
Session Callback should return the updated session if possible


Description 📓

Hello everyone!

We use Next-auth in our company, with a custom adapter for FaunaDB. I already posted a discussion but got no answers.

I checked the issue again and found that the returned session was always the old one and not the updated one, as you can see here.

  • We have an accessToken which is valid for the current session.
  • When the session needs to be updated, the token is recreated (the old one is removed automatically from Fauna because of its ttl).

So why not return the updated session instead? It could help with token rotation.

Thank you!

How to reproduce ☕️

callbacks: {
  async session(session, user) {
    return session; // currently, this is always the non-updated session
    // so session.accessToken is sometimes invalid (expired ttl);
    // the session does get updated (with a new active accessToken), but the update is not available here :(
  },
}
// Updated code in /src/server/routes/session.js:L82
const session = await getSession(sessionToken)
if (session) {
    // await updateSession(session) OLD
    const updatedSession = await updateSession(session) // NEW

    const user = await getUser(session.userId)

    // By default, only exposes a limited subset of information to the client
    // as needed for presentation purposes (e.g. "you are logged in as…").
    const defaultSessionPayload = {
        user: {
            name: user.name,
            email: user.email,
            image: user.image,
        },
        // accessToken: session.accessToken, OLD
        // expires: session.expires, OLD
        accessToken: updatedSession.accessToken, // NEW: updated accessToken (for rotation)
        expires: updatedSession.expires, // NEW: updated expires
    }

    // Pass Session through to the session callback
    const sessionPayload = await callbacks.session(
        defaultSessionPayload,
        user
    )

    // Return session payload as response
    response = sessionPayload

    // Set cookie again to update expiry
    cookie.set(res, cookies.sessionToken.name, sessionToken, {
        // expires: session.expires, OLD
        expires: updatedSession.expires, // NEW: cookie expiry must follow the updated session, not the stale record
        ...cookies.sessionToken.options,
    })

    await dispatchEvent(events.session, { session: sessionPayload })
}

Contributing 🙌🏽

Yes, I am willing to help implement this feature in a PR
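The stale-versus-updated session behaviour described in the issue, as an added example that is not code from next-auth or from the issue author. The in-memory adapter, the ttl, the token names and the clock are constructed; `useUpdated=false` reproduces the current (OLD) route, `useUpdated=true` the proposed (NEW) one.

```javascript
const TTL_MS = 60_000; // constructed session ttl

function makeAdapter(clock) {
  const sessions = new Map(); // constructed store keyed by sessionToken
  let counter = 0;
  return {
    createSession(sessionToken, userId) {
      const s = { sessionToken, userId, accessToken: `at-${++counter}`, expires: clock.now + TTL_MS };
      sessions.set(sessionToken, s);
      return s;
    },
    getSession: (sessionToken) => sessions.get(sessionToken) ?? null,
    // Rotation: returns a new record and does not mutate the caller's copy,
    // which is why the OLD route code hands the callback a stale session.
    updateSession(session) {
      const updated = { ...session, accessToken: `at-${++counter}`, expires: clock.now + TTL_MS };
      sessions.set(session.sessionToken, updated);
      return updated;
    },
  };
}

// Model of the /session route; `useUpdated` selects OLD vs NEW payload source.
// The real route awaits the session callback; it is kept synchronous here.
function sessionRoute(adapter, sessionToken, callbacks, useUpdated) {
  const session = adapter.getSession(sessionToken);
  if (!session) return null;
  const updatedSession = adapter.updateSession(session);
  const source = useUpdated ? updatedSession : session;
  const defaultSessionPayload = { accessToken: source.accessToken, expires: source.expires };
  return callbacks.session(defaultSessionPayload);
}

// The check a client should make on what the callback returned: still live?
function isFresh(payload, nowMs) {
  return payload.expires > nowMs;
}

function demo() {
  const clock = { now: 0 }; // controllable clock, ms since an arbitrary epoch
  const adapter = makeAdapter(clock);
  adapter.createSession('sess-old', 'user-1');
  adapter.createSession('sess-new', 'user-1');
  clock.now = TTL_MS + 1; // both original accessTokens are now past their ttl
  const callbacks = { session: (s) => s }; // the issue's pass-through callback
  const stale = sessionRoute(adapter, 'sess-old', callbacks, false);
  const fresh = sessionRoute(adapter, 'sess-new', callbacks, true);
  return { stale, fresh, staleOk: isFresh(stale, clock.now), freshOk: isFresh(fresh, clock.now) };
}
```

With the OLD source the callback hands the client an accessToken whose ttl has already elapsed even though the store already holds a rotated one; with the NEW source the payload and the store agree.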

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:6 (3 by maintainers)

Top GitHub Comments

2 reactions
matha-io commented, Aug 20, 2021

Wow, magnificent! Thanks, eager to see it live! Any ETA for the V4? Is there a way to follow it?

EDIT: Oops, it's here: https://github.com/nextauthjs/next-auth/tree/next

0 reactions
balazsorban44 commented, Aug 19, 2021

Tokens are usually unique per provider, so it only makes sense to store them on accounts.

I believe OAuth providers are already required to return an access_token, but not all of them support token rotation (meaning you don’t even receive a refresh_token from them).

The next version will make it possible to override certain adapter methods though, so you will still be able to create your own adapter, based on the official ones. The official Fauna Adapter is already rewritten for the new API, see it here for inspiration:

https://github.com/nextauthjs/adapters/blob/5c915823c43867dd54adf3977c26968baa5ec11f/packages/fauna/src/index.ts
