Update the session exclusively from the server

[musjj]

Goals

Update the session data from the server, while preventing the client from doing the same.

Non-Goals

No response

Background

Server-side session updates are currently possible using a combination of jwt callbacks:

next-auth/apps/dev/nextjs/auth.config.ts

Lines 48 to 51 in 5c49f95

	jwt({ token, trigger, session }) {
	if (trigger === "update") token.name = session.user.name
	return token
	},

And unstable_update:

next-auth/apps/dev/nextjs/app/page.tsx

Line 1 in 5c49f95

import { auth, unstable_update as update } from "auth"

next-auth/apps/dev/nextjs/app/page.tsx

Lines 22 to 29 in 5c49f95

	<form
	action={async () => {
	"use server"
	await update({ user: { name: "Server Fill Murray" } })
	// revalidatePath("/")
	redirect("/")
	}}
	>

It works, but it really doesn't feel right. With the current setup, the client can inject any data they want to the current session token, due to the jwt callback. But this setup will not work without the having that callback.

Proposal

Have a server-exclusive method for updating the session data.

The jwt callback method above should be optional for users who really want to have a client-side method for updating the session.

I'm hoping that the current state is temporary (they are marked as unstable_* after all) and that they will be improved in the future.

[corned-beefhash]

when i try this in nextjs, i get errors about how "Cookies can only be modified in a Server Action" even though it is in a server action.
also, how can a client inject data into the session?

[musjj]

Use the update function returned by useSession().

[corned-beefhash]

Ahh, I do not use useSession anywhere at the moment. Hopefully they make them distinct, but in mean time perhaps you can use a key of some kind in your unstable_update, and then in your jwt, return token early if key is wrong or missing? No idea, I am pretty new to all of this.