Allow to block authorization depending on whether it is a new user or not

[GermanJablo]

Description 📓

Problem

Currently, there is no easy and direct way to intervene in the authorization flow based on whether the user is new (signup) or not (login).

A user has proposed to verify some property that is not in both situations, but I don't know how reliable it is. Does it work in all circumstances? For all providers? Also, it's not self-evident or something that follows from the documentation. A user a few comments above in the same thread proposed a similar alternative, which ended up not working. As you can see, it is a workaround that is prone to errors.

Possible solutions:

1. Bring the isNewUser property also to the signIn callback (as requested here).
2. Allow events to block the authorization flow in some way (return boolean, throw error, etc.).
3. Extend next-auth to have signup and login as different processes. This would likely involve, but not necessarily be limited to:
   3.1. Add a new Signup callback (as requested here).
   3.2. Add a new Signup function (as requested here).

The third point is probably the hardest to implement and the one that would add the most complexity. I don't know to what extent it would be wrong since users and programmers actually think of creation and login as different concepts. Still, I think I lean more toward options 1 and 2.

In option 2, the events would end up being essentially the same as the callbacks.
Option 1, on the other hand, would be to add for an event, its corresponding callback that does not exist yet. Which would make the event technically unnecessary.
I wonder if actually "events" was a good abstraction and not just a few more callbacks should have been defined.

Background - Related References

The large number of posts, comments, and upvotes in the login vs signup topic indicate that this is something that users are frequently stumbling upon. Some examples:

• How to determine if is new user? #1578
• How do you prevent new signups? #736
• https://stackoverflow.com/questions/73369742/how-to-differentiate-nextauth-user-signin-and-signup
• Adding SignUp callback #4124
• Why is there no signup function? #945
• Auth0Provider - How to direct to signup instead of login page #7164
• Ability to hook into signup #1356
• https://stackoverflow.com/questions/70739015/next-auth-check-if-user-signs-in-for-the-first-time
• https://stackoverflow.com/questions/71397331/signup-from-next-auth-react-doesnt-exist

How to reproduce ☕️

N/A

Contributing 🙌🏽

No, I am afraid I cannot help regarding this

[kahveciderin]

I saw this issue yesterday and thought maybe I could contribute, so I've created a PR that hopefully fixes this.

[stale]

It looks like this issue did not receive any activity for 60 days. It will be closed in 7 days if no further activity occurs. If you think your issue is still relevant, commenting will keep it open. Thanks!

[thclark]

Massive upvote on this. I'm new to next-auth and am finding it to be really very well polished, so I'm very grateful!

However, this area of signup vs signin seems so massively, massively complicated when it should be simple!

[stale]

It looks like this issue did not receive any activity for 60 days. It will be closed in 7 days if no further activity occurs. If you think your issue is still relevant, commenting will keep it open. Thanks!

[GermanJablo]

keep it open please

[Luchanso]

next-auth: 5.0.0-beta.25 (but this must work on 4.24.8 and above

Solution for me:

export const { handlers, signIn, signOut, auth } = NextAuth((request) => ({
  trustHost: true,
  adapter: PrismaAdapter(prisma),
  providers,
  session: {
    maxAge: 24 * 60 * 60 * 365,
  },
  pages: {
    signIn: "/auth/signin",
    verifyRequest: "/auth/verify"
  },
  callbacks: {
    signIn: async (params) => {
      // if params.email don't exist in db, than return false;

      return true;
    }
  },
}));