feat(middleware): introduce withAuth Next.js method (#3657)

* feat(middleware): introduce Middleware API to Next.js

* chore(app): upgrade Next.js in dev app

* chore(dev): add Middleware protected page to dev app

* chore(middleware): add `next/middleware` to `exports`

* fix(middleware): bail out redirect on custom pages

* fix(middleware): allow one-line export

* chore(middleware): simplify code

* fix(middleware): redirect back to page after succesful login

* feat(middleware): re-export `withAuth` as `default`

* chore: export middleware from `next-auth/middleware`

* chore: add `middleware` files to npm

* feat(middleware): handle chaining, fix some bugs

* chore(dev): showcase different middlewares

* chore(middleware): remove `@ts-expect-error` comments

* chore: update build clean script

* fix: bail out when NextAuth.js paths

* refactor: be more explicit about `initConfig` result

* refactor: simplify

* refactor: use `callbacks` similarily to `NextAuthOptions`

* refactor: use `nextauth` namespace when setting `token` on `req`

* refactor: don't allow passing `secret`

* addressing review

Author: balazsorban44

.gitignore

@@ -36,6 +36,8 @@ node_modules
 /index.d.ts
 /index.js
 /next
+/middleware.d.ts
+/middleware.js
 
 # Development app
 app/src/css

app/components/header.js

@@ -103,6 +103,11 @@ export default function Header() {
               <a>Email</a>
             </Link>
           </li>
+          <li className={styles.navItem}>
+            <Link href="/middleware-protected">
+              <a>Middleware protected</a>
+            </Link>
+          </li>
         </ul>
       </nav>
     </header>

app/package.json

@@ -22,7 +22,7 @@
     "@prisma/client": "^3.7.0",
     "fake-smtp-server": "^0.8.0",
     "faunadb": "^4.4.1",
-    "next": "^12.0.7",
+    "next": "^12.0.8",
     "nodemailer": "^6.7.2",
     "react": "^17.0.2",
     "react-dom": "^17.0.2"

app/pages/middleware-protected/_middleware.js

@@ -0,0 +1,44 @@
+export { default } from "next-auth/middleware"
+
+// Other ways to use this middleware
+
+// import withAuth from "next-auth/middleware"
+// import { withAuth } from "next-auth/middleware"
+
+// export function middleware(req, ev) {
+//   return withAuth(req)
+// }
+
+// export function middleware(req, ev) {
+//   return withAuth(req, ev)
+// }
+
+// export function middleware(req, ev) {
+//   return withAuth(req, {
+//     callbacks: {
+//       authorized: ({ token }) => !!token,
+//     },
+//   })
+// }
+
+// export default withAuth(function middleware(req, ev) {
+//   console.log(req.nextauth.token)
+// })
+
+// export default withAuth(
+//   function middleware(req, ev) {
+//     console.log(req, ev)
+//     return undefined // NOTE: `NextMiddleware` should allow returning `void`
+//   },
+//   {
+//     callbacks: {
+//       authorized: ({ token }) => token.name === "Balázs Orbán",
+//     }
+//   }
+// )
+
+// export default withAuth({
+//   callbacks: {
+//     authorized: ({ token }) => !!token,
+//   },
+// })

app/pages/middleware-protected/index.js

@@ -0,0 +1,9 @@
+import Layout from "components/layout"
+
+export default function Page() {
+  return (
+    <Layout>
+      <h1>Page protected by Middleware</h1>
+    </Layout>
+  )
+}

package.json

@@ -31,12 +31,13 @@
     "./react": "./react/index.js",
     "./core": "./core/index.js",
     "./next": "./next/index.js",
+    "./middleware": "./middleware.js",
     "./client/_utils": "./client/_utils.js",
     "./providers/*": "./providers/*.js"
   },
   "scripts": {
     "build": "npm run build:js && npm run build:css",
-    "clean": "rm -rf client css lib providers core jwt react next index.d.ts index.js adapters.d.ts",
+    "clean": "rm -rf client css lib providers core jwt react next index.d.ts index.js adapters.d.ts middleware.d.ts middleware.js",
     "build:js": "npm run clean && npm run generate-providers && tsc && babel --config-file ./config/babel.config.js src --out-dir . --extensions \".tsx,.ts,.js,.jsx\"",
     "build:css": "postcss --config config/postcss.config.js src/**/*.css --base src --dir . && node config/wrap-css.js",
     "dev:setup": "npm i && npm run generate-providers && npm run build:css && cd app && npm i",
@@ -61,7 +62,9 @@
     "core",
     "index.d.ts",
     "index.js",
-    "adapters.d.ts"
+    "adapters.d.ts",
+    "middleware.d.ts",
+    "middleware.js"
   ],
   "license": "ISC",
   "dependencies": {

src/jwt/index.ts

@@ -37,7 +37,7 @@ export async function decode(params: JWTDecodeParams): Promise<JWT | null> {
 
 export interface GetTokenParams<R extends boolean = false> {
   /** The request containing the JWT either in the cookies or in the `Authorization` header. */
-  req: NextApiRequest
+  req: NextApiRequest | Pick<NextApiRequest, "cookies" | "headers">
   /**
    * Use secure prefix for cookie name, unless URL in `NEXTAUTH_URL` is http://
    * or not set (e.g. development or test instance) case use unprefixed name

src/lib/parse-url.ts

@@ -11,6 +11,7 @@ export interface InternalUrl {
   toString: () => string
 }
 
+/** Returns an `URL` like object to make requests/redirects from server-side */
 export default function parseUrl(url?: string): InternalUrl {
   const defaultUrl = new URL("http://localhost:3000/api/auth")
 

src/middleware.ts

@@ -0,0 +1,2 @@
+export { default } from "./next/middleware"
+export * from "./next/middleware"

src/next/middleware.ts

@@ -0,0 +1,141 @@
+import type { NextMiddleware, NextFetchEvent } from "next/server"
+import type { Awaitable, NextAuthOptions } from ".."
+import type { JWT } from "../jwt"
+
+import { NextResponse, NextRequest } from "next/server"
+
+import { getToken } from "../jwt"
+import parseUrl from "../lib/parse-url"
+
+type AuthorizedCallback = (params: {
+  token: JWT | null
+  req: NextRequest
+}) => Awaitable<boolean>
+
+export interface NextAuthMiddlewareOptions {
+  /**
+   * Where to redirect the user in case of an error if they weren't logged in.
+   * Similar to `pages` in `NextAuth`.
+   *
+   * ---
+   * [Documentation](https://next-auth.js.org/configuration/pages)
+   */
+  pages?: NextAuthOptions["pages"]
+  callbacks?: {
+    /**
+     * Callback that receives the user's JWT payload
+     * and returns `true` to allow the user to continue.
+     *
+     * This is similar to the `signIn` callback in `NextAuthOptions`.
+     *
+     * If it returns `false`, the user is redirected to the sign-in page instead
+     *
+     * The default is to let the user continue if they have a valid JWT (basic authentication).
+     *
+     * How to restrict a page and all of it's subpages for admins-only:
+     * @example
+     *
+     * ```js
+     * // `pages/admin/_middleware.js`
+     * import { withAuth } from "next-auth/middleware"
+     *
+     * export default withAuth({
+     *   callbacks: {
+     *     authorized: ({ token }) => token?.user.isAdmin
+     *   }
+     * })
+     * ```
+     *
+     * ---
+     * [Documentation](https://next-auth.js.org/getting-started/nextjs/middleware#api) | [`signIn` callback](configuration/callbacks#sign-in-callback)
+     */
+    authorized?: AuthorizedCallback
+  }
+}
+
+async function handleMiddleware(
+  req: NextRequest,
+  options: NextAuthMiddlewareOptions | undefined,
+  onSuccess?: (token: JWT | null) => Promise<any>
+) {
+  const signInPage = options?.pages?.signIn ?? "/api/auth/signin"
+  const errorPage = options?.pages?.error ?? "/api/auth/error"
+  const basePath = parseUrl(process.env.NEXTAUTH_URL).path
+  // Avoid infinite redirect loop
+  if (
+    req.nextUrl.pathname.startsWith(basePath) ||
+    [signInPage, errorPage].includes(req.nextUrl.pathname)
+  ) {
+    return
+  }
+
+  if (!process.env.NEXTAUTH_SECRET) {
+    console.error(
+      `[next-auth][error][NO_SECRET]`,
+      `\nhttps://next-auth.js.org/errors#no_secret`
+    )
+
+    return {
+      redirect: NextResponse.redirect(`${errorPage}?error=Configuration`),
+    }
+  }
+
+  const token = await getToken({ req: req as any })
+
+  const isAuthorized =
+    (await options?.callbacks?.authorized?.({ req, token })) ?? !!token
+
+  // the user is authorized, let the middleware handle the rest
+  if (isAuthorized) return await onSuccess?.(token)
+
+  // the user is not logged in, re-direct to the sign-in page
+  return NextResponse.redirect(
+    `${signInPage}?${new URLSearchParams({ callbackUrl: req.url })}`
+  )
+}
+
+export type WithAuthArgs =
+  | [NextRequest]
+  | [NextRequest, NextFetchEvent]
+  | [NextRequest, NextAuthMiddlewareOptions]
+  | [NextMiddleware]
+  | [NextMiddleware, NextAuthMiddlewareOptions]
+  | [NextAuthMiddlewareOptions]
+
+/**
+ * Middleware that checks if the user is authenticated/authorized.
+ * If if they aren't, they will be redirected to the login page.
+ * Otherwise, continue.
+ *
+ * @example
+ *
+ * ```js
+ * // `pages/_middleware.js`
+ * export { default } from "next-auth/middleware"
+ * ```
+ *
+ * ---
+ * [Documentation](https://next-auth.js.org/getting-started/middleware)
+ */
+export function withAuth(...args: WithAuthArgs) {
+  if (args[0] instanceof NextRequest) {
+    // @ts-expect-error
+    return handleMiddleware(...args)
+  }
+
+  if (typeof args[0] === "function") {
+    const middleware = args[0]
+    const options = args[1] as NextAuthMiddlewareOptions | undefined
+    return async (...args: Parameters<NextMiddleware>) =>
+      await handleMiddleware(args[0], options, async (token) => {
+        ;(args[0] as any).nextauth = { token }
+        return await middleware(...args)
+      })
+  }
+
+  const options = args[0]
+  return async (...args: Parameters<NextMiddleware>) =>
+    await handleMiddleware(args[0], options)
+}
+
+export default withAuth