From f2929692c39d998e50f95839b563c0d50b76e787 Mon Sep 17 00:00:00 2001 From: Iweisc Date: Sun, 28 Dec 2025 22:30:08 +0600 Subject: [PATCH] feat: add WORKOS_SKIP_MIDDLEWARE_CHECK env var to bypass middleware header check This adds a fallback mechanism for scenarios where the x-workos-middleware header doesn't propagate correctly to API routes (e.g., when using custom middleware wrappers in Next.js 16 with proxy.ts). When WORKOS_SKIP_MIDDLEWARE_CHECK=true is set, the getSessionFromHeader() function will fall back to reading the session directly from cookies instead of throwing an error about missing middleware coverage. Fixes #351 --- src/session.ts | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/session.ts b/src/session.ts index 8e61e56..18a765a 100644 --- a/src/session.ts +++ b/src/session.ts @@ -558,14 +558,19 @@ export async function getSessionFromCookie(request?: NextRequest) { async function getSessionFromHeader(): Promise { const headersList = await headers(); const hasMiddleware = Boolean(headersList.get(middlewareHeaderName)); + const skipMiddlewareCheck = process.env.WORKOS_SKIP_MIDDLEWARE_CHECK === 'true'; - if (!hasMiddleware) { + if (!hasMiddleware && !skipMiddlewareCheck) { const url = headersList.get('x-url'); throw new Error( `You are calling 'withAuth' on ${url ?? 'a route'} that isn't covered by the AuthKit middleware. Make sure it is running on all paths you are calling 'withAuth' from by updating your middleware config in 'middleware.(js|ts)'.`, ); } + if (!hasMiddleware && skipMiddlewareCheck) { + return getSessionFromCookie(); + } + const authHeader = headersList.get(sessionHeaderName); if (!authHeader) return;