My team is using the @auth0/nextjs-auth0 SDK, version 3.1.0.

Our codebase uses the NextJS app directory structure, and I have followed along with the README, documentation, and example app closely.

Logging in and logging out works fine. However, I have noticed that no matter what I set our Refresh Token settings (e.g. their timeouts) or our Identity Token settings to, I am unable to force my user to re-sign in after these tokens expire. The app seems to simply always allow refreshing the app and still having the user appear to be logged in, even as far as useUser continuing to work.

This gets worse because it appears that I can even delete the user in Auth0's admin panel and they are still able to stay signed in, refresh the browser, and fetch some features such as via useUser.

This is not appearing true for the access token or identity token. On the server-side (of NextJS, in the app/api handlers), getAccessToken and getSession appear to always return a value, but our actual backend is refusing the tokens. So it appears there is a discrepancy happening here.

How do I make my NextJS 13 app router based Auth0 app always attempt to re-authenticate the user during a page load or refresh, so that even if they had previously signed on and a session token was stored by Auth0, there is still a real round trip to confirm that the session should be valid (that the user exists or that they didn't change their password)?

I'll paste some code here to illustrate our app setup thus far:
middleware.js

  import { withMiddlewareAuthRequired } from "@auth0/nextjs-auth0/edge";

  // The following paths will require authentication.
  // Note that root, `/`, is not included but will ultimately also require
  // authentication, due to a next.js config setting that redirects `/` to
  // `/incidents`.
  // See: https://auth0.github.io/nextjs-auth0/types/helpers_with_middleware_auth_required.WithMiddlewareAuthRequired.html
  export const config = {
    matcher: [
      "/incidents/:path*",
      "/settings/:path*"
    ],
  };

  export default withMiddlewareAuthRequired();
app/api/auth/[auth0.js]

  import { handleAuth, handleLogin, handleLogout } from "@auth0/nextjs-auth0";

  export const GET = handleAuth({
    login: handleLogin({
      authorizationParams: {
        prompt: "login",
      },
      returnTo: "/incidents",
    }),
    logout: handleLogout(() => {
      return {
        returnTo: "/",
      };
    }),
    onError(req, error) {
      console.error("An Auth0 error occurred:", error);
    }
  });
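Added example, not code from the original post or from the Auth0 SDK: a helper that performs the round trip the question asks for, trusting the cookie session only after Auth0's standard OIDC /userinfo endpoint accepts its access token. It assumes the session shape getSession() returns in nextjs-auth0 v3 (user.sub, accessToken, accessTokenExpiresAt in epoch seconds) and a placeholder AUTH0_ISSUER_BASE_URL; the fetch stand-in is constructed so the example runs offline.

```javascript
// Added example, not from the original post or the Auth0 SDK.
// Assumes the nextjs-auth0 v3 session shape (user.sub, accessToken,
// accessTokenExpiresAt in epoch seconds) and the standard OIDC /userinfo
// endpoint on the tenant's issuer URL. The issuer value is a placeholder.
const AUTH0_ISSUER_BASE_URL =
  process.env.AUTH0_ISSUER_BASE_URL || "https://YOUR_TENANT.example.auth0.com";

// The cached cookie session is only trusted if Auth0 still accepts its access
// token. A deleted or blocked user, or a revoked grant, yields a non-200 reply,
// which the caller turns into a redirect to /api/auth/login.
async function verifySessionWithAuth0(session, fetchImpl = fetch) {
  if (!session || !session.accessToken) {
    return { valid: false, reason: "no-session" };
  }
  // Cheap local check first: an already-expired token needs no network call.
  const now = Math.floor(Date.now() / 1000);
  if (typeof session.accessTokenExpiresAt === "number" && session.accessTokenExpiresAt <= now) {
    return { valid: false, reason: "expired" };
  }
  const res = await fetchImpl(`${AUTH0_ISSUER_BASE_URL}/userinfo`, {
    headers: { Authorization: `Bearer ${session.accessToken}` },
  });
  if (res.status !== 200) {
    return { valid: false, reason: `userinfo-${res.status}` };
  }
  const profile = await res.json();
  // The identity Auth0 reports must be the one stored in the cookie.
  if (!session.user || profile.sub !== session.user.sub) {
    return { valid: false, reason: "sub-mismatch" };
  }
  return { valid: true, profile };
}

// Constructed stand-in for fetch so the example runs offline: exactly one
// token is accepted, anything else gets the 401 Auth0 returns for a revoked
// or unknown token.
function makeFakeFetch(liveToken, sub) {
  return async (_url, init) => {
    const auth = (init && init.headers && init.headers.Authorization) || "";
    if (auth === `Bearer ${liveToken}`) {
      return { status: 200, json: async () => ({ sub }) };
    }
    return { status: 401, json: async () => ({ error: "invalid_token" }) };
  };
}
```

In an app/api route handler the result of getSession() would be passed in and the request redirected to /api/auth/login whenever valid is false, so the deleted user from the question is sent through a full login instead of being served from the cookie.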