A starter project for Next.js with authentication
Authentication is now handled by the next-auth library.
All authentication code - including Express and Passport integration - has been forked off into this npm module, making it easier to manage and providing complete separation of auth configuration and database code.
The session handling code is now provided by next-auth-client.
While authentication is still more complicated to add to a new project than is ideal, future updates to next-auth may provide easier interfaces for this.
A pre-release 2.0 beta version was previously listed, although it was a recent beta so there are no actual changes to the code for the release version.
This is the only supported version and it is strongly recommended you upgrade to this version, especially for Internet Explorer compatibility.
This release features email and OAuth based authentication, with CSRF protection and using httpOnly cookies to protect against XSS exploits. It also adds support for live reloading of CSS/SCSS and linting with 'xo' and has extended documentation.
Client and server configuration (including OAuth providers) is easily configurable. A range of options, including OAuth configuration options, are exposed and can be configured in .env (see .env.defaults for examples). Additionally, options can be configured within the app in 'auth.js'.
This release uses Next.js 2.0.0-beta.23. It has been tested in recent versions of all major browsers (Chrome, Firefox, Internet Explorer and Safari).
This release is identical to v2.5.4 but is missing a polyfill for Promise which resolves a problem caused by Internet Explorer lacking native Promise support.
You should use release v2.5.4 instead of this release.
This release features email only based authentication, with CSRF protection and using httpOnly cookies to protect against XSS exploits.
It is the first release to feature a fully implemented session class, that includes being able to specify how long a client should consider a session valid for before it checks with the server again.
This value can be 0 (to force the client to check the session state on every page navigation or interaction with the session component, which is how sessions behave normally with server-only rendering) or 30 seconds or longer, to reduce the amount of traffic to the server, which will make navigating between pages faster for users.
The default value for 'clientMaxAge' has been set to 60 seconds and, like all other auth options, can be configured when 'routes/auth.js' is invoked. Note this is distinct from (and less than) the actual session maxAge.
Note: Regardless of this value, users will always see their session status updated immediately if they sign in or out, as that information is shared between tabs and windows.
Future releases will see updates and refactoring to the authentication to add new features. If you wish to just reference a simpler release, this would be an appropriate release to choose.
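The 'clientMaxAge' behaviour described above, sketched as an added example (not code from this project or from next-auth-client). The names SessionCache, fetchSession, clientMaxAgeSeconds and watchOtherTabs are hypothetical, and the use of a localStorage key to notify other tabs is an assumption.

```javascript
// Added illustration: SessionCache, fetchSession and clientMaxAgeSeconds are
// hypothetical names for this sketch, not the next-auth-client API.
class SessionCache {
  constructor({ clientMaxAgeSeconds = 60, fetchSession, now = Date.now }) {
    this.maxAgeMs = clientMaxAgeSeconds * 1000;
    this.fetchSession = fetchSession; // async function that asks the server
    this.now = now;                   // injectable clock, used for testing
    this.session = null;
    this.fetchedAt = null;            // null means nothing is cached
  }

  // True only while a cached copy exists and is younger than the max age.
  // With a max age of 0 this is never true, so every call asks the server.
  isFresh() {
    return this.fetchedAt !== null &&
      this.now() - this.fetchedAt < this.maxAgeMs;
  }

  // Return the cached session, re-checking with the server once it is stale.
  async get() {
    if (!this.isFresh()) {
      this.session = await this.fetchSession();
      this.fetchedAt = this.now();
    }
    return this.session;
  }

  // Call on sign in or sign out so the next get() re-checks with the server.
  invalidate() {
    this.session = null;
    this.fetchedAt = null;
  }
}

// Assumption: a tab announces sign in/out by writing a localStorage key;
// the browser then fires a "storage" event in every other tab and window.
function watchOtherTabs(cache, key = 'session-changed') {
  if (typeof window === 'undefined') return false; // not running in a browser
  window.addEventListener('storage', (event) => {
    if (event.key === key) cache.invalidate();
  });
  return true;
}
```

This cache only decides how long the client trusts its own copy of the session; the session maxAge enforced by the server is a separate setting.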