fix(core): filter unnecessary param before passing to session callback

packages/core/src/adapters.ts

@@ -215,6 +215,7 @@ export interface AdapterSession {
    * A randomly generated value that is used to look up the session in the database
    * when using `"database"` `AuthConfig.strategy` option.
    * This value is saved in a secure, HTTP-Only cookie on the client.
+   * @internal
    */
   sessionToken: string
   /** Connects the active session to a user in the database */

packages/core/src/index.ts

@@ -400,15 +400,21 @@ export interface AuthConfig {
      * ```
      */
     session?: (
-      params: ({
-        session: { user: AdapterUser } & AdapterSession
-        /** Available when {@link AuthConfig.session} is set to `strategy: "database"`. */
-        user: AdapterUser
-      } & {
-        session: Session
-        /** Available when {@link AuthConfig.session} is set to `strategy: "jwt"` */
-        token: JWT
-      }) & {
+      params: (
+        | {
+            session: { user: AdapterUser } & Omit<
+              AdapterSession,
+              "sessionToken"
+            >
+            /** Available when {@link AuthConfig.session} is set to `strategy: "database"`. */
+            user: AdapterUser
+          }
+        | {
+            session: Session
+            /** Available when {@link AuthConfig.session} is set to `strategy: "jwt"` */
+            token: JWT
+          }
+      ) & {
         /**
          * Available when using {@link AuthConfig.session} `strategy: "database"` and an update is triggered for the session.
          *

packages/core/src/lib/actions/session.ts

@@ -100,7 +100,9 @@ export async function session(
     }
 
     if (userAndSession) {
-      const { user, session } = userAndSession
+      const { user, session: _session } = userAndSession
+      // We never really need to pass this to the user, so filtered off of the session object
+      const { sessionToken: _, ...session } = _session
 
       const sessionUpdateAge = options.session.updateAge
       // Calculate last updated date to throttle write updates to database
@@ -125,7 +127,6 @@ export async function session(
       const sessionPayload = await callbacks.session({
         // TODO: user already passed below,
         // remove from session object in https://github.com/nextauthjs/next-auth/pull/9702
-        // @ts-expect-error
         session: { ...session, user },
         user,
         newSession,

packages/core/src/lib/init.ts

@@ -42,7 +42,10 @@ export const defaultCallbacks: InternalOptions["callbacks"] = {
         email: session.user?.email,
         image: session.user?.image,
       },
-      expires: session.expires?.toISOString?.() ?? session.expires,
+      expires:
+        typeof session.expires === "string"
+          ? session.expires
+          : session.expires.toISOString(),
     }
   },
   jwt({ token }) {