Ability to override creation and validation of CSRF token

[jeffreyschultz]

Goals

1. Allow the ability to synchronize the usage of CSRF tokens used across multiple deployed polyglot containers within a system.
2. Provide ability through the use of callbacks, similar to callbacks already provided, that will allow developers to provide custom functions for handling creation and validation of tokens.

Non-Goals

1. Expand the scope and usage of existing CSRF capabilities within next-auth.

Background

I am currently trying to allow multiple containers within a deployment to use the same jwt and csrf tokens. The containers are a mix of multiple technologies where the others allow customization of these functions already, and I wish to do the same with the next-auth-powered nextjs frontends.

Proposal

Make changes to the configuration objects to allow providing custom callbacks for handling creation and validation of csrf tokens. The existing handler code within next-auth will check to see if a callback has been provided, and if so, it will delegate the responsibility to the custom callbacks. If not, then the existing behavior will be used.

Alternative

Replace the current csrf token implementation with one that can be validated against the secret. This will allow sharing of the secret across containers, and independent validation the csrf token without the involvement of the other containers. The token payload could be anything next-auth wants to use, but the important part for me is that it can be independently validated.