fix(test): improve adapter test suite (#11904)

* chore(test): improve adapter test suite

* update kysely

* tweak invite check

* more tweaks

* mention adapter tests in top section and fix link

Author: balazsorban44

docs/pages/guides/creating-a-database-adapter.mdx

@@ -8,6 +8,8 @@ Auth.js adapters are very flexible, and you can implement only the methods you n
 
 An Auth.js adapter is a function that receives an ORM/database client and returns an object with methods (based on the [`Adapter` interface](/reference/core/adapters#adapter)) that interact with the database. The same database Adapter will be compatible with any Auth.js library.
 
+Optionally, you can run our [Adapter tests](https://github.com/nextauthjs/next-auth/blob/main/packages/utils/adapter.ts) on your adapter to ensure it is compliant with the Auth.js.
+
 ## User management
 
 Auth.js differentiates between users and accounts. A user can have multiple accounts. An account is created for each provider type the user signs in with for the first time. For example, if a user signs in with Google and then with Facebook, they will have two accounts, one for each provider. The first provider the user signs in with will also be used to create the user object. See the [`profile()` provider method](/reference/core/providers#profile).
@@ -146,7 +148,7 @@ See also: [Verification Token](/concepts/database-models#verification-token) mod
 If you created an adapter and want us to distribute it as an official package, please make sure it meets the following requirements. Check out this [existing adapter](https://github.com/nextauthjs/next-auth/tree/main/packages/adapter-prisma) to learn about the package structure, required files, test setup, config, etc.
 
 1. The Adapter _must_ implement all methods of the [`Adapter` interface](/reference/core/adapters#adapter)
-1. [Adapter tests](https://github.com/nextauthjs/next-auth/tree/main/packages/utils/adapter/index.ts) _must_ be included and _must_ pass. Docker is favored over services, to make CI resilient to network errors and to reduce the number of GitHub Action Secrets (which also lets us run these tests in fork PRs)
+1. [Adapter tests](https://github.com/nextauthjs/next-auth/blob/main/packages/utils/adapter.ts) _must_ be included and _must_ pass. Docker is favored over services, to make CI resilient to network errors and to reduce the number of GitHub Action Secrets (which also lets us run these tests in fork PRs)
 1. The Adapter _must_ follow these coding styles
 
    - Written in TypeScript

packages/adapter-kysely/src/index.ts

@@ -186,6 +186,7 @@ export function KyselyAdapter(db: Kysely<Database>): Adapter {
             .selectFrom("VerificationToken")
             .selectAll()
             .where("token", "=", token)
+            .where("identifier", "=", identifier)
             .executeTakeFirst()
             .then(async (res) => {
               await query.executeTakeFirst()

packages/core/src/lib/actions/callback/index.ts

@@ -198,13 +198,13 @@ export async function callback(
 
       return { redirect: callbackUrl, cookies }
     } else if (provider.type === "email") {
-      const token = query?.token as string | undefined
-      const identifier = query?.email as string | undefined
+      const paramToken = query?.token as string | undefined
+      const paramIdentifier = query?.email as string | undefined
 
-      if (!token || !identifier) {
+      if (!paramToken || !paramIdentifier) {
         const e = new TypeError(
           "Missing token or email. The sign-in URL was manually opened without token/identifier or the link was not sent correctly in the email.",
-          { cause: { hasToken: !!token, hasEmail: !!identifier } }
+          { cause: { hasToken: !!paramToken, hasEmail: !!paramIdentifier } }
         )
         e.name = "Configuration"
         throw e
@@ -213,16 +213,18 @@ export async function callback(
       const secret = provider.secret ?? options.secret
       // @ts-expect-error -- Verified in `assertConfig`.
       const invite = await adapter.useVerificationToken({
-        identifier,
-        token: await createHash(`${token}${secret}`),
+        identifier: paramIdentifier, // TODO: Drop this requirement for lookup
+        token: await createHash(`${paramToken}${secret}`),
       })
 
       const hasInvite = !!invite
-      const expired = invite ? invite.expires.valueOf() < Date.now() : undefined
-      const invalidInvite = !hasInvite || expired
+      const expired = hasInvite && invite.expires.valueOf() < Date.now()
+      const invalidInvite =
+        !hasInvite || expired || invite.identifier !== paramIdentifier
       if (invalidInvite) throw new Verification({ hasInvite, expired })
 
-      const user = (await adapter!.getUserByEmail(identifier)) ?? {
+      const { identifier } = invite
+      const user = (await adapter!.getUserByEmail(paramIdentifier)) ?? {
         id: crypto.randomUUID(),
         email: identifier,
         emailVerified: null,

packages/utils/adapter.ts

@@ -1,6 +1,6 @@
 import { afterAll, beforeAll, expect, test } from "vitest"
 
-import type { Adapter } from "@auth/core/adapters"
+import type { Adapter, VerificationToken } from "@auth/core/adapters"
 import { createHash, randomInt, randomUUID } from "crypto"
 
 export interface TestOptions {
@@ -287,7 +287,7 @@ export async function runBasicTests(options: TestOptions) {
       identifier,
       expires:
         options.fixtures?.verificationTokenExpires ?? FIFTEEN_MINUTES_FROM_NOW,
-    }
+    } satisfies VerificationToken
     await adapter.createVerificationToken?.(verificationToken)
 
     const dbVerificationToken1 = await adapter.useVerificationToken?.({
@@ -301,8 +301,26 @@ export async function runBasicTests(options: TestOptions) {
 
     expect(dbVerificationToken1).toEqual(verificationToken)
 
-    const dbVerificationToken2 = await adapter.useVerificationToken?.({
+    const dbVerificationTokenSecondTry = await adapter.useVerificationToken?.({
+      identifier,
+      token: hashedToken,
+    })
+
+    expect(dbVerificationTokenSecondTry).toBeNull()
+
+    // Should only return if the identifier matches
+
+    const verificationToken2 = {
+      token: hashedToken,
       identifier,
+      expires:
+        options.fixtures?.verificationTokenExpires ?? FIFTEEN_MINUTES_FROM_NOW,
+    } satisfies VerificationToken
+
+    await adapter.createVerificationToken?.(verificationToken2)
+
+    const dbVerificationToken2 = await adapter.useVerificationToken?.({
+      identifier: "[email protected]",
       token: hashedToken,
     })