Next-Auth question about JWTs

This is my understanding of how JWTs and Session work in Next auth:

- I send a login form to the server.
- The authorize(credentials) function finds a user associated with those credentials and returns user data.
- That user data and accompanying data is given to the JWT() callback.
- The JWT() callback decides what to retain from this before the JWT is sent to my cookie jar.
- The things that were given to the JWT() callback, as well as the things the JWT() callback chose to retain, are given to the session() callback.
- The session() callback decides what to retain from the JWT and creates a session variable on the server.
- Next uses this session variable to decide what to render and give back to me.
- Now I am logged in and want to request a page that requires specific authorization.
- I send a request, my JWT is decoded on the server and that decoded information is given to the Session. Next renders certain things to me based on the contents of that session variable.

My question is: If the validity of the session variable is a function of the validity of the JWT that my client has, why not just render things based on the JWT contents and not worry about passing it off to a middleman like session before rendering? Or is there functionally zero difference between these two realities?
2 Replies
steakfisher (2y ago)
ONE reason is, as mentioned in the docs, security: the returned "token" object consists of heavily sensitive info that is immediately stored in the cookies as HttpOnly (meaning no client-side JavaScript can read it). But they realize some of the info returned may need to be accessed by the client, so they give you the opportunity to extract CERTAIN properties (like access_token) from the token object and store it within the session object. So session is a subset of the token object; it contains ONLY the properties the client needs to know, and the middleman is to ensure that the session isn't just given access to ALL the returned values.
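The flow described in the question and the filtering point made in the reply, as an added example that is not code from the original post or from NextAuth itself. It simulates the `jwt` and `session` callback chain in plain JavaScript without importing next-auth: the callback parameter shapes (`{ token, user }` and `{ session, token }`) follow NextAuth's documented callbacks, but `authorizedUser`, `runLoginFlow`, `runRequestFlow` and `leakySessionCallback` are constructed here for illustration. The `leakySessionCallback` variant shows what happens if the middleman is skipped and the whole token is handed to the client.

```javascript
// Added example (not NextAuth's own code): a stand-alone simulation of the
// jwt -> session callback chain. Callback parameter shapes mirror NextAuth's
// documented callbacks; the driver functions and sample data are constructed.

// Constructed sample: what a credentials authorize() might return on success.
// Contains material that must never reach client-side JavaScript.
const authorizedUser = {
  id: "u_123",
  email: "alice@example.com",
  role: "admin",
  refreshToken: "rt_constructed_sample", // constructed, not a real token
  passwordHash: "$argon2id$constructed", // constructed placeholder
};

// jwt callback: runs at sign-in (user present) and on every later request
// (user absent, token decoded from the HttpOnly cookie). Decides what is
// persisted server-side in the cookie payload.
function jwtCallback({ token, user }) {
  if (user) {
    token.sub = user.id;
    token.role = user.role;
    token.refreshToken = user.refreshToken; // kept, but only ever server-side
    // passwordHash is deliberately dropped: nothing downstream needs it.
  }
  return token;
}

// session callback: builds the object exposed to the client via
// getSession()/useSession(). Allowlist individual claims; never spread the
// whole token into the session.
function sessionCallback({ session, token }) {
  session.user = { ...session.user, id: token.sub, role: token.role };
  return session;
}

// Anti-pattern for contrast: hands every token property to the client,
// which is exactly what the session "middleman" exists to prevent.
function leakySessionCallback({ session, token }) {
  return { ...session, ...token };
}

// Sign-in: authorize() result -> jwt callback -> session callback.
function runLoginFlow(user) {
  const token = jwtCallback({ token: {}, user });
  const session = sessionCallback({
    session: { user: { email: user.email } },
    token,
  });
  return { token, session };
}

// Later request: no user object; the token comes from decoding the cookie.
// The session handed to the page is re-derived from the token each time.
function runRequestFlow(token) {
  const current = jwtCallback({ token: { ...token } });
  return sessionCallback({ session: { user: {} }, token: current });
}

// Stand-alone run for readers.
const { token, session } = runLoginFlow(authorizedUser);
console.log("token (server-only):", token);
console.log("session (client-visible):", session);
console.log("leaky session:", leakySessionCallback({ session: { user: {} }, token }));
```

The safe callback copies named claims out of the token; the leaky one copies everything, so `refreshToken` would become readable by any script on the page through `useSession()`. Note that the token's own lifetime is what bounds the session, as the question observes; the session callback adds no independent validity, only a narrower view.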
