Refreshing token in API route - subsequent request returns 401 and clears session #1293
Comments
Upgraded the project to 2.6.3 and the same issue is reproducible.
Hi @adoprog - thanks for raising this. Have just tested this on the sample app with 2.6.3 installed and can't reproduce the issue you're describing. Could you share an example repo that demonstrates the issue and I can debug it for you?
I've just tested it on the sample app (downloaded main branch, so "@auth0/nextjs-auth0": "^2.0.0") and can reproduce it, the changes I've made to work with our Auth0 instance are:
After I open (in a separate browser tab) http://localhost:3000/api/shows - it loads once and says '{"msg":"Your access token was successfully validated!"}', but on second load it returns '{"error":"not_authenticated","description":"The user does not have an active session or is not authenticated"}'
Okay, after removing 'profile' from scope it seems to work... Could it actually be caused by token / session size?
Possibly, although the SDK is designed to handle larger sessions by breaking the cookie up into chunks - have just tested this on the sample app with a session > 4096 (cookie max size). How large is the session in bytes? Could you share a HAR file (with secrets redacted)?
There are 5 chunks total when 'profile' is there and 4 when it is not. Attached the HAR file (two subsequent requests, when 'profile' is there). Thanks!
Thanks for sharing the HAR file @adoprog - I think I see the issue. When you make the first request to But the response does not remove the erroneous 5th chunk. So when the second request turns up with 5 chunks, the SDK puts all 5 together and gets an invalid session. (if you delete For cases like yours where the session gets smaller and the number of chunks decreases, we need to delete any erroneous chunks - will raise some work to fix this. (Note: this should not be an issue in the new Beta because https://github.com/auth0/nextjs-auth0/blob/beta/src/auth0-session/session/stateless-session.ts#L142)
@adoprog This has been fixed in https://github.com/auth0/nextjs-auth0/releases/tag/v2.7.0
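The stale-chunk failure described in the thread, as an added simulation (not the nextjs-auth0 SDK's code): a session that shrinks from 5 chunk cookies to 4 is rewritten once without clearing the leftover chunk and once with it cleared, and the reader reassembles whatever chunks are present. The cookie name `appSession`, the `.N` chunk suffix and the tiny chunk size are assumptions for the demo.

```javascript
// Constructed simulation of chunked session cookies; not the SDK's implementation.
// The jar is a Map of cookie name -> value; chunk cookies are `${name}.0`, `${name}.1`, ...
const CHUNK_SIZE = 8; // tiny on purpose; browsers cap a cookie at roughly 4096 bytes

function chunkNames(jar, name) {
  // All chunk cookies currently stored for this session name, in numeric order.
  const idx = (k) => Number(k.slice(name.length + 1));
  return [...jar.keys()].filter((k) => k.startsWith(name + '.')).sort((a, b) => idx(a) - idx(b));
}

function readSession(jar, name) {
  // The reader cannot tell a stale chunk from a live one, so a leftover
  // chunk from an older, larger session corrupts the reassembled value.
  return chunkNames(jar, name).map((k) => jar.get(k)).join('');
}

function writeSessionBuggy(jar, name, value) {
  // Writes only the chunks the new value needs; higher-numbered chunks
  // left over from a previous larger session stay in the jar.
  for (let i = 0; i * CHUNK_SIZE < value.length; i++) {
    jar.set(`${name}.${i}`, value.slice(i * CHUNK_SIZE, (i + 1) * CHUNK_SIZE));
  }
}

function writeSessionFixed(jar, name, value) {
  // Same write, then every chunk index at or beyond the new count is removed
  // (a real response would send a Set-Cookie with an expiry in the past).
  const needed = Math.ceil(value.length / CHUNK_SIZE);
  for (let i = 0; i < needed; i++) {
    jar.set(`${name}.${i}`, value.slice(i * CHUNK_SIZE, (i + 1) * CHUNK_SIZE));
  }
  for (const k of chunkNames(jar, name)) {
    if (Number(k.slice(name.length + 1)) >= needed) jar.delete(k);
  }
}

function simulate(write) {
  // Request 1 stores a session large enough for 5 chunks; after the refresh
  // the session is one chunk smaller and is rewritten; request 2 reads it back.
  const jar = new Map();
  write(jar, 'appSession', 'A'.repeat(40)); // 5 chunks
  write(jar, 'appSession', 'B'.repeat(32)); // 4 chunks
  const got = readSession(jar, 'appSession');
  return { chunks: chunkNames(jar, 'appSession').length, intact: got === 'B'.repeat(32) };
}

console.log(simulate(writeSessionBuggy)); // { chunks: 5, intact: false }
console.log(simulate(writeSessionFixed)); // { chunks: 4, intact: true }
```

In the buggy run the 5th chunk survives and the reassembled session no longer matches, which is the state the SDK then rejects as an invalid session.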
Checklist
Description
I have a NextJS app with multiple /api routes that communicate with an external system. I'm trying to get token refresh to work and so far have isolated the following problem: after a successful refresh, the session is updated and new session cookies are sent to the client, but the very next request to the same API route fails with 401 and the cookies are cleared:
Reproduction
Is there anything special I'm missing about API routes?
Additional context
No response
nextjs-auth0 version
1.9.3
Next.js version
12.1
Node.js version
16.20.0