feat(sveltekit): add getSessionWithSetCookies function for carrying over cookies and enabling token refresh in sveltekit

[ndom91]

☕️ Reasoning

PRed from work done by @benjaminknox (see: #8034 (comment))

When getSession() is called it returns only the body from the backend and the header to set the authentication cookie is lost. Ben was able to create a workaround by creating another function (getSessionWithSetCookies) to return the set-cookie headers and then set them myself in +layout.server.ts

Usage in +layout.server.ts

// src/routes/+layout.server.ts
import type { LayoutServerLoad } from "./$types"

export const load: LayoutServerLoad = async (event) => {
  const sessionWithCookies = await event.locals.getSessionWithSetCookies();

  for(const cookieName in sessionWithCookies?.cookies) {
    const { value, options } = sessionWithCookies.cookies[cookieName]
    event.cookies.set(cookieName, value, options)
  }

  return {
    session: sessionWithCookies?.session
  }
}

Todo

• Having issues with the cookies types still 🤔

🧢 Checklist

• Documentation
• Tests
• Ready to be merged

🎫 Affected issues

Fixes: #8034

📌 Resources

• Security guidelines
• Contributing guidelines
• Code of conduct
• Contributing to Open Source

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
auth-docs	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jan 16, 2024 4:54pm

2 Ignored Deployments

Name	Status	Preview	Comments	Updated (UTC)
auth-docs-nextra	⬜️ Ignored (Inspect)	Visit Preview		Jan 16, 2024 4:54pm
next-auth-docs	⬜️ Ignored (Inspect)	Visit Preview		Jan 16, 2024 4:54pm

[ThangHuuVu]

can we use the getSetCookie here? 😁

[ndom91]

Yeah good call, modified that a bit. Also added cookie and @types/cookie as peer deps to @auth/svelte since their dependencies in @auth/core already anyway and that'll always be installed together. Does that make sense? Or should I just add them as straight-up dependencies for @auth/sveltekit too?

[ndom91]

Hmm so the build step is failing for the @auth/drizzle-adapter apparently, but I can't find any similar code issues in my locally checked out copy of htis branch and the build script runs for me locally without issue as well 🤔

Is it working for yuo locally?

[balazsorban44]

I don't like the added work for the user.

A better API might be to wrap load with getSession instead (maybe rename it to auth() to align with next-auth too) so it can set the cookies after the user logic has run, merging the results.

This is similar to what we do here:

next-auth/packages/next-auth/src/lib/index.ts

Lines 206 to 210 in a05872d

	// Preserve cookies from the session response
	for (const cookie of sessionResponse.headers.getSetCookie())
	finalResponse.headers.append("set-cookie", cookie)
	return finalResponse

For the user, ideally, the +layout.server.ts file could just be export const load = auth(). 🤔

[ndom91]

Hmm yeah i can test that, i have a sveltekit project with auth.js currently WIP.

But the wrapping load strategy feels a bit un-sveltekit like, based on the little experience i have at least. I'd be curious what a more seasoned svelte person would say about this 🤔

[balazsorban44]

Let's merge with a unstable_ prefix then. 👍 but IMO it needs to go at the end. it should "just work"

(build needs to pass first)

[ndom91]

Let's merge with a unstable_ prefix then. 👍 but IMO it needs to go at the end. it should "just work"

(build needs to pass first)

Okay so we had amended the pre-existing getSession method, you're saying add it as a new method then? So we have getSession() and unstable_getSessionWithCookies() or something like that?

[stalkerg]

Just in case, I don't think "updated from client to server" is a real issue. A decorator can be better.
btw composition can be more flexible, decorators (wrapper) usually is less flexible. Current getSession should be keep as is I believe.

[ndom91]

Heads up anyone following this PR - feature's been merged via #9694 🙏

[aakash14goplani]

@ndom91 - can you please update documentation to specific how to use new method and how it is different then existing get-session method. Thanks!

[ndom91]

@aakash14goplani Yeah we're working on a new version of the docs and it'll definitely be in there.

For now, the old method is still available, although marked deprecated. The usage of the auth() method is the same as the getSession one, the difference is that it sets the cookies from the auth response before returning the session body, keeping expiry updated.