exp claim timestamp check failed
Checklist
- [X] The issue can be reproduced in the nextjs-auth0 sample app (or N/A).
- [X] I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
- [X] I have looked into the API documentation and have not found a suitable solution or answer.
- [X] I have searched the issues and have not found a suitable solution or answer.
- [X] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- [X] I agree to the terms within the Auth0 Code of Conduct.
Description
I have a Single Page Application built using NextJS and the auth0-nextjs library to manage user authentication and web sessions. I am using the pages router and routing all of my front-end requests through the API route handlers, where each handler looks similar to the following:
```ts
import type { NextApiRequest, NextApiResponse } from "next";
import { withApiAuthRequired, getSession } from "@auth0/nextjs-auth0";
import axios from "axios";

// Route is only reachable with a valid nextjs-auth0 session cookie.
export default withApiAuthRequired(handler);

export async function handler(req: NextApiRequest, res: NextApiResponse) {
  const session = await getSession(req, res);
  // Prefer the access token stored in the session, fall back to a bearer header.
  const token = session?.accessToken || req.headers.authorization?.replace("Bearer ", "");
  await handleRequest(req, res, process.env.BASE_URL, token);
}

async function handleRequest(
  req: NextApiRequest,
  res: NextApiResponse,
  baseUrl: string,
  token?: string
) {
  const headers = {
    ...(token ? { Authorization: `Bearer ${token}` } : {}),
  };
  // Proxy the call to the backend API, forwarding the query string and the bearer token.
  axios
    .get(`${baseUrl}/v1/applications`, {
      headers: headers,
      params: req.query,
    })
    .then((response) => {
      res.status(response.status).json(response.data);
    })
    .catch((error) => {
      if (error.response) {
        // Backend answered with an error status (e.g. the 401 described below).
        res.status(error.response.status).json(error.response.data);
      } else if (error.request) {
        // Request was sent but no response arrived.
        res.status(500).json(error.request);
      } else {
        res.status(500).json(error);
      }
    });
}
```
The problem is that we have seen issues intermittently where the requests to the backend are failing with a 401 error - exp claim timestamp check. Logging the user out of the session and re-logging back in fixes this issue.
I would expect the browser to handle a stale session automatically by logging the user out and/or refreshing the tokens using refresh tokens if necessary; however, this doesn't seem to be happening here. I have a hard time reproducing the issue as it only seems to appear after a certain amount of time passes. Could it be that the library is respecting some fixed timeout whereas the actual session timeout is shorter?
Reproduction
I'm unable to share specifics on how to reproduce this issue. I was hoping for some guidance on the behavior of the auth0-nextjs library with regards to handling token refreshing.
Additional context
The API server is an Express Node.js server using the express-oauth2-jwt-bearer library version 1.1.0. The server is the one throwing the error; however, I believe it's not an issue with the server because clearing the browser cache fixes the issue.
nextjs-auth0 version
3.5.0
Next.js version
7.84.0
Node.js version
20.3.3
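The failure described in this issue is the backend's JWT validator rejecting an access token whose `exp` claim is already in the past, while the session cookie that carries that token is still valid. The example below is added here to illustrate that split; it is not code from the issue or from the nextjs-auth0 project. It reads `exp` out of a compact JWT (without verifying the signature, which is only acceptable for a pre-flight staleness check on a token the server will verify anyway) and decides whether a proxy handler should use the cached token, ask for a refresh, or send the user back through login. The `SessionLike` shape, the `planTokenUse` function and the `refresh` callback are assumptions made for this example; in a real handler the refresh step would be delegated to the library (nextjs-auth0 exposes a `getAccessToken` helper for that, which is not shown on this page), and the sample token is constructed inline with an unsigned payload.

```typescript
// Added example: pre-flight expiry check for a proxied access token.
// Not part of the issue or of @auth0/nextjs-auth0.

type Claims = { exp?: number; [claim: string]: unknown };

// Hypothetical session shape, modelled loosely on what a session cookie carries.
export type SessionLike = {
  accessToken?: string;
  refreshToken?: string;
};

export type TokenPlan =
  | { action: "use"; token: string }      // token still valid, forward it
  | { action: "refresh" }                  // expired (or about to), refresh token present
  | { action: "reauthenticate" };         // nothing usable, user must log in again

const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Minimal base64url decoder (ASCII payloads only), kept dependency-free on purpose.
export function base64UrlDecode(input: string): string {
  let acc = 0, bits = 0, out = "";
  for (const ch of input.replace(/=+$/, "")) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error("invalid base64url character");
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1; // drop the bits already emitted
    }
  }
  return out;
}

// Reads the payload of a compact JWS. Does NOT verify the signature: use only
// to decide whether to refresh before calling an API that will verify it.
export function readClaims(jwt: string): Claims {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(base64UrlDecode(parts[1])) as Claims;
}

// Mirrors the server-side rule behind "exp claim timestamp check failed":
// the token is unusable once now >= exp (+ any clock tolerance the server grants).
export function isExpired(jwt: string, nowSeconds: number, leewaySeconds = 0): boolean {
  const { exp } = readClaims(jwt);
  if (typeof exp !== "number") return true; // no exp claim: treat as unusable
  return nowSeconds >= exp + leewaySeconds;
}

// Decide what a proxy handler should do with the session's token. `marginSeconds`
// treats a token that expires within the margin as already stale, so a request
// in flight does not arrive at the backend a second after exp.
export function planTokenUse(
  session: SessionLike | null | undefined,
  nowSeconds: number,
  marginSeconds = 30,
): TokenPlan {
  if (!session?.accessToken) return { action: "reauthenticate" };
  const stale = isExpired(session.accessToken, nowSeconds + marginSeconds);
  if (!stale) return { action: "use", token: session.accessToken };
  return session.refreshToken ? { action: "refresh" } : { action: "reauthenticate" };
}

// Apply the plan. `refresh` is a hypothetical callback standing in for the
// library's refresh-token exchange; it returns the new access token.
export async function resolveAccessToken(
  session: SessionLike | null | undefined,
  refresh: () => Promise<string>,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): Promise<string> {
  const plan = planTokenUse(session, nowSeconds);
  if (plan.action === "use") return plan.token;
  if (plan.action === "refresh") return refresh();
  throw new Error("session stale and not refreshable: user must log in again");
}

// Constructed sample: header {"alg":"none"}, payload {"exp":1000}, empty signature.
export const SAMPLE_TOKEN = "eyJhbGciOiJub25lIn0.eyJleHAiOjEwMDB9.";
```

The point for the handler in the issue is the order of checks: `withApiAuthRequired` only proves the session cookie is valid, and `session.accessToken` can have expired long before the cookie does, so the decision to refresh has to be made against the token's own `exp`, not against the session lifetime.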