[V5] Secure API Call within NextAuth Callbacks to Verify User Status

[aymericfontaine]

Hello everyone 👋

I am currently working on a feature to verify whether a user still exists in the database and hasn’t been deactivated. Here’s the current NextAuth configuration code I’m using:

export const { handlers, auth, signIn, signOut } = NextAuth({
  providers: [credentialsProvider],
  callbacks: {
    async session({ session, token }) {
      if (token) {
        session.user = { ...session.user, ...token };
      }
      return session;
    },
    async jwt({ token, user }) {
      if (user) {
        token = {
          ...token,
          ...user,
        };
      }

      if (token) {
        try {
          // How to send cookie / token to endpoint ?
          const userExist = await fetch(
            `${env.NEXT_PUBLIC_URL}/api/user/refresh`,
          );
          if (userExist.status !== 200) throw new Error();
        } catch (error) {
          return null;
        }
      }

      return token;
    },
  },
});

To ensure security, I would like to check if the user is still active by making an API call, as I am unable to use Prisma with edge runtime.

Endpoint Code

export async function GET(request: Request) {
  try {
    // How to get token / userId ?
    const userId = '???';

    const userExist = await userExistUseCase(userId);

    if (!userExist) {
      return unauthorizedResponse();
    } else {
      return Response.json({
        exist: true,
      });
    }
  } catch (error) {
    return errorResponse(error);
  }
}

Questions

• How can I secure this endpoint by passing either the cookie or a Bearer token for authentication? I’m not sure how to implement this approach correctly.
• How can I retrieve the user token in the endpoint to validate that the user is still active and authenticated?

Thank you in advance for your suggestions and ideas!