Manual session deleting

[trey-m]

Authentication Setup:

• Google OAUTH
• Prisma adapter -> Postgres

When a session gets created I plan to fetch the users roles from my DB and store it in the session. I will also be creating an accessToken that I will store in the session as well to access my API.

The scenario is say a user has the ADMIN role and I want to remove that role from their account. I would ideally like to just delete their current session(s) in the DB and just have them re-login which will then fetch their new role list.

Approach:
Set the provider options clientMaxAge and keepAlive so it will check the server for a session say every 5mins. The problem with this approach is it fetches the session on the server but never finds it (since I deleted it from the db), and the only way to have the client reflect that it doesn't exist is to refresh the page or navigate elsewhere.

Questions:
Does this seem like a good approach? If so, what are some suggested ways on ensuring the client is watching for that change to navigate the user accordingly? If not, what are some alternative flows I can look into?

[Fronix]

I'm assuming you are using JWTs since you say you want to store your users roles inside the session? If not, I'm confused since NextAuth has support for normal db session, and it creates a session for a user in the session table. So you could easily just fetch the user-roles in the session() function or modify the adapter to include it when getUser() is called.

This way, when you remove a user's role, the keepAlive trigger will reflect this as soon as it is triggered.

[trey-m]

Yeah, that was exactly my intention. Thanks for confirming!

[Fronix]

No problem, happy to help