How do we ensure a session is still valid on refresh with NextJS app folder?

My team is using the @auth0/nextjs-auth0 SDK, version 3.1.0.

Our codebase uses the NextJS app directory structure, and I have followed along with the README, documentation, and example app closely.

Logging in and logging out works fine. However, I have noticed that no matter what I set our Refresh Token settings (e.g., their timeouts) or our Identity Token settings to, I am unable to force my user to re-sign in after these tokens expire. The app seems to simply always allow refreshing the app and still having the user appear to be logged in, even as far as useUser continuing to work.

This gets worse because it appears that I can even delete the user in Auth0’s admin panel and they are still able to stay signed in, refresh the browser, and fetch some features such as via useUser.

This is not appearing true for the access token or identity token. On the server-side (of NextJS, in the app/api handlers), getAccessToken and getSession appear to always return a value, but our actual backend is refusing the tokens. So it appears there is a discrepancy happening here.

How do I make my NextJS 13 app router based Auth0 app always attempt to re-authenticate the user during a page load or refresh, so that even if they had previously signed on and a session token was stored by Auth0, there is still a real round trip to confirm that the session should be valid (that the user exists or that they didn't change their password)?

I'll paste some code here to illustrate our app setup thus far:

middleware.js

import { withMiddlewareAuthRequired } from "@auth0/nextjs-auth0/edge";

// The following paths will require authentication.
// Note that root, `/`, is not included but will ultimately also require
// authentication, due to a next.js config setting that redirects `/` to
// `/incidents`.
// See: https://auth0.github.io/nextjs-auth0/types/helpers_with_middleware_auth_required.WithMiddlewareAuthRequired.html
export const config = {
  matcher: [
    "/incidents/:path*",
    "/settings/:path*"
  ],
};

export default withMiddlewareAuthRequired();

app/api/auth/[auth0.js]

import { handleAuth, handleLogin, handleLogout } from "@auth0/nextjs-auth0";

export const GET = handleAuth({
  login: handleLogin({
    authorizationParams: {
      prompt: "login",
    },
    returnTo: "/incidents",
  }),
  logout: handleLogout(() => {
    return {
      returnTo: "/",
    };
  }),
  onError(req, error) {
    console.error("An Auth0 error occurred:", error);
  }
});

Hi @bradleygriffith-cit! Have you solved that? I have the same problem.

Hey @bradleygriffith-cit , also have been running into this issue on and off for months now. Wondering if you ever came around to figuring this out?

Getting the same issue. I also find that on logout from a user the cookie is deleted, but once the redirect is done the cookie is appended with the previous user. Even if I log in as another user, it only updates client side (useUser); if I reload the app it will come back to the previously logged in user, since the appSession in the cookie belongs to it.

Same here… @lucas8 @drustill4 @bradleygriffith-cit @christian.aquino have you solved this issue?


Hi everyone and @bradleygriffith-cit

Thank you for posting your questions on the community!

I am sorry about the late reply to your post.

For the issue you are experiencing, I would advise checking the session of the user whenever they access the webpage and redirecting them to the logout endpoint, since your application does not seem to handle that.

I would recommend to review this community post, also How to redirect user to login when token is expire and this knowledge article regarding the matter.

If you have found a solution or have additional questions regarding the matter, feel free to leave a reply or post again on the community!

Kind Regards,
Nik
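As an added illustration of the "check the session on every request and send stale ones to the logout endpoint" approach suggested in the reply above (example code, not from the original post or the nextjs-auth0 SDK): the decision logic is kept as a pure function so it can be exercised without Next.js. It assumes the session object has the shape nextjs-auth0 v3 returns from getSession() (user, accessToken, accessTokenExpiresAt in unix seconds), that AUTH0_ISSUER_BASE_URL is set as in the SDK README, and that the caller turns a "logout" decision into a redirect to /api/auth/logout from a middleware passed to withMiddlewareAuthRequired().

```javascript
// Added example, not the SDK's own code. Names below are assumptions.
const LOGOUT_PATH = "/api/auth/logout";
const CLOCK_SKEW_SECONDS = 30; // tokens expiring within 30s count as expired

// Pure decision: should this request proceed, or be sent to the logout
// endpoint so the SDK clears the appSession cookie?
function decide({ session, nowSeconds, userinfoStatus }) {
  if (!session || !session.user) {
    return { action: "logout", reason: "no session / no user" };
  }
  if (
    typeof session.accessTokenExpiresAt === "number" &&
    session.accessTokenExpiresAt - CLOCK_SKEW_SECONDS <= nowSeconds
  ) {
    // getSession() still returns a session whose access token has expired;
    // treating that as stale is what forces a fresh round trip to Auth0.
    return { action: "logout", reason: "access token expired" };
  }
  if (userinfoStatus !== undefined && userinfoStatus !== 200) {
    // /userinfo rejects the token of a deleted or revoked user even though
    // the encrypted appSession cookie still decrypts fine locally.
    return { action: "logout", reason: `userinfo returned ${userinfoStatus}` };
  }
  return { action: "allow", reason: "session live" };
}

// Round trip to the tenant's /userinfo endpoint with the session's access
// token. fetchImpl is injectable so the check can be exercised offline.
async function userinfoStatus(session, issuerBaseUrl, fetchImpl = fetch) {
  const res = await fetchImpl(`${issuerBaseUrl}/userinfo`, {
    headers: { Authorization: `Bearer ${session.accessToken}` },
  });
  return res.status;
}

// Full check for one request: local checks first (cheap), then the remote
// round trip. A Next.js middleware would respond with
// NextResponse.redirect(new URL(LOGOUT_PATH, req.url)) when action is "logout".
async function checkRequest(session, issuerBaseUrl, fetchImpl = fetch) {
  const now = Math.floor(Date.now() / 1000);
  const local = decide({ session, nowSeconds: now });
  if (local.action === "logout") return local;
  const status = await userinfoStatus(session, issuerBaseUrl, fetchImpl);
  return decide({ session, nowSeconds: now, userinfoStatus: status });
}
```

Because the appSession cookie is only a client-held copy of the session, only the /userinfo round trip (or a refresh-token exchange) actually confirms the user still exists and has not been revoked.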