From harness-claude
Implements Next.js App Router authentication using Auth.js v5 with session handling, middleware guards, Server/Client session access, RBAC, and OAuth providers.
npx claudepluginhub intense-visions/harness-engineering --plugin harness-claudeThis skill uses the workspace's default tool permissions.
> Implement authentication with session handling, middleware guards, and Auth.js integration
Implements Next.js authentication with NextAuth.js v5, middleware for protected routes, server/client session access, and JWT strategies.
Implements Auth.js 5 authentication patterns for Next.js 15+ App Router including protected routes, Server Components sessions, OAuth providers, RBAC, and sign-in/out flows.
Implements complete Next.js authentication with Auth.js: OAuth providers (GitHub/Google), credentials login, Prisma adapter, session management (JWT/DB), middleware-protected routes, RBAC, and login forms.
Share bugs, ideas, or general feedback.
Implement authentication with session handling, middleware guards, and Auth.js integration
auth.ts at the project root to configure providers, callbacks, and session strategy.middleware.ts using the Auth.js auth export — redirect unauthenticated users before the page renders.auth() — never trust client-supplied user data.useSession() from next-auth/react — wrap the app in <SessionProvider> in a Client Component layout wrapper.signIn() and signOut() from next-auth/react in Client Components, or call them from Server Actions for progressive enhancement.// auth.ts — Auth.js v5 configuration
import NextAuth from 'next-auth';
import GitHub from 'next-auth/providers/github';
export const { handlers, auth, signIn, signOut } = NextAuth({
providers: [GitHub],
callbacks: {
async jwt({ token, user }) {
if (user) token.role = user.role; // persist role in JWT
return token;
},
async session({ session, token }) {
session.user.role = token.role as string; // expose in session
return session;
},
},
});
// middleware.ts — route protection
export { auth as middleware } from '@/auth';
export const config = {
matcher: ['/dashboard/:path*', '/api/protected/:path*'],
};
// app/dashboard/page.tsx — server-side session access
import { auth } from '@/auth';
import { redirect } from 'next/navigation';
export default async function DashboardPage() {
const session = await auth();
if (!session) redirect('/login');
if (session.user.role !== 'admin') redirect('/unauthorized');
return <Dashboard user={session.user} />;
}
Auth.js v5 is designed for the App Router and provides auth() as both a middleware function and a server-side session accessor. The same function works in middleware, Server Components, Route Handlers, and Server Actions.
Session strategies: Auth.js supports JWT sessions (stateless, stored in cookies) and database sessions (stateful, stored in your database). JWT is simpler to deploy; database sessions allow true session revocation. Use database sessions when you need to invalidate sessions on logout or role changes.
Middleware guard scope: The Auth.js middleware auth export only protects routes matched by config.matcher. API Route Handlers and Server Actions are not automatically protected — always call auth() and check the session inside them independently.
Role-based access: Store roles in the JWT payload via the jwt callback. The JWT is signed and cannot be tampered with client-side. Read session.user.role in Server Components to make authorization decisions. Never read roles from URL parameters or request bodies for authorization.
OAuth callback URL: OAuth providers require registering the callback URL: https://yourdomain.com/api/auth/callback/github. In development, use http://localhost:3000/api/auth/callback/github. Auth.js handles the callback route via the handlers export mounted at app/api/auth/[...nextauth]/route.ts.
PKCE and security: Auth.js automatically uses PKCE for OAuth flows and includes CSRF protection for credential login. Do not re-implement these manually.
https://nextjs.org/docs/app/building-your-application/authentication