Various issues with refresh token rotation

[mtt87]

Description 🐜

Took me a bit of time but I think I finally understood why we were seeing so many errors related to refreshing the token in our app.

I'm following the suggested setup to refresh tokens https://next-auth.js.org/tutorials/refresh-token-rotation which works fine.

The issue is the broadcasting that if you have more than 1 tab open with your web app, it will trigger a session check for EVERY tab and then you end up triggering the refreshAccessToken() function multiple times simultaneously with the same set of parameters (same refresh_token)

This creates an issue because the first request will be successful and obtain a new access_token paired with a refresh_token while all the other calls that were made will get a 400 since the old refresh_token has just been invalidated by the first successful call.

Simplest way to fix this would be to have the option to disable broadcasting and let each tab try to refresh the session only when focused.

EDIT: 3 scenarios where this is a problem

• broadcasting getSession event when a session refresh is already in flight
• opening a new page when a session refresh is already in flight
• focusing a different tab when a session refresh is already in flight

Check here for a lock mechanism proposed solution:
#2071 (comment)

How to reproduce ☕️

In the app try to set a clientMaxAge of 10 seconds

      <AuthProvider
        session={pageProps.session}
        options={{
          clientMaxAge: 10,
        }}
      >

Then add a log in [...nextauth].js jwt callback

    async jwt(token, user, account, profile) {
      console.log('JWT')

Open 2 tabs and move between them, you will notice that every 10 seconds there are 2 calls being made to refresh the session and 2 console logs

JWT
JWT

I can create a codesandbox later after I finish work if needed but it's pretty simple to verify I believe 😄

I'm using "next-auth": "3.23.3"

[balazsorban44]

If true, that would be a very nice fix! So basically there is a race condition here, where two calls made to the /ap/auth/session endpoint will both try to refresh the token, and the second one finishing fails. Right?

[mtt87]

Yes correct, let me explain it better with a practical example.

Imagine you issue access_token that expire after 10 minute and a refresh_token that lasts for 1 month that you can use to refresh your access_token.

The way it works is that when you exchange the refresh_token you obtain a new access_token but also a new refresh_token, which means that the previous refresh_token is now invalid.

Now imagine a timeline where you have 3 tabs open with the same app my-app.com

00:00 the user opens my-app.com on a tab and login into the app, the user now has a session that contains

{ access_token: "at1", refresh_token: "rt1", expire_in: "15min" }

00:01 the user opens another tab with my-app.com and after a brief check, the user is already logged in because there is a valid session
00:02 the user opens another tab with my-app.com and after a brief check, the user is already logged in because there is a valid session
00:03 the user open another tab with a different website and starts reading an article for 5 minutes
-- 5 min later --
05:00 the user decides to go back to tabA where your app my-app.com is open, this triggers a broadcast of the session event to tell all the other tabs where your app is open to check the session
05:01 all the 3 tabs have made a call and the token is still valid so nothing happens, just to confirm we still have the originally exchanged access_token and refresh_token

{ access_token: "at1", refresh_token: "rt1", expire_in: "15min" }

05:02 the user opens another tab and keeps browsing
-- the user goes out for lunch, 30 min later --
35:00 the user is back from lunch and selects one of the my-app.com open tabs
35:01 the tab broadcasts the session event and all 3 tabs are checking at the same time if the session is valid
35:02 the access_token is now expired so all the 3 check session calls have triggered refreshAccessToken()

1st request is successful: exchange the refresh_token rt1 with a new access_token and refresh_token so the jwt callback is returning the updated token as following

{ access_token: "at2", refresh_token: "rt2", expire_in: "15min" }

2nd and 3rd request fail with 400 because they are trying to use the refresh_token rt1 that has just been invalidated so the jwt callback is returning the updated token as following

{ access_token: "at1", refresh_token: "rt1", expire_in: "15min", error: "RefreshAccessTokenError" }

Now we have 3 big problems:

1. This happens in a window of milliseconds and it can trigger a rate limit, imagine you have 5 tabs open it's 5req/s, generally these auth endpoint have a rate limit to avoid bruteforcing etc
2. We added error to the token and the client now believes that the the refresh token exchange was unsuccessful (we send the user to the login again)
3. We have lost forever the latest correct access_token and refresh_token because the last call that was made returned the previous token with the error

// The function was called with the old token containing "at1" and "rt1"
{ ...token, error: "RefreshAccessTokenError" }

[balazsorban44]

Love the details, make sense! I'll come back to this, thank you!

At the end of the day, I think the main problem here is not the broadcasting, but the race condition. Similar to #1455

[mtt87]

Yes but unfortunately the race condition is not solvable in a stateless serverless environment that’s why I think the only way to solve it is to prevent this from happening due to the broadcasting.

To solve this at the server level we would need a persisted state of the refresh token requests that are in flight in order to stop the subsequent request and instead wait but it starts to become very complex :)

[balazsorban44]

I see, and I was thinking the same. fixing it by making it possible to disable broadcasting is half way, but what about clientside code where after some stale time, let's say two requests are going to an external api and they use the access token from session?

I know react-query does fetch deduplication, so maybe we need to do something similar in our client code?

[mtt87]

I’m using SWR for the requests which works similarly to react-query for the deduplication and that’s fine. The problem imho is not deduplicating on the client side for a single page but trying to deduplicate for all the pages.

I’m trying to think at the problem from a different perspective: how about the broadcast is not saying “hey all tabs please refresh the session” but rather “hey I’m
TabA and I’m going to refresh the session”.
Then all the other tabs can wait for either a success event, and after that they can refresh their session or a fail event which means they should logout.

[balazsorban44]

Don't know if SWR does that, but react-query deduplicates site-wise, using a React Context. (Or by pages I guess you meant tabs?)

What you are saying how to go about broadcasting does sound interesting, and I would rather not introduce new options, if we can work something out transparently for this.

[mtt87]

What you are saying how to go about broadcasting does sound interesting, and I would rather not introduce new options, if we can work something out transparently for this.

Going to bed now, I’ll write down a proposal tomorrow with some scenario

[mtt87]

On my side the main question for you @balazsorban44 is:

What problems are we trying to solve broadcasting the getSession event?

I see, and I was thinking the same. fixing it by making it possible to disable broadcasting is half way, but what about clientside code where after some stale time, let's say two requests are going to an external api and they use the access token from session?

This problem has nothing to do with next-auth because you can have 100 requests to external API at the same time and they will not trigger the jwt() callback even if you are using a lambda to proxy the requests, I just tested the scenario where I have a serverless API that's using getToken() and it doesn't trigger jwt()

async function handler(req: NextApiRequest, res: NextApiResponse) {
  const token = await getToken({
    req,
    secret: process.env.NEXTAUTH_SECRET,
    encryption: true,
    signingKey: process.env.NEXTAUTH_SIGNIN_KEY,
    encryptionKey: process.env.NEXTAUTH_ENCRYPTION_KEY,
  })
  // call the API with the access_token contained in the encrypted token object
  ...
}

---

Writing down the full picture so if someone wants to read they have more context.

Refresh token rotation scenario

A session is based on session cookies that are set on successful login by the server lambda.

__Secure-next-auth.session-token
__Host-next-auth.csrf-token
__Secure-next-auth.callback-url

The most common scenario is the oAuth based authentication where an oAuth provider on successful login will issue an access_token and a refresh_token.

If you want to have a completely stateless authentication (no databases needed) then you will add these tokens to the JWT.
Due to the nature of these artifacts, it's not a good idea to put them plain unencrypted in a JWT but rather use an encrypted JWT (JWE).

Next-auth supports this by adding

jwt: {
  encryption: true,
  secret: process.env.NEXTAUTH_SECRET,
  signingKey: process.env.NEXTAUTH_SIGNIN_KEY,
  encryptionKey: process.env.NEXTAUTH_ENCRYPTION_KEY,
},

Next-auth uses the jwt() callback to control this, so in the case of a scenario where you have a refresh token you want to add a check to make sure if the access_token is expired, try to refresh it and return the new access_token and refresh_token.

Note: the jwt() callback is triggered every time the user is checking the session, either by calling getSession() or with the useSession() hook.
What they do is calling GET /api/auth/session behind the scenes.

async jwt(token, user, account, profile) {
  // Return previous token if the access token has not expired yet
  if (Date.now() < token.expiresAt) {
    return token
  }
  // Access token has expired, try to update it
  return refreshAccessToken(token)
},

refreshAccessToken() is a function to exchange the refresh_token for a new pair of access_token and refresh_token that are returned and included in the updated encrypted JWT (JWE).
Important: the previous refresh_token is instantly invalidated.

async function refreshAccessToken(token: JWT) {
  try {
    const refreshedTokens = await request(...)
    return {
      ...token,
      accessToken: refreshedTokens.access_token,
      expiresAt: Date.now() + refreshedTokens.expires_in * 1000,
      refreshToken: refreshedTokens.refresh_token ?? token.refreshToken, // Fall back to old refresh token
    }
  } catch (err) {
    return {
      ...token,
      error: 'RefreshAccessTokenError',
    }
  }
}

Next-auth broadcasting

Next-auth creates automatically a broadcast channel on every tab you open with the same web app.
https://github.com/nextauthjs/next-auth/blob/main/src/client/index.js#L39
Every tab is listening for 2 session events:

• getSession: this is broadcasted whenever you unfocus and focus back one of the tabs where your web app is running, telling the other tabs that they should check their session and in the scenario where you have 3 tabs open it will trigger simultaneously 3 API calls to check the session
• signout: this is telling the other tabs that the user is not longer logged in so they should sync and logout the user as well

Broadcasting issue with refresh tokens

If you have 3 tabs checking the session and triggering the jwt() callback 3 times in the same moment, it means that there are 3 refreshAccesstoken() being called, which means that there are 3 API calls to exchange the token, all of them with the same refresh_token currently available.

1st call: 200 successful, receives the new access_token and refresh_token that are returned and added to the encrypted JWT to substitute the existing access_token and refresh_token.
2nd call: 400 error, the refresh_token used to call the function is now invalid as it's just been used. We add the key error: "RefreshAccessTokenError" that's added to the session so the frontend now believes that the user needs to signin from scratch.
3rd call: 400 error, same as above

The problem is that the 2nd and 3rd call are basically "overwriting" the 1st call and now the latest JWT contains the error and the wrong tokens. The refreshed tokens are now lost and unrecoverable.

Serverless stateless environment

It's important to understand that we are in a stateless serverless environment.
We cannot assume that the 3 check session calls mentioned above are going to the same lambda function, they could be different lambda function and all of them are isolated.
We want to keep a stateless auth so there are no databases involved and nothing can be persisted due to the ephemeral nature of a lambda function.

Proposed solution: option to disable broadcasting some events

If we add an option to disable the broadcasting of the getSession event, we can prevent this from happening at the root.
What does it mean in a scenario where we have 3 tabs?
1st tab that gets focus will check the session and trigger a refresh token and update the session accordingly.
2nd tab and 3rd tab are not aware this happened BUT because updating the session with the new tokens basically means to update the cookies, the 2nd and 3rd tab got the session updated automatically in case they have some background stuff (for example they are polling an API from time to time)
When the user opens the 2nd tab it will check its session and nothing happens as the cookie has already been updated with the new tokens not yet expired, same would happen to the 3rd tab.
Since we are still broadcasting the signout event, in case the user decides to logout or their tokens are expired and can't be refreshed, all the other tabs will still be notified.

[mtt87]

@balazsorban44 sorry to bother you, did you have a chance to read my last comment?
My question for you: what problems are we trying to solve broadcasting the getSession event?

[balazsorban44]

Will have a proper read of this in the next few days, I hope. I actually just had to deal with this problem at work, came to a conclusion and used some different approaches, but ultimately I think supporting token rotation will be something that will need some more thinking. This has certainly become rather a feature request than a bug.

[mtt87]

Thanks for the update, I see your point, on my side I was more inclined to define this a bug since refreshing a token feels to me like a basic necessity rather than an "additional feature" for modern web apps 😄
Anyway I'll wait for your next reply and once agreed on the approach I'm happy to contribute if need my help.

[balazsorban44]

I would only call it a bug, if the functionality is already built-in, but do not deliver what it is meant to. A feature request is when we want to introduce a functionality that hasn't existed yet in the library. We still do not have built-in token rotation, and partially from the above mentioned issues, it is not trivial at the moment.

I have looked around the web to see how others are doing it, and honestly, I haven't found a go-to solution. The main problem here be it tab sync or other reasons of race conditions, when a token refresh is in flight and a new request wants an updated token, the old refresh token will be used again, which will lead to a problem.

According to my findings, the only way to avoid this is orchestrating (read deduplication) the client-side requests to /api/auth/session. In our case at work, we are using https://github.com/nextauthjs/react-query which does deduplication automatically. Basically you want to make sure that whenever a request goes to /api/auth/session, other calls rather "subscribe" to that response, than start a new request. When using https://github.com/nextauthjs/react-query broadcasting is avoided as we don't need the useSession hook from next-auth/client (which is the source of the broadcasting logic).

To answer the question

what problems are we trying to solve broadcasting the getSession event?

I have to say I am not 100% sure what real-life use cases @iaincollins have looked at when he originally implemented it, but he probably had a reason. Unfortunately, I wasn't around then yet, so I cannot give an honest answer, maybe if Iain sees this thread one day, he can explain it. Until then, if an option to disable this behavior helps us here in any way, I am all for it, but I don't think it will be enough.

I think if we want to move forward with built-in token rotation, we will need to complicate our clilent-side code slightly, so it handles deduplicated requests to /api/auth/session correctly. I don't think it would be as easy as it sounds, but I might be wrong. In any case, I would like to hold this off until we have a better client implementation #1473

[mtt87]

Sorry but unless there is something that I didn’t understand, I don’t think what you are saying is correct and you might not be looking at the problem from the correct angle.
The problem doesn’t exist when you have a single tab open but only when you have multiple tabs.
When you have a single tab open, since you are wrapping the entire application in the session provider, it looks like even with multiple components depending on useSession you only get 1 api call.
As mentioned before even when calling a lambda API and using getToken utility, that doesn’t trigger a session update as it doesn’t trigger the JWT callback.
Deduplicating requests on a single tab is definitely possible as you said with stuff like react-query or useSWR, but it seems completely irrelevant to the problem.
The problem will still be there unless you deduplicate across ALL the open tabs.

EDIT: I saw your edit after and the reply to my answer, thank you 😄

Thanks for your time and patience

[balazsorban44]

OK, so we might have diverged at to react-query before I managed to check that the built-in Provider actually de-duplicates in a single tab scenario, but after some thinking, yes, it's probably true (https://next-auth.js.org/getting-started/client#options).

So in theory, a single boolean flag to disable broadcasting would do it then? Unless there is a more complicated way that would make it possible to de-duplicate even across open tabs? 😄

[AJMcKane]

Is there any update on this? I'm able to replicate this issue on a single tab wherein I have two components on a page that both call useSession()

What's I'm able to replicate is that the initial sign-on works, the first refresh also works. I've modified this call to always call the refresh, so that I don't have to wait X minutes, but I'm observing the behaviour even if I do wait.

I.E

  callbacks: {
    async jwt({ token, account }) {

      console.log("account refresh token", account?.refresh_token)
      console.log("token in jwt callback", token?.refreshToken)

      if (account?.id_token) {
        token.idToken = account?.id_token
      }

      if (account?.access_token) {
        token.accessToken = account?.access_token
      }

      if (account?.refresh_token) {
        token.refreshToken = account?.refresh_token
      }

      if(account?.expires_at) {
        token.accessTokenExpires = new Date(account?.expires_at * 1000).getTime()        
      }

      // if (Date.now() + 60000 < token.accessTokenExpires) {
      //   return token
      // }
      return refreshAccessToken(token)
    }

Combined with the refresh code (which has been taken from the OAuth rotation guide), ends up with logs like so:

--- initial signIn Callback, account populated
account refresh token A882C9821239480A3654B8FC0CE9032C687F4418315F0D13F10754756C86C590
token in jwt callback undefined

--- First refreshAccessToken call
refreshToken Passed to Server A882C9821239480A3654B8FC0CE9032C687F4418315F0D13F10754756C86C590
token persisted 54616CA1EAA0AED6B62C3DEC74D65000109BCD862B5A66A886C0C7DC5CDD7324

--- Second refreshAccessToken Call
account refresh token undefined
token in jwt callback 54616CA1EAA0AED6B62C3DEC74D65000109BCD862B5A66A886C0C7DC5CDD7324
refreshToken Passed to Server 54616CA1EAA0AED6B62C3DEC74D65000109BCD862B5A66A886C0C7DC5CDD7324
token persisted 85CE38B3CEA6E6560E61676B494061F165296E26C7CD0B3F4838E6AC6B8C644C

---  Third refreshAccessToken call, uses the result of the first refreshAccessToken call, instead of the second. 

token in jwt callback 54616CA1EAA0AED6B62C3DEC74D65000109BCD862B5A66A886C0C7DC5CDD7324
refreshToken Passed to Server 54616CA1EAA0AED6B62C3DEC74D65000109BCD862B5A66A886C0C7DC5CDD7324
{ error: 'invalid_grant' }

[filmerjarred]

I also wished to disable the broadcast event (for reasons other than token refresh issues) and found a way to do it. If you ensure this code runs before the nextauthjs package, it will prevent the page receiving and broadcasting auth change events.

// prevent receiving
window.addEventListener("storage", (event) => {
  const message = JSON.parse(event.newValue ?? "{}")
  if (message?.event !== "session" || !message?.data) return
  
  event.stopImmediatePropagation()
  console.log('blocked receiving nextjs-auth storage message', event.newValue)
})

// prevent sending
const originalSetItem = localStorage.setItem.bind(localStorage)
localStorage.setItem = (key, value) => {
  if (key !== "nextauth.message") {
    return originalSetItem(key, value)
  }

  console.log('blocked nextjs-auth storage message', key, value)
}

[lhammarstrom]

Would a potential solution (instead of using Redis) be to use locks with a key corresponding to the user? Some pseudo-code would be:

async jwt({ token, user }) {
    if (user) {
        return { ...user };
    }

    const key = `token-${token.user.email}`;
    const lock = semaphore.acquire(key);

    try {
        lock.waitForUnlock();
        if (tokenIsValid(token)) {
            lock.release();
            return token;
        }

        const refreshedToken = await refreshAccessToken(token);
        lock.release();

        return refreshedToken;
    }
    catch {
        lock.release();
    }
},

Essentially, you acquire a lock and release it after you've gotten your token. Would a library like async-mutex work well for this or would the application get bogged down? I'm used to C# so using semaphores is pretty standard, but get kind of lost with this JS/TS stuff.

[lhammarstrom]

I found a solution that is provider agnostic using async-lock, where the finished product would look something like this:

async jwt({ token, user }) {
    // Will be called on first login, return data from authorize method
    if (user) {
        const jwt = { ...user };
        const key = constructKey(jwt.user.email);

        cache.set<JWT>(key, jwt);
        return jwt;
    }

    if (tokenIsValid(token)) {
        return token;
    }

    let jwt: JWT = {
        ...token,
        error: LOGIN_ERRORS.REFRESH_ERROR,
    };

    const key = constructKey(token.user.email);
    await lock.acquire(key, async () => {
        const currentToken = cache.get<JWT>(key);
        if (!currentToken) {
            return;
        }

        // When this endpoint is called concurrently, the previous request
        // can sometimes already have updated the token in the cache, in that
        // case returned the already cached token
        if (tokenIsValid(currentToken)) {
            jwt = currentToken;
            return;
        }

        // If it's the first request to refresh the tokens then
        // we get new tokens using the refresh endpoint
        const refreshedTokens = await refreshAccessToken(currentToken);

        // Save the new JWT to the cache
        cache.set<JWT>(key, refreshedTokens);

        // Return new JWT token
        jwt = refreshedTokens;
    });

    return jwt;
}

The only thing to implement there is the cache provider, which it seems needs to be somewhere other than in here so that the cache is not destroyed when in dev mode. I believe something like this would be agnostic enough to be included in the standard library without causing too much of an issue. I.E using a form of queue-system to implement the locking and then insert a provider for the cache which implements an interface for getting / setting keys. Also not agaisnt having this stay in user land, but to document it properly as this is a major PIA

[vanenshi]

This seems like a good idea to use the email or id as the lock, but this solution is not going to work for all the users, some tokens are encrypted and hence not readable.
so I was thinking maybe we can generate an instance-id for each browser and use it to understand the request scope. we have to save this instance-id in the cookies to be able to use it, and it will not going to get change. using this solution we might be able to use it regardless of the structure of the token.

[lhammarstrom]

That's fair and I have had the same thoughts but never bothered to implement it. It's not too hard to generate a UUID for each session and keep track of it. This also solves the issue of having multiple sessions across devices.

[todesignandconquer]

If you're using Next.js 13 and the App Router, you can add time-based revalidation with some arbitrary amount to your refresh access token fetch call and it won't call it twice (or more) under all scenarios (single tab, multiple tab). Reason being due to the built-in cache functionality of Next.js 13 in conjunction with a revalidate minimum option, it will recognize the same input parameters (meaning your old refresh token in the body) and won't call it again.

https://nextjs.org/docs/app/building-your-application/caching#time-based-revalidation

[Thanaen]

Unfortunately, I have the impression that the invocations of the JWT callback are so close that the second invocation will systematically miss the data cache :(

[mohammedsafvan]

For me the issue is purely on refreshing the page, or opening a new tab after expiration. if the access_token expired then it will try to fetch new access_token using refresh_token. the refreshing of the page triggers around 3 session checking.

all gives the previous token (expired). so the first one successfully refreshes the token, then the second one (it is also the expired one), so it will try for a refresh_token rotation, but the the first one already redeemed the refresh_token, so it will give an error.(For me it is on the 3rd one Don't know why, may be the token endpoint issue)

The solution I did

i used a map, if a refresh_token rotation occured then it will save the refresh token and newTokenSet as key value pairs, But the lifespan of each entry would be around 2 to 3 seconds. now in the jwt callback if an expired token arrives , it will check if the current refresh_token is present in the map keys, if it is then return from the map, if it is not then fetch a new access_token and save it to the map.

Please note that I only need the access_token in the server so no need to pass it to the session. It is working.But needed others thoughts on this

[mohammedsafvan]

the problem solved by disabling ssr. Now I don't need a caching mechanism

[nguyenhuugiatri]

My solution:

import mem from 'mem'

export const refreshTokenAPI = mem(
  async (tokenType: string, refreshToken: string) => {
    return publicRequest<TAuthToken>('/user/auth/refresh', {
      method: 'POST',
      headers: {
        Authorization: `${tokenType} ${refreshToken}`,
      },
    })
  },
  {
    maxAge: 1_000,
    cacheKey: (arguments_) => arguments_.join(','),
  }
)


  callbacks: {
    async jwt({ token, user }) {
      if (user) {
        token.user = user
        return token
      }

      const isTokenStillValid = token.user.expiredAt - getCurrentTimeStamp() > 0

      if (isTokenStillValid) return token

      try {
        const { accessToken, refreshToken, expiredAt, tokenType } =
          await refreshTokenAPI(token.user.tokenType, token.user.refreshToken)

        return {
          user: {
            ...token.user,
            accessToken,
            refreshToken,
            tokenType,
            expiredAt: expiredAt - REFRESH_TOKEN_OFFSET,
          },
        }
      } catch {
        return {
          ...token,
          error: REFRESH_TOKEN_EXPIRED_ERROR,
        }
      }
    },
  },

[etnichols]

@nguyenhuugiatri could you explain a little bit more on how this solution works in the serverless environment (i.e. Next API routes)? I guess I'm a little confused how the mem package functions in a serverless context, as it requires persistent memory in order to cache values. Is this relying on a serverless function being "warm", and thus allowing multiple requests to access the cache?

I don't totally understand how Next chooses to spin up, re-use, and tear down serverless function execution contexts, but the issue i see here is an edge case where Request 1 refreshes the token (and caches value), but Request 2 _executes in an entirely different serverless function, thus fails to hit the cache.

[etnichols]

See @mtt87's comments on lambdas here: #3940 (comment)

[gera-cl]

@nguyenhuugiatri it works for me, thank you. I use memoizerific instead of memoize but is the same logic

[sophieqgu]

This stopped working for me :(

[jdmnk]

I can confirm this works, I was able to achieve the same result by using memoizee. I'm running next-auth v5.

import memoize from 'memoizee'

export const memRefreshToken = memoize(refreshTokenFn, {
  maxAge: 60 * 1000, // clear cache after 1 minute or whatever works for you
  promise: true, // this is important (set to 'true' if your fn returns a promise)

  // custom hash for caching
  normalizer: function (args) {
    // args is arguments object as accessible in memoized function
    return JSON.stringify(args[0].refreshToken)
  }
})

You might run into issues running this on Edge runtime though. I had to avoid doing that entirely because otherwise my app wouldn't build (removed auth from middleware).

[NanningR]

@nguyenhuugiatri @VGontier-cmd @ARJohnsonKwik @mohammedsafvan

A cleaner solution is to use middleware.ts, as it's more inline with the official next.js docs: https://nextjs.org/docs/pages/building-your-application/authentication

Solution available here (hats off to the guy Rinvii who first came up with it): #9715

In short, you implement the refresh token rotation logic in middleware, and force getServerSession() to read the new session and send it back to the browser by setting the cookies. You do something like this:

import { NextResponse, type NextMiddleware, type NextRequest } from "next/server";
import { encode, getToken, type JWT } from "next-auth/jwt";

import {
	admins,
	SESSION_COOKIE,
	SESSION_SECURE,
	SESSION_TIMEOUT,
	SIGNIN_SUB_URL,
	TOKEN_REFRESH_BUFFER_SECONDS
} from "./config/data/internalData";

let isRefreshing = false;

export function shouldUpdateToken(token: JWT): boolean {
	const timeInSeconds = Math.floor(Date.now() / 1000);
	return timeInSeconds >= token?.expires_at - TOKEN_REFRESH_BUFFER_SECONDS;
}

export async function refreshAccessToken(token: JWT): Promise<JWT> {
	if (isRefreshing) {
		return token;
	}

	const timeInSeconds = Math.floor(Date.now() / 1000);
	isRefreshing = true;

	try {
		const response = await fetch(process.env.AUTH_ENDPOINT + "/o/token/", {
			headers: { "Content-Type": "application/x-www-form-urlencoded" },
			body: new URLSearchParams({
				client_id: process.env.CLIENT_ID,
				client_secret: process.env.CLIENT_SECRET,
				grant_type: "refresh_token",
				refresh_token: token?.refresh_token
			}),

			credentials: "include",
			method: "POST"
		});

		const newTokens = await response.json();

		if (!response.ok) {
			throw new Error(`Token refresh failed with status: ${response.status}`);
		}

		return {
			...token,
			access_token: newTokens?.access_token ?? token?.access_token,
			expires_at: newTokens?.expires_in + timeInSeconds,
			refresh_token: newTokens?.refresh_token ?? token?.refresh_token
		};
	} catch (e) {
		console.error(e);
	} finally {
		isRefreshing = false;
	}

	return token;
}

export function updateCookie(
	sessionToken: string | null,
	request: NextRequest,
	response: NextResponse
): NextResponse<unknown> {
	/*
	 * BASIC IDEA:
	 *
	 * 1. Set request cookies for the incoming getServerSession to read new session
	 * 2. Updated request cookie can only be passed to server if it's passed down here after setting its updates
	 * 3. Set response cookies to send back to browser
	 */

	if (sessionToken) {
		// Set the session token in the request and response cookies for a valid session
		request.cookies.set(SESSION_COOKIE, sessionToken);
		response = NextResponse.next({
			request: {
				headers: request.headers
			}
		});
		response.cookies.set(SESSION_COOKIE, sessionToken, {
			httpOnly: true,
			maxAge: SESSION_TIMEOUT,
			secure: SESSION_SECURE,
			sameSite: "lax"
		});
	} else {
		request.cookies.delete(SESSION_COOKIE);
		return NextResponse.redirect(new URL(SIGNIN_SUB_URL, request.url));
	}

	return response;
}

export const middleware: NextMiddleware = async (request: NextRequest) => {
	const token = await getToken({ req: request });
	const isAdminPage = request.nextUrl.pathname.startsWith("/epa");
	const isAuthenticated = !!token;

	let response = NextResponse.next();

	if (!token) {
		return NextResponse.redirect(new URL(SIGNIN_SUB_URL, request.url));
	}

	if (shouldUpdateToken(token)) {
		try {
			const newSessionToken = await encode({
				secret: process.env.NEXTAUTH_SECRET,
				token: await refreshAccessToken(token),
				maxAge: SESSION_TIMEOUT
			});
			response = updateCookie(newSessionToken, request, response);
		} catch (error) {
			console.log("Error refreshing token: ", error);
			return updateCookie(null, request, response);
		}
	}

	if (isAdminPage && isAuthenticated && !admins.includes(token.email!)) {
		return NextResponse.redirect(new URL("/forbidden", request.url));
	}

	return response;
};

export const config = {
	matcher: ["/dashboard/:path*", "/epa/:path*"]
};

Make sure you read all the comments on the references page to apply this to your situation

[maxbec]

I tried to use redis and redlock for that issue. But it is not working due to the edge runtime limitation. Maybe someone of you guys has an idea how to use redlock with authjs?

[asif-jalil]

This solution works for me. Thank you

[ghost]

@NanningR thanks for the solution, it is working for me.
But tbh I don't understand why it is working (sorry if the reason is obvious, I'm kind of new to NextJS/React).
I tried to implement the refresh logic and lock mechanism in the JWT callback but multiple requests would pass the isRefreshing lock at the same time.
Why in middleware level, this issue not happen?

[NanningR]

@tungnt-1562 It's mentioned here: #9715 (reply in thread)

That thread in general contains more information about this solution, as well as the process of how it came to be.

[luco]

This works! But does it work with SSO such as Google?

[asopromadze]

[Vitto-Mazeto]

It worked for me! And no other solution was working. Thanks!

[emreakdas]

@Vitto-Mazeto can you share the solution?

[asopromadze]

Sorry guys i deleted it
At dev environment it works. problem is when some api call returns 401, next-auth triggers and tries to refresh it at serverside.
I was checking only for one client.

My solution is vercel has Redis KV database option, You can use it and save every incoming refresh request queue,

• here my previous answer, but instead of tokenCache and refreshQueue, you need some kind of service to save all client requests

const tokenCache = new Map();
// Flag to indicate if a refresh is in progress
let isTokenRefreshing = false;
// Queue to store pending refresh requests
const refreshRequestQueue = new Map();
async function CloudProviderJWT({ token, account }: JWTCallBackInput) {
  if (account && account.id_token) {
    const { status, jwt } = await tokens(account.id_token as string);
    if (status === TokeResponseStatuses.OK) {
      return Object.assign(token, jwt);
    }
    return Promise.reject("An Error occurred, try again later");
  }
  if (Date.now() < (token.accessTokenExpires as number)) {
      return token;
  }
  const key = token.refreshToken as string;
  // Check if there's already a cached token for this key
  if (tokenCache.has(key)) {
    return tokenCache.get(key);
  }
  // If refresh is in progress, wait for it to complete
  if (isTokenRefreshing) {
    await new Promise((resolve) => {
      refreshRequestQueue.set(key, resolve);
    });
    // get valid token from cahce
    return tokenCache.get(key);
  }
  // Set the refresh flag to indicate that a refresh is in progress
  isTokenRefreshing = true;
  const { jwt, error } = await refresh(key);
  const newToken = error
    ? Object.assign(token, { error })
    : Object.assign(token, jwt);
  // clear the cache
  tokenCache.clear();
  // Store the new token in the map
  tokenCache.set(key, newToken);
  // Resolve any pending refresh requests
  const resolveFunc = refreshRequestQueue.get(key);
  if (resolveFunc) {
    resolveFunc();
  }
  isTokenRefreshing = false;
  refreshRequestQueue.clear();
  return newToken;
}

[ryannovarypradana]

pleasee help me, i can't refresh my token

my middleware :

import axios, { AxiosRequestConfig } from "axios";
import { getToken, encode, type JWT } from "next-auth/jwt";
import { NextFetchEvent, NextMiddleware, NextRequest, NextResponse } from "next/server";

export const SIGNIN_SUB_URL = "/login"; // Adjust this as needed
export const SESSION_TIMEOUT = 60 * 60 * 24 * 30; // 30 days
export const TOKEN_REFRESH_BUFFER_SECONDS = 60; // 1 minute
export const SESSION_SECURE = process.env.NEXTAUTH_URL?.startsWith("https://");
export const SESSION_COOKIE = SESSION_SECURE ? "__Secure-next-auth.session-token" : "next-auth.session-token";

// Check if the token is close to expiration and needs refreshing
export function shouldUpdateToken(token: JWT): boolean {
  const timeInSeconds = Math.floor(Date.now() / 1000);
  return timeInSeconds >= 120 * 1000 - TOKEN_REFRESH_BUFFER_SECONDS;
}

// Refresh the access token by calling the backend refresh endpoint
export async function refreshAccessToken(token: JWT): Promise<JWT> {
  const baseUrl = process.env.REACT_APP_API_URL;
  const url = baseUrl + '/v1/user/token-refresh';
  const tokenAccess = token.tokenAccess;

  try {
    const config: AxiosRequestConfig = {
      headers: {
        'Content-Type': 'application/json',
        'Authorization': `Bearer ${tokenAccess}`,
      },
    };

    // Await the refresh request
    const response = await axios.get(url, config);

    if (response.status === 200) {
      console.log('Successfully got a new token:', response.data.new_token.token);

      // Return the new token structure
      return {
        ...token,
        tokenAccess: response.data.new_token.token,
        expires_in: Math.floor(Date.now() / 1000) + 120 * 1000, // Update token expiration time
        refreshToken: response.data.new_token.token ?? token.refreshToken, // Use new refresh token if available
      };
    } else {
      console.log('Failed to get new token:', response.status, response.data);
      throw new Error('Failed to refresh token');
    }
  } catch (e) {
    console.error("Error refreshing token: ", e);
    throw new Error('Error refreshing token');
  }
}

// Update the session token cookie in the response
export function updateCookie(
  sessionToken: string | null,
  request: NextRequest,
  response: NextResponse
): NextResponse {
  if (sessionToken) {
    response.cookies.set(SESSION_COOKIE, sessionToken, {
      httpOnly: true,
      maxAge: SESSION_TIMEOUT,
      secure: SESSION_SECURE,
      sameSite: "lax",
    });
  } else {
    response.cookies.delete(SESSION_COOKIE);
    response = NextResponse.redirect(new URL(SIGNIN_SUB_URL, request?.url));
  }

  return response;
}

// Main middleware with authentication and token refresh logic
export default function withAuth(
  middleware: NextMiddleware,
  requireAuth: string[] = []
) {
  return async (req: NextRequest, next: NextFetchEvent) => {
    const pathname = req.nextUrl.pathname;

    if (requireAuth.includes(pathname) || pathname.startsWith('/admin') || pathname === '/login' || requireAuth.some(route => pathname.startsWith(route))) {
      const token = await getToken({ req, secret: process.env.NEXTAUTH_SECRET });

     

      if (!token) {
        if (pathname === '/login') {
          return middleware(req, next);
        }
        const url = new URL(SIGNIN_SUB_URL, req.url);
        return NextResponse.redirect(url);
      } else {
        if (pathname === '/login') {
          const url = new URL('/', req.url);
          return NextResponse.redirect(url);
        }

        if (pathname.startsWith('/admin') && token.role !== 'YWRtaW4=') {
          const url = new URL('/', req.url);
          return NextResponse.redirect(url);
        }

        // Token refresh logic
        if (shouldUpdateToken(token)) {
          try {
            const refreshedToken = await refreshAccessToken(token);
        
            if (!refreshedToken) {
              console.error("Error refreshing token");
              return updateCookie(null, req, NextResponse.next());
            }

            if (refreshedToken && refreshedToken.tokenAccess) {
              const newSessionToken = await encode({
                secret: process.env.NEXTAUTH_SECRET!,
                token: refreshedToken,
                maxAge: SESSION_TIMEOUT,
              });

              return updateCookie(newSessionToken, req, NextResponse.next());
            } else {
              console.error("Refreshed token is invalid", refreshedToken);
              return updateCookie(null, req, NextResponse.next());
            }
          } catch (error) {
            console.error("Error refreshing token: ", error);
            return updateCookie(null, req, NextResponse.next());
          }
        }
      }
    } else {
      return middleware(req, next);
    }

    return middleware(req, next);
  };
}

my main middleware :

import { key, timeEncryptKey, tokenEncryptKey, userEncryptKey } from '@/lib/cryptoJs/encrypt'
import { getLocalStorage } from '@/lib/localStorage/page'
import { useSession } from 'next-auth/react';
import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'
import withAuth from './middlewares/withAuth';


export async function mainMiddleware(req: NextRequest) {

  const res = NextResponse.next();
  return res;
}
export default withAuth(mainMiddleware, [
  "/admin",
  "/cart",
  "/checkout",
  "/checkout/payment/[number]",
  "/loyalty",
  "/settings",
]);

my auth :

import type { NextAuthOptions } from 'next-auth';
import CredentialsProvider from 'next-auth/providers/credentials';
import AuthService from '@/app/service/authService';
import axios, { AxiosRequestConfig } from 'axios';
import { setLocalStorage } from '@/lib/localStorage/page';

let isRefreshing = false;
let refreshPromise: Promise<any> | null = null;

export async function refreshAccessToken(token: any) {
  console.log('refresh token in process');
  // console.log('access token: ' + token.tokenAccess);
  // console.log('refresh token: ' + token.refreshToken);

  if (isRefreshing) {
    console.log('Refresh token is currently running, skip refresh');
    return refreshPromise;
  }

  console.log('Processing the refresh token');

  const baseUrl = process.env.REACT_APP_API_URL;
  try {
    const url = baseUrl + '/v1/user/token-refresh';
    const tokenAccess = token.tokenAccess;
    console.log('Token sent for refresh:', tokenAccess);

    const config: AxiosRequestConfig = {
      headers: {
        'Content-Type': 'application/json',
        'Authorization': `Bearer ${tokenAccess}`,
      },
    };

    isRefreshing = true; // Set flag to true to prevent double refresh token

    // Start the refresh process and save to refreshPromise so other requests can wait
    refreshPromise = axios.get(url, config)
      .then((res) => {
        if (res.status === 200) {
          // console.log('Successfully got a new token:', res.data.new_token.token);

          // Reset flag after refresh is complete
          isRefreshing = false;
          refreshPromise = null;

          // Return the new token
          return {
            ...token,
            tokenAccess: res.data.new_token.token,
            expires_in: Date.now() + 120 * 1000, // Update token expiration time
            refreshToken: res.data.new_token.token ?? token.refreshToken, // Use new refresh token if available
          };
        } else {
          console.log('Failed to get new token:', res.status, res.data);
          throw new Error('Failed to refresh token');
        }
      })
      .catch((error) => {
        console.error('Error refreshing token:');
        // console.error('Error refreshing token:', error.response ? error.response.data : error.message);

        isRefreshing = false; // Reset flag when error occurs
        refreshPromise = null;

        // Return token with error
        return {
          ...token,
          error: 'RefreshAccessTokenError',
        };
      })

    return refreshPromise;
  } catch (error: any) {
    console.error('Failed to get new token, catch error:', error.message);

    isRefreshing = false;
    refreshPromise = null;

    return {
      ...token,
      error: "RefreshAccessTokenError",
    };
  }
}

export const authOptions: NextAuthOptions = {
  session: {
    strategy: "jwt",
    // maxAge: 120,
  },
  jwt: {
    secret: process.env.NEXTAUTH_SECRET,
  },
  providers: [
    CredentialsProvider({
      name: "Credentials",
      credentials: {
        email: { label: "Email / No Handphone", type: "email" },
        password: { label: "Password", type: "password" },
      },
      async authorize(credentials) {
        const payload = {
          user: {
            email_phone: credentials!.email,
            password: credentials!.password
          }
        }
        const res = await AuthService.handleLogin(payload);
        if (res.status === 200) {
          const user = {
            id: res.data.data.user_id,
            role: res.data.data.user_type,
            tokenAccess: res.data.data.access_token,
            // expires_in: res.data.data.expires_in,
            expires_in: Date.now() + 120 * 1000, // hardcoded for access token to be 2 minutes for now
            dataUser: res.data.data.user,
          }
          console.log('this is user', user)
          return user;
        } else {
          return null
        }
      }
    })
  ],
  callbacks: {
    async jwt({ token, account, user, trigger, session }: any) {

      // This will be for updating profile
      if (trigger === 'update') {
        token.dataUser = session.user.dataUser;
      }

      if (account && user) {
        if (account?.provider === 'credentials') {
          token.id = user.id;
          token.role = user.role;
          token.tokenAccess = user.tokenAccess;
          token.expires_in = user.expires_in;
          token.dataUser = user.dataUser;
          token.refreshToken = user.tokenAccess;

          if (typeof window !== 'undefined') {
            localStorage.setItem('tokenAccess', user.tokenAccess);
            localStorage.setItem('refreshToken', user.tokenAccess);
          }
        }
      }
      console.log('this is current token', token.tokenAccess)
      console.log(token.expires_in)
      console.log('this is current time', Date.now())
      const bufferTime = 60 * 1000; // 60 seconds

      // Check if token is about to expire (less than bufferTime)
      if (Date.now() < token.expires_in) {
        // console.log('token', token)
        return token; // Token is still valid, no need to refresh


      }



      if (token.error === "RefreshAccessTokenError") {
        console.log("Token refresh already failed, not trying again.");
        return token;
      }

      console.log('Token before update:', token.tokenAccess);
      const refreshedToken = await refreshAccessToken(token);
      console.log('Token after update on refresh token:', refreshedToken.tokenAccess);
      console.log('Token after update on token:', token.tokenAccess);
      if (refreshedToken.error) {
        // If refresh fails, mark token with error to not try again
        token.error = refreshedToken.error;
      }

      // return refreshAccessToken(token);
      return token
      // return refreshedToken;
    },

    async session({ session, token }: any) {

      localStorage.setItem('session', session);

      

      if (token) {
        // session.user.dataUser = token.dataUser;
        // session.user.role = token.role;
        // session.accessToken = token.tokenAccess;
        // session.error = token.error;

      

        if ("dataUser" in token) {
          session.user.dataUser = token.dataUser;

        }
        if ("role" in token) {
          session.user.role = token.role;
        }
        if ("tokenAccess" in token) {
          session.user.name = token.tokenAccess; // access token is stored in the name variable in session data
        }
        if ("expires_in" in token) {
          session.user.expires_in = token.expires_in;
        }
        if (token) {
          session.accessToken = token.tokenAccess as string}
      }
      session.error = token.error
      // console.log(session, 'ini token dari session')
      return session
    }
  },
  pages: {
    signIn: "/login",
  },
}

[luco]

Same here. Token doesn't update.

[serolgames]

Hello everyone,

We are almost in 2025 and there is still no solution to this issue.
Is there a real working solution out there ? I tried to implement a lock system but it doesn't work 100% of times.

Someone that has a fully 100% working code can share it so we can end this issue please ?

[DenisHannig]

Hello everyone,

I believe I’ve found a possible workaround that works for me.

I introduced a new variable called currentRefreshToken. Whenever I receive a new refresh_token, I assign it to this variable.

Could someone test and confirm if this workaround works for you as well?

Here’s my current implementation:

...

let currentRefreshToken: string = null;

const callbacks: Partial<CallbacksOptions> = {

    async jwt({ token, account, user }) {
        if (account) {
            // called on login
            currentRefreshToken = account.refresh_token; // <-- here I'm already setting the currentRefreshToken variable
            return {
                ...token,
                access_token: account.access_token,
                expires_at: account.expires_at,
                refresh_token: account.refresh_token
                // add more if needed
            };
        } else if (Date.now() < token.expires_at * 1000) {
            // token is valid
            return {
                ...token,
                access_token: token.access_token
                // add more if needed
            };
        } else {
            // token expired, continue with refresh token logic
            return await refreshAccessToken(token);
        }
    }

    async session({ session, token }) {
        session.error = token.error;
        return {
            ...session,
            access_token: token.access_token
            // add more if needed
        };
    }

}

/** 
 *   The refresh token "rotation" logic
 */
async function refreshAccessToken(token) {
    try {
        const url = `${process.env.NEXTAUTH_OAUTH_URL}/oauth/token`;
        const response = await fetch(url, {
            method: 'POST',
            headers: {
                'Content-Type': 'application/json'
            },
            body: JSON.stringify(
                {
                    client_id: process.env.NEXTAUTH_OAUTH_CLIENT_ID_AUTH_CLIENT,
                    client_secret: process.env.NEXTAUTH_OAUTH_CLIENT_SECRET_AUTH_CLIENT,
                    grant_type: 'refresh_token',
                    refresh_token: currentRefreshToken ?? token.refresh_token // <-- Here I'm using the currentRefreshToken variable
                } 
            )
        });

        const tokensOrError = await response.json();

        if (!response.ok) {
            throw tokensOrError;
        }

        const newTokens = tokensOrError as {
            access_token: string;
            expires_in: number;
            refresh_token?: string;
        };

        currentRefreshToken = newTokens.refresh_token; // <-- here I'm setting the currentRefreshToken variable

        token.access_token = newTokens.access_token;
        token.refresh_token = newTokens.refresh_token;
        token.expires_at = Math.floor(Date.now() / 1000 + newTokens.expires_in);
        return token;
    } catch (error) {
        console.error('Error refreshing access token', error);
        // If we fail to refresh the token, return an error so we can handle it on the page
        token.error = 'RefreshTokenError';
        return token;
    }
}

...

Version Information:
next v15.0.3
next-auth v4.24.10

[serolgames]

I HAVE A WORKING SOLUTION

I tried yours, it works but in some case it doesn't. Let's about 20% of times it will fail.

I found a proper solution with redis. It's not perfect because you need to have redis installed on your server but from my test it's 100% working, multi tabs compatible.

This is the code :

function getTokenExpireDate()
{
    return Date.now() + 15 * 60 * 1000
}

const redis = new Redis({
    host: 'localhost', 
    port: 6379,
});

function sleep(ms: number) {
    return new Promise(resolve => setTimeout(resolve, ms));
}

async function refreshAccessToken(token: any, userAgent: string) {
    const lockKey = `refresh-token-lock-${token.refreshToken}`;
    const resultKey = `refresh-token-result-${token.refreshToken}`;

    while (await redis.exists(lockKey)) {
        console.log("Another process is refreshing the token. Waiting...");
        await sleep(100); // Attendre que la rotation actuelle se termine
    }

    const cachedResult = await redis.get(resultKey);
    if (cachedResult) {
        console.log("Using cached result for refresh token.");
        return JSON.parse(cachedResult);
    }

    const lockAcquired = await (redis.set as any)(lockKey, "locked", "NX", "PX", 5000);
    if (!lockAcquired) {
        console.log("Lock already acquired by another process. Waiting for result...");
        while (await redis.exists(lockKey)) {
            await sleep(100);
        }

        const cachedResultAfterWait = await redis.get(resultKey);
        if (cachedResultAfterWait) {
            console.log("Using cached result after waiting.");
            return JSON.parse(cachedResultAfterWait);
        }

        console.warn("No result available after waiting. Returning original token.");
        return token;
    }

    try {
        console.log("\n REFRESHING REQUEST INITIATED " + token.refreshToken + '\n');

        const response = await fetch(`${process.env.NEXT_PUBLIC_API_URL}auth/refresh`, {
            method: 'POST',
            body: JSON.stringify({ refreshToken: token.refreshToken }),
            headers: { 
                "Content-Type": "application/json", 
                'User-Agent': userAgent 
            }
        });

        const refreshedTokens = await response.json();

        if (!response.ok) {
            throw refreshedTokens;
        }

        console.log("\n REFRESHING REQUEST ACCEPTED " + refreshedTokens.refreshToken + '\n');

        const newToken = {
            ...token,
            accessToken: refreshedTokens.accessToken,
            accessTokenExpires: getTokenExpireDate(),
            refreshToken: refreshedTokens.refreshToken,
        };

        await redis.set(resultKey, JSON.stringify(newToken), "PX", 5000);

        return newToken;
    } catch (error) {
        console.error("\n ERROR DURING REFRESH: ", error);
        return {
            ...token,
            error: "RefreshAccessTokenError",
        };
    } finally {
        await redis.del(lockKey);
    }
}

const handler = NextAuth({
    providers: [
        CredentialsProvider({
        name: 'Credentials',
        credentials: {
            email: { label: 'Email', type: 'email' },
            password: { label: 'Password', type: 'password' },
        },
        async authorize(credentials) {
            try {

                const res = await fetch("http://localhost:3001/auth/login", {
                    method: 'POST',
                    body: JSON.stringify({login: credentials?.email, password: credentials?.password}),
                    headers: { "Content-Type": "application/json" }
                })
                
                const respDatas = await res.json()

                const { user, accessToken, refreshToken } = respDatas;

                if (user && accessToken) {
                    return {
                        ...user,
                        user: user,
                        accessToken,
                        refreshToken,
                    };
                } else {
                    return null;
                }
            } catch (error) {
                console.error('Login error:', error);
                return null;
            }
        },
        }),
    ],
    session: {
        strategy: 'jwt',
    },
    callbacks: {
        async jwt({ token, user }: any) 
        {
            if (user) {
                token.user = user.user
                token.accessToken = user.accessToken;
                token.refreshToken = user.refreshToken;
                token.accessTokenExpires = Date.now() + 15 * 60 * 1000; 
            }

            if (Date.now() < token.accessTokenExpires) {
                return token;
            }

            const newToken = await refreshAccessToken(token, token.userAgent);

            return newToken;
        },
        async session({ session, token }: any) {
            session.user = token.user
            session.accessToken = token.accessToken;
            session.refreshToken = token.refreshToken;
            return session;
        },
    },
    pages: {
        signIn: '/login',
        error: '/login',
        newUser: '/account'
    },
});

export { handler as GET, handler as POST }```

[NanningR]

@DenisHannig @serolgames Did you guys even read the previous replies? There are other threads where solutions inline with Next.js' recommended solution for handling authentication and session management are discussed. It works flawlessly with v4. For some it works with v5 also, but honestly, you shouldn't be using that as it's still in beta and as such not ready for production. If you scroll a bit to the top you can find this comment:

#3940 (comment)

I explained it in even more detail here, including how to handle some important redirects: #6642 (reply in thread)

As mentioned in those comments/replies, the original thread where this solution was first proposed is #9715.

Any Redis solution is just a workaround… This is really clean and will solve your issues. My biggest tip is downgrade to v4 to save yourself some headaches :)

[DenisHannig]

Great, thanks! I thought I had read all the previous replies, but it seems I might have missed something. I’ll go through the previous answers again now and test the possible solutions.

[DenisHannig]

Your middleware approach seems to work well after tweaking the code a bit to fit it to my environment. Thanks @NanningR

[minhbvhp]

Thanks to @nguyenhuugiatri @NanningR and @rinvii @angelhodar in #9715. After trying all, to sum up, only middleware solution can completely solve issues with refresh token rotation, and these code works with me:
I'm using: Nextjs 14 App router, Next-Auth v5 (authjs)

//middleware.ts
const privatePaths = ["/dashboard"];
const publicPaths = ["/login"];
const secret = process.env.AUTH_SECRET;
const sessionTokenName = process.env.SESSION_TOKEN_NAME || "sessionToken";

export async function middleware(request: NextRequest) {
  const { pathname } = request.nextUrl;

  const isProtectedPage = privatePaths.some((path) =>
    pathname.startsWith(path)
  );
  const isPublicPage = publicPaths.some((path) => pathname.startsWith(path));
  const isAdminPage = pathname.includes("admin");

  if (!secret) return signOut(request);

  const session = await getToken({
    req: request,
    cookieName: sessionTokenName,
    secret,
  });

  let response = NextResponse.next();

  if (isProtectedPage) {
    if (!session) return signOut(request);

    if (shouldSignOut(session)) return signOut(request);

    if (shouldUpdateToken(session.user.access_token)) {
      try {
        const refreshedSession = await refreshAccessToken(
          session,
          session.user.refresh_token
        );

        const newSessionTokenMaxAge = getSecondsUntilExpiration(
          refreshedSession.user.refresh_token
        );

        const newSessionToken = await encode({
          secret,
          salt: sessionTokenName,
          token: refreshedSession,
          maxAge: newSessionTokenMaxAge
            ? newSessionTokenMaxAge
            : 7 * 24 * 60 * 60, // 7 days
        });

        response = updateCookie(
          newSessionToken,
          newSessionTokenMaxAge,
          request,
          response
        );
      } catch {
        return signOut(request);
      }
    }
  }

  // Restrict admin pages
  if (isAdminPage && session?.user?.role?.name !== "Admin") {
    return NextResponse.redirect(new URL("/dashboard", request.url));
  }

  // Redirect authenticated users away from login page
  if (isPublicPage) {
    if (
      //access_token still valid
      (session?.user.access_token &&
        !isTokenExpired(session?.user.access_token)) ||
      //access_token expire but refresh_token still valid
      ((!session?.user.access_token ||
        isTokenExpired(session?.user.access_token)) &&
        session?.user.refresh_token &&
        !isTokenExpired(session?.user.refresh_token))
    )
      return NextResponse.redirect(new URL("/dashboard", request.url));
  }

  return response;
}

function signOut(request: NextRequest) {
  request.cookies.delete(sessionTokenName);
  return NextResponse.redirect(new URL("/login", request.url));
}

function isTokenExpired(token: string): boolean {
  const { exp } = jwtDecode(token);
  return exp ? Date.now() > exp * 1000 : false;
}

function shouldSignOut(token: JWT | null): boolean {
  if (
    !token ||
    !token.user ||
    (!token.user.access_token && !token.user.refresh_token)
  )
    return true;

  const accessToken = token.user.access_token;
  const refreshToken = token.user.refresh_token;
  const isAccessTokenExpired = isTokenExpired(accessToken);
  const isRefreshTokenExpired = isTokenExpired(refreshToken);

  if (
    (!accessToken || isAccessTokenExpired) &&
    (!refreshToken || isRefreshTokenExpired)
  )
    return true;

  return false;
}

function shouldUpdateToken(access_token: string): boolean {
  const isAccessTokenExpired = isTokenExpired(access_token);

  if (!access_token || isAccessTokenExpired) return true;

  return false;
}

async function refreshAccessToken(
  session: any,
  refreshToken: string
): Promise<JWT> {
  const res = await sendRequest<IBackendRes<IRefresh>>({
    method: "POST",
    url: "/api/auth/refresh",
    headers: { Authorization: `Bearer ${refreshToken}` },
  });

  if (!res.data) throw new Error("Failed to refresh access token");

  return {
    ...session,
    user: {
      ...session.user,
      access_token: res.data.access_token,
      refresh_token: res.data.refresh_token,
    },
  };
}

function updateCookie(
  newSession: string | null,
  maxAge: number | null,
  request: NextRequest,
  response: NextResponse
): NextResponse<unknown> {
  if (newSession) {
    request.cookies.set(sessionTokenName, newSession);

    response = NextResponse.next({
      request: {
        headers: request.headers,
      },
    });

    response.cookies.set(sessionTokenName, newSession, {
      httpOnly: true,
      maxAge: maxAge || 7 * 24 * 60 * 60, // 7 days
      sameSite: "lax",
    });
  } else {
    return signOut(request);
  }

  return response;
}

export const config = {
  matcher: [...privatePaths, ...publicPaths],
};

//auth.ts
...
callbacks: {
    async jwt({ token, user }) {
      if (user) {
        token.user = user as IUser;
      }

      return token;
    },
    async session({ session, token }) {
      (session.user as IUser) = token.user;
      return session;
    },
    async authorized({ auth }) {
      return !!auth;
    },
  },

My custom backend data type:

interface IBackendRes<T> {
    error?: string | string[];
    message: string;
    statusCode: number | string;
    data?: T;
  }

interface IUser {
    id: string;
    email: string;
    role: {
      name: string;
    };
    access_token: string;
    refresh_token: string;
  }

My custom next-auth data type:

declare module "next-auth/jwt" {
  interface JWT {
    access_token: string;
    refresh_token: string;
    user: IUser;
    access_expire: number;
    error: string;
  }
}

declare module "next-auth" {
  interface Session {
    access_token: string;
    refresh_token: string;
    user: IUser;
    access_expire: number;
    error: string;
  }
}