createSession called without userId parameter in Email provider + Database sessions (v5.0.0-beta.30) #13346
Description
Adapter type
@auth/mongodb-adapter
Environment
System
CPU: (4) x64 Intel(R) Celeron(R) N5095 @ 2.00GHz
Memory: 2.01 GB / 7.55 GB
Container: Yes
Shell: 5.2.37 - /bin/bash
Binaries:
Node: 20.19.2 - /usr/bin/node
npm: 9.2.0 - /usr/bin/npm
Browsers:
Firefox: 140.6.0esr
Firefox Developer Edition: 140.6.0esr
npmPackages:
@auth/mongodb-adapter: ^3.11.1 => 3.11.1
next: ^16.0.8 => 16.0.8
next-auth: ^5.0.0-beta.30 => 5.0.0-beta.30
react: ^19.2.1 => 19.2.1
Reproduction URL
https://github.com/unitedcolorsofg/nextauth-email-session-bug
Describe the issue
When using NextAuth v5 beta with Email provider and database session strategy, the adapter.createSession() method is called without the userId parameter after email verification, resulting in orphaned sessions that cannot be retrieved and completely broken authentication.
Debug Output
[DEBUG] updateUser called with: { id: "675c1234abcd5678efgh9012", emailVerified: "2024-12-13T..." }
[DEBUG] createSession called with: { sessionToken: "abc123...", expires: "2025-01-12T..." }
// Notice: userId is missing from createSession call
Workaround
Cache the userId from updateUser and inject it into createSession:
let lastUserIdFromUpdate: string | null = null;
export const { handlers, signIn, signOut, auth } = NextAuth({
adapter: {
...baseAdapter,
updateUser: async (user) => {
if (user.id) {
lastUserIdFromUpdate = user.id; // Cache the ID
}
return await baseAdapter.updateUser!(user);
},
createSession: async (session) => {
if (!session.userId && lastUserIdFromUpdate) {
session.userId = lastUserIdFromUpdate; // Inject cached ID
lastUserIdFromUpdate = null;
}
return await baseAdapter.createSession!(session);
},
},
// ...
});
Related Issues
This appears to be part of a broader pattern of adapter issues in v5 beta:
- Type issue in 4.24.8 Adapter #11916 - Type conflicts between next-auth and @auth/core adapter definitions
- ID not beeing created in the database #11124 - User ID not generated in createUser (Drizzle adapter)
All three issues involve missing or incorrectly passed ID parameters in adapter methods, suggesting incomplete adapter contracts in v5 beta.
Additional Context
This bug only affects the Email provider + Database sessions combination.
How to reproduce
-
Configure NextAuth with Email provider and database sessions:
export const { handlers, signIn, signOut, auth } = NextAuth({
adapter: MongoDBAdapter(clientPromise),
providers: [EmailProvider({ /* ... */ })],
session: { strategy: 'database' },
}); -
User requests magic link via email
-
User clicks verification link
-
NextAuth calls adapter.updateUser() with correct user ID
-
NextAuth then calls adapter.createSession() without userId parameter
-
Session is created in database but userId field is null/undefined
-
Authentication fails - getSessionAndUser() cannot link session to user
Expected behavior
adapter.createSession(session) should receive a session object with the userId field populated, allowing the session to be linked to the authenticated user.
Actual Behavior
adapter.createSession(session) is called with a session object where userId is undefined, creating an orphaned session that cannot be retrieved by getSessionAndUser().