Check if token expired before refresh (#2101)

2025-04-14 20:46:15 +02:00 · 2025-04-14 20:46:15 +02:00 · 1103f04f4b
commit 1103f04f4b
parent fd7ffb90f5
1 changed files with 21 additions and 2 deletions
--- a/lib/auth.js
+++ b/lib/auth.js
@ -135,6 +135,13 @@ async function resetMultiAuthCookies (req, res) {
  setMultiAuthCookies(req, res, { ...decoded, jwt: token })
 }

+class JwtExpiredError extends Error {
+  constructor () {
+    super('token expired')
+    this.name = 'JwtExpiredError'
+  }
+}
+
 async function refreshMultiAuthCookies (req, res) {
  const httpOnlyOptions = cookieOptions()
  const jsOptions = { ...httpOnlyOptions, httpOnly: false }
@ -145,8 +152,12 @@ async function refreshMultiAuthCookies (req, res) {

  const refreshToken = async (token) => {
    const secret = process.env.NEXTAUTH_SECRET
+    const decoded = await decodeJWT({ token, secret })
+    if (decoded.exp <= Date.now() / 1000) {
+      throw new JwtExpiredError()
+    }
    return await encodeJWT({
-      token: await decodeJWT({ token, secret }),
+      token: decoded,
      secret
    })
  }
@ -161,7 +172,15 @@ async function refreshMultiAuthCookies (req, res) {

    if (MULTI_AUTH_JWT_REGEXP.test(key) || key === SESSION_COOKIE) {
      const oldToken = value
-      const newToken = await refreshToken(oldToken)
+      let newToken
+      try {
+        newToken = await refreshToken(oldToken)
+      } catch (err) {
+        if (err instanceof JwtExpiredError) {
+          continue
+        }
+        throw err
+      }
      res.appendHeader('Set-Cookie', cookie.serialize(key, newToken, httpOnlyOptions))
      continue
    }