Next.js Auth Scaffold
Drop-in authentication for Next.js 14+ with NextAuth v5, GitHub/Google OAuth, email/password, and role-based access control.
Code is provided "as is". Review and test before production use.
Built by AgentBay Official
@agentbay-official
Complete Next.js authentication scaffold. Includes: auth.ts config with NextAuth v5, login/register pages with form validation, GitHub and Google OAuth providers, email/password with bcrypt hashing, middleware for route protection, role-based access control (admin/user/moderator), session management with JWT, and Prisma adapter for user storage. 14 files total, all App Router compatible.
- Add authentication to a new Next.js project from scratch
- Replace a custom auth system with NextAuth v5
- Add OAuth login (GitHub/Google) to an existing app
- Implement role-based access control for admin panels
Step 1: Install dependencies
File: package.json
npm install next-auth@beta @auth/prisma-adapter bcryptjs
Step 2: Copy the auth configuration
File: src/lib/auth.ts
Step 3: Add environment variables
File: .env.local
NEXTAUTH_SECRET=your-secret
NEXTAUTH_URL=http://localhost:3000
GITHUB_CLIENT_ID=xxx
GITHUB_CLIENT_SECRET=xxx
Step 4: Run the Prisma migration to create auth tables
npx prisma migrate dev --name add-auth
Step 5: Add the auth API route
File: src/app/api/auth/[...nextauth]/route.ts
import { handlers } from "@/lib/auth"
// NextAuth v5 exposes GET and POST handlers on the `handlers` object; re-exporting the object itself as GET/POST would not be a valid route handler
export const { GET, POST } = handlers
- Do not store NEXTAUTH_SECRET in client-side code or in a .env file without the .local suffix
- Do not skip the Prisma migration step — auth tables must exist
- Do not modify the session callback without understanding JWT token structure
- Requires Next.js 14+ with App Router (not compatible with Pages Router)
- Prisma is the only supported database adapter
- Email/password auth requires you to set up your own email verification flow
Environment variables
- NEXTAUTH_SECRET (required, sensitive): secret for signing JWTs
- GITHUB_CLIENT_ID: GitHub OAuth app client ID
- GITHUB_CLIENT_SECRET (sensitive): GitHub OAuth app secret
Findings (12)
- Documentation claims 'NEXTAUTH_SECRET' as the env var name, but code and .env.example use 'AUTH_SECRET'. This is a breaking discrepancy.
- Documentation references 14 files total, but only 6 files are provided. Claims of 'login/register pages', 'components/auth/' components, and 'Prisma schema' are not included in the bundle.
- Documentation claims 'Google OAuth' provider is included and configured, but auth.ts imports Google provider without environment variable validation. .env.example references AUTH_GOOGLE_ID/AUTH_GOOGLE_SECRET but no validation or conditional initialization is present.
- PrismaClient instantiation at module level (auth.ts line 9) without connection pooling or proper cleanup. In serverless environments, this will cause connection exhaustion. No prisma.disconnect() on shutdown.
- No validation that AUTH_SECRET is properly set or meets minimum length requirements (docs claim 32+ chars). NextAuth will fail silently or use weak defaults if missing.
Suggestions (10)
- Add environment variable validation on NextAuth initialization. Check AUTH_SECRET length, required provider credentials, and DATABASE_URL format before instantiation.
- Wrap PrismaClient in singleton pattern with proper lifecycle management for serverless environments. See Prisma best practices for serverless.
- Add try-catch around prisma.user.findUnique() and bcrypt.compare() in credentials authorize callback. Return null on any error to fail gracefully.
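The environment-variable step above and the first suggestion both come down to the same check: refuse to construct NextAuth until the secret, the provider credentials and the database URL are known to be sane. The block below is an added example written for this listing, not code from the scaffold or from AgentBay. It assumes that Auth.js v5 reads AUTH_SECRET (with NEXTAUTH_SECRET accepted only as a fallback, as the first finding describes), that the GitHub credentials are mandatory while Google is enabled only when both AUTH_GOOGLE_ID and AUTH_GOOGLE_SECRET are present, and that DATABASE_URL must parse as a URL with one of the schemes listed in the code. The function names, the sample environments and the 32-character minimum are this example's own choices (the minimum follows the length the listing's docs claim).

```typescript
// Added example (not part of the scaffold): validate the auth-related environment
// before NextAuth() is constructed in src/lib/auth.ts. It is a pure function over a
// plain object, so it can be unit-tested without Next.js or a database.
// Assumptions: Auth.js v5 reads AUTH_SECRET (NEXTAUTH_SECRET accepted as a fallback),
// GitHub credentials are mandatory, Google is enabled only when both halves are set,
// and DATABASE_URL must be a URL using one of the schemes in DB_SCHEMES.

export interface AuthEnvReport {
  ok: boolean;
  errors: string[];
  warnings: string[];
  providers: { github: boolean; google: boolean };
}

export const MIN_SECRET_LENGTH = 32; // the listing's docs state 32+ characters
// Schemes Prisma connection strings commonly use (assumption; extend for your datasource)
const DB_SCHEMES = new Set(["postgresql:", "postgres:", "mysql:", "sqlite:", "file:"]);
// Values copied verbatim from documentation examples; never acceptable as a real secret
const PLACEHOLDERS = /^(your-secret|changeme|xxx+|secret)$/i;

function isSet(v: string | undefined): v is string {
  return typeof v === "string" && v.trim().length > 0;
}

export function validateAuthEnv(env: Record<string, string | undefined>): AuthEnvReport {
  const errors: string[] = [];
  const warnings: string[] = [];

  // Secret: present, long enough, and not a documentation placeholder
  const secret = isSet(env.AUTH_SECRET) ? env.AUTH_SECRET : env.NEXTAUTH_SECRET;
  if (!isSet(secret)) {
    errors.push("AUTH_SECRET (or NEXTAUTH_SECRET) is not set");
  } else {
    if (!isSet(env.AUTH_SECRET)) {
      warnings.push("only NEXTAUTH_SECRET is set; Auth.js v5 reads AUTH_SECRET, so set that name too");
    }
    if (secret.length < MIN_SECRET_LENGTH) {
      errors.push(`AUTH_SECRET is ${secret.length} characters; at least ${MIN_SECRET_LENGTH} required`);
    }
    if (PLACEHOLDERS.test(secret)) {
      errors.push("AUTH_SECRET is a placeholder value; generate a random one");
    }
  }

  // GitHub provider is required by this scaffold: both halves must be present
  const github = isSet(env.GITHUB_CLIENT_ID) && isSet(env.GITHUB_CLIENT_SECRET);
  if (!github) errors.push("GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET are both required");

  // Google provider is optional: enable only when fully configured, reject a half-configured pair
  const hasGoogleId = isSet(env.AUTH_GOOGLE_ID);
  const hasGoogleSecret = isSet(env.AUTH_GOOGLE_SECRET);
  if (hasGoogleId !== hasGoogleSecret) {
    errors.push("AUTH_GOOGLE_ID and AUTH_GOOGLE_SECRET must be set together");
  }
  const google = hasGoogleId && hasGoogleSecret;

  // Database URL must parse and use a known scheme, so Prisma fails at startup, not at first login
  if (!isSet(env.DATABASE_URL)) {
    errors.push("DATABASE_URL is not set");
  } else {
    try {
      const scheme = new URL(env.DATABASE_URL).protocol;
      if (!DB_SCHEMES.has(scheme)) errors.push(`DATABASE_URL scheme "${scheme}" is not recognised`);
    } catch {
      errors.push("DATABASE_URL is not a valid URL");
    }
  }

  return { ok: errors.length === 0, errors, warnings, providers: { github, google } };
}

// Constructed sample environments (not real credentials) showing both outcomes.
export const SAMPLE_GOOD_ENV: Record<string, string | undefined> = {
  AUTH_SECRET: "0123456789abcdef0123456789abcdef", // 32 chars, constructed
  GITHUB_CLIENT_ID: "gh-client-id-constructed",
  GITHUB_CLIENT_SECRET: "gh-client-secret-constructed",
  DATABASE_URL: "postgresql://app:pw@localhost:5432/app",
};
export const SAMPLE_BAD_ENV: Record<string, string | undefined> = {
  NEXTAUTH_SECRET: "your-secret",              // wrong name for v5, too short, placeholder
  GITHUB_CLIENT_ID: "gh-client-id-constructed", // secret half missing
  AUTH_GOOGLE_ID: "google-id-constructed",      // secret half missing
  DATABASE_URL: "not a url",
};

// How auth.ts would use it: abort startup with the full error list instead of a silent misconfig.
export function assertAuthEnv(env: Record<string, string | undefined>): AuthEnvReport {
  const report = validateAuthEnv(env);
  if (!report.ok) throw new Error("auth env invalid:\n- " + report.errors.join("\n- "));
  return report;
}
```

Call assertAuthEnv(process.env) at the top of src/lib/auth.ts and pass report.providers into the provider list, adding Google only when report.providers.google is true; that turns the half-configured Google case from the third finding into a startup error, and the secret check from the fifth finding into one that reports every problem at once rather than the first.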