Access cookies or req in jwt callback (and/or other callbacks) #543
Comments
|
Also related: #469 |
|
I'm realizing this brute force approach may give a little too much leeway to the developer. Giving folks (especially those with limited auth experience like myself) the ability to access this req object in a callback may enable some unsafe behavior along the lines of assigning unsecured password-like data from a login screen to a cookie. Aggregating other implementations that have been suggested:
|
|
@bscaspar Thanks for the follow up! FWIW I agree, I'm worried about exposing I think additional parameters and/or additional callbacks is general preferable approach. In this case, if you are integrating Facebook and Instagram I'd suggest ideally persisting users to a database and creating an API endpoint like The front end could then prompt the user to take action if needed, if the data is missing or invalid. A database is likely easier - it's technically possible to do a lot with using JWT without one, but it can be more work - but moving some of the logic for this to a dedicated API endpoint that uses Moving some logic out of the |
|
Thanks for the follow up! I guess I should look into using a DB after successfully avoiding it due to sheer laziness 😄 It looks like there may be some momentum towards the parameters getting passed to |
|
Isn't it already possible to access // [...nextauth].js
export default (req, res) => NextAuth(req, res, getOptions(req))Is there any downside to this approach? |
Summary
Provide req object or cookies as an arg in the jwt callback (and maybe others if folks are interested).
Purpose of proposed feature
We have a unique login flow - a user fills out their Instagram handle in the login page and then uses Facebook auth. On login, we need to validate that the user's authenticated Facebook account has access to the Instagram handle they submitted and confirm that handle is on our greenlist. After the initial Facebook login, we use the the JWT callback to get the list of Instagram accounts that Facebook account has access to from the FB graph API. At this point, we need to compare this list of Instagram account handles with the original handle submitted in the login form.
I would like to do this in the JWT callback so I can store the Instagram account ID in the JWT and access it through
getSession. The only way I can think of to get access to that handle, submitted to a form during login, is to store it in a cookie and access it here. I believe using a database might help solve this problem, but that's not a possibility for me right now, so the goal is to do this without.(Is there another way to pass data to the JWT callback from a form?)
Details
Most basic/obvious implementation would be to update this:
next-auth/src/server/routes/callback.js
Line 92 in 8115a7c
with something like
Potential problems
I am far from an auth expert and can only assume I'm missing an important security reason this isn't recommended.
Workaround
Currently I have this built into a post-login redirect route that fetches data from an API route to determine if the handle matches the Instagram accounts. It signs the user out if there isn't a match, and stores the data in a cookie if there is.
The text was updated successfully, but these errors were encountered: