Chunking session cookies throws errors on decode and logs user out #293

Closed
janhoogeveen opened this issue Mar 20, 2023 · 40 comments · Fixed by kilakewe/next-auth#1 or nextauthjs/next-auth#7736
Labels
bug A bug that needs to be resolved provider-authjs An issue with the authjs provider

Comments

@janhoogeveen
Contributor

janhoogeveen commented Mar 20, 2023

Environment

  • Operating System: Darwin
  • Node Version: v18.14.2
  • Nuxt Version: 3.3.1
  • Nitro Version: 2.3.1
  • Package Manager: [email protected]
  • Builder: vite
  • User Config: extends, srcDir, runtimeConfig, app, imports, typescript, css, modules, tailwindcss
  • Runtime Modules: @nuxtjs/[email protected]
  • Build Modules: -

Reproduction

Try to return this user including tokens from the authenticate method in the credentialsprovider:

const largeToken = {
  name: "Pablo Diego José Francisco de Paula Juan Nepomuceno María de los Remedios Cipriano de la Santísima Trinidad Ruiz y Picasso",
  email: "[email protected]",
  id: "2a7d1072-f292-4343-824d-65058202b618esfsefesfesfse2fsef",
  picture: "http://placekitten.com/400/200",
  initials: "PDJFDPJNM",
  tokens: {
    accessToken:
      "https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.mJUaFtoUfZ5qIgTRbcB4cLGDi15HFojQKZg5I1h6yRg",
    accessExpiraton: 1679309043,
    refreshToken:
      "https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.mJUaFtoUfZ5qIgTRbcB4cLGDi15HFojQKZg5I1h6yRg",
    refreshExpiraton: 1679910247,
  },
};

You can find an edited version of the auth handler in my example repo, though @sidebase/nuxt-auth does not seem to run on codesandbox.

Describe the bug

When generating a JWT that is bigger than 4096 bytes, the next-auth core module will chunk your cookies. That way, you'll end up with 2 session tokens.

next-auth.session-token.0
next-auth.session-token.1

Initial login seems to work fine, and I can see I'm logged in.

However, when I reload the page I get an error in my console and my session cookies get removed automatically. Sometimes I need to reload a couple of times to trigger this. Sometimes it's immediate.

Additional context

  • This error does not happen with session cookies under the 4096 bytes limit.
  • I can reproduce by generating a large token.

Logs

When logging in or reloading the page:

[next-auth][debug][CHUNKING_SESSION_COOKIE] {                                                                                                                   11:28:41
  message: 'Session cookie exceeds allowed 4096 bytes.',
  emptyCookieSize: 163,
  valueSize: 4729,
  chunks: [ 4096, 959 ]
}

When hammering a page reload and it logs me out:

[next-auth][error][JWT_SESSION_ERROR]                                                                                                                           11:28:41
https://next-auth.js.org/errors#jwt_session_error JWE Initialization Vector missing or incorrect type {
  message: 'JWE Initialization Vector missing or incorrect type',
  stack: 'JWEInvalid: JWE Initialization Vector missing or incorrect type\n' +
    '    at flattenedDecrypt (/Users/jan.hoogeveen/Projects/demo-app/node_modules/jose/dist/node/cjs/jwe/flattened/decrypt.js:24:15)\n' +
    '    at compactDecrypt (/Users/jan.hoogeveen/Projects/demo-app/node_modules/jose/dist/node/cjs/jwe/compact/decrypt.js:18:63)\n' +
    '    at jwtDecrypt (/Users/jan.hoogeveen/Projects/demo-app/node_modules/jose/dist/node/cjs/jwt/decrypt.js:8:61)\n' +
    '    at Object.decode (/Users/jan.hoogeveen/Projects/demo-app/node_modules/next-auth/jwt/index.js:64:34)\n' +
    '    at async Object.session (/Users/jan.hoogeveen/Projects/demo-app/node_modules/next-auth/core/routes/session.js:41:28)\n' +
    '    at async AuthHandler (/Users/jan.hoogeveen/Projects/demo-app/node_modules/next-auth/core/index.js:158:27)\n' +
    '    at async file:///Users/jan.hoogeveen/Projects/demo-app/.nuxt/dev/index.mjs:540:24\n' +
    '    at async Object.handler (file:///Users/jan.hoogeveen/Projects/demo-app/node_modules/h3/dist/index.mjs:1212:19)\n' +
    '    at async toNodeHandle (file:///Users/jan.hoogeveen/Projects/demo-app/node_modules/h3/dist/index.mjs:1287:7)\n' +
    '    at async ufetch (file:///Users/jan.hoogeveen/Projects/demo-app/node_modules/unenv/runtime/fetch/index.mjs:9:17)',
  name: 'JWEInvalid'
}
[next-auth][error][JWT_SESSION_ERROR]                                                                                                                           11:28:41
https://next-auth.js.org/errors#jwt_session_error Invalid Compact JWE {
  message: 'Invalid Compact JWE',
  stack: 'JWEInvalid: Invalid Compact JWE\n' +
    '    at compactDecrypt (/Users/jan.hoogeveen/Projects/demo-app/node_modules/jose/dist/node/cjs/jwe/compact/decrypt.js:16:15)\n' +
    '    at jwtDecrypt (/Users/jan.hoogeveen/Projects/demo-app/node_modules/jose/dist/node/cjs/jwt/decrypt.js:8:61)\n' +
    '    at Object.decode (/Users/jan.hoogeveen/Projects/demo-app/node_modules/next-auth/jwt/index.js:64:34)\n' +
    '    at async Object.session (/Users/jan.hoogeveen/Projects/demo-app/node_modules/next-auth/core/routes/session.js:41:28)\n' +
    '    at async AuthHandler (/Users/jan.hoogeveen/Projects/demo-app/node_modules/next-auth/core/index.js:158:27)\n' +
    '    at async file:///Users/jan.hoogeveen/Projects/demo-app/.nuxt/dev/index.mjs:540:24\n' +
    '    at async Object.handler (file:///Users/jan.hoogeveen/Projects/demo-app/node_modules/h3/dist/index.mjs:1212:19)\n' +
    '    at async toNodeHandle (file:///Users/jan.hoogeveen/Projects/demo-app/node_modules/h3/dist/index.mjs:1287:7)\n' +
    '    at async ufetch (file:///Users/jan.hoogeveen/Projects/demo-app/node_modules/unenv/runtime/fetch/index.mjs:9:17)\n' +
    '    at async $fetchRaw2 (file:///Users/jan.hoogeveen/Projects/demo-app/node_modules/ofetch/dist/shared/ofetch.502a4799.mjs:180:24)',
  name: 'JWEInvalid'
}
@kilakewe

kilakewe commented Apr 3, 2023

+1 having same issue.

@BracketJohn
Contributor

Hey @janhoogeveen 👋

Thanks for the report - noted, it'll take us some time to look into this, other issues have higher priorities right now. If you want to provide a fix though, or I can help you to walk through it that would be very welcome (:

@kilakewe

kilakewe commented Apr 3, 2023

@BracketJohn I'd be keen to help get this resolved - I've enabled debugging messages but I'm not seeing anything that would indicate what's causing the issue when trying to recombine the chunks.

For me, it comes from trying to pass the access token and refresh token back from the IDP to the user and persist it in the token.

I'm thinking there's two alternative solutions.

  1. Allow the original access/id/refresh tokens to be passed to the frontend. This would be particularly useful for SSG apps.
  2. Allow the additional tokens to be stored as additional cookies that the function session function can also access.

I know general support for static apps isn't there, so any guidance on where to dig into the chunk issue, or any insights into if option 2 could be done would be appreciated.

@janhoogeveen
Contributor Author

@BracketJohn I understand. I'll see how far I can get on my own, or with the help of @kilakewe.

The first login works well. That we know.
At a page reload, there's a chance the cookies work well or they get rejected as invalid.

Based on this, I had a theory that the order of the cookies, or the chunks, was not guaranteed.

I've been logging the chunks that are used in next-auth/core/lib/cookies.js

Logs from first login (valid, working tokens)

Getting value of chunks                                                                                                                                         14:33:27
{                                                                                                                                                               14:33:27
  'next-auth.session-token.0': 'eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..S5HBPKlkZoasR4WC.B3ILaT0kwvgmIydLp60T-BaLkSTolqxCJHqxAQWdsCiO_-nvRc3z_niAYvHrPH1iciGlliEKgVj_UGLpbIDVgR8DGHirsMz2J6aPWwxjI1evht4vsQm6bBsGzJu43w88i6xDKRAqQK-zP15MYoNczlf9tAaeVagu7jPTRhUnQOVa3OsHDwc9K_CETpPdJMkcXiHa2yfxFGOa0LtP0ONPqaickrv9IzUPf2_64CEOL7QHqeFoTy-XuLtISh5IHd45ElVZr-hCZ9Qf0LiLX-nOAkgDY0G-1LJ29YGWTzfGeWNkN3UHWEqP6rBQ7ZfT59DSkWXHw_CErEl2stFzXBcWhLoqwhmFGC5B_JydZ9VHRjRIBeQdFXct2ebGgGJEyWNgUNv-4MK0w7FGK5ivwNRyJAhf9lTZngmP2z1EqIE_XSG3lrLBFPNnEHAJ08wCxFIpP14gSjyhYGPI_IXJ1RPQG9c23-TXscuF5_yO152Sa_rSIA8on0JgjHPsvg10Uk1ucUA7Uu2LZEmsLF5jmwf61lz10NW2LTqW3xUNfLcIPSccPyocycc1WI70s35TWulwSVDxgwwEEmE2ht2vb92d2WrBoAsxS7xcE0ygqx0itYIruN5RbmeMrQ6_-GhuDEpgl8-c0fG2TpWMWGQxd5idagXnCq9KhV37LmDjVregWAdKglPnZ5nXdELa-Sh5-b9YFPYg441Px0YmN-CNWIpUoHnYwojosVsADlKWFrMiCXHUDNWLNmKlXAK-A62F6QPJI01E0buJrvQU-XMf8bWtC3ZEQSo8hmbjx54dEmX8fnL20mtqgOXO5t76aOKg-s3ggpdgF09DuqDRzpUPZrriJJXQzg1ur0Ue0VtvULvW68tTtUQJmQTxhzRwTTqhhi6qzzEypQBgqgQpK162m7pWnCAwzfUm14Jq3XVTN45NGknxSCJ9z5CApHMsaH5SV2xqAj6-QIOK9d-rhvsqSSJ50hMmNxI47ILyaMtoaTmNqwdWF_cWFy5-3X5nickICRsLac11fypO4oDFYR0Ozyqj87MC1kD5R77rIehHepQFOu6y5Xbe21axnV_ejUrAkmXAorJsWmDPIOj7uzIdjFGQAMK6Pobzytlt4zQGiVyzfyYuucf_oxv80v2qya6GJgN9mvsGY_tpyV2wMmE3BQ7JhFxF0WHnVcl8gWeIIngBdsKJJzLqvsVhXo4CUrffQg9SdISVZmQF0oIcftp9D-uJVHNyoYbiuaRma46D3gB3SGMGnjbcdWj6SmUkRvP-q7Nwj2jGhjorUdR4bf3X3KaBWXu9D6mfH4JMvCmY4a-fOczQyTg9TBv8sHM4-xlTDr1OTMaxxINKbgI92LEPFDmhmq6od8uvJqHj1fiMs86mNT7GdRq7K5KTjW7gRJTIM3YVMr_4I43c4tIpQW_OS1hd7lxzkebqq13uK5Xb_5K-f7zgOeobdmRyP63Yk5xNnlYZ47Z2XI2Ac2GDll5fZgEnVRH0oKdZwmstOwCLB8gFnCFvehKkTnmVu2fU16mi4WZOq62qJc0yq387BiaJez4NKjCXnHhdniXArUyUwwb-Y-WJmK-IEcO0QefDTUJNYo0rSTJVOotWNeisdSAQ3Zn3ZKF5n2AVzBQIyNZplepbMEimnRfIDVA7NK2a_PRQQCZ7cK2GV-G297oQm6IXhYx3T9ivXW_biX06-HoElgpr-qAj4HuS3xM2tE93cYPNj0yIsAha5-er7ZmEcjgut_nc_QIezYAt7umpBfODTnORJ-e9v6dRC4aI_dgmV8tsPvFdRC7k-VUht7ib7XAyD8lgf08Jgh82Qa9thv0H-XAFsdyQlGTLehY49ZA83vFmTf1TVt4Uljkr4ff0WAJ2G-lu3R9SjsE3BbxJW9UntvFoPwPVW7IC9tJntK
73pOBJHWNb5ELk-gyZOzmjYQsNOr0xFkS_cA_QgxlIzxwxgexYPrS32-dNWRzgtSP_6Xyg_P1-TdOV5zuROxkX_CNb6B2e8v9GRfF-_T80zDXpIU4F8IDNahUI92My24MYBGBDMsZyJzXdyBswDelQBOS88leBf2GPQojjKCe0pZDdNwp9np2_JuLg-GgMENo4Y6Nl8HVCQtiKE1jnUwyVHb4wkc6Yjh-KnzQl24MpRXDSAjKhCWFUf0iqnKT4Wia3AWjBPmD2aT4cZEtS2em0PiP2h_sTGuD-yyvPaM77kiqoD3VOwD8ZduzpwUYbhY91B6Cm0Mh5uIHiDzFLvnzOjekceHOtQVXnBfL156EWhN_icoZIZW1s9Wdu9dMQTLuGfFFQ4x4uq54lQIqm9sf1l9hx0qa1y1D42a2FpuKMqfrQLq2s3Ojfy6H8DhmyhQG_BQbEh8Y95pnTnfWxbWIFDACP1zgbAwN8QbpTUSOGbMf-ZeqkikEVFTxCggIh8mJ4hiLgiuulTMT3TkG7EyAcWndv5H6i_EFmmfE8ITvcqnaf7jj-d0y8HEZBAXIY5VhU2phCLhJQIfLN-AXzAnr_Xqv9tLwbC1rbu7c2acxAo6NTUcUS8yB8TESmYlIK3N2M9dILEGxSSiNm18WoMqX0UDmOqNqOvLEUPhHv837R6KOGlUJrVFdocsBm5ZdhqzF-1gdEnYl8aQsK5AJnnVtEtkfVz6QclVgBkuUI-YCRhyK8whBF1BUCz3pxrMoAXO8wrvCboUtNcLOd8xbX3Ad3vXHZWR_mJa8tW7XWdRAlIE7aqCqX8Gpkn5UESnenNg6qccQQiWq5hJhuHokgufaE83WzzuFtOS9jrBxLpyd5kUupeTOkjL6G-W-zxhNzK7YgYQBdGS7n1j4lKC5eKm5yOSEuA-ZYw5CjrU_UIW6lvDZrP3MszRZ2VjBfwHgI_ENmXBE4N0H3MRYOf2ujgVPpa_DmTf8cK3zuk_n1iGcRuHXKHtuQreq4K27HsLTLjvY7sQ_Ar3onzm7-Tj_cOPEwJfAxPZS1D2MNDGa6jPQqNpjIlOTMzzSwxppSgntYdQUdf-4sSOYM_2lh1B3ydX8ukxvKVrXvGzwjTwScm3HH53otjxuyYDATKWbqH0TtyRM_e-X5GWSv84MG8RcXpYKDdBUGQ3D5k90fTmvxZET3lT28eK5voLEK1IwbqUvy9R-b7wAtrOUeqaLcvos4nVHBkQQmkRtzNqNCtxrbXK0fCOO57Fh7Xe06omSpFuYAf_tRkMAFBi-kgSwo5wtbCuL0Scsj5tNxHLJJeDTCTM7J1W3IfqrMzEU2FEXngzKtjMw2YthAn0Q-p6IXe4CkMvYel9uPDXYJPs920bNzTH96BBVjr7zAZ7oHfF2FhmVAF1W6Zt0kC4nHlLpU8FQbymvZcDuGG0QxrqZdkLEqTHHYtqpcsYOa4mNd0z11NRiId66SIUnVwX4guvRl04WOP85OQirPI-uh67_rgyoo1lHr3UPD1wBDXVv7crP9x19w41TjAAFdKTbP47Nv-T450agIVf3ShAL8gScNUvjUtESljaBEKABcF46T4YoRvlEegQ4S4jlrFSFDdFrjQWTSOsbNWw1gGVkelRQJUUvBynHh80Q0u5Kfli3rPU9iVd6K5o_0DG25cpLKhPi1cNiuLtHTOdo3lqec6ImK1n8GKOlzQT-q07MtOCaRbqvKbXRAoMoJhxcyBMT73yBLf0uN1r13zheAYuPuyIHxFdBTq-uz-CV98zBMqClsUxwlZuZ7P6iOJK1k5ORjHJgVDYpWIYvRzbjbtqG2N-Q9Xlxnha5yqHKZEslwhSpCkz63TgtfBOsqnbUQfdt25Mu54JHTpn3fWdLCTLKp5bpEPAKHqiMOTLr3SaOVpIrUoUtWlWl1azlVZNwpa4HFJypxw3VVwfJCq8NC9peo-ohsZtNlUjZzEt2',
  'next-auth.session-token.1': 'Vqy5eJz2jz2Tgh41OBkGlWdoMvqoYyzSZZbBSJ2xnUBMr5Y-YX6d6mMA5_fgOQOUfNLEfVja8BoEE7BPYOhnsOQZeYSpaeNin4kTqKN2fxYaPTRrDyUyzcNQpaHh1mG4rYyIq2KtjB8O2gNDVgH6lJGz-xyPN5U_2yW6ze6PA77Qw44KBZKsDFMMGCBr5bbW0HkDrtrT0b55wqY_7aCKxIICq-eO3NofI9-WLZ_jqLUNXiBAr8IWBCs_2248BSb6Ycpk359EfiO7nJ9sJlYcvsT4SV887ljUu6vUyFefkUVDh14SyohXSUg9qZf0JD-jQvZrnABZ4dDVwn4ESVXwsdKGpFDSjZblQ3Vk4RMi39HCubE_Mu9o8a-HKEodj3nJSVetc1R5QdbL3ONmMzQ-mv2WK4rhGOPI3e0hf7qktFxBpicyRxMdpRmZchXcHqRpf7ATnClELvJhAuTqJzRUe5EPdcgEaA-8c8KHdg-w0Uknarrf-kmKc3uckUuWLwVol88FXQ1-M0i_LpkDlzAGrDu-mqX8QFWtnk10xSQafI7dqtna8FEFysktNX6B1HPq3a9RtVR6iXTTQef-vAg5GsUaY8qI2AxI_bHAuO8osZg7PDa9z0W136ICNWr8e4L5x5jS9o0ezyy4Ahy1Cqrap-kWVGjr6FOy9A9WKcBVUAmi1uoNyc3AAa8IAxLvWIHqHqVMtN6qmpGthp8C6_5QmblDz4iD7fIN_av7CVDGiK2ZCXrbKWOUe30WwKFwJOF7nG-MeFGueoYZbwtyZA9HEbniohaKpfXUkGr0UYW-H4bb6c67DMpVDkluB2zMgQvAStZI8PPk92jrSQA.v8f6RrA_kxD_4w09R4pHTw'
}
Returning values of chunks                                                                                                                                      14:33:27
{                                                                                                                                                               14:33:27
  values: [
    'eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..S5HBPKlkZoasR4WC.B3ILaT0kwvgmIydLp60T-BaLkSTolqxCJHqxAQWdsCiO_-nvRc3z_niAYvHrPH1iciGlliEKgVj_UGLpbIDVgR8DGHirsMz2J6aPWwxjI1evht4vsQm6bBsGzJu43w88i6xDKRAqQK-zP15MYoNczlf9tAaeVagu7jPTRhUnQOVa3OsHDwc9K_CETpPdJMkcXiHa2yfxFGOa0LtP0ONPqaickrv9IzUPf2_64CEOL7QHqeFoTy-XuLtISh5IHd45ElVZr-hCZ9Qf0LiLX-nOAkgDY0G-1LJ29YGWTzfGeWNkN3UHWEqP6rBQ7ZfT59DSkWXHw_CErEl2stFzXBcWhLoqwhmFGC5B_JydZ9VHRjRIBeQdFXct2ebGgGJEyWNgUNv-4MK0w7FGK5ivwNRyJAhf9lTZngmP2z1EqIE_XSG3lrLBFPNnEHAJ08wCxFIpP14gSjyhYGPI_IXJ1RPQG9c23-TXscuF5_yO152Sa_rSIA8on0JgjHPsvg10Uk1ucUA7Uu2LZEmsLF5jmwf61lz10NW2LTqW3xUNfLcIPSccPyocycc1WI70s35TWulwSVDxgwwEEmE2ht2vb92d2WrBoAsxS7xcE0ygqx0itYIruN5RbmeMrQ6_-GhuDEpgl8-c0fG2TpWMWGQxd5idagXnCq9KhV37LmDjVregWAdKglPnZ5nXdELa-Sh5-b9YFPYg441Px0YmN-CNWIpUoHnYwojosVsADlKWFrMiCXHUDNWLNmKlXAK-A62F6QPJI01E0buJrvQU-XMf8bWtC3ZEQSo8hmbjx54dEmX8fnL20mtqgOXO5t76aOKg-s3ggpdgF09DuqDRzpUPZrriJJXQzg1ur0Ue0VtvULvW68tTtUQJmQTxhzRwTTqhhi6qzzEypQBgqgQpK162m7pWnCAwzfUm14Jq3XVTN45NGknxSCJ9z5CApHMsaH5SV2xqAj6-QIOK9d-rhvsqSSJ50hMmNxI47ILyaMtoaTmNqwdWF_cWFy5-3X5nickICRsLac11fypO4oDFYR0Ozyqj87MC1kD5R77rIehHepQFOu6y5Xbe21axnV_ejUrAkmXAorJsWmDPIOj7uzIdjFGQAMK6Pobzytlt4zQGiVyzfyYuucf_oxv80v2qya6GJgN9mvsGY_tpyV2wMmE3BQ7JhFxF0WHnVcl8gWeIIngBdsKJJzLqvsVhXo4CUrffQg9SdISVZmQF0oIcftp9D-uJVHNyoYbiuaRma46D3gB3SGMGnjbcdWj6SmUkRvP-q7Nwj2jGhjorUdR4bf3X3KaBWXu9D6mfH4JMvCmY4a-fOczQyTg9TBv8sHM4-xlTDr1OTMaxxINKbgI92LEPFDmhmq6od8uvJqHj1fiMs86mNT7GdRq7K5KTjW7gRJTIM3YVMr_4I43c4tIpQW_OS1hd7lxzkebqq13uK5Xb_5K-f7zgOeobdmRyP63Yk5xNnlYZ47Z2XI2Ac2GDll5fZgEnVRH0oKdZwmstOwCLB8gFnCFvehKkTnmVu2fU16mi4WZOq62qJc0yq387BiaJez4NKjCXnHhdniXArUyUwwb-Y-WJmK-IEcO0QefDTUJNYo0rSTJVOotWNeisdSAQ3Zn3ZKF5n2AVzBQIyNZplepbMEimnRfIDVA7NK2a_PRQQCZ7cK2GV-G297oQm6IXhYx3T9ivXW_biX06-HoElgpr-qAj4HuS3xM2tE93cYPNj0yIsAha5-er7ZmEcjgut_nc_QIezYAt7umpBfODTnORJ-e9v6dRC4aI_dgmV8tsPvFdRC7k-VUht7ib7XAyD8lgf08Jgh82Qa9thv0H-XAFsdyQlGTLehY49ZA83vFmTf1TVt4Uljkr4ff0WAJ2G-lu3R9SjsE3BbxJW9UntvFoPwPVW7IC9tJntK73pOBJHWNb5ELk-gyZOzmjYQsNO
r0xFkS_cA_QgxlIzxwxgexYPrS32-dNWRzgtSP_6Xyg_P1-TdOV5zuROxkX_CNb6B2e8v9GRfF-_T80zDXpIU4F8IDNahUI92My24MYBGBDMsZyJzXdyBswDelQBOS88leBf2GPQojjKCe0pZDdNwp9np2_JuLg-GgMENo4Y6Nl8HVCQtiKE1jnUwyVHb4wkc6Yjh-KnzQl24MpRXDSAjKhCWFUf0iqnKT4Wia3AWjBPmD2aT4cZEtS2em0PiP2h_sTGuD-yyvPaM77kiqoD3VOwD8ZduzpwUYbhY91B6Cm0Mh5uIHiDzFLvnzOjekceHOtQVXnBfL156EWhN_icoZIZW1s9Wdu9dMQTLuGfFFQ4x4uq54lQIqm9sf1l9hx0qa1y1D42a2FpuKMqfrQLq2s3Ojfy6H8DhmyhQG_BQbEh8Y95pnTnfWxbWIFDACP1zgbAwN8QbpTUSOGbMf-ZeqkikEVFTxCggIh8mJ4hiLgiuulTMT3TkG7EyAcWndv5H6i_EFmmfE8ITvcqnaf7jj-d0y8HEZBAXIY5VhU2phCLhJQIfLN-AXzAnr_Xqv9tLwbC1rbu7c2acxAo6NTUcUS8yB8TESmYlIK3N2M9dILEGxSSiNm18WoMqX0UDmOqNqOvLEUPhHv837R6KOGlUJrVFdocsBm5ZdhqzF-1gdEnYl8aQsK5AJnnVtEtkfVz6QclVgBkuUI-YCRhyK8whBF1BUCz3pxrMoAXO8wrvCboUtNcLOd8xbX3Ad3vXHZWR_mJa8tW7XWdRAlIE7aqCqX8Gpkn5UESnenNg6qccQQiWq5hJhuHokgufaE83WzzuFtOS9jrBxLpyd5kUupeTOkjL6G-W-zxhNzK7YgYQBdGS7n1j4lKC5eKm5yOSEuA-ZYw5CjrU_UIW6lvDZrP3MszRZ2VjBfwHgI_ENmXBE4N0H3MRYOf2ujgVPpa_DmTf8cK3zuk_n1iGcRuHXKHtuQreq4K27HsLTLjvY7sQ_Ar3onzm7-Tj_cOPEwJfAxPZS1D2MNDGa6jPQqNpjIlOTMzzSwxppSgntYdQUdf-4sSOYM_2lh1B3ydX8ukxvKVrXvGzwjTwScm3HH53otjxuyYDATKWbqH0TtyRM_e-X5GWSv84MG8RcXpYKDdBUGQ3D5k90fTmvxZET3lT28eK5voLEK1IwbqUvy9R-b7wAtrOUeqaLcvos4nVHBkQQmkRtzNqNCtxrbXK0fCOO57Fh7Xe06omSpFuYAf_tRkMAFBi-kgSwo5wtbCuL0Scsj5tNxHLJJeDTCTM7J1W3IfqrMzEU2FEXngzKtjMw2YthAn0Q-p6IXe4CkMvYel9uPDXYJPs920bNzTH96BBVjr7zAZ7oHfF2FhmVAF1W6Zt0kC4nHlLpU8FQbymvZcDuGG0QxrqZdkLEqTHHYtqpcsYOa4mNd0z11NRiId66SIUnVwX4guvRl04WOP85OQirPI-uh67_rgyoo1lHr3UPD1wBDXVv7crP9x19w41TjAAFdKTbP47Nv-T450agIVf3ShAL8gScNUvjUtESljaBEKABcF46T4YoRvlEegQ4S4jlrFSFDdFrjQWTSOsbNWw1gGVkelRQJUUvBynHh80Q0u5Kfli3rPU9iVd6K5o_0DG25cpLKhPi1cNiuLtHTOdo3lqec6ImK1n8GKOlzQT-q07MtOCaRbqvKbXRAoMoJhxcyBMT73yBLf0uN1r13zheAYuPuyIHxFdBTq-uz-CV98zBMqClsUxwlZuZ7P6iOJK1k5ORjHJgVDYpWIYvRzbjbtqG2N-Q9Xlxnha5yqHKZEslwhSpCkz63TgtfBOsqnbUQfdt25Mu54JHTpn3fWdLCTLKp5bpEPAKHqiMOTLr3SaOVpIrUoUtWlWl1azlVZNwpa4HFJypxw3VVwfJCq8NC9peo-ohsZtNlUjZzEt2',
    'Vqy5eJz2jz2Tgh41OBkGlWdoMvqoYyzSZZbBSJ2xnUBMr5Y-YX6d6mMA5_fgOQOUfNLEfVja8BoEE7BPYOhnsOQZeYSpaeNin4kTqKN2fxYaPTRrDyUyzcNQpaHh1mG4rYyIq2KtjB8O2gNDVgH6lJGz-xyPN5U_2yW6ze6PA77Qw44KBZKsDFMMGCBr5bbW0HkDrtrT0b55wqY_7aCKxIICq-eO3NofI9-WLZ_jqLUNXiBAr8IWBCs_2248BSb6Ycpk359EfiO7nJ9sJlYcvsT4SV887ljUu6vUyFefkUVDh14SyohXSUg9qZf0JD-jQvZrnABZ4dDVwn4ESVXwsdKGpFDSjZblQ3Vk4RMi39HCubE_Mu9o8a-HKEodj3nJSVetc1R5QdbL3ONmMzQ-mv2WK4rhGOPI3e0hf7qktFxBpicyRxMdpRmZchXcHqRpf7ATnClELvJhAuTqJzRUe5EPdcgEaA-8c8KHdg-w0Uknarrf-kmKc3uckUuWLwVol88FXQ1-M0i_LpkDlzAGrDu-mqX8QFWtnk10xSQafI7dqtna8FEFysktNX6B1HPq3a9RtVR6iXTTQef-vAg5GsUaY8qI2AxI_bHAuO8osZg7PDa9z0W136ICNWr8e4L5x5jS9o0ezyy4Ahy1Cqrap-kWVGjr6FOy9A9WKcBVUAmi1uoNyc3AAa8IAxLvWIHqHqVMtN6qmpGthp8C6_5QmblDz4iD7fIN_av7CVDGiK2ZCXrbKWOUe30WwKFwJOF7nG-MeFGueoYZbwtyZA9HEbniohaKpfXUkGr0UYW-H4bb6c67DMpVDkluB2zMgQvAStZI8PPk92jrSQA.v8f6RrA_kxD_4w09R4pHTw'
  ]
}

Which leads us to the result from values.join()


So far, so good!

Refreshing the page

Next, I kept refreshing the page until I triggered an error. Compare with the previous logs.

Getting value of chunks                                                                                                                                         14:38:49
{                                                                                                                                                               14:38:49
  'next-auth.session-token.1': '2cc2JxGzYNjKCFQ2WJF_txzU5mjugNUyXzo9zmivb65gn_P7DoD4IXdZG_T-hLxzLXxlG4ybUkRgJg4bfLBYV2_-2MMh5B9X6ACVN0pzEvr8zrAG0pkyHY5NYKMKKrTONliFVFgekSUby-37VKITl2KDVx3J07_u6B-xnyBswucyw4lOvI8SEiesxtD7eSKvdDtYVe5QlJrRyJR-o1KuxupMgtNTnuATUuyQjjMbt9SWHUjJ5mv0ngYPLBOvrYMaXOnR5HOq60_idSxhbY5VEsjgtcpyeBChG9hQvjCpHdChtEM1y0CxrACxDobiWVMYEF4GRNdZ6YnqU5D3apQXi8-z0LHmj2oFqySTG8wRNvte9vBluPHygtvOEclTtLHLytgvGBlgXNMAU43SDBVySdJn7NQ5wdZ7qJW2Jjy01wBJCYq3cE36qz9-78Ikp4lWxIDv4lwTfCJqiYjUDMmbGXQdYwDBEY2kzglqvoN-gyjliq8m3kd_NzTeZJ0Ewn_JJyiID1gxOs_szg7VOH6fNwlKOGGxUYCuVXOg6PBbCXZMW2vFdv-08GBRHcZOuOok6cE_Uu6OceWAuZ8DXk4Bvjm-aSmhEsklk_CHR0eNaIlirAg4CHoKaL_P6Y1nqGeGPY_O15sWqTj2K61VSdxq78jxWEN0iv7ZClBBdkkuooiDB0PKqcwWxye01y4P4qJBUPaaVc6Lb_4hDOJYkEtZsVT43V4PW1h3L7aYClUd3D666Sku7Ffx7c5IANsxNKwe6jmJk_a4XJaErglgPP0YBNoTWAeVYkG5HFpjhF7RCg3BjN6UIKpvPWzSgpqfJmLiAusuZffgHwC1DLg.lT5f24ZByy9L-WijKXAKtw',
  'next-auth.session-token.0': 'eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..5h2EKEqUA3PGbv8N.biit375vfNlZdU692XjS9TKwzlXh_uRenZ_ernleDkVslN4p32dmA6eJuXt8a_DyzIIA7A3zfVVAIPAJ4uKpiBwNxgi05O45CTqvc1e1VAesND-h4rGs6p-e6yyd4Xgr4xXMcLbbL_k7OeddlS35v2qniF0aGNCtkEmkgHZM0vnz7Nh23OFVPup7ycyYSZyUcBz4Tv0fQjThobUvm_OlMtHQ3_VTVluuKenzyM86nwxvdZ55_Xdee7KYRP1sI3ROB7I9rTWn5wTu0BcXoILhIrs7V0vnLFIv7aawfscJ2R23eDLd2vUyPmonmt90tyHiafO1VQTHTH8rd7cUMQ4ODAt9CSbXA9ZpA19kvdNYoynizt1X_aVapwyldBc_jhEBD4DWiDWmF3LTys_RjB80E6MtjiDPRMlERzmC-v-YJrniMP9arDgoRcYto5WYfqPWM_Yv2KaOiZnC-hw_psJGHd4Eg03YaHFtq62pPK465U3ynYrNZdv6PWLhFWY6HcgnwB4_ZDhIKtAqNbWUegXFtljhU5aH4txhAsVX02zWrtKYBJAXpyyOMqlYOpeAQV5mvKl7IAegeSL4fgi_63sxNliI-3Vf8aso3YS0rAuuE4p_MImOYXcVEgPoBoGLSzAx-zKoI1Qg3HZ7Vsx-AgT_SeVNb0wdN76qRYqD_QaCKJKNlqfvj85MJFTH4hZG0r09i6HOiEDGNfW0LYciaEtuq5UP0NB8ZZ0Q_bDGGseGzSAdeds2L-Mom-W4eea41cDfz5ZJqBMGMiP9YVIIptBE9HW6YfzVz67HQMjq9nvvVzxjloxdB-MpczOTGCgjbKLHIV52DRHWFFMFzwrBw6_17Shtc_5O_n6CtS3KoQt-w9zfx_67cpK3Nbxy77yMXcAZuO4h-26SDSiJFIfLSPK7sNBN0E4savgfdlbv2FRHX4NS-AUCcF_O2XIs9QFpw7bm6HDPDv5V3buI2158nbmor64JOmPS0OKLHYDiojtLh-Gb-1dcS4JaSr9qQIuZOsGCFYHFBuk6QF7p_MEISjKchHBBoCL-mw_rPEE8W4pLYMDfl-fdS6rTC9yEbB6LZBQw5uQj1Lwr9zywGlv1xElFbuYjFVUWDV8nubwV5vIKw-6oY_SXFQ59LeExELVwsJHLJp6WHtMuzs_UjQUzWu5GmMlaE8eGrgNorDLAw5_gYhyewZaWWT6L90dhIPY01_qmXNGMxKqZtXShIofHpFDx2DYsjGlZNf-FnLBEoa1_Ayz32XmcoBceaL9boGFnsEpJHICsJJxSHh5TkFWUVdVzngR9qYullU_IKXeVtw5SAHXhofTfOnnr0O65hTXASK_FwaryoLOC0_7JwmNIWw2k9UeeyCXrGlhgIcNN4FR_r_GeFhLbEZl4bS0gYvz30NaxMWLnqz5gctAovyMTPYuz3BcYCBhd-JyXOOmne6vCIv337_V5zvi2rg9aqAV577KRacOca87hItpc8DnklbRzibyqzmiDvvgoR3SAU7MF4cu1DEFKi3SL-8nky1-DovuAeG0c-JP_LLnN_I6-h4pap61pWRLVP3shqnjAQYDlvUNLBzKt0lE8EJ5GZUHitL0dWptfXQtiLdns6gn40yHfmO3rdZt5sbrSsEe7KKiEJy2uNXy6Ans-IMUkV9qLFpSzmkawLoK4zol4ENYDxwLYypOo_FiJpXKpERUAsSdIuNlxamWT_7xIb203WfJmFlgu6yb_G8AHdVwB_zKYEMRgfe_zUvP1qGVY83Mo4HqDSYYrjwfjKFEL00lNg8DYO0TM5pirzYOojdHHo3vM8-w0zOwl5g6YQsfs8G0lAfx8kLX08ph45u0arue5gvU9Sldlf4eIjs_LzZsHiv_IMjaMo2lXdRxX19-jhHlJgYR21jBK_ejyGO02te
Jy0LnXHOMBb8Zjf026nIpD481tgkQHgisZh4z3FeakOaqxVEBEe1gu5jeZFyTIoCVXQa-1cWohmV_xI4FR-ITVSm05ZqXulZkmojulR_GE7lTzjg7oYlh42uh8SBMLGursjCMrgVH9_H8JTZCCrwSMd-LOAbEWe1Sxu9MmBxGvwoHENEfH-OKPuc6FkOsua3S1tahAimGsqlHudW8Hnm9fBx1FkN-uykKEouMvDCXlZeU6PX7LcM-fzXrxu9qXwiXfFGaHpXayBBS03dTfIhZC2Gh2KiSTaCUldlTKMwB531oLeqoHd449dshDROWUsjF6S4cVKrE4yyudjlRqbCNBQhQiReoDLp74nFGptuR4Mg_QdiNiL5wtjvx2xZfwjsJmSP9NHT_WlZy-D9PpPkJSztgpNRBNFIs76-nhsKqvsA2jYnUfH7v4XiaNknHe6xUAA-egQRD3llXyXGDrimzox5cxTF5EUQAOxzZL7YgJbusOk8LcQ8CdVDncObuQC6uxsJlS8MNnboG6hOFPRu3Sb0Zv2pl6LviWMcE-3v9DXfTc05-BfSmSyuGs8lDUeFWM8dQopV_35Z-Xk-Z8goom4VqBSu6N2C3JcxEFSYv16XvdMtocV-l2gs1vMjO9lT8lD8LENxDGpN09TKfQVu0bJdBdl7-MPqPzs0NXlU2F6MMyBuQzwaf5H-z91h5Zu400HBDFNZb97axqqOjDVsS2YPYZpf-TCJ7-yeWVHIYCgNmag-OBU5UVaA034yOPYH_5LYoxGh1AvAjgVhfwmpTyyQJsQ2KAl9V-E8F5xJnnUsCtRwFAF_oLkuytfXYxYRiEFAXWPvgnaOgUbD2QB6m82EFFTCXOMCf78p_0qEVZp_SApMeVVpgwKnGE57Nj4K-fgZGz2CF_pW612h524HoZH3BBh_sh4YCD64xQ-JDMkTX4frGyL1sxxGSJNjp7b98UaJNNHRYCsxgspGo2409rRPqQwZoPf5fCGNi4maKXsHvN7gSNzte3eU1Azwauzlny6YMkIyVzBQiKa9qCK4BU13TAcNYmStMjcMhaRfIhr0JvONvpnSisezbRNTDjmE4UMrwyXzV1TyTDE7VBpmq9ZzwmEovIcxg2i-0z5pPS8tROCGO_Lme4ZRnOketp5s5bqZ5UIcev0f3cNPu7vxRllLLbGrjo9BHZVEyHLr_H5SLTaAraSJl5-q65eUsDmRsLKG0N9qMqJMfJ4kcM1RgE1AT4RAMlaQJW9oy_AJ9oSnYvyxxxXcXKEf9ZBUme9OHEqYC4PKkrA2Mvx_DU-r_PsfUYEDnOLPup2JRcho-6lcnpAIRbIOIFHSEHOBv6oYjN5OMIh7k0J8SxMwuHv5aFwodMxLPk-oy-vw3EtPMTN2wirTHDpoaMoNiOBcMQ1mJB10Xz8TRD8Hv6mi2KIgfvr82x7_1IyQT7e9tNFYNeLQHEJvaws2ESgxXTALxRWfOn3917TKq44vnjI0Zcw-i_DrFIbQQQHTchxptxCl4nDnQkDz9pSX3gAv9m8dihK_BS0lk26v6rIWbb5n8XZBMV9wcdzyZ6-anp9ytwGucAFftBk6E9Ru9RhKnxmADK_ITnuvOpKmVr4FQGbWfsTQ4RMeU1XDTfdYUqFbVDTNxa6625D5qI7lirAxJBK1_tY5p9bV7oITxhvmivOz0hE75Vv1psIxim5R6tzhvW4v5yYJc22lejjy1X5lPf6FrLCFwN7bi0FWmW0cHjuU7eEMa08WjXky8m2UMRvtXdJl9oF9fXs9Gw8y4OCWczu7_xPm21yl2uC-9jTmHsx546GQcuZL9nmXVVPRmykX896SdpC8OA6BYSajQdnM5KzVd0eJzLsgQ3N3TfCYk7ikyi9j-xusnT_f69Rl6bQB9Jqh-i6IP7mEunG2bM_uQNDoJd3tiYuA2VJoeEFuj2xoy4vt6YWeeNXy0SElVGPzvlABRwQZh'
}

And that returns the following token after doing the values.join() method.


Which will finally give us the [next-auth][error][JWT_SESSION_ERROR]

Next

Now, there are multiple possibilities here to explore.

  1. Either the Map/Set collection next-auth is using to store chunks should sort the cookies by default instead of relying on object order (I think this is the safest solution?)
  2. Nuxt.js maybe doesn't preserve cookie order, and we should fix it in Nuxt.js
  3. next-auth isn't recreating the objects right, and it's a next-auth bug.

Let me know what you think. I can always start a discussion or issue in next-auth as well.

@BracketJohn
Contributor

Thanks for taking time to look into this - I really appreciate it!

As it's related to really low-level cookie ordering, this is likely either (1) or (2), as nuxt-auth does not touch cookies, it relies on next-auth and nuxt setting / unsetting them. So I'd propose to go into next-auth with a minimal reproduction -> best would probably be a native next-auth/auth.js reproduction as I don't want @balazsorban44 to come under pressure to look into the code of nuxt-auth -> it's our job not his.

Having a next-auth reproduction would also improve the reliability of this analysis: It would show that it is definitely not related to nuxt or nuxt-auth!

nextauthjs/next-auth#5398 is probably already a good lead, great find!

Btw: You could re-try with the latest supported next-auth version just for fun to see if maybe they've (accidentally) solved the problem.

@kilakewe

kilakewe commented May 9, 2023

So I did a bit more digging and I don't think it's the chunk ordering that is the issue because when I replace the encrypt and decrypt to produce something other than the JWE, it works. 😖

For example, if I produce a JWT instead with the following functions, it has no issues:

  jwt: {
    async encode(params) {
      if (!params.token) throw new Error("Missing Token");
      if (!params.secret) throw new Error("Missing Secret");
      // Create a JWS JWT
      const jwt = await encodeJwt(params.token || {}, params.secret as string);
      return jwt;

    },
    async decode(params) {
      if (!params.token) throw new Error("Missing Token");
      if (!params.secret) throw new Error("Missing Secret");
      // Decode and verify a JWS JWT
      const token = await decodeJwt(
        params.token || "",
        params.secret as string
      );
      return token;

    },
  },

There's something with how the default JWE functions work that's causing the kerfuffle.

@BracketJohn
Contributor

Related to this: #371

@kilakewe thanks for digging deeper, can the comment of @kenkichi in #371 maybe help?

Quote:

@LubosAngus san

I have the same issue. Because the joining order of the split files is not correct, I think you should sort it.

next-auth/core/lib/cookie.js (lines 142-146):

    } else {
      Object.keys(_cookies).sort().forEach(name => {
        if (name.startsWith(cookieName)) (0, _classPrivateFieldGet3.default)(this, _chunks)[name] = _cookies[name];
      })
    }
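
The reassembly problem discussed up to this point, as an added example (not next-auth or nuxt-auth code): chunk cookies are rejoined by numeric suffix instead of arrival order, and a token with a missing chunk is rejected. The chunk size, sample token and function names are assumptions made for the illustration, and it goes slightly beyond the thread by covering more than ten chunks, where a plain string sort also misorders them.

```javascript
// Added illustration with assumed names; not next-auth or nuxt-auth source code.
const COOKIE_NAME = "next-auth.session-token";
const CHUNK_SIZE = 16; // assumption: tiny, so the sample splits into 12 chunks
// Constructed sample value standing in for an encrypted session token (192 chars).
const SAMPLE_TOKEN = Array.from({ length: 12 }, (_, i) =>
  `part${String(i).padStart(2, "0")}-xxxxxxxxx`).join("");

// Split a value into name.0, name.1, ... chunk cookies.
function chunk(name, value, size = CHUNK_SIZE) {
  const cookies = {};
  for (let i = 0; i * size < value.length; i++) {
    cookies[`${name}.${i}`] = value.slice(i * size, (i + 1) * size);
  }
  return cookies;
}

// Fragile: join chunks in the order the keys are given (default: arrival order).
function joinInGivenOrder(name, cookies, keys = Object.keys(cookies)) {
  return keys.filter((k) => k.startsWith(`${name}.`)).map((k) => cookies[k]).join("");
}

// Robust: order by numeric suffix and refuse to return a token with gaps.
function joinByIndex(name, cookies) {
  const prefix = `${name}.`;
  const parts = [];
  for (const [key, value] of Object.entries(cookies)) {
    if (!key.startsWith(prefix)) continue;
    const suffix = key.slice(prefix.length);
    if (!/^(0|[1-9]\d*)$/.test(suffix)) continue; // not a chunk index
    parts.push([Number(suffix), value]);
  }
  parts.sort((a, b) => a[0] - b[0]);
  parts.forEach(([index], position) => {
    if (index !== position) throw new Error(`missing chunk ${position}`);
  });
  return parts.map(([, value]) => value).join("");
}

function demo() {
  // Constructed request: chunks arrive reversed, next to an unrelated cookie.
  const chunks = chunk(COOKIE_NAME, SAMPLE_TOKEN);
  const arrived = { _ga: "GA1.constructed" };
  for (const key of Object.keys(chunks).reverse()) arrived[key] = chunks[key];
  const sortedKeys = Object.keys(arrived).sort(); // string sort: .0, .1, .10, .11, .2, ...
  return {
    arrivalOrder: joinInGivenOrder(COOKIE_NAME, arrived) === SAMPLE_TOKEN,
    stringSort: joinInGivenOrder(COOKIE_NAME, arrived, sortedKeys) === SAMPLE_TOKEN,
    numericSort: joinByIndex(COOKIE_NAME, arrived) === SAMPLE_TOKEN,
  };
}

console.log(demo());
```
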

@kilakewe

Thanks @BracketJohn

So I was able to sort the cookies but it looks like the issue is firing before the cookie process finishes which leads me to believe that there's a promise not being handled correctly somewhere.

The result of injecting logging in the process:

Testing Cookie:  _ga 
[next-auth][error][JWT_SESSION_ERROR]
https://next-auth.js.org/errors#jwt_session_error signature verification failed {
  message: 'signature verification failed',
  stack: 'JWSSignatureVerificationFailed: signature verification failed\n' +
    '    at flattenedVerify (.../node_modules/jose/dist/node/esm/jws/flattened/verify.js:81:15)\n' +
    '    at processTicksAndRejections (node:internal/process/task_queues:96:5)\n' +
    '    at async compactVerify (.../node_modules/jose/dist/node/esm/jws/compact/verify.js:15:22)\n' +
    '    at async jwtVerify (.../node_modules/jose/dist/node/esm/jwt/verify.js:6:22)\n' +
    '    at async decodeJwt (.../.nuxt/dev/index.mjs:1103:23)\n' +
    '    at async Object.decode (.../.nuxt/dev/index.mjs:1019:21)\n' +
    '    at async Object.session (.../node_modules/next-auth/core/routes/session.js:43:28)\n' +
    '    at async AuthHandler (.../node_modules/next-auth/core/index.js:165:27)\n' +
    '    at async .../.nuxt/dev/index.mjs:939:24\n' +
    '    at async Object.handler (.../node_modules/h3/dist/index.mjs:1247:19)',
  name: 'JWSSignatureVerificationFailed'
}
Testing Cookie:  next-auth.callback-url
Testing Cookie:  next-auth.csrf-token
Testing Cookie:  next-auth.session-token.0
Testing Cookie:  next-auth.session-token.1        
Testing Cookie:  OptanonConsent

@kilakewe

kilakewe commented Jun 1, 2023

Alright, it's been a while since I've been able to dig into it and I've discovered that it indeed has something to do with the chunker or the chunking process.

I was able to inspect the token JWE at the point of encryption and decryption and what I found was that when the token was recompiled from the chunks, it was indeed out of order.

@BracketJohn, is the chunking system something that's coming from NextAuth?

@christine927t

Also ran into this issue today. Thanks for looking into it.

@kilakewe

kilakewe commented Jun 5, 2023

PR to resolve this has been submitted - Please give it a thumbs up to get it moved along. @BracketJohn I guess it'll need to be pulled in once it's merged.

@christine927t

christine927t commented Jun 7, 2023

PR to resolve this has been submitted - Please give it a thumbs up to get it moved along. @BracketJohn I guess it'll need to be pulled in once it's merged.

@kilakewe Thanks for working on this! Do you know when these changes will be available in the package or if I can use it before the next release?

@kilakewe

kilakewe commented Jun 7, 2023

@christine927t not sure sorry, I'm not a part of the next-auth team, just a contributor out in the wild.

@janhoogeveen
Contributor Author

The PR looks to be merged and released as a pre-release version.

https://github.com/nextauthjs/next-auth/releases/tag/%40auth%2Fcore%400.8.2

@christine927t

@janhoogeveen I installed the pre-release @auth/[email protected] but I'm still seeing this issue with the cookies being split, then cleared after about 10 seconds and then my user is logged out and unauthenticated. Is there anything else I should have to do besides install the pre-release?
I have "next-auth": "^4.22.1" and "@sidebase/nuxt-auth": "^0.5" installed as well.

@kilakewe

@janhoogeveen I installed the pre-release @auth/[email protected] but I'm still seeing this issue with the cookies being split, then cleared after about 10 seconds and then my user is logged out and unauthenticated. Is there anything else I should have to do besides install the pre-release? I have "next-auth": "^4.22.1" and "@sidebase/nuxt-auth": "^0.5" installed as well.

That's the same thing that was happening to me too. It looks like there's more than just the chunking issue at play and not enough of a problem for any of the package owners to help deep dive into it. Which is quite frustrating.

Hopefully it's something that's addressed in the new version of authjs and sidebase can upgrade/migrate to it, but for now I have ended up ditching sidebase/auth for a custom implementation.

@christine927t

@kilakewe Ok thanks for confirming, just wanted to make sure I wasn't missing anything. I agree it's frustrating. I'm having to reduce the amount of user data I'm sending back with the initial login/authentication and then retrieve it again after login and update the user. I may end up having to switch to another package as well.

@codetheorist

Can confirm, using 0.6.0-beta.3 however, my tokens are less than 4kb and they still get chunked for some reason. That may be my user error though but the OP's error of re-joining chunked cookies does exist.

@codetheorist

The latest versions of next-auth have the fix in for this.

@kilakewe

kilakewe commented Jul 20, 2023

next-auth

Next auth or its replacement, AuthJS?

@codetheorist

codetheorist commented Jul 20, 2023

Next auth has it in.

I've done a simple upgrade of the package and tested it and it seems to work as expected. I've rolled it up and published it to NPM under @codetheorist/nuxt-auth so I could test it properly, so you could test that package if you like.

I've currently got a JWT with a lot of roles in it so it splits over 2 chunks and would normally log out and clear cookies, but everything works perfectly with regards to the cookie chunking issue now.

I would expect the replacement to have it in too.

@codetheorist

OK, so I was convinced that next-auth had this fix in, having seen the PR and commit being merged.

My tests this morning must have just gotten the cookie chunks in order every time correctly which led me to believe that the issue was fixed.

The module is now not working as expected on my end again.

I've checked-out [email protected] and for some reason the fix seems to have been rolled back, so therefore the above PR doesn't fix the issue.

@tnld

tnld commented Aug 4, 2023

I'd like to know too, this issue needs to be fixed.

@codetheorist

Can confirm this is still a thing and the fix that was merged into next-auth isn't included in their latest releases.

I'm not entirely sure how the release process works internally with next-auth so I'm not sure when the functionality will land, but there has been at least one PR created with the fix in next-auth with one of them definitely being merged.

It would be best to pursue any further updates through the next-auth repository issue system, as we're currently waiting on them before the functionality can be fixed in this package.

There is ongoing development on auth.js, so I'm not entirely sure if the functionality will ever be merged.

TLDR; This is a supply chain issue and we are waiting for the "parent" package to release the fixes before we can update the dependency version number in this package.

@edenstrom

Created a PR fixing this here nextauthjs/next-auth#8278

A workaround is to rename the cookie to something without a .

@dvh91

dvh91 commented Aug 27, 2023

Looks like it was fixed on https://github.com/nextauthjs/next-auth/releases/tag/next-auth%404.23.0
but upgrading to this version seems to break nuxt-auth

@christianlmc

christianlmc commented Sep 26, 2023

@dvh91 I don't think it was fixed on 4.23, I added the missing core exports (see link) manually and the error is still there

@febinfrancis31

Any update/workaround for the issue?

@diegogava

Any update/workaround for the issue? [2]

@christianlmc

christianlmc commented Oct 2, 2023

@febinfrancis31 @diegogava you can try making your JWT and session smaller by only returning the essentials on the callback functions. This is what I did to keep my cookie under the size limit

  callbacks: {
    /**
     * NOTE: On this callback I'm only returning the essential data for the app to function.
     * If I try to return the whole token instead, the cookie size gets too large and the
     * plugin is unable to decode it properly.
     *
     *
     */
    jwt ({ token, account }) {
      if (account) {
        token.accessToken = account.access_token
      }

      return {
        accessToken: token.accessToken,
        email: token.email,
        name: token.name
      }
    },
    session ({ session, token }) {
      session.accessToken = token.accessToken

      return session
    }
  }

@semkeijsper

bump because I just wasted 3 hours struggling before finding out it was a bug :)

@febinfrancis31 @diegogava you can try making your JWT and session smaller by only returning the essentials on the callback functions. This is what I did to keep my cookie under the size limit

this works great for now, thank you.

@th3l0g4n

What if making the return value of the jwt callback not possible?
I need to keep the access_token around (to make API requests to our own backend), the refresh_token (to enable token rotation) and certain user information.

All of this is of course not needed in the session itself and the information is filtered properly (in the session callback), but as the return value of the jwt callback is encrypted and the token is used to populate the session, I cannot reduce this information.

@imduchy

imduchy commented Dec 3, 2023

What if making the return value of the jwt callback not possible? I need to keep the access_token around (to make API requests to our own backend), the refresh_token (to enable token rotation) and certain user information.

All of this is of course not needed in the session itself and the information is filtered properly (in the session callback), but as the return value of the jwt callback is encrypted and the token is used to populate the session, I cannot reduce this information.

I have the exact same use case as I'm trying to implement a token refresh logic for my Cognito user pools. I need to be able to store the access and refresh tokens in the token property—not necessarily to pass them to the front end but simply to persist them throughout the session and refresh the token when needed.

Any ideas?

@mpgalaxy

mpgalaxy commented Jan 4, 2024

Also worth mentioning:

  • If I remove the origin in v0.5.0 it works perfectly fine in develop, the error returns when adding the origin (for production).
  • In v0.6.3 the error occurs and I get logged out, even in develop without origin.

@Soulusions

Any plans on this getting some kind of hotfix soon or do we simply have to wait for nuxt-auth to migrate to authjs v5 (seems to be the version where the patch is merged)?

@zoey-kaiser
Member

Hi everyone!

After doing some more research, it seems like we will not be able to fix this issue on our end. As mentioned above the solution will be to migrate to authjs under the hood, where this issue has been resolved.

We are now beginning this migration, for more information please keep an eye on #673. As this issue will be fixed through this migration, I will now close this issue.

Thank you for all the hard work investigating!

@zoey-kaiser closed this as not planned on Feb 23, 2024
@zoey-kaiser added the provider-authjs and bug labels on Feb 23, 2024
@joaltoroc

Any update/workaround for the issue?

I'm using

"@sidebase/nuxt-auth": "0.7.1",

@phoenix-ru
Collaborator

Closed via #726

@codetheorist

How does the above commit fix the issue presented here? Genuine question.
