RFC: Cookies Adapter

[ThangHuuVu]

Goals

1. Simplify the core. The core should interact with the Adapter abstraction instead of branching on JWT/database strategies.
2. The developer doesn't need to import and specify a adapter-cookies package to use Auth.js. The developer may still use another DB adapter to persist the data elsewhere.

Non-Goals

1. Dealing with the callbacks, like the JWT callback, will not be addressed in this RFC
2. At first, we won't expose this as a separate package yet.

Background

Adding authentication with Auth.js is minimal (doesn't require an adapter) and secure by default thanks to the JWT session cookies implementation. To further simplify the core's functionality and ease of maintenance, we would like to introduce the CookiesAdapter to unify the abstraction between the jwt and the database strategy in the core.

This is a core refactoring - for the developers, the change should be ideally invisible. Auth.js core will use this new adapter as the default under the hood, and the configurations for JWT via authOptions.jwt should remain unchanged.

This would however leave some chance to rethink the JWT callback (it's getting a bit bloated) in the follow up PRs. The breaking changes, if any, should be introduce later on there.

Proposal

The logic to handle JWT strategy will be moved to the CookiesAdapter file. While moving stuff around, we want to make sure that the tests are still passing for both /session and /callback, as the authentication flow should remain unchanged.