Passport + Nextjs

Unanswered
Yellow and black potter wasp posted this in #help-forum
Yellow and black potter wasp (OP)
Hey guys, I want to implement Passport.js in my Next.js project. I thought about it and is this a good plan? So in my Express server I would have a route to check if the user is authenticated using isAuthenticated(). If not, I would send false and redirect to login, or else I would send the req.user. I also have a confusion: must I store the data in a cookie, or just make an API call to get req.user each time?

18 Replies

@Yellow and black potter wasp Hey guys, I want to implement Passport.js in my Next.js project. I thought about it and is this a good plan? So in my Express server I would have a route to check if the user is authenticated using isAuthenticated(). If not, I would send false and redirect to login, or else I would send the req.user. I also have a confusion: must I store the data in a cookie, or just make an API call to get req.user each time?
That depends on how you would like to authenticate your user.
You can either just save a session token on the client (session-based auth). This session token will be set as a cookie and sent when there are auth requests. You will get the cookie and check if he is allowed to do that operation.
-> You just save the session token and request data from your database every time to see if he's allowed.

Another solution is to sign (and encrypt) a JSON object that contains specific data (JWT-based auth). This data will be set as a cookie and you can view the data without checking the database. It will be sent when there are auth requests. You will get the cookie data and check if he is allowed to do that operation.
-> You just save the JSON object and check if he's allowed.
Yellow and black potter wasp (OP)
If I get the details from req.user it doesn't read from the database right?
I mean once I login the details are stored as a token but in the backend right?
So then I can make an API call to a route to read that info. Which would mean that I don't have to store a token or object with the user info in the client side right?
Pardon me if I don't make sense. I just have a lot of questions
Transvaal lion
I haven't used Express as a Next.js server, but I have one project using Express + Passport as a separate backend and Next.js as the frontend. Probably not that different, I assume. However, I have used Redis to store the session, instead of a database or JWT.

I naturally defined my passport authentication routes in Express. Authenticating would send a cookie to the client that contains a session ID. That session ID is stored in Redis as a key and, in my case, has the user ID as the value (using ioredis as my express-session store).

When making requests from the frontend, I send that cookie (containing session ID) to the server. The user ID is then gotten from Redis by looking up the session ID, and is assigned to req.user.

With the user ID in req.user, I can now fetch the user from the database.

First:
-> authenticate
-> cookie with session ID sent to client and sessionId:userId stored in Redis

Then:
-> client sends request to server, including cookie with session ID
-> look up session in Redis and get user ID
-> fetch user by ID
-> perform additional checks or return user or whatever
Yellow and black potter wasp (OP)
So you have the user ID of the client in Redis and you fetch the user from the DB whenever you need, right?
What I thought is similar to this, but I planned to store the entire client info in req.user and not just the ID. So whenever I need it I can fetch it from my backend.
Transvaal lion
Yeah I personally like to store only the user id in the session, not the entire user details
Yellow and black potter wasp (OP)
But my method is also good, right? Or is storing the whole user info like a bad practice?
Transvaal lion
It's definitely not wrong and will work, but to be honest I don't know all the pros and cons. You might have to google that.
But... let's say that I wouldn't store the user ID but the whole user in my Redis instance. Then I would always get the same user data, unless I create a new session. That wouldn't be ideal if you, for example, changed a user's permissions, because those changes wouldn't be applied to the session data unless you create a new session and fetch the user again.
Yellow and black potter wasp (OP)
Ohh ok, I got it now.
Thank you.
Green-breasted Mango
How do you plan to refresh the token if it's session based?
middleware 👏
Green-breasted Mango
I mean, based on the docs, you shouldn't do database calls or heavy tasks? Refreshing a token involves an API call and a database update?
Yellow and black potter wasp (OP)
I plan to make the session last for like 1 hr or something.
In express-session you can set that.