Sign-in links valid multiple times

[benjamintd]

When using passwordless authentication, it seems that links are only valid once (even during the maxAge period).

This is a problem with certain email firewalls that programmatically check links that are present in emails, making the link invalid when the actual user clicks the link.

It would be useful for the link to be valid for login during the whole maxAge time. Is there a possibility to achieve that with the library in its current state ?

Note: I'm using the Prisma Adapter to store sessions in my DB.

[balazsorban44]

There is currently no way of doing this (and I don't see it changing). You have to make sure that the link won't be used up by firewalls. There are related discussions of this, try searching.

You can also utilize https://next-auth.js.org/configuration/initialization#advanced-initialization to check if a request comes from a bot or an actual user.

[MuhammadBilalQamar]

When using passwordless authentication, it seems that links are only valid once (even during the maxAge period).

This is a problem with certain email firewalls that programmatically check links that are present in emails, making the link invalid when the actual user clicks the link.

It would be useful for the link to be valid for login during the whole maxAge time. Is there a possibility to achieve that with the library in its current state ?

Note: I'm using the Prisma Adapter to store sessions in my DB.

@benjamintd you can create custom adapter by extending the Prisma Adapter here is some workaround that . you also have an option to write your own custom logic for token management.

const CustomAdapter = (p: typeof prisma): Adapter => {
  return {
    ...PrismaAdapter(p),
    createVerificationToken: async (data) => {
      const verificationToken = await p.verificationToken.create({
        data: {
          identifier: data.identifier,
          token: data.token,
          expires: data.expires
        }
      })
      return verificationToken
    },
    useVerificationToken: async (params) => {
      // Instead of deleting, find the token and check if it's valid
      const verificationToken = await p.verificationToken.findFirst({
        where: {
          token: params.token,
          identifier: params.identifier,
          expires: {
            gt: new Date()
          },
        }
      })
      
      // Return the token if found and valid
      return verificationToken
    }
  }
}

const handler = NextAuth({
  adapter: CustomAdapter(prisma),
  providers: [
    Email({
      server: {
        host: process.env.EMAIL_SERVER_HOST,
        port: (process.env.EMAIL_SERVER_PORT != null) ? parseInt(process.env.EMAIL_SERVER_PORT) : 465,
        auth: {
          user: process.env.EMAIL_SERVER_USER,
          pass: process.env.EMAIL_SERVER_PASSWORD
        }
      },
      from: process.env.EMAIL_FROM,
      maxAge: 24 * 60 * 60, // 24 hours
      generateVerificationToken: async () => {
        return randomBytes(32).toString('hex')
      },
      async sendVerificationRequest({
        identifier: email,
        url,
        provider: { server, from }
      }) {
        const transport = nodemailer.createTransport(server)
        try {
          const result = await transport.sendMail({
            to: email,
            from,
            subject: `Sign in to Your App`,
            text: `Click this link to sign in: ${url}\nThis link will be valid for 24 hours and can be used multiple times.`,
            html: `
              <div>
                <p>Click this link to sign in:</p>
                <p><a href="${url}">${url}</a></p>
                <p>This link will be valid for 24 hours and can be used multiple times.</p>
              </div>
            `
          })
          const failed = result.rejected.concat(result.pending).filter(Boolean)
          if (failed.length) {
            throw new Error(`Email(s) (${failed.join(", ")}) could not be sent`)
          }
        } catch (error) {
          console.error('SEND_VERIFICATION_EMAIL_ERROR', error)
          throw new Error('SEND_VERIFICATION_EMAIL_ERROR', { cause: error })
        }
      }
    })
  ],
  session: {
    strategy: 'jwt'
  },
  jwt: {
    secret: process.env.NEXTAUTH_SECRET
  },
  pages: {
    error: '/auth/error', // Error code passed in query string as ?error=
    signIn: '/auth/login', // Displays signin buttons
    newUser: '/'
  },
  callbacks: {
    async signIn({ user, account, profile, email }) {
      if (account?.type === 'email') {
        try {
          const token = email?.verificationRequest ? undefined : 
            (typeof window !== 'undefined' ? 
              new URLSearchParams(window.location.search).get('token') : 
              undefined)

          if (token) {
            // Check if token exists and is not expired
            const verificationToken = await prisma.verificationToken.findFirst({
              where: {
                token,
                identifier: user.email!,
                expires: {
                  gt: new Date()
                }
              }
            })
            
            return !!verificationToken
          }
        } catch (error) {
          console.error('Token verification error:', error)
          return false
        }
      }
      return true
    },
    async redirect ({ url, baseUrl }) {
      return baseUrl
    },
    async session ({ session, user, token }) {
      await fixSession(session)
      return session
    },
    async jwt ({ token, session }) {
      return token
    }
  }
})