Great job on the template.

On refresh I noticed three issues:

1. Although it successfully returns a new access token, it doesn't persist the new access token in the session which can also cause the refresh backend endpoint to be called multiple times, generating a new access token each time.

May be related to this: Tokens rotation does not persist the new token

Potential fix: Handling session updates & Updating the session

2. The backend passes a field for expiresIn to determine the expiration of the access token. Why not just read the expiration directly from the jwt payload exp field?

Example in the jwt callback:

const jwtAccessPayload = JSON.parse(atob(access_token.split('.')[1]))
const AccessExpired = Date.now() >= jwtAccessPayload.exp * 1000
if (!AccessExpired) return token

If concerns about time difference, can also reduce jwt payload exp time given vs Date.now() by a few seconds

Can use the same logic to check refresh token expiration and that leads me to the third issue.

3. No handling of the Refresh Token expiration?

Several ways to handle:
Redirect to login and update the session with the new jwt access and refresh tokens upon success.
Redirect to login and upon success redirect to previous page user was accessing.
Redirect to logout - bad UX if user was in the middle of changing data requiring an unexpired access and refresh token.

Middleware could be a solution for some of the issues as well - example middleware