Checklist
- The issue can be reproduced in the nextjs-auth0 sample app (or N/A).
- I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
- I have looked into the API documentation and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- I agree to the terms within the Auth0 Code of Conduct.
Description
I am attempting to upgrade the version of this library I am using from 4.0.2 to 4.11.0.
I am using the pages router and I use rotating refresh tokens.
I have been using getSession(request) (to confirm there is a session) and getAccessToken(request, response) in my API route to get the access token so I can retrieve my users' roles from the access token (this is all after checking for a valid session in the middleware).
Since updating I have been having an issue where my session does not get updated with the new access token & refresh token, so once my token expires the call to getAccessToken(request, response) will get a new token, but then, after the grace period for rotating refresh token reuse passes, I get an error for refresh token reuse any time I call getAccessToken.
I have tried moving the retrieval of the access token to the middleware and passing the access token directly to the API routes via the headers; this seems to have the same issue (this is following the recommendation in the second example for getting an access token in the middleware and setting the authRes headers - https://github.com/auth0/nextjs-auth0/blob/main/EXAMPLES.md#middleware-2).
I have tracked the problem down to the version change 4.2.1 -> 4.4.4 v4.2.1...v4.4.0
After upgrading beyond this I encounter the above issue.
Any guidance on what I might be doing wrong, or what changed that might cause this, would be appreciated.
I have managed to set up a workaround currently by manually setting the set-cookie headers with .append after calling getAccessToken, which is different from what's in the example I mentioned above, as .set overrides each "set-cookie" header as it loops. (This is not a 100% reliable workaround; I still sometimes get token reuse errors, so I can't use it in production.)
Without the above workaround in v4.4.0 I do see a set-cookie appSession=; Path=/; Max-Age=0 header returned when my token has expired, but the rest of the set-cookie headers with the __session__0 and __session__1 names are missing.
I should also note that calling updateSession didn't seem to do anything either.
Reproduction
- Login
- Wait for token expiry
- Attempt to get a token in an api route / middleware
- Wait for token reuse timeout
- Attempt to get a token in an api route / middleware again
Additional context
I use tRPC 10.45.2 for my APIs.
nextjs-auth0 version
4.11.0
Next.js version
15.5.6
Node.js version
20.18.2
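The report above notes that copying cookies from the auth helper's response with .set in a loop leaves only one set-cookie header, while .append keeps them all. The following is an added illustration of that header behaviour, not code from the issue or from nextjs-auth0: it uses only the WHATWG Headers API built into Node.js 18+, and the cookie values and the helper names (makeAuthResHeaders, copyWithSet, copyWithAppend, cookieNames) are constructed for the example. The cookie names mirror the ones mentioned in the report; their contents are placeholders.

```javascript
// Added example (not from the issue or from nextjs-auth0): demonstrates why
// transferring Set-Cookie headers with Headers.set() in a loop drops every
// cookie but the last, while Headers.append() preserves all of them.
// Runs on plain Node.js (18.14+ for Headers.getSetCookie); no Next.js needed.

// Constructed stand-in for the headers an auth helper returns after refreshing
// a session: two chunked session cookies plus a cleared legacy cookie.
// The cookie values are placeholders, not real session material.
function makeAuthResHeaders() {
  const h = new Headers();
  h.append('set-cookie', '__session__0=chunkA; Path=/; HttpOnly; Secure; SameSite=Lax');
  h.append('set-cookie', '__session__1=chunkB; Path=/; HttpOnly; Secure; SameSite=Lax');
  h.append('set-cookie', 'appSession=; Path=/; Max-Age=0');
  return h;
}

// Strategy 1: Headers.set() per cookie. Each call replaces the entire
// Set-Cookie list, so only the final cookie reaches the client.
function copyWithSet(source) {
  const out = new Headers();
  for (const cookie of source.getSetCookie()) {
    out.set('set-cookie', cookie);
  }
  return out;
}

// Strategy 2: Headers.append() per cookie. Every cookie is retained, so the
// browser receives the full refreshed session plus the clearing header.
function copyWithAppend(source) {
  const out = new Headers();
  for (const cookie of source.getSetCookie()) {
    out.append('set-cookie', cookie);
  }
  return out;
}

// Returns just the cookie names carried by a response's Set-Cookie headers,
// which is enough to see which session chunks survived the copy.
function cookieNames(headers) {
  return headers.getSetCookie().map((c) => c.split('=')[0]);
}

const src = makeAuthResHeaders();
console.log('set    ->', cookieNames(copyWithSet(src)));    // [ 'appSession' ]
console.log('append ->', cookieNames(copyWithAppend(src))); // [ '__session__0', '__session__1', 'appSession' ]
```

Because the response a middleware returns is the one the browser sees, any refreshed session cookies produced by an intermediate auth response have to be transferred onto it one header at a time; the .set loop silently collapses them to a single cookie, which is consistent with the missing __session__ headers described above. A quick check when debugging this kind of problem is to log response.headers.getSetCookie() right before returning from the middleware and confirm every expected cookie name is present.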