-
Yes, middleware is our cleanest solution for protecting API routes and pages!
-
If I'm understanding this page correctly, this only works when using JWTs, correct? Is there an elegant solution to locking down an entire app using middleware when using the database strategy? If not, what is the current recommended way of doing so when using
-
Providing a middleware strategy for database adapters would be great. Stuck on this at the moment.
-
Hi, I am trying to use middleware to protect every possible route. Is there one line of code using matcher to protect any route? Thanks.
but what shows up is an infinite loop URL with the error message: "localhost redirected you too many times."
-
Hello everybody,
-
Is this also meant to cover page and API urls in the new Next JS v14? Is there a debugging option that proves that the middleware is in fact being called, and with what options and what results? My middleware consists only of the single line:
The pages are not automatically protected. In each page I have to
The API is not automatically protected. In each API method I have to:
So I have to manually check in every single page and every single API. This feels wrong, surely the middleware is meant to handle this before the page / API is even hit? I have got everything wrapped in a SessionProvider in the RootLayout ~/layout.tsx:
And I have ~/app/api/auth/[...nextauth] setup correctly with:
I'm using the Prisma adapter and the AzureAD provider. In both the page and the API, session is returning the correct object when logged in and null when logged out. And the auth tables have profile info, tokens etc. added. So the auth is working - it's just not doing the automatic protection. It only works manually. This is running locally, with Node v20.11, Next v14.0.3, NextAuth v4.24.5
-
I am having the same problem as @oscarcoding. The documentation is really bad for this. I literally copy/paste examples and they do not work. I am on next-auth/v4, Next v14, Node v19. I want to expand the default middleware (particularly in API routes), extract the JWT, and perform certain actions.
-
I also don't understand how to protect API routes with the middleware. It kinda works, but returns an HTML response as it redirects to the login page, so react-query cannot parse such a response. I want to force a 401 error instead of a redirect when it's an API route request. I am still on the pages router on Next v13 and Next-auth v4.
-
Question 💬
For context, I'm using Google Auth, and
export { default } from "next-auth/middleware"
to secure pages / APIs. Whenever a user navigates to any pages or calls an API (from browsers or third-party programs like Postman) in an unauthenticated state, a sign-in page is returned. This is as expected.
Traditionally, I always do both client-side and server-side check-in authentication flow. For example:
With the middleware, is it safe to assume I can completely ignore the traditional approach, and make NextAuth.js middleware a safe one-size-fits-all solution? This is under the assumption that there are no vulnerabilities.
I usually use Firebase, which requires more manual configurations and is sometimes quite troublesome (both SSR and CSR). It would be great if NextAuth.js can alleviate everything with a few lines of code.
Example images of Postman and curl are below.


How to reproduce ☕️
N/A
Contributing 🙌🏽
No, I am afraid I cannot help regarding this
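
Added example, not part of this thread and not NextAuth.js code: the per-request decision an auth middleware has to make for the cases raised above (no redirect loop on the sign-in page, a 401 instead of an HTML redirect for API calls). The sign-in path `/login`, the public prefixes and the names `isPublic` and `decide` are assumptions; `hasSession` stands for whatever session check the app uses.

```javascript
// Constructed for illustration; paths and names are assumptions, not NextAuth.js API.
const SIGN_IN_PAGE = "/login"; // hypothetical custom sign-in page
const PUBLIC_PREFIXES = ["/api/auth", "/_next", "/favicon.ico"];

// Paths that must never be gated. Gating the sign-in page or the auth
// endpoints themselves is what produces "redirected you too many times".
function isPublic(pathname) {
  if (pathname === SIGN_IN_PAGE) return true;
  // Match on a path-segment boundary so "/api/authx" is not treated as public.
  return PUBLIC_PREFIXES.some(
    (p) => pathname === p || pathname.startsWith(p + "/")
  );
}

// Returns what the middleware should do for one request.
function decide(url, hasSession) {
  const { pathname, search } = new URL(url, "http://localhost");
  if (isPublic(pathname) || hasSession) return { action: "next" };

  // API clients (fetch, react-query, Postman) need a status code they can
  // act on, not a 3xx to an HTML sign-in page.
  if (pathname === "/api" || pathname.startsWith("/api/")) {
    return { action: "respond", status: 401, body: { error: "unauthenticated" } };
  }

  // Only path + query go into callbackUrl, never a host, so the sign-in
  // flow cannot be steered to another origin after login.
  const callbackUrl = encodeURIComponent(pathname + search);
  return { action: "redirect", location: `${SIGN_IN_PAGE}?callbackUrl=${callbackUrl}` };
}
```

A middleware check like this only gates the request at the edge; authorization decisions (which user may read which record) still belong in the page or API handler.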