Is it safe to save user role in JWT token with NextAuth?
Hello,
When using the JWT strategy, NextAuth puts the user role automatically in the token. Is this safe to do? If I google it, its a bit of a yes-no answer.
If I look at Cal.com, they even put more information in it. I want to use the role only to check if authenticated user is allowed to visit a specific page. Of course, everytime a user does an action, it will be checked if the user is allowed via a middleware.
16 Replies
as long as your jwt is signed it's safe to store the role there, since it's not a security risk for the client to know what their own role is
Ah okay, thanks
Unknown User•2y ago
Message Not Public
Sign In & Join Server To View
according to OpenAI (ai generated answer)
It is generally safe to include the user's role in a JWT token with NextAuth, as long as the token is properly signed and encrypted to prevent tampering or unauthorized access. JWT tokens are designed to be self-contained and secure, and NextAuth takes steps to ensure that the tokens it generates are safe and secure. When using the JWT strategy, NextAuth automatically signs the token using a secret key, which ensures that the token can only be verified by someone who has access to the same key. This prevents attackers from tampering with the token or forging their own tokens. In addition, NextAuth allows you to encrypt the JWT token using a public/private key pair, which provides an additional layer of security. This ensures that even if an attacker were able to obtain a valid JWT token, they would not be able to read or modify the contents of the token without access to the private key. In general, it is safe to include the user's role in the JWT token as long as you are using a secure signing and encryption scheme, and you are careful to verify the token on the server side before granting access to protected resources. This will ensure that only authenticated users with the appropriate role can access the resources they are allowed to access.
Unknown User•2y ago
Message Not Public
Sign In & Join Server To View
then you wouldnt be able to use that on the frontend
and there's no reason to do that, because then on the backend you still need to check the session and ideally that'd be part of the session data
Unknown User•2y ago
Message Not Public
Sign In & Join Server To View
define "safe"
Unknown User•2y ago
Message Not Public
Sign In & Join Server To View
that does not narrow it down at all
Unknown User•2y ago
Message Not Public
Sign In & Join Server To View
if it's an HTTP only cookie, you couldnt access it with javascript (but you can in the dev tools), so there'd be no point in doing it
if you blindly trust a cookie saying they're an admin, no
use a session cookie
yeah, credential provider
I took it via another approach
In the session callback, I am assigning the role via prisma and not via the token
If I check if the user role is in the token, it is not
This way, everytime the user reloads the page, it updates the role if it is changed which is good
Unknown User•2y ago
Message Not Public
Sign In & Join Server To View
Every time you visit the site, for example hard refresh, new tab etc
not when you go to other pages via the router which does not hard refresh