Refresh Token Rotation -- access Token Expiry

[dhavalveera]

Hello,

using NextAuth, and Google Login as a provider, I need to use the Refresh Token Rotation for my Web App, and for that, I'm following this NextAuth Docs === Link.

Code

// NextAuth
import NextAuth from 'next-auth'

// NextAuth Providers
import GoogleProvider from 'next-auth/providers/google'
import FacebookProvider from 'next-auth/providers/facebook'

const GOOGLE_AUTHORIZATION_URL =
  'https://accounts.google.com/o/oauth2/v2/auth?' +
  new URLSearchParams({
    prompt: 'consent',
    access_type: 'offline',
    response_type: 'code',
  })

/**
 * Takes a token, and returns a new token with updated
 * `accessToken` and `accessTokenExpires`. If an error occurs,
 * returns the old token and an error property
 */
async function refreshAccessToken(token) {
  try {
    const url =
      'https://oauth2.googleapis.com/token?' +
      new URLSearchParams({
        client_id: process.env.GOOGLE_CLIENT_ID,
        client_secret: process.env.GOOGLE_CLIENT_SECRET,
        grant_type: 'refresh_token',
        refresh_token: token.refreshToken,
      })

    const response = await fetch(url, {
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
      },
      method: 'POST',
    })

    const refreshedTokens = await response.json()

    if (!response.ok) {
      throw refreshedTokens
    }

    return {
      ...token,
      accessToken: refreshedTokens.access_token,
      accessTokenExpires: Date.now() + refreshedTokens.expires_at * 1000,
      refreshToken: refreshedTokens.refresh_token ?? token.refreshToken, // Fall back to old refresh token
    }
  } catch (error) {
    console.log(error)

    return {
      ...token,
      error: 'RefreshAccessTokenError',
    }
  }
}

export default NextAuth({
  providers: [
    GoogleProvider({
      clientId: process.env.GOOGLE_CLIENT_ID,
      clientSecret: process.env.GOOGLE_SECRET,
      authorization: {
        params: {
          prompt: 'consent',
          access_type: 'offline',
          response_type: 'code',
        },
      },
    }),
  ],
  pages: {
    signIn: '/signinpage',
  },
  session: {
    jwt: true,
  },
  jwt: {
    secret: process.env.JWTSECRET,
  },
  secret: true,
  idToken: true,
  callbacks: {
    async jwt({ token, user, account }) {
      if (account && user) {
        console.log('nextauth 102', account)
        console.log(new Date(account.expires_at))
        return {
          accessToken: account.access_token,
          accessTokenExpires: Date.now() + account.expires_at * 1000,
          refreshToken: account.refresh_token,
          id_token: account.id_token,
          provider: account.provider,
          user,
        }
      }

      // Return previous token if the access Token has not expired yet
      if (Date.now() < token.accessTokenExpires) {
        return token
      }

      // Access token has expired, try to update it
      return refreshAccessToken(token)
    },
    async session({ session, token }) {
      const userDetail = {
        ...token.user,
        id_token: token.id_token,
        provider: token.provider,
      }
      session.user = userDetail
      session.accessToken = token.accessToken
      session.expiresAt = token.accessTokenExpires
      session.error = token.error

      return session
    },
  },
})

I've copied the entire same code from the above-mentioned Refresh Token Rotation Docs, and in that, they're using accessTokenExpires: Date.now() + refreshedTokens.expires_at * 1000, which I was doing console to check what the Expiry is coming.

1. console.log(session.expiresAt) - which returns === 3321622580000
2. console.log(new Date(session.expiresAt) - which returns === Thu Apr 04 2075 22:26:20 GMT+0530 (India Standard Time)

can anyone tell me or help me what's wrong I'm doing? as I want the Token Expiry to be +4 hours from the current time.

and I tried the following:

accessTokenExpires: Date.now() + 3600 * 3000, then this is getting on the loop to the login page

can anyone please help me 🙏