Auth in middleware

Obviously there has been a lot of recent discussion about authentication in Next middleware. I've gathered that the general sentiment is that it is best to confirm auth closer to the data. I'm working on my first Next app now, so that is the practice I'm following. But as I'm integrating uploadthing into my project, I see them recommending auth checks in the uploadthing middleware in the docs. So I'm a bit confused on when it is and isn't ok to check auth in your middleware. Is it always just as an optimistic check?
16 Replies
choco (4w ago)
If you mean the imageUploader middleware, then it does not use middleware from Next.js :) Theo will soon release the video. In every API you usually use middleware as auth, but not in Next.js; Next.js middleware is not really a middleware in the sense of those other frameworks. Also, you can still use middleware in Next.js, but for early return, and you still have to have another means of auth after the middleware does its work.
shawn (OP, 4w ago)
Gotcha, that makes sense. I don't have the best understanding of the inner workings of middleware, so I'm excited for that vid to come out. Thanks for the clarification! Video was super helpful. I wasn't doing any auth checks in middleware, but it was still good to learn about how it works in Next. Biggest takeaway for me was that I have to move auth checks out of layouts lol. Which is a bit absurd. Don't understand how it would be possible to bypass a layout to get to a page, but nbd. I don't have that many protected pages in my app anyway.
Prashant (4w ago)
Okay, I have seen all the information around this middleware stuff and watched Theo's video. I want to make sure I got this right. Let's say in the middleware I have something like this: `if (pathName.includes("/admin") && session.user.role !== "ADMIN") { redirect the user to another page or do something; }` This is NOT enough to protect my /admin/* routes, right? I should also check it in /admin/dashboard, correct? If I understand this correctly, I have one question: let's say I have 5-6 routes under /admin/*. Do I have to put this check on all these routes separately?
webdevkaleem (4w ago)
Yes, to be really safe you'll have to protect all of the routes under admin/* separately. If you use tRPC you can use procedures for this. Really wish there was a real middleware in Next, like Express, so we won't have to deal with this issue.
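Added example (not code from the thread or from Next.js/tRPC) of the pattern the two replies above describe: middleware only does an optimistic early redirect, while every /admin/* data access goes through a tRPC-style protected procedure that re-checks the role itself. It is framework-free so it runs stand-alone; the `Session` shape, the `getAdminStats` procedure and its returned values are assumed.

```typescript
// Assumed session shape; in a real app this comes from your auth library.
type Role = "USER" | "ADMIN";
interface Session { user: { id: string; role: Role } }

// Authoritative check: lives next to the data and throws, never redirects.
export function requireAdmin(session: Session | null): Session {
  if (!session || session.user.role !== "ADMIN") {
    throw new Error("admin role required");
  }
  return session;
}

// Optimistic check in Next.js-style middleware: it only decides whether to
// redirect early, and nothing downstream may rely on it having run.
// A path-prefix test is used rather than pathname.includes("/admin"), which
// would also match unrelated paths such as "/blog/admin-tips".
export function middleware(
  pathname: string,
  session: Session | null,
): "next" | "redirect:/login" {
  const isAdminRoute = pathname === "/admin" || pathname.startsWith("/admin/");
  if (isAdminRoute && (!session || session.user.role !== "ADMIN")) {
    return "redirect:/login";
  }
  return "next";
}

// tRPC-style "protected procedure" wrapper: every admin resolver is wrapped
// once, so the check is enforced even when the caller never hit middleware
// (direct API call, layout bypass, server action invoked out of band).
export function adminProcedure<TIn, TOut>(
  resolver: (input: TIn, session: Session) => TOut,
): (input: TIn, session: Session | null) => TOut {
  return (input, session) => resolver(input, requireAdmin(session));
}

// Constructed data loader shared by all /admin/* pages (hypothetical numbers).
export const getAdminStats = adminProcedure(
  (input: { page: number }, session) => ({
    requestedBy: session.user.id,
    page: input.page,
    activeUsers: 42,
  }),
);
```

Because `getAdminStats` wraps `requireAdmin`, the five or six admin pages each call the procedure and inherit the check instead of repeating it.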
Prashant (4w ago)
got it 👍
rubberburger (4w ago)
I've also watched Theo's video but I honestly don't get why this is necessary. Doesn't the data come from the API endpoints anyway? As long as the endpoints are properly secured, it doesn't even matter if they reach the pages. Am I missing something?
webdevkaleem (4w ago)
You're right, the endpoints themselves should be secure. Handling auth inside your Next middleware or layouts is not secure enough. The weird naming convention is to blame.
rubberburger (4w ago)
Yup yup, which is why I was confused as to how the hacker Theo mentioned in his video was able to do apparently malicious things by bypassing his auth checks in his layouts. I mean Theo did show some snippets of his (server actions/API) code and they did seem secure to me, which is why I was wondering how it is even possible to bypass API layer security just because they managed to bypass auth checks in the layout ---- btw I'm asking this out of a bit of concern for my own apps. I properly secure my API endpoints, but I just hope that bypassing layout.tsx doesn't somehow compromise my API endpoints in ways I can't imagine.
webdevkaleem (4w ago)
If your API endpoints are secure then you have nothing to worry about; that's how it's supposed to be in the backend world, assuming you don't do any auth checks inside of your layout.tsx.
rubberburger (4w ago)
Aight, thanks I guess. Yeah, I only use them for redirects; my backend handles auth.
Prashant (4w ago)
I have one more doubt: so we can't use Next.js middleware to protect the API endpoints, but we can still use it as an early return, like in this case if the user is already logged in we can redirect him to /dashboard, and also vice versa, right? I wonder, can we utilize tRPC in this in any way? All my API endpoints are behind tRPC procedures so they are secured; now I want to limit the frontend access. Can we also use tRPC for this in any way??
Prashant (4w ago)
I keep facing this same issue. This is my Next.js middleware; I am using the T3 stack and really don't know what I am doing wrong. This is the error log, and I have a small middleware but still getting this.
Prashant (4w ago)
Well, I figured it out. The problem is somewhat related to the Prisma client running on edge; the workaround is to fetch the session using the getJWT method.
Waffleophagus (3w ago)
The biggest takeaway (for me) is that Next's middleware isn't middleware as the industry understands it, it's "front-ware". They did a thing that is noticeably different than the rest of the industry and called it a thing that means something different in other full stack solutions.
webdevkaleem (3w ago)
Couldn't agree more.
Prashant (3w ago)
Can we still implement CORS and rate limiting in middleware??