-
-
Notifications
You must be signed in to change notification settings - Fork 3.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
Return new token from signIn callback #728
Comments
The [docs states](https://next-auth.js.org/configuration/callbacks#sign-in-callback) > Return `true` (or a modified JWT) to allow sign in * Return `false` to deny access This change is also related to nextauthjs/next-auth#728 nextauthjs/next-auth#730
Thanks for the PR. It sounds like there is some confusing stemming from a typo in comment in example code in the docs. Including the response I've also left from the PR for completeness for anyone reading this:
With NextAuth.js you can either use JSON Web Tokens for sessions or use a database for Sessions but you'd need to pick which. Tracking JWTs have been issued in a database is not a flow that is supported in NextAuth.js, it's very much either JWT or database for session access. If you want to prevent additional sign in attempts, it should be pretty straightforward - you can use database sessions and use the If you want to use a JWT, in the In theory you could combine logic in the |
Yeah, I aim to support allowing multiple concurrent logins, so the database will/should hold a list of sessions. My initial thoughts are to create a sessionId in the db, and send it back to the user at signin. When a new user is trying to sign in, the DB will also check first if the max no. of allowed concurrent logins is reached, in that case, it will drop the oldest login sessionId, and add a new one for the user currently signing in. After a while, the access token for the old user will expire, and in that case, I check if their sessionId is still present in the session DB. if not, the user should not be authorized anymore and the jwt token returned will be empty. Although, I am not entirely sure if it is the "proper way" to "log the user out". Here is my code at the moment (moving the code I intended to have in the // [...nextauth.ts]
async jwt(token: JWTTokenWithUser, _, account: IDSAccount, profile: IDSUser) {
// Signin in
if (account && profile) {
const numberOfActiveSessions = await sessionsDB.getNumberOfSessions(account.id)
if (MAX_CONCURRENT_LOGINS <= numberOfActiveSessions ) {
return {}
}
const accessTokenExpires = new Date(account.accessTokenExpires ?? addSeconds(new Date(), DEFAULT_EXPIRES_IN )).toISOString()
const jwtToken: JWTTokenWithUser = {
accessToken: account.accessToken,
accessTokenExpires,
id: account.id,
refreshToken: account.refreshToken,
sessionId: await sessionsDB.addSession(account.id),
user: mapIDSProfileToUser(profile),
}
return jwtToken
}
// Subsequent use of JWT, the user has been logged in before
// access token did has not expired yet
if (new Date().toISOString() < token.accessTokenExpires) {
return token
}
// access token has expired, check if the session is still valid.
if (await sessionsDB.isActiveSession(token.id, token.sessionId)) {
return refreshAccessToken(token)
}
// the session is not valid anymore, annul the jwt token
return {}
},
//... UPDATE: I just tested it, and it kind of works, but returning an empty object throws the following error:
And sends me to the following documentation page https://next-auth.js.org/errors#jwt_session_error, which is empty. I solved it by adding some kind of an error in the JWT eg.: // the session is invalid, annul the jwt token
return {
error: {
message: "This user session has expired.",
type: "SessionExpired",
},
} Which is actually fine. |
If you move a check like this into the const numberOfActiveSessions = await sessionsDB.getNumberOfSessions(account.id)
if (MAX_CONCURRENT_LOGINS <= numberOfActiveSessions ) {
return false // or return URL to redirect to
} |
I got it working! I will close this issue now, and open a new one if I have further questions. Thanks for the help and explanation! |
UPDATE:
I eagerly created both a PR and updated the type definitions to mitigate this. 馃
Describe the bug
I am trying to implement #583 in user land to create a Proof of Concept.
According to the docs, it should be possible to return a modified JWT token in the
signIn
callback, which I was assuming I could get in thejwt
callback.Steps to reproduce
Expected behavior
I would like to pass a sessionId to the
jwt
callback.Screenshots or error logs
If applicable add screenshots or error logs to help explain the problem.
Additional context
On line 71, the signIn callback response is saved, but the value is never used at line 92.
next-auth/src/server/routes/callback.js
Lines 70 to 92 in 8115a7c
Wouldn't it be enough to resue
signInCallbackResponse
at line 87 to create adefaultJwtPayload
Feedback
Documentation refers to searching through online documentation, code comments and issue history. The example project refers to next-auth-example.
The text was updated successfully, but these errors were encountered: