Question 💬

Hi all, I have a backend graphql server that my next app queries to obtain data. My issue is that calling getSession (sometimes) returns a session without the accessToken

```
debug:["current session: ",{"user":{"name":"Zied Hamdi","email":"[email protected]","image":"https://platform-lookaside.fbsbx.com/platform/profilepic/?asid=10206438893841298&height=50&width=50&ext=1626867412&hash=AeTv3FwYuXkrigPuA9U","id":"60d079d48cc3ab35c8401bae"},"expires":"2021-08-18T08:34:56.051Z"}]
```

I could pass it the user Id directly to the backend since the connection between the two servers is private, but I want to rely on the accessToken to be sure the session is still active (e.g. for a re-run of a query)

Here's my code:

```js
import NextAuth from 'next-auth'
import Providers from 'next-auth/providers'
import logger from "../../../lib/logger";

export default NextAuth({
  // Configure one or more authentication providers
  providers: [
    Providers.Facebook({
      clientId: process.env.FACEBOOK_ID,
      clientSecret: process.env.FACEBOOK_SECRET
    }),
    Providers.Google({
      clientId: process.env.GOOGLE_ID,
      clientSecret: process.env.GOOGLE_SECRET
    }),
    // ...add more providers here
  ],
  // A database is optional, but required to persist accounts in a database
  database: process.env.DATABASE_URL,
  callbacks: {
    /**
     * @param {object} session Session object
     * @param {object} token   User object (if using database sessions)
     *                         JSON Web Token (if not using database sessions)
     * @return {object}        Session that will be returned to the client
     */
    async session(session, token) {
      // Add property to session, like an access_token from a provider.
      session.accessToken = token.accessToken
      session.user.id = token.id
      return session
    }
  }
})
```

/api/graphql.js

```js
import logger from '../../lib/logger'
import {getSession} from "next-auth/client";

export default async (_req, _res) => {
  // logger.debug("api/graphql: Request body:\n", _req.body)
  const session = await getSession({req: _req})
  logger.debug("current session: ", session)
  const query = {
    method: 'POST', // *GET, POST, PUT, DELETE, etc.
    mode: 'cors', // no-cors, *cors, same-origin
    cache: 'no-cache', // *default, no-cache, reload, force-cache, only-if-cached
    credentials: 'same-origin', // include, *same-origin, omit
    headers: {
      'Content-Type': 'application/json',
      accessToken: session?.accessToken
      // 'Content-Type': 'application/x-www-form-urlencoded',
    },
    redirect: 'follow', // manual, *follow, error
    referrerPolicy: 'no-referrer', // no-referrer, *no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url
    body: JSON.stringify({
      operationName: _req.body.operationName,
      variables: _req.body.variables,
      query: _req.body.query
    }) // body data type must match "Content-Type" header
  };
  const res = await fetch('http://localhost:4000/api/graphql', query)
  const json = await res.json()
  _res.statusCode = 200;
  _res.setHeader('Content-Type', 'application/json');
  _res.setHeader('Cache-Control', 'max-age=180000');
  _res.json(json)
  _res.end()
};
```

I found a topic about this issue here, but it's not clear what was done and if it was solved: #913

Thanks for your time, I really appreciate it

How to reproduce ☕️

run a /api/graphql query

Contributing 🙌🏽

Yes, I am willing to help answer this question in a PR
Replies: 1 comment 1 reply
I'm going to create a JWT token between my servers as a workaround (that I will create in my callback): I know the user is connected since I have access to a session object, so if the lib's token is inconsistent, I can create mine
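
The workaround described in the comment above, sketched as an added example (not code from the thread or from NextAuth): the Next.js API route mints a short-lived HS256 token for the user id it read from the session, and the GraphQL backend verifies it before trusting that id. The function names, the `iss`/`aud` values, the 60-second lifetime and the shared secret are assumptions.

```javascript
const crypto = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const hmac = (data, secret) =>
  crypto.createHmac('sha256', secret).update(data).digest();

// Next.js side: call only after getSession() returned a session with user.id.
function mintServiceToken(userId, secret, ttlSeconds = 60, now = Date.now()) {
  if (!userId) throw new Error('no authenticated user');
  const iat = Math.floor(now / 1000);
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({
    sub: userId, iss: 'next-app', aud: 'graphql-backend', iat, exp: iat + ttlSeconds,
  }));
  const signingInput = `${header}.${payload}`;
  return `${signingInput}.${b64url(hmac(signingInput, secret))}`;
}

// Backend side: returns the claims, or null if the token must be rejected.
function verifyServiceToken(token, secret, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  const expected = hmac(`${header}.${payload}`, secret);
  const given = Buffer.from(sig, 'base64url');
  // Constant-time comparison; timingSafeEqual throws on a length mismatch.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  let head, claims;
  try {
    head = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  // Pin algorithm and audience; the header never selects the algorithm.
  if (head.alg !== 'HS256' || claims.aud !== 'graphql-backend') return null;
  const nowSec = Math.floor(now / 1000);
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return null;
  return claims;
}

// Constructed sample run; the user id is the one from the debug output above.
const SECRET = crypto.randomBytes(32); // assumption: shared via env on both servers
const sample = mintServiceToken('60d079d48cc3ab35c8401bae', SECRET);
console.log(verifyServiceToken(sample, SECRET));
```

The short lifetime is what covers the "is the session still active" concern: the backend only accepts a token minted within the last minute by a route that had a live session.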