nextauthjs · balazsorban44 · Jan 16, 2022 · Jan 16, 2022 · Jan 16, 2022 · Jan 17, 2022
@@ -225,6 +225,19 @@ export async function NextAuthHandler<
           }
         }
         return {}
+      case "session":
+        // Verified CSRF Token required for session updates
+        if (options.csrfTokenVerified) {
+          const session = await routes.session({
+            method: "POST",
+            user: req.body?.user,
+            options,
+            sessionStore,
+          })
+          if (session.cookies) cookies.push(...session.cookies)
+          return { ...session, cookies } as any
+        }
+        return { cookies, status: 401 }
       default:
     }
   }

@@ -3,10 +3,12 @@ import { fromDate } from "../lib/utils"
 import type { Adapter } from "../../adapters"
 import type { InternalOptions } from "../../lib/types"
 import type { OutgoingResponse } from ".."
-import type { Session } from "../.."
+import type { Session, User } from "../.."
 import type { SessionStore } from "../lib/cookie"
 
-interface SessionParams {
+interface SessionParams<M extends "POST" | undefined> {
+  method?: M
+  user?: M extends "POST" ? Partial<User> : never
   options: InternalOptions
   sessionStore: SessionStore
 }
@@ -16,8 +18,8 @@ interface SessionParams {
  * for Single Page App clients
  */
 
-export default async function session(
-  params: SessionParams
+export default async function session<M extends "POST" | undefined = undefined>(
+  params: SessionParams<M>
 ): Promise<OutgoingResponse<Session | {}>> {
   const { options, sessionStore } = params
   const {
@@ -83,14 +85,15 @@ export default async function session(
 
       await events.session?.({ session: newSession, token })
     } catch (error) {
-      // If JWT not verifiable, make sure the cookie for it is removed and return empty object
+      // If JWT not verifiable, make sure the cookie for it is removed and return
+      // empty object
       logger.error("JWT_SESSION_ERROR", error as Error)
 
       response.cookies?.push(...sessionStore.clean())
     }
   } else {
     try {
-      const { getSessionAndUser, deleteSession, updateSession } =
+      const { getSessionAndUser, deleteSession, updateSession, updateUser } =
         adapter as Adapter
       let userAndSession = await getSessionAndUser(sessionToken)
 
@@ -104,7 +107,7 @@ export default async function session(
       }
 
       if (userAndSession) {
-        const { user, session } = userAndSession
+        let { user, session } = userAndSession
 
         const sessionUpdateAge = options.session.updateAge
         // Calculate last updated date to throttle write updates to database
@@ -115,6 +118,19 @@ export default async function session(
           sessionMaxAge * 1000 +
           sessionUpdateAge * 1000
 
+        if (params.method === "POST" && params.user) {
+          // TODO: support e-mail change.
+          // This needs work, as all accounts need to be updated,
+          // user has to receive a confirmation e-mail
+          if (params.user.email) {
+            delete params.user.email
+            logger.warn("EMAIL_UPDATE_UNSUPPORTED")
+          }
+
+          const newUser = { ...params.user, id: user.id }
+          user = await updateUser(newUser)
+        }
+
         const newExpires = fromDate(sessionMaxAge)
         // Trigger update of session expiry date and write to database, only
         // if the session was last updated more than {sessionUpdateAge} ago
@@ -125,7 +141,8 @@ export default async function session(
         // Pass Session through to the session callback
         // @ts-expect-error
         const sessionPayload = await callbacks.session({
-          // By default, only exposes a limited subset of information to the client
+          // By default, only exposes a limited subset of information to the
+          // client
           // as needed for presentation purposes (e.g. "you are logged in as...").
           session: {
             user: {

@@ -19,7 +19,10 @@ function hasErrorProperty(
   return !!(x as any)?.error
 }
 
-export type WarningCode = "NEXTAUTH_URL" | "NO_SECRET"
+export type WarningCode =
+  | "NEXTAUTH_URL"
+  | "NO_SECRET"
+  | "EMAIL_UPDATE_UNSUPPORTED"
 
 /**
  * Override any of the methods, and the rest will use the default logger.

@@ -9,9 +9,11 @@
 // We use HTTP POST requests with CSRF Tokens to protect against CSRF attacks.
 
 import * as React from "react"
+import { flushSync } from "react-dom"
+
 import _logger, { proxyLogger } from "../lib/logger"
 import parseUrl from "../lib/parse-url"
-import { Session } from ".."
+import type { Session, User } from ".."
 import {
   BroadcastChannel,
   CtxOrReq,
@@ -66,13 +68,19 @@ const broadcast = BroadcastChannel()
 
 const logger = proxyLogger(_logger, __NEXTAUTH.basePath)
 
+type UpdateUser = (user: Partial<User>) => Session["user"]
+
 export type SessionContextValue<R extends boolean = false> = R extends true
   ?
-      | { data: Session; status: "authenticated" }
-      | { data: null; status: "loading" }
+      | { updateUser?: UpdateUser; data: Session; status: "authenticated" }
+      | { updateUser?: UpdateUser; data: null; status: "loading" }
   :
-      | { data: Session; status: "authenticated" }
-      | { data: null; status: "unauthenticated" | "loading" }
+      | { updateUser?: UpdateUser; data: Session; status: "authenticated" }
+      | {
+          updateUser?: UpdateUser
+          data: null
+          status: "unauthenticated" | "loading"
+        }
 
 const SessionContext = React.createContext<SessionContextValue | undefined>(
   undefined
@@ -308,7 +316,7 @@ export function SessionProvider(props: SessionProviderProps) {
   /** If session was passed, initialize as already synced */
   __NEXTAUTH._lastSync = hasInitialSession ? now() : 0
 
-  const [session, setSession] = React.useState(() => {
+  const [data, setData] = React.useState(() => {
     if (hasInitialSession) __NEXTAUTH._session = props.session
     return props.session
   })
@@ -327,7 +335,7 @@ export function SessionProvider(props: SessionProviderProps) {
           __NEXTAUTH._session = await getSession({
             broadcast: !storageEvent,
           })
-          setSession(__NEXTAUTH._session)
+          setData(__NEXTAUTH._session)
           return
         }
 
@@ -350,7 +358,7 @@ export function SessionProvider(props: SessionProviderProps) {
         // An event or session staleness occurred, update the client session.
         __NEXTAUTH._lastSync = now()
         __NEXTAUTH._session = await getSession()
-        setSession(__NEXTAUTH._session)
+        setData(__NEXTAUTH._session)
       } catch (error) {
         logger.error("CLIENT_SESSION_ERROR", error as Error)
       } finally {
@@ -403,17 +411,56 @@ export function SessionProvider(props: SessionProviderProps) {
     }
   }, [props.refetchInterval])
 
-  const value: any = React.useMemo(
-    () => ({
-      data: session,
-      status: loading
-        ? "loading"
-        : session
-        ? "authenticated"
-        : "unauthenticated",
-    }),
-    [session, loading]
-  )
+  const value: any = React.useMemo(() => {
+    let status
+
+    if (loading) {
+      if (data) status = "updating"
+      else status = "loading"
+    } else {
+      if (data) status = "authenticated"
+      else status = "unauthenticated"
+    }
+
+    return {
+      status,
+      data,
+      async updateUser(user: Partial<User>) {
+        if (!data) return data
+
+        // REVIEW:
+        if (!data.user) throw new TypeError("Session must have a `user` object")
+
+        try {
+          setLoading(true)
+          const csrfToken = await getCsrfToken()
+          const res = await fetch("/api/auth/session", {
+            method: "POST",
+            headers: {
+              "Content-Type": "application/json",
+            },
+            body: JSON.stringify({ user, csrfToken }),
+          })
+          if (res.ok) {
+            const newSession = await res.json()
+
+            const update = () => {
+              setData(newSession)
+              setLoading(false)
+            }
+
+            const [reactMajorVersion] = React.version.split(".")
+            // https://github.com/reactwg/react-18/discussions/21
+            if (reactMajorVersion >= "18") update()
+            else flushSync(update)
+          }
+        } catch (error) {
+          logger.error("CLIENT_UPDATE_USER_ERROR", error as Error)
+          setLoading(false)
+        }
+      },
+    }
+  }, [data, loading])
 
   return (
     <SessionContext.Provider value={value}>{children}</SessionContext.Provider>