Jacob Kim
Jacob Kim5mo ago

how to refresh JWTs before they expire

The default jwt.durationMs is an hour and it seems like convex-auth does not automatically refresh jwt. Am I responsible for refreshing the JWT before it expires? Or did I misconfigure something? I am using Next.js, and I am handling auth stuff with middleware like below.
import {
convexAuthNextjsMiddleware,
createRouteMatcher,
isAuthenticatedNextjs,
nextjsMiddlewareRedirect,
convexAuthNextjsToken,
} from '@convex-dev/auth/nextjs/server'

const isSignInPage = createRouteMatcher(['/login'])
const isProtectedRoute = createRouteMatcher(['/app(.*)'])

export default convexAuthNextjsMiddleware((request) => {
if (isSignInPage(request) && isAuthenticatedNextjs()) {
return nextjsMiddlewareRedirect(request, '/app')
}

if (isProtectedRoute(request) && !isAuthenticatedNextjs()) {
return nextjsMiddlewareRedirect(request, '/login')
}
})

export const config = {
// The following matcher runs middleware on all routes
// except static assets.
matcher: ['/((?!.*\\..*|_next).*)', '/', '/(api)(.*)'],
}
import {
convexAuthNextjsMiddleware,
createRouteMatcher,
isAuthenticatedNextjs,
nextjsMiddlewareRedirect,
convexAuthNextjsToken,
} from '@convex-dev/auth/nextjs/server'

const isSignInPage = createRouteMatcher(['/login'])
const isProtectedRoute = createRouteMatcher(['/app(.*)'])

export default convexAuthNextjsMiddleware((request) => {
if (isSignInPage(request) && isAuthenticatedNextjs()) {
return nextjsMiddlewareRedirect(request, '/app')
}

if (isProtectedRoute(request) && !isAuthenticatedNextjs()) {
return nextjsMiddlewareRedirect(request, '/login')
}
})

export const config = {
// The following matcher runs middleware on all routes
// except static assets.
matcher: ['/((?!.*\\..*|_next).*)', '/', '/(api)(.*)'],
}
7 Replies
Michal Srb
Michal Srb5mo ago
Convex Auth should be refreshing the token. If it does not, it's a bug. Can you provide any more details?
Jacob Kim
Jacob KimOP5mo ago
I would love to provide more details. what should I look for, which api endpoint gets triggered for refreshing the auth token? Will there be a log in the convex dashboard? or which function/api is responsible for refreshing the token?
Michal Srb
Michal Srb5mo ago
/api/auth is the Next.js endpoint that proxies the signIn action to your Convex backend. Your Convex backend should have a log of the auth:signIn action succeeding or failing on refresh.
Jacob Kim
Jacob KimOP5mo ago
Do I need to have /app/api/auth/route.tsx ? It seems like convex already setup POST /api/auth endpoint. very puzzled. I guess I will have to dive in more to find a root cause. will report back if I find any.
Jacob Kim
Jacob KimOP5mo ago
I get this error on Convex dashboard.
Aug 09, 00:43:22

M auth:store error
'Invalid refresh token'
Aug 09, 00:43:22

M auth:store error
'Invalid refresh token'
This error occurs when refreshToken is null here. My question is, why would refreshToken be null in the first place?
GitHub
convex-auth/src/server/implementation.ts at 6e43328e02a96db99651dd4...
Library for built-in auth. Contribute to get-convex/convex-auth development by creating an account on GitHub.
Michal Srb
Michal Srb5mo ago
@Jacob Kim do you have a repro repo? It's easy to test the refresh logic by lowering the access token lifetime, in convex/auth.ts:

session: {
inactiveDurationMs: 1000 * 60 * 2,
},
jwt: {
durationMs: 1000 * 60,
},

session: {
inactiveDurationMs: 1000 * 60 * 2,
},
jwt: {
durationMs: 1000 * 60,
},
This will set the refresh token lifetime to 2 minutes and the jwt lifetime to 1 minute.
Jacob Kim
Jacob KimOP5mo ago
thanks for the response. I couldn't figure it out and now I moved away from nextjs to vite and everything is working fine 🤷‍♂️

Did you find this page helpful?