getSession in server side with IP restriction #904

airtoxin · 2020-12-03T07:16:32Z

airtoxin
Dec 3, 2020

Your question

We have IP restriction and all http request must through the NAT gateway, so origin IP of server outbound http request is equal to IP of NAT. And IP restriction does not allow NAT IP.
In this environment, calling getSession in server-side fails, because current implementation of getSession in server-side is fetching /session route with http request (its original IP is changes to NAT).
Yes, I know its issue can solve to allow NAT IP but this is not allowed in our security policy.
Is there any workaround?

What are you trying to do

Our current workaround is re-implementing session route process manually in our api route.

next-auth/src/server/routes/session.js

Lines 60 to 95 in 8115a7c

    
           try { 
        
             const { getUser, getSession, updateSession } = await adapter.getAdapter(options) 
        
             const session = await getSession(sessionToken) 
        
             if (session) { 
        
               // Trigger update to session object to update session expiry 
        
               await updateSession(session) 
        
               const user = await getUser(session.userId) 
        
               // By default, only exposes a limited subset of information to the client 
        
               // as needed for presentation purposes (e.g. "you are logged in as…"). 
        
               const defaultSessionPayload = { 
        
                 user: { 
        
                   name: user.name, 
        
                   email: user.email, 
        
                   image: user.image 
        
                 }, 
        
                 accessToken: session.accessToken, 
        
                 expires: session.expires 
        
               } 
        
               // Pass Session through to the session callback 
        
               const sessionPayload = await callbacks.session(defaultSessionPayload, user) 
        
               // Return session payload as response 
        
               response = sessionPayload 
        
               // Set cookie again to update expiry 
        
               cookie.set(res, cookies.sessionToken.name, sessionToken, { expires: session.expires, ...cookies.sessionToken.options }) 
        
               await dispatchEvent(events.session, { session: sessionPayload }) 
        
             } else if (sessionToken) { 
        
               // If sessionToken was found set but it's not valid for a session then 
        
               // remove the sessionToken cookie from browser. 
        
               cookie.set(res, cookies.sessionToken.name, '', { ...cookies.sessionToken.options, maxAge: 0 }) 
        
             }

but this approach is awful and ugly.

Feedback
Documentation refers to searching through online documentation, code comments and issue history. The example project refers to next-auth-example.