ReviseAlgo Logo

Authentication

NextAuth

Learn how Auth.js/NextAuth fits into Next.js authentication, including providers, sessions, protected pages, and route protection.

## 1. Learning Objectives By the end of this lesson, you will be able to configure Auth.js/NextAuth at a high level, read sessions on the server, protect pages and endpoints, and choose where authentication checks belong. Difficulty: Intermediate. ## 2. Prerequisites - Route Handlers. - Server Components. - Cookies and sessions. - OAuth basics. ## 3. Overview NextAuth, now developed as Auth.js, provides authentication primitives for Next.js apps: providers, callbacks, sessions, sign-in/sign-out helpers, and server-side session access through an exported `auth()` function. ## 4. Why This Topic Matters Authentication touches every sensitive workflow. A good setup keeps provider logic centralized, avoids leaking secrets to the browser, and verifies sessions close to protected data access. ## 5. Real-World Analogy Auth.js is like the reception desk in an office building. It verifies who you are, issues a visitor badge, and lets each floor check whether your badge allows entry. ## 6. Core Concepts | Concept | Meaning | |---|---| | Provider | OAuth, credentials, magic link, or passkey login source. | | Session | Server-readable representation of the signed-in user. | | `auth()` | Helper exported from Auth.js configuration to read current session. | | Callback | Hook to customize sign-in, JWT, session, or authorization behavior. | | Adapter | Database integration for persisted users and sessions. | ## 7. Syntax & API Reference
## 8. Visual Diagram
## 9. Live Example - Full Working Code
What just happened? The page checks the session on the server before rendering protected content. ## 10. Interactive Playground Try this: - Add a GitHub provider. - Render the current session in a Server Component. - Protect a Route Handler with `auth()`. ## 11. Common Mistakes | Mistake | Why It Happens | Correct Approach | |---|---|---| | Checking auth only in client UI | It hides controls but does not protect data. | Re-check auth on the server. | | Putting provider secrets in client code | Environment variable boundaries are misunderstood. | Keep provider secrets server-side. | | Assuming middleware/proxy is enough | Route guards can be bypassed by internal code paths. | Verify authorization near data access too. | ## 12. Best Practices - Keep auth configuration centralized. - Use server-side `auth()` for protected pages and handlers. - Validate authorization, not just authentication. - Keep secrets in server environment variables. - Use database sessions when revocation and auditability matter. ## 13. Browser Compatibility | Feature | Browser Impact | Notes | |---|---|---| | OAuth redirect | Standard browser navigation | Works broadly. | | Session cookie | Browser cookie support | Requires secure cookie settings in production. | | Server session check | Server-side | No browser API required. | ## 14. Interview Questions **Easy:** What problem does NextAuth/Auth.js solve? Answer: It provides authentication, provider integration, session handling, and helpers for Next.js apps. **Medium:** Where should protected page checks happen? Answer: On the server, usually in Server Components, Route Handlers, Server Actions, or middleware/proxy gates. **Hard:** Why is authorization different from authentication? Answer: Authentication proves identity; authorization decides whether that identity can perform a specific action. ## 15. Debugging Exercise Bug report: "The dashboard link is hidden, but users can still call the admin API." Solution Client UI checks are not security. Add server-side `auth()` and role/permission checks inside the API Route Handler or Server Action. ## 16. Practice Exercises - Easy: Render a signed-in user's email on a server page. - Medium: Protect a dashboard route with redirect. - Hard: Add role-based checks to an admin Route Handler. ## 17. Scenario-Based Challenge A SaaS app needs GitHub login, billing pages, and admin-only organization settings. Where should checks live? Walkthrough Use Auth.js providers for sign-in, middleware/proxy for coarse route gating, and server-side authorization checks in billing/admin data access paths. ## 18. Quick Quiz 1. What helper reads the server session? Answer: `auth()`. 2. Should provider secrets ship to the browser? Answer: No. 3. Is hiding a link enough security? Answer: No. 4. What is a provider? Answer: A login source such as GitHub or Google. 5. What is authorization? Answer: Permission checking after identity is known. ## 19. Summary & Key Takeaways - Auth.js/NextAuth centralizes authentication. - Use server-side session checks for protected content. - Keep secrets server-side. - Middleware/proxy can gate routes but should not be the only authorization layer. - Authorization must be checked close to sensitive data and mutations. ## 20. Cheat Sheet | Need | Tool | |---|---| | OAuth login | Provider | | Current server session | `auth()` | | Protected page | Server check + redirect | | Protected endpoint | `auth()` in Route Handler | | Role check | Server authorization logic | ## 21. Further Reading - Auth.js Docs: Protecting Resources. - Auth.js Docs: Session Management. - Next.js Docs: Authentication guide. ## 22. Next Lesson Preview Next, you will learn JWTs and when token-based sessions are useful or risky.