NextJS 16, Next-Auth 5, Authentication, Authorization

[Fred638]

Body

In a NextJS project I am trying to implement security, but have some issues. Using NextJS 16.1.6, TypeScript 5, and Next Auth 5, beta 30. The form, pages, and auth configuration are all in place, but the auth.ts is complaining about:
Type {} is missing the following properties from type 'App_User': id, name, email, password. in the async function getUser(email: string): Promise<App_User | undefined>... on the line -> return user[0];

I have added type App_User = { id: string; name: string; email: string; password: string; } in the auth.ts file, but the message is still there.

Console output: CallbackRouteError: ... Error: Illegal arguments: string, undefined

What could be the reason? Thanks!

Guidelines

• I have read and understood this category's guidelines before making this post.

[tmilost]

User object may be empty, and you get an error for the first thing, that is id == string

In your getUser(email): Promise<App_User | undefined> function, TypeScript is telling you that the value you’re returning (user[0]) is inferred as {} (or otherwise not strongly typed), so it can’t be treated as an App_User (which requires id, name, email, password).

Separately, the runtime error:

CallbackRouteError: ... Error: Illegal arguments: string, undefined

almost always means you’re passing undefined into something that expects (string, string)—commonly bcrypt.compare(password, user.password) where user is undefined (user not found) or credentials.password is undefined.

[tmilost]

It is always tricky to debug Auth, try with a hardcoded user, try to figure out which part is failing

[Fred638]

Agree. I'll try, thanks!

[Farhxn-15]

Yeah, this usually happens when NextAuth’s expected User type does not match what your adapter or credentials provider is actually returning.

Adding the App_User type alone does not fix it unless NextAuth knows to use that shape.

The error:

Type {} is missing properties from type App_User
and
CallbackRouteError: illegal arguments: string, undefined

often means getUser() is returning undefined or an object that does not match the expected structure.

A few things to check:

First, make sure your authorize or getUser function always returns a full user object:

return {
id: user.id,
name: user.name,
email: user.email
}

If it returns null or undefined, NextAuth throws the callback error.

Second, NextAuth expects its own User type. Instead of creating a separate type, extend the NextAuth types via module augmentation:

declare module "next-auth" {
interface User {
id: string
name: string
email: string
}
}

This ensures the types align across the auth flow.

Third, if you are using CredentialsProvider, ensure you are not returning password. Only return fields required by NextAuth.

Fourth, check your JWT and session callbacks. Returning undefined fields there can trigger the same error.

Also note that NextAuth v5 beta is strict with types, so even a missing property or undefined value can cause this error.

If you log the value returned from authorize or getUser, you will likely see undefined or a missing field causing the mismatch.