From 7e7777d0dc14dd8495ccfa166ad76723aa72985e Mon Sep 17 00:00:00 2001
From: Ulrik Andersen
Date: Wed, 6 Nov 2024 10:52:42 +0100
Subject: [PATCH] Adjust customization of session callback

The customization was suppose to only add "id" to the "user" object of the session callback response (exposed via /api/auth/session), but when this customization is added, the callback also starts returning otherwise secret information - namely the "sessionToken". This is a problem because the session token is suppose to only be stored in an HttpOnly cookie in the browser and on the server side, making it inaccessible to JavaScript. But with the /api/auth/session endpoint returning the session token it is easily accessible from JavaScript by doing a network request. With this change the session object is explicitly constructed.
---
 src/composition.ts | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/composition.ts b/src/composition.ts
index 5da65221..8514a16b 100644
--- a/src/composition.ts
+++ b/src/composition.ts
@@ -110,8 +110,18 @@ export const { signIn, auth, handlers: authHandlers } = NextAuth({
 return await logInHandler.handleLogIn({ user, account })
 },
 async session({ session, user }) {
- session.user.id = user.id
- return session
+ // Construct a new session object conforming to DefaultSession
+ // If "session" is returned it will include everything from AdapterSession,
+ // which is critical as this contains the sessionToken
+ return {
+ user: {
+ id: user.id,
+ email: user.email,
+ name: user.name,
+ image: user.image
+ },
+ expires: session.expires,
+ }
 }
 }
 })
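Review bot: The new `session` callback depends on every future edit remembering not to spread or return `session` again, and nothing in the hunk pins that down; a unit test on the callback's return value, e.g. `assert(!('sessionToken' in result))`, would turn the property the commit message describes into a regression check. The explicit allowlist of `id`, `email`, `name` and `image` is the right shape for this, since any field later added to `AdapterSession` or `AdapterUser` stays private by default. The added comment could state the stake directly: `// Return an explicitly constructed object: returning "session" itself would expose the whole AdapterSession, including sessionToken, via /api/auth/session.` If `session.expires` arrives here as a `Date` rather than the ISO string `DefaultSession` declares, the type check will surface it; the JSON sent to the client is the same either way. The enclosing `NextAuth({ ... })` call starts outside the hunk.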