Using Next Auth JWT's with a custom node api

[aaryamvn]

I have a next js client that uses next auth, and a custom decoupled node REST API. I am not using the built-in next API. I am only using two next-auth providers, Google and Twitter, and have no custom email sign-in. I need a way to authenticate routes on my backend using a jwt.

This is how my next auth file looks right now:

import NextAuth from "next-auth";
import Providers from "next-auth/providers";

export default NextAuth({
  providers: [
    Providers.Google({
      clientId: process.env.GOOGLE_CLIENT_ID,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
      authorizationUrl:
        "https://accounts.google.com/o/oauth2/v2/auth?prompt=consent&access_type=offline&response_type=code",
    }),
    Providers.Twitter({
      clientId: process.env.TWITTER_CLIENT_ID,
      clientSecret: process.env.TWITTER_CLIENT_SECRET,
    }),
  ],
  callbacks: {
    async signIn(user, account, profile) {
      if (account.provider === "google" || account.provider === "twitter") {
        return true;
      } else {
        return "/signin-error";
      }
    },
    async jwt(token, user, account, profile, isNewUser) {
      return token;
    },
  },
});

Maybe in a particular callback, I should retrieve a token from my API? Could someone tell me what to write on my backend that can give me back this jwt and I can use it with every subsequent request. Another thing I considered is generating the jwt from a callback in my next auth file directly and not making requests to my API for a token. Could someone tell me whats the right approach here?

[roderik]

if you set a manual jwt signing key, you can use jose in e.g. passport to verify the jwt from Nextauth

e.g. in Nest

import { JwtPayload, User } from '@bpaas/user-entity';
import { Injectable, UnauthorizedException } from '@nestjs/common';
import { PassportStrategy } from '@nestjs/passport';
import jose from 'jose';
import { ExtractJwt, Strategy } from 'passport-jwt';
import { AuthService } from '../auth.service';
import { StrictConfigService } from '../../../strict-config/src/strict-config.service';

@Injectable()
export class JwtStrategy extends PassportStrategy(Strategy) {
  constructor(private readonly authService: AuthService, configService: StrictConfigService) {
    super({
      jwtFromRequest: ExtractJwt.fromExtractors([cookieExtractor, ExtractJwt.fromAuthHeaderAsBearerToken()]),
      ignoreExpiration: false,
      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
      secretOrKey: Buffer.from(jose.JWK.asKey(JSON.parse(configService.get<string>('signingKey'))).k!, 'base64'),
    });
  }

  async validate(payload: JwtPayload): Promise<User> {
    const user = await this.authService.validateUser(payload);
    if (!user) {
      throw new UnauthorizedException();
    }
    return user;
  }
}

const cookieExtractor = (req: { cookies?: { jwt: string } }) => {
  if (req?.cookies) {
    return req.cookies['next-auth.session-token'];
  }

  return null;
};