Add Native Re-authentication Support in @auth0/nextjs-auth0 for Session Expiry #1920

Open
5 tasks done
sdboer78 opened this issue Feb 16, 2025 · 0 comments

sdboer78 commented Feb 16, 2025

Checklist

  • I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

Currently, @auth0/nextjs-auth0 does not provide a built-in way to enforce re-authentication after a session has been active for a certain period. This is crucial for applications handling sensitive actions (e.g., viewing personal data, executing financial transactions, or changing security settings).

While Auth0 supports session expiration via max_age, developers must manually implement workarounds to check session freshness, redirect users, or enforce re-authentication using getAccessToken() with max_age. These implementations can be inconsistent, require extra boilerplate code, and introduce unnecessary complexity.

A native solution within the SDK would simplify secure session handling, ensuring that users are re-authenticated seamlessly after a set time limit without requiring custom logic in each project.

Describe the ideal solution

The ideal solution would be to provide a native way to enforce re-authentication within the @auth0/nextjs-auth0 SDK without requiring manual workarounds. This could be implemented in one of the following ways:

  1. Configuration-Based Approach
    Add a maxReauthAge setting in the SDK configuration to specify the maximum session age before requiring re-authentication.

    export default handleAuth({
      login: handleLogin({
        maxReauthAge: 1800, // Require re-authentication if session is older than 30 minutes
      }),
    });
  2. Enhance withPageAuthRequired()
    Allow an optional maxAge parameter in withPageAuthRequired() to enforce re-authentication on sensitive pages automatically.

    export default withPageAuthRequired(MySensitivePage, {
      maxAge: 1800, // Force login if the session is older than 30 minutes
    });
  3. Automatic Session Handling with getAccessToken()
    Modify getAccessToken() to automatically check session age and trigger re-authentication if needed, instead of requiring manual max_age checks.

    const { accessToken } = await getAccessToken(req, res, { enforceReauth: true });

Alternatives and current workarounds

Currently, developers must manually enforce re-authentication in Next.js with @auth0/nextjs-auth0, as there is no built-in feature for session expiration. Common workarounds include:

  1. Using max_age in login redirects – Manually checking session age and redirecting users to /api/auth/login?prompt=login&max_age=1800.
  2. Fetching tokens with getAccessToken() – Enforcing re-authentication in API calls by passing maxAge to ensure tokens are fresh.
  3. Middleware-based enforcement – Implementing custom Next.js middleware to validate session age before granting access to protected API routes.
  4. Auth0 Actions or Rules – Configuring custom logic in Auth0 to deny access if a session exceeds a defined threshold.

These solutions require extra boilerplate code and lack a unified approach, making session re-authentication cumbersome. A native solution in the SDK would simplify and standardize this process.
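The middleware-style workaround above, as an added example that is not part of the issue or of the SDK: a pure freshness check that compares the OIDC `auth_time` claim against a maximum age and, when stale, builds the `prompt=login&max_age=...` redirect. It assumes the session exposes the ID-token claims under `session.user`, that `auth_time` is present (Auth0 issues it when `max_age` was requested at login), and that the login handler lives at the SDK default `/api/auth/login`; all three are assumptions.

```javascript
// Added example (not from the issue or the SDK): a session-freshness gate of the
// kind the "middleware-based enforcement" workaround describes.
// Assumptions: the session object carries the ID-token claims, including the
// OIDC `auth_time` claim (seconds since epoch); the login route is the SDK
// default /api/auth/login. Neither is stated by the issue.

const LOGIN_ROUTE = "/api/auth/login"; // assumed SDK default login handler path

// Seconds since the user last actively authenticated, or null if unknown.
function sessionAgeSeconds(session, nowSeconds) {
  const authTime = session && session.user && session.user.auth_time;
  if (!Number.isInteger(authTime)) return null; // claim missing: treat as unknown
  return Math.max(0, nowSeconds - authTime);
}

// Build the step-up login URL: prompt=login forces credentials to be entered
// again, max_age makes Auth0 itself refuse an older authentication, and
// returnTo brings the user back to the sensitive page afterwards.
function buildReauthUrl(returnTo, maxAgeSeconds) {
  const params = new URLSearchParams({
    prompt: "login",
    max_age: String(maxAgeSeconds),
    returnTo,
  });
  return `${LOGIN_ROUTE}?${params.toString()}`;
}

// Decide whether a request to a sensitive path may proceed.
// Fails closed: no session or no auth_time both force re-authentication.
function checkSessionFreshness(session, path, maxAgeSeconds, nowSeconds) {
  const age = sessionAgeSeconds(session, nowSeconds);
  if (age === null || age > maxAgeSeconds) {
    return { ok: false, redirect: buildReauthUrl(path, maxAgeSeconds) };
  }
  return { ok: true, ageSeconds: age };
}

// Constructed sample session for a stand-alone run (not real Auth0 output).
const sampleSession = { user: { sub: "auth0|example", auth_time: 1700000000 } };

// Fresh session (10 minutes old) passes; the same session at 60 minutes is redirected.
console.log(checkSessionFreshness(sampleSession, "/settings/security", 1800, 1700000000 + 600));
console.log(checkSessionFreshness(sampleSession, "/settings/security", 1800, 1700000000 + 3600));
```

In a real middleware the result's `redirect` would be returned as a 302 to the login route, and `nowSeconds` would come from `Math.floor(Date.now() / 1000)`.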

Additional context

No response
