Having a fixed maxAge/Expires time for the session (instead of rotational policy)

[nik32]

Description 📓

Problem statement
@balazsorban44 @ThangHuuVu This requirement arises because of we using credentials provider with auth functionality provided by our own backend. Due to maxAge being rotational it leads to 'page jump' problem in our application.
Our backend API provides me JWT token along with its expiry time (which is stored in the NextAuth session). Now what happens is that whenever user visits the page -

1. Before rendering each page we check if the session is valid. If its valid then page is rendered (its inspired by code given in docs - https://next-auth.js.org/getting-started/client#custom-client-session-handling)
2. When the page is rendered, API is called with the JWT (to fetch data related to the page)
3. Now because the JWT token (provided by the backend of our application) is expired... backend returns a 401
4. When I receive 401 I logout the user and thus he is redirected to login page
   Now the problem with the above is that the user is allowed to see our auth related pages for a while (until the data is being loaded) and then suddenly as soon as frontend knows that the token has expired... user is logged out and thus being redirected to login page. This leads to page jump and thus a very bad user experience (also as 401 is an error response, the user sees error message for a few secs, in each component where API call is made (until he is eventually logged out). This worsens the UX further).
   I feel maybe people in the below issues are also facing the same issue -
   Custom session expire date #2790

Proposed solution
I feel this can be solved just if the maxAge/expires can be fixed to the date and time provided by our API (this can be an opt-in option). If this feature is provided, the flow of our app (explained in the problem statement above) will become as follows -

1. Before rendering each page we check if the session is valid.
2. Because of fixed maxAge... the session will now be 'unauthenticated' when JWT expires and thus the user can be redirected to the login page [using the onUnauthenticated() callback provided by useSession()] without rendering the auth related pages (thus no page jump)

PS: Please feel free to correct me if you find a gap in my understanding as I am relatively inexperienced

How to reproduce ☕️

Sorry, Can't help with this

Contributing 🙌🏽

No, I am afraid I cannot help regarding this

[hjoelh]

similar issue here!

[hjoelh]

this seems to do the trick

add a fixedExpiry date to the newly created jwt/token

whenever a new session is initialised, read this new field off the jwt and attach to the session