feat(auth): limit output in session endpoint

apps/scandic-web/auth.ts

@@ -104,7 +104,7 @@ const curityProvider = {
   },
 } satisfies OIDCConfig<User>
 
-export const config = {
+const baseConfig = {
   basePath: "/api/web/auth",
   debug: env.NEXTAUTH_DEBUG,
   providers: [curityProvider],
@@ -122,7 +122,10 @@ export const config = {
       if (session.user) {
         return {
           ...session,
-          token,
+          token: {
+            expires_at: token.expires_at,
+            error: token.error,
+          },
           user: {
             ...session.user,
             id: token.sub,
@@ -160,7 +163,7 @@ export const config = {
       console.log(`[auth] URL denied, returning base URL: ${baseUrl}`)
       return baseUrl
     },
-    async authorized({ auth, request }) {
+    async authorized() {
       return true
     },
     async jwt({ account, session, token, trigger, user, profile }) {
@@ -223,9 +226,32 @@ export const config = {
   // },
 } satisfies NextAuthConfig
 
+const serverConfig = {
+  ...baseConfig,
+  callbacks: {
+    ...baseConfig.callbacks,
+    async session({ session, token }) {
+      session.error = token.error
+      if (session.user) {
+        return {
+          ...session,
+          token,
+          user: {
+            ...session.user,
+            id: token.sub,
+          },
+        }
+      }
+
+      return session
+    },
+  },
+} satisfies NextAuthConfig
+
 export const {
   handlers: { GET, POST },
-  auth,
   signIn,
   signOut,
-} = NextAuth(config)
+} = NextAuth(baseConfig)
+
+export const { auth } = NextAuth(serverConfig)