Where should I call external API during login

[Khaaz]

Question 💬

We're using JWT login with several providers (example: discord, twitch...).

I have several questions:

• The user available in jwt callback seems different than session.user (in session callback). In our case for instance, it no longer have the id field in session.user.
  Is it expected behaviour and is it customisable? It would be useful to have the id, and even to add additional properties to user.

• Is it possible to cancel the session or SignOut the user within the session callback or is it not the way it is designed to work?
  My use case is: if some parameter are not met, we don't actually want to login the user.

• The SignIn callback seems to be designed for the purpose of not signing in the user if some requirements are not met. However it's only called on first sign-in. jwt is called everytime but with partial data. session is called everytime.
  Where am I supposed to do external request call (for instance my own API, or discord to get additional information etc)?

/
For my use case more specifically:
If I want to do something like "requesting my own API everytime I call session, and if the result is not what I expect, then not display the webpage or sign-out".

• Can/Should I do it with next-auth (maybe in a callback?)?
• Should I do it an other way? For instance just wrapping component front-end side so make this API call etc.

How to reproduce ☕️

N/A

Contributing 🙌🏽

No, I am afraid I cannot help regarding this

[balazsorban44]

For the first two questions:

1. https://next-auth.js.org/configuration/callbacks#session-callback
2. https://next-auth.js.org/configuration/callbacks#sign-in-callback

Otherwise, it's not clear what the API call would do. Are you trying to enrich the user profile?

In that case, the jwt callback with a conditional might be ideal: https://next-auth.js.org/configuration/callbacks#jwt-callback

But you can also do it via the profile callback, per provider. Each provider comes with a default, but you can override any of the options. Eg.: Discord: https://next-auth.js.org/providers/discord#options

[Khaaz]

Thanks for your answer @balazsorban44
However that does not entirely answers me, I think.

• I guess you're saying it's not possible to cancel / sign out within the session callback.

• It's still unclear to me why the user object in jwt callback is not the same as session.user in session callback. And with what you are saying about overriding profile callback in the provider, this is even more relevant. There is an id field added in the default profile callback. However that field is not in session.user. It raises the question to know if what I add in the profile callback will actually be transfered to session.user. And does that mean I can change the user object entirely then (I ?

• I am indeed trying to enrich the user profile. But I need to do it everytime the session is called. And not only once when the jwt token is created. And at the same time when doing that, if the call goes wrong I'd like to break the session.