how to logout a user from server side.

[DarkOrbitWeaver]

Question 💬

I can't find a way to remove the next-auth.session-token from cookies

How to reproduce ☕️

I tried the follwing, but I don't know if removing cookies on client side is safe, what should I do?

export default function Home(props) {
  if(!props.isAuthenticated){
    signOut();
 }
  
  return (
    <>
   </>
  );
  

export async function getServerSideProps(context){
  const {data: isAuthenticated} = await axios.get(`${process.env.WEB_URI}/api/auth/verify/session`, {
    headers: {
      cookie: context.req.headers.cookie
    }
  });

//some code here...

return {
    props: { session, isAuthenticated }
  }
}

Contributing 🙌🏽

Yes, I am willing to help answer this question in a PR

[yanickrochon]

Has this been reesolved? I found this dicussion through Google Search.

[Abel1011]

Hi, if you are using the jwt strategy, the way to close the session is client side with the signOut function. If you are working with the database strategy, you can remove the user session from the database from the server.

[DarkOrbitWeaver]

I gave up on coding cause of memory issues (I forgot stuff). Anyway, thanks for helping guys, I already managed to implement a session management system, it worked but it wasnt something impressive, here is what I did:
https://stackoverflow.com/questions/70172881/i-want-to-implement-a-sessions-management-system-using-next-auth/70475091#70475091
.
Guys you can still answer here in case someone needed it, thank you❤

[yanickrochon]

My need was to sign out a user from a third party app. So here's the function that is part of the auth public API script :

const SIGN_OUT_API_URI_SUFFIX = '/auth/api/signout';
const CSRF_API_URI_SUFFIX = '/auth/api/csrf';

/**
 * @returns {Promise<any>}
 */
function signOut() {
   return getFingerprint().then(fingerprint => {
      return fetch(getServerUrl(CSRF_API_URI_SUFFIX)).then(response => response.text()).then(csrfBody => {
         return fetch(getServerUrl(SIGN_OUT_API_URI_SUFFIX, getServerUrl(STATE_URI_SUFFIX)), {
            method: "POST",
            headers: {
               'Accept': 'application/json',
               'Content-Type': 'application/json',
               'X-API-Fingerprint': fingerprint
            },
            body: csrfBody
         }).then(response => response.json());
      })
   });   
};

We use @fingerprintjs/fingerprintjs in order to track and identify anomalies (not guaranteed, but it does help), so this is why we are getting the fingerprint, first. (Note: I am not sharing the getServerUrl function because it is irrelevant, too specific for our needs.)

Second, we fetch the CSRF token because it is required in order to validate the sign out query. I have NO idea why this is required since the sign out query has access to the same cookie... this is redundant to me, but this is the requirement!

Third, the request must specify a JSON data type on both the query params and the result. This is important otherwise the sign out API will redirect to the sign in HTML page, and we do not need that, just the success state.

My personal opinion is that Next Auth fails to provide a clean and unopinionated API. Every feature should be available as callable JS functions without relying on routes, whereas API routes should be JSON by default and not automatically redirect to HTML. Default pages should make use of both JS functions and API routes internally, so that custom pages could do just the same but with user components.

If Next Auth should have a major release, this should be the focus; unopinionated auth API (bring your own components, e.g. @next-auth/core) with an external package for default pages (e.g. @next-auth/pages), routes (e.g. @next-auth/routes), and specific providers (e.g. @next-auth/provider-credentials, @next-auth/provider-email, @next-auth/provider-google, etc.)

[skulden13]

Maybe this would be helpful #5334 (comment)