
fix(apple): guard against unexpected user shape in profile callback #13417

Open
Nadav0077 wants to merge 1 commit into nextauthjs:main from Nadav0077:fix/apple-profile-user-shape

@Nadav0077

☕️ Reasoning

The Apple provider's profile callback in packages/core/src/providers/apple.ts assumes that whenever profile.user is truthy, it has the shape { name: { firstName, lastName } }.

That object comes from JSON.parse(params.user) in packages/core/src/lib/actions/callback/oauth/callback.ts, which performs no shape validation. Any JSON-valid value (a string, a number, null, or a partial object) ends up assigned to profile.user. When it is truthy but not the expected shape, profile.user.name.firstName throws a TypeError.

The error is swallowed upstream in getUserAndAccount's catch block, so the user just sees a silent sign-in failure with no useful diagnostic.

This change adds defensive optional chaining so the callback falls back to profile.email instead of throwing when the user payload is malformed or partial. No behavior change for the happy path.

🧢 Checklist

  • Documentation
  • Tests
  • Ready to be merged

🎫 Affected issues

None.

📌 Resources

@Nadav0077 Nadav0077 requested a review from ThangHuuVu as a code owner April 17, 2026 21:34
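
The failure mode described in the pull request above, as an added example that is not the project's code or the PR's diff: it runs an unguarded name derivation and a guarded one over several JSON-valid `user` values. The function names, the sample payloads, and the exact form of both derivations are assumptions modeled on the description; the guarded variant goes slightly beyond optional chaining by also requiring the name parts to be non-empty strings.

```javascript
// Constructed sample values for the `user` form field; none come from the PR.
const SAMPLES = {
  expected: '{"name":{"firstName":"Ada","lastName":"Lovelace"}}',
  partial: '{"name":{"firstName":"Ada"}}',
  noName: '{"email":"ada@example.com"}',
  nullName: '{"name":null}',
  string: '"ada"',
  number: '42',
  jsonNull: 'null',
};

// Builds a profile the way the PR describes: JSON.parse with no shape check.
function buildProfile(rawUser) {
  return { sub: "constructed-sub", email: "ada@example.com", user: JSON.parse(rawUser) };
}

// Assumed pre-fix logic: any truthy `user` is trusted to have name.firstName/lastName.
function nameUnguarded(profile) {
  return profile.user
    ? `${profile.user.name.firstName} ${profile.user.name.lastName}`
    : profile.email;
}

// Guarded variant (assumption): optional chaining, keep only non-empty strings,
// otherwise fall back to the email claim.
function nameGuarded(profile) {
  const n = profile.user?.name;
  const parts = [n?.firstName, n?.lastName].filter(
    (p) => typeof p === "string" && p.length > 0
  );
  return parts.length > 0 ? parts.join(" ") : profile.email;
}

// Runs one derivation and reports either the derived name or the error type.
function outcome(fn, rawUser) {
  try {
    return fn(buildProfile(rawUser));
  } catch (err) {
    return `throws ${err.constructor.name}`;
  }
}

for (const [label, raw] of Object.entries(SAMPLES)) {
  console.log(label.padEnd(9), "|", outcome(nameUnguarded, raw), "|", outcome(nameGuarded, raw));
}
```
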
@vercel

vercel Bot commented Apr 17, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| auth-docs | Ready | Preview, Comment | Apr 17, 2026 9:38pm |

1 Skipped Deployment

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| next-auth-docs | Ignored | Preview | Apr 17, 2026 9:38pm |


@vercel

vercel Bot commented Apr 17, 2026

@Nadav0077 is attempting to deploy a commit to the authjs Team on Vercel.

A member of the Team first needs to authorize it.


Labels

core Refers to `@auth/core` providers
