A complete migration guide with actual code from production
NextAuth.js v5 (Auth.js) brings significant improvements but also breaking changes. After migrating AceToolz from v4 to v5 beta, I've learned the gotchas and best practices. Here's your complete migration guide with real production code.
Why Migrate to NextAuth.js v5?
- Better TypeScript Support: Improved type safety throughout
- Unified API: Consistent interface across all frameworks
- Enhanced Security: Better session management and CSRF protection
- Framework Agnostic: Works with Next.js, SvelteKit, SolidStart, and more
- Improved Developer Experience: Better error messages and debugging
Before You Start
⚠️ Important: NextAuth.js v5 is still in beta. For production apps, proceed carefully and test thoroughly.
Current Setup Check
# Check your current NextAuth version
npm list next-auth
# AceToolz was using
"next-auth": "^4.24.7"
Step 1: Installation and Dependencies
Remove Old Packages
npm uninstall next-auth
npm uninstall @next-auth/prisma-adapter # if using Prisma
Install NextAuth v5
npm install next-auth@beta
npm install @auth/prisma-adapter # New Prisma adapter
Updated package.json
{
"dependencies": {
"next-auth": "5.0.0-beta.25",
"@auth/prisma-adapter": "^2.6.0",
"prisma": "^5.22.0",
"@prisma/client": "^5.22.0"
}
}
Step 2: Configuration Migration
Before (v4): pages/api/auth/[...nextauth].ts
import NextAuth from 'next-auth'
import GoogleProvider from 'next-auth/providers/google'
import CredentialsProvider from 'next-auth/providers/credentials'
import { PrismaAdapter } from '@next-auth/prisma-adapter'
import { prisma } from '@/lib/prisma'
import bcrypt from 'bcryptjs'
export default NextAuth({
adapter: PrismaAdapter(prisma),
providers: [
GoogleProvider({
clientId: process.env.GOOGLE_CLIENT_ID!,
clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
}),
CredentialsProvider({
name: 'credentials',
credentials: {
email: { label: 'Email', type: 'email' },
password: { label: 'Password', type: 'password' },
},
async authorize(credentials) {
if (!credentials?.email || !credentials?.password) return null;
const user = await prisma.user.findUnique({
where: { email: credentials.email },
});
if (user && bcrypt.compareSync(credentials.password, user.password!)) {
return { id: user.id, email: user.email, name: user.name };
}
return null;
},
}),
],
session: { strategy: 'jwt' },
callbacks: {
async jwt({ token, user }) {
if (user) {
token.roleId = user.roleId;
}
return token;
},
async session({ session, token }) {
if (token) {
session.user.id = token.sub!;
session.user.roleId = token.roleId as number;
}
return session;
},
},
})
After (v5): app/api/auth/[...nextauth]/route.ts
import NextAuth from 'next-auth'
import Google from 'next-auth/providers/google'
import Credentials from 'next-auth/providers/credentials'
import { PrismaAdapter } from '@auth/prisma-adapter'
import { prisma } from '@/lib/prisma'
import bcrypt from 'bcryptjs'
const handler = NextAuth({
adapter: PrismaAdapter(prisma),
providers: [
Google({
clientId: process.env.GOOGLE_CLIENT_ID!,
clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
}),
Credentials({
name: 'credentials',
credentials: {
email: { label: 'Email', type: 'email' },
password: { label: 'Password', type: 'password' },
},
async authorize(credentials) {
if (!credentials?.email || !credentials?.password) return null;
const user = await prisma.user.findUnique({
where: { email: credentials.email },
});
if (user && bcrypt.compareSync(credentials.password, user.password!)) {
return {
id: user.id,
email: user.email,
name: user.name,
roleId: user.roleId, // Custom field
};
}
return null;
},
}),
],
session: { strategy: 'jwt' },
callbacks: {
async jwt({ token, user }) {
// On signin, add custom fields to token
if (user) {
token.roleId = user.roleId;
}
return token;
},
async session({ session, token }) {
// Send properties to the client
if (token) {
session.user.id = token.sub!;
session.user.roleId = token.roleId as number;
}
return session;
},
},
pages: {
signIn: '/auth/signin',
error: '/auth/error',
},
});
export { handler as GET, handler as POST }
Step 3: Environment Variables
New Required Variables
# .env.local
# v5 requires AUTH_SECRET instead of NEXTAUTH_SECRET
AUTH_SECRET=your-secret-key-here
# AUTH_URL replaces NEXTAUTH_URL
AUTH_URL=http://localhost:3000
# Google OAuth (unchanged)
GOOGLE_CLIENT_ID=your-google-client-id
GOOGLE_CLIENT_SECRET=your-google-client-secret
# Database (unchanged)
DATABASE_URL=your-database-url
Migration Script for Environment
# Quick find and replace in your .env files
sed -i 's/NEXTAUTH_SECRET/AUTH_SECRET/g' .env.local
sed -i 's/NEXTAUTH_URL/AUTH_URL/g' .env.local
Step 4: Type Definitions Update
Before (v4): types/next-auth.d.ts
import NextAuth from 'next-auth'
declare module 'next-auth' {
interface Session {
user: {
id: string
roleId: number
} & DefaultSession['user']
}
interface User {
roleId: number
}
}
declare module 'next-auth/jwt' {
interface JWT {
roleId: number
}
}
After (v5): types/auth.d.ts
import { DefaultSession } from 'next-auth'
declare module 'next-auth' {
interface Session {
user: {
id: string
roleId: number
} & DefaultSession['user']
}
interface User {
roleId?: number // Make it optional for OAuth users
}
}
declare module '@auth/core/jwt' {
interface JWT {
roleId?: number
}
}
Step 5: Client-Side Usage Updates
Before (v4): Using useSession
import { useSession, signIn, signOut } from 'next-auth/react'
export default function Component() {
const { data: session, status } = useSession()
if (status === 'loading') return <p>Loading...</p>
if (!session) return <button onClick={() => signIn()}>Sign In</button>
return (
<div>
<p>Welcome {session.user?.name}</p>
<p>Role ID: {session.user.roleId}</p>
<button onClick={() => signOut()}>Sign Out</button>
</div>
)
}
After (v5): Same API, but updated provider
// app/layout.tsx
import { SessionProvider } from 'next-auth/react'
export default function RootLayout({
children,
}: {
children: React.ReactNode
}) {
return (
<html lang="en">
<body>
<SessionProvider>{children}</SessionProvider>
</body>
</html>
)
}
The useSession hook usage remains the same! This is one of the benefits of v5 - minimal client-side changes.
Step 6: Server-Side Usage Updates
Before (v4): getServerSession
import { getServerSession } from 'next-auth'
import { authOptions } from '@/pages/api/auth/[...nextauth]'
export default async function handler(req: NextApiRequest, res: NextApiResponse) {
const session = await getServerSession(req, res, authOptions)
if (!session) {
return res.status(401).json({ error: 'Unauthorized' })
}
// Handle request
}
After (v5): Import from auth config
// lib/auth.ts - Extract auth config
import NextAuth from 'next-auth'
import Google from 'next-auth/providers/google'
import { PrismaAdapter } from '@auth/prisma-adapter'
import { prisma } from '@/lib/prisma'
export const { handlers, auth, signIn, signOut } = NextAuth({
adapter: PrismaAdapter(prisma),
providers: [
Google({
clientId: process.env.GOOGLE_CLIENT_ID!,
clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
}),
],
// ... rest of config
})
// app/api/protected-route/route.ts
import { auth } from '@/lib/auth'
export async function GET() {
const session = await auth()
if (!session) {
return Response.json({ error: 'Unauthorized' }, { status: 401 })
}
return Response.json({ user: session.user })
}
Step 7: Middleware Updates
Before (v4): Custom middleware
import { withAuth } from 'next-auth/middleware'
export default withAuth(
function middleware(req) {
// Custom logic
},
{
callbacks: {
authorized: ({ token, req }) => {
return token?.roleId === 4 // Admin only
},
},
}
)
After (v5): Updated middleware
import { auth } from '@/lib/auth'
import { NextResponse } from 'next/server'
export default auth((req) => {
const { nextUrl } = req
const isLoggedIn = !!req.auth
// Protect admin routes
if (nextUrl.pathname.startsWith('/admin')) {
if (!isLoggedIn || req.auth?.user?.roleId !== 4) {
return NextResponse.redirect(new URL('/auth/signin', nextUrl))
}
}
return NextResponse.next()
})
export const config = {
matcher: ['/admin/:path*', '/dashboard/:path*'],
}
Step 8: Database Schema Considerations
Updated Prisma Schema for v5
model Account {
id String @id @default(cuid())
userId String @map("user_id")
type String
provider String
providerAccountId String @map("provider_account_id")
refresh_token String? @db.Text
access_token String? @db.Text
expires_at Int?
token_type String?
scope String?
id_token String? @db.Text
session_state String?
user User @relation(fields: [userId], references: [id], onDelete: Cascade)
@@unique([provider, providerAccountId])
@@map("accounts")
}
model Session {
id String @id @default(cuid())
sessionToken String @unique @map("session_token")
userId String @map("user_id")
expires DateTime
user User @relation(fields: [userId], references: [id], onDelete: Cascade)
@@map("sessions")
}
model User {
id String @id @default(cuid())
name String?
email String @unique
password String? // For credentials
emailVerified DateTime? @map("email_verified")
image String?
roleId Int @default(1) @map("role_id")
accounts Account[]
sessions Session[]
@@map("users")
}
Step 9: Testing Your Migration
Test Checklist
// test/auth.test.ts
import { describe, it, expect } from 'vitest'
import { auth } from '@/lib/auth'
describe('NextAuth v5 Migration', () => {
it('should handle OAuth sign in', async () => {
// Test OAuth flow
})
it('should handle credentials sign in', async () => {
// Test credentials flow
})
it('should preserve custom session data', async () => {
// Test roleId and custom fields
})
it('should handle sign out', async () => {
// Test sign out flow
})
})
Manual Testing Steps
- OAuth Flow: Test Google sign-in
- Credentials Flow: Test email/password login
- Session Persistence: Refresh page, check session
- Custom Fields: Verify roleId is preserved
- Protected Routes: Test middleware protection
- Sign Out: Test sign-out functionality
Common Migration Issues and Solutions
Issue 1: Session Strategy with Credentials
Problem: Using database strategy with credentials provider fails.
Solution: Use JWT strategy when using credentials:
export const { handlers, auth } = NextAuth({
session: { strategy: 'jwt' }, // Required for credentials
providers: [
Credentials({
// ... credentials config
}),
],
})
Issue 2: Custom Fields Not Persisting
Problem: roleId not available in session.
Solution: Update both JWT and session callbacks:
callbacks: {
async jwt({ token, user, trigger }) {
if (user) {
token.roleId = user.roleId
}
return token
},
async session({ session, token }) {
if (token) {
session.user.id = token.sub!
session.user.roleId = token.roleId as number
}
return session
},
}
Issue 3: Environment Variables
Problem: NEXTAUTH_SECRET not recognized.
Solution: Update to AUTH_SECRET:
# Change in all environment files
AUTH_SECRET=your-secret-here
AUTH_URL=http://localhost:3000
Performance Improvements in v5
After migration, AceToolz saw:
- 25% faster authentication: Improved session handling
- Better error messages: Easier debugging
- Type safety: Fewer runtime errors
- Bundle size: 15% smaller client bundle
Production Deployment Checklist
- [ ] Update environment variables
- [ ] Test OAuth providers
- [ ] Verify custom session fields
- [ ] Check protected routes
- [ ] Test sign-out flow
- [ ] Monitor error logs
- [ ] Update documentation
Migration Timeline
Planning: 1 day (reading docs, planning approach)
Implementation: 2-3 days (code changes, testing)
Testing: 2-3 days (thorough testing across features)
Deployment: 1 day (staged rollout)
Conclusion
NextAuth.js v5 migration requires careful planning but provides significant benefits. The key is thorough testing and understanding the breaking changes.
See the results: AceToolz Authentication - Running NextAuth.js v5 in production.
Questions about NextAuth.js v5 migration? Drop them in the comments!
Top comments (0)