nextauth-security
Install: claude install-skill hlsitechio/claude-skills-security
# NextAuth.js / Auth.js Security Audit
Audit applications using NextAuth.js (now Auth.js). Covers v4 (next-auth) and v5 (Auth.js).
## When this skill applies
- Reviewing the auth configuration object (providers, callbacks, pages)
- Auditing JWT vs database session setup
- Reviewing callbacks for safety (jwt, session, signIn, redirect)
- Checking OAuth client credentials and provider config
- Auditing custom adapters
## Workflow
Follow `../_shared/audit-workflow.md`. Companion: `nextjs-security` for Next-specific concerns.
### Phase 1: Stack detection
```bash
grep -E '"(next-auth|@auth/.+)":' package.json
# Find the auth config file
# v4 pages router: pages/api/auth/[...nextauth].ts; v4/v5 app router: app/api/auth/[...nextauth]/route.ts
# The brackets must be escaped: an unescaped [...] is a character class to find's -path matcher
find . ! -path '*/node_modules/*' -path '*/api/auth/\[...nextauth\]*' 2>/dev/null
# v5 keeps the real config in a root or src/ auth.ts (optionally split into auth.config.ts)
find . ! -path '*/node_modules/*' \( -name 'auth.ts' -o -name 'auth.config.ts' \) 2>/dev/null | head
```
Detect the generation before reading further. v4 is `next-auth@4`: an `authOptions` object passed to `NextAuth()` inside the `[...nextauth]` route. v5 (Auth.js) is `next-auth@5` (often `5.0.0-beta.N`): a root `auth.ts` that exports `{ handlers, auth, signIn, signOut }` from `NextAuth({...})`, with the route file only re-exporting `handlers`. `@auth/core` and `@auth/*-adapter` packages appear with both generations, so they do not identify v5 on their own. The config API and env var names differ between the two.
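A small classifier for the v4/v5 decision, as an added example that is not part of the original skill or of NextAuth/Auth.js. It reads the version range declared for `next-auth` in `package.json` (v5 still ships under that package name) and lists `@auth/*` packages separately, because they turn up with both generations. The function names `nextauth_generation` and `auth_packages` are mine; the code assumes POSIX sh with sed and a package.json with one dependency per line.

```shell
#!/bin/sh
# Added example, not part of the original skill. Assumes POSIX sh + sed and a
# package.json formatted one dependency per line (npm/prettier default).

# Print v4, v5, none, or unknown:<range> for the given package.json.
# v5 is still published as next-auth (5.x, typically 5.0.0-beta.N), so the
# major component of the declared range is what separates the generations.
nextauth_generation() {
  pkg="${1:-package.json}"
  [ -f "$pkg" ] || { echo "none"; return 0; }
  # Capture the range string from a line like   "next-auth": "^4.24.7",
  range=$(sed -n 's/.*"next-auth"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1)
  [ -n "$range" ] || { echo "none"; return 0; }
  # Drop range operators (^, ~, >=) and everything after the major number
  major=$(printf '%s' "$range" | sed 's/^[^0-9]*//; s/[^0-9].*//')
  case "$major" in
    4) echo "v4" ;;
    5) echo "v5" ;;
    *) echo "unknown:$range" ;;   # dist-tags such as "latest" or "beta" land here
  esac
}

# List @auth/* packages (core, adapters, other framework bindings). These
# appear with v4 and v5 alike, so they are inventory, not a generation signal.
auth_packages() {
  sed -n 's/.*"\(@auth\/[^"]*\)"[[:space:]]*:.*/\1/p' "${1:-package.json}"
}

# Demo on a constructed package.json (not taken from any real project).
demo_dir=$(mktemp -d)
cat > "$demo_dir/package.json" <<'EOF'
{
  "dependencies": {
    "next": "14.2.0",
    "next-auth": "5.0.0-beta.25",
    "@auth/prisma-adapter": "^2.0.0"
  }
}
EOF
nextauth_generation "$demo_dir/package.json"   # v5
auth_packages "$demo_dir/package.json"         # @auth/prisma-adapter
rm -rf "$demo_dir"
```

Run it from the repository root with no arguments, or pass a path when auditing a monorepo with several `package.json` files. A result of `unknown:latest` means the lockfile, not the manifest, has to be consulted.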
### Phase 2: Inventory
```bash
# Auth config: v5 root/src auth.ts (+ auth.config.ts), v4 app-router route or pages API file
cat src/auth.ts auth.ts auth.config.ts app/api/auth/\[...nextauth\]/route.ts pages/api/auth/\[...nextauth\].ts 2>/dev/null
# Callbacks (ERE alternation works on GNU and BSD grep; skip node_modules)
grep -rnE --exclude-dir=node_modules --include='*.ts' --include='*.js' 'callbacks:|async jwt|async session|async signIn|async redirect' .
# Providers: v4 named exports (GoogleProvider, ...) and v5 default imports from next-auth/providers/* or @auth/core/providers/*
grep -rnE --exclude-dir=node_modules --include='*.ts' --include='*.js' 'GoogleProvider|GitHubProvider|CredentialsProvider|EmailProvider|next-auth/providers/|@auth/core/providers/' .
# Env vars (a committed .env* holding real values is itself a finding)
grep -E '^NEXTAUTH_|^AUTH_' .env* 2>/dev/null
```
### Phase 3: Detection — the checks
#### Environment / secrets
- **NXA-SEC-1** `NEXTAUTH_SECRET` (v4) or `AUTH_SECRET` (v5, which also falls back to `NEXTAUTH_SECRET`) is set, not hardcoded via the `secret:` config option, and not committed in `.env*`. The secret derives the key that encrypts session JWTs (they are JWEs by default, not merely signed) and is mixed into the CSRF and email verification token hashes, so a guessable or shared value lets an attacker mint sessions. v4 fails with a missing-secret error in production but only warns in development, so a config that works locally can still be unsafe. Generate with `openssl rand -base64 32` (32 random bytes).
- **NXA-SEC-2** `NEXTAUTH_UR
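A check for NXA-SEC-1 that goes beyond "is it set", as an added example that is not part of the original skill or of NextAuth/Auth.js. It reads `AUTH_SECRET` or `NEXTAUTH_SECRET` from an env file, rejects obvious placeholder values, and measures the secret: a valid base64 value (the `openssl rand -base64 32` form) is scored by its decoded length, anything else by its literal length, with 32 bytes as the bar. The function names `read_auth_secret`, `secret_bytes` and `check_auth_secret` and the sample env files are mine; the code assumes POSIX sh, `sed -E`, and a `base64` that accepts `-d` (GNU coreutils).

```shell
#!/bin/sh
# Added example, not part of the original skill. Assumes POSIX sh, sed -E and
# GNU-style `base64 -d`. Env lines are expected as KEY=value or export KEY=value.

# Print the raw secret (quotes and CR stripped), or nothing if the file or key is absent.
# AUTH_SECRET (v5) is taken first when both names are present.
read_auth_secret() {
  envfile="$1"
  [ -f "$envfile" ] || return 0
  sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?(AUTH_SECRET|NEXTAUTH_SECRET)=//p' "$envfile" \
    | head -n 1 | tr -d "\"' \r"
}

# Byte estimate: decoded length for valid base64, literal length otherwise.
# The literal length overstates entropy for a human-chosen string, which is
# why the placeholder check below runs first.
secret_bytes() {
  s="$1"
  if printf '%s' "$s" | base64 -d >/dev/null 2>&1; then
    printf '%s' "$s" | base64 -d | wc -c | tr -d ' '
  else
    printf '%s' "$s" | wc -c | tr -d ' '
  fi
}

# Verdict for an env file: MISSING, WEAK:placeholder, WEAK:<n>bytes or OK:<n>bytes
check_auth_secret() {
  secret=$(read_auth_secret "$1")
  [ -n "$secret" ] || { echo "MISSING"; return 0; }
  lower=$(printf '%s' "$secret" | tr 'A-Z' 'a-z')
  case "$lower" in
    *changeme*|*secret*|*password*|*example*|*replace*|*todo*|*your*)
      echo "WEAK:placeholder"; return 0 ;;
  esac
  n=$(secret_bytes "$secret")
  if [ "$n" -lt 32 ]; then
    echo "WEAK:${n}bytes"
  else
    echo "OK:${n}bytes"
  fi
}

# Demo on constructed env files (the base64 value is a fixed test vector of
# 32 bytes, not a real secret; in a real audit the value must be random).
demo_dir=$(mktemp -d)
printf 'AUTH_SECRET=changeme\n' > "$demo_dir/weak.env"
printf 'NEXTAUTH_SECRET="Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2RlZmdoaWo="\n' > "$demo_dir/ok.env"
check_auth_secret "$demo_dir/weak.env"   # WEAK:placeholder
check_auth_secret "$demo_dir/ok.env"     # OK:32bytes
check_auth_secret "$demo_dir/none.env"   # MISSING
rm -rf "$demo_dir"
```

Run `check_auth_secret` against every `.env*` the inventory step found and against the deployment environment (exported into a temporary file) since the committed file and the runtime value often differ. A passing length does not prove randomness; pair it with a search for the same value in other repositories or environments.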