Force Refresh Access Token Enhancements #2164

Open: wants to merge 2 commits into base: main

@tusharpandey13 tusharpandey13 commented Jun 11, 2025

  • Added force refresh capability to client counterpart getAccessToken()
  • Added a refresh:boolean searchParam to /auth/access-token for force refresh
  • Updated examples

…
  • Add GetAccessTokenOptions type with refresh parameter to client-side getAccessToken
  • Update server-side handleAccessToken to support refresh query parameter
  • Add comprehensive unit tests for force refresh functionality
  • Add E2E tests with force refresh buttons for both app and pages router
  • Update EXAMPLES.md with comprehensive client and server-side force refresh examples
  • Maintain backward compatibility with existing getAccessToken usage
  • Add proper TypeScript overloads and JSDoc documentation
@tusharpandey13 tusharpandey13 requested a review from a team as a code owner June 11, 2025 11:43
@tusharpandey13 tusharpandey13 changed the title from "feat: add force refresh capabilities to client-side getAccessToken - Add GetAccessTokenOptions type with refresh parameter to client-side getAccessToken - Update server-side handleAccessToken to support refresh query parameter - Add comprehensive unit tests for force refresh functionality - Add E2E tests with force refresh buttons for both app and pages router - Update EXAMPLES.md with comprehensive client and server-side force refresh examples - Maintain backward compatibility with existing getAccessToken usage - Add proper TypeScript overloads and JSDoc documentation" to "Force Refresh Access Token Enhancements" Jun 11, 2025
codecov-commenter commented Jun 11, 2025

Codecov Report

Attention: Patch coverage is 28.57143% with 15 lines in your changes missing coverage. Please review.

Project coverage is 82.21%. Comparing base (be9b2e4) to head (94cb67a).

Files with missing lines                  Patch %   Lines
src/client/helpers/get-access-token.ts    0.00%     11 Missing ⚠️
src/server/auth-client.ts                 60.00%    4 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2164      +/-   ##
==========================================
- Coverage   82.61%   82.21%   -0.40%     
==========================================
  Files          21       21              
  Lines        2042     2058      +16     
  Branches      358      359       +1     
==========================================
+ Hits         1687     1692       +5     
- Misses        348      359      +11     
  Partials        7        7              

Comment on lines +16 to +33
/**
* Retrieves an access token from the `/auth/access-token` endpoint.
*
* @returns The access token string.
* @throws {AccessTokenError} If there's an error retrieving the access token.
*/
export async function getAccessToken(): Promise<string>;

/**
* Retrieves an access token from the `/auth/access-token` endpoint.
*
* @param options Configuration for getting the access token.
* @returns The access token string.
* @throws {AccessTokenError} If there's an error retrieving the access token.
*/
export async function getAccessToken(
options: GetAccessTokenOptions
): Promise<string>;
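
Review bot: The two declarations, `getAccessToken()` and `getAccessToken(options: GetAccessTokenOptions)`, differ only in whether `options` is passed, and their JSDoc blocks are duplicated almost word for word; a single signature with `options?: GetAccessTokenOptions` expresses the same contract with one doc block to maintain. Whichever form stays, the `@param options` line only says "Configuration for getting the access token"; it should name the fields the type accepts and what each one causes the call to do.
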
Member

Why do we need these overloads?

Contributor Author

To adhere to a no-contract change (adding new overloads)

Member

@frederikprijck frederikprijck Jun 11, 2025

We do not need those. We can just keep the one we have where options is marked optional, there is no point to the overloads here.

Comment on lines +593 to +597
if (!this.enableAccessTokenEndpoint) {
return new NextResponse("Not Found", {
status: 404
});
}
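
Review bot: The guard at lines +593 to +597 needs a test asserting that a request gets the 404 when `enableAccessTokenEndpoint` is false; the Codecov report on this page lists 4 uncovered lines in src/server/auth-client.ts. The check should also run before any query-parameter parsing or token refresh, so place it at the top of the handler if it is not already there.
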
Member

How does this relate to the PR scope?

@frederikprijck
Member

I would also propose to change the PR title to be: Support force refresh in client-side getAccessToken

Contributor

@guabu guabu left a comment

I don't think it's the right move to allow the untrusted client to dictate whether the AT should be refreshed. I would lean towards this being a server-side configuration option on the auth0 client (e.g.: alwaysRefreshTokenSet).

Are we trying to solve a particular problem that can't be addressed by making this a server-side configuration option?
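
One way to keep the refresh decision under server control, as raised in the review comment above; this is an added example, not code from this PR or the SDK. The `refresh` query parameter is parsed strictly and treated as a hint that server-side settings must permit. `allowClientForceRefresh`, `minForceRefreshIntervalMs`, `expiryLeewayMs`, the type names and `decideAccessTokenRequest` are hypothetical, and the sample URL is constructed.

```typescript
// Added example: every name except `refresh` and `enableAccessTokenEndpoint` is hypothetical.
type RefreshPolicy = {
  enableAccessTokenEndpoint: boolean; // endpoint gate, as in the PR hunk
  allowClientForceRefresh: boolean; // hypothetical server-side opt-in
  minForceRefreshIntervalMs: number; // hypothetical per-session throttle
  expiryLeewayMs: number; // hypothetical: refresh this close to expiry
};
type SessionTokenState = {
  expiresAt: number; // epoch ms
  lastForcedRefreshAt?: number; // epoch ms, kept server-side in the session
};
type Decision =
  | { status: 404 }
  | { status: 400; reason: string }
  | { status: 200; refresh: boolean; forced: boolean };

function decideAccessTokenRequest(
  requestUrl: string,
  policy: RefreshPolicy,
  session: SessionTokenState,
  now: number
): Decision {
  if (!policy.enableAccessTokenEndpoint) return { status: 404 };

  // Strict parsing: at most one value, and only "true" or "false".
  const values = new URL(requestUrl).searchParams.getAll("refresh");
  const raw = values.length === 1 ? values[0] : undefined;
  if (values.length > 1 || (values.length === 1 && raw !== "true" && raw !== "false")) {
    return { status: 400, reason: "invalid refresh parameter" };
  }
  const clientAskedRefresh = raw === "true";

  // Expiry-driven refresh stays the server's own decision.
  const nearExpiry = session.expiresAt - now <= policy.expiryLeewayMs;

  // The client's request is only a hint: honoured when the server opted in and
  // this session has not forced a refresh inside the throttle window.
  const throttled =
    session.lastForcedRefreshAt !== undefined &&
    now - session.lastForcedRefreshAt < policy.minForceRefreshIntervalMs;
  const forced = clientAskedRefresh && policy.allowClientForceRefresh && !throttled;

  return { status: 200, refresh: nearExpiry || forced, forced };
}

// Constructed sample: the client asks for a refresh, the server has not opted in.
const samplePolicy: RefreshPolicy = { enableAccessTokenEndpoint: true,
  allowClientForceRefresh: false, minForceRefreshIntervalMs: 60000, expiryLeewayMs: 30000 };
console.log(decideAccessTokenRequest("https://app.example/auth/access-token?refresh=true",
  samplePolicy, { expiresAt: 1750000600000 }, 1750000000000));
```

The throttle timestamp belongs in the server-side session, so a client cannot reset it by changing the request.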
