Is it safe to store access token in next-auth session? #7976
Comments
you don't have to expose the access token to the client, see the docs https://next-auth.js.org/configuration/callbacks#session-callback This callback decides what's exposed of the session via the You can proxy API requests through the Next.js backend where you can safely read the whole content of the session, including your access_token. By default, we already only expose name, image and email for presentational purposes.
Dear @balazsorban44, sorry for reopening this issue. I wonder if you could give any guidance on how to
@waza-ari I believe you can do so with the help of the next-auth getServerSession method. https://next-auth.js.org/configuration/nextjs#getserversession
@HaseebAhmed456 I tried that; it returns the same attributes that are exposed to the client session using the session callback.
@waza-ari You need to call getServerSession inside your Next backend, i.e. API routes, which provide a public endpoint, and you can route your requests through that endpoint. I also couldn't find any other solution, as I was having the same issue.
I understand. I'm using server components and server data fetching already, so I don't need the data on the client. running
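As an added example for the two answers above (illustrative code written for this page, not next-auth's own), here is the proxy pattern in plain JavaScript: the session callback that keeps the access token out of what `useSession()` receives, and an API route that reads the full token server-side and forwards the request with the bearer header. The next-auth pieces are replaced by injected stand-ins (`readServerToken` for `getServerSession()`/`auth()`, `upstream` for `fetch()`), the `token.accessToken` field and the `/api/proxy/*` route shape are assumptions, and the resource-server response is constructed, so it runs offline. It also adds a check the thread only implies: an allowlist of upstream paths, because a proxy that forwards the user's bearer token to any path the browser names is an SSRF and token-relay hazard.

```javascript
// Added example for this thread (not next-auth's own code). Models the
// "proxy through the Next.js backend" pattern with the framework pieces
// replaced by injected stand-ins so it runs offline:
//   - readServerToken(req) stands in for getServerSession()/auth() reading the
//     JWT cookie on the server (assumption: the decoded JWT carries
//     token.accessToken, as set by a jwt() callback)
//   - upstream(url, init) stands in for fetch() to the resource server

// Client-facing session callback: this is what /api/auth/session and
// useSession() see. Only presentational fields are copied; accessToken is not.
function sessionCallback({ session, token }) {
  return {
    ...session,
    user: {
      name: token.name ?? null,
      email: token.email ?? null,
      image: token.picture ?? null,
    },
    // deliberately no accessToken / refreshToken here
  };
}

// Only these upstream paths may be reached through the proxy. Without an
// allowlist, /api/proxy would relay the user's bearer token to any path an
// attacker can make the browser request.
const ALLOWED_PREFIXES = ["/orders", "/profile"];
const RESOURCE_SERVER = "https://api.example.invalid"; // constructed

// API route handler: /api/proxy/<path> -> RESOURCE_SERVER/<path> with the
// server-side access token attached. Returns { status, body } for the client.
function proxyHandler(req, { readServerToken, upstream }) {
  const token = readServerToken(req);
  if (!token || !token.accessToken) {
    return { status: 401, body: { error: "not authenticated" } };
  }

  const prefix = "/api/proxy";
  if (!req.path.startsWith(prefix + "/")) {
    return { status: 404, body: { error: "unknown route" } };
  }
  const target = req.path.slice(prefix.length);
  const allowed = ALLOWED_PREFIXES.some(
    (p) => target === p || target.startsWith(p + "/")
  );
  if (target.includes("..") || !allowed) {
    return { status: 403, body: { error: "path not allowed" } };
  }

  const res = upstream(RESOURCE_SERVER + target, {
    method: req.method,
    headers: { Authorization: `Bearer ${token.accessToken}` },
  });
  // The bearer token travels only server-to-server; the client gets the
  // upstream body, never the token.
  return { status: res.status, body: res.body };
}

// Constructed fixtures so the block runs stand-alone.
const DECODED_JWT = {
  name: "Ada",
  email: "ada@example.invalid",
  picture: null,
  accessToken: "at-secret-123",
  refreshToken: "rt-secret-456",
};

// Stand-in resource server: records each call and checks the bearer header.
function makeUpstream(log) {
  return (url, init) => {
    log.push({ url, auth: init.headers.Authorization });
    if (init.headers.Authorization !== `Bearer ${DECODED_JWT.accessToken}`) {
      return { status: 401, body: { error: "bad token" } };
    }
    return { status: 200, body: { orders: [{ id: 1 }] } };
  };
}

function runProxyDemo() {
  const clientSession = sessionCallback({
    session: { user: {}, expires: "2030-01-01T00:00:00.000Z" },
    token: DECODED_JWT,
  });
  const log = [];
  const deps = { readServerToken: () => DECODED_JWT, upstream: makeUpstream(log) };
  const ok = proxyHandler({ method: "GET", path: "/api/proxy/orders" }, deps);
  const blocked = proxyHandler({ method: "GET", path: "/api/proxy/admin/keys" }, deps);
  const anon = proxyHandler(
    { method: "GET", path: "/api/proxy/orders" },
    { ...deps, readServerToken: () => null }
  );
  return { clientSession, ok, blocked, anon, log };
}
```

Run `runProxyDemo()` and inspect the result: the client session carries name/email/image only, the single upstream call carried `Bearer at-secret-123`, the non-allowlisted path never reached upstream, and an unauthenticated request got 401 before any forwarding happened.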
@balazsorban44 Is there any other solution to this other than routing your requests through next backend proxy api. As we need access_token in our client components but getting this info via useSession exposes the access_token in network calls |
if you need it in your client components it has to be sent to the client somehow, there is no way around it. That's different from our use case, as we only want to get the AT on the server side. |
Well in your case you can use server actions which are basically functions that only run on the server. https://nextjs.org/docs/app/building-your-application/data-fetching/server-actions-and-mutations |
I fully understand, and we're using them. Again, I'm looking for a way to get the AT in the server actions without exposing it to the client.
vercel/next.js#52006 |
Hello! I am using version 5.0.0-beta.4 of NextAuth. To retrieve the session on the server-side, I used the following code:

```jsx
import { auth } from "@/auth"; // the `auth` export of the app's NextAuth() config (import not shown in the extracted comment)

export default async function Page() {
  const session = await auth(); // server-side session lookup; `session` was used but its definition was lost in extraction
  return <p>Welcome {session?.user.name}!</p>;
}
```

I found this code at: https://authjs.dev/getting-started/migrating-to-v5
The only clean way I have found to do this in v5 without exposing the access token client side is to use getToken() from next-auth/jwt to decode the jwt token cookie serverside, even though the v5 docs say using this is not recommended. This requires the authjs secret and the hashing salt. The latter is undocumented but you can find the details in #9133
@waza-ari I am assuming you don't mind the access token being present in the encrypted JWT, as long as the client can't access the decrypted version. Obviously if you don't even want the client to get the encrypted access token you can't store it in the JWT, period. I eventually figured out that while you have to pass a

```javascript
import NextAuth from "next-auth";

const baseConfig = {
  providers: [], // your providers go here (elided in the original comment)
  callbacks: {
    async jwt({ token, account }) {
      // Body filled in here; the original comment elided it. On sign-in,
      // copy the provider's access token into the (encrypted) JWT.
      if (account?.access_token) token.accessToken = account.access_token;
      return token;
    },
    // no session(), or your custom session() that does not add the access token
  },
};

const serverConfig = {
  ...baseConfig,
  callbacks: {
    ...baseConfig.callbacks,
    async session({ session, token }) {
      session.accessToken = token.accessToken;
      // etc
      return session;
    },
  },
};

// The GET handler doesn't get the access token, so neither does the client
const { handlers, signIn, signOut } = NextAuth(baseConfig);

// This will get the access token for use server-side
const { auth } = NextAuth(serverConfig);
```

We are on 5.0.0beta, so this example does not use the removed
Anyone tried this solution? It's not documented but promising. Is it the best practice to hide sensitive data from the client but keep it available on the server? Since v5 is still beta, I don't want it to break later.
Question 💬
What I want is to access protected data from the resource provider, so I need to pass the access token to the backend API.
Using next-auth, I was able to store the access token in the session. And I found this official example: https://github.com/nextauthjs/next-auth-refresh-token-example/tree/57f84dbc50f30233d4ee389c7239212858ecae14.
Actually, putting the access_token in the next-auth session is great: we can use getServerSession() to get our access token and fetch protected resources on the server side. But I found out that every time we call useSession() on the client side, it triggers a GET request from the client (your_api_url/auth/session) to retrieve the session information, including the access token. This means that the access token could potentially be exposed in the client-side network traffic. Does the access token being exposed to the client mean that there is some security risk? The authorization code flow requires completing the code and token exchange on the server side precisely to protect the token on the server rather than the client.
Is there some other way to store the access token in next-auth?
How to reproduce ☕️
/api/[...nextauth]/route.ts
/index.ts
Contributing 🙌🏽
Yes, I am willing to help answer this question in a PR