jti set in encode is not preserved in decode #951

Open
paambaati opened this issue Dec 5, 2024 · 0 comments
Labels
bug A bug that needs to be resolved pending An issue waiting for triage

paambaati commented Dec 5, 2024

Environment

------------------------------
- Operating System: Darwin
- Node Version:     v20.18.0
- Nuxt Version:     3.13.0
- CLI Version:      3.13.1
- Nitro Version:    2.9.7
- Package Manager:  [email protected]
- Builder:          -
- User Config:      sourcemap, app, auth, components, colorMode, css, i18n, imports, modules, openFetch, nitro, runtimeConfig, rootDir, security, srcDir, typescript, vite, compatibilityDate
- Runtime Modules:  ./src/modules/datadog-module, @nuxtjs/[email protected], @nuxtjs/[email protected], @sidebase/[email protected], @pinia/[email protected], @nuxt/[email protected], @nuxtjs/[email protected], [email protected], @nuxt/[email protected], @nuxtjs/[email protected], [email protected], @nuxt/test-utils/[email protected], [email protected]
- Build Modules:    -
------------------------------

Reproduction

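// Imports inferred from the identifiers used below.
import { randomUUID } from 'node:crypto';
import { encode, decode } from 'next-auth/jwt';
import OktaProvider from 'next-auth/providers/okta';
import { NuxtAuthHandler } from '#auth';

NuxtAuthHandler({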
    secret: process.env.NUXT_AUTH_SECRET,
    pages: {
      signIn: '/',
    },
    session: {
      strategy: 'jwt',
      maxAge: 30 * 24 * 60 * 60,
      updateAge: 24 * 60 * 60,
    },
    jwt: {
      encode: async ({ secret, token, maxAge }) => {
        console.log('Encode - Original Token JTI:', token?.jti);
        if (!token?.jti) {
          token!.jti = randomUUID();
        }
        console.log('Encode - Token JTI After Generation:', token!.jti);
        const encodedToken = await encode({ token, secret, maxAge });

        return encodedToken;
      },
      decode: async ({ secret, token }) => {
        const decodedToken = await decode({ token, secret });
        console.log('Decode - Original Attempted JTI:', token?.jti);
        console.log('Decode - Decoded Token JTI:', decodedToken?.jti);
        if (decodedToken) {
          console.log('Decoded Token Full Dump:', JSON.stringify(decodedToken, null, 2));
        }
        if (!decodedToken) return null;
        return decodedToken;
      },
    },
    callbacks: {
      async jwt({ token, user, account }) {
        // NOTE: Initial sign-in.
        if (account && user) {
          const tokenFamilyId = crypto.randomUUID();
          const updatedToken = {
            ...token,
            at: account.access_token!,
            rt: account.refresh_token,
            jti: token.jti,
            rtf: tokenFamilyId,
            exp: Math.floor(Date.now() / 1000 + (24 * 60 * 60)),
          };
          return updatedToken;
        }

        // NOTE: Return existing token if not expired
        if (token.at && Date.now() < token.exp * 1000) {
          return token;
        }
      },
    },
    providers: [
      OktaProvider.default({
        clientId: OKTA_CLIENT_ID,
        clientSecret: OKTA_CLIENT_SECRET,
        issuer: OKTA_ISSUER,
      }),
    ],
  });

Describe the bug

When writing custom logic to generate my own JWT, I notice that the jti returned from the encode function and the jti read in the decode function are completely different.

I'm afraid there's some other middleware (or perhaps core logic) that completely modifies the jti.

Additional context

While jti changes, I tried setting a new jti2 value on the JWT, which does get preserved after decode.

Logs

Encode - Original Token JTI: b7601006-9a3d-48f6-a172-b68b2b503555
Encode - Token JTI After Generation: b7601006-9a3d-48f6-a172-b68b2b503555
Decode - Decoded Token JTI: 6aeac235-0ce7-4243-af3f-9b99578769fb
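
An added example, not part of the issue and not the project's code: a minimal HS256 round trip that models one possible cause consistent with the logs above, an encoder that always stamps its own jti, beside a variant that keeps a caller-supplied jti. The function names, the stampJti option and the sample claims are assumptions made for illustration; the round-trip check shows which claims a revocation or token-family lookup keyed on jti could not rely on.

```javascript
// Added example: a hypothetical encoder pair, not the library's implementation.
const b64u = (v) => Buffer.from(v).toString('base64url');

// Loaded dynamically so the snippet runs unchanged as CommonJS or as an ES module.
const loadCrypto = () => import('node:crypto');

async function sign(data, secret) {
  const { createHmac } = await loadCrypto();
  return createHmac('sha256', secret).update(data).digest('base64url');
}

// stampJti=true always writes a fresh jti over the caller's value (assumed behaviour);
// stampJti=false generates one only when the caller did not supply it.
async function encodeJwt(claims, secret, { stampJti }) {
  const { randomUUID } = await loadCrypto();
  const jti = stampJti ? randomUUID() : claims.jti ?? randomUUID();
  const header = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = `${header}.${b64u(JSON.stringify({ ...claims, jti }))}`;
  return `${body}.${await sign(body, secret)}`;
}

// Verifies the HMAC in constant time before parsing; returns null on any mismatch.
async function decodeJwt(jwt, secret) {
  const { timingSafeEqual } = await loadCrypto();
  const [header, payload, sig] = jwt.split('.');
  const expected = Buffer.from(await sign(`${header}.${payload}`, secret));
  const given = Buffer.from(sig ?? '');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
}

// Round-trip check: names of the claims whose value differs after encode -> decode.
async function changedClaims(claims, secret, options) {
  const decoded = await decodeJwt(await encodeJwt(claims, secret, options), secret);
  if (decoded === null) throw new Error('signature check failed');
  return Object.keys(claims).filter((k) => JSON.stringify(decoded[k]) !== JSON.stringify(claims[k]));
}

// Constructed sample claims mirroring the report: a jti, a custom jti2 and a token family id.
const sampleClaims = { sub: 'user-1', jti: 'constructed-jti-0001', jti2: 'constructed-jti-0001', rtf: 'constructed-family-01' };
const sampleSecret = 'constructed-test-secret';

async function main() {
  console.log('stamping encoder changed:', await changedClaims(sampleClaims, sampleSecret, { stampJti: true }));
  console.log('preserving encoder changed:', await changedClaims(sampleClaims, sampleSecret, { stampJti: false }));
}
main();
```

Running the same changedClaims check against a real encode/decode pair in a unit test catches a rewritten registered claim before session logic starts depending on it.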