NextAuthAuthenticationNext.jsApp Router

NextAuth v5: running GitHub OAuth, credentials, and magic links in the same app

Oliver White

17 May 2026 · 9 min read

The auth requirements for AI Art Arena were straightforward on paper: GitHub OAuth for developers who want to sign in quickly, email/password for users who prefer not to use OAuth, and magic links for users who want passwordless but do not have a GitHub account. In practice, combining all three in a single NextAuth v5 setup with a shared users table and consistent session shape took considerably more refinement than any single tutorial covers.

ℹ

This is part of the Directed Output build log. The methodology — how the refinement loop turns undocumented problems into solutions you actually own — is at /process.

The three-provider problem

Each provider has a different relationship with user creation. GitHub OAuth creates a user row on first sign-in if one does not exist. Credentials authentication requires the user to already exist — it is verifying an existing identity, not creating a new one. Magic links need to create the user if they do not exist, then send a tokenised email link. All three flows need to land in the same users table, produce the same session shape, and be treated identically downstream.

Provider	Creates user?	Requires existing user?	Gotcha
GitHub OAuth	Yes — first sign-in	No	GitHub email can be null if set to private — must handle the null case
Credentials	No	Yes	Password must be hashed with bcrypt — never store plaintext, never compare plaintext
Magic link	Yes — if not exists	No	Resend client must be instantiated inside the handler, never at module level

The auth.ts configuration

In NextAuth v5, the entire configuration moves from app/api/auth/[...nextauth]/route.ts to a top-level auth.ts file. The route file becomes a one-liner that re-exports the handlers. This separation matters because auth.ts can be imported directly by Server Components, middleware, and API routes — no more passing authOptions around.

typescript

// auth.ts
export const { handlers, auth, signIn, signOut } = NextAuth({
  providers: [
    GitHub({ clientId: process.env.GITHUB_CLIENT_ID!, clientSecret: process.env.GITHUB_CLIENT_SECRET! }),
    Credentials({
      credentials: { email: {}, password: {} },
      authorize: async ({ email, password }) => {
        const { data: user } = await supabase
          .from('users').select('id, email, password_hash, role').eq('email', email).single();
        if (!user || !user.password_hash) return null;
        const valid = await bcrypt.compare(password as string, user.password_hash);
        return valid ? { id: user.id, email: user.email, role: user.role } : null;
      },
    }),
    // Magic link — uses Resend. Client instantiated inside sendVerificationRequest, not here.
    Resend({ apiKey: process.env.RESEND_API_KEY, from: 'noreply@olliedoesis.dev' }),
  ],
  callbacks: {
    async session({ session, token }) {
      if (token.sub) {
        const { data: user } = await supabase
          .from('users').select('id, role').eq('id', token.sub).single();
        session.user.id   = user?.id   ?? token.sub;
        session.user.role = user?.role ?? 'user';
      }
      return session;
    },
  },
});

Middleware: wrapping auth() instead of withAuth()

The v4 middleware used withAuth() from next-auth/middleware. In v5 that export is gone. The new pattern exports a default function that wraps auth() — your middleware logic runs as a callback inside the NextAuth auth handler. This means security headers, redirects, and auth checks all live in one file and share the same request context.

typescript

// middleware.ts
import { auth } from '@/auth';

export default auth((req) => {
  const { nextUrl } = req;
  const session = req.auth;

  // Admin route protection — redirect to sign-in if not admin
  if (nextUrl.pathname.startsWith('/admin')) {
    if (!session?.user || session.user.role !== 'admin') {
      return NextResponse.redirect(new URL('/signin', nextUrl));
    }
  }

  // Apply security headers to every response
  return applySecurityHeaders(NextResponse.next());
});

export const config = {
  // Exclude static assets from auth processing — saves ~40ms per static request
  matcher: ['/((?!_next/static|_next/image|favicon.ico|.*\.(?:svg|png|jpg|ico)$).*)'],
};

⚠

The session callback fires on every request when using the JWT strategy. Keep it fast — a slow session callback adds latency to every authenticated page load. The Supabase query inside it should hit a cached row in practice, but watch this with profiling if latency becomes a problem.

Session type augmentation

By default NextAuth's Session type only includes name, email, and image. Adding id and role requires TypeScript module augmentation. Without it, every access to session.user.role will produce a type error — and you will be tempted to add 'as any' casts, which defeats the purpose of having types at all.

typescript

// types/next-auth.d.ts
import 'next-auth';

declare module 'next-auth' {
  interface Session {
    user: {
      id:    string;
      email: string;
      name:  string | null;
      image: string | null;
      role:  'user' | 'admin';
    };
  }
}

Built with this methodology

Most NextAuth v5 tutorials cover one provider in isolation. Running all three in the same app — shared session types, a users table that handles all three, middleware that covers every case — is a different problem. Here is what the integration actually looks like.

See the App Router architecture this post describes →

From the build log

ArchitectureSupabase

I built a live AI art voting platform in public — 33 migrations, one atomic RPC, and a methodology for working with AI that actually holds up

Read →

Next.jsTypeScript

The day I stopped fixing bugs and started fixing systems

Read →

Written by

Oliver White →

← All posts

NextAuthAuthenticationNext.jsApp Router

NextAuth v5: running GitHub OAuth, credentials, and magic links in the same app

Oliver White

17 May 2026 · 9 min read

ℹ

This is part of the Directed Output build log. The methodology — how the refinement loop turns undocumented problems into solutions you actually own — is at /process.

The three-provider problem

Provider	Creates user?	Requires existing user?	Gotcha
GitHub OAuth	Yes — first sign-in	No	GitHub email can be null if set to private — must handle the null case
Credentials	No	Yes	Password must be hashed with bcrypt — never store plaintext, never compare plaintext
Magic link	Yes — if not exists	No	Resend client must be instantiated inside the handler, never at module level

The auth.ts configuration

typescript

// auth.ts
export const { handlers, auth, signIn, signOut } = NextAuth({
  providers: [
    GitHub({ clientId: process.env.GITHUB_CLIENT_ID!, clientSecret: process.env.GITHUB_CLIENT_SECRET! }),
    Credentials({
      credentials: { email: {}, password: {} },
      authorize: async ({ email, password }) => {
        const { data: user } = await supabase
          .from('users').select('id, email, password_hash, role').eq('email', email).single();
        if (!user || !user.password_hash) return null;
        const valid = await bcrypt.compare(password as string, user.password_hash);
        return valid ? { id: user.id, email: user.email, role: user.role } : null;
      },
    }),
    // Magic link — uses Resend. Client instantiated inside sendVerificationRequest, not here.
    Resend({ apiKey: process.env.RESEND_API_KEY, from: 'noreply@olliedoesis.dev' }),
  ],
  callbacks: {
    async session({ session, token }) {
      if (token.sub) {
        const { data: user } = await supabase
          .from('users').select('id, role').eq('id', token.sub).single();
        session.user.id   = user?.id   ?? token.sub;
        session.user.role = user?.role ?? 'user';
      }
      return session;
    },
  },
});

Middleware: wrapping auth() instead of withAuth()

typescript

// middleware.ts
import { auth } from '@/auth';

export default auth((req) => {
  const { nextUrl } = req;
  const session = req.auth;

  // Admin route protection — redirect to sign-in if not admin
  if (nextUrl.pathname.startsWith('/admin')) {
    if (!session?.user || session.user.role !== 'admin') {
      return NextResponse.redirect(new URL('/signin', nextUrl));
    }
  }

  // Apply security headers to every response
  return applySecurityHeaders(NextResponse.next());
});

export const config = {
  // Exclude static assets from auth processing — saves ~40ms per static request
  matcher: ['/((?!_next/static|_next/image|favicon.ico|.*\.(?:svg|png|jpg|ico)$).*)'],
};

⚠

Session type augmentation

typescript

// types/next-auth.d.ts
import 'next-auth';

declare module 'next-auth' {
  interface Session {
    user: {
      id:    string;
      email: string;
      name:  string | null;
      image: string | null;
      role:  'user' | 'admin';
    };
  }
}

Built with this methodology

See the App Router architecture this post describes →

From the build log

ArchitectureSupabase

I built a live AI art voting platform in public — 33 migrations, one atomic RPC, and a methodology for working with AI that actually holds up

Read →

Next.jsTypeScript

The day I stopped fixing bugs and started fixing systems

Read →

Written by

Oliver White →

← All posts