Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 0 additions & 2 deletions src/lib/auth.ts
Original file line number Diff line number Diff line change
Expand Up @@ -175,8 +175,6 @@ export const authOptions: NextAuthOptions = {
return token;
},
async session({ session, token }) {
if (typeof token.accessToken === "string")
session.accessToken = token.accessToken;
if (typeof token.githubId === "string")
session.githubId = token.githubId;
if (typeof token.githubLogin === "string")
Expand Down
19 changes: 17 additions & 2 deletions src/lib/get-session-token.ts
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
import "server-only";
import { getServerSession } from "next-auth";
import { getToken } from "next-auth/jwt";
import { headers, cookies } from "next/headers";
import { authOptions } from "@/lib/auth";
import { resolveAppUser } from "@/lib/resolve-user";
import type { Session } from "next-auth";
Expand All @@ -13,11 +15,24 @@ export async function getSessionWithToken(): Promise<SessionWithToken | null> {
const session = await getServerSession(authOptions);
if (!session?.githubId || !session?.githubLogin) return null;

const accessToken = session.accessToken;
// accessToken no longer lives on `session` (see auth.ts session callback).
// Read it server-side, directly from the encrypted JWT cookie instead.
const token = await getToken({
req: { headers: headers(), cookies: cookies() } as any,
secret: process.env.NEXTAUTH_SECRET,
});
const accessToken = typeof token?.accessToken === "string" ? token.accessToken : null;
if (!accessToken) return null;

const userRow = await resolveAppUser(session.githubId, session.githubLogin);
if (!userRow) return null;

return { session, accessToken };
}
}
export async function getAccessToken(): Promise<string | null> {
const token = await getToken({
req: { headers: headers(), cookies: cookies() } as any,
secret: process.env.NEXTAUTH_SECRET,
});
return typeof token?.accessToken === "string" ? token.accessToken : null;
}
6 changes: 4 additions & 2 deletions test/auth.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -162,15 +162,17 @@ describe('auth.ts NextAuth callbacks', () => {
});

describe('session callback', () => {
it('populates session.accessToken from token.jwt', async () => {
it('does NOT expose accessToken on the session object (security: token must stay server-side)', async () => {
const sessionCallback = authOptions.callbacks?.session;
if (!sessionCallback) return;

const session: Record<string, any> = {};
const token = { accessToken: 'jwt-token-xyz', githubId: '111', githubLogin: 'user1' } as any;
const result = await sessionCallback({ session, token, user: {} } as any);

expect((result as any).accessToken).toBe('jwt-token-xyz');
// session is exposed to client-side code via useSession()/getSession(),
// so the raw GitHub token must never be copied onto it.
expect((result as any).accessToken).toBeUndefined();
});

it('populates session.githubId from token.jwt', async () => {
Expand Down
Loading