Kinde · 3w ago
Noel

Middleware not protecting routes in version 2.5.0-11

Hi everyone, I was hoping to get some help with an issue I'm having with the middleware in my app. For context, I updated my kinde-auth-nextjs version to 2.5.0-11 to try and take advantage of the new token refresh behavior. I needed to do this as I was working on a feature to update the user's username in both my database as well as their identity on Kinde. The initial problem arose when I realized the updated username was not showing until the user logged out and logged back in. Therefore I looked into that issue and found a discussion post here: https://discord.com/channels/1070212618549219328/1322570554594693223 which directed me to install version 2.5.0-11 in order to refresh the token seamlessly and receive my expected behavior of receiving the updated username in the new token.

In that PR https://github.com/kinde-oss/kinde-auth-nextjs/pull/254 it's discussed that the middleware essentially becomes mandatory and to achieve this we'd need to update the matcher to run on every route:

```js
export const config = {
  matcher: [
    // Run on everything but Next internals and static files
    '/((?!_next|[^?]*\\.(?:html?|css|js(?!on)|jpe?g|webp|png|gif|svg|ttf|woff2?|ico|csv|docx?|xlsx?|zip|webmanifest)).*)',
  ],
}
```

As a side effect, my main problem arose & now my routes are not being protected and the user is not being redirected to the login page when the user requests a protected route. Would really appreciate help on this! My SDK version is "@kinde-oss/kinde-auth-nextjs": "^2.5.0-11". I've also attached images of what my middleware file currently looks like.
GitHub
Fix/refresh token app router by DanielRivers · Pull Request #254 · ...
Explain your changes This PR includes a significant improvement to token refreshing. Tokens now refresh seamlessly behind-the-scenes, providing users with the best possible experience. In order to ...
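A quick way to audit which protected routes a catch-all matcher like the one in the opening post actually hands to the middleware. This is an added example, not code from the thread or from the Kinde SDK; it assumes Next.js treats the matcher as a regex anchored over the whole path (approximated here with `^...$`), and the route list is constructed.

```javascript
// Added example: audit middleware coverage for a regex-style matcher.
// Assumption: the matcher is applied as a full-path regex (approximated
// with ^...$); Next.js-specific extras are ignored.
const MATCHER =
  '/((?!_next|[^?]*\\.(?:html?|css|js(?!on)|jpe?g|webp|png|gif|svg|ttf|woff2?|ico|csv|docx?|xlsx?|zip|webmanifest)).*)';

// True when at least one matcher selects the path, i.e. the middleware runs.
function middlewareRuns(pathname, matchers = [MATCHER]) {
  return matchers.some((m) => new RegExp(`^${m}$`).test(pathname));
}

// Protected routes the middleware would never see, so no auth check or
// login redirect can happen there.
function uncoveredRoutes(protectedRoutes, matchers = [MATCHER]) {
  return protectedRoutes.filter((p) => !middlewareRuns(p, matchers));
}

// Constructed sample: routes an app might expect to be behind login.
const PROTECTED = [
  '/dashboard',
  '/dashboard/settings',
  '/api/user/profile',
  '/dashboard/export.csv', // ends in an excluded "static" extension
  '/reports/2024.zip',     // same
];

for (const p of PROTECTED) {
  console.log(middlewareRuns(p) ? 'middleware runs ' : 'SKIPPED         ', p);
}
console.log('Needs its own auth check:', uncoveredRoutes(PROTECTED));
```

Any route reported as skipped needs its auth check inside the route handler itself, because the extension exclusions in the matcher apply to dynamic routes as well as real static files.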
10 Replies
Yoshify · 3w ago
Hi @Noel ! I haven’t been able to replicate this in testing - could I confirm that you definitely don’t have a refresh token cookie in your cookies at all? If you try to visit a protected page in the new version you won’t be redirected to login if a refresh and revalidation succeeds.
Noel (OP) · 3w ago
Hi @Yoshify, sorry, just got back to this! For example, when I visit 'http://localhost:3000/dashboard' while logged out the route still loads and in my devtools there is no refresh token cookie at all. I'd expect the middleware to redirect to the login whenever a request was made to a protected route. I'm not sure if the problem is with how I define what routes to protect in my matcher, but before the PR, where I defined the routes to protect individually, the middleware would detect the route being protected and redirect to the login page. I've attached an image of the devtools to show no refresh cookies. Am I misunderstanding how the PR helped with token refreshing? Ideally, I'd still like to retain the ability to showcase the latest token with the updated changes for the user without logging them out.
Yoshify · 3w ago
What does your middleware look like?
Noel (OP) · 3w ago
Currently like this
Yoshify · 3w ago
Thanks mate. Will attempt to replicate.
@Noel thanks for your assistance, was able to replicate and identify the cause. We should have another version out for testing soon - I'll update you when this happens.
Noel (OP) · 3w ago
That's great to hear! Looking forward to the update, thank you!
Yoshify · 3w ago
Hi @Noel ! Could you please update to and try version 2.5.0-13? Your issue should be resolved.
Noel (OP) · 3w ago
Hi @Yoshify, I updated and can confirm that it does work as intended for protecting routes while the user is not logged in, but I think another issue arose out of it. I've been programmatically routing the user to the api/auth/login route using an onsubmit, and after the update the api/auth/success/route.ts file is not hit like it was before the update. I've attached screenshots of what the component handling the onsubmit looks like, and a view of the inspect tool before and after I try to log in via GitHub.
Yoshify · 3w ago
Hi @Noel - just to clarify, is the issue that /api/auth/success isn’t being hit? Or is a redirection occurring when you attempt to push to the login page? If you could share a HAR file from your dev tool capture that would help a lot in debugging too! 🙂 Feel free to reach out privately if you’d prefer (we also have a confidential support channel)
Noel (OP) · 3w ago
Got it, will DM!
