Sending cookies to custom server

[AashJ]

Question 💬

I have a nextjs application using next-authjs and the github provider. I've successfully logged in and I see my cookies are being set. When i send requests to a next api route I see the cookies are sent in the request header. However, when i send requests to a route at localhost:4000 the cookies are not being sent in the header. What can I do to include them with every request?

How to reproduce ☕️

This is my current nextauth config:

export default NextAuth({
    // Configure one or more authentication providers
    adapter: PrismaAdapter(prisma),
    providers: [
        GitHubProvider({
            clientId: process.env.GITHUB_ID,
            clientSecret: process.env.GITHUB_SECRET,
        }),
    ],
})

Contributing 🙌🏽

No, I am afraid I cannot help regarding this

[balazsorban44]

You probably don't want to do that. you should scope the cookies for the same site. (that is the default behaviour for next-auth)

I'm curious what's the usecase?

[balazsorban44]

Our cookies are as restrictive as possible by default, for increased security. That said, you can override it, but I really don't recommend, if you don't know what you are doing: https://next-auth.js.org/configuration/options#cookies

Besides, you cannot decode the token in the cookie created by NextAuth on your API anyway.

[RTiwary]

Dropping in here - I'm running a next-auth frontend with a custom express backend. Just like @AashJ mentions, my server runs on api.example.com and my frontend runs on example.com, and after overriding the cookie's domain attribute, the token also sends automatically.

It sounds like you're saying here though that the cookie should be encrypted – and even though I have secure:true for the token's cookie (and left useSecureCookies as the default), when I inspect the cookie in chrome dev tools it's unencrypted and it is also unencrypted when it reaches my backend server. Should this be occurring/do you know why it is unencrypted?

[balazsorban44]

Hard to say anything without seeing your code. Encryption is the default since v4:

next-auth/src/jwt/index.ts

Line 27 in c71cb84

.encrypt(encryptionSecret)

[RTiwary]

Thanks for the response 🙂 That looks like it's just for the JWTs though right? Or is it also for the cookie for the session token (I'm using the database strategy, not JWTs). I'm using version 4.0.0-beta.7 for Next-Auth and here is my /pages/api/auth/[...nextauth].js file, although it's pretty unremarkable: https://www.codepile.net/pile/o9GwDN9n

[balazsorban44]

First of all, I suggest upgrading to latest, since v4 is out of beta now.

If you are using a database, there is nothing really to encrypt. The only thing saved in the cookie is a session token, which is different than the session id in the database, to prevent spoofing on your database type by guessing the id format.

Here is the token generation method:

next-auth/src/core/lib/callback-handler.ts

Line 224 in c71cb84

return randomUUID?.() ?? randomBytes(32).toString("hex")

It should give enough entropy.