Reputation: 130
I am a bit confused on the whole refresh token part of next auth.
I followed their documentation, but in the callback they add the refresh token to the session that is shared with the client side, so in the browser I can see that we have a session with a JSON object that contains the refresh token, and that is supposed to be insecure.
When using next auth the login is done on the server side; I use the credentials provider and log in to a Node.js backend. The Node.js backend creates 2 secure httpOnly cookies (refreshToken & accessToken).
Now, how am I supposed to handle those in the next auth callback so that I can check in the callback whether the access token is expired and automatically request a new access token server side, without saving the refresh token in the session shared with the client side?
Btw, all other API calls are done client side and Next protected routes are checked on the server side. So I do save the access token in the client session because I need it for API calls.
Upvotes: 0
Views: 744
Reputation: 89
We shouldn't store the refresh token in session storage. Instead, store it in an HTTP-only cookie so that it's not accessible via JavaScript. This enhances security. Also, ensure the access token is refreshed server-side using the refresh token when it expires, without exposing the refresh token to the client.
Upvotes: 0
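The pattern the question asks for and the answer recommends, written out as an added example (this is not code from the question, the answer, or the NextAuth project): NextAuth-style `jwt` and `session` callbacks where the refresh token lives only in the server-side JWT (which NextAuth encrypts and stores in an httpOnly cookie) and is never copied into the session object that reaches the browser. The `user` object is assumed to carry the tokens that the credentials provider's `authorize` function extracted from the backend login response, and `refreshFromBackend` is an assumed, injected function standing in for the call to the backend's refresh endpoint; both are assumptions, not part of NextAuth.

```javascript
// Added example: server-side token refresh without exposing the refresh token.
// Assumptions (not from the original post or NextAuth): `user` carries
// accessToken / accessTokenExpires / refreshToken from `authorize`, and
// `deps.refreshFromBackend(refreshToken)` calls the backend's refresh endpoint
// and resolves to { accessToken, accessTokenExpires, refreshToken? }.

const SKEW_MS = 60 * 1000; // refresh a minute early so requests never race the expiry

function isExpired(token, now = Date.now()) {
  // Treat a missing expiry as expired: safer than handing out a stale token.
  return typeof token.accessTokenExpires !== 'number' || now >= token.accessTokenExpires - SKEW_MS;
}

// Shape of the NextAuth `jwt` callback. The returned object is the server-side
// JWT: it is encrypted and stored in an httpOnly cookie, never read by page JS.
async function jwtCallback({ token, user }, deps) {
  const { refreshFromBackend, now = Date.now() } = deps;

  if (user) {
    // Initial sign-in: persist both tokens in the server-side JWT only.
    return {
      ...token,
      accessToken: user.accessToken,
      accessTokenExpires: user.accessTokenExpires,
      refreshToken: user.refreshToken,
    };
  }

  if (!isExpired(token, now)) return token; // still valid: nothing to do

  try {
    const refreshed = await refreshFromBackend(token.refreshToken);
    return {
      ...token,
      accessToken: refreshed.accessToken,
      accessTokenExpires: refreshed.accessTokenExpires,
      // Backends that rotate refresh tokens return a new one; otherwise keep the old.
      refreshToken: refreshed.refreshToken ?? token.refreshToken,
    };
  } catch (err) {
    // Refresh failed (revoked, backend down): drop the access token and flag the
    // error so the client can force a fresh sign-in. The refresh token is still
    // not exposed to the browser.
    return { ...token, accessToken: undefined, error: 'RefreshAccessTokenError' };
  }
}

// Shape of the NextAuth `session` callback. Whatever is returned here is what
// useSession() / getSession() hand to the browser, so only copy the access token
// and the error flag; the refresh token deliberately stays behind.
function sessionCallback({ session, token }) {
  return {
    ...session,
    accessToken: token.accessToken,
    error: token.error,
  };
}
```

Wired into the NextAuth config as `session: { strategy: 'jwt' }` with `callbacks: { jwt: (args) => jwtCallback(args, { refreshFromBackend }), session: sessionCallback }`, the refresh happens on the server each time the session is read, and the client session carries nothing but the short-lived access token. Treat `session.error === 'RefreshAccessTokenError'` on the client as a signal to call `signIn()` again.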