kinde-oss / kinde-remix-sdk


Bug: Inefficient Token Refreshing in Remix SDK #21

Open badeleux opened 1 month ago

badeleux commented 1 month ago

Prerequisites

Describe the issue

Currently, the Remix SDK refreshes tokens every time getKindeSession is called, which is suboptimal. This behavior occurs on every loader in most applications. In my application, I’m currently using version 1.0.4, where I’ve implemented a manual check for token expiration, which significantly improves performance:

```ts
// Imports added for completeness (assumed from the app; not part of the original snippet)
import { redirect, type LoaderFunctionArgs } from "@remix-run/node";
import { getKindeSession } from "@kinde-oss/kinde-remix-sdk";
import { createRemoteJWKSet, jwtVerify } from "jose";
import Cookies from "universal-cookie";

// App-level values assumed here: the login route and Kinde's JWKS endpoint
const ROUTE = { LOGIN: "/login" };
const JWKS = createRemoteJWKSet(new URL("/.well-known/jwks", process.env.KINDE_ISSUER_URL));

export async function loader({ request }: LoaderFunctionArgs) {
  const { getUser, refreshTokens } = await getKindeSession(request);
  const user = await getUser();
  const isAuth = !!user;
  const cookies = new Cookies(request.headers.get("Cookie"), { path: "/" });
  const accessToken = cookies.get("access_token");

  if (!isAuth || !accessToken) {
    throw redirect(ROUTE.LOGIN);
  }

  try {
    // Verify signature and expiry locally; only contact Kinde when this fails
    await jwtVerify(accessToken, JWKS);
  } catch (e) {
    console.info("Refreshing tokens", {
      method: request.method,
      url: request.url,
    });
    const headers = await refreshTokens();
    // Re-run the GET with the new Set-Cookie headers so the loader sees fresh tokens
    if (request.method === "GET" && headers) {
      throw redirect(request.url, { headers });
    }
  }

  return getUser();
}
```

This approach has greatly improved performance, as getKindeSession returns in 2ms in version 1.0.4. In contrast, in newer versions, the response time is around 150-400ms, which significantly slows down the application.

Library URL

https://github.com/kinde-oss/kinde-remix-sdk/pull/15/files#diff-dd05dd7ce8b0489ee22a87e9bdbe234f67084e35538a3b73bd66f8fd44be7d80R239

Library version

1.1.0

Operating system(s)

macOS

Operating system version(s)

15.0

Further environment details

No response

Reproducible test case URL

No response

Additional information

No response

jonhester commented 1 month ago

Ran into this issue too. I downgraded to 1.0.4. It was adding 300-400ms to every single remix loader I used getKindeSession in.

DanielRivers commented 1 month ago

Thank you for this and the further information, I'll look into this this week

alexmartinezm commented 3 weeks ago

Got this issue as well, cannot bypass with latest version 1.1.3

jmisur commented 3 days ago

I ran into this as well when investigating outgoing requests of my app. Each secured remix loader and action now goes to Kinde to refresh tokens on every request. You're slowing down the entire app significantly + DDOSing yourselves in the process. The tokens should be refreshed only when nearing their expiration date imo.
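One way to apply the "refresh only when nearing expiry" rule the thread asks for, as an added example that is neither the SDK's code nor any commenter's: read the token's `exp` claim and refresh only when it falls inside a leeway window. The helper names, the 60-second leeway and the unsigned sample token are constructed for illustration; signature verification stays with `jwtVerify()` as in the issue's snippet.

```javascript
// Added example (not from the SDK or the issue author): decide whether an
// access token needs refreshing from its `exp` claim instead of calling the
// refresh endpoint on every getKindeSession() call. This only schedules the
// refresh; authorization still relies on a verified signature (jwtVerify).

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  // base64url -> base64, then restore padding
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  try {
    return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
  } catch {
    return null; // malformed payload
  }
}

// True when the token is missing, malformed, already expired, or expires
// within `leewaySeconds` (refresh before requests start failing with 401).
// `nowSeconds` is injectable so the decision is testable.
function shouldRefresh(
  token,
  nowSeconds = Math.floor(Date.now() / 1000),
  leewaySeconds = 60 // assumed window; tune to the app's request latency
) {
  if (!token) return true;
  const payload = decodeJwtPayload(token);
  if (!payload || typeof payload.exp !== "number") return true; // unknown lifetime: treat as stale
  return payload.exp - nowSeconds <= leewaySeconds;
}

// Constructed, unsigned sample token (alg "none", empty signature) for illustration only
function makeUnsignedJwt(payload) {
  const enc = (obj) =>
    Buffer.from(JSON.stringify(obj)).toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.`;
}

const SAMPLE_EXP = 1700000000;
const sampleToken = makeUnsignedJwt({ sub: "user_123", exp: SAMPLE_EXP });

// Two minutes before expiry: no refresh; thirty seconds before: refresh.
console.log(shouldRefresh(sampleToken, SAMPLE_EXP - 120)); // false
console.log(shouldRefresh(sampleToken, SAMPLE_EXP - 30)); // true
```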