Theo's Typesafe Cult (3y ago)
3 replies
Machina0

Next-Auth question about JWTs

This is my understanding of how JWTs and Session work in Next-Auth:
- I send a login form to the server
- the authorize(credentials) function finds a user associated with those credentials and returns user data.
- That user data and accompanying data is given to the JWT() callback
- The JWT() callback decides what to retain from this before the JWT is sent to my cookie jar
- The things that were given to the JWT() callback, as well as the things the JWT() callback chose to retain, are given to the session() callback
- The session() callback decides what to retain from the JWT and creates a session variable on the server.
- Next uses this session variable to decide what to render and give back to me.
- Now I am logged in and want to request a page that requires specific authorization.
- I send a request, my JWT is decoded on the server and that decoded information is given to the Session. Next renders certain things to me based on the contents of that session variable.

My question is: If the validity of the session variable is a function of the validity of the JWT that my client has, why not just render things based on the JWT contents and not worry about passing it off to a middleman like session before rendering? Or is there functionally zero difference between these two realities?
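The pipeline the post describes, as an added stand-alone model that is not next-auth's own code: the three functions mirror the documented `authorize`, `jwt` and `session` callback shapes, while the user store, the `role` claim and the two flow helpers are constructed for the example. It shows the one practical difference between the two layers: the `session` callback is where you choose which token claims the client ever sees.

```javascript
// Constructed sample store. A real store holds password hashes and compares
// them with a constant-time check; the plaintext here is only for the demo.
const USERS = [
  { id: "u1", email: "alice@example.com", password: "hunter2", role: "admin" },
];

// authorize(credentials): find the user and return only public user data.
function authorize(credentials) {
  const user = USERS.find(
    (u) => u.email === credentials.email && u.password === credentials.password
  );
  if (!user) return null;
  return { id: user.id, email: user.email, role: user.role };
}

// jwt({ token, user }): `user` is only present on the sign-in request.
// Whatever is copied onto `token` is what the encrypted cookie carries
// and what every later request can read back.
function jwt({ token, user }) {
  if (user) {
    token.sub = user.id;
    token.role = user.role; // retained claim, checked on later requests
  }
  return token;
}

// session({ session, token }): build the object the app and client see.
// Only the fields the UI needs are copied; the token stays server-side,
// so a claim you do not copy here is never exposed to the browser.
function session({ session, token }) {
  session.user = { id: token.sub, role: token.role };
  return session;
}

// Sign-in request: authorize -> jwt -> session, as in the post's first list.
function loginFlow(credentials) {
  const user = authorize(credentials);
  if (!user) return null;
  const token = jwt({ token: {}, user });
  return { token, session: session({ session: {}, token }) };
}

// Later request: only the decoded token is available (no `user`), and the
// session the page renders from is derived from it again.
function requestFlow(decodedToken) {
  return session({ session: {}, token: jwt({ token: decodedToken }) });
}
```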