I try to implement refresh token rotation logic in options.ts of NextAuth.JS
I’ve tried to implement it using Refresh Token Rotation For NextAuth Docs by checking in JWT callback whether access token expired or not and if not then call refreshToken function. Refresh logic is taking action on my server where I update token and return { accessToken, refreshToken, accessTokenExpiry }
The problem is that despite I update accessTokenExpiry field just like in docs refresh token is being triggered on every JWT trigger.
I tried to add console.log in order to check what’s going on and found out following:
Row 96: is showing me
console.log(new Date(Date.now(), new Date(token.accessTokenExpiry)
Row 18: is showing me
console.log(new Date(Date.now(), new Date(data.accessTokenExpiry)
where data – response from refresh endpoint from server
So from here we can see that data.accessTokenExpiry which I received from server works correctly (I set up 5 seconds access token lifespan in order not to wait minutes until it actually expires) so we see 53:41 for current time and 53:46 as current time + token lifespan. But when I check actual token.accessTokenExpiry it shows me wrong time
[…nextauth]/options.ts:
import { UUID } from 'crypto';
import { NextAuthOptions } from 'next-auth';
import CredentialsProvider from 'next-auth/providers/credentials';
// eslint-disable-next-line @typescript-eslint/no-explicit-any
const refreshToken = async (token: any) => {
try {
const response = await fetch(`${process.env.SERVER_URL}/admins/auth/refresh`, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
Authorization: `Bearer ${token.refreshToken}`,
},
});
const data = await response.json();
console.log('row 18:', new Date(Date.now()), new Date(data.accessTokenExpiry));
if (!response.ok) {
throw data;
}
return {
accessToken: data.accessToken,
accessTokenExpiry: data.accessTokenExpiry,
refreshToken: data.refreshToken ?? token.refreshToken,
};
} catch (error) {
console.error(error);
return {
...token,
error: 'RefreshAccessTokenError',
};
}
};
export const options: NextAuthOptions = {
session: {
maxAge: 60 * 24 * 60 * 60,
},
secret: process.env.JWT_SECRET,
providers: [
CredentialsProvider({
name: 'Credentials',
credentials: {
username: { label: 'Username', type: 'text' },
password: { label: 'Password', type: 'password' },
},
authorize: async credentials => {
const response = await fetch(`${process.env.SERVER_URL}/admins/auth/login`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(credentials),
});
if (response.status === 404) {
throw new Error('404');
}
if (response.status === 403) {
throw new Error('403');
}
const data = await response.json();
const user = await fetch(`${process.env.SERVER_URL}/admins/admin`, {
headers: {
Authorization: `Bearer ${data.accessToken}`,
},
}).then(res => res.json());
return {
...user,
accessToken: data.accessToken,
refreshToken: data.refreshToken,
accessTokenExpiry: data.accessTokenExpiry,
};
},
}),
],
callbacks: {
async jwt({ token, user }) {
if (user) {
token.id = user.id as UUID;
token.email = user.email;
token.name = user.name;
token.surname = user.surname;
token.role = user.role;
token.accessToken = user.accessToken!;
token.refreshToken = user.refreshToken!;
token.accessTokenExpiry = user.accessTokenExpiry;
}
console.log('row 96:', new Date(Date.now()), new Date(token.accessTokenExpiry));
// //////////////////////
// Checking if the access token is expired
if (Date.now() < token.accessTokenExpiry) {
return token;
}
return await refreshToken(token);
},
async session({ session, token }) {
session.user.email = token.email;
session.user.role = token.role;
session.user.surname = token.surname;
session.user.name = token.name;
session.user.id = token.id;
session.accessToken = token.accessToken;
session.refreshToken = token.refreshToken;
session.accessTokenExpiry = token.accessTokenExpiry;
return session;
},
},
};
[…nextauth]/route.ts:
import NextAuth from 'next-auth/next';
import { options } from './options';
const handler = NextAuth(options);
export { handler as GET, handler as POST };
routes/admins/auth/auth-admin.service.ts:
async refreshToken(req: Request) {
const token = req.headers.authorization.split(' ')[1];
const payload = this.jwtService.decode(token);
const admin = await this.adminsRepository.findOne({
where: { id: payload.id },
});
if (token !== admin.refreshToken) {
throw new UnauthorizedException('Invalid refresh token');
}
console.log('refresh');
// const accessTokenExpiry = Date.now() + 12 * 60 * 60 * 1000;
const accessTokenExpiry = Date.now() + 5 * 1000;
const accessTokenPayload = { id: payload.id, exp: accessTokenExpiry };
const newAccessToken = this.jwtService.sign(accessTokenPayload);
return {
accessToken: newAccessToken,
refreshToken: payload.refreshToken,
accessTokenExpiry,
};
}