
JWT maxAge is not working

Open ronalddas opened this issue 3 years ago • 2 comments

Description 🐜

When using the maxAge option for JWT (refer: https://next-auth.js.org/configuration/options#json-web-token-options), the exp value of the next-auth.session-token is not reflected properly. I am also having custom callbacks for jwt and session, but I don't think it should affect the JWT expiry.

My custom callbacks

callbacks: {
    async jwt({ token, user, account, isNewUser }) {
        // `user` is only present on the initial sign-in call
        if (user) {
            // token = { ...user }
            token = { status: user.status };
        }
        return token;
    },
    // Expose the token's status on the session object
    async session({ session, token }) { // this token is the one returned above by jwt()
        session.tokenStatus = token.status;
        // if you want to add user details info:
        // session.user = { name: "name", email: "email" }; // this user info is obtained via an API call or by decoding the token; anything you want can be added
        return session;
    },
},

It still uses the maxAge from the session option (refer: https://next-auth.js.org/configuration/options#session). Ideally it should use jwt.maxAge instead of session.maxAge.

Is this a bug in your own project?

No

How to reproduce ☕️

Add this to your NextAuth options (pages/api/auth/[...nextauth].js)

jwt: {
    maxAge: 120,
    secret: 'secret2'
},
session: {
    strategy: 'jwt',
    // maxAge: 60,
}

You can view the decrypted and decoded JWE token by creating a new route that uses getToken (refer: https://next-auth.js.org/v3/tutorials/securing-pages-and-api-routes#using-gettoken). Example file: my-nextjs-project/pages/api/getTokenDetails.ts

import { getToken } from 'next-auth/jwt';

// Must match jwt.secret in the NextAuth options so the JWE can be decrypted
const secret = 'secret2';

export default async (req, res) => {
    // Decrypts and decodes the next-auth.session-token cookie from the request
    const token = await getToken({ req, secret });

    console.log(token);
    res.status(200).json({ ...token });
};

Screenshots / Logs 📽

The API response, which contains the exp of the JWT:

{
  status: 'success',
  iat: 1641311170,
  exp: 1643903170,
  jti: '65698cae-75e8-4831-a121-b2f0d02d4b8f'
}

Also attached screenshot: Screenshot from 2022-01-04 21-16-18

Environment 🖥

  System:
    OS: Linux 5.11 Ubuntu 20.04.3 LTS (Focal Fossa)
    CPU: (4) x64 Intel(R) Core(TM) i7-7560U CPU @ 2.40GHz
    Memory: 2.64 GB / 15.36 GB
    Container: Yes
    Shell: 5.0.17 - /bin/bash
  Binaries:
    Node: 14.17.4 - ~/.nvm/versions/node/v14.17.4/bin/node
    Yarn: 1.22.17 - ~/.nvm/versions/node/v14.17.4/bin/yarn
    npm: 8.3.0 - ~/.nvm/versions/node/v14.17.4/bin/npm
  Browsers:
    Brave Browser: 96.1.33.106
    Chrome: 96.0.4664.110
    Firefox: 95.0.1

Contributing 🙌🏽

Yes, I am willing to help solve this bug in a PR

ronalddas avatar Jan 04 '22 15:01 ronalddas
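The quickest way to confirm the behaviour the issue describes is to compare the token's actual lifetime (exp minus iat) with the lifetime you configured. The following script is an added example, not code from the issue or from next-auth: it takes the decoded payload shape that getToken() returns (iat and exp in epoch seconds, as in the API response above), computes the lifetime, and reports whether it matches the configured jwt.maxAge or instead matches next-auth's default session.maxAge of 30 days. The sample payload is copied from the issue's response; the helper names (tokenLifetime, checkLifetime, isExpired) and the expected-value constants are this example's own assumptions.

```javascript
// Added example (not from the issue or the next-auth project): check a decoded
// next-auth JWT's lifetime against the lifetime the deployment configured.

// Sample payload taken from the issue's API response (jti shortened here).
const SAMPLE_TOKEN = {
  status: 'success',
  iat: 1641311170,
  exp: 1643903170,
  jti: '65698cae-75e8-4831-a121-b2f0d02d4b8f',
};

// jwt.maxAge from the issue's reproduction config (assumed to be the intent).
const CONFIGURED_JWT_MAX_AGE = 120;

// next-auth's documented default for session.maxAge: 30 days, in seconds.
const DEFAULT_SESSION_MAX_AGE = 30 * 24 * 60 * 60; // 2592000

// Lifetime in seconds as encoded in the token itself.
function tokenLifetime(token) {
  if (!Number.isInteger(token.iat) || !Number.isInteger(token.exp)) {
    throw new TypeError('token must carry integer iat and exp claims (epoch seconds)');
  }
  if (token.exp < token.iat) {
    throw new RangeError('exp precedes iat; token is malformed');
  }
  return token.exp - token.iat;
}

// Compare the encoded lifetime with what the operator expected.
function checkLifetime(token, expectedMaxAge) {
  const lifetimeSeconds = tokenLifetime(token);
  return {
    lifetimeSeconds,
    lifetimeDays: lifetimeSeconds / 86400,
    matchesExpected: lifetimeSeconds === expectedMaxAge,
    matchesDefaultSessionMaxAge: lifetimeSeconds === DEFAULT_SESSION_MAX_AGE,
  };
}

// Expiry check using a caller-supplied clock so it is testable offline.
function isExpired(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  return nowSeconds >= token.exp;
}

// Stand-alone run: prints the verdict for the issue's sample token.
const verdict = checkLifetime(SAMPLE_TOKEN, CONFIGURED_JWT_MAX_AGE);
console.log(verdict);
if (!verdict.matchesExpected && verdict.matchesDefaultSessionMaxAge) {
  console.log('Token lifetime equals the default session.maxAge, not the configured jwt.maxAge.');
}
```

For the payload in the issue the lifetime comes out to 2592000 seconds, exactly 30 days, which is the default session.maxAge rather than the 120 seconds set under jwt.maxAge. From a defender's view that is the point of the report: the window during which a stolen session cookie stays valid is the 30-day default, not the two minutes the operator believed they had configured, so any lifetime assumption in your token-handling review should be checked against exp minus iat on a real token rather than against the config file.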

Might sound silly but any changes to JWT might require restarting the server so maybe you'll have to run the yarn bundle again to see the changes

vashisth00 avatar Jan 04 '22 20:01 vashisth00

This is affecting us at work. Never contributed to open source before, so not sure if this is obvious: is there a way I can tell nobody has started working on this before I start giving it a go?

roberte777 avatar Jul 11 '22 02:07 roberte777

I believe this was fixed in https://github.com/nextauthjs/next-auth/pull/6829

ThangHuuVu avatar Mar 25 '23 09:03 ThangHuuVu