fix(auth-next-server): deduplicate concurrent token refresh calls to prevent invalid_grant

dom-murray · claude · dom-murray · commit ccecbe505c39 · 2026-04-23T14:00:47.000+10:00
OAuth refresh tokens are single-use. Without concurrency protection, parallel
requests hitting the same expired token each fire a separate refresh, causing
the second caller to receive a 400 invalid_grant and set RefreshTokenError on
the session. Promise deduplication ensures all concurrent callers share one
in-flight refresh per token.

Co-Authored-By: Claude Sonnet 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/packages/auth-next-server/src/refresh.ts b/packages/auth-next-server/src/refresh.ts
@@ -85,20 +85,16 @@ export function extractZkEvmFromIdToken(idToken?: string): ZkEvmData | undefined
   return undefined;
 }
 
-/**
- * Refresh access token using the refresh token.
- * This is called server-side in the JWT callback when the access token is expired.
- *
- * @param refreshToken - The refresh token to use
- * @param clientId - The OAuth client ID
- * @param authDomain - The authentication domain (default: https://auth.immutable.com)
- * @returns The refreshed tokens
- * @throws Error if refresh fails
- */
-export async function refreshAccessToken(
+// Deduplicates concurrent refresh calls for the same refresh token.
+// OAuth refresh tokens are single-use: if two requests arrive simultaneously
+// with the same expired token, only the first call reaches the provider.
+// Subsequent callers await the same promise and receive the same result.
+const refreshPromises = new Map<string, Promise<RefreshedTokens>>();
+
+async function doRefreshAccessToken(
   refreshToken: string,
   clientId: string,
-  authDomain: string = DEFAULT_AUTH_DOMAIN,
+  authDomain: string,
 ): Promise<RefreshedTokens> {
   const tokenUrl = `${authDomain}/oauth/token`;
 
@@ -141,3 +137,29 @@ export async function refreshAccessToken(
     accessTokenExpires: decodeJwtExpiry(tokenData.access_token),
   };
 }
+
+/**
+ * Refresh access token using the refresh token.
+ * This is called server-side in the JWT callback when the access token is expired.
+ *
+ * @param refreshToken - The refresh token to use
+ * @param clientId - The OAuth client ID
+ * @param authDomain - The authentication domain (default: https://auth.immutable.com)
+ * @returns The refreshed tokens
+ * @throws Error if refresh fails
+ */
+export async function refreshAccessToken(
+  refreshToken: string,
+  clientId: string,
+  authDomain: string = DEFAULT_AUTH_DOMAIN,
+): Promise<RefreshedTokens> {
+  const cacheKey = `${clientId}:${refreshToken}`;
+  const inflight = refreshPromises.get(cacheKey);
+  if (inflight) return inflight;
+
+  const promise = doRefreshAccessToken(refreshToken, clientId, authDomain).finally(() => {
+    refreshPromises.delete(cacheKey);
+  });
+  refreshPromises.set(cacheKey, promise);
+  return promise;
+}
