fix(react): drop cached JWT when sessionId rotates

[ramonclaudio]

cachedToken in ConvexBetterAuthProvider doesn't get cleared when the session id changes (only on logout). So right after a session rotation (password change), the next call to fetchAccessToken({ forceRefreshToken: false }) hands back the JWT for the now-deleted session.

This PR backs cachedToken with a ref so the fetcher reads the current value instead of the one captured at the last render. The rotation check runs inline in the fetcher and clears the ref when sessionId changes. A promise-identity guard in .then/.catch/.finally keeps a late-resolving stale token() fetch from overwriting a fresh value.

Unit test repro: 6/9 fail on v0.12.2, all pass with this fix.

Worth flagging: this doesn't close the visible Invalid session ID flicker on changePassword({ revokeOtherSessions: true }). Tested end-to-end on repros with real credentials (Expo test repro, TanStack test repro) but the patched build behaves the same as vanilla on that flow. Looks like an upstream Convex issue, same shape as convex-js#82 but I am honestly not 100% sure. better-auth#9345 is the upstream complement on the Better Auth side that would preserve the caller's session on change-password instead of rotating it.

[vercel]

@ramonclaudio is attempting to deploy a commit to the Convex Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

The hook useUseAuthFromBetterAuth mirrors cachedToken into cachedTokenRef via a setCachedToken helper so fetchAccessToken reads the latest token. It clears the cached JWT when the Better Auth session disappears and adds lastSessionIdRef plus an effect that, on sessionId rotation, clears cachedToken and nulls pendingTokenRef.current to drop in-flight fetches tied to the old session. fetchAccessToken now prefers cachedTokenRef, reuses in-flight promises, and only updates the cache when the resolved promise is still the active one.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant useUseAuthFromBetterAuth
  participant fetchAccessToken
  participant TokenEndpoint
  Client->>useUseAuthFromBetterAuth: needs authenticated request
  useUseAuthFromBetterAuth->>fetchAccessToken: fetchAccessToken()
  fetchAccessToken->>useUseAuthFromBetterAuth: read cachedTokenRef.current
  alt cached token valid
    fetchAccessToken->>Client: return cached token
  else no valid token
    fetchAccessToken->>useUseAuthFromBetterAuth: set pendingTokenRef
    fetchAccessToken->>TokenEndpoint: request new JWT
    TokenEndpoint-->>fetchAccessToken: JWT response
    fetchAccessToken->>useUseAuthFromBetterAuth: setCachedToken(JWT)
    useUseAuthFromBetterAuth->>Client: return JWT
  end

Loading

Possibly related issues

• ConvexBetterAuthProvider clears cachedToken on transient session-fetch failures + force-refresh race #353: Matches the cache-ref and pendingTokenRef cancelation behavior described for sessionId rotation.

Possibly related PRs

• get-convex/better-auth#218: Modifies token caching and pending token handling in src/react/index.tsx, related to the same auth-token control path.
• get-convex/better-auth#223: Adjusts cachedToken initialization/SSR semantics in the same hook and token cache area.
• get-convex/better-auth#267: Adds pendingTokenRef dedupe logic; this PR clears that pending token on session rotation.

Suggested reviewers

• erquhart
• devstojko

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main fix: clearing the cached JWT when sessionId rotates.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The pull request description accurately describes the cacheing bug and the ref-based solution with promise guards, matching the changeset's session-rotation handling.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/react/index.tsx`:
- Around line 140-154: The effect drops the pendingTokenRef pointer but doesn't
prevent an already-started fetchAccessToken promise from later calling
setCachedToken and restoring a stale JWT; change the
fetchAccessToken/pendingTokenRef flow so each token request carries a unique
request id or the promise object and, before calling setCachedToken(token),
verify that pendingTokenRef.current still matches that id/promise (or that a
monotonic tokenRequestVersion equals the version captured at start). Also, when
the session rotates in the useEffect (where lastSessionIdRef and pendingTokenRef
are handled), increment/clear that version or set pendingTokenRef to a sentinel
so any in-flight .then handlers will detect the mismatch and abort calling
setCachedToken; update places that assign/clear pendingTokenRef and the
.then/.catch handlers in fetchAccessToken to perform this guard.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: get-convex/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: abee74a9-72d1-4c6d-9c8e-a05779a27311

📥 Commits

Reviewing files that changed from the base of the PR and between 50dea0d and 1b21b5a.

📒 Files selected for processing (1)

• src/react/index.tsx

[ramonclaudio]

Hey @erquhart, sorry for the multiple pings here.

Just did a bunch of testing so I could provide useful repros. The unit tests show this fix works at the React layer (6/9 fail without it, all pass with it). But the Expo and TanStack real-app repros show the user-visible Invalid session ID flicker on changePassword is the same with or without this PR. So this PR alone doesn't close the visible window. It might actually be an upstream Convex issue (convex-js#82), I'm not really sure here.

Curious for your read on the upstream side (better-auth#9345). I opened this PR in Better Auth a few weeks ago after closing this one initially. Is preserving the caller's session on change-password the right call, or is the rotation actually the right behavior and users should just ignore the flicker?

If neither direction feels right, happy to close this and #9345. Don't want to pile on review work.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@convex-dev/better-auth@329

commit: 37bdd4b