Is it by design or issue that return value of jwt callback is not persisted back to client side after signin?

[bboyz269]

I'm doing a custom credentials provider that delegate everything to a backend service.

{
  providers: [
    Providers.Credentials({
      ....
      authorize: async function (credentials, req) {
        // POST backend-service/auth/token 
        return { accessToken, refreshToken };
      }
    })
  ],
  callbacks: {
    async jwt(token, user) {
      // at signin, return user info {accessToken, refreshToken} from backend-service.
      if (user) return user; 

      // If accessToken still valid, return as it is.
      if (isValid(accessToken)) return token;

      // accessToken expired, exchange for new one with refresh token
      // POST backend-service/auth/token/exchange
      const exchange = {newAccessToken, newRefreshToken};
      return { accessToken: newAccessToken, refreshToken: newRefreshToken };      
​   }
  }
}

At sign in, custom jwt (from backend service) is store at client side (in form of next-auth.session-token cookie). But after that, client cookie is not be updated with new value (missing set-cookie response header despite being set).

Is this an issue or by design? If the latter, is there a way to force updating client cookie for my case?

[balazsorban44]

where does your first (isValid(accessToken)) get the accessToken? there seems to be no declaration of it.

Also before your last return, are you trying to do destructuring? because it goes the other way. destructured values on the left.

Also make sure you read up on the session callback.

[bboyz269]

@balazsorban44
Sorry for making it confusing, those was just pseudo-codes.

Anyway, I figured out my problem is.
Since I only use server side getSession(context) inside getServerSideProps to retrieve session, any changes from jwt callbacks stays within server, and never propagated back to frontend.

Do you think it's a good idea to also include set-cookie header for getSession(context) so client also get notified of the changes?
(similiar behavior with client side getSession or useSession)

I believe it was the following piece of code responsible for fetch session sever side.

next-auth/src/client/index.js

Lines 317 to 329 in e8a58a0

	async function _fetchData(path, { ctx, req = ctx?.req } = {}) {
	try {
	const baseUrl = await _apiBaseUrl()
	const options = req ? { headers: { cookie: req.headers.cookie } } : {}
	const res = await fetch(`${baseUrl}/${path}`, options)
	const data = await res.json()
	if (!res.ok) throw data
	return Object.keys(data).length > 0 ? data : null // Return null if data empty
	} catch (error) {
	logger.error("CLIENT_FETCH_ERROR", path, error)
	return null
	}
	}