JWT cookieName option does not work

[tyrw]

Description 🐜

The cookieName option for the jwt section as described in the docs does not appear to work. The docs state:

It also supports the following options:

• secureCookie - (boolean) Use secure prefixed cookie name
  By default, the helper function will attempt to determine if it should use the secure prefixed cookie (e.g. true in production and false in development, unless NEXTAUTH_URL contains an HTTPS URL).
• cookieName - (string) Session token cookie name
  The secureCookie option is ignored if cookieName is explicitly specified.

How to reproduce ☕️

Clone the example repo

git clone https://github.com/nextauthjs/next-auth-example.git
cd next-auth-example
npm i

Add the cookieName option:

// In /pages/api/auth/[...nextauth].js

{
  jwt: {
    cookieName: "custom-name"
  }
}

This is not used by the application. It still uses next-auth.session-token.

In the source code for jwt.js, it does not appear to respect the setting:

next-auth/src/lib/jwt.js

Lines 115 to 117 in 543f812

	cookieName = secureCookie
	? "__Secure-next-auth.session-token"
	: "next-auth.session-token",

Screenshots / Logs 📽

Chrome tools shows that the cookie name remains next-auth.session-token.

Contributing 🙌🏽

Potentially interested in contributing, assuming I have understood the jwt.js file correctly.

[balazsorban44]

Did some digging, and it looks like this is the reminiscent of version 2.x 4167859#diff-2c2a1625654e55c4a251b587dc0196c4aba9c610825e56ce2b861762888c7155R29

In that case, the docs (And typescript

next-auth/types/jwt.d.ts

Line 49 in 0eb4159

cookieName?: string

) should be updated

[tyrw]

should be updated

Are you looking for an update to remove the option from the docs, or to re-implement the feature? I'm not clear on why it was removed in the first place.

[balazsorban44]

Update the docs. To be honest, I don't know either, @iaincollins did it a long time ago, I wasn't around then yet, sorry.

I think this is the particular diff that changed it:
8692102#diff-2c2a1625654e55c4a251b587dc0196c4aba9c610825e56ce2b861762888c7155L28-L30

[balazsorban44]

Wait, sorry!

next-auth/src/lib/jwt.js

Lines 107 to 124 in 0eb4159

	const {
	req,
	// Use secure prefix for cookie name, unless URL is NEXTAUTH_URL is http://
	// or not set (e.g. development or test instance) case use unprefixed name
	secureCookie = !(
	!process.env.NEXTAUTH_URL ||
	process.env.NEXTAUTH_URL.startsWith("http://")
	),
	cookieName = secureCookie
	? "__Secure-next-auth.session-token"
	: "next-auth.session-token",
	raw = false,
	decode: _decode = decode,
	} = params
	if (!req) throw new Error("Must pass `req` to JWT getToken()")
	// Try to get token from cookie
	let token = req.cookies[cookieName]

The current code only implements a default, but if you provide a cookieName, it SHOULD be used after all 🤦

[balazsorban44]

using getToken({cookieName: "some-name"}) do seem to work for me! Do you have a reproduction?

This
seem to be in the incorrect place.

Check the docs again: https://next-auth.js.org/configuration/options#jwt-helper

It is a parameter for the getToken() method.

You may also have to change it here: https://next-auth.js.org/configuration/options#cookies

Do note that this can introduce security issues. Can you maybe explain why do you need to change the name of this cookie?

[tyrw]

Here is a reproduction of it not working:

https://replit.com/@userfront/next-auth-example#pages/api/auth/[...nextauth].js

You can see when you log in (only Google is enabled) that the cookie is set to the default name.

[balazsorban44]

Please read my above comment carefully again. 😊 You set the cookieName in the wrong place.

[tyrw]

Thanks, I was just about to comment! It does work, though I would consider it to be a bug in the API, so to speak, that cookieName does not set the cookie name. Thanks for your help!

[balazsorban44]

Again, please read carefully! You have to set it in a different place. What you implemented is not documented anywhere in our documentation pages nor does it appear in our codebase.

The cookieName is something you pass to the getToken function, and/or the cookies advanced option. I linked it above.

[tyrw]

Yes I found it, thank you. My comment was simply that setting the cookie name using sessionToken instead of cookieName is confusing to a newcomer.