Extending the Session
Auth.js libraries only expose a subset of the user’s information by default in a session to not accidentally expose sensitive user information.
This is name
, email
, and image
.
All callbacks are async functions, so you can also get extra information from a database or external APIs.
A common use case is to add the user’s id to the session. Below it is shown how to do this based on the session strategy you are using.
With JWT
To have access to the user id, add the following to your Auth.js configuration:
// By default, the `id` property does not exist on `token` or `session`. See the [TypeScript](https://authjs.dev/getting-started/typescript) on how to add it.
callbacks: {
jwt({ token, user }) {
if (user) { // User is available during sign-in
token.id = user.id
}
return token
},
session({ session, token }) {
session.user.id = token.id
return session
},
},
}
During sign-in, the jwt
callback exposes the user’s profile information coming from the provider.
You can leverage this to add the user’s id to the JWT token. Then, on subsequent calls of this API will have access to the user’s id via token.id
.
Then, to expose the user’s id in the actual session, you can access token.id
in the session
callback and save it on session.user.id
.
Calls to auth()
or useSession()
will now have access to the user’s id.
With Database
If you are using a database session strategy, you can add the user’s id to the session by modifying the session
callback:
// By default, the `id` property does not exist on `session`. See the [TypeScript](https://authjs.dev/getting-started/typescript) on how to add it.
callbacks: {
session({ session, user }) {
session.user.id = user.id
return session
},
}
}
This will add the user’s id to the session object. Notice that in this case, we are getting the id from the user
object, not the token
.
With the database session strategy, the user
object is the user from the database, and there is no token
.
Calls to auth()
or useSession()
will now have access to the user’s id.
The session object is not persisted server-side, even when using database
sessions - only data such as the session token (id), the user, and the expiry
time is stored in the session table. If you need to persist session data
server-side, you must save it elsewhere. You can connect to the database in
the session()
callback to retrieve this information.
With provider functions
We can extend the default session data in a few ways, one of which is by using the authorize
and profile
functions. These functions let us return a user object with the properties we need. We can then create logic based on this information to search in a database or an external API.
import Github from "next-auth/providers/github"
import Credentials from "next-auth/providers/credentials"
import type { Provider } from "next-auth/providers"
const providers: Provider[] = [
Google({
clientId: process.env.AUTH_GOOGLE_ID,
clientSecret: process.env.AUTH_GOOGLE_SECRET,
async profile(profile) {
return { ...profile }
},
}),
Credentials({
async authorize(credentials) {
return { ...credentials }
},
}),
]