NextJS + ExpressJS + Credentials: Verifying session in the backend?

[musjj]

I have a setup where there's a Next.js frontend communicating with a REST database backend API written in Express.js, with a credential provider as the authentication. It's a really odd setup, but this is the constraint that I have to live with.

So on the Next.js side I have something like this:

export const { handlers, signIn, signOut, auth } = NextAuth({
  providers: [
    Credentials({
      credentials: {
        username: {},
        password: {},
      },
      authorize: async (credentials) => {
        try {
          const { username, password } = await z
            .object({ username: z.string().min(5), password: z.string().min(8) })
            .parseAsync(credentials);

          return await api.user.signin.mutate({ username, password }); // Call the Express.js backend
        } catch (error) {
          return null;
        }
      },
    }),
  ],
});

It seems to work. But now I want the Express.js backend to verify if the user have logged in, for specific routes. Is there a way to verify the session token from the Express.js side?

[hillac]

I'm a bit late, but if you still haven't solved this you could potentially use @auth/express and a simplified config with no providers to just check the session:

  const session = await getSession(req, {
    adapter: {adapter if you're using database strategy},
    providers: [],
    session: {
      strategy: 'database',
      maxAge: 30 * 24 * 60 * 60,
      updateAge: 24 * 60 * 60,
    },
  });

Assuming AUTH_SECRET is in your env variables. Just throw that in a handler to check for the session. Pretty much the same as managing session in the docs.

Make sure your session cookie is being sent to the express server for this to work. I'm assuming you mean verify the session for calls from the client, not the next backend?