Bug: getKindeServerSession isAuthenticated triggers a new login and a redirect if token expired

[antonioGlavocevic]

Prerequisites

• I have searched the repository’s issues and Kinde community to ensure my issue isn’t a duplicate
• I have checked the latest version of the library to replicate my issue
• I have read the contributing guidelines
• I agree to the terms within the code of conduct

Describe the issue

Summary

I upgraded my @kinde-oss/kinde-auth-nextjs and noticed on my web app that I was being redirected to the kinde login page when my token expired. Prior to my upgrade, the above scenario would have just resulted in my web app rendering my pages with a "not logged in" state. I have narrowed it down to where I call await isAuthenticated (example further below).

Additionally, this is causing further problems in that I have KINDE_POST_LOGIN_REDIRECT_URL set to go to the users profile. This means when I paste a link somewhere in my app and my token has expired it now redirects to login and then redirects to my profile, rather than where my link specified. I could add some extra logic to track where the user was trying to go and redirect them there instead, but that triggers multiple page loads.

It is quite possible I am miss understanding how isAuthenticated should be used. My understanding is that isAuthenticated should check the auth token and return true if it is valid and false otherwise, which is how it was behaving in 2.4.6. Now it seems to return true when the token is valid, otherwise trigger a login redirect (performing an authentication).

Versions

Previous @kinde-oss/kinde-auth-nextjs version: 2.4.6
Issue occurs on @kinde-oss/kinde-auth-nextjs version: 2.5.0 or higher

I believe it is happening due to

kinde-auth-nextjs/src/session/isAuthenticated.js

Line 19 in d221023

redirectOnExpiredToken(token);

In change batch v2.4.6...v2.5.0#diff-0f5d49c1a149da5ca6fe2bd8f3e6456b90e5eb13dfa48052c3d77cc72407383eR19

Setup

my-app/app/page.tsx

import { getKindeServerSession } from "@kinde-oss/kinde-auth-nextjs/server";

import LoginComponent from "./logincomponent";

export default async function HomePage() {
  const { isAuthenticated, getUser } = getKindeServerSession();
  console.log("checking is authenticated...");
  const check = await isAuthenticated();
  console.log("isAuthenticated: ", check);
  let userID = "Not Logged In";
  if (check) {
    const user = await getUser();
    if (user) {
      userID = user.id;
    }
  }
  return (
    <div>
      <LoginComponent />
      {userID}
    </div>
  );
}

LoginComponent is just a small client component that uses useKindeBrowserClient to render import { LoginLink, LogoutLink, RegisterLink } from "@kinde-oss/kinde-auth-nextjs/components";

Result v2.4.6

If you render the page with an expired token you get the following logs:

 ○ Compiling / ...
 ✓ Compiled / in 1214ms (954 modules)
checking is authenticated...
isAuthenticated:  false
 GET / 200 in 1491ms
 ✓ Compiled /api/auth/[kindeAuth] in 150ms (961 modules)
 GET /api/auth/setup 500 in 995ms

And it will render the Not Logged In.

Result v2.5.0 and higher

If you render the page with an expired token you get the following logs:

 ○ Compiling / ...
 ✓ Compiled / in 1387ms (1326 modules)
checking is authenticated...
 GET / 307 in 1780ms
 ✓ Compiled /api/auth/[kindeAuth] in 170ms (1333 modules)
 ⨯ [Error: No response is returned from route handler '<PATH_TO_APP>/app/api/auth/[kindeAuth]/route.ts'. Ensure you return a `Response` or a `NextResponse` in all branches of your handler.]
 ⨯ [Error: No response is returned from route handler '<PATH_TO_APP>/app/api/auth/[kindeAuth]/route.ts'. Ensure you return a `Response` or a `NextResponse` in all branches of your handler.]
 GET /api/auth/login 500 in 734ms
checking is authenticated...
 GET / 307 in 83ms
 GET /api/auth/login 307 in 8ms
 GET /api/auth/kinde_callback?<ARGS> 307 in 129ms
checking is authenticated...
isAuthenticated:  true
 GET / 200 in 24ms
 GET /api/auth/setup 200 in 11ms

And it will render the user id.

Note the number of times "checking is authenticated..." is triggered and that isAuthenticated is never false.

Library URL

https://github.com/kinde-oss/kinde-auth-nextjs

Library version

2.5.0 and higher

Operating system(s)

macOS

Operating system version(s)

15.4.1

Further environment details

No response

Reproducible test case URL

No response

Additional information

I think the function is not doing what is described in the docs: https://docs.kinde.com/developer-tools/sdks/backend/nextjs-sdk/#isauthenticated

I believe this function should simply return true or false regarding the validity of the token. This is what it did in 2.4.6 (https://github.com/kinde-oss/kinde-auth-nextjs/blob/v2.4.6/src/session/isAuthenticated.js)

It seems like now the function performs authentication. Would it be more appropriate for this to be on a different function named something like authenticate?

[arnis87]

What is the status of this, has someone started to take a look?
Getting redirected for "authenticated" check on server every time token is stale feels really annoying, especially when user has forgotton their passoword. They will certainly not go clear the cookies manually.
I think I would prefer to get some kind of error thrown instead.

[Frost-on-Web]

I'm here to hear about that too.

[mxa0079]

Any updates on this? There is little to no information regarding updates to this SDK. That is not very reassuring....

[arnis87]

This does not seem to get any attention so I finally came up with a simple workaround. Wrap the calling code in try/catch. They use nextjs redirect() under the hood which in turn throws an error to redirect. If this is caught it will not happen.
Essentially this will block all other redirects but so far this is much more preferrable in my case then the current implementation

[gitdagray]

I've noticed the last comment was in August, but this issue is still open - so I want to add more context here and why it is a major problem for any company using multi-tenancy = multiple organizations.

I'm currently using "@kinde-oss/kinde-auth-nextjs": "^2.9.2" while experiencing this.

An example of the problem originally described and still an issue:

NOTE: This only happens when a user has previously logged in and currently has a cookie with an expired token.

export default async function Home() {

  const {
    isAuthenticated,
  } = getKindeServerSession()

  const isAuth = await isAuthenticated() // User is redirected to Kinde hosted page here

  console.log('isAuth: ', isAuth) // We never make it here

  // return whatever
}

In contrast, if the user does NOT have a cookie with an expired token (either never logged in or clicked LogOut):

export default async function Home() {

  const {
    isAuthenticated,
  } = getKindeServerSession()

  const isAuth = await isAuthenticated()

  console.log('isAuth: ', isAuth) // Logs null 

  // redirect authenticated users to page with full features
  if (isAuth) {
    redirect('/chat/new')
  }

  // We make it to here
  return (
    <NoAuthChatHome />
  )
}

Why this is a major problem for multi-tenancy:

• The redirect automatically triggered by isAuthenticated does NOT pass along your org_code value.
• You may have some apps that are public and some that are internal - each with their own org_code.
• In a passwordless auth flow, after users enter the code they receive via email, they are taken to a screen that asks which organization they want to login to. That's confusing for a public user when presented with a select menu containing a list of applications / organizations.

[mxa0079]

Agree with @gitdagray - furthermore it is a leak of information as now the person who experiences this will have a list of all our customers - some of whom may be their competition.

[DanielRivers]

@gitdagray @mxa0079 Do you have middleware configured?

With it configured, it should handle the check at that level and you can direct the user accordingly, you can also add your own custom isAuthenticated logic.

https://docs.kinde.com/developer-tools/sdks/backend/nextjs-sdk/#set-up-middleware

I will check into this behaviour, at best is should be preserving the org_code the user was logged into, would need to look into the viability.

[gitdagray]

@DanielRivers - thank you for the reply. I do have middleware configured, but it is not applied to the home page example I gave above. You can see I want to redirect if isAuth is true. If false, fallback to the NoAuth component.

The issue is from the isAuthenticated call. As the original issue post noted, it calls redirectOnExpiredToken. Digging into that function on the repo:

https://github.com/kinde-oss/kinde-auth-nextjs/blob/d221023de87008ca1115ab2bcf9598ba79106df9/src/utils/redirectOnExpiredToken.ts

..shows it was commented as a temporary fix for an edge case and does not send along an org_code.

I think the main issue is the docs and even the AI in the docs state isAuthenticated from getKindeServerSession will respond with true or false, but that is no longer the case. The change probably broke some things that were previously using it.

The issue I hope to avoid is sending users to a login without the org_code value I have specified for the app. Users end up at a select menu asking them which one to login to. Support in Slack did let me know the only options they are presented with in the dropdown are organizations they belong to, but it can still be confusing for users.

Thanks again for the reply and your work!

[gitdagray]

@DanielRivers - could you allow the isAuthenticated function to receive a flag like autoRedirect=booleanto enable or disable the redirectOnExpiredToken call? This would give developers control over the behavior.

Think of the ChatGPT home page that delivers a limited feature version without the user being logged in and a full feature version with an authorized user. Example (not using middleware on this page):

export default async function Home() {

  const {
    isAuthenticated,
  } = getKindeServerSession()

  const isAuth = await isAuthenticated()

  console.log('isAuth: ', isAuth) // Logs null 

  // redirect authenticated users to page with full features
  if (isAuth) {
    redirect('/chat/new')
  }

  // We make it to here - limited feature version
  return (
    <NoAuthChatHome />
  )
}

Thanks again!

[Koosha-Owji]

You should be running the middleware on all routes regardless of them being an Authenticated route or a Non Authenticated route. You can then use the publicPaths array to set which routes are public. This allows the middleware to handle session management including token refresh on all routes and publicPaths to control access.

// middleware.ts
import { withAuth } from "@kinde-oss/kinde-auth-nextjs/middleware";

export default withAuth(req, {
  publicPaths: ['/']  // Homepage is public
});

export const config = {
  matcher: ['/((?!_next|favicon.ico).*)']  // Run on ALL routes
};

[DanielRivers]

@gitdagray this is along the lines I am planning.

@DanielRivers - could you allow the isAuthorized function to receive a flag like autoRedirect=booleanto enable or disable the redirectOnExpiredToken call? This would give developers control over the behavior.

Think of the ChatGPT home page that delivers a limited feature version without the user being logged in and a full feature version with an authorized user. Example (not using middleware on this page):

export default async function Home() {

  const {
    isAuthenticated,
  } = getKindeServerSession()

  const isAuth = await isAuthenticated()

  console.log('isAuth: ', isAuth) // Logs null 

  // redirect authenticated users to page with full features
  if (isAuth) {
    redirect('/chat/new')
  }

  // We make it to here - limited feature version
  return (
    <NoAuthChatHome />
  )
}

Thanks again!

[gitdagray]

@Koosha-Owji - thank you for your suggestion! I like that idea and will give it a try.

I was previously excluding the homepage with the matcher in the middleware config:

export const config = {
    matcher: [
        /*
         * Match all request paths except for the ones starting with:
         * - api (API routes)
         * - _next/static (static files)
         * - _next/image (image optimization files)
         * - auth
         * - favicon.ico (favicon file)
         * - robots.txt
         * - images
         * - login - noted above in the Kinde options
         * - homepage (represented with $ after beginning /)
         */
        '/((?!api|_next/static|_next/image|auth|favicon.ico|robots.txt|images|login|$).*)',
    ],
}

I had picked up this pattern with earlier versions of Kinde.

Are you saying using publicPaths will handle these paths differently than if excluded with the matcher?

Update: I referenced the docs and the AI in the docs to learn the difference.

That said, authentication is not enforced if I use publicPaths, and given my example in a previous post above, I still need to call isAuthenticated to verify and redirect users who are.

---

@DanielRivers - thank you for your replies, too. The flag will be a nice addition and should solve my example use case from my previous post.

You have both been very responsive, and I sincerely appreciate it.