Support passwordless login (EmailProvider) without adapters.

[amirhhashemi]

Description 📓

Adapters, though very useful, are limiters because they require a certain database structure that may not make sense for everyone. I think at least you should give users an option to handle database stuff themselves. In OAuth providers and Credentials provider, there is a place where we can do database operations if we don't want to use an adapter (signIn callback and authorize method) but there is no such place for Email Provider.

Email provider really needs an adapter just in one place (here). My proposal is to call this section conditionally. For example, we can add a method to EmailProvider named createVerificationToken which has a higher priority than the adapter one. When this method is defined in the provider options, the adapter.createVerificationToken shouldn't be called. this enables us to do something like this:

export default NextAuth({
  session: {
    strategy: "jwt",
  },
  providers: [
    EmailProvider({
      //...
      async createVerificationToken(identifier: string) {
          // save verification token in db
      }
    }),
    GithubProvider({
      //...
    }),
  ],
  callbacks: {
    async signIn({ user, email, account, profile }) {
      //...
    }
  },
});

Here is my problem with adapters: #4047 (comment)

UPDATE: The more I discover the source code, the more it seems impossible to do.

How to reproduce ☕️

I described my idea above.

Contributing 🙌🏽

Yes, I am willing to help implement this feature in a PR

[TomFreudenberg]

Hi,

we had a similar issue with that and created a quick and easy in memory adapter using LevelDB (want to change that into solidDB) to have just the store for current active Email Tokens around in space. Maybe it is from interest to share this adapter.

Guess you know already this documentation: https://next-auth.js.org/tutorials/creating-a-database-adapter

[amirhhashemi]

Hi
I'm not sure that's what I want. I'm using an OAuth provider along with the Email provider and if I set an adapter, the OAuth provider also wants to use it which ruins my current setup.
I gave more information about my current setup here.

Anyway, thank you for the help.

[TomFreudenberg]

Hi
I am using that in addtion with a JWT. We have just implemented the necessary functions to save the Email validation token. I will place some more information but before weekend our workload is too high.

[balazsorban44]

Nice workaround @TomFreudenberg. I think we might want to revisit the JWT-only passwordless case at least as an option, as I've seen it a few times being requested. Since it's actually a stricter flow and could be done opt-in, I don't see a very compelling reason not to provide it in some way. If you want to work on a PR, please do. Otherwise, @ThangHuuVu here is an interesting feature to tackle. Ping me on Slack and I could explain.

[TomFreudenberg]

Hi, I will prepare a PR during next days - maybe its a good starting point then

[TomFreudenberg]

Hi,

I have rewritten our small Adapter with node-cache while having automatic TTL.

The TTL will take care that the Token gets deleted after MaxAge and cannot be used afterwards.

Using the .take() method will prevent using the token more than once for a successfully login (OTP).

Using the email identifier as key will prevent that more than one valid token per each Email address does exist.

To use the EmailProvider you just need to define the NodeCache Adapter.

You should use the signIn callback to prepare your user object.

in [...nextauth].js

...

import NodeCache from 'node-cache';


function EmailTokenNodeCacheAdapter(client, options) {
  return {
    getUserByEmail: async (email) => ({ id: email, email }),

    getUserByAccount: async ({ providerAccountId, provider }) => ({ id: providerAccountId, provider }),

    updateUser: async (user) => user,

    createVerificationToken: async (data) => {
      return client.set(data.identifier, data) ? data : null
    },

    useVerificationToken: async ({ identifier, token }) => {
      const data = client.get(identifier);
      return (data?.token === token) ? client.take(identifier) : false;
    }
  }
}


export default NextAuth({
...
  adapter: EmailTokenNodeCacheAdapter(new NodeCache({ stdTTL: 24 * 60 * 60, checkperiod: 1 * 60 * 60 })),
...
  callbacks: {
    async signIn({ user, account, profile, email, credentials }) {
      ...
    },
    ...
  },
  ...
});

@balazsorban44 @ThangHuuVu - Do you like me to prepare a PR and put the Adapter extra?

[TomFreudenberg]

@ahhshm - I just saw that you wrote

I'm using an OAuth provider along with the Email provider

Haven't checked that yet in case we are using the Credentials Provider against our own GraphQL backend.

Will look on that (GithubProvider) today

Cheers
Tom

[TomFreudenberg]

@ahhshm it worked also with GitHub and Twitter (tested) and I guess with others also.

Just the function getUserByAccount was missing last night.

I updated the above Adapter code and now it should be complete.

[TomFreudenberg]

@balazsorban44 @ThangHuuVu you may guide me now what to do best, please.

On my side it worked for our usecase.

Please let me know what I should check in addition or append.

Happy to bring in some benefit.

Cheers,
Tom

[TomFreudenberg]

Just to add that note:

On very small sites it may also work without node-cache and using just an internal Key/Value variable like:

const internalTokenStore = []

Not sure if it make sense for saving the build sizes?

[MikeDupree]

Node-cache doesn't seem to be working for me.
I can set the data within createVerificationToken, however when trying to retrieve it on useVerificationToken i get undefined

[TomFreudenberg]

I wonder if looking at the Mail and the Link if it is really necessary to put the Email address into the mail and the link by default?

For the link I would prefer the SHA of the Email.

Wouldn't that increase security / data privacy?

http://localhost:3000/api/auth/callback/email?callbackUrl=http%3A%2F%2Flocalhost%3A3000%2Fde-DE&token=2a29ba957180bec743ffb985f3ed9c42f0e9d87208f0134c8267b9907c2ce880&email=user.name%40email.com

[TomFreudenberg]

Hey guys,

long time not moving forward here.

Is there any action I can do or deliver to support?

Tom

[ekeric13]

I too would find it useful to have either emailProvider work without adapter or have documented a barebones adapter example with only the methods needed being those necessary for the emailProvider to work...
The only thing that seems documented is this:
https://next-auth.js.org/tutorials/creating-a-database-adapter

[ekeric13]

Okay the above actually quite work for me and I think that is because I am using the emailProvider + other oauth providers.

I ended up with this:

export function RedisAdapter(redis: Redis): Adapter {
  return {
    // third oauth
    async createUser(user): Promise<AdapterUser> {
      return { id: user.email, ...user };
    },
    async getUser(_): Promise<AdapterUser | null> {
      return null;
    },
    // second oauth
    // first email
    async getUserByEmail(email): Promise<AdapterUser | null> {
      return null;
    },
    // first oauth
    async getUserByAccount({
      providerAccountId,
      provider,
    }): Promise<AdapterUser | null> {
      return null;
    },
    async updateUser(user): Promise<AdapterUser> {
      return user as AdapterUser;
    },
    // fourth oauth
    async linkAccount(_): Promise<null> {
      return null;
    },
    async createSession(session): Promise<AdapterSession> {
      return session;
    },
    async getSessionAndUser(_): Promise<null> {
      return null;
    },
    async updateSession(_): Promise<null> {
      return null;
    },
    async deleteSession(_): Promise<null> {
      return null;
    },
    // second email
    async createVerificationToken(verificationToken) {
      const { identifier, expires, token } = verificationToken;
      await redis.set(
        verification_namespace.key(identifier),
        JSON.stringify(verificationToken)
      );
      return verificationToken;
    },
    // third email
    async useVerificationToken(verificationToken) {
      const { identifier, token } = verificationToken;
      const redisKey = verification_namespace.key(identifier);
      const storedVerificationToken = await redis.get(redisKey);
      if (storedVerificationToken == null) return null;
      await redis.del(redisKey);
      return JSON.parse(storedVerificationToken);
    },
  };
}

Looking at the types a lot of the callbacks let you return null. I am guessing that is fine to do that if I don't have any use for the method.

Really all I want is createVerificationToken and useVerificationToken

[Dinuda]

My nextjs version: 14
db: prisma

Goal: Setup passwordless authentication with EmailProvider

Turns out Nextauthjs has been moved to Authjs. (Note: at the time I am writing this the site was still under development and lacked proper explanation).

If anyone is facing the error with prisma:

MISSING_ADAPTER_METHODS_ERROR` and `Required adapter methods were missing: createVerificationToken, useVerificationToken, getUserByEmail

The solution would be to :

1. Install @auth/prisma-adapter

    npm install @prisma/client @auth/prisma-adapter
    npm install prisma --save-dev
   

2. Use the new prisma client as the adapter

    import NextAuth, { type NextAuthOptions } from "next-auth";
    import EmailProvider from "next-auth/providers/email"
    import { PrismaAdapter } from "@auth/prisma-adapter"
    import { PrismaClient } from "@prisma/client"
    
    // create a prisma client if one doesn't already exist
    const prisma = new PrismaClient()
    
    export const authOptions: NextAuthOptions = {
      adapter: PrismaAdapter(prisma),
      secret: process.env.NEXTAUTH_SECRET,
      providers: [
        EmailProvider({
          server: {
            host: process.env.EMAIL_SERVER_HOST,
            port: Number(process.env.EMAIL_SERVER_PORT),
            auth: {
              user: process.env.EMAIL_SERVER_USER,
              pass: process.env.EMAIL_SERVER_PASSWORD,
            },
          },
          from: process.env.EMAIL_FROM,
        }),
      ],
    };
    
    const handler = NextAuth(authOptions);
    
    export { handler as GET, handler as POST };