Issue with Updating Access Token in Custom Middleware

[danieljcksn]

Hello AdonisJS community,

I'm facing an issue in AdonisJS (version 6) while working on a custom authentication middleware. The problem occurs when refreshing an expired access token. Even after a successful token refresh and updating ctx.request.headers().authorization, the middleware appears to re-execute and continues using the old, expired token. I understand that ctx.request.headers() seems to be read-only, which adds complexity to directly updating the headers.

The Problem

When an access token expires, the middleware refreshes it and attempts to update ctx.request.headers().authorization, which is always set as Bearer ${accessToken}. However, what does not persist between the initial request (before the token refresh) and subsequent requests is the cookies set during the refresh process. This causes the middleware to re-execute and continue using the old, expired token, leading to failed authentication.

Middleware Code

import type { HttpContext } from '@adonisjs/core/http';
import type { NextFn } from '@adonisjs/core/types/http';
import RefreshAccessTokenController from '#controllers/auth/refresh_access_token_controller';

const refreshController = new RefreshAccessTokenController();

export default class AuthMiddleware {
  async handle(ctx: HttpContext, next: NextFn) {
    const accessToken = ctx.request.cookie('access_token');
    const refreshToken = ctx.request.cookie('refresh_token');
    const userId = ctx.request.cookie('user_id');

    // Attempt to set the initial authorization header
    ctx.request.headers().authorization = `Bearer ${accessToken}`;

    try {
      await ctx.auth.authenticate();
      return next();
    } catch (err) {
      console.log("Invalid auth token, attempting to refresh...");

      if (!userId || !refreshToken || !accessToken) {
        console.log("Required cookies missing.");
        return ctx.response.unauthorized();
      }

      try {
        // Refresh the tokens
        const newTokens = await refreshController.handle(refreshToken, accessToken, userId);
        if (!newTokens.success) {
          console.log("Token refresh failed.");
          return ctx.response.unauthorized();
        }

        // Set the new tokens in the response cookies
        ctx.response.cookie('access_token', newTokens.accessToken, {
          httpOnly: true,
          maxAge: '15s',
          secure: true,
        });
        ctx.response.cookie('refresh_token', newTokens.refreshToken, {
          httpOnly: true,
          maxAge: '15d',
          secure: true,
        });

        console.log('✅ Tokens successfully refreshed.');

        // Attempt to update the authorization header (but this seems ineffective)
        ctx.request.headers().authorization = `Bearer ${newTokens.accessToken}`;

        return next();
      } catch (refreshError) {
        console.log("Failed to refresh tokens, clearing cookies.");
        ctx.response.clearCookie('access_token');
        ctx.response.clearCookie('refresh_token');
        ctx.response.clearCookie('user_id');
        return ctx.response.unauthorized();
      }
    }
  }
}

Refresh Token Controller

import RefreshToken from '#models/refresh_token';
import User from '#models/user';
import { DateTime } from 'luxon';
import { v4 as uuid } from 'uuid';

export default class RefreshAccessTokenController {
  private refreshTokenPayload = {
    expiresAt: DateTime.now().plus({ days: 15 }),
    token: uuid(),
  };

  async handle(refreshTokenIdentifier: string, _expiredAccessToken: string, userId: string) {
    const refreshTokenModel = await RefreshToken.query()
      .where('token', refreshTokenIdentifier)
      .where('user_id', userId)
      .firstOrFail();

    const user = await User.findOrFail(userId);

    if (refreshTokenModel.isUsed) {
      await RefreshToken.query().where('user_id', userId).update({ is_revoked: true });
      return { message: 'Invalid refresh token. All tokens revoked.', success: false };
    }

    const accessToken = await User.accessTokens.create(user);
    refreshTokenModel.isUsed = true;
    await refreshTokenModel.save();

    const newRefreshToken = await RefreshToken.create({ ...this.refreshTokenPayload, userId });

    return {
      accessToken: accessToken.value!.release(),
      refreshToken: newRefreshToken.token,
      success: true,
    };
  }
}

My Question

Given that ctx.request.headers() is read-only and cannot be effectively updated to reflect the new token, how can I ensure that the updated ctx.request.headers().authorization is recognized and used throughout the current request lifecycle? Is there a recommended approach to handle this scenario so that subsequent middleware or route handlers acknowledge the new token?

I appreciate any guidance or suggestions from the community. Thank you for your help!

---

Environment Details

• AdonisJS Version: 6.2
• Node.js Version: v20.17.0
• TypeScript: Yes

[timneedham]

Great question @danieljcksn.
I've hit this too, have you had any success at all?
If not, can anyone else please assist?