Refresh token rotation using the JWT callback does not work in app directory #7522

Closed
PaulWild opened this issue May 11, 2023 · 4 comments
Labels
documentation Relates to documentation triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.

Comments

@PaulWild

What is the improvement or update you wish to see?

The app directory feature of Next.js does not allow the cookies to be updated on the server. This means that any usages of getServerSession that would trigger a refresh token rotation as described in the docs would not set the new access token / refresh token / expires time in the next-auth cookie.

This should be made clear in the documentation.

Is there any context that might help us understand?

N/A

Does the docs page already exist? Please link to it.

https://authjs.dev/guides/basics/refresh-token-rotation

@PaulWild PaulWild added documentation Relates to documentation triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime. labels May 11, 2023
@AdisonCavani

AdisonCavani commented May 11, 2023

See: https://next-auth.js.org/configuration/nextjs#in-app-directory

Currently, the underlying Next.js cookies() method only provides read access to the request cookies. This means that the expires value is stripped away from session in Server Components. Furthermore, there is a hard expiry on sessions, after which the user will be required to sign in again. (The default expiry is 30 days).

Next.js docs: https://nextjs.org/docs/app/api-reference/functions/cookies
Next.js recently added an API for cookies, but only for Server Actions or Route Handlers.

Similar issue: #7025

@balazsorban44
Member

Closing as mentioned above. We are working on support for this via other means (Server Action, Route Handler, and/or Middleware) in the next major version of NextAuth.js.

@PaulWild
Author

It's great to hear that this will be implemented, but, as raised, the documentation for the current version is not clear that the token refresh won't work as expected in the app directory. Is it not worth adding a small warning on the guide?

@balazsorban44
Member

It's already mentioned here: https://next-auth.js.org/configuration/nextjs#in-app-directory

The refresh token rotation guide purposefully does not mention App Router yet.
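
Added example, not part of the thread and not NextAuth.js or Next.js code: a constructed simulation of the failure this issue describes, comparing a session cookie the server can write back with one it can only read. It assumes a provider that treats each refresh token as single-use; `makeProvider`, `jwtCallback`, `simulate` and the `refresh_failed` label are hypothetical names.

```javascript
// Constructed simulation. No real NextAuth.js / Next.js API is called here.

// Toy identity provider (assumption): rotating a refresh token invalidates the old one.
function makeProvider() {
  let counter = 0;
  let validRefresh = "rt-0";
  return {
    initialRefreshToken: validRefresh,
    refresh(refreshToken, now) {
      if (refreshToken !== validRefresh) return { error: "invalid_grant" };
      counter += 1;
      validRefresh = `rt-${counter}`;
      return {
        accessToken: `at-${counter}`,
        refreshToken: validRefresh,
        expiresAt: now + 60,
      };
    },
  };
}

// Same shape as a refresh done in a JWT callback:
// keep the token while it is valid, otherwise rotate it.
function jwtCallback(token, provider, now) {
  if (now < token.expiresAt) return token;
  const res = provider.refresh(token.refreshToken, now);
  if (res.error) return { ...token, error: "refresh_failed" };
  return res;
}

// Replays requests at the given times (seconds). `writable` models whether
// the server can persist the rotated token back into the session cookie.
function simulate(writable, times) {
  const provider = makeProvider();
  let cookie = {
    accessToken: "at-0",
    refreshToken: provider.initialRefreshToken,
    expiresAt: 60,
  };
  return times.map((now) => {
    const token = jwtCallback(cookie, provider, now);
    if (writable) cookie = token; // a read-only cookie keeps the stale token
    return token.error ?? token.accessToken;
  });
}

console.log("writable :", simulate(true, [10, 70, 80, 140]));
console.log("read-only:", simulate(false, [10, 70, 80, 140]));
```

With the read-only cookie the first rotation succeeds but is never stored, so every later request presents the already-used refresh token and fails.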
