Remove problematic customization of session callback

ulrikandersen · ulrikandersen · commit a36299cd2755 · 2024-11-06T10:52:42.000+01:00
The customization was suppose to only add "id" to the "user" object of the session callback response (exposed via /api/auth/session), but when this customization is added, the callback also starts returning otherwise secret information - namely the "sessionToken".

This is a problem because the session token is suppose to only be stored in an HttpOnly cookie in the browser and on the server side, making it inaccessible to JavaScript. But with the /api/auth/session endpoint returning the session token it is easily accessible from JavaScript by doing a network request.
diff --git a/src/composition.ts b/src/composition.ts
@@ -109,10 +109,6 @@ export const { signIn, auth, handlers: authHandlers } = NextAuth({
     async signIn({ user, account }) {
       return await logInHandler.handleLogIn({ user, account })
     },
-    async session({ session, user }) {
-      session.user.id = user.id
-      return session
-    }
   }
 })
 
