getSession() vs getToken() #3411
-
|
Which is recommended for securing the backend and why? I see documentation uses both as examples but in essentially the same way. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 4 replies
-
|
Depends on your use case.
|
Beta Was this translation helpful? Give feedback.
-
|
Thanks. very much. Do you have any recommendations or resources for use cases where you need to immediately remove access from a user etc? |
Beta Was this translation helpful? Give feedback.
-
|
By removing access, do you mean revoking their access token? that's the job of the Identity Provider, not next-auth. depends on which provider you use? We might introduce a token endpoint in the future, that could help with that, as well as token rotation (think refresh_token) |
Beta Was this translation helpful? Give feedback.
-
|
Just generally invalidating a specific user token at any given time. I've read up on various techniques used such as black listing until expiration etc., but I figured that you would be able to give a good recommendation. |
Beta Was this translation helpful? Give feedback.
-
|
Don't confuse session with access tokens in this case. An access token can be revoked by the provider. most of them have an API for that. to terminate a session in next-auth, the user has to sign out. |
Beta Was this translation helpful? Give feedback.
Depends on your use case.
getTokenis much simpler, but only works with the JWT strategy.getTokenalso exposes anything returned from thejwtcallback, whilegetSessiononly exposes what is returned from thesessioncallback.