Credentials Provider Refresh Token Rotation - jwt callback token doesn't update after initial sign in.

[jan-grasewicz]

Question 💬

Hi.
I'm trying to setup refresh token rotation using Credentials Provider.
Based on this example: https://next-auth.js.org/v3/tutorials/refresh-token-rotation

Unfortunate jwt callback saves returned token only on initial sign in and when getSession is called client-side, not when getSession is called in getServerSideProps function.

So my access token gets refreshed as long as I do client-side requests, but if I fetch all my data server-side my session will expire.

Am I doing something wrong in my config, or is it a bug?

How to reproduce ☕️

[...nextauth].js

export default NextAuth({
  providers: [
    CredentialsProvider({
      name: 'Sign in with email and password',
      credentials: {
        email: {
          label: 'Email',
          type: 'email',
          placeholder: '[email protected]',
        },
        password: { label: 'Password', type: 'password' },
      },
      async authorize(credentials) {
          const res = await fetch(
            process.env.NEXTAUTH_API_URL + '/auth/sign-in',
            {
              method: 'POST',
              body: JSON.stringify(credentials),
              headers: { 'Content-Type': 'application/json' },
            },
          );

          const user = await res.json();

          if (res.ok && user) {
            const { accessToken, accessTokenExpirationTime, refreshToken } =
              user.metadata;

            return {
              ...user.result,
              accessToken,
              accessTokenExpires: Date.now() + accessTokenExpirationTime,
              refreshToken,
            };
          }

          return null;
      },
    }),
  ],
  pages: {
    signIn: '/auth/login',
  },
  callbacks: {
    async jwt(token, user, account) {
      // Initial sign in
      if (account && user) {
        const { accessToken, accessTokenExpires, refreshToken, ...userData } =
          user;
        return {
          accessToken,
          accessTokenExpires,
          refreshToken,
          user: userData,
        };
      }

      if (Date.now() < token.accessTokenExpires) {
        return token;
      }

      const updatedToken = await refreshAccessToken(token);

      return updatedToken;
    },
    async session(session, token) {
      session.user = token.user;
      session.accessToken = token.accessToken;
      session.error = token.error;

      return session;
    },
  },
});

async function refreshAccessToken(token) {
  try {
    const cookie = `Authentication=${token.accessToken}; Refresh=${token.refreshToken}; `;
    const response = await fetch(
      process.env.NEXTAUTH_API_URL + '/auth/refresh',
      { method: 'POST', headers: { cookie } },
    );

    const refreshedTokens = await response.json();

    if (!response.ok) {
      throw refreshedTokens;
    }

    const { accessToken, accessTokenExpirationTime, refreshToken } =
      refreshedTokens.metadata;

    const updatedToken = {
      ...token,
      accessToken,
      accessTokenExpires: Date.now() + accessTokenExpirationTime,
      refreshToken: refreshToken ?? token.refreshToken, // Fall back to old refresh token
    };

    return updatedToken;
  } catch (error) {
    console.error('RefreshAccessTokenError', error);
    return {
      ...token,
      error: 'RefreshAccessTokenError',
    };
  }
}

"refreshAccessToken" always returns new tokens, but on subsequent calls "jwt(token)" returns them only if refresh was the result of "getSession" called client-side, not in getServerSideProps

I'm using v3, but tried v4 with no success.

Contributing 🙌🏽

No, I am afraid I cannot help regarding this

[mackankowski]

The following topic looks similar and it doesn't seem to be any solution since May :(

#2003

[balazsorban44]

getSession works exactly the same for backend and front-end usage (something which I actually want to change because it is a performance bottleneck #1535), so it does the same in both places.

When used server-side though, you should pass req to getSession as documented here:
https://next-auth.js.org/getting-started/client#server-side-example

In the future, we likely will have a getServerSession or similar method, to avoid confusion.

[jan-grasewicz]

Considering the implementation of getSession it is not really surprising to be honest, it never actually uses the res to set cookies, even if you pass the whole context.

That's what I checked after my last reply.

Thank you for confirming the problem I expected, and providing currently available solution.
Is there any timeline when getServerSession might end up in beta release at least?

[balazsorban44]

no, there is no ETA

[magicspon]

Any movement on this?

[lws803]

Running into the same issue now with rotating refresh tokens and calling getSession within getServerSideProps. Is there a resolution for this? 😢

[dariolongo]

Hi all,
is there any update about unstable_getServerSession? when there will be an official getServerSession?
Thanks