Modifications to session after login are overwritten over time #416
Comments
Hi @matthewdavidson, thanks for raising this. I'm afraid modifying the session is not supported when using refresh tokens - see #323 (comment)
If there is an explicit API available to modify the session (e.g. Given that session construction happens in multiple places (i.e. not limited to the callback handler) then perhaps the consumer API to modify sessions (
Hi @matthewdavidson - thanks for raising this
When you refresh the Access Token, you get a new ID Token. This is why deleting We could have a hook that runs whenever the session is updated, but it would have to be different to For this specific case, deleting the ID Token from the session, you'll need to remove the idToken from the session after calling

```javascript
import { getAccessToken, getSession } from '@auth0/nextjs-auth0';

// Strip the ID Token from the session object every time it is (re)written
const onSessionUpdated = (session) => {
  delete session.idToken;
};

// Runs once, at login, via handleCallback({ afterCallback })
const afterCallback = (req, res, session, state) => {
  onSessionUpdated(session);
  return session;
};

// Wrap getAccessToken so the same cleanup runs after a token refresh,
// which rebuilds the session (including idToken) from the new token set
const myGetAccessToken = async (req, res) => {
  const accessToken = await getAccessToken(req, res);
  onSessionUpdated(getSession(req, res));
  return accessToken;
};
```
The update to the cookie size FAQ still seems wrong.

```javascript
// afterCallback as shown in the cookie size FAQ
const afterCallback = (req, res, session, state) => {
  delete session.user.unusedClaim; // This gets persisted by the SDK
  return session;
};
```

The user data change doesn't get persisted either. At least not in the long run. Looking at the getAccessToken logic, it looks like the entire user part of the session is being updated on refresh.

```javascript
// Merge step quoted from the SDK's getAccessToken refresh path
Object.assign(session, {
  ...newSession,
  refreshToken: newSession.refreshToken || session.refreshToken,
  user: { ...session.user, ...newSession.user }
});
```
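To make the behaviour discussed in the two comments above concrete, here is an added example that is not code from the nextjs-auth0 SDK or from anyone in this thread. `applyRefresh` reproduces only the `Object.assign` merge quoted from getAccessToken; the token sets, claim names (`unusedClaim`) and the way a session is rebuilt from a token set are constructed for the example. It shows that a deletion made in `afterCallback` alone is undone by the first refresh, and that re-running the same cleanup after the refresh keeps the fields out.

```javascript
// Added example (not SDK code): model of why afterCallback edits are lost on refresh.

// Constructed stand-in for how the SDK builds a session from a token set:
// idToken/accessToken/refreshToken are copied and `user` is rebuilt from
// the ID Token claims, so every refresh produces a fresh `user` object.
function sessionFromTokenSet(tokenSet) {
  return {
    idToken: tokenSet.idToken,
    accessToken: tokenSet.accessToken,
    refreshToken: tokenSet.refreshToken,
    user: { ...tokenSet.claims },
  };
}

// The merge quoted above from getAccessToken. Spreading newSession replaces
// idToken/accessToken, and the shallow merge of `user` re-adds any claim
// that was deleted from session.user earlier.
function applyRefresh(session, newSession) {
  return Object.assign(session, {
    ...newSession,
    refreshToken: newSession.refreshToken || session.refreshToken,
    user: { ...session.user, ...newSession.user },
  });
}

// The consumer's cleanup from the thread: drop data it does not want in the cookie.
function onSessionUpdated(session) {
  delete session.idToken;
  if (session.user) delete session.user.unusedClaim;
  return session;
}

// Constructed token sets standing in for the login and refresh responses.
// The refresh response carries no new refresh token (no rotation), which is
// what the `newSession.refreshToken || session.refreshToken` line handles.
const loginTokens = {
  idToken: 'id.login', accessToken: 'at.login', refreshToken: 'rt.1',
  claims: { sub: 'auth0|123', name: 'Alice', unusedClaim: 'bulky-value' },
};
const refreshTokens = {
  idToken: 'id.refresh', accessToken: 'at.refresh', refreshToken: undefined,
  claims: { sub: 'auth0|123', name: 'Alice', unusedClaim: 'bulky-value' },
};

// Scenario 1: cleanup only in afterCallback. After the refresh merge the
// idToken and unusedClaim are back in the session.
function withoutHookAfterRefresh() {
  const session = onSessionUpdated(sessionFromTokenSet(loginTokens)); // afterCallback
  return applyRefresh(session, sessionFromTokenSet(refreshTokens));   // later refresh
}

// Scenario 2: run the same cleanup again after every refresh (the workaround
// suggested above), so the stripped fields stay gone while the new access
// token is kept.
function withHookAfterRefresh() {
  const session = onSessionUpdated(sessionFromTokenSet(loginTokens));
  return onSessionUpdated(applyRefresh(session, sessionFromTokenSet(refreshTokens)));
}

console.log('afterCallback only :', JSON.stringify(withoutHookAfterRefresh()));
console.log('hook after refresh :', JSON.stringify(withHookAfterRefresh()));
```

The first line printed still contains `idToken` and `user.unusedClaim`; the second contains neither, but does carry the refreshed `accessToken` and the original `refreshToken`. Whatever strips data from the session therefore has to run wherever the SDK rewrites it, not only in `afterCallback`.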
Has this changed in 2022, or is it still like that?
Hi @RobSchilderr - the quote you've shared is a little far-ranging out of context. But yes, the following is still correct:
If you want to remove the ID Token from the session, you'd need to do it after refreshing the token set - using the example provided in #416 (comment)
Describe the problem
Modifications to session after login are overwritten over time
What was the expected behavior?
If code exists to modify the session after login like so (following the example in the docs):
Then those modifications should persist indefinitely, irrespective of the session being updated at a later point in time. I'm not exactly sure what is causing the session cookie contents to be updated, it could be either:
- `rolling: true` in session config
- `offline_access` has been added to the scope param to benefit from refresh tokens

Either way, the code written in `afterCallback` obviously has no bearing on the code that updates the session after the fact.
Reproduction
Environment