How do we ensure a session is still valid on refresh with NextJS app folder?

bradleygriffith-cit · August 14, 2023, 9:40pm

My team is using the @auth0/nextjs-auth0 SDK, version 3.1.0.

Our codebase uses the NextJS app directory structure, and I have followed along with the README, documentation, and example app closely.

Logging in and logging out works fine. However, I have noticed that no matter what I set our Refresh Token settings (e.g.; their timeouts) nor our Identity Token settings to, I am unable to force my user to re-sign in after these tokens expire. The app seems to simply always allow refreshing the app and still having he user appear to be logged in, even as far as useUser continuing to work.

This gets worse because it appears that I can even delete the user in Auth0’s admin panel and they are still able to stay signed in, refresh the browser, and fetch some features such as via useUser.

This is not appearing true for the access token or identity token. On the server-side (of NextJS, in the app/api handlers), getAccessToken and getSession appear to always return a value, but our actual backend is refusing the tokens. So it appears there is a discrepancy happening here.

How do I make my NextJS 13 app router based Auth0 app always attempt to re-authenticate the user during a page load or refresh so that even if they had previously signed on and a session token was stored by Auth0, that there is still a real round trip to confirm that the session should be valid (that the user exists or that they didnt change their password).

Ill paste some code here to illustrate our app setup thus far:

middleware.js

import { withMiddlewareAuthRequired } from "@auth0/nextjs-auth0/edge";

// The following paths will require authentication.
// Note that root, `/`, is not included but will ultimately also required
// authentication, due to a next.js config setting that redirects `/` to
// `/incidents`.
// See: https://auth0.github.io/nextjs-auth0/types/helpers_with_middleware_auth_required.WithMiddlewareAuthRequired.html
export const config = {
  matcher: [
    "/incidents/:path*",
    "/settings/:path*"
  ],
};

export default withMiddlewareAuthRequired();

app/api/auth/[auth0.js]

import { handleAuth, handleLogin, handleLogout } from "@auth0/nextjs-auth0";

export const GET = handleAuth({
  login: handleLogin({
    authorizationParams: {
      prompt: "login",
    },
    returnTo: "/incidents",
  }),
  logout: handleLogout(() => {
    return {
      returnTo: "/",
    };
  }),
  onError(req, error) {
    console.error("An Auth0 error occured:", error);
  }
});

christian.aquino · September 8, 2023, 8:05pm

Hi @bradleygriffith-cit! Have you solve that? I have the same problem.

drustill4 · February 4, 2024, 6:39pm

Hey @bradleygriffith-cit , also have been running into this issue on and off for months now. Wondering if you ever came around to figuring this out?

lucas8 · April 4, 2024, 4:01pm

Getting the same issue. I also find that logout from a user (cookie is deleted) but then redirect is done the cookie is appended with the previous user. Even if a log in to another user, it only update client side (useUser), if I reload the app it will come back to previous logged in user since the appSession in cookie belongs to it