How should I protect an external endpoint outside of next-auth?

[TheHolyWaffle]

I'm curious as to what the best approach is here.

I currently have a hybrid setup where nextjs and the api pages provide one portion of the api. And a websocket endpoint is hosted on a different server. The client-side js should be able to create a websocket connection by passing the encoded JWT as a query parameter.

Now I was wondering what the best approach is to validate the JWT token on websocket side? And how I can even get access to an encoded JWT on the client side?

Cookies are not a option, since they are not included when making a websocket connection to a different domain.

[TheHolyWaffle]

For now, I've created a secondary jwt token in the session callback and verify that one in my websocket server. Based upon an earlier suggestion #643

    callbacks: {
        session: async (session, user) => {
            session.id = user.sub || user.id;
            session.externalJwt = jwt.sign(
                {
                    sub: session.id,
                    email: user.email,
                    exp: Math.floor(Date.now() / 1000) + 5 * 60,
                },
                process.env.NEXTAUTH_SECRET_EXTERNAL_JWT || ""
            );
            return session;
        },
    },

Now I'm wondering if this callback is the right place, or if jwt callback would be better suited to reduce overhead?

[getTobiasNielsen]

Did you end up with a result that you were happy with, or did you run into some issues with this approach ?

[subnomo]

I would think the jwt would be a better place, after testing this solution it seemed like accessing the session from the client ended up causing the session callback to be called again, which would regenerate externalJwt every time. I ended up with a solution like this, which only generates the JWT on login:

async jwt(token, user, account, profile, isNewUser) {
  if (user) {
    token.externalJwt = jwt.sign({
      sub: user.id,
      email: user.email,
    }, process.env.EXTERNAL_SECRET ?? '', { expiresIn: '30d' });
  }

  return token;
},

I then add externalJwt to the session in the session callback.

[WeersProductions]

Sorry to bring this post up again, but I am in the exact same situation. I was wondering whether this is the way to go?
While I am not too experienced with this, it feels strange that we need a secondary JWT? Can't we use a single JWT? Or would that compromise security?

If your approach is the correct one, I will follow this same technique :)

[balazsorban44]

I am fairly sure you could reuse our JWT, but I guess it is more secure if your API uses a different secret/token. This is how you would use an OAuth provider anyway, they give their own access_token.

[WeersProductions]

That makes sense! Thanks a lot.