User object passed into session callback is undefined with successful login.

[tylerpashigian]

I am using NextAuth and CredentialsProvider to login and want to extend the user/session to add a custom field. I overrode my User and Session interfaces. When logging in I am returning a user with the updated model in my authorize() func. My user object in the jwt() callback is valid when I log it, but then seems to immediately run again and undefined is logged. By the time the session() callback is called, the user object is undefined there (I assume because it somehow got set to undefined in the jwt() callback).

I came to the same conclusion as this post, but it feels like this is incorrect. Why do we have to append the user to the token in the jwt() callback when the user is passed into the session() callback? I will attach my code/logs below to see if this helps debug.

Models

declare module "next-auth" {
  interface Session extends DefaultSession {
    user: DefaultSession["user"] & {
      id: string;
      // ...other properties
      username?: string;
      // role: UserRole;
    };
  }

  interface User extends DefaultUser {
    username?: string;
    // ...other properties
    // role: UserRole;
  }
}

Callbacks

callbacks: {
    session({ session, token, user }) {
      console.log("User in session: ", user);
      return {
        ...session,
        user: {
          ...session.user,
          id: token.sub,
          username: user.username,
        },
      };
    },
    jwt({ token, user }) {
      console.log("User in JWT: ", user);
      return { ...token, user };
    },
  },

Logs

User in JWT:  {
  id: 'clqd9un7t0004q9xh76tmqd4e',
  email: null,
  image: null,
  username: 'newuser'
}
User in JWT:  undefined
User in session:  undefined

[jiappo]

same problem for me

[tylerpashigian]

I made a workaround similar to the message from Daniel below: https://github.com/tylerpashigian/t3-recipe-book/blob/main/src/server/auth.ts.

Also here is a thread about this in discord if you want more context on my solution: https://discordapp.com/channels/966627436387266600/1187023223452348507

[Coding-Hashira]

Have you resolved it?

[tylerpashigian]

I made a workaround similar to the message from Daniel below: https://github.com/tylerpashigian/t3-recipe-book/blob/main/src/server/auth.ts.

Also here is a thread about this in discord if you want more context on my solution: https://discordapp.com/channels/966627436387266600/1187023223452348507

[danielzeljko]

Friends -- we seem to have a huge misunderstanding with how the user parameter works within the jwt callback:

The arguments user, account, profile and isNewUser are only passed the first time this callback is called on a new session, after the user signs in. In subsequent calls, only token will be available.
https://next-auth.js.org/configuration/callbacks#jwt-callback

In other words, the user parameter will only have a value (the response from the authorize callback) on initial sign-in. It will then have a value of undefined on subsequent calls. For example, if you try to get the session object via useSession(), getServerSession(), etc.

To persist user data, you want to add the user data to the token on initial sign-in only:

        // https://next-auth.js.org/configuration/callbacks#jwt-callback
        async jwt({ token, user: data, account, profile }) {
            if (account && account.provider !== 'credentials') {
                throw new Error('Unsupported Provider');
            }

            const isInitialSignIn = account && data;
            if (isInitialSignIn) {
                const { user, access, refresh } = data;
                token.accessToken = access;
                token.accessTokenExpires =
                    getUnixExpirationTimeFromToken(access);
                token.refreshToken = refresh;
                token.refreshTokenExpires =
                    getUnixExpirationTimeFromToken(refresh);
                token.user = user;
                return token;
            }
            // ... refresh token login below
       }

The token will then get sent to the session callback and you'd need to assign properties to the session object that you want to keep:

        // https://next-auth.js.org/configuration/callbacks#session-callback
        async session({ session, user, token }) {
            // TODO: Do we need to reject the session here if the tokens are expired?
            if (token?.user && token?.accessToken) {
                session.user = token.user;
                session.accessToken = token.accessToken;
            }

            return session;
        },

If anyone has any feedback on my todo, I'd love to hear your two cents!

[tylerpashigian]

It just feels strange to expose the user in the session() callback if you can't truly access the user outside of the initial sign in. I made a workaround similar to your comment above. It seems like I am not the only one confused by this, though.

[nipun-threestops]

you saved my life mate!!

[alexnsorensen]

@danielzeljko you are a legend!
The only difference is that in my code, the token is the user?
so I had to do this:

jwt({ token, user, account }) {
	const isInitialSignIn = account && user;

	if (isInitialSignIn) {
		token.permissions = user.permissions;
		return token;
	}

	return token;
},

Is this the correct way? Because it seems to work.

[tylerpashigian]

The token and the user should be different are separate in the jwt() callback. You append the user (or specific user fields - permissions in your case) to the token so it can be accessed in the session() callback. This looks similar to what I did in the example above as well.

[BartoszKlonowski]

Thank you, @danielzeljko! 💪
This should be the default behavior, without the need to override the callbacks implementation, and if that's the way it should be then, as a crucial thing for all to work, it should be highlighted in the docs way better.

[MhL5]

for me it only works after changing the strategy to "jwt"
version: "next-auth": "^5.0.0-beta.19"

 session: {
    strategy: "jwt",
  }

[DePasqualeOrg]

The type of user in the callbacks should be changed from User | AdapterUser to User | AdapterUser | undefined to reflect this. This resulted in errors that were difficult to fix in my SvelteKit app using Auth.js.