authentication - Auth.js v5 Database Session Strategy for Credential Provider Session Is Returning Null

[dHarshMakwana]

My Setup: Auth.js Version: v5

Provider: Credential Provider

Session Strategy: Database

Framework: Nextjs 15

Database: Supabase Postgres

Adapter: Drizzle

Config.ts

import bcrypt from "bcrypt";
import { DrizzleAdapter } from "@auth/drizzle-adapter";
import type { DefaultSession, NextAuthConfig } from "next-auth";
import CredentialsProvider from "next-auth/providers/credentials";

import { db } from "~/server/db";
import {
  accounts,
  sessions,
  users,
  verificationTokens,
} from "~/server/db/schema";
import { loginSchema } from "~/validation/auth";
import { eq } from "drizzle-orm";

/**
 * Module augmentation for `next-auth` types. Allows us to add custom properties to the `session`
 * object and keep type safety.
 *
 * @see https://next-auth.js.org/getting-started/typescript#module-augmentation
 */
declare module "next-auth" {
  interface Session extends DefaultSession {
    user: {
      id: string;
    } & DefaultSession["user"];
  }
}

/**
 * Options for NextAuth.js used to configure adapters, providers, callbacks, etc.
 *
 * @see https://next-auth.js.org/configuration/options
 */
export const authConfig = {
  providers: [
    CredentialsProvider({
      name: "Credentials",
      credentials: {
        email: {
          label: "Email",
          type: "email",
          placeholder: "[email protected]",
        },
        password: { label: "Password", type: "password" },
      },
      authorize: async (credentials) => {
        const cred = await loginSchema.parseAsync(credentials);

        const user = await db.query.users.findFirst({
          where: eq(users.email, credentials.email as string),
        });

        if (!user) {
          return null;
        }

        const isValidPassword = bcrypt.compareSync(
          cred.password,
          user.password
        );

        if (!isValidPassword) {
          return null;
        }

        return {
          id: user.id,
          email: user.email,
          username: user.name,
        };
      },
    }),
  ],
  pages: {
    signIn: "/login",
    newUser: "/register",
    error: "/login",
  },
  adapter: DrizzleAdapter(db, {
    usersTable: users,
    accountsTable: accounts,
    sessionsTable: sessions,
    verificationTokensTable: verificationTokens,
  }),
  session: { strategy: "database" },
  callbacks: {
    session: ({ session, user }) => ({
      ...session,
      user: {
        ...session.user,
        id: user.id,
      },
    }),
  },
} satisfies NextAuthConfig;

I'm returning the user in the authorize function if it passes the conditions. Everything is working correctly, except I am not getting the sessions in the page.tsx file when invoking const session = await auth();.

Any insights or suggestions would be greatly appreciated!

Thank you!

[lwensveen]

Reply to #12848:

@dHarshMakwana I can confirm this issue with @auth/drizzle-adapter and have debugged some info:

├── @auth/[email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]

1. Credentials vs. OAuth Divergence

• ✅ OAuth (GitHub/Google):

  • Creates account, user, and session records
  • Full session persistence works end-to-end

• ❌ Credentials:

  • authorize() succeeds (returns valid user object)
  • No session record created (verified via direct DB queries)
  • Session cookie set with orphaned token (no DB backing)

2. The Orphaned Token Paradox

Debug logs show:

POST /callback/credentials 200  # Authentication succeeds
Auth debug: adapter_getSessionAndUser {
  args: ["eyJhbGciOiJkaXI..."]  # Valid token generated
}
session null  # But no session found in DB!

3. Findings

• 🔍 Token appears in adapter_getSessionAndUser calls
• 🗃️ Zero session records created for credentials flow
• 🤝 OAuth works perfectly with same adapter/DB
• ⏱️ Failure occurs between authorize() and session creation

4. Reproduction Steps

// NextAuth config
adapter: DrizzleAdapter(db),  // Same DB that works for OAuth
session: { strategy: "database" },
providers: [
  Credentials({ authorize: () => user }),  // Returns valid user
  GitHub  // Works perfectly
]

5. Evidence of Silent Failure

Manual verification confirms:

SELECT * FROM session WHERE session_token = 'eyJhbGci...'; 
-- Returns empty set despite token being in use

This suggests a systemic issue with how the credentials provider handles database sessions, not adapter-specific behavior.

[dHarshMakwana]

So while using credentials, we have to manually create a session in next to use the session strategy with credentials provider

[lwensveen]

As seen in the discord, this issue seems to affect more people https://discord.com/channels/1200116961590399008/1359446960162996365

I'm not quite sure how to approach this, I've tried opening an issue but they want you do supply an example app, I've looked at https://github.com/nextauthjs/next-auth-example but since we need a db we also need a way to run this db, we could hypothetically use Docker for this, but I haven't had the time yet to do this.