#Understanding JWT and session callbacks in Auth.js

1 messages · Page 1 of 1 (latest)

candid apex
#

The JWT callback states that: Anything you return here will be saved in the JWT and forwarded to the session callback. There you can control what should be returned to the client.. But I don't really understand what the purpose of the JWT callback is. Is it just used to create a JWT and pass the JWT to the session callback? And what is the point of the JWT that is created when I can just access the id of the user in the session in the frontend and use that to fetch data from the backend?

The contents in the image is the token passed to the session callback.

// auth.ts in project root
export const { handlers, signIn, signOut, auth } = NextAuth({
  providers: [
    Credentials({
        credentials: {
            username: {},
            password: {}
        },
        authorize: async (credentials) => {
              return {
                  id: user._id.toString(),
                  username: user.username,
                  email: user.email,
              };
        }
    })
  ],
  callbacks: {
    jwt({ token, user }) {
      if (user) {
        token.id = user.id
      }
      return token
    },
    session({ session, token }) {
      session.user.id = token.id as string
      return session
    }
  }
})
image.png
thin cedarBOT
#
Post created!

🔎 This post has been indexed in our web forum and will be seen by search engines so other users can find it outside Discord

🕵️ Your user profile is private by default and won't be visible to users outside Discord, if you want to be visible in the web forum you can add the "Public Profile" role in id:customize

✅ You can mark a message as the answer for your post with Right click -> Apps -> Mark Solution
(if you don't see the option, try refreshing Discord with Ctrl + R)

random mulch
candid apex
# 
  callbacks: {
    jwt({ token, user }) {
      if (user) {
        token.id = user.id;
        token.username = user.username;
      }
      return token;
    },
    session({ session, token }) {
      session.user.id = token.id as string;
      session.user.username = token.username;
      return session;
    }
  }
random mulch
#

it's saved into the session, which is stored wherever the session is stored

#

usually a cookie

#

sometimes localstorage

#

the cookie gets sent to the server on every request

#

you can use that to avoid looking up the username from the DB every time you want to display it, even in SSR

#

common to include name, email, and permissions/roles in the session, basically anything you'd want to check during middleware to redirect people

#

downside of storing everything in the cookie is it has limited max size, and your backend doesn't control that info so if you remotely remove someone's role they will still be able to navigate as if they have it until their session cookie updates (for that reason you still do the DB lookup before performing any actions)

#

there's a medium ground where you store the session in a KV store like redis, so it's still fast to look up and unlimited size but then you have the power to revoke the session remotely

#

general jargon is

  • cookie session (all info in cookie)
  • redis backed session (id in cookie)
  • database backed sessions (id in cookie)
candid apex