elie222 · edulelis · Aug 1, 2025 · Aug 1, 2025
diff --git a/apps/web/utils/auth.ts b/apps/web/utils/auth.ts
@@ -215,81 +215,99 @@ export const getAuthOptions: () => NextAuthConfig = () => ({
     jwt: async ({ token, user, account }): Promise<JWT> => {
       logger.info("JWT", { token, user, account });
 
-      if (account) {
-        token.provider = account.provider;
-      }
-
-      // Temporary bypass for testing
-      if (account?.access_token && account.provider === "microsoft-entra-id") {
-        // These fields shouldn't be in the JWT because the cookie will be too large
-        // They are stored in the database instead
-        token.picture = undefined;
-        token.user = undefined;
-        return token;
-      }
-      // Signing in
-      // on first sign in `account` and `user` are defined, thereafter only `token` is defined
-      if (account && user && account.provider === "google") {
-        // Google sends us `refresh_token` only on first sign in so we need to save it to the database then
-        // On future log ins, we retrieve the `refresh_token` from the database
-        if (account.refresh_token) {
-          logger.info("Saving refresh token", { email: token.email });
-
-          await saveTokens({
-            tokens: {
-              access_token: account.access_token,
-              refresh_token: account.refresh_token,
-              expires_at: calculateExpiresAt(
-                account.expires_in as number | undefined,
-              ),
-            },
-            accountRefreshToken: account.refresh_token,
-            providerAccountId: account.providerAccountId,
-            provider: account.provider,
+      if (token.provider === "microsoft-entra-id") {
+        if (token.exp && Date.now() < (token.exp as number) * 1000) {
+          // These fields shouldn't be in the JWT because the cookie will be too large
+          // They are stored in the database instead
+          token.picture = undefined;
+          token.user = undefined;
+          return token;
+        } else {
+          logger.info("Token expired at", {
+            email: token.email,
+            expiresAt: token.expires_at
+              ? new Date((token.expires_at as number) * 1000).toISOString()
+              : "not set",
+          });
+          const refreshedToken = await refreshAccessToken(token);
+          logger.info("Refresh attempt completed", {
+            email: token.email,
+            newExpiration: refreshedToken.expires_at
+              ? new Date(refreshedToken.expires_at * 1000).toISOString()
+              : "undefined",
           });
+          refreshedToken.picture = undefined;
+          refreshedToken.user = undefined;
+          return refreshedToken;
+        }
+      } else if (token.provider === "google") {
+        // Signing in
+        // on first sign in `account` and `user` are defined, thereafter only `token` is defined
+        if (account && user) {
+          // Google sends us `refresh_token` only on first sign in so we need to save it to the database then
+          // On future log ins, we retrieve the `refresh_token` from the database
+          if (account.refresh_token) {
+            logger.info("Saving refresh token", { email: token.email });
+
+            await saveTokens({
+              tokens: {
+                access_token: account.access_token,
+                refresh_token: account.refresh_token,
+                expires_at: calculateExpiresAt(
+                  account.expires_in as number | undefined,
+                ),
+              },
+              accountRefreshToken: account.refresh_token,
+              providerAccountId: account.providerAccountId,
+              provider: account.provider,
+            });
 
-          token.refresh_token = account.refresh_token;
-        } else {
-          const dbAccount = await prisma.account.findUnique({
-            where: {
-              provider_providerAccountId: {
-                providerAccountId: account.providerAccountId,
-                provider: account.provider,
+            token.refresh_token = account.refresh_token;
+          } else {
+            const dbAccount = await prisma.account.findUnique({
+              where: {
+                provider_providerAccountId: {
+                  providerAccountId: account.providerAccountId,
+                  provider: account.provider,
+                },
               },
-            },
-            select: { refresh_token: true },
-          });
-          token.refresh_token = dbAccount?.refresh_token ?? undefined;
+              select: { refresh_token: true },
+            });
+            token.refresh_token = dbAccount?.refresh_token ?? undefined;
+          }
+
+          token.provider = account.provider;
+          token.access_token = account.access_token;
+          token.refresh_token = account.refresh_token;
+          token.expires_at = account.expires_at;
+          token.user = user;
+          return token;
         }
 
-        token.provider = account.provider;
-        token.access_token = account.access_token;
-        token.refresh_token = account.refresh_token;
-        token.expires_at = account.expires_at;
-        return token;
-      }
+        if (
+          token.expires_at &&
+          Date.now() < (token.expires_at as number) * 1000
+        ) {
+          return token;
+        }
 
-      if (
-        token.expires_at &&
-        Date.now() < (token.expires_at as number) * 1000
-      ) {
-        return token;
+        logger.info("Token expired at", {
+          email: token.email,
+          expiresAt: token.expires_at
+            ? new Date((token.expires_at as number) * 1000).toISOString()
+            : "not set",
+        });
+        const refreshedToken = await refreshAccessToken(token);
+        logger.info("Refresh attempt completed", {
+          email: token.email,
+          newExpiration: refreshedToken.expires_at
+            ? new Date(refreshedToken.expires_at * 1000).toISOString()
+            : "undefined",
+        });
+        return refreshedToken;
       }
 
-      logger.info("Token expired at", {
-        email: token.email,
-        expiresAt: token.expires_at
-          ? new Date((token.expires_at as number) * 1000).toISOString()
-          : "not set",
-      });
-      const refreshedToken = await refreshAccessToken(token);
-      logger.info("Refresh attempt completed", {
-        email: token.email,
-        newExpiration: refreshedToken.expires_at
-          ? new Date(refreshedToken.expires_at * 1000).toISOString()
-          : "undefined",
-      });
-      return refreshedToken;
+      return token;
     },
     session: async ({ session, token }: { session: Session; token: JWT }) => {
       session.user = {