Skip to content

fix(auth-next-server): deduplicate concurrent token refresh to prevent invalid_grant #2865

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dom-murray wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(auth-next-server): deduplicate concurrent token refresh to prevent invalid_grant #2865

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 34 additions & 12 deletions packages/auth-next-server/src/refresh.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,20 +85,16 @@ export function extractZkEvmFromIdToken(idToken?: string): ZkEvmData | undefined
return undefined;
}

/**
* Refresh access token using the refresh token.
* This is called server-side in the JWT callback when the access token is expired.
*
* @param refreshToken - The refresh token to use
* @param clientId - The OAuth client ID
* @param authDomain - The authentication domain (default: https://auth.immutable.com)
* @returns The refreshed tokens
* @throws Error if refresh fails
*/
export async function refreshAccessToken(
// Deduplicates concurrent refresh calls for the same refresh token.
// OAuth refresh tokens are single-use: if two requests arrive simultaneously
// with the same expired token, only the first call reaches the provider.
// Subsequent callers await the same promise and receive the same result.
const refreshPromises = new Map<string, Promise<RefreshedTokens>>();

async function doRefreshAccessToken(
refreshToken: string,
clientId: string,
authDomain: string = DEFAULT_AUTH_DOMAIN,
authDomain: string,
): Promise<RefreshedTokens> {
const tokenUrl = `${authDomain}/oauth/token`;

Expand Down Expand Up @@ -141,3 +137,29 @@ export async function refreshAccessToken(
accessTokenExpires: decodeJwtExpiry(tokenData.access_token),
};
}

/**
* Refresh access token using the refresh token.
* This is called server-side in the JWT callback when the access token is expired.
*
* @param refreshToken - The refresh token to use
* @param clientId - The OAuth client ID
* @param authDomain - The authentication domain (default: https://auth.immutable.com)
* @returns The refreshed tokens
* @throws Error if refresh fails
*/
export async function refreshAccessToken(
refreshToken: string,
clientId: string,
authDomain: string = DEFAULT_AUTH_DOMAIN,
): Promise<RefreshedTokens> {
const cacheKey = `${clientId}:${refreshToken}`;
const inflight = refreshPromises.get(cacheKey);
if (inflight) return inflight;

const promise = doRefreshAccessToken(refreshToken, clientId, authDomain).finally(() => {
refreshPromises.delete(cacheKey);
});
refreshPromises.set(cacheKey, promise);
return promise;
}
Loading