sst / sst

Build modern full-stack applications on AWS

Home Page: https://sst.dev

Create a way to manually validate a Session token

sashalikesplanes opened this issue

I've stumbled upon a use case where I had to pass a JWT token created by Session through a query parameter.

I do not see any way to manually verify if a token was created by Session.

I propose to adjust useSession by changing the signature to useSession(token?: string), but I am not sure how that would interact with Context.memo.

Alternatively, Session.validate(token: string) can be added, which will use the same internals as useSession to validate the token with an identical return type.

Having read through the code in session.ts, I believe I could implement such a feature.

Are you open to merging such a PR? Which approach suits your style better?

commented

Is this for the current Auth construct or future-auth?

@sashalikesplanes The future-auth construct provides a method called Session.verify which does what you are describing.

Though I agree this functionality would be nice to have in the base auth and could probably be pulled out into a common piece of code called in both places, just as it is done in future-auth.

@jayair Is there a plan to make future-auth the primary auth, or is that not part of the roadmap anymore due to the release of SST Ion?

commented

It'll go to Ion first for sure.