Confused about what's needed for JWT encryption to work w/o warnings

[mAAdhaTTah]

I'm looking at a few things: https://next-auth.js.org/configuration/options#jwt which has this info about secret, signingKey, encryptionKey and decryptionKey. The decryptionKey, according to the docs, will be the same as the encryptionKey unless specified.

However, I started getting JWT_AUTO_GENERATED_SIGNING_KEY & JWT_AUTO_GENERATED_ENCRYPTION_KEY warnings as I started setting things up, so I found this: https://github.com/nextauthjs/next-auth/blob/76df2b5e702be2084674c81e098d989c2ec39ed9/www/docs/warnings.md which suggests setting the signingKey & verificationKey. The verificationKey is not in the docs nor in the TypeScript types, so I'm not 100% sure it exists. Additionally, the section in warnings for JWT_AUTO_GENERATED_ENCRYPTION_KEY is empty, which initially took to mean it would be solved the same way as the JWT_AUTO_GENERATED_SIGNING_KEY but that does not seem to be the case.

So questions:

1. Is verificationKey even a thing and do I need it to configure encrypted JWTs?
2. What's the minimum configuration I need to include in order to get this working w/o the console warnings and the potential invalidation it's warning me about?
3. What's the purpose of having distinct encryption vs decryption keys?

I'm happy to update the docs to match all of this since I'm working on it currently but need some guidance as to what's correct to do so.

[michaelcmelton]

@mAAdhaTTah If you're using TypeScript exclusively, I found some of the same errors when I was trying to setup provider clientIds and Secrets. The following helped me, let me know if it helps!

• Install the @types/node package.
• Inside the root of your project, set up a environment.d.ts file.
• In the environment.d.ts declare your .env files like the following:

namespace NodeJS {
  interface ProcessEnv {
    //Keys and Types go here.
   // ex. JWT_AUTO_GENERATED_SIGNING_KEY:  string;
  }
}

If I'm off on my answer here, I apologize!

[mAAdhaTTah]

@michaelcmelton I appreciate the suggestion, but the problem isn't TypeScript. It's a JS project and I'm trying to get it configured but seeing a mismatch between the various pieces of documentation I'm reading (which happens to include the TS types as one thing I was looking at).

[balazsorban44]

TS types have been written by the community until now, we are in the process of moving types into the core. hopefully they will catch up with the actual code soon. About the docs, I acknowledge that it can be improved. We have gaps and mismatch with implementation. Trying our best, but PRs are always welcome! 🙏 ♥

one idea is to somehow generate parts of the docs from TS, so we would have a single source of truth

[mAAdhaTTah]

@balazsorban44 Yeah I'm happy to update the docs but I legit don't know what I need to do to make this work. How do I need to configure this?

[Xoffio]

Hi @mAAdhaTTah ,
I'm not an expert either but I also had similar questions and after a day of research this is what I got:

1. Is verificationKey even a thing and do I need it to configure encrypted JWTs?
   It was a thing at least until Jul 26 2020 but I don't know about now. In any case I guess we can look into the code. Also, it is optional so you don't need to set it up to get the thing running without warnings. Here @iaincollins explains how to set it up.

Update jun 11 2020
It is being used in the function decode to sign the key. By default is the same as signingKey. So by setting up signingKey you also set this one up.

2. What's the minimum configuration I need to include in order to get this working w/o the console warnings and the potential invalidation it's warning me about?

• Install node-jose-tools

$ npm install -g node-jose-tools

• Create a new env variable in the file .env.local and call it JWT_SIGNING_PRIVATE_KEY
  and set it to the output of:

$ jose newkey -s 256 -t oct -a HS512

It should look something like this:

JWT_SIGNING_PRIVATE_KEY={"kty":"oct","kid":"aqkORXYmG1ECfvHPaHZWh412eckeRkmu2feXdg2AA7g","alg":"HS512","k":"vSwBa0dACLbK45ZgFXa3QEEqDiSYLNRMsswAvzsVJKs"}

• Then add the option jwt to the file /api/auth/[...nextauth].js, to look like this:

jwt: {
    secret: 'INp8IvdIyeMcoGAgFGoA61DdBglwwSqnXJZkgz8PSnw',
    signingKey: process.env.JWT_SIGNING_PRIVATE_KEY,
}

Note: The secret value is a random string with 43 characters

3. What's the purpose of having distinct encryption vs decryption keys?
   And... that's why I'm here... I don't know but if you ever know please share it so others can learn.