bug: next-auth 4.18 breaks auth
edit: turning this issue into the catchall next-auth 4.18 unstable_getServerSession issue because my original diagnosis was incorrect
Provide environment information
System:
OS: macOS 12.5.1
CPU: (8) arm64 Apple M1
Memory: 82.56 MB / 16.00 GB
Shell: 5.8.1 - /bin/zsh
Binaries:
Node: 16.16.0 - ~/.nvm/versions/node/v16.16.0/bin/node
Yarn: 1.22.19 - ~/Documents/dev/node_modules/.bin/yarn
npm: 8.11.0 - ~/.nvm/versions/node/v16.16.0/bin/npm
create-t3-app v 6.11.0
Describe the bug
Currently, installing a t3-app with next-auth but without prisma creates a project that doesn’t work out of the box and requires significant modification in order to get it working.

Error:
[next-auth][error][JWT_SESSION_ERROR]
https://next-auth.js.org/errors#jwt_session_error Invalid Compact JWE {
message: 'Invalid Compact JWE',
stack: 'JWEInvalid: Invalid Compact JWE\n' +
' at compactDecrypt (/Users/ce-dev/Documents/dev/temp/nextauth-without-adapter/node_modules/.pnpm/jose@4.11.1/node_modules/jose/dist/node/cjs/jwe/compact/decrypt.js:16:15)\n' +
' at jwtDecrypt (/Users/ce-dev/Documents/dev/temp/nextauth-without-adapter/node_modules/.pnpm/jose@4.11.1/node_modules/jose/dist/node/cjs/jwt/decrypt.js:8:61)\n' +
' at Object.decode (/Users/ce-dev/Documents/dev/temp/nextauth-without-adapter/node_modules/.pnpm/next-auth@4.18.0_pknogjuzx4bv7zxtatcb2ahtsq/node_modules/next-auth/jwt/index.js:64:34)\n' +
' at async Object.session (/Users/ce-dev/Documents/dev/temp/nextauth-without-adapter/node_modules/.pnpm/next-auth@4.18.0_pknogjuzx4bv7zxtatcb2ahtsq/node_modules/next-auth/core/routes/session.js:41:28)\n' +
' at async NextAuthHandler (/Users/ce-dev/Documents/dev/temp/nextauth-without-adapter/node_modules/.pnpm/next-auth@4.18.0_pknogjuzx4bv7zxtatcb2ahtsq/node_modules/next-auth/core/index.js:158:27)\n' +
' at async unstable_getServerSession (/Users/ce-dev/Documents/dev/temp/nextauth-without-adapter/node_modules/.pnpm/next-auth@4.18.0_pknogjuzx4bv7zxtatcb2ahtsq/node_modules/next-auth/next/index.js:120:19)\n' +
' at async getServerAuthSession (webpack-internal:///(api)/./src/server/common/get-server-auth-session.ts:17:12)\n' +
' at async Object.createContext (webpack-internal:///(api)/./src/server/trpc/context.ts:26:21)\n' +
' at async _createContext (file:///Users/ce-dev/Documents/dev/temp/nextauth-without-adapter/node_modules/.pnpm/@trpc+server@10.4.3/node_modules/@trpc/server/dist/nodeHTTPRequestHandler-5b0aff5a.mjs:40:16)\n' +
' at async resolveHTTPResponse (file:///Users/ce-dev/Documents/dev/temp/nextauth-without-adapter/node_modules/.pnpm/@trpc+server@10.4.3/node_modules/@trpc/server/dist/resolveHTTPResponse-face5d34.mjs:94:15)',
name: 'JWEInvalid'
}
To reproduce
Scaffold an app with next-auth but not prisma, set up the discord auth, start the app, and try to log in
Additional information
The reasons this is happening are mostly:
- You can’t put an ID object on the user if there is no database
- unstable_getServerSession doesn’t work without a database
- (not breaking but worth mentioning) next-auth throws loud errors to the console if it tries to decode a JWT (which it falls back on without an adapter) without the NEXTAUTH_SECRET environment variable set.
It is possible to get next-auth running without a database/adapter. The following diff shows the steps to get this working: https://github.com/c-ehrlich/nextauth-without-adapter/commit/27f9a3733472f738309d0cf10993ff829c092c59
We need to decide what the goal of an app with next-auth but without prisma should be, as we will require very different changes depending on what we want:
1. For the user to bring their own adapter
  - in this case we should at the very least warn the user that a stock app won’t work without an adapter
  - Then, either:
    - create clear documentation (maybe in the last stage of the CLI and the “First steps” docs page) on how to get things set up in case the user does not want to use an adapter.
    - we can tell the user that they’re on their own for this, but at least let them know that they will encounter this issue
2. To allow the app to work out of the box without an adapter/database
  - in this case we would require significant changes to that version of the template
  - maybe also a guide on how to add their own adapter, which if we make these changes would be more work than it is currently
I’m in favor of 1, and documenting the situation better. But open to discussion.
Issue Analytics
- Created 10 months ago
- Reactions:2
- Comments:10 (4 by maintainers)
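A diagnostic for the `Invalid Compact JWE` error in the trace above, as an added example that is not part of the original issue or of next-auth: jose raises that message when the string handed to `compactDecrypt` does not split into five dot-separated segments, so classifying the session cookie value shows whether it was ever an encrypted JWT. The function names and sample values are constructed for illustration.

```javascript
// Added diagnostic example; not code from next-auth, jose or create-t3-app.
// jose's compactDecrypt throws "Invalid Compact JWE" for any string that does
// not split into exactly five dot-separated segments.

// Decode the first segment, which in a compact JWE/JWS is base64url JSON.
function decodeHeader(segment) {
  try {
    const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
    const parsed = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
    return parsed && typeof parsed === "object" ? parsed : null;
  } catch {
    return null; // not base64url JSON
  }
}

// Classify a session cookie value by shape only; no key or secret is needed.
function classifySessionToken(value) {
  if (typeof value !== "string" || value.length === 0) {
    return { kind: "missing" };
  }
  const parts = value.split(".");
  if (parts.length === 5) {
    const header = decodeHeader(parts[0]);
    // A JWE protected header carries both "alg" and "enc".
    if (header && header.alg && header.enc) {
      return { kind: "compact-jwe", alg: header.alg, enc: header.enc };
    }
    return { kind: "malformed-jwe" }; // five segments, unreadable header
  }
  if (parts.length === 3) {
    return { kind: "compact-jws" }; // signed JWT, not an encrypted one
  }
  // e.g. the random identifier stored when sessions live in a database
  return { kind: "opaque" };
}

// Constructed samples, not real tokens: only the shape and header matter here.
const b64url = (s) =>
  Buffer.from(s).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_JWE = [
  b64url('{"alg":"dir","enc":"A256GCM"}'), "", "aXY", "Y2lwaGVydGV4dA", "dGFn",
].join(".");
const SAMPLE_OPAQUE = "3f1c2a9e-0000-4000-8000-constructed";

console.log(classifySessionToken(SAMPLE_JWE).kind, classifySessionToken(SAMPLE_OPAQUE).kind);
```

Any result other than `compact-jwe` means the value would be rejected by the five-segment check before NEXTAUTH_SECRET is ever used.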
I’m finding the same thing happening with prisma, using sqlite.
I have the same issue as @murdoch with a fresh T3 setup. I was able to get Discord auth working by pinning next-auth to 4.17; the experimental API warning still persists, though.