refreshed JWT token is not updated on the client #7111

Closed
violabg opened this issue Mar 29, 2023 · 4 comments

violabg commented Mar 29, 2023

Environment

"next": "13.2.4",
"next-auth": "^4.20.1",

Reproduction URL

https://github.com/nextauthjs/next-auth-refresh-token-example

Describe the issue

I'm implementing the refresh token strategy as per the example on https://authjs.dev/guides/basics/refresh-token-rotation#client-side

I'm using credentialProvider, and I'm able to obtain a new token and set it in the jwt callback in [...nextauth].ts.

If I console log the session in

    async session({ session, token }) {
      session.user = token.user
      session.accessToken = token.accessToken
      session.error = token.error
      // console.log("session :>> ", session);
      return session
    },

I get the new token and eventually the error, so everything is working fine up to here.

On the client I'm using useSession() in a layout component that I share with all the pages:

  const { data: session } = useSession()

  useEffect(() => {
    if (session?.error === 'RefreshAccessTokenError') {
      signIn() // Force sign in to hopefully resolve error
    }
  }, [session])

But when I navigate to any page via Link (next/link), I can see the logs from the async session({ session, token }) callback in the terminal with the correct values, but on the client, session is always the old one. I need to do a hard reload of the page in order to see the refreshed values.

How to reproduce

Expected behavior

To be able to see the new value of useSession() when navigating the site, in order to log out the user if the token expires.

@violabg violabg added the triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime. label Mar 29, 2023
@balazsorban44
Member

This is currently expected as the session is not re-fetched on the client whenever it changes on the server.

If you want to avoid doing a manual refresh, you can poll the session https://next-auth.js.org/getting-started/client#refetch-interval to make sure it's kept up-to-date with the server value.

Note, #7056 will introduce a more idiomatic way to update the session that might help with this case too.

Long-term, we would like to have built-in support for refresh token rotation.

violabg commented Mar 30, 2023

Perfect, thanks

violabg commented Mar 30, 2023

What if I want to log out the user directly in

    async session({ session, token }) {
      session.user = token.user
      session.accessToken = token.accessToken
      session.error = token.error
      // console.log("session :>> ", session);
      return session
    },

What would be the correct way to do it?

@balazsorban44
Member

#7035

For now, just set some error and trigger signOut via the browser.
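
The two suggestions in this thread (poll the session with `refetchInterval`, and sign out from the browser when the session carries the error) combined into one sketch. This is an added example, not code from the thread or from the next-auth project; the file name, the 15-minute token lifetime and the `/login` path are assumptions.

```jsx
// pages/_app.jsx (assumed file name; added example)
import { useEffect } from "react";
import { SessionProvider, useSession, signOut } from "next-auth/react";

// Assumed lifetime of the upstream access token, in seconds.
const ACCESS_TOKEN_TTL_S = 15 * 60;

// Signs the browser out as soon as a re-fetched session carries the error
// that the jwt/session callbacks set when the refresh request failed.
function SessionGuard({ children }) {
  const { data: session, status } = useSession();

  useEffect(() => {
    if (status === "authenticated" && session?.error === "RefreshAccessTokenError") {
      // Clears the session cookie, then redirects to the assumed login page.
      signOut({ callbackUrl: "/login" });
    }
  }, [session?.error, status]);

  return children;
}

export default function App({ Component, pageProps: { session, ...pageProps } }) {
  return (
    <SessionProvider
      session={session}
      // Re-fetch the session well inside the token lifetime. Each fetch runs
      // the jwt and session callbacks on the server, so the rotated token
      // (or the error) replaces the stale copy held by useSession().
      refetchInterval={Math.floor(ACCESS_TOKEN_TTL_S / 3)}
      // Also re-fetch when the tab regains focus (the default behaviour).
      refetchOnWindowFocus={true}
    >
      <SessionGuard>
        <Component {...pageProps} />
      </SessionGuard>
    </SessionProvider>
  );
}
```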
