Auth in middleware

Obviously there has been a lot of recent discussion about authentication in Next.js middleware. I've gathered that the general sentiment is that it is best to confirm auth closer to the data. I'm working on my first Next.js app now, so that is the practice I'm following. But as I'm integrating uploadthing into my project, I see them recommending auth checks in the uploadthing middleware in the docs. So I'm a bit confused about when it is and isn't OK to check auth in your middleware. Is it always just an optimistic check?
10 Replies
choco (5d ago)
If you mean the imageUploader middleware, then it does not use middleware from Next.js :) Theo will soon release the video. In every API you usually use middleware for auth, but not in Next.js: Next.js middleware is not really middleware in the sense of those other frameworks. You can still use middleware in Next.js, but for an early return, and you still have to have another means of auth after the middleware has run.
shawn (OP, 3d ago)
Gotcha, that makes sense. I don't have the best understanding of the inner workings of middleware, so I'm excited for that vid to come out. Thanks for the clarification!

The video was super helpful. I wasn't doing any auth checks in middleware, but it was still good to learn about how it works in Next.js. The biggest takeaway for me was that I have to move auth checks out of layouts lol. Which is a bit absurd. I don't understand how it would be possible to bypass a layout to get to a page, but nbd. I don't have that many protected pages in my app anyway.
Prashant (3d ago)
Okay, I have seen all the information around this middleware stuff and watched Theo's video. I want to make sure I got this right. Let's say in the middleware I have something like this: `if (pathName.includes("/admin") && session.user.role !== "ADMIN") { redirect the user to another page or do something; }`. This is NOT enough to protect my /admin/* routes, right? I should also check it in /admin/dashboard, correct? If I understand this correctly, I have one question: let's say I have 5-6 routes under /admin/*. Do I have to put this check on all these routes separately?
webdevkaleem (3d ago)
Yes, to be really safe you'll have to protect all of the routes under admin/* separately. If you use tRPC you can use procedures for this. I really wish there was a real middleware in Next.js, like Express, so we wouldn't have to deal with this issue.
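Added example, not code from anyone in this thread: the two-layer pattern the replies describe (an optimistic early-return check in middleware, plus an authoritative check next to the data), applied to Prashant's /admin/* case, and a tRPC-style procedure wrapper so the role check is written once instead of in each of the 5-6 admin routes. It is plain TypeScript rather than the Next.js runtime, so the request, cookie and session objects are simplified stand-ins; the `session` cookie name, the session store, the `role` field and the user records are all constructed for the example.

```typescript
// Added example (not from the thread). Models a Next.js-style app in plain
// TypeScript so it runs without the Next.js runtime.
// Assumptions (constructed for the example): a cookie named "session" holding
// a token, a token -> session table, and a "role" field on the user record.

type Role = "USER" | "ADMIN";
interface User { id: string; role: Role }
interface Session { user: User }

// Constructed sample session store standing in for a DB or session backend.
const SESSIONS: Record<string, Session> = {
  "tok-alice": { user: { id: "alice", role: "ADMIN" } },
  "tok-bob":   { user: { id: "bob",   role: "USER"  } },
};

// Minimal request shape: path plus parsed cookies.
interface IncomingReq { pathname: string; cookies: Record<string, string> }

function getSession(req: IncomingReq): Session | null {
  const tok = req.cookies["session"];
  return tok ? (SESSIONS[tok] || null) : null;
}

// Layer 1: middleware-style optimistic check. It only produces an early
// redirect for the happy path; nothing downstream may rely on it having run.
type MiddlewareResult = { action: "next" } | { action: "redirect"; to: string };

function middleware(req: IncomingReq): MiddlewareResult {
  if (req.pathname.startsWith("/admin")) {
    const session = getSession(req);
    if (!session || session.user.role !== "ADMIN") {
      return { action: "redirect", to: "/login" };
    }
  }
  return { action: "next" };
}

// Layer 2: the authoritative check, next to the data. Throwing here is what
// actually protects the route handler / server action / procedure.
class AuthError extends Error {
  constructor(public status: 401 | 403, message: string) { super(message); }
}

function requireAdmin(req: IncomingReq): Session {
  const session = getSession(req);
  if (!session) throw new AuthError(401, "not signed in");
  if (session.user.role !== "ADMIN") throw new AuthError(403, "admin role required");
  return session;
}

// tRPC-style "procedure" wrapper: the check is written once and applied to
// every admin handler, so each /admin/* route does not repeat it by hand.
type Handler<T> = (session: Session, req: IncomingReq) => T;

function adminProcedure<T>(handler: Handler<T>) {
  return (req: IncomingReq): { status: number; body: T | string } => {
    try {
      return { status: 200, body: handler(requireAdmin(req), req) };
    } catch (e) {
      if (e instanceof AuthError) return { status: e.status, body: e.message };
      throw e;
    }
  };
}

// Two admin endpoints sharing the one guard.
const adminDashboard = adminProcedure((s) => `dashboard for ${s.user.id}`);
const adminUsers = adminProcedure(() => Object.values(SESSIONS).map((s) => s.user.id));

// Normal flow: middleware first, then the handler if it said "next".
function viaMiddleware(req: IncomingReq): { status: number; body: unknown } {
  const m = middleware(req);
  if (m.action === "redirect") return { status: 307, body: m.to };
  return adminDashboard(req);
}

// Handler reached without middleware (matcher gap, direct fetch to the route
// handler, a layout that was skipped, ...). Layer 2 still rejects it.
function bypassMiddleware(req: IncomingReq): { status: number; body: unknown } {
  return adminDashboard(req);
}

// Constructed sample requests.
const aliceReq: IncomingReq = { pathname: "/admin/dashboard", cookies: { session: "tok-alice" } };
const bobReq: IncomingReq   = { pathname: "/admin/dashboard", cookies: { session: "tok-bob" } };
const anonReq: IncomingReq  = { pathname: "/admin/dashboard", cookies: {} };
```

The point of `bypassMiddleware` is the one the thread keeps circling: whatever path a request takes to the handler, `requireAdmin` runs inside the handler itself, so skipping the middleware (or a layout) only skips the friendly redirect, not the authorization. Wrapping handlers in `adminProcedure` is the same idea as a tRPC protected procedure, and it answers the "do I repeat this on every route" question with "no, you repeat the wrapper, not the check".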
Prashant (3d ago)
got it 👍
rubberburger (2d ago)
I've also watched Theo's video, but I honestly don't get why this is necessary. Doesn't the data come from the API endpoints anyway? As long as the endpoints are properly secured, it doesn't even matter if they reach the pages. Am I missing something?
webdevkaleem (2d ago)
You're right, the endpoints themselves should be secure. Handling auth inside your Next.js middleware or layouts is not secure enough. The weird naming convention is to blame.
rubberburger (2d ago)
Yup yup, which is why I was confused as to how the hacker Theo mentioned in his video was able to do apparently malicious things by bypassing his auth checks in his layouts. I mean, Theo did show some snippets of his (server actions/API) code and they did seem secure to me, which is why I was wondering how it is even possible to bypass API-layer security just because they managed to bypass auth checks in the layout.

Btw, I'm asking this out of a bit of concern for my own apps. I properly secure my API endpoints, but I just hope that bypassing layout.tsx doesn't somehow compromise my API endpoints in ways I can't imagine.
webdevkaleem (2d ago)
If your API endpoints are secure then you have nothing to worry about. That's how it's supposed to be in the backend world, assuming you don't do any auth checks inside of your layout.tsx.
rubberburger (2d ago)
Aight, thanks I guess. Yeah, I only use them for redirects; my backend handles auth.
