Adjust customization of session callback

ulrikandersen · ulrikandersen · commit 7e7777d0dc14 · 2024-11-06T11:52:41.000+01:00
The customization was suppose to only add "id" to the "user" object of the session callback response (exposed via /api/auth/session), but when this customization is added, the callback also starts returning otherwise secret information - namely the "sessionToken".

This is a problem because the session token is suppose to only be stored in an HttpOnly cookie in the browser and on the server side, making it inaccessible to JavaScript. But with the /api/auth/session endpoint returning the session token it is easily accessible from JavaScript by doing a network request.

With this change the session object is explicitly constructed.
diff --git a/src/composition.ts b/src/composition.ts
@@ -110,8 +110,18 @@ export const { signIn, auth, handlers: authHandlers } = NextAuth({
       return await logInHandler.handleLogIn({ user, account })
     },
     async session({ session, user }) {
-      session.user.id = user.id
-      return session
+      // Construct a new session object conforming to DefaultSession
+      // If "session" is returned it will include everything from AdapterSession,
+      // which is critical as this contains the sessionToken
+      return {
+        user: {
+          id: user.id,
+          email: user.email,
+          name: user.name,
+          image: user.image
+        },
+        expires: session.expires,
+      }
     }
   }
 })
