From d7b518f4f1e2a87665c37314d829ce8b4fd8a64d Mon Sep 17 00:00:00 2001
From: Luke Vella <me@lukevella.com>
Date: Thu, 6 Feb 2025 11:34:50 +0700
Subject: [PATCH 01/18] Reorganize provider

---
 apps/web/src/auth.ts                          | 176 ++----------------
 apps/web/src/auth/providers/email.ts          |  40 ++++
 apps/web/src/auth/providers/google.ts         |  11 ++
 apps/web/src/auth/providers/guest.ts          |  14 ++
 apps/web/src/auth/providers/microsoft.ts      |  19 ++
 apps/web/src/auth/providers/oidc.ts           |  34 ++++
 .../src/auth/providers/registration-token.ts  |  47 +++++
 7 files changed, 184 insertions(+), 157 deletions(-)
 create mode 100644 apps/web/src/auth/providers/email.ts
 create mode 100644 apps/web/src/auth/providers/google.ts
 create mode 100644 apps/web/src/auth/providers/guest.ts
 create mode 100644 apps/web/src/auth/providers/microsoft.ts
 create mode 100644 apps/web/src/auth/providers/oidc.ts
 create mode 100644 apps/web/src/auth/providers/registration-token.ts

diff --git a/apps/web/src/auth.ts b/apps/web/src/auth.ts
index 04c9833324a..0c45fb2fbc7 100644
--- a/apps/web/src/auth.ts
+++ b/apps/web/src/auth.ts
@@ -1,172 +1,29 @@
 import { prisma } from "@rallly/database";
 import { posthog } from "@rallly/posthog/server";
-import { absoluteUrl } from "@rallly/utils/absolute-url";
-import { generateOtp, randomid } from "@rallly/utils/nanoid";
 import type {
   GetServerSidePropsContext,
   NextApiRequest,
   NextApiResponse,
 } from "next";
-import type { NextAuthOptions, User } from "next-auth";
+import type { NextAuthOptions } from "next-auth";
 import NextAuth, {
   getServerSession as getServerSessionWithOptions,
 } from "next-auth/next";
-import AzureADProvider from "next-auth/providers/azure-ad";
-import CredentialsProvider from "next-auth/providers/credentials";
-import EmailProvider from "next-auth/providers/email";
-import GoogleProvider from "next-auth/providers/google";
 import type { Provider } from "next-auth/providers/index";
 
-import { env } from "@/env";
-import type { RegistrationTokenPayload } from "@/trpc/types";
-import { getEmailClient } from "@/utils/emails";
-import { getValueByPath } from "@/utils/get-value-by-path";
-import { decryptToken } from "@/utils/session";
-
 import { CustomPrismaAdapter } from "./auth/custom-prisma-adapter";
 import { mergeGuestsIntoUser } from "./auth/merge-user";
-
-const providers: Provider[] = [
-  // When a user registers, we don't want to go through the email verification process
-  // so this provider allows us exchange the registration token for a session token
-  CredentialsProvider({
-    id: "registration-token",
-    name: "Registration Token",
-    credentials: {
-      token: {
-        label: "Token",
-        type: "text",
-      },
-    },
-    async authorize(credentials) {
-      if (credentials?.token) {
-        const payload = await decryptToken<RegistrationTokenPayload>(
-          credentials.token,
-        );
-        if (payload) {
-          const user = await prisma.user.findUnique({
-            where: {
-              email: payload.email,
-            },
-            select: {
-              id: true,
-              email: true,
-              name: true,
-              locale: true,
-              timeFormat: true,
-              timeZone: true,
-              image: true,
-            },
-          });
-
-          if (user) {
-            return user;
-          }
-        }
-      }
-
-      return null;
-    },
-  }),
-  CredentialsProvider({
-    id: "guest",
-    name: "Guest",
-    credentials: {},
-    async authorize() {
-      return {
-        id: `user-${randomid()}`,
-        email: null,
-      };
-    },
-  }),
-  EmailProvider({
-    server: "",
-    from: process.env.NOREPLY_EMAIL,
-    generateVerificationToken() {
-      return generateOtp();
-    },
-    async sendVerificationRequest({ identifier: email, token, url }) {
-      const user = await prisma.user.findUnique({
-        where: {
-          email,
-        },
-        select: {
-          name: true,
-          locale: true,
-        },
-      });
-
-      if (user) {
-        await getEmailClient(user.locale ?? undefined).sendTemplate(
-          "LoginEmail",
-          {
-            to: email,
-            props: {
-              magicLink: absoluteUrl("/auth/login", {
-                magicLink: url,
-              }),
-              code: token,
-            },
-          },
-        );
-      }
-    },
-  }),
-];
-
-// If we have an OAuth provider configured, we add it to the list of providers
-if (
-  process.env.OIDC_DISCOVERY_URL &&
-  process.env.OIDC_CLIENT_ID &&
-  process.env.OIDC_CLIENT_SECRET
-) {
-  providers.push({
-    id: "oidc",
-    name: process.env.OIDC_NAME ?? "OpenID Connect",
-    type: "oauth",
-    wellKnown: process.env.OIDC_DISCOVERY_URL,
-    authorization: { params: { scope: "openid email profile" } },
-    clientId: process.env.OIDC_CLIENT_ID,
-    clientSecret: process.env.OIDC_CLIENT_SECRET,
-    idToken: true,
-    checks: ["state"],
-    allowDangerousEmailAccountLinking: true,
-    profile(profile) {
-      return {
-        id: profile.sub,
-        name: getValueByPath(profile, env.OIDC_NAME_CLAIM_PATH),
-        email: getValueByPath(profile, env.OIDC_EMAIL_CLAIM_PATH),
-        image: getValueByPath(profile, env.OIDC_PICTURE_CLAIM_PATH),
-      } as User;
-    },
-  });
-}
-
-if (process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET) {
-  providers.push(
-    GoogleProvider({
-      clientId: process.env.GOOGLE_CLIENT_ID,
-      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
-      allowDangerousEmailAccountLinking: true,
-    }),
-  );
-}
-
-if (
-  process.env.MICROSOFT_TENANT_ID &&
-  process.env.MICROSOFT_CLIENT_ID &&
-  process.env.MICROSOFT_CLIENT_SECRET
-) {
-  providers.push(
-    AzureADProvider({
-      name: "Microsoft",
-      tenantId: process.env.MICROSOFT_TENANT_ID,
-      clientId: process.env.MICROSOFT_CLIENT_ID,
-      clientSecret: process.env.MICROSOFT_CLIENT_SECRET,
-      wellKnown:
-        "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration",
-    }),
-  );
+import { EmailProvider } from "./auth/providers/email";
+import { GoogleProvider } from "./auth/providers/google";
+import { GuestProvider } from "./auth/providers/guest";
+import { MicrosoftProvider } from "./auth/providers/microsoft";
+import { OIDCProvider } from "./auth/providers/oidc";
+import { RegistrationTokenProvider } from "./auth/providers/registration-token";
+
+function getOptionalProviders() {
+  return [OIDCProvider(), GoogleProvider(), MicrosoftProvider()].filter(
+    Boolean,
+  ) as Provider[];
 }
 
 const getAuthOptions = (...args: GetServerSessionParams) =>
@@ -183,7 +40,12 @@ const getAuthOptions = (...args: GetServerSessionParams) =>
     session: {
       strategy: "jwt",
     },
-    providers: providers,
+    providers: [
+      RegistrationTokenProvider,
+      GuestProvider,
+      EmailProvider,
+      ...getOptionalProviders(),
+    ],
     pages: {
       signIn: "/login",
       verifyRequest: "/login/verify",
@@ -360,7 +222,7 @@ export function getOAuthProviders(): {
   id: string;
   name: string;
 }[] {
-  return providers
+  return getOptionalProviders()
     .filter((provider) => provider.type === "oauth")
     .map((provider) => {
       return {
diff --git a/apps/web/src/auth/providers/email.ts b/apps/web/src/auth/providers/email.ts
new file mode 100644
index 00000000000..69bbf95225c
--- /dev/null
+++ b/apps/web/src/auth/providers/email.ts
@@ -0,0 +1,40 @@
+import { prisma } from "@rallly/database";
+import { absoluteUrl } from "@rallly/utils/absolute-url";
+import { generateOtp } from "@rallly/utils/nanoid";
+import BaseEmailProvider from "next-auth/providers/email";
+
+import { getEmailClient } from "@/utils/emails";
+
+export const EmailProvider = BaseEmailProvider({
+  server: "",
+  from: process.env.NOREPLY_EMAIL,
+  generateVerificationToken() {
+    return generateOtp();
+  },
+  async sendVerificationRequest({ identifier: email, token, url }) {
+    const user = await prisma.user.findUnique({
+      where: {
+        email,
+      },
+      select: {
+        name: true,
+        locale: true,
+      },
+    });
+
+    if (user) {
+      await getEmailClient(user.locale ?? undefined).sendTemplate(
+        "LoginEmail",
+        {
+          to: email,
+          props: {
+            magicLink: absoluteUrl("/auth/login", {
+              magicLink: url,
+            }),
+            code: token,
+          },
+        },
+      );
+    }
+  },
+});
diff --git a/apps/web/src/auth/providers/google.ts b/apps/web/src/auth/providers/google.ts
new file mode 100644
index 00000000000..d344aae9cae
--- /dev/null
+++ b/apps/web/src/auth/providers/google.ts
@@ -0,0 +1,11 @@
+import BaseGoogleProvider from "next-auth/providers/google";
+
+export function GoogleProvider() {
+  if (process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET) {
+    return BaseGoogleProvider({
+      clientId: process.env.GOOGLE_CLIENT_ID,
+      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+      allowDangerousEmailAccountLinking: true,
+    });
+  }
+}
diff --git a/apps/web/src/auth/providers/guest.ts b/apps/web/src/auth/providers/guest.ts
new file mode 100644
index 00000000000..4894a98aaab
--- /dev/null
+++ b/apps/web/src/auth/providers/guest.ts
@@ -0,0 +1,14 @@
+import { randomid } from "@rallly/utils/nanoid";
+import CredentialsProvider from "next-auth/providers/credentials";
+
+export const GuestProvider = CredentialsProvider({
+  id: "guest",
+  name: "Guest",
+  credentials: {},
+  async authorize() {
+    return {
+      id: `user-${randomid()}`,
+      email: null,
+    };
+  },
+});
diff --git a/apps/web/src/auth/providers/microsoft.ts b/apps/web/src/auth/providers/microsoft.ts
new file mode 100644
index 00000000000..2738bf369af
--- /dev/null
+++ b/apps/web/src/auth/providers/microsoft.ts
@@ -0,0 +1,19 @@
+import AzureADProvider from "next-auth/providers/azure-ad";
+
+export function MicrosoftProvider() {
+  if (
+    process.env.MICROSOFT_TENANT_ID &&
+    process.env.MICROSOFT_CLIENT_ID &&
+    process.env.MICROSOFT_CLIENT_SECRET
+  ) {
+    return AzureADProvider({
+      name: "Microsoft",
+      tenantId: process.env.MICROSOFT_TENANT_ID,
+      clientId: process.env.MICROSOFT_CLIENT_ID,
+      clientSecret: process.env.MICROSOFT_CLIENT_SECRET,
+      wellKnown:
+        "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration",
+    });
+  }
+  return null;
+}
diff --git a/apps/web/src/auth/providers/oidc.ts b/apps/web/src/auth/providers/oidc.ts
new file mode 100644
index 00000000000..e6ac62fc1e3
--- /dev/null
+++ b/apps/web/src/auth/providers/oidc.ts
@@ -0,0 +1,34 @@
+import type { User } from "next-auth";
+import type { Provider } from "next-auth/providers/index";
+
+import { env } from "@/env";
+import { getValueByPath } from "@/utils/get-value-by-path";
+
+export const OIDCProvider = () => {
+  if (
+    process.env.OIDC_DISCOVERY_URL &&
+    process.env.OIDC_CLIENT_ID &&
+    process.env.OIDC_CLIENT_SECRET
+  ) {
+    return {
+      id: "oidc",
+      name: process.env.OIDC_NAME ?? "OpenID Connect",
+      type: "oauth",
+      wellKnown: process.env.OIDC_DISCOVERY_URL,
+      authorization: { params: { scope: "openid email profile" } },
+      clientId: process.env.OIDC_CLIENT_ID,
+      clientSecret: process.env.OIDC_CLIENT_SECRET,
+      idToken: true,
+      checks: ["state"],
+      allowDangerousEmailAccountLinking: true,
+      profile(profile) {
+        return {
+          id: profile.sub,
+          name: getValueByPath(profile, env.OIDC_NAME_CLAIM_PATH),
+          email: getValueByPath(profile, env.OIDC_EMAIL_CLAIM_PATH),
+          image: getValueByPath(profile, env.OIDC_PICTURE_CLAIM_PATH),
+        } as User;
+      },
+    } satisfies Provider;
+  }
+};
diff --git a/apps/web/src/auth/providers/registration-token.ts b/apps/web/src/auth/providers/registration-token.ts
new file mode 100644
index 00000000000..c1d2fb56956
--- /dev/null
+++ b/apps/web/src/auth/providers/registration-token.ts
@@ -0,0 +1,47 @@
+import { prisma } from "@rallly/database";
+import CredentialsProvider from "next-auth/providers/credentials";
+
+import type { RegistrationTokenPayload } from "@/trpc/types";
+import { decryptToken } from "@/utils/session";
+
+// When a user registers, we don't want to go through the email verification process
+// so this provider allows us exchange the registration token for a session token
+export const RegistrationTokenProvider = CredentialsProvider({
+  id: "registration-token",
+  name: "Registration Token",
+  credentials: {
+    token: {
+      label: "Token",
+      type: "text",
+    },
+  },
+  async authorize(credentials) {
+    if (credentials?.token) {
+      const payload = await decryptToken<RegistrationTokenPayload>(
+        credentials.token,
+      );
+      if (payload) {
+        const user = await prisma.user.findUnique({
+          where: {
+            email: payload.email,
+          },
+          select: {
+            id: true,
+            email: true,
+            name: true,
+            locale: true,
+            timeFormat: true,
+            timeZone: true,
+            image: true,
+          },
+        });
+
+        if (user) {
+          return user;
+        }
+      }
+    }
+
+    return null;
+  },
+});

From 88b9de5fc2901372cf5ddb5cdce1ae0a80c3b055 Mon Sep 17 00:00:00 2001
From: Luke Vella <me@lukevella.com>
Date: Thu, 6 Feb 2025 15:32:01 +0700
Subject: [PATCH 02/18] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20Upgrade=20to=20lates?=
 =?UTF-8?q?t=20next-auth?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/web/declarations/next-auth.d.ts          |   1 +
 apps/web/package.json                         |   4 +-
 .../profile/delete-account-dialog.tsx         |   2 +-
 .../login/components/login-email-form.tsx     |   4 +-
 .../login/components/login-with-oidc.tsx      |   2 +-
 .../(auth)/login/components/sso-provider.tsx  |   4 +-
 .../src/app/[locale]/(auth)/login/page.tsx    |  36 ++--
 apps/web/src/app/[locale]/layout.tsx          |   4 +-
 .../src/app/api/auth/[...nextauth]/route.ts   |   6 +
 .../api/notifications/unsubscribe/route.ts    |   4 +-
 apps/web/src/app/api/stripe/checkout/route.ts |   4 +-
 apps/web/src/app/api/stripe/portal/route.ts   |   4 +-
 apps/web/src/app/api/trpc/[trpc]/route.ts     |   4 +-
 .../app/api/user/verify-email-change/route.ts |   4 +-
 apps/web/src/auth.ts                          |  17 +-
 .../prisma.ts}                                |  21 ++-
 apps/web/src/auth/get-optional-providers.ts   |  11 ++
 apps/web/src/auth/is-email-blocked.ts         |  19 ++
 apps/web/src/auth/providers/email.ts          |   7 +-
 apps/web/src/auth/providers/microsoft.ts      |   6 +-
 apps/web/src/auth/providers/oidc.ts           |   6 +-
 .../quick-create/lib/get-guest-polls.ts       |   4 +-
 apps/web/src/middleware.ts                    | 104 ++++-------
 apps/web/src/next-auth.confg.ts               |   9 +
 apps/web/src/next-auth.ts                     | 166 ++++++++++++++++++
 apps/web/src/pages/api/auth/[...nextauth].ts  |  14 --
 apps/web/src/trpc/server/create-ssr-helper.ts |   4 +-
 packages/posthog/src/server/index.ts          |   8 +
 yarn.lock                                     | 138 +++++++--------
 29 files changed, 386 insertions(+), 231 deletions(-)
 create mode 100644 apps/web/src/app/api/auth/[...nextauth]/route.ts
 rename apps/web/src/auth/{custom-prisma-adapter.ts => adapters/prisma.ts} (69%)
 create mode 100644 apps/web/src/auth/get-optional-providers.ts
 create mode 100644 apps/web/src/auth/is-email-blocked.ts
 create mode 100644 apps/web/src/next-auth.confg.ts
 create mode 100644 apps/web/src/next-auth.ts
 delete mode 100644 apps/web/src/pages/api/auth/[...nextauth].ts

diff --git a/apps/web/declarations/next-auth.d.ts b/apps/web/declarations/next-auth.d.ts
index cfcdd3bfaee..9f5f276a164 100644
--- a/apps/web/declarations/next-auth.d.ts
+++ b/apps/web/declarations/next-auth.d.ts
@@ -20,6 +20,7 @@ declare module "next-auth" {
   }
 
   interface User extends DefaultUser {
+    id: string;
     locale?: string | null;
     timeZone?: string | null;
     timeFormat?: TimeFormat | null;
diff --git a/apps/web/package.json b/apps/web/package.json
index 8632f442eb6..4588f352eb5 100644
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -18,7 +18,7 @@
     "docker:start": "./scripts/docker-start.sh"
   },
   "dependencies": {
-    "@auth/prisma-adapter": "^1.0.3",
+    "@auth/prisma-adapter": "^2.7.4",
     "@aws-sdk/client-s3": "^3.645.0",
     "@aws-sdk/s3-request-presigner": "^3.645.0",
     "@hookform/resolvers": "^3.3.1",
@@ -67,7 +67,7 @@
     "lucide-react": "^0.387.0",
     "micro": "^10.0.1",
     "nanoid": "^5.0.9",
-    "next-auth": "^4.24.5",
+    "next-auth": "^5.0.0-beta.25",
     "next-i18next": "^13.0.3",
     "php-serialize": "^4.1.1",
     "postcss": "^8.4.31",
diff --git a/apps/web/src/app/[locale]/(admin)/settings/profile/delete-account-dialog.tsx b/apps/web/src/app/[locale]/(admin)/settings/profile/delete-account-dialog.tsx
index b4503d09760..a291862414b 100644
--- a/apps/web/src/app/[locale]/(admin)/settings/profile/delete-account-dialog.tsx
+++ b/apps/web/src/app/[locale]/(admin)/settings/profile/delete-account-dialog.tsx
@@ -38,7 +38,7 @@ export function DeleteAccountDialog({
     onSuccess() {
       posthog?.capture("delete account");
       signOut({
-        callbackUrl: "/login",
+        redirectTo: "/login",
       });
     },
   });
diff --git a/apps/web/src/app/[locale]/(auth)/login/components/login-email-form.tsx b/apps/web/src/app/[locale]/(auth)/login/components/login-email-form.tsx
index b0e4e9de238..eac42707025 100644
--- a/apps/web/src/app/[locale]/(auth)/login/components/login-email-form.tsx
+++ b/apps/web/src/app/[locale]/(auth)/login/components/login-email-form.tsx
@@ -53,13 +53,13 @@ export function LoginWithEmailForm() {
           if (doesExist) {
             await signIn("email", {
               email: identifier,
-              callbackUrl: searchParams?.get("callbackUrl") ?? undefined,
+              redirectTo: searchParams?.get("callbackUrl") ?? undefined,
               redirect: false,
             });
             // redirect to verify page with callbackUrl
             router.push(
               `/login/verify?callbackUrl=${encodeURIComponent(
-                searchParams?.get("callbackUrl") ?? "",
+                searchParams?.get("callbac`kUrl") ?? "",
               )}`,
             );
           } else {
diff --git a/apps/web/src/app/[locale]/(auth)/login/components/login-with-oidc.tsx b/apps/web/src/app/[locale]/(auth)/login/components/login-with-oidc.tsx
index 67f9bd237f5..083124ddb78 100644
--- a/apps/web/src/app/[locale]/(auth)/login/components/login-with-oidc.tsx
+++ b/apps/web/src/app/[locale]/(auth)/login/components/login-with-oidc.tsx
@@ -15,7 +15,7 @@ export async function LoginWithOIDC({
     <Button
       onClick={() => {
         signIn("oidc", {
-          callbackUrl,
+          redirectTo: callbackUrl,
         });
       }}
       variant="link"
diff --git a/apps/web/src/app/[locale]/(auth)/login/components/sso-provider.tsx b/apps/web/src/app/[locale]/(auth)/login/components/sso-provider.tsx
index e7934691d43..cf3ff306fdd 100644
--- a/apps/web/src/app/[locale]/(auth)/login/components/sso-provider.tsx
+++ b/apps/web/src/app/[locale]/(auth)/login/components/sso-provider.tsx
@@ -15,7 +15,7 @@ function SSOImage({ provider }: { provider: string }) {
     );
   }
 
-  if (provider === "azure-ad") {
+  if (provider === "microsoft-entra-id") {
     return (
       <Image
         src="/static/microsoft.svg"
@@ -58,7 +58,7 @@ export function SSOProvider({
       key={providerId}
       onClick={() => {
         signIn(providerId, {
-          callbackUrl,
+          redirectTo: callbackUrl,
         });
       }}
     >
diff --git a/apps/web/src/app/[locale]/(auth)/login/page.tsx b/apps/web/src/app/[locale]/(auth)/login/page.tsx
index 94a518ae82c..34c2ba8a50e 100644
--- a/apps/web/src/app/[locale]/(auth)/login/page.tsx
+++ b/apps/web/src/app/[locale]/(auth)/login/page.tsx
@@ -1,7 +1,10 @@
 import Link from "next/link";
 import { Trans } from "react-i18next/TransWithoutContext";
 
-import { getOAuthProviders } from "@/auth";
+import { getOptionalProviders } from "@/auth/get-optional-providers";
+import { GoogleProvider } from "@/auth/providers/google";
+import { MicrosoftProvider } from "@/auth/providers/microsoft";
+import { OIDCProvider } from "@/auth/providers/oidc";
 import { getTranslation } from "@/i18n/server";
 
 import {
@@ -26,16 +29,15 @@ export default async function LoginPage({
   };
 }) {
   const { t } = await getTranslation();
-  const oAuthProviders = getOAuthProviders();
+  const oAuthProviders = getOptionalProviders().map((provider) => ({
+    id: provider.options,
+    name: provider.name,
+  }));
 
   const hasAlternateLoginMethods = oAuthProviders.length > 0;
 
-  const oidcProvider = oAuthProviders.find(
-    (provider) => provider.id === "oidc",
-  );
-  const socialProviders = oAuthProviders.filter(
-    (provider) => provider.id !== "oidc",
-  );
+  const oidcProvider = OIDCProvider();
+  const socialProviders = [GoogleProvider(), MicrosoftProvider()];
 
   return (
     <AuthPageContainer>
@@ -63,14 +65,16 @@ export default async function LoginPage({
         ) : null}
         {socialProviders ? (
           <div className="grid gap-4">
-            {socialProviders.map((provider) => (
-              <SSOProvider
-                key={provider.id}
-                providerId={provider.id}
-                name={provider.name}
-                callbackUrl={searchParams?.callbackUrl}
-              />
-            ))}
+            {socialProviders.map((provider) =>
+              provider ? (
+                <SSOProvider
+                  key={provider.id}
+                  providerId={provider.id}
+                  name={provider.options?.name || provider.name}
+                  callbackUrl={searchParams?.callbackUrl}
+                />
+              ) : null,
+            )}
           </div>
         ) : null}
       </AuthPageContent>
diff --git a/apps/web/src/app/[locale]/layout.tsx b/apps/web/src/app/[locale]/layout.tsx
index e33e6ddac8d..2101e9c85ca 100644
--- a/apps/web/src/app/[locale]/layout.tsx
+++ b/apps/web/src/app/[locale]/layout.tsx
@@ -8,8 +8,8 @@ import React from "react";
 
 import { TimeZoneChangeDetector } from "@/app/[locale]/timezone-change-detector";
 import { Providers } from "@/app/providers";
-import { getServerSession } from "@/auth";
 import { SessionProvider } from "@/auth/session-provider";
+import { auth } from "@/next-auth";
 
 const inter = Inter({
   subsets: ["latin"],
@@ -30,7 +30,7 @@ export default async function Root({
   children: React.ReactNode;
   params: { locale: string };
 }) {
-  const session = await getServerSession();
+  const session = await auth();
 
   return (
     <html lang={locale} className={inter.className}>
diff --git a/apps/web/src/app/api/auth/[...nextauth]/route.ts b/apps/web/src/app/api/auth/[...nextauth]/route.ts
new file mode 100644
index 00000000000..ea0b83b3e28
--- /dev/null
+++ b/apps/web/src/app/api/auth/[...nextauth]/route.ts
@@ -0,0 +1,6 @@
+import { withPosthog } from "@rallly/posthog/server";
+
+import { handlers } from "@/next-auth";
+
+export const GET = withPosthog(handlers.GET);
+export const POST = withPosthog(handlers.POST);
diff --git a/apps/web/src/app/api/notifications/unsubscribe/route.ts b/apps/web/src/app/api/notifications/unsubscribe/route.ts
index 34106b42f86..09755b616e3 100644
--- a/apps/web/src/app/api/notifications/unsubscribe/route.ts
+++ b/apps/web/src/app/api/notifications/unsubscribe/route.ts
@@ -3,7 +3,7 @@ import { cookies } from "next/headers";
 import type { NextRequest } from "next/server";
 import { NextResponse } from "next/server";
 
-import { getServerSession } from "@/auth";
+import { auth } from "@/next-auth";
 import type { DisableNotificationsPayload } from "@/trpc/types";
 import { decryptToken } from "@/utils/session";
 
@@ -14,7 +14,7 @@ export const GET = async (req: NextRequest) => {
     return NextResponse.redirect(new URL("/login", req.url));
   }
 
-  const session = await getServerSession();
+  const session = await auth();
 
   if (!session || !session.user?.email) {
     return NextResponse.redirect(new URL("/login", req.url));
diff --git a/apps/web/src/app/api/stripe/checkout/route.ts b/apps/web/src/app/api/stripe/checkout/route.ts
index 443517d6c5e..56bb2ab27d5 100644
--- a/apps/web/src/app/api/stripe/checkout/route.ts
+++ b/apps/web/src/app/api/stripe/checkout/route.ts
@@ -5,7 +5,7 @@ import type { NextRequest } from "next/server";
 import { NextResponse } from "next/server";
 import { z } from "zod";
 
-import { getServerSession } from "@/auth";
+import { auth } from "@/next-auth";
 
 const inputSchema = z.object({
   period: z.enum(["monthly", "yearly"]).optional(),
@@ -14,7 +14,7 @@ const inputSchema = z.object({
 });
 
 export async function POST(request: NextRequest) {
-  const userSession = await getServerSession();
+  const userSession = await auth();
   const formData = await request.formData();
   const { period = "monthly", return_path } = inputSchema.parse(
     Object.fromEntries(formData.entries()),
diff --git a/apps/web/src/app/api/stripe/portal/route.ts b/apps/web/src/app/api/stripe/portal/route.ts
index d23dea9312e..ef6b88f227e 100644
--- a/apps/web/src/app/api/stripe/portal/route.ts
+++ b/apps/web/src/app/api/stripe/portal/route.ts
@@ -5,7 +5,7 @@ import * as Sentry from "@sentry/nextjs";
 import type { NextRequest } from "next/server";
 import { NextResponse } from "next/server";
 
-import { getServerSession } from "@/auth";
+import { auth } from "@/next-auth";
 
 export async function GET(request: NextRequest) {
   const sessionId = request.nextUrl.searchParams.get("session_id");
@@ -32,7 +32,7 @@ export async function GET(request: NextRequest) {
       );
     }
   } else {
-    const userSession = await getServerSession();
+    const userSession = await auth();
     if (!userSession?.user || userSession.user.email === null) {
       Sentry.captureException(new Error("User not logged in"));
       return NextResponse.json(
diff --git a/apps/web/src/app/api/trpc/[trpc]/route.ts b/apps/web/src/app/api/trpc/[trpc]/route.ts
index b9bc7bf6fdd..5e440ffc28b 100644
--- a/apps/web/src/app/api/trpc/[trpc]/route.ts
+++ b/apps/web/src/app/api/trpc/[trpc]/route.ts
@@ -4,7 +4,7 @@ import { ipAddress } from "@vercel/functions";
 import type { NextRequest } from "next/server";
 
 import { getLocaleFromHeader } from "@/app/guest";
-import { getServerSession } from "@/auth";
+import { auth } from "@/next-auth";
 import type { TRPCContext } from "@/trpc/context";
 import { appRouter } from "@/trpc/routers";
 import { getEmailClient } from "@/utils/emails";
@@ -15,7 +15,7 @@ const handler = (req: NextRequest) => {
     req,
     router: appRouter,
     createContext: async () => {
-      const session = await getServerSession();
+      const session = await auth();
       const locale = await getLocaleFromHeader(req);
       const user = session?.user
         ? {
diff --git a/apps/web/src/app/api/user/verify-email-change/route.ts b/apps/web/src/app/api/user/verify-email-change/route.ts
index 42d3e282056..9ebe60d6fe8 100644
--- a/apps/web/src/app/api/user/verify-email-change/route.ts
+++ b/apps/web/src/app/api/user/verify-email-change/route.ts
@@ -3,7 +3,7 @@ import { cookies } from "next/headers";
 import type { NextRequest } from "next/server";
 import { NextResponse } from "next/server";
 
-import { getServerSession } from "@/auth";
+import { auth } from "@/next-auth";
 import { decryptToken } from "@/utils/session";
 
 type EmailChangePayload = {
@@ -50,7 +50,7 @@ export const GET = async (request: NextRequest) => {
     return NextResponse.json({ error: "No token provided" }, { status: 400 });
   }
 
-  const session = await getServerSession();
+  const session = await auth();
 
   if (!session?.user || !session.user.email) {
     return NextResponse.redirect(
diff --git a/apps/web/src/auth.ts b/apps/web/src/auth.ts
index 0c45fb2fbc7..10acd80d616 100644
--- a/apps/web/src/auth.ts
+++ b/apps/web/src/auth.ts
@@ -5,13 +5,9 @@ import type {
   NextApiRequest,
   NextApiResponse,
 } from "next";
-import type { NextAuthOptions } from "next-auth";
-import NextAuth, {
-  getServerSession as getServerSessionWithOptions,
-} from "next-auth/next";
-import type { Provider } from "next-auth/providers/index";
+import type { OAuthProviderType } from "next-auth/providers";
 
-import { CustomPrismaAdapter } from "./auth/custom-prisma-adapter";
+import { CustomPrismaAdapter } from "./auth/adapters/prisma";
 import { mergeGuestsIntoUser } from "./auth/merge-user";
 import { EmailProvider } from "./auth/providers/email";
 import { GoogleProvider } from "./auth/providers/google";
@@ -23,12 +19,12 @@ import { RegistrationTokenProvider } from "./auth/providers/registration-token";
 function getOptionalProviders() {
   return [OIDCProvider(), GoogleProvider(), MicrosoftProvider()].filter(
     Boolean,
-  ) as Provider[];
+  ) as OAuthProviderType[];
 }
 
 const getAuthOptions = (...args: GetServerSessionParams) =>
   ({
-    adapter: CustomPrismaAdapter(prisma, {
+    adapter: CustomPrismaAdapter({
       migrateData: async (userId) => {
         const session = await getServerSession(...args);
         if (session?.user && session.user.email === null) {
@@ -193,11 +189,6 @@ export async function getServerSession(...args: GetServerSessionParams) {
   return await getServerSessionWithOptions(...args, getAuthOptions(...args));
 }
 
-export async function AuthApiRoute(req: NextApiRequest, res: NextApiResponse) {
-  const authOptions = getAuthOptions(req, res);
-  return NextAuth(req, res, authOptions);
-}
-
 export const isEmailBlocked = (email: string) => {
   if (process.env.ALLOWED_EMAILS) {
     const allowedEmails = process.env.ALLOWED_EMAILS.split(",");
diff --git a/apps/web/src/auth/custom-prisma-adapter.ts b/apps/web/src/auth/adapters/prisma.ts
similarity index 69%
rename from apps/web/src/auth/custom-prisma-adapter.ts
rename to apps/web/src/auth/adapters/prisma.ts
index 433d881d639..56cd58c20ab 100644
--- a/apps/web/src/auth/custom-prisma-adapter.ts
+++ b/apps/web/src/auth/adapters/prisma.ts
@@ -10,19 +10,18 @@
  * See: https://github.com/lukevella/rallly/issues/949
  */
 import { PrismaAdapter } from "@auth/prisma-adapter";
-import type { ExtendedPrismaClient, PrismaClient } from "@rallly/database";
-import type { Adapter, AdapterAccount } from "next-auth/adapters";
+import { prisma } from "@rallly/database";
+import type { Adapter } from "next-auth/adapters";
 
-export function CustomPrismaAdapter(
-  client: ExtendedPrismaClient,
-  options: { migrateData: (userId: string) => Promise<void> },
-) {
-  const adapter = PrismaAdapter(client as PrismaClient);
+export function CustomPrismaAdapter(options: {
+  migrateData: (userId: string) => Promise<void>;
+}) {
+  const adapter = PrismaAdapter(prisma);
   return {
     ...adapter,
-    linkAccount: async (account: AdapterAccount) => {
+    linkAccount: async (account) => {
       await options.migrateData(account.userId);
-      return (await client.account.create({
+      return prisma.account.create({
         data: {
           userId: account.userId,
           type: account.type,
@@ -36,7 +35,7 @@ export function CustomPrismaAdapter(
           scope: account.scope as string,
           session_state: account.session_state as string,
         },
-      })) as AdapterAccount;
+      });
     },
-  } satisfies Adapter;
+  } as Adapter;
 }
diff --git a/apps/web/src/auth/get-optional-providers.ts b/apps/web/src/auth/get-optional-providers.ts
new file mode 100644
index 00000000000..722c426fc2e
--- /dev/null
+++ b/apps/web/src/auth/get-optional-providers.ts
@@ -0,0 +1,11 @@
+import type { Provider } from "next-auth/providers/index";
+
+import { GoogleProvider } from "./providers/google";
+import { MicrosoftProvider } from "./providers/microsoft";
+import { OIDCProvider } from "./providers/oidc";
+
+export function getOptionalProviders() {
+  return [OIDCProvider(), GoogleProvider(), MicrosoftProvider()].filter(
+    Boolean,
+  ) as Provider[];
+}
diff --git a/apps/web/src/auth/is-email-blocked.ts b/apps/web/src/auth/is-email-blocked.ts
new file mode 100644
index 00000000000..6fe6a90847b
--- /dev/null
+++ b/apps/web/src/auth/is-email-blocked.ts
@@ -0,0 +1,19 @@
+export const isEmailBlocked = (email: string) => {
+  if (process.env.ALLOWED_EMAILS) {
+    const allowedEmails = process.env.ALLOWED_EMAILS.split(",");
+    // Check whether the email matches enough of the patterns specified in ALLOWED_EMAILS
+    const isAllowed = allowedEmails.some((allowedEmail) => {
+      const regex = new RegExp(
+        `^${allowedEmail
+          .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
+          .replaceAll(/[*]/g, ".*")}$`,
+      );
+      return regex.test(email);
+    });
+
+    if (!isAllowed) {
+      return true;
+    }
+  }
+  return false;
+};
diff --git a/apps/web/src/auth/providers/email.ts b/apps/web/src/auth/providers/email.ts
index 69bbf95225c..59db1f48d55 100644
--- a/apps/web/src/auth/providers/email.ts
+++ b/apps/web/src/auth/providers/email.ts
@@ -1,13 +1,14 @@
 import { prisma } from "@rallly/database";
 import { absoluteUrl } from "@rallly/utils/absolute-url";
 import { generateOtp } from "@rallly/utils/nanoid";
-import BaseEmailProvider from "next-auth/providers/email";
+import NodemailerProvider from "next-auth/providers/nodemailer";
 
 import { getEmailClient } from "@/utils/emails";
 
-export const EmailProvider = BaseEmailProvider({
-  server: "",
+export const EmailProvider = NodemailerProvider({
+  server: "none", // This value is required even though we don't need it
   from: process.env.NOREPLY_EMAIL,
+  id: "email",
   generateVerificationToken() {
     return generateOtp();
   },
diff --git a/apps/web/src/auth/providers/microsoft.ts b/apps/web/src/auth/providers/microsoft.ts
index 2738bf369af..981733d2e2e 100644
--- a/apps/web/src/auth/providers/microsoft.ts
+++ b/apps/web/src/auth/providers/microsoft.ts
@@ -1,4 +1,4 @@
-import AzureADProvider from "next-auth/providers/azure-ad";
+import MicrosoftEntraID from "next-auth/providers/microsoft-entra-id";
 
 export function MicrosoftProvider() {
   if (
@@ -6,14 +6,12 @@ export function MicrosoftProvider() {
     process.env.MICROSOFT_CLIENT_ID &&
     process.env.MICROSOFT_CLIENT_SECRET
   ) {
-    return AzureADProvider({
+    return MicrosoftEntraID({
       name: "Microsoft",
-      tenantId: process.env.MICROSOFT_TENANT_ID,
       clientId: process.env.MICROSOFT_CLIENT_ID,
       clientSecret: process.env.MICROSOFT_CLIENT_SECRET,
       wellKnown:
         "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration",
     });
   }
-  return null;
 }
diff --git a/apps/web/src/auth/providers/oidc.ts b/apps/web/src/auth/providers/oidc.ts
index e6ac62fc1e3..c7732e89639 100644
--- a/apps/web/src/auth/providers/oidc.ts
+++ b/apps/web/src/auth/providers/oidc.ts
@@ -1,5 +1,5 @@
 import type { User } from "next-auth";
-import type { Provider } from "next-auth/providers/index";
+import type { OIDCConfig } from "next-auth/providers/index";
 
 import { env } from "@/env";
 import { getValueByPath } from "@/utils/get-value-by-path";
@@ -13,7 +13,7 @@ export const OIDCProvider = () => {
     return {
       id: "oidc",
       name: process.env.OIDC_NAME ?? "OpenID Connect",
-      type: "oauth",
+      type: "oidc",
       wellKnown: process.env.OIDC_DISCOVERY_URL,
       authorization: { params: { scope: "openid email profile" } },
       clientId: process.env.OIDC_CLIENT_ID,
@@ -29,6 +29,6 @@ export const OIDCProvider = () => {
           image: getValueByPath(profile, env.OIDC_PICTURE_CLAIM_PATH),
         } as User;
       },
-    } satisfies Provider;
+    } satisfies OIDCConfig<Record<string, unknown>>;
   }
 };
diff --git a/apps/web/src/features/quick-create/lib/get-guest-polls.ts b/apps/web/src/features/quick-create/lib/get-guest-polls.ts
index a08d2f95b17..9d4a828f2b3 100644
--- a/apps/web/src/features/quick-create/lib/get-guest-polls.ts
+++ b/apps/web/src/features/quick-create/lib/get-guest-polls.ts
@@ -1,9 +1,9 @@
 import { prisma } from "@rallly/database";
 
-import { getServerSession } from "@/auth";
+import { auth } from "@/next-auth";
 
 export async function getGuestPolls() {
-  const session = await getServerSession();
+  const session = await auth();
   const user = session?.user;
   const guestId = !user?.email ? user?.id : null;
 
diff --git a/apps/web/src/middleware.ts b/apps/web/src/middleware.ts
index 8176d6f2a6b..5a3091edb18 100644
--- a/apps/web/src/middleware.ts
+++ b/apps/web/src/middleware.ts
@@ -1,10 +1,12 @@
 import languages from "@rallly/languages";
 import { withPostHog } from "@rallly/posthog/next/middleware";
 import { NextResponse } from "next/server";
-import withAuth from "next-auth/middleware";
+import NextAuth from "next-auth";
 
 import { getLocaleFromHeader } from "@/app/guest";
-import { isSelfHosted } from "@/utils/constants";
+import { nextAuthConfig } from "@/next-auth.confg";
+
+const { auth } = NextAuth(nextAuthConfig);
 
 const supportedLocales = Object.keys(languages);
 
@@ -20,78 +22,50 @@ if (process.env.QUICK_CREATE_ENABLED === "true") {
   publicRoutes.push("/quick-create", "/new");
 }
 
-export const middleware = withAuth(
-  async function middleware(req) {
-    const { nextUrl } = req;
-    const newUrl = nextUrl.clone();
+export default auth(async (req) => {
+  const { nextUrl } = req;
+  const newUrl = nextUrl.clone();
 
-    const isLoggedIn = req.nextauth.token?.email;
-    // set x-pathname header to the pathname
+  const isLoggedIn = req.auth?.user?.email;
 
-    // if the user is already logged in, don't let them access the login page
-    if (/^\/(login)/.test(newUrl.pathname) && isLoggedIn) {
-      newUrl.pathname = "/";
-      return NextResponse.redirect(newUrl);
-    }
+  // if the user is already logged in, don't let them access the login page
+  if (/^\/(login)/.test(newUrl.pathname) && isLoggedIn) {
+    newUrl.pathname = "/";
+    return NextResponse.redirect(newUrl);
+  }
 
-    // if the user is not logged in and the page is not public, redirect to login
-    if (
-      !isLoggedIn &&
-      !publicRoutes.some((route) => newUrl.pathname.startsWith(route))
-    ) {
-      if (newUrl.pathname !== "/") {
-        newUrl.searchParams.set("callbackUrl", newUrl.pathname);
-      }
-      newUrl.pathname = "/login";
-      return NextResponse.redirect(newUrl);
+  // if the user is not logged in and the page is not public, redirect to login
+  if (
+    !isLoggedIn &&
+    !publicRoutes.some((route) => newUrl.pathname.startsWith(route))
+  ) {
+    if (newUrl.pathname !== "/") {
+      newUrl.searchParams.set("callbackUrl", newUrl.pathname);
     }
+    newUrl.pathname = "/login";
+    return NextResponse.redirect(newUrl);
+  }
 
-    // Check if locale is specified in cookie
-    let locale = req.nextauth.token?.locale;
-    if (locale && supportedLocales.includes(locale)) {
-      newUrl.pathname = `/${locale}${newUrl.pathname}`;
-    } else {
-      // Check if locale is specified in header
-      locale = await getLocaleFromHeader(req);
+  // Check if locale is specified in cookie
+  let locale = req.auth?.user?.locale;
+  if (locale && supportedLocales.includes(locale)) {
+    newUrl.pathname = `/${locale}${newUrl.pathname}`;
+  } else {
+    // Check if locale is specified in header
+    locale = await getLocaleFromHeader(req);
 
-      newUrl.pathname = `/${locale}${newUrl.pathname}`;
-    }
+    newUrl.pathname = `/${locale}${newUrl.pathname}`;
+  }
 
-    const res = NextResponse.rewrite(newUrl);
-    res.headers.set("x-pathname", newUrl.pathname);
-
-    if (req.nextauth.token) {
-      await withPostHog(res, { distinctID: req.nextauth.token.sub });
-    }
+  const res = NextResponse.rewrite(newUrl);
+  res.headers.set("x-pathname", newUrl.pathname);
 
-    return res;
-  },
-  {
-    secret: process.env.SECRET_PASSWORD,
-    callbacks: {
-      authorized: ({ token, req }) => {
-        const nextUrl = req.nextUrl;
-        const isGuest = !token?.email;
-        if (
-          isSelfHosted &&
-          isGuest &&
-          !(
-            nextUrl.pathname.startsWith("/invite") ||
-            nextUrl.pathname.startsWith("/login") ||
-            nextUrl.pathname.startsWith("/register") ||
-            nextUrl.pathname.startsWith("/auth") ||
-            nextUrl.pathname.startsWith("/p/")
-          )
-        ) {
-          // limit which pages guests can access for self-hosted instances
-          return false;
-        }
+  if (req.auth?.user?.id) {
+    await withPostHog(res, { distinctID: req.auth.user.id });
+  }
 
-        return true;
-      },
-    },
-  },
-);
+  return res;
+});
 
 export const config = {
   matcher: ["/((?!api|_next/static|_next/image|static|.*\\.).*)"],
diff --git a/apps/web/src/next-auth.confg.ts b/apps/web/src/next-auth.confg.ts
new file mode 100644
index 00000000000..dc8fccd681f
--- /dev/null
+++ b/apps/web/src/next-auth.confg.ts
@@ -0,0 +1,9 @@
+import type { NextAuthConfig } from "next-auth";
+
+export const nextAuthConfig = {
+  session: {
+    strategy: "jwt",
+  },
+  secret: process.env.SECRET_PASSWORD,
+  providers: [],
+} satisfies NextAuthConfig;
diff --git a/apps/web/src/next-auth.ts b/apps/web/src/next-auth.ts
new file mode 100644
index 00000000000..d6994c5d633
--- /dev/null
+++ b/apps/web/src/next-auth.ts
@@ -0,0 +1,166 @@
+import type { TimeFormat } from "@rallly/database";
+import { prisma } from "@rallly/database";
+import { posthog } from "@rallly/posthog/server";
+import NextAuth from "next-auth";
+import type { Provider } from "next-auth/providers";
+
+import { CustomPrismaAdapter } from "./auth/adapters/prisma";
+import { isEmailBlocked } from "./auth/is-email-blocked";
+import { mergeGuestsIntoUser } from "./auth/merge-user";
+import { EmailProvider } from "./auth/providers/email";
+import { GoogleProvider } from "./auth/providers/google";
+import { GuestProvider } from "./auth/providers/guest";
+import { MicrosoftProvider } from "./auth/providers/microsoft";
+import { OIDCProvider } from "./auth/providers/oidc";
+import { RegistrationTokenProvider } from "./auth/providers/registration-token";
+import { nextAuthConfig } from "./next-auth.confg";
+
+export const { auth, handlers, signIn, signOut } = NextAuth({
+  ...nextAuthConfig,
+
+  adapter: CustomPrismaAdapter({
+    migrateData: async (userId) => {
+      const session = await auth();
+      if (session?.user && session.user.email === null) {
+        await mergeGuestsIntoUser(userId, [session.user.id]);
+      }
+    },
+  }),
+  providers: [
+    RegistrationTokenProvider,
+    EmailProvider,
+    GuestProvider,
+    ...([GoogleProvider(), OIDCProvider(), MicrosoftProvider()].filter(
+      Boolean,
+    ) as Provider[]),
+  ],
+  pages: {
+    signIn: "/login",
+    verifyRequest: "/login/verify",
+    error: "/auth/error",
+  },
+  session: {
+    strategy: "jwt",
+  },
+  events: {
+    signIn({ user, account }) {
+      if (user.id) {
+        posthog?.capture({
+          distinctId: user.id,
+          event: "login",
+          properties: {
+            method: account?.provider,
+            $set: {
+              name: user.name,
+              email: user.email,
+              timeZone: user.timeZone,
+              locale: user.locale,
+            },
+          },
+        });
+      }
+    },
+  },
+  callbacks: {
+    async signIn({ user, email, profile }) {
+      const distinctId = user.id;
+      // prevent sign in if email is not verified
+      if (
+        profile &&
+        "email_verified" in profile &&
+        profile.email_verified === false &&
+        distinctId
+      ) {
+        posthog?.capture({
+          distinctId,
+          event: "login failed",
+          properties: {
+            reason: "email not verified",
+          },
+        });
+        return false;
+      }
+      // Make sure email is allowed
+      if (user.email) {
+        const isBlocked = isEmailBlocked(user.email);
+        if (isBlocked) {
+          return false;
+        }
+      }
+
+      // For now, we don't allow users to login unless they have
+      // registered an account. This is just because we need a name
+      // to display on the dashboard. The flow can be modified so that
+      // the name is requested after the user has logged in.
+      if (email?.verificationRequest) {
+        const isRegisteredUser =
+          (await prisma.user.count({
+            where: {
+              email: user.email as string,
+            },
+          })) > 0;
+
+        return isRegisteredUser;
+      }
+
+      // when we login with a social account for the first time, the user is not created yet
+      // and the user id will be the same as the provider account id
+      // we handle this case the the prisma adapter when we link accounts
+      const isInitialSocialLogin = user.id === profile?.sub;
+
+      if (!isInitialSocialLogin) {
+        // merge guest user into newly logged in user
+        const session = await auth();
+        if (user.id && session?.user && !session.user.email) {
+          await mergeGuestsIntoUser(user.id, [session.user.id]);
+        }
+      }
+
+      return true;
+    },
+    async jwt({ token, session }) {
+      const userId = token.sub;
+      const isGuest = userId?.startsWith("guest-");
+      if (userId && !isGuest) {
+        const user = await prisma.user.findUnique({
+          where: {
+            id: userId,
+          },
+          select: {
+            email: true,
+            locale: true,
+            timeFormat: true,
+            timeZone: true,
+            weekStart: true,
+          },
+        });
+
+        if (user) {
+          token.email = user.email;
+          token.locale = user.locale;
+          token.timeFormat = user.timeFormat;
+          token.timeZone = user.timeZone;
+          token.weekStart = user.weekStart;
+        }
+      }
+
+      if (session) {
+        token.locale = session.user.locale;
+        token.timeFormat = session.user.timeFormat;
+        token.timeZone = session.user.timeZone;
+        token.weekStart = session.user.weekStart;
+      }
+
+      return token;
+    },
+    async session({ session, token }) {
+      session.user.id = token.sub as string;
+      session.user.email = token.email as string;
+      session.user.locale = token.locale as string;
+      session.user.timeFormat = token.timeFormat as TimeFormat;
+      session.user.timeZone = token.timeZone as string;
+      session.user.weekStart = token.weekStart as number;
+      return session;
+    },
+  },
+});
diff --git a/apps/web/src/pages/api/auth/[...nextauth].ts b/apps/web/src/pages/api/auth/[...nextauth].ts
deleted file mode 100644
index 5350908b674..00000000000
--- a/apps/web/src/pages/api/auth/[...nextauth].ts
+++ /dev/null
@@ -1,14 +0,0 @@
-import { posthogApiHandler } from "@rallly/posthog/server";
-import type { NextApiRequest, NextApiResponse } from "next";
-
-import { AuthApiRoute } from "@/auth";
-import { composeApiHandlers } from "@/utils/next";
-
-export default async function auth(req: NextApiRequest, res: NextApiResponse) {
-  if (req.method === "HEAD") {
-    res.status(200).end();
-    res.setHeader("Content-Length", "0");
-  } else {
-    return composeApiHandlers(AuthApiRoute, posthogApiHandler)(req, res);
-  }
-}
diff --git a/apps/web/src/trpc/server/create-ssr-helper.ts b/apps/web/src/trpc/server/create-ssr-helper.ts
index 052ab234d37..7050a37dfad 100644
--- a/apps/web/src/trpc/server/create-ssr-helper.ts
+++ b/apps/web/src/trpc/server/create-ssr-helper.ts
@@ -2,14 +2,14 @@ import { createServerSideHelpers } from "@trpc/react-query/server";
 import { redirect } from "next/navigation";
 import superjson from "superjson";
 
-import { getServerSession } from "@/auth";
+import { auth } from "@/next-auth";
 import { getEmailClient } from "@/utils/emails";
 
 import type { TRPCContext } from "../context";
 import { appRouter } from "../routers";
 
 async function createContext(): Promise<TRPCContext> {
-  const session = await getServerSession();
+  const session = await auth();
   return {
     user: session?.user
       ? {
diff --git a/packages/posthog/src/server/index.ts b/packages/posthog/src/server/index.ts
index 7710c72001c..8be0feaf19b 100644
--- a/packages/posthog/src/server/index.ts
+++ b/packages/posthog/src/server/index.ts
@@ -1,4 +1,5 @@
 import { waitUntil } from "@vercel/functions";
+import type { NextRequest } from "next/server";
 import { PostHog } from "posthog-node";
 
 function PostHogClient() {
@@ -21,3 +22,10 @@ export function posthogApiHandler() {
     console.error("Failed to flush PostHog events:", error);
   }
 }
+export function withPosthog(handler: (req: NextRequest) => Promise<Response>) {
+  return async (req: NextRequest) => {
+    const res = await handler(req);
+    posthogApiHandler();
+    return res;
+  };
+}
diff --git a/yarn.lock b/yarn.lock
index 1daa10cfb04..aed956af547 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -20,24 +20,36 @@
     "@jridgewell/gen-mapping" "^0.1.0"
     "@jridgewell/trace-mapping" "^0.3.9"
 
-"@auth/core@0.16.1":
-  version "0.16.1"
-  resolved "https://registry.npmjs.org/@auth/core/-/core-0.16.1.tgz"
-  integrity sha512-V+YifnjpyOadiiTbxfYDV2xYWo8xpKNtwYVskAEKUSwMvE0FlSlP+10QGBpf0axS/AJFOO61IR6GncFF/IOrHQ==
-  dependencies:
-    "@panva/hkdf" "^1.0.4"
-    cookie "0.5.0"
-    jose "^4.11.1"
-    oauth4webapi "^2.0.6"
+"@auth/core@0.37.2":
+  version "0.37.2"
+  resolved "https://registry.yarnpkg.com/@auth/core/-/core-0.37.2.tgz#0db8a94a076846bd88eb7f9273618513e2285cb2"
+  integrity sha512-kUvzyvkcd6h1vpeMAojK2y7+PAV5H+0Cc9+ZlKYDFhDY31AlvsB+GW5vNO4qE3Y07KeQgvNO9U0QUx/fN62kBw==
+  dependencies:
+    "@panva/hkdf" "^1.2.1"
+    "@types/cookie" "0.6.0"
+    cookie "0.7.1"
+    jose "^5.9.3"
+    oauth4webapi "^3.0.0"
     preact "10.11.3"
     preact-render-to-string "5.2.3"
 
-"@auth/prisma-adapter@^1.0.3":
-  version "1.0.3"
-  resolved "https://registry.npmjs.org/@auth/prisma-adapter/-/prisma-adapter-1.0.3.tgz"
-  integrity sha512-AMwQbO7OiBYRCA6VNfv9CpcpiRh0BP4EKhPdtO+pom9Uhuor2ioE4IqvhUfJyBkSjAP2Gt9WbKqr9kzL9LrtIg==
+"@auth/core@0.37.4":
+  version "0.37.4"
+  resolved "https://registry.yarnpkg.com/@auth/core/-/core-0.37.4.tgz#c51410aa7d0997fa22a07a196d2c21c8b1bca71b"
+  integrity sha512-HOXJwXWXQRhbBDHlMU0K/6FT1v+wjtzdKhsNg0ZN7/gne6XPsIrjZ4daMcFnbq0Z/vsAbYBinQhhua0d77v7qw==
+  dependencies:
+    "@panva/hkdf" "^1.2.1"
+    jose "^5.9.6"
+    oauth4webapi "^3.1.1"
+    preact "10.24.3"
+    preact-render-to-string "6.5.11"
+
+"@auth/prisma-adapter@^2.7.4":
+  version "2.7.4"
+  resolved "https://registry.yarnpkg.com/@auth/prisma-adapter/-/prisma-adapter-2.7.4.tgz#4890be47a9f227f449832302d955c565c02879ee"
+  integrity sha512-3T/X94R9J1sxOLQtsD3ijIZ0JGHPXlZQxRr/8NpnZBJ3KGxun/mNsZ1MwMRhTxy0mmn9JWXk7u9+xCcVn0pu3A==
   dependencies:
-    "@auth/core" "0.16.1"
+    "@auth/core" "0.37.4"
 
 "@aws-crypto/crc32@3.0.0":
   version "3.0.0"
@@ -3378,10 +3390,10 @@
   dependencies:
     "@opentelemetry/core" "^1.1.0"
 
-"@panva/hkdf@^1.0.2", "@panva/hkdf@^1.0.4":
-  version "1.1.1"
-  resolved "https://registry.npmjs.org/@panva/hkdf/-/hkdf-1.1.1.tgz"
-  integrity sha512-dhPeilub1NuIG0X5Kvhh9lH4iW3ZsHlnzwgwbOlgwQ2wG1IqFzsgHqmKPk3WzsdWAeaxKJxgM0+W433RmN45GA==
+"@panva/hkdf@^1.2.1":
+  version "1.2.1"
+  resolved "https://registry.yarnpkg.com/@panva/hkdf/-/hkdf-1.2.1.tgz#cb0d111ef700136f4580349ff0226bf25c853f23"
+  integrity sha512-6oclG6Y3PiDFcoyk8srjLfVKyMfVCKJ27JwNPViuXziFpmdz+MZnZN/aKY0JGXgYuO/VghU0jcOAZgWXZ1Dmrw==
 
 "@peculiar/asn1-schema@^2.1.6", "@peculiar/asn1-schema@^2.3.0":
   version "2.3.3"
@@ -6135,6 +6147,11 @@
   resolved "https://registry.npmjs.org/@types/content-disposition/-/content-disposition-0.5.5.tgz"
   integrity sha512-v6LCdKfK6BwcqMo+wYW05rLS12S0ZO0Fl4w1h4aaZMD7bqT3gVUns6FvLJKGZHQmYn3SX55JWGpziwJRwVgutA==
 
+"@types/cookie@0.6.0":
+  version "0.6.0"
+  resolved "https://registry.yarnpkg.com/@types/cookie/-/cookie-0.6.0.tgz#eac397f28bf1d6ae0ae081363eca2f425bedf0d5"
+  integrity sha512-4Kh9a6B2bQciAhf7FSuMRRkUWecJgJu9nPnx3yzpsfXX/c50REIqpHY4C82bXP90qrLtXtkDxTZosYO3UpOwlA==
+
 "@types/cookie@^0.4.1":
   version "0.4.1"
   resolved "https://registry.yarnpkg.com/@types/cookie/-/cookie-0.4.1.tgz#bfd02c1f2224567676c1545199f87c3a861d878d"
@@ -7862,7 +7879,12 @@ convert-source-map@^2.0.0:
   resolved "https://registry.yarnpkg.com/convert-source-map/-/convert-source-map-2.0.0.tgz#4b560f649fc4e918dd0ab75cf4961e8bc882d82a"
   integrity sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg==
 
-cookie@0.5.0, cookie@^0.5.0:
+cookie@0.7.1:
+  version "0.7.1"
+  resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.7.1.tgz#2f73c42142d5d5cf71310a74fc4ae61670e5dbc9"
+  integrity sha512-6DnInpx7SJ2AK3+CTUE/ZM0vWTUboZCegxhC2xiIydHR9jNuTAASBrfEpHhiGOZw/nX51bHt6YQl8jsGo4y/0w==
+
+cookie@^0.5.0:
   version "0.5.0"
   resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.5.0.tgz#d1f5d71adec6558c58f389987c366aa47e994f8b"
   integrity sha512-YZ3GUyn/o8gfKJlnlX7g7xq4gyO6OSuhGPKaaGssGB2qgDUS0gPgtTvoyZLTt9Ab6dC4hfc9dV5arkvc/OCmrw==
@@ -10393,12 +10415,7 @@ joi@^17.6.0:
     "@sideway/formula" "^3.0.1"
     "@sideway/pinpoint" "^2.0.0"
 
-jose@^4.11.1, jose@^4.11.4, jose@^4.15.1:
-  version "4.15.5"
-  resolved "https://registry.yarnpkg.com/jose/-/jose-4.15.5.tgz#6475d0f467ecd3c630a1b5dadd2735a7288df706"
-  integrity sha512-jc7BFxgKPKi94uOvEmzlSWFFe2+vASyXaKUpdQKatWAESU2MWjDfFf0fdfc83CDKcA5QecabZeNLyfhe3yKNkg==
-
-jose@^5.2.3:
+jose@^5.2.3, jose@^5.9.3, jose@^5.9.6:
   version "5.9.6"
   resolved "https://registry.yarnpkg.com/jose/-/jose-5.9.6.tgz#77f1f901d88ebdc405e57cce08d2a91f47521883"
   integrity sha512-AMlnetc9+CV9asI19zHmrgS/WYsWUwCn2R7RzlbJWD7F9eWYUTGyBmU9o6PxngtLGOiDGPRu+Uc4fhKzbpteZQ==
@@ -11356,20 +11373,12 @@ neverthrow@^7.0.1:
   resolved "https://registry.yarnpkg.com/neverthrow/-/neverthrow-7.2.0.tgz#76fa0a6cf1f6d59f0770df461c92b8b270910694"
   integrity sha512-iGBUfFB7yPczHHtA8dksKTJ9E8TESNTAx1UQWW6TzMF280vo9jdPYpLUXrMN1BCkPdHFdNG3fxOt2CUad8KhAw==
 
-next-auth@^4.24.5:
-  version "4.24.5"
-  resolved "https://registry.yarnpkg.com/next-auth/-/next-auth-4.24.5.tgz#1fd1bfc0603c61fd2ba6fd81b976af690edbf07e"
-  integrity sha512-3RafV3XbfIKk6rF6GlLE4/KxjTcuMCifqrmD+98ejFq73SRoj2rmzoca8u764977lH/Q7jo6Xu6yM+Re1Mz/Og==
+next-auth@^5.0.0-beta.25:
+  version "5.0.0-beta.25"
+  resolved "https://registry.yarnpkg.com/next-auth/-/next-auth-5.0.0-beta.25.tgz#3a9f9734e1d8fa5ced545360f1afc24862cb92d5"
+  integrity sha512-2dJJw1sHQl2qxCrRk+KTQbeH+izFbGFPuJj5eGgBZFYyiYYtvlrBeUw1E/OJJxTRjuxbSYGnCTkUIRsIIW0bog==
   dependencies:
-    "@babel/runtime" "^7.20.13"
-    "@panva/hkdf" "^1.0.2"
-    cookie "^0.5.0"
-    jose "^4.11.4"
-    oauth "^0.9.15"
-    openid-client "^5.4.0"
-    preact "^10.6.3"
-    preact-render-to-string "^5.1.19"
-    uuid "^8.3.2"
+    "@auth/core" "0.37.2"
 
 next-i18next@^13.0.3:
   version "13.1.6"
@@ -11535,26 +11544,16 @@ nth-check@^2.0.1:
   dependencies:
     boolbase "^1.0.0"
 
-oauth4webapi@^2.0.6:
-  version "2.3.0"
-  resolved "https://registry.npmjs.org/oauth4webapi/-/oauth4webapi-2.3.0.tgz"
-  integrity sha512-JGkb5doGrwzVDuHwgrR4nHJayzN4h59VCed6EW8Tql6iHDfZIabCJvg6wtbn5q6pyB2hZruI3b77Nudvq7NmvA==
-
-oauth@^0.9.15:
-  version "0.9.15"
-  resolved "https://registry.npmjs.org/oauth/-/oauth-0.9.15.tgz"
-  integrity sha512-a5ERWK1kh38ExDEfoO6qUHJb32rd7aYmPHuyCu3Fta/cnICvYmgd2uhuKXvPD+PXB+gCEYYEaQdIRAjCOwAKNA==
+oauth4webapi@^3.0.0, oauth4webapi@^3.1.1:
+  version "3.1.4"
+  resolved "https://registry.yarnpkg.com/oauth4webapi/-/oauth4webapi-3.1.4.tgz#50695385cea8e7a43f3e2e23bc33ea27faece4a7"
+  integrity sha512-eVfN3nZNbok2s/ROifO0UAc5G8nRoLSbrcKJ09OqmucgnhXEfdIQOR4gq1eJH1rN3gV7rNw62bDEgftsgFtBEg==
 
 object-assign@^4, object-assign@^4.0.1, object-assign@^4.1.0, object-assign@^4.1.1:
   version "4.1.1"
   resolved "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz"
   integrity sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==
 
-object-hash@^2.2.0:
-  version "2.2.0"
-  resolved "https://registry.npmjs.org/object-hash/-/object-hash-2.2.0.tgz"
-  integrity sha512-gScRMn0bS5fH+IuwyIFgnh9zBdo4DV+6GhygmWM9HyNJSgS0hScp1f5vjtm7oIIOiT9trXrShAkLFSc2IqKNgw==
-
 object-hash@^3.0.0:
   version "3.0.0"
   resolved "https://registry.npmjs.org/object-hash/-/object-hash-3.0.0.tgz"
@@ -11648,11 +11647,6 @@ obuf@~1.1.2:
   resolved "https://registry.yarnpkg.com/obuf/-/obuf-1.1.2.tgz#09bea3343d41859ebd446292d11c9d4db619084e"
   integrity sha512-PX1wu0AmAdPqOL1mWhqmlOd8kOIZQwGZw6rh7uby9fTc5lhaOWFLX3I6R1hrF9k3zUY40e6igsLGkDXK92LJNg==
 
-oidc-token-hash@^5.0.3:
-  version "5.0.3"
-  resolved "https://registry.npmjs.org/oidc-token-hash/-/oidc-token-hash-5.0.3.tgz"
-  integrity sha512-IF4PcGgzAr6XXSff26Sk/+P4KZFJVuHAJZj3wgO3vX2bMdNVp/QXTP3P7CEm9V1IdG8lDLY3HhiqpsE/nOwpPw==
-
 once@^1.3.0, once@^1.3.1, once@^1.3.2, once@^1.4.0:
   version "1.4.0"
   resolved "https://registry.npmjs.org/once/-/once-1.4.0.tgz"
@@ -11672,16 +11666,6 @@ opener@^1.5.2:
   resolved "https://registry.npmjs.org/opener/-/opener-1.5.2.tgz"
   integrity sha512-ur5UIdyw5Y7yEj9wLzhqXiy6GZ3Mwx0yGI+5sMn2r0N0v3cKJvUmFH5yPP+WXh9e0xfyzyJX95D8l088DNFj7A==
 
-openid-client@^5.4.0:
-  version "5.6.0"
-  resolved "https://registry.npmjs.org/openid-client/-/openid-client-5.6.0.tgz"
-  integrity sha512-uFTkN/iqgKvSnmpVAS/T6SNThukRMBcmymTQ71Ngus1F60tdtKVap7zCrleocY+fogPtpmoxi5Q1YdrgYuTlkA==
-  dependencies:
-    jose "^4.15.1"
-    lru-cache "^6.0.0"
-    object-hash "^2.2.0"
-    oidc-token-hash "^5.0.3"
-
 optionator@^0.9.3:
   version "0.9.3"
   resolved "https://registry.npmjs.org/optionator/-/optionator-0.9.3.tgz"
@@ -12154,28 +12138,26 @@ preact-render-to-string@5.2.3:
   dependencies:
     pretty-format "^3.8.0"
 
-preact-render-to-string@^5.1.19:
-  version "5.2.6"
-  resolved "https://registry.npmjs.org/preact-render-to-string/-/preact-render-to-string-5.2.6.tgz"
-  integrity sha512-JyhErpYOvBV1hEPwIxc/fHWXPfnEGdRKxc8gFdAZ7XV4tlzyzG847XAyEZqoDnynP88akM4eaHcSOzNcLWFguw==
-  dependencies:
-    pretty-format "^3.8.0"
+preact-render-to-string@6.5.11:
+  version "6.5.11"
+  resolved "https://registry.yarnpkg.com/preact-render-to-string/-/preact-render-to-string-6.5.11.tgz#467e69908a453497bb93d4d1fc35fb749a78e027"
+  integrity sha512-ubnauqoGczeGISiOh6RjX0/cdaF8v/oDXIjO85XALCQjwQP+SB4RDXXtvZ6yTYSjG+PC1QRP2AhPgCEsM2EvUw==
 
 preact@10.11.3:
   version "10.11.3"
   resolved "https://registry.npmjs.org/preact/-/preact-10.11.3.tgz"
   integrity sha512-eY93IVpod/zG3uMF22Unl8h9KkrcKIRs2EGar8hwLZZDU1lkjph303V9HZBwufh2s736U6VXuhD109LYqPoffg==
 
+preact@10.24.3:
+  version "10.24.3"
+  resolved "https://registry.yarnpkg.com/preact/-/preact-10.24.3.tgz#086386bd47071e3b45410ef20844c21e23828f64"
+  integrity sha512-Z2dPnBnMUfyQfSQ+GBdsGa16hz35YmLmtTLhM169uW944hYL6xzTYkJjC07j+Wosz733pMWx0fgON3JNw1jJQA==
+
 preact@^10.19.3:
   version "10.19.3"
   resolved "https://registry.yarnpkg.com/preact/-/preact-10.19.3.tgz#7a7107ed2598a60676c943709ea3efb8aaafa899"
   integrity sha512-nHHTeFVBTHRGxJXKkKu5hT8C/YWBkPso4/Gad6xuj5dbptt9iF9NZr9pHbPhBrnT2klheu7mHTxTZ/LjwJiEiQ==
 
-preact@^10.6.3:
-  version "10.18.1"
-  resolved "https://registry.npmjs.org/preact/-/preact-10.18.1.tgz"
-  integrity sha512-mKUD7RRkQQM6s7Rkmi7IFkoEHjuFqRQUaXamO61E6Nn7vqF/bo7EZCmSyrUnp2UWHw0O7XjZ2eeXis+m7tf4lg==
-
 prelude-ls@^1.2.1:
   version "1.2.1"
   resolved "https://registry.npmjs.org/prelude-ls/-/prelude-ls-1.2.1.tgz"

From cc85b0bb206f0e3797b53cc50b26be6fae6f0f30 Mon Sep 17 00:00:00 2001
From: Luke Vella <me@lukevella.com>
Date: Thu, 6 Feb 2025 15:33:16 +0700
Subject: [PATCH 03/18] Fix typo

---
 .../app/[locale]/(auth)/login/components/login-email-form.tsx   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/web/src/app/[locale]/(auth)/login/components/login-email-form.tsx b/apps/web/src/app/[locale]/(auth)/login/components/login-email-form.tsx
index eac42707025..141e281f365 100644
--- a/apps/web/src/app/[locale]/(auth)/login/components/login-email-form.tsx
+++ b/apps/web/src/app/[locale]/(auth)/login/components/login-email-form.tsx
@@ -59,7 +59,7 @@ export function LoginWithEmailForm() {
             // redirect to verify page with callbackUrl
             router.push(
               `/login/verify?callbackUrl=${encodeURIComponent(
-                searchParams?.get("callbac`kUrl") ?? "",
+                searchParams?.get("callbackUrl") ?? "",
               )}`,
             );
           } else {

From 82a5fbb685e5ee668318943dc4b1d43f4040531d Mon Sep 17 00:00:00 2001
From: Luke Vella <me@lukevella.com>
Date: Thu, 6 Feb 2025 15:40:22 +0700
Subject: [PATCH 04/18] Fixes

---
 apps/web/src/auth.ts                          | 224 ------------------
 .../src/auth/providers/registration-token.ts  |   2 +-
 apps/web/src/trpc/routers/auth.ts             |   2 +-
 3 files changed, 2 insertions(+), 226 deletions(-)
 delete mode 100644 apps/web/src/auth.ts

diff --git a/apps/web/src/auth.ts b/apps/web/src/auth.ts
deleted file mode 100644
index 10acd80d616..00000000000
--- a/apps/web/src/auth.ts
+++ /dev/null
@@ -1,224 +0,0 @@
-import { prisma } from "@rallly/database";
-import { posthog } from "@rallly/posthog/server";
-import type {
-  GetServerSidePropsContext,
-  NextApiRequest,
-  NextApiResponse,
-} from "next";
-import type { OAuthProviderType } from "next-auth/providers";
-
-import { CustomPrismaAdapter } from "./auth/adapters/prisma";
-import { mergeGuestsIntoUser } from "./auth/merge-user";
-import { EmailProvider } from "./auth/providers/email";
-import { GoogleProvider } from "./auth/providers/google";
-import { GuestProvider } from "./auth/providers/guest";
-import { MicrosoftProvider } from "./auth/providers/microsoft";
-import { OIDCProvider } from "./auth/providers/oidc";
-import { RegistrationTokenProvider } from "./auth/providers/registration-token";
-
-function getOptionalProviders() {
-  return [OIDCProvider(), GoogleProvider(), MicrosoftProvider()].filter(
-    Boolean,
-  ) as OAuthProviderType[];
-}
-
-const getAuthOptions = (...args: GetServerSessionParams) =>
-  ({
-    adapter: CustomPrismaAdapter({
-      migrateData: async (userId) => {
-        const session = await getServerSession(...args);
-        if (session?.user && session.user.email === null) {
-          await mergeGuestsIntoUser(userId, [session.user.id]);
-        }
-      },
-    }),
-    secret: process.env.SECRET_PASSWORD,
-    session: {
-      strategy: "jwt",
-    },
-    providers: [
-      RegistrationTokenProvider,
-      GuestProvider,
-      EmailProvider,
-      ...getOptionalProviders(),
-    ],
-    pages: {
-      signIn: "/login",
-      verifyRequest: "/login/verify",
-      error: "/auth/error",
-    },
-    events: {
-      signIn({ user, account }) {
-        posthog?.capture({
-          distinctId: user.id,
-          event: "login",
-          properties: {
-            method: account?.provider,
-            $set: {
-              name: user.name,
-              email: user.email,
-              timeZone: user.timeZone,
-              locale: user.locale,
-            },
-          },
-        });
-      },
-    },
-    callbacks: {
-      async signIn({ user, email, profile }) {
-        const distinctId = user.id;
-        // prevent sign in if email is not verified
-        if (
-          profile &&
-          "email_verified" in profile &&
-          profile.email_verified === false
-        ) {
-          posthog?.capture({
-            distinctId,
-            event: "login failed",
-            properties: {
-              reason: "email not verified",
-            },
-          });
-          return false;
-        }
-        // Make sure email is allowed
-        if (user.email) {
-          const isBlocked = isEmailBlocked(user.email);
-          if (isBlocked) {
-            return false;
-          }
-        }
-
-        // For now, we don't allow users to login unless they have
-        // registered an account. This is just because we need a name
-        // to display on the dashboard. The flow can be modified so that
-        // the name is requested after the user has logged in.
-        if (email?.verificationRequest) {
-          const isRegisteredUser =
-            (await prisma.user.count({
-              where: {
-                email: user.email as string,
-              },
-            })) > 0;
-
-          return isRegisteredUser;
-        }
-
-        // when we login with a social account for the first time, the user is not created yet
-        // and the user id will be the same as the provider account id
-        // we handle this case the the prisma adapter when we link accounts
-        const isInitialSocialLogin = user.id === profile?.sub;
-
-        if (!isInitialSocialLogin) {
-          // merge guest user into newly logged in user
-          const session = await getServerSession(...args);
-          if (session?.user && !session.user.email) {
-            await mergeGuestsIntoUser(user.id, [session.user.id]);
-          }
-        }
-
-        return true;
-      },
-      async jwt({ token, session }) {
-        if (session) {
-          token.locale = session.locale;
-          token.timeFormat = session.timeFormat;
-          token.timeZone = session.timeZone;
-          token.weekStart = session.weekStart;
-        }
-
-        return token;
-      },
-      async session({ session, token }) {
-        if (!token.sub) {
-          return session;
-        }
-
-        if (token.sub?.startsWith("user-")) {
-          session.user = {
-            id: token.sub as string,
-            locale: token.locale,
-            timeFormat: token.timeFormat,
-            timeZone: token.timeZone,
-            weekStart: token.weekStart,
-          };
-          return session;
-        }
-
-        const user = await prisma.user.findUnique({
-          where: {
-            id: token.sub as string,
-          },
-          select: {
-            id: true,
-            name: true,
-            timeFormat: true,
-            timeZone: true,
-            locale: true,
-            weekStart: true,
-            email: true,
-            image: true,
-          },
-        });
-
-        if (user) {
-          session.user = {
-            id: user.id,
-            name: user.name,
-            email: user.email,
-            image: user.image,
-            locale: user.locale,
-            timeFormat: user.timeFormat,
-            timeZone: user.timeZone,
-            weekStart: user.weekStart,
-          };
-        }
-
-        return session;
-      },
-    },
-  }) satisfies NextAuthOptions;
-
-type GetServerSessionParams =
-  | [GetServerSidePropsContext["req"], GetServerSidePropsContext["res"]]
-  | [NextApiRequest, NextApiResponse]
-  | [];
-
-export async function getServerSession(...args: GetServerSessionParams) {
-  return await getServerSessionWithOptions(...args, getAuthOptions(...args));
-}
-
-export const isEmailBlocked = (email: string) => {
-  if (process.env.ALLOWED_EMAILS) {
-    const allowedEmails = process.env.ALLOWED_EMAILS.split(",");
-    // Check whether the email matches enough of the patterns specified in ALLOWED_EMAILS
-    const isAllowed = allowedEmails.some((allowedEmail) => {
-      const regex = new RegExp(
-        `^${allowedEmail
-          .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
-          .replaceAll(/[*]/g, ".*")}$`,
-      );
-      return regex.test(email);
-    });
-
-    if (!isAllowed) {
-      return true;
-    }
-  }
-  return false;
-};
-
-export function getOAuthProviders(): {
-  id: string;
-  name: string;
-}[] {
-  return getOptionalProviders()
-    .filter((provider) => provider.type === "oauth")
-    .map((provider) => {
-      return {
-        id: provider.id,
-        name: provider.options?.name || provider.name,
-      };
-    });
-}
diff --git a/apps/web/src/auth/providers/registration-token.ts b/apps/web/src/auth/providers/registration-token.ts
index c1d2fb56956..f0a9ebc4452 100644
--- a/apps/web/src/auth/providers/registration-token.ts
+++ b/apps/web/src/auth/providers/registration-token.ts
@@ -18,7 +18,7 @@ export const RegistrationTokenProvider = CredentialsProvider({
   async authorize(credentials) {
     if (credentials?.token) {
       const payload = await decryptToken<RegistrationTokenPayload>(
-        credentials.token,
+        credentials.token as string,
       );
       if (payload) {
         const user = await prisma.user.findUnique({
diff --git a/apps/web/src/trpc/routers/auth.ts b/apps/web/src/trpc/routers/auth.ts
index 0fc6bfbe7ef..bcad3815aee 100644
--- a/apps/web/src/trpc/routers/auth.ts
+++ b/apps/web/src/trpc/routers/auth.ts
@@ -4,7 +4,7 @@ import { generateOtp } from "@rallly/utils/nanoid";
 import * as Sentry from "@sentry/nextjs";
 import { z } from "zod";
 
-import { isEmailBlocked } from "@/auth";
+import { isEmailBlocked } from "@/auth/is-email-blocked";
 import { mergeGuestsIntoUser } from "@/auth/merge-user";
 import { getEmailClient } from "@/utils/emails";
 import { createToken, decryptToken } from "@/utils/session";

From 4d47faa6ed9c114ffd2eac5487af503c193fbc93 Mon Sep 17 00:00:00 2001
From: Luke Vella <me@lukevella.com>
Date: Thu, 6 Feb 2025 15:57:21 +0700
Subject: [PATCH 05/18] Handle case sensitivity

---
 .../src/app/[locale]/(auth)/login/actions.ts  | 22 ++++++++++++-------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/apps/web/src/app/[locale]/(auth)/login/actions.ts b/apps/web/src/app/[locale]/(auth)/login/actions.ts
index b7b7281d254..86f18197e6f 100644
--- a/apps/web/src/app/[locale]/(auth)/login/actions.ts
+++ b/apps/web/src/app/[locale]/(auth)/login/actions.ts
@@ -4,18 +4,24 @@ import { prisma } from "@rallly/database";
 import { cookies } from "next/headers";
 
 export async function setVerificationEmail(email: string) {
-  const count = await prisma.user.count({
+  const user = await prisma.user.findUnique({
     where: {
       email,
     },
+    select: {
+      email: true,
+    },
   });
 
-  cookies().set("verification-email", email, {
-    httpOnly: true,
-    secure: process.env.NODE_ENV === "production",
-    sameSite: "lax",
-    maxAge: 15 * 60,
-  });
+  if (user) {
+    cookies().set("verification-email", user.email, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === "production",
+      sameSite: "lax",
+      maxAge: 15 * 60,
+    });
+    return true;
+  }
 
-  return count > 0;
+  return false;
 }

From 11a361f40321d931b319d0f6126ae5f272953ffe Mon Sep 17 00:00:00 2001
From: Luke Vella <me@lukevella.com>
Date: Thu, 6 Feb 2025 16:08:12 +0700
Subject: [PATCH 06/18] Fixes

---
 apps/web/src/middleware.ts                               | 2 +-
 apps/web/src/{next-auth.confg.ts => next-auth.config.ts} | 4 +++-
 apps/web/src/next-auth.ts                                | 2 +-
 package.json                                             | 3 ++-
 yarn.lock                                                | 6 +++---
 5 files changed, 10 insertions(+), 7 deletions(-)
 rename apps/web/src/{next-auth.confg.ts => next-auth.config.ts} (73%)

diff --git a/apps/web/src/middleware.ts b/apps/web/src/middleware.ts
index 5a3091edb18..6bb267c12c5 100644
--- a/apps/web/src/middleware.ts
+++ b/apps/web/src/middleware.ts
@@ -4,7 +4,7 @@ import { NextResponse } from "next/server";
 import NextAuth from "next-auth";
 
 import { getLocaleFromHeader } from "@/app/guest";
-import { nextAuthConfig } from "@/next-auth.confg";
+import { nextAuthConfig } from "@/next-auth.config";
 
 const { auth } = NextAuth(nextAuthConfig);
 
diff --git a/apps/web/src/next-auth.confg.ts b/apps/web/src/next-auth.config.ts
similarity index 73%
rename from apps/web/src/next-auth.confg.ts
rename to apps/web/src/next-auth.config.ts
index dc8fccd681f..0af3435d047 100644
--- a/apps/web/src/next-auth.confg.ts
+++ b/apps/web/src/next-auth.config.ts
@@ -1,9 +1,11 @@
 import type { NextAuthConfig } from "next-auth";
 
+import { env } from "@/env";
+
 export const nextAuthConfig = {
   session: {
     strategy: "jwt",
   },
-  secret: process.env.SECRET_PASSWORD,
+  secret: env.SECRET_PASSWORD,
   providers: [],
 } satisfies NextAuthConfig;
diff --git a/apps/web/src/next-auth.ts b/apps/web/src/next-auth.ts
index d6994c5d633..5595349ce6a 100644
--- a/apps/web/src/next-auth.ts
+++ b/apps/web/src/next-auth.ts
@@ -13,7 +13,7 @@ import { GuestProvider } from "./auth/providers/guest";
 import { MicrosoftProvider } from "./auth/providers/microsoft";
 import { OIDCProvider } from "./auth/providers/oidc";
 import { RegistrationTokenProvider } from "./auth/providers/registration-token";
-import { nextAuthConfig } from "./next-auth.confg";
+import { nextAuthConfig } from "./next-auth.config";
 
 export const { auth, handlers, signIn, signOut } = NextAuth({
   ...nextAuthConfig,
diff --git a/package.json b/package.json
index ea99c415abf..3c74556aa6a 100644
--- a/package.json
+++ b/package.json
@@ -58,5 +58,6 @@
   "engines": {
     "node": "20.x"
   },
-  "packageManager": "yarn@1.22.22"
+  "packageManager": "yarn@1.22.22",
+  "dependencies": {}
 }
diff --git a/yarn.lock b/yarn.lock
index aed956af547..39c02f94cf5 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -7545,9 +7545,9 @@ camelcase@^6.2.0:
   integrity sha512-Gmy6FhYlCY7uOElZUSbxo2UCDH8owEk996gkbrpsgGtrJLM3J7jGxl9Ic7Qwwj4ivOE5AWZWRMecDdF7hqGjFA==
 
 caniuse-lite@^1.0.30001406, caniuse-lite@^1.0.30001426, caniuse-lite@^1.0.30001449, caniuse-lite@^1.0.30001464, caniuse-lite@^1.0.30001579, caniuse-lite@^1.0.30001580, caniuse-lite@^1.0.30001629:
-  version "1.0.30001636"
-  resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001636.tgz#b15f52d2bdb95fad32c2f53c0b68032b85188a78"
-  integrity sha512-bMg2vmr8XBsbL6Lr0UHXy/21m84FTxDLWn2FSqMd5PrlbMxwJlQnC2YWYxVgp66PZE+BBNF2jYQUBKCo1FDeZg==
+  version "1.0.30001697"
+  resolved "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001697.tgz"
+  integrity sha512-GwNPlWJin8E+d7Gxq96jxM6w0w+VFeyyXRsjU58emtkYqnbwHqXm5uT2uCmO0RQE9htWknOP4xtBlLmM/gWxvQ==
 
 ccount@^2.0.0:
   version "2.0.1"

From 811e2860679e0cdee5eb7fa77622e04a2005501f Mon Sep 17 00:00:00 2001
From: Luke Vella <me@lukevella.com>
Date: Thu, 6 Feb 2025 16:12:17 +0700
Subject: [PATCH 07/18] More fixes

---
 apps/web/src/app/[locale]/(auth)/login/page.tsx | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/apps/web/src/app/[locale]/(auth)/login/page.tsx b/apps/web/src/app/[locale]/(auth)/login/page.tsx
index 34c2ba8a50e..2162676e1af 100644
--- a/apps/web/src/app/[locale]/(auth)/login/page.tsx
+++ b/apps/web/src/app/[locale]/(auth)/login/page.tsx
@@ -1,7 +1,6 @@
 import Link from "next/link";
 import { Trans } from "react-i18next/TransWithoutContext";
 
-import { getOptionalProviders } from "@/auth/get-optional-providers";
 import { GoogleProvider } from "@/auth/providers/google";
 import { MicrosoftProvider } from "@/auth/providers/microsoft";
 import { OIDCProvider } from "@/auth/providers/oidc";
@@ -29,15 +28,10 @@ export default async function LoginPage({
   };
 }) {
   const { t } = await getTranslation();
-  const oAuthProviders = getOptionalProviders().map((provider) => ({
-    id: provider.options,
-    name: provider.name,
-  }));
-
-  const hasAlternateLoginMethods = oAuthProviders.length > 0;
 
   const oidcProvider = OIDCProvider();
   const socialProviders = [GoogleProvider(), MicrosoftProvider()];
+  const hasAlternateLoginMethods = socialProviders.length > 0 || !!oidcProvider;
 
   return (
     <AuthPageContainer>

From 519ada21775c994b15368ecdfaa930fd1d9f0427 Mon Sep 17 00:00:00 2001
From: Luke Vella <me@lukevella.com>
Date: Thu, 6 Feb 2025 16:16:27 +0700
Subject: [PATCH 08/18] Fix

---
 .../app/[locale]/(auth)/register/verify/components/otp-form.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/web/src/app/[locale]/(auth)/register/verify/components/otp-form.tsx b/apps/web/src/app/[locale]/(auth)/register/verify/components/otp-form.tsx
index a82371f1e23..844898ae787 100644
--- a/apps/web/src/app/[locale]/(auth)/register/verify/components/otp-form.tsx
+++ b/apps/web/src/app/[locale]/(auth)/register/verify/components/otp-form.tsx
@@ -68,7 +68,7 @@ export function OTPForm({ token }: { token: string }) {
 
     signIn("registration-token", {
       token,
-      callbackUrl: searchParams?.get("callbackUrl") ?? "/",
+      redirectTo: searchParams?.get("callbackUrl") ?? "/",
     });
   });
 

From 7b0acd951e2b8a3fcd07d1069d938783bf07be76 Mon Sep 17 00:00:00 2001
From: Luke Vella <me@lukevella.com>
Date: Thu, 6 Feb 2025 16:18:36 +0700
Subject: [PATCH 09/18] Rename callbackUrl to redirectTo

---
 .../[locale]/(auth)/login/components/login-email-form.tsx | 8 ++++----
 .../[locale]/(auth)/login/components/login-with-oidc.tsx  | 6 +++---
 .../app/[locale]/(auth)/login/components/sso-provider.tsx | 6 +++---
 apps/web/src/app/[locale]/(auth)/login/page.tsx           | 6 +++---
 .../[locale]/(auth)/login/verify/components/otp-form.tsx  | 2 +-
 .../(auth)/register/verify/components/otp-form.tsx        | 2 +-
 apps/web/src/app/api/user/verify-email-change/route.ts    | 2 +-
 apps/web/src/components/login-link.tsx                    | 2 +-
 apps/web/src/components/register-link.tsx                 | 2 +-
 apps/web/src/middleware.ts                                | 2 +-
 apps/web/tests/create-delete-poll.spec.ts                 | 2 +-
 11 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/apps/web/src/app/[locale]/(auth)/login/components/login-email-form.tsx b/apps/web/src/app/[locale]/(auth)/login/components/login-email-form.tsx
index 141e281f365..5c8a2692058 100644
--- a/apps/web/src/app/[locale]/(auth)/login/components/login-email-form.tsx
+++ b/apps/web/src/app/[locale]/(auth)/login/components/login-email-form.tsx
@@ -53,13 +53,13 @@ export function LoginWithEmailForm() {
           if (doesExist) {
             await signIn("email", {
               email: identifier,
-              redirectTo: searchParams?.get("callbackUrl") ?? undefined,
+              redirectTo: searchParams?.get("redirectTo") ?? undefined,
               redirect: false,
             });
-            // redirect to verify page with callbackUrl
+            // redirect to verify page with redirectTo
             router.push(
-              `/login/verify?callbackUrl=${encodeURIComponent(
-                searchParams?.get("callbackUrl") ?? "",
+              `/login/verify?redirectTo=${encodeURIComponent(
+                searchParams?.get("redirectTo") ?? "",
               )}`,
             );
           } else {
diff --git a/apps/web/src/app/[locale]/(auth)/login/components/login-with-oidc.tsx b/apps/web/src/app/[locale]/(auth)/login/components/login-with-oidc.tsx
index 083124ddb78..ebe251b2831 100644
--- a/apps/web/src/app/[locale]/(auth)/login/components/login-with-oidc.tsx
+++ b/apps/web/src/app/[locale]/(auth)/login/components/login-with-oidc.tsx
@@ -6,16 +6,16 @@ import { Trans } from "@/components/trans";
 
 export async function LoginWithOIDC({
   name,
-  callbackUrl,
+  redirectTo,
 }: {
   name: string;
-  callbackUrl?: string;
+  redirectTo?: string;
 }) {
   return (
     <Button
       onClick={() => {
         signIn("oidc", {
-          redirectTo: callbackUrl,
+          redirectTo: redirectTo,
         });
       }}
       variant="link"
diff --git a/apps/web/src/app/[locale]/(auth)/login/components/sso-provider.tsx b/apps/web/src/app/[locale]/(auth)/login/components/sso-provider.tsx
index cf3ff306fdd..1e0ec531999 100644
--- a/apps/web/src/app/[locale]/(auth)/login/components/sso-provider.tsx
+++ b/apps/web/src/app/[locale]/(auth)/login/components/sso-provider.tsx
@@ -40,11 +40,11 @@ function SSOImage({ provider }: { provider: string }) {
 export function SSOProvider({
   providerId,
   name,
-  callbackUrl,
+  redirectTo,
 }: {
   providerId: string;
   name: string;
-  callbackUrl?: string;
+  redirectTo?: string;
 }) {
   const { t } = useTranslation();
   return (
@@ -58,7 +58,7 @@ export function SSOProvider({
       key={providerId}
       onClick={() => {
         signIn(providerId, {
-          redirectTo: callbackUrl,
+          redirectTo: redirectTo,
         });
       }}
     >
diff --git a/apps/web/src/app/[locale]/(auth)/login/page.tsx b/apps/web/src/app/[locale]/(auth)/login/page.tsx
index 2162676e1af..9750322fb23 100644
--- a/apps/web/src/app/[locale]/(auth)/login/page.tsx
+++ b/apps/web/src/app/[locale]/(auth)/login/page.tsx
@@ -24,7 +24,7 @@ export default async function LoginPage({
   searchParams,
 }: {
   searchParams?: {
-    callbackUrl?: string;
+    redirectTo?: string;
   };
 }) {
   const { t } = await getTranslation();
@@ -54,7 +54,7 @@ export default async function LoginPage({
         {oidcProvider ? (
           <LoginWithOIDC
             name={oidcProvider.name}
-            callbackUrl={searchParams?.callbackUrl}
+            redirectTo={searchParams?.redirectTo}
           />
         ) : null}
         {socialProviders ? (
@@ -65,7 +65,7 @@ export default async function LoginPage({
                   key={provider.id}
                   providerId={provider.id}
                   name={provider.options?.name || provider.name}
-                  callbackUrl={searchParams?.callbackUrl}
+                  redirectTo={searchParams?.redirectTo}
                 />
               ) : null,
             )}
diff --git a/apps/web/src/app/[locale]/(auth)/login/verify/components/otp-form.tsx b/apps/web/src/app/[locale]/(auth)/login/verify/components/otp-form.tsx
index d0b432bd23a..d9d21e2be5e 100644
--- a/apps/web/src/app/[locale]/(auth)/login/verify/components/otp-form.tsx
+++ b/apps/web/src/app/[locale]/(auth)/login/verify/components/otp-form.tsx
@@ -50,7 +50,7 @@ export function OTPForm({ email }: { email: string }) {
         message: t("wrongVerificationCode"),
       });
     } else {
-      window.location.href = searchParams?.get("callbackUrl") ?? "/";
+      window.location.href = searchParams?.get("redirectTo") ?? "/";
     }
   });
 
diff --git a/apps/web/src/app/[locale]/(auth)/register/verify/components/otp-form.tsx b/apps/web/src/app/[locale]/(auth)/register/verify/components/otp-form.tsx
index 844898ae787..fcc5289a028 100644
--- a/apps/web/src/app/[locale]/(auth)/register/verify/components/otp-form.tsx
+++ b/apps/web/src/app/[locale]/(auth)/register/verify/components/otp-form.tsx
@@ -68,7 +68,7 @@ export function OTPForm({ token }: { token: string }) {
 
     signIn("registration-token", {
       token,
-      redirectTo: searchParams?.get("callbackUrl") ?? "/",
+      redirectTo: searchParams?.get("redirectTo") ?? "/",
     });
   });
 
diff --git a/apps/web/src/app/api/user/verify-email-change/route.ts b/apps/web/src/app/api/user/verify-email-change/route.ts
index 9ebe60d6fe8..b941013e9ac 100644
--- a/apps/web/src/app/api/user/verify-email-change/route.ts
+++ b/apps/web/src/app/api/user/verify-email-change/route.ts
@@ -54,7 +54,7 @@ export const GET = async (request: NextRequest) => {
 
   if (!session?.user || !session.user.email) {
     return NextResponse.redirect(
-      new URL(`/login?callbackUrl=${request.url}`, request.url),
+      new URL(`/login?redirectTo=${request.url}`, request.url),
     );
   }
 
diff --git a/apps/web/src/components/login-link.tsx b/apps/web/src/components/login-link.tsx
index ce69d2b0ab0..1902ccfbac4 100644
--- a/apps/web/src/components/login-link.tsx
+++ b/apps/web/src/components/login-link.tsx
@@ -12,7 +12,7 @@ export const LoginLink = React.forwardRef<
     <Link
       ref={ref}
       {...props}
-      href={`/login?callbackUrl=${encodeURIComponent(pathname)}`}
+      href={`/login?redirectTo=${encodeURIComponent(pathname)}`}
     >
       {children}
     </Link>
diff --git a/apps/web/src/components/register-link.tsx b/apps/web/src/components/register-link.tsx
index ab6829441e5..a8cfccc4bc6 100644
--- a/apps/web/src/components/register-link.tsx
+++ b/apps/web/src/components/register-link.tsx
@@ -17,7 +17,7 @@ export const RegisterLink = React.forwardRef<
       onClick={async (e) => {
         e.preventDefault();
         props.onClick?.(e);
-        router.push("/register?callbackUrl=" + encodeURIComponent(pathname));
+        router.push("/register?redirectTo=" + encodeURIComponent(pathname));
       }}
     >
       {children}
diff --git a/apps/web/src/middleware.ts b/apps/web/src/middleware.ts
index 6bb267c12c5..4a573f144cf 100644
--- a/apps/web/src/middleware.ts
+++ b/apps/web/src/middleware.ts
@@ -40,7 +40,7 @@ export default auth(async (req) => {
     !publicRoutes.some((route) => newUrl.pathname.startsWith(route))
   ) {
     if (newUrl.pathname !== "/") {
-      newUrl.searchParams.set("callbackUrl", newUrl.pathname);
+      newUrl.searchParams.set("redirectTo", newUrl.pathname);
     }
     newUrl.pathname = "/login";
     return NextResponse.redirect(newUrl);
diff --git a/apps/web/tests/create-delete-poll.spec.ts b/apps/web/tests/create-delete-poll.spec.ts
index b688a0704b5..78a6bca442f 100644
--- a/apps/web/tests/create-delete-poll.spec.ts
+++ b/apps/web/tests/create-delete-poll.spec.ts
@@ -31,6 +31,6 @@ test.describe.serial(() => {
 
     deletePollDialog.getByRole("button", { name: "delete" }).click();
 
-    await expect(page).toHaveURL("/login?callbackUrl=%2Fpolls");
+    await expect(page).toHaveURL("/login?redirectTo=%2Fpolls");
   });
 });

From 80209d7a594159ebcf780bd6c318c0e354cead57 Mon Sep 17 00:00:00 2001
From: Luke Vella <me@lukevella.com>
Date: Fri, 7 Feb 2025 09:43:47 +0700
Subject: [PATCH 10/18] Move session callback to shared next-auth config

---
 .../src/components/poll/language-selector.tsx |  2 +-
 apps/web/src/next-auth.config.ts              | 12 ++++
 apps/web/src/next-auth.ts                     | 72 +++++++++----------
 3 files changed, 45 insertions(+), 41 deletions(-)

diff --git a/apps/web/src/components/poll/language-selector.tsx b/apps/web/src/components/poll/language-selector.tsx
index 24d6a7c37d8..9b5940b17a0 100644
--- a/apps/web/src/components/poll/language-selector.tsx
+++ b/apps/web/src/components/poll/language-selector.tsx
@@ -18,7 +18,7 @@ export const LanguageSelect: React.FunctionComponent<{
   return (
     <Select value={value} onValueChange={onChange}>
       <SelectTrigger asChild className={className}>
-        <Button variant="ghost">
+        <Button>
           <Icon>
             <GlobeIcon />
           </Icon>
diff --git a/apps/web/src/next-auth.config.ts b/apps/web/src/next-auth.config.ts
index 0af3435d047..1b35cd13cd4 100644
--- a/apps/web/src/next-auth.config.ts
+++ b/apps/web/src/next-auth.config.ts
@@ -1,3 +1,4 @@
+import type { TimeFormat } from "@rallly/database";
 import type { NextAuthConfig } from "next-auth";
 
 import { env } from "@/env";
@@ -8,4 +9,15 @@ export const nextAuthConfig = {
   },
   secret: env.SECRET_PASSWORD,
   providers: [],
+  callbacks: {
+    async session({ session, token }) {
+      session.user.id = token.sub as string;
+      session.user.email = token.email as string;
+      session.user.locale = token.locale as string;
+      session.user.timeFormat = token.timeFormat as TimeFormat;
+      session.user.timeZone = token.timeZone as string;
+      session.user.weekStart = token.weekStart as number;
+      return session;
+    },
+  },
 } satisfies NextAuthConfig;
diff --git a/apps/web/src/next-auth.ts b/apps/web/src/next-auth.ts
index 5595349ce6a..3e99e3a65f2 100644
--- a/apps/web/src/next-auth.ts
+++ b/apps/web/src/next-auth.ts
@@ -1,4 +1,3 @@
-import type { TimeFormat } from "@rallly/database";
 import { prisma } from "@rallly/database";
 import { posthog } from "@rallly/posthog/server";
 import NextAuth from "next-auth";
@@ -17,7 +16,6 @@ import { nextAuthConfig } from "./next-auth.config";
 
 export const { auth, handlers, signIn, signOut } = NextAuth({
   ...nextAuthConfig,
-
   adapter: CustomPrismaAdapter({
     migrateData: async (userId) => {
       const session = await auth();
@@ -62,6 +60,7 @@ export const { auth, handlers, signIn, signOut } = NextAuth({
     },
   },
   callbacks: {
+    ...nextAuthConfig.callbacks,
     async signIn({ user, email, profile }) {
       const distinctId = user.id;
       // prevent sign in if email is not verified
@@ -118,49 +117,42 @@ export const { auth, handlers, signIn, signOut } = NextAuth({
 
       return true;
     },
-    async jwt({ token, session }) {
-      const userId = token.sub;
-      const isGuest = userId?.startsWith("guest-");
-      if (userId && !isGuest) {
-        const user = await prisma.user.findUnique({
-          where: {
-            id: userId,
-          },
-          select: {
-            email: true,
-            locale: true,
-            timeFormat: true,
-            timeZone: true,
-            weekStart: true,
-          },
-        });
-
-        if (user) {
-          token.email = user.email;
-          token.locale = user.locale;
-          token.timeFormat = user.timeFormat;
-          token.timeZone = user.timeZone;
-          token.weekStart = user.weekStart;
+    async jwt({ token, session, trigger }) {
+      if (trigger === "update") {
+        if (session) {
+          Object.entries(session).forEach(([key, value]) => {
+            token[key] = value;
+          });
         }
-      }
+      } else {
+        const userId = token.sub;
+        const isGuest = userId?.startsWith("guest-");
 
-      if (session) {
-        token.locale = session.user.locale;
-        token.timeFormat = session.user.timeFormat;
-        token.timeZone = session.user.timeZone;
-        token.weekStart = session.user.weekStart;
+        if (userId && !isGuest) {
+          const user = await prisma.user.findUnique({
+            where: {
+              id: userId,
+            },
+            select: {
+              email: true,
+              locale: true,
+              timeFormat: true,
+              timeZone: true,
+              weekStart: true,
+            },
+          });
+
+          if (user) {
+            token.email = user.email;
+            token.locale = user.locale;
+            token.timeFormat = user.timeFormat;
+            token.timeZone = user.timeZone;
+            token.weekStart = user.weekStart;
+          }
+        }
       }
 
       return token;
     },
-    async session({ session, token }) {
-      session.user.id = token.sub as string;
-      session.user.email = token.email as string;
-      session.user.locale = token.locale as string;
-      session.user.timeFormat = token.timeFormat as TimeFormat;
-      session.user.timeZone = token.timeZone as string;
-      session.user.weekStart = token.weekStart as number;
-      return session;
-    },
   },
 });

From 3326b2c7ff5ac3f6233784959eff29d9ff413b7f Mon Sep 17 00:00:00 2001
From: Luke Vella <me@lukevella.com>
Date: Fri, 7 Feb 2025 09:54:00 +0700
Subject: [PATCH 11/18] Parse session update

---
 apps/web/declarations/next-auth.d.ts |  1 +
 apps/web/src/next-auth.config.ts     |  9 ++++-----
 apps/web/src/next-auth.ts            | 15 +++++++++++++--
 3 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/apps/web/declarations/next-auth.d.ts b/apps/web/declarations/next-auth.d.ts
index 9f5f276a164..8472d7500fa 100644
--- a/apps/web/declarations/next-auth.d.ts
+++ b/apps/web/declarations/next-auth.d.ts
@@ -12,6 +12,7 @@ declare module "next-auth" {
   interface Session {
     user?: {
       id: string;
+      email?: string | null;
       timeZone?: string | null;
       timeFormat?: TimeFormat | null;
       locale?: string | null;
diff --git a/apps/web/src/next-auth.config.ts b/apps/web/src/next-auth.config.ts
index 1b35cd13cd4..e521aa68822 100644
--- a/apps/web/src/next-auth.config.ts
+++ b/apps/web/src/next-auth.config.ts
@@ -1,4 +1,3 @@
-import type { TimeFormat } from "@rallly/database";
 import type { NextAuthConfig } from "next-auth";
 
 import { env } from "@/env";
@@ -13,10 +12,10 @@ export const nextAuthConfig = {
     async session({ session, token }) {
       session.user.id = token.sub as string;
       session.user.email = token.email as string;
-      session.user.locale = token.locale as string;
-      session.user.timeFormat = token.timeFormat as TimeFormat;
-      session.user.timeZone = token.timeZone as string;
-      session.user.weekStart = token.weekStart as number;
+      session.user.locale = token.locale;
+      session.user.timeFormat = token.timeFormat;
+      session.user.timeZone = token.timeZone;
+      session.user.weekStart = token.weekStart;
       return session;
     },
   },
diff --git a/apps/web/src/next-auth.ts b/apps/web/src/next-auth.ts
index 3e99e3a65f2..be930b5bed3 100644
--- a/apps/web/src/next-auth.ts
+++ b/apps/web/src/next-auth.ts
@@ -2,6 +2,7 @@ import { prisma } from "@rallly/database";
 import { posthog } from "@rallly/posthog/server";
 import NextAuth from "next-auth";
 import type { Provider } from "next-auth/providers";
+import z from "zod";
 
 import { CustomPrismaAdapter } from "./auth/adapters/prisma";
 import { isEmailBlocked } from "./auth/is-email-blocked";
@@ -14,6 +15,13 @@ import { OIDCProvider } from "./auth/providers/oidc";
 import { RegistrationTokenProvider } from "./auth/providers/registration-token";
 import { nextAuthConfig } from "./next-auth.config";
 
+const sessionUpdateSchema = z.object({
+  locale: z.string().nullish(),
+  timeFormat: z.enum(["12h", "24h"]).nullish(),
+  timeZone: z.string().nullish(),
+  weekStart: z.number().nullish(),
+});
+
 export const { auth, handlers, signIn, signOut } = NextAuth({
   ...nextAuthConfig,
   adapter: CustomPrismaAdapter({
@@ -119,10 +127,13 @@ export const { auth, handlers, signIn, signOut } = NextAuth({
     },
     async jwt({ token, session, trigger }) {
       if (trigger === "update") {
-        if (session) {
-          Object.entries(session).forEach(([key, value]) => {
+        const parsed = sessionUpdateSchema.safeParse(session);
+        if (parsed.success) {
+          Object.entries(parsed.data).forEach(([key, value]) => {
             token[key] = value;
           });
+        } else {
+          console.error(parsed.error);
         }
       } else {
         const userId = token.sub;

From 0375ec1cdfcc9daa07f670971d964621fd966c06 Mon Sep 17 00:00:00 2001
From: Luke Vella <me@lukevella.com>
Date: Fri, 7 Feb 2025 10:22:03 +0700
Subject: [PATCH 12/18] Move authorization code to next-auth config

---
 apps/web/src/middleware.ts       | 24 -----------------------
 apps/web/src/next-auth.config.ts | 33 ++++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 24 deletions(-)

diff --git a/apps/web/src/middleware.ts b/apps/web/src/middleware.ts
index 4a573f144cf..0964e40740f 100644
--- a/apps/web/src/middleware.ts
+++ b/apps/web/src/middleware.ts
@@ -10,18 +10,6 @@ const { auth } = NextAuth(nextAuthConfig);
 
 const supportedLocales = Object.keys(languages);
 
-const publicRoutes = [
-  "/login",
-  "/register",
-  "/invite/",
-  "/poll/",
-  "/auth/login",
-];
-
-if (process.env.QUICK_CREATE_ENABLED === "true") {
-  publicRoutes.push("/quick-create", "/new");
-}
-
 export default auth(async (req) => {
   const { nextUrl } = req;
   const newUrl = nextUrl.clone();
@@ -34,18 +22,6 @@ export default auth(async (req) => {
     return NextResponse.redirect(newUrl);
   }
 
-  // if the user is not logged in and the page is not public, redirect to login
-  if (
-    !isLoggedIn &&
-    !publicRoutes.some((route) => newUrl.pathname.startsWith(route))
-  ) {
-    if (newUrl.pathname !== "/") {
-      newUrl.searchParams.set("redirectTo", newUrl.pathname);
-    }
-    newUrl.pathname = "/login";
-    return NextResponse.redirect(newUrl);
-  }
-
   // Check if locale is specified in cookie
   let locale = req.auth?.user?.locale;
   if (locale && supportedLocales.includes(locale)) {
diff --git a/apps/web/src/next-auth.config.ts b/apps/web/src/next-auth.config.ts
index e521aa68822..44bfa9792f7 100644
--- a/apps/web/src/next-auth.config.ts
+++ b/apps/web/src/next-auth.config.ts
@@ -1,7 +1,25 @@
+import { NextResponse } from "next/server";
 import type { NextAuthConfig } from "next-auth";
 
 import { env } from "@/env";
+import { isQuickCreateEnabled } from "@/features/quick-create/constants";
 
+const publicRoutes = [
+  "/login",
+  "/register",
+  "/invite/",
+  "/poll/",
+  "/auth/login",
+];
+
+if (isQuickCreateEnabled) {
+  publicRoutes.push("/quick-create", "/new");
+}
+
+/**
+ * We split the next-auth config so that we can create an edge compatible instance that is
+ * used in middleware.
+ */
 export const nextAuthConfig = {
   session: {
     strategy: "jwt",
@@ -18,5 +36,20 @@ export const nextAuthConfig = {
       session.user.weekStart = token.weekStart;
       return session;
     },
+    async authorized({ request, auth }) {
+      const { nextUrl } = request;
+      const isLoggedIn = !!auth?.user?.email;
+      const isPublicRoute = publicRoutes.some((route) =>
+        nextUrl.pathname.startsWith(route),
+      );
+      if (isLoggedIn || isPublicRoute) {
+        return true;
+      }
+      const redirectUrl = new URL("/login", request.url);
+      if (nextUrl.pathname !== "/") {
+        redirectUrl.searchParams.set("redirectTo", nextUrl.href);
+      }
+      return NextResponse.redirect(redirectUrl);
+    },
   },
 } satisfies NextAuthConfig;

From 3dcbd49716ec914d1a109ea27cab08e73e0b5864 Mon Sep 17 00:00:00 2001
From: Luke Vella <me@lukevella.com>
Date: Fri, 7 Feb 2025 10:30:50 +0700
Subject: [PATCH 13/18] Update

---
 apps/web/declarations/next-auth.d.ts | 1 -
 1 file changed, 1 deletion(-)

diff --git a/apps/web/declarations/next-auth.d.ts b/apps/web/declarations/next-auth.d.ts
index 8472d7500fa..9f5f276a164 100644
--- a/apps/web/declarations/next-auth.d.ts
+++ b/apps/web/declarations/next-auth.d.ts
@@ -12,7 +12,6 @@ declare module "next-auth" {
   interface Session {
     user?: {
       id: string;
-      email?: string | null;
       timeZone?: string | null;
       timeFormat?: TimeFormat | null;
       locale?: string | null;

From dfbe501539002e5f14ca2db3178237494b208811 Mon Sep 17 00:00:00 2001
From: Luke Vella <me@lukevella.com>
Date: Fri, 7 Feb 2025 10:40:05 +0700
Subject: [PATCH 14/18] Update redirect

---
 apps/web/src/next-auth.config.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/web/src/next-auth.config.ts b/apps/web/src/next-auth.config.ts
index 44bfa9792f7..7855d64e1c7 100644
--- a/apps/web/src/next-auth.config.ts
+++ b/apps/web/src/next-auth.config.ts
@@ -47,7 +47,8 @@ export const nextAuthConfig = {
       }
       const redirectUrl = new URL("/login", request.url);
       if (nextUrl.pathname !== "/") {
-        redirectUrl.searchParams.set("redirectTo", nextUrl.href);
+        const redirectPath = nextUrl.pathname + nextUrl.search;
+        redirectUrl.searchParams.set("redirectTo", redirectPath);
       }
       return NextResponse.redirect(redirectUrl);
     },

From 40e71cbdc14d5a9470a479bc4ee273f0b5c32271 Mon Sep 17 00:00:00 2001
From: Luke Vella <me@lukevella.com>
Date: Fri, 7 Feb 2025 12:10:40 +0700
Subject: [PATCH 15/18] Avoid network resolution

---
 apps/web/.env.test | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/web/.env.test b/apps/web/.env.test
index 10a8391217d..211b6be2742 100644
--- a/apps/web/.env.test
+++ b/apps/web/.env.test
@@ -4,6 +4,6 @@ NEXTAUTH_URL=$NEXT_PUBLIC_BASE_URL
 SECRET_PASSWORD=abcdef1234567890abcdef1234567890
 DATABASE_URL=postgres://postgres:postgres@localhost:5450/rallly
 SUPPORT_EMAIL=support@rallly.co
-SMTP_HOST=localhost
+SMTP_HOST=0.0.0.0
 SMTP_PORT=1025
 QUICK_CREATE_ENABLED=true
\ No newline at end of file

From 5fb2085195637e0155886b4e1ccee0d1704dc0e2 Mon Sep 17 00:00:00 2001
From: Luke Vella <me@lukevella.com>
Date: Fri, 7 Feb 2025 12:21:18 +0700
Subject: [PATCH 16/18] Update public routes

---
 apps/web/src/next-auth.config.ts | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/apps/web/src/next-auth.config.ts b/apps/web/src/next-auth.config.ts
index 7855d64e1c7..ec9ede4bc31 100644
--- a/apps/web/src/next-auth.config.ts
+++ b/apps/web/src/next-auth.config.ts
@@ -4,13 +4,7 @@ import type { NextAuthConfig } from "next-auth";
 import { env } from "@/env";
 import { isQuickCreateEnabled } from "@/features/quick-create/constants";
 
-const publicRoutes = [
-  "/login",
-  "/register",
-  "/invite/",
-  "/poll/",
-  "/auth/login",
-];
+const publicRoutes = ["/login", "/register", "/invite/", "/poll/", "/auth"];
 
 if (isQuickCreateEnabled) {
   publicRoutes.push("/quick-create", "/new");

From 7876b9c036ef1731a3faa9a35a45ced491bfce6c Mon Sep 17 00:00:00 2001
From: Luke Vella <me@lukevella.com>
Date: Sat, 8 Feb 2025 09:23:51 +0700
Subject: [PATCH 17/18] Error handling

---
 apps/web/i18next-scanner.config.js             |  2 +-
 apps/web/public/locales/en/app.json            |  7 ++-----
 .../auth/login/components/login-page.tsx       | 18 +++++++++++++++---
 3 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/apps/web/i18next-scanner.config.js b/apps/web/i18next-scanner.config.js
index 04cb299b958..51accfa191c 100644
--- a/apps/web/i18next-scanner.config.js
+++ b/apps/web/i18next-scanner.config.js
@@ -1,7 +1,7 @@
 const typescriptTransform = require("i18next-scanner-typescript");
 
 module.exports = {
-  input: ["src/**/*.{ts,tsx}", "!src/auth.ts"],
+  input: ["src/**/*.{ts,tsx}", "!src/next-auth*.ts"],
   options: {
     nsSeparator: false,
     defaultNs: "app",
diff --git a/apps/web/public/locales/en/app.json b/apps/web/public/locales/en/app.json
index 39c7aa7e146..262a80ef210 100644
--- a/apps/web/public/locales/en/app.json
+++ b/apps/web/public/locales/en/app.json
@@ -32,7 +32,6 @@
   "emailNotAllowed": "This email is not allowed.",
   "emailPlaceholder": "jessie.smith@example.com",
   "exportToCsv": "Export to CSV",
-  "forgetMe": "Forget me",
   "guest": "Guest",
   "ifNeedBe": "If need be",
   "location": "Location",
@@ -199,9 +198,6 @@
   "pollStatusFinalized": "Finalized",
   "share": "Share",
   "noParticipants": "No participants",
-  "userId": "User ID",
-  "aboutGuest": "Guest User",
-  "aboutGuestDescription": "Profile settings are not available for guest users. <0>Sign in</0> to your existing account or <1>create a new account</1> to customize your profile.",
   "logoutDescription": "Sign out of your existing session",
   "events": "Events",
   "inviteParticipantsDescription": "Copy and share the invite link to start gathering responses from your participants.",
@@ -305,5 +301,6 @@
   "registerVerifyDescription": "Check your email for the verification code",
   "loginVerifyTitle": "Finish Logging In",
   "loginVerifyDescription": "Check your email for the verification code",
-  "createAccount": "Create Account"
+  "createAccount": "Create Account",
+  "loginMagicLinkError": "This link is invalid or expired. Please request a new link."
 }
diff --git a/apps/web/src/app/[locale]/(auth)/auth/login/components/login-page.tsx b/apps/web/src/app/[locale]/(auth)/auth/login/components/login-page.tsx
index 04ed2e88414..4cefcc81253 100644
--- a/apps/web/src/app/[locale]/(auth)/auth/login/components/login-page.tsx
+++ b/apps/web/src/app/[locale]/(auth)/auth/login/components/login-page.tsx
@@ -4,10 +4,12 @@ import { Button } from "@rallly/ui/button";
 import { useMutation } from "@tanstack/react-query";
 import { useRouter } from "next/navigation";
 import { useSession } from "next-auth/react";
+import React from "react";
 
 import { OptimizedAvatarImage } from "@/components/optimized-avatar-image";
 import { Skeleton } from "@/components/skeleton";
 import { Trans } from "@/components/trans";
+import { useTranslation } from "@/i18n/client";
 import { trpc } from "@/trpc/client";
 
 type PageProps = { magicLink: string; email: string };
@@ -15,9 +17,12 @@ type PageProps = { magicLink: string; email: string };
 export const LoginPage = ({ magicLink, email }: PageProps) => {
   const session = useSession();
   const posthog = usePostHog();
+  const { t } = useTranslation();
+  const [error, setError] = React.useState<string | null>(null);
+
   const magicLinkFetch = useMutation({
     mutationFn: async () => {
-      const res = await fetch(magicLink);
+      const res = await fetch(magicLink + "test");
       return res;
     },
     onSuccess: async (data) => {
@@ -31,9 +36,15 @@ export const LoginPage = ({ magicLink, email }: PageProps) => {
             name: updatedSession.user.name,
           });
         }
+        router.push(data.url);
+      } else {
+        setError(
+          t("loginMagicLinkError", {
+            defaultValue:
+              "This link is invalid or expired. Please request a new link.",
+          }),
+        );
       }
-
-      router.push(data.url);
     },
   });
   const { data } = trpc.user.getByEmail.useQuery({ email });
@@ -72,6 +83,7 @@ export const LoginPage = ({ magicLink, email }: PageProps) => {
             <Trans i18nKey="login" defaults="Login" />
           </Button>
         </div>
+        {error && <p className="text-destructive text-sm">{error}</p>}
       </div>
     </div>
   );

From 7d57138acd2f9362254ba5b83628b1157e5748f9 Mon Sep 17 00:00:00 2001
From: Luke Vella <me@lukevella.com>
Date: Sat, 8 Feb 2025 09:27:44 +0700
Subject: [PATCH 18/18] Remove suffix

---
 .../app/[locale]/(auth)/auth/login/components/login-page.tsx    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/web/src/app/[locale]/(auth)/auth/login/components/login-page.tsx b/apps/web/src/app/[locale]/(auth)/auth/login/components/login-page.tsx
index 4cefcc81253..ecf276892f4 100644
--- a/apps/web/src/app/[locale]/(auth)/auth/login/components/login-page.tsx
+++ b/apps/web/src/app/[locale]/(auth)/auth/login/components/login-page.tsx
@@ -22,7 +22,7 @@ export const LoginPage = ({ magicLink, email }: PageProps) => {
 
   const magicLinkFetch = useMutation({
     mutationFn: async () => {
-      const res = await fetch(magicLink + "test");
+      const res = await fetch(magicLink);
       return res;
     },
     onSuccess: async (data) => {