Access token expiration not updated after the first refresh when using custom API

[TheoGrassien]

In my Next.js project, where I am using auth.js with the credentials provider and generating access and refresh tokens with my custom API, I am encountering the following issue:

After the first access token expires, the refresh process works as expected. However, after each subsequent API call, the refresh function is triggered again. This is happening because the token.accessExpire is never updated, so it always passes the check if (Date.now() > token.accessExpire).

When I log the new accessExpire, it correctly shows a new expiration date, but for some reason, the token isn't being updated properly.

Here is my code :

// auth.js
import NextAuth from 'next-auth';
import Credentials from 'next-auth/providers/credentials';

const apiUrl = process.env.API_URL;
const ACCESS_TOKEN_LIFETIME = 10 * 1 * 1000; // Example: 10 seconds
const REFRESH_TOKEN_LIFETIME = 60 * 60 * 24 * 1000; // Example: 24 hours

const options = {
  providers: [
    Credentials({
      credentials: {
        email: { label: 'Email', type: 'email' },
        password: { label: 'Password', type: 'password' },
      },
      authorize: async (credentials) => {
        const res = await fetch(`${apiUrl}/authentication/login/token/`, {
          method: 'POST',
          headers: {
            'Content-Type': 'application/json',
          },
          body: JSON.stringify(credentials),
        });

        const data = await res.json();
        const user = data.user;

        if (res.ok && data.user) {
          user.accessToken = data.access;
          user.refreshToken = data.refresh;
          return user;
        }
        return null;
      },
    }),
  ],
  pages: {
    signIn: '/login',
  },
  callbacks: {
    async jwt({ token, user }) {
      if (user) {
        token.firstname = user.firstname;
        token.lastname = user.lastname;
        token.is_lawyer = user.is_lawyer;
        token.uuid = user.user_uuid;
        token.accessToken = user.accessToken;
        token.refreshToken = user.refreshToken;
        token.accessExpire = Date.now() + ACCESS_TOKEN_LIFETIME;
      }

      if (Date.now() > token.accessExpire) {
        console.log('accessExpire', token.accessExpire);
        console.log('Access token expired, refreshing...');

        const newToken = await refreshAccessToken(token);
        token.accessToken = newToken.accessToken;
        token.accessExpire = newToken.accessExpire;
        console.log('new accessExpire', token.accessExpire);
      }

      return token;
    },
    async session({ session, token }) {
      if (token) {
        session.user.firstname = token.firstname;
        session.user.lastname = token.lastname;
        session.user.is_lawyer = token.is_lawyer;
        session.user.uuid = token.uuid;
        session.accessToken = token.accessToken;
      }

      return session;
    },
  },
};

async function refreshAccessToken(token) {
  try {
    const res = await fetch(`${apiUrl}/authentication/login/token/refresh/`, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ refresh: token.refreshToken }),
    });

    const data = await res.json();

    if (data.error === 'RefreshAccessTokenError') {
      return {
        ...token,
        error: 'RefreshAccessTokenError',
        accessToken: null,
        refreshToken: null,
        accessExpire: 0,
      };
    }

    if (!res.ok) {
      throw new Error('Failed to refresh token');
    }

    return {
      ...token,
      accessToken: data.access,
      accessExpire: Date.now() + ACCESS_TOKEN_LIFETIME,
    };
  } catch (error) {
    console.error('Error while refreshing token:', error);
    return {
      ...token,
      error: 'RefreshAccessTokenError',
      accessToken: null,
      accessExpire: 0,
    };
  }
}

export const { handlers, signIn, signOut, auth } = NextAuth(options);

The issue seems to be that token.accessExpire is not updating as expected. Any guidance on how to fix this or if I'm missing something in my flow would be appreciated!

[nic-vo]

Could it be as simple as ACCESS_TOKEN_LIFETIME is really short? Do you make subsequent API calls more than 10 seconds apart? If so, that'll trigger the access refresh every single time