Adjust customization of session callback

ulrikandersen · ulrikandersen · commit e70057f05498 · 2024-11-06T11:41:33.000+01:00
The customization was suppose to only add "id" to the "user" object of the session callback response (exposed via /api/auth/session), but when this customization is added, the callback also starts returning otherwise secret information - namely the "sessionToken".

This is a problem because the session token is suppose to only be stored in an HttpOnly cookie in the browser and on the server side, making it inaccessible to JavaScript. But with the /api/auth/session endpoint returning the session token it is easily accessible from JavaScript by doing a network request.

With this change the session object is explicitly constructed.
diff --git a/src/composition.ts b/src/composition.ts
@@ -1,5 +1,5 @@
 import { Pool } from "pg"
-import NextAuth from "next-auth"
+import NextAuth, { DefaultSession } from "next-auth"
 import GithubProvider from "next-auth/providers/github"
 import PostgresAdapter from "@auth/pg-adapter"
 import RedisKeyedMutexFactory from "@/common/mutex/RedisKeyedMutexFactory"
@@ -110,8 +110,13 @@ export const { signIn, auth, handlers: authHandlers } = NextAuth({
       return await logInHandler.handleLogIn({ user, account })
     },
     async session({ session, user }) {
-      session.user.id = user.id
-      return session
+      return {
+        user: {
+          ...session.user,
+          id: user.id,
+        },
+        expires: session.expires,
+      }
     }
   }
 })
