Could an user mutate his own session object?

[ghost]

I am building an e-commerce with Next.js and am managing the authentication through NextAuth.js.
I have an API that is used to retrieve or modify an user's cart.
Obviously the only person able to access someone's cart should be the owner of the cart.
So I need to somehow verify the requests arriving to that API.

I first thought of attaching a secret environment variable to the requests, only to find out that they are hardcoded on the client.

So I am trying this other approach in which when a new user is created it gets (along with an username, a password etc.) a cartId.
Then when logging in, the cartId is added to the session:

// [...nextauth].js

export default NextAuth({

  // options

  providers: [
    Providers.Credentials({
      async authorize(credentials) {

        // some code

        return { email, cartId };
      }
    }),
  ],
  callbacks: {
    async jwt(token, user) {
      if (user) token.user = user;
      return token;
    },
    async session(session, token) {
      session.user = token.user;
      return session;
    },
  },
});

So that in the API I can check whether the cartId in the current session triple-equals the cartId stored in the database at registration time.

Now since NextAuth doesn't store sensitive information in the session object, I guess that it's not a safe place to store sensitive data.
However a possible attacker trying to access someone else's cart must not only steal the cartId, but also be able to modify his own session object, swapping his cartId with the stolen one.

So my question is: could an user mutate (or maybe even fake) his own session object?

[ByamB4]

Yeah, Looks good to me.

[ghost]

For looks good, you mean that people can't change or fake a NextAuth session, right?