fix: skip MCD session backfill in static mode (#2618)

Author: tusharpandey13

src/server/auth-client.test.ts

@@ -811,11 +811,9 @@ ca/T0LLtgmbMmxSv/MmzIg==
             },
             internal: {
               sid: DEFAULT.sid,
-              createdAt: expect.any(Number),
-              mcd: {
-                domain: DEFAULT.domain,
-                issuer: `https://${DEFAULT.domain}/`
-              }
+              createdAt: expect.any(Number)
+              // No mcd field in static mode — backfill is skipped to avoid
+              // unnecessary session growth and cookie chunking (#2595)
             }
           })
         );
@@ -5120,11 +5118,9 @@ ca/T0LLtgmbMmxSv/MmzIg==
           },
           internal: {
             sid: expect.any(String),
-            createdAt: expect.any(Number),
-            mcd: {
-              domain: DEFAULT.domain,
-              issuer: `https://${DEFAULT.domain}/`
-            }
+            createdAt: expect.any(Number)
+            // No mcd field in static mode (no provider) — callback only adds
+            // mcd in resolver mode per DD-2 (zero-overhead static mode)
           }
         });
         const expectedContext = expect.objectContaining({
@@ -9347,6 +9343,12 @@ ca/T0LLtgmbMmxSv/MmzIg==
       getAll: vi.fn().mockReturnValue([])
     });
 
+    // Backfill only runs in resolver mode. Provide a minimal mock provider
+    // so that `this.provider?.isResolverMode` evaluates to true.
+    const mockResolverProvider = {
+      isResolverMode: true
+    } as any;
+
     it("should infer domain from idToken iss claim when no mcd field exists", async () => {
       const secret = await generateSecret(32);
       const transactionStore = new TransactionStore({
@@ -9391,7 +9393,8 @@ ca/T0LLtgmbMmxSv/MmzIg==
         secret,
         appBaseUrl: DEFAULT.appBaseUrl,
         routes: getDefaultRoutes(),
-        fetch: getMockAuthorizationServer()
+        fetch: getMockAuthorizationServer(),
+        provider: mockResolverProvider
       });
 
       const result = await authClient.getSessionWithDomainCheck(
@@ -9443,7 +9446,8 @@ ca/T0LLtgmbMmxSv/MmzIg==
         secret,
         appBaseUrl: DEFAULT.appBaseUrl,
         routes: getDefaultRoutes(),
-        fetch: getMockAuthorizationServer()
+        fetch: getMockAuthorizationServer(),
+        provider: mockResolverProvider
       });
 
       const result = await authClient.getSessionWithDomainCheck(
@@ -9491,7 +9495,8 @@ ca/T0LLtgmbMmxSv/MmzIg==
         secret,
         appBaseUrl: DEFAULT.appBaseUrl,
         routes: getDefaultRoutes(),
-        fetch: getMockAuthorizationServer()
+        fetch: getMockAuthorizationServer(),
+        provider: mockResolverProvider
       });
 
       const result = await authClient.getSessionWithDomainCheck(
@@ -9552,7 +9557,8 @@ ca/T0LLtgmbMmxSv/MmzIg==
         secret,
         appBaseUrl: DEFAULT.appBaseUrl,
         routes: getDefaultRoutes(),
-        fetch: getMockAuthorizationServer()
+        fetch: getMockAuthorizationServer(),
+        provider: mockResolverProvider
       });
 
       const result = await authClient.getSessionWithDomainCheck(
@@ -9657,7 +9663,8 @@ ca/T0LLtgmbMmxSv/MmzIg==
         secret,
         appBaseUrl: DEFAULT.appBaseUrl,
         routes: getDefaultRoutes(),
-        fetch: getMockAuthorizationServer()
+        fetch: getMockAuthorizationServer(),
+        provider: mockResolverProvider
       });
 
       const result = await authClient.getSessionWithDomainCheck(
@@ -9673,6 +9680,109 @@ ca/T0LLtgmbMmxSv/MmzIg==
         "https://custom-domain.auth0.com/"
       );
     });
+
+    it("should skip backfill in static mode (no provider or static provider)", async () => {
+      const secret = await generateSecret(32);
+      const transactionStore = new TransactionStore({
+        secret
+      });
+
+      const idToken = await new jose.SignJWT({
+        sub: DEFAULT.sub,
+        sid: DEFAULT.sid
+      })
+        .setProtectedHeader({ alg: DEFAULT.alg })
+        .setIssuer("https://example.auth0.com/")
+        .setAudience(DEFAULT.clientId)
+        .setExpirationTime("2h")
+        .setIssuedAt()
+        .sign(DEFAULT.keyPair.privateKey);
+
+      // Pre-MCD session without mcd field
+      const preMCDSession = createSessionData({
+        tokenSet: {
+          accessToken: "at_123",
+          refreshToken: "rt_123",
+          expiresAt: Date.now() + 3600000,
+          idToken
+        },
+        internal: {
+          sid: DEFAULT.sid,
+          createdAt: Date.now()
+        }
+      });
+
+      const mockSessionStore = createMockSessionStore(preMCDSession);
+
+      // Static mode: no provider (or provider with isResolverMode=false)
+      const authClient = new AuthClient({
+        transactionStore,
+        sessionStore: mockSessionStore as any,
+        domain: "example.auth0.com",
+        clientId: DEFAULT.clientId,
+        clientSecret: DEFAULT.clientSecret,
+        secret,
+        appBaseUrl: DEFAULT.appBaseUrl,
+        routes: getDefaultRoutes(),
+        fetch: getMockAuthorizationServer()
+        // no provider — static mode
+      });
+
+      const result = await authClient.getSessionWithDomainCheck(
+        createMockCookies() as any
+      );
+
+      // Session should be returned without backfill — no mcd field added
+      expect(result.error).toBeNull();
+      expect(result.session).toBeDefined();
+      expect(result.exists).toBe(true);
+      expect(result.session?.internal.mcd).toBeUndefined();
+    });
+
+    it("should skip backfill when provider is in static mode", async () => {
+      const secret = await generateSecret(32);
+      const transactionStore = new TransactionStore({
+        secret
+      });
+
+      const preMCDSession = createSessionData({
+        tokenSet: {
+          accessToken: "at_123",
+          refreshToken: "rt_123",
+          expiresAt: Date.now() + 3600000
+        },
+        internal: {
+          sid: DEFAULT.sid,
+          createdAt: Date.now()
+        }
+      });
+
+      const mockSessionStore = createMockSessionStore(preMCDSession);
+
+      const staticProvider = { isResolverMode: false } as any;
+      const authClient = new AuthClient({
+        transactionStore,
+        sessionStore: mockSessionStore as any,
+        domain: "example.auth0.com",
+        clientId: DEFAULT.clientId,
+        clientSecret: DEFAULT.clientSecret,
+        secret,
+        appBaseUrl: DEFAULT.appBaseUrl,
+        routes: getDefaultRoutes(),
+        fetch: getMockAuthorizationServer(),
+        provider: staticProvider
+      });
+
+      const result = await authClient.getSessionWithDomainCheck(
+        createMockCookies() as any
+      );
+
+      // Static mode: no backfill, session returned as-is
+      expect(result.error).toBeNull();
+      expect(result.session).toBeDefined();
+      expect(result.exists).toBe(true);
+      expect(result.session?.internal.mcd).toBeUndefined();
+    });
   });
 
   describe("DPoP lazy validation", () => {

src/server/auth-client.ts

@@ -2200,9 +2200,23 @@ export class AuthClient {
       };
     }
 
-    // Pre-MCD session (no mcd field): infer domain from ID token's iss claim.
-    // This is deterministic — the same session always yields the same domain,
-    // eliminating the race condition where the first resolver output claims it.
+    // Static mode: skip backfill entirely. There is only one domain, so
+    // internal.mcd provides no value and adding it grows the session cookie
+    // (~140 bytes), which can push sessions over the MAX_CHUNK_SIZE boundary
+    // and trigger unnecessary chunking. This preserves DD-2 (zero-overhead
+    // static mode). See: https://github.com/auth0/nextjs-auth0/issues/2595
+    if (!this.provider?.isResolverMode) {
+      return {
+        error: null,
+        session,
+        exists: true
+      };
+    }
+
+    // Resolver mode: pre-MCD session (no mcd field) — infer domain from ID
+    // token's iss claim. This is deterministic — the same session always yields
+    // the same domain, eliminating the race condition where the first resolver
+    // output claims it.
     let inferredDomain: string | undefined;
 
     if (session.tokenSet.idToken) {
@@ -2216,9 +2230,7 @@ export class AuthClient {
       }
     }
 
-    // Fallback: use current AuthClient's domain.
-    // Static mode: always correct (only one domain).
-    // Resolver mode: last resort if idToken absent.
+    // Fallback: use current AuthClient's domain (last resort if idToken absent)
     const domain = inferredDomain ?? this.domain;
 
     session.internal = session.internal || {};