Return current token in JWT callback

[kjugi]

Question 💬

Hi and thanks for the great tool for authorization for next.js. It's a crucial part of every app and thanks to you I'm able to integrate simply with a lot of providers! 😄

Opening for the issue:

In my solution, I'm integrating with my custom backend where I'm also getting a pair of tokens. This part is done for now. I managed to refresh the tokens inside the authorize method after calling the signIn from next-auth/react.

Also, I saw a discussion in the #1350 issue and that was very helpful for me but I come with a different approach for it.

My refreshing logic looks like this:

async authorize(credentials, req) {
  const token = cookie.parse(req.headers.cookie || '')['next-auth.session-token'];

   if (token) {
    try {
      const signKey = await parseJwk(JSON.parse(JWT_SIGNING_KEY));

      const { payload } = await jwtVerify(token, signKey);

      if (payload) {
        const refreshedToken = await refreshAccessToken(payload); // my custom method to refresh - irrelevant method for now

        return {
          access: refreshedToken.accessToken,
          refresh: refreshedToken.refreshToken,
        };
      }

     throw new Error('Token not created');
   } catch (e) {
     return {
        error: 'RefreshAccessTokenError',
      };
    }
  }

  // ... standard logic to authorize
}

I'm using the CredentialsProvider provider to manage it and it's working cool. I just wanted to clarify one possible case which maybe you could add in the future or help to figure it out for me.

The real question is here:

Is there any chance to return or to obtain the current token object in the jwt callback? Even if the return in authorize is not the same as during the login process. Right now it returns empty fields in the object (See comments in the demo)

That will allow me to delete this whole parsing and encoding part from authorizing and simply allows me to run my refreshAsseccToken method if needed in the jwt callback.

Also if you have any feedback due to the current refreshing flow - I'm all ears 😄

Right now the variable token seems to be cleaned when calling this callback. Dunno why exactly...

My jwt callback right now:

async jwt({ token, user, account }) {
  if (user) {
    token.accessToken = user.access;
    token.refreshToken = user.refresh;
  }

  // Access token is close to expire, try to update it
  if (token && isTokenCloseToExpiry(token.accessToken)) {
    const refreshedToken = await refreshAccessToken(token); // my custom method to refresh - irrelevant method for now
    return refreshedToken;
  }

  // Return previous token if the access token has not expired yet
  return token;
},

---

As I understand (and it's simplified) after returning obj in the authorize method jwt callback is called and I can access the payload of the token. Maybe one of the params should still contain old values of the last known JWT payload?

How to reproduce ☕️

Demo link with the main idea here.
I don't think it clearly shows what I mean b/c we can't make real requests. But check out the console.logs and comments in the jwt callback.

Contributing 🙌🏽

No, I am afraid I cannot help regarding this

[balazsorban44]

authorize expects an object to be returned, not a JWT, hence you are getting undefined in the jwt callback. (assuming here that data is a JWT in a string format)

Not sure what this does:

if (!credentials.email) {
  return {
    refreshing: true
  };
}

The authorize method is only hit once when a user signs in. So returning different things doesn't really make sense, I think, but I don't fully understand what you are trying to do yet.

token is always the "previous" token as expected. In the case of the first login, it will be the subset of the user object that you are supposed to return from authorize

[kjugi]

Ok, first things first. In my case the data from the axios.post('v1/auth/jwt/create/' is in the object format so this part is fine.

Also, I've managed to change my flow for refreshing. Approach from the first comment is wrong even if possible.

Right now I'm triggering the jwt callback by calling the getSession() hook which is nothing else like but a request to the /api/auth/session as the docs say.

That allows me to run validation for my internal token and refresh if needed.

Thanks for the response!

MAINTAINER COMMENT: Changed a word for clarity for others in the future.

[Mosquid]

Do I understand correctly that you do isTokenCloseToExpiry in your session callback? If so, how do you get your raw (string) token? Do you encode the payload?

Thank you

[kjugi]

Nope, I'm running isTokenCloseToExpiry in the jwt callback. In the session callback I'm just setting the token to session.