fix(core): honor session.updateAge for JWT strategy re-signing#13424

Open
Zelys-DFKH wants to merge 2 commits into
nextauthjs:mainfrom
Zelys-DFKH:fix/jwt-updateAge
Conversation

Zelys-DFKH commented Apr 28, 2026

Fixes #13248

Summary

`session.updateAge` throttles how often the session token is refreshed. The database
strategy already respects it (since v4), but the JWT strategy ignores it entirely,
re-signing and resetting the cookie on every single request.

What this does

Mirrors the throttle logic from the database branch into the JWT branch:

```
(payload.exp * 1000) - (sessionMaxAge * 1000) + (sessionUpdateAge * 1000) <= now
```

When the condition is false, `jwt.encode()` and `sessionStore.chunk()` are skipped.
The response body is unchanged: `expires` still reflects the full `sessionMaxAge`
window regardless of whether we re-sign.

Tests

Two regression tests added to `session.test.ts`:

  • Asserts no `Set-Cookie` when the token was just issued (within `updateAge` window)
  • Asserts a new signed token appears in `Set-Cookie` once `updateAge` has elapsed

All 148 tests pass.

Checklist

  • My code follows the project's coding style
  • I have added tests that prove my fix is effective
  • New and existing unit tests pass locally

The JWT strategy in the session action re-signed and re-set the session
token cookie on every request, ignoring `session.updateAge`. The
database strategy already throttled writes with the same option. This
applies the same formula to the JWT branch:

  (token expiry - sessionMaxAge) + sessionUpdateAge <= now

When the condition is false, jwt.encode() and the Set-Cookie header are
skipped. A forced update (isUpdate) or a token without an `exp` claim
always re-signs regardless of the window.

Tests: updated the existing JWT session test to reflect correct behavior
(fresh tokens are not re-signed), and added two regression tests that
verify the throttle boundary.

Fixes nextauthjs#13248
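To make the throttle boundary concrete, here is an added, self-contained model of the check this PR describes. It is not Auth.js code and does not touch the real `jwt.encode()` or cookie chunking; the function names (`shouldReSign`, `handleSessionRequest`, `simulateRequests`), the stubbed "re-sign" that only mints fresh `iat`/`exp` claims, and the request timestamps are assumptions constructed for illustration. The condition itself is the one from the PR, `(exp - sessionMaxAge) + sessionUpdateAge <= now`, with the claims in seconds and `now` in milliseconds, and the two escape hatches from the commit message (forced update, token without `exp`) are included.

```javascript
// Added example, not Auth.js code: a standalone model of the JWT re-sign
// throttle described in the PR. shouldReSign / handleSessionRequest /
// simulateRequests and the sample timestamps are assumptions for
// illustration; the condition is the PR's:
//   (exp - sessionMaxAge) + sessionUpdateAge <= now
// exp, sessionMaxAge and sessionUpdateAge are in seconds; now is in ms.

const MS = 1000;

// Decide whether the session token must be re-signed and the cookie re-set.
function shouldReSign({ payload, sessionMaxAge, sessionUpdateAge, now, isUpdate = false }) {
  // A forced update always re-signs, regardless of the window.
  if (isUpdate) return true;
  // Without an `exp` claim the issue time cannot be derived, so re-sign.
  if (typeof payload.exp !== "number") return true;
  // Recover the issue time from exp, since exp = issuedAt + sessionMaxAge.
  const issuedAtMs = payload.exp * MS - sessionMaxAge * MS;
  // True once at least sessionUpdateAge seconds have passed since issue.
  return issuedAtMs + sessionUpdateAge * MS <= now;
}

// Model of the session action for the JWT strategy: returns the (possibly
// re-signed) token, whether a Set-Cookie header would be emitted, and the
// `expires` value reported in the response body. Signing is stubbed: a
// "re-sign" here only mints a payload with fresh iat/exp claims.
function handleSessionRequest(token, { sessionMaxAge, sessionUpdateAge, now, isUpdate = false }) {
  const resign = shouldReSign({ payload: token, sessionMaxAge, sessionUpdateAge, now, isUpdate });
  // The response body always advertises the full sessionMaxAge window,
  // whether or not the cookie is rewritten.
  const expires = new Date(now + sessionMaxAge * MS).toISOString();
  if (!resign) return { token, setCookie: false, expires };
  const nowSec = Math.floor(now / MS);
  const fresh = { ...token, iat: nowSec, exp: nowSec + sessionMaxAge };
  return { token: fresh, setCookie: true, expires };
}

// Replay a series of request timestamps (ms) against one session and count
// how many times the cookie would be written.
function simulateRequests(requestTimesMs, { sessionMaxAge, sessionUpdateAge }) {
  // Initial token issued at t=0 with the full maxAge window.
  let token = { sub: "user-1", iat: 0, exp: sessionMaxAge };
  let cookieWrites = 0;
  for (const now of requestTimesMs) {
    const result = handleSessionRequest(token, { sessionMaxAge, sessionUpdateAge, now });
    token = result.token;
    if (result.setCookie) cookieWrites++;
  }
  return cookieWrites;
}

// Demo with the documented Auth.js defaults (30-day maxAge, 24-hour
// updateAge) and constructed request times: only the requests at exactly
// 24h and 48h after issue cross the boundary and re-sign.
const DEMO_OPTIONS = { sessionMaxAge: 30 * 24 * 60 * 60, sessionUpdateAge: 24 * 60 * 60 };
const DEMO_REQUESTS_MS = [1 * MS, 3600 * MS, 86399 * MS, 86400 * MS, 100000 * MS, 172800 * MS];
console.log(
  `cookie writes over ${DEMO_REQUESTS_MS.length} requests:`,
  simulateRequests(DEMO_REQUESTS_MS, DEMO_OPTIONS), // 2
);
```

One consequence worth keeping in mind when reviewing: because `expires` in the response body is computed from `now` while the token's own `exp` is only refreshed once per `updateAge` window, the signed cookie can expire up to `sessionUpdateAge` seconds earlier than the value the client is shown. That is the same trade-off the database strategy already makes, and it is why the boundary is `<=` rather than `<`: a request landing exactly at the edge of the window re-signs instead of waiting for the next one.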
@Zelys-DFKH Zelys-DFKH requested a review from ThangHuuVu as a code owner April 28, 2026 00:35
vercel Bot commented Apr 28, 2026

The latest updates on your projects.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| auth-docs | Ready | Preview, Comment | Apr 28, 2026 0:39am |

1 skipped deployment:

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| next-auth-docs | Ignored | Preview | Apr 28, 2026 0:39am |

vercel Bot commented Apr 28, 2026

@Zelys-DFKH is attempting to deploy a commit to the authjs Team on Vercel.

A member of the Team first needs to authorize it.

Labels

core Refers to `@auth/core`

Development

Successfully merging this pull request may close these issues.

JWT strategy does not support updateAge parameter