Rolling session race condition #2335

@bartoszjuja

Description

On my site with dozens of components I noticed that sometimes when a user tries to log out, the user is redirected through the logout process, but finally is still logged in. This seemed to happen mostly when trying to log out while parts of the site are still loading.

I analyzed this in the browser network tab and noticed that the reason is requests that are still in-flight while the user presses the logout button.
While the /auth/logout request correctly clears the session cookies, the in-flight requests sometimes get responses after /auth/logout and set the session back to active.

Timeline: (image)

A workaround for me was to use the auth0/nextjs-auth0 middleware only on /auth paths, contrary to what is recommended in the documentation:

  if (path.startsWith("/auth/")) { // added this condition
    const authResponse = await auth0.middleware(request);
    // other auth code
  }
  // other site specific middleware

Obviously, this prevents rolling sessions from working.

Reproduction

Logging out while there are ongoing requests.

Additional context

No response

nextjs-auth0 version

4.9.0

Next.js version

15.5.2

Node.js version

20.19.2
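
Added example, not part of the original issue and not nextjs-auth0 code: a small model of the race described in the report, assuming a stateless cookie session where the browser attaches cookies at send time and applies `Set-Cookie` at response arrival. The cookie name, paths and timings are constructed for illustration.

```javascript
// Constructed model of the timeline in the issue; names and timings are
// hypothetical, and this is not nextjs-auth0 code.
const SESSION = "__session"; // assumed cookie name for the model

// Server side: which Set-Cookie (if any) a response carries.
// `sent` is the cookie value the browser attached when the request was sent.
function respond(path, sent, authOnAllPaths) {
  if (path === "/auth/logout") return { clear: true };
  const middlewareRuns = authOnAllPaths || path.startsWith("/auth/");
  // Rolling session: a request that arrived with a valid cookie gets it re-issued.
  if (middlewareRuns && sent) return { set: sent + "+rolled" };
  return {};
}

// Browser side: cookies are attached at send time, Set-Cookie is applied at
// response-arrival time. The gap between the two is the race window.
function simulate(requests, authOnAllPaths) {
  const jar = { [SESSION]: "s1" }; // user starts logged in
  const events = [];
  for (const r of requests) {
    events.push({ t: r.sentAt, kind: "send", r });
    events.push({ t: r.doneAt, kind: "recv", r });
  }
  events.sort((a, b) => a.t - b.t);
  const inFlight = new Map();
  const log = [];
  for (const e of events) {
    if (e.kind === "send") {
      inFlight.set(e.r, jar[SESSION]); // snapshot of the cookie sent with the request
      continue;
    }
    const res = respond(e.r.path, inFlight.get(e.r), authOnAllPaths);
    if (res.clear) delete jar[SESSION];
    if (res.set) jar[SESSION] = res.set;
    log.push(`${e.t}ms ${e.r.path} -> ${jar[SESSION] ? "logged in" : "logged out"}`);
  }
  return { loggedIn: SESSION in jar, log };
}

// Constructed timeline: a component fetch is still in flight when logout is clicked.
const timeline = [
  { path: "/api/widgets", sentAt: 0, doneAt: 300 },
  { path: "/auth/logout", sentAt: 100, doneAt: 200 },
];
console.log(simulate(timeline, true).log);  // middleware on every path
console.log(simulate(timeline, false).log); // middleware only on /auth/ (the workaround)
```

With the middleware on every path, the late `/api/widgets` response re-issues the cookie it was sent with and the logout is undone; restricting it to `/auth/` keeps the logout but never rolls the session.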
