凭据提供者

凭据提供者允许您处理使用任意凭据进行登录，例如用户名和密码、域名、双因素身份验证或硬件设备（例如 YubiKey U2F / FIDO）。

它旨在支持您需要对现有系统进行用户身份验证的用例，因此以这种方式进行身份验证的用户不会持久存储在数据库中。

资源

客户端输入验证示例

配置

/auth.ts

import NextAuth from "next-auth"
import Credentials from "next-auth/providers/credentials"
 
export const { signIn, signOut, auth } = NextAuth({
  providers: [
    Credentials({
      credentials: {
        username: { label: "Username" },
        password: { label: "Password", type: "password" },
      },
      async authorize({ request }) {
        const response = await fetch(request)
        if (!response.ok) return null
        return (await response.json()) ?? null
      },
    }),
  ],
})

/src/routes/[email protected]

import { QwikAuth$ } from "@auth/qwik"
import Credentials from "@auth/qwik/providers/credentials"
 
export const { onRequest, useSession, useSignIn, useSignOut } = QwikAuth$(
  () => ({
    providers: [
      Credentials({
        credentials: {
          username: { label: "Username" },
          password: { label: "Password", type: "password" },
        },
        async authorize({ request }) {
          const response = await fetch(request)
          if (!response.ok) return null
          return (await response.json()) ?? null
        },
      }),
    ],
  })
)

/src/auth.ts

import { SvelteKitAuth } from "@auth/sveltekit"
import Credentials from "@auth/sveltekit/providers/credentials"
 
export const { handle, signIn, signOut } = SvelteKitAuth({
  providers: [
    Credentials({
      credentials: {
        username: { label: "Username" },
        password: { label: "Password", type: "password" },
      },
      async authorize({ request }) {
        const response = await fetch(request)
        if (!response.ok) return null
        return (await response.json()) ?? null
      },
    }),
  ],
})

/src/app.ts

import { ExpressAuth } from "@auth/express";
import Credentials from "@auth/express/providers/credentials";
 
app.use("/auth/*", ExpressAuth({
  providers: [
    Credentials({
      credentials: {
        username: { label: "Username" },
        password: { label: "Password", type: "password" },
      },
      async authorize({ request }) {
        const response = await fetch(request);
        if (!response.ok) return null;
        return (await response.json()) ?? null;
      },
    }),
  ],
});

自定义错误消息

您可以在 authorize 函数中抛出自定义错误，以向用户返回自定义错误消息。

@/auth.ts

import NextAuth, { CredentialsSignin } from "next-auth"
import Credentials from "next-auth/providers/credentials"
 
class InvalidLoginError extends CredentialsSignin {
  code = "Invalid identifier or password"
}
 
export const { handlers, auth } = NextAuth({
  providers: [
    Credentials({
      credentials: {
        username: { label: "Username" },
        password: { label: "Password", type: "password" },
      },
      async authorize(credentials) {
        throw new InvalidLoginError()
      },
    }),
  ],
})

然后您将在用户在登录尝试失败后返回到的登录页面查询参数中收到该自定义错误代码，例如 https://app.company.com/auth/signin?error=CredentialsSignin&code=Invalid+identifier+or+password。

⚠️

OAuth 提供商投入大量资金、时间和工程努力来构建

滥用检测（机器人防护、速率限制）
密码管理（密码重置、凭据填充、轮换）
数据安全（加密/加盐、强度验证）

以及更多用于身份验证解决方案的功能。您的应用程序很可能会从利用这些经过实战检验的解决方案中获益，而不是尝试从头开始重建它们。

如果您仍然想为您的应用程序构建基于密码的身份验证，尽管存在这些风险，但 Auth.js 允许您完全控制。

Coinbase Descope

凭据提供者

资源

配置

自定义错误消息

关于 Auth.js

下载

致谢