Description
Environment
- Operating System: Linux
- Node Version: v20.19.1
- Nuxt Version: 3.17.5
- CLI Version: 3.25.1
- Nitro Version: 2.11.12
- Package Manager: [email protected]
- Builder: -
- User Config: compatibilityDate, devtools, modules, auth
- Runtime Modules: @sidebase/[email protected]
- Build Modules: -
Reproduction
I have managed to reproduce the issue in a pretty minimal StackBlitz. As it requires having authenticated and StackBlitz is a bit finicky with the baseURL, you may need to change that value to your web container. Most possibly my lack of experience with StackBlitz.
Describe the bug
If you call to getServerSession and getToken in a server-side function, any modifications made to the token by the session call (which includes the jwt and session callbacks) will not be updated. The token received will always be the original one from the client request.
Additional context
The issue is caused by the resolution of issue #523, which consisted of using a virtual request for getServerSession to avoid mutations to the original request. Even though I agree that limiting modifications to the request is a must-have, doing it this way causes an issue with the token.
Because the AuthHandler expects the call to session to be made directly by the client, it will send updates to the token via Set-Cookie. Because we are using a virtual request, this update to the token is totally lost. This means that, if you use getToken inside a Server function after a getServerSession call, the token may have changes that you cannot recover and getToken will return an outdated token.
I don't really have that much experience with TS so I'm not really sure if I should try to submit a PR. Open to suggestions though!
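
The behaviour reported above, as an added example that is not part of the original issue or the module's code: a simplified model in which the session action publishes the updated token only through Set-Cookie on the response it was handed. The function names, the cookie name and the plain-JSON token are assumptions made for illustration.

```javascript
// Simplified model, constructed for illustration. Not @sidebase/nuxt-auth source:
// tokens are plain JSON (real ones are encrypted JWTs) and all names are hypothetical.
const COOKIE = 'session-token';

const encode = (token) => `${COOKIE}=${encodeURIComponent(JSON.stringify(token))}`;
const decode = (header = '') => {
  const pair = header.split('; ').find((p) => p.startsWith(`${COOKIE}=`));
  return pair ? JSON.parse(decodeURIComponent(pair.slice(COOKIE.length + 1))) : null;
};

// Stand-in for the auth handler's session action: runs the jwt callback and
// publishes the updated token only as Set-Cookie on the response it was handed.
function sessionAction(event, jwtCallback) {
  const updated = jwtCallback(decode(event.req.headers.cookie));
  event.res.headers['set-cookie'] = encode(updated);
  return { user: updated.sub };
}

// Stand-in for getServerSession after the #523 change: works on a virtual event.
// The virtual event is returned here only so the lost header can be inspected.
function getServerSessionModel(event, jwtCallback) {
  const virtual = { req: { headers: { ...event.req.headers } }, res: { headers: {} } };
  const session = sessionAction(virtual, jwtCallback);
  return { session, virtual };
}

// Stand-in for getToken: reads the cookie from the original request.
const getTokenModel = (event) => decode(event.req.headers.cookie);

function demo() {
  // Constructed incoming request carrying a token whose access token needs rotating.
  const event = {
    req: { headers: { cookie: encode({ sub: 'alice', accessToken: 'at-1' }) } },
    res: { headers: {} },
  };
  const rotate = (t) => ({ ...t, accessToken: 'at-2' }); // constructed jwt callback
  const { virtual } = getServerSessionModel(event, rotate);
  return {
    fromGetToken: getTokenModel(event),                   // still the original token
    discarded: decode(virtual.res.headers['set-cookie']), // updated token, only on the virtual response
    realResponseHeaders: Object.keys(event.res.headers),  // nothing written to the real response
  };
}

console.log(demo());
```

In this model any server-side check that relies on the token after the session call sees the pre-callback claims, which is the stale-token condition the issue describes.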