Password Reset & Verify Token: In the case of a Redirect, how to set the Referrer-Policy

[rwieruch]

Currently I am implementing the password reset feature in my Next.js application. Lucia's documentation gives us the following code snippet:

const session = await lucia.createSession(user.id, {});
const sessionCookie = lucia.createSessionCookie(session.id);
return new Response(null, {
  status: 302,
  headers: {
    Location: "/",
    "Set-Cookie": sessionCookie.serialize(),
    "Referrer-Policy": "no-referrer"
  }
});

I would like to redirect the user immediately to the login page though without setting the session token (for extra security reasons). However, even though if I would set the cookie and redirect to a protected page, would it still be necessary to set [0]? And yes, how would I do it in a Next Server Action [1]?

[0]

"Referrer-Policy": "no-referrer"

[1]

export const passwordReset = async ( ... ) => {
  ...

  redirect('/sign in');
};

[pilcrowonpaper]

I would just do it just as a safety net.

import { headers } from "next/headers";

headers().set(name, value);

[rwieruch]

I think write operations are not supported for headers: https://nextjs.org/docs/app/api-reference/functions/headers

headers returns a read-only [Web Headers](https://developer.mozilla.org/docs/Web/API/Headers) object.

But nevermind. I'll leave it out for now and maybe someone else finds this discussion and knows a solution to it!

[pilcrowonpaper]

Oh wait totally forgot that it's read only. Then the only option is to use regular API routes, unless Next.js already includes the header by default.