UNPKG

@auth/core

Version:

Authentication for the Web.

authjs.dev

nextauthjs/next-auth

75 lines (74 loc) 2.86 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
/** * The Credentials provider allows you to handle signing in with arbitrary credentials, * such as a username and password, domain, or two factor authentication or hardware device (e.g. YubiKey U2F / FIDO). * * It is intended to support use cases where you have an existing system you need to authenticate users against. * * It comes with the constraint that users authenticated in this manner are not persisted in the database, * and consequently that the Credentials provider can only be used if JSON Web Tokens are enabled for sessions. * * :::caution * The functionality provided for credentials-based authentication is intentionally limited to discourage the use of passwords due to the inherent security risks of the username-password model. * * OAuth providers spend significant amounts of money, time, and engineering effort to build: * * - abuse detection (bot-protection, rate-limiting) * - password management (password reset, credential stuffing, rotation) * - data security (encryption/salting, strength validation) * * and much more for authentication solutions. It is likely that your application would benefit from leveraging these battle-tested solutions rather than try to rebuild them from scratch. * * If you'd still like to build password-based authentication for your application despite these risks, Auth.js gives you full control to do so. * * ::: * * See the [callbacks documentation](/reference/core#authconfig#callbacks) for more information on how to interact with the token. For example, you can add additional information to the token by returning an object from the `jwt()` callback: * * ```ts * callbacks: { * async jwt({ token, user, account, profile, isNewUser }) { * if (user) { * token.id = user.id * } * return token * } * } * ``` * * @example * ```ts * import { Auth } from "@auth/core" * import Credentials from "@auth/core/providers/credentials" * * const request = new Request("https://example.com") * const response = await AuthHandler(request, { * providers: [ * Credentials({ * credentials: { * username: { label: "Username" }, * password: { label: "Password", type: "password" } * }, * async authorize({ request }) { * const response = await fetch(request) * if(!response.ok) return null * return await response.json() ?? null * } * }) * ], * secret: "...", * trustHost: true, * }) * ``` * @see [Username/Password Example](https://authjs.dev/getting-started/authentication/credentials) */ export default function Credentials(config) { return { id: "credentials", name: "Credentials", type: "credentials", credentials: {}, authorize: () => null, // @ts-expect-error options: config, }; }