email provider - set user role during signing in process

[b-novikov-ipersonality]

Hi guys.
I'm using email provider and I need two roles for my application - product owners and product consumers.

Ideally I want two separate registration processes - one for consumer and the other for owner - when user chooses to register as consumer his role becomes consumer, same with owner. I couldn't figure out how to pass some data that would identify role to next-auth handler.

I was thinking about adding query to callbackUrl that would contain role=consumer or role=owner but that's not safe, anyone who registered as a consumer can change the query manually to owner unless there's some kind of verification token that is specific to selected role included.

Is there a way to tinker NextAuth handler so it would accept data? Like an additional field in body or maybe query parameter or cookie or something? Maybe there's some other way?

upd:
I found an answer to my "how to pass data" question here

But simply passing data to signIn function won't work because role is only provided on initial sign in request when verification email is sent. When user verifies email there's no role.

I'm currently looking for a workaround and I thought I could use cookies to store role but cookies get overwritten when I confirm email.
My signIn callback looks like this:

signIn: async ({ user, ...rest }) => {
  if (!user.id) {
    user.isNewUser = true;
  }

  const { body } = req;
  let { role } = body;

  if (role) res.setHeader('Set-Cookie', 'user-role=' + role + ';Max-Age=600');

  if (!role) {
    role = req.cookies['user-role'];

    console.log('\n\nROLE:::', role, '\n\n');

    if (!role) return false;

    user.role = role;
  }

  return true;
},

I think I can save user email and associated role to database but I really don't want to do that.

How can I preserve role in the signIn callback? Maybe there's some other way to achieve roles?

[ivan-kleshnin]

You've already find a way to expose role from the signIn callback downstream by mutating the user object. It works albeit hacky. Next steps:

1. Enrich JWT with new fields:

  async jwt({token, user}) {
    if (user) {
      return {
        ...token,
        // id: user.id,
        role: user.role,
      }
    } else {
      return token
    }
  },

2. Expose JWT to the session object:

  async session({session, token}) {
    return {
      ...session,
      user: {
        ...session.user,
        // id: token.id,
        role: token.role,
      },
    }
  },

The above assumes you use JWT-based session, not database-based.