Next.js Discord

Discord Forum

Understanding JWT and session callbacks in Auth.js

Unanswered
Atlantic menhaden posted this in #help-forum
Open in Discord
Atlantic menhadenOP
The JWT callback states that: Anything you return here will be saved in the JWT and forwarded to the session callback. There you can control what should be returned to the client.. But I don't really understand what the purpose of the JWT callback is. Is it just used to create a JWT and pass the JWT to the session callback? And what is the point of the JWT that is created when I can just access the id of the user in the session in the frontend and use that to fetch data from the backend?

The contents in the image is the token passed to the session callback.
// auth.ts in project root
export const { handlers, signIn, signOut, auth } = NextAuth({
  providers: [
    Credentials({
        credentials: {
            username: {},
            password: {}
        },
        authorize: async (credentials) => {
              return {
                  id: user._id.toString(),
                  username: user.username,
                  email: user.email,
              };
        }
    })
  ],
  callbacks: {
    jwt({ token, user }) {
      if (user) {
        token.id = user.id
      }
      return token
    },
    session({ session, token }) {
      session.user.id = token.id as string
      return session
    }
  }
})

14 Replies

@Mallow bee The token can contain its own information, like the username and the email, which lets you display that info without doing a lookup from the database
Atlantic menhadenOP
But the token isn't accessed anywhere in the frontend, right? From what I can tell, you take the contents of the token param in the session callback and add them to the session param.
  callbacks: {
    jwt({ token, user }) {
      if (user) {
        token.id = user.id;
        token.username = user.username;
      }
      return token;
    },
    session({ session, token }) {
      session.user.id = token.id as string;
      session.user.username = token.username;
      return session;
    }
  }
Mallow bee
it's saved into the session, which is stored wherever the session is stored
usually a cookie
sometimes localstorage
the cookie gets sent to the server on every request
you can use that to avoid looking up the username from the DB every time you want to display it, even in SSR
common to include name, email, and permissions/roles in the session, basically anything you'd want to check during middleware to redirect people
downside of storing everything in the cookie is it has limited max size, and your backend doesn't control that info so if you remotely remove someone's role they will still be able to navigate as if they have it until their session cookie updates (for that reason you still do the DB lookup before performing any actions)
there's a medium ground where you store the session in a KV store like redis, so it's still fast to look up and unlimited size but then you have the power to revoke the session remotely
general jargon is
- cookie session (all info in cookie)
- redis backed session (id in cookie)
- database backed sessions (id in cookie)
@Mallow bee it's saved into the session, which is stored wherever the session is stored
Atlantic menhadenOP
When signing in it creates a authjs.session_token in cookies, so I guess that's where the name, email, etc. is stored