Auth in middleware
Obviously there has been a lot of recent discussion about authentication in next middleware. I’ve gathered that the general sentiment is that it is best to confirm auth closer to the data. I’m working on my first next app now, so that is the practice I’m following. But as im integrating uploadthing into my project, I see them recommending auth checks in the uploadthing middleware in the docs.
So I’m a bit confused on when it is and isn’t ok to check auth in your middleware. Is it always just as an optimistic check?
16 Replies
if you mean imageUploader middleware, then it does not use middleware from next.js :)
theo soon will release the video, in every api you usually use middleware as auth, but not in Next.js, next.js middleware is not really a middleware in the sense of those other frameworks.
also you can still use middleware in next.js but for early return, and you still have to have another means of auth after middleware work.
Gotcha, that makes sense. I don't have the best understanding of the inner workings of middleware, so I'm excited for that vid to come out. Thanks for the clarification!
Video was super helpful. I wasn't doing any auth checks in middleware, but it was still good to learn about how it works in next. Biggest takeaway for me was that I have to move auth checks out of layouts lol
Which is a bit absurd. Don't understand how it would be possible to bypass a layout to get to a page, but nbd. I don't have that many protected pages in my app anyway
Okay, I have seen all the information around this middleware stuff and watched Theo's video. I want to make sure I got this right. Let's say in the middleware I have something like this: if(pathName.includes("/admin") && session.user.role !== "ADMIN"){
redirect the user to another page or do something;}
This is NOT enough to protect my /admin/* routes, right? I should also check it in /admin/dashboard, correct? If I understand this correctly, I have one question: let's say I have 5-6 routes under /admin/*. Do I have to put this check on all these routes separately?
yes
to be really safe you'll have to protect all of the routes under
admin/* separately
if you use trpc you can use procedures for this
really wish there was a real middleware in next, like express
so we won't have to deal with this issuegot it 👍
ive also watched theo's video but i honestly don't get why this is necessary
doesn't the data come from the api endpoints anyway? as long as the endpoints are properly secured, it doesn't even matter even if they reach the pages
am i missing something?
you're right
the endpoints themselves should be secure
handling auth inside your next middleware or layouts is not secure enough
the weird naming convention is to blame
yup yup
which is why i was confused as to how the hacker theo mentioned in his video was able to do apparently malicious things by bypassing his auth checks in his layouts
i mean theo did show some snippets of his (server actiosn/api) code and they did seem secure to me
which is why i was wondering how is it even possible to bypass api layer security just because they managed to bypass auth checks in the layout
----
btw im asking this because out of a bit of concern for my own apps
i properly secure my API endpoints, but i just hope that bypassing layout.tsx doesn't somehow compromise my api endpoints that in ways i can't imagine
if your api endpoints are secure then you have nothing to worry about
thats how its supposed to be in the backend world
assuming you don't do any auth checks inside of your
layout.tsxaight thanks ig
yeah i only use them for redirects
my backend handles auth
I have one more doubt, so we can't use nextjs middlware to proctect the api endpoints, but we can still use it as an early return like in this case
if the user is already looged in, we can redirect him to /dashboard and also vise versa, right?
I wonder can we utilze tRPC in this anyway? My all api endpoints are behind the trpc procedures so they are secured now I want to limit the frontend access, can we also use trpc in this by anyway ??
I keep facing this same issue this my nextjs middleware, I am using t3 stack and really don't know what i am doing wrong, this is the error log and I have a small middleware but still getting this
well i figured it out, the problem is somewhat related to prisma client on running on edge, work around to to fetch the session using getJWT method
The biggest takeaway (for me) is that Next’s middleware isn’t middleware as the industry understands it, it’s “front-ware”
They did a thing that is noticeably different than the rest of the industry and called it a thing that means something different in other full stack solutions
couldn't agree more
can we still implement cors and rate limiting in middleware??