Redirect in middleware when request is a server action fails with "failed to forward action response"

[ehis]

Running: NextJS v14.2.3
Node: v20.5.1

Here's the permalink to the console.error in the action-handler.

Stack Trace on Vercel

failed to forward action response TypeError: fetch failed
    at Object.fetch (node:internal/deps/undici/undici:11731:11)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async r_ (/var/task/node_modules/.pnpm/[email protected]_@[email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/app-page.runtime.prod.js:15:4134)
    at async rP (/var/task/node_modules/.pnpm/[email protected]_@[email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/app-page.runtime.prod.js:15:7924)
    at async r5 (/var/task/node_modules/.pnpm/[email protected]_@[email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/app-page.runtime.prod.js:18:1139)
    at async es (/var/task/node_modules/.pnpm/[email protected]_@[email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/server.runtime.prod.js:16:26320)
    at async ei.responseCache.get.routeKind (/var/task/node_modules/.pnpm/[email protected]_@[email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/server.runtime.prod.js:17:1026)
    at async r3.renderToResponseWithComponentsImpl (/var/task/node_modules/.pnpm/[email protected]_@[email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/server.runtime.prod.js:17:508)
    at async r3.renderPageComponent (/var/task/node_modules/.pnpm/[email protected]_@[email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/server.runtime.prod.js:17:5028)
    at async r3.renderToResponseImpl (/var/task/node_modules/.pnpm/[email protected]_@[email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/server.runtime.prod.js:17:5615) {
  cause: Error
      at makeNetworkError (node:internal/deps/undici/undici:5002:35)
      at httpRedirectFetch (node:internal/deps/undici/undici:9994:16)
      at httpFetch (node:internal/deps/undici/undici:9954:28)
      at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
      at async schemeFetch (node:internal/deps/undici/undici:9854:18)
      at async node:internal/deps/undici/undici:9727:20
      at async mainFetch (node:internal/deps/undici/undici:9717:20)
}

[ehis]

hi @ztanner In our application, createForwardedActionResponse fetch request is failing when the middleware intercepts a server action request and based on some application logic (eg. invalid session) redirects the user to another page.

#64227

Example of condition and redirect in middleware.

const isMember = false

if (!isMember) {
   return NextResponse.redirect(new URL('/plans', request.url));
}

Hoping we can get a patch soon!

[ztanner]

Hi @ehis, thank you for the report! This should be fixed by #65097 which is available in v14.3.0-canary.27. Let me know if you're still seeing this behavior on/after this version.

[ehis]

@ztanner Thanks for the callout on getIsServerAction and only using to demonstrate behavior - not going to use in production code.

Correct, as presumed the end goal is for the middleware to intercept any server action triggered on /buy (including the forwarded action) and force redirect to the /plans page.

A practical use case for this flow could be the middleware intercepting an action and redirecting to the /login page because of an expired JWT.

If there's another recommended NextJS approach to doing the equivalent would love any suggestions 🙏🏾

[ztanner]

Hey @ehis --

I see, that makes sense! For the use-case you shared, some ideas/recommendations:

• Ensure your server action is performing the hard auth check, rather than solely relying on middleware (ex).
• If the user isn't logged in, your server action could trigger a redirect to the plans page, eg:

export const purchaseMe = async () => {
  const isLoggedIn = await verifyAuth()

  if (!isLoggedIn) {
    redirect('/plans')
  }

  return {
    foo: 'bar',
  }
}

• If you wanted to generalize this behavior, you could abstract it into a helper that's used on your non-public actions. e.g., await redirectIfUnauthorized())

[ehis]

@ztanner I see! If we perform the hard auth check in our server actions could we then exclude them from the middleware?

eg.

export const config = {
  matcher: [
    /*
     * Match all request paths except for the ones starting with:
     * - api (API routes)
     * - _next/static (static files)
     * - _next/image (image optimization files)
     * - favicon.ico (favicon file)
     */
    {
      source:
        '/((?!api|_next/static|_next/image|media|fonts|favicon.ico|favicon.png).*)',
      missing: [
        // Exclude Server Actions
        { type: 'header', key: 'next-action' },
      ],
    },
  ],
};

[ztanner]

@ehis, yep, no need to handle in middleware! You can think of it similar to an API route where you'd have the auth check at the top of the request handler.

[ehis]

thanks so much @ztanner and really appreciate the response to the help discussion!!

[EnzoPV25]

hey, I had a similar issue, and I could solve it by adding the missing field. However I don't really understand why excluding server actions does the trick, and even more, how is this line excluding server actions ?

My use case was an auth process with jwt token and refresh token, that would redirect to login when the session was expired

[harsha-at-magicshake]

@Enzo-PVsyst Same in my case.
My use case is something like this:

middleware.ts

const testAuth = await isAuthenticated();
  console.log(testAuth, "in middleware");

  if (testAuth) {
    return NextResponse.next();
  } else {
    return NextResponse.redirect(new URL("/login", request.url));
  }
 }
// matcher config that excludes login and some other essentials

login/page.tsx

"use client";

import { useRouter } from "next/navigation";
import { makeAPICall } from "../utils";

export default function Home() {
  const router = useRouter();

  const handleSet = async (value: number) => {
    await makeAPICall(value); // added this implementation at the end. (utils.ts)
    // redirect("/v4") // commented because it's throwing NEXT_REDIRECT error.
    router.replace("/v4");
  };

  return (
    <main className="space-x-4">
      <button onClick={async () => await handleSet(1)}>Set Cookie</button>
    </main>
  );
}

v4/page.tsx

"use client";

import { useRouter } from "next/navigation";
import { makeAPICall, onSubmit } from "../utils";
import clearCachesByServerAction from "@/customCacheClear";

export default function Home() {
  const router = useRouter();

  const handleSet = async (value: number) => {
    await makeAPICall(value);
    clearCachesByServerAction("/");
    if (value == -1) {
      router.replace("/login");
    }
  };

  return (
    <main className="space-x-4">
      <button onClick={async () => await handleSet(-1)}>Logout</button>
      <button onClick={async () => await handleSet(0)}>Get Cookie</button>
      <button onClick={async () => await handleSet(1)}>Set Cookie</button>
      <button onClick={async () => await handleSet(2)}>Refresh Cookie</button>
    </main>
  );
}

utils.ts

"use server"

export const isAuthenticated = async () => {
  const value = await getCookie();
  if (value) {
    return true;
  } else {
    return false;
  }
};

export const setCookie = async () => {
  cookies().set("client", "settingCookie");
};

export const deleteCookie = async () => {
  cookies().delete("client");
};

export const setNewCookie = async () => {
  cookies().set("client", "settingNewCookie");
};

export const getCookie = async () => {
  const value = cookies().get("client");
  console.log(value?.value ?? "Not found!");
  return value?.value;
};

clearCacheByServerAction.ts

"use server"
import { revalidatePath } from "next/cache"

const clearCachesByServerAction = async (path: any) => {
try {
  if (path) {revalidatePath(path)} 
else {
  revalidatePath("/")
  revalidatePath("/[lang]")
}
} catch (error) {
  console.error("clearCachesByServerAction=> ", error)
}
}
export default clearCachesByServerAction

Use case:

When I click on logout, the cookies gets deleted, but still, apparently, in the middleware, the log shows
true -> which states user is authenticated

The intended action was to navigate to /login which wouldn't happen without putting clearCacheByServerAction
As per my understanding, when I clear cache, the middleware is hit again, then it shows false, hence it gets redirected.
In this scenario, I am getting the error.

Now my queries are:
Is it okay to get it?
Is it intended?
Can I go ahead to production without handling it?
Why redirect("/") getting NEXT_REDIRECT error?
Can I include checking the token validity logic in middleware.ts and handle refresh token there? Or is it heavy to do so?
Assuming makeApiCall is a helper which calls all my routes, from all the screens, can I use it to intercept the responses, (I handled the token expiry with custom code) so that I can check it and do another API call to refresh token, set new cookies, then perform the actual api call?

@ztanner

Apologies in advance if the queries seem to be silly, since I did not find any proper resource for handling the cookies from route.ts, middleware.ts etc.

[Daniel-Ash]

Hey @ztanner - so to confirm, are you saying that you can't use middleware for auth redirects when using server actions? It would be great if this was supported, or added to the middleware docs as a limitation as it can lead to bugs that are tricky to pin down!

[VivekGupta137]

I came across to this problem as well, IMO, having the redirects at middleware level made more sense, instead of duplicating same logic in more than one place ( one at middle ware and others at each server action ).
I feel that if I made the middleware that captures all the requests for a particular page ( including all the server actions calls ), and that route is only for authenticated users, then it makes less sense to have separate duplicate logic in each of the server actions for that page.

My dependencies:
"dependencies": {
"react": "^18",
"react-dom": "^18",
"next": "14.2.14"
}

in the middleware.ts file:
`import { NextResponse } from "next/server";
import type { NextRequest } from "next/server";

export function middleware(request: NextRequest) {
const token = request.cookies.get('access_token');

const isAuthenticated = !token? false : true;
if (!isAuthenticated) {
    const response = NextResponse.redirect(new URL('/?error=not-authenticated', request.url));

    return response;
}
return NextResponse.next();

}

export const config = {
matcher:[ "/gqlclientcheck/:path*", "/gqlservercheck/:path*"],
};`

[ollebergkvist]

@ztanner

We're in October now, and the docs are still not updated, it should clearly reflect this conflict between server actions and running auth in middleware. Would probably save other devs from running into this.. 🙏

Thanks to finding this closed thread we were able to solve a major headache in our auth flow.

We disabled middleware for server actions by checking this condition in our conditional statement:
const isServerAction = request.headers.get('next-action')

And added explicit checks in each action instead.

[J4v4Scr1pt]

Thanks for this thread and the "work arrounds" I was pulling my hear on this one 😅

[axten]

I solved redirection of server actions in middleware with setting the corresponding header:

// middleware.ts
    ...
      const hasSession = request.auth && !request.auth.isExpired;
      const isAction = request.method === 'POST' && request.headers.has('Next-Action');
    
    // since middleware cannot redirect server actions directly, the corresponding header gets set
    if (!hasSession && isAction) {
      response.headers.set('x-action-redirect', `/login?callbackUrl=${encodeURIComponent(request.nextUrl.toString())}`);
     return response;
    }
    ...

[LikeDreamwalker]

There are almost nothing in document mentioned that middleware can't control server action directly.
I know writing documents is a hard job but if there is just one saying, will be better than nothing. I even exclude if SSG page can't handle 307 redirect.

[Rrobinvip]

@axten has a great proposal. However, I've noticed that the redirect with this header doesn't occur immediately. This could be due to our different setups. In my setup, I return an empty response and everything works fine.

Also, using nextUrl.toString() will provide the full path. Most likely, it will be https://localhost:8080 because the server action is executed on the deployment.

Here's a revised code:

// Change return url to pathname and search

const response = new NextResponse();
response.headers.set('x-action-redirect', `/login?returnUrl=${encodeURIComponent(request.nextUrl.pathname + request.nextUrl.search)}`);

// Clean up any session cookies if necessary

response.cookies.delete("sessionToken");
return response;

This code changes the return URL to pathname and search, and cleans up any session cookies if necessary.

[kennataddese6]

Having related issue with middleware and server action
Problem Summary

1. I have a form using useActionState + server action

2. On submission, middleware runs.

3. If auth() fails in middleware, it does NextResponse.redirect('/login').

4. That sends a 301 response, not a response expected by useActionState.

So, your client doesn't receive { success, errorMessage } — it gets a redirect response instead → resulting in undefined state and no redirect login.

What makes it tricky. The request never reaches server actions so using middleware for auth pages during page naviation works to redirect the user to logn but not during server action.

[kennataddese6]

Yes. I believe this is serious Kind Regards, [image: image] Kenna Taddese Software Developer Phone. ‪+1 (530) 712-3425‬‬ Web. Babure.rf.gd Address. Level 9, Abraham Street, WA 6029 [image: facebook] <http://www.facebook.com/> [image: twitter] <http://www.twitter.com/> [image: linkedin] <http://www.instagram.com/> [image: google-plus] ***@***.***/> Get your own signature <https://gimm.io/en_US/email-signature-generator?utm_source=sent-emails&utm_medium=email&utm_campaign=get-your-own-signature>

…

On Sat, Jul 12, 2025, 8:46 PM gmoniava ***@***.***> wrote: @ztanner <https://github.com/ztanner> Currently I have similar issue a client component executes a server action, which triggers middleware, inside it, since the user is not authenticated - redirect is called. Which results in the server function call returning undefined on the client component. Basically redirect does not work with server functions. So what should we do in such cases? I have auth check inside the server function but it never reaches it due to redirect (but neither redirect happens). IMHO server function don't start with api. — Reply to this email directly, view it on GitHub <#64993 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/A4EDG3G6V6J7QUG3VA4D7BL3IFCY7AVCNFSM6AAAAABGXNZMBKVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTGNZUGAYTCMQ> . You are receiving this because you commented.Message ID: <vercel/next. ***@***.***>