Forem: Nick The latest articles on Forem by Nick (@nick). https://forem.com/nick https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F26691%2F044537c4-529b-4f76-bf62-8fc861aab088.jpg Forem: Nick https://forem.com/nick en Handling Session Updates for Authenticated Users With NextAuth and JWT Nick Sat, 04 Feb 2023 05:08:00 +0000 https://forem.com/nick/nextauth-jwt-how-to-update-the-session-after-login-2e68 https://forem.com/nick/nextauth-jwt-how-to-update-the-session-after-login-2e68 <p>NextAuth is hands down the best authentication solution for Nextjs.</p> <p>I've been using it for over a year now and one of the challenges I've faced is updating the session after a successful login.</p> <p>While it's straightforward enough to do when using the database-persisted approach, it's a different story with the JWT-persisted session flow.</p> <p>Here are two scenarios where it's necessary to update the session:</p> <ol> <li>Authenticated users update their personal and public info (e.g.: first name)</li> <li>Authenticated users have additional data that they pick up throughout their onboarding process (e.g.: selecting a company to manage on a dashboard)</li> </ol> <p>We can all agree that those are pretty common scenarios, right? So today, at work, I needed to handle the second scenario while using the JWT-persisted session and since I've kinda figured it out, I thought I'd document it.</p> <p>The first solution that came to mind, as many have also suggested, was to use a global state management library, such as Redux, or Zustand, to create a client-side-only session.</p> <p>The issue with this approach is that it would need to be persisted locally (local storage, session storage...) and because of the server-side nature of Nextjs, I would need to check for its existence on each page (this one could most likely be easily handled using the new Nextjs 13 features, which I'm not able to use in this particular app).</p> <p>Then I stumbled upon <a href="https://stackoverflow.com/a/73830201" rel="noopener noreferrer">this solution</a>, which got me going. It involved setting up a wrapper around the NextAuth route handler and exploiting the Next API Request object.</p> <p>I liked it, but I figured I could improve on it:</p> <h2> Setup and Context </h2> <p>No matter which provider you're using (credentials, email, oAuth...), you should be able to follow along. Just make sure your setup currently works perfectly and successfully authenticates users.</p> <p>And since this tutorial is around the JWT-persisted session, you should have the <code>jwt</code> and <code>session</code> callbacks ready.</p> <p>Here's what my <code>jwt</code> callback originally looked like (no worries if yours is slightly different, I have my own needs):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="nf">jwt</span><span class="p">({</span> <span class="nx">token</span><span class="p">,</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">account</span><span class="p">,</span> <span class="p">})</span> <span class="p">{</span> <span class="c1">// This will only be true on the first login</span> <span class="k">if </span><span class="p">(</span><span class="nx">account</span> <span class="o">&amp;&amp;</span> <span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="p">...</span><span class="nx">token</span><span class="p">,</span> <span class="na">user</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">user</span><span class="p">,</span> <span class="c1">// make sure you don't store passwords in there</span> <span class="nx">account</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">token</span> <span class="p">},</span> </code></pre> </div> <p>And here's how my <code>session</code> callback originally started:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="nf">session</span><span class="p">({</span> <span class="nx">session</span><span class="p">,</span> <span class="nx">token</span><span class="p">,</span> <span class="p">})</span> <span class="p">{</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">token</span><span class="p">.</span><span class="nx">user</span> <span class="k">return</span> <span class="nx">session</span> <span class="p">},</span> </code></pre> </div> <h2> Custom Route Handler </h2> <p>I started by creating the wrapper in <code>/pages/api/auth/[...nextauth].ts</code> (I'm using TypeScript, so mind the types if you're using JS):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NextApiRequest</span><span class="p">,</span> <span class="nx">NextApiResponse</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next</span><span class="dl">"</span> <span class="kd">const</span> <span class="nx">handler</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextApiRequest</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">NextApiResponse</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nc">NextAuth</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nf">createOptions</span><span class="p">(</span><span class="nx">req</span><span class="p">))</span> <span class="p">}</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">handler</span> </code></pre> </div> <p>The only unknown here is the <code>createOptions</code> function, which is pretty much a function that returns the NextAuth options. Here's what it looks like without the <code>providers</code> property:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">AuthOptions</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next-auth</span><span class="dl">"</span> <span class="kd">const</span> <span class="nx">createOptions</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextApiRequest</span><span class="p">):</span> <span class="nx">AuthOptions</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="c1">// ... other options, such as providers, debug, etc..</span> <span class="na">callbacks</span><span class="p">:</span> <span class="p">{</span> <span class="k">async</span> <span class="nf">jwt</span><span class="p">({</span> <span class="nx">token</span><span class="p">,</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">account</span><span class="p">,</span> <span class="p">})</span> <span class="p">{</span> <span class="c1">// This will only be true on the first login</span> <span class="k">if </span><span class="p">(</span><span class="nx">account</span> <span class="o">&amp;&amp;</span> <span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="p">...</span><span class="nx">token</span><span class="p">,</span> <span class="na">user</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">user</span><span class="p">,</span> <span class="nx">account</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">token</span> <span class="p">},</span> <span class="k">async</span> <span class="nf">session</span><span class="p">({</span> <span class="nx">session</span><span class="p">,</span> <span class="nx">token</span><span class="p">,</span> <span class="p">})</span> <span class="p">{</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">token</span><span class="p">.</span><span class="nx">user</span> <span class="k">return</span> <span class="nx">session</span> <span class="p">},</span> <span class="p">},</span> <span class="p">})</span> </code></pre> </div> <h2> Exploiting the Next API Request Object </h2> <p>With this in place, we now have access to the <code>req</code> object so we can potentially pass in some (public and non sensitive) data to the <code>jwt</code> callback and ultimately the <code>session</code> callback. To do so, once it's time to update the session, all we have to do is send a <code>GET</code> request to the <code>/api/auth/session</code> endpoint that contains our data as query params:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Suppose this is being called right after the user selects the company they wish to manage</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/api/auth/session?companyId=</span><span class="p">${</span><span class="nx">company</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="c1">// Then you can potentially navigate away</span> </code></pre> </div> <blockquote> <p>Tip: If you try to read the response data from this request upon a successful call, it will return the updated token as well. Do what you want with this info.</p> </blockquote> <p>Now to handle this request from your callbacks, it will first go through the <code>jwt</code> one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="nf">jwt</span><span class="p">({</span> <span class="nx">token</span><span class="p">,</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">account</span><span class="p">,</span> <span class="p">})</span> <span class="p">{</span> <span class="c1">// If the specific query param(s) exist(s), we know it's</span> <span class="c1">// an update. So we add it to the token</span> <span class="c1">// This is the best place to make an API request so you</span> <span class="c1">// can complete the data</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">?.</span><span class="nx">companyId</span><span class="p">)</span> <span class="p">{</span> <span class="nx">token</span><span class="p">.</span><span class="nx">selectedCompanyId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">companyId</span> <span class="k">as</span> <span class="kr">string</span> <span class="p">}</span> <span class="c1">// This will only be true on the first login</span> <span class="k">if </span><span class="p">(</span><span class="nx">account</span> <span class="o">&amp;&amp;</span> <span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="p">...</span><span class="nx">token</span><span class="p">,</span> <span class="na">user</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">user</span><span class="p">,</span> <span class="nx">account</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">token</span> <span class="p">},</span> </code></pre> </div> <p>Now the token will contain our additional data, which will be relayed to the <code>session</code> callback where we can make use of it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="nf">session</span><span class="p">({</span> <span class="nx">session</span><span class="p">,</span> <span class="nx">token</span><span class="p">,</span> <span class="p">})</span> <span class="p">{</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">token</span><span class="p">.</span><span class="nx">user</span> <span class="nx">session</span><span class="p">.</span><span class="nx">selectedCompanyId</span> <span class="o">=</span> <span class="nx">token</span><span class="p">.</span><span class="nx">selectedCompanyId</span> <span class="c1">// you could also add it to the `token.user` object from the `jwt` callback</span> <span class="k">return</span> <span class="nx">session</span> <span class="p">},</span> </code></pre> </div> <p>And that's it! The client will receive an updated session whenever you call <code>getSession</code> (server-side) moving forward. </p> <p>When it comes to <code>useSession</code> (client-side), it will be updated on the next page refresh, so make sure you mostly use the session coming from <code>getServerSideProps</code>.</p> <blockquote> <p>Note: Unfortunately, the NextAuth route handler doesn't support <code>POST</code> request methods, so you will not be able to pass in complex data through a payload object. But since the callbacks are async, you can always complete the data by making an API call within them.</p> </blockquote> <h2> Conclusion </h2> <p>This did require a bit of work, so hopefully I've explained it succinctly enough for you to remember the steps and why it's done this way.</p> <p>I'm almost certain the NextAuth maintainers are working on improving the DX around this, so please, make sure you keep an eye on their docs before going this route.</p> <p>Also, I cannot stress this enough: NEVER store sensitive data in the token, nor the session.</p> <p>Additionally, if you're using TypeScript as well, you may want to follow this <a href="https://next-auth.js.org/getting-started/typescript#module-augmentation" rel="noopener noreferrer">Module Augmentation</a> guide to update the <code>Session</code> and <code>JWT</code> types accordingly.</p> devto blockchain crypto web3