributor PRs into
main
- Rewrite the commit message to conform to the
Conventional Commits
style.- Using
fix
releases a patch (x.x.1) - Using
feat
releases a minor (x.1.x) - Using
feat
whenBREAKING CHANGE
is present in the commit message releases a major (1.x.x)
- Using
- Optionally link issues the PR will resolve (You can add "close" in front of the issue numbers to close the issues automatically, when the PR is merged.
semantic-release
will also comment back to connected issues and PRs, notifying the users that a feature is added/bug fixed, etc.)
If a commit contains [skip release]
in their message, it will be excluded from the commit analysis and won't participate in the release type determination. This is useful, if the PR being merged should not trigger a new npm
release.