getSessionCookie is broken in Next.js middleware
I have to manually check my cookies in middleware, which works just fine. But getSessionCookie never returns.
What version?
I've been using getSessionCookie() no prob
1.2.3
It can be reproduced on my Next.js starter just by uncommenting it in the Middleware
GitHub
GitHub - daveyplate/better-auth-nextjs-starter: Better Auth Next.js...
Better Auth Next.js starter template with PostgreSQL, Drizzle, shadcn/ui and TanStack Query - daveyplate/better-auth-nextjs-starter
When I use getSessionCookie I can never reach settings page even after login and refreshing page
Okay I was apparently using 1.1.21
in the implementation I was testing
You could reduce your middleware invocations significantly if you just match the defined routes
Unless those are your only pages
Probably
I have to do the global check for my i18n routing
Or what do you mean exactly with this?
You could change the matcher to be an array of paths that are only your protectedRoutes and your publicRoutes
So any paths that are neither won't trigger middleware invocations
Not sure where you're hosting but Vercel charges for middleware invocations if you overage
Not hosting anywhere rn, but I wanted to try self-hosting on my server pc eventually
Self hosting should be no problem then
Ye
Btw, is the cookie actually set in the browser when you tried this?
I can go to /auth/settings and get redirected to /auth/sign-in when I'm not authenticated @daveycodez
(even after uncommenting the call to getSessionCookie())
Yeah it works even when authenticated
I can't reproduce your error even with your template repo
Did you turbo build turbo start
And replace the cookie check in the if
I ran
npm run dev
and changed the code to:
can try turbo build turbo start
okay nvm I can't run turbo?

Ok try just npm run build and npm run start
Yes
still didn't get stuck
Hmmmmm
when unauthenticated
I’ll try again
Yeah I'm gonna try something also
I might have a skill issue
Yeah idk man, it works for me
Oh wait something is happening now
Okay so now when I go to /auth/settings, it redirects me to the login page and sets
?redirectTo=auth/settings
but when I sign in it gets stuck
Yea
So it only occurs on production
not on npm run dev
However the console log ran when I pressed the button
only on npm run start
It's specifically broken on production
Yeah it seems so
I'm a bit confused tho
The console.log is outputting before I get stuck (after I press the button)

So is it trying to double redirect me?
It's logging null for me
on production
Even though I'm logged in
Yeah same
Oh even when ur logged in?
How did u log in? I just get stuck
Idk what you mean by stuck
It redirects me back to the login page
The loading state on the login button never finishes
But you can see logged in state at the top right of the page
Oh that's weird
I literally don't get redirected
That's not happening to me
😵💫
OOHh
I see that happening to me now
That's because the navigate is being rewritten back to current destination
Yeah I'm wondering if it's creating infinite redirects?
And it stays loading til you leave page
Right
Nah it's not infinite redirects
I set the button to loading then I call navigate
the navigate gets a rewrite
so it's like navigate(currentUrl) so it never unmounts
Mmh
But yea it works perfectly in dev, and it works perfectly if I manually check the cookie
Must be some specific logic to production
Some sort of cookie validation?
Amazing to debug 😍
I merely want to check for the presence of the cookie in middleware, don't really care about the validity
isn't that what the getSessionCookie does?
I don't know the implementation
I'll dig through the source
const name = isProduction
  ? `__Secure-${cookiePrefix}.${cookieName}`
  : `${cookiePrefix}.${cookieName}`;
It's this line
I think some other thread here on the discord was talking about this
Or something similar
GitHub
better-auth/packages/better-auth/src/cookies/index.ts at f90581d7ab...
The most comprehensive authentication framework for TypeScript - better-auth/better-auth
https://discord.com/channels/1288403910284935179/1342396355959721985/1342837808754196522
Maybe something helpful here?
Yea so idk. I don't want to set any URL's, everything works out of the box just fine
https://discord.com/channels/1288403910284935179/1347345382878871623/1347345382878871623
Talks about something related also I think 👆
Is this in your code or a suggestion to better-auth source?
Suggestion to modify source linked above
This is only needed for presence, not validation, so checking for either is just fine instead of conditionally checking for one
If that's the case then I agree
getSessionCookie was created mainly for optimistic 0 latency middleware checks
You use getSession on individual routes to authenticate them or client side authentication
So do you do
getSession()
and then redirect on individual routes as well?
Yea
The middleware is for "skipping" a route
Okay
If the user doesn't have a cookie, don't even bother a function invocation for that route
Makes sense
If the user does have a cookie, run the route, then the route will check getSession
This is also kinda what I found on the nextjs docs
Yea Next.js advises against fetching in middleware
For my /auth/settings page from better-auth-ui, it uses the useAuthenticate hook which authenticates client side (shows Skeletons during isPending, then redirects if no session), and then you can use middleware to skip that route entirely if they don't even have a cookie
So the only time useAuthenticate even does anything is if they have an old cookie or invalid cookie
Oh does useAuthenticate handle redirecting also?
Yea
Nice
it redirects to /auth/sign-in?redirectTo=${currentUrl} pretty much
Makes sense
including search params and hash
First time using better-auth and first time-ish using nextjs here so this is great info
Ty!
Yea the useAuthenticate hook comes from my better-auth-ui library, not better-auth itself
Ahh
Idk if it's worth switching to now as I'm approaching deadline, but I took a look at ur library before. Seems pretty nice
Fetch in Middleware no bueno
@bekacru please have a look at this pr https://github.com/better-auth/better-auth/pull/1716 . a lot is getting confused with this function.
GitHub
fix: getSessionCookie function and improve docs. by ahmed-m-abbass ...
Improved the logic in getSessionCookie() to correctly handle secure prefix and added useSecureCookies config.
closes #1487.
It doesn't really need useSecureCookies prop
You can just check if either is present and use whichever is present
https://discord.com/channels/1288403910284935179/1348847982748897380/1348917566600511498