From c5012b698c4de0f58f893a9a93ece696e7c82a6e Mon Sep 17 00:00:00 2001
From: ndom91
Date: Tue, 23 Nov 2021 23:45:21 +0100
Subject: [PATCH 1/2] docs: add refresh token example repo links
---
docs/faq.md | 2 ++
docs/tutorials/refresh-token-rotation.md | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/docs/faq.md b/docs/faq.md
index d645ed7f..732c82d4 100644
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -218,6 +218,8 @@ You can then look them up from the database or persist them to the JSON Web Toke
Note: NextAuth.js does not currently handle Access Token rotation for OAuth providers for you, however you can check out [this tutorial](/tutorials/refresh-token-rotation) if you want to implement it.
+We also have an [example repository](https://github.com/nextauthjs/next-auth-refresh-token-example) / project based upon NextAuth.js v4 where we demonstrate how to use a refresh token to refresh the provided access token.
+
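Review bot: the added sentence in faq.md reads awkwardly with "an [example repository](...) / project based upon NextAuth.js v4"; pick one noun and a simpler verb, e.g. `We also have an [example project](https://github.com/nextauthjs/next-auth-refresh-token-example) built on NextAuth.js v4 that demonstrates how to use a refresh token to refresh the access token.` Also note the hunk ends on a bare `+` line, adding an empty line with no following context shown; check the rendered FAQ does not end up with a doubled blank line before the next section.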
diff --git a/docs/tutorials/refresh-token-rotation.md b/docs/tutorials/refresh-token-rotation.md
index 6ea62dfd..83d37de6 100644
--- a/docs/tutorials/refresh-token-rotation.md
+++ b/docs/tutorials/refresh-token-rotation.md
@@ -7,7 +7,7 @@ While NextAuth.js doesn't automatically handle access token rotation for OAuth p
## Source Code
-_A working example can be accessed [here](https://github.com/lawrencecchen/next-auth-refresh-tokens)._
+A working example can be accessed [here](https://github.com/nextauthjs/next-auth-refresh-token-example).
## Implementation
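Review bot: the replaced line keeps the non-descriptive link text "here"; since the italics are being dropped anyway, name the repository in the link so it is meaningful out of context, e.g. `A working example is available in the [next-auth-refresh-token-example](https://github.com/nextauthjs/next-auth-refresh-token-example) repository.` This also makes it obvious that the tutorial and the FAQ (previous hunk) now point at the same nextauthjs-owned repository rather than the earlier third-party one.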
From ac9524c12892de3064654d9d7110362bb0ddb62b Mon Sep 17 00:00:00 2001
From: ndom91
Date: Wed, 24 Nov 2021 00:03:35 +0100
Subject: [PATCH 2/2] chore: small secret/session tweaks
---
docs/configuration/options.md | 6 ++++++
docs/getting-started/upgrade-to-v4.md | 24 ++++++++++++++++++++++--
2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/docs/configuration/options.md b/docs/configuration/options.md
index a508a26b..2f724939 100644
--- a/docs/configuration/options.md
+++ b/docs/configuration/options.md
@@ -70,6 +70,12 @@ A random string used to hash tokens, sign/encrypt cookies and generate cryptogra
If not specified, it uses a hash for all configuration options, including OAuth Client ID / Secrets for entropy. Although if the user does not use such a provider, the configuration might be guessed.
+You can quickly create a valid secret on the command line via this `openssl` command.
+
+```bash
+$ openssl rand -base64 32
+```
+
:::warning
The default behaviour is volatile, and it is strongly recommended you explicitly specify a value. If `secret` is omitted in production, we will throw an error.
:::
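Review bot: the `$` prompt inside the fenced `bash` block (`+$ openssl rand -base64 32`) is copied along with the command when readers copy the snippet and then fails in their shell; drop the prompt so the line is just `openssl rand -base64 32`. The lead-in sentence should end with a colon rather than a full stop since it introduces the block. The command itself is a good choice: 32 random bytes from the OS CSPRNG give a 256-bit secret, and the existing warning below already covers why relying on the default derived value is unsafe.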
diff --git a/docs/getting-started/upgrade-to-v4.md b/docs/getting-started/upgrade-to-v4.md
index 796fa8e3..070c382f 100644
--- a/docs/getting-started/upgrade-to-v4.md
+++ b/docs/getting-started/upgrade-to-v4.md
@@ -385,13 +385,33 @@ For more info, see the [Models page](/adapters/models).
NextAuth.js used to generate a secret for convenience, when the user did not define one. This might have been useful in development, but can be a concern in production. We have always been clear about that in the docs, but from now on, if you forget to define a `secret` property in production, we will show the user an error page. Read more about this option [here](https://next-auth.js.org/configuration/options#secret)
+You can generate a secret to be placed in the `secret` configuration option via the following command:
+
+```bash
+$ openssl rand -base64 32
+```
+
+Therefore, you're NextAuth.js config should look something like this:
+
+```javascript title="/pages/api/auth/[...nextauth].js"
+...
+export default NextAuth({
+ ...
+ providers: [...],
+ secret: "LlKq6ZtYbr+hTC073mAmAh9/h2HwMfsFo4hrfCx5mLg=",
+ ...
+})
+```
+
Introduced in https://github.com/nextauthjs/next-auth/issues/3143
## Session `strategy`
-We have always supported two different session strategies. The more popular (and our default) JWT based, and a Database persisted session. Both have their advantages/disadvantages, you can learn more about the in the [FAQ](https://next-auth.js.org/faq) page.
+We have always supported two different session strategies. The first being our most popular and default strategy - the JWT based one. The second is the database adapter persisted session strategy. Both have their advantages/disadvantages, you can learn more about them on the [FAQ](https://next-auth.js.org/faq) page.
+
+Previously, the way you configured this was through the `jwt: boolean` flag in the `session` option. The names `session` and `jwt` might have been a bit overused in the options, and so for a clearer message, we renamed this option to `strategy: "jwt" | "database"`, it is still in the `session` object. This will hopefully better indicate the purpose of this option as well as make very explicit which type of session you are going to use.
-The way you configured this has been through the `jwt: boolean` flag in the `session` option. The names `session` and `jwt` might be a bit overused in the options, and so for a clearer message, we renamed that option to `strategy: "jwt" | "database"`. This will hopefully better indicate the type of session you are going to use. See the [`session` option docs](https://next-auth.js.org/configuration/options#session) for more details.
+See the [`session` option docs](https://next-auth.js.org/configuration/options#session) for more details.
Introduced in https://github.com/nextauthjs/next-auth/pull/3144
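Review bot: the JavaScript snippet hard-codes a literal secret (`secret: "LlKq6ZtYbr+hTC073mAmAh9/h2HwMfsFo4hrfCx5mLg=",`) in an upgrade guide; readers copy such values verbatim, which defeats the purpose of the section, and a secret committed alongside the config file is exposed to everyone with repository access. Suggest reading it from an environment variable (for example `secret: process.env.SECRET,`) or using an obvious placeholder such as `"<paste the openssl output here>"`, with a sentence saying the value must be generated per deployment and kept out of source control. Two smaller points in the same hunk: "Therefore, you're NextAuth.js config" should be "your", and the `$` prompt in the `bash` block has the same copy-paste problem as in options.md. The rewritten `strategy` paragraph reads clearly and correctly says the option stays inside the `session` object.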