auth-patterns
Scannednpx machina-cli add skill davepoon/buildwithclaude/auth-patterns --openclawFiles (1)
SKILL.md
8.3 KB
Authentication Patterns in Next.js
Overview
Next.js supports multiple authentication strategies. This skill covers common patterns including NextAuth.js (Auth.js), middleware-based protection, and session management.
Authentication Libraries
| Library | Best For |
|---|---|
| NextAuth.js (Auth.js) | Full-featured auth with providers |
| Clerk | Managed auth service |
| Lucia | Lightweight, flexible auth |
| Supabase Auth | Supabase ecosystem |
| Custom JWT | Full control |
NextAuth.js v5 Setup
Installation
npm install next-auth@beta
Configuration
// auth.ts
import NextAuth from 'next-auth'
import GitHub from 'next-auth/providers/github'
import Credentials from 'next-auth/providers/credentials'
export const { handlers, auth, signIn, signOut } = NextAuth({
providers: [
GitHub({
clientId: process.env.GITHUB_ID,
clientSecret: process.env.GITHUB_SECRET,
}),
Credentials({
credentials: {
email: { label: 'Email', type: 'email' },
password: { label: 'Password', type: 'password' },
},
authorize: async (credentials) => {
const user = await getUserByEmail(credentials.email)
if (!user || !verifyPassword(credentials.password, user.password)) {
return null
}
return user
},
}),
],
callbacks: {
authorized: async ({ auth }) => {
return !!auth
},
},
})
API Route Handler
// app/api/auth/[...nextauth]/route.ts
import { handlers } from '@/auth'
export const { GET, POST } = handlers
Middleware Protection
// middleware.ts
export { auth as middleware } from '@/auth'
export const config = {
matcher: ['/dashboard/:path*', '/api/protected/:path*'],
}
Getting Session Data
In Server Components
// app/dashboard/page.tsx
import { auth } from '@/auth'
import { redirect } from 'next/navigation'
export default async function DashboardPage() {
const session = await auth()
if (!session) {
redirect('/login')
}
return (
<div>
<h1>Welcome, {session.user?.name}</h1>
</div>
)
}
In Client Components
// components/user-menu.tsx
'use client'
import { useSession } from 'next-auth/react'
export function UserMenu() {
const { data: session, status } = useSession()
if (status === 'loading') {
return <div>Loading...</div>
}
if (!session) {
return <SignInButton />
}
return (
<div>
<span>{session.user?.name}</span>
<SignOutButton />
</div>
)
}
Session Provider Setup
// app/providers.tsx
'use client'
import { SessionProvider } from 'next-auth/react'
export function Providers({ children }: { children: React.ReactNode }) {
return <SessionProvider>{children}</SessionProvider>
}
// app/layout.tsx
import { Providers } from './providers'
export default function RootLayout({ children }) {
return (
<html>
<body>
<Providers>{children}</Providers>
</body>
</html>
)
}
Sign In/Out Components
// components/auth-buttons.tsx
import { signIn, signOut } from '@/auth'
export function SignInButton() {
return (
<form
action={async () => {
'use server'
await signIn('github')
}}
>
<button type="submit">Sign in with GitHub</button>
</form>
)
}
export function SignOutButton() {
return (
<form
action={async () => {
'use server'
await signOut()
}}
>
<button type="submit">Sign out</button>
</form>
)
}
Middleware-Based Auth
Basic Pattern
// middleware.ts
import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'
const protectedRoutes = ['/dashboard', '/settings', '/api/protected']
const authRoutes = ['/login', '/signup']
export function middleware(request: NextRequest) {
const token = request.cookies.get('session')?.value
const { pathname } = request.nextUrl
// Redirect authenticated users away from auth pages
if (authRoutes.some(route => pathname.startsWith(route))) {
if (token) {
return NextResponse.redirect(new URL('/dashboard', request.url))
}
return NextResponse.next()
}
// Protect routes
if (protectedRoutes.some(route => pathname.startsWith(route))) {
if (!token) {
const loginUrl = new URL('/login', request.url)
loginUrl.searchParams.set('callbackUrl', pathname)
return NextResponse.redirect(loginUrl)
}
}
return NextResponse.next()
}
export const config = {
matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
}
With JWT Verification
// middleware.ts
import { NextResponse } from 'next/server'
import { jwtVerify } from 'jose'
const secret = new TextEncoder().encode(process.env.JWT_SECRET)
export async function middleware(request: NextRequest) {
const token = request.cookies.get('token')?.value
if (!token) {
return NextResponse.redirect(new URL('/login', request.url))
}
try {
const { payload } = await jwtVerify(token, secret)
// Token is valid, continue
return NextResponse.next()
} catch {
// Token is invalid
return NextResponse.redirect(new URL('/login', request.url))
}
}
Role-Based Access Control
Extending Session Types
// types/next-auth.d.ts
import { DefaultSession } from 'next-auth'
declare module 'next-auth' {
interface Session {
user: {
role: 'user' | 'admin'
} & DefaultSession['user']
}
}
// auth.ts
export const { handlers, auth } = NextAuth({
callbacks: {
session: ({ session, token }) => ({
...session,
user: {
...session.user,
role: token.role,
},
}),
jwt: ({ token, user }) => {
if (user) {
token.role = user.role
}
return token
},
},
})
Role-Based Component
// components/admin-only.tsx
import { auth } from '@/auth'
import { redirect } from 'next/navigation'
export async function AdminOnly({ children }: { children: React.ReactNode }) {
const session = await auth()
if (session?.user?.role !== 'admin') {
redirect('/unauthorized')
}
return <>{children}</>
}
// Usage
export default async function AdminPage() {
return (
<AdminOnly>
<AdminDashboard />
</AdminOnly>
)
}
Session Storage Options
JWT (Stateless)
// auth.ts
export const { auth } = NextAuth({
session: { strategy: 'jwt' },
// JWT stored in cookies, no database needed
})
Database Sessions
// auth.ts
import { PrismaAdapter } from '@auth/prisma-adapter'
import { prisma } from '@/lib/prisma'
export const { auth } = NextAuth({
adapter: PrismaAdapter(prisma),
session: { strategy: 'database' },
// Sessions stored in database
})
Custom Login Page
// app/login/page.tsx
'use client'
import { signIn } from 'next-auth/react'
import { useSearchParams } from 'next/navigation'
export default function LoginPage() {
const searchParams = useSearchParams()
const callbackUrl = searchParams.get('callbackUrl') || '/dashboard'
return (
<div className="flex flex-col gap-4">
<button
onClick={() => signIn('github', { callbackUrl })}
className="btn"
>
Sign in with GitHub
</button>
<button
onClick={() => signIn('google', { callbackUrl })}
className="btn"
>
Sign in with Google
</button>
</div>
)
}
Security Best Practices
- Use HTTPS in production
- Set secure cookie flags (HttpOnly, Secure, SameSite)
- Implement CSRF protection (built into NextAuth)
- Validate redirect URLs to prevent open redirects
- Use environment variables for secrets
- Implement rate limiting on auth endpoints
- Hash passwords with bcrypt or argon2
Resources
For detailed patterns, see:
references/middleware-auth.md- Advanced middleware patternsreferences/session-management.md- Session strategiesexamples/nextauth-setup.md- Complete NextAuth.js setup
Source
git clone https://github.com/davepoon/buildwithclaude/blob/main/plugins/nextjs-expert/skills/auth-patterns/SKILL.mdView on GitHub Overview
Auth-patterns covers common authentication strategies in Next.js, including NextAuth.js (Auth.js), middleware-based protections, and session management. It helps you implement login flows, protected routes, and authorization across both server and client components.
How This Skill Works
The skill surveys libraries such as NextAuth.js (Auth.js), Clerk, Lucia, Supabase Auth, and Custom JWT, with practical setup examples. It explains configuring NextAuth with providers (GitHub and Credentials), creating the API route handler, and enabling middleware-based protection plus session retrieval in server and client components.
When to Use It
- When building a Next.js app that requires user authentication with providers (e.g., GitHub) using NextAuth.js.
- When you need middleware-based protection for dashboards and API routes.
- When you want to retrieve and display session data in Server Components to personalize content.
- When implementing sign-in and sign-out UI with NextAuth client and server APIs.
- When selecting an auth strategy (NextAuth, Clerk, Lucia, or Supabase Auth) for your Next.js project.
Quick Start
- Step 1: Install NextAuth: npm install next-auth@beta
- Step 2: Configure NextAuth with providers (GitHub, Credentials) and a route handler (auth.ts) and include an authorize() example in the credentials provider.
- Step 3: Wrap the app with a SessionProvider (app/providers.tsx) and enable middleware protection for protected routes via a matcher.
Best Practices
- Use middleware with a matcher to enforce protected routes consistently.
- Wrap your app with a SessionProvider and use client components for session-aware UI.
- Perform session checks on the server (e.g., via auth()) before rendering protected content.
- Keep credentials and provider secrets in environment variables; implement proper authorize() logic.
- Define a clear authorization model (roles/permissions) in callbacks and session data.
Example Use Cases
- Integrate NextAuth.js with GitHub and Credentials providers, including authorize() logic.
- Protect /dashboard and API routes with middleware and a matcher.
- Fetch session data in a server component to greet the user.
- Create SignInButton and SignOutButton components that call signIn and signOut.
- Set up a SessionProvider in app/layout.tsx to provide session context across the app.
Frequently Asked Questions
Add this skill to your agents
