feat: integrate @zitadel/next-auth#57
Merged
- Move Session/JWT module augmentation from src/lib/auth.ts into a dedicated src/types/auth.d.ts so it is picked up across the project.
- Add tsconfig paths mapping @auth/core to ./node_modules/@auth/core to deduplicate the type identity (the SDK is linked via file: which otherwise loads two copies of @auth/core).
Replaces the hardcoded /auth/login (or /api/auth/signin/{provider})
URL with signInUrl({ redirectTo: ... }) from the SDK. The SDK builds
the URL from the configured basePath; the example no longer needs to
know where the sign-in page lives.
Converts /profile from a client component (useEffect + useSession +
client-side signIn) to a server component (await getSession +
redirect(signInUrl({ redirectTo: ... }))). Matches the server-side
gating pattern used by the other seven examples: no more flash of
the unauthenticated UI before the redirect kicks in.
The session lookup uses next/headers to build a Request from the
incoming cookie header for the SDK's getSession helper.
Two cleanups:
1. .env.example: remove NEXTAUTH_URL and NEXTAUTH_SECRET. These are NextAuth v4 legacy env var names; @auth/core v5 reads AUTH_URL / AUTH_SECRET. Grepped the source — nothing reads them.
2. SignOutButton.tsx: remove the 'use client' directive. The component is a pure HTML <form> with no event handlers, hooks, or state — it works as a server component. The directive was adding hydration weight for no functional reason.
The other examples (remix, sveltekit, tanstack) link the "Try signing in again" button to /auth/login (the custom Auth.js sign-in page). This example pointed at /api/auth/signin, which then redirected to /auth/login anyway via pages.signIn config — same destination but an extra hop. Drop the indirection so all 8 examples agree.
These were leftovers from the NextAuth v4 era; @auth/core v5 reads AUTH_URL / AUTH_SECRET instead, which the test env already provides via AUTH_URL. The dev server doesn't consume NEXTAUTH_* anywhere.
Aligns with example-remix-auth + example-tanstack-auth (and the other 3 examples whose tsconfig was bumped to ES2022 in the same sweep). Node 22 supports ES2022 natively so the build target matches the deployment baseline.
Adds cross-platform install entries for native deps (@rollup, @oxc-resolver, @oxc-parser) so 'npm ci' on Linux runners finds the linux-x64-gnu binaries. The previous lockfile was generated on darwin-arm64 only, omitting the Linux entries; CI hit npm/cli#4828 and refused to install them. Regenerated via:
npm install --include=optional --os=linux --cpu=x64 --package-lock-only
npm install --include=optional
devbox is a local-only nix-based package manager; coupling it to the devcontainer image (which already provides Node via the base image) creates an unnecessary dependency for contributors using the devcontainer. Remove the devbox feature and use plain npm ci / playwright install instead.
The SDK is actually imported by app code, so knip detects it without the override.
The globals package was listed in devDeps but never imported. It was hidden by 'globals' in knip ignoreDependencies, so the unused-dep warning never surfaced. Uninstalling resolves both: no more unused dep AND no more stale knip override.
Pin @auth/core to ^0.40.0 to match the SDK's range so npm dedupes to a single copy (was pulling both 0.40 transitively and 0.41 directly). Also drop the postcss override: Next 16 + Tailwind 4 resolve postcss 8.5.15 natively, well above the GHSA-7fh5-64p2-3v2j threshold (<8.4.31), so the override is no longer doing anything.
Reverts the postcss override removal. Although the top-level postcss resolves to a safe 8.5.15, removing the override let a nested postcss@8.4.31 resurface (moderate XSS, GHSA-qx2v-qp2m-jg93). The override force-bumps every postcss instance, not just the top-level one, so it is load-bearing and must stay.
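The two postcss commits above hinge on a detail that is easy to get wrong: the top-level copy of a package can be safe while a nested copy under some dependency's own node_modules is still below the patched version. The following is an added example, not code from this PR or the SDK, that walks a package-lock.json "packages" map (lockfile v2/v3 layout) and reports every installed instance of a package whose version is below a floor. The lockfile fragment, the "some-tool" dependency and the 8.4.30 version are constructed for the demonstration; the 8.4.31 floor is the threshold the commit messages cite.

```javascript
// Added example (not from the PR): check that every nested copy of a package
// in package-lock.json meets a minimum version, so an "overrides" entry that
// is supposed to force-bump all instances can be verified rather than trusted.
const MIN_POSTCSS = "8.4.31"; // floor named in the commit messages above

// Constructed sample lockfile: a safe top-level postcss plus a stale nested
// copy pulled in by a hypothetical dependency ("some-tool" is made up).
const sampleLock = {
  name: "example-next-auth",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-next-auth", dependencies: { next: "16.0.0" } },
    "node_modules/postcss": { version: "8.5.15" },
    "node_modules/some-tool": { version: "1.2.3", dependencies: { postcss: "^8.4.0" } },
    "node_modules/some-tool/node_modules/postcss": { version: "8.4.30" },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are dropped.
function parseVersion(v) {
  const core = String(v).split(/[-+]/)[0];
  return core.split(".").map((n) => Number.parseInt(n, 10) || 0);
}

// Comparator semantics: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every "packages" key that ends in node_modules/<name> is an installed copy
// of <name>; nested copies simply have a longer path prefix.
function findInstances(lock, name) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages ?? {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Instances whose version is below the floor; an empty result means the
// override (or the dependency graph itself) has bumped every copy.
function findStale(lock, name, minVersion) {
  return findInstances(lock, name).filter(
    (inst) => compareVersions(inst.version, minVersion) < 0,
  );
}

// Human-readable report for use in a CI step or a pre-commit check.
function report(lock, name, minVersion) {
  const stale = findStale(lock, name, minVersion);
  if (stale.length === 0) return `ok: all ${name} instances >= ${minVersion}`;
  return stale.map((s) => `stale: ${s.path}@${s.version} < ${minVersion}`).join("\n");
}

console.log(report(sampleLock, "postcss", MIN_POSTCSS));
```

To run this against a real project, replace sampleLock with JSON.parse of the lockfile contents; the same walk is what `npm ls postcss --all` performs, but having it as a function lets a CI job fail on the stale nested copy instead of relying on someone reading the tree.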
Description
Migrates this example to the published @zitadel/next-auth SDK, replacing the hand-rolled auth wiring with the SDK's factory pattern (handlers, getSession, signIn, signOut, signInUrl, signOutUrl). Switches the dependency from file:../next-auth to the npm-published version and aligns the /auth/login, /auth/error, and /profile routes with the rest of the SDK family.
Related Issue
N/A — part of the family-wide migration to the @zitadel/*-auth SDKs.
Motivation and Context
The example previously hand-rolled OIDC/PKCE wiring on top of @auth/core and pulled the SDK via a file: link. Both go away once @zitadel/next-auth is published: the example becomes a small consumer of the SDK and any consumer can copy it without local checkouts. This also brings the example's env vars (AUTH_URL, AUTH_SECRET, callback paths under /api/auth) in line with the other 7 example apps.
How Has This Been Tested?
Locally via devbox: npm run lint, npm run format:check, npm run prepack (typecheck), and npm run build all pass. Playwright E2E suite runs in CI. Manual smoke: full login → /profile → logout against a real Zitadel instance.
Documentation:
N/A — README updates for the new SDK shape landed in earlier commits on this branch.
Checklist: