Calling useSession().update with no body should not set trigger = undefined in server JWT callback

[ElijahMSmith]

Goals

Always set trigger = "update" in the jwt callback parameters when invoking useSession().update from the client, regardless of whether a body was sent.

Non-Goals

• Adding further differentiation in the jwt callback between a body/bodyless update request.

Background

It is a documented feature that calling update() from the useSession() hook will pass an undefined trigger instead of update.

https://authjs.dev/reference/nextjs#parameters

params.trigger?	"signIn" | "update" | "signUp"	Check why was the jwt callback invoked. Possible reasons are: - user sign-in: First time the callback is invoked, user, profile and account will be present. - user sign-up: a user is created for the first time in the database (when AuthConfig.session.strategy is set to "database") - update event: Triggered by the useSession().update method. In case of the latter, trigger will be undefined.

My use case is that we have a NextJS app with a BFF that manages authentication with our custom OAuth2 provider running in a separate microservice. We receive an access token to the external API from that provider and make direct API requests with the bearer token, rather than serving an API from the NextJS backend. We've opted into the JWT session strategy so that the access token can live encrypted on a browser cookie and the backend server only has to decrypt it and let the browser store the access token in memory.

We want to trigger a session update from the browser when the access token is expired to obtain a new access token from the provider (implemented with refresh tokens, but that is not super important here). This goes to the jwt callback, and so I naturally wrote some code looking for trigger = "update", which I expected to be set when calling useSession().update.

However, the actual behavior I noticed is that when I call update() with no argument, the trigger is set to undefined but with any argument (ex: update({})) it is instead "update".

In next-auth@5.0.0-beta.31, useSession().update (next-auth/react.js):

const newSession = await fetchData("session", __NEXTAUTH, logger,
  typeof data === "undefined" ? undefined : { body: { csrfToken, data } });

and fetchData (next-auth/lib/client.js):

if (req?.body) { options.body = JSON.stringify(req.body); options.method = "POST"; }

No arguments => GET with no body.
{} => POST with JSON string body.

In @auth/core/lib/index.js, the GET branch calls
actions.session(options, sessionStore, cookies) with no isUpdate
argument, while the POST branch calls
actions.session(options, sessionStore, cookies, true, request.body?.data).

In @auth/core/lib/actions/session.js:

const token = await callbacks.jwt({
  token: payload,
  ...(isUpdate && { trigger: "update" }),   // omitted entirely when !isUpdate
  session: newSession,
});

On a GET, isUpdate is falsy, so the trigger key is never added and the
callback sees trigger === undefined.

Our jwt callback only rotates on trigger === "update"
(webgui/ark-webgui/app/auth/[...nextauth]/route.ts):

if (trigger === "update") {
  return refreshAccessToken(token);
}
// otherwise returns the token unchanged
return token;

Result: refresh fires → jwt runs with account undefined and trigger
undefined → the same expired token is returned.

There are legitimate cases where the jwt callback may be called with trigger = undefined:

• useSession() hook (reading the session to be returned by the hook call)
• getSession()/getServerSession()
• getToken()
• Client-side session polling
• etc.

But if I call update() client side, I am deliberately telling the server to update my session (even if I am not passing any new data to spread into the session object). In this case, I do this so that my callback can use its OAuth2 refresh token to get a new access token and store it in the new session.

Proposal

The update function from the useSession() hook should always call the POST endpoint to indicate the session should be updated, even if there was no body passed (undefined). A user should not call update() from the useSession() hook if there is no intended action to update the session, they could instead just read the session value from useSession() or any of the other client methods.

I expect that the GET route on the server is used by more than just the update() function and matches the HTTP method with the callback function - return the JWT from the active session. Thus, this fix should be client-side to the useSession() hook where this unexpected behavior occurs.