replace jwt token by one created in the costum backend in passwordless email authentication

[bilalesi]

Question 💬

Hi team,
i want to thank you first for the amazing work you're doing
first i am trying to implement password-less authentication, and for that purpose i have already a backend that generate jwt tokens (due the app has multiple sub-apps and the jwt generator must be centralize)
i want to get the jwt from the server and replace the jwt generatad in jwt callback, i tried to use the signin callback to replace the accessToken but it seams not working

is there anything to do to use my own jwt token instead of the auto-generated by next-auth
thank you

How to reproduce ☕️

Contributing 🙌🏽

Yes, I am willing to help answer this question in a PR

[balazsorban44]

The signIn method is not intended for mutation in the user. Its purpose is to determine if the user should be allowed to sign in.

My suggestion would be that you save the result of user_web_authentication method between signIn and the initial invocation of the jwt callback outside of the NextAuth option like so:

export default function auth(req, res) {
  let user_authenticated = null
  NextAuth(req, res, {
    // ...
    callbacks: {
      signIn(user) {
        user_authenticated = await user_web_authentication(user.email)
        // If true, will continue, otherwise signing in will be denied
        return Boolean(user_authenticated?.success)
      },
      jwt(token, user) {
        if (user) { // Initial invocation
          token.user.id = user_authenticated.profile.id
          // ...
        }
    
        return token
      }
    }
  })
}

The jwt callback won't be invoked unless signIn returns true, so you can be sure that it's value is not null anymore. Important things to remember:

1. let user_authenticated = null must be defined inside the handler function, so you don't accidentally share user data between multiple users who are signing in.
2. user_authenticated will only be available within if (user) check in the jwt callback, as it is the only time the signIn callback is invoked as well.

Suggestion: It is generally good practice to paste actual code, instead of images. It's easier to read/copy/test. See: Creating and highlighting code blocks

[bilalesi]

thank you man, your answer help me to understand more
but the thing i want to use the jwt generated on my custom backend to be used instead the one next-auth generated,
one more thing , when i tried the method you described, i found that the jwt token life time is updated each time the page refreshed, do this mean any thing or i miss-understand the concept ??

[balazsorban44]

There are two JWT tokens in question.

1. The one next-auth uses, you control the content of it by the jwt callback, and the JWT options https://next-auth.js.org/configuration/options#jwt
2. Your own token for your API. We don't control this, and if you save it in the session, this is the one you will have to forward to your APIs

[bilalesi]

you saved my day, thank you, one last question about the token lifetime, it's updated each time i refresh the page, i want it fixed for x days?

[balazsorban44]

the NextAuth session rotates the expiry date. meaning every invocation of /api/auth/session will renew the expiry. you can set a relative value for the session though, if the default 30 days is not sufficient

https://next-auth.js.org/configuration/options#session

[aboveyunhai]

@bilalesi I was thinking about setting the jwt token (from your backend) as one of the data field in the generated token (by next auth).
Then we don't need to put the jwt token into session, instead use useToken() to decrypt the next auth token, then get the true backend token there and do further action. Not sure if this is better than simply passing the backend towen into session.

[bilalesi]

Actually is a good idea, I will try it it seems pretty straightforward and let the session object small

…

On Sat, 31 Jul 2021, 08:31 aboveyunhai, ***@***.***> wrote: @bilalesi <https://github.com/bilalesi> I was thinking about setting the jwt token (from your backend) as one of the data field in the generated token (by next auth). Then we don't need to put the jwt token into session, instead use useToken() to decrypt the next auth token, then get the true backend token there and do further action. Not sure if this is better than simply passing the backend towen into session. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2400 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAUCWGKIBXPLWDAO2ERHDKLT2ORELANCNFSM5ATG7Z6A> .

[aboveyunhai]

I just quickly figure out for myself. It seems like as long as you pass a custom field into next-auth token, it will automatically override the jwt field. For example

token.server_jwt = "efg"; // assume jwt = abc without modification.

Then { jwt: abc } => { server_jwt: efg }, other 3 fields will remain unchanged. 

Probably has something to do with jwt webtoken standard