Ad-hoc “hard” refresh of JWT #3855

Closed
adamdottv opened this issue Feb 6, 2022 · 3 comments
Labels
enhancement New feature or request

Comments

@adamdottv

Description 📓

I’m using JWTs with a backing database (DynamoDB) and my serverless backend makes changes to the user records directly. In that scenario, I’d like to call GET /api/auth/session with a query parameter (/api/auth/session?latest=true?) and have the JWT callback receive the latest user record from the adapter.

How to reproduce ☕️

NA

Contributing 🙌🏽

Yes, I am willing to help implement this feature in a PR

@adamdottv adamdottv added the enhancement New feature or request label Feb 6, 2022
@adamdottv
Author

Related to #3648 but in my case I don’t need to call updateUser as the user has already been updated by an external process.

@adamdottv
Author

Thoughts on this, @balazsorban44? Would this be a welcome change? Anything I'm overlooking?

@balazsorban44
Member

balazsorban44 commented Feb 9, 2022

Haven't had the time to think about it yet 🙏.

What I would do is in the jwt callback, simply set a "lifetime" for the validity, and after that, just go and fetch the new user data. Very similar to refresh token rotation:
https://next-auth.js.org/tutorials/refresh-token-rotation

If you want to update the user data immediately, you could already achieve what you propose through https://next-auth.js.org/configuration/initialization#advanced-initialization

Just check when the request is going to /api/auth/session and have the ?latest query parameter, and make the call in the jwt callback then.

You might still want to rate-limit how often you want the user to be able to get the data maybe, not sure. Maybe it doesn't have a benefit, just thinking out loud.

I currently consider this an edge case, as OAuth refresh token rotation will cover most users' cases, which we would like to support built-in.

We don't really recommend rolling your own auth.

As such, I'll close this issue for now.
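The pattern balazsorban44 sketches above (a lifetime on the user-derived claims inside the jwt callback, plus an immediate re-read when the request is GET /api/auth/session?latest=true, detected from the advanced-initialization handler), written out as an added example. This is not code from the issue, from either participant, or from next-auth itself. It assumes next-auth v4's `callbacks.jwt({ token, user })` shape and the `NextAuth(req, res, options)` advanced form; `refreshUserClaims`, `wantsLatest`, `claimsFromUser`, the two timing constants and the in-memory `demoUsers` table are hypothetical names constructed for this example.

```javascript
// Added example (not next-auth's code and not code from the issue thread):
// re-read the user record from the adapter inside the jwt callback, either
// after a lifetime has elapsed or on demand for /api/auth/session?latest=true.

// Assumed tunables: how long user claims in the JWT stay valid before being
// re-read, and the minimum gap between forced (?latest=true) re-reads, which
// is the crude rate limit balazsorban44 mentions.
const USER_REFRESH_TTL_MS = 5 * 60 * 1000;
const MIN_FORCED_REFRESH_GAP_MS = 10 * 1000;

// Copy only the claims the app actually needs into the token. The JWT is a
// bearer credential, so never spread the whole database record into it.
function claimsFromUser(user) {
  return { name: user.name, email: user.email, role: user.role };
}

// Core of the jwt callback. `token` is next-auth's current JWT payload;
// `user` is only present on the sign-in call; `fetchUser(id)` is the adapter
// read (e.g. adapter.getUser); `force` is true when the request asked for
// the latest record; `now` is injectable so the lifetime logic can be tested.
async function refreshUserClaims(token, { user, force = false, fetchUser, now = Date.now() }) {
  if (user) {
    // Sign-in: seed the token from the freshly loaded user record.
    return { ...token, sub: user.id, ...claimsFromUser(user), refreshedAt: now };
  }

  const age = now - (token.refreshedAt ?? 0);
  const stale = age >= USER_REFRESH_TTL_MS;
  const forcedAllowed = force && age >= MIN_FORCED_REFRESH_GAP_MS;
  if (!stale && !forcedAllowed) {
    return token; // within lifetime and not (permitted to be) forced: no DB read
  }

  const fresh = await fetchUser(token.sub);
  if (!fresh) {
    // Record removed by the external process: keep the token but flag it so the
    // session callback can surface the error and the client can sign out
    // (same idea as the `error` flag in the refresh-token-rotation tutorial).
    return { ...token, error: "UserNotFound", refreshedAt: now };
  }
  const { error, ...rest } = token; // clear any earlier error flag
  return { ...rest, ...claimsFromUser(fresh), refreshedAt: now };
}

// True when the incoming request is GET /api/auth/session?latest=true.
// Next.js API routes hand over a relative req.url, hence the dummy base.
function wantsLatest(req) {
  const url = new URL(req.url, "http://localhost");
  return (
    (req.method ?? "GET") === "GET" &&
    url.pathname === "/api/auth/session" &&
    url.searchParams.get("latest") === "true"
  );
}

// Wiring into next-auth's advanced initialization (assumed v4 shape, not run here):
//
//   export default async function auth(req, res) {
//     return NextAuth(req, res, {
//       adapter,
//       session: { strategy: "jwt" },
//       callbacks: {
//         jwt: ({ token, user }) =>
//           refreshUserClaims(token, {
//             user,
//             force: wantsLatest(req),
//             fetchUser: (id) => adapter.getUser(id),
//           }),
//         session: ({ session, token }) => {
//           session.user.role = token.role;
//           session.error = token.error; // client signs out when set
//           return session;
//         },
//       },
//     });
//   }

// Constructed stand-in for the adapter: an in-memory user table.
const demoUsers = new Map([
  ["u1", { id: "u1", name: "Ada", email: "ada@example.com", role: "user" }],
]);
const demoFetchUser = async (id) => demoUsers.get(id) ?? null;
```

Two points worth keeping in mind when adopting this: `?latest=true` lets any holder of a valid session trigger an adapter read on demand, so the minimum gap (or a real rate limiter) is what keeps that from becoming a cheap way to hammer DynamoDB; and the fields copied by `claimsFromUser` are the only ones that will be stale between refreshes, so keep that set small and authorization-relevant (role, status) rather than mirroring the whole record.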
