auth0 / nextjs-auth0

Next.js SDK for signing in with Auth0

withMiddlewareAuthRequired does not check token expiration

mogzol opened this issue · comments

Description

I am using withMiddlewareAuthRequired in my Next.js 14 app (using app router). I have noticed that users with expired tokens in their session can still access the app as if they are logged in. Looking at the code, it seems that withMiddlewareAuthRequired only checks that the session exists and can be read, and does not check if the token is expired or not.

I'm not sure if this is intentional behaviour, but I definitely did not expect it to behave this way. I expected withMiddlewareAuthRequired to redirect users with expired tokens to the login.

Reproduction

  1. Set up an app with the withMiddlewareAuthRequired middleware.
  2. Log in
  3. Wait for the token to expire (but not long enough for the session cookie to expire)
  4. Try using the app, observe that you can, and withMiddlewareAuthRequired does not redirect you to login
  5. Additionally, calling getSession still works and returns the session with the expired token

Additional context

I found that I can work around this by either using an absolute session with a duration <= the token expiry time (so the cookie expires before the token), or by calling getAccessToken in the middleware, which will throw an error if the token is expired, which I can then catch and redirect the user to the login.

nextjs-auth0 version

3.5.0

Next.js version

14.0.4

Node.js version

20.10.0

+1, we are encountering the same issue. Thanks for opening @mogzol.

Based on my understanding, withPageAuthRequired also faces a similar issue. It safeguards pages and redirects users lacking a session to the login page. However, it permits users with expired tokens to access the protected pages.

Hi @mogzol - this is by design - the duration of the session is not tied to the ID Token, or Access Token's expiration

See #538 (comment) and #833 (comment) for more info

@mogzol Any idea how to proceed? The comments @adamjmcgrath linked to don't really provide any direction.

@mrhaddad, in my middleware, I call the getAccessToken() function, which throws an error if the access token is invalid

import { AccessTokenError } from "@auth0/nextjs-auth0/edge"; // edge entry point, since this runs in middleware
// `auth0` is the SDK instance the middleware already has (created with initAuth0; not shown in this snippet)

try {
  // The nextjs-auth0 library does not check token expiry in withMiddlewareAuthRequired, so do it
  // here by calling getAccessToken, which will throw an error if the token is expired.
  await auth0.getAccessToken();
} catch (e) {
  if (e instanceof AccessTokenError && e.code === "ERR_EXPIRED_ACCESS_TOKEN") {
    // Token is expired, do whatever here
  }
  throw e;
}
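The expiry gate this thread converges on, written as a pure decision function that can be unit-tested apart from the Next.js middleware. This is an added example, not code from the nextjs-auth0 project or from the comment author; it assumes the session object has the shape getSession() returns in v3 (accessTokenExpiresAt in seconds since epoch, optional refreshToken) and that the SDK's default login route is /api/auth/login.

```javascript
// Added example: gate a request on access-token expiry, independent of the
// session cookie's own lifetime (which the SDK does not tie to the token).
// Assumed session shape: { user, accessToken, accessTokenExpiresAt, refreshToken? }.

const LOGIN_PATH = "/api/auth/login"; // SDK default login route
const CLOCK_SKEW_SECONDS = 60;        // treat tokens about to expire as expired

// Returns "ok", "refresh" or "login":
//   ok      -> token still valid, let the request through
//   refresh -> token expired but a refresh token exists; let getAccessToken
//              refresh it before serving the request
//   login   -> no session, no token metadata, or expired with nothing to
//              refresh: fail closed and send the user to login
function classifySession(session, nowSeconds) {
  if (!session || !session.user) return "login";
  const exp = session.accessTokenExpiresAt;
  if (typeof exp !== "number") return "login";
  const expired = exp <= nowSeconds + CLOCK_SKEW_SECONDS;
  if (!expired) return "ok";
  return session.refreshToken ? "refresh" : "login";
}

// Redirect target for the "login" case; returnTo lets the SDK send the
// user back to the page they asked for after re-authenticating.
function loginRedirect(requestUrl) {
  const url = new URL(requestUrl);
  const login = new URL(LOGIN_PATH, url.origin);
  login.searchParams.set("returnTo", url.pathname + url.search);
  return login.toString();
}

// Constructed sample: cookie still within its rolling lifetime, but the
// access token expired an hour ago and no refresh token was issued.
const NOW = 1_700_000_000;
const staleSession = {
  user: { sub: "auth0|example" },
  accessToken: "<opaque>",
  accessTokenExpiresAt: NOW - 3600,
};

// What a middleware would do with the sample: verdict plus redirect URL.
function demo() {
  const verdict = classifySession(staleSession, NOW);
  const target =
    verdict === "login" ? loginRedirect("https://app.example/dashboard?tab=1") : null;
  return { verdict, target };
}
```

In the middleware itself, "login" maps to NextResponse.redirect(loginRedirect(req.url)), "refresh" to a getAccessToken call before NextResponse.next(), and "ok" to NextResponse.next().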