Trying to add refresh token logic in next-auth

no lie, next-auth kind of sucks

Comments

screw this I'm switching back to database strategy. I'm not convinced using jwt strategy isn't worth the hassle when it comes to using next-auth

WebDevCody

I've found myself shimmying the entire auth logic into the next-auth config. To the point that it would've been easier to roll my own auth from scratch... that's next-auth for you.

drprdcts

Nice one! Thanks for sharing this with us, it's a great one 👏

pHProgramming

When I first used next-auth, I hated it because of these reasons. I was wondering how everyone is advertising next-auth as a good solution. I am glad I am not the only one who thinks so.

binamralamsal

Cool, I’ll have to dig into next auth again. I tested the v5 beta a few months ago and kept running into various issues. So switched back to Clerk. I do like next auth, but just didn’t have time to mess with authentication because it is always more of a distraction from what I actually wanted to build. Looking forward to seeing how your project turns out and I’ll revisit next auth again soon.

Stallion

Great vid! I love these forms of videos, my favourite! :)
I suppose a way for users to "take back" control when they get their access token/refresh token taken could be to just log out and log back in. Would it make sense to delete old refresh tokens when you log in? That's how the typical cookie system works, right? You're only vulnerable until you log in again.

oSpam

I tried using next-auth at first and absolutely hated it. Could not get it to consistently refresh tokens across server components, server actions, client components, etc. As I have a separate backend, I switched it up so that the backend handles the OAuth flow and refreshes tokens automatically. All I need the frontend to do is check that the cookie exists. If Next middleware doesn't see the cookie or a fetch returns 401, the user hits the backend /login route. You could almost certainly set that up with route handlers too, I imagine.

buzzebee

My approach was to fetch a new token from the OAuth provider when it expires, then replace the old one. IDK if this is the right way, but I saw the same method in the docs.

lee.g.v

You should look into building your own auth (Cognito being the easiest for me) because it gives you way more control with less code. You already know the basics by now, so you'll find it much simpler.

jairseedorf

I'm doing a test project right now and all I wanted to do was have the ability to deauthorize (ban) a user by changing their role in real time. I'm using the credentials provider and I was told that using a refresh token was probably the best way, because in my current setup I'm querying the database and getting the user's role from there on every request to a protected page (which is not scalable at all, obviously). After hitting my head against the wall for 3 days I genuinely think querying the database on every request and just adding read replicas would be EASIER and more convenient than implementing a proper way to invalidate in Auth.js. Just horrific documentation, especially for a new dev like myself.

nasko

I have a problem with the Minecraft server hosting project I am trying to practice, but when I run the agent it gives me an error and I can only run the client. Please help, thanks.

darespvpmc

Why "jwt" over "database"? I can see that a database is present in the project. As I am working on a project of my own and I went with the "database" strategy, I wonder if there are tradeoffs I am not aware of?

NoIngNames

Hello sir, sorry, my English is bad. I want to ask: I have followed your tutorial about Auth.js rotation, but why in my code does the refresh token only run once, and then it refreshes the token with a long refresh token, even though in auth.ts I have matched the algorithm to your video? BTW, the application I'm working on is Next.js. If you reply to my message, I will send some code so that you can give me a solution.

MrCakilSindycate-uvdo

I love Next Auth, but it is a constant pain when you run into basic things it still doesn't support.

euanmorgann

I'm new to Next.js and I'm trying to implement access/refresh token logic but without JWT. My API is in Go. Does next-auth support that? From what I understood reading the docs, it only supports JWT. Is that correct?

zarzonis

Hey Cody, just wondering why you are saving the refresh token in the db. I understood your point about security, but couldn't you just encrypt it with a secret on the backend and put it in an httpOnly cookie? In case of compromise you could just change the secret salt (this might lead to many other people getting logged out, though, but it's a very rare case).

jazzdestructor

If you're using jwt, curious why you store it in the database? Because this becomes the database strategy.

Cuz in jwt there's a private signing key which encrypts and decrypts the token stored in the httpOnly cookie (no uuid, but hash functions used). No database involved. So this code will become much simpler.

sameerahmedk

I haven't used next-auth since the pages router. I hope it got easier to customize, because back then it always felt gross.

ooccococococooco

How I would like to do it:

/auth/login - issue a refresh token and an access token.

Store the refresh token in a cookie and don't store the access token at all.

/auth/refresh - get a new access token; called on full page reload or if the token expires while the client is still on the page.

Reduce the lifetime of the access token to <5 min.

How I like to keep track of refresh tokens:
I create a devices table which stores info about the user-agent and IP address. I put the device id in the refresh token. When a request for a token refresh is made, I check if the device exists; if yes, then return an access token.

abhinavadarsh

Next and next-auth are a joke; you can use them only for hello world projects. In a real-world scenario where you need to support auth calls to an API both in the browser and on the server, it's impossible to implement this in Next. Switched to Remix and feeling good.

nickolaykabash